October 08, 2021 // Isa Jones // Last Updated: October 22, 2021
63% of organizations don’t have visibility into the level of access and permissions their users have to critical systems.
Too many organizations fail to define and enforce access policies for their most critical assets: systems, data, networks, infrastructure, and operational technology. Many data breaches trace back to mismanaged user access, and many businesses cannot say who can reach their most valuable assets or how that access is actually being used.
There are a variety of policies, strategies, and tools an organization can adopt to better secure critical access and the assets behind it. A major one is access governance.
Access governance consists of the systems and processes put in place to ensure an access policy is followed as closely as possible. Managing who may reach critical assets, and under what conditions, is basic cybersecurity hygiene, and governance is how that management is made consistent and verifiable rather than left to chance.
Implementing access governance takes more than declaring that critical assets and access points are safe. With a few best practices (and supporting tools), an organization can start to build out strong access governance and strong critical access management.
Access governance only works when there are clear, written access policies. An access policy is the set of rules that says who should have access to what, and which privileges a user holds when accessing an asset. As a best practice, policies should follow least privilege: each user gets only the minimum access needed to do their job, and nothing more. Governance then ensures that only those permitted by the policy are actually granted access to a critical asset. The policy is the standard against which real-world access is measured: it describes exactly what a user in a given job should be able to reach. For critical access, that standard must be strictly enforced, with no loopholes or side doors into those access points. Whether access is limited by job role, by time window, or by other factors, applying least privilege consistently is what turns a policy document into strong access governance.
HR systems are a natural source of truth for defining access rights, because they already track job role, function, and changes to employment status. When integrated with identity management tooling, the HR record can drive access by job role, and events such as hiring, promotion, transfer, and termination can trigger provisioning and de-provisioning automatically. The same data supports fine-grained access controls, since it records the attributes (department, manager, location, employment type) that a policy can key on. Tying access to these points in the job lifecycle builds an automatic failsafe into the access policy: when the HR record changes, the access changes with it.
However, HR systems cannot help with third parties, because vendors and contractors are not in the HR system at all. Investing in a dedicated system for managing the identities and access of third parties is also crucial for full access governance, since third-party access is often high risk and would otherwise fall outside every lifecycle control described above.
Think of access reviews as double-checking your work. You know who should have access to what based on the controls previously set, but are those controls still in place? Have departed users actually been de-provisioned, or has privilege creep quietly turned a long-tenured account into an insider risk? An access review is the process of examining every identity's current access rights and confirming that least privilege is still being followed. Put another way, it is a process for finding the gaps between what the access policy allows and what has actually been granted, and confirming that each remaining grant is legitimate and still required; any grant that is not should be revoked as part of the review, not merely noted. Conducting regular access reviews, especially for critical assets and access points, helps ensure that access policies and controls are working the way the organization intended. Access reviews are especially important for third parties, whose identities and access will not be part of an organization's internal HR systems and therefore never benefit from HR-driven de-provisioning.
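To make the review concrete, here is an added example (not code from the original article or its author) that reconciles a list of granted entitlements against an HR export and a least-privilege role policy, in the way the preceding sections describe. The role names, entitlement strings, user names, and dates are all constructed for illustration; `ROLE_POLICY`, `review`, and `run_sample` are hypothetical names, not any product's API. It flags the gaps the text warns about: access left over from a previous role, terminated users who were never de-provisioned, orphan accounts with no HR record, and third-party grants that are not time-bound or have already expired.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Least-privilege baseline: the entitlements each job role is permitted to hold.
# Hypothetical role names and entitlement strings; a real deployment would load
# these from its own policy store.
ROLE_POLICY: Dict[str, Set[str]] = {
    "dba": {"prod-db:admin", "prod-db:read"},
    "analyst": {"prod-db:read", "bi-tool:user"},
    "sre": {"prod-ssh", "prod-db:read"},
}


@dataclass(frozen=True)
class HrRecord:
    """One row exported from the HR system (the source of truth for employees)."""
    user: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Grant:
    """One entitlement as actually granted in the target system."""
    user: str
    entitlement: str
    expires: Optional[date] = None  # time-bound grants carry an expiry date


@dataclass(frozen=True)
class Finding:
    """A gap between policy and reality that the reviewer must act on."""
    user: str
    entitlement: str
    reason: str


def review(hr: Dict[str, HrRecord], grants: List[Grant],
           third_parties: Set[str], today: date) -> List[Finding]:
    """Compare every grant against HR status and role policy; return the gaps."""
    findings: List[Finding] = []
    for g in grants:
        if g.user in third_parties:
            # Third parties never appear in HR, so the only lifecycle control we can
            # check here is that their access is time-bound and not past its expiry.
            if g.expires is None:
                findings.append(Finding(g.user, g.entitlement, "third-party grant has no expiry"))
            elif g.expires < today:
                findings.append(Finding(g.user, g.entitlement, "third-party grant expired but still active"))
            continue
        rec = hr.get(g.user)
        if rec is None:
            findings.append(Finding(g.user, g.entitlement,
                                    "no HR record and not a registered third party (orphan account)"))
        elif rec.status == "terminated":
            findings.append(Finding(g.user, g.entitlement, "user terminated but access not de-provisioned"))
        elif g.entitlement not in ROLE_POLICY.get(rec.role, set()):
            findings.append(Finding(g.user, g.entitlement,
                                    f"not permitted for role '{rec.role}' (privilege creep)"))
    return findings


def run_sample() -> List[Finding]:
    """Constructed sample data: an HR export, the grants currently in place, and
    the set of registered third-party identities."""
    hr = {r.user: r for r in [
        HrRecord("alice", "dba", "active"),
        HrRecord("bob", "analyst", "active"),       # moved from dba to analyst
        HrRecord("carol", "sre", "terminated"),
    ]}
    grants = [
        Grant("alice", "prod-db:admin"),
        Grant("alice", "prod-db:read"),
        Grant("bob", "bi-tool:user"),
        Grant("bob", "prod-db:admin"),              # left over from the old role
        Grant("carol", "prod-ssh"),                 # never de-provisioned
        Grant("dave", "prod-db:read"),              # no HR record at all
        Grant("vendor-acme", "prod-ssh", expires=date(2021, 9, 30)),  # expired
        Grant("vendor-beta", "prod-db:read"),       # no expiry set
    ]
    return review(hr, grants, third_parties={"vendor-acme", "vendor-beta"},
                  today=date(2021, 10, 8))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user:12} {f.entitlement:14} {f.reason}")
```

Only alice, whose grants match her current role, produces no finding. Each of the other five grants is returned with a reason a reviewer can act on, which is the point of the exercise: the output of a review should be a list of revocations (or documented, time-limited exceptions), not a spreadsheet that is filed away.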
Access governance is just one part of critical access management, but it’s a crucial starting point. Learn more about access governance with our Critical Access Management ebook.