“After drawing up rules and policies for an organization then comparing that to the organization’s actual practice or current implementation, Eurikify found that almost 1 out of 3 people have “out of pattern” (i.e., wrong) rights assignments (32%), which equates to 38% of the organization’s resources being used by these “out of pattern” users.
While not as pressing immediately, 1 in 3 (33%) have redundant or parallel access rights. Not an immediate problem, but it could be trouble when the person leaves the organization. Often, removing one access right gives us the false sense that there’s no other access right, but these redundant and parallel rights prove otherwise.
Eurikify also found a whopping 66% of people with access rights that bypass groups while another 25% are listed in overlapping or redundant groups. While it isn’t necessary to assign rights completely via roles or groups (for a personal folder, for example), this practice can get out of hand when someone needs to access a resource quickly and temporarily – ever notice how often “temporary” becomes “forever”?
The most troubling stat Eurikify found, at least to me, is that roughly 30% of accounts are “orphans” – no longer used, no longer needed but lurking, waiting to be the entry point for a security breach.”
Role-based access control with decent provisioning tools is obviously a good solution to this kind of problem. It also fills requirements that you might face due to Sarbanes-Oxley – Sara Gates, Sun’s VP of identity management, has more on this.
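To make the four categories in the quoted study concrete, here is an added example (not Eurikify’s method and not from the original post) that runs the same kind of rules-versus-practice comparison over a small, constructed identity snapshot. The data model (roles and groups carrying entitlements, accounts holding roles, group memberships, direct grants and an idle counter) is an assumption for illustration; the checks flag direct grants no role or group explains (“out of pattern”), entitlements reachable by more than one path (redundant/parallel), accounts that bypass groups with direct grants, and orphan accounts.

```python
"""Access-review checks over a constructed identity snapshot (hypothetical data model)."""

# Constructed sample policy: what each role and group is supposed to carry.
ROLES = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "support": {"tickets:read", "tickets:write", "crm:read"},
}
GROUPS = {
    "eng-all": {"repo:read", "ci:run"},
    "crm-users": {"crm:read"},
}

# Constructed sample practice: what accounts actually hold today.
USERS = {
    "alice": {"roles": {"engineer"}, "groups": {"eng-all"}, "direct": {"repo:read"}, "days_idle": 3, "employed": True},
    "bob": {"roles": {"support"}, "groups": {"crm-users"}, "direct": {"prod-db:admin"}, "days_idle": 10, "employed": True},
    "carol": {"roles": set(), "groups": {"eng-all"}, "direct": set(), "days_idle": 120, "employed": True},
    "dave": {"roles": {"engineer"}, "groups": set(), "direct": set(), "days_idle": 40, "employed": False},
}


def grant_paths(account):
    """Map each entitlement to the list of paths (role, group, direct) that grant it."""
    user = USERS[account]
    paths = {}
    for role in user["roles"]:
        for ent in ROLES[role]:
            paths.setdefault(ent, []).append(f"role:{role}")
    for group in user["groups"]:
        for ent in GROUPS[group]:
            paths.setdefault(ent, []).append(f"group:{group}")
    for ent in user["direct"]:
        paths.setdefault(ent, []).append("direct")
    return paths


def out_of_pattern(account):
    """Direct grants that no assigned role or group explains: the 'wrong' rights."""
    paths = grant_paths(account)
    return {ent for ent, p in paths.items() if p == ["direct"]}


def redundant_rights(account):
    """Entitlements reachable by more than one path; removing one path leaves the right in place."""
    return {ent: p for ent, p in grant_paths(account).items() if len(p) > 1}


def bypasses_groups(account):
    """True when the account holds any entitlement outside the role/group model."""
    return bool(USERS[account]["direct"])


def orphan_accounts(max_idle_days=90):
    """Accounts whose owner has left or that have been idle past the review threshold."""
    return {
        name for name, u in USERS.items()
        if not u["employed"] or u["days_idle"] > max_idle_days
    }


def summary(max_idle_days=90):
    """Percentage of accounts in each finding category, mirroring the study's headline numbers."""
    total = len(USERS)
    counts = {
        "out_of_pattern": sum(1 for a in USERS if out_of_pattern(a)),
        "redundant": sum(1 for a in USERS if redundant_rights(a)),
        "bypass_groups": sum(1 for a in USERS if bypasses_groups(a)),
        "orphans": len(orphan_accounts(max_idle_days)),
    }
    return {k: round(100 * v / total) for k, v in counts.items()}


if __name__ == "__main__":
    for account in USERS:
        print(account, "out-of-pattern:", sorted(out_of_pattern(account)),
              "redundant:", redundant_rights(account), "bypass:", bypasses_groups(account))
    print("orphans:", sorted(orphan_accounts()))
    print("summary %:", summary())
```

The useful signal is in the paths, not just the booleans: `redundant_rights("alice")` shows `repo:read` arriving through the engineer role, the eng-all group and a direct grant, which is exactly the case where revoking one path during offboarding gives a false sense of closure. Feeding a real directory export into the same shape of data lets the review be rerun on a schedule instead of once.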