It’s no surprise to anyone at Aveksa that insider access threat is a growing problem, as identified by Verizon’s 2010 Data Breach Investigations Report.
“For security firms that argue malicious insiders are a greater threat than outside attackers, the latest Verizon Data Breach Investigations Report seems like vindication: The proportion of incidents with an insider agent doubled to 48 percent.”
“Identity and access management are essential controls that companies need to block — or at least, slow down — attackers.”
Verizon 2010 Data Breach Investigations Report
While many organizations have focused their security efforts on hardening the perimeter and layering defenses against external attacks, little has been done to provide the same level of protection against insider threats (except where regulatory requirements define the risks and specify the controls).
Companies must certainly put controls in place to detect breaches. However, progressive organizations are focusing their efforts on implementing an access control framework that includes both detective and preventative controls.
Risk management best practice requires an organization to minimize high levels of inherent risk, such as the risk posed by users who hold the highest level of privileges within an information resource. But it’s not just users with root and system administration level privileges who can be a threat to an organization. It could be a user who has access to sensitive information. Do they really need this access in order to do their current job? Does having these entitlements create a toxic combination of access that violates a regulatory mandate or introduces a potential business risk? These are the questions that organizations need to be able to answer in order to provide assurance that insider access risks are being properly managed.
The reality is that organizations aren’t doing a good job governing user access at any level. Why? Because user access is constantly changing. A 2010 Ponemon Institute study commissioned by Aveksa on Access Governance Trends found that on a monthly basis 10% of all users in an organization will require some change to their access.
Ponemon 2010 Access Governance Trends Survey
An access change management control framework enables management of the complete life cycle of a user’s access. Such a framework detects access change events, pre-determines what access is appropriate for a user given their functional role in the organization, and identifies access they no longer need. Together these provide a set of dynamic controls that minimize access-related risks.
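As an added illustration (not Aveksa's product or code), the sketch below applies access change events to one user, checking each grant request before it is provisioned (preventative) and re-reviewing held access on a role change (detective). All role names, entitlement strings and the toxic-combination rule are hypothetical.

```python
# Added example. Roles, entitlements and the rule below are hypothetical.
ROLE_BASELINE = {  # access pre-determined as appropriate for each functional role
    "ap_clerk": {"erp:invoice.create", "erp:vendor.read"},
    "ap_manager": {"erp:invoice.approve", "erp:vendor.read"},
}
TOXIC_COMBINATIONS = [  # entitlement sets one user must never hold together
    (frozenset({"erp:invoice.create", "erp:invoice.approve"}),
     "can create and approve the same invoice"),
]

def toxic_hits(entitlements):
    """Return the reason for every toxic combination fully contained in the set."""
    return [why for combo, why in TOXIC_COMBINATIONS if combo <= entitlements]

def evaluate_grant(user, entitlement):
    """Preventative control: evaluate a request before access is provisioned."""
    findings = []
    if entitlement not in ROLE_BASELINE.get(user["role"], set()):
        findings.append(("out_of_role", entitlement))
    # Report only combinations this grant would newly complete.
    before = set(toxic_hits(user["access"]))
    after = set(toxic_hits(user["access"] | {entitlement}))
    findings += [("toxic_combination", why) for why in sorted(after - before)]
    return findings

def review_access(user):
    """Detective control: compare held access with the current role's baseline."""
    baseline = ROLE_BASELINE.get(user["role"], set())
    findings = [("no_longer_needed", e) for e in sorted(user["access"] - baseline)]
    findings += [("toxic_combination", why) for why in toxic_hits(user["access"])]
    return findings

def apply_event(user, event):
    """Apply one access change event to the user and return the findings raised."""
    if event["type"] == "role_change":
        user["role"] = event["new_role"]
        return review_access(user)  # a mover keeps old access until it is reviewed
    if event["type"] == "grant_request":
        findings = evaluate_grant(user, event["entitlement"])
        if not findings:  # provision only when the request is clean
            user["access"].add(event["entitlement"])
        return findings
    raise ValueError(f"unknown event type: {event['type']}")

if __name__ == "__main__":
    # Constructed sample: a clerk is promoted, then requests approval rights.
    user = {"role": "ap_clerk", "access": {"erp:invoice.create", "erp:vendor.read"}}
    for ev in ({"type": "role_change", "new_role": "ap_manager"},
               {"type": "grant_request", "entitlement": "erp:invoice.approve"}):
        print(ev, "->", apply_event(user, ev))
```

In the sample run, the approval request is appropriate for the new role yet is still refused, because the entitlement left over from the old role would complete a toxic combination until it is removed.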