How Access Governance is Like Running a Movie Theater

Satisfying the insatiable demand of compliance mandates for least privilege (or “need to know”) controls has created a growing need for help. Least privilege governance requirements can be found in all our favorite regulations, such as PCI DSS (Requirement 7), GLBA (section 501(b)), HIPAA (§164.308 and §164.312), and so on. Businesses must be able to identify who has access to what, and reduce that access to the minimum each person needs to do the job.

The challenge of running a modern movie theater

Minimizing access is far more difficult than it sounds. It’s the IT equivalent of trying to run a multiplex cinema. Just because a customer (a business user) has a ticket to one movie (an application or data store) doesn’t mean they should have access to all the other movies showing. Some cinema operators have decided that it isn’t cost effective to enforce access to individual theaters and check tickets only at the main entrance. Other cinemas check tickets at the door to each theater.

It would seem rude to check tickets in the middle of a movie, but in this analogy, that’s what IT is required to do for applications or data that require governance. As you can imagine, just like moviegoers, the users aren’t exactly happy with the interruption.

To make matters worse, the users have decided to bring their own devices into the theater, creating the potential for content theft, accidental or intentional disruption of service, and even the possibility of ignoring the movie on the screen (the application supplied by an organization) and accessing their own content from the cloud.

Add to the movie experience the “insiders” who are dedicated to servicing the theater (privileged users) and suppliers delivering popcorn (contractors), and the challenge is multiplied further. What sort of enforcement effort is really required?

Access Certification to the rescue, sort of

Since it is cost-prohibitive to hire an army of theater ushers (or IT administrators) to move from theater to theater enforcing least privilege, Access Governance software is being adopted to automate the process.

In particular, the access certification component of access governance collects entitlement data (checking tickets) across all the applications and data stores requiring governance, along with the users and their devices, and provides a centralized report for management to review. This is helpful, but how ridiculous would it be for management to then file that report and do nothing else with it?

Obviously, policies must be enforced when a user is found with “access creep.” This is common today because, unlike customers at a movie theater, business users tend to accumulate access the longer they stay with a company, especially as they change roles. So, management is required to periodically review the Access Certification report and flag users who have access to things they don’t need. But then what?

Access Certification is meaningless without revocation

The ushers have to do the work of kicking out the theater hoppers. In IT, this often means an administrator has to manually revoke access. It’s not difficult to do for a handful of users flagged in the access certification report, but it quickly becomes unmanageable with a growing number of applications and data stores, mobile users, and the proliferation of cloud services.

So, a backlog grows. And revocation efforts are missed. All the effort of collecting and certifying access is really meaningless unless there is an effective revocation process.

But aren’t many organizations stopping short of effective revocation today? Much of the focus is on completing the annual Access Certification effort for the auditors, and once that is done, it is simply assumed that IT administrators will revoke the flagged access, enforce the least privilege principle, and thereby satisfy the regulations.

The Real Risk

Since auditors only spot-check the enforcement of these controls, chances are they aren’t finding all of the missed revocations. So the old saying, “just because you are compliant doesn’t mean you are secure,” applies here.

The risk is evident in examples such as Nick Leeson abusing his access to an error account to hide losses on speculative trades, which eventually caused the collapse of Barings Bank, the oldest merchant bank in the UK at the time. That happened in 1995, when information technology was far simpler; the challenge is greater today.

Just as automation is applied to the process of Access Certification, the process of revocation needs automation to deliver an Access Governance program that not only satisfies compliance mandates but actually reduces risk. Identity and access management platforms that don’t integrate with key financial applications and data stores, in the cloud and on-premises, to automatically revoke access as directed by Access Governance leave a gap for malicious insiders to exploit.
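To make the certify-then-revoke loop described in the last few sections concrete, here is an added example that is not part of the original article or any vendor’s product. It computes the certification report (entitlements beyond what a user’s current role justifies), pushes the flagged items to a deprovisioning connector, keeps a backlog of what could not be revoked, and then re-certifies a fresh snapshot so missed revocations surface without waiting for an auditor’s spot check. All users, roles, applications and entitlements are constructed sample data, and `revoke_via_connector` is a stand-in for a real IAM connector call.

```python
"""Access certification with an automated revocation loop and a post-revocation
reconciliation check. Added example (not the article's own code); every user,
role, application and entitlement below is constructed sample data."""

# Role model: the entitlements each job function legitimately needs (least privilege).
ROLE_BASELINE = {
    "trader":      {("ledger", "trade-entry"), ("mail", "mailbox")},
    "settlements": {("ledger", "error-account-write"), ("ledger", "trade-entry"), ("mail", "mailbox")},
    "contractor":  {("ticketing", "read")},
}

# Current role per user. alice moved from settlements to trading and kept her old access.
USER_ROLE = {"alice": "trader", "bob": "contractor", "carol": "settlements"}

# Snapshot of what the systems actually grant today, collected across all applications.
SNAPSHOT = {
    "alice": {("ledger", "trade-entry"), ("ledger", "error-account-write"), ("mail", "mailbox")},
    "bob":   {("ticketing", "read"), ("ledger", "trade-entry"), ("mail", "mailbox")},
    "carol": {("ledger", "error-account-write"), ("ledger", "trade-entry"), ("mail", "mailbox")},
}

# Applications with a working deprovisioning connector. "ledger" has none:
# that is exactly the gap the article warns about.
CONNECTED_APPS = {"mail", "ticketing"}


def certify(snapshot, user_role, baseline):
    """Access certification: per user, the entitlements beyond what the user's
    current role justifies (access creep). A user with no known role gets nothing."""
    excess = {}
    for user, held in snapshot.items():
        allowed = baseline.get(user_role.get(user), set())
        creep = held - allowed
        if creep:
            excess[user] = creep
    return excess


def revoke_via_connector(user, app, entitlement):
    """Stand-in (assumption) for an IAM connector. Returns True when the
    revocation was applied; apps without a connector cannot be deprovisioned."""
    return app in CONNECTED_APPS


def revoke(excess, connector=revoke_via_connector):
    """Push every flagged entitlement to the connector. Failures go to a
    backlog so they are tracked rather than silently forgotten."""
    done, backlog = [], []
    for user, creep in excess.items():
        for app, ent in sorted(creep):
            target = done if connector(user, app, ent) else backlog
            target.append((user, app, ent))
    return done, backlog


def apply_results(snapshot, done):
    """Simulate the next entitlement pull after the successful revocations."""
    after = {user: set(ents) for user, ents in snapshot.items()}
    for user, app, ent in done:
        after[user].discard((app, ent))
    return after


def reconcile(after, user_role, baseline):
    """Post-revocation check: re-certify a fresh snapshot. Anything still flagged
    is a missed revocation that an annual spot check would likely not catch."""
    return certify(after, user_role, baseline)


if __name__ == "__main__":
    flagged = certify(SNAPSHOT, USER_ROLE, ROLE_BASELINE)
    done, backlog = revoke(flagged)
    missed = reconcile(apply_results(SNAPSHOT, done), USER_ROLE, ROLE_BASELINE)
    print("flagged by certification:", flagged)
    print("revoked:", done)
    print("backlog (no connector):", backlog)
    print("still present after revocation:", missed)
```

Running it shows the article’s point in miniature: certification correctly flags alice’s leftover error-account access and bob’s extra ledger and mailbox entitlements, but only the mailbox is actually revoked because the ledger has no connector. The reconciliation step is what turns that into a visible backlog instead of a quiet compliance gap.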

We’ve seen how Nick Leeson’s movie “Rogue Trader” ends. Evaluate your Identity and Access Management and Access Governance platforms to make sure the gaps in your processes won’t result in curtains for your business.
