When’s the last time you actually managed your Active Directory groups? Be honest. We’re not talking about that last time you added someone to a group. We’re talking about the last time you actually did some homework to ensure that the group had the right members, that the permissions were assigned correctly, etc. It’s probably been awhile, hasn’t it?
The more likely reality is that you’ve been making changes to groups for years without keeping track of what’s already there (that is, the groups’ members and permissions). If left unchecked. this absence of proper management can cause your groups and the security they represent to fall into a state of entropy.
So, should you be worried? Can mismanaged groups actually hurt you?
They can. And in more ways than you think.
Start with the fact that in a recent Ponemon survey, 71% of employees report that they have access to sensitive data that they should not be able to see. On its own, that’s a pretty scary statistic — one that underscores the fact that IT, in general, doesn’t truly know what permissions have been granted.
You might be tempted to think, “It’s no big deal. So they have a few extra permissions….” Be careful of falling into this trap. Without doing some formal diligence, you don’t know exactly how big the “extra” is!
Without wanting to add some salt to that wound, let’s dig a little deeper. The 2016 Market Pulse Survey from SailPoint uncovered some chilling facts about just how exposed companies may be:
- 32% of employees share credentials: In context, this statistic may reflect the number of people who have share credentials in the past rather than employees who are readily sharing credentials all the time. Either way, the person thought to be the only person with access to critical data isn’t the only person. And even though the credential owner may be trustworthy, can the person with whom these credentials are being shared be trusted? The sad truth is this: you just don’t — and won’t — know.
- 20% of U.S. employees would sell their credentials to a third party: And the kicker? They’d do it for less than $1000.
- 42% of employees can access corporate data after termination: It’s evident that many IT teams aren’t following a termination process that includes disabling user accounts.
The security implications of putting all this together are sobering:
- Users have more access than they should.
- They may have shared the credentials with another person.
- Even after they’re gone, their accounts still work.
So, anyone who still knows the credentials can still log on as the user (whether employed or not) and can access more information than the original user should have had in the first place.
When you add this to the fact that the access granted by memberships is overprovisioned (because no one in IT is properly managing Active Directory groups), unintentional access is being granted to more users than you’d care to admit.
Until you have a solid grasp on the current state of your AD groups, you will remain in the dark, unaware of just how insecure your environment really is, and how much you may be leaving your organization potentially exposed to insider threats.