Access to data is of the highest concern for leaders of the world’s most complex businesses. The amount of data stored on any network is typically immense. Relating this data to your users’ account information in Active Directory can be tricky and time consuming, yet there are security concerns that must be addressed. In this regard, proper data security includes three components: ensuring new employee accounts are created properly when the employee is onboarded; ensuring those access rights remain accurate throughout each employee’s tenure; and revoking access rights when an employee leaves the organization. The third step listed here is the most important of the three.
With these security phases identified, a more in-depth look at solutions for each of them is required.
Access governance and the role of role-based access control
A profoundly effective solution to mitigate these security risks is role-based access control, which in the real world starts with the creation of a matrix. Unlike the complexities of a dark computer otherworld ravaged by a seeker named Neo, the kind of matrix referred to here is a diagram that characterizes the rights of each employee with respect to every object or access they need in the system. Butler W. Lampson first introduced it in 1971. Lampson is an American computer scientist who contributed to the development and implementation of distributed and personal computing; he is a technical fellow at Microsoft and an adjunct professor at MIT.
A role-based access control matrix, along with an identity management solution, allows you to account for the creation of new employees’ accounts and credentials generated with proper access rights. Thus, as first designated by Lampson (though it has evolved immensely), the first step of this matrix stage is to define the roles that each employee should have in every part of the organization. You can identify these roles using a combination of department, location and job title, for example. The end result of a somewhat tedious matrix-building process is a template for new employees that also serves as an audit point of reference for use in the future.
Access rights usually creep into multiple areas over the course of an employee’s tenure. The longer an employee works with you, the more likely they are to gain access to systems they don’t necessarily need to perform their primary job. For example, rights might be assigned to an employee for a special project, while one employee is covering for another on leave, or when an employee changes departments and responsibilities. However, revocation of this access is infrequent at best. Automated solutions can analyze the rights of all employees at any given time and provide lists of actionable information.
RBAC and information audits
Performing information audits can be a challenge, no doubt, but you had better get used to them. They are here to stay, and necessary. Once an audit of access rights is performed, it can be compared against the baseline template initially established for each employee role. Any discrepancies can be verified, or revocation of the rights can be administered automatically. That said, termination of rights must be done immediately when an employee leaves.
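The matrix-building, access-creep and audit steps described above can be modelled in a few dozen lines. The following is an added example, not code from the article or from Tools4ever: roles are keyed by department, location and job title as the article suggests, the entitlements in the matrix and the group memberships are constructed sample data, and the group names are invented placeholders. The audit compares what each account actually holds against its role template, flags excess rights (creep) and missing rights for active employees, and marks any rights still held by a terminated employee for immediate revocation.

```python
"""Role-based access matrix and entitlement audit (added illustration)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# A role is identified by department, location and job title, as suggested above.
RoleKey = Tuple[str, str, str]

# The access matrix: for each role, the entitlements (AD groups, application
# roles) a person in that role should hold. Constructed sample data; the group
# names are placeholders, not real directory objects.
ACCESS_MATRIX: Dict[RoleKey, FrozenSet[str]] = {
    ("Sales", "NYC", "Sales Rep"): frozenset(
        {"GG-Sales-Users", "App-BI-Reader", "GG-NYC-Staff"}),
    ("Sales", "NYC", "Sales Manager"): frozenset(
        {"GG-Sales-Users", "GG-Sales-Managers", "App-BI-Reader",
         "App-BI-Admin", "GG-NYC-Staff"}),
    ("Finance", "NYC", "Analyst"): frozenset(
        {"GG-Finance-Users", "App-ERP-Reader", "GG-NYC-Staff"}),
}


@dataclass(frozen=True)
class Employee:
    sam: str          # AD sAMAccountName
    department: str
    location: str
    title: str
    status: str       # "active" or "terminated", as fed from HR

    @property
    def role(self) -> RoleKey:
        return (self.department, self.location, self.title)


def template_for(emp: Employee) -> FrozenSet[str]:
    """Entitlements a new hire in this role should be provisioned with."""
    if emp.role not in ACCESS_MATRIX:
        # Refuse to guess: an undefined role must be added to the matrix first.
        raise LookupError(f"no matrix entry for role {emp.role}")
    return ACCESS_MATRIX[emp.role]


@dataclass(frozen=True)
class Finding:
    sam: str
    excess: FrozenSet[str]   # held but not in the role template (access creep)
    missing: FrozenSet[str]  # in the template but not held
    revoke_all: bool         # terminated employee still holding entitlements


def audit(employees: List[Employee],
          memberships: Dict[str, Set[str]]) -> List[Finding]:
    """Compare actual group memberships against the role templates."""
    findings = []
    for emp in employees:
        held = frozenset(memberships.get(emp.sam, set()))
        if emp.status == "terminated":
            if held:  # anything left is an exposure: revoke everything
                findings.append(Finding(emp.sam, held, frozenset(), True))
            continue
        expected = template_for(emp)
        excess, missing = held - expected, expected - held
        if excess or missing:
            findings.append(Finding(emp.sam, excess, missing, False))
    return findings


# Constructed sample: a rep who kept a Finance group after covering for a
# colleague, a manager matching the template, and a terminated rep whose
# memberships were never cleaned up.
SAMPLE_EMPLOYEES = [
    Employee("jdoe", "Sales", "NYC", "Sales Rep", "active"),
    Employee("asmith", "Sales", "NYC", "Sales Manager", "active"),
    Employee("bterm", "Sales", "NYC", "Sales Rep", "terminated"),
]
SAMPLE_MEMBERSHIPS = {
    "jdoe": {"GG-Sales-Users", "App-BI-Reader", "GG-NYC-Staff", "GG-Finance-Users"},
    "asmith": {"GG-Sales-Users", "GG-Sales-Managers", "App-BI-Reader",
               "App-BI-Admin", "GG-NYC-Staff"},
    "bterm": {"GG-Sales-Users", "App-BI-Reader"},
}


def run_sample() -> List[Finding]:
    return audit(SAMPLE_EMPLOYEES, SAMPLE_MEMBERSHIPS)


if __name__ == "__main__":
    for f in run_sample():
        action = "REVOKE ALL" if f.revoke_all else "REVIEW"
        print(f"{action:10} {f.sam}: excess={sorted(f.excess)} missing={sorted(f.missing)}")
```

In a real deployment the memberships dictionary would be populated from the directory (for example, the output of an AD group-membership export) and the findings fed to the identity management tool for automated revocation; the point of keeping `template_for` strict is that an employee whose role is not in the matrix is never silently provisioned with nothing or with someone else's template.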
Here’s a real-world example of a situation that might strike at the heart of current reality. In an experience personally related to me by the manager of an organization I work with, a sales manager for a major corporation had terminated one of his sales reps. The organization did not have a process in place to disable, in a timely manner, access to a cloud-based business intelligence application used by the sales rep. At some point, the terminated employee realized the account was still “live” and he proceeded to download more than 10,000 records over the course of a month, which cost the company more than $6,000 before they turned off the former employee’s access.
Perhaps that’s a small drop in the bucket, but imagine if these costs ballooned to 10, 20 or 30 times more. It happens, and like it or not, the majority of breaches are inside jobs. The organization simply left the side door wide open, no key required. When putting a process in place to handle terminated employees, link it to your HR system. When an employee is terminated, a synchronization process can take place to decommission accounts in all internal and external systems. Ensure that access to data, groups and applications is right for each employee. Revoke accounts when an employee leaves. Failure to do so can be costly.
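The HR-linked termination sync described above, as an added example that is not code from the article or from Tools4ever: the HR export, its column names and the account inventory across an internal directory, a cloud application and a VPN are all constructed, and the usernames are placeholders. The check reads the HR feed, walks every system’s account list, and produces one action per account that is still enabled although HR marks the person as terminated (with the number of days it has been exposed) or that has no HR record at all, which is how the month-long "live" account in the story would have surfaced on the first run.

```python
"""HR-driven deprovisioning check (added illustration)."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed HR export; the column names are assumptions, real HR systems
# will differ. termination_date is empty for active staff.
HR_FEED = """employee_id,sam,status,termination_date
1001,jdoe,active,
1002,bterm,terminated,2024-03-01
1003,ckim,terminated,2024-03-28
"""

# Constructed inventory of accounts across internal and external systems:
# system name -> {sam: account enabled?}. "ghost" has no HR record at all.
ACCOUNTS: Dict[str, Dict[str, bool]] = {
    "ActiveDirectory": {"jdoe": True, "bterm": False, "ckim": True},
    "CloudBI": {"jdoe": True, "bterm": True, "ckim": True, "ghost": True},
    "VPN": {"jdoe": True, "ckim": True},
}

# Fixed "today" so the sample is reproducible (constructed).
SAMPLE_TODAY = date(2024, 3, 31)


@dataclass(frozen=True)
class Action:
    system: str
    sam: str
    reason: str
    days_exposed: Optional[int]  # None when HR has no record of the account


def plan_deprovisioning(hr_csv: str, accounts: Dict[str, Dict[str, bool]],
                        today: date) -> List[Action]:
    """List every still-enabled account that HR says should not exist."""
    hr = {row["sam"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    actions = []
    for system, users in accounts.items():
        for sam, enabled in users.items():
            if not enabled:
                continue  # already decommissioned in this system
            row = hr.get(sam)
            if row is None:
                # Nobody in HR owns this account: treat as an orphan.
                actions.append(Action(system, sam, "no HR record (orphan account)", None))
            elif row["status"] == "terminated":
                since = date.fromisoformat(row["termination_date"])
                actions.append(Action(system, sam, "terminated in HR", (today - since).days))
    return sorted(actions, key=lambda a: (a.system, a.sam))


def overdue(actions: List[Action], sla_days: int) -> List[Action]:
    """Accounts open longer than the agreed window, plus all orphans."""
    return [a for a in actions if a.days_exposed is None or a.days_exposed > sla_days]


def run_sample() -> List[Action]:
    return plan_deprovisioning(HR_FEED, ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for a in run_sample():
        days = "n/a" if a.days_exposed is None else f"{a.days_exposed}d"
        print(f"DISABLE {a.system:16} {a.sam:8} {a.reason} ({days})")
```

Run on a schedule (or triggered by the HR system’s termination event), the `actions` list is what the synchronization process would hand to each system’s disable routine, and `overdue` is the audit view: with a one-day window, only accounts disabled the same day as the termination stay off the list. Note that the disabled AD account for `bterm` is correctly skipped while the still-enabled CloudBI account for the same person is not, which is exactly the gap the story describes.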
By Dean Wiech, Managing Director at Tools4ever US.