Have you ever noticed that when you buy your first house you start with a set of keys and over time, you accumulate possessions? Perhaps it is the baby’s first bassinet. Next comes the stuffed animals and the Legos. Before you know it, you’ve acquired the next-gen video game console followed by the next next-gen video game console. It’s not until you sell the house that you realize you’ve accumulated all of these belongings, but never purged the ones that are no longer needed.
There is a striking similarity between this scenario and the entitlements lifecycle at a company. IT and Information Security organizations typically do a good job documenting and executing the ‘new hire’ business process. That is, the HR department hires a new employee and begins the process to get the employee their network account. This is the proverbial keys to the front door. When the employee leaves the organization, HR performs their termination process and takes back those keys. This is called the hire-to-retire process.
However, organizations historically have much more difficulty managing the entitlements an employee accumulates throughout their tenure. This slow layering of entitlements is called entitlements creep as users slowly gain more and more access to systems and role-based access controls (RBAC) without removing access that is no longer needed. Examples include the domain administrator who was promoted to a managerial role, the corporate buyer who moved on to procurement management and now has approval responsibilities, and the engineer who had access to intellectual property but no longer needs the detailed design specs.
I often hear justification of entitlements creep with comments such as What’s the big deal, It’s just a little extra access, and We trust our employees. Why is this a significant problem in Information Security and to companies throughout the world?
Consider the statistic that 60% of data breaches were a result of insider threats (both unintentional and/or malicious). How many of those threats could have been prevented if the employee’s access was removed when it was no longer required? Additionally, if the organization is a publicly traded company, failure to remove RBAC in a system could result in segregation of duties (SoD) violations. One classic SoD violation is the ability to create a new 3rd party vendor for a company and also approve payments for that vendor. This violation creates the possibility for a malicious actor to establish a fictitious vendor and then make fraudulent payments to that vendor. These SoD violations could even result in a material finding from the company’s external auditors and could result in a documented finding in the company’s annual report.
So how does an organization prevent entitlements creep? There are multiple considerations that determine how a company can best address this risk. Company size, budget, and cybersecurity maturity are all factors. For example, large organizations with significant cybersecurity budget and structured organizational charts could use an Identity Governance Management platform to automatically provision users based on their job. As an employee moves to a new position, the required system access is automatically added while obsolete access is removed. Less structured organizations may choose to use workflow processes to request new access. This process can include management validating the employee’s existing access in addition to approving the newly requested access. Lastly, management could conduct reviews of system access and RBAC on a routine basis. This process could be automated through an Identity Governance Management platform or it could be as simple as populating a spreadsheet and asking management to review the content.
Regardless of how an organization goes about access reviews, the most important thing is that they acknowledge and address the risks of entitlements creep. Doing so will reduce the potential of a data breach, reduce audit risk, and ultimately improve the overall posture of cybersecurity within the organization.
~ Joe Klein, SideChannel Principal Consultant.
