Tuesday, July 27

How to clean up years of permission bloat

Since joining NetVision a few years ago, I've spoken to countless organizations that are faced with clean-up duty. For years, administrators have granted permissions, added group memberships, created countless new security groups and delegated rights in Active Directory, and they have been mostly in a reactive mode. That is, they grant permissions in response to some member of the business asking for new rights. Unfortunately, business managers have had little motivation to request that permissions be revoked when they are no longer needed. So, in many cases, there are hundreds or thousands of security groups whose purpose and intended use nobody can explain. And a large share of the user population has access to files and folders it shouldn't.

In an ESJ article titled Coming Clean: Getting a Handle on Permissions and Group Memberships, NetVision CEO David Rowe discusses the challenge and explains how you can regain control over network access rights.

2 comments:

Unknown said...

I keep permission bloat from occurring because any access rights granted have an expiration associated. This forces audits to renew access grants, and creates a system that slowly decays 'closed' instead of 'open' if ignored.
This has saved us in some past SOX audits.

Unknown said...

This is not an unusual problem. Many organizations face the same issues of permissions that get out of date and out of hand. Over time it becomes more and more difficult to find what the justification for someone's access was.

The way some have chosen to deal with this problem in the past is through manual recertification of access on a periodic basis. To give an example, a business critical application is chosen, accounts are pulled into a spreadsheet and account owners are identified. Then someone, or a group of people, goes through the list and verifies that the access is still valid today. The group of people can be managers of account owners, or managers of a specific business area to which a group of accounts has access.

That was then. Now there are many products that make this process streamlined and repeatable. Have a look at Aveksa, Sailpoint, Tivoli Identity Manager and others. With Tivoli Identity Manager the recertification process plugs into an already established identity management lifecycle. Presumably one of the main problems, identification of account owners, their managers and the audit trail of that access, has already been addressed by the identity management product. At this point recerts are scheduled on a rolling basis for critical apps or critical access only within those apps. It is still a somewhat manual process, so getting buy-in to do these recerts is another challenge.
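The two comments above describe complementary mechanisms: grants that carry an expiry date and lapse unless renewed (the first comment), and a periodic recertification pass in which each manager reviews the accounts they are accountable for (the second). The following is an added example, not code from NetVision, Tivoli Identity Manager or any other product named on the page. It models both mechanisms in one small access register: the users, managers, resource names and grant dates are constructed sample data, and the 90-day lifetime and 30-day review window are assumed policy values. The point it makes is the fail-closed one: a grant that a manager never answers for, or whose owner cannot be identified, stops working on its own instead of lingering for years.

```python
"""Toy access register with time-limited grants and manager recertification.

Added example; not the code of any product mentioned on the page.
All names, dates and resources below are constructed sample data.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed org chart (user -> manager). 'frank' deliberately has no
# manager on file, which is the "who owns this account?" problem the
# second comment mentions.
MANAGER = {"alice": "carol", "bob": "carol", "dave": "erin"}
UNOWNED = "<no manager on file>"

GRANT_TTL_DAYS = 90      # assumed policy: every grant lives 90 days unless renewed
REVIEW_WINDOW_DAYS = 30  # assumed policy: review grants expiring within 30 days


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str        # an AD security group, share, or application role
    granted: date
    expires: date
    justification: str

    def is_active(self, today: date) -> bool:
        # Fail closed: nothing here ever extends a grant implicitly.
        return today <= self.expires


def new_grant(user, resource, today, justification, ttl_days=GRANT_TTL_DAYS):
    return Grant(user, resource, today, today + timedelta(days=ttl_days), justification)


# Constructed sample register as of TODAY. 'bob' already lapsed in May.
TODAY = date(2010, 7, 27)
SAMPLE_GRANTS = [
    Grant("alice", "FS-Finance-RW", date(2010, 5, 1), date(2010, 7, 30), "month-end close"),
    Grant("alice", "SG-Payroll-Approvers", date(2010, 5, 17), date(2010, 8, 15), "covering for manager"),
    Grant("bob", "FS-Finance-RW", date(2010, 2, 1), date(2010, 5, 2), "project cutover"),
    Grant("dave", "SG-VPN-Users", date(2010, 7, 1), date(2010, 9, 29), "remote work"),
    Grant("frank", "SG-Legacy-AppAdmins", date(2010, 6, 1), date(2010, 8, 1), "(none recorded)"),
]


def active_grants(grants, today):
    """Grants that still confer access on the given day."""
    return [g for g in grants if g.is_active(today)]


def recert_worklist(grants, today, window_days=REVIEW_WINDOW_DAYS):
    """The 'spreadsheet' of the manual process: grants expiring within the
    window, grouped by the manager who must approve or reject each one.
    Grants whose owner has no manager land in the UNOWNED bucket so they
    are visible rather than silently skipped."""
    deadline = today + timedelta(days=window_days)
    worklist = {}
    for g in grants:
        if g.is_active(today) and g.expires <= deadline:
            worklist.setdefault(MANAGER.get(g.user, UNOWNED), []).append(g)
    return worklist


def apply_decisions(grants, decisions, today, ttl_days=GRANT_TTL_DAYS):
    """decisions maps (user, resource) -> True/False.  Approved grants get a
    fresh expiry counted from today; rejected or unanswered ones are left
    alone and will lapse.  Returns a new list; the input is not mutated."""
    updated = []
    for g in grants:
        if decisions.get((g.user, g.resource), False):
            updated.append(replace(g, expires=today + timedelta(days=ttl_days)))
        else:
            updated.append(g)
    return updated


def simulate(grants, decisions, today, days_ahead):
    """Apply one recertification round today, then report which
    (user, resource) pairs are still active days_ahead later."""
    later = apply_decisions(grants, decisions, today)
    check_day = today + timedelta(days=days_ahead)
    return {(g.user, g.resource) for g in active_grants(later, check_day)}


if __name__ == "__main__":
    for mgr, items in recert_worklist(SAMPLE_GRANTS, TODAY).items():
        print(mgr)
        for g in items:
            print(f"  {g.user:6} {g.resource:22} expires {g.expires}  ({g.justification})")
    # carol approves one line and never answers the other; nobody owns frank.
    print(simulate(SAMPLE_GRANTS, {("alice", "FS-Finance-RW"): True}, TODAY, 31))
```

Run as-is, the worklist puts alice's two grants under carol and frank's under the unowned bucket; dave's grant is not due yet. After carol approves only the Finance share, the register 31 days later contains just alice's renewed Finance grant and dave's VPN membership: the unanswered payroll grant and the ownerless legacy-admin grant have expired without anyone having to find and revoke them.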