Tom Olzak

Permissions Creep: The Bane of Tight Access Management

In Access Controls, Data Security, Insider risk, Risk Management on October 1, 2009 at 10:33

Organizational role changes are common.  People are promoted, move from one department to another, or responsibilities change for the roles they’re in.  The result over time, commonly known as permissions creep, is a bunch of user accounts for which least privilege and segregation of duties no longer apply.  The solution is a documented and aggressively followed job change process.

First, let’s look at the issue of job changes.  A job change process should use an authoritative source, such as your human resources system, to track role changes.  If you assign a job code to each employee based on his or her position, then this is pretty easy.  One approach is to compare a nightly extract, including employee ID and job code to the previous night’s run.  A difference in job code indicates a change in position.  If your HR system produces a report listing job changes, then you already have what you need.

For organizations with an automated provisioning system, the next step is easy.  Feed the changes to the provisioning server and let it do its thing.  Otherwise, hand it off to a system administrator for manual changes to directory services and all relevant applications.  Whether automated or manual, the process is the same.  For each affected account, remove all current access and replace it with the approved access for the new job role.  This assumes you’ve defined access by application, AD group, etc. for each job code.  If you haven’t, this is a big job so you’d better get started…

Some admins might simply reverse access based on the original role.  This is not effective, especially for an employee who’s been around a few years.  Exceptions to base access settings may have been added over time as the employee’s manager added additional responsibilities not commonly given.  Changing responsibilities causes problems, particularly when an employee’s job never changes and the job change process isn’t invoked.

If you have employees who have worked for your organization for many years, especially those who demonstrate the ability to perform a wide variety of tasks, they have probably been given special permissions in addition to those approved for their organizational role.  These exceptions were likely approved by a data owner and are on file for the auditors.  So far, so good.  However, the dynamic nature of business inevitably shifts these responsibilities around, removing the need for access but not the actual access itself. 

Dealing with permissions creep caused by variable responsibilities over time requires actual reviews of employee access.  Schedule periodic reviews by data owners, managers, etc.  Use the results of these reviews to adjust access to reflect employee job responsibilities today.

Finally, there is the question of location.  For non-healthcare organizations (HIPAA free), this might not be a problem.  However, when you have to manage patient information visibility based on role and location, access reviews take on an additional dimension.  Make sure reviews and job changes take into account where the employee is working and adjust need-to-know controls accordingly.

Managing permissions creep isn’t exciting, but it is a necessary part of securing information assets.

%d bloggers like this: