Who goes there?

Tough economic times result in more insider threats, which means identity and access management needs to be on everyone's agenda.

By Paul Furber, ITWeb contributor
Johannesburg, 30 Apr 2009

In a perfect world, every action performed by any user in an organisation could be verified. It could be proven that a user was who he claimed to be, that he had the right permissions to use the services he was using, and that those particular actions could be indisputably tied to him.

In the real world, identity and access management (IAM) is considerably messier. Strong authentication is difficult both to sell to management and integrate quickly into a business' processes, not least because of the number of different combinations of access that can happen in a single day. A user may access company resources from work over the corporate LAN, the same network from home via dial-up, from a remote site via his cellphone or over a VPN on top of a public network somewhere else - this time using his laptop. Four different devices and four different access methods add up to a big headache for the modern CIO, especially as younger employees are demanding access to more services from within the firewall to get their jobs done.

“Mobile devices used to be just about voice and maybe some data,” says Gerard Sofianos, GM of Sybase Mobile, “but we're now seeing a lot of applications that are sending out credit card details, customer data and other sensitive information. It's a big challenge when you look at a big corporate, which has more than 2 000 operatives out in the field every day generating perhaps 10 000 invoices. There's considerable operational risk associated with that data.”

Safe as houses

Today's organisations don't have much of a choice. “Business is starting to realise that mobility is essential,” Sofianos adds. “It doesn't matter if it's blue-collar workers with product scanners or CEOs with PDAs. You need a single strategy that works across the business. The challenge is one of definition and management: what is a mobile device and how can it be managed properly in your architecture? I'm accessing customer price lists within the network and behind the layers of security; if I then send that list out, the mobile devices need to have that same level of security.”

The most robust authentication systems available today are based on two-factor systems. A user is given a PIN to a smart card or other electronic device that generates a one-time password. Only then is he allowed to access a resource based on an electronic policy that associates his identity with what he's allowed to do. Two-factor authentication with a smart card is not perfect, but it does balance good security with reasonable ease of use. The smart card is useless without the PIN, and the internal resource cannot be used without the password generated by the card. If both the smart card and the PIN are stolen, the thief would need internal access to the secured resource.

Jenny Dugmore, CEO of FireFlight Mobile Authentication Systems, points out that mobile security and mobile authentication are topical issues at the moment.

“The ability to authenticate yourself using a device that you have is very high priority in the US market,” she says. “We've seen incredible interest in two-factor authentication on mobile devices, especially from overseas. We can load a mobile application onto a phone and provide two-factor authentication using the OpenID standard for multiple applications.”

But, if a smart card gets into the wrong hands, it helps if you have a photo or some video.

Roy Alves, country manager of Axis Communications, says he's seen a significant uptake in the camera portion of his business.

“In the downturn, a lot of crime is being committed and retailers, in particular, are realising that they need to get their security houses in order. The big trend is integrating video with access control and security. Someone can steal an access control card and then have the run of a building. Tying that incident to a piece of video then becomes very important.”

One of the more unusual security threats Alves has come across involves extorting money from local retailers.

“Syndicates are now working in teams in certain retailers where one team will knock over a jar of onions, or something similar, and a member of the other team will pretend to slip and fall on the spilled product. They then sue the retailer for damages. Retailers don't want the bad publicity, so they will rather deal with the incident quietly and settle out of court. That sort of incident is one where a video clip, combined with an existing security system, will obviously help the retailer.”

Insider threat

Outsiders may pose their problems, but the insider is the person with the potential to do the most damage. Recent studies by US law enforcement agencies suggest that up to 90% of incidents in business relating to the loss of assets come as a result of staff who have privileged access to IT systems. Reports show that a staggering 57% of those responsible for the fraud should not even have had authorised system access at the time.

The security breach at Société Générale last year was a case in point. The bank's own investigation has revealed that the man at the centre of the SocGén scandal, Jerome Kerviel, bypassed security by misappropriating passwords and abusing the access he had to both the front- and back-office systems.

Patrick Devine, security and ID management practice lead at Cornastone, says today a network perimeter is no longer defined by network devices. “Instead, the people using the system - employees, customers, guest users, vendors and partners - constitute the new boundaries and potential new threats.”

Amir Lubashevsky, MD of Magix Integration, agrees. “It's not enough to have identity management because the biggest problem is people who have approval. People with administrator rights on the inside have access to all kinds of goodies. If you want to prevent unauthorised access, then the systems demand a different level of maturity of an organisation. The problem is that most companies are unaware of the threat that insiders pose.”

Some customers are starting to realise this, though. David Naude, product manager at SecureData Security, says he's finding that more customers, particularly those in financial services, are asking for more insider protection.

“The old layered approach that protects the organisation from the outside in is being looked at again,” he says. “Customers are asking for solutions to help them understand what their users are doing.”

Most companies have at least some checks in place to prevent employees overwriting or altering sensitive information, but sometimes, read access is all that's required.

“The problem is that read access has serious security implications,” notes Naude, “especially with something like credit card data. That's information that can be exploited without having to be modified. In fact, a thief normally doesn't want to make any changes because they don't want anyone to know the data has been read.”

Company secrets are another target that only requires read access. Buyile Ngcobo, SI business manager at GijimaAst, says one of the company's clients - a large pharmaceutical manufacturer - is having trouble with its formulas.

“The problem in its R&D department is that access isn't strict enough. People are stealing the recipes and giving them to their competitors. The challenge for us is how to convince them of a proper solution. Even five millilitres of a product can mean enormous losses to the company.”

Mining data

Keeping track of who copies what is certainly possible on a corporate PC, but the trick is to find actionable items in what can be a deluge of audit information. SecureData's Naude says a lot of customers are aware of the copying problem and have collected log data from a variety of systems by default, but they can't do anything with it.

“A lot of it is unreadable and there's too much of it,” he says.

Clint Mason, MD of Invisinet Technologies, agrees getting something meaningful from logs is the key issue.

“The biggest issue in identity management is how to mine the data you collect. You can put in whatever systems you like, but someone still needs to sort through all of the data. That's really where the capacity of internal security needs to come in. Creating an audit trail for the sake of having an audit trail doesn't assist anyone. You have to have the capacity to manage any exceptions. I haven't found customers anywhere who have the ability to mine the data very simply. Although they should be, companies are not concentrating on internal security at the moment. It's more about [reducing] costs and more sales.”

Unfortunately, many employees are under more pressure. As the economy slows, so the temptations increase. Customer databases, salary information and company funds make more inviting targets when money is tight.

Fred Mitchell, security business unit manager at Drive Control Corporation, concurs that if something is copied, there needs to be an audit trail in place. And he speaks from experience.

“I've sat in a job interview with an applicant who had stolen databases from three other companies,” he relates. “My reaction was, 'I'm not going to employ you because then you will have four databases instead of three'. Having your identity verified is one thing, but once you're on a system, what are you doing? What are you copying? Where are you going on the system? That's very important, too. One of the products that we sell monitors who's printing what, for example. If someone is printing a thousand pages, it can end up costing you a fortune.”

Will the downturn hammer the security market? Mitchell doesn't think so. “Security is and always has been a grudge buy. Even though there's a downturn and the market will be eroded to some degree, customers will still need anti-virus and access control - those are needs and not wants. Without it, they will lose more money. The downturn will slow the market down, but won't break it.”

Hard sell

Comprehensive access control and identity management was a tough sell even during the bubble years. Will increased threats from insiders give it the push it needs? That depends on the maturity of the organisation and how it's structured.

For one thing, breaches often fall between the cracks in departments. Does a problem belong to auditing, compliance or internal security? Does finance have a say? When disparate security systems are integrated, it's almost always their interaction points that are attacked. Organisations that recognise this will benefit. Vendors that can help minimise those points for customers will thrive.
