Maintaining security during retrenchments


The disgruntled employee may best be personified by the spate of U.S. Postal Service shootings in the early 1990s. But in today's technologically advanced landscape - where not just official employees have access to sensitive information, but so do contractors, consultants and other vendors - an insider bent on revenge can crush a company without having to resort to an Uzi.

In just the past year or so, there have been numerous examples of how much a seemingly trusted person can get away with. Arguably the most stunning instance came early last year when a 31-year-old trader from Société Générale exceeded his system privileges to disguise $7 billion in fraudulent trades. The French bank was forced to raise the lost capital from shareholders.

Société Générale apparently fell short in a number of security areas, but most observers pointed to its inability to control unauthorised access as the chief reason for the event. And, Dorey says, that is one part of the security stance that businesses cannot overlook.

"Anytime someone leaves the company or feels dissatisfied with their employer, there is a threat of data leakage," he says. "It's not surprising that everyone is talking about information and data leakage. But other controls to protect data are pointless if you don't have proper identity and access controls in place."

While the insider threat is certainly a driver, most organisations embark on identity and access management (IAM) projects for two other, more cost-oriented reasons: compliance (to avoid fines) and business enablement (to improve ROI).

Mandates, such as Sarbanes-Oxley, HIPAA and the Payment Card Industry Data Security Standard, require the implementation of strong access controls, while the upcoming Massachusetts data security law, considered by many to be the strictest in the country, also will impose access restrictions.

Meanwhile, a robust IAM framework has a cost benefit for businesses by, for example, freeing up servers and software licenses and decreasing expensive development cycles for individual authentication and authorisation mechanisms, says Perry Carpenter, a research director with Stamford, Conn.-based analyst firm Gartner.

"IAM does have some ancillary benefits that folks will tout as cost-savings mechanisms," he says. "Whether they are ever realised in a company is unknown due to deployment challenges."

For years, companies have been trying to implement centralised IAM, but the process is often slowed or stymied altogether because of the sheer size of such projects, which must connect every piece of the business.

"With access management, either it works or it doesn't," says Brian Holyfield, co-founder of New York-based Gotham Digital Science, a risk consultancy. "Everyone notices pretty quickly. If you don't get it right, the help desk gets flooded with calls. If I can't get in, I can't do my job."

Still, while an IAM implementation may prove too costly and confusing for small businesses to even bother with, it is a must-do within medium and large companies, end-users say.

Technology evolution
The basic concept of IAM is to ensure employees only have access to what they absolutely need access to. Microsoft Active Directory does a good enough job of authenticating users, but does little for assigning privileges across applications, and cannot deal with systems external to the enterprise, experts say.

Technology, however, is maturing, allowing for simpler automation to both accomplish these tasks and meet compliance demands, industry observers say.

Copyright © SC Magazine, US edition