Budget Pressure Leads To Access Control Problems

Many IT departments are struggling to manage access control as they cope with leaner budgets, according to a new report from the Ponemon Institute.

The report, sponsored by Aveksa, drew on a survey of 728 IT pros at multinational corporations and government organisations. Among its key findings was that 87 percent of respondents believe individuals have too much access to information resources they don’t need for their jobs. That is up from 9 percent in the 2008 survey.

Failure to enforce access control policies is one of the problems facing organisations concerned with the prospect of rogue employees stealing data. In addition, 59 percent said they either do not have or don’t strictly enforce access governance policies, and 61 percent do not immediately check user access requests against security policies before the access is approved and assigned.

“Access policies are fluid and dependent on internal organisational demands as well as access-related regulations and industry mandates,” said Aimee Rhodes, vice president of marketing at Xceedium, which plays in the entitlement management space. “It is critical to provide continuous audit quality logging and reporting to ensure compliance with standards and regulations as well as the ability for post-mortem analysis should something arise.”

Part of the problem is lack of IT staff. Almost two-thirds (65 percent) of respondents cited not having enough IT staff as a key problem in enforcing access compliance policies, with 55 percent adding they don’t have the technology to manage and govern end-user access to information resources.

“Our study confirms that IT staffs are not only unable to keep up with a rising flood of constantly changing user access requirements and regulations, they are falling behind,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement. “With so few people tasked with governing access across so many information resources, requests and control requirements, these companies are at risk of inappropriate access and misuse. The vast majority of these organisations report that they are subject to access-related regulations or industry mandates, so this lack of access governance could significantly jeopardise their ability to maintain compliance and mitigate key risks.”

About 72 percent of respondents said they can’t quickly respond to changes in employee access requirements, and more than half (52 percent) said they are unable keep pace with the access change requests that come in on a regular basis.

“The current global economic climate has increased the pace of access change at many organisations, while also forcing IT staffs to try to do more with less,” Deepak Taneja, president and CTO of Aveksa, said in a statement. “Businesses are no longer able to throw bodies at the problem with the hopes of addressing their access governance issues. Sustainable compliance can only be achieved by deploying automated access management processes with embedded governance.”