Today’s dynamic business environment brings increasing technology complexity and challenges to secure corporate information, writes David Lello, MD of Global Security Solutions.
Business and information strategies, governance and policies supported by people and technology components assist in the achievement of a sound information security environment.
Traditionally, information security is seen as a technology or security policy problem. Now, more than ever, we can appreciate that information security is a fundamental business issue.
We have seen in a number of cases in Europe and America where fraud has been committed, the latest and most significant being that of a trader at Société Générale, who defrauded his organization by compromising basic user privileges.
Identity & Access Management (IAM) is a mature security discipline which ensures that good governance is established around the management of user identities within the organisation and the respective information to which they have been granted access. Many cases of fraud could be eliminated through implementing the controls of IAM.
IAM implementations are complex and can be costly as they impact on the entire organisation, typically all users and all systems are affected. IAM is similar to an ERP project which if done as a mater of course often results in failure. It is for this reason that a well defined and proven methodology be used to ensure the appropriate control points are addressed to ensure a successful implementation.
The methodology used to define the way forward is based on Capability Maturity Model (CMM) best practices; many projects have been successfully deployed using this approach. It supports the intention of implementing iteratively in a structured repeatable way, ensuring tangible results early in the project.
The function of managing user identities and their access privileges starts with the definition of processes. The best technology in the world will be unsuccessful without the definition of these processes. In smaller and even mid size companies the implementation of IAM can be done solely with the implementation of processes.
In nearly every organization that I have engaged with, due to the nature of technology implementations, inconsistent processes are applied from one business system to the next. This results in some applications being well managed (normally the mainframe) and typically the varied distributed environment not being well managed. What is required is to implement a consistent set of processes which must be defined across the organisation.
The processes for IAM must not be limited to the Joiner, Mover & Leaver processes as we see described by Sarbanes Oxley legislation. It is most important that we also, in these projects define the processes for Segregation of Duties; this will ensure that users are not able to retain access privileges to “create” and “authorise” transactions, thus closing the loop.
It is also advisable to define and implement Role Based Access Control (RBAC), which will ensure that when a user moves from one position to the next, his/her access privileges change according to the job function.
In the definition of RBAC, a handful of successful companies have managed to simplify the job of Role Mining. With products such as Eurekify, RBAX and Bridgestream it is far easier to understand the default system roles in the organization, by analyzing user account data.
The problem arises when traditionally in large companies the user account data is flawed at the outset. After years of internal transfers users have accumulated access they should not have. User attestation can reduce this risk but ultimately a top down approach of Role Definition is required in accordance with a job function where user access privileges must be defined.
Do not become another statistic, make sure that the correct controls are in place to manage users and their access.