Do we still need entitlement reviews?

This blog is based on an article that Mark wrote for SC Magazine. Read the original piece here.

The conversation around security often focuses on hackers getting in. We talk about phishing scams being on the rise, using topical issues such as COVID-19 to trick users into clicking fraudulent links, and other innovative tactics attackers use to access networks.

However, what happens when an attacker gets into your network? Too many employees can access data that they shouldn’t be able to, and this puts companies at huge risk, allowing attackers to access sensitive information.

Moreover, an estimated 90 percent of tech crimes are committed by employees, and most data breaches are simply about access and opportunity. 75 percent of employees say that they have access to data they shouldn’t, and 25 percent of employees would be willing to sell company data to a competitor for less than £6,000.

These stats are concerning. Whether malicious or not, insider threat is a huge problem in business that needs addressing. To a certain extent, entitlement reviews serve the purpose of lessening that threat. If access to sensitive information and data is only given to those who require it, the chances of that data leaking out of the company lower significantly.

Despite this, entitlement reviews are a dreaded task for many managers. Typically completed manually, they can be time-consuming, thankless, and often prone to errors, with little demonstrable benefit. As a result, managers and businesses frequently question the necessity of entitlement reviews.

They can be viewed as a waste of valuable time, and even outsourcing the task can quickly become very expensive and slow when completed manually. After all, not every company will suffer the misfortune of being hacked. Realistically, the chances are low, but if and when data is leaked, there are major consequences and heavy prices to pay.

The wrong question

A lack of regular entitlement reviews, performed properly, will put businesses at a much higher risk of a wide range of potential problems, not to mention risking non-compliance with regulation. For example, former employees could potentially gain remote access to the company network and email system, the system could be compromised through the use of vendor passwords that never expire, there could be a misuse of dormant administrative accounts that are still active, or employees that move departments might keep their old privileges. Quite simply, if you perform entitlement reviews regularly, you’re more protected from these risks than if not.

Maybe we are asking the wrong question when we wonder whether we still need entitlement reviews. At the end of the day, they clearly play an important role in protecting sensitive information. However, manually performing the task is often at the bottom of every manager’s list.

Instead of asking whether we even need them any more, we should be thinking about how we can make them easier and more effective.

How can we make the process quicker and easier?

Managers shouldn’t have to trawl through countless files to help protect their business from insider threat, sifting through spreadsheets figuring out who wrongly has access to what data.

Any company that needs cyber-security (arguably every company on the planet, considering how digitally reliant we are today) needs entitlement reviews in some form. That’s a lot of potential man hours.

But businesses no longer need managers to spend countless hours reviewing each individual’s access to data; it’s all available through technology. Idax’s solution instantly analyses access rights across your organisation and provides insights into which employees have unusual rights compared to their peers – effectively performing the entitlement review for you, within minutes.

Our solution puts the user experience first, a significant change from hours of poring over spreadsheets, reviewing every access right your employees have. Our intuitive user interface makes it easy and convenient to engage with the process, ultimately making the results more reliable.

There really is no excuse for companies to be avoiding entitlement reviews, potentially exposing themselves to massive consequences as a result. We do still need entitlement reviews, but they’re much easier to complete today than ever before.

Machine Learning – is Amazon the answer?

A really great insight from Travis Greene on the launch of AWS Machine Learning cloud service and the impact it may have on IT Security.

I agree wholeheartedly with his commentary, but here are a few additional insights from work with our clients in the identity and access management space and the world of analytics. @idaxsoftware.


Data Theft, Breaches – IAM

Data theft, breaches and what that has to do with IAM

Mark Ward from the BBC has published an interesting article concerning data theft and breaches. The PWC report it references also has some useful data on insider threats and the part that Access Control has to play.

Controlling insider staff access is unsexy, but absolutely critical. As with the leak of celebrity images from iCloud (see our article on the Naked Ladies, which is giving us some interesting hits on our analytics!), I would always favour internal theft over an external hack as an explanation.

It never fails to astonish us how big companies struggle with this. Of course, millions of access points need an analytic, big data, Identity and Access Management approach, because all the evidence suggests that just getting managers to work harder doesn’t work. At idax we’ve been preaching this approach for years now and are building a case history of dramatic governance improvements. The evidence suggests that managers supported by analytics are clearly the way forward for IAM.

What the PWC report seems to suggest is that expecting your managers to spend their time – a scarce and expensive resource at the best of times – regularly reviewing the Access Rights of their staff may not actually be protecting you.

Our experience is that with the proliferation of technology – mobile, unstructured data, active directory – managers are rarely qualified to conduct full reviews and are too busy doing their “real” job. After all, they will generally have no incentive, time or point of reference to do the job justice.

Yes, a system of regular departmental reviews used to be enough for the Auditors, but increasingly they are also questioning the value of a process that seems to deliver more audit points than control.

The answer is one we’ve been promoting at idax for some time now:

  • Use analytics to understand the geography of access – who has access to what.
  • Use those same techniques to identify the access rights that present a low risk to the organisation, for lower priority reviews.
  • Support reviews of high risk items with contextual risk analysis that gives managers a sporting chance of making a good decision.

If this can also be coupled with real-time decision support at the point in the process at which access rights are granted, you can make a real contribution to reducing risk across the organisation rather than just ticking boxes.

Predictive Analytics: JPMorgan


Predictive Analytics: JPMorgan rolls out a program to identify rogue employees before they go astray.

A really interesting article on Bloomberg about how JPMorgan are using predictive analytics to identify outliers in their trading organisation:

“JPMorgan Chase & Co., which has racked up more than $36 billion in legal bills since the financial crisis, is rolling out a program to identify rogue employees before they go astray”

It looks like they’re taking many inputs, comparing them to known patterns of rogue activity by back-testing to determine what activity is significant, and then using that to predict future behaviour. At idax we’re working with a number of the big banks and I know of at least two other organisations that are doing something very similar, so no surprises there given the size of the fines.

However, this raises a couple of questions in my mind. Firstly, to what degree are these tests successful? We all know that the problem tends to be false positives – you can find the outliers, but you find ten times as many other people too. Which begs the question: is the major benefit of these exercises PR, or can you really find the bad guys? I guess we’ll find out.

But secondly, I’m guessing that they’re using a learning algorithm where you improve over time by adding more data and more business intelligence, referred to as “supervised” learning. It’s very effective but tends to be quite high maintenance. What we use at idax is “unsupervised” learning, where you need no business knowledge and no back-testing data. The advantages are: it’s much quicker to set up – hours rather than weeks; you get results straight away; there’s loads of high quality actionable information; and for access control, it doesn’t cost the earth.
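The peer comparison described across these posts (map who has access to what, deprioritise rights that are common among a user’s peers, and send the rare or privileged ones to review with context), as an added example that is not idax’s software: the department names, entitlement strings and the PRIVILEGED list are assumptions, and the assignments are constructed sample data.

```python
from collections import defaultdict

# Constructed sample (not real data): (user, department, entitlement) triples.
ASSIGNMENTS = [
    ("alice", "finance", "erp_ledger_read"), ("alice", "finance", "erp_ledger_post"),
    ("bob", "finance", "erp_ledger_read"), ("bob", "finance", "erp_ledger_post"),
    ("carol", "finance", "erp_ledger_read"), ("carol", "finance", "erp_ledger_post"),
    ("carol", "finance", "ad_domain_admin"),    # no finance peer holds this
    ("dave", "finance", "erp_ledger_read"),
    ("dave", "finance", "hr_payroll_export"),   # looks like a mover who kept HR rights
    ("erin", "hr", "hr_payroll_export"), ("erin", "hr", "hr_records_read"),
    ("frank", "hr", "hr_records_read"),
    ("gina", "hr", "hr_payroll_export"), ("gina", "hr", "hr_records_read"),
]
# Assumed list of rights that always go to review, however common they are.
PRIVILEGED = {"ad_domain_admin"}

def access_map(assignments):
    """The geography of access: {department: {user: set(entitlements)}}."""
    dept_users = defaultdict(lambda: defaultdict(set))
    for user, dept, ent in assignments:
        dept_users[dept][user].add(ent)
    return dept_users

def triage(assignments, common_threshold=0.5, privileged=PRIVILEGED):
    """Unsupervised peer comparison (no training data): a right held by at least
    common_threshold of departmental peers is low priority; rarer or privileged
    rights go to review with the context a manager needs to decide."""
    low, review = [], []
    for dept, users in access_map(assignments).items():
        for user, ents in users.items():
            peers = [e for u, e in users.items() if u != user]
            for ent in sorted(ents):
                holders = sum(ent in e for e in peers)
                item = {"user": user, "dept": dept, "entitlement": ent,
                        "peers_with_right": holders, "peers": len(peers)}
                if ent in privileged:
                    item["reason"] = "privileged right"
                    review.append(item)
                elif peers and holders / len(peers) >= common_threshold:
                    low.append(item)
                else:  # rare among peers, or no peers at all to compare with
                    item["reason"] = f"only {holders}/{len(peers)} peers hold it"
                    review.append(item)
    return low, review

if __name__ == "__main__":
    for r in triage(ASSIGNMENTS)[1]:
        print(f"REVIEW {r['dept']}/{r['user']}: {r['entitlement']} ({r['reason']})")
```

Small departments give noisy peer groups (one colleague is a poor baseline), which is the false-positive problem the post raises; a production version would widen the peer set by role or location before comparing.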

NB: Bloomberg get a 9/10 from me on the article. Minus 1 for mentioning “Minority Report”. Can we please move beyond Tom Cruise.