It’s still quite common for IT and security professionals to be in a state of discord with managers and higher-ups within the departments of an organization. Despite the escalation of cyber risks, with an astounding percentage of those caused by malicious insiders, impatient attitudes from leaders during the onboarding process still leads to the practice of improper user access and identity management.
What is identity governance?
Identity governance is the policy-based coordination of user identity management and access control. The policies that guide access within an organization are crucial to the security of IT and compliance in order to protect customer privacy, as well as the process by which sensitive information is disseminated within.
A common scenario in organizations is a demand for user access for new employees by management, without fully considering the consequences of giving careless access—a symptom of either absent, poorly implemented, or even overly complex access governance processes that permit a higher level of access to employees and fail to oversee and review those policies.
Too often internal users are kept in the system as “ghost users.” A status may be set to inactive without actually removing the user altogether, remaining enabled after the user no longer exists at the company or should no longer have access can cause internal issues. In addition to improper access, many companies leave folders with sensitive information open to all employees within the enterprise, further risking data by improper exposure.
The constant movement of a living, breathing organization with employees coming and going, being promoted and changing titles, creates unique challenges for your security team.
Below we identify five signs that should signal that it’s time to take a closer look at your identity governance policies:
1. Insufficient Access Request Approvals
The process for access approval should be closely monitored within your organization. The individual in the role of authorizing approval for requests should be discerning. A common issue that comes up in an inappropriate approval process includes allowing authorization to persons with no organizational relationship with the user access in the first place. Selection of the approver should be defined by adequate, defined knowledge of correct processes and security functions. The approver should also be considered by department and expertise to avoid instances of privileged access being given with excessive entitlements, resulting in the potential for segregation-of-duty breaches.
2. Illegitimate or Stray Accounts
Accounts that are left active after a user leaves the organization can become orphaned if your Identity and Access Management (IAM) process doesn’t include historical details of the user or if the provisioning process is overly complex. This causes problems because administrators will often not know which accounts to look for and delete. Accounts that are left open can be used to access sensitive information within the organization, but the account naming convention and the metadata give no indication of the account owners. Even when administrators are properly trained on which accounts to look for, they can be hesitant to disable or delete them. However, unless accounts are accurately identified and managed, your organization will be at risk for fraudulent activities.
3. Absence of Segregation-of-Duty Controls
The segregation of some functions is necessary to limit the risk of fraudulent behaviors. For instance, during financial processing. The same person should not be permitted to both raise and release payments on an invoice.
Defining Segregation-of-Duty (SOD) controls is a challenge for organizations, typically from a lack of knowledge about their applications and how they are used across business functions. Often an organization will not have the right tools to adequately identify and manage the controls across large datasets. Instead, the process checks are often run manually with an improvised timetable, usually long after access has been granted and sometimes in reaction to a breach.
Segregation of duties requires several methods in combination to allow these checks to be used in electronic access request processes and breach detection alerts.
4. Self-Governing Processes Used across the Organization
Uncontrolled processes, differing across the organization for similar activities leads to inefficiencies. This is especially problematic for organizations that have multiple access request tools that will each have their own separate localized control requirements. Without the integration of cross-business systems, requests can be duplicated. Other issues arise when there are several administration teams carrying out similar functions. For example, one team that creates the account, one that assigns entitlements, a separate service desk to passwords, etc. Even when due diligence is given to the possible risks, inefficiency can arise from additional approvers who are added to audit, often delaying the access request flow.
5. Lack of Verification at Standard Intervals
When an employee changes positions within the organization, or duties within their positions, there can be issues if additional verification is not achieved. There should be a standard set period of time when accounts that are not being used are disabled, and another set period when they are deleted completely. This standard period of time should be set based on the needs of the organization considering vacation expenditures, etc., but typically four weeks is a proficient timetable for disabling an account.
If your organization is HITRUST® certified or is working toward future certification, the standards dictate that access verification of an individual should be completed every 90 days, unless they have administrative access, in which case it should be completed every 60 days.
If you have found that any of these five signs are afflicting your organization, fortunately, there are many qualified professionals with expertise in identity governance who can guide you to a secure and compliant solution.
Minimize your security risks and improve your compliance posture with Digital Forge. Contact us at (877) 369-1831 or visit our website to engage with a qualified expert today.
You Might Find These Articles Interesting: