
What is policy-violating access?

Organizations develop policies governing access to sensitive apps and information, both to protect their intellectual property and their clients’ data, and to ensure compliance with relevant laws and regulatory frameworks. However, complying with these policies can be challenging in real-world conditions.

What is policy-violating access?

Policy-violating access is access that goes against aspects of a company’s data or security policies in a way that might threaten the organization’s compliance with regulatory frameworks, risking fines or other sanctions, or expose the organization to potential fraud or data theft. Some examples include:

  • Segregation of duties violations: Segregation of duties is a best practice designed to prevent fraud and error, especially in finance and information security, requiring that no single identity be able to control an entire process alone. For example, the same person should not be able to create new vendor records and also approve payment of invoices. As well as being a best practice, some compliance frameworks, including Sarbanes-Oxley (SOX), require companies to be able to demonstrate that they have implemented segregation of duties for key processes.
  • Sovereignty violations: Organizations that operate globally often need to comply with different sets of local laws and regulations governing privacy and data, such as the General Data Protection Regulation (GDPR) in the EU and China’s Data Security Law (DSL). These regulations often require that data collected in a particular region not be stored or accessed outside it. For example, a multinational company operating in China may need to ensure that only employees located within China can access data about Chinese customers.
  • Misconfigured identities: Organizations may require all users, or at least all privileged accounts, to use multi-factor authentication, or to change their password at set intervals. Any permissions held by accounts that don’t adhere to these internal rules can also be understood as policy-violating permissions.

Why is policy-violating access a problem?

  • Compliance penalties – the most obvious risk of policy-violating access is that of penalties or sanctions from enforcing agencies, such as the Securities and Exchange Commission (SEC), which can impose fines into the millions of dollars.
  • Increased risk – policy-violating permissions can leave your organization vulnerable to the problems your policies aim to prevent, such as fraud by internal actors, or compromise by external threats.
  • Loss of trust – in the wake of a security incident, companies found not to be effectively enforcing their own security and access policies are likely to take a reputational hit leading to loss of existing customers or difficulty securing future business.

How to clean up and prevent policy-violating access?

  • Understand and monitor the true, effective access permissions of all identities. If your governance tools rely on vague and potentially misleading role/group names rather than the permissions those roles actually grant, you will not be able to detect policy-violating access.
  • Break down the data silos that cause you to miss policy-violating access. For example, a business process begun in your CRM may be fulfilled via your ERP. By bringing all access permissions into a single control platform, you make it simple to detect issues like segregation of duties violations that an app-by-app approach would miss.
  • Make sure you have all the metadata you need to detect policy-violating access. For example, detecting sovereignty violations relies on 
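As an added illustration (not Veza’s code or data), the following runs the three checks described above over a constructed permission inventory in which each identity’s effective permissions have already been resolved across apps. `find_sod_per_app` evaluates the same segregation-of-duties rule one app at a time to show why the siloed view misses a conflict that spans the CRM and the ERP. All identities, apps, permission names and locations are made up.

```python
# Constructed sample inventory: effective permissions per identity, already
# resolved across the CRM and ERP rather than inferred from role/group names.
IDENTITIES = {
    "alice": {"location": "US", "mfa": True, "privileged": False,
              "perms": {("crm", "vendor.create"), ("erp", "invoice.approve")}},
    "bob":   {"location": "DE", "mfa": True, "privileged": True,
              "perms": {("erp", "invoice.approve")}},
    "chen":  {"location": "SG", "mfa": False, "privileged": True,
              "perms": {("crm", "customer_cn.read")}},
}

# Toxic combinations: holding every permission in the set lets one identity
# run the whole process (create the vendor, then approve paying it).
SOD_RULES = [
    ({("crm", "vendor.create"), ("erp", "invoice.approve")},
     "create vendor + approve invoice"),
]

# Region-restricted data sets and the identity locations allowed to access them.
SOVEREIGNTY = {("crm", "customer_cn.read"): {"CN"}}


def find_violations(identities):
    """Return (identity, violation_type, detail) for every policy violation."""
    findings = []
    for name, ident in identities.items():
        perms = ident["perms"]
        for combo, label in SOD_RULES:
            if combo <= perms:  # identity holds all halves of the toxic combo
                findings.append((name, "sod", label))
        for perm, regions in SOVEREIGNTY.items():
            if perm in perms and ident["location"] not in regions:
                findings.append((name, "sovereignty",
                                 f"{perm[1]} from {ident['location']}"))
        if ident["privileged"] and not ident["mfa"]:
            findings.append((name, "misconfigured_identity",
                             "privileged account without MFA"))
    return findings


def find_sod_per_app(identities):
    """Same SoD rules, but with only one app's permissions visible at a time."""
    findings = []
    for name, ident in identities.items():
        for app in {app for app, _ in ident["perms"]}:
            visible = {p for p in ident["perms"] if p[0] == app}
            for combo, label in SOD_RULES:
                if combo <= visible:
                    findings.append((name, "sod", label))
    return findings
```

With the unified inventory, `find_violations` flags alice’s cross-app SoD conflict plus chen’s sovereignty and MFA problems, while `find_sod_per_app` reports nothing because neither app alone can see both halves of the conflict.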

Check out our field guide to bad permissions to learn how you can crack down on policy-violating access, and watch our short demos to see how Veza can help you review and rightsize permissions across your organization and visualize and control who can do what with your data.

About Veza

Veza is the Access Control Platform that enables identity governance. The platform helps companies to monitor privilege, investigate identity threats, automate access reviews, and bring access governance to enterprise resources like SaaS apps, data systems, cloud services, infrastructure services, and custom apps.