How to Ensure Compliant User Access with Role-Based Access Governance

By Brian Cleary  |  Posted 2009-08-27


Employees across all industries are quickly finding out that peeking at records that contain information about their favorite celebrity will now cost them their job. The natural curiosity of employees to view the private records of politicians and well-known figures is increasingly leading to firings and criminal convictions.

Most of these workplace incidents are not tied to bad intentions or identity theft; they are simply employees taking advantage of access policy gaps at the companies for which they work (without realizing that they are breaking privacy laws and exposing their organizations to risk).

An example of this trend occurred when it was revealed on Nov. 22, 2008 that Verizon had fired several employees who had looked at the cell phone records of President-elect Barack Obama. Politicians and celebrities are just like everyone else, and they use cell phones, apply for passports and seek healthcare at major hospitals.

Employees at these organizations need to realize that, unless there is a job-related reason for them to access these records, even sneaking a peek for curiosity's sake is a very bad idea. However, the real problem here is not the natural nosiness of employees, but rather the poor controls for how user access is governed at these organizations.

President Obama has been a prime target of these types of attacks, with three different unauthorized data breaches on his private records in the last year alone. This type of incident is something that is fast becoming a daily trend with companies that store sensitive personal records of politicians and celebrities.

While organizations are quick to point out that they have specific policies related to accessing sensitive information, too often these policies are confined to a three-ring binder on a bookshelf in the IT security or compliance office. It is wishful thinking to believe that employees will heed these policies through training alone and make them part of their daily operating practice and procedure.

Access-Related Snooping Breach Examples


Some recent examples of access-related snooping breaches include:

Political candidates' passport records

In the spring of 2008, the passport records of presidential candidates Barack Obama, John McCain and Hillary Clinton were all illegally accessed by State Department workers. In fact, since that first disclosure, three employees of the State Department have pled guilty in court to illegally accessing the records data of politicians and celebrities.

The latest court case was settled on January 28, 2009. As part of his guilty plea, Gerald Lueders acknowledged that between July 2005 and February 2008, he had logged into the State Department's Passport Information Electronic Records System (PIERS) and viewed the passport applications of more than 50 politicians, actors, musicians, athletes, members of the media and other individuals.

Joe the Plumber

In October 2008, government computers in Ohio were used to illegally access personal information about Samuel Joseph Wurzelbacher, otherwise known as "Joe the Plumber." During their October 15, 2008 debate, presidential candidates Barack Obama and John McCain referred to "Joe the Plumber" constantly. In the days following the debate, information on Wurzelbacher's driver's license or his sport utility vehicle was retrieved illegally from the Ohio Bureau of Motor Vehicles database three times.

UCLA Medical Center

In March 2008, it was revealed that a total of 126 employees had been fired from UCLA Medical Center (according to the Los Angeles Times). Workers inappropriately accessed the records of Britney Spears and Farrah Fawcett, and one employee sold this information to a national tabloid, in violation of the Health Insurance Portability and Accountability Act (HIPAA).

Shands Jacksonville Medical Center

In October 2008, 20 employees of Shands Jacksonville Medical Center (including nurses, admissions workers and patient relations staff) were fired for inappropriately accessing Jacksonville Jaguar Richard Collier's medical record. Collier had been hospitalized for more than a month following a shooting in Riverside.

Preventing Access-Related Snooping Breaches


What can an organization do to prevent this type of incident? There needs to be more focus on ensuring that the entitlements that employees have to information resources are required for their particular job function. It is not unusual, for example, for employees to accumulate unnecessary access privileges as they are promoted, transferred or temporarily assigned to another department within the organization.

Users that drag excess entitlements into their new role may create toxic combinations of access that often result in Segregation of Duties (SoD) violations or create other business risks. These are surprisingly common problems in large organizations, and they are natural consequences of the usual pressure on IT departments to provide access quickly when employees are transferred or promoted into positions that require new sets of entitlements.

Organizations that leverage role-based access governance are able to put automated controls in place for access delivery and access change management. This ensures that users' privileges are appropriate to their particular job function or process role.

As a result, access to personally identifiable information is effectively governed based on a valid business reason for access, which mitigates business and compliance risk. Specifically, role-based access governance should address the following three things:

Controls automation

Organizations need to implement automated controls for access delivery and change management which ensure that policies are being applied in a consistent fashion and access-related risk is avoided. A process based on event-driven controls needs to be put into place to address change (join, move or leave) to a user's relationship with the organization. Organizations that leverage enterprise business roles will not only strengthen their policy framework through a set of preventative controls, but will also be able to speed up access delivery and ensure better accuracy.

Remediation and Validation


When change is required to a user's access, ensuring that the change request took effect (entitlement assignment or revocation) is critical. Having an automated, closed-loop remediation and validation process will ensure that application owners and system administrators have executed on the access change request in a timely fashion.

Access review and certification

Whatever the cause, organizations that do not certify access on a regular basis are most susceptible to "entitlement creep" and to prolonged exploitation by system intruders whose access, once established, goes unnoticed. Review and certification provide a set of detective controls that are typically required by many regulations and industry mandates, a few of which are HIPAA, the Sarbanes-Oxley Act (SarbOx), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), and Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) guidelines.
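As an added illustration (not code from the article or from Aveksa), here is a minimal Python model of the three controls above: an event-driven join/move/leave control that derives grants and revocations from business roles, a closed-loop validation that reports what administrators have not yet executed, and a certification pass that flags entitlement creep and toxic (SoD) combinations. The roles, entitlements, SoD rule and user are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: the entitlements each business role is allowed to carry.
ROLE_ENTITLEMENTS = {
    "billing_clerk": {"billing.read", "billing.write"},
    "ar_approver": {"billing.read", "billing.approve"},
    "call_center_agent": {"crm.read"},
}
# Constructed toxic combination: holding both entitlements is an SoD violation.
SOD_RULES = [("billing.write", "billing.approve")]


@dataclass
class User:
    name: str
    roles: set
    entitlements: set  # what the target systems actually grant today


def expected_entitlements(roles):
    """Entitlements a user should hold, derived only from business roles."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))


def plan_change(user, new_roles):
    """Event-driven join/move/leave control: the grants and revocations that make
    actual access match the new role set, so nothing is dragged along."""
    target = expected_entitlements(new_roles)
    return {"grant": target - user.entitlements, "revoke": user.entitlements - target}


def sod_violations(entitlements):
    """Detective control: every toxic combination present in one access set."""
    return [(a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements]


def validate_change(user, plan):
    """Closed-loop validation: what is still outstanding after admins acted."""
    return {"grant": plan["grant"] - user.entitlements,
            "revoke": plan["revoke"] & user.entitlements}


def certify(users):
    """Periodic review: excess entitlements (creep) and SoD conflicts per user."""
    return {u.name: {"excess": u.entitlements - expected_entitlements(u.roles),
                     "sod": sod_violations(u.entitlements)} for u in users}


if __name__ == "__main__":
    alice = User("alice", {"billing_clerk"}, {"billing.read", "billing.write"})
    plan = plan_change(alice, {"ar_approver"})  # alice is transferred to approvals
    alice.roles, alice.entitlements = {"ar_approver"}, alice.entitlements | plan["grant"]
    print("outstanding:", validate_change(alice, plan))  # revocation not yet done
    print("certification:", certify([alice]))  # creep and SoD conflict flagged
```

In the walkthrough the administrator applies only the grant, so the old write entitlement lingers, the validation step reports it as outstanding, and certification surfaces the resulting write/approve conflict until the revocation is carried out.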

By putting a roles-based access governance approach in place, an organization will be well on its way to managing the business and regulatory risks of inappropriate access to its information resources. The right solution requires a strategic approach for access governance that is based on automated business processes and controls for managing the constant change to user access, while ensuring visibility and accountability of access across the entire enterprise.

Brian Cleary is Vice President of Products and Marketing at Aveksa. Brian is responsible for all of Aveksa's marketing activities including product marketing and management, marketing strategy and development. Brian brings more than 15 years of success in directing technology marketing initiatives for both emerging technology companies and top-tier enterprise software vendors to his position. Most recently, Brian served as vice president of marketing for OpenPages. He also served as senior vice president of marketing at Computer Associates (CA).

Prior to CA, Brian directed the corporate marketing efforts at Netegrity (acquired by CA in 2004). Brian was also a member of the senior management team at both Allaire Corporation and Macromedia. Brian is an author and frequent speaker at industry events on the topic of governance, risk and compliance management. He can be reached at
