In a Ponemon Institute survey of almost 700 experienced IT practitioners from U.S. business and governmental organizations, more than half of the respondents could not say with confidence that the process of assigning access rights is well-managed and tightly controlled within their organizations. That means there are a lot of application or data owners and caretakers who believe their business data can be accessed by people who probably shouldn't have access at all. Where do you fall in this spectrum, and what can you do about it?
Are you reasonably confident that your users have the appropriate rights to access the applications, files and data they need to do their jobs? By "appropriate rights" I mean the ability to access the resources necessary to fulfill a particular job function or business role, and nothing over and above that. If you’re a bit hesitant in answering "yes," then you aren’t alone.
Last year, the Ponemon Institute published the results of its independent 2008 National Survey on Access Governance. Sponsored by Aveksa, the survey gathered information from almost 700 experienced IT practitioners from U.S. business and governmental organizations. More than half of the respondents can’t say with confidence that the process of assigning access rights is well-managed and tightly controlled within their organizations.
That means there are a lot of application or data owners and caretakers who believe their business data can be accessed by people who probably shouldn’t have access at all. This presents a number of risks for organizations, including the potential loss, theft or compromise of sensitive data, as well as non-compliance with company policies and with government and industry regulations such as HIPAA, PCI DSS and SOX.
Additionally, 73% of the survey respondents report that their organizations determine risk to information based on the inherent risk of different data types rather than on users’ roles or functions. This result suggests that organizations find it too difficult to manage access rights at the individual level, because business roles and responsibilities with respect to information resources keep changing. The practice leaves ample room for internal abuse of data, because people end up being trusted with access they no longer need.
The Ponemon report cites several major challenges identified by the survey respondents when it comes to implementing an effective access governance framework:
• Organizations are finding it difficult to enforce access policies in a consistent fashion across the entire enterprise.
• Collaboration among business units and security, audit and compliance teams to ensure accountability for governing access and to understand roles and responsibilities is viewed as critical but is not being achieved.
• Organizations are not able to keep pace with changes to users’ roles as a result of transfers, terminations and revisions to job responsibilities. As a result, they face serious non-compliance and business risks.
• Senior management does not seem to understand the risk of inappropriate user access, or what resources are needed to mitigate the resulting compliance and business risks.
As you can see, the challenges tend to be organizational and political in nature rather than purely technical. Nevertheless, there are technology-based access governance solutions that provide the means to bridge the organizational chasms by delivering meaningful insight into who is accessing what data and applications. This visibility means that the entitlements within application resources are understandable to everyone involved in the compliance process: the application owners, the data security practitioners, the auditors and the IT administrators.
Not surprisingly, Aveksa – the Ponemon survey sponsor – offers just such a solution. Aveksa’s Enterprise Access Governance Platform puts access entitlement data in business friendly terms so that data security professionals can work with business managers to certify user access and clean up any issues they have.
The Enterprise Access Governance Platform provides automated monitoring, reporting, certification and remediation of entitlements and roles. The platform works with existing identity management technology to provide a unified view of user access across the enterprise. This allows the organization to aggregate and correlate entitlements, with the end goal of designing appropriate roles and supporting policies.
The Enterprise Access Governance Platform automatically collects identity and entitlement information for users across an organization’s network, recognizing that access data can be spread across multiple applications, directories and user access data stores. The platform normalizes the access data so that users, roles and granted entitlements are correlated for analysis and reporting. This normalized data serves as the basis of the platform's compliance management features, which include:
• Regular entitlement reviews and certifications, based on customized workflows and incorporating defined business rules and control objectives.
• Reporting and dashboards, including the analysis of user identities, entitlements, roles and compliance posture.
• Exception management, including further customized remediation workflows that can be triggered by business rules.
• A role-based approach for requesting access and managing change.
Aveksa’s governance platform has helped TIAA-CREF reduce the time it takes to do a complete entitlements review from four to six months down to just one month.
Susan L. P. Neubauer is the Chief Information Security Officer at TIAA-CREF, the world’s largest investment advisor and retirement planning system for the academic, medical, cultural and research fields. Neubauer says that access governance is an important control point for her company. Initially, TIAA-CREF built a system of databases and spreadsheets to track and review the access control process. However, it wasn’t scalable, leading the company to look for a more automated tool.
Neubauer’s team evaluated several products and selected Aveksa’s platform, largely because its user interface makes the process easy for both the people who administer the rules as well as the business managers who must review their employees’ access rights. The company now has a streamlined way to collect and monitor data pertaining to access to business applications. The entitlement rights are translated into descriptions that, as Neubauer says, “normal human beings can read.” She says the control improved because it is much easier for the business people to understand the entitlements and to take the appropriate action.
It took approximately six months for the company to fully deploy the Aveksa Enterprise Access Governance Platform across its distributed network. Neubauer says the hardest part was deciphering the application entitlement names, such as Q1XYRC or TENTYOUFP, and giving them a description that a business person can understand, such as “Payroll Check Processing.” Now everyone across the organization has a deeper and richer understanding of what the applications are doing; what things are being called; and who has or had access to specific functions within an application. Neubauer says they have improved the effectiveness of the control as well as the efficiency of performing it.
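The collect, normalize and correlate flow described above, together with the step TIAA-CREF found hardest (translating entitlement names such as Q1XYRC into a description a business manager can certify), can be sketched in a few lines. What follows is an added example written for this article; it is not Aveksa's code and not TIAA-CREF's process. Every user, group, HR record, glossary entry and role-model entry is constructed for illustration (only the entitlement names Q1XYRC, TENTYOUFP and the description "Payroll Check Processing" come from the article), and the two "exports" stand in for whatever a directory dump and an application's own ACL table would actually look like.

```python
"""Toy entitlement aggregation, correlation and certification report.

Added example for this article, not Aveksa's or TIAA-CREF's code.
All input data below is constructed.
"""
from collections import defaultdict

# Constructed HR feed: user -> (manager, employment status, job role)
HR_RECORDS = {
    "asmith": ("jdoe", "active", "payroll_clerk"),
    "bjones": ("jdoe", "active", "payroll_clerk"),
    "cwong":  ("mlee", "terminated", "analyst"),
    "jdoe":   ("ceo",  "active", "payroll_manager"),
}

# Constructed directory export: (group, member) pairs
DIRECTORY_GROUPS = [
    ("GRP-PAYROLL-RW", "asmith"),
    ("GRP-PAYROLL-RW", "jdoe"),
    ("GRP-FIN-REPORTS", "cwong"),
]

# Constructed payroll application ACL: (user, native entitlement code).
# "svc_old" has no HR record, i.e. an orphaned account.
PAYROLL_APP_ACL = [
    ("asmith", "Q1XYRC"),
    ("bjones", "Q1XYRC"),
    ("bjones", "TENTYOUFP"),
    ("jdoe", "TENTYOUFP"),
    ("svc_old", "Q1XYRC"),
]

# Business glossary: (system, cryptic code) -> wording a manager can read.
# "Payroll Check Processing" is the article's example; the rest is made up.
GLOSSARY = {
    ("payroll", "Q1XYRC"): "Payroll Check Processing",
    ("payroll", "TENTYOUFP"): "Payroll Approval",
    ("directory", "GRP-PAYROLL-RW"): "Payroll Database Read/Write",
    ("directory", "GRP-FIN-REPORTS"): "Finance Reporting",
}

# Hypothetical role model: the entitlements each job role is expected to hold.
ROLE_MODEL = {
    "payroll_clerk": {("payroll", "Q1XYRC"), ("directory", "GRP-PAYROLL-RW")},
    "payroll_manager": {("payroll", "TENTYOUFP"), ("directory", "GRP-PAYROLL-RW")},
    "analyst": {("directory", "GRP-FIN-REPORTS")},
}


def normalize():
    """Collapse both sources into a single set of (user, system, code) tuples."""
    ents = set()
    for group, member in DIRECTORY_GROUPS:
        ents.add((member, "directory", group))
    for user, code in PAYROLL_APP_ACL:
        ents.add((user, "payroll", code))
    return ents


def describe(system, code):
    """Translate a native entitlement code; undescribed codes stay visible."""
    return GLOSSARY.get((system, code), f"UNDESCRIBED:{code}")


def find_exceptions(ents):
    """Correlate entitlements with HR data and flag the three classic failures:
    orphaned accounts, non-active users still holding access, and
    entitlements that fall outside the holder's role."""
    exceptions = []
    for user, system, code in sorted(ents):
        rec = HR_RECORDS.get(user)
        if rec is None:
            exceptions.append((user, system, code, "orphan: no HR record"))
            continue
        _manager, status, role = rec
        if status != "active":
            exceptions.append((user, system, code, f"status {status}"))
        elif (system, code) not in ROLE_MODEL.get(role, set()):
            exceptions.append((user, system, code, f"outside role {role}"))
    return exceptions


def certification_packets(ents):
    """Group each user's entitlements under their manager, in business terms,
    so the manager can certify or revoke without decoding application names."""
    packets = defaultdict(list)
    for user, system, code in sorted(ents):
        rec = HR_RECORDS.get(user)
        manager = rec[0] if rec else "UNASSIGNED"
        packets[manager].append((user, describe(system, code)))
    return dict(packets)


if __name__ == "__main__":
    entitlements = normalize()
    for manager, rows in certification_packets(entitlements).items():
        print(f"Review packet for {manager}:")
        for user, description in rows:
            print(f"  {user}: {description}")
    print("Exceptions:")
    for row in find_exceptions(entitlements):
        print("  ", row)
```

Run as a script, the example produces one review packet per manager and an exception list containing bjones (a clerk holding the approval entitlement), cwong (terminated but still in a finance group, the lag the survey respondents complained about) and svc_old (an account no HR record explains). It deliberately does not flag entitlements a role is missing; under-provisioning is a help-desk problem, not an access governance risk. Unmapped codes surface as UNDESCRIBED rather than being hidden, because an entitlement nobody can describe is exactly the one a reviewer tends to rubber-stamp.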
Access governance is not just an IT responsibility, but should be shared by the functions responsible for mitigating business risks. Fortunately, IT tools like the Aveksa platform can provide the common insight for all the responsible parties to perform their jobs.