Fri, Apr 25, 2008 17:58 EDT
Posted by: Courion in Best Practices Topic: Infrastructure
The slowing economy and deepening mortgage crisis are major factors behind layoffs at well-known financial institutions like Bank of America, and behind the jolting acquisition of once-high-flying Bear Stearns by JPMorgan. With even the most optimistic economists predicting that these disruptions will continue into 2009, and mounting evidence that the vast majority of insider threats originate with disgruntled employees, controlling access to sensitive data has become an imperative.
Increasingly, organizations must shift their technology focus away from ensuring users “can” get access to appropriate data and resources, toward determining whether particular users “should” have that access.
Immediately rescinding access to corporate systems and applications when someone leaves is also critical to avoiding costly, public data breaches. That sounds like it should be standard procedure, but the increasing prevalence of insider breaches suggests otherwise. Many organizations have either failed to recognize the risks of orphaned accounts (accounts that outlive their owner's employment) and segregation of duties (SoD) violations, or do not have the security infrastructure in place to deal with them in a timely manner.
In an acquisition scenario, companies like JPMorgan must ensure a seamless transition for new employees, making sure they have appropriate access to the systems they need to keep doing their jobs without negatively impacting customers. Prominent events like these leave many organizations asking: How can we achieve long-term compliance in a turbulent business environment? How can we prevent exposure by removing privileged access from former employees, while maintaining access for those who still require it? The following best practices offer practical advice for IT organizations seeking a more productive, proactive approach to risk management:
1: Establish a Framework for Success
In order to address prominent audit and compliance concerns, many organizations turn to Identity and Access Management (IAM) solutions as a reliable framework for controlling access. If you do not currently have an IAM solution in place, establish a vision and supporting roadmap, but avoid trying to accomplish everything in one phase. I’ve yet to see evidence that this has ever succeeded. What you are really about to automate are detailed business processes for staff on-boarding, change, termination and periodic review. These processes are dependent on business, security and operations policies that will vary by business, location and even management level.
A more natural approach is to define the program around a vision or a few broad goals for efficiency and control, and then begin with concrete projects that support those goals. Some quick analysis will surface the pain points. In a retail bank it might be hiring and firing tellers, because turnover runs at 100 percent annually; in an insurance company, where turnover is typically very low, it might be getting the independent brokers to periodically review the access rights of everyone in their offices and attest that the access is reasonable and appropriate. Each industry also brings its own compliance regulations to think about.
Remember, incremental progress is better than delayed or unattainable perfection.
2: Build an Identity Roadmap
Any business school will tell you that you can’t manage what you can’t see – and this holds true for user identities.
If you don’t have a current map of who has access to what, then how can you respond to basic questions for the auditors? How do you know if people are over-credentialed? How do you disable their access when they leave? How do you even help them when they call the service desk?
Building this map can be difficult
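To make the map of who has access to what concrete, here is an added example (not code from the original post or from Courion) that reconciles a constructed HR roster against a constructed entitlement export and runs the three checks the text raises: orphaned accounts left behind when access is not rescinded at termination, segregation-of-duties conflicts, and entitlements that nobody else in the owner's department holds, as a prompt for the over-credentialed question. All employee ids, departments, entitlements and the single SoD rule are made up for illustration.

```python
"""Reconcile an access map against the HR roster.

Added example; the data below is constructed and stands in for an HR feed
and the entitlement exports that make up the map of who has access to what.
Three checks an access reviewer wants in hand before the auditors ask:
orphaned accounts, segregation-of-duties (SoD) conflicts, and entitlements
that nobody else in the owner's peer group holds.
"""
from collections import Counter, defaultdict

# Constructed HR roster: employee id -> (department, employment status).
HR_ROSTER = {
    "e100": ("payments", "active"),
    "e101": ("payments", "active"),
    "e102": ("payments", "terminated"),
    "e103": ("branch", "active"),
    "e104": ("payments", "active"),
    "e105": ("payments", "active"),
}

# Constructed entitlement export: account -> (owner employee id, entitlements).
# None as owner models an account with no recorded owner (e.g. a service account).
ACCOUNTS = {
    "jdoe":      ("e100", {"view_ledger", "create_vendor"}),
    "asmith":    ("e101", {"view_ledger", "approve_payment"}),
    "bwong":     ("e102", {"view_ledger", "approve_payment"}),   # owner terminated
    "tlee":      ("e103", {"teller_cash", "create_vendor", "approve_payment"}),
    "mkhan":     ("e104", {"view_ledger"}),
    "rpatel":    ("e105", {"view_ledger", "approve_payment"}),
    "svc_batch": (None,   {"view_ledger"}),                      # no owner on record
}

# Constructed SoD rule: entitlement pairs no single person may hold together.
SOD_RULES = [("create_vendor", "approve_payment")]


def orphaned_accounts(accounts, roster):
    """Accounts whose owner is missing from HR or is no longer active.

    These are the termination-day misses: the person is gone but the
    credential still works.
    """
    orphans = []
    for acct, (owner, _) in accounts.items():
        _, status = roster.get(owner, (None, "unknown"))
        if owner is None or status != "active":
            orphans.append(acct)
    return sorted(orphans)


def sod_violations(accounts, rules):
    """(account, rule) for every rule whose two entitlements one account holds."""
    hits = []
    for acct, (_, ents) in accounts.items():
        for rule in rules:
            if set(rule) <= ents:
                hits.append((acct, rule))
    return sorted(hits)


def peer_outliers(accounts, roster, min_peers=3):
    """Entitlements held by exactly one active account in a department with
    at least min_peers active accounts. These are candidates for the
    'should they have this?' review, not proof of a problem."""
    by_dept = defaultdict(list)
    for acct, (owner, ents) in accounts.items():
        dept, status = roster.get(owner, (None, "unknown"))
        if status == "active":          # terminated owners are reported as orphans
            by_dept[dept].append((acct, ents))
    outliers = []
    for members in by_dept.values():
        if len(members) < min_peers:
            continue
        holders = Counter(e for _, ents in members for e in ents)
        for acct, ents in members:
            outliers.extend((acct, e) for e in ents if holders[e] == 1)
    return sorted(outliers)


if __name__ == "__main__":
    print("orphaned accounts:", orphaned_accounts(ACCOUNTS, HR_ROSTER))
    print("SoD violations:   ", sod_violations(ACCOUNTS, SOD_RULES))
    print("peer outliers:    ", peer_outliers(ACCOUNTS, HR_ROSTER))
```

On the constructed data the orphan check catches both the terminated employee's account and the unowned service account, the SoD check flags the branch teller who can both create vendors and approve payments, and the peer check singles out the one payments user holding create_vendor. In practice the roster and export would come from the HR system and each application's entitlement dump, and the peer check is tuned per department rather than with one global threshold.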