It is, sadly, often the case that the greatest IT security threats to your business are not to be found on the outside but among legitimate service users. Sloppy security practices (e.g. the setting of very weak passwords) among employees can expose companies to significant levels of risk. This article gives an excellent overview of how insider risk can be minimized through the implementation of an Identity and Access Management (IAM) solution.
The Identity and Access Management Advantage
It comes as no surprise that the largest threat to corporate security originates from within the organization. The impact of insider threats can damage relationships with key stakeholders including customers, inevitably resulting in loss of sensitive intellectual property and, ultimately, revenue. The most alarming repercussion from such incidents is that in most cases the enterprise had a corporate security policy that was capable of avoiding the intrusion had processes been followed. When the incident is reviewed, it is clear that a lot of the time the fault doesn’t lie with the policy or processes themselves but with people, information systems budget, lack of resources and systems that permit discretionary configuration.
An organization with many facilities, thousands of employees and partnerships with third-party contractors may find it extremely difficult to provision resources in line with corporate policy, given limited service desk resources and the budgetary pressures of the current global financial crisis. It becomes a crucial role of the CIO to ensure that the organization is capable of cost-effectively streamlining the tasks of provisioning roles & responsibilities of all resources and that each entity is accountable.
The largest security hole in the network is, by far, the user. Your business needs to efficiently provide access for extranet partners, suppliers or vendors to confidential information securely and seamlessly. An Identity and Access Management (IAM) solution allows businesses to mandate strict automated process control and build compartmentalized roles to deal with specific job requirements. If a new user is introduced into the organization, the accounts and privileges necessary to complete the job description can be rolled out across the enterprise automatically. The customizable provisioning or revoking of resources, along with self-serve portals that allow users to reset their own passwords, decreases the service desk overhead enormously. This means employees don’t waste time requesting passwords, while service desk operators don’t waste time resetting user accounts on multiple directory servers, application servers and workstations.
An employee may have many roles in an organization, and it can be a difficult task to remove all access to the resources assigned to the user when they change positions or leave the organization. In the case of a disgruntled employee, the time taken by the tedious task of removing access is a perfect and large enough window of opportunity to steal intellectual property, sensitive financial records or customer data. The IAM solution allows an administrator to revoke all of the employee’s access instantly with enterprise-wide lockouts. Least privilege can be applied to resources not only in policy but in enforcement, so that employees cannot make changes that breach security policy. If a process were to change in accordance with a new security standard or practice, the manager can easily sign off on the new workflow and implement the changes.
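The joiner, mover and leaver cases described above can be expressed as one reconciliation step: compare what the target systems grant with what the user's current roles justify, then apply and log the difference. The following is an added example, not code from any IAM product; the role names, systems and entitlements are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role model: each role maps to (system, entitlement) pairs.
ROLE_ENTITLEMENTS = {
    "accounts-payable": {("erp", "invoice.approve"), ("fileshare", "finance-ro")},
    "sales-rep": {("crm", "opportunity.edit"), ("fileshare", "sales-rw")},
    "contractor": {("vpn", "extranet")},
}

@dataclass
class Identity:
    user: str
    roles: set = field(default_factory=set)
    active: bool = True

def entitled(identity):
    """Access justified by current roles; a disabled identity justifies none."""
    if not identity.active:
        return set()
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in identity.roles))

def reconcile(identity, actual):
    """Diff what the target systems grant against what the roles justify."""
    want = entitled(identity)
    return sorted(want - actual), sorted(actual - want)

def enforce(identity, actual, audit):
    """Apply the diff and record every change for the compliance report."""
    grant, revoke = reconcile(identity, actual)
    for item in revoke:
        actual.discard(item)
        audit.append((identity.user, "REVOKE", *item))
    for item in grant:
        actual.add(item)
        audit.append((identity.user, "GRANT", *item))
    return actual

def demo():
    audit = []
    alice = Identity("alice", {"accounts-payable"})
    access = enforce(alice, set(), audit)   # joiner: role-based provisioning
    alice.roles = {"sales-rep"}             # mover: old finance access must go
    access = enforce(alice, access, audit)
    alice.active = False                    # leaver: enterprise-wide lockout
    access = enforce(alice, access, audit)
    return access, audit

if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```

Running `reconcile` on a schedule against each system's real account list also surfaces access granted outside the workflow, since anything not justified by a role appears in the revoke list.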
In the earlier days, before sophisticated attacks were conducted by hackers, a person could simply take a dictionary list and brute-force password credentials because people used weak mnemonic practices to remember their passwords. It still amazes me how many penetration tests we have conducted that reveal simple dictionary words and usernames for accounts with significant security privileges. This threat can be addressed by enforcing that all passwords across the enterprise conform to strict standards specified in the enterprise security policy.
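A password policy of the kind described above has to catch dictionary words and usernames even when they are disguised with character substitutions and padding. The check below is an added example, not part of the original article; the word list, the minimum length of 12 and the substitution table are assumptions chosen for illustration.

```python
import re

# Constructed sample list; a real deployment would load a much larger
# banned-password list maintained by the security team.
BANNED_WORDS = {"password", "welcome", "summer", "dragon", "company"}
# Common character substitutions mapped back to the letters they stand for.
LEET = str.maketrans("0134578@$!", "oleastbasi")
MIN_LENGTH = 12  # assumed policy value, not taken from the article

def normalise(text):
    """Lower-case, undo common substitutions, then drop non-letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def violations(username, password):
    """Return the policy rules that the candidate password breaks."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("too short")
    core = normalise(password)
    user = normalise(username)
    # Very short usernames are skipped to avoid rejecting unrelated passwords.
    if len(user) >= 3 and user in core:
        found.append("derived from username")
    if any(word in core for word in BANNED_WORDS):
        found.append("contains dictionary word")
    return found

def accept(username, password):
    """Gate for a password-change or self-service reset workflow."""
    return not violations(username, password)

if __name__ == "__main__":
    for candidate in ("dragon", "P@ssw0rd2024!", "JSmith!2024xx",
                      "violet-kettle-orbit-92"):
        print(candidate, violations("jsmith", candidate))
```

Applying the same function at every point where a password can be set, including the self-service reset portal, keeps the rule consistent across directory servers and applications.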
Centralized management of the IAM solution allows administrators from different business units to export and review detailed usage reports. In several products this data can be exported to other reporting technologies for further review and analysis. This makes compliance reporting and tracking information disclosure painless because the IAM solution will track user accesses and activities within a business role. This provides evidence to auditors that processes are being enforced across the board and that users are not provided with access to unnecessary assets.
Today’s economic climate may make the executive board a little nervous about investing in a successful IAM solution due to technology, training and human resource costs. Stigma regarding IAM has propagated throughout the industry because of solutions that failed due to a lack of resources to manage the project and administer the identity solution. An outsourced solution can provide the benefits of IAM without the huge initial cost of ownership. A managed service provider can supply experts to deploy, configure and maintain the infrastructure, whilst your organization specifies and constructs policy and process models. This ensures you have a sophisticated low-cost solution with a high return on investment.
Identity management helps the overall business maintain strict, auditable control over employees, partners, customers and suppliers. It is an invaluable tool that automates many business processes to ensure the organization is safe and secure. The ability to aggregate and centralize management of time-consuming tasks decreases administrative overhead, enforces compliance, streamlines security processes and allows information security managers to have enormous control over their business.