In most companies, access rights are issued according to strict guidelines. In contrast, there is usually no structured process at all for removing access rights that are no longer needed. Department changes, resignations and special rights leave a trail of chaos across the privilege landscape. The saying goes that an intern will have accumulated more access rights by the end of his or her 3-year traineeship than the CEO. And it is true: trainees pass through numerous departments and collect endless privileges along the way.
This situation poses a serious threat to your company’s IT security, as these outdated access rights could potentially allow access to sensitive company data.
IT security experts therefore recommend sticking to the so-called “principle of least privilege”, which states that users should only have access rights that they actually need to carry out their respective jobs.
How to get rid of unnecessary access rights
Step 1: Use profiles (automated adaptation of standard privileges)
One very simple method of managing access rights is to use so-called “profiles”: all privileges that are commonly required by a certain group of users are combined into one profile. Users can then be assigned to one or more profiles, for instance the profile “IT department” as well as the profile “Team leader”.
This concept does not only simplify the process of assigning access rights, but also the process of removing them once a person switches to a different department or resigns.
Step 2: Recertification (regular reviewing of individual privileges)
As mentioned above, basic access rights can be assigned and revoked, as required, using profiles – but what about privileges that are only relevant for a certain period of time, for instance for project work that requires an employee to gain access to another department’s data for the duration of the project? Nobody feels responsible for removing these access rights once the project is completed, and there is no workflow in place for the event either.
For such cases, we recommend setting up a “Recertification process”. The idea here is that data managers must regularly review the access rights they are in charge of to ensure these are up-to-date and, if not, remove them. Though this sounds fairly straightforward, it is hardly achievable in practice without the appropriate software because the manual effort involved is disproportionately high.
Step 3: User lifecycle phases (such as maternity leave)
When people work for a company, they pass through different lifecycle phases: they join the company, they switch departments, they resign or retire, plus special events like military service or maternity leave. What happens to the affected person’s privileges during their leave? Do they still need access to certain systems? The answers and situations vary from company to company.
Do not forget to include these possible scenarios in your access and lifecycle management concept!
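The three steps above can be expressed as a small access model. The following Python script is an added example written for this article, not tenfold’s own code; the profile names, permission names, users and dates are constructed sample data. It shows the “intern problem” (profiles stacking up on each rotation) next to a department change that swaps the profile, a recertification pass that flags time-limited direct grants whose review date has passed and lets the data manager confirm or remove them, and a lifecycle phase change that suspends all access during leave without deleting the assignments.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Step 1: a profile bundles the privileges a group of users commonly needs.
# Constructed sample data; profile and permission names are hypothetical.
PROFILES = {
    "IT department": {"helpdesk-tickets", "inventory-db"},
    "Team leader": {"hr-timesheets", "budget-reports"},
    "Marketing": {"cms-editor", "campaign-share"},
}


@dataclass
class DirectGrant:
    # Step 2: a privilege granted outside any profile (e.g. project work),
    # with the responsible data manager and a date by which it must be recertified.
    permission: str
    owner: str
    review_by: date


@dataclass
class User:
    name: str
    profiles: set = field(default_factory=set)
    direct_grants: list = field(default_factory=list)
    phase: str = "active"  # Step 3: lifecycle phase: active, on_leave, left


def effective_permissions(user):
    """Union of profile privileges and direct grants; any phase other than 'active' suspends all access."""
    if user.phase != "active":
        return set()
    perms = set()
    for profile in user.profiles:
        perms |= PROFILES[profile]
    perms |= {g.permission for g in user.direct_grants}
    return perms


def change_department(user, old_profile, new_profile):
    """Step 1: a department move swaps the profile instead of stacking a new one on top."""
    user.profiles.discard(old_profile)
    user.profiles.add(new_profile)


def grants_due_for_recertification(users, today):
    """Step 2: (user name, grant) pairs whose review date has passed, for the owner to confirm or remove."""
    return [(u.name, g) for u in users for g in u.direct_grants if g.review_by < today]


def recertify(user, permission, confirmed, today, extend_days=90):
    """Step 2: the data manager's decision: confirming extends the review date, otherwise the grant is removed."""
    for g in list(user.direct_grants):
        if g.permission == permission:
            if confirmed:
                g.review_by = today + timedelta(days=extend_days)
            else:
                user.direct_grants.remove(g)


def set_lifecycle_phase(user, phase):
    """Step 3: leave suspends access but keeps the assignments; leaving the company clears them."""
    user.phase = phase
    if phase == "left":
        user.profiles.clear()
        user.direct_grants.clear()


def demo():
    today = date(2024, 6, 1)  # constructed "current date" for the walkthrough
    intern = User("intern", {"IT department"})
    # Wrong way: each rotation adds a profile, so rights accumulate.
    intern.profiles.add("Marketing")
    creep = effective_permissions(intern)
    # Right way: the rotation swaps the old profile for the new one.
    change_department(intern, "IT department", "Marketing")
    # A project grant whose review date has already passed.
    intern.direct_grants.append(DirectGrant("project-x-share", "data manager A", date(2024, 3, 31)))
    due = grants_due_for_recertification([intern], today)
    recertify(intern, "project-x-share", confirmed=False, today=today)
    after_recert = effective_permissions(intern)
    set_lifecycle_phase(intern, "on_leave")
    on_leave = effective_permissions(intern)
    set_lifecycle_phase(intern, "active")
    return creep, due, after_recert, on_leave, effective_permissions(intern)


if __name__ == "__main__":
    for label, value in zip(("creep", "due", "after_recert", "on_leave", "back"), demo()):
        print(label, value)
```

The model deliberately keeps profile-derived rights and direct grants apart: the former come and go with the profile, while only the latter carry an owner and a review date, so a recertification run has a short, well-defined list to put in front of each data manager.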
Following these three simple steps will help you to regain control of those outdated and possibly hazardous access rights. Implementing these processes manually is possible, but very time-consuming and prone to errors. Find out now how tenfold can support you in getting control over your access landscape.