Inefficiencies in User Access Request Management
Why IDM doesn’t protect your ERP
The 4 threats to your ERP posed by inefficiencies in user access request management
This five-part blog series will discuss why IDM is not enough to protect your ERP system. This series will explore the following:
The threats to your ERP posed by user access request management
Top challenges with current IAM tools
Risk-based approach for application access governance
Policy-based identity governance and administration
Access control capabilities & access governance options
In part one we will discuss the four threats to your ERP that user access request management poses. These four threats center around various types of user accounts and privileges: Orphan accounts, rogue accounts, entitlement creep, and privileged user accounts.
Data is the New Oil
Data is considered the new oil, and threats to your company's most valuable asset are materializing daily. The number of identity and access management threats your business is facing is growing at an alarming rate. There are several IAM tools and solutions on the market that help respond to these threats. However, the question you should be asking is, is IAM a robust enough solution to deal with them?
Orphan accounts (or orphaned accounts) are user accounts that stay open with access permissions even though they aren't used or needed. These accounts no longer have a valid business owner. Ideally, your organization has a clear provisioning and de-provisioning process to manage user access, ensuring no orphan accounts exist, but in the real world, access management can sometimes lag behind bad actors.
It doesn't take much effort for a malicious actor to find orphan accounts to target and use to gain access to your company, as no one is actively monitoring these accounts. They typically arise when someone leaves the company or moves to a different job role. However, contractors, suppliers, and consultants also pose a threat, as they are often not deprovisioned in a timely manner. Without efficient automated processes and controls, it's a real challenge to know who has access to what and, more importantly, what they are doing with that access. Leaving accounts open increases your threat surface, which can lead to a breach.
A rogue account is an account created beyond the control of your provisioning system. Bad actors typically create these accounts after targeting employees with phishing, spoofing, and other scams to steal company information and do damage. This stolen information can be used to access business systems, which in turn can lead to a data breach. The most targeted users for these scams are employees with administrative access to business systems and databases. Admin accounts offer the best information to bad actors because these accounts typically grant access to other users in the system. Once cybercriminals, bad actors, and unauthorized users gain access to these accounts, they can grant themselves access to the keys of the kingdom.
Entitlement creep occurs when individuals accumulate unnecessary permissions and access to your applications, databases, and services over time. For example, an employee working with the same company for five or six years will likely have access to various applications. Over time they may no longer use or need certain access as they shift between roles and departments. Entitlement creep increases security risks in two different ways:
A user account with excessive access becomes compromised due to lost or stolen credentials. In that case, the excessive access privileges can provide the malicious actor with a larger attack surface to steal sensitive information or otherwise harm your network.
An employee with excessive access leaves your company under acrimonious circumstances. The employee could use such access to inflict harm on your systems.
Additionally, entitlement creep can cause compliance issues. In heavily regulated industries, users holding access to sensitive data that they shouldn't have can result in non-compliance. Compliance failures, when discovered, come with high costs and reputational damage.
Privileged user accounts provide administrative or specialized access to enterprise systems and sensitive data based on elevated levels of permissions. Privileged user accounts should not be confused with privileged users.
Privileged users are often IT team members and are typically system administrators responsible for managing an environment or an IT administrator of specific software or hardware. They need elevated privileges to:
Install system hardware/software
Reset passwords for others
Access sensitive data
Make changes in IT infrastructure systems
Log into all machines in an environment
Privileged user accounts (also called service accounts) aren't directly associated with a user. These accounts are used to enable servers, databases, and applications across the network to communicate with each other securely.
Examples of privileged user accounts are:
Accounts that run and manage Windows applications, services, and scheduled tasks
IIS application pools (.NET applications)
Networking equipment accounts that give access to firewalls, routers, and switches
Service accounts like these can be more challenging to discover and secure because they don't have a unique privileged user responsible for them. If your privilege management strategy only focuses on privileged user accounts, you will miss the riskiest types of accounts.
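The four account conditions described above (orphan accounts, rogue accounts, entitlement creep, and unowned service accounts) can all be surfaced by reconciling three sources of record: the HR roster, the list of accounts the provisioning system knows it created, and the accounts and entitlements actually present in the ERP. The script below is an added illustration, not code from the original post or from any IAM product; the HR roster, the provisioned-account list, the role baseline, the account names, the entitlement codes, and the 90-day staleness threshold are all constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed sample data (hypothetical; not taken from the original post) ---

# HR system of record: employee id -> (employment status, current role)
HR_ROSTER = {
    "e100": ("active", "ap_clerk"),
    "e101": ("terminated", "controller"),   # left the company, account still open
    "e102": ("active", "ap_clerk"),         # moved from purchasing to AP last year
}

# Accounts the provisioning (IDM) system has a record of creating in the ERP
PROVISIONED = {"alice", "bob", "carol", "svc_batch"}

# Approved entitlement baseline per role (what the role legitimately needs)
ROLE_BASELINE = {
    "ap_clerk": {"AP_ENTER_INVOICE", "AP_VIEW_VENDOR"},
    "controller": {"GL_POST", "GL_CLOSE_PERIOD", "AP_VIEW_VENDOR"},
}

TODAY = date(2024, 6, 1)
STALE_AFTER = timedelta(days=90)   # entitlement unused this long is treated as creep


@dataclass
class Account:
    name: str
    owner: Optional[str]                        # employee id, or None if nobody is on record
    entitlements: Dict[str, Optional[date]]     # entitlement -> date last exercised (None = never)
    is_service: bool = False                    # service accounts have no role, so no baseline check


# What the ERP itself reports (constructed)
ERP_ACCOUNTS = [
    Account("alice", "e100", {"AP_ENTER_INVOICE": date(2024, 5, 30), "AP_VIEW_VENDOR": date(2024, 5, 28)}),
    Account("bob", "e101", {"GL_POST": date(2024, 1, 10), "GL_CLOSE_PERIOD": date(2024, 1, 10)}),
    Account("carol", "e102", {"AP_ENTER_INVOICE": date(2024, 5, 31),
                              "AP_VIEW_VENDOR": date(2024, 1, 15),     # granted, but unused since January
                              "PO_APPROVE": date(2023, 11, 2)}),       # leftover from the purchasing role
    Account("dave", "e103", {"AP_VIEW_VENDOR": date(2024, 5, 29)}),   # unknown to HR and to provisioning
    Account("svc_batch", "e100", {"GL_POST": date(2024, 5, 31)}, is_service=True),
    Account("svc_report", None, {"GL_POST": None}, is_service=True),  # nobody owns it, never provisioned
]

Finding = Tuple[str, str, str]   # (account, category, reason)


def review_access(accounts: List[Account], hr: Dict[str, Tuple[str, str]], provisioned: Set[str],
                  baseline: Dict[str, Set[str]], today: date = TODAY,
                  stale_after: timedelta = STALE_AFTER) -> List[Finding]:
    """Reconcile ERP accounts against HR, provisioning records and the role baseline."""
    findings: List[Finding] = []
    for acct in accounts:
        # Rogue: the ERP has the account but the provisioning system never created it.
        if acct.name not in provisioned:
            findings.append((acct.name, "rogue", "present in ERP but absent from provisioning records"))

        # Orphan / unowned: no responsible owner, or owner no longer active in HR.
        if acct.owner is None:
            category = "unowned_service_account" if acct.is_service else "orphan"
            findings.append((acct.name, category, "no responsible owner on record"))
            continue
        record = hr.get(acct.owner)
        if record is None or record[0] != "active":
            findings.append((acct.name, "orphan", f"owner {acct.owner} is missing from HR or not active"))
            continue   # remaining checks assume a valid, active owner

        # Entitlement creep: access outside the current role's baseline, or access nobody uses.
        allowed = set() if acct.is_service else baseline.get(record[1], set())
        for ent, last_used in acct.entitlements.items():
            if not acct.is_service and ent not in allowed:
                findings.append((acct.name, "entitlement_creep", f"{ent} is outside the {record[1]} baseline"))
            elif last_used is None or today - last_used > stale_after:
                findings.append((acct.name, "entitlement_creep", f"{ent} unused for more than {stale_after.days} days"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. for an access-review dashboard."""
    return dict(Counter(category for _, category, _ in findings))


if __name__ == "__main__":
    results = review_access(ERP_ACCOUNTS, HR_ROSTER, PROVISIONED, ROLE_BASELINE)
    for account, category, reason in results:
        print(f"{account:12} {category:24} {reason}")
    print(summarize(results))
```

In a real environment each of the three inputs would be pulled from its system of record on a schedule (HR feed, the IDM provisioning log, and the ERP's own user and authorization tables), and the role baseline would be the approved role model rather than a hand-written dictionary. The checks run in that order deliberately: a rogue account is reported before the owner lookup, an orphan is reported instead of its entitlement detail because the fix is de-provisioning rather than entitlement trimming, and service accounts are checked for an owner and for stale use but not against a human role.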
Organizations today are tasked with supporting numerous devices, applications, and systems with key access to data. Security teams struggle to keep up with the complexity of providing correct access in a timely, reliable manner. Managers or application owners often find themselves rubber-stamping approvals or copying the access of an existing user because of the extensive time and resources required to review manual requests. Mitigating identity and access management risks requires an innovative, automated solution that makes the process of user access requests and approvals easy to complete and adopt across your business.