More than two years ago, TJX Companies announced that more than 45 million credit and debit card numbers were stolen from its information systems. The data breach, the largest of its kind, required the off-price retailer (whose stores include T.J. Maxx, Marshalls, HomeGoods, and others) to file an explanation with the SEC.

Since then, data breaches and information security risks have steadily increased. To get a better handle on the nature and source of these risks, and how companies can address them from a GRC perspective, I asked Brian Cleary, a vice president with Aveksa, a provider of enterprise access governance solutions, several questions. Cleary helpfully couched his responses in terms that non-IT managers can follow while fleshing out the nature of insider threats, orphaned accounts, and “entitlement drag.”

Full Disclosure: For the uninitiated, what are information-access related user entitlements and roles, and why are these important from a GRC perspective?

Brian Cleary: Entitlements are the access rights or privileges that a user has within an information resource, such as an application, database, file share, or system. An accounts payable clerk, for example, would have entitlements within the ERP system to the financial module that allows them to issue checks to pay vendor invoices.

Roles are a way to simplify the view into user access. Rather than thinking of all of the applications and specific entitlements within applications that a user needs access to, roles become a container for all of the access a person in a functional role would need in order to do their job.

From a governance, risk, and compliance (GRC) perspective, both entitlements and roles are very important. Many regulations have user access control requirements for things like segregation of duties in Sarbanes-Oxley or Chinese walls in the Gramm-Leach-Bliley Act. For example, individuals who have entitlements allowing them to post vendor invoices in the accounts payable system shouldn’t have entitlements allowing them to pay invoices.

Organizations must have an enterprise-wide view into user access so that they can apply controls at the entitlement level. The use of roles is important to GRC because they can simplify access compliance reporting. Additionally, when they’re used as the way to request access, they operate as a preventative control because rules can run at the point of request to catch toxic combinations of access that can create a compliance violation or introduce risk to the business.

FD: What risks in this area remain largely undetected or unmanaged?

BC: Insider threats, orphaned accounts, and entitlement drag pose the largest risk. Insider malfeasance is a very common occurrence. In fact, recent research by the Identity Theft Resource Center shows that a higher percentage of all breaches reported in the first half of 2009 were from insider theft rather than from hacking,

Orphaned accounts are another huge risk that can lead to serious financial and regulatory consequences. In a typical large enterprise, user access data is not only contained within centralized directories where it can be monitored, but is also scattered throughout the organization’s information resources. The data in these user repositories may go unmonitored, greatly increasing the possibility that “orphaned” accounts could remain after the off-boarding process that takes place when an employee leaves an organization.

Another concern is “entitlement drag.” It’s not unusual, for example, for employees to accumulate unnecessary access privileges as they are promoted, transferred, or temporarily assigned to another department within the organization. Users that drag excess entitlements into their new role may create toxic combinations of access that often result in segregation-of-duties violations or create other business risks.

These are surprisingly common problems in large organizations, and they are natural consequences of the usual pressure on IT departments to provide access quickly when employees are transferred or promoted into positions that require new sets of entitlements.

FD: There have been several high-profile examples of employee data breaches in the general business press lately. What are some of these examples, and do they contain any object lessons from a corporate risk management perspective?

BC: The well-known case of the TJX data breach is a perfect example of the huge risk associated with orphaned accounts, or in this case, what can be classified as a rogue or phony account, as it was never associated with a legitimate user. The fact that hackers maintained access that went undetected for nearly a year and a half indicates a lack of an approach for reviewing and recertifying access in order to provide visibility into orphaned accounts and get them quickly removed.

Another high-profile data breach that carries some heavy lessons learned is the Société Générale breach. This breach cost the bank more than $7 billion, making it the largest fraud in banking history. In a classic, and not unusual, failure to properly govern access, a recently promoted employee retained access entitlements from his previous role that were no longer appropriate for the new role. As a result, he was able to create an enormous portfolio of high-risk investments, concealing his activities for several years until the bank finally detected his activities and closed out his investment positions. A proactive approach to reviewing and certifying the appropriateness of access would have prevented the employee from dragging his prior access entitlements into his new role.

FD: What are some of the common qualities and processes within companies with leading practices in this area?

BC: Organizations that have embraced GRC best practices have implemented a continuous access lifecycle management framework that consists of both preventative and detective controls for access change.

With detective controls, such as regular access certification, organizations are less susceptible to entitlement creep and to exploitation of orphaned accounts in information systems. Review and certification provide a set of detective controls that are typically required by regulations and industry mandates such as Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI DSS), and HIPAA, to name a few. Access review also contributes to achieving the minimum required access principle, as this process provides business unit reviewing managers the ability to identify and remediate entitlements that aren’t required for a user’s role within the organization.

Organizations with effective access governance processes also recognize and address the need for preventative controls. The biggest challenge for organizations is being able to apply access policy controls in an environment of constant change in users’ relationships with the organization. Using business roles to determine the access necessary for the function or process the user is involved with can help organizations better manage changes to access. Once business roles have been modeled with the appropriate access entitlements, organizations can easily understand whether new access requests will create toxic combinations that introduce compliance or business risk by running their rules against the requests.

Leveraging a roles-based approach for governing user access strengthens the policy framework by putting in place a set of preventive controls that operate at the point of a user requesting new access or making changes to existing access. Doing so also streamlines access delivery and ensures better accuracy for the access that’s delivered. The access delivery efficiencies that can be realized by the IT organization alone can justify taking this approach.

Business roles will simplify the change-management process for the IT organization by enabling individuals in the organization to request predetermined, compliant roles, and by creating a closed-loop validation process that will make certain that entitlements not required for the new role are removed in a timely fashion.

Access change management processes and controls present a significant challenge for most organizations, and the enterprises that are effectively addressing this challenge have recognized the need for automation. By creating a framework that combines automation and policy controls with a business-friendly process for managing access change, these organizations are benefiting from increased operational efficiency, faster delivery of access, and proactive management of access-related risks while achieving sustainable compliance.

With such an access governance framework in place, organizations will be well on their way to managing the business and regulatory risks of inappropriate access to information resources. ###
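The two controls Cleary describes, a preventive segregation-of-duties check run against a role request at the point of request, and a detective certification pass that surfaces orphaned accounts and entitlement drag, can be made concrete in a small model. The following is an added example written for this page; it is not code from the interview, from Aveksa, or from any product. The roles, entitlements, SoD rules, HR feed and accounts are all constructed for illustration and are hypothetical; the only thing it takes from the text is the post-invoice/pay-invoice toxic pair and the idea of a business role as the container of entitlements.

```python
"""Added example (not from the interview or any vendor): a toy access-governance
model with a preventive SoD check at request time and a detective certification pass.
Every role, entitlement, rule, HR record and account below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Business roles as containers of entitlements (hypothetical data).
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK":      {"erp:ap:post_invoice"},
    "AP_MANAGER":    {"erp:ap:pay_invoice", "erp:ap:approve_invoice"},
    "TRADER":        {"trading:book_position"},
    "TRADE_CONTROL": {"trading:override_limit"},
}

# Toxic combinations: holding every entitlement in the set is an SoD violation.
SOD_RULES: List[Tuple[str, Set[str]]] = [
    ("post-and-pay invoices",   {"erp:ap:post_invoice", "erp:ap:pay_invoice"}),
    ("book-and-override trades", {"trading:book_position", "trading:override_limit"}),
]

@dataclass
class Account:
    account_id: str
    owner: Optional[str]                 # HR identifier; None means no known owner
    roles: Set[str] = field(default_factory=set)
    entitlements: Set[str] = field(default_factory=set)   # directly granted, outside any role

def role_entitlements(roles: Set[str]) -> Set[str]:
    """Entitlements implied by a set of business roles."""
    ents: Set[str] = set()
    for r in roles:
        ents |= ROLES.get(r, set())
    return ents

def effective_entitlements(acct: Account) -> Set[str]:
    return role_entitlements(acct.roles) | acct.entitlements

def sod_violations(entitlements: Set[str]) -> List[str]:
    return [name for name, combo in SOD_RULES if combo <= entitlements]

def check_request(acct: Account, requested_role: str) -> Tuple[bool, List[str]]:
    """Preventive control: simulate the grant and reject it if a toxic combination appears."""
    if requested_role not in ROLES:
        return False, [f"unknown role {requested_role}"]
    after = effective_entitlements(acct) | ROLES[requested_role]
    violations = sod_violations(after)
    return (not violations), violations

def certify(accounts: List[Account], hr_active: Set[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Detective control: flag orphaned accounts, entitlement drag and standing SoD violations.
    Returns (account_id, finding, detail) tuples for a reviewing manager to remediate."""
    findings: List[Tuple[str, str, Optional[str]]] = []
    for a in accounts:
        if a.owner is None or a.owner not in hr_active:
            findings.append((a.account_id, "orphaned", None))
            continue
        # Drag: direct grants that the user's current roles do not justify.
        for e in sorted(a.entitlements - role_entitlements(a.roles)):
            findings.append((a.account_id, "entitlement_drag", e))
        for v in sod_violations(effective_entitlements(a)):
            findings.append((a.account_id, "sod_violation", v))
    return findings

# Constructed HR feed and account inventory (hypothetical).
HR_ACTIVE: Set[str] = {"u1001", "u1002"}
SAMPLE_ACCOUNTS: List[Account] = [
    Account("aclark", "u1001", roles={"AP_CLERK"}),
    # Promoted trader -> trade control, still carrying the old trading entitlement.
    Account("jkerv", "u1002", roles={"TRADE_CONTROL"}, entitlements={"trading:book_position"}),
    Account("svc_batch", None, entitlements={"erp:ap:pay_invoice"}),   # never had an owner
    Account("mold", "u1003", roles={"AP_MANAGER"}),                    # owner left, not de-provisioned
]

if __name__ == "__main__":
    print("request AP_MANAGER for aclark:", check_request(SAMPLE_ACCOUNTS[0], "AP_MANAGER"))
    for f in certify(SAMPLE_ACCOUNTS, HR_ACTIVE):
        print("finding:", f)
```

The preventive check evaluates the request against the account's full effective access, not just the role being asked for, because the toxic pair usually comes from what the user already holds. The certification pass compares direct grants against what the current roles imply, which is exactly the "dragged" access a role-based review is meant to expose; an orphan is simply an account whose owner is absent from the authoritative HR feed.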