UBS did a lot of things right, and this article isn't meant to diminish their work in any way. Instead, it is intended to illustrate why permissions need to be limited, and why the risks associated with excessive spans of control need to be carefully considered.
Individuals are said to have excessive permissions when they hold more rights on IT platforms than they need to perform their business role. Groups and system accounts can carry excessive rights as well. The point is that as the level of access grows, so does the damage the organization faces if that account is compromised.
The need to avoid excessive permissions calls to mind the old security maxim: deny all rights by default and allow only what is needed, a practice that can save untold time and money.
Three Scenarios to Avoid
There are three common scenarios in which excessive permissions are granted.
The first occurs when an organization is founded and there are only a handful of IT people, or even just one person. This small staff has to perform many roles in order to keep up with their daily work and to back one another up; one person might handle all of development, network management and user support. As more people are hired, their rights mirror those of the people before them, and as time goes by everyone has a mix of authorities.
Second, some companies grant admin authority to all of IT, or give everyone high-level access, because it seems easier to set up an account once than to take on the ongoing management that restricted authorities require.
The problem is that this mentality sings a siren song of improved agility while incurring additional risk for the organization. In this situation, one must ask: are the associated risks acceptable?
Third, some organizations have well-thought-out security policies, but when an incident happens, additional permissions are granted to someone to resolve it, and once the fire is out that access is never removed. This permission creep is very common, because many organizations lack the controls that ensure temporary rights are later revoked. Also needed is a control that routinely reviews accounts to confirm that every permission they hold is still valid.
In all these cases, the rights certain individuals hold are greater than they should be for risk to be managed appropriately. As with UBS, excessive rights can enable malicious activity.
More broadly, there are also risks stemming from human error. When people are granted permissions beyond what their skills and knowledge can support, a great deal of unintentional harm is possible.
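The review control described above can be reduced to a small, repeatable check: every right an account holds must be explained either by its role's baseline or by a live, ticketed, time-bound grant, and anything else is a finding. The script below is an added example written for this article, not code from the original piece or from UBS; the role baseline, account records, entitlement names and ticket numbers are constructed sample data. It surfaces all three scenarios: the accumulated mix of authorities from the early days, the same excess right handed to most of the population, and a break-glass grant whose expiry has passed.

```python
"""Periodic access review against a role baseline.

Added illustration, not code from the original article. The role
baseline, accounts and grants below are constructed sample data; the
entitlement names and ticket numbers are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed baseline: the rights each business role needs, nothing more.
# Anything an account holds outside its role's set must be justified by a
# time-bound, ticketed grant or it is excessive.
ROLE_BASELINE = {
    "developer": {"git:push", "ci:trigger", "staging:deploy"},
    "netadmin": {"router:config", "firewall:config"},
    "helpdesk": {"ad:reset-password", "ticket:write"},
}


@dataclass(frozen=True)
class TempGrant:
    """An emergency right with the incident/change record that justified it."""
    entitlement: str
    expires: datetime
    ticket: str


@dataclass
class Account:
    name: str
    role: str
    entitlements: set
    temp_grants: list = field(default_factory=list)


def review_account(acct, now, baseline=ROLE_BASELINE):
    """Return findings for one account as (kind, entitlement, note) tuples.

    kind is one of: unknown_role, excess (no baseline or grant covers the
    right), expired_grant (the fire is out but the access is still there).
    """
    needed = baseline.get(acct.role)
    findings = []
    if needed is None:
        findings.append(("unknown_role", None, acct.role))
        needed = set()
    grants = {g.entitlement: g for g in acct.temp_grants}
    for ent in sorted(acct.entitlements - needed):
        grant = grants.get(ent)
        if grant is None:
            findings.append(("excess", ent, "not in role baseline, no recorded grant"))
        elif grant.expires <= now:
            findings.append(("expired_grant", ent,
                             f"{grant.ticket} expired {grant.expires.date()}"))
        # A live grant justifies the right until it expires: no finding.
    return findings


def review_all(accounts, now, baseline=ROLE_BASELINE):
    """Map each account name to its findings."""
    return {a.name: review_account(a, now, baseline) for a in accounts}


def blanket_rights(accounts, now, baseline=ROLE_BASELINE, threshold=0.5):
    """Rights flagged on more than `threshold` of all accounts.

    The same excess right across most of the population is the signature
    of 'just give everyone admin' rather than of one over-privileged user.
    """
    counts = {}
    for findings in review_all(accounts, now, baseline).values():
        for _kind, ent, _note in findings:
            if ent is not None:
                counts[ent] = counts.get(ent, 0) + 1
    return {ent for ent, n in counts.items() if n / len(accounts) > threshold}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_ACCOUNTS = [  # constructed data illustrating the three scenarios
    # Early hire who kept a mix of authorities from the one-person-IT days.
    Account("alice", "developer", {"git:push", "ci:trigger", "staging:deploy",
                                    "router:config", "ad:reset-password", "domain:admin"}),
    # Break-glass right granted during INC-1042 and never taken back.
    Account("bob", "helpdesk", {"ad:reset-password", "ticket:write",
                                "prod:db-admin", "domain:admin"},
            [TempGrant("prod:db-admin", NOW - timedelta(days=40), "INC-1042")]),
    # Live, ticketed, time-bound grant: justified, so no finding.
    Account("carol", "netadmin", {"router:config", "firewall:config", "prod:db-admin"},
            [TempGrant("prod:db-admin", NOW + timedelta(days=2), "CHG-77")]),
    # Blanket admin: the same excess right shows up on most accounts.
    Account("dave", "developer", {"git:push", "ci:trigger", "staging:deploy", "domain:admin"}),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_ACCOUNTS, NOW).items():
        for kind, ent, note in findings:
            print(f"{name}: {kind} {ent} ({note})")
    print("granted to most accounts outside any baseline:",
          sorted(blanket_rights(SAMPLE_ACCOUNTS, NOW)))
```

Run on a schedule against exported group membership rather than by hand: the `excess` findings are the accounts whose rights outgrew their role, `expired_grant` findings are permission creep from past incidents, and a right returned by `blanket_rights` is one that was handed out wholesale and should be pulled back into the baseline or removed.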