Rights Structure as a Living Entity


By Dean Wiech
Managing Director
Tools4ever

Many organizations find that some degree of contamination creeps into the rights structure of their file system. The cause may be technical, resulting from changes in the server platform on which the system runs (switching from Novell to NT4, then to Windows 2003 and on to Windows 2008, etc.), or organizational, as when IT services are centralized or departments merge.

Nearly every organization cleans house and starts fresh every few years, and the world of folders and rights is neatly structured again, for a time. As time passes, the composition of the organization changes, and so does the composition of the data it uses. A structured system of folders and rights is unable to adapt as flexibly as the organization. Gradually, the structure and the way that rights are assigned no longer correspond as perfectly to the needs of the organization.

Hiring, promotions and departures
The growing discrepancy created by such changes is intensified because contaminated data is copied with every update in the personnel files. As employees are hired, promoted or moved to a different department or leave the organization, rights are allocated based on a structure that increasingly fails to correspond to the actual structure of the organization. If there is no standardized and normalized process for incorporating such changes, the rights structure develops problems that could easily lead to security incidents. The following is an example from actual practice:

When a new doctor is hired at a hospital, he receives certain authorizations; this is arranged by copying the rights from a colleague in a similar position. However, there is a risk that the new doctor will receive authorizations that he does not need at all. For instance, the colleague in this example could have had additional rights to edit files in a project folder. There is also a real risk that the colleague in this example may belong to authorization groups that in turn belong to groups that confer certain rights. These inherited authorizations make it almost impossible to assess the full impact.

In practice, few organizations pay much attention to removing authorizations when an employee’s rights are copied to another employee. The highest priority here is that the new employee can start his or her work immediately; authorization that may go beyond what is actually needed is not the primary consideration. Moreover, the IT department may not always be aware of exactly what shared data and project folders an employee needs to access. The new doctor may unintentionally gain too many rights for folders in the file system without anyone noticing, and gain access to strictly confidential patient information.
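The doctor example can be made concrete with a short script. This is an added illustration, not code from the article or from any Tools4ever product; the group names, folder names and nesting below are constructed sample data. It expands nested group memberships and reports which rights a copied account receives beyond what the position itself requires, and through which of the colleague's direct memberships they arrive.

```python
from collections import deque

# Constructed sample data; every group and folder name is hypothetical.
MEMBER_OF = {  # group -> parent groups it is nested in
    "Cardiology-Doctors": ["Clinical-Staff"],
    "Clinical-Staff": ["Ward-Records-Read"],
    "Stroke-Study-Team": ["Research-Editors"],
    "Research-Editors": ["Research-Archive", "All-Patient-Records-Read"],
    "Research-Archive": ["Research-Editors"],  # nesting loop left by a merger
}
GROUP_RIGHTS = {  # group -> (folder, access) pairs granted directly
    "Ward-Records-Read": {("Wards/Cardiology", "read")},
    "Research-Editors": {("Projects/StrokeStudy", "modify")},
    "All-Patient-Records-Read": {("Patients/All", "read")},
}

def expand_groups(direct):
    """Return every group reached from the direct memberships, following nesting."""
    seen, queue = set(direct), deque(direct)
    while queue:
        for parent in MEMBER_OF.get(queue.popleft(), []):
            if parent not in seen:  # guards against nesting loops
                seen.add(parent)
                queue.append(parent)
    return seen

def effective_rights(direct):
    """Union of the rights of every group the account belongs to, directly or not."""
    rights = set()
    for group in expand_groups(direct):
        rights |= GROUP_RIGHTS.get(group, set())
    return rights

def excess_after_copy(colleague_groups, role_groups):
    """Map each right the copy grants beyond the role baseline to the
    colleague's direct memberships that confer it."""
    needed = effective_rights(role_groups)
    excess = {}
    for group in colleague_groups:
        for right in effective_rights([group]) - needed:
            excess.setdefault(right, set()).add(group)
    return excess

colleague = ["Cardiology-Doctors", "Stroke-Study-Team"]  # account being copied
role_baseline = ["Cardiology-Doctors"]                   # what the position needs

if __name__ == "__main__":
    for (folder, access), via in sorted(excess_after_copy(colleague, role_baseline).items()):
        print(f"{folder}: {access} (via {', '.join(sorted(via))})")
```

In this sample, one project membership on the colleague's account carries read access to all patient records two nesting levels down, which is invisible when only the direct memberships are compared.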

Additionally, things often go amiss when employees are promoted. For example, when a medical resident becomes a fully fledged doctor in a hospital, additional rights that are needed in his or her new position are assigned, while the “old” rights are not removed.

Further, when an employee leaves an organization, the user account associated with that employee needs to be locked right away so that access to files and folders is immediately denied. The resulting situation is that the account still holds its rights on the files and folders, but can no longer be used to exercise them. If the account is unlocked, even temporarily, all access is immediately reinstated. When a person leaves an organization, it is advisable to consider alternatives, such as transferring the employee’s rights to the manager.

Compliance and audits
Organizations that cannot guarantee that their rights structure is in good working order run the risk of non-compliance with internal rules and/or external laws and regulations. The most common compliance issues involving a contaminated rights structure are:

  • Information security: Attaining effective information security requires thorough, accurate checks of the people who can access confidential information, such as patient data. When the rights structure is contaminated, it is impossible to guarantee effective information security.
  • Telephone and Internet access: Some organizations have strict policies about who is allowed to access the Internet. In such a situation, Internet access is viewed as an extra authorization, since it may lead to high-bandwidth usage and a decline in employee productivity. When rights are copied, these types of extra authorizations may be copied, too.
  • Downloading: Many organizations have a strict policy in place about downloading and installing software on an employee’s own workstation. In many cases, employees are unable to install any other software once their PC has been installed and set up. These measures are intended to prevent infection with viruses that are difficult to remove. When rights are copied, particularly from longer-term employees in similar positions, things regularly go wrong. Employees who have been working in the organization for more than 10 years have often been granted the right to download software.

Preventing Contamination?
The rights structure for folders is a living entity. It changes from day to day and involves a great deal of human interaction. It would be unrealistic to imagine that contamination of the rights structure could ever be avoided altogether. When humans interact, mistakes are made. However, it is possible to automate and standardize human actions as much as possible.

For example, management tasks such as creating a user, deleting a user or resetting a password can be automated. When an organization introduces solutions for doing so, an automated procedure can grant access rights effectively and securely, and change them when an employee leaves the organization or changes jobs. The solutions ensure an automatic link between the employees’ contract details in the personnel system and Active Directory. Employees who are not on the permanent payroll (external workers, temp workers, partners, etc.) can have a specific time frame set for their user account. After this time, the account is automatically disabled.

By combining these solutions with role-based access control (RBAC), organizations can automate not only user management but authorization management as well. Under the RBAC method, authorizations are not awarded individually but on the basis of roles that are defined by an employee’s department, job, location, and cost center. Based on the role that a person plays in the organization, an account can be created when a new employee starts working there, giving him or her access to exactly the applications needed to do the work. The manager does not have to take additional action, such as granting extra rights, and when a person’s role changes, the change in the personnel system is the trigger to adapt the rights to the new role and to discontinue the previous rights.
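A minimal sketch of that reconciliation step follows. It is an added example, not the vendor's implementation; the rule table, attribute values, group names and dates are constructed, and removing all memberships from a departed or expired account is a choice made in this example.

```python
from datetime import date

# Constructed role model; attribute values and group names are hypothetical.
ROLE_RULES = [
    ({"department": "Cardiology"}, {"Cardiology-Share"}),
    ({"department": "Cardiology", "job": "Resident"}, {"Supervised-Records-Read"}),
    ({"department": "Cardiology", "job": "Doctor"}, {"Patient-Records-Edit"}),
    ({"location": "Main Campus"}, {"Main-Campus-Printers"}),
]

def groups_for(hr):
    """Union of the groups of every rule whose attributes all match the HR record."""
    wanted = set()
    for attrs, groups in ROLE_RULES:
        if all(hr.get(key) == value for key, value in attrs.items()):
            wanted |= groups
    return wanted

def reconcile(hr, current_groups, today):
    """Return the changes that bring an account in line with its HR record."""
    current = set(current_groups)
    end = hr.get("contract_end")  # set for temporary and external workers
    if hr.get("status") == "left" or (end is not None and today > end):
        # Choice made in this example: disable the account and drop its
        # memberships, so that unlocking it later reinstates nothing.
        return {"disable": True, "add": set(), "remove": current}
    wanted = groups_for(hr)
    return {"disable": False, "add": wanted - current, "remove": current - wanted}

if __name__ == "__main__":
    # Constructed case: a resident promoted to doctor in the personnel system.
    promoted = {"department": "Cardiology", "job": "Doctor",
                "location": "Main Campus", "status": "active"}
    held = {"Cardiology-Share", "Supervised-Records-Read", "Main-Campus-Printers"}
    print(reconcile(promoted, held, date(2024, 7, 1)))
```

Because the removal set is computed from the same HR record as the additions, the promotion case revokes the resident's old membership in the same pass that grants the doctor's new one.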






Dean Wiech is managing director of Tools4ever. Dean has worked with businesses for more than 20 years, consulting and helping them identify solutions that make their businesses more secure, efficient and easier to manage.

He’s worked in nearly every sector, and counseled small, mid and large sized businesses for years. Dean is currently responsible for Tools4ever operations in the United States, including direct sales and managing the technology and consulting team, along with the day-to-day operations of the company.

He attended the University of Akron and studied chemical engineering before deciding to pursue a career in technology.







© 2019 Simplex Knowledge Company. All Rights Reserved.