(June 6, 2022) Most information is now stored in unstructured files such as documents and spreadsheets. These files often contain business-critical and highly sensitive data — customer lists, product specifications, and even financials. Least privilege access helps maintain control over these sensitive files.
Yet many organizations take a “share everything” approach to unstructured data. In its 2021 Data Risk Report, which focused on the financial services sector, Varonis found that employees had unrestricted access to almost 13 percent of all files. The average financial services organization has about 75 million files, meaning that every employee can read, modify, copy or delete almost 10 million files.
The principle of least privilege access helps organizations maintain control over sensitive files. The concept is fairly simple: Employees should only be granted access to the applications and data they need to do their jobs. Organizations should routinely review access privileges to ensure they’re appropriate. Inactive or unused accounts belonging to former employees or vendors should also be identified. These are often referred to as “ghost” users in cybersecurity parlance.
The Role of Identity Governance
Maintaining least privilege access requires an effective identity governance program. Identity governance is a framework for managing user identities and access privileges based on company policies. It plays a key role in effective cybersecurity and regulatory compliance and in reducing business risk.
However, organizations often assume that identity governance is an IT project, and end up with a technology-focused solution. Layering technology on top of broken or nonexistent processes creates redundancy and complexity — and the potential for a risky “rubber stamp access” scenarios. To avoid these pitfalls, identity governance projects should involve key stakeholders from throughout the organization.
Line-of-business managers are often in the best position to define user roles and access policies, while IT personnel can help identify systems, applications, and file stores and clarify technology issues. HR should be involved in the process from the perspective of hiring, onboarding, and terminating users and overseeing role changes.
Developing Policies and Procedures
A key component of identity governance is developing procedures for enforcing access policies and keeping them up-to-date. These procedures should require separation of duties when granting and managing access rights, breaking tasks into components so that more than one person is required to complete them. Again, key stakeholders should be involved the ensure that identity governance procedures do not hamper critical business processes.
When developing identity governance policies and procedures, organizations should carefully consider regulatory compliance requirements. For example, under Requirement 7.1 of the Payment Card Industry (PCC) Data Security Standard (DSS), organizations that accept credit or debit cards must control access to cardholder data and grant access on a “need to know” basis. Other regulations have similar requirements.
Identity governance addresses the single activity that creates the most compliance risk – a user accessing and making changes to data without oversight, which could result in that data being exposed. It also helps organizations reduce the risk of corporate espionage and intellectual property theft.
Getting the Technology Right
Once identity governance policies and procedures are defined, organizations can begin developing the technical controls needed to ensure consistency and enforcement across the enterprise. Most organizations maintain user identities and access privileges in Microsoft Active Directory or a similar directory management system.
In many cases, however, management processes need improvement. The Varonis study found that 59 percent of financial services firms have more than 500 passwords that never expire and almost 40 percent have more than 10,000 “ghost” users.
Proper management of file stores is also critical. Organizations should maintain sensitive files in protected folders that can only be accessed by authorized users.
Data breaches continue unabated, and corporate espionage is a serious threat. Regulatory compliance requirements become stricter and more complex each year. Organizations need a sound strategy with stakeholder alignment to ensure effective identity governance and enforcement of least privilege access.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile