2009 has brought with it a myriad of security challenges, some of which are new and others old. Developments in enterprise security have certainly been no exception, with the Ponemon Institute suggesting that the high staff turnover resulting from the economic turmoil has led to 70% of organisations experiencing data theft from current or ex-employees.
Previously, the focus of IT security has been firmly grounded in securing the firewall, but now IT managers realise that an additional challenges lies in securing and restricting employee access to IT applications and data without impacting the workflow of legitimate employees.
Locking down abandoned user accounts would be an obvious first step in securing corporate data. However, this is a classic and recurring vulnerability in many organisations, particularly when it comes to web-based applications. Many organisations simply neglect to close down access, and consequently user identities are left open and exposed for an unjustifiably long period of time. All this time, the ex-employee will be able to access sensitive and competitively valuable information. The dangers of leaving these routes open are obvious, particularly in today's economy.
Locking down expired user accounts is an essential way to prevent unauthorised access by ex-employees. However, the strongest security infrastructures also tightly manage and control the access rights of current employees. Defining roles within an organisation can help to determine the level of access that should be granted to each user, and therefore, which information they should be privy to. By first analysing what access privileges users require in order to do their day to day jobs, reasonable boundaries can be defined. Access can then also be carefully monitored for anything outside of those defined perimeters.
Technology such as Single Sign-On makes it quick and easy to enrol users and assign access rights, and also terminate access privileges when employment ceases. Strong authentication can then provide the second link to the chain, ensuring only the intended user is accessing that data they are authorised to see. In today's working environment where data theft is frequenting the news and becoming more and more damaging to reputation and success, organisations can increasingly see the value behind a solid security policy.
Too often, security and employee productivity are viewed as being at odds with each other, which is perhaps why many organisations lack adequate precautions to protect their company data, leaving themselves open to data theft. Whereas in the past, a mass of complex passwords has actually been counterproductive to the security ideal, Single Sign-On technologies which condense these passwords into one simple log-in can now actually simplify access for staff, improving productivity. Less log-in credentials means that staff are less likely to write their passwords down, or even password share, improving not only efficiency, but also security.
Second factor authentication such as biometrics, smart cards, tokens and even facial recognition, can also contribute to improving security and efficiency. By selecting the right method of authentication, productivity can be maximised, gaining the support of staff. For example, in an NHS organisation, biometrics often work well as a method for second factor authentication. This is because clinical staff are often based on shared workstations, where they will have to go through the log in process numerous times per day. A good security policy would therefore ensure that employees have the access and information required to perform their job function quickly and easily, but additionally, with the least possible level of access privileges.
The changing face of the IT security landscape has certainly highlighted where key problems lie with regards to access management. With the threat to security now coming from both within and outside the walls of the building, savvy organisations should look to survey and close off every potential entry point to their organisations data through a sound identity management strategy that ensures secure authentication and access. This way, sensitive data can be kept safely where it belongs.
For more information visit www.imprivata.com
