Most often, this leads to the distribution of process execution and its verification-often involving multiple authorization steps. SoD enforces the operational checks and balances that prevent noncompliance, fraud, and error by breaking up a process amongst employees or business units. When access accumulates, employees run a greater risk of compliance violations linked to Segregation of Duty (SoD) efforts. Regulatory Compliance/Segregation of Duties (SoD) Regulatory compliance, security vulnerabilities, network pollution, and unnecessary license costs serve as the primary reasons for review and reconciliatory efforts. Consequences of Unchecked Privilege Creep Unfortunately, there is no “set and forget” method to make things easy when it comes to identity management. Combining too much access with service accounts’ background nature makes for a dangerous situation in the event of a breach. Service accounts make this practice of just over-assigning elevated privileges particularly problematic. Without review, your organization may have untold numbers of users navigating your environment with advanced privileges. Giving away the “keys to the kingdom” is never a smart solution. For example, someone may over-provision administrator rights to a normal user to prevent under-provisioning. Further, granting excessive permissions simply due to short term ease remains a common but extremely risky practice with manual provisioning. Many organizations skip these review and reconciliation steps due to the laborious, time-intensive effort required for manual audits and adjustments. Too often, however, the second part goes unaddressed. Access granted for a project must be reviewed and removed after its completion if no longer necessary for the user. When an employee moves within an organization and has their access rights updated, those no longer necessary must be removed. Access Removal – The Second & Most Forgotten StepĪccess remains a two part process: provisioning and removal. For example, a standard user’s “read” access may need updating to a manager’s “read/write” access. If users moving hierarchically (or laterally) continue working with the same resources as before, they may require elevated permissions. Even employees only moving geographically probably require revised access to physical buildings and infrastructure. These more permanent status changes almost always result in the need for new access. Certain applications or licenses (e.g., Adobe) might be required for the project. The project’s relevant files and data may be stored in a specific share or folder. When an employee receives an ad hoc project or assignment, they may require additional access rights. Scenarios that contribute to (or require) access changes for a user account include: Ad Hoc Projects or Assignments Without regular reviews, nearly every user account risks accruing excess privileges. Some user accounts maintain the same access throughout their entire lifecycle, though most will see changes. This remains true whether manual efforts or automating solutions carry out the creation and provisioning process. User accounts require access rights and permissions at their creation, which are typically based off of group memberships. Service accounts are special user accounts assigned to applications or services that operate in the background of your IT environment. The dangers of access accumulation extend beyond employees, however, with service accounts. These information security vulnerabilities most often coincide with promotions, role changes, reassignments, or comprehensive reorganizations. This gradual accumulation is colloquially referred to as “privilege creep”, “access creep”, or “permission bloat”. The “user account lifecycle” defines the collective management stages for every user account over time-creation, review/update, and deactivation (CRUD). Least privilege is critical for preventing the continual collection of unchecked access rights over a user account’s lifecycle. An employee can’t complete their job without the minimum access requirements, yet too much creates compliance and security risks. Least privilege relies on the understanding that pragmatic access straddles a balance. POLP is a fundamental concept within identity and access management (IAM). The “Principle of Least Privilege” (POLP) states a given user account should have the exact access rights necessary to execute their role’s responsibilities-no more, no less.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |