As the security focus shifts from external to internal threats, user management is not only key to mitigating that risk but some implementations may also deliver some unexpected business value.
This is the view of Mark Baatjes, BMC Software product manager at African Legend Indigo, who contends that management of people is an important component of internal security. "Putting clear policies in place to ensure the right people have access to the right resources reduces risk and improves productivity."
The Ernst & Young Information Security Survey 2004 found that while the threat of external attacks in the form of viruses and other malicious code has declined with the improvement in anti-virus software, the threat of employee misconduct, fraud and systems misuse has increased.
Despite the fact that most respondents indicated an increased concern about the internal threat to security, the survey found that many are failing to provide significant management of these threats.
Baatjes agrees. "Most organisations are able to identify security risks, but often fail to address those threats effectively." He says the solution lies in providing effective user management in conjunction with the traditional tools for defending networks against attack.
"User management through identity management, security policy implementation and system auditing is key to BMC`s business service management approach to security. Tight policy-based access control goes a long way to mitigating internal security risks."
In addition to limiting and auditing users` access to network resources, Baatjes also recommends using a Web-based user authentication service and linking user management to human resources (HR) applications to eliminate the "huge" threat of ghost identities.
"Web-based user authentication means users can reset passwords only for their own user identities and HR integration ensures automatic suspension of users on leave as well as removal of users no longer employed by the company."
User management not only reduces risks to organisations` information assets, but can also deliver savings, concludes Baatjes. "By using Web-based password resetting, companies can save up to 80% of their help-desk costs and by using an auditing tool, around 35% of active licensing costs can be saved by eliminating inactive user accounts."
Share