
IT data security: how best to guard against fraud
2010 has brought a myriad of security challenges. High-profile data breaches have underlined the importance of securing sensitive data.
These threats come from external bodies, but also from within a company's own walls.
Despite extensive legislation designed to safeguard sensitive information, data losses and unauthorised access to intellectual property are still worryingly commonplace.
Consequently, organisations need to have more control and visibility over who is accessing data. Without this, they risk losing critical data, but are also subject to fines and damage to their reputations. This can have a significant and lasting effect on customer relationships.
The "insider threat" has meant that organisations are now acutely aware of the need to have clear visibility over who is accessing data, when, and where.
Without the ability to record employee accesses to information and unauthorised access attempts, businesses leave themselves at a disadvantage. Suspicious activity can be missed and consequently internal breaches are more likely. Additionally, complex password policies have also impacted internal data loss. Multiple 'strong' passwords can mean that users turn to password sharing or a 'post-it note' culture, leaving passwords displayed for all to see. This is a convenience-led yet careless approach to security which undermines the very purpose of password-based authentication and leaves sensitive data at risk.
Perhaps more astonishingly, it is common for employees to maintain access to business applications after their employment has been terminated. As businesses look to host more and more applications through web-based systems, this could become increasingly problematic; without appropriate management tools in place, organisations can easily lose track of which applications the user is authorised to see.
Re-assessing the access rights of each employee will ensure data is only accessible on a need-to-know basis. Using tools like Single Sign-On (SSO), IT managers can simply monitor and report on user access to data and, by working with HR or directly with a provisioning system, role-based access to each application can be generated. This kind of account management can also be location specific. A doctor could access patient files when in the hospital, for example, but access may be restricted if he accesses the corporate network from home. Strong authentication (SA) could also play a part here.
A good example of this is physical/logical access to IT where a user is only granted access to the network if he has registered access to the building using a smart card. SSO and SA ensure that IT managers have full visibility over access records and employee access rights, inevitably reducing the likelihood that insiders could inappropriately access information.
Secondly, SSO can also solve the issue of users sharing passwords or writing them down. Condensing multiple passwords to just one username and log-in can significantly simplify the authentication process. With a single password that is easier to remember, the burden on the IT helpdesk is also reduced, as users are less likely to forget their log-on credentials. Security is also boosted as the need to record passwords is negated.
The final fundamental step to avoiding internal breaches is ensuring orphaned accounts are quickly shut down upon a user's termination or departure. Management functions which allow staff to simply block an account at the click of a button are essential to maintaining a secure corporate infrastructure. Without this fundamental level of access management, businesses are unable to maintain basic control over their most valuable business asset: their company's data.
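The three controls the article describes (role-based entitlements, location- and badge-aware access, and prompt shutdown of orphaned accounts) fit together in one policy check with an audit trail. The following is an added illustration, not code from the article or from Imprivata's products: a toy access-decision function that evaluates a request against a role entitlement matrix, an on-site-only list, the corporate network the request arrives from and whether the user badged into the building with a smart card, followed by an orphaned-account sweep that compares active accounts against an HR leaver list. Every role, user, application name and audit line is constructed for the example.

```python
"""
Added example: role-, location- and badge-aware access decisions plus an
orphaned-account sweep. All roles, users, applications and audit lines are
constructed; nothing here comes from the original article or any product.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Role -> applications the role may use (constructed entitlement matrix,
# the kind of mapping a provisioning system would generate from HR data).
ROLE_APPS: Dict[str, Set[str]] = {
    "doctor": {"patient-records", "email"},
    "nurse": {"patient-records"},
    "finance": {"ledger", "email"},
}

# Applications that may only be opened from inside the building.
ONSITE_ONLY: Set[str] = {"patient-records", "ledger"}


@dataclass
class Account:
    username: str
    role: str
    badged_in: bool = False   # smart-card entry to the building registered today
    active: bool = True       # False once the account has been blocked


@dataclass
class AccessRequest:
    username: str
    app: str
    network: str              # "corporate-lan" or "remote-vpn" (constructed labels)


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(accounts: Dict[str, Account], req: AccessRequest, audit: List[str]) -> Decision:
    """Evaluate one request; every outcome, allowed or denied, is written to the audit log."""
    acct = accounts.get(req.username)
    if acct is None or not acct.active:
        d = Decision(False, "unknown or disabled account")
    elif req.app not in ROLE_APPS.get(acct.role, set()):
        d = Decision(False, f"role '{acct.role}' not entitled to '{req.app}'")
    elif req.app in ONSITE_ONLY and req.network != "corporate-lan":
        d = Decision(False, f"'{req.app}' restricted to on-site access")
    elif req.app in ONSITE_ONLY and not acct.badged_in:
        d = Decision(False, "no building badge-in registered for this user")
    else:
        d = Decision(True, "granted")
    status = "ALLOW" if d.allowed else "DENY"
    audit.append(f"{status} user={req.username} app={req.app} net={req.network} reason={d.reason}")
    return d


def find_orphaned(accounts: Dict[str, Account], hr_leavers: Set[str]) -> List[str]:
    """Return still-active accounts whose owners HR lists as having left."""
    return sorted(u for u, a in accounts.items() if a.active and u in hr_leavers)


def deprovision(accounts: Dict[str, Account], usernames: List[str]) -> int:
    """Block the given accounts; returns how many were actually changed."""
    changed = 0
    for u in usernames:
        if accounts[u].active:
            accounts[u].active = False
            changed += 1
    return changed


def demo():
    """Run a constructed scenario and return (decisions, orphans found, audit lines)."""
    accounts = {
        "asmith": Account("asmith", "doctor", badged_in=True),
        "bjones": Account("bjones", "doctor", badged_in=False),
        "cwong": Account("cwong", "finance", badged_in=True),
        "dold": Account("dold", "nurse", badged_in=False),   # constructed: left last month
    }
    audit: List[str] = []
    results = [
        decide(accounts, AccessRequest("asmith", "patient-records", "corporate-lan"), audit).allowed,
        decide(accounts, AccessRequest("asmith", "patient-records", "remote-vpn"), audit).allowed,
        decide(accounts, AccessRequest("bjones", "patient-records", "corporate-lan"), audit).allowed,
        decide(accounts, AccessRequest("cwong", "patient-records", "corporate-lan"), audit).allowed,
        decide(accounts, AccessRequest("asmith", "email", "remote-vpn"), audit).allowed,
    ]
    # Orphaned-account sweep: HR says dold has left, but the account is still active.
    orphans = find_orphaned(accounts, {"dold"})
    deprovision(accounts, orphans)
    results.append(decide(accounts, AccessRequest("dold", "patient-records", "corporate-lan"), audit).allowed)
    return results, orphans, audit


if __name__ == "__main__":
    decisions, orphans, audit = demo()
    print("orphaned accounts blocked:", orphans)
    print("\n".join(audit))
```

The ordering of the checks matters for the audit trail: an inactive account is refused before any entitlement is consulted, so a blocked leaver produces a single unambiguous "disabled account" line rather than a role-based denial that could be mistaken for a misconfigured entitlement. The sweep is deliberately driven by the HR list rather than by inactivity, because a departed user's account may still be in daily use, which is exactly the case the article warns about.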
David Ting, CTO, Imprivata