Ransomware and user access reviews
We have all seen it on the news. Ransomware is running rampant across America. We’ve seen it hit our core infrastructure. We’ve seen it hit our financial services industry. We’ve seen it hit our healthcare industry.
And it isn’t going to stop.
For those who are not familiar with ransomware, let me give you a very brief explanation. Ransomware is a form of malicious code that can be started or invoked through a variety of means, usually by a person clicking on a link or trying to open a document attached to an email or hosted on a malicious website. Once the ransomware is on your computer or your phone, it has a life of its own, and its only mission in life is to find data, encrypt it and hold it for ransom.
What is the correlation between a user access review and ransomware?
First of all, let me explain what a user access review is all about. A User Access Review, or UAR, is simply the process of ensuring that an end user has access to only the applications and data they should have access to. If access is no longer required, it is revoked or taken away.
So, how does this reduce a company’s risk from a ransomware attack?
Well, that all gets back to how we’ve seen access rights and permissions managed over the years. You know the story: an employee starts with an organization and is given certain permissions or rights to start. They then move to a different department (new rights), or maybe they have to support numerous departments (new rights) and need access to those departments’ applications and services as well. Each time that employee changes departments and/or changes roles in the organization, new rights are assigned so the employee can be productive. This happens for the entire tenure of the employee at the organization, accumulating access to systems all along the way. Those rights are rarely, if ever, removed.
If the particular user in our example above were to be impacted by ransomware, the impact on the organization would be significant compared to a user who had access only to the systems they absolutely needed.
User access reviews are one of the best risk reduction activities an organization can take to put itself in a better security posture. This benefit helps with scenarios like ransomware, or whatever the hack of the day is. By ensuring the user has access only to what they need, exposure is limited to that realm.
If user access reviews are run on a more frequent time frame, you can ensure that the risk is reduced more fully. Where we’d like to go as a community into the next decade is more along the lines of continuous compliance or zero trust: an employee has access to only what he or she requires, and no more, at any given moment.
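To make the accumulation problem and the review step concrete, here is an added example (not SecurEnds code) over constructed sample data: a hypothetical role-to-entitlement baseline, a user who has moved between departments and picked up ad hoc grants along the way, and a review that flags everything the current role does not justify. The "blast radius" is simply the count of systems that malware running as that user could reach.

```python
"""Minimal user access review (UAR) over constructed sample data.
Role names, system names and the user are all hypothetical."""
from dataclasses import dataclass, field

# Constructed baseline: the access each role is supposed to need.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"hr_db", "payroll_share"},
    "sales_rep": {"crm", "sales_share"},
    "support_eng": {"ticketing", "customer_files"},
}

@dataclass
class User:
    name: str
    current_role: str
    granted: set = field(default_factory=set)  # everything ever granted

def move_role(user, new_role):
    """The mover pattern from the post: rights for the new role are added,
    rights from the old role are never removed."""
    user.current_role = new_role
    user.granted |= ROLE_ENTITLEMENTS[new_role]
    return user

def grant_adhoc(user, system):
    """Extra access handed out to support another department."""
    user.granted.add(system)
    return user

def review(user):
    """UAR: compare granted access with what the current role requires."""
    needed = ROLE_ENTITLEMENTS[user.current_role]
    return {"keep": user.granted & needed, "revoke": user.granted - needed}

def blast_radius(user):
    """Number of systems reachable if this account is compromised."""
    return len(user.granted)

def run_review(user):
    """Apply the revocations; return blast radius before and after."""
    before = blast_radius(user)
    user.granted -= review(user)["revoke"]
    return before, blast_radius(user)

if __name__ == "__main__":
    u = User("alice", "payroll_clerk", set(ROLE_ENTITLEMENTS["payroll_clerk"]))
    move_role(u, "sales_rep")
    move_role(u, "support_eng")
    grant_adhoc(u, "finance_share")
    print(review(u)["revoke"])  # the five systems the current role does not need
    print(run_review(u))        # (7, 2)
```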
Ironically, user access reviews are one of the items most organizations put off doing. It’s because it’s hard, and because in most cases it requires an enormous amount of manual effort. The manual process is so cumbersome and complex that it’s fraught with human error, which in turn undermines the value of the user access review itself.
So, back to ransomware and user access reviews. There’s a very strong correlation between an organization’s risk profile and whether it performs UARs: an organization that does not do them faces far greater potential damage if it is hit with an attack than one that does.
Is there any other reason to do UARs?
Yes, most of the time UARs are driven by compliance or regulatory obligations. Sometimes they are mandated by the industry the company falls into. For example, all publicly traded companies are required to perform SOX audits. All healthcare organizations are required to maintain HIPAA/HITRUST standards.
Financial services require PCI compliance, and so on. Whatever your data, whatever your crown jewels, protect them.
User access reviews are one of the best ways to protect your data and ensure that only the right people have access.
SecurEnds helps organizations with user access reviews. We help organizations by automating a very manual and complex process. We are a cloud-born, lightweight solution that can be deployed in days or weeks, not months or years. Redefining IAG through simplicity.
We are highly configuration-based rather than customization-based, which simply means you don’t have to write a lot of custom code with SecurEnds. You make selections in an options and configuration menu.
SecurEnds has approached the world of IGA from the doorway of UARs. Once through that doorway, provisioning, de-provisioning, access requests, SOD and a strong regulatory posture can all be accomplished to create a full ILM model.
If you’re interested in seeing how user access reviews could be automated in a manner that will change the entire security profile within your company, please reach out and we would be happy to discuss.