UBS did a lot of things right and this article isn’t to diminish their work in any way. Instead, it’s intended to illustrate why permissions need to be limited, and the risks associated with excessive spans of control need to be carefully considered.
Individuals are said to have “excessive permissions” when they have more rights on IT platforms than what is needed for them to achieve their business role. There are also risks with groups and system accounts having excessive rights. The point is that as the level of access increases, so do the risks to the organization if an account is compromised.
The need to avoid excessive permissions calls to mind the old security maxim about denying all rights and only allowing what is needed – a practice that can save untold time and money.
Three Scenarios to Avoid
There are three common scenarios in which excessive permissions are granted.
The first occurs when an organization is founded and there are only a handful of IT people, or even just one person. This small staff has to perform many roles in order to keep up with their daily work and to back one another up. One person might handle all of development, network management and user support. As more people are hired their rights mirror the people before them, and as time goes by everyone has a mix of authorities.
Second, some companies grant all of IT admin authority or give everyone high-level access, as it seems to be easier to set up an account one time and then avoid the management required to deal with restricted authorities.
The problem is that this mentality has a siren song of improved agility but incurs additional risks for the organization. In this situation, one must ask, “Are the associated risks acceptable?”
Third, some organizations have well thought out security policies, but when incidents happen, additional permissions are granted to a person to resolve the situation – but once the fire is out, access is not disabled afterward. This “permission creep” is very common since some organizations don’t have the proper controls in place to ensure that rights are later removed. Also needed: An additional control to routinely review accounts, to ensure that the associated permissions are valid.
In all these cases, the rights that certain individuals have are greater than what they should be for risks to be managed appropriately. As with UBS, excessive rights can lead to malicious activity.
On a greater scale, there are also risks stemming from human error. When people are allowed permissions greater than what their skills and knowledge can support, a great deal of unintentional harm is possible.
Next Page: Happiness is a Double-Signed Check
Happiness is a Double-Signed CheckClosely related to excessive permissions is segregation of duties (SOD) control. Essentially, SOD guards against critical processes being under the undue influence of any given person or group. In other words, the tasks involved with critical processes need be split across people and teams in order to maintain checks and balance to ensure the validity of outcomes.
In accounting we know that it’s a bad idea to allow one individual the authority to print and sign checks – it’s too eay to write fraudulent checks. In IT we know there are areas where there are equivalent conflicts of interest. We prefer to not allow users to be security or system administrators, developers to do testing, or developers have the ability to update production systems.
To properly address permissions using SOD, organizations need to understand what IT services are critical, and establish reasonable risk levels. From there, roles relative to tasks can be reviewed to see what combinations create a level of excessive permissions.
Avoid any permissions that put process confidentiality, integrity, and availability at an unacceptable level of risk. Where security is compromised, tasks need to be reallocated or compensating controls put in place to reduce risk to an acceptable level.
And remember one key fact about employees’ egos: When reviewing necessary changes, bear in mind that there are often a lot of emotions attached to permissions. So training and awareness activities will be needed to support the organizational change.
Clearly, excessive permissions put organizations at risk. Roles need to be periodically reviewed to ensure that the business is properly supported with segregation of duties; system privileges need to mirror the defined roles. In this day and age, security is becoming increasingly important and permission models need to reduce risks to a level that management is comfortable with.
Huawei’s AI Update: Things Are Moving Faster Than We Think
FEATURE | By Rob Enderle,
December 04, 2020
Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 18, 2020
Key Trends in Chatbots and RPA
FEATURE | By Guest Author,
November 10, 2020
FEATURE | By Samuel Greengard,
November 05, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 02, 2020
How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 29, 2020
Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 23, 2020
The Super Moderator, or How IBM Project Debater Could Save Social Media
FEATURE | By Rob Enderle,
October 16, 2020
FEATURE | By Cynthia Harvey,
October 07, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
October 05, 2020
CIOs Discuss the Promise of AI and Data Science
FEATURE | By Guest Author,
September 25, 2020
Microsoft Is Building An AI Product That Could Predict The Future
FEATURE | By Rob Enderle,
September 25, 2020
Top 10 Machine Learning Companies 2020
FEATURE | By Cynthia Harvey,
September 22, 2020
NVIDIA and ARM: Massively Changing The AI Landscape
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
September 18, 2020
Continuous Intelligence: Expert Discussion [Video and Podcast]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 14, 2020
Artificial Intelligence: Governance and Ethics [Video]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 13, 2020
IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI
FEATURE | By Rob Enderle,
September 11, 2020
Artificial Intelligence: Perception vs. Reality
FEATURE | By James Maguire,
September 09, 2020
Anticipating The Coming Wave Of AI Enhanced PCs
FEATURE | By Rob Enderle,
September 05, 2020
The Critical Nature Of IBM’s NLP (Natural Language Processing) Effort
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
August 14, 2020
Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation's focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.
Advertise with TechnologyAdvice on Datamation and our other data and technology-focused platforms.
Advertise with Us
Property of TechnologyAdvice.
© 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this
site are from companies from which TechnologyAdvice receives
compensation. This compensation may impact how and where products
appear on this site including, for example, the order in which
they appear. TechnologyAdvice does not include all companies
or all types of products available in the marketplace.