Achieving Visibility into Enterprise-wide Access Risk

Pathlock
October 27, 2016

Enterprises are coming to the realization that the only way to achieve proper risk mitigation and remediation is to obtain the committed involvement of the appropriate business managers. The problem is that many business managers believe that systems access is an IT-only issue, so they are reluctant to get involved. While IT may drive the methodology of how systems are secured, the business manager is responsible for the policy of the security model – such as approving who has access to their business systems and defining what data the user can access, change, or delete.

Unfortunately, it has been extremely difficult for business users to aggregate and sift through the mountains of access-control data. It has required clumsy data extracts and spreadsheet paste-jobs – only to find that the data is all in technical jargon that means nothing to a business user. In addition, sifting through this data is a labor-intensive, productivity-draining process.

For example, a small company might have identified and accepted three instances of risk in its procurement process. This requires a process owner to devote two hours per week to scrutinize vendor changes, pricing changes, and POs processed to ensure there hasn’t been inappropriate activity. So the process owner runs reports to examine the data. Now, what happens at a larger company where there are 12-15 purchasing areas across different divisions? 15 managers spend two hours per week – as much as 120 man-hours per month simply sifting through data haystacks looking for inappropriate or fraudulent activities. In this larger corporation, there is also little assurance that these managers are applying consistent standards during their reviews. There could be different reports, different methods, and different time periods – making a clean audit very unlikely.
Given the growing volume and complexity, the only reasonable answer to these challenges is to apply a level of automation to facilitate cross-application risk analysis. When automation makes it easier and faster for the business managers to review and take action, they are much more likely to participate.

This automated approach to seeing user access data across all applications requires a sophisticated infrastructure to collect that access data, normalize security models across multiple applications, and report in business (not technical) terms. That aggregation must span all types of applications – commercial off-the-shelf, custom, and legacy – regardless of where the application resides – on-premise, hosted, or cloud-based. The data must also be collected continuously so that business managers can work with the access data that exists in the application at any given moment.

A common, centralized mechanism to enforce access policies enables you to implement a single set of controls that span multiple applications. That eliminates the repetitiveness and complexity of managing access controls in “application silos” and ensures that access policies are applied consistently across the entire organization. To learn more, click here to read the Access Risk Management white paper.
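The following is an added illustration of the collect-normalize-evaluate pattern described above; it is example code written for this page, not Pathlock's product or any code from the original post. Two constructed entitlement exports in different native formats (an ERP role dump and a custom procurement portal's ACL list) are mapped onto one business-function vocabulary, and a single segregation-of-duties rule set is then evaluated across both systems at once, so a conflict can be caught even when the two halves of it live in different applications. Every system name, role name, user, and rule id here is a constructed assumption, and the mapping table stands in for the "normalize security models" step the post describes.

```python
"""Cross-application access-risk check on normalized entitlements.

Added example (not Pathlock code). Constructed exports from two systems are
normalized to business-function names, then one SoD rule set is applied to the
merged picture. Unmapped entitlements are surfaced rather than silently dropped,
because an unknown role is itself a review finding.
"""
from collections import defaultdict

# Constructed export 1: ERP role assignments, one "user,role" per line.
ERP_EXPORT = """\
alice,Z_VENDOR_MAINT
alice,Z_PO_RELEASE
bob,Z_PO_CREATE
carol,Z_VENDOR_MAINT
eve,Z_LEGACY_REPORT
"""

# Constructed export 2: custom procurement portal ACL, one "user:permission" per line.
PORTAL_EXPORT = """\
bob:vendor.edit
dave:po.approve
dave:po.create
"""

# Normalization table (assumed): technical entitlement -> business function.
# Business managers review the right-hand side, never the raw role names.
FUNCTION_MAP = {
    "erp": {
        "Z_VENDOR_MAINT": "maintain_vendor_master",
        "Z_PO_CREATE": "create_purchase_order",
        "Z_PO_RELEASE": "approve_purchase_order",
    },
    "portal": {
        "vendor.edit": "maintain_vendor_master",
        "po.create": "create_purchase_order",
        "po.approve": "approve_purchase_order",
    },
}

# One rule set applied to every application: pairs of business functions a single
# user must not hold together. Rule ids are constructed placeholders.
SOD_RULES = [
    ("PROC-01", "maintain_vendor_master", "create_purchase_order"),
    ("PROC-02", "create_purchase_order", "approve_purchase_order"),
]

# (system, raw export text, field separator) for each source being aggregated.
SOURCES = [("erp", ERP_EXPORT, ","), ("portal", PORTAL_EXPORT, ":")]


def parse_export(text, sep):
    """Yield (user, entitlement) pairs from a simple delimited export."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, ent = line.split(sep, 1)
        yield user.strip(), ent.strip()


def normalize(sources):
    """Build user -> {function: [(system, entitlement), ...]} across all systems.

    Returns the merged view plus a list of entitlements no mapping covers.
    """
    functions = defaultdict(lambda: defaultdict(list))
    unmapped = []
    for system, text, sep in sources:
        for user, ent in parse_export(text, sep):
            func = FUNCTION_MAP[system].get(ent)
            if func is None:
                unmapped.append((system, user, ent))
                continue
            functions[user][func].append((system, ent))
    return functions, unmapped


def find_violations(functions):
    """Evaluate every SoD rule per user over the merged, normalized grants."""
    violations = []
    for user in sorted(functions):
        held = functions[user]
        for rule_id, f1, f2 in SOD_RULES:
            if f1 in held and f2 in held:
                violations.append({
                    "user": user,
                    "rule": rule_id,
                    "functions": {f1: held[f1], f2: held[f2]},
                })
    return violations


def run_review(sources=SOURCES):
    """Collect, normalize and evaluate; returns (violations, unmapped)."""
    functions, unmapped = normalize(sources)
    return find_violations(functions), unmapped


def business_report(violations, unmapped):
    """Render findings in the wording a process owner would act on."""
    lines = []
    for v in violations:
        where = "; ".join(f"{f} via {', '.join(f'{s}:{e}' for s, e in grants)}"
                          for f, grants in v["functions"].items())
        lines.append(f"{v['rule']}: {v['user']} can {where}")
    for system, user, ent in unmapped:
        lines.append(f"UNMAPPED: {user} holds {ent} in {system} (no business function assigned)")
    return lines


if __name__ == "__main__":
    found, missing = run_review()
    print("\n".join(business_report(found, missing)))
```

Note that bob's conflict is only visible after aggregation: his vendor-maintenance right lives in the portal while his PO-creation role lives in the ERP, so a per-application review would clear him in both places. The `UNMAPPED` finding for eve's legacy role models the post's point about legacy and custom applications: a role the normalization layer cannot classify should reach the reviewer as a gap, not disappear.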