Access-related risks represent one of the biggest obstacles organizations must address in a complex threat landscape—and they are lurking everywhere. Whether from changes in the business, like hiring, promotions, or transfers, from business growth and transformation, including M&A activity, corporate reorganizations, or new product introductions, from infrastructure changes, like new platforms, applications, and systems, or from insider threats, which can arise intentionally or unintentionally, access risks present a constant threat to the business.
Based on results from the 2020 Identity and Access Management Report, view this on-demand webinar, featuring Mike Lynch, Senior Sales Engineer at Core Security, a HelpSystems Company, and Holger Schulze, CEO and Founder, Cybersecurity Insiders. Learn how your organization can leverage identity governance and administration (IGA) to mitigate identity-related access risks within your business.
This webinar takes a deep dive into the latest report findings, including:
- How identity governance and administration enables organizations to close the gap on access-related risks
- How unauthorized access incidents are reduced in organizations that leverage strategic IGA programs and solutions
- The latest trends, challenges, gaps, and solution preferences for IGA
- How protecting privileged accounts is essential in reducing access risks
- How the right IGA framework can bolster risk management and enhance your overall security posture
- [Holger] Welcome to today's Cybersecurity Insiders webinar; Closing the Gap on Access Risk. Thank you for joining us today and taking time out of your busy schedules. Today's webinar is brought to you by Core Security. Core Security provides leading edge cyber threat prevention and identity governance solutions to help prevent, detect test and monitor risk. My name is Holger Schulze, I am the founder of Cybersecurity Insiders, the online community for cybersecurity professionals and I'll be your moderator today. And now it is my pleasure to welcome our featured presenter. Mike Lynch. Mike is senior sales engineer at Core Security. Mike, thank you for presenting today.
- [Mike] Great, thanks for having me.
Avoiding Access Related Incidents
- [Holger] Absolutely. All right, let's let's dive right in. And yeah, we recently conducted a survey with Core Security to better understand and identify the latest trends, right? Key challenges, gaps, and solution preferences for Identity and Access Management, IAM, right? Organizations of all sizes and industries responded to the IAM trends survey, and we're going to publish the detailed report shortly. So you will see this in just a few days, but today we'll explore some of the key results from the survey regarding issues surrounding access risk and then provide actionable information to help you and your organization to stay ahead of the curve and avoid access related incidents, you know, things like insider threats or regulatory fines and such. Now, Mike, let me ask you, why don't you kick us off by perhaps laying out a foundation of some of the risks that you see, you know that are associated with access management? Mike.
1. Top Access Related Risks
a. Abandoned Accounts
- [Mike] Great, absolutely. So I've got a list here of some of the top access related risks and I just want to go through each one of them real quickly to make sure everybody has a good understanding, because I think there's a lot of challenges organizations are facing as it relates to access. Today I just want to go through these and take a closer look. So it's starting in the upper left hand corner. We've got, what are called abandoned accounts. An abandoned account is basically an account that belongs to an employee or a contractor but hasn't been accessed in a specified amount of time. The amount of time varies from one organization to another, but typically it's somewhere on the low end, like maybe 60 days on the low side, and upwards of 90 - 180 days, or even longer for some organizations depending on the type of business that they have and type of information and applications that are implemented.
So, the reason why abandoned accounts indicate a potential risk is that they can be used by an attacker to gain a foothold in your environment. Since the account's abandoned, there isn't anyone in the organization using it to notice any changes or irregular activities that might be done by an attacker trying to use that account. So when accounts aren't shut off and they lay around, those are particularly good targets for these attackers. Usually the presence of an abandoned account is a sign that there is a lack of process or a broken process that would normally remove or disable the account when it's no longer needed. So for example, I've worked with organizations before where a large number of events and accounts within the organization are pointed to a specific problem with an offering process for contractors, so they started noticing all these contractors with these abandoned accounts. And so they use that information to figure out they had a broken process. Once it was fixed, a big chunk of those abandoned accounts went away and, they reduce the risk for the organization.
b. Orphaned Accounts
Moving down underneath abandoned accounts we've got orphaned accounts. An orphaned account, a little bit different definition than abandoned account. An orphaned account is an account that doesn't have an owner. So it may be being used in the organization but you don't have a good defined owner for that account, and since there's no account owner, there's no one in the organization that's responsible for the account. So oftentimes these accounts will get ignored when you do things like access reviews when those are scheduled. For example if you're doing a manager review of access but there's no manager assigned to the account, there's no owner, then you know that account won't get reviewed during the review process. Orphaned accounts are often created outside of a formal IGA process which explains why there's not an assigned owner. Most often they're created out of band by an application owner or a domain admin, and basically someone went directly into the system and created the account and they didn't did it outside of the approved process or outside of the IGA system.
c. Over Provisioning & Under Provisioning
Next going around counter-clockwise, we've got over-provisioning and under-provisioning. And basically I would say at a high level over-provisioning and under-provisioning of access, is usually due to a lack of R-bac or role-based access controls. A well-defined role makes sure that users get the appropriate amount of access needed for their jobs and responsibilities. So those are probably the most common reasons for that. A lot of times it can also happen because you're copying access. So, you've got a new employee that's being brought on and you go look at somebody who does something similar to them and you just copy their access and say, "Well they're both accountants," "so they should both get the same things." And that's not always the case, and so that's oftentimes when you'll see you know, over or under-provisioning. I think a lot of people really understand over-provisioning, right? It's usually pretty clear that it's a risk because it means a user has more access than is necessary to perform their job function. Usually that's pretty clear to people that I talk to.
I think most people though don't think under-provisioning is a risk, but I just would challenge you to ask yourself if a person or a user in your company doesn't have all the access they need, in other words, they're under provisioned, then how are they doing their job? So I would say, you know, they either aren't doing everything that needs to be done, because they don't have the access, or where the risk really comes in is they're going to somebody else to get the access they need. They're going to a team member or somebody else that has credentials for that, and they're using those. They're borrowing credentials from another employee and obviously this is something that you don't want to happen.
d. Privileged Access
And over on the right side, we've got privilege access. And, you know, I think it's really important to understand why privileged access exists in your environment, as well as what risk it could introduce. Obviously, organizations need privileged access, I'm not saying that's not the case, but you know you've got to really have a good understanding of it, and really privileged access comes in two different flavors. There's what I call IT privileged access, which is what I think most people think about when they think about privileged access. So that's privileged access where it's like an administrator or a domain-admin type of access, right? You've got access to things on the system level, the network level, the operating system level, and, you know, it gives the user access to assist them on network related things. And so when I hear people talk about privileged access I think that's what they think of most often.
But there's also what I'm going to call application privileged access. So an example of this would be, I'm an accountant, right? So I don't have a lot of operating system privileges or network privileges, but within the accounting system, you know, I've got the privilege or the ability to approve purchase orders over X amount of dollars. So while I can't modify systems and the network, I can do some financial damage to the organization by approving purchase orders that maybe shouldn't be approved. So that's what I call application privileged access. And the problem with this is that when most organizations are doing audits most of them focus on the IT privileged access, right? They're focused on the people kind of have the keys to the kingdom. And the account that can approve a purchase order can do a lot of financial damage if the right checks and balances aren't in place. So it's important to include those in all of your privileged access checks.
e. Segregation of Duties
And then next we've got segregate, you know lacking Segregation of Duties. So, you know, Segregation of Duties is the concept of preventing toxic combinations of access. So, you know, the classic example kind of going along with my account example previously is, I've got a accountant that can both create a purchase order and approve a purchase order, right? And that's probably a combination of access you don't want to have especially in larger organizations. You want those checks and balances in place. In smaller companies, maybe just because of staffing levels, you might just have one person that's doing that function, but even then you could still have the right checks and balances in place and make sure you understand the risk. Now, the other important thing to understand about SoD is that it can scan across multiple systems and applications So don't just think of somebody not having a combination of access in one given application, but think about how it expanses across your entire enterprise. If they've got the certain access in SAP, then we don't want them to be able to do this other function in a separate application. And so SoD often spans across different systems and applications in the enterprise, and then finally kind of just wrapping up on this slide is poor password management.
f. Poor Password Management
That's another big risk. And, you know, it's important to strike a balance between password strength and complexity policies and difficulties in users remembering, and having to constantly reset passwords and unlock accounts. So, you know, extremely strong and complex password policies you know, while they're important, they often increase the chances that a user is going to forget that password onto the core system or get locked out. And this means that they might have to call the help desk or use some sort of a self-service password management system. I mean, I talk to organizations all the time, they're just getting flooded with calls to the help desk for password reset requests. And usually that's a function of the password strength and complexity. The other thing I see a lot, are organizations that are extremely secure when it comes to password complexity but when it comes to the user calling into the help desk to reset their password, that process is very weak. You know, meaning that maybe easy for someone else to call in and act like a given user and gain access to applications through the help desk, because they don't have a very stringent policy for, you know authenticating who the person is calling in.
Three Common Sources of Access Risk
1. Business Changes
And then kind of, kind of moving here, the common sources of access risk. I see those in three chunks; there's business changes, there's infrastructure changes, and there's insider threats. Business changes, things like hiring, promotions, transfers, terminations, M&A activity, new products, you know, all of these things can, you know, there are things that are going to happen in an organization but there are things that can lead to risk. These are typically the points where there are big changes in access, so that the first three bullets; hiring, promotions and terminations are what we call the user life cycle. Those are typical stages that your employees would go through and possibly contractors, and, you know the typical points in the life cycle where those people gain and lose access.
So that's where it's important to have a good process in place to make sure users get timely but also appropriate access. I see it all the time, M&A activity, you know often leads to bulk changes in access, you know or the addition of new users to the organization, you know you purchase another company and all those users from the other company that are coming over and need to be onboarded and they need to be added to the system and given access, and that can often lead to a lot of risk. And then, in the same way, adding new products. You add a new product and, a lot of people in your organization now need to have access to that, and how do you add that on in an efficient, but safe way. So those are some of the challenges I see from access risk for business changes.
2. Infrastructure Changes
So kind of similar infrastructure changes are the same kind of thing, except this is basically, you know, similar to business change. It's an infrastructure change, it can introduce a lot of access changes at once. So if there aren't good places and processes in place, users can gain more access than is necessary and it can be over-provisioned, which brings additional risk to the organization. So basically the introduction of new applications systems and platforms usually means that the new access will be assigned and also the potentially old access from systems that these are replacing may have to be taken away.
3. Insider Threats
a. Inadvertent Threat
And finally, another common source is what I call the insider threats. So basically there's, you know there's three types of insider threats. There's the inadvertent threat, which is where an insider takes an action and unknowingly puts the organization at risk. So think like a phishing attack, right? Somebody gets an email they click on a link, open an attachment, you know unknowingly introduce risk into the organization, and then there's negligent threats.
b. Negligent Threats
So that's like a negligent insider may not intend to put the organization at risk, but, do so non-maliciously by behaving in insecure ways. And these insiders may be non-responsive to security awareness and training exercises, or may take make isolated errors by exercising bad judgment. So a good example here is somebody who, you know writes a password down on a sheet of paper and keeps it on their desk or in a drawer. They kind of know they shouldn't be doing that, but you know, they just do it because it's easier than if they can't remember a complex password.
c. Malicious Threats
And then finally, malicious insiders they typically will exfiltrate data or commit other you know, negative acts against the organization typically with the goal of financial rewards or other personal gains, you know this is often because, they're looking for like a second stream of income and they'll typically exfiltrate data slowly to personal accounts to avoid detection. Another example of this is like a disgruntled employee who might aim to deliberately sabotage a company or you know, steal its intellectual property. And as you can imagine, all of these factors can have a significant impact on the organization if they're happening all the time. Holger, can you share some of what the survey results reveal as it relates to business impact and some of the access risks I mentioned?
1. Business Impact
- [Holger] Yeah, absolutely, thank you, Mike. And so, as you said, right, we asked our survey audience what negative impacts they experienced over the past 12 months from, you know, unauthorized access to sensitive data or applications or systems, right? And the results were mixed ride with disrupted business activities showing up at the top as the most significant, most frequent negative impact, followed by system downtime and reduced employee productivity right here at the number three spot. And then Mike, this coincides with some of your earlier points, right? That there are so many different, areas of access risk and avenues, if you will, for threat actors to enter an organization and our systems with very different motives right? Now, with all of these negative business impacts, it's no wonder that, you know, 90% of survey respondents view identity and access management as very important or even extremely important to their organization's overall risk management and security posture. The problem is though that 54%, more than half of organizations are only at best somewhat confident in the effectiveness of their company's IAM program. That is a big gap between aspiration and reality, which means there's a lot of room for improvement, and Mike, I think you're going to talk to some of these opportunities for improvement in a minute. As it relates to over provisioning, nearly half of respondents are only somewhat confident in their ability to verify users and verify that they don't have excess of access privileges. Also, 75% of organizations have at least a few users with more access privileges than required. 75, so almost eight out of 10 organizations see that they're over provisioning and that's perhaps a good number of organizations and server respondents that may not even have full awareness of the extent of that. But Mike, on this note, let me ask you, can you provide perhaps some insight or best practices that you know, organizations use to start closing the gap on access related risks that we talked about earlier?
2. Closing the Gap on Access Related Risk
- [Mike] Yeah, definitely. So I think there are three main areas I'd like to advise organizations that we work with to focus on. And they are basically having strong policies, periodic access reviews, and prioritization of role-based access. A lot of people call it R-bac, and basically I'm going to go into each of these into a little more detail, but these are probably the three main areas that I think companies need to focus on to mitigate asked access risk. So, you know, starting off here, we've got strong policies. You know, having strong policies in place is extremely important, especially in establishing a solid foundation for an IAM program. And, you know, all too often, many smaller- medium sized organizations start off with manual processes and management, but as the organization grows, so do the number of devices and applications giving access and we can quickly snowball, if there aren't clear policies in place.
a. Strong Policies: Abandoned Accounts, Privileged Access, Password Management & Entitlements
Many of the assets access risks I mentioned earlier in the presentation stem from poor or no policies in place, and these include abandoned accounts, orphaned accounts, privileged access governance, poor password management unnecessary and unused entitlements, Segregation of Duties and nested access. We talked about abandoned and orphaned accounts earlier and it's important to understand these types of accounts, what they are and come up with definitions that make sense, for your organization. It may be appropriate for your organization to have more lenient policy because of your type of business and risk tolerance. For example, I've seen manufacturing facilities who have floor workers that rarely log in to active directory or certain types of applications.
So, you know, for them, they want to have a longer threshold before they start declaring those accounts abandoned. Otherwise, they're going to be fielding calls to the help desk because people can't get access when they need. So, you have to kind of use your best judgment there and look and see how these things make sense in your business. You've got privileged access governance, you know, I talked about this earlier in the example of, you know, the accountant, you know a lot of people think of privileged access as what I call IT privileged access, but, you know, look at other people in your organization that have privileged access, even within your applications. So you got to take a really good look at that as well.
Next, we've got poor password management. You know, again, we talked about that earlier in the presentation, but you know, you've got to make sure you strike a good balance between the password strength and complexity that you have for people and you know, what options you give for them to manage their passwords if applicable, you know, if they need to reset an account, a password or unlock an account, you know is there an easy way to do that? Are you going to tax your help desk?
One of the items I didn't talk about earlier was unnecessary and unused entitlements. I see this a lot, typically, when I work with an organization and I'm going through their entitlements, and the pieces of access and their catalogs, and libraries of people that people could access, I typically will see in the neighborhood of at least 50% of the entitlements that that company has are unnecessary or they're unused completely. They have nobody assigned to them. And so this is, you know, it's really good to kind of clean up. I think it's natural that it happens because over time companies add more applications and they're quick to add the security groups and the access for those applications, because you know, it's necessary, but when it comes to removing the old access or removing the old groups that may no longer be needed, companies are a little less hesitant to do that, because, they're afraid. When I talk to people, I ask them, "I'm like, why do you do that?" And they say, "Well we're afraid we're going to break something." So over time, those kinds of things build up and it makes the environment complex and makes it hard for people to know, you know, what's what should be there, and what shouldn't.
b. Segregation of Duties
We talked about Segregation of Duties earlier. You know, the example I used was, you know the accountant who could create a purchase order and approve a purchase order, you know you might not want combinations like that. And then another interesting one, is nested access. So this goes to the complexity of an organization or an environment where I see oftentimes people only focus on that top level of access that people have. So for example, if you take active directory the supports, the idea of nesting, if you look at what somebody has at the top level and only focus on that, you know you're going to miss what people really have access to, what they effectively have access to down in the nesting.
I see a lot of people overlook that nested access and compliance reviews and certification reviews, and it also just contributes to the complexity of the environment. So that's something that you really need to look at. I would keep in mind, it's not enough to just create the policy but you need a way to enforce and monitor how things are going, and you know, what, you know, determine up front what you're going to do when you find access that violates the policy. So for example, you know you've got abandoned accounts, well, what are you going to do when you find an abandoned account? You know, what's the policy are you going to delete it? Are you going to, you know, notify somebody, et cetera.
c. Periodic Access Reviews
The second area there is doing periodic access reviews. So, you know, I think a lot of people on the call are probably familiar with that. It's, you know, it's having somebody go through a review process to review the access. Common types of access reviews that I see probably a manager review and application owner review are the two most common types. So the manager review, you know, is kind of what it says. A manager is going to go through and review the access of their direct reports and, you know, certify or attest to the fact that it's all the access is necessary or maybe there's something that's not needed. Now, the problem to be aware of with manager reviews is that a lot of times the managers may not even know what access the employees need, right? They don't know all the details. They might know they need access to SAP but when it comes down to all the little individual permissions, they may not know that. And we'll talk about a solution for that a little bit later, similar to manager reviews you got your application owner reviews where the owner of the application let's take SAP again.
They're going to review all the people who have access to the SAP application, and they're probably going to be in a better position to know this person has a certain job title and they've got SAP access and this is probably what they should have. So they're going to be in that, and they're going to have that role specific knowledge or the application specific knowledge. If you're implementing role-based access controls or roles within your organization, then you're going to want to periodically do role reviews. So this is where you're going to have a role owner somebody in the organization assigned and that has responsibility for that role, and you're going to want to review that periodically to make sure it has the right access. Are you giving people that role? And then after they get it, they're going immediately and requesting always requesting three or four other things. If so, maybe, you need to review that role definition and add those items in.
And then the last thing, just to talk about this concept of micro certifications, when a lot of people that you talk with think about roles are, think about access reviews, they think about a broad review, right? I'm a manager reviewing all my direct reports, I'm an application owner reviewing all the people who have access to the application. Micro certification, think of that as a less of a time-based review, and more of an event based review. So somebody has hit a threshold they've maybe they begin been given a combination of access that's not appropriate. They've done something that they changed jobs. They've done something that we might consider that could potentially introduce risk into the organization, so maybe we want to notify their manager and let the manager look at just that specific event based risks, right? Don't review all the access the employee has but just look at the specific access around the risks. So they're much more targeted, they don't happen on a certain frequency they happen on an event basis. All right.
d. Role Based Access
And then finally, you know, as we go through and we look, we've got the role-based access, okay? So this is basically a third way that we're going to talk about that organizations can mitigate risk. And this is by focusing on something I mentioned earlier R-bac or role-based access control. And so the key here is to have well-defined roles. I mean, well defined roles are really important to understanding risk in your organization. You want to use a solution to help you design these roles that takes a visual first approach to role design. I see way too many organizations that try to use spreadsheets to tackle and take on the role problem. I mean, the reality is that in larger organizations, spreadsheets just aren't effective in helping to understand access and figuring out, you know what various departments and job functions have in common. Another thing is key is understanding the underlying analytics for access and defining roles. This is another area where again I see a lot of people trying to use spreadsheets.
I think it's just natural to try to use spreadsheets to try to solve some of these types of problems and, you know, from talking with different people I can understand why spreadsheets fail to hit the mark. It's because, you know, in the underlying analytics they just can't understand that and understand the access in the way that you would need a solution that can analyze all that access data for you, and very easily allow you to see what common access users have. Finally, even better, you need a solution that can make real recommendations based on the data you're analyzing. So it's one thing to be able to look at the data and easily understand it and build your own roles, but you know, having a technology that can, you know look at all your different departments, your job titles, and job codes, your managers, your applications, and, you know, we'll make recommendations for roles that you might want to consider, you know going through, again and going through that stuff with a spreadsheet can just take forever. And so, I mean, Holger, I believe there were some role-based questions in this year's survey. Does that align with the results?
- [Holger] Yeah, absolutely, it does. And the role-based access control actually ranked number one among our survey respondents, right? As the most important IAM capability. What's a little surprising though, is that, even though so many organizations feel, you know it's an important element of their IAM program, about half, right? As we said, 54% are only somewhat confident in their ability to design roles, right? And Mike, on this note, let me ask you is this an area where many organizations, you know are looking to simplify or enhance their capabilities and if so, how can Core Security help Mike?
Increasing Confidence in Role Designing & Access Management
1. Visual First Approach
- [Mike] Yeah, absolutely. So, I mean, I think there's a number of ways to role design. Core Security provides a visual first approach, like I mentioned earlier that allows organizations to move beyond spreadsheets, you know, for creation and management, ongoing management of roles and access reviews. And, you know, really this enables organizations to quickly see common user entitlements, you know, rapidly identify outliers and enhance access certification accuracy. You know, we're able to utilize underlying data intelligence to group like-access together in clusters which makes it easy to see which users are missing access and you know, which users have outlying access. And here's how the visual first approach and analytics work in a real type scenario. So you can, you know, you can see on the screen now, we're looking at users that are in the QA department and you can see the matrix in the upper right-hand part of the screen, the blue dots represent access, you know, and we've clustered the data together.
So it's very easy to see visually what entitlements and what access those users have in common. You know, so if you're going to go in and build a role around this, you know you might select something along the lines of what's highlighted there in green. Also the Core Security software can also look at the data, and in addition to, you know, looking at what's been loaded and considering the roles you've already built, it can actually go in and highlight other access automatically that you might want to consider, either to include in your current roles, or you might want to create separate roles altogether that handle that access. So, you know, you get all the visualization and the data intelligence to make your own decisions. The system can also look at the data, look at any roles you built, and it can make suggestions. We call them Smart Roles on other types of access that you might want to consider.
2. Identity Solutions
Core Security also does a lot more than just role design, we have a complete identity solution. Starting on the left, we've got our Access Assurance Suite which is our IGA offering. It does things along the lines of automated provisioning. I talked earlier about access around the user life cycle so we can help organizations automate that through our provisioning solution. We can do access reviews and compliance management with that suite as well, as well as providing a portal to do access requests and approvals and managing that whole process. We've also got our Visual Identity Suite which was what I just showed you on the previous slide. And that really helps companies, you know take advantage of that visual first approach to role design as well as access certification.
We've got Core Access Insight, which basically does intelligence analytics for access data to help identify and prioritize risks. A lot of the things I talked about earlier, abandoned accounts and things of that nature can be done through Core Access Insight. We actually, we actually have a Core Password and Secure Reset our self-service password reset and account unlock solutions. So we provide whole series of workflows for organizations that they're looking to, you know, come up with better password management policies, they're looking to offload calls to the help desk. We've got a lot of solutions there that we can provide a lot of different methods to do authentication and help with those types of problems. And finally, we've got Identity and Access Manager BoKS that helps out with privileged access management, and this solution is really mainly focused around a Unix type environment.
And so, you know, kind of just, you know ending the presentation here, I'd say, you know, IAM technology could help you with do more with less. It actually helps a lot of our organizations who work with me in ever increasing audit demands, especially if you're looking at doing access reviews and certifications. It can also help your business become more secure and prepare for growth. You know, the ultimate goal being to quickly reveal and remediate access risk in your organization to help your business become more secure. If you want to get started right away, we provide something called an Access Risk Quick Scan to help you get started, a quick scans and exercise where we take a snapshot of your active directory environment and use our access insights solution to look at potential risk. And then we, you know, and those are a lot of the things we talked about earlier, abandoned accounts, orphaned accounts, unnecessary entitlements, things of that nature. And we, you know, we look and do a quick analysis and provide a report to you on that. So, all right, at this point, I think we can open it up for questions.
Q & A
1. How to Assess Success of Review Process
- [Holger] Yes, thank you, Mike. And before we take the live audience questions that are coming in, how do you prevent managers from rubber stamping? Right? How do you know that the audit and review process is actually working?
- [Mike] Okay, yeah. That's a good question because we talked a little bit about, I mean obviously we talked about doing access reviews, right? And one of the big problems I didn't talk about rubber stamping a lot but one of the bigger problems we see with manager reviews in particular is that, you know an access review is not, you know it's not something that let's be honest, the managers enjoy. Typically they're being asked to make a lot of decisions. If I've got, you know, 20 people that report to me and each of those people, you know, has a hundred different entitlements, you know I've got 2000 different steps, I've got to take, there are 2000 different pieces of access I've got to go through and review and, you know, managers, that's just very time consuming.
So what we see is this thing called rubber stamping where, you know, a manager starts out with a review and eventually they get to a point and they're like, look I can't, I've got other things I got to do. I can't take all this time, and so they just go and take the rest of the items that are there, and they just go accept, accept, accept, and they don't really look at them and give them the time it takes, and so this obviously leads to, you know it might lead to them not completing the review. It might lead to them making, you know, bad decisions right? They didn't really think about what they were doing, and so when you go to the second part of that question and ask, well, how do you know if the audit review process is working?
In order for the process to "work," it's got to be something that the reviewers, in this case the managers can actually complete. So, you know, if you've got your managers going in and actually performing the review process in a timely manner and not complaining about things, then, you know they're going through and, you know looking at the access and making the decision. And then, you know, when you look at those decisions they're making, you know, are they, when you review those decisions, are they actually need to clean up, right? Are they identifying access from a particular user that, you know, was appropriate to be removed? You know, for example, somebody may have moved from one department to another or one job title to another. And when that new managers reviewing access they may find that there's old entitlements or old access that was never removed from the old job function. Things like that are what let you know, that the audit and review process is working.
2. Finding Optimal Frequency of Access Reviews
- [Holger] There you go, thank you, Mike. The next question, you mentioned periodic access reviews. How often do you typically recommend auditing your employee access privileges?
- [Mike] Okay, that's a good question. So, and you know, the answer is going to be a depends on a couple of factors. So what I see is, for a lot of organizations that don't have, you know an IAM solution in place, they don't have software and good processes for doing reviews and it's very manual for them, they're probably going do it obviously very infrequently. And, you know they may do it only as often as they're mandated, right? They may do an annual review or maybe a semi-annual review of access. And it's typically they do that infrequently because it's very time consuming, It takes a lot of resources and a lot of focus off the organization. And so when you introduce a technology that helps you do those reviews, what I see is people that they're able to do reviews more frequently, right? And so that enables them to uncover risks sooner rather than maybe having it sit around for six months or a year within the organization.
So when you ask about recommendations, what I typically see people doing is maybe annually or semi-annually, or maybe quarterly they'll do what I'll call a blanket access review, right? Where, they'll do like a manager review let's say, and they'll review all the applications and review all the employees, you know and that happens typically, you know maybe annually or semi-annually. But then what they'll do is they'll take certain types of applications, like, you know applications that have a lot of information. Maybe they got PII in them, or their critical applications to the business, and they'll take those and single those out and do reviews on that much more frequently. So they might do reviews on those types of systems, quarterly, maybe even monthly, you know, and they're more focused, and they want to place more importance on those.
3. Communicating With Leadership to Prioritize Risks
- [Holger] Excellent, thank you, Mike. It looks like we have time for one more question. Do you have any tips for getting buy-in and support from leadership to prioritize access risks? Mike.
- [Mike] Okay, so this is a good question because a lot of times when I talk with people, you know so sometimes when we talk with people, it's after something has happened, right? A breach has happened or, you know, something has happened that's elevated risk up to a management level or a board level. And so, you know, there's more focus now on solving those issues, and so sometimes we'll get calls from customers or prospects that are in that state, something's already happened to them and, you know, management's already aware of the risks, but we do talk to a lot of people who, you know they do have issue trying to get leadership to understand the risks and prioritize the risks.
When I talk with them obviously you can always try to educate leadership but to be honest with you what I've found is, it's best to show, if you can actually show the risk in your organization, that's much better than trying to just educate them on potentials. And so, you know, I mentioned earlier, the Access Risk Quick Scan, or, you know, if you can actually go into some of your data and look at it, you know and identify abandoned accounts or identify orphaned accounts, things of that nature if you can go through the data obviously we can help you do that, or you can just do it yourself, but if you've got a way to go in and grab that information out and actually present that to leadership, I've found that that's the best way to have them understand and prioritize that risk.
- [Holger] Thank you, Mike, for sharing your insights on how to better manage access risk. And with that, we're at the finish line for today's session. Now, as we're closing this webinar, I'd like to thank all of you for joining us. I hope you enjoy today's presentation, Mike, again thanks so much for your insights, it was a pleasure, and thank you for presenting today.
- [Mike] Great, thanks for having me.
- [Holger] This concludes today's session. I hope we will see all of you again at one of our future webinars. Thanks everyone, have a great day, stay safe.
Discover the most intelligent and efficient path to mitigating identity risk in your business.
Get a live demonstration of our identity governance solutions from one of our experts.