Controlling how staff access computer systems is a challenge that businesses in all sectors face. The experience of French bank Société Générale offers some sobering lessons for any business considering identity and access management.
Jerome Kerviel, a junior trader at Société Générale, hit the headlines in January when he used his knowledge of the bank's back office systems to cover up unauthorised trading that cost the company £3.6bn.
Kerviel joined SocGen in the back office compliance department
in 2000. He was transferred to the front office as a junior trader
in 2005. He later used his IT knowledge and passwords collected
over the years to circumvent controls and make high risk trades
without authorisation.
Drew Wagar, senior manager at professional service firm KPMG,
says a lot of organisations are now attempting to ensure they do
not suffer the same fate as SocGen. "The biggest problem is people
getting access rights in one part of an organisation and retaining
these rights when they move to another."
Other frequent ID and
access management bad practices include passwords not being
frequently changed, being shared and users logging on as other
people.
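As an added example (not from the article, the bank or KPMG), a small entitlement review in Python that flags the two failure modes described above: rights whose owning department is not the user's current one, and segregation-of-duties pairs that should never sit with one person. The department names, system names and dates are constructed.

```python
"""Entitlement review: flag access rights that survived a department transfer.

Added example, not the bank's or any vendor's code. A user's department
history and current entitlements are compared; rights owned by a department
the user has left are reported as stale, and pairs of rights that must never
be held together (segregation of duties) are reported as toxic.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entitlement:
    system: str        # name of the access right / application role
    owning_dept: str   # department whose systems this right belongs to


@dataclass(frozen=True)
class Assignment:
    dept: str
    start: date        # date the user joined this department


# Right pairs that let one person both execute and conceal trades (constructed).
TOXIC_PAIRS = {frozenset({"trade_booking", "trade_confirmation"}),
               frozenset({"trade_booking", "position_limits_admin"})}


def current_dept(history):
    """The assignment with the most recent start date is the current one."""
    return max(history, key=lambda a: a.start)


def stale_entitlements(history, entitlements):
    """Rights whose owning department differs from the user's current one."""
    now = current_dept(history)
    return sorted(e.system for e in entitlements if e.owning_dept != now.dept)


def toxic_combinations(entitlements):
    """Toxic pairs fully contained in the set of rights the user holds."""
    held = {e.system for e in entitlements}
    return sorted(tuple(sorted(p)) for p in TOXIC_PAIRS if p <= held)


def review(history, entitlements):
    return {"stale": stale_entitlements(history, entitlements),
            "toxic": toxic_combinations(entitlements)}


# Constructed sample: back office from 2000, moved to front office in 2005,
# with two back-office rights never revoked at transfer.
SAMPLE_HISTORY = [Assignment("back_office", date(2000, 8, 1)),
                  Assignment("front_office", date(2005, 3, 1))]
SAMPLE_RIGHTS = [Entitlement("trade_confirmation", "back_office"),
                 Entitlement("position_limits_admin", "back_office"),
                 Entitlement("trade_booking", "front_office")]

if __name__ == "__main__":
    print(review(SAMPLE_HISTORY, SAMPLE_RIGHTS))
```

Run as a scheduled job over a real HR feed and entitlement export, the same check turns a one-off transfer into a ticket for the revocation the article's case was missing.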
But technologies and procedures to protect information can be an obstacle to good business in some industries. PJ Di Giammarino, CEO at financial services think tank JWG-IT, says it can be challenging to put extra levels of staff authorisation on systems because companies can miss business opportunities if they put hurdles in front of workers.
Single-sign-on technology, which provides one log-in for
multiple applications, is ideal. But introducing this type of
technology can be difficult, because different business units
commission and develop systems under different budgets, he
says.
SocGen is in the middle of an £80m project to ensure no repeat
of an incident which shook the investment industry. The bank is
going as far as considering the use of biometrics to identify users
of particular systems as genuine.
According to Gartner, large companies are investing in
technology to help them restrict the use of passwords. More
companies are using software that can create a password for one
time use rather than allowing multiple people to share a password.
Adoption of this type of technology grew 50% worldwide in 2007,
says the analyst firm.
Controlling access is not always easy in large corporates and
can even be seen as an obstacle to business. But an incident on the
scale of the SocGen fraud has put the issue at the top of corporate
agendas. CEOs will ask CIOs to play a key role in introducing ID
and access management technologies, policies and procedures.
Box: Lessons from SocGen
Passwords should be frequently changed
Passwords must not be shared
Users must not log on as other people
Businesses cannot neglect security because it slows things down