Deloitte, in The 6th Annual Global Security Survey, reports that excessive access rights were the top "internal/external audit finding over the past 12 months" -- for the second year in a row.
Why did excessive access rights remain the top audit finding in 2008 after all the attention it drew by being the top audit finding the prior year? Why is this a hard problem to solve?
A cornerstone of security best practices -- and therefore of compliance requirements -- is to limit access to critical resources to only those employees and users who have a legitimate business need to access those resources. As a result, most companies adopt a policy of "least privilege" which is intended to restrict users to access only those applications that are required to do their job.
In the real world, access rights are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometimes undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business (LOB) staff, and IT exacerbate the problem.
Excessive access rights result from the reasons noted above as well as a general tendency on the part of most organizations to err on the side of overprovisioning rights in order to avoid impacting productivity. And in some organizations, excessive access rights account for over half the total authorized rights.
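The review that least privilege implies is a comparison of two things: the entitlements each person actually holds in target systems, and the entitlements the role model says their current job needs. The script below is an added illustration (it is not Cloud Compliance code, and the role model, the identities and the review date are constructed sample data). It flags grants no current role requires, treats every grant held by a terminated user or an expired contractor as excessive, and labels grants held within a 30-day window of an internal transfer as "transfer_overlap" so reviewers can see the old-job/new-job overlap described above rather than just a raw violation count.

```python
"""Least-privilege entitlement review over constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed role model: which entitlements each job role legitimately needs.
# In practice this comes from HR / line-of-business role definitions.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:invoice.read", "erp:invoice.approve"},
    "hr_generalist": {"hris:employee.read", "hris:employee.update"},
    "it_helpdesk": {"ad:password.reset", "ticketing:agent"},
    "contractor_dev": {"git:repo.read", "ci:build.trigger"},
}


@dataclass
class Identity:
    user: str
    roles: Set[str]                      # current roles per HR / LOB
    granted: Set[str]                    # entitlements actually present in target systems
    status: str = "active"               # "active" or "terminated"
    contract_end: Optional[date] = None  # contractors only
    transfer_date: Optional[date] = None # date of the last internal role change


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str


def required_for(roles: Set[str]) -> Set[str]:
    """Union of the entitlements the role model allows for these roles."""
    needed: Set[str] = set()
    for role in roles:
        needed |= ROLE_ENTITLEMENTS.get(role, set())
    return needed


def review(identities: List[Identity], today: date,
           transfer_grace: timedelta = timedelta(days=30)) -> List[Finding]:
    """Return one Finding per grant that the current role model does not justify."""
    findings: List[Finding] = []
    for ident in identities:
        # Leavers and expired contracts: every remaining grant is excessive.
        if ident.status == "terminated":
            findings += [Finding(ident.user, e, "terminated_user") for e in sorted(ident.granted)]
            continue
        if ident.contract_end is not None and ident.contract_end < today:
            findings += [Finding(ident.user, e, "contract_expired") for e in sorted(ident.granted)]
            continue
        needed = required_for(ident.roles)
        recent_transfer = (ident.transfer_date is not None
                           and today - ident.transfer_date <= transfer_grace)
        for ent in sorted(ident.granted - needed):
            # A grant left over from a recent transfer is expected to exist for a while
            # but still needs a removal date; anything else has no justifying role.
            reason = "transfer_overlap" if recent_transfer else "no_role_requires"
            findings.append(Finding(ident.user, ent, reason))
    return findings


def excess_ratio(identities: List[Identity], findings: List[Finding]) -> float:
    """Share of all authorized grants that the review could not justify."""
    total = sum(len(i.granted) for i in identities)
    return len(findings) / total if total else 0.0


# Constructed sample population (fictitious users and systems).
SAMPLE = [
    Identity("alice", {"accounts_payable"},
             {"erp:invoice.read", "erp:invoice.approve", "hris:employee.read"}),
    Identity("bob", {"it_helpdesk"}, {"ad:password.reset"}, status="terminated"),
    Identity("carol", {"contractor_dev"}, {"git:repo.read"},
             contract_end=date(2008, 12, 31)),
    Identity("dave", {"hr_generalist"},
             {"hris:employee.read", "hris:employee.update",
              "ticketing:agent", "ad:password.reset"},
             transfer_date=date(2009, 1, 20)),  # moved from helpdesk to HR
    Identity("erin", {"it_helpdesk"}, {"ad:password.reset", "ticketing:agent"}),
]
REVIEW_DATE = date(2009, 2, 1)


def run_sample() -> List[Finding]:
    """Run the review over the constructed population at the constructed review date."""
    return review(SAMPLE, REVIEW_DATE)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.user:6} {f.entitlement:22} {f.reason}")
    print(f"excess ratio: {excess_ratio(SAMPLE, results):.0%}")
```

The ratio at the end is the same kind of statistic the text quotes (excessive rights as a share of total authorized rights); on the constructed data 5 of 11 grants are unjustified. Reviewing by reason rather than by raw count matters for remediation: terminated and expired-contract findings point at a broken leaver feed from HR, "transfer_overlap" findings point at a missing expiry on transfer, and "no_role_requires" findings point at overprovisioning at request time.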
Auditors have learned in recent years how to uncover excessive access rights, often to the surprise of IT and compliance staff. That's why excessive access rights have been the top audit finding for each of the prior two years.
Cloud Compliance provides visibility into not just who is accessing what, but who should access what. And when excessive access rights inevitably occur, our analytics help determine the root cause and effective remediation strategies. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to engage, and no huge upfront capital expense to incur.