Recertification of access rights to sensitive data
Employee authorizations tend to grow uncontrolled over time. Combining automated access management with a regular review of existing rights strengthens both the sense of accountability in the specialist departments and data security.
Need-to-know is the principle that employees should gain knowledge of company data only when they require it. For access rights this means that they should receive only those authorizations they really need for their daily work. New employees join the company, employees change departments or work on new projects, and trainees rotate through various areas to gain as much experience as possible. So that these employees are not kept waiting, authorizations are assigned quickly and generously, for example at department level, or by copying the rights of a reference user with similar tasks. What is often neglected is documenting these rapid authorization changes and checking whether existing authorizations are still required. In practice there are also transition periods, so the removal of rights that are no longer needed falls due weeks later and, because of this time lag, is often neglected or forgotten. An employee's authorizations therefore keep growing the longer they stay with the company, and whether these rights are actually still needed after years remains an open question.
To prevent this uncontrolled growth in authorizations, auditors recommend recertification (or certification) of the authorizations, which also serves legal requirements such as the Sarbanes-Oxley Act in the financial sector. Data managers should review the existing authorization situation at regular intervals. Where authorizations that are no longer required are discovered, they should be withdrawn from the employees concerned as a risk-reduction measure. This recurring process generates little enthusiasm, especially among managers: it means considerable additional effort and a confrontation with technical details or mountains of paper full of complex matrices describing the complete authorization situation. Such opaque and unclear information is a massive hurdle that seriously endangers the objectives of a review process.
If the need-to-know principle is to be adhered to, the existing hurdles must be reduced as far as possible. The BAYOOSOFT Access Manager, with its automation of authorization management for file servers, SharePoint and Active Directory, is a solution approach that has been tried and tested for ten years. The software establishes data protection as the default and monitors the actual authorization situation by continuously comparing it with the approved and audited state of authorizations. The technical implementation is handled entirely by the system, and the IT administration can be left out of the loop completely if desired. This automation allows authorization management to be carried out directly by the data managers. Thanks to a clear and easily understandable presentation of the necessary information, they can manage access rights to the resources they are responsible for in a transparent and audit-proof manner, without technical background knowledge and without IT support. Assigning personal authorizations in combination with the integrated profile management, which maps organizational structures, removes the need to copy another user's authorizations or to grant rights to entire departments. Together with the option of defining expiration dates for the automatic removal of rights that are no longer needed, the BAYOOSOFT Access Manager provides a reliable way to contain the uncontrolled accumulation of authorizations and to promote acceptance among data managers through transparency.
Regular review of existing rights
To further reduce the risk of unwanted access to sensitive data, the reapproval of all managed access rights on file servers, SharePoint and in Active Directory is used in addition to the continuous comparison with the target system. This feature carries the permission management concept over to an intuitive browser interface, simplifying and accelerating the recertification process. On the due date, data managers receive an e-mail informing them of the resources to be checked. The web interface then filters out resources that are not relevant to the process, as well as those that have already been checked, and displays only the pending checks. Decisions can thus be confirmed or revoked intuitively with a simple yes/no. Because several data managers can be defined for each resource, the work can be distributed among several people. This keeps the recertification process as simple as possible for data managers: they are not confronted with mountains of paper or complex IT expertise and can work through their task efficiently. Lowering the recertification hurdle in this way is what makes a second, independent check of the company's sensitive data succeed.
Knowledge of existing rights and of whether they are still necessary is also an important factor for compliance with the General Data Protection Regulation (GDPR). To support the establishment and maintenance of the register of processing activities, personal data must be identified in accordance with Article 9 and the purpose of the processing defined. Here in particular, recertification as a second line of defence is relevant in order to oblige data controllers to take data security seriously. Reapproval is therefore combined with data protection classifications based on the GDPR categories. If a resource receives such a classification, it automatically becomes a candidate for the authorization check and is included in the next key date.
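The two paragraphs above describe a recertification cycle: rights are compared against an approved state, rights with an expiration date are removed automatically, a classified resource becomes a review candidate, and the responsible data manager sees only pending items and decides yes/no per grant. The following is an added Python model of that cycle, written for this article; it is not BAYOOSOFT code and makes no claim about how the Access Manager is implemented. All resource paths, user names, the 180-day review interval and the classification names are constructed assumptions.

```python
"""Model of an access-rights recertification cycle (added illustration, not product code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    principal: str                  # user or group from the directory
    right: str                      # e.g. "read" or "modify"
    expires: Optional[date] = None  # optional expiry for automatic removal

    def key(self) -> Tuple[str, str]:
        return (self.principal, self.right)


@dataclass
class Resource:
    path: str
    owners: List[str]               # data managers responsible for this resource
    classification: str             # assumed labels, e.g. "public" or "special-category"
    approved: Set[Grant] = field(default_factory=set)  # audited target state
    last_certified: Optional[date] = None


SENSITIVE = {"special-category", "confidential"}  # classifications that trigger review (assumption)
REVIEW_INTERVAL_DAYS = 180                         # assumed recertification interval
SAMPLE_TODAY = date(2024, 6, 1)                    # constructed key date for the sample run


def detect_drift(res: Resource, actual: Set[Tuple[str, str]]) -> Tuple[Set, Set]:
    """Compare the ACL read from the target system, as (principal, right) pairs, with the
    approved state. Returns (grants on the target that were never approved,
    approved grants that are missing from the target)."""
    approved_keys = {g.key() for g in res.approved}
    return actual - approved_keys, approved_keys - actual


def expire_grants(res: Resource, today: date) -> Set[Grant]:
    """Remove approved grants whose expiration date has passed; returns the removed grants."""
    expired = {g for g in res.approved if g.expires is not None and g.expires < today}
    res.approved -= expired
    return expired


def is_due(res: Resource, today: date) -> bool:
    """A resource is due when it holds sensitive data and was never certified, or its
    last certification is older than the review interval."""
    if res.classification not in SENSITIVE:
        return False
    if res.last_certified is None:
        return True
    return (today - res.last_certified).days >= REVIEW_INTERVAL_DAYS


def pending_reviews(resources: List[Resource], owner: str, today: date) -> List[Resource]:
    """What one data manager sees: only their own resources that are still pending."""
    return [r for r in resources if owner in r.owners and is_due(r, today)]


def apply_decisions(res: Resource, decisions: Dict[Grant, bool], today: date) -> Set[Grant]:
    """decisions maps Grant -> True (keep) / False (revoke). Every approved grant must be
    decided, otherwise the resource stays pending. Returns the revoked grants."""
    undecided = res.approved - set(decisions)
    if undecided:
        raise ValueError(f"{len(undecided)} grant(s) on {res.path} not yet decided")
    revoked = {g for g in res.approved if not decisions[g]}
    res.approved -= revoked
    res.last_certified = today
    return revoked


def build_sample() -> List[Resource]:
    """Constructed sample data; paths and users are not real."""
    hr = Resource(r"\\files\hr\payroll", owners=["alice"], classification="special-category",
                  approved={Grant("bob", "modify"), Grant("trainee1", "read", date(2024, 3, 31))},
                  last_certified=date(2023, 10, 1))
    pub = Resource(r"\\files\public\templates", owners=["alice"], classification="public",
                   approved={Grant("all-staff", "read")})
    return [hr, pub]


def run_cycle(today: date = SAMPLE_TODAY) -> dict:
    """One key date: expire, detect drift, list pending items, apply the owner's decisions."""
    resources = build_sample()
    hr = resources[0]
    expired = expire_grants(hr, today)
    # ACL as read from the file server (constructed): "carol" was granted outside the process
    actual = {("bob", "modify"), ("carol", "read")}
    unapproved, missing = detect_drift(hr, actual)
    due_before = [r.path for r in pending_reviews(resources, "alice", today)]
    revoked = apply_decisions(hr, {Grant("bob", "modify"): False}, today)  # owner answers "no"
    return {
        "expired": sorted(g.principal for g in expired),
        "unapproved": sorted(unapproved),
        "missing": sorted(missing),
        "due_before": due_before,
        "revoked": sorted(g.principal for g in revoked),
        "due_after": [r.path for r in pending_reviews(resources, "alice", today)],
    }


if __name__ == "__main__":
    for k, v in run_cycle().items():
        print(f"{k}: {v}")
```

The drift check deliberately compares only (principal, right) pairs, so an expiration date recorded in the approved state does not make an otherwise identical target grant look unapproved. `apply_decisions` refuses partial answers so that a half-reviewed resource keeps showing up as pending rather than silently counting as certified.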
Authorization changes caused by personnel or structural changes often lead to deviations from the need-to-know principle and, in the long term, to a loss of data security through uncontrolled growth in authorizations. With its automation approach, the BAYOOSOFT Access Manager monitors file server, SharePoint and Active Directory rights permanently and counteracts this creeping process. At the same time, transparency and awareness of data security within the company increase. Combining data protection classifications, which identify particularly sensitive data, with a second safeguard in the form of an easily understandable check of the authorization situation enables data managers to assume responsibility for meeting compliance requirements.
The BAYOOSOFT Access Manager is a tried and tested means of giving access management in the company a safety net for data security and thus of guaranteeing a permanently audit-proof authorization situation with little operational effort.
Would you like to learn more about the benefits of automated authorization management?
Make an appointment today for an individual product presentation or visit one of our regular webinars. Our experts for authorization management will be happy to introduce the BAYOOSOFT Access Manager to you personally: