
The internal threat: limiting access related risk
With the recent news that the Information Commissioner's Office (ICO) will in April be given the power to impose fines on organisations that breach the terms of the Data Protection Act, ensuring that the right security measures are in place within a company has become even more crucial.
A data breach should be sending shivers down every business's spine.
Outside the private sector sphere, the ICO will have the ability to carry out audits on Government departments suspected of having slack access controls in place. The move highlights the need for both public and private sectors to continue to regularly check that stringent access controls and policies are in place to reduce access related risk.
The mass redundancies that took place in 2009 weakened security in two ways. There was a surge in disgruntled employees who may have tried to take confidential and highly valuable company data for malicious intent or financial gain, and an increase in orphaned accounts belonging to people who had left the company but whose accounts were not closed quickly or effectively and so remained fully usable. Both leave companies at huge risk.
It is not always malicious. Employees' natural curiosity leads them to view customers' private records or company IP, which is still classified as a data breach, often without considering the repercussions. They may simply be taking advantage of a lack of access policy controls at the companies they work for, without realising the privacy laws they are breaking and the risk they are exposing their organisations to.
This only highlights how poorly user access is governed at these organisations. For policies to limit risk, be effective and be applied consistently, they need to be instantiated as a set of automated controls, not just filed in the corporate security policy folder.
Organisations need to focus on ensuring that each employee's entitlements to information resources are only those 'absolutely necessary' for their particular job function. Employees may accumulate unnecessary access privileges as they are promoted, transferred or loaned to another department within the organisation; there is nothing strange about that. But users who drag along entitlements that are not needed in their new role may create toxic combinations of access that often result in segregation-of-duties violations or other business risks. These are surprisingly common problems in large organisations, and they are a natural consequence of the usual pressure on IT departments to provide access quickly when employees are transferred or promoted into positions that require new sets of access privileges.
Leveraging a role-based access governance approach will enable organisations to put automated, preventative controls in place for access delivery and access change management that ensure user access is appropriate for a particular job function or process role. Access to information resources, including personally identifiable information, should be governed on the basis of a valid business reason for access, which will mitigate business and compliance risk.
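The three problems the two preceding paragraphs describe (orphaned accounts left behind by leavers, entitlements dragged along through transfers, and toxic combinations that violate segregation of duties) are all mechanical to detect once access is modelled against job roles. The following Python is an added example written for this page; it is not code from the article or from Aveksa. It assumes a constructed HR roster, a constructed role-to-entitlement model, a constructed list of SoD rules and a constructed snapshot of provisioned accounts, and it shows both the detective review over the snapshot and the preventative check that would run before a new grant is provisioned.

```python
"""Role-based access governance checks (added example, constructed data).

Detective pass: flag orphaned accounts, entitlements outside the owner's
current role, and segregation-of-duties (SoD) conflicts in a snapshot.
Preventative pass: evaluate a proposed grant before it is provisioned.
All identifiers and data below are constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed HR roster: employee id -> (current job role, still employed?)
HR_ROSTER: Dict[str, Tuple[str, bool]] = {
    "e100": ("accounts_payable_clerk", True),
    "e101": ("vendor_manager", True),
    "e102": ("hr_analyst", False),      # left the company
    "e103": ("payroll_admin", True),
}

# Constructed role model: the entitlements each job function actually needs.
ROLE_MODEL: Dict[str, Set[str]] = {
    "accounts_payable_clerk": {"ap.invoice.create", "ap.invoice.view"},
    "vendor_manager": {"vendor.master.edit", "vendor.master.view"},
    "hr_analyst": {"hr.record.view"},
    "payroll_admin": {"payroll.run", "hr.record.view"},
}

# Constructed SoD rules: entitlement sets no single user may hold together.
SOD_RULES: List[FrozenSet[str]] = [
    frozenset({"ap.invoice.create", "vendor.master.edit"}),  # create vendor + pay it
    frozenset({"payroll.run", "hr.record.edit"}),            # edit pay data + run payroll
]

# Constructed snapshot of what the provisioning system has actually granted.
ACCOUNTS: Dict[str, Set[str]] = {
    "e100": {"ap.invoice.create", "ap.invoice.view", "vendor.master.edit"},  # kept old team's access
    "e101": {"vendor.master.edit", "vendor.master.view"},
    "e102": {"hr.record.view"},        # owner has left: orphaned
    "e103": {"payroll.run", "hr.record.view"},
    "svc-legacy": {"hr.record.edit"},  # no HR record at all: orphaned
}


def _is_active(uid: str, roster: Dict[str, Tuple[str, bool]]) -> bool:
    return uid in roster and roster[uid][1]


def find_orphaned_accounts(accounts=ACCOUNTS, roster=HR_ROSTER) -> List[str]:
    """Accounts whose owner is unknown to HR or no longer employed."""
    return sorted(uid for uid in accounts if not _is_active(uid, roster))


def find_excess_entitlements(accounts=ACCOUNTS, roster=HR_ROSTER,
                             role_model=ROLE_MODEL) -> Dict[str, List[str]]:
    """Entitlements an active user holds beyond what the current role needs."""
    excess: Dict[str, List[str]] = {}
    for uid, ents in accounts.items():
        if not _is_active(uid, roster):
            continue  # reported by find_orphaned_accounts instead
        allowed = role_model.get(roster[uid][0], set())
        extra = ents - allowed
        if extra:
            excess[uid] = sorted(extra)
    return excess


def find_sod_violations(accounts=ACCOUNTS, rules=SOD_RULES) -> List[Tuple[str, Tuple[str, ...]]]:
    """Users whose combined entitlements satisfy a whole SoD rule."""
    hits = []
    for uid, ents in accounts.items():
        for rule in rules:
            if rule <= ents:  # every entitlement in the rule is held
                hits.append((uid, tuple(sorted(rule))))
    return sorted(hits)


def check_grant_request(uid: str, entitlement: str, accounts=ACCOUNTS,
                        roster=HR_ROSTER, role_model=ROLE_MODEL,
                        rules=SOD_RULES) -> Tuple[bool, List[str]]:
    """Preventative control: decide a proposed grant before it is provisioned.

    Returns (approved, reasons). A grant is refused if the requester is not
    an active employee, the entitlement is outside their role, or the
    resulting set of entitlements would satisfy an SoD rule.
    """
    reasons: List[str] = []
    if not _is_active(uid, roster):
        reasons.append("requester is not an active employee")
    else:
        role = roster[uid][0]
        if entitlement not in role_model.get(role, set()):
            reasons.append(f"'{entitlement}' is not part of role '{role}'")
    proposed = accounts.get(uid, set()) | {entitlement}
    for rule in rules:
        if rule <= proposed:
            reasons.append("would create SoD conflict: " + ", ".join(sorted(rule)))
    return (not reasons, reasons)


if __name__ == "__main__":
    print("orphaned:", find_orphaned_accounts())
    print("excess:", find_excess_entitlements())
    print("sod:", find_sod_violations())
    print("grant e103 hr.record.edit:", check_grant_request("e103", "hr.record.edit"))
```

In this constructed snapshot the review reports two orphaned accounts, one user (a transferee) who still holds a vendor entitlement outside the accounts-payable role, and one SoD conflict that is a direct consequence of that leftover access. The preventative check refuses the same kind of grant up front, which is the point of making the policy an automated control rather than a document: the toxic combination is never provisioned in the first place.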
Brian Cleary, VP of products and marketing at Aveksa.