Access Control: 10 Best Practices

Properly implemented, access controls give employees access only to the applications and databases they need to do their jobs. At many regulated organizations, though, such controls are still manual, outdated, and largely ineffective. Here's how to overhaul your access control program.

What is the importance of automated IT access controls in regulated environments?

Consider the case of DuPont. Between August and December 2005, a research scientist who was about to leave for a new company downloaded more than 22,000 sensitive abstracts from DuPont's electronic data library, as he later admitted. He also accessed an additional 16,700 files, most of which had nothing to do with his job function. His usage was 15 times that of the next-heaviest library user, and reportedly involved $400 million in trade secrets, yet DuPont didn't discover the inappropriate access until December 2005, after he gave notice. In February 2006 he had already uploaded some of the documents to his new work laptop by the time federal authorities finally caught up with him.

When it comes to insiders abusing their access rights, DuPont isn't alone. According to a Forrester survey of 28 companies that experienced a data breach in 2005, the leading cause, contributing to 39 percent of all incidents, was "authorized users exploiting their privileged access rights."

The moral is that simply restricting access isn't enough to stop a malicious insider: the DuPont scientist was an authorized user, and nobody noticed what he was doing with that authorization until after he gave notice. With that in mind, how can companies better administer user accounts, control access, and watch for signs of inappropriate access behavior?

Start with these 10 best practices:

1. Create an Access Baseline

Begin by having your IT department record a baseline of current access levels and the controls in place. By doing this, "you'll see the holes in your current processes" and quickly nab any gross offenders, such as "someone who's running a business out of their cube," says Ellen Libenson, vice president of product management at Symark Software. "Then you just go through people's roles in the company, and based on need-to-know access, you define who really does need to have access" to specific functionality.

2. Automate User Provisioning

Organizations must watch for signs of inappropriate access activity. Yet according to a new survey of 600 organizations' identity and access management practices conducted by the Ponemon Institute, 58 percent of companies use "mostly manual monitoring and testing" to monitor access policy compliance; cue the DuPont breach. Indeed, using manual processes makes detecting unusual behavior difficult.

Look to user provisioning software—defined by Forrester Research analyst Jonathan Penn as "the administration and audit of users' accounts and privileges"—to help. User provisioning has six components, he says: a framework for managing access control policies, usually by role; interconnections with IT systems; workflows to guide sign-offs; delegated administration; password management; and auditing. By automating these processes, organizations ensure employees only get access to the information they need to do their jobs. If their job role changes, so will their access levels.

3. Find the Business Case

Experts say most access control programs today are driven by regulatory compliance concerns, but companies should also identify a business case, to ensure they get the most from their investment. For example, automating account provisioning, de-provisioning, and password management means companies need fewer IT people to handle account administration, and it also cuts help desk costs.

Access controls can also boost overall employee productivity. "Compliance requires you restrict access to information only to the people who are authorized to read it, but by doing so, and restricting it appropriately, you actually get the right information to the right people more quickly," notes Sumner Blount, director of solutions marketing at CA.

4. Tie Access Controls to Your Environment

The precise access controls your company needs depend on your IT environment and the regulations you face. "Is an eight-character password always better than a six-character password and worse than 10 characters? Is strong two-factor authentication—often defined as a best practice—required to log into the lunch cafeteria menu Web site?" asks Forrester's Michael Rasmussen. "Ultimately, a best practice in your control environment is what works best for you."

When determining which access controls to enforce, check your applicable regulations. "For Sarbanes-Oxley (SOX) and Gramm-Leach-Bliley, the control is being able to audit, review, and declare who has access to what," says Rajiv Gupta, CEO of Securent. Meanwhile, HIPAA mandates need-to-know access to people's protected health information, and the Payment Card Industry Data Security Standard restricts access to cardholder data. Basel II, Canada's Personal Information Protection and Electronic Documents Act, and the EU Data Directive, among others, also mandate access restrictions. Finally, states' data disclosure laws take a different tack: companies that suspect people's personal data has been inappropriately accessed must notify every affected state resident.

5. Segregate Access Using Roles

SOX, among other regulations, demands segregation of duties: developers shouldn't have direct access to the production systems touching corporate financial data, and someone who can approve a transaction shouldn't also be given access to the accounts payable application. Most companies approach this problem by continually refining role-based access controls. For example, perhaps the "sales executive" role can approve transactions but never access the accounts payable application; no one can access the developer environment except developers and their direct managers; and only application managers can touch production systems.
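
The role model described above can be checked mechanically. The following is an added example, not code from the article or from any product it mentions: roles map to entitlements, a list of toxic entitlement pairs encodes the segregation-of-duties rules, and a provisioning workflow can refuse a role assignment that would create a conflict. The role names, entitlements and conflict pairs are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over role-based access.

Added example, not from the article: the roles, entitlements and
conflict pairs are constructed to mirror the scenarios in the text.
"""

# Role -> entitlements the role grants (constructed sample data).
ROLE_ENTITLEMENTS = {
    "sales_executive": {"approve_transaction", "view_customer"},
    "ap_clerk": {"accounts_payable"},
    "vendor_admin": {"create_vendor"},
    "developer": {"source_repo", "dev_environment"},
    "app_manager": {"production_systems", "dev_environment"},
}

# Toxic combinations: pairs of entitlements one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"approve_transaction", "accounts_payable"}),  # approve and pay
    frozenset({"create_vendor", "accounts_payable"}),        # invent a vendor, then pay it
    frozenset({"source_repo", "production_systems"}),        # developer with prod access
}


def effective_entitlements(roles):
    """Union of the entitlements granted by every role in `roles`."""
    ents = set()
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {role}")
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def sod_violations(roles):
    """Conflicting entitlement pairs that this set of roles would confer, sorted."""
    ents = effective_entitlements(roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= ents)


def can_assign(current_roles, new_role):
    """Gate for a provisioning workflow: refuse a role that creates a conflict."""
    return not sod_violations(set(current_roles) | {new_role})


def audit_assignments(assignments):
    """Check every user in a user -> roles mapping; return offenders only."""
    offenders = {}
    for user, roles in assignments.items():
        violations = sod_violations(roles)
        if violations:
            offenders[user] = violations
    return offenders


if __name__ == "__main__":
    staff = {
        "alice": {"sales_executive"},
        "bob": {"developer", "app_manager"},    # developer who can touch production
        "carol": {"ap_clerk", "vendor_admin"},  # can create a vendor and pay it
    }
    for user, violations in audit_assignments(staff).items():
        print(f"{user}: {violations}")
    print("grant alice ap_clerk?", can_assign(staff["alice"], "ap_clerk"))
```

The check runs in two places: `audit_assignments` over the whole population is the periodic review an auditor asks for, and `can_assign` is the gate a request workflow calls before approving a new role, so conflicts are refused at grant time rather than discovered at the next audit.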

6. Apply the Doctrine of Least Access

No matter the regulation, auditors increasingly want to see the doctrine of "least privilege" applied. Namely, "if you don't need to work with it, you shouldn't have access to it," says Libenson. This is a good starting point for setting access controls.

Another good starting point: immediately restricting access for IT personnel, and especially for the employees who administer the access controls, since they typically have the access levels and knowledge needed to do maximum damage should they turn into malicious insiders. Furthermore, many IT staff already take a questionable approach to data privacy: according to one poll of almost 650 IT professionals conducted last year, 10 percent admitted to regularly abusing their security privileges and inappropriately accessing corporate data.

7. Channel Big Brother

As the revelation of inappropriate access by IT employees suggests, employees are more apt to test access restrictions if no one is watching. Hence companies should audit all access, and remind employees their access is being watched. "If people know their activity is being tracked, they're less likely to do something," says Libenson.

8. Terminate Orphaned Accounts with Extreme Prejudice

Do your former employees' access rights expire when they give notice, or only when they last step out of the building? Given the threat posed by disgruntled ex-employees, immediately suspending their access should be a no-brainer. Yet the de-provisioning process at many companies is still manual. "The typical complaint we hear is, we have over 10,000 employees, and one employee could, over the course of their career, have been given access to 10 servers and 20 applications, and we have to go to each server and pull them out of each access control list," says Libenson.

Until those credentials get pulled from the access list, the former employee still has insider access levels, and thus poses a security risk. "It's not a case of having to create a back door to get access," she says. "We hear of people's e-mail working for a year after they've been terminated." In short, companies in regulated environments must implement automated user provisioning, which notably includes automated de-provisioning.
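
Items 2 and 8 describe the same mechanism from two ends: the role model says who should hold what, and de-provisioning removes everything that model no longer justifies. The following added example (not the article's code, nor any vendor's) treats provisioning as a reconciliation loop: it computes the desired access lists from a constructed HR feed and role model, diffs them against the access lists the systems currently hold, emits grants and revokes, flags accounts with no HR owner at all, and records each action for audit. The HR feed, roles, systems and the `apply_actions` connector stub are all assumptions.

```python
"""Role-driven provisioning and de-provisioning as a reconciliation loop:
compute who should hold each entitlement from the HR feed and role model,
diff against the access lists systems actually hold, and emit grants and
revokes plus an audit trail.

Added example, not code from the article or any vendor it quotes. The HR
feed, role model and current access lists are constructed sample data;
`apply_actions` stands in for the connectors that would change real systems.
"""

# HR feed: user -> (status, roles). Constructed.
HR = {
    "alice": ("active", {"sales_executive"}),   # just promoted into this role
    "bob": ("active", {"developer"}),           # used to be an app_manager
    "carol": ("terminated", {"ap_clerk"}),      # gave notice today
}

# Role -> set of (system, entitlement) grants. "_everyone" is implied for all
# active staff. Constructed.
ROLES = {
    "_everyone": {("mail", "mailbox")},
    "sales_executive": {("crm", "read"), ("crm", "approve_transaction")},
    "developer": {("git", "push"), ("devbox", "login")},
    "ap_clerk": {("erp", "accounts_payable")},
    "app_manager": {("prod", "login"), ("devbox", "login")},
}

# The baseline: what each system's access list holds right now. Constructed.
CURRENT = {
    ("crm", "read"): {"alice", "carol"},
    ("crm", "approve_transaction"): set(),       # alice's promotion not yet applied
    ("git", "push"): {"bob"},
    ("devbox", "login"): {"bob"},
    ("prod", "login"): {"bob"},                  # left over from bob's old role
    ("erp", "accounts_payable"): {"carol", "dave"},
    ("mail", "mailbox"): {"alice", "bob", "carol", "dave"},  # "dave" is not in HR
}


def desired_access(hr, roles):
    """Map each (system, entitlement) to the set of users who should hold it."""
    desired = {}
    for user, (status, user_roles) in hr.items():
        if status != "active":
            continue  # terminated users keep nothing, whatever their old roles
        for role in user_roles | {"_everyone"}:
            for grant in roles[role]:
                desired.setdefault(grant, set()).add(user)
    return desired


def reconcile(hr, roles, current):
    """Return (grants, revokes, orphans): the actions that make `current` match HR."""
    desired = desired_access(hr, roles)
    grants, revokes = [], []
    for grant in set(desired) | set(current):
        want = desired.get(grant, set())
        have = current.get(grant, set())
        grants += [(user, *grant) for user in want - have]
        revokes += [(user, *grant) for user in have - want]
    # Accounts with no HR record at all have no owner: orphans.
    holders = set().union(*current.values())
    orphans = sorted(holders - set(hr))
    return sorted(grants), sorted(revokes), orphans


def apply_actions(current, grants, revokes):
    """Apply the actions to the access lists (in place) and return an audit trail."""
    audit = []
    for user, system, entitlement in grants:
        current.setdefault((system, entitlement), set()).add(user)
        audit.append(f"GRANT  {user} {system}:{entitlement}")
    for user, system, entitlement in revokes:
        current[(system, entitlement)].discard(user)
        audit.append(f"REVOKE {user} {system}:{entitlement}")
    return audit


if __name__ == "__main__":
    grants, revokes, orphans = reconcile(HR, ROLES, CURRENT)
    for line in apply_actions(CURRENT, grants, revokes):
        print(line)
    print("orphaned accounts:", orphans)
```

On the sample data the loop grants alice her new approval right, strips carol's access everywhere, including the mailbox that would otherwise keep working after she leaves, pulls bob's leftover production login from his old role, and reports dave as an orphaned account. A second pass over the updated lists produces no actions; that idempotence is the property to test in a real pipeline.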

9. Proactively Monitor for Unusual Activity

Even a security program built on passwords or two-factor authentication can be undermined: passwords and key fobs can be lost or stolen, and legitimate access rights can be abused. That's why experts recommend companies monitor access patterns and watch for unusual activity, such as a large spike in a user's access to an electronic library containing sensitive information.

According to Ponemon Institute, only 14 percent of organizations today "are proactive and use preventive approaches" to manage access. Yet unusual access patterns—based on the time of day, week, or job role—can be one of the best signs a malicious insider is at work, or an outside attacker managed to steal someone's access credentials.
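
As an added example, not from the article, here is the kind of check item 9 describes, run over a constructed access log: it parses timestamped `key=value` lines, flags any user whose download count is far above the next-busiest user (the DuPont scientist's was 15 times), and counts activity outside a working-hours window. The log format, the 10x peer ratio and the 07:00 to 19:00 window are assumptions a real deployment would tune against its own baseline.

```python
"""Spot unusual access patterns in an access log: one user pulling far more
records than anyone else, and activity outside normal working hours.

Added example, not from the article. The log lines are constructed (a helper
generates them to keep the file short); the field names, the 7-19 working
window and the 10x peer ratio are assumptions a real deployment would tune.
"""
from collections import Counter
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed log: two normal users and one user bulk-downloading at night."""
    lines = []
    start = datetime(2005, 11, 14, 9, 0, 0)
    for i in range(2):
        ts = start + timedelta(minutes=15 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} user=asmith action=download doc=ABS-{i:05d}")
    for i in range(3):
        ts = start + timedelta(hours=1, minutes=20 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} user=bjones action=download doc=ABS-{200 + i:05d}")
    night = datetime(2005, 11, 14, 23, 10, 0)   # runs past midnight into the 15th
    for i in range(45):
        ts = night + timedelta(minutes=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} user=cwu action=download doc=ABS-{400 + i:05d}")
    return lines


def parse_line(line):
    """'<iso timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def volume_outliers(events, ratio=10.0):
    """Users whose event count is at least `ratio` times the next-busiest user."""
    ranked = Counter(e["user"] for e in events).most_common()
    if len(ranked) < 2:
        return []   # nobody to compare against
    top_user, top = ranked[0]
    _, runner_up = ranked[1]
    if top >= ratio * runner_up:
        return [(top_user, top, top / runner_up)]
    return []


def off_hours_activity(events, start_hour=7, end_hour=19):
    """Per-user count of events outside the [start_hour, end_hour) window."""
    counts = Counter(
        e["user"] for e in events if not start_hour <= e["ts"].hour < end_hour
    )
    return dict(counts)


def review(lines):
    """Run both detectors over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines]
    return {
        "volume_outliers": volume_outliers(events),
        "off_hours": off_hours_activity(events),
    }


if __name__ == "__main__":
    findings = review(make_sample_log())
    for user, count, ratio in findings["volume_outliers"]:
        print(f"{user}: {count} downloads, {ratio:.0f}x the next-busiest user")
    for user, count in findings["off_hours"].items():
        print(f"{user}: {count} events outside working hours")
```

Both detectors deliberately compare a user against peers or against a fixed window rather than against a hard-coded count, because the right absolute number differs per library and per role; in production the peer set would be the user's job role, as the text suggests, not the whole population.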

10. Control Remote Access, plus Applications and Databases

Apply access controls and auditing to remote access too. As an organization's perimeter expands, it must also define fine-grained roles for consultants, business partners, and supply chain members, so it can quickly give them appropriate access. Access levels for applications and databases likewise need to be controlled, starting with anything that touches a Web application, since these are directly exposed to attack.

Today, applying such controls can require manual integrations or ad hoc security add-ons. In the future, however, organizations will increasingly be able to "externalize the access control from the applications themselves," says Gupta, thanks to XACML (OASIS eXtensible Access Control Markup Language), which he dubs "the de facto standard for entitlements." While XACML-compatible applications are not yet widespread, he says XACML will eventually make access control easier to extend across applications, between business partners, and via Web services.
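
To make the externalization idea concrete, here is an added example, not code from the article, from OASIS or from any XACML product: a minimal policy decision point (PDP) in the XACML style. The policy is data held outside the application; the application's enforcement point sends subject, resource and action attributes and acts only on an explicit Permit. It borrows XACML's target matching and deny-overrides rule combining, but uses plain Python structures rather than the XACML XML schema, and the rules, attribute names and roles are constructed.

```python
"""A minimal externalized policy decision point (PDP): the application (the
policy enforcement point, PEP) ships request attributes to the PDP and gets
back Permit, Deny or NotApplicable. The policy is data kept outside the
application, which is the point of externalizing entitlements.

Added example, not code from the article, from OASIS or from any XACML
product: it borrows XACML's target matching and deny-overrides combining
but uses plain Python data rather than the XACML XML format. The policy,
attribute names and roles are constructed.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: str
    effect: str    # "Permit" or "Deny"
    target: dict   # attribute -> acceptable values; every attribute must match


# Constructed policy. Attribute names mirror XACML's subject/resource/action split.
POLICY = [
    Rule("deny-dev-prod", "Deny",
         {"subject.role": {"developer"}, "resource": {"prod"}}),
    Rule("ap-clerk-ap", "Permit",
         {"subject.role": {"ap_clerk"}, "resource": {"accounts_payable"},
          "action": {"read", "write"}}),
    Rule("sales-approve", "Permit",
         {"subject.role": {"sales_executive"}, "resource": {"crm"},
          "action": {"approve_transaction"}}),
    Rule("appmgr-prod", "Permit",
         {"subject.role": {"app_manager"}, "resource": {"prod"},
          "action": {"login"}}),
]


def matches(rule, request):
    """A rule applies when every target attribute has at least one acceptable value."""
    return all(request.get(attr, set()) & allowed
               for attr, allowed in rule.target.items())


def decide(policy, request):
    """Deny-overrides combining: a matching Deny wins, then any Permit, else NotApplicable."""
    effects = {rule.effect for rule in policy if matches(rule, request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def enforce(policy, roles, resource, action):
    """PEP helper an application calls; anything but an explicit Permit is refused."""
    request = {"subject.role": set(roles), "resource": {resource}, "action": {action}}
    return decide(policy, request) == "Permit"


if __name__ == "__main__":
    print(enforce(POLICY, {"app_manager"}, "prod", "login"))               # True
    print(enforce(POLICY, {"app_manager", "developer"}, "prod", "login"))  # False: deny wins
    print(enforce(POLICY, {"ap_clerk"}, "crm", "approve_transaction"))     # False: no rule applies
```

The application code never mentions a role; it asks `enforce` and moves on, so the same policy can serve a second application, a partner's service, or a Web service endpoint without any of them embedding their own role checks. Default-deny on NotApplicable is what turns an incomplete policy into a safe one.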
