In the world of weekly headline data breaches and majore new privacy regulations such as CCPA, CCPR and GDRP – a question is: Who should be responsible and notified of access policy changes?
Access Policy Changes and Sensitive Data
For any organization dealing with sensitive information, such as healthcare or financial institutions, ensuring that the data does not end up in the wrong hands is a critical component of cybersecurity. Securing this information can be made easier by implementing regular access reviews. During an access review, all user access permissions are evaluated, ensuring that they can not access more information than they need to complete their duties.
However, before access reviews can take place, organizations must establish policies to determine exactly which types of users should be allowed access to resources and information. These access policies are high-level requirements that dictate how access permissions get managed. With role-based access control (RBAC) policies, users are given access permissions depending on their role within an organization to maintain the least privilege. As roles evolve, access permissions should as well to ensure that users do not have more access than they need. Plus with RBAC, application owners can update access permissions based on roles themselves, rather than for each individual user.
ISACA outlined a set of best practices for user access reviews which first defined (2) distinct set of users:
- Business users
- IT Users
An IT manager is best for reviewing who has access to the application. These duties include installation, management, data access and updates. These permissions proved very important in the latest SolarWinds attack.
But the biggest task of the user access review is the Business users – users who access the application for business reasons. This is not a simplistic requirement – since application users are often dispersed across multiple groups and regions. Thus delegation down to business-line, on the business side is often necessary.
Thus (2) set of managers are often recommended for review: A systems reviewer and business owners. To do this correctly is not a trivial task.
Regulations such as HIPAA and SOX require access reviews for organizations to maintain compliance. And failure to comply can result in steep fines for the organization affected by a data breach. For example, Premera Blue Cross (PBC) agreed to pay over $6 million to the Office of Civil Rights (OCR) as a result of a data breach that occurred in 2015. In their review, OCR found that PBC was systemically noncompliant with HIPAA policies, which lead to the extensive breach. This non-compliance included a violation in the requirement to “implement sufficient hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.”
The lack of effective controls allowed hackers to remain undetected in PBC’s systems for over 9 months, during which they had access to the protected health information of 10.4 million people, including bank account information, Social Security Numbers, and other personal information. As a result, PBC is required to create and implement a risk management plan, which access controls are required to be a part of. If PBC had an access review plan in place, they would likely have been able to identify accounts given too many access permissions, limiting the damage the hackers could have caused.
What’s the solution?
Tools that help organizations quantify and automate the review process for any access policy changes. YouAttest is exactly this type of tool.
YouAttest 2.0 enables an enterprise to:
- Have multiple Reviewers: Business and System Reviewers
- Integrated RBAC for access and reviews when access policy changes occur
- Automatic Delegation of Business Managers
- Auto-Scheduling of reviews
- Reminders and Status of reviews
- Automated triggers on changes on key account groups and applications
- Full Reports
With consistent access policy changes, proper access policies enforced by a tool like YouAttest, organizations can strengthen their cybersecurity to mitigate the risk of hackers gaining access to sensitive information. By implementing a comprehensive policy to manage user access, data is protected by granting access to only necessary users. Additionally, by maintaining compliance regulations, organizations are protected from incurring steep fines and damages to their reputation.
YouAttest can not only be a valuable part of both your audit toolset and your IT Security arsenal of detective weapons.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. YouAttest demonstrated how YouAttest can help identify PAM attacks in its Special Webinar on securing SSO and SAML.