Human resources changes such as retrenchments, downsizing, mergers and acquisitions can be more costly than most companies realise. It is therefore becoming even more critical that only authorised users have access to sensitive information, which also supports compliance initiatives.
A 2009 Ponemon Institute survey concluded that 60% of company data is stolen when employees are laid off. The cost of losing critical competitive data far outweighs the savings from laying off 'excess' staff, yet most companies have turned a blind eye to this. To combat it, companies must have identity management systems in place to prevent the loss of critical data.
Identity management within organisations is now well understood, but its primary purpose is to manage identities, and that is only part of the process. Managing entitlements, what each identity is allowed to do, is now becoming the biggest security administration headache.
Although the processes for managing identity are linked to those for managing entitlements, they are different and are performed by different people within the organisation. Identity management is mainly performed by HR and help desk staff. Defining and managing entitlements, however, is the responsibility of business line managers together with the IT application owners.
Defining the appropriate level of access rights to resources for a particular job is not easy, as it involves a judgment of business risk as well as technology issues. For these reasons, managing entitlements has become the limiting factor in the success of deploying identity management projects.
In an effort to tackle this problem, CA Southern Africa, the IT Management experts, say that there are five elements critical to securing identity management.
The first of these is the principle of least privilege.
This is an important concept for protecting data and functionality from errors as well as for ensuring data security. Under the principle of least privilege, users (and other system components) should be given only the minimum privileges they need to perform their functions correctly.
Secondly, the concept of separation of duties, which is derived from fraud prevention in financial accounting systems. Commercial organisations have recognised that one person performing functions that are in conflict, such as being a supplier while also being a purchaser, increases the risk of fraud.
To avoid this risk it must be possible to separate certain duties. The separation can be static (for example, a person with function A can never also have function B) or dynamic, where functional separation is applied at the level of individual transactions.
The next principle is discretionary access control, the access control model implemented by most IT systems in use today. Under this model the user has discretion over what they can do with data to which they have legitimate access: if they can read a .doc or .xls file, they can print it and email it without restriction. This model facilitates data sharing but adds the risk of deliberate or inadvertent loss of data.
Mandatory access control is another important approach. This model determines what users can do with data to which they have legitimate access, so while they may be able to view a file they may not be able to email it or print its content. This functionality is now reappearing under the title of "Data Loss Prevention" technology.
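The contrast between the two models is easier to see in code. The following is an added example written for this article, not code from CA Southern Africa or any product it describes: a discretionary policy where the owner's grants alone decide what a user may do with a document, beside a mandatory policy where the document's classification label fixes which operations are possible at all, so an owner's grant can narrow access but never widen it. The label rules, the document name and the users are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Document:
    name: str
    owner: str
    label: str                                # classification, used only by MAC
    acl: dict = field(default_factory=dict)   # user -> set of operations (DAC)


class DacPolicy:
    """Discretionary: the owner decides who may do what with the document."""

    def share(self, doc, granter, user, operations):
        # only the owner may extend the ACL; anyone else is refused
        if granter != doc.owner:
            return False
        doc.acl.setdefault(user, set()).update(operations)
        return True

    def allowed(self, doc, user, operation):
        return operation in doc.acl.get(user, set())


class MacPolicy:
    """Mandatory: the data's label fixes which operations are possible at all;
    the owner's grants can narrow access but never widen it."""

    # constructed label rules: what each classification permits
    LABEL_RULES = {
        "public": {"read", "print", "email"},
        "confidential": {"read", "print"},
        "secret": {"read"},
    }

    def __init__(self, dac):
        self.dac = dac

    def allowed(self, doc, user, operation):
        label_ok = operation in self.LABEL_RULES.get(doc.label, set())
        # both the label and the owner's grant must permit the operation
        return label_ok and self.dac.allowed(doc, user, operation)


def compare_models():
    """Return what each model says about emailing a confidential spreadsheet."""
    doc = Document("q3-forecast.xls", owner="alice", label="confidential")
    dac = DacPolicy()
    mac = MacPolicy(dac)
    # Alice, at her own discretion, lets Bob read, print and email the file
    dac.share(doc, "alice", "bob", {"read", "print", "email"})
    return {
        "dac_email": dac.allowed(doc, "bob", "email"),   # True: owner allowed it
        "mac_email": mac.allowed(doc, "bob", "email"),   # False: label forbids email
        "mac_print": mac.allowed(doc, "bob", "print"),   # True: label and ACL both allow
    }


if __name__ == "__main__":
    for decision, outcome in compare_models().items():
        print(f"{decision}: {outcome}")
```

The point of the layered check in `MacPolicy.allowed` is that the owner's sharing decision is still honoured for reading and printing, but the "email" operation never becomes available on a confidential document no matter who grants it, which is the behaviour the article attributes to data loss prevention tooling.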
Lastly, role-based access control is an approach to restricting system access to authorised users based on their 'role', or function, within an organisation. Within the system, role objects represent the various job functions, and the permissions to access specific data and to perform specific operations are assigned to these role objects.
People are assigned to particular role objects based on their actual function in the organisation, and obtain the permissions to perform the actions they need through these objects. A role-based approach simplifies administration and auditing, since permissions are obtained through business-related role objects. Roles also help to manage separation of duties.
If the above principles are implemented, a company's risk of security breaches will be somewhat reduced, but only if the systems are managed correctly. However, people will always be the biggest risk factor when it comes to security.
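The role-based model just described, together with the static and dynamic separation of duties introduced earlier, can be expressed as a small policy engine. The code below is an added example written for this article, not code from CA Southern Africa or any product it describes. Permissions attach to role objects rather than to people, a user is permitted nothing unless some role grants it (least privilege, deny by default), role assignment refuses a role that conflicts statically with one the user already holds, and operations are checked dynamically per transaction so that one person cannot both submit and approve the same purchase order even though their role permits both operations. The purchasing roles, operations, users and order identifiers are constructed for the illustration.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when an assignment or operation violates a policy rule."""


@dataclass
class Rbac:
    # role name -> set of (operation, resource_type) pairs the role may perform
    role_permissions: dict = field(default_factory=dict)
    # user name -> set of role names assigned to that user
    user_roles: dict = field(default_factory=dict)
    # static SoD: each entry is a pair of roles no single user may hold together
    exclusive_roles: set = field(default_factory=set)
    # dynamic SoD: pairs of operations that, on one transaction, need two people
    conflicting_ops: set = field(default_factory=set)
    # transaction id -> {operation: user who performed it}
    history: dict = field(default_factory=dict)

    def grant(self, role, operation, resource_type):
        """Attach a permission to a role object, never directly to a person."""
        self.role_permissions.setdefault(role, set()).add((operation, resource_type))

    def assign(self, user, role):
        """Give a user a role, enforcing static separation of duties."""
        held = self.user_roles.get(user, set())
        for pair in self.exclusive_roles:
            if role in pair and (pair - {role}) & held:
                raise AccessDenied(f"{user}: {role} conflicts with {sorted((pair - {role}) & held)}")
        self.user_roles.setdefault(user, set()).add(role)

    def is_permitted(self, user, operation, resource_type):
        """Deny by default (least privilege): permission must come via some role."""
        return any(
            (operation, resource_type) in self.role_permissions.get(role, set())
            for role in self.user_roles.get(user, set())
        )

    def perform(self, user, operation, resource_type, txn_id):
        """Run an operation on a transaction, enforcing dynamic separation of duties."""
        if not self.is_permitted(user, operation, resource_type):
            raise AccessDenied(f"{user} may not {operation} {resource_type}")
        done = self.history.setdefault(txn_id, {})
        for prior_op, prior_user in done.items():
            if prior_user == user and frozenset({prior_op, operation}) in self.conflicting_ops:
                raise AccessDenied(f"{user} already did {prior_op} on {txn_id}; cannot {operation}")
        done[operation] = user
        return True


def build_purchasing_policy():
    """Constructed example policy for a purchasing system (not from the article)."""
    rbac = Rbac()
    rbac.grant("purchaser", "submit", "purchase_order")
    rbac.grant("finance", "submit", "purchase_order")
    rbac.grant("finance", "approve", "purchase_order")
    rbac.grant("supplier_admin", "edit", "supplier_record")
    rbac.grant("auditor", "read", "purchase_order")
    # static SoD: whoever maintains supplier records must never raise orders
    rbac.exclusive_roles.add(frozenset({"purchaser", "supplier_admin"}))
    # dynamic SoD: one person may not both submit and approve the same order
    rbac.conflicting_ops.add(frozenset({"submit", "approve"}))
    return rbac


def run_scenarios():
    """Exercise the policy; returns a dict of outcomes so the results can be checked."""
    rbac = build_purchasing_policy()
    results = {}
    rbac.assign("alice", "supplier_admin")
    try:
        rbac.assign("alice", "purchaser")          # static conflict with supplier_admin
        results["static_sod_blocked"] = False
    except AccessDenied:
        results["static_sod_blocked"] = True

    rbac.assign("bob", "finance")
    rbac.assign("carol", "finance")
    rbac.assign("dave", "auditor")
    # least privilege: an auditor can read orders but holds no role that approves them
    results["auditor_can_read"] = rbac.is_permitted("dave", "read", "purchase_order")
    results["auditor_can_approve"] = rbac.is_permitted("dave", "approve", "purchase_order")

    rbac.perform("bob", "submit", "purchase_order", "PO-1001")
    try:
        rbac.perform("bob", "approve", "purchase_order", "PO-1001")   # same person, same order
        results["dynamic_sod_blocked"] = False
    except AccessDenied:
        results["dynamic_sod_blocked"] = True
    # a different finance clerk may approve the order bob submitted
    results["second_approver_ok"] = rbac.perform("carol", "approve", "purchase_order", "PO-1001")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Because every permission is reached through a role, auditing a user's entitlements reduces to listing their roles, and removing a leaver's access is a single change to `user_roles` rather than a hunt through per-resource grants; the `history` map is also the record an auditor would review to confirm the dynamic separation held for each order.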