The employees in your organization are all different. There are people in marketing and finance and HR. There are people who always work from the office, those who always work from home, and those always on the road. Some employees need lots of access to sensitive data and systems to do their job, while others only need basic access to standard applications.
All these different types of employees carry different levels of risk. As the individual responsible for managing all these employees as IT users, it’s up to you to determine those different levels of risk and ensure appropriate security is in place to keep your corporate assets and data protected.
But how do you know the appropriate level of risk for any given employee?
How Risk Level is Traditionally Assigned
Many Identity and Access Management (IAM) vendors suggest assigning entitlements and roles to users. Both entitlements and roles make identity and access management easier.
Entitlements are the privileges needed for an individual to do his or her job. These could include application or system accounts, groups, privileges, or specific business views. In essence, entitlements are the technology or “access” aspect of identity and access management.
Roles are the human or “identity” aspect of identity and access management. They are used to put a descriptive label on the responsibilities of an individual. They are often based on an employee’s department, such as roles for those in accounting, marketing, or HR. An example of a role would be Marketing Manager APAC, or, more narrowly defined, Sales Associate North America Weekends.
When identifying the risk associated with an individual, each entitlement and role is assigned a point value. An accounting role has a certain number of points, a Salesforce.com entitlement has a certain number of points, and so on.
An employee’s overall risk level is defined by the sum of his or her entitlements and roles. That number aligns to a number structure the organization has set, such as:
0 - 100 points: LOW RISK
101 - 200 points: MEDIUM RISK
201 - 300 points: HIGH RISK
An organization could have more or fewer risk tiers and distribute the points across narrower or wider ranges, but the overall concept holds.
Drawbacks to the Traditional Method
The main drawback of the traditional method of assigning risk to users is that point sums don’t capture the full picture and can be misleading.
Using the point system listed above, let’s say that Melanie, an entry-level HR analyst, has roles and entitlements that together equal 20 points, with one exception: her entitlement to the organization’s employment software, which lists individualized data for each employee, including salary and Social Security number. That entitlement carries a 75-point value.
While Melanie’s total risk score is only 95, one of her entitlements is very high risk and accounts for 79% of all her points. This indicates that her actual risk level may be higher than the sum of her points suggests. Even one high-risk entitlement can mean an employee should be treated as a high-risk employee.
Taking a Better Approach
When classifying risk, your organization must account for anomalies that can occur within entitlements and roles, such as the situation above. Rather than adding up all of an employee’s points, we advocate a more modern approach that instead uses the highest risk level assigned to any of the employee’s roles or entitlements. Because a single high-risk entitlement then sets the employee’s overall level, this method reflects everything an employee uses and does within your organization.
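To make the difference between the two methods concrete, here is an added example (not from the guidebook or any IAM product) that scores Melanie both ways. It assumes each entitlement carries its own risk label in addition to its point value, that the employee-data entitlement is labelled HIGH as the text describes, and it splits her remaining 20 low-risk points across two constructed entitlements; it also reports how much of the total a single entitlement contributes, which is the warning sign the text points out.

```python
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Point tiers from the post; each tuple is (inclusive upper bound, tier).
POINT_TIERS = [(100, Risk.LOW), (200, Risk.MEDIUM), (300, Risk.HIGH)]


@dataclass(frozen=True)
class Entitlement:
    name: str
    points: int
    level: Risk  # risk label assigned to this single role/entitlement (assumption)


def tier_for_points(total: int) -> Risk:
    """Traditional method: map a point sum onto the organization's tiers."""
    for upper, tier in POINT_TIERS:
        if total <= upper:
            return tier
    return Risk.HIGH  # anything above the top tier is still HIGH


def sum_based_risk(ents: list[Entitlement]) -> Risk:
    return tier_for_points(sum(e.points for e in ents))


def max_based_risk(ents: list[Entitlement]) -> Risk:
    """Better approach: the employee inherits the highest single risk label."""
    return max((e.level for e in ents), default=Risk.LOW)


def top_entitlement_share(ents: list[Entitlement]) -> float:
    """Fraction of all points contributed by the single largest entitlement."""
    total = sum(e.points for e in ents)
    return max(e.points for e in ents) / total if total else 0.0


# Constructed sample: Melanie's entitlements as described in the post.
MELANIE = [
    Entitlement("HR portal basic access", 10, Risk.LOW),
    Entitlement("Email and calendar", 10, Risk.LOW),
    Entitlement("Employee master data (salary, SSN)", 75, Risk.HIGH),
]

if __name__ == "__main__":
    print("sum-based:", sum_based_risk(MELANIE).name)        # LOW  (95 points)
    print("max-based:", max_based_risk(MELANIE).name)        # HIGH
    print(f"top share: {top_entitlement_share(MELANIE):.0%}")  # 79%
```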
Our guidebook, Assigning Risk Levels & Choosing Authentication Policies, further explains this approach and how to select the best ways to secure your organization’s users. Download it now to learn more about assigning risk levels, as well as which authentication methods are best for which level of risk.