Access Controls For Database Security Compliance
Posted on Thu, Oct 15, 2009 @ 03:02 PM
Dark Reading is covering a lot of stories lately that relate to access governance and risk management.
http://www.darkreading.com/database_security/security/management/showArticle.jhtml?articleID=220600156&cid=nl_DR_DAILY_H
Last week they featured an article on the "Six Steps Toward Better Database Security Compliance" that offered up some best practices related to access controls for information resources. Ericka Chickowski, the reporter who wrote the article for Dark Reading, was spot on with two best practices mentioned in the article:
###
3. Access Management and Segregation of Duties
Figuring out who has access to regulated data, what kind of access they are given, and whether that access is appropriate for their jobs is at the heart of complying with regulatory mandates.
More complicated is the issue of segregation of duties and entitling permissions based on roles.
The task of segregating users based on roles means understanding each user's duties, experts say. And it can't be a one-time task. Organizations need to be vigilant to constantly review roles and entitlements to prevent toxic combinations of privileges.
5. Reporting On Compensating Controls
In those instances where organizations have appropriate compensating controls in place, auditors want proof that these controls actually exist...
For example, you may tell an auditor that you're conducting a biweekly review to ensure access controls are appropriate. But if you can't produce evidence that the review is taking place according to schedule, the auditor will likely flag you...
###
As Ericka points out, to get governance over user access you need to start with access visibility. Do you know who has access to what information resources? Do you know what specific access rights they have (read, write, delete, etc.)? Is the access absolutely necessary for that person to do their job? Once you have a unified view of user access and apply access policy controls (like Segregation of Duties), chances are you will uncover a number of access governance issues that need to be cleaned up (orphaned accounts, orphaned entitlements and inappropriate access). We have seen entitlement revocation rates as high as 40% with some of our customers on their first automated collection and certification of user access data. As mentioned in the article, having an auditable system of record is key to being able to demonstrate compliance. By the way, spreadsheets are not a "system of record."
Ericka also points out that the use of business roles can simplify the task of compliance by providing a preventative control. She's right. Using a role-based approach to governing user access enables organizations to understand what access is necessary (the minimum required) to perform a job function, as well as what is appropriate from a policy standpoint, so that access compliance and risk management objectives are met. A role-based approach also benefits an organization by simplifying compliance and by streamlining access delivery to the business. If you want to learn more about the benefits of role-based access governance, you can read a whitepaper we've written on this topic, which can be found here: http://www.aveksa.com/company/resource-center/index.cfm
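To make the two ideas above concrete, here is an added example (not code from this post or from Aveksa) of one automated collection-and-certification pass: it flags orphaned accounts, toxic Segregation of Duties combinations, and entitlements beyond what the owner's business role requires, and returns the result as a dated record that can serve as audit evidence of the review. The roster, accounts, entitlements, roles and toxic pair are all constructed for the example.

```python
# All data below is constructed for this example; it is not from the post or any customer.
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated"}
# Database account -> HR identity that owns it (None = no known owner).
ACCOUNT_OWNER = {"alice_db": "alice", "bob_db": "bob", "carol_db": "carol", "svc_legacy": None}
# Database account -> entitlements actually granted, as an automated collection would pull them.
GRANTS = {
    "alice_db": {"orders:read", "orders:write", "payments:approve"},
    "bob_db": {"orders:read"},
    "carol_db": {"orders:read", "orders:delete"},
    "svc_legacy": {"payments:approve"},
}
# Business role per identity: the minimum entitlements the job function needs.
ROLE_ENTITLEMENTS = {"alice": {"orders:read", "orders:write"}, "bob": {"orders:read"}}
# Segregation-of-duties policy: entitlement pairs no single account may hold together.
TOXIC_PAIRS = [("orders:write", "payments:approve")]

def orphaned_accounts(account_owner, hr_roster):
    """Accounts with no owner, or whose owner is no longer active in HR."""
    return sorted(acct for acct, owner in account_owner.items()
                  if owner is None or hr_roster.get(owner) != "active")

def sod_violations(grants, toxic_pairs):
    """Accounts holding both halves of a toxic entitlement pair."""
    return sorted((acct, a, b) for acct, ents in grants.items()
                  for a, b in toxic_pairs if a in ents and b in ents)

def excess_entitlements(grants, account_owner, role_entitlements):
    """Grants beyond the owner's role; an orphaned account has no role, so all its grants are excess."""
    excess = {}
    for acct, ents in grants.items():
        extra = ents - role_entitlements.get(account_owner.get(acct), set())
        if extra:
            excess[acct] = sorted(extra)
    return excess

def certification_run(review_date):
    """One scheduled access review, returned as a record that can be kept as audit evidence."""
    excess = excess_entitlements(GRANTS, ACCOUNT_OWNER, ROLE_ENTITLEMENTS)
    granted = sum(len(e) for e in GRANTS.values())
    to_revoke = sum(len(e) for e in excess.values())
    return {
        "review_date": review_date,
        "orphaned_accounts": orphaned_accounts(ACCOUNT_OWNER, HR_ROSTER),
        "sod_violations": sod_violations(GRANTS, TOXIC_PAIRS),
        "excess_entitlements": excess,
        "revocation_rate": round(to_revoke / granted, 2),
    }
```

Storing each run's record with its review date is what lets you show an auditor that the biweekly review actually happened on schedule, rather than asserting it from a spreadsheet.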