Too Many Staff Have Privileged Work Accounts For No Good Reason, Reckon IT Bods (theregister.com)
Around 40 per cent of staff in British and American corporations have access to sensitive data that they don't need to complete their jobs, according to recent research. From a report: In a survey commissioned by IT security firm Forcepoint of just under 900 IT professionals, 40 per cent of commercial sector respondents and 36 per cent working in the public sector said they had privileged access to sensitive data through work. Worryingly, of that number, about a third again (38 per cent public sector and 36 per cent private) said they had access privileges despite not needing them. Overall, out of more than 1,000 respondents, just 14 per cent from the private sector thought their org was fully aware of who had the keys to their employers' digital kingdoms. Carried out by the US Ponemon Institute, a research agency, the survey also found that about 23 per cent of IT pros across the board reckoned that privileged access to data and systems was handed out willy-nilly, or, as Forcepoint put it in a statement, "for no apparent reason." Access management is a critical topic for IT security bods, especially as COVID-19-induced remote working introduces challenges for the monitoring of data access and intra-org flows.
Meanwhile (Score:3)
I've been trying to get the CNC software on my PC updated for seven years.
Re: (Score:2)
Dial up isn't THAT slow!
Re: (Score:2, Funny)
Re: (Score:3)
Re: (Score:2)
Re: (Score:3)
It's not about trusting the employee not to use it maliciously. It's about trusting the employee not to make a mistake. Or get tricked by someone into making a mistake. I trust myself, but I don't have my shell running with root authority all the time. And I don't allow checkins to source control without a buddy/code review because mistakes happen. A thousand other checks for "are you sure?" are scattered throughout our design systems. Having to get the right permissions for a task is a good engineering pra
There's a difference between information access (Score:1)
It doesn't help that virtually all access management is done by the cheapest employees money can buy, meaning it can take days or weeks to get access to something because they'll keep screwing up your access request.
Re: (Score:3)
When reading this post I first assumed you were being sarcastic, but by the end I started to feel you might be serious. The opinions you shared are so obviously at odds with the most basic information security practices that it's hard to believe someone could hold these beliefs.
Principle of Least Privilege is a bedrock of information security, and every organization which takes security seriously practices it to some extent. You must have never worked in such an organization or at least weren't knowledgeable
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
I have an inverse approach. Plan on everything being compromised and organise your methods and business strategy so that it doesn't matter.
So you build your business strategy so that a breach of customer PII or theft of encryption keys doesn't matter? I'm sure there are some businesses which could get away with that (because they don't store either) but certainly not the vast majority of them. Or at least the vast majority of businesses which grow past a few dozen employees.
Re: (Score:2)
No. Instead you build your business and applications so that PII doesn't go to every corner of the universe. E.g.
Re: (Score:2)
Noah
You run a data warehouse don't you.
Apparently you haven't, or didn't know it, or ... (Score:3)
The standard security practice, which most companies try to do and many get close to, is that you have access to whatever you need to do your job; you don't have access to things unrelated to your job. That's what least privilege is.
For example, in one company I did some work for, all accounting records, every employee's social security number and direct deposit information, was accessible to everyone in the company - thousands of people. That violates least privilege because the sales people and the Cisc
Re: (Score:2)
I have worked in such environments. They are highly inefficient, hostile environments that artificially create problems and obstacles that could have been avoided by better hiring practices.
Hey I get it, I grew up on a farm where we never locked our doors and kept our keys in the car's ignition. It is much easier to ignore security and for many companies the risk is small. But at some point a company really has something to lose if they get this wrong.
Since you will never get it perfect, it is usually in a company's interests to err on the side of too much security than too little. When done poorly that can lead to very inefficient business processes like the ones you describe. But the solutio
Re: (Score:2)
If something is of value to one person, it is likely of value to someone else to steal or destroy it. The more valuable it is, the more likely it is. And the cost of security has to rise to meet that challenge -- cost both in $$$ and in time and talent.
Re: Wrong (Score:1)
Re: (Score:2)
"When reading this post I first assumed you were being sarcastic, but by the end I started to feel you might be serious. The opinions you shared are so obviously at odds with the most basic information security practices that it's hard to believe someone could hold these beliefs."
I think the poster's comment that "Better too much then not enough. You can always disregard if a piece of information is not useful ATM. But you never know how a piece of information is going to come in handy in the future." is almost always correct from a personal point of view, and often correct from a "greater good for society" point of view. Many discoveries have been made because someone who knew seemingly disconnected bits of information was able to put them together in a new and useful way.
I disag
Re: (Score:2)
Oh - I almost forgot. The original article's premise that "Too many staff have privileged work accounts for no good reason" is spot on. I was involved in auditing a critical component of a global financial services firm's technical mechanisms (for carrying out global financial activities of extremely high value), and we found one of their systems to have hundreds of privileged accounts. After bringing this situation to the attention of management, we were questioned as to what we thought was the "right
Re: (Score:2)
My god, you're in marketing, aren't you?
Re: (Score:1)
You are what is called in the corporate espionage business a "high-value target."
A hearty Screw You to security nazis (Score:5, Insightful)
I don't think I've ever worked for a company with any size of IT department, that was not WAY over-zealous in locking things down to the point where work probably took 20% longer than it should have because of security constraints you had to work under.
I realize internal security is important also, the problem IT people seems to have is that they never have good understanding of what is important to lock down vs. what could easily be kept more accessible so that people could get work done.
It seems like pretty much everywhere IT departments are way too much a silo that is not really integrated with the people they are supposed to assist and protect.
Re:A hearty Screw You to security nazis (Score:4, Insightful)
Re:A hearty Screw You to security nazis (Score:4, Insightful)
This phenomenon is part of the problem. You have this theoretically locked down default that is credibly 'secure' but is useless. So everyone gets exempted in practice and ends up on the other extreme, with way *too much* access because no one has time to navigate each one of the nitty-gritty privileges that may or may not matter, so they just exempt a bunch.
Re: (Score:2)
A coworker once needed another machine as a compute server. IT refused. He already had a computer, and the one he requested was not one of the standard models as it had too much RAM and a beefier than normal CPU. The manager and director tried to get them to relent, but to no avail. Eventually the VP of finance had to put his signature on an approval. Same IT team that insisted our Macs were overdue for an upgrade to Windows 10, and the DOS based signing machine used by manufacturing (disconnected from
Re: (Score:2)
the one he requested was not one of the standard models as it had too much RAM and a beefier than normal CPU
Not standard. Denied. We can't support an unlimited number of configurations.
Same IT team that insisted our Macs were overdue for an upgrade to Windows 10
We're going to standardize on our OS no matter what
the DOS based signing machine used by manufacturing
We're slimming our software portfolio, and this old crap is out.
I've worked a stint in an IT department responsible for precisely these requests, and I have seen all of these. Portfolio managers especially are a breed apart. And sometimes it works the other way around. We had a piece of software that generated a Ramadan prayer calendar on people's desktops. $100(!) per se
And A Hearty Eat It For Users Like You. (Score:3, Insightful)
Every phishing test, every ransomware invasion, every accidental wire fraud, every event that extends beyond a single user impact is further proof that users cannot be entrusted with privilege access without detrimental impact to the corporation.
IT has to be right every time and all the time. You only need to fuck up with one single: 'Oh, I thought I was typing admin for something else. The email looked legit.'
It ain't easy for either side, but IT has to do what they have to do. If they fail, they don't onl
You end up killing that which you seek to protect (Score:2)
Every phishing test, every ransomware invasion, every accidental wire fraud,
It's people like you that are the problem. You don't end up stopping that stuff ANYWAY, meanwhile I can't get a document I need to get work done for three days.
As I SAID IN MY ORIGINAL MESSAGE, some security is important (like anything around wire transfers Obv) but you are treating access to some process document with the same level of security!!!!! Insanity.
I'm thankful though really, because people like you ossify companies
Re: (Score:2)
Yes, "cyber" security is a shit job, as it is virtually non-technical, and you are more like "toilet paper for lawyers". I guess they can't be too technical though, lest they become the witches that they hunt. But keep on keeping on, using tools you don't understand to scan systems you don't understand, to create an auditable illusion of security.
Re: (Score:2)
Every phishing test, every ransomware invasion, every accidental wire fraud, every event that extends beyond a single user impact is further proof that users cannot be entrusted with privilege access without detrimental impact to the corporation.
IT does not make policy. It does not get to decide whether risks are worth taking. They don't get to draw conclusions every incident is proof of jack anymore than Al Gore gets to say every storm is proof of global warming or the state of California gets to say every car accident is proof driving cars should be illegal.
Re: A hearty Screw You to security nazis (Score:2)
Now's a good time as any to remind the class that my employer is a defense contractor that ought to take IT secur
Re: (Score:2)
Security always takes more effort, and usually more time. Just think of your front door: it's faster and easier to enter the house when it's not locked. It's the price you pay for security.
A Metaphor (Score:1)
Just think of your front door: it's faster and easier to enter the house when it's not locked.
Sure.
But IT security is like, what if you left your wallet in the pantry? Better put a few padlocks on that door also, that you have to visit a neighbor to get the key for - on a one time basis...
But wait, the same could be true of any room so better padlock every internal door as well, with all keys managed by an out of state service which you can handily access 10am-3pm, Monday - Wednesday.
That is an accurate m
Re: (Score:2)
Most front doors are locked to prevent casual access, but easily kicked in. This is a sensible compromise. Security "experts" might advise bolts, bars, reinforcements, alarms, etc., but people will choose not to use any of that due to it not being worth the expense or trouble. It is much the same in business, with "cyber" security "experts" advising many things that would increase security but may not be economically sensible. It is important to evaluate the costs and benefits thoughtfully and not just
Re: (Score:1)
Re: (Score:3)
My text editor wants to smoke whatever yours is smoking.
Re: (Score:2)
Most homes in the US are not masonry built, so no matter how strong the door is you can always punch a hole in the wall if you really need to get in. 2x4s, plywood, and drywall, this is what most homes in the US are built from. And even if you have a masonry or ICF house, there are still windows. Then, if you invest in solid doors you need to invest in exterior security rolling shutters.
Re: (Score:2)
I think what is missed in this analogy is the value of the thing being stolen. Come in and clean out a residence. Take everything including the walls and kitchen sink. For most USA homes, you're talking a couple hundred thousand dollars lost, damage to one family. But a corporation that loses control of its network or has its software invaded, you're talking about impact that is potentially across every employee -- lots of families -- plus the lost value to the corporation itself. How much did Sony lose a f
How to get the access you need (Score:2)
Here's the secret on how to get the access you need.
Tell the security team "in order to be able to complete $task, I need [read|write] access to $object". (NOT "I need admin on everything, fuckers.") Cc your boss.
The big problem, which causes both headaches for users and security holes, is 1960s-1970s style thinking of "levels" of security. User wants "admin access", security team isn't going to do that.
The CEO or the head of marketing do NOT need access to re-configure the router. Only the network team n
Re: (Score:2)
Removing accidental negative mod point. I meant to click +1 insightful....
Re: (Score:2)
But it seems like the discussion is off-base. The problem is usually that permissions systems are not structured by what makes sense for use, they are structured around implementation convenience. Also the summary appears to be largely about information access, not whether or not a user's desktop installation is "locked down". Think access to shared drives or databases with legally sensitive information because nobody bothered to create a separate permissions grouping that actually reflects the legal obl
Re: (Score:2)
The problem is usually that permissions systems are not structured by what makes sense for use, they are structured around implementation convenience.
100% agree with this, that is probably the main issue in reality, either a permissions is opening up way too much, or way too little from the standpoint of the people who have to live within the permission system as defined.
Re: (Score:2)
Internal security is critical to security. The premise of external castle and moat style security is outdated by many years. I'll recommend taking a few minutes to study defense in depth concepts like the kill chain. There is a world of difference between security, security theater and checkbox compliance.
Companies with poor internal security are very easy prey for malicious actors. You don't want your system to be the source of a breach, then you get to have your technology seized and your li
Need easy expiration feature (Score:2)
It would be nice if Windows* offered an easy way to put a timer on privileges so that they can optionally expire. Often there are short-term projects or trouble-shooting tasks that require higher-than-normal permissions for a short time. If the admin forgets, they stay in place.
* Most orgs use Windows, I didn't pick it.
Re: (Score:2)
Local admin is needed for some apps / for apps to update / for some active x stuff to run / etc.
Some things needed fixed service accounts.
Some things only have user or admin or for some tasks need full admin rights.
Install pp, restart service are separate perms (Score:2)
Windows actually has separate permissions for all of that stuff. There is nothing, absolutely nothing, that *requires* full administrator.
Identifying which permissions are actually needed takes more time than just letting someone do anything and everything. Which makes sense is context dependent.
Re: (Score:2)
Windows may have separate permissions for all of that stuff, but some apps may just check for administrator.
Other stuff works good with UAP.
Now Windows compatibility for say run as XP mode needs local admin for apps.
Other software may not have the same level of separate permissions.
Re: (Score:2)
> Windows may have separate permissions for all of that stuff But some apps may just check for administrator.
True. Maybe I should make a module that lies to the app and says it's in the Administrator's group. Maybe by making a non-privileged group called Administrators. Name the privileged group something else, like "Ray will kick your ass if you use this group without asking".
Re: Need easy expiration feature (Score:2)
Windows kind of does. If you use Restricted Groups to set the administrator groups you can manually add someone to administrators and they're automatically removed 15 minutes later on the GPO refresh.
Re: Need easy expiration feature (Score:1)
Re: Need easy expiration feature (Score:1)
Re: (Score:1)
I suspect Microsoft will charge extra for "fancy" permission features in their cloud-ware. The big tech co's are chomping at the bit to have fee-for-service and fee-for-feature billing.
They view it as more profitable. They get you locked into their product, and then you are stuck paying the fee because switching infrastructure vendors is a pain.
Re: (Score:2)
An account with the the necessary higher-than-normal permissions can be set to expire, though.
Then it can easily be activated later as needed.
Re: (Score:1)
That's not the same thing as a permission expiring. One generally doesn't want the user's entire account to expire when granting them task-specific permissions.
A user account expiring is a useful feature, but doesn't handle the scenario I'm envisioning here.
I suppose the admin could give them a special account just for the task, but that can be awkward to manage for multiple reasons.
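As an added example for this sub-thread (not code from Windows, Active Directory or any vendor, and not the poster's own), here is a small Python model of what the original post asks for: a grant that carries its own expiry, a scheduled sweep that revokes expired grants (the role the 15-minute GPO refresh plays in the Restricted Groups reply), and, for contrast, the whole-account expiry the later replies discuss. Every account name, group name and ticket number is constructed.

```python
"""Time-bounded privilege grants: a small model of the "timer on privileges" idea.

Added example for this thread, not code from Windows, Active Directory or any
vendor. Every account, group and ticket number below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Grant:
    principal: str
    privilege: str                   # e.g. a group such as "LocalAdmins-WS42" (constructed)
    granted_at: datetime
    expires_at: Optional[datetime]   # None means standing access, the thing a review should question
    reason: str                      # ticket or justification, kept for the audit trail


@dataclass
class AccessStore:
    grants: List[Grant] = field(default_factory=list)
    account_expiry: Dict[str, datetime] = field(default_factory=dict)
    audit_log: List[Tuple[datetime, str]] = field(default_factory=list)

    def grant(self, principal, privilege, reason, now, ttl=None):
        """Grant a privilege; with a ttl it carries its own expiry from the start."""
        expires = now + ttl if ttl is not None else None
        self.grants.append(Grant(principal, privilege, now, expires, reason))
        self.audit_log.append((now, f"GRANT {principal} {privilege} ttl={ttl} reason={reason!r}"))

    def expire_account(self, principal, when):
        """Coarse alternative from the thread: expire the whole account, every privilege at once."""
        self.account_expiry[principal] = when

    def has(self, principal, privilege, now):
        """Effective check: the account must still be live and one unexpired grant must exist."""
        acct_end = self.account_expiry.get(principal)
        if acct_end is not None and now >= acct_end:
            return False
        return any(g.principal == principal and g.privilege == privilege
                   and (g.expires_at is None or now < g.expires_at)
                   for g in self.grants)

    def sweep(self, now):
        """What a scheduled job (the role the GPO refresh plays above) does: revoke expired grants."""
        kept, revoked = [], []
        for g in self.grants:
            if g.expires_at is not None and now >= g.expires_at:
                revoked.append(g)
                self.audit_log.append((now, f"REVOKE {g.principal} {g.privilege} (expired)"))
            else:
                kept.append(g)
        self.grants = kept
        return revoked

    def standing_grants(self):
        """Grants with no expiry at all: the list an access review starts from."""
        return [g for g in self.grants if g.expires_at is None]


def demo():
    """Walk through the three cases and return the observable results."""
    t0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
    store = AccessStore()
    # Ticket-scoped elevation: local admin for a two-hour troubleshooting session.
    store.grant("alice", "LocalAdmins-WS42", "INC-1234 driver install", t0, timedelta(hours=2))
    # Standing access with no expiry and no ticket: the pattern the thread complains about.
    store.grant("bob", "DomainAdmins", "no ticket", t0)
    # Contractor whose whole account expires: coarse, and removes everything at once.
    store.grant("carol", "FileShare-Finance-RO", "contract C-77", t0)
    store.expire_account("carol", t0 + timedelta(days=30))

    results = {
        "alice_during": store.has("alice", "LocalAdmins-WS42", t0 + timedelta(hours=1)),
        "alice_after": store.has("alice", "LocalAdmins-WS42", t0 + timedelta(hours=3)),
        "carol_before_end": store.has("carol", "FileShare-Finance-RO", t0 + timedelta(days=29)),
        "carol_after_end": store.has("carol", "FileShare-Finance-RO", t0 + timedelta(days=31)),
    }
    revoked = store.sweep(t0 + timedelta(hours=3))
    results["revoked"] = [(g.principal, g.privilege) for g in revoked]
    results["standing"] = sorted((g.principal, g.privilege) for g in store.standing_grants())
    results["log_entries"] = len(store.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the expiry lives on the grant, not on the account, so a troubleshooting elevation lapses on its own while the user's ordinary access is untouched; the sweep plus the audit log is what lets you answer "who had admin on that host last Tuesday, and why" later. Active Directory has offered this natively since Windows Server 2016 through the Privileged Access Management optional feature, which puts a time-to-live on group memberships.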
And despite that... (Score:4, Informative)
And despite 40% of users having access they don't need, there is probably a similar number who don't easily have access to the information they need.
I've seen more than one company where you had to circumvent the company policies to get your work done at all. (Not only security wise, that's just the worst)
Re: (Score:2)
And despite 40% of users having access they don't need, there is probably a similar number who don't easily have access to the information they need.
I've seen more than one company where you had to circumvent the company policies to get your work done at all. (Not only security wise, that's just the worst)
yep. I worked for a year for an international oil and gas company. They were kings of ridiculous policy. The CIO was a numbskull and underfunded everything to the extreme where technical debt was piled so high it was insurmountable. Then they made policy after policy to cover their ass for why our systems were ridiculously insecure to the point that the only way you could work as an IT admin was to simply ignore the policy. I left that place as fast as possible.
Re: (Score:2)
In my last job, I was writing proposals to my client, definitely not our biggest income, but percentage-wise just about our most profitable. Then, without telling me, they started a policy that only managers could have access to the server with proposals on it. Since I was "only" a senior engineer, that didn't include me. At first, one of the vice presidents got me access again, but I kept losing it and he eventually retired. So I ended up having to write them on
Re: (Score:2)
And let me guess, they never asked to get access and if they did ask, never provided a justification.
Contrary to popular opinion, marketing does not need access to Legal's files, nor does Bob in accounting need to see personnel files. Restricting access is done for a reason. Specifically, so we don't see stories on here about how people's personal information or corporate secrets were let loose because someone couldn't be bothered to do secu
Re: (Score:2)
It's usually not that evil or stupid, but just some contradicting policies. Like you need to get a sign off from someone, who usually absolutely makes sense to have to get approval from, but that's exactly the person who you're asked to take over for cause he got hit by a bus and his next up the chain of command is on vacation in the amazonas.... something like that.
80/20 rule. (Score:4, Insightful)
You use 20% of the features 80% of the time. That means you have 20% of your time needing other features. That is roughly 400 business hours a year, where you are going to need something more than you normally would.
That means you will need 1 person for every 5 people hired to do a job that could have been accomplished if they just had higher security rights, a bit higher than they really need.
The thing about having people who do work is that humans, when they do their jobs correctly, will do things that require more judgement and flexibility than what the computer would do. So you need to give them a bit more tools so they can effectively do their job. If your job is good enough for the basic security, chances are your job will be shipped off to automation soon.
Makes sense.. (Score:3)
Companies love complex bureaucracy and accountability is all over the place.
A manager will get chewed out if someone on their team fails to get something done because they didn't have access, so the manager just requests permissions as a matter of course.
If that person's access causes sensitive data to be compromised? Well they and/or IT will get blasted, not the manager. So there's only upside for a manager to request more access than needed. Further, IT has no authority to second guess a manager's assessment of business need.
Also, overly complicated organization of data. Data that isn't particularly sensitive but everyone needs may be possible to apply access controls such that it can be accessed but truly sensitive data can still be protected. However people can't navigate the nuance and just grant more access or lump it together because it's too hard to keep straight. For example a manager protects *everything* the same way and gives access to *everyone* to feel like they did their part to protect data, but still lets everyone do their jobs.
"Need" (Score:2)
Depends on definition of "need" - Yeah, I work in IT and have 100% admin access to everything. No, I don't "need" access. But when the boss has issues and HE needs it fixed, guess who goes in to fix it?
Do I give two shits about his financial docs or whatever? Hell no. I never touch that shit. But when he accidentally deletes his Excel files, damn skippy to I swoop in and restore the backup snapshots from a few minutes prior.
I could just as easily tell him to do the same to restore, but he's not a techie, an
Of course we do, but not without reason (Score:3)
Yes, I have more access than I usually need. Yes, many more people in my organization have more access than they know what to do with.
Literally, in that case: not even knowing enough to be dangerous, but having 'full access' to things because... well, nobody in management wants to hear that there are things they shouldn't have access to.
As for my own excuses for greater access, the most common reason is that it takes WAY too long to deal with things in locked-down compartments.
Full administrative access is safe in my hands, of course, it's all those OTHER people that worry the crap out of me...
OK, I worry me too sometimes.
Executive privilege (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
Rinse, lather, repeat.
It's like you've never even read a shampoo bottle.
Not so much an IT problem (Score:2)
If you give me an account and su privs (Score:2)
because I need to work on a system, feel free to remove access as soon as I'm done. If it's a system I'm running my apps for clients/customers on daily, I'll continue to need access to it, maybe forever...
If you're talking about bad/lazy admins running a windows domain (AD) not knowing how to setup user/group permissions, you're gonna have a bad time.
Again, IT wanting money (Score:3)
I have no reason to see the construction crew on the road. Yet I see them, and know exactly when they are doing what.
I have no reason to know which brand of screwdriver my contractor uses, the colour of his belt, the model of his truck, and certainly not his licence plate.
I don't need to know the route the postal truck takes, the garbage truck takes, the brand of gloves, the colour of their hair.
I don't need to know when my neighbours go to work, how many children they have, and who their friends are.
It's not worth the expense of hiding information. I know IT guys want more money. That's not a business case.
We have laws and law enforcement for this.
I confess (Score:1)
Guilty as charged. Clickety-clickety-click...
--
BOFH
Job moves and security rights cleanup (Score:2)
Any decently sized company will have IT people who move between IT groups. However, most retain access in case they are needed to solve a problem during the transition. Add security for projects that they have worked on to the mix. Rinse/repeat for multiple job functions.
Ideally, employees would start with a new account when changing positions, even if it's a minor change, and be given security rights for the new job. The old account would be set to expire within a transition phase.
Re: (Score:2)
Ideally, employees would start with a new account when changing positions
So, no system where an employee would have an account that follows them throughout their career at a company. And a system where management could add and/or delete access control to various pieces of data as needed for their current job function?
Two common causes (Score:2)
Re: (Score:2)
IMHO, they should have thought of that when designing and deploying the application. The team that's assembled and trained to be handling application problems shouldn't be getting the necessary permissions on the fly after it all hits the fan.
When one looks at WHO is saying this (Score:2)
We find the statements are made by agencies with little to no actual experience in the field... And stand to profit from the FUD they're generating.
As in so very much (for too much)... Follow the money
Gack
Not surprising (Score:3)
Employee has access he doesn't need = Possibility that there might be a security breach some time in the future.
Employee doesn't have access he does need = Necessary work isn't getting done right now.
Unsurprisingly, then, there tends to be a bias to giving access.
Re: (Score:2)
Employee doesn't have access he does need = Necessary work isn't getting done right now.
There's another side to this. If the access* to information needed to do 'necessary work' is tightly controlled, it means that management is forced to understand and plan the work needing to be done. This might seem to be counter intuitive (impede the performance of certain jobs), but from a big picture point of view it is better to expose broken work processes and fix them at the appropriate places rather than let them continue on out of control.
Anecdote: When I worked for Boeing (decades ago), I worked w
Software developers share a lot of the blame (Score:1)
Could be advantageous ... (Score:2)
... because "You can't pin it on me, hell everybody here has admin privilege, against my recommendations which, by the way, are documented in the emails where you rejected my list of best practices."
True story.
#4 in the CIS critical item list. (Score:2)
Wrong Perspective (Score:2)
But framing this as a question of "what I need to get the job done" is exactly the wrong perspective to take here...
The thing is, these views are those of people from before a front-of-the-paper, lead-story-on-the-six-oclock-news event
Re: Wrong Perspective (Score:1)
It's not just about security (Score:2)
But if they can compartmentalize you? You're just another easily replaceable machine cog. I can swap you out in a week or two. Sure the new cog will have to be broken in a bit, but the machine wo
This is common (Score:3)
About a decade ago I joined a new job and found out that a whole bunch of support personnel have access to linux commands that can shutdown/restart production applications. They were even given instructions on how to do those things. I realized that people before me gave that access to support folks so that they can walk them through on the phone.
I did my best to eliminate the unnecessary access and was ignored. Until one day we had a catastrophic outage because a person's ssh key was put on VM hosts, allowing him to reboot the server by mistake thinking he was rebooting a VM. That host contained a few dozen VMs. My access restriction proposal was immediately called to the meeting and implemented just days afterwards.
In a former life... (Score:2)
... I was a VMS system manager. At one company, I discovered that there were no records of who had been granted what permissions to their user accounts. One DCL script later, I had what I was looking for: a tabular report with privileges listed across the top and a row for each user account with an "x" for a privilege that had been granted and an "X" for one that had been granted and enabled by default. It was quite the "Holy Crap" moment when the report showed that the majority of the user accounts had an
Lock it all down. (Score:2)
Yay! Lock down all the information.
All your employees will know the minimum necessary to do what you tell them to do.
Sure they might fail to excel using the totality of information your company holds, but you wouldn't want them to get too clever, would you?
Depends on the company (Score:2)
In small companies, where IT is well-treated and well-respected, the IT department is a valuable part of the business. They also act like it. One extreme example I've seen: a mini-IT department consisting of 2-3 people running full redundant backup infrastructure on a set of virtual machines. To the point that, if disaster were to strike - say, a ransomware attack, the business would be up and running on yesterday's data within minutes. While the IT folk sorted out WTF just happened. That was on top of ther
Especially at smaller companies! (Score:2)
I've been at other small companies where everyone is an Admin to every service. At that start up everyone had root access to all servers, despite my objections and t
Yes, I can read your email ... (Score:2)
Easy solution to fix permission problems (Score:2)
Only 1 Item needed in multiple Databases (Score:1)
There are many times I just need 1 or 2 items in an application that requires unique access. I don't need to see 99% of the other info and this may only be 1 time per month or quarter, but I cannot get it in a timely manner from others.
And nearly every time have to get password reset, because it is impossible to remember the unique password setup last time that was only used once months ago, and no I don't write them down per policy and security.
Yeah, we did that. (Score:1)
We had WAY too many grandfathered security exceptions in place, so when we did a network revamp, we "fixed" that. Guess what? Processes telling checks to get cut run after hours, and they call an actual person to drive into the office Sunday evening when they didn't plan for this in 'the fix'.
Said person saw NO irony that even the door didn't think they were supposed to be there...
Windows needs sudo (Score:2)
Sudo was released about 20 years ago and Microsoft still hasn't copied it. You might think I'm joking, but sudo really is the answer here. With sudo, you can grant users the ability to run only certain commands as admin. Old software that needs to be run as admin? No problem. Software wants to update itself? No problem. Some 3rd party software needs to be installed? Call IT, it's not whitelisted.
Instead we have an all-or-nothing approach. You either have admin over the entire machine and can do anything, o
Too complex to manage properly (Score:2)
Each person in a large company may need access of varying degrees to 50-100 different applications and services. Managing access via security groups helps, but there is no way to give only an "appropriate" level of access to each person. You'd need one security expert per employee!
Slow to give, slower to take away (Score:2)
Many organizations who are good at creating and applying tailored, position-specific security profiles struggle when it comes to tracking the security profiles of mobile employees. All too often an employee who has moved to a new position (even in another unrelated department) will discover they still have the security needed for a former position(s), even years later.
Another issue is poorly designed, and inadequate, security profiles, which lead to huge volumes of exception requests. The more often valid e
Access... (Score:2)
... I remember my former employer made us take online trainings about accessing data you shouldn't be looking at if you have access.
Fixing it is hard (Score:1)
I worked at a large Government agency. Linux and Solaris for the most part were already secure. Very few instances of people having access they shouldn't. For those that did they took it personally. They really didn't want to lose root even though they admitted they never used it.
Windows on the other hand was and is a free for all. I used to pull a listing of everyone that had admin privileges on anything. Most people had no idea they had admin privileges on anything. Those were easy to remove. Then I'd run
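Two posts in this thread describe the same first step: the VMS system manager's DCL script that tabulated granted versus default-enabled privileges per account, and the government-agency admin's listing of everyone who held admin privileges on anything. As an added example (neither poster's script, and not a vendor tool), here is a Python version of that audit report: it takes a flat export of (account, privilege, enabled-by-default) records, which in practice would come from your directory or system, and produces the user-by-privilege matrix ("x" granted, "X" granted and enabled by default) plus the summary numbers an access review starts from. The sample export uses VMS-style privilege names and the set of high-risk privileges is constructed for the example.

```python
"""Privilege audit matrix: who holds which privilege, and which are enabled by default.

Added example, not the DCL script described in the thread nor any vendor tool.
The export below is a constructed sample; feed it the real (account, privilege,
enabled_by_default) records from your own platform instead.
"""
from collections import defaultdict

# Constructed sample export, one record per grant: account, privilege, enabled-by-default flag.
SAMPLE_GRANTS = [
    ("alice",   "SYSPRV", True),
    ("alice",   "OPER",   False),
    ("bob",     "SYSPRV", True),
    ("bob",     "CMKRNL", True),
    ("carol",   "OPER",   True),
    ("dave",    "SYSPRV", False),
    ("erin",    "NETMBX", True),
    ("svc_app", "SYSPRV", True),
    ("svc_app", "CMKRNL", True),
]

# Privileges an ordinary account should not hold (constructed for the example;
# substitute your platform's own list of rights that amount to full control).
HIGH_RISK = {"SYSPRV", "CMKRNL"}


def build_matrix(grants):
    """Return (sorted privilege names, {account: {privilege: 'x' | 'X'}})."""
    matrix = defaultdict(dict)
    privs = set()
    for account, priv, enabled in grants:
        privs.add(priv)
        mark = "X" if enabled else "x"
        # If a privilege is listed twice, keep the stronger (default-enabled) mark.
        if matrix[account].get(priv) != "X":
            matrix[account][priv] = mark
    return sorted(privs), dict(matrix)


def render(privs, matrix, width=8):
    """Render the post's table: one column per privilege, one row per account, '-' if not granted."""
    rows = ["account".ljust(width) + "".join(p.ljust(width) for p in privs)]
    for account in sorted(matrix):
        cells = "".join(matrix[account].get(p, "-").ljust(width) for p in privs)
        rows.append(account.ljust(width) + cells)
    return "\n".join(rows)


def summarize(privs, matrix, high_risk=HIGH_RISK):
    """The numbers an access review needs: who holds high-risk rights, and who has them on by default."""
    holders = sorted(a for a, p in matrix.items() if high_risk & set(p))
    default_on = sorted(a for a, p in matrix.items()
                        if any(m == "X" and pr in high_risk for pr, m in p.items()))
    return {
        "accounts": len(matrix),
        "high_risk_holders": holders,
        "high_risk_default_enabled": default_on,
        # The "Holy Crap" condition from the VMS post: more than half of all accounts.
        "majority_high_risk": len(holders) * 2 > len(matrix),
    }


if __name__ == "__main__":
    privs, matrix = build_matrix(SAMPLE_GRANTS)
    print(render(privs, matrix))
    print(summarize(privs, matrix))
```

Once the report exists, the poster's workflow follows directly: the accounts with an "x" in a high-risk column but no record of ever using it are the easy removals, and the default-enabled "X" entries are the ones where a mistyped command runs with full rights, so those get reviewed first.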