Access Management Questions to Ponder

David Ting
Feb 03, 2012

I was reading about the recent access management related breach at the California Water Services Company, where an auditor resigned, but illegally accessed computer systems to steal more than $9 million before leaving. While the company should be lauded for catching the fraud before the wire transfers could go through and irreparable damage could be done, it should serve as another cautionary tale in what has become a recurring theme on the application security front. This is just one more saga in an every growing litany of tales of breaches that we’ve hearing about.

If you’re looking to review your authentication and access management policies, here’s a quick list of topics to focus on and questions you should ask yourself:

Orphaned Account Clean Up
This is a classic and recurring vulnerability in most organizations, and a priority for getting your house in order. When an employee leaves an organization, too often his access to sensitive applications and information is left open. Organizations run into trouble when accounts can’t be quickly deactivated, or if they lack a direct correlation between employee names and the accounts they were credentialed to access.
By using technologies like single sign-on, organizations can view access records, employee access rights, and accounts that need to be removed. Deactivating orphaned account access is a critical first step towards comprehensive enterprise security.
Questions to ask: Can we track which employees have access to specific systems? If the employee leaves, can we quickly deactivate access? Do you have the means to gain visibility into what application accounts your users access? If you don’t then it is time to think about how to regain some control.

Controlling User Privileges
Too often, security and employee productivity are viewed as being at odds with each other – this doesn’t have to be the case. A good security policy ensures that employees have the access and information required to perform their job function, but at the least level of access.
Questions to ask: Do we understand what privilege levels each individual user has been given? Do they have the lowest level of access privilege required to do their job? What mechanisms do you have to elevate their privilege level, even temporarily and can you control it?

Defining Organizational Roles
Defining roles in an organization is critical to a strong authentication policy. Assigning access by organizational role provides greater insight into what applications users are touching and if access rights are in accordance with the privilege rights provided. Organizations usually have little to no role definition, or go to the other extreme by creating too many roles, which can be unmanageable. Start by getting a handle on who is accessing what. Discuss organizational roles with your business managers to figure out what users need to touch to do their jobs, and then set reasonable boundaries for access outside those defined roles.
Questions to ask: Have we defined roles in our organization? Do the defined roles go far enough? Are our current roles manageable? Again the question goes back to having enough information on what applications your users are actually touching. single sign-on systems that provide detailed reports on usage patterns are invaluable during the role discovery phase.

Testing the Backup Systems
Properly functioning backup systems are crucial to business continuity. Too often, organizations are faced with a situation that requires backup or recovery, only to find out that the procedures, passwords or location of the data are nowhere to be found. Organizations need to ensure they have no dependencies on administrative accounts or employees that may have left the organization. It’s like testing a fire system – you have to make sure it works. In this instance, backup systems will only work if you still have control over them.

Questions to ask: Do we regularly test backup systems? Can we access them? Are they protected with passwords that may reside with employees?
If you ask yourself these questions, and answer “no” to any of them, then you may be at risk. What questions keep you up at night? email me and let me know.