***Editor's Note: If you like this article, don't miss security expert Mike Rothman and ebizQ for this month's special roundtable on SOA Security trends.

The business risks associated with providing users access to information resources include a broad array of potentially damaging events that are caused or made possible by inadequate governance. Such events range from relatively minor policy and compliance violations to disastrous business losses such as the recent fiasco at Société Générale.

The demands of regulatory compliance are among the factors driving corporate IT and security managers to improve their access governance processes, but the issues are broader and deeper than the scope of any regulation.

With nearly every facet of large enterprise'operations now dependent on or supported by automated systems, risks related to unauthorized or inappropriate access can appear anywhere within an organization at any time and spread rapidly through the business. All it takes is a single person with the wrong access. The potential cost to the business in terms of lost revenue and increased expense or in damage to customer relationships as well as the loss of corporate brand and reputation is virtually unlimited.

While access-related risk cannot be entirely eliminated, it can be monitored, managed, and mitigated through a sound approach to governance.

When does access-related risk become unacceptable?

The foundation of any access risk management initiative should be adherence to the principle of least privileged access: legitimate users should have no more access than the minimum required to do their jobs. Unacceptable access risks begin to appear when this principle is violated, and they often result from one of four causes:

Entitlement inertia is the failure to remove previously issued entitlements once they are no longer necessary or appropriate.

Compliance myopia results from the mistaken assumption that compliance with access-related regulatory guidelines ensures adequate access risk management. Just because access rights meet regulatory guidelines does not mean that they are consistent with the rule of least privileged access and other access governance best practices.