Poorly managed access rights are a breach waiting to happen
21 May 2015
Poorly managed access rights that leave employees with inappropriate or excessive privileges are a risk to information security, and a potential breach waiting to happen, according to a report by analyst firm Forrester.
Entitled “Wake-Up Call: Poorly Managed Employee Access Rights Are a Breach Waiting to Happen,” the report states, “in their quest to maximise employee productivity, firms are exposing themselves to unnecessary risks and increasing their chances of a data breach by using outdated approaches to verify employee access … security and risk (S&R) professionals must enhance existing access governance processes with data and complementary technologies to deliver better risk insight and intelligence.”
The report “provides practical guidance that S&R pros can use to gain better visibility over identities and entitlements to mitigate risk while empowering employees.”
The report’s author, Forrester analyst Merritt Maxim, writes, “Many of the highest-profile data breaches of the past 18 months … have involved compromised identities of individuals authorised to access some part of a business’ computing environment.” The report goes on to say that “usage and event data can provide important intelligence to help further understand potential risks and empower [security and risk professionals] to take the appropriate remediation to mitigate that risk.”
One of the vendors cited in the report that “can capture activity information on log-in and data access,” Varonis, commented that the findings tallied with previous research by the Ponemon Institute in 2014. That study found 71% of employees reporting that they have access to data they should not see, and more than half said this access is frequent or very frequent.
The Forrester report lists several reasons for these excessive employee entitlements, such as “the sheer volume of sensitive data that employees can access is forever increasing … Declining storage costs have led some businesses to mistakenly store and retain more data than necessary.”
“Most security teams follow inconsistent procedures for conducting access reviews,” says Maxim, and “employees accumulate unnecessary access to sensitive data during their tenure … because of job changes, special projects and re-organisations.”
“There has been so much focus and investment on protecting the perimeter,” said David Gibson, vice president, Varonis, “but the most fundamental building blocks of security that protect the data from inside – need-to-know access and activity monitoring – are often left behind. Unnecessary access can lead to disaster in several ways.”
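As an added illustration (not code from the Forrester report or from Varonis), the check below applies the report's two points, access reviews and joining entitlement data with usage data, to a small constructed dataset: each user's current grants are compared against their present role to catch access carried over from a previous job, and against last-use dates from activity logs to catch grants nobody exercises. The user names, resources, role names and 90-day window are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: each grant records the role it was issued for and
# the last time activity logs show it being used (None = never observed).
ENTITLEMENTS = {
    "alice": [
        {"resource": "hr-payroll-share", "granted_for_role": "hr-analyst",
         "last_used": date(2015, 1, 4)},      # kept after moving to finance
        {"resource": "finance-ledger", "granted_for_role": "finance-analyst",
         "last_used": date(2015, 5, 18)},     # current role, in active use
    ],
    "bob": [
        {"resource": "prod-db-admin", "granted_for_role": "developer",
         "last_used": None},                  # granted for a project, never used
        {"resource": "source-repo", "granted_for_role": "developer",
         "last_used": date(2015, 5, 20)},
    ],
}
CURRENT_ROLE = {"alice": "finance-analyst", "bob": "developer"}
REVIEW_DATE = date(2015, 5, 21)  # date the access review is run (assumed)


def review_entitlements(entitlements, current_role, today, stale_after_days=90):
    """Return {user: [(resource, [reasons])]} for grants that need attention.

    Two signals are combined: a grant issued for a role the user no longer
    holds (accumulation through job changes) and a grant with no observed
    use inside the review window (only visible once usage data is joined
    to the entitlement list). Grants with no findings are omitted.
    """
    findings = defaultdict(list)
    cutoff = today - timedelta(days=stale_after_days)
    for user, grants in entitlements.items():
        role = current_role.get(user)
        for grant in grants:
            reasons = []
            if grant["granted_for_role"] != role:
                reasons.append(f"granted for former role {grant['granted_for_role']}")
            if grant["last_used"] is None or grant["last_used"] < cutoff:
                reasons.append(f"not used in the last {stale_after_days} days")
            if reasons:
                findings[user].append((grant["resource"], reasons))
    return dict(findings)


def run_review():
    """Run the review over the constructed dataset with the default window."""
    return review_entitlements(ENTITLEMENTS, CURRENT_ROLE, REVIEW_DATE)


if __name__ == "__main__":
    for user, items in run_review().items():
        for resource, reasons in items:
            print(f"{user}: {resource}: {'; '.join(reasons)}")
```

In a real review the entitlement list would come from the directory or entitlement store and the last-use dates from the log or activity-monitoring platform; the output is the candidate list a reviewer confirms or revokes rather than an automatic revocation.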