http://www.zdnet.com/anchordesk/stories/story/0,10738,2821308,00.html

Robert Vamosi, Associate Editor, ZDNet Reviews
Wednesday, October 31, 2001

As we take security more seriously, as we put more obstacles between the outside world and the inner secrets of our PCs, we're complicating our lives--in both good ways and bad. On the plus side, we are more securely guarding our private data. On the other hand, as we increase the number of permissions and passwords, we create a bigger job for corporate IT departments. Identity management--a strategy whereby companies centrally control all of a user's various accounts, access codes, passwords, etc.--can simplify this task and, in theory, free up resources to work on network security services.

I RECENTLY HEARD this pitch from a PricewaterhouseCoopers consulting team. I immediately questioned whether a centralized profile system would actually be easier for someone to crack. They cited some persuasive counterarguments. Centralized security, which at first struck me as a bad idea, appears to offer many benefits.

Consider your banking habits. You have a checking account, a savings account, a money market account--you may even have an online brokerage account. You might also have a joint checking account with your spouse, under your spouse's name and Social Security number. Now consider your office. You may have access to two or three printers, two or three internal servers, and perhaps a virtual private network (VPN). With all these accounts, you are the common denominator. A centralized identity management system could collect this data into one easy-to-administer location.

NEXT, LOOK AT the risks of maintaining decentralized systems. A small corporate IT force can be overwhelmed with daily permissions requests. I've heard horror stories of IT workers granting users more access than necessary in order to limit their open call tickets, and of accounts vanishing overnight because the overworked IT staff made mistakes.
Both cost their companies time and money. Mistakes tend to coincide with times of rapid growth within a company, or when deploying new initiatives. For some reason, companies seem to loathe hiring more IT personnel during such times, leaving the existing IT staff with meager resources and monumental tasks.

During an economic downturn, when large numbers of employees are laid off, security only becomes more complicated. Often there are no clear records of what permissions existed for each employee. IT might delete a former employee's main network login profile, but HR may not get around to removing his or her e-mail account until much later. And what about the terminated employee's special access to the remote file server on the 4th floor? Or his special VPN privileges? There are "ghosts," fragments of past employees, swirling within most large corporate systems today. Fortunately, these ghosts rarely cause harm. However, if someone gets advance word of his termination, he might set up dummy accounts and later try to ferret out these ghost permissions, and gain access to systems where he could do some real damage.

THIS TYPE OF "inside attack"--an attack carried out against a company by its own employee--is said to account for about 70 percent of all security breaches. An inside attack can be anything that costs the company time or money, or causes the loss of proprietary information. This includes the employee who shuts down the e-mail server with spam or viruses, the employee who locks co-workers out of their accounts and privileges, and certainly anyone who sells or gives away proprietary information. Inside attacks are often carried out by former employees, and companies usually don't report them to the outside world, mostly to protect their corporate image.

Centralized control of employees' security information allows IT staffs to efficiently provision new employees as well as terminate past employees.
In theory, it should leave the IT department free to run more audits, be more vigilant with existing accounts, and truly safeguard the primary point of entry into the core system. Other selling points for centralized management: employees are less likely to become a future risk if they know their actions are being monitored, and in general, controls that contain insider risk also make it harder for outsiders to breach security. Given the benefits, I think we're going to hear more about identity management in the near future.
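The "ghost" accounts and the one-pass deprovisioning the article describes come down to a reconciliation: treat the HR roster as the single source of truth, collect each system's account export, and join them on the employee, the "common denominator." The following is an added illustration, not code from the original article or from any identity-management product. The HR roster, the four system exports, the system names, the record layout and the function names are all constructed assumptions for this example.

```python
"""Reconcile per-system account exports against the HR roster to find
"ghost" accounts left behind after a termination, and accounts with no
owner on record at all.

Added illustration, not code from the original article or from any
product. All data below is constructed sample data; the system names,
record layout and function names are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed HR roster, the single source of truth for employment status.
# employee_id -> (name, status, termination date or None)
HR_ROSTER: Dict[str, Tuple[str, str, Optional[date]]] = {
    "e100": ("Alice Rivera", "active", None),
    "e101": ("Bob Chen", "terminated", date(2001, 10, 15)),
    "e102": ("Carol Diaz", "active", None),
}

# Constructed account exports from each system. Each maps the system's own
# login name to the HR employee_id recorded as its owner (None if the
# system has no owner on file). "bchen" was removed from network_login at
# termination but survives elsewhere; "backup2" has no owner at all.
SYSTEM_ACCOUNTS: Dict[str, Dict[str, Optional[str]]] = {
    "network_login": {"arivera": "e100", "cdiaz": "e102"},
    "email":         {"arivera": "e100", "bchen": "e101", "cdiaz": "e102"},
    "vpn":           {"arivera": "e100", "bchen": "e101"},
    "fileserver_4f": {"arivera": "e100", "bchen": "e101", "backup2": None},
}


@dataclass(frozen=True)
class Finding:
    system: str
    login: str
    owner: Optional[str]
    reason: str


def access_profile(employee_id: str, accounts=SYSTEM_ACCOUNTS) -> Dict[str, str]:
    """Centralized view: every (system -> login) held by one employee.
    This is the list IT needs in order to deprovision in a single pass."""
    return {
        system: login
        for system, logins in accounts.items()
        for login, owner in logins.items()
        if owner == employee_id
    }


def reconcile(roster=HR_ROSTER, accounts=SYSTEM_ACCOUNTS,
              today: date = date(2001, 10, 31)) -> List[Finding]:
    """Flag accounts whose owner is terminated (ghosts) and accounts whose
    owner is missing or unknown to HR (possible dummy accounts)."""
    findings: List[Finding] = []
    for system, logins in sorted(accounts.items()):
        for login, owner in sorted(logins.items()):
            if owner is None or owner not in roster:
                findings.append(Finding(system, login, owner,
                                        "no HR owner on record; possible dummy account"))
                continue
            _name, status, terminated_on = roster[owner]
            if status == "terminated" and terminated_on is not None:
                days = (today - terminated_on).days
                findings.append(Finding(system, login, owner,
                                        f"owner terminated {days} days ago; ghost account"))
    return findings


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.system:14} {f.login:10} owner={f.owner} -> {f.reason}")
    print("deprovision e101 from:", access_profile("e101"))
```

Run against the constructed data, the report lists Bob Chen's surviving e-mail, VPN and file-server logins as ghosts sixteen days after his termination, and flags the ownerless "backup2" login on the file server as an account nobody in HR can vouch for. The two checks are deliberately separate: a terminated owner is a cleanup task, while an account with no owner is the case the article warns about, where someone with advance word of a termination plants a login that no deprovisioning pass keyed on employee_id will ever touch.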