The Colonial Pipeline hack, in the end, came down to poor access management. The hackers found their way into operational technology (OT) through a VPN password that had never been de-provisioned. A small error that cost millions.
The access provisioning lifecycle is a part of every organization’s access management policy. Whether it’s giving a new hire their email password or deciding which users get access to which servers, it’s a series of decisions, privileges, and, ultimately, risk that permeates organizations of all kinds and sizes. How to manage that access, however, is more complicated than just assigning a login or removing access.
It’s complex, involves multiple parties, and if not managed properly, can result in a devastating breach that shuts down gas lines across the southeast United States, costly fines, or the loss of valuable assets and sensitive information.
What is the Access Provisioning Lifecycle?
The access provisioning lifecycle is the process, or cycle, of granting and denying access rights to specific users for specific access points and assets. Internally, this kind of access provisioning is often handled by an HR department, and access is changed depending on a job role.
A new hire would automatically, through HR, be provisioned access to what they needed for their job. If their role changed, or they left the organization, that access would change or be de-provisioned as well. Building out this user access provisioning policy is a crucial part of access governance.
Who is Responsible for Access Provisioning?
For internal users, best practice dictates that user access provisioning is based on job duties and roles and is closely linked to HR to better manage user access. Access provisioning can be automated or done manually, but there needs to be oversight to prevent access creep, improper access, or, as in the case of the Colonial Pipeline hack, a lack of de-provisioning that leads to a breach.
For vendor identity management or third-party access rights, the access provisioning process looks different and carries with it the most risk. Third-party access is usually temporary in nature, and because those users are external, there’s no HR system in place to monitor or automate access.
There are a variety of solutions to this problem, but it should be noted that third-party access is the greatest point of risk for an organization, and 51% of breaches come from third parties.
Dangers of Poorly Controlled Access Provisioning
As noted above, it only takes one password to give hackers access to your organization’s most valuable access points and assets.
With lateral movement being a part of 60% of attacks, it only takes one unlocked door caused by a poorly managed access provisioning lifecycle for a bad actor to find others. In addition, 63% of organizations lack visibility into the level of access users have to their critical systems. When best practices of access provisioning and de-provisioning aren’t followed, the consequences can be both costly and catastrophic.
Risks of poorly controlled access provisioning include:
The slow accumulation of access rights is the silent threat lurking in your organization’s system. If access rights aren’t regularly reviewed, an employee can accumulate access to assets they no longer need.
When a secretary in accounting moves to a different department, they no longer require access to the assets of their former department. If an employee needed access to a critical asset for a one-month project, they shouldn’t still have access a year later. But if access isn’t regularly checked, the sheer amount of access any single employee has can creep higher and higher, increasing the insider threat risk alongside it.
Sometimes employees are given too much access, and they can take advantage of that – whether maliciously or unintentionally. The secretary in the accounting department of a hospital doesn’t need access to private patient records, just as an ER doctor probably doesn’t need access to hospital branding files. Only give employees the least amount of privilege necessary to achieve a job function.
A Third-Party Data Breach
Third-party data breaches are making headlines consistently, and it’s for a reason. Third-party access is difficult to manage, and if not done properly and meticulously, more is at risk than just that one access point. The “hack one – breach many” trend isn’t going away.
The effects of the SolarWinds cyber attack are still being felt years later, and it all happened because SolarWinds is a third-party vendor for thousands of organizations. That’s thousands of critical access points that can be exploited with one unprotected user access right.
Best Practices to Manage User Access
Managing user access is crucial to securing your organization’s critical access points and making sure every user only has the access they need to complete a task. Here are some best practices for managing the access provisioning lifecycle:
1. Access Governance
Access governance, or the systems and processes that make sure access policy is followed as closely as possible, helps your organization implement a user access provisioning policy that works for your organization while keeping what’s most valuable safe. Access governance best practices include:
- Implementing role-based access controls
- Utilizing least privileged access when granting access
- Conducting periodic audits of access rights.
2. Access Control
If access governance is the overall policy, access controls are the little details that make that policy work. Implementing access controls gives visibility into which users have access to which assets. If a notification shows a user accessing a critical access point they shouldn’t, that can be remedied in the moment, preventing a potential breach.
Kinds of fine-grained access control measures include:
- Access notifications
- Access approvals
- Time-based access
- Access schedules
3. Regular Access Reviews
A periodic inventory of access rights to certain networks and systems is the clearest way to gain visibility into who has access to what.
Every access control could be in place, but it’s always better to double-check than face the consequences. User access reviews can be manual, but there’s also software, like SecureLink Access Intelligence, that conducts automatic reviews to help maintain internal system control.
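As an added example (not from the original article and not any vendor's product code), the following Python sketch runs one access review pass: it reconciles an account inventory against an HR roster and a role baseline and flags accounts that were never de-provisioned, access creep beyond the current role, and third-party access that is expired or has no expiry. The roster, role map, field names, and sample records are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: role baseline (RBAC), HR roster, and account inventory.
ROLE_BASELINE = {
    "accounting": {"email", "ledger"},
    "er_doctor": {"email", "patient_records"},
}
HR_ROSTER = {  # employee id -> (status, current role)
    "e100": ("active", "accounting"),
    "e101": ("active", "er_doctor"),
    "e102": ("terminated", "accounting"),
}
ACCOUNTS = [
    {"user": "e100", "kind": "internal", "grants": {"email", "ledger", "patient_records"}},
    {"user": "e101", "kind": "internal", "grants": {"email", "patient_records"}},
    {"user": "e102", "kind": "internal", "grants": {"email", "vpn"}},
    {"user": "vendor-7", "kind": "third_party", "grants": {"vpn"}, "expires": date(2024, 1, 31)},
    {"user": "vendor-8", "kind": "third_party", "grants": {"vpn"}, "expires": None},
]


def review_access(accounts, roster, baseline, today):
    """Return a sorted list of (user, finding, detail) tuples for one review pass."""
    findings = []
    for acct in accounts:
        user, grants = acct["user"], acct["grants"]
        if acct["kind"] == "third_party":
            # External users have no HR record, so access must be time-bound.
            expires = acct.get("expires")
            if expires is None:
                findings.append((user, "no_expiry", sorted(grants)))
            elif expires < today:
                findings.append((user, "expired_not_deprovisioned", sorted(grants)))
            continue
        status, role = roster.get(user, ("unknown", None))
        if status != "active":
            # Leaver or orphaned account: every remaining grant should be revoked.
            findings.append((user, "orphaned_account", sorted(grants)))
            continue
        excess = grants - baseline.get(role, set())
        if excess:
            # Access creep: grants beyond what the current role requires.
            findings.append((user, "access_creep", sorted(excess)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, HR_ROSTER, ROLE_BASELINE, date(2024, 6, 1)):
        print(finding)
```

In practice the roster and inventory would come from exports of the HR system and the identity provider, and each finding would feed a revocation or approval workflow.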
Handling access provisioning and de-provisioning can be tedious and prone to human error.