The Risk of Not Knowing

“The uncertainty of not knowing what risks exist is far worse than being aware of them, and thus being able to mitigate them”

By Marius Agenbag, Managing Director, Ubusha Technologies

When it comes to the security risks facing your business, the only thing worse than being conscious of the numerous risks that exist is not having any idea what they are. In matters of identity governance, access governance and data governance in particular, the uncertainty of not knowing what risks exist is far worse than being aware of them and thus being able to mitigate them.

Mitigating the security risks your business faces needs to be built on a clear understanding of each of these three aspects of information security. 

“Data governance is about classifying business information and then having a process in place to manage both the data and the individual’s access to it”

Identity governance can be defined as managing the electronic lifecycle of an individual within an organisation. Following on from this, access governance is about managing the access, both physical and logical, that such individual identities have within the organisation. This could encompass everything from physical access to the building through to the use of various applications and systems. Finally, data governance is about classifying business information and then having a process in place to manage both the data and the individual's access to it.

"Perhaps the most troubling aspect is that the usual answer to the majority of these questions is: 'I don't know'"

Once these definitions are understood, the organisation will need to ask a number of hard questions about the business environment, as well as its people, processes and systems. Moreover, it is vital to find ways to answer these questions, in order to begin minimising the risks the business faces. These questions include:

· Do you have a complete list of identities working in your business environment, including contractors and suppliers?

- Until you know exactly who operates within your environment, it is impossible to put measures in place to secure the business against critical risks.

· Do you know who has access to your critical systems and, more importantly, is there an audit trail that shows how they obtained that access and who approved it?

- It is crucial to be able to tie an electronic identity to a physical person, and this can only be done effectively if there is a proper audit trail.

· Do certain users hold a toxic combination of access rights?

- An example of a toxic combination would be a single user having both the ability to create beneficiaries and the ability to approve payments to those beneficiaries.

· Do you know whether the access users have to systems is still relevant, and whether that access has ever been reassessed?

- Whether it is employees moving from one department to another or employees and contractors who no longer work for the business, it is vital to know the answer to this question.

· Do you have critical data in your environment that is overexposed?

- While this would typically be unstructured data (file shares, SharePoint and the like) that newer legislation requires you to protect, there are many types of data that, if overexposed, could harm your organisation.

· How is your data being accessed and used?

- Understanding how employees in different departments use important data, and looking for deviations from that pattern, can serve as an early warning that something is amiss.

· How many service accounts do you have, and when were their credentials last changed?

- In most businesses, the same service account tends to exist as separate copies on several systems, and the passwords for such accounts have often not been changed in years.

Only once these questions can be answered completely will the true scope of a company’s security and governance risks come to light. Perhaps the most troubling aspect is that the usual answer to the majority of these questions is: ‘I don’t know’.

What is therefore required is for the relevant tools to be put in place to help provide the necessary answers. These tools, in turn, need to be implemented on a foundation of effective identity management. After all, successful security is ultimately built on an organisation's ability to tie a specific account name to a physical person, especially when it comes to access management.

Thus, it can safely be stated that identity governance is the platform upon which the other crucial aspects of governance are built, although successfully minimising the risks an organisation faces requires a combined solution: one that ensures that all three aspects of governance are dealt with effectively.

"Technology solutions exist that can help to enable effective governance"

The good news is that the technologies exist that can help to enable effective governance. Moreover, these technologies can be combined with established methodologies, such as the best practices used by advisory auditors, to deliver a security audit that is not only fast and effective but also easily repeatable. This, in turn, makes the process simpler, faster and much more cost effective.

Crucially, because the audit is technology-based, it can check the company's entire landscape, where auditors may only check a sample, and can produce a report detailing every aspect of access information, such as what accounts exist on what systems and when the passwords for those accounts were last changed. This provides definitive evidence of the risks a company faces and a holistic view of all the organisation's business systems.

“Move from mere risk definition to active risk detection, and finally to risk prevention”

This is, however, only the first step in mitigating such risks. Once the risks are known, it becomes possible to move from mere risk definition to active risk detection, and finally to risk prevention.

With regard to identity governance, such a roadmap could begin with determining who works for the organisation. It could then, via reporting, discover whether there are people no longer in the company's employ who still have access to its systems. Finally, it should lead to a risk prevention strategy that, for example, puts structures in place to ensure that the moment an employee's contract is terminated, their access is removed from all systems.

When it comes to access governance, the roadmap would move from knowing what access should exist and who should be allowed to use it, to having ways of determining whether the access that has been granted is being misused, to a risk prevention strategy that could, for example, stop an employee from requesting a toxic combination of access rights (a separation-of-duties violation) in the first place.
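The checks behind the questions above (orphaned accounts of leavers, toxic combinations, stale service-account passwords, access with no approval trail) and the reporting-then-prevention steps of the identity and access roadmap, as an added example that is not part of the original article or any vendor's product: a small Python audit over a constructed HR roster and account inventory. The identities, systems, entitlements, the 365-day service-password policy and the approver field are all assumptions made for illustration; in practice the roster would come from HR and the inventory from connectors into each system.

```python
"""Access-governance audit: orphaned accounts, toxic combinations, stale
service credentials and missing approvals, plus a pre-grant SoD check.
Added example with constructed data; not the article's or any vendor's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed HR roster (assumption: HR is the authoritative list of identities).
HR_ROSTER = {
    "alice": {"status": "active", "department": "finance"},
    "bob":   {"status": "terminated", "department": "it"},   # contractor who has left
    "carol": {"status": "active", "department": "payments"},
}


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    owner: Optional[str]          # HR identity behind the account; None = service account
    entitlements: frozenset
    password_changed: date
    approved_by: Optional[str]    # who approved the access; None = no audit trail


# Constructed account inventory, shaped like a per-system connector export.
ACCOUNTS = [
    Account("payments", "alice", "alice", frozenset({"create_beneficiary"}), date(2024, 1, 10), "cfo"),
    Account("payments", "carol", "carol", frozenset({"create_beneficiary", "approve_payment"}), date(2024, 3, 2), "cfo"),
    Account("vpn", "bob", "bob", frozenset({"remote_access"}), date(2023, 6, 1), None),
    Account("payments", "svc_batch", None, frozenset({"approve_payment"}), date(2019, 5, 20), "ops_lead"),
    Account("crm", "svc_batch", None, frozenset({"read_all"}), date(2021, 8, 1), None),
]

# Separation-of-duties rules: sets of entitlements one identity must never hold together.
TOXIC_COMBINATIONS = [frozenset({"create_beneficiary", "approve_payment"})]
SERVICE_PASSWORD_MAX_AGE = timedelta(days=365)  # assumed policy value


def orphaned_accounts(accounts, roster):
    """Accounts whose owner is not an active identity in HR (leavers or unknown people)."""
    return [(a.system, a.name) for a in accounts
            if a.owner is not None and roster.get(a.owner, {}).get("status") != "active"]


def entitlements_by_identity(accounts):
    """Aggregate rights per identity across all systems: a toxic pair may span two systems."""
    rights = {}
    for a in accounts:
        if a.owner is not None:
            rights.setdefault(a.owner, set()).update(a.entitlements)
    return rights


def toxic_holders(accounts, rules):
    """Identities whose combined rights contain a full toxic combination."""
    hits = []
    for identity, rights in sorted(entitlements_by_identity(accounts).items()):
        for rule in rules:
            if rule <= rights:
                hits.append((identity, tuple(sorted(rule))))
    return hits


def stale_service_accounts(accounts, today, max_age):
    """Service accounts whose password is older than policy, with its age in days."""
    return [(a.system, a.name, (today - a.password_changed).days) for a in accounts
            if a.owner is None and today - a.password_changed > max_age]


def service_account_spread(accounts):
    """How many systems each service account name exists on (copies that drift apart)."""
    spread = {}
    for a in accounts:
        if a.owner is None:
            spread[a.name] = spread.get(a.name, 0) + 1
    return spread


def missing_approval(accounts):
    """Accounts with no recorded approver: access that cannot be traced to a decision."""
    return [(a.system, a.name) for a in accounts if a.approved_by is None]


def would_create_toxic_combination(identity, requested, accounts, rules):
    """Prevention step: refuse a request that would complete a toxic combination."""
    current = entitlements_by_identity(accounts).get(identity, set())
    proposed = current | {requested}
    return any(rule <= proposed and not rule <= current for rule in rules)


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("orphaned:", orphaned_accounts(ACCOUNTS, HR_ROSTER))
    print("toxic:", toxic_holders(ACCOUNTS, TOXIC_COMBINATIONS))
    print("stale service accounts:", stale_service_accounts(ACCOUNTS, today, SERVICE_PASSWORD_MAX_AGE))
    print("service account spread:", service_account_spread(ACCOUNTS))
    print("no approval trail:", missing_approval(ACCOUNTS))
    print("alice -> approve_payment blocked:",
          would_create_toxic_combination("alice", "approve_payment", ACCOUNTS, TOXIC_COMBINATIONS))
```

The detection functions answer the "I don't know" questions from data the organisation already holds; the same entitlement aggregation then drives the prevention step, so a request is refused at the point it would complete a toxic pair rather than being found months later in a review. Note that rights are aggregated per identity across systems, because a separation-of-duties conflict is just as real when the two halves live in different applications.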

“Executives need to be aware that the security and governance industry has matured significantly in recent years and the technology spoken about above already exists and has a proven track record”

Finally, with data governance, the roadmap could include moving from learning whether any information is in breach of compliance legislation, to preventing access to this data, to finally being able to quarantine files that may have been stored in an insecure folder or application.

Ultimately, what this means is that executives need to be aware that the security and governance industry has matured significantly in recent years and the technology spoken about above already exists and has a proven track record.

This means that it is possible to achieve not only risk mitigation but ultimately risk prevention. As outlined already, the foundation lies in properly understanding what risks the business faces. Once the business moves from a position of 'not knowing' to one of 'knowing', it becomes a much simpler task to develop a strategy that will enable it to put in place the methodologies and technologies required to mitigate, and eventually prevent, such risks from occurring.