How to manage access to critical data to protect privacy?

Protecting intellectual property and confidential personal, financial, and business information is a business priority, and often a legal requirement. To secure their data and ensure that only authorized people have access to it, organizations use a variety of access management disciplines. Access management includes identity management solutions that control permissions for critical data stores by managing Access Control Lists (ACLs). But identity management solutions in isolation risk access inflation, workarounds, and coverage gaps.

Comprehensive access management deploys identity management within a framework that includes disciplines for data protection, integration with hiring and promotion, and especially monitoring. Monitoring augments access management with a second line of defense, protection against unanticipated threats, a source of feedback for the continuous improvement of access management practices, and an audit trail.

The transition to comprehensive access management disciplines starts with an inventory and classification of data and a definition of appropriate IT security controls, along with the creation of a risk model to establish priorities. Typically, this planning process identifies areas of inappropriate access despite restrictive access rules, along with poorly defined controls, inadequate monitoring, and no real metrics for program effectiveness. Once under way, comprehensive access management relies on tight integration with business processes and frequent audits to maintain alignment with policy. And it depends on monitoring to identify, prioritize, and respond to unauthorized access.