Access Control: Moving Beyond Compliance

Threats to access control is inevitable because of the participation of human control of the technological business environment which creates constant threats, deliberate or accidental, to confidential information.

The rapidly changing technological landscape is ushering in efficient decision making and process enhancements that enable extraordinary growth in global commerce. However, with myriad of devices interconnected to multiple access points handled directly or indirectly by the human workforce is introducing unique challenges to business organizations. Therefore, access control attains a status of paramount importance in the information security management system (ISMS) sphere. The dynamic complexity and the increasingly crippling impacts of inefficient identity and access management demand, more than any other type of risk corporations face today, a diverse degree of prioritization, untiring attention, and resources. Enterprises that regard diligent and effective access control measures as a significant component of information technology risk management can safeguard against evolving threats and monetary loss.

Unauthorized Access is Big Business

The Global Identity and Access Management Market 2016-2020 report by Research and Markets forecasts that the world identity and access management market will advance at a CAGR of 24.73% during the period. The study establishes that business entities confront constant threats from users attempting to gain unauthorized access to classified information.

On the other hand, the 11th Annual Cost of Data Breach Study from the Ponemon Institute and IBM found that the average consolidated total cost of a data breach increased to $4 million in 2016, from $3.8 million in 2015. The study involved interviewing IT, compliance, and information security practitioners representing 383 organizations across 16 industries and in 12 different countries over a period of 10 months.

The research presents detailed information about the financial consequences of a data breach, highlights that the average cost incurred for each stolen or lost record containing classified information grew from $154 to $158. The report puts the likelihood of a material data breach involving 10,000 lost or stolen records in the next 24 months at 26 percent.

Further, a May 2016 online survey by Beyond Trust – titled the Privilege Benchmarking Study 2016 – found that close to three-quarters of government respondents believe lack of efficient access controls puts enterprises at high risk of data theft. In the study involving over 500 senior IT and security experts from around the world, government participants reported that 20 percent of users have more privileges than they require. The survey found numerous discrepancies in the way respondents approach privileged access.

According to BeyondTrust President and CEO Kevin Hickey, “This study confirms one of the unfortunate truths about data breaches today – namely, that many of them are preventable using relatively simple means.” “Companies that employ best practices and use practical solutions to restrict access and monitor conditions are far better equipped to handle today’s threat landscape,” he added. Research and Markets report echoes the same sentiment as it states that organizations’ success depends on how well they can integrate risk management and automated internal control systems with their business activities and decision making processes.

Access Control Compliance is not Enough

However, the intentions of monitoring regulatory compliance have outgrown the capabilities and diligent efforts of effective access control. Success in access control has remained elusive for organizations as they have often aimed at meeting the demands of compliance rather than adopting practical solutions which could actually reduce risk and improve operational efficiency.

While staying compliant is a wise thing to do, businesses need be looking to continuously identify gaps in their security framework, evaluate the efficacy of established controls and modify or implement new controls as necessary. By following this methodology, organizations can significantly boost their compliance standing and at the same time leverage their positive results to formulate strategic action plans and lead by example.

The BeyondTrust report provides five recommendations for enterprises aiming at sharpening their efforts to mitigate privileged access control threats and we completely agree with their recommendations, including:

1. Implementation of granular least privilege policies to balance security with productivity,
2. Conduct vulnerability appraisals to form a holistic view of privileged security,
3. Strengthen business-wide password policy,
4. Improve scrutiny of privileged sessions, and
5. Integrate solutions across deployments to reduce cost and complexity, and improve results.

Organizations worldwide have started understanding their compliance requirements. However, they are still challenged with managing logical access controls and access review due to inefficient processes. Efficient access control processes would allow organizations to create a shared security culture, which in turn would strengthen an information security framework into a formidable fortress.

Organizations with access control as one of the key drivers of the information security management system (ISMS) automatically take care of legislative obligations and don’t need to strain their efforts on access control. Globally accepted standards such as the ISO/IEC 27001:2013 will complement businesses’ efforts for achieving information security and attaining business sustainability in an environment fraught with increasing threats.

Best Practices

Identifying viable resources to aid the organizations efforts for higher level access control can be as simple as password management systems that are often recommended for personal use, but seldom sought as ISMS solutions to access control vulnerabilities. Several of the quality password managers specifically designed for enterprises provide password management for projects, accounts, applications, special options for admins, and search of passwords and projects. A high-level administrator can have more than 70 passwords to manage for an organization, as is the case for one of our administrators.

Many organizations are implementing BYOD (bring your own device) policies and without proper password management these devices can lead to a multitude of vulnerabilities. The password management systems specifically aid in securing frequently used passwords for websites, mobile applications, and two-factor authentication.

Requiring employees to frequently change access passwords is not only annoying every 60 – 90 days, but often leads to weak passwords meeting the minimal parameters set by an outdated policy. Deploying an organization-wide password manager can alleviate many hassles involved in proper password management and maintenance. Many of the top headlines regarding security breaches in high profile organizations over the past couple years have revealed a startling lack of password security intelligence.

Vulnerability testing with special attention on privileged security is a must in any organization. We recommend researching several potential third parties to assist in the penetration testing and choosing the one that is budget-wise, but also can do a quality job on your behalf. Purchasing the least expensive pen-test service may result in a false sense of security and potentially lead to an incident that someone will have to answer for – it won’t be the third-party.

Treating access control as a top priority and top actionable regarding continuous improvement is crucial to any successful ISMS and the security of the jobs for those responsible for the control.