Real Business Magazine
Tags Strategy, Security, Risk Compliance Governance (GRC)

Who's on first?



Do you know who's rummaging through your systems right now? As John Lamb discovers, you may stumble across quite a few surprises if you start exploring the back streets of your company's network.


Hackers may grab the headlines, but most computer security breaches are inside jobs involving little or no technical knowledge.

Fraud or access to confidential information usually happens when basic security procedures governing access to information break down. For example, one former City trader accessed the customer trading system at his former employer because his privileges had not been revoked, and went on to recruit his old customers to his new business. In another case, a senior executive emailed technical drawings of his employers' latest products as attachments to his home address, and set out on his own. No one had thought to stop sensitive information from leaving company systems.

"Statistically, 75 per cent of computer incidents are perpetrated by insiders or people accidentally getting inside systems," says Peter Jopling, head of Tivoli Security Management at IBM. "It's rare for corporate systems to be hacked by external people, unless targeted." Many large companies still handle security manually, with telephone help desks to issue passwords and change the accounts that an individual can access. It's a slow, inconsistent system that is prone to errors. Each call can cost approximately £10 and this expense comes straight off the bottom line.

When organisations are dealing with hundreds or thousands of people, many of whom may not even be employees but work for business partners, it's very difficult to keep pace. Password calls to a help desk alone can easily amount to a third of all queries. Add in mergers, acquisitions and staff turnover, and it's a recipe for disaster.

Who goes there?


To solve the problem, many businesses are looking at identity management systems to automate parts of their corporate security, from authentication (who users are) to authorisation (what they can do), as well as monitoring their activities and providing detailed security reports.

Managed security services company Integralis understands the pressures placed on IT departments prior to implementing a dedicated identity management system. Brett Gribble, director of Security Management Solutions, explains: "IT people are often the first to know when someone is due to leave a business – even very senior people within an organisation. This places undue, and possibly misplaced, pressure on IT staff and is better handled by HR.

"Previously, this wouldn't have been possible without an identity management system capable of delegation. Now, an HR department can remove employee privileges through a secure automated interface without overburdening the IT department."

Big changes are taking place in the way systems are secured. The growth of e-business means more systems and files. When everybody in a company needs to log on to a database, the number of different access levels required mushrooms – and manual security processes slow down work rates, especially when people forget passwords.

More and more companies are taking a single sign-on approach, which calls for high levels of initial security and close management of the accounts individuals can access. Passwords themselves are under review, because they’re so easily compromised. They’re passed round like canapés or written down and stuck to desktop monitors. Instead, security-conscious companies are investing in alternatives such as digital certificates, one-time tokens, smart cards and biometrics, which measure unique human characteristics. These are surer methods of authenticating and authorising users, especially in highly networked organisations that may be catering for mobile employees using wi-fi.

For example, the T42 ThinkPad notebook PC is equipped with a fingerprint scanner to ensure that the right person is on the other end of the line. ThinkPads also store sensitive information such as passwords and digital certificates in a tamper-resistant module.

Access all areas?

Automation is vital to security systems: "Identity management is about automating and streamlining resource access in your company," says Jopling. "Manual methods take time and can be set up incorrectly. Security needs to be quick, consistent and able to adapt to business changes."

A good system allows a business to enforce reliable security processes. For instance, when someone wants access to additional files, the system will take care of getting appropriate authorisation as well as alerting administrators to exceptions: "They help you enforce your security policy, by allowing people to do some things and not others," adds Jopling. "You can easily create a workflow process for changes that require an OK from the boss."

Gone are the days when it was possible to call an administrator for a password extension – an automated system holds a directory of users and their privileges, and flags up any breach of company policy. It can automatically reset passwords and manage sign-on. It will handle the steps involved in both setting up an account and closing it, and delete "orphan" accounts, which are no longer acceptable in business today. Identity management systems must include a self-serve password-reset feature, letting a user change their password and unlock system access without calling the help desk. Resetting can be done via a standard browser, with users authenticated by questions only they could answer.

Automating this aspect of security has important cost implications: "We can measure how often you change accounts and the numbers of help desk calls and map its cost," Jopling says. "It's possible to eliminate those overheads almost entirely. Instead of thousands of calls per month, you can reduce them to two or three. Typically, the return on investment is nine to 14 months for larger organisations.

"Then there's the convenience factor: the self-help aspect makes it easier, the speed of making changes goes up, productivity improves, and security policy is enforced."

Identity management can also help a business comply with corporate governance regulations, as only those authorised to see or amend files can do so. They can also provide a record of who has accessed information, proving it has been securely kept.

"An identity management solution lets businesses review existing access control policies, comply with legislative standards and ensure that the right people can access the right information assets at the right time. It can make IT a true enabler for secure data access and organisational compliance," points out Integralis' Gribble.

"It's important that such a project has the buy-in of key stakeholders across a business. It must demonstrate a reduced cost of ownership along with improved security and compliance. This is most often successfully achieved by working with a partner who understands not only the business needs of the organisation and the technologies, but also corporate governance regarding identity management in a corporate environment."

Security is a major issue in business; only with effective tools can senior managers be sure that the vital information on which their enterprise depends is safely under lock and key. 



