Customers mismanaging access

While companies spend millions on stifling data leakage, they are largely doing a subpar job at watching the levels of access various employees have

Businesses may be spending millions on expensive security technologies aimed at thwarting data leakage and compliance violations, but many companies are still failing to sufficiently address access controls for protected information and IT systems.

According to the latest report from Ponemon Institute, most IT workers readily admit that their companies are doing a substandard job of keeping tabs on the level of access available to employees, temporary workers, and independent contractors.

In Ponemon's 2008 National Survey on Access Governance, based on interviews conducted with roughly 700 IT professionals, 78 percent of those people surveyed reported that their employers are not regularly reviewing policies or tools that control admittance to their systems or information.

The situation has resulted in an environment where many workers retain the ability to view sensitive data or manipulate IT systems that they should not be able to access based on their job responsibilities, researchers said.

Some 69 percent of those interviewed said that their companies' access policies were either enforced poorly or not at all, with only 30 percent of respondents stating that their organizations go to the trouble of validating their guidelines.

The overwhelming lack of proactive efforts to keep a handle on issues of access are somewhat shocking based on all the attention being given to data security and compliance issues over the last several years, and many business could greatly improve their overall standing simply by improving their policies and enforcement capabilities, said Larry Ponemon, chairman and founder of research firm.

"Traditional approaches, including homegrown technologies and manual management processes, have proven to be fraught with failure and risk. Unless enterprises acknowledge business as usual is failing, we believe rampant access mismanagement will continue to plague organizations," Ponemon said. "When it comes to access rights, companies don't want to constrain workers and make their jobs harder, but they have to manage things in a more systemic way that look at the risk versus the benefits, and many organizations are obviously having difficulties with that."

Approximately 55 percent of those participating in the survey said that their employers' ability to grant access based on a worker's role and job function is either poor or nonexistent, including 42 percent who said that their companies have no policy to manage things in such a manner.

The rapid pace of change in the responsibilities among today's workforce is one of the biggest hurdles that companies struggle to overcome, said executives with Aveksa, a maker of access control software that sponsored the Ponemon report.

"This entitlement drag issue is a major problem. IT organizations are under pressure and often either valued or devalued by business based on how quickly they deliver access," said Brian Cleary, vice president of Marketing for Aveksa. "Clearly, the findings here show that that while companies are doing a good job of providing initial or changed access, there is no automated way to go back and make a determination to understand if a workers' current level of access is appropriate."

Lessons learned from Jerome Kerviel
Issues of access control are of fundamental importance to corporate risk management, perhaps best exemplified by the recent reports of the activities of Jerome Kerviel, a stock trader at French firm Société Générale who is accused of losing nearly $8 billion of his company's capital in unapproved transactions carried out by circumventing rules built into the brokerage's IT systems.

Had Société Générale been actively monitoring the access controls for its transactional systems, Kerviel likely would have been caught long before he gambled away such a stunning amount of money, the experts contend.

A major factor contributing to the continued loopholes in access management is a lack of support for improving policies and applying technologies used to govern the issue by senior management in many companies, according to the report. Some 74 percent of respondents indicated that senior management in their companies does not view access governance as a strategic security imperative. "It seems that the perception is that it's still tough to get senior executives to sign off on the necessary funding, but situations like Société Générale may help prove how big of concern this really needs to be," said Ponemon.

Another major contributor to the problem is the need for cross-organization collaboration, which complicates issues of access dramatically.

And while 83 percent of those people responding to the survey said that collaboration among business units, audit and compliance groups, and IT security departments is vital to keeping their operations in line with government regulations, 57 percent said those teams never partner to oversee access issues.

"This has to be an area of great concern, because if companies consistently score poorly on compliance audits it's been proven that this actually starts to diminish their reputation and brands," Ponemon said. "And as more organizations suffer losses, there will likely be new regulations put in place that make it even harder to operate; most businesses I know don't want more regulations, but if more people fail to create their own controls, more regulators will get involved."