Improve Security and Avoid Breaches by Avoiding Access Creep

By Dean Wiech
 
Is there anything more difficult to manage or overwhelming to overcome than organizational security issues? Perhaps only managing a company’s most important resources, its people. Security breaches continue to shed light on just how easily hackers can access complex systems and steal important information from organizations and their customers. While this is scary for customers, it is equally devastating to the organizations and those affected. This type of news shocks and scares organizational leaders as they realize that their organizations and their data are not safe, and perhaps that their security measures are not as strong as they may think.
 
Leaders need to ensure that their client information is truly secure and that employees and contractors only have the access to the information that they are permitted to access. Data is your most important asset. Even if you think you have nothing to protect or worry about, be careful. Perhaps you collect customer information like addresses, names of their businesses, credit cards, etc. as part of client profiles — all valuable assets for those in the data piracy business.
 
In many cases, breaches are inside jobs, either because of holes in access rights or because employees and contractors purposefully target your company’s information for their own profit. According to Harvard Business Review, the 2013 Target breach was a result of hackers gaining entry to the retail chain’s systems by using the credentials of one of the company’s refrigeration vendors. At least 80 million insider attacks occur in the United States each year, according to estimates, but the number may be much higher because they often go unreported.
 
One breach of information can cause major damage to an organization, mostly through the loss of public trust and the harm to how the public perceives you. Secure information can easily be accessed if the correct measures aren’t in place. Leadership may feel that their network is secure, but many security measures can actually cause additional issues.

Breaches from insiders will continue to take place. Insider access means access to an organization’s most valued information and resources. However, some inside breaches occur because employees with too much access steal or misuse information. Thus, access is the common thread in many organizational issues, even if the breach is unintentional.

Security and access to systems and information by employees and insiders are equally important. We need to have proper security settings in place to ensure only people who should have access do, but we also need access control to ensure that authorized people can only see data they need to do their jobs.
 
Aside from some of the obvious security protocols – auditing and reviewing security procedures – a number of policies must be looked at (many of which are often overlooked) to ensure security and access of employees to systems. One strategy is to evaluate how much access employees have and ensure there is no “creep.” For example, do employees have access to solutions that they no longer need, or that they have had since they started with the organization but have no business having now? Have employees left the organization without their former accounts and access rights being terminated? There’s a strong possibility this may be the case, and it can lead to severe problems.
 
Even at organizations where all systems and access to those systems are tracked, and where all access is stripped out when the employee leaves, de-commissioning an employee’s access is often a manual process. Unless policies are enforced, nothing gets changed and access remains. Ask your system admins which approach they prefer: a manual process for managing access rights, or push-of-the-button automation that can be used to power regular audits of the information in question.
 
Organizational leaders should consider putting in place processes for information audits on a regular basis to ensure records and systems are free and clear of errant information and access rights. To ensure the greatest level of security and access rights, a member of the system admin team should be assigned to regularly review Active Directory and eliminate or disable unnecessary accounts. This, of course, is an approach to take if the process remains manual. It can easily be automated, too.
 
Password managers and access management solutions are the simplest means available to mitigate this risk. Organizational leaders need to re-evaluate their security measures and consider if they truly are the best options available or if they are placing themselves in harm’s way more than they are helping. If an organization is handling these things manually, they’re likely to face a severe security risk in the near term, likely the result of an inside breach.
 
Other factors to consider include eliminating the need to write down access details, such as passwords. Even requiring frequent changes to passwords or mandating the use of complex passwords does not ensure security for the organization. The reasoning is simple: These passwords need to be changed on a regular basis. It is not feasible to think that employees are going to be able to remember several of these ever-changing complex passwords or their rules. This is where automated solutions play a valuable role in improving security. Single sign-on, for example, gives the employee the ability to log in with a single set of credentials and thereafter be granted access to all the systems and applications that they need to access. This single password can follow the organization’s password conventions, but also means employees are less likely to write down credentials to remember them.
 
In regard to creep, organizations must monitor exactly who has access to what applications and systems. Employees join and leave the organization; employees lend their access information to each other on vacation, or borrow credentials, etc. This often leaves the team leaders with no clear idea of who has access to what and the types of changes they are making in their systems. Again, an automated user account management solution allows system admins to see exactly who has access to what systems and applications, when those users are logging in, and what types of changes they are making. Sure beats the manual approach.
 
These solutions also allow team leaders to easily make access changes if necessary and correct any issues before they lead to problems; this type of information is also extremely useful when it comes to audits.
 
Another issue many organizations face is overlooking the disabling of accounts for employees who are no longer with the firm. This is an extremely common problem in regard to accounts for temporary or contract employees who only require access to systems for a short period of time. Since system admins have to manually disable an employee from all systems and applications, doing so can sometimes get overlooked or lost along the way.
 
This means that an employee who is no longer with the company can still access important information. Automated account management solutions allow for easy disabling of accounts with one click, which means a manager or team lead can easily make changes without having to contact a system admin. In addition, temporary employees’ access can automatically be revoked after a specified period of time so that no manual action has to be taken at all.
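The review described above (accounts of people who have left, temporary staff whose access should have lapsed, and entitlements that crept beyond the current role) can be expressed as a reconciliation of an HR roster against an account export. This is an added example, not code from the article or from any product; the user names, roles, field names and role baselines are constructed for illustration.

```python
from datetime import date

# Constructed sample data: role baselines, HR roster, and an account export.
ROLE_BASELINE = {
    "accountant": {"erp", "email"},
    "support": {"ticketing", "email"},
    "contractor": {"email"},
}
HR_ROSTER = {
    "asmith": {"role": "accountant", "status": "active", "end_date": None},
    "bjones": {"role": "support", "status": "terminated", "end_date": date(2024, 3, 1)},
    "ctemp": {"role": "contractor", "status": "active", "end_date": date(2024, 5, 31)},
    "dlee": {"role": "support", "status": "active", "end_date": None},
}
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "entitlements": {"erp", "email", "ticketing"}},
    {"user": "bjones", "enabled": True, "entitlements": {"ticketing", "email"}},
    {"user": "ctemp", "enabled": True, "entitlements": {"email"}},
    {"user": "dlee", "enabled": True, "entitlements": {"ticketing", "email"}},
    {"user": "svc_old", "enabled": True, "entitlements": {"erp"}},
]

def review_access(roster, accounts, baseline, today):
    """Return sorted (user, finding, detail) tuples for enabled accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to revoke
        user, person = acct["user"], roster.get(acct["user"])
        if person is None:
            findings.append((user, "orphaned", "no HR record"))
        elif person["status"] != "active":
            findings.append((user, "leaver", "HR status " + person["status"]))
        elif person["end_date"] and person["end_date"] < today:
            findings.append((user, "expired", "contract ended " + person["end_date"].isoformat()))
        else:
            # Creep: entitlements beyond what the current role needs.
            extra = acct["entitlements"] - baseline.get(person["role"], set())
            if extra:
                findings.append((user, "creep", ",".join(sorted(extra))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCOUNTS, ROLE_BASELINE, date(2024, 6, 15)):
        print(*finding, sep="\t")
```

Run on a schedule against real exports, the findings list becomes the work queue for disabling accounts and trimming entitlements, and an empty list is the evidence an auditor asks for.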
 
Identity and access management solutions, such as the ones mentioned above, help ensure extra security of networks and can deter or prevent security breaches. They also help to create advanced levels of security while maintaining employees’ ability to access information, eliminating the chokehold some security protocols can have on an organization while protecting data and employees’ access to it. Therefore, taking some time to evaluate current security measures can bring an organization’s security protocols to the next level and also keep the organization working.
 
Dean Wiech is managing director of Tools4ever US, part of the global supplier of identity and access management solutions.
Jeff Edwards

Editor, Cybersecurity at Solutions Review
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.