Maintaining security during retrenchments


Carpenter says advancements have been made in user provisioning (and de-provisioning) and role/entitlement management. The latter, he says, allows businesses to analyse workers to determine what attributes describe them.

"The old way that things worked was that John Doe transfers or gets promoted," Carpenter explains. "He asks for additional access, but his old access never goes away - and it may be totally inappropriate for him to have that. Properly done role management would make sure that as the attributes change that describe the user, the appropriate role gets assigned to him, which results in appropriate access."

Sachin Nayyar, chief identity strategist for Santa Clara, Calif.-based Sun Microsystems, says role-based access can also improve organisational efficiency by eliminating the need to manually determine what rights someone should have.

"Most companies will create access by copying another person," he says. "But when you don't have role-based control, you [will give] extra access."

Bilhar Mann, senior vice president of security product strategy at Islandia, N.Y.-based CA, which recently acquired role management firm Eurekify, says the capability is especially important for firms specialising in IT and biotech, where intellectual property is a core asset.

"They are finding that finer-grain access was needed," he says. "It wasn't sufficient to have a broad stroke approach."

While role management may be the IAM technology de rigueur from the perspective of vendors, many end-users - even larger firms - are not quite ready for it.

"Most companies falter in trying to create pre-defined roles," Pioneer's Reissmueller says. "There are just so many combinations of what a user needs, and trying to automate that becomes near impossible. Most people doing automated user provisioning are creating a few generic roles and then tweaking. You just create generic definitions that hit most of your population and then tweak it from there."

At Atlanta-based Equifax, the 7,000-employee credit reporting agency with some 40 locations across 14 countries, the act of automatically classifying individuals by role would require a lot of coordination across many environments.

"It's a destination that we'll not necessarily ever get to," admits David Galas, VP of technology. "It's very complicated."

Instead, Equifax leverages Sun's IAM suite to automate user provisioning and de-provisioning, which means either creating an account and assigning authorities to it, or deactivating it once someone departs, he says.

On their first day of work, all Equifax employees start with the same clean slate. They sit down at their PCs and only have access to email, Galas says. Using their Windows NT login, though, they are able to request additional access through the company's intranet. Each request is manually vetted.

"We have a baseline of as minimal access as possible," Galas says. "Everyone gets an email account. However, if you need access to any system, including even basic things such as Windows file shares, you need to go through this process."

The IAM system is connected with human relations, so on their last day, users' privileges automatically are cut, he says.

So-called orphan accounts, though, remain commonplace. A survey conducted last year by Symark International, an IAM solutions provider, showed that 27 percent of 850 respondents reported that more than 20 orphaned accounts existed in their organisations. Another 30 percent said it takes more than three days to cut access, and 38 percent admitted to having no way of knowing whether a former employee had used their account to access data.

"It becomes more important now that the economy has turned down," Holyfield says. "There needs to be no guesswork and no fire drill involved. There needs to be a checklist that says that when this person gets laid off, we need to do these things and make sure their access has been cut off."
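The HR-linked de-provisioning and orphan-account problems described above come down to a reconciliation check: compare the HR roster against the identity store and flag enabled accounts that have no owner, that are still enabled more than three days after termination, or that were used after the termination date. The following is an added example written for this article, not code from Equifax, Sun or Symark; the roster, account records and the three-day threshold are constructed to mirror the survey figures quoted above.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample HR export (not from the article), keyed by employee id.
HR_ROSTER = {
    "E100": {"status": "active", "term_date": None},
    "E101": {"status": "terminated", "term_date": date(2009, 3, 2)},
    "E102": {"status": "terminated", "term_date": date(2009, 3, 9)},
}

# Constructed sample identity-store export: one row per account.
ACCOUNTS = [
    {"login": "aexample", "emp_id": "E100", "enabled": True, "last_login": date(2009, 3, 10)},
    {"login": "bexample", "emp_id": "E101", "enabled": True, "last_login": date(2009, 3, 6)},
    {"login": "cexample", "emp_id": "E102", "enabled": True, "last_login": None},
    {"login": "svc-batch", "emp_id": None, "enabled": True, "last_login": date(2009, 3, 1)},
]

AS_OF = date(2009, 3, 11)   # date the reconciliation is run (constructed)
SLA_DAYS = 3                # the "more than three days to cut access" threshold from the survey

@dataclass
class Finding:
    login: str
    kind: str     # "orphan", "late_deprovision" or "post_termination_use"
    detail: str

def reconcile(hr, accounts, today, sla_days=SLA_DAYS):
    """Return findings for enabled accounts that HR data says should not exist or be in use."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        rec = hr.get(acct["emp_id"]) if acct["emp_id"] else None
        if rec is None:
            # Enabled account with no HR owner: a classic orphan (service accounts need a named owner too).
            findings.append(Finding(acct["login"], "orphan", "enabled account with no HR record"))
            continue
        if rec["status"] != "terminated":
            continue
        age = (today - rec["term_date"]).days
        if age > sla_days:
            findings.append(Finding(acct["login"], "late_deprovision", f"still enabled {age} days after termination"))
        if acct["last_login"] and acct["last_login"] > rec["term_date"]:
            # Answers the "did a former employee use their account" question the survey respondents could not.
            findings.append(Finding(acct["login"], "post_termination_use", f"last login {acct['last_login']} after termination {rec['term_date']}"))
    return findings

def summary():
    """(login, kind) pairs for the constructed data, sorted for stable comparison."""
    return sorted((f.login, f.kind) for f in reconcile(HR_ROSTER, ACCOUNTS, AS_OF))
```

In practice the two inputs would be exports from the HR system and the directory or IAM suite, and the `orphan` and `post_termination_use` findings are the ones that belong on the layoff checklist Holyfield describes.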

Beyond pure IAM
Of course, IAM alone will not stop all insider theft, whether intentional or accidental, experts say.

An individual's rights may be strictly controlled, but if they are legitimately allowed access to confidential company data, other controls must be put in place. A survey from information management firm Cyber-Ark Software revealed that 47 percent of privileged users working in IT admitted to poking around in areas they should not have - but to which they were permitted.

Copyright © SC Magazine, US edition