Mark Ward from the BBC has published an interesting article concerning data theft and breaches; the PWC report it references also has some useful data on insider threats and the part that Access Control has to play. http://www.bbc.co.uk/news/technology-31164843
Controlling insider staff access is unsexy, but absolutely critical. As with the leak of celebrity images from iCloud (see our article on the Naked Ladies, which is giving us some interesting hits on our analytics!), I would always favour internal theft over external hack as an explanation.
It never fails to astonish us how big companies struggle with this. Of course, millions of access points need an analytic, big-data Identity and Access Management approach, because all the evidence suggests that just getting managers to work harder doesn’t work. At idax we’ve been preaching this approach for years now and are building a case history of dramatic governance improvements. The evidence suggests that supporting managers with analytics is clearly the way forward for IAM.
What the PWC report seems to suggest is that expecting your managers to spend their time – a scarce and expensive resource at the best of times – regularly reviewing the Access Rights of their staff may not actually be protecting you.
Our experience is that with the proliferation of technology – mobile, unstructured data, active directory – managers are rarely qualified to conduct full reviews and are too busy doing their “real” job. After all, they will generally have no incentive, time or point of reference to do the job justice.
Yes, a system of regular departmental reviews used to be enough for the Auditors, but increasingly they are also questioning the value of a process that seems to deliver more audit points than control.
The answer is one we’ve been promoting at idax for some time now:
- Use analytics to understand the geography of access – who has access to what.
- Use those same techniques to identify the access rights that present a low risk to the organisation, for lower-priority reviews.
- Support reviews of high risk items with contextual risk analysis that gives managers a sporting chance of making a good decision.
If this can also be coupled with decision support in real-time at the point in the process at which access rights are granted you can make a real contribution to reducing risk across the organisation rather than just ticking boxes.
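The three-step triage in the list above, sketched as an added example; it is not idax's code or method. It assumes that "low risk" can be approximated by how common an entitlement is within a user's peer group (here, the department), and the `triage` function, the 0.75 threshold and the sample grants are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (user, peer group, entitlement). Not from the article.
GRANTS = [
    ("alice", "finance", "ledger-read"),
    ("bob",   "finance", "ledger-read"),
    ("carol", "finance", "ledger-read"),
    ("dave",  "finance", "ledger-read"),
    ("dave",  "finance", "payments-approve"),
    ("dave",  "finance", "hr-share-write"),
    ("erin",  "hr",      "hr-share-write"),
    ("frank", "hr",      "hr-share-write"),
    ("frank", "hr",      "ledger-read"),
]

def triage(grants, low_risk_at=0.75):
    """Split grants into low- and high-priority review queues.

    Assumption: an entitlement held by at least `low_risk_at` of a user's
    peer group is routine for that group; anything rarer needs a closer look.
    """
    members = defaultdict(set)   # peer group -> users in it
    holders = defaultdict(set)   # (peer group, entitlement) -> users holding it
    for user, group, ent in grants:
        members[group].add(user)
        holders[(group, ent)].add(user)

    low, high = [], []
    for user, group, ent in grants:
        held, size = len(holders[(group, ent)]), len(members[group])
        item = {"user": user, "entitlement": ent,
                "peer_share": round(held / size, 2),
                # Context line a reviewing manager can act on.
                "context": f"{held} of {size} in {group} hold this"}
        (low if held / size >= low_risk_at else high).append(item)
    # Rarest access first, so the reviewer's time goes to the biggest outliers.
    high.sort(key=lambda i: (i["peer_share"], i["user"], i["entitlement"]))
    return low, high

if __name__ == "__main__":
    low, high = triage(GRANTS)
    print(f"{len(low)} low-priority grants, {len(high)} for detailed review")
    for item in high:
        print(f'  {item["user"]:6} {item["entitlement"]:17} {item["context"]}')
```

The same peer-share figure can be computed for a single requested grant before it is approved, which is one way to provide the point-of-grant decision support described above.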