The turbulent economic climate has resulted in a surge of high profile internal data thefts, proving that data security is no longer just an issue from beyond the firewall. Here, David Ting, CTO, Imprivata, discusses how enterprise security is changing and outlines how businesses can use single sign-on solutions to protect themselves.
2009 has brought with it a myriad of security challenges, and according to the Ponemon Institute, internal changes such as increased staff turnover have led to as many as 70 percent of organizations experiencing data theft by current or former employees. The media has regularly reported instances of inappropriate access to sensitive company data, which have often resulted in data theft or tangible damage to the companies’ information databases. Organizations that do not have clear visibility and control over who is accessing sensitive data risk losing not only their critical data but also their reputations and, as a result, their customers.
With the ‘insider threat’ becoming a growing concern for businesses across the globe, organizations are being forced to improve their internal security policies in order to combat the risk of data theft. Whilst increasing password complexity may seem the obvious first precaution, businesses are becoming increasingly aware that over-complicated policies force users to resort to a post-it note culture, or even password sharing. These workarounds put sensitive data at significant risk, and to avoid it, security-savvy businesses have looked to single sign-on (SSO) solutions to get the benefit of stringent password policies whilst simplifying the end user experience. Gaining the buy-in and support of staff is central to the overall success of any security solution, as human behaviour is the ultimate hindrance or enabler of any security scheme.
SSO can be enhanced further by adding a second, strong authentication factor such as OTP tokens, finger biometrics, smart cards, active and passive proximity cards, building access cards and even USB tokens. This way, businesses not only streamline application access but also strengthen user authentication, all while ensuring proper monitoring of who accessed which information, from where and when. Having this fundamental visibility over user accounts is a key way to avoid becoming a victim of the insider threat.
Additionally, whilst trying to ensure that only the right users access sensitive information, many businesses make fundamental mistakes as users join and leave employment. For this reason, it is important that businesses de-activate user accounts at the earliest possible opportunity. For example, it is not uncommon for IT staff or security officers not to know every application access right that a given user holds, or to neglect to close down the user’s accounts even after the contract has ended. This inevitably means that identities are left open and vulnerable for considerable periods of time. With the insider threat being such a concern to modern business practice, this is a risk that many organizations simply cannot afford to take, and the issue could become even more of a threat as businesses host more and more applications through web-based systems. With the appropriate SSO management tools in place, organizations can easily track which applications a user has had access to, so that web-based interfaces can be properly closed rather than left open indefinitely, which could leave competitively valuable information vulnerable and expose the business to unnecessary risk.
Maintaining clear visibility over all user accounts should be a central concern of any organization at this time. By checking whether the number of active accounts matches the number of current employees, businesses can safeguard themselves against potential insider threats. Restricting access rights by job role is another simple yet effective measure, which can ensure that increasingly valuable data remains protected at all times.
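The two checks described above, reconciling application accounts against the HR roster so that departed users' identities are caught and closed, and checking each account against what the holder's job role permits, can be automated. The following is an added example written for this article; it is not Imprivata's code or any product's API. The roster, the account list and the role-to-application entitlement table are all constructed sample data, and the application and role names are assumed for illustration.

```python
"""Account reconciliation: compare an HR roster with per-application accounts
to find identities that should already have been de-activated, accounts that
nobody owns, accounts used after the holder's end date, and accounts outside
the holder's job role.  All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    role: str
    end_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    application: str
    username: str
    emp_id: Optional[str]  # None when the account cannot be tied to a person
    last_login: date


# The reconciliation is run "as of" this date (constructed).
AS_OF = date(2009, 9, 25)

# Which applications each job role is entitled to (constructed policy).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "clinician": {"EHR", "Email"},
    "finance": {"ERP", "Email"},
    "contractor": {"Email"},
}

# Constructed HR roster.
ROSTER: List[Employee] = [
    Employee("E001", "A. Patel", "clinician", None),
    Employee("E002", "B. Jones", "finance", None),
    Employee("E003", "C. Smith", "contractor", date(2009, 8, 31)),  # contract ended
]

# Constructed account export from the SSO / application side.
ACCOUNTS: List[Account] = [
    Account("EHR", "apatel", "E001", date(2009, 9, 24)),
    Account("Email", "apatel", "E001", date(2009, 9, 25)),
    Account("ERP", "bjones", "E002", date(2009, 9, 20)),
    Account("Email", "bjones", "E002", date(2009, 9, 25)),
    Account("EHR", "bjones", "E002", date(2009, 9, 1)),     # not a finance entitlement
    Account("Email", "csmith", "E003", date(2009, 9, 15)),  # used after contract end
    Account("ERP", "legacyadmin", None, date(2009, 3, 2)),  # no owner on the roster
]


def _index(roster: List[Employee]) -> Dict[str, Employee]:
    return {e.emp_id: e for e in roster}


def find_orphaned_accounts(roster, accounts, today=AS_OF) -> List[Account]:
    """Accounts whose holder has left, or that match nobody on the roster."""
    by_id = _index(roster)
    orphaned = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id) if acct.emp_id else None
        if emp is None or (emp.end_date is not None and emp.end_date < today):
            orphaned.append(acct)
    return orphaned


def find_use_after_departure(roster, accounts) -> List[Account]:
    """Accounts logged into after the holder's recorded end date: the clearest
    sign that de-activation came too late."""
    by_id = _index(roster)
    return [a for a in accounts
            if a.emp_id in by_id
            and by_id[a.emp_id].end_date is not None
            and a.last_login > by_id[a.emp_id].end_date]


def find_role_violations(roster, accounts) -> List[Account]:
    """Accounts in applications the holder's job role is not entitled to.
    Unowned accounts are skipped here; find_orphaned_accounts reports them."""
    by_id = _index(roster)
    violations = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id) if acct.emp_id else None
        if emp is not None and acct.application not in ROLE_ENTITLEMENTS.get(emp.role, set()):
            violations.append(acct)
    return violations


def headcount_report(roster, accounts, today=AS_OF) -> Dict[str, int]:
    """Active employees versus distinct identities holding at least one account;
    any gap is something to explain, account by account."""
    active = {e.emp_id for e in roster if e.end_date is None or e.end_date >= today}
    holders = {a.emp_id if a.emp_id else a.username for a in accounts}
    return {"active_employees": len(active), "account_holders": len(holders)}


if __name__ == "__main__":
    print("headcount:", headcount_report(ROSTER, ACCOUNTS))
    for label, rows in (("orphaned", find_orphaned_accounts(ROSTER, ACCOUNTS)),
                        ("used after departure", find_use_after_departure(ROSTER, ACCOUNTS)),
                        ("outside job role", find_role_violations(ROSTER, ACCOUNTS))):
        for a in rows:
            print(f"{label}: {a.application}/{a.username} (last login {a.last_login})")
```

In practice the roster would come from the HR system and the account list from the SSO platform's or each application's user export; the value of the checks is that they run on a schedule rather than relying on someone remembering which applications a departing user had been given.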
Getting security under control is necessary for good business, and enforcing these access rights or profiles is not as complex as it may sound. SSO, strong authentication and clear visibility over all user accounts are three critical ways to protect one of your organization’s most valuable assets: data. In today’s market, keeping your information safe is more important than ever, not only for compliance but also for peace of mind: sensitive data can be kept safely where it belongs.
Date: 25th Sept 2009 | Region: UK/World | Type: Article | Topic: ISM