25 November 2016

Moving beyond Least Privilege Access principles

Having been at the GRC Dreamzone event in Paris, I have been at the forefront of the futuristic thinking in terms of security and GRC-related themes. With an eye on the future, many of the traditional principles have been brought into question, including least privilege access.

As implementation partners, we are often attempting to bridge the gap between the technical solution and the business challenge. Building an appropriate security solution requires knowledge of the business, but it also requires technologists to translate that knowledge into an effective solution design.

That can lead to a “lost in translation” scenario in which a beautifully elegant solution may not fit the business risk requirements, may be undermined by poor business decisions, or may be rendered outdated as the business evolves. This is especially true when the security is designed on least privilege principles, because the authorisations are deliberately intended to provide just enough access and no more. Your business approvers must understand that intent and make good decisions accordingly, which often proves a challenge, especially if they do not fully understand the technical design.

Given that applications are no longer isolated but are integrated and combined to form a patchwork quilt of applications and access, perhaps it’s time to remove the constraint from the technical aspects and re-focus on empowering the business to make appropriate risk-based decisions?

If the business requirements change, do we really want a time-consuming change request process to alter the building blocks of authorisation through a technical team, and then have that repeated across every impacted application? Why not have authorisations updated based upon the business’s understanding of the potential risk or, better yet, dynamically, based upon user information or situations, e.g. a change of operational unit, assignment to a project, or travel requirements and location?

The major challenge here is defining an authoritative source for that user information. If you are to place reliance on this data, it will need to be complete, accurate and timely. Many organisations have tried it with both Active Directory and HR-based data sources, and it always proves problematic. But if we can overcome that information management challenge, what then?

Perhaps change to a policy-based approach that allows “most permissive” rather than “least privilege”. Use policies to allow or deny automatically based upon user attributes. That way, you can reduce the need to manage granular, restrictive access authorisations while still retaining control through the policy statements or rules.

You can still deny access by default if required, but reduce the effort of administering individually restrictive roles at a level of granularity that only security technical analysts understand. Place the controls in the hands of the business by allowing them to write the policies (with guidance) in language they understand. If the policies are right and the user source data is complete and accurate enough, authorisations can be assigned dynamically, reducing overheads while still retaining control over access.
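The following is an added example, not Turnkey’s code or any product described above, showing in working form what the last few paragraphs propose: a small attribute-based policy evaluator that is deny-by-default, lets an explicit deny override any allow, assigns access dynamically from user attributes (operational unit, project, location) rather than from hand-built roles, and refuses to decide when the authoritative user record is stale or incomplete. The attribute names, rule format, seven-day freshness window, users and rules are all assumed for illustration.

```python
"""Illustrative attribute-based (policy-based) authorisation evaluator.

Added example; everything here (attribute names, rule format, freshness
window, users and rules) is assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Assumed freshness window for the authoritative user source (HR / directory feed).
# A record older than this is treated as unreliable and the request is denied,
# which is the "complete, accurate and timely" requirement made concrete.
MAX_ATTRIBUTE_AGE = timedelta(days=7)


@dataclass
class Rule:
    """One policy statement written in business terms."""
    name: str
    effect: str                      # "allow" or "deny"
    resource: str                    # resource name, or "*" for any resource
    action: str                      # action name, or "*" for any action
    # attribute -> set of acceptable values; every condition must hold to match.
    conditions: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def matches(self, attributes: Dict[str, str], resource: str, action: str) -> bool:
        if self.resource not in ("*", resource) or self.action not in ("*", action):
            return False
        # A missing attribute never satisfies a condition: incomplete data cannot grant access.
        return all(attributes.get(attr) in allowed for attr, allowed in self.conditions.items())


@dataclass
class UserRecord:
    user_id: str
    attributes: Dict[str, str]
    last_synced: date                # when the authoritative feed last updated this record


def evaluate(user: UserRecord, resource: str, action: str,
             policy: List[Rule], today: date) -> Tuple[bool, str]:
    """Return (decision, reason). Default is deny; an explicit deny beats any allow."""
    if today - user.last_synced > MAX_ATTRIBUTE_AGE:
        return False, "user attributes stale; source data not trusted"
    matched = [r for r in policy if r.matches(user.attributes, resource, action)]
    denies = [r for r in matched if r.effect == "deny"]
    if denies:
        return False, f"denied by rule '{denies[0].name}'"
    allows = [r for r in matched if r.effect == "allow"]
    if allows:
        return True, f"allowed by rule '{allows[0].name}'"
    return False, "no matching policy (default deny)"


# Constructed policy, phrased the way a business owner might state it.
POLICY = [
    Rule("finance-posting", "allow", "journal_entries", "post",
         {"org_unit": frozenset({"finance"})}),
    Rule("project-docs", "allow", "migration_docs", "read",
         {"project": frozenset({"sap-migration"})}),
    Rule("no-posting-offsite", "deny", "journal_entries", "post",
         {"location": frozenset({"offsite"})}),
]

# Constructed user records as they might arrive from an HR / directory feed.
TODAY = date(2016, 11, 25)
USERS = {
    "alice": UserRecord("alice", {"org_unit": "finance", "project": "sap-migration",
                                  "location": "onsite"}, TODAY),
    "bob": UserRecord("bob", {"org_unit": "finance", "location": "offsite"},
                      TODAY - timedelta(days=1)),
    "carol": UserRecord("carol", {"org_unit": "finance", "location": "onsite"},
                        TODAY - timedelta(days=30)),            # stale record
    "dave": UserRecord("dave", {"location": "onsite"}, TODAY),  # org_unit missing from feed
}


def decide_all(today: date = TODAY) -> Dict[str, Tuple[bool, str]]:
    """Evaluate one representative request per user; keyed by user id."""
    return {uid: evaluate(u, "journal_entries", "post", POLICY, today) for uid, u in USERS.items()}


if __name__ == "__main__":
    for uid, (ok, why) in decide_all().items():
        print(f"{uid:6} post journal_entries -> {'ALLOW' if ok else 'DENY '} ({why})")
    # Dynamic reassignment: moving alice out of finance removes her posting access
    # without any role change request.
    moved = UserRecord("alice", dict(USERS["alice"].attributes, org_unit="sales"), TODAY)
    print("alice after move ->", evaluate(moved, "journal_entries", "post", POLICY, TODAY))
```

Two design choices carry the article’s point. Access is derived at request time from the user record, so a change of operational unit or project takes effect on the next request with no role rebuild; and the evaluator denies, with a stated reason, whenever the record is stale or an attribute is absent, so weaknesses in the authoritative source surface as access-review findings rather than as silently over-permissive access.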
