The challenge of enforcing user access

Post by Glenn Folkes, Regional Sales Director

I recently read that 86% of users have too much access. It is a staggering number because most organisations have already adopted a mature access governance framework.

It highlights that access administration is still a challenge (and a significant security risk).

I can understand how this happens. Typically, organisations adopt an accepted access control model like MAC, DAC, RBAC or ABAC and apply the principle of least privilege within it.

Determining a role's minimum viable access requires knowledge of a user's duties, as well as how roles, groups, or access rights are defined in each system. It's a complicated, resource-intensive task for any company. Unfortunately, the result gets out of date quickly.

Why? Organisations are dynamic. Teams merge, businesses are acquired, and role descriptions change. No surprise then, that organisations struggle to maintain their user access profiles, and the value of the framework they invested in. Sad, but true.

I've also noticed that once user profiles are out of date, companies often lose the ability to deny access requests. Quite simply, the organisation has lost the map of what appropriate user access looks like, so there is nothing to measure a request against.

So a request comes through the ITSM tool, the manager approves it, and it gets provisioned. The problem is that managers change roles all too frequently: the approval is a point-in-time decision, the person who understood the need moves on, and nobody is accountable for revisiting the grant. User access quickly becomes a hodge-podge.

The security and compliance issues quickly start to compound and in this context, user access reviews and audits become even more important.

Audit and review processes cut through the techno-babble of your access management strategy. By examining how access is actually granted, an effective audit should drive business improvement, not just produce a sign-off.

In most instances, however, IT, auditors and reviewers are working with out-of-date data. That leads to compliance theatre, where reviewers sign off on user access based on stale information. It doesn't improve security, it doesn't prove compliance and it doesn't protect the organisation.

I know the world of user access is messy, but there is a path forward if you have clear visibility of who has access to what.
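As an added example (not code from the original post), the following script shows what that visibility looks like in practice: a minimal access review that compares the entitlements users actually hold against a role baseline, and separately flags grants whose approval no longer stands on its own because the approver is not the user's current manager or the approval is older than a review window. All role names, entitlement names, users and dates are constructed for the example; real data would come from an HR feed and per-system entitlement exports.

```python
from dataclasses import dataclass
from datetime import date

# Role baseline: the minimum viable access agreed for each role.
# Hypothetical roles and entitlement names, constructed for this example.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "reports:read"},
    "finance-manager": {"erp:read", "erp:approve", "reports:read"},
    "helpdesk": {"ad:reset-password", "ticketing:write"},
}

# Current role and current line manager per user (the HR source of truth).
# "zed" has no HR record at all: an orphaned account.
USER_ROLE = {"alice": "finance-analyst", "bob": "helpdesk", "carol": "finance-manager"}
USER_MANAGER = {"alice": "carol", "bob": "dave", "carol": "erin"}


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    approved_by: str   # manager who approved the original request
    approved_on: date  # when it was approved


# Entitlements as exported from the target systems (constructed sample data).
GRANTS = [
    Grant("alice", "erp:read", "carol", date(2023, 2, 1)),
    Grant("alice", "reports:read", "carol", date(2023, 2, 1)),
    Grant("alice", "erp:approve", "frank", date(2021, 6, 15)),  # approved by a former manager
    Grant("bob", "ad:reset-password", "dave", date(2023, 9, 10)),
    Grant("bob", "ticketing:write", "dave", date(2023, 9, 10)),
    Grant("bob", "erp:read", "dave", date(2022, 3, 3)),          # outside the helpdesk baseline
    Grant("carol", "erp:read", "erin", date(2023, 6, 1)),
    Grant("carol", "erp:approve", "erin", date(2023, 6, 1)),
    Grant("carol", "reports:read", "erin", date(2023, 6, 1)),
    Grant("zed", "erp:read", "carol", date(2023, 8, 1)),         # user unknown to HR
]


def excess_access(grants, user_role, baseline):
    """Entitlements each user holds beyond the baseline for their current role.

    A user with no known role has an empty baseline, so everything they hold
    is reported: orphaned accounts surface automatically instead of being skipped.
    """
    excess = {}
    for g in grants:
        allowed = baseline.get(user_role.get(g.user), set())
        if g.entitlement not in allowed:
            excess.setdefault(g.user, set()).add(g.entitlement)
    return excess


def stale_approvals(grants, user_manager, as_of, max_age_days=365):
    """Grants whose original approval should not be relied on any more.

    Flags a grant when the approver is no longer the user's current manager
    (or the user has no manager on record) or when the approval is older
    than max_age_days. Returns (grant, reasons) pairs.
    """
    stale = []
    for g in grants:
        reasons = []
        current = user_manager.get(g.user)
        if current != g.approved_by:
            reasons.append(f"approved by {g.approved_by}, current manager is {current}")
        age = (as_of - g.approved_on).days
        if age > max_age_days:
            reasons.append(f"approval is {age} days old (limit {max_age_days})")
        if reasons:
            stale.append((g, reasons))
    return stale


def review_findings(grants, user_role, user_manager, baseline, as_of):
    """Combine both checks into one set of (user, entitlement) pairs to act on."""
    findings = {(u, e) for u, ents in excess_access(grants, user_role, baseline).items() for e in ents}
    findings |= {(g.user, g.entitlement) for g, _ in stale_approvals(grants, user_manager, as_of)}
    return findings


if __name__ == "__main__":
    today = date(2024, 1, 31)
    for user, ents in sorted(excess_access(GRANTS, USER_ROLE, ROLE_BASELINE).items()):
        print(f"EXCESS  {user}: {sorted(ents)}")
    for g, reasons in stale_approvals(GRANTS, USER_MANAGER, today):
        print(f"STALE   {g.user} {g.entitlement}: {'; '.join(reasons)}")
```

The two checks deliberately stay separate: an entitlement inside the baseline but approved by someone who has since moved on is still worth a fresh look, and an entitlement outside the baseline is excess regardless of how recently it was approved. Running the review against a stale role baseline or a stale manager list would simply reproduce the compliance theatre described above, so the freshness of the HR inputs matters as much as the comparison itself.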

As always, I’d love to chat