The phrase "It's the economy, stupid", coined by political strategist James Carville, pretty much sums up the strategy behind Bill Clinton's successful run for the White House. In the context of this topic, the apt phrase would be "it's the unknown, stupid."
What is the challenge?
Think about a scenario: a mid-size company with 1000+ employees, 50+ applications, 100+ shared folders, 10 different role types, and 20% annual employee churn. That adds up to potentially a million access privilege changes a year, or roughly 3000 per day. Add the complexity of shadow IT systems, unknown application footprints, heterogeneous environments, a remote workforce, and poorly documented roles and responsibilities, and you have an "Access Mess."
According to the 2021 Data Risk Report by Varonis, 44% of manufacturing, 64% of financial services, and 74% of healthcare companies had over 1000 orphaned accounts, each of which is a potential security exposure.
Why is this still an issue?
In the past, organizations would have turned to traditional identity and access management solutions to address these challenges, but those have mostly flattered to deceive. Their architecture, built around a centralized identity profile tightly integrated with the target systems (primarily on-premises applications), has meant inordinately long and expensive implementation cycles.
According to third-party researchers, 50% of identity and access management implementations fail the first time, and even where they succeed, most CXOs believe they have not gotten enough value out of the system. The combined impact of the trends mentioned above and the inability of the traditional approach to address identity-related challenges has exposed an underbelly that needs a complete rethink.
Time for a new approach
The industry is abuzz with the next set of terms, such as Zero Trust, User Behavior Analytics, and multi-factor authentication, to address identity management challenges. Identifying and authenticating the right user to the right application is essential, but a linked area, Access Governance, goes relatively unaddressed. Given the heterogeneity of access privileges and user types, plus the complexity added by constant churn in user roles, one needs to get one's arms around what these identities are supposed to be able to do in the first place.
A few aspects of access governance need to be understood well before they can be defended.
- Stale Access: First, at an organizational level, build a complete picture of the privileges granted to all user types, employees and contractors alike. Stale and inappropriate access rights contribute to a large share of insider-related threats. Disabling access for users on extended leave (sabbatical, parental leave, vacation) is also good practice for limiting the risk carried by accounts nobody is watching.
- Beyond Application Access: While application privileges are important to control, there is an equally important underbelly of privileges that needs to be controlled. For example: endpoint controls (removable devices, USB blocking, local admin rights), network access (Internet, Wi-Fi, VPN), shared services (folders, files, printers), and cloud services.
- Privilege harvesting: Access rights often end up being equated with the power one enjoys within the company, resulting in an uncontrolled access footprint at the company's highest echelons. These are the same people most likely to be targeted by social engineering attacks. Understanding usage patterns and harvesting (reclaiming) access rights that go unused is one way to limit the damage should their credentials be compromised.
- Financial Impact: Most applications (on-premises or cloud) have user-based licenses. Access harvesting ensures that you pay for what you use and, more importantly, for what you need.
The case for user access reviews (UAR)
Per ISACA, "User access review is a control to periodically verify that only legitimate users have access to applications or infrastructure." It is one of the essential elements of an access governance program. Organizations must carry out periodic access compliance audits so that any mismatch between a user's role and their access rights gets trued up over time, especially where changes to roles and responsibilities are made manually or go undocumented.
Ideally, the application business owner should be responsible for driving the user access review control for business users. The owner can delegate the activity, but accountability for the control, and for any violations found, ultimately stays with them. The review should be scheduled at predetermined intervals, either automatically triggered or manually initiated. It starts with the owner receiving the list of existing users, roles, and privileges, followed by verification of each entry's status and action to update or delete the wrong privileges.
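The review procedure above, together with the stale-access, leave-status and privilege-harvesting points from the earlier list, can be turned into a reconciliation step that produces the owner's action list automatically. The script below is an added example and not part of the original article or any product it alludes to; the HR roster, the application access export, the role-to-privilege model and the 90-day staleness threshold are all constructed for illustration.

```python
"""Reconcile an application access export against the HR roster to prepare a
user access review (UAR).  Added example; all data below is constructed."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

REVIEW_DATE = date(2023, 6, 30)
STALE_DAYS = 90  # assumed threshold: a privilege unused this long is a reclaim candidate


@dataclass(frozen=True)
class Worker:
    user_id: str
    status: str  # "active", "leave" or "terminated"
    role: str


@dataclass(frozen=True)
class Entitlement:
    user_id: str
    privilege: str
    last_used: Optional[date]  # None means the privilege was never exercised


# Constructed HR roster (what the organization says about its people).
HR: Dict[str, Worker] = {
    "alice": Worker("alice", "active", "analyst"),
    "bob": Worker("bob", "active", "manager"),
    "carol": Worker("carol", "leave", "analyst"),
    "dave": Worker("dave", "terminated", "admin"),
}

# Constructed access export (what the application says about its users).
ACCESS: List[Entitlement] = [
    Entitlement("alice", "read", date(2023, 6, 20)),
    Entitlement("alice", "approve", date(2023, 6, 1)),
    Entitlement("bob", "approve", date(2023, 1, 15)),
    Entitlement("bob", "read", date(2023, 6, 29)),
    Entitlement("carol", "read", date(2023, 3, 1)),
    Entitlement("dave", "admin", date(2023, 6, 28)),
    Entitlement("eve", "read", None),  # no HR record at all
]

# Assumed role model: which privileges each role is entitled to in this app.
ROLE_MODEL: Dict[str, Set[str]] = {
    "analyst": {"read"},
    "manager": {"read", "approve"},
    "admin": {"read", "approve", "admin"},
}

Finding = Tuple[str, str, str, str]  # (user_id, privilege, reason, action)


def review(access: List[Entitlement], hr: Dict[str, Worker],
           role_model: Dict[str, Set[str]], today: date = REVIEW_DATE,
           stale_days: int = STALE_DAYS) -> List[Finding]:
    """Return the action items the application owner must decide on.

    Checks run in order of severity: an orphaned account (no HR record or a
    terminated worker) is flagged before anything else, then accounts on
    extended leave, then privileges the worker's role does not justify, and
    finally privileges that are justified but have gone unused (harvesting).
    Entitlements that pass every check are not reported."""
    findings: List[Finding] = []
    for e in access:
        worker = hr.get(e.user_id)
        if worker is None or worker.status == "terminated":
            findings.append((e.user_id, e.privilege, "orphaned", "delete"))
        elif worker.status == "leave":
            findings.append((e.user_id, e.privilege, "on_leave", "disable"))
        elif e.privilege not in role_model.get(worker.role, set()):
            findings.append((e.user_id, e.privilege, "role_mismatch", "remove"))
        elif e.last_used is None or (today - e.last_used).days > stale_days:
            findings.append((e.user_id, e.privilege, "unused", "reclaim"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for the owner's sign-off summary."""
    counts: Dict[str, int] = {}
    for _, _, reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    items = review(ACCESS, HR, ROLE_MODEL)
    for user_id, privilege, reason, action in items:
        print(f"{user_id:<6} {privilege:<8} {reason:<14} -> {action}")
    print(summarize(items))
```

The ordering of the checks matters: a terminated administrator who logged in two days ago is still an orphaned account to be deleted, not a healthy privilege, which is why the HR status is consulted before the usage data. Real deployments would pull the roster from the HR system and the entitlement list and last-used timestamps from the application or an identity provider, but the reconciliation logic stays the same.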
In summary
Access governance is a reasonably well-understood concept in regulated industries, where periodic access compliance audits are demanded by regulators. For enterprises without compliance obligations, access governance is mostly treated as a nice-to-have capability. That thinking needs to change once one looks squarely at the security risk involved.
Governance in the daily life of citizens is well summarized by "Government of the people, by the people, for the people." With a twist for this topic, it could read "Access governance of the users, for the applications, by the organization."