New day, new data breach. Or at least that’s how it feels.
From Uber to MailChimp, even the most technologically advanced and capable companies seem to struggle with keeping sensitive data safe and secure. And much of it comes down to one major data security pitfall – authorization oversight.
Authorization is the process of granting or denying access to resources or information based on the user’s role, privilege, and responsibility. Authorization oversight occurs when organizations fail to properly manage and monitor these access rights. Overprivileged rights are a giant liability for companies. Many companies – especially large enterprises – don’t use or monitor all of their data access permissions, dramatically increasing the potential risk of sensitive data exposure. Insider threats also pose great risk, as employees can knowingly or unknowingly expose sensitive data if permissions are too loose.
The authorization oversight problem
Authorization oversight leads to increased risk of data breaches, theft, and misuse of confidential information. Indeed, unauthorized access has been a leading cause of breaches for the past several years. Some notable data breaches impacted by authorization issues are outlined below:
- MailChimp (2023) – Recently, a hacker gained entry to the email marketing giant’s records via a social engineering attack, including those of enterprise customers like WooCommerce. This is not the first time that MailChimp has been targeted. Just six months ago, a similar social engineering attack compromised records, and in 2019 a vulnerability was exploited by attackers, resulting in unauthorized access to account information for a number of MailChimp users, including email addresses and encrypted passwords.
- DCH Health System (2023) – DCH Health System in Tuscaloosa, Alabama recently notified its patients of a data breach after it discovered that one of its employees had been accessing electronic medical records of patients for over a year “without a legitimate business need related to the employee’s job duties.”
- Marriott International (2018) – In one of the largest data breaches ever, a hacker was able to gain unauthorized access to the Starwood guest reservation database due to a vulnerability in the database’s web server software, compromising the sensitive information of more than 300 million guests and resulting in $23.8 million in fines. Even more troubling, during the investigation it was learned that there had been unauthorized access to the database network since 2014.
- Uber (2016) – The notorious breach that saw 57 million users’ information exposed, including full names, email addresses, telephone numbers and driver’s license numbers – and led to a conviction of the company’s former CSO for attempting to cover up the breach – was caused by hackers using stolen credentials to obtain a proprietary access key that they used to access and copy large quantities of data.
There were several factors at play in these attacks, including social engineering, malware, and application vulnerabilities. But regardless of how an attacker gets in, had proper authorization and access controls been in place, sensitive data might not have been accessed, stolen, and exploited.
How to fix authorization oversight
Authorization oversight is linked to inadequate access controls. Many organizations rely on manual processes for managing and monitoring data access rights, making it difficult to keep up with the constant changes in user roles and responsibility. This lack of visibility can lead to the wrong people getting access to databases or user accounts, making it easier for bad actors to steal or destroy private data. A study by IDC found 83% of companies have had at least one access-related cloud data breach, and 60% cite insufficient visibility and access controls as a major security threat.
With effective access controls in place, users can clearly understand what data they are allowed to access, and can request and gain access to that data quickly as long as it aligns with the company’s security policies. Furthermore, access can be revoked once the data is no longer in use. The optimal application of this is a zero-trust model known as a just-in-time (JIT) access approach – giving specific users access to specific data for a specific length of time.
Once proper access controls are in place, it’s important to train employees and continuously review access policies. Without proper training and awareness, inappropriate access may be granted accidentally or never revoked. Employees need to understand the importance of proper access management and the consequences of misusing access rights. Organizations also need to regularly audit and review access controls to ensure that they are in line with user roles, responsibilities, and business needs so that they don’t miss warning signs of unauthorized access.
| Examples of ineffective access controls | Examples of effective access controls |
|---|---|
| Not monitoring admin privileges | Providing temporary (just-in-time) access to data as needs arise |
| No user segmentation | Requiring users to be continuously authenticated, authorized, and validated |
| Providing constant access to the data | Shutting down accounts that are no longer active rather than leaving them dormant |
| Having one user sign-in that many others use | Quickly identifying and responding to irregularities |
| Not revoking access once a user leaves or changes roles | |
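As an added example (not code from the original article), the JIT model described above and the review checks from the table, written as a small Python grant store: every grant carries an expiry, authorization is only valid inside that window, and an audit flags dormant accounts, grants whose user has left or changed role, and long-standing access. The user names, resource name, thresholds and sample dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class User:
    name: str
    role: str
    last_login: datetime

@dataclass
class Grant:
    user: str
    resource: str
    granted_role: str     # role the user held when access was approved
    expires_at: datetime  # JIT: every grant carries a hard expiry

def grant(store, user, resource, duration, now):
    store.append(Grant(user.name, resource, user.role, now + duration))

def is_authorized(store, user, resource, now):
    # Authorized only while an unexpired grant for this exact resource exists.
    return any(g.user == user.name and g.resource == resource and now < g.expires_at
               for g in store)

def audit(store, users, now, dormant_after=timedelta(days=90), max_window=timedelta(days=30)):
    # Flags the ineffective-control patterns from the table above; expired grants are inert.
    findings = [f"dormant account: {u.name}" for u in users.values()
                if now - u.last_login > dormant_after]
    for g in (g for g in store if g.expires_at > now):
        u = users.get(g.user)
        if u is None:
            findings.append(f"grant outlives user: {g.user} -> {g.resource}")
        elif u.role != g.granted_role:
            findings.append(f"role changed since grant: {g.user} -> {g.resource}")
        elif g.expires_at - now > max_window:
            findings.append(f"standing access: {g.user} -> {g.resource}")
    return findings

def demo():
    # Constructed scenario: 4-hour JIT grant, year-long standing grant, departed admin's grant.
    t0 = datetime(2023, 3, 1, 9, 0)
    clerk, dba = User("clerk", "billing", t0), User("dba", "dba", t0 - timedelta(days=120))
    store = []
    grant(store, clerk, "patient_records", timedelta(hours=4), t0)
    grant(store, dba, "patient_records", timedelta(days=365), t0)
    grant(store, User("ex_admin", "admin", t0), "patient_records", timedelta(days=365), t0)
    clerk.role = "marketing"  # role changed after approval, grant never re-reviewed
    return (is_authorized(store, clerk, "patient_records", t0 + timedelta(hours=1)),
            is_authorized(store, clerk, "patient_records", t0 + timedelta(hours=5)),
            audit(store, {"clerk": clerk, "dba": dba}, t0 + timedelta(hours=2)))
```

The departed admin is modelled as removed from the user directory but not from the grant store, which is exactly the "not revoking access once a user leaves" row of the table.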
Amp up access controls & reduce risk
Authorization oversight is a significant data security pitfall that puts companies at great risk. It’s time for organizations to amp up their access controls. While a JIT approach won’t prevent every cybersecurity threat, when activated properly, it is the most effective way to minimize the risk associated with an attack by granting authorized users just enough privileges so they can access the data they need to do their jobs.
Could the above data breaches have been minimized if proper access controls were in place? Yes.
At their core, all of those breaches come down to privilege issues. At many companies, too many users have too much access to data. In many cases, it is prolonged access to data that isn’t even being used. With sophisticated attacks that are hard to detect, like social engineering, companies must consider implementing zero-trust data access policies to keep sensitive data out of the wrong hands. At the very least, organizations should have time constraints in place for users that don’t need to access sensitive data for their day-to-day jobs.
These kinds of measures often extend beyond the attacked company, as data breaches can also have a cascading effect; for example, how MailChimp customers WooCommerce and FanDuel are now working to protect their own customers. In the case of the DCH Health System breach, had proper access controls been in place, the employee would never have been able to access patient records at all, let alone for more than a year before being caught. And Marriott would have known that their data was being accessed without authorization before four years and $23 million had gone by.