Identify to comply

Strategies can ensure good control through identity management

Fran Howarth: Security policies are only useful if an organisation can ensure they are enforced

Compliance is a word on everyone’s lips. But it does not just mean regulatory compliance. Rather, all firms need to ensure that compliance is enforced.

One of the most pressing concerns for organisations is ensuring that sensitive data does not leak out of the company, potentially leading to damaged reputations or financial loss.

To guard against this, organisations are increasing their investments in security technologies, from point solutions such as content filtering to prevent leakages to full-blown identity management systems.

While hackers are targeting specific organisations or individuals to steal valuable information, looking for vulnerabilities in networks that can be exploited, most of the incidents of data loss that have been in the press recently were caused by inadvertent actions of employees or, in some cases, by carelessness.

According to the latest survey by the Computer Security Institute, insider abuse of network access may be the most prevalent security problem facing organisations. This was reported by 59 per cent of respondents. Identity management systems solve the problem of policing who is accessing what, when and what they have done with the information afterwards.

Such information is vital for proving through audits that effective security controls have been put in place and that organisations comply with set policies.

Putting in the hard work
This fact is not lost on organisations. The same survey found that, after compliance with regulations and data protection in particular, solving identity management issues is seen as the second most pressing concern for companies.

However, putting in place an identity management infrastructure is a long and arduous task.
During a recent webinar in which Quocirca participated, attendees were polled on what identity controls they had implemented. All firms polled indicated they realised the importance of compliance auditing and securing access to computers, systems and data, with most putting such controls in place in their businesses.

But security policies are only useful if a company can ensure they are enforced. One of the best ways to do this is to tie all actions taken to the individual perpetrator.

Respondents were asked whether they thought user name and password combinations were sufficient for tying a user’s identity to their actions.

Our results showed organisations agree that stronger authentication is required for users, with most on the road to supplying network users with some form of additional security token providing an additional layer of security.

However, all organisations experience employee churn and not all staff members leave with a rosy view of the company.
To prevent anyone causing deliberate harm at a time their loyalty is likely to be weakest, access rights should be revoked as soon as possible after their employment has ceased, preferably immediately.

Still a long way to go?
Yet the results of the poll indicate that 44 per cent of organisations open a considerable window of opportunity for miscreants to do their deeds. It is harder bringing someone to account when they are no longer your employee.

The poll suggests that compliance is an issue facing every organisation. Also, all respondents accept they do need stronger authentication of network users.

Such authentication provides more reliable evidence that security policies are being enforced by making individuals more accountable for their actions.

Identity management systems ease the burden of proof required for passing compliance audits, but for many organisations, watertight identity controls remain a nirvana yet to be reached.