Consider this: only 17% of firms have a mature approach to access management. For the 80%+ of firms who aren't properly managing access, that means two times more breaches and $5 million more in costs, on average. You understand the risks of open access -- through your own home-grown or purchased security reporting tool, you find that there are hundreds of thousands or even millions of folders with open access privileges. You know where each folder is and you might even know which folders contain sensitive information.
But now what? Running a report on one of these tools hasn't reduced your risk, it's just uncovered it. The next step would be to remediate that risk…sounds simple, but what are the actual steps to do so?
You might try just removing the open access group. But this could – and probably would– remove legitimate business user access or, even worse, break a service account’s ability to run a business critical application.
You could replace the open access group with the accounts that have been accessing it in the past. But if the open access group is permissioned on a folder where users don't typically request access, then you might be breaking the permission inheritance structure that will just have to be redone
You could find a logical grouping of folders where users do typically ask for access and make the permission changes on the top folder and push the changes down. This collection of folders would include more than just the folders with open access, but it means you would only have to make the permission changes once. But you don’t actually know who SHOULD have access. You only know who currently has access.
Another option could be to find business owners for each folder collection and ask them who SHOULD have access. But finding owners and then asking them to respond to an IT survey is a cumbersome manual process hated by both IT and the business and would take hundreds, if not thousands of emails.
The most holistic approach is to actually reduce risk. That involves its own workflow: finding folder collections, determining ownership, certifying permissions with an escalation system, and making the permission changes from the top of the collection to all subfolders with new permissions that can easily be managed long-term.
It’s not as simple as “removing the open access group.” This holistic and BAU-ready risk reduction process is what we've learned over 10 years of cleanup experience. This process is what we’ve perfected. This process is what SPHEREboard has automated.
Don't have a security reporting tool to find issues like open access? We do that too, and better than everyone else. We help prioritize risk reduction by showing data in actionable ways: pivoted on whatever you find important whether that's business-defined departments, staleness, the severity of security issues, and the classification/sensitivity of data and users.
Want to see real automated risk reduction? Schedule a demo and ask for a free Proof of Concept to see SPHEREboard with your own data.