the problem of entitlements
the journal of Michael Werneburg
twenty-seven years and one million words
Virtually every organization has the problem of managing IT asset entitlements. Each entitlement is the grant of access rights to a specific person, on a specific asset. Tracking entitlements answers questions such as:
- What asset entitlements should this person have?
- Who has what kind of access to this asset? (E.g. “who can read the payroll register?” “Who has an office key”, “Who has access to the shared drive folder?”)
- What do I have to do now that this person is leaving? What accounts do I close or lock? What shared passwords do I change? What counter-parties must be told of the departure?
- An unauthorized or otherwise unwanted change has been made. Who could have made it?
It can get complicated fast, especially if you're in any way answerable to an auditor, who'll insist that all entitlements be justified by the assignment of a defined role to person with the grants. They'll tie in concepts such as "least privileges" and "segregation of duties" in the approval, custody, and accounting functions. And they're right; if you're going to start dealing with the above questions in a consistent fashion, you'll need to tackle all of that.
And the risks are real. Listing a few of what I like to call "loss scenarios" in this space, you get a sense of the scope of the problem:
- Entitlements are not managed. Inappropriate access is granted to physical and IT assets. Outcomes can include: money and intellectual property is misappropriated, damaging communications are sent from named accounts, embarrassing internal communications are distributed outside the organization, or the office and/or its contents are vandalized.
- Inappropriate parties are responsible for system access oversight. The parties named are not actively involved with monitoring system access or do not have the appropriate skills. Entitlements are not managed (see #1).
- Personnel are handicapped in their roles by unnecessary restrictions on asset entitlements. Countless negative potential outcomes, including loss of personnel.
- Entitlements to production systems are not reviewed. Former or other unauthorized personnel retain entitlements on assets – and/or – unused accounts remain active. Assets are compromised. Outcomes as stated in scenario #1 above.
The answer, I've decided, is two part:
- Get a simple register together that records all the assets in the organization, and all of the people. The crux is the intersecting list that shows the entitlements granted to a specific person on a specific asset, at the time the grant was made.
- Ensure that the book of record (typically HR) is communicating the changes to the parties with custody (IT), and that a third party (an Entitlements manager, for want of a better word) is recording the changes.
This will accomplish a number of things, including:
- Report on entitlements by individual or by asset.
- Determine what entitlements should be granted when someone assumes a new role, based on what a similar (or previous) role-holder has/had.
- Generate a list of entitlements to revoke at the time the relationship with the organization ends.
- Crucially: get agreement by the authorizing parties and IT about who has what entitlement and why.
The register's not hard to get right; it can be managed in a three page Excel spreadsheet. If you know what you're doing, a simple pivot table or two can do all of the heavy lifting on report generation.
This leaves one substantial gap. The roles.
I've decided that they're a superfluous distraction with little bearing on the high-pace environment in which we now work. Who wants to, for instance, keep a client waiting when someone needs access but their "on paper" role doesn't jibe with the entitlement you want to grant? I've found that unless an entitlement is obviously well outside of the grantee's role or skill set, it won't be challenged by an auditor. No one else will even think of looking for a documented reason for a grant; the reason for the grants will be obvious.