The core of your organization's security stance is built on a massive number of individual permissions to both on-premises and cloud-based resources. With the increase in cyberattacks, the concern around insider threats, and the growing number of compliance mandates centered on the security of various types of data, it seems like permissions should be a primary focus for most IT organizations.
And yet, it’s just not the case. IT is certainly installing layered security solutions, establishing new policies and processes, and thinking about IT security in terms of both compliance and governance. But, somehow, amid this, IT isn’t concerned about whether the basis for all this security—the permissions assigned—is even correct in the first place.
So, why isn't IT managing permissions? Truly managing them, that is: performing periodic mandated reviews of every assignment, meeting with department heads or line-of-business owners to validate both the permissions and the accounts they're assigned to, and attesting that specific assignments are necessary for business operations. It just doesn't happen much these days.
There are three fundamental reasons why IT organizations aren’t managing permissions on an ongoing basis. Do any of these sound familiar?
- IT has "permissions are static" thinking – Permissions don't change, right? That depends on the basis for the assignment in the first place. Roll the clock back even five or 10 years, and IT was very much thinking "technology first," meaning IT decided what access was necessary and made the assignment. But today's IT is slowly but surely realizing it needs to ask the business what permissions are needed and make the necessary changes. It is possible for the SharePoint permissions assigned 10 years ago for an earlier version of SharePoint to still be sufficient today, but that's not the point, is it? IT is assuming the permissions haven't needed to change over time, rather than validating that this is true.
- It's (literally) the last thing you want to do – Reviewing, validating, modifying, and assigning permissions sounds like a lot of monotonous and boring work. Without an access rights management solution in place, we're talking about weeks of time spent manually collecting every assignment. And even after the manual work, most of us would agree that a good number of permissions were probably still missed.
- It doesn't seem important – You'll note the use of the word "seem." As long as permissions are 100% correct, they're not important (as they're doing the job and securing the organization). But if you consider that the needs of organizations have changed over time, as have the applications used, the security concerns, and the compliance mandates, it's far more likely that permissions are, in fact, not correct and are, therefore, of the utmost importance. After all, if permissions aren't correct, neither are your assumptions about the organization's risk, its security stance, and its adherence to compliance. And, to be fair, if you're not looking at permissions at all (which is the premise of this post), you can't possibly know whether they are or aren't correct.
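The "collect every assignment" step described above is the part that can be scripted, even without an access rights management product. The following is an added example written for this page, not code from the original post or from any product it mentions. It walks a file share, records every explicit (non-inherited) NTFS permission entry into a CSV with empty owner/decision columns for the review meeting, and flags the entries that usually merit attention first: write-capable rights held by broad groups such as Everyone or Domain Users, unresolved SIDs left behind by deleted accounts, and Deny entries. The share path `\\fileserver01\finance` and the output file name are assumptions; replace them with your own.

```powershell
<#
  Added example (not from the original post or its vendor): inventory explicit NTFS
  permission assignments under a share so a data owner can review and attest them.
  Assumptions (hypothetical): the share path below, and that the caller can read
  ACLs on every folder. Requires Windows PowerShell 5.0+ or PowerShell 7 (-Depth).
#>
param(
    [string]$Root   = '\\fileserver01\finance',   # assumed share; replace with yours
    [string]$Report = ".\permission-review-$(Get-Date -Format 'yyyyMMdd').csv",
    [int]$Depth     = 4                            # folders below this are usually all inherited
)

# Principals that amount to "anyone with a login"; write rights for them need a business reason.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', '*\Domain Users')

# Any of these bits lets the holder change data, or change the ACL itself.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-BroadPrincipal([string]$Identity) {
    foreach ($p in $BroadPrincipals) { if ($Identity -like $p) { return $true } }
    return $false
}

function Get-ExplicitAceReport([string]$Path, [int]$MaxDepth) {
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($folder.FullName): $_"; continue }

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }          # only entries someone deliberately assigned here
            $identity  = $ace.IdentityReference.Value
            $orphanSid = $identity -match '^S-1-\d+(-\d+)+$'   # unresolvable SID: the account was deleted
            $writes    = ($ace.FileSystemRights -band $WriteMask) -ne 0

            $flags = @()
            if ($orphanSid)                                   { $flags += 'ORPHANED-SID' }
            if ($writes -and (Test-BroadPrincipal $identity)) { $flags += 'BROAD-WRITE' }
            if ($ace.AccessControlType -eq 'Deny')            { $flags += 'DENY' }

            [pscustomobject]@{
                Path          = $folder.FullName
                Identity      = $identity
                Type          = $ace.AccessControlType
                Rights        = $ace.FileSystemRights.ToString()
                AppliesTo     = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                Flags         = ($flags -join ';')
                BusinessOwner = ''     # filled in during the review with the data owner
                Decision      = ''     # Keep / Reduce / Remove
                ReviewedOn    = ''
            }
        }
    }
}

$rows = Get-ExplicitAceReport -Path $Root -MaxDepth $Depth
$rows | Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8

# Console summary so the flagged entries can be triaged first.
'{0} explicit assignments on {1} folders written to {2}' -f $rows.Count, ($rows.Path | Sort-Object -Unique).Count, $Report
$rows | Where-Object Flags | Sort-Object Flags, Path | Format-Table Path, Identity, Rights, Flags -AutoSize
```

Two caveats a practitioner would want: the script reports assignments, not effective access, so a user who holds rights only through nested group membership will not appear by name, and group expansion (for example with the ActiveDirectory module) is a separate step. Second, a clean report is only a snapshot; re-running it on a schedule and diffing the CSVs is what turns a one-off cleanup into the ongoing review the post is arguing for.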
So, why aren’t permissions being managed in your organization?
It may be one or more of the reasons above, or maybe it’s just too overwhelming a task to take on, so it gets put off for some point in the future. Truthfully, the task may require a third-party solution to manage access rights to get it done accurately and in a timely fashion.
Regardless of the reasons, it’s necessary to manage permissions as a daily function of IT. Without doing so, IT’s work around security and compliance is based on an insecure foundation. So, it’s time to make it a top priority and look for ways to incorporate good permissions management practices into every aspect of IT.
For more detail on how the mismanaging of permissions affects the organization’s ability to fend off cyberattack, and what to do about it, read the whitepaper Mismanaged Rights: A Cyberattacker’s Greatest Ally.