Bulk approvals of requests to have access to any of the various systems and assets quickly becomes a security concern. In order to avoid giving into the temptation to rush approvals of these requests without adequate review, organizations must first understand the damage that can result from overusing approvals, why it happens, and how this can be prevented.
Although it is not common practice these days to use the red “APPROVED” physical ink stamp, the act of bulk approving (or denying) requests without the necessary time invested or research conducted is as popular as ever. Though this can occur in any department across any organization, this practice of rubber-stamping is particularly problematic when related to the review of access to IT resources. Bulk approvals of requests to have access to any of the various systems and assets quickly becomes a security concern. In order to avoid giving into the temptation to rush approvals of these requests without adequate review, organizations must first understand the damage that can result from overusing approvals, why it happens, and how this can be prevented.
The Dangers of Too Much Access
User access and how it is managed greatly impacts the risk of insider threats, which have become all too common. In fact, according to a survey completed by Cybersecurity Insiders, over 50 percent of organizations surveyed experienced an insider attack in the last twelve months. Approving everyone for any access they apply for, or not adequately reviewing user access periodically, provides ample opportunity for both malicious and accidental insider threats.
Dissatisfied employees pose a unique risk given their knowledge of the organization and their sometimes nefarious motivations. If they know the approval process is not being monitored or access is not being periodically reviewed, they could easily submit a request to access sensitive data which they could then misuse. It could take months before their activity was discovered.
Accidental or negligent misuse of access is also considered an insider threat. Employees may not understand exactly what access they need and end up asking for and being approved for more privilege than they require; they may even request access to the wrong system or asset entirely. The result is often errors in how the access is used. Failing to govern exactly who is asking for what and why they need it creates an environment primed for increased errors.
Additionally, limiting user access is a key component of many regulations like GDPR, Sarbanes Oxley (SOX), and HIPAA, whether it be through the application of proper approval processes or the periodic review of access. Frequent rubber stamping could result in being out of compliance, opening your organization up to potential fines, or worse.
Certification Fatigue and Information Underload: Why Rubber Stamping Occurs
Approving entitlements without a second glance is dangerous. So why is it so common?
Firstly, those in charge of approving access requests or periodically reviewing large lists of user entitlements are often inundated with them, causing certification fatigue. In order to get through the list and get back to work, they simply grant them all. Essentially, they may be busy enough that the only type of access review or approval that will happen in a timely manner is a careless one.
Secondly, access reviews especially are often presented in a confusing format, or an unreadable one. Spreadsheets with this information are hard to read and may not provide enough context to determine if the existing access is actually needed. There are several considerations which may not be listed in a spreadsheet, like how commonly the type of access requested is granted for a given job role, or if it is only needed for a limited time or purpose. With potentially hundreds of requests in need of action, it’s impractical to expect a reviewer or approver to take the time to research each request.
Ultimately, these kinds of reviews require a human eye and a clear understanding of the context in which the access is requested or has been granted. A balance must be struck between efficiency, accuracy, and security. As long as this process is manual, without improvements in the manner which the data are presented to the user, accuracy is a difficult goal to achieve.