UBS did a lot of things right and this article isn’t to diminish their work in any way. Instead, it’s intended to illustrate why permissions need to be limited, and the risks associated with excessive spans of control need to be carefully considered.
Individuals are said to have “excessive permissions” when they have more rights on IT platforms than what is needed for them to achieve their business role. There are also risks with groups and system accounts having excessive rights. The point is that as the level of access increases, so do the risks to the organization if an account is compromised.
The need to avoid excessive permissions calls to mind the old security maxim about denying all rights and only allowing what is needed – a practice that can save untold time and money.
Three Scenarios to Avoid
There are three common scenarios in which excessive permissions are granted.
The first occurs when an organization is founded and there are only a handful of IT people, or even just one person. This small staff has to perform many roles in order to keep up with their daily work and to back one another up. One person might handle all of development, network management and user support. As more people are hired their rights mirror the people before them, and as time goes by everyone has a mix of authorities.
Second, some companies grant all of IT admin authority or give everyone high-level access, as it seems to be easier to set up an account one time and then avoid the management required to deal with restricted authorities.
The problem is that this mentality has a siren song of improved agility but incurs additional risks for the organization. In this situation, one must ask, “Are the associated risks acceptable?”
Third, some organizations have well thought out security policies, but when incidents happen, additional permissions are granted to a person to resolve the situation – but once the fire is out, access is not disabled afterward. This “permission creep” is very common since some organizations don't have the proper controls in place to ensure that rights are later removed. Also needed: An additional control to routinely review accounts, to ensure that the associated permissions are valid.
In all these cases, the rights that certain individuals have are greater than what they should be for risks to be managed appropriately. As with UBS, excessive rights can lead to malicious activity.
On a greater scale, there are also risks stemming from human error. When people are allowed permissions greater than what their skills and knowledge can support, a great deal of unintentional harm is possible.
Next Page: Happiness is a Double-Signed Check
Comment and Contribute
Digg
del.icio.us
Newsvine
Facebook
Google
LinkedIn
MySpace
Reddit
Slashdot
StumbleUpon
Technorati
Twitter
Windows Live
YahooBuzz
FriendFeed
One of the ways around the issues of security and control that make some businesses wary of cloud computing is to build a private cloud -- one that remains within the corporate firewall and is wholly controlled internally. Private clouds also increase the agility of IT an organization's IT infrastructure and make it easier to roll out new technology projects. Download this eBook to get the facts behind the private cloud and learn how your organization can get started.
