Satisfying the insatiable demand of compliance mandates for least privilege (or “need to know”) controls has led to a growing need for help. Least privilege governance requirements can be found in all our favorite regulations, such as PCI DSS (Requirement 7), GLBA (Section 501(b)), HIPAA (§164.308 and §164.312), and so on. Businesses must be able to identify who has access to what, and reduce that access to the minimum number of people necessary to do the job.
The challenge of running a modern movie theater
Minimizing access is far more difficult than it sounds. It’s the IT equivalent of trying to run a mega-plex cinema. Just because a customer (a business user) has access to one movie (an application or data store) doesn’t mean they should have access to all the other movies available. Some cinema operators have decided that it isn’t cost effective to enforce access to individual theaters, checking tickets only at the main entrance. Other cinemas check tickets at the door to each theater.
It would seem rude to check tickets in the middle of a movie, but in this analogy, that’s what IT is required to do for applications or data that require governance. As you can imagine, just like moviegoers, the users aren’t exactly happy with the interruption.
To make matters worse, the users have decided to bring their own devices into the theater, creating the potential for content theft, accidental or intentional disruption of service, and even the possibility of ignoring the movie on the screen (the application supplied by an organization) and accessing their own content from the cloud.
Add to the movie experience the “insiders” who are dedicated to servicing the theater (privileged users) and suppliers delivering popcorn (contractors), and the challenge is multiplied further. What sort of enforcement effort is really required?
Access Certification to the rescue, sort of
Since it is cost-prohibitive to hire an army of theater ushers (or IT administrators) to move from theater to theater enforcing least privilege, Access Governance software is being adopted to automate the process for information technology.
In particular, the access certification component of access governance collects entitlement data (checking tickets) across all the applications and data stores requiring governance, along with the users and their devices, and provides a centralized report for management to review. This is helpful, but how ridiculous would it be for management to then file that report and do nothing else with it?
Obviously, there must be enforcement of policies if a user is found with “access creep,” the gradual accumulation of entitlements beyond what the current job requires. This is common today, because unlike customers at a movie theater, business users tend to gather access the longer they remain with a company, especially as they change roles. So, management is required to periodically review the Access Certification report and flag users who have access to things they don’t need. But, then what?
Access Certification is meaningless without revocation
The ushers have to do the work of kicking out the theater hoppers. In IT, this often means an administrator has to manually revoke access. It’s not difficult to do for a handful of users flagged in the access certification report, but it quickly becomes unmanageable with a growing number of applications and data stores, mobile users, and the proliferation of cloud services.
So, a backlog grows. And revocation efforts are missed. All the effort of collecting and certifying access is really meaningless unless there is an effective revocation process.
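To make the certify-then-revoke loop concrete, here is an added example (not code from the original post or from any particular Access Governance product). It aggregates entitlements from several hypothetical applications, flags anything outside a user’s role baseline or held by a user with no current role, pushes revocations through per-application connectors, and then re-reads the applications to find what is still in place. The application names, users, permissions and role baselines are all constructed for the example; the point is the final verification step, which surfaces the backlog regardless of what the connectors reported.

```python
"""Closed-loop access certification: collect, certify, revoke, verify.

Added example with constructed data; app names, users, permissions and
role baselines are hypothetical.
"""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    app: str
    permission: str


@dataclass
class RevocationTask:
    user: str
    entitlement: Entitlement
    reason: str
    status: str = "queued"  # queued -> revoked | failed


# --- Constructed sample data ------------------------------------------------
ROLE_BASELINE = {
    "trader": {Entitlement("trading", "book_trade"), Entitlement("trading", "view_positions")},
    "settlements": {Entitlement("settlements", "post_entry"), Entitlement("trading", "view_positions")},
}
# A user whose role is None has left or has no current assignment.
USER_ROLES = {"u.trader1": "trader", "u.settle1": "settlements", "u.former": None}

# What each application reports: app -> user -> permissions actually held.
# u.trader1 kept settlements and HR access from previous roles (access creep);
# u.former still has HR access after leaving.
SNAPSHOT = {
    "trading": {"u.trader1": {"book_trade", "view_positions"}, "u.settle1": {"view_positions"}},
    "settlements": {"u.trader1": {"post_entry"}, "u.settle1": {"post_entry"}},
    "hr_portal": {"u.trader1": {"view_payroll"}, "u.former": {"view_payroll"}},
}


def collect_entitlements(snapshot):
    """Step 1: aggregate who holds what across every governed application."""
    held = {}
    for app, users in snapshot.items():
        for user, perms in users.items():
            held.setdefault(user, set()).update(Entitlement(app, p) for p in perms)
    return held


def certify(held, user_roles, baseline):
    """Step 2: flag entitlements outside the user's role baseline, and every
    entitlement held by a user with no active role."""
    tasks = []
    for user, ents in sorted(held.items()):
        role = user_roles.get(user)
        allowed = baseline.get(role, set()) if role else set()
        for ent in sorted(ents - allowed, key=lambda e: (e.app, e.permission)):
            reason = "no active role" if role is None else f"outside baseline for role '{role}'"
            tasks.append(RevocationTask(user, ent, reason))
    return tasks


class Connector:
    """Simulated per-application connector. An app with integrated=False is the
    gap the text warns about: its revocations cannot be executed automatically."""

    def __init__(self, app, snapshot, integrated=True):
        self.app, self.snapshot, self.integrated = app, snapshot, integrated

    def revoke(self, user, permission):
        if not self.integrated:
            return False
        self.snapshot[self.app].get(user, set()).discard(permission)
        return True


def execute(tasks, connectors):
    """Step 3: attempt each flagged revocation through the app's connector."""
    for t in tasks:
        ok = connectors[t.entitlement.app].revoke(t.user, t.entitlement.permission)
        t.status = "revoked" if ok else "failed"
    return tasks


def verify(tasks, snapshot):
    """Step 4: close the loop. Re-read application state and return every task
    whose permission is still present, whatever the connector claimed."""
    return [t for t in tasks
            if t.entitlement.permission in snapshot.get(t.entitlement.app, {}).get(t.user, set())]


def run_cycle(snapshot, user_roles, baseline, unintegrated=()):
    """Run one certification cycle on a copy of the snapshot and report the backlog."""
    snapshot = copy.deepcopy(snapshot)
    connectors = {app: Connector(app, snapshot, integrated=app not in unintegrated) for app in snapshot}
    tasks = certify(collect_entitlements(snapshot), user_roles, baseline)
    execute(tasks, connectors)
    backlog = verify(tasks, snapshot)
    return {
        "flagged": len(tasks),
        "revoked": sum(t.status == "revoked" for t in tasks),
        "backlog": [(t.user, t.entitlement.app, t.entitlement.permission) for t in backlog],
    }


if __name__ == "__main__":
    # hr_portal has no connector, so its two revocations land in the backlog.
    print(run_cycle(SNAPSHOT, USER_ROLES, ROLE_BASELINE, unintegrated=("hr_portal",)))
```

The backlog list is the artifact that matters for the auditor and the security team alike: an application that certification can read but revocation cannot reach shows up every cycle until someone either integrates it or clears the items by hand.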
But aren’t many organizations stopping short of effective revocation today? Much of the focus is on completing that annual Access Certification effort for auditors, and once it is complete, it is assumed that IT administrators will revoke the flagged access, enforce the least privilege principle, and thereby satisfy the regulations.
The Real Risk
Since auditors only spot-check the enforcement of these controls, chances are that they aren’t finding all of the missed revocations. So, the old saying that “just because you are compliant doesn’t mean you are secure” applies in this case.
The risk is evident in examples such as Nick Leeson abusing his access to an error account to hide losses on unauthorized speculative trades, which eventually caused the collapse of Barings Bank, the oldest merchant bank in the UK at the time. That happened in 1995, when information technology was simpler; the challenge is greater today.
Just as automation is applied to the process of Access Certification, the process of revocation needs automation to deliver an Access Governance program that not only satisfies compliance mandates, but actually reduces risk. Identity and access management platforms that don’t integrate with key financial applications and data stores, in the cloud and on-premises, to automatically revoke access as directed by Access Governance leave a gap for malicious insiders to exploit.
We’ve seen how Nick Leeson’s movie “Rogue Trader” ends. Evaluate your Identity and Access Management and Access Governance platforms to make sure the gaps in your processes won’t result in curtains for your business.