Privilege Accumulation
Most organizations manage user security rights with some form of a request-based system. Users, their managers or their peers make access change requests when they need new security rights. Security rights typically take the form of new login accounts or new membership in security groups. Access change requests are sent to suitable stakeholders to review and authorize. Once approved, access change requests are either automatically or manually fulfilled -- i.e., new security rights are granted to users.
A request-based strategy for managing user access rights can create a problem of privilege accumulation.
While users can be counted on to request whatever privileges they need to do their jobs, they are far less likely to submit change requests to deactivate unneeded privileges. As a result, as user responsibilities change over time, users tend to accumulate privileges, rather than adding some and relinquishing others.
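An added example, not part of the original page: one way to surface accumulated privileges from a request system's own records, assuming logs of fulfilled grants and revocations and a record of each user's job-change dates are available. All user names, right names, dates and function names are constructed for illustration.

```python
from datetime import date

# Constructed sample data: fulfilled access requests (grants), the few
# deactivation requests that were filed, and each user's job changes.
GRANTS = [
    ("alice", "grp-ap-clerks", date(2019, 3, 1)),
    ("alice", "acct-erp-payables", date(2019, 3, 4)),
    ("alice", "grp-treasury", date(2021, 6, 10)),
    ("alice", "grp-fin-reporting", date(2023, 1, 15)),
    ("bob", "grp-helpdesk", date(2022, 9, 1)),
]
REVOKES = [("alice", "grp-ap-clerks", date(2021, 6, 20))]
JOB_CHANGES = {"alice": [date(2021, 6, 1), date(2023, 1, 9)], "bob": []}


def active_rights(user, grants, revokes):
    """Return {right: grant_date} for rights granted and not later revoked."""
    events = [(d, 0, r) for u, r, d in grants if u == user]
    events += [(d, 1, r) for u, r, d in revokes if u == user]
    held = {}
    # Replay in date order; on the same day a grant sorts before a revoke.
    for when, is_revoke, right in sorted(events):
        if is_revoke:
            held.pop(right, None)
        else:
            held[right] = when
    return held


def accumulated_rights(user, grants, revokes, job_changes):
    """Active rights granted before the user's latest change of responsibilities.

    These are candidates for review, not proof of excess: a right carried
    over from an earlier job may still be needed in the current one.
    """
    changes = job_changes.get(user, [])
    if not changes:
        return []  # no recorded change, so nothing predates one
    latest = max(changes)
    held = active_rights(user, grants, revokes)
    return sorted(r for r, when in held.items() if when < latest)


if __name__ == "__main__":
    for user in JOB_CHANGES:
        print(user, accumulated_rights(user, GRANTS, REVOKES, JOB_CHANGES))
```

In the sample data alice filed one deactivation request across two job changes, so two rights from earlier responsibilities remain active and are flagged for review.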
Users with more privileges than they need are a clear security problem. In an organization where compliance with privacy protection or corporate governance regulations (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, 21 CFR Part 11, PIPEDA, etc.) is mandatory, privilege accumulation represents an unacceptable risk.
A formal model of user privileges would address the problem of privilege accumulation, but such a strategy can be hard to implement where users are dynamic and/or diverse:
- The number of roles required to model user privileges may be close to the number of users.
- Role definition can be costly and time-consuming.
- Assigning appropriate roles to every user can be costly and time-consuming.
- Ongoing management of both role definitions and user classification can be more expensive than direct user administration.
Approaches beyond formal modeling are required to address the problem of privilege accumulation for these high-risk users.


