Connect with us

Hi, what are you looking for?


Data Protection

Attack of the Access Clones – How Organizations Can Strike Back

Attack of the Clones

With the recent release of the official Star Wars: Episode VII trailer, our attention is once again on clones. They’re the good guys for a while – until they aren’t.

Attack of the Clones

With the recent release of the official Star Wars: Episode VII trailer, our attention is once again on clones. They’re the good guys for a while – until they aren’t.

In case you missed the first six films in the franchise, the clones are an army created for the good of the Republic. But their programmed loyalty results in their use by an evil leader for his own nefarious purposes.

In the context of identity and access management (IAM), the technology has led to the unintended consequence of cloning. Not in the physical sense, but from an access perspective.

The rise of the access clones

Imagine a new hire (let’s call him Nick) is being on-boarded as a trader at an investment bank. One of his friends (let’s call him Ben) who works there is showing him around on his first day.

At some point, they wander into the HR office where there’s some paperwork to fill out. The HR representative asks Ben who Nick will be reporting to, and Ben helpfully replies, “We both will report to Frank, but I’ll be his mentor for a while, since I’ve been here for a few years already.”

The HR representative says, “OK – I’ll need to know what applications Nick will need access to, so I can request it for him.”

Advertisement. Scroll to continue reading.

Ben replies, “I’m not really sure, why don’t you just give him the same access that I have because we’ll both be doing the same job.”

And thus, an access clone is born.

The silent risk that builds from access cloning

Like their sci-fi counterpart, access clones are made with good intentions. The new business users want to become productive as quickly as possible and they need access to applications and information to do so. Access clones go unnoticed by the people in charge, while the well-intentioned people creating the clones don’t realize the potential problems they’ve created.

But the risk is very real. It arises from the tendency of users to collect access rights over time that should be revoked when they change roles, or they complete projects. Access revocation in these scenarios is seldom performed, resulting in “access creep.” By cloning the access creeps, risk is multiplied.

The risk primarily comes from users who are able to circumvent controls and self-approve transactions for personal gain, using cloned access like an emperor uses clone troopers. Imagine a trader who can stage a massive trade and then approve it himself without oversight to move a market for his own benefit. Or a pharmacist who can use the system to self-prescribe OxyContin.

Access governance vs. the access clones

One way to combat the clones is to have business managers perform periodic access reviews and certify whether that access is necessary or not, with unnecessary access revoked, either automatically or manually. This is a detective control to enforce the least-privilege principle that makes up so many regulations, and is the primary component of an access governance program.

Separation of duties can also be enforced via policy with access governance solutions. For example, a policy can be written that the same person should not have rights to both stage and execute a trade. Then, by cataloging the entitlements of users across managed applications, violations of the policy can be identified and corrected.

When access governance fails

Access governance is helpful but is limited by the human factor. First, the access certification process is prone to rubber stamping. Most business managers see access reviews as a distraction from their more productive work, and are more inclined to look for the “select all” and “next” buttons on their approval.

But even if an organization has convinced business managers to give access certifications the diligence needed, they may look at two employees that have the same access and determine that both must be necessary. In that case, the clones actually work to protect each other!

Second, separation of duties policies can be automatically enforced, but they are still written by humans that have to consider the scenarios to create the policies in the first place. Incomplete policy will leave the organization vulnerable to risk.

Preventing cloning

Perhaps the best defense against access cloning is to reduce the need to clone in the first place. If hiring or business managers are presented with a list of applications or information that a user should have access to, based on their role, then there is less need to clone another user’s entitlements. A self-service access request and approval system, with built-in separation of duties enforcement, satisfies both the need of business users for convenience and the need of the organization to prevent abuse of privileges.

The combination of access governance and self-service access request and approval provides the best approach to strike back at the access clones.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...