Access Management: The Risks Explained

Identity and access management is a multi-faceted chain of processes and very challenging to stay on top of. First off, we are going to explore what exactly makes access management so complex and why more and more businesses are opting to automate the processes involved.

Users usually don’t just have a one-fits-all user account, say, in the Active Directory. No, they will have multiple accounts across multiple systems –in Exchange, various business apps, the cloud, and more. If a user leaves the company, all of their user accounts must be identified and taken offline. If the user had different user names for different systems, identifying orphaned accounts is even more difficult.

In most organizations, the motto is come and go. New people join, switch departments, work on different projects and leave again. Every one of these changes means there are privileges that need adapting. Users either require additional privileges or have their old ones removed. Keeping track of whether every single user really only has the privileges he or she needs for their job is a huge task that is, in fact, impossible to do manually.

The tools provided by Microsoft (Active Directory management console and NTFS settings) are not in any way suitable to fulfill the demands of the modern business world. They are unable to provide an overview of effective rights and have no reporting function. But the numbers of files, folders and data that need managing are ever-increasing, which means the problem is growing bigger, not smaller. One approach to flattening these numbers is by applying and sticking to the best practices.

“Since when and why does User X have access to my project data?!” Most IT managers will be familiar with this question. But without seamless documentation, it is impossible to answer. The problem is that maintaining such records manually is a difficult and time-consuming task. But unless the logs are complete and without breaks or mistakes, you will have severe problems mastering audits.

Many companies use workflow and logging solutions that are less than adequate for the job, e.g. ticketing or helpdesk solutions or even just a shared mailbox in Exchange where all requests are saved.

Do you feel your IT staff are spending way too much time setting and correcting user privileges? Is the amount of time consumed by reproducing user lifecycles in the form of IT accounts disproportionate in comparison to the outcome? The overall question is: How much time and resources do these processes consume? Let’s examine the privilege assignment process, from request to approval, in detail:

That’s quite a few steps, isn’t it? And with cloud applications exploding, the list will grow longer still because cloud apps are not managed centrally and therefore add another layer of complexion to workflow management. Currently, the main problems that arise due to a manual approach to user management include:

Let’s be honest here: most businesses are fully aware that incorrect or excess privileges give way too many people access to data and systems they shouldn’t have access to, or which they simply don’t need to have access to. This is because businesses choose not to adhere to the principle of least privilege, even though this should be a top priority for every organization.

The problem is that excess privileges kind of sneak up on you. With every department change and every new project, users collect additional rights. Not to mention reference users – those are a huge problem too. It’s when admins just copy an existing user, including all privileges, to create a new user for a new team member in the system.

OK, so most companies have good or at least okay-ish workflows in place for granting permissions. However, the reverse process – taking permissions away – is usually ignored altogether. Most organizations just don’t have a workflow for it. This is mostly because, again, there aren’t any good tools available to keep track of transition and expiry periods for privileges.

What organizations need is a process where privileges are revoked automatically when they are no longer needed. Furthermore, data owners must be able to review the privileges they are in charge of regularly and to remove those which have become obsolete.

The tragic case of a Portuguese healthcare facility who had to pay a fine of 400,000 euros for violating the GDPR illustrates very well the disaster a lax approach to access management can lead to.

Of course, you are aware of the rules and regulations your organization is required to adhere to when it comes to data handling. Nevertheless, let’s take a closer look at some of the regulations around the world.

All of the above mentioned legal regulations (and many others) stipulate more or less the same thing: Sensitive data (be it personal, credit card or accounting data) must be protected against unauthorized access. The fact that this cannot be achieved using the available standard tools is now widely recognized.

If none of the risks we have laid out so far phase you and you are absolutely sure that your access management strategy works perfectly and everything is well-documented – congratulations! You’re ready to take on the next compliance audit!

But – if some of the things we mentioned got you thinking or if you are unsure what measures your company currently has deployed, it may be time to dive into the subject of access management a little more.

If you would like to find out how tenfold can help you automate workflows, manage access rights centrally and wing audits, sign up for our free webinar!