User Access Frequently Certified Despite Infrequent Reviews
A global survey released today by Courion Corporation reveals that one-third of the 1,250 IT decision makers in large enterprises don’t think their enterprises have accurately assessed their level of IT risk from both internal and external threats.
The survey points out that almost a quarter of the companies (23 percent) say they don’t have a formal IT risk management program. Even those that do don’t regularly review user data access rights.
That’s no surprise. As with many security surveys I’ve read, contradictions abound. For example, over two-thirds (67 percent) of respondents say their company has a formal IT risk management program. Of these, nearly 91 percent say identification of user access is a core component of that program, and 90 percent say identity and access management are part of the program.
How often are individual user access or entitlements reviewed? Not very. Thirteen percent say at least monthly, and a quarter (26 percent) say quarterly. After that, regular reviews aren’t a priority. Nearly one in five respondents (19 percent) say they review access or entitlements yearly, and nearly 24 percent make such reviews “occasionally but not at regularly scheduled intervals.”
Despite such lax reviews, 59 percent of organizations require their business managers “to determine and/or certify the proper access rights of employees working under their supervision,” and 53 percent require resource/asset owners “to determine and/or certify the proper access rights of employees working under their supervision.” Even more frightening: 79 percent say they are “identifying/certifying access to sensitive data.” One has to wonder: how can you make such certifications with a clear conscience?
User access reviews make good business (and security) sense. Given that security admins tell me that their biggest threats are internal, not external, it would be wise to focus again on who has access to what.
Such reviews can turn up a host of problems. For example, 56 percent of respondents in Courion’s survey identified users who still had access from a prior job role, and 36 percent found “zombie” accounts (access for terminated employees). Nearly half (48 percent) of respondents discovered users with “excessive rights” and 39 percent found “inappropriate privileged/super user access” rights improperly granted.
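As an added illustration (not from the survey or this column), here are the checks an access review would run over an entitlement export to surface the four findings above. The users, roles and entitlements are constructed sample data, and the role-to-entitlement model is a hypothetical one:

```python
# Constructed sample data (hypothetical users, roles and entitlements).
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp_ap_read", "erp_ap_post"},
    "helpdesk": {"ad_password_reset", "ticketing_agent"},
    "platform_admin": {"domain_admin", "erp_admin"},
}
PRIVILEGED = {"domain_admin", "erp_admin"}          # super-user style rights
PRIVILEGED_ROLES = {"platform_admin"}               # roles allowed to hold them

HR = {  # user -> (current role, employment status)
    "alice": ("accounts_payable", "active"),
    "bob": ("helpdesk", "active"),
    "carol": ("helpdesk", "active"),
    "dave": ("accounts_payable", "terminated"),
    "erin": ("platform_admin", "active"),
}
PRIOR_ROLES = {"bob": "accounts_payable"}          # bob moved from AP to helpdesk
ENTITLEMENTS = {  # what the systems actually grant today
    "alice": {"erp_ap_read", "erp_ap_post", "hr_payroll_read"},
    "bob": {"ad_password_reset", "ticketing_agent", "erp_ap_post"},
    "carol": {"ad_password_reset", "ticketing_agent", "domain_admin"},
    "dave": {"erp_ap_read"},
    "erin": {"domain_admin", "erp_admin"},
    "zed": {"ticketing_agent"},                     # no HR record at all
}

def review_access(hr, entitlements, prior_roles):
    """Flag the four problem classes an access review typically surfaces."""
    findings = {"zombie": [], "prior_role": [], "privileged": [], "excessive": []}
    for user, granted in sorted(entitlements.items()):
        role, status = hr.get(user, (None, "missing"))
        if status != "active":                       # terminated or unknown user
            findings["zombie"].append(user)
            continue
        extra = granted - ROLE_ENTITLEMENTS.get(role, set())
        prior = ROLE_ENTITLEMENTS.get(prior_roles.get(user), set())
        priv = extra & PRIVILEGED
        if priv and role not in PRIVILEGED_ROLES:    # super-user rights outside admin roles
            findings["privileged"].append((user, sorted(priv)))
        if extra & prior:                            # rights carried over from an old role
            findings["prior_role"].append((user, sorted(extra & prior)))
        leftover = extra - PRIVILEGED - prior        # anything else beyond the role model
        if leftover:
            findings["excessive"].append((user, sorted(leftover)))
    return findings

if __name__ == "__main__":
    for kind, items in review_access(HR, ENTITLEMENTS, PRIOR_ROLES).items():
        print(f"{kind}: {items}")
```

Accounts with no HR record are reported alongside terminated ones, since an orphan account is a zombie account whose owner was never recorded.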
Access reviews aren't all that's deficient. Organizations also have room for improvement in monitoring user activity and data movement. Only 64 percent say their organization actively monitors user activity for systems and applications; 87 percent monitor data on the network or in the data center. Only 36 percent monitor "the movement of sensitive data with a data loss prevention" application.
-- James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 04/12/2011