Our VP of Products, Paul, shared with Computer Weekly his advice on how best to correct common access control mistakes.
As more and more business interactions continue to move outside the corporate firewall, access control to corporate resources on premise and in the cloud continues to be an increasing challenge for businesses. In the modern business environment, what are the most common access control mistakes and how best are these corrected?
The recent increase in large-scale company data breaches, such as VTech (5 million records exposed), Ashley Madison (37 million records exposed) and Experian/T-Mobile (15 million exposed), means data security is now a hot topic for all businesses across the globe. Although many of these breaches were a direct result of malevolent hackers finding technical weaknesses in company IT infrastructures, risks to data security have become apparent because company IT departments are simply failing to provide adequate access controls to employees using their internal and cloud-based systems.
Smaller-scale data loss, however, is often the result of authorised employees simply exploiting their privileged access rights. This is where user access control can be an extremely challenging area for many businesses, particularly larger organisations and multi-site corporates, and especially in light of the increasing BYOD (bring your own device) trend. Many companies either err on the side of caution and apply too many restrictions or steer the other way, towards a complete lack of any meaningful user access control.
Allowing users too much access across systems is an extremely risky business, which is too easily overlooked. Putting a few simple measures in place can drastically reduce this risk, including the ‘principle of least access’ rule (and read-only where possible), which should be applied to prevent malware from being installed. This will restrict possible access points for any malware or malevolent users as much as possible. Segregating access points by profile (roles, duties and functions) will also help limit what users can access without affecting their ability to work effectively. User access policies should also be mapped out so any shortfalls or oversights are identified, reviewed and re-evaluated regularly to ensure profiles are configured on a need-to-know basis.
The most common mistake that companies allow is the sharing of user account details amongst colleagues. Not only does this offer users the ability to access areas of the company systems they would not otherwise have, but it also removes the ability to track and audit user activity to a specific person should there be any errant behaviour. Companies should either enforce a strict no-sharing policy for all employees or apply some physical restrictions, such as 2FA (Two-Factor Authentication) or lock down to machine or IP address level.
Similarly, many organisations do not implement sufficient auditing of employee behaviour within company systems. It should be made compulsory that businesses audit all employee access, making sure they remind employees they are being monitored. Employees are more likely to probe and test their access restrictions if they know they can get away with it!
Deleting ex-employees’ user accounts is another area where many companies are exposed to the potential for data loss, as employees can often have access to multiple internal systems, directories and cloud-based services during the course of their employment. Companies which operate in highly regulated industries should not only employ a system of automated user provisioning across all internal and external systems, but also an automated user de-provisioning process, so all of their accounts can be terminated immediately upon the employee serving notice.
Whatever measures or policies are put in place, the secret ingredient of user access control is to find the perfect balance between risk and productivity. User accounts and access control should be effectively managed alongside proactive monitoring for inappropriate user behaviour. Policies put in place in any modern business should protect sensitive company and customer data, whilst fulfilling any regulations or governance the business must abide by, and not limiting employees in a way that would affect them performing their duties in a productive manner.
When striving for this ideal balance, companies must remember that technology can only partially solve the problem, by stopping malevolent actions or plugging security holes. Ultimately, any solution to manage user access must also address the human factor, and be underpinned by stringent employee contractual obligations. A strict code of conduct should also be implemented to prohibit employees from performing any actions that may put company and customer data at risk.
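To make the measures Paul describes concrete, here is a small worked example of how they fit together in code: deny-by-default role profiles (least access, read-only where possible), one named account per person feeding an audit trail, a check that flags accounts repeatedly probing beyond their profile, and de-provisioning that cuts off every entitlement at once. This is an added illustration written for this page, not code from the original interview, from Computer Weekly or from any product; the role names, resources, users and the denial threshold are all made up for the demonstration.

```python
"""Added example (not from the original article): deny-by-default role-based
access checks with an audit trail, probing detection and de-provisioning.
All roles, resources and user names below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role profiles: each role lists the exact (resource, action)
# pairs it grants. Anything not listed is denied, and most roles are read-only.
ROLE_PROFILES = {
    "finance_clerk": {("invoices", "read"), ("invoices", "write")},
    "auditor": {("invoices", "read"), ("hr_records", "read")},
    "hr_manager": {("hr_records", "read"), ("hr_records", "write")},
}


@dataclass
class User:
    username: str  # one named person per account, so audit entries stay attributable
    roles: set
    active: bool = True


@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_user(self, username: str, roles) -> None:
        """Provision an account with known role profiles only."""
        unknown = set(roles) - set(ROLE_PROFILES)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[username] = User(username, set(roles))

    def deprovision(self, username: str) -> None:
        """Disable the account and strip every role in one step. The record is
        kept rather than deleted so earlier audit entries still name the person."""
        user = self.users[username]
        user.active = False
        user.roles.clear()
        self._record(username, "*", "deprovision", True)

    def is_allowed(self, username: str, resource: str, action: str) -> bool:
        """Deny by default: allowed only if the account exists, is active, and
        one of its roles explicitly grants (resource, action). Every decision,
        allowed or denied, is written to the audit log."""
        user = self.users.get(username)
        allowed = False
        if user is not None and user.active:
            allowed = any((resource, action) in ROLE_PROFILES[r] for r in user.roles)
        self._record(username, resource, action, allowed)
        return allowed

    def effective_permissions(self, username: str) -> set:
        """Flatten a user's roles into the pairs they actually hold, which is
        what a periodic need-to-know review of each profile looks at."""
        perms = set()
        for role in self.users[username].roles:
            perms |= ROLE_PROFILES[role]
        return perms

    def probing_users(self, max_denials: int = 3) -> list:
        """Flag accounts whose denied requests exceed a threshold: a user who
        keeps hitting 'denied' is testing the limits of their access."""
        counts = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return sorted(u for u, n in counts.items() if n > max_denials)

    def _record(self, username, resource, action, allowed) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username, "resource": resource,
            "action": action, "allowed": allowed,
        })


def demo() -> dict:
    """Provisioning, checks, probing and de-provisioning with constructed users."""
    ac = AccessControl()
    ac.add_user("alice", {"finance_clerk"})
    ac.add_user("bob", {"auditor"})
    results = {
        "clerk_writes_invoice": ac.is_allowed("alice", "invoices", "write"),
        "auditor_reads_invoice": ac.is_allowed("bob", "invoices", "read"),
        "auditor_writes_invoice": ac.is_allowed("bob", "invoices", "write"),  # read-only role
        "auditor_reads_payroll": ac.is_allowed("bob", "payroll", "read"),  # unlisted resource
        "unknown_account": ac.is_allowed("carol", "invoices", "read"),
    }
    # bob keeps poking at systems his profile does not cover
    for resource in ("payroll", "source_code", "hr_records"):
        ac.is_allowed("bob", resource, "write")
    results["flagged"] = ac.probing_users(max_denials=3)
    ac.deprovision("alice")  # leaver serves notice: every entitlement goes at once
    results["leaver_after_deprovision"] = ac.is_allowed("alice", "invoices", "read")
    results["audit_entries"] = len(ac.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The decision point is `is_allowed`: nothing is granted unless a profile names the exact resource and action, so a new system or a typo in a resource name fails closed rather than open. The audit trail is only as good as the account model behind it; if two people share a login, the `user` field in every entry becomes meaningless, which is exactly the tracking problem the no-sharing policy above is meant to solve.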