[ISN] Need to ratchet up security? Start by centralizing the job

From: InfoSec News (isnat_private)
Date: Wed Oct 31 2001 - 02:36:10 PST

    Robert Vamosi,
    Associate Editor,
    ZDNet Reviews
    Wednesday, October 31, 2001

    As we take security more seriously, as we put more obstacles between
    the outside world and the inner secrets of our PCs, we're complicating
    our lives--in both good ways and bad. On the plus side, we are more
    securely guarding our private data. On the other hand, as we increase
    the number of permissions and passwords, we create a bigger job for
    corporate IT departments.
    Identity management--a strategy whereby companies centrally control
    all of a user's various accounts, access codes, passwords, etc.--can
    simplify this task and, in theory, free up resources to work on
    network security services.
    I RECENTLY HEARD this pitch from a PricewaterhouseCoopers consulting
    team. I immediately questioned whether a centralized profile system
    would actually be easier for someone to crack. They cited some
    persuasive counterarguments. Centralized security, which at first
    struck me as a bad idea, appears to offer many benefits.
    Consider your banking habits. You have a checking account, a savings
    account, a money market account--you may even have an online brokerage
    account. You might also have a joint checking account with your
    spouse, under your spouse's name and Social Security number.
    Now consider your office. You may have access to two or three
    printers, two or three internal servers, and perhaps a virtual private
    network (VPN). With all these accounts, you are the common
    denominator. A centralized identity management system could collect
    this data into one, easy-to-administer location.
    NEXT, LOOK AT the risks of maintaining decentralized systems. A small
    corporate IT force can be overwhelmed with daily permissions requests.
    I've heard horror stories of IT workers granting users more access
    than necessary in order to limit their open call tickets, and of
    accounts vanishing overnight because the overworked IT staff made
    mistakes. Both cost their companies time and money.
    Mistakes tend to coincide with times of rapid growth within a company,
    or when deploying new initiatives. For some reason, companies seem to
    loathe hiring more IT personnel during such times, leaving the
    existing IT staff with meager resources and monumental tasks.
    During an economic downturn, when large numbers of employees are laid
    off, security only becomes more complicated. Often there are no clear
    records of what permissions existed for each employee. IT might delete
    a former employee's main network login profile, but HR may not get
    around to removing his or her e-mail account until much later. And
    what about the terminated employee's special access to the remote file
    server on the 4th floor? Or his special VPN privileges? There are
    "ghosts," fragments of past employees, swirling within most large
    corporate systems today.
    Fortunately, these ghosts rarely cause harm. However, if someone gets
    advance word of his termination, he might set up dummy accounts and
    later try to ferret out these ghost permissions, and gain access to
    systems where he could do some real damage.
    THIS TYPE OF "inside attack"--an attack carried out against a company
    by its own employee--is said to account for about 70 percent of all
    security breaches. An inside attack can be anything that costs the
    company time or money, or causes the loss of proprietary information.
    This includes the employee who shuts down the e-mail server with spam
    or viruses, the employee who locks out co-workers from their accounts
    and privileges, and certainly anyone who sells or gives away proprietary
    information. Inside attacks are often carried out by former employees,
    and companies usually don't report them to the outside world, mostly
    to protect their corporate image.
    Centralized control of employees' security information allows IT
    staffs to efficiently provision new employees as well as terminate
    past employees. In theory, it should make the IT department free to
    run more audits, be more vigilant with existing accounts, and truly
    safeguard the primary point of entry into the core system.
    Other selling points for centralized management: employees are less
    likely to become a future risk if they know their actions are being
    monitored, and in general, efforts to contain inside risks restrict
    outsiders from breaching security as well. Given the benefits, I think
    we're going to hear more about identity management in the near future.
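
The "ghost" accounts the column describes can be found by reconciling an authoritative HR roster against each system's account export. The sketch below is an added example, not part of the original column; the roster, system names and account records are constructed sample data, and the record layout (account name, owner id, enabled flag) is an assumption.

```python
"""Ghost-account reconciliation: HR roster vs. per-system account exports.
All names, systems and records below are constructed sample data."""
from collections import defaultdict

# Authoritative identity source (constructed): employee id -> status
HR_ROSTER = {
    "e1001": "active",
    "e1002": "terminated",
    "e1003": "active",
}

# Per-system exports (constructed): (account, owner employee id or None, enabled)
SYSTEM_ACCOUNTS = {
    "network_login": [("asmith", "e1001", True), ("bjones", "e1002", False),
                      ("clee", "e1003", True)],
    "email":         [("asmith", "e1001", True), ("bjones", "e1002", True)],
    "fileserver_4f": [("bjones", "e1002", True), ("clee", "e1003", True)],
    "vpn":           [("bjones", "e1002", True), ("tmp_backup", None, True)],
}

def reconcile(roster, systems):
    """Return (ghosts, unowned).
    ghosts:  employee id -> [(system, account)] still enabled after termination.
    unowned: [(system, account)] enabled but tied to no one in the roster."""
    ghosts = defaultdict(list)
    unowned = []
    for system, accounts in sorted(systems.items()):
        for name, owner, enabled in accounts:
            if not enabled:
                continue  # already deprovisioned on this system
            status = roster.get(owner)
            if status is None:
                unowned.append((system, name))   # possible dummy account
            elif status != "active":
                ghosts[owner].append((system, name))
    return dict(ghosts), unowned

def report(roster, systems):
    """Render findings as one line per account that needs review."""
    ghosts, unowned = reconcile(roster, systems)
    lines = [f"GHOST   {emp} {system}:{name}"
             for emp, hits in sorted(ghosts.items()) for system, name in hits]
    lines += [f"UNOWNED {system}:{name}" for system, name in unowned]
    return lines

if __name__ == "__main__":
    print("\n".join(report(HR_ROSTER, SYSTEM_ACCOUNTS)))
```

In the sample data the terminated employee's main login is already disabled, yet the e-mail, file-server and VPN accounts remain, which is the partial-deprovisioning pattern the column describes.
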
