Entitlement management
Entitlement management is important not only for your security posture, it is also important for your compliance efforts for SOX and PCI.
The problem with entitlement management is of course to know who has access to what. You probably know who unless you have too broad of an access policy on your information. How would you know if you have to broad of an access? You need to scan for large user groups, and global groups. These groups should not be allowed for sensitive and highly sensitive information. Do you know all the instances within your organization of sensitive and highly sensitive information? You can of course use DLP to scan for these information types. The problem is of course that the DLP solutions do not map back to who had access when.
With these questions/problems, what are you to do?
One, you should scan all your information, and identify where you have highly sensitive and sensitive information.
When this has been identified, you need to keep a persistent classification of the information, so a classification solution must be deployed and implemented.
When you have applied the classification, you need to ensure that the large groups and or global groups do not have access to this information.
For information where you need to validate that users who should have access have access, and users who should not have access does not have access, custodians of the sensitive information are required to validate the users who has access. By forcing the validation at the lowest level possible, you can effectively address the biggest problem in organizations today, which is entitlement creep. Entitlement creep happens when employees move from one job to another, or the job changes over time, and access needs change with them. Most often, when this happens, the employee gets access to the new areas needed for their job, but the old entitlements are not removed. By clearly assigning custodianship at as low of a level as possible, this can be taken care of if the custodians are reminded periodically to validate who should have access, and that they are aware that they are also audited agaist their accountability
In other words, the full solution is to map your scanning of sensitive information to your identity management systems, as well as a classification and remediation solution
Thursday, February 07, 2008
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment