Published in The CISO Den
The killer feature that would improve the cybersecurity of all business applications

But has never been implemented yet


Making sure that there is a good fit between what users can do with an application and their job description is hard. The main reason is that it is difficult to have, in one place, both the knowledge of what the organization needs and the technical knowledge of what the application can do, what the security implications are, and how best to translate the business requirements into roles and permissions. My Identity Management Vulnerability Taxonomy identifies several vulnerabilities connected with this issue:

  • IMV202110–05: Active user account exists belonging to a user that currently does not have a relationship with the organization
  • IMV202110–12: Application has too many admins
  • IMV202110–13: User account or role permissions do not match business requirements
  • IMV202110–14: Role business owner is unknown
  • IMV202110–16: User accounts of non-employees do not expire
  • IMV202110–17: The internal manager of a non-employee account is unknown
  • IMV202110–26: No process for approval when a user moves to a new job

While using a ULXAC model for assigning roles and permissions can certainly help, as it makes the translation from business requirements to technical/security requirements simpler, the one killer feature is this:

Users should be able to see what other users have permissions equivalent to theirs.

If this were implemented, the burden would no longer fall on the admins to produce lists of who can do what, find valid stakeholders who can validate them, and find the gaps between the implementation and what the business needs. Instead, the users themselves would be able to pinpoint mismatches: movers that retain permissions from previous roles, users that have admin rights but shouldn’t, and so on.

This one feature, with the proper training and incentives, would give the admins all the information they need to keep application permissions and business requirements in sync with low effort.
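To make the feature concrete, here is an added example (my own illustration, not code from the original post or from any product) of what a "who has permissions equivalent to mine" view computes, and of the two mismatch patterns described above: a mover who kept a previous role, and a user holding admin rights that colleagues with the same job title do not have. The role definitions, users and job titles are constructed sample data; the heuristic compares each user against the permissions shared by everyone with the same job title, which is an assumption about how a reviewer would define "peers".

```python
"""Peer-visibility check for application permissions (added example).

Given role definitions and user/role assignments, compute each user's
effective permission set, list the other users whose effective permissions
are equivalent, and flag users whose permissions exceed the baseline shared
by colleagues with the same job title. All data here is constructed.
"""
from collections import defaultdict

# Constructed sample data: role -> permissions granted by that role.
ROLE_PERMISSIONS = {
    "invoice_clerk": {"invoice.read", "invoice.create"},
    "invoice_approver": {"invoice.read", "invoice.approve"},
    "reporting": {"report.read"},
    "app_admin": {"admin.manage_users", "admin.manage_roles"},
}

# Constructed sample users: name -> (job title, assigned roles).
USERS = {
    "alice": ("Accounts Payable Clerk", {"invoice_clerk"}),
    "bob": ("Accounts Payable Clerk", {"invoice_clerk"}),
    # carol moved from approver to clerk but kept her old role (a "mover")
    "carol": ("Accounts Payable Clerk", {"invoice_clerk", "invoice_approver"}),
    "dave": ("Finance Manager", {"invoice_approver", "reporting"}),
    # erin is a clerk who was given admin rights and never lost them
    "erin": ("Accounts Payable Clerk", {"invoice_clerk", "app_admin"}),
    "frank": ("IT Administrator", {"app_admin"}),
}


def effective_permissions(user, users=USERS, roles=ROLE_PERMISSIONS):
    """Union of the permissions of every role assigned to the user."""
    _, assigned = users[user]
    perms = set()
    for role in assigned:
        perms |= roles[role]
    return frozenset(perms)


def peers_with_equivalent_permissions(user, users=USERS, roles=ROLE_PERMISSIONS):
    """The feature itself: other users whose effective permissions equal mine.

    A user seeing this list can recognise a name that does not belong there
    (for example someone who left their team) without knowing role internals.
    """
    mine = effective_permissions(user, users, roles)
    return sorted(
        u for u in users
        if u != user and effective_permissions(u, users, roles) == mine
    )


def find_mismatches(users=USERS, roles=ROLE_PERMISSIONS, admin_prefix="admin."):
    """Heuristic review to help admins and users spot mismatches.

    For every job title held by at least two users, the baseline is the set
    of permissions all of them share. Anything a user holds beyond that
    baseline is reported, classified as "admin_rights" when it includes a
    permission under the (assumed) admin prefix, else "excess_permissions".
    """
    by_title = defaultdict(list)
    for u, (title, _) in users.items():
        by_title[title].append(u)

    findings = []
    for title, members in by_title.items():
        if len(members) < 2:
            continue  # no peer to compare against
        baseline = frozenset.intersection(
            *(effective_permissions(u, users, roles) for u in members)
        )
        for u in members:
            extra = effective_permissions(u, users, roles) - baseline
            if extra:
                kind = ("admin_rights" if any(p.startswith(admin_prefix) for p in extra)
                        else "excess_permissions")
                findings.append((u, title, kind, sorted(extra)))
    return sorted(findings)


if __name__ == "__main__":
    for name in USERS:
        print(f"{name}: peers with equivalent permissions -> "
              f"{peers_with_equivalent_permissions(name)}")
    for finding in find_mismatches():
        print("mismatch:", finding)
```

The peer view is what a user would see; the mismatch report is what the same data gives an admin. A user with a unique job title gets no baseline and therefore no finding, which is exactly the case where a named role business owner (IMV202110–14) is still needed.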

So far I have seen zero applications that implement this, and you?

Further Reading

If you are interested in Identity Management you may enjoy checking:
