The Dangers of Excessive Permissions: Page 2

Posted September 18, 2006

George Spafford

(Page 2 of 2)

Happiness is a Double-Signed Check

Closely related to excessive permissions is the segregation of duties (SOD) control. Essentially, SOD guards against critical processes falling under the undue influence of any one person or group. In other words, the tasks involved in critical processes need to be split across people and teams in order to maintain checks and balances and to ensure the validity of outcomes.

In accounting we know that it's a bad idea to give one individual the authority both to print and to sign checks: it is too easy to write fraudulent checks. In IT we know there are areas with equivalent conflicts of interest. We prefer not to let users be security or system administrators, developers do the testing, or developers have the ability to update production systems.

To properly address permissions using SOD, organizations need to understand which IT services are critical and establish reasonable risk levels. From there, the roles assigned to each task can be reviewed to see which combinations amount to excessive permissions.

Avoid any permissions that put process confidentiality, integrity, and availability at an unacceptable level of risk. Where security is compromised, tasks need to be reallocated or compensating controls put in place to reduce risk to an acceptable level.
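The review described above can be mechanized once roles, permissions, and the forbidden combinations are written down. The following is an added example, not code from the article or its author: it takes a constructed role model, a conflict list built from the conflicts of interest named in the text (printing and signing checks, user plus security administrator, developer plus tester, developer plus production deployment), and an assumed policy table of compensating controls, then reports every user holding a conflicting pair and whether a compensating control covers it. All role names, permission names, users, and the compensating control text are assumptions for illustration.

```python
"""Segregation-of-duties (SOD) review over role assignments.

Constructed sample data: the roles, permissions, users and the conflict
matrix below are assumptions for illustration, not any real organization's
access model.
"""
from itertools import combinations

# Permissions granted by each role (constructed sample).
ROLE_PERMISSIONS = {
    "accounts_payable": {"print_checks"},
    "controller": {"sign_checks"},
    "developer": {"write_code"},
    "qa_tester": {"test_code"},
    "release_manager": {"deploy_production"},
    "security_admin": {"manage_accounts"},
    "end_user": {"use_application"},
}

# Pairs of permissions that one person must not hold together
# (the conflicts of interest the article names).
CONFLICTS = {
    frozenset({"print_checks", "sign_checks"}),
    frozenset({"use_application", "manage_accounts"}),
    frozenset({"write_code", "test_code"}),
    frozenset({"write_code", "deploy_production"}),
}

# Assumed policy: conflicts that management accepts when a compensating
# control exists. They are still reported, but marked as mitigated.
COMPENSATING_CONTROLS = {
    frozenset({"write_code", "deploy_production"}):
        "change approval plus independent review of the deployment log",
}

# Constructed user-to-role assignments to review.
SAMPLE_USERS = {
    "alice": ["accounts_payable", "controller"],
    "bob": ["developer", "release_manager"],
    "carol": ["developer", "qa_tester"],
    "dave": ["end_user", "security_admin"],
    "erin": ["qa_tester"],
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def find_sod_conflicts(user_roles, conflicts=CONFLICTS,
                       controls=COMPENSATING_CONTROLS):
    """Return {user: [(perm_a, perm_b, status), ...]} for users who hold
    at least one conflicting pair; pairs are listed in sorted order."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = []
        # Check every pair of effective permissions against the matrix.
        for a, b in combinations(sorted(perms), 2):
            pair = frozenset({a, b})
            if pair not in conflicts:
                continue
            if pair in controls:
                status = "mitigated: " + controls[pair]
            else:
                status = "unmitigated"
            hits.append((a, b, status))
        if hits:
            findings[user] = hits
    return findings


def unmitigated_users(findings):
    """Users whose conflicts need task reallocation or a new control."""
    return sorted(user for user, hits in findings.items()
                  if any(status == "unmitigated" for _, _, status in hits))


if __name__ == "__main__":
    report = find_sod_conflicts(SAMPLE_USERS)
    for user, hits in sorted(report.items()):
        for a, b, status in hits:
            print(f"{user}: {a} + {b} -> {status}")
    print("needs reallocation:", ", ".join(unmitigated_users(report)))
```

Running the review over the sample data flags Alice (prints and signs checks), Carol (develops and tests), and Dave (end user who also administers accounts) as needing reallocation, while Bob's developer-plus-deployment combination is reported but marked as covered by the assumed compensating control. A real review would load the role and assignment data from the identity system instead of the constructed tables, but the conflict matrix is the part that needs the business's judgement about critical services and acceptable risk.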

And remember one key fact about employees' egos: when reviewing the necessary changes, bear in mind that a lot of emotion is often attached to permissions. Training and awareness activities will be needed to support the organizational change.

Clearly, excessive permissions put organizations at risk. Roles need to be periodically reviewed to ensure that the business is properly supported with segregation of duties; system privileges need to mirror the defined roles. In this day and age, security is becoming increasingly important and permission models need to reduce risks to a level that management is comfortable with.
