Enforce Principle Of Least Privilege Using Access Certification
As organizations grow, the number of employees, contractors, applications and application types (legacy on-premise, public cloud, SaaS, etc.) increases. This makes for a complex Identity Governance & Administration (IGA) problem. Identity Governance & Administration (IGA) helps organizations map identities, discover entitlements, check segregation of duties (SOD), and perform access reviews and certifications or attestations. As per Gartner, compliance with the “Principle of Least Privilege” is at the heart of any robust Identity Governance & Administration (IGA) program. Recently, Beaumont Health was in the news owing to a breach that went back a few years. Beaumont Health confirmed that the medical records of 1,182 patients were accessed over a period of 20 months*. A former employee accessed the medical records of patients without authorization. Unfortunately, this is just another example of the “Principle of Least Privilege” not being followed. The principle of least privilege says that a user account or service account should have just enough privileges essential for its role.
While many well-meaning Identity Governance & Administration (IGA) programs start with adherence to the “Principle of Least Privilege”, over time identities accumulate privileges. Employees move roles and change departments. A well thought out, properly designed, and implemented access certification process is an efficient and cost-effective way to achieve security. These reviews provide meaningful information to application owners to validate that an account belongs to an active employee and that the account is authorized to have access to a given application, data set or folder. Additionally, these access certifications allow application owners to evaluate accounts for segregation of duties (SOD).
Although certain compliance standards (e.g. HIPAA, FDA – 21 CFR, PCI DSS, GDPR, CCPA, FDDC and SOX) mandate a frequency for such certifications, leading organizations the world over tie the frequency and type of access certifications to the risk profile of the application. A standard application is reviewed once a year, while a financial application holding PCI information gets reviewed every month. Usage-based certifications allow organizations to monitor what each user ID does, including what data it accesses. Privilege-based certifications help organizations find excess privileges. A trigger-based access certification helps uphold the “Principle of Least Privilege” when an employee changes department or role, or is no longer with the organization.
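The review checks described in the two paragraphs above (orphaned accounts, authorization, SOD conflicts, usage-based and privilege-based findings, mover/leaver triggers, and a risk-tiered cadence) are small enough to sketch in code. The following is an added illustration written for this page, not the product of any vendor or the article's author: the HR roster, entitlement export, last-use dates, SOD rule and risk tiers are all constructed sample data, and the cadence values (30 days for high-risk applications, 365 for standard) are assumptions mirroring the monthly-versus-yearly example in the text.

```python
"""Build a risk-tiered access certification campaign from constructed sample data."""
from collections import defaultdict
from datetime import date

# Constructed HR roster: identity -> employment status and current/previous department.
HR = {
    "alice": {"active": True,  "dept": "finance",  "prev_dept": "finance"},
    "bob":   {"active": True,  "dept": "sales",    "prev_dept": "finance"},   # mover
    "carol": {"active": False, "dept": "clinical", "prev_dept": "clinical"},  # leaver
    "dave":  {"active": True,  "dept": "finance",  "prev_dept": "finance"},
}

# Constructed entitlement export: (identity, application, entitlement).
ENTITLEMENTS = [
    ("alice", "payments", "create_vendor"),
    ("alice", "payments", "approve_payment"),      # conflicts with create_vendor
    ("bob",   "payments", "view_ledger"),          # retained after move to sales
    ("carol", "ehr",      "read_patient_record"),  # account owner is no longer active
    ("dave",  "payments", "view_ledger"),
    ("dave",  "wiki",     "edit_page"),
]

# Constructed usage data: last date each entitlement was exercised (absent = never seen).
LAST_USED = {
    ("alice", "payments", "create_vendor"):   date(2024, 5, 1),
    ("alice", "payments", "approve_payment"): date(2024, 5, 2),
    ("bob",   "payments", "view_ledger"):     date(2023, 9, 1),
    ("dave",  "payments", "view_ledger"):     date(2024, 5, 1),
    ("dave",  "wiki",     "edit_page"):       date(2024, 4, 20),
}

# SOD rule (assumed): no one may both create a vendor and approve a payment.
SOD_RULES = {("payments", "create_vendor", "approve_payment")}

# Assumed risk tiers and review cadence in days (monthly for high risk, yearly otherwise).
APP_RISK = {"payments": "high", "ehr": "high", "wiki": "standard"}
CADENCE_DAYS = {"high": 30, "standard": 365}

# Constructed campaign context: today's date and when each app was last certified.
TODAY = date(2024, 5, 15)
LAST_CERTIFIED = {"payments": date(2024, 4, 1), "ehr": date(2024, 5, 10), "wiki": date(2023, 12, 1)}


def orphaned_accounts(entitlements, hr):
    """Entitlements held by identities that HR no longer lists as active (leavers)."""
    return sorted({e for e in entitlements if not hr.get(e[0], {}).get("active", False)})


def sod_conflicts(entitlements):
    """Identities holding both halves of a toxic combination within one application."""
    held = defaultdict(set)
    for who, app, ent in entitlements:
        held[(who, app)].add(ent)
    return sorted((who, app, a, b)
                  for (who, app), ents in held.items()
                  for rule_app, a, b in SOD_RULES
                  if app == rule_app and {a, b} <= ents)


def stale_entitlements(entitlements, last_used, today, max_idle_days=90):
    """Usage-based finding: entitlements never used or unused for longer than max_idle_days."""
    stale = []
    for key in entitlements:
        used = last_used.get(key)
        if used is None or (today - used).days > max_idle_days:
            stale.append(key)
    return sorted(stale)


def mover_triggers(entitlements, hr):
    """Trigger-based finding: entitlements of identities whose department changed."""
    return sorted({e for e in entitlements if hr[e[0]]["dept"] != hr[e[0]]["prev_dept"]})


def due_apps(last_certified, today):
    """Applications whose risk-tier cadence has elapsed since the last certification."""
    return sorted(app for app, tier in APP_RISK.items()
                  if last_certified.get(app) is None
                  or (today - last_certified[app]).days >= CADENCE_DAYS[tier])


def build_campaign(today=TODAY, last_certified=LAST_CERTIFIED):
    """Assemble the review items an application owner would receive."""
    return {
        "orphaned": orphaned_accounts(ENTITLEMENTS, HR),
        "sod":      sod_conflicts(ENTITLEMENTS),
        "stale":    stale_entitlements(ENTITLEMENTS, LAST_USED, today),
        "movers":   mover_triggers(ENTITLEMENTS, HR),
        "apps_due": due_apps(last_certified, today),
    }


if __name__ == "__main__":
    for section, items in build_campaign().items():
        print(section, items)
```

Each finding maps to one of the certification types named above: orphaned accounts and SOD conflicts come from the entitlement export alone, stale entitlements need the usage feed, movers need the HR delta, and the cadence check decides which applications are pulled into this month's campaign rather than waiting for the annual review. In practice the three inputs would come from the HR system, the target application's entitlement export and its access logs.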
Companies do realize the business value of access certification. However, most of the commercial products, many of which are on the Gartner Magic Quadrant for IGA, are costly to acquire, require a third-party implementer, and are often very difficult to customize to meet all the certification needs of a company. This unfortunately drives organizations to perform manual certifications. Manual certifications are time-consuming, error-prone, and limited in scope. When it comes to compliance-oriented access certifications, organizations need to look at lightweight bolt-on products that give them a way to uphold the “Principle of Least Privilege” while being cost effective.