With the recent release of the official Star Wars: Episode VII trailer, our attention is once again on clones. They’re the good guys for a while – until they aren’t.
In case you missed the first six films in the franchise, the clones are an army created for the good of the Republic. But their programmed loyalty results in their use by an evil leader for his own nefarious purposes.
In the context of identity and access management (IAM), the technology has led to the unintended consequence of cloning. Not in the physical sense, but from an access perspective.
The rise of the access clones
Imagine a new hire (let’s call him Nick) is being on-boarded as a trader at an investment bank. One of his friends (let’s call him Ben) who works there is showing him around on his first day.
At some point, they wander into the HR office where there’s some paperwork to fill out. The HR representative asks Ben who Nick will be reporting to, and Ben helpfully replies, “We both will report to Frank, but I’ll be his mentor for a while, since I’ve been here for a few years already.”
The HR representative says, “OK – I’ll need to know what applications Nick will need access to, so I can request it for him.”
Ben replies, “I’m not really sure, why don’t you just give him the same access that I have because we’ll both be doing the same job.”
And thus, an access clone is born.
The silent risk that builds from access cloning
Like their sci-fi counterpart, access clones are made with good intentions. The new business users want to become productive as quickly as possible and they need access to applications and information to do so. Access clones go unnoticed by the people in charge, while the well-intentioned people creating the clones don’t realize the potential problems they’ve created.
But the risk is very real. It arises from the tendency of users to collect access rights over time that should be revoked when they change roles, or they complete projects. Access revocation in these scenarios is seldom performed, resulting in “access creep.” By cloning the access creeps, risk is multiplied.
The risk primarily comes from users who are able to circumvent controls and self-approve transactions for personal gain, using cloned access like an emperor uses clone troopers. Imagine a trader who can stage a massive trade and then approve it himself without oversight to move a market for his own benefit. Or a pharmacist who can use the system to self-prescribe OxyContin.
Access governance vs. the access clones
One way to combat the clones is to have business managers perform periodic access reviews and certify whether that access is necessary or not, with unnecessary access revoked, either automatically or manually. This is a detective control to enforce the least-privilege principle that makes up so many regulations, and is the primary component of an access governance program.
Separation of duties can also be enforced via policy with access governance solutions. For example, a policy can be written that the same person should not have rights to both stage and execute a trade. Then, by cataloging the entitlements of users across managed applications, violations of the policy can be identified and corrected.
When access governance fails
Access governance is helpful but is limited by the human factor. First, the access certification process is prone to rubber stamping. Most business managers see access reviews as a distraction from their more productive work, and are more inclined to look for the “select all” and “next” buttons on their approval.
But even if an organization has convinced business managers to give access certifications the diligence needed, they may look at two employees that have the same access and determine that both must be necessary. In that case, the clones actually work to protect each other!
Second, separation of duties policies can be automatically enforced, but they are still written by humans that have to consider the scenarios to create the policies in the first place. Incomplete policy will leave the organization vulnerable to risk.
Perhaps the best defense against access cloning is to reduce the need to clone in the first place. If hiring or business managers are presented with a list of applications or information that a user should have access to, based on their role, then there is less need to clone another user’s entitlements. A self-service access request and approval system, with built-in separation of duties enforcement, satisfies both the need of business users for convenience and the need of the organization to prevent abuse of privileges.
The combination of access governance and self-service access request and approval provides the best approach to strike back at the access clones.