How To Handle High Ranking Access Hoarders


Internal security weaknesses are among the most likely "attacks" a business faces. Many of the biggest incidents originate from inside the enterprise and come from fully authenticated users: your employees. Some of these intrusions stem from employees bypassing security standards, others from employees who simply don't know what the standards are. But the threat we're seeing more and more is the employee we refer to as the access hoarder.

You've probably encountered access hoarders in the past, or even in your current job. They ask to be involved in as many processes and systems as possible, including ones that aren't necessary for their role. And as these employees request more and more new access, they also become less willing to give up the older access privileges they already hold, even when their role changes and those privileges are no longer needed.

Access hoarders typically hold no malicious intent toward your organization. In fact, it's usually the opposite: they're often some of the most ambitious employees in the company, seen as helpful and dedicated. That may be true within their core job function, but from your perspective as IT staff, access hoarders pose a steadily increasing amount of risk to the company.

As access hoarders pile up access entitlements, they also pile up logins and passwords. Every additional credential is another potential entry point for someone who truly does have malicious intent, including attackers outside your organization, and if a hoarder's account is phished or its password turns up in a breach, the attacker inherits every entitlement that account has accumulated over the years. Some say access is power, and in the identity management world that rings true. As access hoarders become more powerful, it becomes harder for you to track what they're doing and to mitigate the security risks they may be creating.

One specific type of access hoarder who presents interesting challenges is the high-ranking access hoarder: someone who holds a director, VP or even executive title. Those at the top of the corporate ladder hold, and have access to, your organization's most sensitive information. Depending on their specific role, they may also understandably require elevated access to certain systems. But what if that executive refuses to relinquish access to systems they no longer need as they climb the corporate ladder? A COO may still hold access privileges to every system he or she used from the day they started at your company as a junior manager all the way up to being named COO, with nothing ever revoked along the way.
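The COO scenario above is detectable from data you already have: the HR role history and the grant dates of each entitlement in the identity store. An entitlement provisioned before the user's current role began is a candidate for review, and attributing it to the role it was granted under makes the later conversation concrete. The following script is an added example written for this post, not code from Identity Automation or from the original article; the users, roles and systems in it are constructed sample data, and in a real deployment the two lists would be loaded from the HR system and the identity provider.

```python
"""Flag entitlements a user accumulated in earlier roles and never gave up.

Added example for this post (not the author's or vendor's code). All data
below is constructed; replace ROLE_HISTORY and ENTITLEMENTS with exports
from your HR system and identity store.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    role: str
    start: date  # first day the user held this role


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    granted: date  # day the access was provisioned


# Constructed sample data: "alex" rose from junior manager to COO and kept
# every entitlement along the way; "sam" is a recent hire with one system.
ROLE_HISTORY: List[RoleAssignment] = [
    RoleAssignment("alex", "junior-manager", date(2010, 3, 1)),
    RoleAssignment("alex", "director-ops", date(2014, 6, 1)),
    RoleAssignment("alex", "coo", date(2019, 1, 15)),
    RoleAssignment("sam", "analyst", date(2021, 9, 1)),
]

ENTITLEMENTS: List[Entitlement] = [
    Entitlement("alex", "legacy-vpn", date(2010, 2, 20)),          # pre-hire contractor access
    Entitlement("alex", "warehouse-scheduling", date(2010, 3, 2)),  # junior-manager era
    Entitlement("alex", "regional-erp-admin", date(2014, 7, 10)),   # director era
    Entitlement("alex", "board-portal", date(2019, 1, 20)),         # granted as COO
    Entitlement("alex", "finance-reporting", date(2020, 4, 1)),     # granted as COO
    Entitlement("sam", "ticketing", date(2021, 9, 2)),
]


def role_at(user: str, when: date, history: List[RoleAssignment]) -> Optional[str]:
    """Role the user held on `when`, or None if `when` precedes every assignment."""
    held = [a for a in history if a.user == user and a.start <= when]
    if not held:
        return None
    return max(held, key=lambda a: a.start).role


def current_role_start(user: str, history: List[RoleAssignment]) -> Optional[date]:
    """Start date of the user's most recent role, or None if the user has no history."""
    starts = [a.start for a in history if a.user == user]
    return max(starts) if starts else None


def stale_entitlements(
    entitlements: List[Entitlement], history: List[RoleAssignment]
) -> Dict[str, List[Tuple[str, str]]]:
    """Map each user to (system, role it was granted under) for every entitlement
    provisioned before the user's current role began.

    Users with nothing stale are omitted. Users with no role history are skipped
    rather than flagged, because without a role start date there is nothing to
    compare against. Results are ordered oldest grant first, and a grant that
    predates the first role is labelled "pre-hire" so it stands out for review.
    """
    report: Dict[str, List[Tuple[str, str]]] = {}
    for ent in sorted(entitlements, key=lambda e: e.granted):
        start = current_role_start(ent.user, history)
        if start is None or ent.granted >= start:
            continue  # no baseline, or granted during the current role
        label = role_at(ent.user, ent.granted, history) or "pre-hire"
        report.setdefault(ent.user, []).append((ent.system, label))
    return report


if __name__ == "__main__":
    for user, items in stale_entitlements(ENTITLEMENTS, ROLE_HISTORY).items():
        print(f"{user}: {len(items)} entitlement(s) carried over from earlier roles")
        for system, role in items:
            print(f"  {system:<24} granted under {role}")
```

The check is deliberately narrow: it only catches access carried across a role change, which is the pattern the COO example describes. Access that was over-provisioned within the current role needs a separate review, such as comparing a user's entitlements with those of peers holding the same role.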

So how do you handle an access hoarder who outranks you?

You have to mitigate the risk this executive is posing to your organization without making them feel that you're also diminishing their value or role within it. That can be quite the challenge.

There are a couple of different ways to approach this scenario that I've seen work well.

The first, and easier of the two, is to take a proactive, forward-thinking approach. Develop corporate policies for employee access designed to minimize organizational risk, and involve the executive staff in writing them so you have their explicit sign-off and agreement. Once they fully understand the risk over-entitled employees present to the company, they will most likely agree to strict company-wide access policies. A policy that works in practice spells out what happens on a role change (access from the old role is reviewed and removed by a set deadline) and how often standing access is recertified. Then, when any high-ranking employee begins to show signs of access hoarding, you can point to the corporate policy. You don't have to be seen as the bad guy, because that policy was approved by the executives themselves.

The second approach can be more difficult because it's reactive. Say you walk into a new company that has no corporate policy for employee access and you notice a high-ranking access hoarder. You want to develop a policy and take the steps above, but this one person is exposing you to an unusually high amount of risk right now, and you can't let that risk sit idle while you draft a policy and get it approved.

As a new person, though, it can be an awkward conversation to have with a high-ranking access hoarder. I've found the situation much more comfortable, and I've made much more progress, when I approach it as an educator rather than as someone trying to shut them down. Explain the potential vulnerabilities and present your case not as limiting access but as limiting risk. Make sure the access hoarder doesn't feel singled out: you want to limit risk across all employees, not just that one individual, so convey that you're having similar conversations with people across the entire company. Also explain how access management reduces risk not only for the company but for them personally. If their account becomes the entry point for an external attack, the investigation and cleanup will land on them too, with real productivity and efficiency repercussions.

And perhaps most importantly, make sure the high-ranking access hoarder knows you will always provide access when they need it. They likely became an access hoarder in the first place because getting the access they needed was such a pain, and they don't want to go through an arduous process again. Let them know you're available to get them what they need quickly and easily. Limiting risk doesn't mean placing roadblocks in front of people to stop them from doing their jobs.

No two scenarios are exactly the same, and there are other ways to handle high-ranking access hoarders, but these are two I've seen work effectively for a number of people in the past. If you have your own success story to share, please leave a comment. We can all learn from each other.

To learn about how Identity Automation’s technology can help you with managing access hoarders and other users, read more here.
