Traditionally, managing access rights to applications and data was seen as nothing more than an IT admin job. But since the Sarbanes-Oxley Act took effect in the US in 2004, it has become a board-level issue.
The Act obliges any company listed in the US to demonstrate that their financial risk is understood and under control. This includes the risk of inappropriate access to financial systems, so companies need to be able to show that they have access management under control and that it can be audited when necessary.
"Sarbanes Oxley is a huge driver for access management among multinational corporations, because it means that external auditors are getting involved," says Jackie Gilbert, co-founder of identity and access governance supplier SailPoint.
However, these organisations also have hundreds if not thousands of applications of material significance. According to Gilbert, the first generation of automated access management tools were expensive to implement, so they were rarely used with each of these applications.
"The typical company usually stopped at the high return-on-investment applications, such as email or network access systems, where there’s huge payback for automating provisioning."
But when every system needs to be auditable, that approach is no longer up to scratch – which is why SOX is driving organisations to seek more effective access management automation tools.
Most organisations will have a defined process in place to make sure that new employees are given access to the systems they need when they join and that their access is taken away once they leave. But for many, there is an access management blind spot when employees change roles. A promotion or horizontal move within the organisation can significantly affect the access rights of an employee, but often these moves will not receive the same attention as a joiner or a leaver.
The most notorious recent example of this is that of Jerome Kerviel, a former trader at French investment bank Societe Generale. Kerviel lost the bank €5 billion by making risky trades and covering his tracks with access permissions he should not have had.
"The problem was that Kerviel changed jobs, from working in the middle office to being a trader," explains Kevin Cunningham, SailPoint’s co-founder and president. "Those jobs involve access to a completely different set of applications. He got away with what he was doing because he could use admin privileges to cover his tracks."
"Job movers are the biggest challenge organisations have because companies are not really tracking what access people have" throughout their tenure at the company, he adds.
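The leftover-access problem Cunningham describes, as an added example (not SailPoint code or anything from the article): a user's entitlements are checked against the baseline for their current role, and anything the current role does not justify is flagged for the line manager, with leftovers from the previous role called out. The role baselines, users and entitlement names are constructed.

```python
"""Flag access left over from a previous role (the 'job mover' blind spot).
Added example, not SailPoint code: each user's current entitlements are
compared with the baseline for their current role; anything not covered
is flagged, noting whether it belongs to the role they moved from.
Roles, users and entitlement names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "middle_office": {"trade_settlement_read", "trade_settlement_write",
                      "risk_report_read", "position_admin"},
    "trader": {"order_entry", "market_data", "position_read"},
    "ap_clerk": {"invoice_entry", "vendor_read"},
}

@dataclass
class User:
    name: str
    current_role: str
    previous_role: Optional[str]
    entitlements: Set[str]

def excess_entitlements(user: User) -> Dict[str, str]:
    """Return {entitlement: origin} for access the current role does not justify.
    origin is 'previous_role' when the baseline of the role the user moved
    from contains it (a classic leftover), otherwise 'unexplained'.
    """
    expected = ROLE_BASELINE[user.current_role]
    prev = ROLE_BASELINE.get(user.previous_role or "", set())
    return {ent: ("previous_role" if ent in prev else "unexplained")
            for ent in sorted(user.entitlements - expected)}

def mover_review_queue(users: List[User]) -> List[Tuple[str, Dict[str, str]]]:
    """Movers who still hold excess access, most excess first, for a manager to certify."""
    queue = [(u.name, excess_entitlements(u)) for u in users if u.previous_role]
    return sorted([q for q in queue if q[1]], key=lambda q: -len(q[1]))

# Constructed sample: a mover who kept middle-office admin rights plus an
# entitlement no role explains, a mover cleaned up correctly, and a joiner.
SAMPLE_USERS = [
    User("mover_a", "trader", "middle_office",
         {"order_entry", "market_data", "position_read",
          "position_admin", "trade_settlement_write", "payroll_admin"}),
    User("mover_b", "trader", "middle_office",
         {"order_entry", "market_data", "position_read"}),
    User("joiner_c", "ap_clerk", None, {"invoice_entry", "vendor_read"}),
]
```

Running `mover_review_queue(SAMPLE_USERS)` returns only `mover_a`, with the two middle-office leftovers and the unexplained `payroll_admin` entitlement listed for review.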
IT is not the expert
It is quite understandable why the job of managing access to applications and data has traditionally fallen to IT admins, as it usually involved using highly technical tools.
However, IT admins are not best placed to understand how access rights relate to the various job roles within the business. "You can’t go up to an IT manager and ask whether an employee’s access rights are appropriate," says Cunningham. "They won’t know what access a junior clerk working in the accounts payable department should have, for example."
In the past, says Cunningham, making sure access management was governed by the policies of the business involved a time-consuming process of translating access rights data into terms that business people would understand. "It was hugely inefficient and hugely ineffective," he says.
Instead, he argues, access management tools should be simple enough for a line manager to use, as they are the ones who understand what access their direct reports are entitled to. "The intersection of system access and identity compliance requires a business person," Cunningham says.
It’s not the access you have, but what you do with it
To find out if an employee is using information inappropriately, it is not enough simply to look at their access rights. Often it is how they use the data that they are legitimately allowed to access that reveals wrongdoing.
Cunningham points to the example of materials manufacturing giant DuPont Chemical. The company discovered that an employee was stealing intellectual property to give to a competitor, but not before various trade secrets had already been lost. The employee in question would not have been thwarted by simple access management, because he was operating within his access rights, he says.
"But if anyone had gone in and looked at what he was doing with that access, they would have seen that he was downloading 10x more data than any other employee," Cunningham explains. "Sometimes it’s not just what you have access to, it’s what you are doing with that access."
It is unreasonable and possibly illegal, however, to track the data consumption of all employees. Cunningham therefore argues that organisations need to take a risk management approach. This means identifying those employees whose level of access, the amount of time since their access rights were reviewed and their history with the organisation suggest they pose a risk to the security of data.
Identifying these high risk employees allows organisations to limit data usage where it is needed most.
The same risk management approach applies to reviewing employee access rights. The administrative burden of access reviews can be reduced by reducing the frequency of reviews for low risk workers and concentrating resources on high risk staff.
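The risk-based approach above, as an added example that is neither the article's nor SailPoint's own model: each user gets a score from the factors the article names (breadth of privileged access, time since the last review, a recent role change, and data pulled relative to departmental peers) and a review cadence by band. The weights, thresholds, cadences and sample records are assumptions constructed for illustration.

```python
"""Risk-score users to decide how often their access gets reviewed.
Added example, not SailPoint's scoring model: the factors are those the article
names (privileged access, time since last review, a recent role change, data
pulled relative to departmental peers); weights, thresholds and cadences are
assumptions for illustration.
"""
from statistics import median
CADENCE_DAYS = {"high": 30, "medium": 90, "low": 365}  # assumed review cadence

def department_median_mb(users, department):
    """Median download volume for a department (the peer baseline)."""
    return median(u["downloaded_mb"] for u in users if u["department"] == department) or 1

def risk_score(user, peer_median_mb):
    """Weighted score from the article's risk factors; weights are assumed."""
    score = 3 * len(user["privileged_entitlements"])     # breadth of powerful access
    score += min(user["days_since_review"], 365) // 90   # staleness of last review
    moved = user["role_changed_days_ago"]
    if moved is not None and moved < 180:                # recent job mover
        score += 4
    ratio = user["downloaded_mb"] / peer_median_mb       # usage versus peers
    if ratio >= 5:                                       # DuPont-style outlier
        score += 6
    elif ratio >= 2:
        score += 2
    return score

def risk_band(score):
    return "high" if score >= 10 else "medium" if score >= 5 else "low"

def review_plan(users):
    """Map each user to (score, band, days between access reviews)."""
    plan = {}
    for u in users:
        score = risk_score(u, department_median_mb(users, u["department"]))
        band = risk_band(score)
        plan[u["name"]] = (score, band, CADENCE_DAYS[band])
    return plan

def rec(name, dept, privileged, days_since_review, moved_days_ago, mb):
    return {"name": name, "department": dept, "privileged_entitlements": privileged,
            "days_since_review": days_since_review, "role_changed_days_ago": moved_days_ago,
            "downloaded_mb": mb}
SAMPLE = [  # constructed sample records; MB downloaded over the same period
    rec("eng_a", "eng", [], 40, None, 500),
    rec("eng_b", "eng", [], 40, None, 520),
    rec("eng_c", "eng", ["repo_admin"], 200, 60, 6000),   # stale, mover, heavy puller
    rec("fin_d", "fin", ["gl_post"], 400, None, 300),      # privileged, long unreviewed
    rec("fin_e", "fin", [], 20, None, 320),
]
```

`review_plan(SAMPLE)` puts `eng_c` in the high band (monthly review) and `fin_d` in the medium band, while the other three drop to an annual review, which is where the reduced burden comes from.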
SharePoint and SaaS
There was a time when applications would be deployed and used exclusively within the corporate firewall. But today applications increasingly straddle organisational boundaries, and that is testing the capabilities of legacy access management systems.
According to Cunningham, Microsoft’s document collaboration system SharePoint is an emerging cause for concern.
"SharePoint is the new Wild West of potential data leakage," he says. "Most SharePoint implementations are largely uncontrolled in terms of what data gets put on there. I might have a lot of access control wrapped around my database, but if somebody takes sensitive data from that database and puts it on an unsecured SharePoint site, I’ve lost complete control."
Similarly, business units procuring their own software-as-a-service applications often means that IT cannot impose its access management and governance processes.
"With something like Salesforce.com, the sales department might buy it and deploy it without IT’s involvement," explains Jackie Gilbert, "and you end up with potentially sensitive information being governed by the sales team."
In both cases, the solution is principally technical – access management tools should be built on a sufficiently modern architecture to integrate with current application programming interfaces.
This is becoming a pressing issue, Gilbert says, as auditors cotton on to the fact that the likes of SharePoint and SaaS applications are emerging sources of information risk. "We’re finding that auditors are catching up to the fact that this is something they should be focused on," she says.
Managing the business of identity
SailPoint ensures organisations implement the right identity and access management controls across the business to address access management from a risk perspective. Through its product IdentityIQ, SailPoint alleviates the cost and complexity of solving security challenges, effectively managing user lifecycles, and meeting compliance requirements. It offers a centralized, holistic approach to managing user access across the entire IT environment – from on-premise, enterprise applications to SaaS applications to applications hosted in the private and public cloud. For more information about SailPoint, please visit www.sailpoint.com