Data leakage as a result of internal threats can be minimized with good access governance, according to experts and IT security pros. But many senior executives are failing to heed the advice, according to a recent survey.
"It seems consistent that access rights aren't being managed particularly well and it seems like many organizations are having much difficulty in getting to the point of execution with an access governance plan," said Larry Ponemon, founder and chairman of the Ponemon Institute.
Ponemon and Waltham, Mass.-based access management vendor Aveksa Inc. recently surveyed 700 IT pros, 74% of whom said that senior management didn't understand the risk of inappropriate user access and the resources needed to prevent compliance and business risks.
The 2008 National Survey on Access Governance was released only a week after a rogue trader—a trusted insider—used stolen passwords and his knowledge of various financial systems to allegedly carry out $7.2 billion in fraud against French banking giant Societe Generale. While the banking scandal boldly highlights that the threat from insiders is real, Ponemon warns that employees usually don't have criminal intent. Employee error resulting from inappropriate access rights also results in increased risk from data exposure, Ponemon said.
"It's not just that bad people are doing bad things, but good people make mistakes and look at information that they don't need," Ponemon said. "If you look at the history of access, once you get it, it's hard for a company to revoke it because, culturally, people see it as an insult."
Intellectual property, customer information and general business information are identified as being most at risk, according to the survey.
Organizations are also unable to keep pace with changing user roles that result from transfers, terminations or revisions to job responsibilities, Ponemon said, because business units don't collaborate with security, audit and compliance teams. Only 57% of those surveyed said such groups in their organizations are working together.
"All of the pieces of the puzzle have to get implemented properly," Ponemon said. "Good access governance begins with good policies. Once those policies are created, they must be enforced in a consistent fashion."
Many high-growth firms are also having trouble classifying data and getting a grip on access rights at the individual level because of changing business roles and responsibilities. Of those surveyed, 73% reported that their organizations determine risk to information based on the inherent risk of different data types, while 33% base it on users' role or function.
Ponemon said access governance needs to take into consideration more than just the type of data users handle. Firms should assign access rights based on job function, he said.
But only 27% of respondents believe that their ability to assign access rights based on job function is excellent or good, while 55% of respondents described their ability as either poor or nonexistent.
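As an added illustration of the point Ponemon makes about assigning and reviewing access by job function (this is example code written for this page, not from the article or the Ponemon/Aveksa survey), the following Python check compares the entitlements each account actually holds against what its current role justifies, flagging terminated accounts that still have access and active accounts carrying rights left over from a previous role. All role names, entitlement names and accounts are constructed sample data.

```python
# Added example: minimal access-recertification check (constructed data).
# Compares actual entitlements with what the current job function justifies.
from dataclasses import dataclass

# Role model: job function -> entitlements that function justifies (constructed).
ROLE_ENTITLEMENTS = {
    "trader": {"trading-desk", "market-data"},
    "back-office": {"settlement", "trade-confirm"},
    "analyst": {"market-data", "reporting"},
}

@dataclass
class Account:
    user: str
    role: str            # current job function as recorded by HR
    active: bool         # False once HR records a termination
    entitlements: set    # what the target systems actually grant today

@dataclass
class Finding:
    user: str
    kind: str            # "terminated", "excess" or "missing"
    entitlements: frozenset

def review_access(accounts):
    """Return a Finding for every mismatch between an account's access and its role."""
    findings = []
    for acct in accounts:
        if not acct.active:
            # Terminated user who was never deprovisioned: everything is excess.
            if acct.entitlements:
                findings.append(Finding(acct.user, "terminated", frozenset(acct.entitlements)))
            continue
        expected = ROLE_ENTITLEMENTS.get(acct.role, set())
        excess = acct.entitlements - expected   # access the current role does not justify
        missing = expected - acct.entitlements  # access the role needs but lacks
        if excess:
            findings.append(Finding(acct.user, "excess", frozenset(excess)))
        if missing:
            findings.append(Finding(acct.user, "missing", frozenset(missing)))
    return findings

# Constructed sample: 'kv' moved from back-office to the trading desk but kept
# settlement rights; 'ab' was terminated but still holds an entitlement.
SAMPLE = [
    Account("kv", "trader", True, {"trading-desk", "market-data", "settlement"}),
    Account("ab", "analyst", False, {"market-data"}),
    Account("cd", "analyst", True, {"market-data", "reporting"}),
]
```

Running `review_access(SAMPLE)` yields two findings: the leftover settlement right on the transferred trader and the active entitlement on the terminated account; the unchanged analyst produces none.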
Data within business unit applications are most at risk as a result of poor access governance. Customer Relationship Management and revenue generating applications are also vulnerable because they typically contain significant amounts of customer information.
Tom Kellermann, vice president of security awareness at Core Security and former head of cyber intelligence and policy management at the World Bank, called the French bank scandal the result of a failure of sound security practices within the organization. Most banks focus on the perimeter, he said. Good access governance could have thwarted the incident at Societe Generale or at least triggered an alarm.
"They're too reliant on something we all know: passwords, passwords, and passwords," Kellermann said. "There's very little comprehension that certificates and certificate authorities can be compromised."