
Corporate IT Forum members are minimising internal
security threats - whether accidental or intended - by sharpening
processes and policies around access management and implementing
solutions for identity authentication and authorisation, writes
Ollie Ross, director of research at The Corporate IT
Forum.
But access management isn't a quick-win technology project. It's
a long-term commitment demanding significant organisational buy-in,
a thorough examination of business and company processes, probably
unprecedented co-operation between functions or departments, and
very often a shift in company culture.
Accrued access
Because access management means ensuring staff get access only to the
information and systems they require to do their job - regardless
of company status or seniority - it inevitably means taking away
access from some who have previously enjoyed it, such as senior
executives, time-served employees and "movers and shakers" within
the business.
In fact, it's these groups - where trust is very often implicit
and access-all-areas is associated with power and position - where
the risk of malfeasance carries the greatest impact and gaining
buy-in to change is hardest.
It's common for those progressing through and up an organisation
to carry their "access" with them as they move, and here lies a big
challenge. While there's often a major driver to provision access
so that people can take up new positions, there often isn't an
equivalent driver to decommission access.
However, the business risks and security implications must be
fully understood by all departments involved in the position change
and an audited process must be put in place for movers as well as
starters and leavers.
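The mover problem described above is easiest to see when each account's current entitlements are reconciled against the baseline its current role actually needs. The following script is an added illustration, not code from the article or from The Corporate IT Forum; the roles, entitlement names and accounts are constructed sample data, and the baseline sets stand in for whatever role model an organisation has agreed.

```python
"""Entitlement reconciliation for starters, movers and leavers.

Added illustration (not from the article): compare each account's current
entitlements with the baseline its current role requires and report what
should be revoked or granted. For a mover, the excess that matches the
previous role's baseline is labelled as accrued access. All roles, users
and entitlement names are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed role baselines: what each role needs to do the job, nothing more.
ROLE_BASELINES = {
    "sales_rep": {"crm_read", "crm_write", "email"},
    "sales_director": {"crm_read", "crm_write", "email",
                       "forecast_read", "forecast_approve"},
    "finance_analyst": {"ledger_read", "email", "forecast_read"},
    "dba": {"email", "db_admin", "backup_restore"},
}


@dataclass
class Account:
    user: str
    role: str                  # current role; empty once someone has left
    status: str                # "active", "mover" or "leaver"
    entitlements: set = field(default_factory=set)
    previous_role: str = ""    # set for movers so accrued access can be traced


def review_account(acct, baselines=ROLE_BASELINES):
    """Return excess, missing and accrued entitlements for one account."""
    # A leaver's baseline is empty: everything they still hold is excess.
    required = set() if acct.status == "leaver" else baselines.get(acct.role, set())
    excess = acct.entitlements - required
    missing = required - acct.entitlements
    # For a mover, separate out what was carried over from the old position.
    accrued = set()
    if acct.status == "mover" and acct.previous_role:
        accrued = excess & baselines.get(acct.previous_role, set())
    return {"excess": excess, "missing": missing,
            "accrued_from_previous_role": accrued}


def review_all(accounts, baselines=ROLE_BASELINES):
    """Return findings only for accounts that need action (excess or missing)."""
    findings = {}
    for acct in accounts:
        result = review_account(acct, baselines)
        if result["excess"] or result["missing"]:
            findings[acct.user] = result
    return findings


# Constructed sample register covering an active user, a mover and a leaver.
SAMPLE_ACCOUNTS = [
    Account("dave", "sales_rep", "active", {"crm_read", "crm_write", "email"}),
    # alice moved from sales into finance but still holds her CRM rights.
    Account("alice", "finance_analyst", "mover",
            {"crm_read", "crm_write", "email", "ledger_read", "forecast_read"},
            previous_role="sales_rep"),
    # carol was granted ledger access ad hoc; it is outside the dba baseline.
    Account("carol", "dba", "active",
            {"email", "db_admin", "backup_restore", "ledger_read"}),
    # bob has left but his account was never decommissioned.
    Account("bob", "", "leaver", {"email", "db_admin"}),
]

if __name__ == "__main__":
    for user, result in review_all(SAMPLE_ACCOUNTS).items():
        print(user, result)
```

Run as-is, the script reports nothing for dave, flags alice's two CRM entitlements as accrued from her previous role, flags carol's ledger access as excess that came from no role baseline, and lists everything bob still holds for revocation. The same reconciliation, run on a schedule against a real directory export, is the audited mover/leaver check the article calls for.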
Privileged accounts
Another focus for IT security chiefs is that of
"privileged accounts" - elevated access granted to computer
room staff, systems and database administrators and the like in
order to fulfil their administrative requirements.
Here again, the risks are high and strict rules and procedures
around rationing privileges, authorisation checking, usage and
password monitoring are required to manage the lifecycle of these
accounts. Some members of Tif's specialist security service have
even instigated mandatory training courses and compulsory
examinations for would-be privileged account holders.
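The lifecycle controls listed above (rationed and authorised grants, usage and password monitoring, and training for holders) can be expressed as a small review over a privileged account register. The script below is an added illustration, not code from the article or from The Corporate IT Forum; the register entries, the review date and the 30-day idle and 90-day rotation thresholds are constructed assumptions, not values the article gives.

```python
"""Privileged account lifecycle review.

Added illustration (not from the article): apply the controls the text
describes to a constructed register of privileged accounts and report
which entries need action. Thresholds, dates and records are assumptions.
"""
from datetime import date

MAX_UNUSED_DAYS = 30          # assumed: idle elevated access is withdrawn
MAX_PASSWORD_AGE_DAYS = 90    # assumed rotation period for privileged credentials


def review_privileged_account(acct, today):
    """Return a list of findings for one register entry (empty if compliant)."""
    findings = []
    # Rationing and authorisation: every grant must trace to an approver.
    if not acct.get("approved_by"):
        findings.append("no recorded authorisation")
    # Time-limited grants must be removed once they expire.
    expires = acct.get("expires")
    if expires is not None and expires < today:
        findings.append("grant expired on %s" % expires.isoformat())
    # Usage monitoring: unused privileges are the first candidates for revocation.
    last_used = acct.get("last_used")
    if last_used is None:
        findings.append("never used")
    elif (today - last_used).days > MAX_UNUSED_DAYS:
        findings.append("unused for %d days" % (today - last_used).days)
    # Password monitoring: rotation must be within the agreed period.
    rotated = acct.get("password_rotated")
    if rotated is None or (today - rotated).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password rotation overdue")
    # Mandatory training before holding a privileged account.
    if not acct.get("training_completed"):
        findings.append("mandatory training not completed")
    return findings


def review_register(register, today):
    """Map account name to findings, keeping only entries that need action."""
    report = {}
    for acct in register:
        findings = review_privileged_account(acct, today)
        if findings:
            report[acct["account"]] = findings
    return report


# Constructed review date and register; approver values are placeholders.
TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    {"account": "dba-svc-01", "approved_by": "change-board-placeholder",
     "expires": date(2024, 12, 31), "last_used": date(2024, 5, 30),
     "password_rotated": date(2024, 4, 1), "training_completed": True},
    {"account": "ops-admin-jsmith", "approved_by": "",
     "expires": None, "last_used": date(2024, 3, 1),
     "password_rotated": date(2024, 1, 1), "training_completed": True},
    {"account": "contractor-root", "approved_by": "change-board-placeholder",
     "expires": date(2024, 5, 15), "last_used": date(2024, 5, 31),
     "password_rotated": date(2024, 5, 1), "training_completed": False},
]

if __name__ == "__main__":
    for account, findings in review_register(SAMPLE_REGISTER, TODAY).items():
        print(account)
        for finding in findings:
            print("  -", finding)
```

On the sample register the service account passes, the ops admin account is flagged for lacking an authorisation record, sitting idle for 92 days and an overdue password rotation, and the contractor account is flagged for an expired grant and missing training. Each finding corresponds to one of the lifecycle rules the article describes, so the output is a direct to-do list for whoever owns the register.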
I've not mentioned tools so far, not because there aren't any,
but because most organisations only turn to tools once they have
outgrown their manual process, and the wisest know that you should
never try simply to automate existing processes.
Tools are invaluable, but secondary. They belong to the later
stages of an effective access management programme and should be
considered only once you have identified who needs what and what
processes you use to control this.