Poor Access Management Can Lead to Data Breaches

What is access management? 

Access management is a solution businesses use to enforce the concept of AAA (authentication, authorization and accounting) — a necessary element of cybersecurity. 

The AAA premise is that computer systems should let only specific, verified and authorized people or processes access certain data, resources or network environments. Additionally, systems should keep a clear record of who accessed what resources and what those individuals may have done to those resources. While AAA may sound straightforward, its application across complex systems can be challenging.

Access management solutions are often part of broader identity and access management (IAM) tools. Businesses use these tools to help assign and manage users’ digital identities, such as login credentials.  

Within IAM, access management’s role is to assign, verify, control and manage users’ access to specified processes, data or systems. Businesses have multiple avenues for enforcing access management. Each access management approach seeks to ensure only the correct people or processes access specific resources. 

How does poor access management lead to cyberattacks? 

Poor access management can leave businesses vulnerable to cyberattacks in several ways, including the following: 

• Poor access management invites human-based intrusions and errors. Data from Verizon’s 2022 Data Breach Incident Report found that 82 percent of data breaches involved the human element, stemming from credential theft, phishing attacks, employee misuse or mistakes. Proper access management may have prevented many of these breaches.
• Poor access management often means a lack of security measures. A business with poor access management may lack critical — and relatively straightforward — measures, including a requirement that employees use unique, strong passwords, or limits on the resources people can access.       
• Poor access management leads to “privilege creep.” The Verizon report found that business insiders carried out 20 percent of data breaches. These breaches are often associated with “privilege creep,” in which employees end up with more privileges than necessary, allowing them to access resources they no longer need. This unnecessary access increases the risk of an insider breach because employees have significantly more access than they need. It also boosts the chances of external breaches, as hackers have to compromise only one privileged account instead of stringing together multiple accounts. 
• Poor access management leaves complex infrastructure vulnerable. Poor access management allows even more pervasive threats in today’s complex networks. “Today’s environment is much different than when all privileged access was constrained to systems and resources inside the network,” said Tim Steinkopf, former CEO of identity protection company Centrify (now Delinea). “Privileged access now not only covers infrastructure, databases, and network devices but is extended to cloud environments, big data, DevOps, containers, and more.”
• Poor access management puts cloud networks at risk. According to a report from Palo Alto Networks, nearly 99 percent of cloud users, roles, services and resources across the businesses surveyed had excess privileges. Additionally, 53 percent of cloud accounts allowed for weak passwords, and 44 percent of businesses allowed for password reuse. These statistics drastically increase the chances of hackers exploiting existing access management policies to compromise a company’s cloud storage, potentially leading to a massive data breach. According to Palo Alto Networks, companies with such lax access management policies would never be able to achieve comprehensive security.

How access management policies can improve cybersecurity

A well-thought-out and comprehensive access management policy is essential to a business’s security. Just as weak access management policies increase the risk of a breach, strong access management policies increase overall business security. Without these policies, a business won’t have proper visibility into who can access certain resources.

Access management policies can improve cybersecurity in the following ways: 

• Proper access management can reduce credential theft. According to the Verizon report, almost 50 percent of breaches were related to stolen credentials. Credentials were hackers’ favorite data to steal, allowing them to move within a network without suspicion. With proper access management, businesses can lock down user accounts to ensure employees have access only to what they absolutely need. 
• Proper access management can spot and halt potential breaches. Microsoft’s March 2022 data breach response shows how an organization with strong access management policies can stop a potential breach in its tracks. Proper access management can help IT managers spot and halt potential attacks and avoid the fallout of a data breach. Ideally, strong access management would help prevent malicious external actors from snooping where they shouldn’t. 
• Proper access management can detect employee fraud. Access management policies with a strong auditing component can help log suspicious employee activity. This can help organizations flag potential insider breaches and external hackers who hijack a legitimate employee’s account with stolen credentials. 
• Proper access management can stop further hacker damage. Access management could also make it more difficult for attackers to move laterally after gaining initial access to a network. Essentially, this means that access management could prevent a hacker from moving deeper into a network to search for sensitive information. 

Tips for establishing strong access management policies

Robust access management policies are essential for businesses to secure their environments. Fortunately, many access management tips and trends are available to businesses, including the following: 

• Take a zero-trust approach. In addition to implementing multifactor authentication and password vault solutions such as password managers, businesses should work with their IT managers to establish zero-trust architecture. “It’s well past time to secure privileged access with a zero-trust approach, and many organizations can significantly harden their security posture with low-hanging fruit like a password vault and multifactor authentication,” Steinkopf said. If businesses don’t have the necessary technical ability, managed service providers can help businesses build and secure their networks. 
• Prioritize compliance regulations. Businesses should also look to compliance regulations in their industry and establish complementary policies. Complying helps for regulatory reasons while also serving as a guide for access management policy criteria. 
• Audit employee accounts. Businesses should perform frequent audits of employee accounts to check for signs of employee fraud. Closed, “orphaned” accounts belonging to former employees should be shut down and revoked their privileges to stop hackers or former employees from using them. Audits should also look at privileges associated with current employees to stop potential privilege-creep scenarios. 

Access management is a crucial security concept

Access management is a foundational concept that can improve your business’s cybersecurity. Implementing a sound access management policy can help ensure that only the correct, authorized people or processes can access specific resources or data. While access management alone can’t stop cyber incidents, a well-developed policy can greatly mitigate cyberattacks and stop them from worsening. 

With the continuing change in work environments — such as the shift to the cloud, mobile work, and hybrid and remote work environments — comprehensive access management is more essential than ever. 

In particular, a zero-trust approach can help organizations limit malicious access to critical resources. By adopting a zero-trust mindset, Steinkopf said, “organizations can further reduce their risk of becoming the next data breach victim.”

Andrew Martins contributed to the reporting and writing in this article. Some source interviews were conducted for a previous version of this article.