Field Study: Entitlements, Privileges and Information Risk
Posted by Robbie Forkish on Tue, Sep 29, 2009
I came across a paper written by a team at Dartmouth (hat tip to Bruce Schneier) that describes observations from field study research of both retail and investment banks. The study was more in-depth than most surveys we hear about; for example, the study team was embedded for 3 weeks in the security group of an investment bank. The report focuses primarily on internal access controls and the risks of over-entitlement - a topic we've delved into on many occasions including here and here.
Due to the dynamic nature of large banks - and many other organizations - it is quite common for people to move between internal organizations and be transferred across information boundaries.
The frequent shifting of staff may result in information users collecting system entitlements over time if the system access is not actively managed, resulting in a toxic combination of privileges.
We knew about the gradual accumulation of entitlements over time. But a toxic combination of privileges? What's that?
A toxic combination is a conflict of system access that allows a user to break the law, violate rules of ethics, damage customers' trust, or even create the appearance of impropriety.
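As an added illustration (not code from the original post or from the Dartmouth study), the following Python check replays a constructed entitlement grant log across staff transfers and separates the two findings the study describes: the over-entitlement view (grants from units a user has since left) and the toxic-combination view (both sides of a separation-of-duties rule held at once). The user, business unit and entitlement names, and the two separation-of-duties rules, are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample grant log (not data from the Dartmouth study), in time
# order: (user, business_unit, entitlement). A transfer grants the new unit's
# entitlements; nothing is revoked unless access is actively managed.
GRANT_EVENTS = [
    ("alice", "payments-ops",  "initiate_wire"),
    ("alice", "payments-ops",  "view_customer_accounts"),
    ("alice", "treasury",      "approve_wire"),   # transferred; old grants remain
    ("bob",   "trading",       "book_trade"),
    ("bob",   "trading",       "view_positions"),
    ("carol", "trading",       "book_trade"),
    ("carol", "middle-office", "confirm_trade"),  # transferred; old grants remain
    ("dave",  "audit",         "view_positions"),
]

# Separation-of-duties rules (assumed): holding both sides of a pair is toxic.
TOXIC_PAIRS = {
    frozenset({"initiate_wire", "approve_wire"}),
    frozenset({"book_trade", "confirm_trade"}),
}

def accumulate(events):
    """Replay the log: {user: {entitlement: granting_unit}} and {user: current_unit}."""
    held, current = defaultdict(dict), {}
    for user, unit, ent in events:
        held[user].setdefault(ent, unit)  # remember the unit that first granted it
        current[user] = unit              # the latest grant marks the current unit
    return held, current

def stale_entitlements(events):
    """Over-entitlement view: entitlements granted by a unit the user has since left."""
    held, current = accumulate(events)
    stale = {u: sorted(e for e, g in ents.items() if g != current[u])
             for u, ents in held.items()}
    return {u: ents for u, ents in stale.items() if ents}

def find_toxic_combinations(events, rules=TOXIC_PAIRS):
    """Toxic-combination view: users holding both sides of any SoD rule."""
    held, _ = accumulate(events)
    found = {}
    for user, ents in held.items():
        hits = sorted(tuple(sorted(p)) for p in rules if p.issubset(ents))
        if hits:
            found[user] = hits
    return found
```

Note that bob holds one side of a rule and is flagged by neither view, while carol is flagged by both: her stale trading grant is exactly what completes the toxic pair.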
How did we get from over-entitlements to toxic combinations?
Part of the problem is this: entitlement management systems assume that an employee's direct supervisor can make informed decisions about which entitlements the employee needs to do their job. But as the Dartmouth team points out:
As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access.
This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1:

And even if the corporate structure and reporting relationships are clear in all cases, the sheer scale and complexity make entitlement management a big problem, as shown in Figure 2:
The biggest challenge isn't the massive number of entitlements and users, however, but the highly dynamic nature of employees and organizational structure within the firm.
Conventional wisdom holds that role-based access control (RBAC) systems are the answer. By letting organizations group massive numbers of employees and entitlements into work groups, RBAC systems make entitlement management more tractable. But the size, complexity and dynamic nature of many large enterprises make role-based access control challenging, to say the least:
At one very large retail bank that we interviewed, the CISO had recently completed an RBAC project creating 11,000 roles across the firm to control access to nearly 22,000 applications. Developing the roles took a team two years and the ongoing review process was expected to be significant.
We explored in an earlier post whether perfect access control was possible. Unfortunately, the answer is no. So if over-entitlement is the norm, leading to toxic combinations of privileges or entitlements, and access control systems - which are so costly to deploy and manage - aren't able to fully solve the problem, then what's an organization to do? Especially an organization that is highly regulated by SOX, FFIEC and FINRA?
Cloud Compliance is developing an Identity and Access Control (IdAA) solution to manage entitlements (also called privileges, or access rights). We identify users with excess entitlements, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to engage, and no huge upfront capital expense to incur.