User access continues to be poorly managed

Findings gathered from a Ponemon Institute and Aveksa survey of 728 experienced IT practitioners at multinational corporations and government organizations show that ineffective access governance processes expose enterprises to serious noncompliance and business risks.

The 2010 Access Governance Trends Survey tracks the perspectives of IT security and compliance practitioners on access governance, measuring how well organizations control user access and prevent misuse that could negatively impact their business. Survey results indicate that many organizations face significant information security risks because of a lack of resources, budget and IT staff – heightened by ad hoc or inconsistent approaches to access management activities across the enterprise.

According to 2010 results, cloud computing has emerged as a key factor affecting organizations’ access governance processes, with respondents reporting that its adoption enables business and end users to circumvent existing access governance processes.

Key findings of the survey include:

User access rights continue to be poorly managed – Eighty-seven percent of respondents believe that individuals have too much access to information resources that are not pertinent to their job description – up nine percent from the 2008 study.

Organizations are not able to keep pace with changes to users’ job responsibilities and they face serious noncompliance and business risk as a result – Nearly three out of four organizations (72 percent) said they cannot quickly respond to changes in employee access requirements; and more than half (52 percent) reported that they are unable keep pace with the number of access change requests that come in on a regular basis.

Policies are not regularly checked and enforced – Fifty-nine percent of organizations do not have or do not strictly enforce access governance policies, and 61 percent do not immediately check user access requests against security policies before the access is approved and assigned.

Organizations lack budget, resources and staff for effective access governance – Nearly two-thirds (65 percent) of respondents said that a lack of IT staff was a key problem in enforcing access compliance policies. Fifty-seven percent of organizations reported that they don’t have enough technologies to manage and govern end-user access to information resources. Further, with organizations struggling to contain costs in a recessionary climate, 63 percent say they do not have enough resources to do so.

Cloud computing is expected to impact access governance processes – Nearly three out of four (73 percent) respondents said that adoption of cloud-based applications will have a very significant or significant impact on users’ ability to circumvent existing access policies.

“Our study confirms that IT staffs are not only unable to keep up with a rising flood of constantly changing user access requirements and regulations, they are falling behind,” said Larry Ponemon, chairman and founder, Ponemon Institute. “With so few people tasked with governing access across so many information resources, requests and control requirements, these companies are at risk of inappropriate access and misuse. The vast majority of these organization report that they are subject to access-related regulations or industry mandates, so this lack of access governance could significantly jeopardize their ability to maintain compliance and mitigate key risks.”