
Why Lax Access Governance Leads to Trouble


If Societe Generale had effective access management controls, the bank would not have taken a severe beating in the form of a $7 billion loss triggered by an overzealous 31-year-old rogue trader, say industry experts. Last month Societe Generale, the second largest public sector bank in France, uncovered massive fraud by a Paris-based trader that resulted in a loss of over $7 billion to the bank, a loss security analysts believe is mostly due to lax controls at the bank.

Security experts say that the lack of proper access control mechanisms in companies has resulted in unwanted exposure of information to employees, which in turn exposes the company to enterprise risk.

“The loss of more than $7 billion at French bank Société Générale might have been averted had better internal controls been in place to prevent Jerome Kerviel’s apparently disastrous financial trades. And Steven E. Hutchins Architects might not have lost an estimated $2.5 million in architectural data to the alleged actions of a disgruntled employee had the firm implemented better security measures,” says a report published in Information Week. Late last month Hutchins Architects, a small architectural services firm based in Florida, reported an incident of data sabotage: an agitated woman employee misinterpreted a help-wanted ad placed in a local newspaper by her employer as a threat to her job and allegedly leveraged her access to destroy seven years of crucial data worth an estimated $2.5 million.

In an interview with CE Online, Brian Cleary, an access management and controls expert and VP of marketing at Aveksa, a corporate security vendor based in Waltham, MA, explained the significance of safeguarding crucial company information by enhancing access management tools. Employees, he says, have access to far more information than their jobs require. “The risk of someone misusing such access to unsought information remains high,” he says.

IT analysts believe the Societe Generale rogue trader had in-depth knowledge of the control procedures from his former employment in the middle office, which he used in his new role. “The employee in question managed to drag access permissions to most of the applications from his earlier role at the back office to his new role at the front office,” says Brian. Experts say that once the bank changed Jerome Kerviel’s role, it should have revoked all of the access he had held in his earlier role.

Brian feels that if SocGen had instituted stronger access controls and ensured proactive management of the potential business and compliance access risks, it could have reduced the loss at least to some extent. “Had the bank cautiously implemented the automated access certification process, it could have identified the security breach much earlier and mitigated its loss,” asserts Brian Cleary.

According to an IT survey, the 2008 National Survey on Access Governance conducted by Ponemon Institute, an information management and research firm based in Michigan, about 78 per cent of the 700 IT professionals polled from public and private organizations believe that both their employees and their independent contractors have too much access to information assets that are not pertinent to their job function, and that access policies are not being regularly checked or enforced by their organization. The survey also found that 69 per cent of respondents believe that access policies in their organizations were poorly enforced or ignored, and 55 per cent rated their companies’ ability to grant information access rights as poor and in some cases nonexistent.

The most common problem pointed out by the survey is “entitlement creep,” in which workers move to a new business unit and their information access rights are not updated to match their new roles. Business units tend to leave this to IT organizations, a failure, Cleary believes, to appreciate that it is the obligation of the business units, and not the IT department, to understand the role and job requirements of their people. This is precisely what happened at SocGen, experts feel: the rogue trader leveraged the key access to information he had retained from his earlier role.

Brian calls upon organizations to consider the benefits of an enterprise-wide access governance process based on collaboration among the different business functions. “The objective is to have an effective process for managing access rights, ensuring that policies are enforced consistently and understanding the business function that is accountable,” he says.

A Short Guide to Better Access Management

Experts recommend consistent monitoring of access management controls to keep a tab on the free flow of information to employees.

  • Implement a well-managed enterprise-wide access governance process that keeps employees, temporary employees and contractors from having too much access to information assets.
  • Organizations must also ensure that they do not hinder the ability of individuals to access the information resources critical to their productivity. To accomplish this, companies must have a clear understanding of what constitutes sensitive and confidential information, based on the roles of the employees who need to access such information in support of their business goals and objectives.
  • Create well-defined business policies for the assignment of access rights. These policies should be centrally controlled to ensure that they are enforced in a consistent manner across the whole company.
  • Understand how best to build an enterprise-wide access policy in a way that allows senior management to see the risks involved. Policies should define the penalties for noncompliance. With respect to data breaches, it is the cost of notification, customer attrition and loss of reputation that can severely impact an organization’s bottom line.
  • Track and measure the organization’s ability to enforce user access policies. This includes having visibility into how effectively the process is managing changes to users’ roles, revoking access rights upon an individual’s termination, monitoring the access rights of privileged users’ accounts, and monitoring segregation of duties.
  • Ensure that accountability for access rights is assigned only to the business units that have domain knowledge of the users’ roles and responsibilities.
  • Become proactive in managing access rights. Instead of making decisions on an ad hoc basis, companies must build a process that gives them visibility into the information accessed by all users. Technologies that automate access authorization, review and certification should be encouraged, as they limit the risk of human error and negligence.
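As an added illustration (not from the article, and not Aveksa's product), the following Python sketch of an automated access-certification pass flags the entitlement creep described above (a user carrying middle-office entitlements into a front-office role), stale access left to a terminated account, and a segregation-of-duties conflict between trading and trade-control entitlements. The roles, entitlement names and users are constructed for the example.

```python
"""Toy access-certification review. Role model, SoD rule and users are
constructed for illustration; they do not describe any real institution."""
from dataclasses import dataclass, field

# Constructed role model: the entitlements each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "middle_office": {"trade_control_db", "risk_limits_admin", "reconciliation"},
    "front_office": {"trading_platform", "market_data"},
}

# Constructed segregation-of-duties rule: no one should both execute trades
# and administer the controls that check those trades.
SOD_CONFLICTS = [({"trading_platform"}, {"risk_limits_admin", "trade_control_db"})]


@dataclass
class User:
    name: str
    role: str  # current role, or "terminated"
    entitlements: set = field(default_factory=set)


def review_user(user: User) -> dict:
    """Return the findings a certification pass would raise for one user."""
    findings = {"creep": set(), "stale": set(), "sod": []}
    if user.role == "terminated":
        # Anything still granted after termination is stale access.
        findings["stale"] = set(user.entitlements)
        return findings
    allowed = ROLE_ENTITLEMENTS.get(user.role, set())
    # Entitlement creep: access not justified by the user's current role.
    findings["creep"] = user.entitlements - allowed
    for left, right in SOD_CONFLICTS:
        held_left, held_right = user.entitlements & left, user.entitlements & right
        if held_left and held_right:
            findings["sod"].append((sorted(held_left), sorted(held_right)))
    return findings


def review_all(users) -> dict:
    """Map each user with at least one finding to that user's findings."""
    results = {}
    for u in users:
        f = review_user(u)
        if f["creep"] or f["stale"] or f["sod"]:
            results[u.name] = f
    return results


# Constructed sample population: trader_a moved from middle to front office
# and the old entitlements were never revoked; ex_contractor has left.
USERS = [
    User("trader_a", "front_office",
         {"trading_platform", "market_data", "trade_control_db", "risk_limits_admin"}),
    User("trader_b", "front_office", {"trading_platform", "market_data"}),
    User("ex_contractor", "terminated", {"reconciliation"}),
]

if __name__ == "__main__":
    for name, f in review_all(USERS).items():
        print(name, f)
```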

About fayazuddin a shirazi