In the first of a two-part blog series, The Seven Deadly Sins of User Access Controls, my colleague Jean Gordon Kocienda provided fresh insights into overly-permissive user access controls as a common underlying cause of data breaches. In this blog, I address the solutions to those “Seven Deadly Sins” with a modern twist on the antiquity typically known as the “Seven Wonders.”
Information Security professionals need to address user access control in the context of today’s complex threats, coupled with a fast changing IT landscape. Long gone are the days of only a few with a need to know and key corporate assets being housed behind the enterprise perimeter. We have shifted to an agile, data-centric environment with increasing user populations who may also be third-party suppliers or contractors needing fast access to assets that were previously off limits. And, it’s not just massive volumes of data that need protecting; it’s access to critical work streams and transactions too.
Great advancements in security technologies over the last decade make it easier to manage user access controls and also quickly pinpoint areas of risk. I am listing what I call the Seven Wonders of User Access Control to repel each of the “sins” that Jean set out in her blog:
- Diligence: User access violations typically occur as a pattern over time versus a single incident. Be vigilant about continuously monitoring for changes in user behavior, identifying disgruntled employees as well as anomalies in network and data activity.
- Necessity: As you deal with an expanded group of users needing access, correlate user access IT controls against Human Resources policies and assessments for third-party contractors and suppliers. Finally, restrict sensitive data and administrative privileges to only those with a need to perform their job.
- Mindfulness: Make sure that your information systems that store, access or transmit sensitive data are always up-to-date with operating system and third-party application security patches.
- Reticence: Require strong authentication to protect against fake users and attacks such as phishing. Use Federated Identity technologies to streamline identity and password management.
- Fulfillment: It’s easy to neglect end-user education but given today’s sophisticated attacks, we need to better invest in training users to avoid common lures and traps.
- Resilience: Everyone’s advocating encryption when it comes to protecting critical data, but equally important is safe storage of the keys to encrypted data.
- Automation: Today there are toolsets that take the grunt work out of segregating user access to different types of information and work streams, making it much easier to eliminate broad access issues.
The Seven Wonders of User Access Controls is by no means a complete list, and every organization will approach user access controls differently. See something missing? Do write and tell us how you are implementing user access controls in your environment.