Posted on Tue, Jul 13, 2010 @ 11:56 AM
Spotted this news article about an IT administrator who just got a one-year jail sentence for stealing and damaging data from his former employer.
http://www.darkreading.com/database_security/security/management/showArticle.jhtml?articleID=225800012&cid=nl_DR_DAILY_2010-07-13_h
This doesn't make a lot of sense to us. If all the credentials were revoked, then how did he get in? Was there a backdoor that this IT administrator created on a network firewall or database server? On the other hand, could it have been an access governance control failure caused by a lack of process automation for access revocation requests and no closed-loop change validation to ensure that all accounts and entitlement privileges were in fact removed?
Termination of access rights can be a challenge for most organizations when they lack visibility into a user's access across all information resources and an access change control framework that can respond to events that regularly occur in the enterprise, such as when users join, transfer or are terminated from an organization. Aveksa has seen a 40% error rate in the timely fulfillment of revocation requests. Why? Too many organizations rely on their IT help desk systems to initiate and track access revocation requests. However, these systems lack the policy controls and request validation capabilities to give an organization business assurance that the access was revoked and that the risk of unauthorized access to networks, applications, data and cloud-based information has been mitigated. It's even more important to have an access change control framework in place when it involves a privileged user, because the risk of a data loss occurring increases exponentially!
Posted on Mon, Feb 01, 2010 @ 02:54 PM
We have seen countless articles on organizations that fail to remove access when it is no longer required for a person's functional role or when a person ends their relationship with the organization. An interesting article in the December 2009 issue of HR Magazine highlights the importance of access rights revocation from a legal perspective.
###
Be careful what computer use you authorize
The 9th U.S. Circuit Court of Appeals affirmed summary judgment against a substance abuse treatment center's claim under the Computer Fraud and Abuse Act (CFAA) that a former employee committed violations when he downloaded confidential company information for use in his personal consulting business while employed and continued to access the company's system after leaving its employ.
The court held that the employer authorized the employee to access the computer system as part of his job; that in exceeding employer-imposed limitations on access, the employee did not exceed authorized access under the law; and that undisputed evidence did not show either that the company deactivated the former employee's password or that he accessed the company's site after his employment ended.
###
What's interesting about this case is that the court found against the plaintiff (the company) because it did not deactivate the former employee's access credentials to a critical information resource. It's clear from this judgment that organizations have an obligation to proactively protect their information resources, and that an organization failing to put the proper access controls in place may be forgoing its ability to seek legal recourse.
If this organization had dynamic access governance in place, it would have been able to see that there was an orphaned account on a core information resource that couldn't be mapped to an active user in the company's HR system, and revoke the account.
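As an added illustration, not from the original posts or from any Aveksa product, here is a small Python reconciliation of the kind both entries describe: the accounts on one application are matched against the HR roster to surface orphaned accounts and accounts whose owner is terminated, and a second pass re-reads the account list to validate that a revocation request was actually fulfilled (the closed-loop check). The roster, account names and field names are constructed sample data.

```python
# Constructed sample data (not from the original post): an HR roster keyed by
# employee id, and the account list pulled from one application.
HR_ROSTER = {
    "e100": {"name": "A. Admin", "status": "terminated"},
    "e101": {"name": "B. Builder", "status": "active"},
    "e102": {"name": "C. Clerk", "status": "active"},
}

APP_ACCOUNTS = [
    {"account": "aadmin", "owner": "e100", "privileged": True},
    {"account": "bbuilder", "owner": "e101", "privileged": False},
    {"account": "svc_backup", "owner": None, "privileged": True},  # no HR owner
    {"account": "cclerk", "owner": "e102", "privileged": False},
]


def find_revocations(roster, accounts):
    """Return accounts that should not exist on the resource: orphaned (no
    matching HR record) or owned by a non-active user. Privileged accounts
    are listed first so they are handled with priority."""
    findings = []
    for acct in accounts:
        owner = roster.get(acct["owner"]) if acct["owner"] else None
        if owner is None:
            reason = "orphaned: no matching HR record"
        elif owner["status"] != "active":
            reason = f"owner {acct['owner']} is {owner['status']}"
        else:
            continue  # active owner: nothing to revoke
        findings.append({"account": acct["account"], "reason": reason,
                         "privileged": acct["privileged"]})
    # sorted() is stable, so privileged findings keep their relative order
    return sorted(findings, key=lambda f: not f["privileged"])


def validate_revocation(requested, accounts_after):
    """Closed-loop validation: compare a revocation request against a fresh
    pull of the application's accounts. Anything still present is an
    unfulfilled request that must be escalated, not assumed done."""
    remaining = {a["account"] for a in accounts_after}
    return sorted(name for name in requested if name in remaining)


if __name__ == "__main__":
    for finding in find_revocations(HR_ROSTER, APP_ACCOUNTS):
        print(finding)
    # Simulate a help desk closing the ticket after removing only one account.
    after = [a for a in APP_ACCOUNTS if a["account"] != "aadmin"]
    print("still present:", validate_revocation(["aadmin", "svc_backup"], after))
```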