Security professionals are generally most concerned with outside hackers, malicious insiders and accidental data loss.  However, if they don’t focus on internal processes around their organization’s employees’ changing roles and responsibilities, organizations are missing a key area of risk.

Manual processes within IDM could introduce mistakes and open the door to both privilege creep and account latency.  Automation of new employee onboarding, promotions or transfers, administrative requests and terminations reduces risks and implements processes that alleviate these mistakes.

New employee onboarding

If done manually, the security implications of hiring a new employee can be daunting and prone to error.  The provisioning process starts: computer access, id and password, network access, and application access are all just the tip of the iceberg.  HR processes have to be followed; FERPA or HIPAA tests need to be passed.  Automation of this process guarantees new employees base system access and allows security teams to focus on the more challenging processes below.

To accomplish this, the hiring event starts the automated process of providing least privileged access.  By providing this,  new employees should only have access to the initial set of self service functions such as enrolling in benefits.  This allows the account provisioning to be triggered automatically from other IDM solutions that may be in use without introducing institutional risks.  Granting higher privileged access is covered in the next section.

Newly hired, promoted or transferred workers

When a person starts new job functions or his/her job changes, it is imperative that the PeopleSoft privileges are accurate, made in a timely manner and can be monitored. Automating this procedure guarantees access changes don’t go unnoticed and lowers a company’s risk of data breach and privilege creep. Privilege creep occurs when employees move from job to job inside of an organization and system access no longer matches their role within the organization.

To accomplish this, job codes should be mapped to privileges so that automated processes can be built to modify privileges upon changes in job responsibilities.  That way the system naturally mitigates privilege creep through job migrations.

Administrative access requests

Some administrative functions are very specialized and cannot be automatically assigned based on job codes in the HR application.  Therefore, tracking the systems is absolutely critical.  These high privileged users have access to the institutions most prized data or intellectual property.

Organizations should establish a change control process over administrative privileges that may be project related or on going. Tracking and understanding what access a user has within each application, network device and computer is critical to managing their movement throughout the organization or out of the organization.

Terminations – there goes the data!

Termination is a critical security event.  When an employee is terminated (whether involuntarily or involuntarily) the clock is ticking on restricting their access.  An article from the Wall Street Journal suggests 50% of employees take data with them upon termination.

To address this concern, access must be removed from numerous systems precisely and efficiently especially for high privileged users.  When an employee gives a two-week notice, data security requirements should log or remove all access besides base HR self-service functions to ensure data loss is kept to a minimum.

Automating this process involves tying the termination request to the modification of the users privileges. To accomplish this, the termination will trigger a removal of all roles and permissions other than base self service HR functions. This has to be done immediately upon the termination event and logging all access for these users is critical.

While some organizations believe hacks come from only external sources, these companies may be missing an even larger threat: internal, privileged users. According to the study, titled Ponemon Institute’s Survey on Data Security Breaches, sixty-nine percent of companies reporting serious data leaks responded that their data security breaches were the result of either malicious employee activities or non-malicious employee error. While some attacks can be unintentional, to protect your organization from internal aggravators, there are a couple of steps your business can take.

Start by defining the policy

High-privileged users by definition have access to the most sensitive information within the organization. Their access is coveted by both external hackers and malicious internal users. Safeguarding your company requires an in-depth look at current security policies and how they could be improved. There should be guidelines put in place detailing what access each member receives, as well as strict account management practices. This can include requiring privileged users to change their passwords biweekly or bimonthly to ensure important data is always secured or implementing a least privilege arrangement. This practice gives users the bare minimum for their positions’ needs when it comes to access.

In addition, your company could eradicate “all powerful” accounts that allow entitled users access to almost all information in a business’s system. Instead, delegate access to particular data to different people, using a specific identification password or username that can be tied to that person. Certain actions within the system would then be accessible by only people who have been granted that permission. Multifactor authentication would limit and verify which privileged users are able to complete specific behaviors within the system.

Multifactor authentication can prevent malicious insiders from hacking into secure data.

Add extra security measures

Users with great power, also comes great responsibility.  Our security survey results show greater than 80% of respondents expect high-privileged users to utilize  increased security measures such as multi-factor authentication.  Privileged users with particular leverage should still have to meet and pass certain security requirements for access to data and functions. To keep company information as secure as possible, it is important to increase protection by implementing specific protocols, including data masking.

Data masking is a smart backup for multifactor authentication. If a user is able to make it through one level of security but cannot view other data, the system hides secure information. Only the most basic, non-harmful data is visible. Continued failed login attempts at every level of authentication would result in increased masking of secure materials.

Log employee actions

The phone rings, the caller accuses someone of changing their data because their paycheck was not deposited into their account – now the response has to begin.  It’s vital to monitor users’ conduct within the system at every level. Specifics are necessary to audit people’s access as well as perform incident response. High-privileged users impact and influence on company data must be tracked within the overall data security solution. Although this security measure is difficult to complete, it can be done with the correct logging software. With a firewall that includes analysis of a user’s record and behaviors within the portal, companies can have a better idea of what secure information is misused.

High-privileged users can wreak just as much havoc on a system as external hackers. In fact, 25 percent of respondents said a malicious insider was the cause of a company breach in the past year, according to Forrester Research. To avoid system intrusions, whether vengeful or not, it’s vital for your company to have a security policy in place to monitor users. Multifactor authentication, data masking and logging analysis are all beneficial tools to protect your organization’s critical information.