When hearing the word “clone”, your first thought may be of an experiment in a high-tech lab with scientists in white coats, or perhaps even a trooper from the Star Wars franchise. But when it comes to identity and access management (IAM), cloning is a very real problem.
In this context, cloning has created issues with access thanks to the rise of “access clones”. But what are access clones, and how can organisations prevent them from rising up?
To give you an example of how access clones are created, imagine it's an employee's first day at a company, a trader at an investment bank, say, and one of their new colleagues is showing them around the office. They head across to the HR team to fill in some paperwork, and an HR representative asks who the employee reports to and which applications they will require access to.
The colleague giving the introductions, who has been with the company for some years, responds that they will both be doing the same job so it makes sense to allow the same access rights. As a result, an access clone is born.
It’s clear from this example that access clones are created with good intentions. HR wants to give the user access as quickly as possible, and the new employee wants to become productive as soon as they can. The people creating the clone aren’t aware of the potential problems that can arise from this scenario, while the clones themselves go unnoticed by those in charge.
However, there is a significant risk here. The original user has typically collected access rights over time that should have been revoked when projects reached completion or when their role changed. Revocation rarely takes place in this scenario, so the clone inherits every stale entitlement along with the necessary ones, and the risk is multiplied each time another clone is created.
Imagine a pharmacist who can use the system to self-prescribe medication, or a trader who is able to approve a huge trade for his or her own gain, without supervision. The risk here is clear, as users are able to circumvent controls and self-approve transactions.
When it comes to combating the clones, business managers should certify whether each access right is necessary through periodic access reviews. Any unnecessary access can then be revoked, thus enforcing the least-privilege principle. Identity governance solutions can help here: they ensure that certifications have merit, and they keep managers from being pulled away from their core responsibility of risk management, that is, protecting an organisation's systems, applications, files, data and processes from unauthorised use or access.
Identity governance also enables organisations to enforce a separation of duties policy. This could be written to ensure that no one individual has rights to both stage and execute a trade, for example. The entitlements of users across managed applications can then be catalogued and any violations of the policy corrected.
While identity governance can go some way towards combating access clones, its impact is limited by the need for human input. Many senior employees view an access review as a distraction from their day-to-day work and look for the quickest way out, often the "select all" or "next" option, which does nothing to ensure that the least-privilege principle is enforced.
However, even if a business manager is looking to be diligent in his or her approach to reviewing access, they may see two employees with the same access and understandably – but incorrectly – determine that both need the same rights. In this scenario, the clones actually work to protect one another.
What’s more, the policies that can be introduced to prevent access clones, like the separation of duties policy, have to be written manually. While they can be automatically enforced, the “human factor” means that an organisation may still be left vulnerable to risk due to an incomplete policy.
There are numerous ways to defend against clones, and from the outset HR should be given a list of applications that a user needs to access based on their role and level of responsibility.
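The three checks described above (catalogue entitlements and flag separation-of-duties violations, spot users whose access is an exact copy of someone else's, and compare each user against the baseline for their role rather than against a peer) can be expressed as a small script. The following is an added example, not code from the article or from Micro Focus; the users, applications, roles and baselines are constructed for illustration, and a real deployment would read the same data from the identity governance system's entitlement catalogue. Comparing against a role baseline is what breaks the mutual protection of two clones: both hold the same excess right, so a peer comparison sees nothing, while the baseline exposes it for each of them.

```python
from collections import defaultdict

# Constructed sample data (not from the article): the entitlements each user
# currently holds across managed applications. "bob" was onboarded by copying
# "alice", who picked up trading:execute on an old project and never lost it.
ENTITLEMENTS = {
    "alice": {"trading:stage", "trading:execute", "email", "market-data"},
    "bob":   {"trading:stage", "trading:execute", "email", "market-data"},
    "carol": {"trading:stage", "email", "market-data"},
    "dave":  {"trading:execute", "email"},
}

# Assumed role assignments and per-role baselines: the list of applications a
# user needs for their role, which is what HR should be handed at onboarding.
USER_ROLE = {"alice": "trader", "bob": "trader", "carol": "trader", "dave": "settlements"}
ROLE_BASELINE = {
    "trader": {"trading:stage", "email", "market-data"},
    "settlements": {"trading:execute", "email"},
}

# Separation-of-duties policy: pairs of entitlements no single user may hold.
SOD_POLICY = [("trading:stage", "trading:execute")]


def sod_violations(entitlements, policy):
    """Return {user: [(a, b), ...]} for every user holding a forbidden pair."""
    hits = {}
    for user, held in entitlements.items():
        bad = [(a, b) for a, b in policy if a in held and b in held]
        if bad:
            hits[user] = bad
    return hits


def find_clones(entitlements):
    """Group users whose entitlement sets are identical (the access clones)."""
    by_set = defaultdict(list)
    for user, held in entitlements.items():
        by_set[frozenset(held)].append(user)
    return sorted(tuple(sorted(group)) for group in by_set.values() if len(group) > 1)


def excess_entitlements(entitlements, user_role, role_baseline):
    """Entitlements a user holds beyond their role baseline.

    The comparison is against the role, not against a colleague, so two clones
    cannot vouch for each other: each is flagged independently.
    """
    excess = {}
    for user, held in entitlements.items():
        extra = held - role_baseline[user_role[user]]
        if extra:
            excess[user] = extra
    return excess


def review_report(entitlements=ENTITLEMENTS, user_role=USER_ROLE,
                  role_baseline=ROLE_BASELINE, policy=SOD_POLICY):
    """Everything a reviewer needs before certifying access, in one structure."""
    return {
        "sod_violations": sod_violations(entitlements, policy),
        "clones": find_clones(entitlements),
        "excess": excess_entitlements(entitlements, user_role, role_baseline),
    }


if __name__ == "__main__":
    for section, findings in review_report().items():
        print(f"{section}: {findings}")
```

On the sample data the report flags alice and bob for holding both stage and execute rights, identifies the pair as clones of each other, and lists trading:execute as excess for both; carol and dave, whose access matches their role baselines, produce no findings. Feeding the "excess" section to reviewers as the list of rights to justify, rather than asking them to approve a full entitlement list, removes the "select all" shortcut the article warns about.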
Yet ultimately, access needs to respect the individual. People have distinct roles, and each person needs to be able to request access, and obtain the relevant approvals, more easily than by copying a colleague.
This depends on HR being given better information about the individual and their role, combined with the individual being able to request additional access easily as the needs of their job emerge.
That should be paired with an equally easy way for managers to grant and remove access as circumstances change. Together these give senior employees the convenience they are looking for while preventing the wider company's systems from being abused.
Sourced by Geoff Webb, VP strategy, Micro Focus