Access Governance - a step towards better information security

Could your documents have turned up on WikiLeaks? If you do not have complete control over user access rights, the answer is YES.

With just 500 users, 100 systems and 100 folders there are potentially a quarter million user access rights to keep track of.

  • Do you know which of these rights provide access to critical information?
  • Do you know who authorized the individual rights?
  • Will irrelevant rights be removed when an employee changes responsibilities?
  • Will new employees get all relevant rights without undue delay?

Many of the WikiLeaks documents were published by a dissatisfied employee with access to unnecessary amounts of very critical information.

The most frequent source of information security breaches is employees' (perhaps unwitting) misuse of information and rights, not external hackers or phishing.

To manage all these rights effectively, it is necessary to move towards role-based access control.

The dream is fully automated rights management, but that is very far away in most companies.

I will describe the most important steps towards fulfilling the dream.

Get in control

To get in control of the current situation, I propose the following steps:

  1. Document who has which rights.
  2. Find patterns of rights - some rights may be related not to the individual but to their organizational affiliation, position in the leadership hierarchy, physical location, projects or other attributes.
  3. Have line management approve the clustered rights that came out of step 2.

If you turn steps 1-3 into a standard procedure, you have Access Control.


When you are in control of the current situation, it is time to improve the situation.
I suggest the following process:

  1. Find the critical rights from security policies, accounting rules and other sources.
  2. Describe the rules for provisioning these rights based on electronically available information, for example the HR system.
  3. Find violations of the rules described.
  4. Eliminate violations by removing the rights or modifying the rules.
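
A minimal sketch of steps 2-3 as a repeatable check, added here as an illustration and not taken from any particular product: rules tie each critical right to HR attributes, and every held right is tested against them. All users, rights, attribute names and the data layout are constructed assumptions.

```python
# Constructed sample data; all names, rights and attributes are hypothetical.
HR = {
    "alice": {"department": "Finance", "status": "active"},
    "bob":   {"department": "Sales",   "status": "active"},
    "carol": {"department": "Finance", "status": "terminated"},
}

# Steps 1-2: each critical right and the HR attribute values a holder must have.
RULES = {
    "erp:approve_payment": {"department": {"Finance"}},
    "hr:read_salaries":    {"department": {"HR"}},
}

# Current state: (user, right) pairs exported from the target systems.
ENTITLEMENTS = [
    ("alice", "erp:approve_payment"),
    ("bob",   "erp:approve_payment"),
    ("carol", "erp:approve_payment"),
    ("bob",   "crm:read"),            # not a critical right, so no rule applies
    ("dave",  "hr:read_salaries"),    # account without a matching HR record
]

def find_violations(hr, rules, entitlements):
    """Step 3: return (user, right, reason) for critical rights held against the rules."""
    violations = []
    for user, right in entitlements:
        rule = rules.get(right)
        if rule is None:
            continue  # only critical rights are governed by rules
        person = hr.get(user)
        if person is None:
            violations.append((user, right, "no HR record"))
        elif person.get("status") != "active":
            violations.append((user, right, "not an active employee"))
        else:
            for attr, allowed in rule.items():
                if person.get(attr) not in allowed:
                    reason = f"{attr}={person.get(attr)!r} not permitted"
                    violations.append((user, right, reason))
    return violations

if __name__ == "__main__":
    # Step 4 is a decision for the owner: remove the right or change the rule.
    for user, right, reason in find_violations(HR, RULES, ENTITLEMENTS):
        print(f"{user:6} {right:22} {reason}")
```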

Next steps

The main task is to get steps 3-4 above in place as a standard procedure to stay in control of access rights. With this procedure in place you have Access Governance.

The foundation is now in place to consider automatic provisioning of critical rights. You should also consider automating the general access rights that every employee needs to have, e.g. based on organizational affiliation. While all the above should be implemented under all circumstances, automation using an Identity Management System or Access Governance System requires a positive business case.