Excessive Privileges

A cornerstone of security best practices -- and therefore of compliance requirements -- is to limit access to critical resources to only those employees and users who have a legitimate business need to access those resources. As a result, most companies adopt a policy of "least privilege" which is intended to restrict users to access only those applications that are required to do their job.

In the real world, access privileges, also known as access rights, are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometimes undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communication between HR, line-of-business (LOB) staff, and IT exacerbates the problem.

Excessive privileges result from the reasons noted above as well as a general tendency on the part of most organizations to err on the side of overprovisioning privileges in order to avoid impacting productivity. And in some organizations, excessive privileges account for over half the total authorized rights!
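An added example, not from the original page: an entitlement review that flags the drift patterns described above, comparing each account's actual grants against its current role's baseline and separating rights left over from a previous role (a transfer never cleaned up) from rights with no role justification and from terminated accounts that still hold access. The role names, user records and permission strings are constructed for illustration.

```python
# Added example (not the page's or any vendor's code): a least-privilege
# review over a constructed identity-store export. All data below is made up.

ROLE_BASELINE = {  # rights each role legitimately needs (constructed)
    "finance-analyst": {"erp:ledger:read", "erp:reports:read"},
    "finance-manager": {"erp:ledger:read", "erp:ledger:approve", "erp:reports:read"},
    "engineer": {"repo:read", "repo:write", "ci:trigger"},
}

# Current role, previous role (if transferred), status, and actual grants.
USERS = [
    {"id": "alice", "role": "finance-manager", "prev_role": None, "status": "active",
     "grants": {"erp:ledger:read", "erp:ledger:approve", "erp:reports:read"}},
    {"id": "bob", "role": "finance-analyst", "prev_role": None, "status": "active",
     "grants": {"erp:ledger:read", "erp:reports:read", "erp:ledger:approve"}},
    {"id": "carol", "role": "engineer", "prev_role": "finance-analyst", "status": "active",
     "grants": {"repo:read", "repo:write", "ci:trigger", "erp:ledger:read"}},
    {"id": "dave", "role": "engineer", "prev_role": None, "status": "terminated",
     "grants": {"repo:read"}},
]


def review_entitlements(users, baseline):
    """Return (user, finding, sorted excess grants) for every problem found."""
    findings = []
    for u in users:
        if u["status"] != "active":
            if u["grants"]:  # account should have been deprovisioned
                findings.append((u["id"], "inactive-with-access", sorted(u["grants"])))
            continue
        excess = u["grants"] - baseline.get(u["role"], set())
        # Rights explained by the old role are transfer overlap that was
        # never removed; the rest have no role-based justification at all.
        old = baseline.get(u["prev_role"], set()) if u["prev_role"] else set()
        stale, unexplained = excess & old, excess - old
        if stale:
            findings.append((u["id"], "stale-from-previous-role", sorted(stale)))
        if unexplained:
            findings.append((u["id"], "beyond-role-baseline", sorted(unexplained)))
    return findings


def excess_share(users, baseline):
    """Fraction of all granted rights that the review flags as excess."""
    total = sum(len(u["grants"]) for u in users)
    flagged = sum(len(f[2]) for f in review_entitlements(users, baseline))
    return flagged / total if total else 0.0
```

Feeding a real identity-store export into the same functions gives the "excess as a share of authorized rights" figure the text refers to, broken down by cause.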

Identity management systems assume that an employee's direct supervisor can make informed decisions about what privileges are required for that employee's job. But as a Dartmouth team of researchers points out in their field study paper:

As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access.

This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1 from the Dartmouth paper:

Figure 1: privileges assigned in matrix organizations

This has led to an epidemic of excess privileges.

Auditors have learned in recent years how to uncover excessive privileges, often to the surprise of IT and compliance staff. That's why excessive privileges -- what Deloitte calls excessive access rights -- have been the top audit finding for each of the prior two years.

Cloud Compliance provides visibility into not just who is accessing what, but who should access what. And when excessive privileges inevitably occur, our analytics help determine the root cause and effective remediation strategies. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to engage, and no huge upfront capital expense to incur.
