What Megaplex Theaters and Access Management Have in Common

by in Security
How is managing user access to IT resources like managing customer access to movies at a megaplex theater?

Both megaplex managers and IT managers must weigh the cost of enforcing access rules. Megaplex rules generally prohibit theater hopping, the practice of paying to see one movie, then sampling other movies in the megaplex for free. And IT security rules (access governance rules) generally prohibit unauthorized access to data and applications.


Assuming they decide to enforce the rules in some fashion, both megaplex managers and IT security managers must decide how to enforce them.

For example, megaplex managers might decide that hiring a legion of ushers to check customer tickets at every theater entrance would cost more than allowing customers who paid for a single movie to theater hop. So these managers might settle for checking tickets only at some theater entrances, such as theaters showing expensive 3-D movies, and rely on the honor system to govern access to other entrances. Similarly IT managers might put extra safeguards (least-privilege, or need-to-know, restrictions, for example) in place only for their organizations' most critical data and applications, while relying on the honor system to govern access to assets that are less critical.

Managing Least-Privilege Access Governance

Least-privilege-governance statutes abound. You can find them in PCI DSS, GLBA, HIPAA and other national mandates. If your organization is bound by one or more of these compliance mandates, your IT compliance team has much less freedom to craft a governance-access solution than do megaplex managers: your manager must not only prevent unauthorized access to data and applications, but must also be able to identify who has access to what and reduce access to the minimum number of people who need it.

If megaplex managers had to comply with these same mandates, they would have to hire that legion of ushers after all, regardless of cost. And the ushers would need to do more than check tickets at theater entrances. They would also need to check tickets in the middle of the movie, similar to today’s access recertification process, regardless of how customers might feel about this.

Further, they would somehow have to prevent customers who bring their own devices to the theater from stealing movie clips, or downloading their own movies from the cloud, disrupting the corporate-provided film.

Finally, they would need to limit privileged user access (the guys who run the films) and contractor access (the suppliers of popcorn) just as they would customer access.

Implementing Access Certification: The Ultimate Ticket Checker

Fortunately for IT managers, they can limit both compliance costs and user dissatisfaction by adding an automated access certification component to their identity and access management solution (no need for a posse of mid-film ticket checkers here).

The access certification component collects entitlement data across all applications. Management can then review a centralized report to check for things like access creep, which can happen when users change roles while maintaining old access rights. But after management identifies excessive entitlements, what’s the next step? In megaplex words, when you know someone doesn’t have a ticket, you should evict him or her from the theater.

Revoking Access (Access Certification is Useless if You Don't)

Just as ticket takers should evict people without appropriate tickets, IT administrators should revoke unauthorized access as soon as they discover it. However, the staggering number of applications, mobile users and cloud services make manual revocation a challenge. IT administrators can't keep up.

IT compliance often emphasizes access certification to make auditors happy and wrongly assume that IT administrators will have time to revoke access, thereby completely meeting regulations. And since auditors won’t likely catch every missed revocation, it’s possible to meet compliance and still be at risk. From a security standpoint it’s useless to collect and certify access unless your organization has an effective revocation process in place.

Automating Access Revocation

If your organization is already using automated access certification to meet compliance, it should consider an automated access revocation process to ensure security. Identity and access management (IAM) platforms that don’t integrate with financial applications or data stores to automatically revoke access provide a gap that malicious insiders and hackers can exploit. Access creep happens in every enterprise. Keep the creeps in the movies and off your network.


Identity & Access Mgmt