***Editor's Note: If you like this article, don't miss security expert Mike Rothman and ebizQ for this month's
special roundtable on SOA
The business risks associated with providing users access to information resources
include a broad array of potentially damaging events that are caused or made
possible by inadequate governance. Such events range from relatively minor policy
and compliance violations to disastrous business losses such as the recent fiasco
at Société Générale.
The demands of regulatory compliance are among the factors driving corporate
IT and security managers to improve their access governance processes, but the
issues are broader and deeper than the scope of any regulation.
With nearly every facet of large enterprises' operations now dependent on or
supported by automated systems, risks related to unauthorized or inappropriate
access can appear anywhere within an organization at any time and spread rapidly
through the business. All it takes is a single person with the wrong access.
The potential cost to the business, whether as lost revenue, increased expense,
damaged customer relationships, or loss of corporate brand and reputation, is
virtually unlimited.
While access-related risk cannot be entirely eliminated, it can be monitored,
managed, and mitigated through a sound approach to governance.
When does access-related risk become unacceptable?
The foundation of any access risk management initiative should be adherence
to the principle of least privilege: legitimate users should have no
more access than the minimum required to do their jobs. Unacceptable access
risks begin to appear when this principle is violated, and such violations often
result from one of four causes:
Entitlement inertia is the failure to remove previously issued
entitlements once they are no longer necessary or appropriate.
Compliance myopia results from the mistaken assumption that compliance
with access-related regulatory guidelines ensures adequate access risk management.
Just because access rights meet regulatory guidelines does not mean that they
are consistent with the principle of least privilege and other access governance