• Site Map
• Contact Us

• Home
• Our Company
  • Customers
  • Careers
  • Contact Us
  • RSS & Blogs
• Products
  • Identity Manager
  • Password Manager
  • Group Manager
  • Privileged Password Manager
  • Download evaluation
  • Releases
  • CC Certification
• Solutions
  • Reduce IT Support Cost
  • Improve User Service
  • Security, Governance and Regulatory Compliance
• Support
  • Customer Portal
  • Request Support Help
• Services
  • Solution Delivery Services
  • Solution Delivery Process
  • Education
  • Upgrades
  • AdMax Program
  • Outsourced IdM Administrator Service
  • Guarantee
• News &  Events
  • Press Releases
  • Press Coverage
  • Upcoming Events
  • Archived Webinars
• Resource Center
  • White Papers
  • Independent Reviews
  • Brochures
  • Slide Decks
  • Case Studies
  • Regulatory Compliance
  • Certifications
  • Community
• Partners
  • Technology Partners
  • Certified Resellers
  • System Integrators and Consultants
  • Managed Service Providers
  • Public Sector
  • Partner Portal
  • Partner Programs

Overview Privilege Accumulation

• 
• 
• 
• 
• 
• 
• 

Privilege Accumulation

Most organizations manage user security rights with some form of a request-based system. Users, their managers or their peers make access change requests when they need new security rights. Security rights typically take the form of new login accounts or new membership in security groups. Access change requests are sent to suitable stake-holders to review and authorize. Once approved, access change requests are either automatically or manually fulfilled -- i.e., new security rights are granted to users.

A request-based strategy for managing user access rights can create a problem of privilege accumulation.

While users can be counted on to request whatever privileges they need to do their jobs, they are far less likely to submit change requests to deactivate unneeded privileges. As a result, as user responsibilities change over time, users tend to accumulate privileges, rather than adding some and relinquishing others.

Users with more privileges than they need are a clear security problem. In an organization where compliance with privacy protection or corporate governance regulations (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, 21 CFR Part 11, PIPEDA, etc.) is mandatory, privilege accumulation represents an unacceptable risk.

A formal model of user privileges would address the problem of privilege accumulation, but such a strategy can be hard to implement where users are dynamic and/or diverse:

• The number of roles required to model user privileges may be close to the number of users.
• Role definition can be costly and time consuming.
• Assigning appropriate roles to every user can be costly and time consuming.
• Ongoing management of both role definitions and user classification can be more expensive than direct user administration.

Because of these challenges, role-based approaches tend to work well only for static, uniform populations of users, but do not lend themselves to users that change responsibilities very quickly or that have unique access requirements. Unfortunately, the highest risk users in most organizations are exactly those whose privileges are hard to model -- back-office users with access to sensitive data.

Approaches beyond formal modeling are required to address the problem of privilege accumulation for these high risk users.

© Hitachi ID Systems, Inc. . All rights reserved.