Businesses may be spending millions on expensive security technologies aimed at thwarting data leakage and compliance violations, but many companies are still failing to sufficiently address access controls for protected information and IT systems.
According to the latest report from Ponemon Institute, most IT workers readily admit that their companies are doing a substandard job of keeping tabs on the level of access available to employees, temporary workers, and independent contractors.
In Ponemon's 2008 National Survey on Access Governance, based on interviews conducted with roughly 700 IT professionals, 78 percent of those people surveyed reported that their employers are not regularly reviewing policies or tools that control admittance to their systems or information.
The situation has resulted in an environment where many workers retain the ability to view sensitive data or manipulate IT systems that they should not be able to access based on their job responsibilities, researchers said.
Some 69 percent of those interviewed said that their companies' access policies were either enforced poorly or not at all, with only 30 percent of respondents stating that their organizations go to the trouble of validating their guidelines.
The overwhelming lack of proactive efforts to keep a handle on issues of access is somewhat shocking given all the attention paid to data security and compliance issues over the last several years, and many businesses could greatly improve their overall standing simply by improving their policies and enforcement capabilities, said Larry Ponemon, chairman and founder of the research firm.
"Traditional approaches, including homegrown technologies and manual management processes, have proven to be fraught with failure and risk. Unless enterprises acknowledge business as usual is failing, we believe rampant access mismanagement will continue to plague organizations," Ponemon said. "When it comes to access rights, companies don't want to constrain workers and make their jobs harder, but they have to manage things in a more systemic way that look at the risk versus the benefits, and many organizations are obviously having difficulties with that."
Approximately 55 percent of those participating in the survey said that their employers' ability to grant access based on a worker's role and job function is either poor or nonexistent, including 42 percent who said that their companies have no policy to manage things in such a manner.
The rapid pace of change in the responsibilities among today's workforce is one of the biggest hurdles that companies struggle to overcome, said executives with Aveksa, a maker of access control software that sponsored the Ponemon report.
"This entitlement drag issue is a major problem. IT organizations are under pressure and often either valued or devalued by business based on how quickly they deliver access," said Brian Cleary, vice president of Marketing for Aveksa. "Clearly, the findings here show that that while companies are doing a good job of providing initial or changed access, there is no automated way to go back and make a determination to understand if a workers' current level of access is appropriate."