The CIO-level business angle on the latest tech
Are you reasonably confident that your users have the appropriate rights to access the applications, files and data they need to do their jobs? By "appropriate rights" I mean the ability to access the resources necessary to fulfill a particular job function or business role, and nothing over and above that (in other words, least privilege). If you're a bit hesitant to answer "yes," you aren't alone.
Last year, the Ponemon Institute published the results of its independent 2008 National Survey on Access Governance. Sponsored by Aveksa, the survey gathered responses from almost 700 experienced IT practitioners in U.S. business and governmental organizations. More than half of the respondents could not say with confidence that the process of assigning access rights is well-managed and tightly controlled within their organizations.
In other words, a large number of application and data owners and caretakers cannot rule out that their business data is accessible to people who should not have access at all. This exposes organizations to a number of risks, including the loss, theft or compromise of sensitive data, as well as non-compliance with company policies and with government and industry regulations such as HIPAA, PCI DSS and SOX.
Additionally, 73% of the survey respondents report that their organizations assess risk to information based on the inherent sensitivity of different data types rather than on users' roles or functions. This result suggests that organizations find it too difficult to manage access rights at the individual level, because business roles and responsibilities with respect to information resources keep changing. The practice leaves wide latitude for internal abuse of data, because people are trusted with access when perhaps they shouldn't be.
The Ponemon report cites several major challenges identified by the survey respondents when it comes to implementing an effective access governance framework:
• Organizations are finding it difficult to enforce access policies consistently across the entire enterprise.
• Collaboration among business units and the security, audit and compliance teams, both to ensure accountability for governing access and to understand roles and responsibilities, is viewed as critical but is not being achieved.
• Organizations are not able to keep pace with changes to users' roles that result from transfers, terminations and revisions to job responsibilities. As a result, they face serious non-compliance and business risks.
• Senior management does not seem to understand the risk of inappropriate user access, or what resources are needed to address the resulting compliance and business risks.
As you can see, the challenges tend to be organizational and political in nature rather than purely technical. Nevertheless, there are technology-based access governance solutions that help bridge the organizational chasms by delivering meaningful insight into who has access to which data and applications. That visibility makes the entitlements within application resources understandable to everyone involved in the compliance process: the application owners, the data security practitioners, the auditors and the IT administrators.
Linda Musthaler is a principal analyst with Essential Solutions Corporation.