Cloud computing makes IT access governance messier

Network access controls harder than ever to set up, survey says

IT professionals are finding it harder than ever to set up access controls for network resources and applications used by organization employees, and cloud computing is only adding to their woes, a survey of 728 IT practitioners finds.

Endpoint security gets complicated

The Ponemon Institute's "2010 Access Governance Trends Survey," which asked 728 IT practitioners about their procedures and outcomes in setting up access to information resources, found the situation worsening over the past two years. In comparison to a similar survey done by Ponemon two years ago, this year's survey found 87% believed individuals had too much access to information systems, up 9% from 2008.

And in a new question asked this year about how use of cloud computing fits with access-control strategies, 73% of respondents said adoption of cloud-based applications is enabling business users to circumvent existing access policies.

Cloud-based services "are often purchased directly by business units without consideration of access governance," says the 2010 Access Governance Trends Survey, published Monday. The survey was sponsored by Aveksa.

It is the people in the business units, rather than the IT department, that have growing influence over granting user access to information resources, with 37% in 2010 saying the business units had the responsibility as opposed to just 29% saying this in 2008.

But this doesn't necessarily seem to be advancing the goal that access-control policies are met, at least in the eyes of the IT professionals, over half of whom said they can't even keep pace with information-access requests. Nineteen percent even said "there's no accountability in who makes access decisions."

The report, which points to a need for greater collaboration between business units, the IT department and internal audit and compliance, indicates cloud computing is making a messy situation even messier in terms of access-control governance.

"The sales operations and business lines are buying into the cloud, sometimes without even calling IT security," says Brian Cleary, vice president of marketing at Aveksa.

For IT professionals, cloud computing "is creating another potential issue that creates stress," says Dr. Larry Ponemon about the survey's findings. "The frustration is on top of everything you're doing on premises, you add another element to access governance."

The Ponemon study also shows that when it comes to procedures, organizations tend to fall fairly equally into three camps: those who rely on more causal and often manual "ad hoc" processes for defining and implementing access controls; those who have "well-defined processes that are controlled by the business or application owners," and "well-defined processes centrally controlled by corporate IT."

There's still widely varying a mix of technical and manual controls, but use of commercial off-the-shelf software was up 6% over the last two years to 36%, according to the survey. The study claims that the ad hoc process in particular "can contribute to excess user access and generally decrease the ability to apply policies and processes consistently across the enterprise."

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies