How to strengthen your data security strategy to prevent entitlement creep
Implementing strong security measures to protect valuable data, such as professional digital identities, has never been more critical. The need to authenticate individuals tied to multiple applications and data creates a demand for faster, remote access so that employees can remain productive. However, it also opens the door to risk and compromised accounts.
Effectively managing identity security is a crucial factor in preventing business-relevant data from being exposed. The most recent Office of the Australian Information Commissioner’s (OAIC) report on notifiable data breaches found that 45% of data breaches exposed identity information during the last reporting period. The human factor is also a common theme in data breaches, with the OAIC report stating that 38% of data breaches were caused by human error.
To mitigate the risk, IT and security teams must start by asking the key question: “Who has access to which data from where?” This is a good starting point for any data protection strategy that aims to safeguard all valuable data from threat actors.
It’s easy to forget that as employees move from one department to another, they often keep their old permissions while gaining new ones. This creates an extended network of access points open to potentially unauthorised individuals, and gives a hacker who compromises such an account more points of entry than targeting someone with fewer privileges would.
Granting initial entry via access management is only the “bouncer” of the business: it keeps out those who aren’t invited but, once entry is gained, the individual has free rein. The key is to focus on both enablement and security, providing access to important technology and tools while being able to control permissions. It is crucial for management to know who within the workforce requires certain access, and then to modify permissions if the role changes, or restrict - perhaps completely remove - access when it is not needed.
If done manually, identity management can be time-consuming and tedious, but once Artificial Intelligence (AI) and Machine Learning (ML) are introduced into identity management systems, these technologies will do the work for you. By 2022, 7.5% of IT operations will be supported by AI or analytics-driven automation. With thousands, possibly millions, of digital identities existing across an enterprise organisation, enforcing a least-privilege access model for each digital identity is critical to the overall health of a security program.
Decision-makers should look into the possibilities of autonomous systems that will grant and withdraw authorisations, warn the responsible admins of inappropriate rights, and handle user requests. It’s about defining and managing the roles and access privileges of users.
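As an added illustration of the review described above (not code from this article or from any particular identity product), the following Python sketch compares each identity's granted access with the least-privilege baseline of its current role, marks leftovers from earlier roles for revocation and escalates rights that no role explains. The role names, entitlement strings, baseline mapping and sample identities are all constructed assumptions.

```python
"""Flag entitlement creep: access kept from earlier roles after a transfer.
All roles, entitlement names and identities below are constructed samples."""
from dataclasses import dataclass, field

# Hypothetical least-privilege baseline: what each role needs, nothing more.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "ledger:write", "payroll:read"},
    "sales-rep": {"crm:read", "crm:write"},
    "hr-partner": {"hris:read", "hris:write", "payroll:read"},
}

@dataclass
class Identity:
    user: str
    current_role: str
    previous_roles: list = field(default_factory=list)  # from HR transfer history
    entitlements: set = field(default_factory=set)      # from each app's ACL export

def review_access(ident):
    """Compare granted access with the baseline of the current role only."""
    needed = ROLE_BASELINE[ident.current_role]
    excess = ident.entitlements - needed
    inherited = set()
    for role in ident.previous_roles:
        inherited |= ROLE_BASELINE.get(role, set())
    return {
        "user": ident.user,
        "keep": sorted(ident.entitlements & needed),
        "revoke": sorted(excess & inherited),    # left over from an old role
        "escalate": sorted(excess - inherited),  # no role explains it: warn an admin
        "grant": sorted(needed - ident.entitlements),
    }

def creep_report(identities):
    """Return only identities holding excess access, worst first."""
    findings = [review_access(i) for i in identities]
    findings = [f for f in findings if f["revoke"] or f["escalate"]]
    return sorted(findings, key=lambda f: -(len(f["revoke"]) + len(f["escalate"])))

SAMPLE = [  # constructed data
    Identity("alice", "sales-rep", ["finance-analyst"],
             {"crm:read", "erp:read", "ledger:write", "payroll:read"}),
    Identity("bob", "hr-partner", [], {"hris:read", "hris:write", "payroll:read"}),
    Identity("carol", "finance-analyst", ["sales-rep"],
             {"erp:read", "ledger:write", "payroll:read", "crm:write", "db:admin"}),
]

if __name__ == "__main__":
    for finding in creep_report(SAMPLE):
        print(finding)
```

Running the review on every HR role-change event, rather than only at periodic recertification, shortens the window in which leftover access stays usable.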
Automating these processes frees up time and improves efficiency, particularly across IT and HR, who are primarily responsible for managing the user lifecycle. The use of an identity and access management system can cut the time-consuming manual processes of gathering user data, creating users and establishing roles, and manually managing the identities throughout their digital lifecycle within the company.
The latest OAIC report stated that breaches due to human error increased by 18% in the latter half of 2020. Enabling AI and ML to automate identity management decisions can reduce the risk of security incidents and potential data breaches which result from simple mistakes. Furthermore, being able to enforce security without being dependent on manual recertification or validation ensures access rights are tailored to the specific user based on risk level.
A robust identity access management system, combined with other factors such as awareness training for employees and efficient security tools, will form a solid foundation for a strong data protection strategy. The ability to control and monitor who enters and exits systems is vital in supporting and securing your organisation, while simultaneously exercising good privacy practices in order to maintain the trust of employees with their information.