Anyone who has seen the show Hoarders knows how people who fill their houses with unneeded stuff can literally bury themselves in junk. Security and risk (S&R) pros who manage employee access to apps, databases, and systems should notice the Hoarders parallel when it comes to IT access: Many employees unknowingly acquire access over time, as they change roles, move to other departments, or get assigned to special projects. As these employees gain more access, they usually never relinquish it. Such access hoarding creates additional avenues into sensitive data that can be compromised either by malicious insiders or external attackers.
S&R pros can fight back against bad access hoarding practices with processes and tools akin to the different services that can remove your own junk — everything from rotting pumpkins to 30-year-old newspapers. For example, role-based access control (RBAC) can logically group the commonly used apps by job role. S&R teams can then single out only the access rights that need to change to efficiently add and remove access for people who have changed roles. They can also use an RBAC-based approach to target recertification campaigns toward the exceptions that sit outside of the RBAC model. Another sound approach is using time-based controls that automatically revoke access for special projects after a defined interval (e.g., two weeks). S&R pros can also benefit from quantitative models that provide risk-based context and recommendations that help managers avoid “rubber stamping” approvals.
Just like hoarding material possessions, the underlying issues here are complicated and demand multiple approaches. I encourage you to read my most recent report, “Best Practices: Identity Management And Governance,” in which I outline 10 best practices to follow to minimize the risks of access hoarders.