Within many organizations, there are simply too many people who have unnecessary access to sensitive information on the mainframe. These excessive access issues are a serious mainframe security threat: the more people with unnecessary access to information, the bigger your attack surface is.
Where do excessive access issues come from?
Excessive access issues usually crop up inadvertently and can go undetected. Here’s an example. Let’s say a team of developers is working on a new application. You give those developers access to some sensitive data, since it’s data they need to properly build the application.
Once the application is built and the developers don’t need access anymore, you forget to take that access away. The end result? You have developers with unnecessary access to sensitive information. This happens more often than you might think.
Perhaps even more concerning, there may inadvertently be people outside the organization, such as contractors or former employees, who still have access to your organization’s sensitive data. Personnel payroll systems are a common culprit here. When programmers update the software, or when they change tax requirements, they’re given access to production systems.
This becomes a problem when that access isn’t revoked once the project is complete. That means that you’re likely to have people who aren’t employees, or people who might have retired or been fired, who continue to have access. They know their personal ID and password, so they continue to have an inroad into your organization. That is the norm in many organizations, and it creates a compliance risk.
Checking and resolving issues
Here’s the good news: You can take steps to manage and mitigate this risk. Start by establishing a process to check for excessive access issues on a regular basis. By giving users access to only the data they need, you reduce your attack surface.
It’s a matter of compliance – DISA STIGs require government agencies to perform excessive access checking. But we’ve observed through the years that corporate America is somewhat averse to excessive access checking. These checks can uncover hundreds of thousands of findings, which the organization then has to address.
Resolving excessive access issues can be an arduous process. It means you have to go into every security profile, and take those unnecessary people out. Estimate around ten minutes to resolve each finding, and for tens to hundreds of thousands of findings, that’s a major time investment.
However, the problem doesn’t become so enormous if you’re doing excessive access checking all the time. That’s the best course of action – get your excessive access issues under control, and then implement an ongoing process to check regularly.
Invest in automation
If you’re checking for excessive access issues manually, you’ll be able to find out which groups have access to data sets or resources, but you typically won’t drill down to the user level. So you won’t know if there’s a user in a particular group who shouldn’t have access.
Automation, on the other hand, helps drill down into the detailed level of what people have access to, dramatically reducing the time it takes to verify compliance. Automation can help your organization stay on the right track, so you don’t suddenly find 250,000+ issues to resolve at once.
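The following script is an added example, not code from the original post or from any product it describes. It shows the drill-down the post recommends: group-to-resource permissions (what a manual review usually stops at) are expanded through user-to-group connections to the individual user, and each effective permission is checked against a user directory for the situations the post names: project access that was never revoked, contractor engagements that have ended, terminated users, and user IDs that no longer exist in the directory. All data is constructed for the example; the group/data-set model resembles a mainframe security manager such as RACF but is not an actual export, and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# --- Constructed sample data (not from any real system) ---------------------

# Group-level permissions, as a manual review would see them:
# (group, resource, access level)
GROUP_ACCESS: List[Tuple[str, str, str]] = [
    ("PAYDEV", "PAYROLL.PROD.MASTER", "UPDATE"),
    ("PAYDEV", "PAYROLL.TEST.MASTER", "ALTER"),
    ("HRUSERS", "PAYROLL.PROD.MASTER", "READ"),
]

# User-to-group connections.
USER_GROUPS: Dict[str, List[str]] = {
    "DEV01": ["PAYDEV"],
    "DEV02": ["PAYDEV"],
    "DEV03": ["PAYDEV"],
    "CTR07": ["PAYDEV"],
    "HR001": ["HRUSERS"],
    "OLD99": ["HRUSERS"],   # connected to a group but missing from the directory
}


@dataclass
class User:
    userid: str
    status: str                       # "active", "terminated" or "contractor"
    access_until: Optional[date] = None  # end of the project/engagement that justified the access


# User directory with the business justification for each person's access.
USERS: Dict[str, User] = {
    "DEV01": User("DEV01", "active", date(2023, 6, 30)),      # project finished last year
    "DEV02": User("DEV02", "active"),                         # standing role, no end date
    "DEV03": User("DEV03", "terminated"),                     # left the company, ID still connected
    "CTR07": User("CTR07", "contractor", date(2024, 1, 15)),  # engagement ended
    "HR001": User("HR001", "active"),
}

PRODUCTION_PREFIXES = ("PAYROLL.PROD.",)
REVIEW_DATE = date(2024, 3, 1)  # "as of" date for the review run


def effective_access(group_access, user_groups):
    """Expand group-level permissions to user level.

    Returns (userid, resource, access, via_group) for every permission a user
    actually holds through group membership; this is the level a manual
    group-only review never reaches.
    """
    rows = []
    for userid, groups in user_groups.items():
        for group, resource, access in group_access:
            if group in groups:
                rows.append((userid, resource, access, group))
    return rows


def find_excessive_access(group_access, user_groups, users, as_of):
    """Flag effective permissions that no longer have a valid justification."""
    findings = []
    for userid, resource, access, group in effective_access(group_access, user_groups):
        user = users.get(userid)
        if user is None:
            reason = "userid not in directory"
        elif user.status == "terminated":
            reason = "user terminated"
        elif user.access_until is not None and as_of > user.access_until:
            reason = f"project/engagement ended {user.access_until.isoformat()}"
        else:
            continue  # access still justified
        # Production data sets are reviewed first; the post's payroll example is one.
        severity = "high" if resource.startswith(PRODUCTION_PREFIXES) else "medium"
        findings.append({"userid": userid, "resource": resource, "access": access,
                         "via_group": group, "reason": reason, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_excessive_access(GROUP_ACCESS, USER_GROUPS, USERS, REVIEW_DATE):
        print(f"[{f['severity']}] {f['userid']} {f['access']} on {f['resource']} "
              f"via {f['via_group']}: {f['reason']}")
```

Running the script on the sample data produces seven findings, four of them against the production data set, while DEV02 and HR001, whose access is still justified, are not flagged. On a real system the three inputs would come from the security manager's group, connect and profile listings and from HR's leaver and contractor records; scheduling this expansion after every change is the ongoing check the post recommends, rather than discovering the backlog all at once.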