User Rights Management
User rights management reduces unwarranted data access by ensuring that user rights align with corporate policy. This prevents insiders (employees, contractors, outsourcers and other third parties) from accessing data unless there is a business need-to-know. Strictly controlling user access rights to data is mandated by a number of regulations, including SOX, PCI and HIPAA, and is a security best practice that helps reduce the risk of data breaches caused by overly accessible data.
Aggregate and Report on User Access Rights
User rights audits require the ability to regularly aggregate user rights enterprise-wide. Rights must be collected from multiple database platforms and file systems to facilitate timely, manageable audits and reviews. Automated, regularly scheduled rights collection helps ensure an up-to-date view for security and compliance staff as well as auditors.
Perform Access Rights Reviews
Establishing a rights review workflow helps organizations build a repeatable process for reviewing access rights, which is required by regulations like PCI DSS and SOX. In addition to following a regular workflow, organizations should maintain an audit trail of the review process by recording whether reviewers accept or reject existing access rights, and what changes are required.
Identify Dormant Users and Excessive Access Rights
Identifying dormant users and unused access rights is fundamental to reducing the risk of unwarranted insider data access. Organizations can detect both conditions by correlating user access rights with users' actual data access activity. Users who never access the data they have permissions to may no longer be part of the organization, or may not need those permissions to do their job.
Ensure Access is Based on Need-To-Know
Access to sensitive data should be based on a business need-to-know, which typically relates to organizational structure. While user information stored in databases and directory services may include organizational information, this data often falls out of sync with business changes. Supplementing this information with details from human resources information management systems, which better reflect user job roles, helps identify users with access rights no longer required by their job function.
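As an added example (not code from the original page), the following Python correlates an aggregated rights snapshot with data access audit logs and an HR feed to surface the conditions described above: grants not exercised within the review window, dormant users who hold rights but show no activity, and rights still held by people HR no longer lists as employed. All input data is constructed, and the 90-day review window is an assumption.

```python
from datetime import date, timedelta
REVIEW_WINDOW_DAYS = 90  # assumed review period; tune to policy

# Constructed sample: (user, resource, privilege) aggregated from DB and file systems
GRANTS = [
    ("alice", "db.payroll", "SELECT"),
    ("alice", "db.payroll", "UPDATE"),
    ("bob", "db.payroll", "SELECT"),
    ("carol", "fs.finance", "READ"),
    ("dave", "db.crm", "SELECT"),
]
# Constructed sample: (user, resource, privilege, date) from data access audit logs
ACCESS_LOG = [
    ("alice", "db.payroll", "SELECT", date(2024, 5, 20)),
    ("bob", "db.payroll", "SELECT", date(2024, 1, 3)),  # older than the window
    ("dave", "db.crm", "SELECT", date(2024, 6, 1)),
]
# Constructed sample HR feed: user -> (department, still employed)
HR = {
    "alice": ("Finance", True),
    "bob": ("Finance", True),
    "carol": ("Finance", False),  # has left the company
    "dave": ("Sales", True),
}

def review(grants, access_log, hr, as_of, window_days=REVIEW_WINDOW_DAYS):
    # Correlate grants with activity and HR status; return findings for reviewers
    cutoff = as_of - timedelta(days=window_days)
    # Most recent exercise of each exact (user, resource, privilege) grant
    last_use = {}
    for user, res, priv, when in access_log:
        key = (user, res, priv)
        if when > last_use.get(key, date.min):
            last_use[key] = when
    # Users who touched any data inside the review window
    recently_active = {u for u, _, _, when in access_log if when >= cutoff}
    findings = {"unused_grants": [], "dormant_users": set(), "departed_users": []}
    for user, res, priv in grants:
        if last_use.get((user, res, priv), date.min) < cutoff:
            findings["unused_grants"].append((user, res, priv))  # never or stale use
        if user not in recently_active:
            findings["dormant_users"].add(user)  # holds rights, no activity at all
        if user not in hr or not hr[user][1]:
            findings["departed_users"].append((user, res, priv))  # HR says gone
    findings["dormant_users"] = sorted(findings["dormant_users"])
    return findings

if __name__ == "__main__":
    for kind, items in review(GRANTS, ACCESS_LOG, HR, date(2024, 6, 30)).items():
        print(f"{kind}: {items}")
```

Each finding is a candidate for the accept/reject decision in the rights review workflow, and the resulting list can be recorded as the audit trail of that review.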