Access Management: The Risks Explained

Most organizations have experienced this scenario first-hand: a compliance audit is imminent and suddenly IT staff scramble to find out who has access to what data, who granted it and why. On top of that, they have to prove to auditors that those privileges were subject to regular reviews. It's a nightmare for organizations that have not yet deployed a proper access management solution. This article takes a closer look at the challenges of identity and access management and explains why doing it all manually may cost you far more than a few staff hours.

Access Management: The Risks

Identity and access management is a multi-faceted chain of processes, and staying on top of it is hard. First, we will look at what makes access management so complex and why more and more businesses are automating the processes involved.

Multi-Tasking

Users rarely have a single, one-size-fits-all account, say in Active Directory. Instead they have multiple accounts across multiple systems: in Exchange, various business applications, the cloud, and more. When a user leaves the company, every one of those accounts must be identified and disabled. If the user had different user names on different systems, finding the orphaned accounts is harder still.

Dynamic Processes and High Fluctuation

In most organizations, people come and go. New people join, switch departments, work on different projects and leave again. Every one of these changes means privileges have to be adapted: users either need additional rights or need old ones removed. Keeping track of whether every single user really holds only the privileges their job requires is a huge task and, in practice, impossible to do manually.

Inadequate or Wrong Tools

The tools Microsoft ships (the Active Directory management consoles and the NTFS security settings dialog) were not built for the demands of today's business environments. They show permissions one object at a time, can compute effective access only for a single principal on a single object, and have no reporting function. Meanwhile, the number of files, folders and data sets that need managing keeps growing, so the problem gets bigger, not smaller. Keeping it manageable starts with applying, and sticking to, access governance best practices.
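To see what the built-in tools leave out, here is an added example (not code from the article or from tenfold) that produces the overview auditors actually ask for: one row per user and folder, with the group the right came through. It assumes the RSAT ActiveDirectory module, read access to the folder tree, a single domain, and a placeholder share path; it scans directory ACLs only, not explicit ACEs on individual files.

```powershell
# Added example, not part of the original article or of tenfold's product.
# Reports which AD user accounts effectively hold NTFS rights on a folder tree
# by expanding every group named in each folder's ACL down to its user members.
# Assumptions: RSAT ActiveDirectory module installed, read access to the share,
# one domain (foreign security principals are not expanded), and $Root pointing
# at a real folder (the path below is a placeholder).
Import-Module ActiveDirectory

$script:MemberCache = @{}   # identity -> list of SamAccountNames, saves repeated AD queries

function Expand-Identity {
    # Returns the SamAccountNames of all users behind an ACE identity such as
    # 'CONTOSO\Finance-RW', 'CONTOSO\jdoe', 'BUILTIN\Administrators' or a raw SID.
    param([Parameter(Mandatory)][string]$Identity)

    if ($script:MemberCache.ContainsKey($Identity)) { return $script:MemberCache[$Identity] }

    $sam = $Identity.Split('\')[-1]
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -ErrorAction SilentlyContinue

    if (-not $obj) {
        # Well-known SIDs (NT AUTHORITY\SYSTEM, CREATOR OWNER) or orphaned,
        # unresolvable SIDs: keep them visible in the report instead of dropping them.
        $members = @($Identity)
    } elseif ($obj.ObjectClass -eq 'group') {
        # -Recursive flattens nested groups, which is where rights usually hide.
        $members = @(Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                     Where-Object ObjectClass -eq 'user' |
                     Select-Object -ExpandProperty SamAccountName)
    } else {
        $members = @($sam)
    }
    $script:MemberCache[$Identity] = $members
    return $members
}

function Get-EffectiveRightsReport {
    param([Parameter(Mandatory)][string]$Root)

    $folders = @(Get-Item -Path $Root) +
               @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # no read access to the ACL: worth a separate look
        foreach ($ace in $acl.Access) {
            foreach ($user in Expand-Identity -Identity $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    User      = $user
                    Path      = $folder.FullName
                    Type      = $ace.AccessControlType   # a Deny ACE overrides Allow; both are reported
                    Rights    = $ace.FileSystemRights
                    Via       = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: one row per user/folder/ACE, sorted so a data owner can review their tree.
Get-EffectiveRightsReport -Root '\\fileserver\projects' |
    Sort-Object User, Path |
    Export-Csv -Path '.\effective-rights.csv' -NoTypeInformation
```

Two things to keep in mind when reading the output: a user who appears through a Deny ACE loses the matching rights regardless of any Allow rows, and rows whose `Via` column is a raw SID point at deleted accounts whose ACEs were never cleaned up, which is exactly the kind of leftover an auditor will ask about.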

White paper

Access Governance Best Practices for Microsoft Environments

Everything you need to know about implementing access control best practices in Active Directory, from implementation tips to common mistakes.

How Well Are You Equipped for Privilege Tracking?

"Since when, and why, does User X have access to my project data?!" Most IT managers will be familiar with this question. Without seamless documentation, it cannot be answered. Maintaining such records manually is difficult and time-consuming, but unless the log is complete, with no gaps or mistakes, you will struggle to pass audits.

Many companies use workflow and logging tools that are less than adequate for the job, e.g. ticketing or helpdesk systems or even just a shared Exchange mailbox where all requests are kept.

Good reporting is clearly not possible with these resources, and you will find out what that means once you face your first IT audit.

How Much Time Are You Spending On Access Management?

Do you feel your IT staff spend far too much time setting and correcting user privileges? Is the time spent mirroring the user lifecycle (join, move, leave) in IT accounts out of proportion to the outcome? The overall question is: how much time and how many resources do these processes consume? Let's examine the privilege assignment process, from request to approval, in detail:

  • If a user needs extra rights, he or she must request them via email or some other inadequate tool.

  • IT staff must then find out who is responsible for the data the request was made for.

  • The data owner must then be contacted as part of a workflow. This step is particularly difficult to log.

  • Once the data owner has approved the request, the IT department must assign the new privileges to the user across the various systems.

  • Once this has been done, both data owner and user must be informed that the privileges have been assigned and are active.

That's quite a few steps. And with cloud applications multiplying, the list will grow longer still, because cloud apps are not managed centrally and add another layer of complexity to workflow management. Currently, the main problems with a manual approach to user management are:

  • Each request requires the attention of several people.

  • Process control is complex and must be done manually by IT staff.

  • The available standard tools for handling such processes are mostly inadequate for the job.

Is Your Data Exposed to Theft or Abuse?

Let's be honest: most businesses are fully aware that incorrect or excess privileges give far too many people access to data and systems they should not, or simply do not need to, have access to. The cause is that businesses fail to enforce the principle of least privilege, even though it should be a top priority for every organization.

The problem is that excess privileges sneak up on you. With every department change and every new project, users collect additional rights. Reference users are another big source: an admin creates the account for a new team member by copying an existing user, including all of that user's privileges, whether or not the new hire needs them.

Again, the result is that excess and outdated access rights invite data theft or misuse by insiders and make your organization more vulnerable to ransomware, since malware runs with whatever rights the compromised user holds.
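Rights accumulated over department changes or copied from a reference user have a recognizable fingerprint: the user holds group memberships that hardly any of their current peers hold. The following added example (not from the article or from tenfold) flags such outliers within a department. It assumes the RSAT ActiveDirectory module, a maintained `department` attribute, and a 25 % peer-share threshold that is an assumption to tune per organization; `MemberOf` lists direct memberships only, so rights inherited through nested groups are not compared.

```powershell
# Added example, not part of the original article or of tenfold's product.
# Flags group memberships a user holds that few of their department peers hold,
# the typical trace of privilege creep or of accounts cloned from a reference user.
# Assumptions: RSAT ActiveDirectory module, a populated 'department' attribute,
# and a peer-share threshold (25 %) chosen here as a starting point, not a rule.
Import-Module ActiveDirectory

function Get-OutlierMemberships {
    param(
        [Parameter(Mandatory)][string]$Department,
        [double]$PeerShareThreshold = 0.25   # flag groups held by fewer than 25 % of peers
    )
    $peers = @(Get-ADUser -Filter "Department -eq '$Department' -and Enabled -eq 'True'" `
                          -Properties MemberOf)
    if ($peers.Count -lt 2) { return }   # nothing to compare against

    # Count how many peers are a direct member of each group (keyed by group DN).
    $holders = @{}
    foreach ($p in $peers) {
        foreach ($g in $p.MemberOf) { $holders[$g] = 1 + [int]$holders[$g] }
    }

    foreach ($p in $peers) {
        foreach ($g in $p.MemberOf) {
            $share = $holders[$g] / $peers.Count
            if ($share -lt $PeerShareThreshold) {
                [pscustomobject]@{
                    User      = $p.SamAccountName
                    Group     = (Get-ADGroup -Identity $g).Name
                    PeerShare = [math]::Round($share, 2)   # fraction of peers holding this group
                }
            }
        }
    }
}

# Usage: hand the list to the department's data owners for a yes/no review.
Get-OutlierMemberships -Department 'Sales' | Sort-Object User, PeerShare | Format-Table
```

A low peer share is a prompt for review, not proof of excess: a department head legitimately holds groups nobody else in the department has. The point is that the data owner gets a short, concrete list to decide on instead of a full membership dump.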

Are Permissions Revoked in Time?

Most companies have good, or at least passable, workflows for granting permissions. The reverse process, taking permissions away, is usually ignored altogether: most organizations simply have no workflow for it. Again, this is largely because there are no good built-in tools to keep track of transition and expiry periods for privileges.

What organizations need is a process in which privileges are revoked automatically once they are no longer needed. Furthermore, data owners must be able to regularly review the privileges they are in charge of and remove those that have become obsolete.
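Active Directory itself can expire a group membership on a timer once the forest's Privileged Access Management optional feature is enabled. The added example below (not from the article or from tenfold) grants a project right with an expiry and then lists which members of the group have no expiry at all, which is the list a data owner needs for the review described above. It assumes Windows Server 2016 forest functional level, the RSAT ActiveDirectory module, rights to modify the group, and placeholder group, user and domain names.

```powershell
# Added example, not part of the original article or of tenfold's product.
# Time-bound group membership in Active Directory plus a review of what will
# not expire on its own.
# Assumptions: forest functional level Windows Server 2016 or later, the
# 'Privileged Access Management Feature' enabled (one-time, forest-wide and
# cannot be turned off again), RSAT ActiveDirectory module, and placeholder
# names for the domain, group and user.
Import-Module ActiveDirectory

# One-time prerequisite, run once per forest by a domain admin:
# Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
#     -Scope ForestOrConfigurationSet -Target 'contoso.com'

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User,
        [int]$Days = 30
    )
    # AD removes the member by itself when the TTL lapses; Kerberos tickets
    # issued to the user are capped at the remaining TTL, so the right does not
    # linger in a cached ticket after expiry.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Days $Days)
}

function Get-MembershipReview {
    param([Parameter(Mandatory)][string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        # Time-bound members are returned as '<TTL=<seconds>,CN=...>',
        # permanent members as a bare distinguished name.
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{
                Group     = $Group
                Member    = $Matches[2]
                ExpiresIn = [timespan]::FromSeconds([int]$Matches[1])
                Permanent = $false
            }
        } else {
            [pscustomobject]@{ Group = $Group; Member = $m; ExpiresIn = $null; Permanent = $true }
        }
    }
}

# Usage: grant a project right for 30 days, then show the data owner which
# memberships in that group still need a manual decision.
Grant-TemporaryMembership -Group 'Project-Apollo-RW' -User 'jdoe' -Days 30
Get-MembershipReview -Group 'Project-Apollo-RW' | Where-Object Permanent | Format-Table
```

The TTL only covers Active Directory group membership. Rights granted directly in other systems (application roles, cloud tenants, database grants) still need their own expiry mechanism, which is why the review list matters as much as the automatic removal.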

The case of a Portuguese hospital fined 400,000 euros for violating the GDPR illustrates where a lax approach to access management can lead: among other findings, the regulator counted far more active accounts with doctor-level access than the hospital had doctors.

Are You in Line With Legal Requirements?

Of course, you are aware of the rules and regulations your organization is required to adhere to when it comes to data handling. Nevertheless, letโ€™s take a closer look at some of the regulations around the world.

  • Does your company process personal data of people in the European Union? If so, the General Data Protection Regulation (GDPR) applies to you, regardless of where your company is located. Learn more about the GDPR from our white paper: Access Management in Accordance with the GDPR.

  • Is your company listed on a US stock exchange? If so, you are required to comply with the accounting transparency requirements of the Sarbanes-Oxley Act (SOX).

  • Does your company process credit card information? If so, PCI DSS sets out data security requirements you must adhere to.

  • Is your company ISO 27001 certified, or is that something you are striving for? If so, you should familiarize yourself with the ISO 27002 controls as soon as possible. Read our white paper Access management according to ISO 27001 to learn more about this subject.

What Do the Regulations Say?

All of the regulations above (and many others) stipulate more or less the same thing: sensitive data, be it personal, credit card or accounting data, must be protected against unauthorized access, and you must be able to demonstrate that it is. That this cannot be achieved with the standard tools alone is now widely recognized.

What Is the Solution?

If none of the risks laid out so far faze you and you are absolutely sure that your access management strategy works perfectly and everything is well documented: congratulations! You are ready for the next compliance audit!

But if some of these points got you thinking, or if you are unsure which measures your company currently has in place, it may be time to look into access management more closely.

If you would like to find out how tenfold can help you automate workflows, manage access rights centrally and pass audits with ease, sign up for our free webinar!

Video Overview

Watch Our Demo Video to See tenfold in Action!

About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.