How role-based access control can solve the problem of enterprise data security
Controlling access to sensitive data is of utmost concern for the world’s most complex business and network environments. The amount of security-related data stored across a network is immense for many organisations, and relating all this data to the user’s account information in Active Directory can be tricky and time consuming.
Proper data security has three phases. The first is ensuring that a new employee's accounts and access rights are created correctly when the employee is onboarded. The second is ensuring those access rights remain accurate and up to date throughout each employee's tenure with the organisation.
The third, and most critical, phase is the revocation of access rights when an employee leaves the organisation.
With these phases identified as the most critical aspects of defining roles and protecting data in a network environment, a more detailed look at the solutions for achieving each of the three phases is required.
A simple but profoundly effective solution is role-based access control. Developing and using a role-based access control matrix in conjunction with an identity management solution means organisations are able to ensure that accounts for new employees are always created with the proper access rights. The first step is therefore to define the roles that employees hold in the organisation. A role is usually a combination of department, location and job title. While establishing the data access rights, group memberships and application requirements for each role can be time consuming, the end result is a template that serves both for creating new employee accounts and as an audit baseline in the future.
Access rights to data nearly always creep into multiple areas over an employee's tenure with an organisation. Rights are assigned to an employee for special projects, while one employee is covering for another on leave, or when an employee changes departments and responsibilities. The revocation of these special or historical rights occurs infrequently at best. Software solutions are available to analyse the rights of employees and make the information actionable.
Don't like audits? Better get used to them. They're required to successfully manage information and access rights. Here, though, they are not as bad as financial audits. Once an audit of access rights is performed, it can be compared against the baseline template initially established for each employee role. Any deltas can then be sent to managers and system owners for verification or revocation of the rights.
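The following is an added example, not code from the original article. It puts the two ideas above together: a role key built from department, location and job title, a baseline matrix of entitlements per role, and an audit that diffs each user's actual entitlements against the baseline and groups the deltas by manager for verification. The role matrix, entitlement names and user records are constructed sample data; real deployments would load them from the identity store and the applications themselves.

```python
"""Role-based access baseline and entitlement drift audit (added example).

Role keys, entitlement names and the user records below are constructed
for illustration and are not taken from the article.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Baseline matrix: (department, location, job title) -> entitlements the role is allowed.
# Constructed sample data.
ROLE_MATRIX = {
    ("Sales", "London", "Sales Rep"): {"AD:Sales-Users", "CRM:read", "BI:dashboard"},
    ("Sales", "London", "Sales Manager"): {"AD:Sales-Users", "AD:Sales-Managers", "CRM:read",
                                           "CRM:write", "BI:dashboard", "BI:export"},
    ("Finance", "London", "Analyst"): {"AD:Finance-Users", "ERP:read", "BI:dashboard"},
}


@dataclass
class User:
    username: str
    department: str
    location: str
    title: str
    manager: str
    entitlements: set = field(default_factory=set)

    @property
    def role(self) -> tuple:
        return (self.department, self.location, self.title)


@dataclass
class Finding:
    username: str
    manager: str
    role: tuple
    excess: set        # held but not in the baseline: candidates for revocation
    missing: set       # in the baseline but not held: provisioning gaps
    unknown_role: bool = False   # role has no template at all, so nothing to compare against


def audit(users: list[User]) -> list[Finding]:
    """Compare each user's entitlements against the baseline for their role."""
    findings = []
    for u in users:
        baseline = ROLE_MATRIX.get(u.role)
        if baseline is None:
            # An undefined role is itself a finding: the matrix is incomplete.
            findings.append(Finding(u.username, u.manager, u.role, set(u.entitlements), set(), True))
            continue
        excess = u.entitlements - baseline
        missing = baseline - u.entitlements
        if excess or missing:
            findings.append(Finding(u.username, u.manager, u.role, excess, missing))
    return findings


def by_manager(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group deltas by manager so each manager receives one verification request."""
    grouped: dict[str, list[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.manager, []).append(f)
    return grouped


# Constructed sample users illustrating the drift patterns described in the article.
SAMPLE_USERS = [
    # Alice matches her role template exactly.
    User("alice", "Sales", "London", "Sales Rep", "bob",
         {"AD:Sales-Users", "CRM:read", "BI:dashboard"}),
    # Carol covered for a manager on leave and kept CRM:write and BI:export.
    User("carol", "Sales", "London", "Sales Rep", "bob",
         {"AD:Sales-Users", "CRM:read", "CRM:write", "BI:dashboard", "BI:export"}),
    # Dave moved from Sales to Finance but his old Sales group was never removed.
    User("dave", "Finance", "London", "Analyst", "erin",
         {"AD:Finance-Users", "AD:Sales-Users", "ERP:read", "BI:dashboard"}),
    # Frank's role has no entry in the matrix.
    User("frank", "IT", "Amsterdam", "Contractor", "erin", {"AD:IT-Admins"}),
]

if __name__ == "__main__":
    for manager, items in by_manager(audit(SAMPLE_USERS)).items():
        print(f"Verification request for manager {manager}:")
        for f in items:
            if f.unknown_role:
                print(f"  {f.username}: role {f.role} has no baseline; holds {sorted(f.excess)}")
            else:
                print(f"  {f.username}: revoke? {sorted(f.excess)}  missing: {sorted(f.missing)}")
```

Running the audit on the sample data flags Carol and Dave for revocation review and Frank for an undefined role, while Alice produces no finding. The "missing" set is reported as well, because an onboarding gap is also a deviation from the template.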
The next step in the data security process is one that is often overlooked or not performed in a timely fashion. The termination of access rights to the network, data and all applications, including cloud-based solutions, must be accomplished immediately upon an employee’s termination.
An example: a terminated sales rep at a large organisation had his network access revoked immediately upon departure. The organisation did not, however, have a process in place to disable access in a timely manner to a cloud-based business intelligence application. The terminated employee realised the account was still "live" and proceeded to download more than 10,000 records over the course of the next 30 days, at a cost to the company of more than $6,000.
Imagine the costs if 10, 20 or 30 terminated employees did this very same thing in a short period of time. It happens. The majority of breaches are inside jobs. Though this example may not paint the picture of a hacker breaking into a system, there was no need for the employee to break into anything. The organisation simply left the side door wide open. No key required.
When putting a process in place to handle terminated employees, the most common scenario is a link to the HR system. When an employee is terminated, a synchronisation process needs to be in place to handle the decommissioning of accounts in all internal and external systems.
Using web application programming interfaces (APIs) to automate the process saves time and money in the long run. Where automation is not feasible, an email workflow process should be established so that system owners are notified to terminate the account, with positive confirmation required to establish that the work has been completed.
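As an added example (not the article's own code), the following sketches the leaver process described above: an HR feed drives deprovisioning, systems with an API are disabled directly, and systems without one get an emailed ticket that stays open until the owner positively confirms completion. The HR records, system names, owner addresses and connector classes are constructed; the API connectors are in-memory stand-ins for whatever identity-management or application APIs an organisation actually has.

```python
"""Leaver deprovisioning driven by the HR feed (added example).

All systems, accounts, addresses and HR records below are constructed
for illustration; the connectors simulate real APIs in memory.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date


@dataclass
class ApiConnector:
    """System with a web API: accounts can be disabled directly (simulated)."""
    name: str
    accounts: dict = field(default_factory=dict)   # username -> enabled flag

    def disable(self, username: str) -> bool:
        if username in self.accounts:
            self.accounts[username] = False
            return True
        return False


@dataclass
class ManualSystem:
    """System with no API: the owner is emailed and must confirm completion."""
    name: str
    owner_email: str


@dataclass
class Ticket:
    username: str
    system: str
    owner_email: str
    opened: date
    confirmed: bool = False


class LeaverProcess:
    def __init__(self, systems):
        self.systems = systems
        self.tickets: list[Ticket] = []
        self.log: list[str] = []
        self.outbox: list[str] = []   # stand-in for sent e-mails

    def process_hr_feed(self, feed, today: date) -> None:
        """Offboard every record the HR system marks terminated as of today."""
        for rec in feed:
            if rec["status"] != "terminated" or rec["termination_date"] > today:
                continue   # still active, or a future-dated termination
            self.offboard(rec["username"], today)

    def offboard(self, username: str, today: date) -> None:
        for s in self.systems:
            if isinstance(s, ApiConnector):
                ok = s.disable(username)
                self.log.append(f"{username}:{s.name}:{'disabled' if ok else 'no-account'}")
            else:
                t = Ticket(username, s.name, s.owner_email, today)
                self.tickets.append(t)
                self.outbox.append(f"To {s.owner_email}: disable {username} in {s.name}; reply CONFIRM")
                self.log.append(f"{username}:{s.name}:ticket-opened")

    def confirm(self, username: str, system: str) -> bool:
        """Record the owner's positive confirmation; returns False if no open ticket matches."""
        for t in self.tickets:
            if t.username == username and t.system == system and not t.confirmed:
                t.confirmed = True
                return True
        return False

    def overdue(self, today: date, max_days: int = 1) -> list[Ticket]:
        """Unconfirmed tickets older than max_days: these need escalation."""
        return [t for t in self.tickets if not t.confirmed and (today - t.opened).days > max_days]


TODAY = date(2024, 3, 1)   # constructed run date

# Constructed HR feed: Alice left today, Bob is active, Carol's termination is future-dated.
HR_FEED = [
    {"username": "alice", "status": "terminated", "termination_date": date(2024, 3, 1)},
    {"username": "bob", "status": "active", "termination_date": None},
    {"username": "carol", "status": "terminated", "termination_date": date(2024, 3, 10)},
]


def run_demo() -> LeaverProcess:
    systems = [
        ApiConnector("Active Directory", {"alice": True, "bob": True, "carol": True}),
        ApiConnector("Cloud BI app", {"alice": True}),   # the side door from the article's example
        ManualSystem("Legacy payroll", "payroll-owner@example.invalid"),
    ]
    p = LeaverProcess(systems)
    p.process_hr_feed(
        [r for r in HR_FEED if r["status"] != "terminated" or r["termination_date"] is not None], TODAY)
    return p


if __name__ == "__main__":
    p = run_demo()
    print("\n".join(p.log))
    print("\n".join(p.outbox))
    print("overdue after two days:", [t.system for t in p.overdue(TODAY.replace(day=3))])
```

The point of the ticket and `overdue` check is that an email alone is not a control: the account is only considered closed once the owner confirms, and anything unconfirmed past the deadline is escalated rather than assumed done.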
Organisations must implement the security measures necessary to ensure that an employee's access to data, groups and applications is appropriate throughout their tenure. Equally critical is the revocation of all account access when they depart. Failure to meet these criteria can lead to theft of data and costly access to external applications.