There is a digital crime wave in progress. This year 90% of organisations will experience a security breach of some kind, whether by virus, denial of service attack, Trojan penetration, direct external hack or internal security compromise.
Digital crime used to be rare, because companies had just a handful of mainframes. Their use was confined to employees and they had fairly comprehensive security features built in. Things changed with the advent of PCs, which had no built-in security. However, it was the advent of the internet that saw digital crime explode.
From 1997 onwards, the level of digital crime started to double or more each year, according to CERT statistics. A large number of security attacks originate from inside the company or are assisted by someone on the inside. The proportion used to be in the region of 80%, until automated hacking became a common phenomenon; it is now more like 50%.
Automated hacking involves the use of software tools that automatically probe the internet for known security weaknesses. You can download such tools from the web for free and many apprentice hackers use them.
So the level of external danger has risen in comparison with internal dangers, but in reality both have risen dramatically. CERT also tracks known weaknesses in widely used software products and systems. These have been escalating since 1998, roughly doubling each year.
The 2002 FBI Computer Crime and Security Survey found that 85% of respondents detected security breaches in 2001, and 66% of them lost money as a consequence. Only 36% of respondents reported the crime. For the firms that were willing to estimate the cost, the average loss was more than $2m. The worst losses occurred through information theft and financial fraud.
Statistics such as these are useful in highlighting the level of risk, but these cost figures do not help you create a cost/benefit analysis to make a case for investment.
It is not an easy matter to estimate the cost of the security breaches that you prevent, so the benefit to the company is not easy to quantify. Nevertheless, there is a cost and it comes down to:
- The cost of removing the security vulnerability
- The cost of restoring any systems or data that were damaged
- The cost of the downtime for any systems put out of action
- The cost of damage to the company and its brand, if news of the problems leaks out
- The cost of any fraud that was perpetrated or consequential cost of stolen data
- Any legal liabilities.
To make matters worse, there is no level of investment that can guarantee 100% security. So this creates a conundrum for the IT director. IT security is, at best, a grudge purchase. How do you make it otherwise?
One approach is to carry out an identity management project.
One of the consequences of large-scale computer networking is that user identity and password management has become expensive and requires a lot of effort. Some estimates suggest that 50% of helpdesk calls are prompted by password management problems - often users simply forgetting the password. The cure for this is a fully automated identity management system - it can pay for itself fairly quickly and will improve password security considerably.
In most large companies, an audit will reveal that there are a large number of distinct environments or applications that require passwords and the definition of access rights. For example, in a US company I visited which had a network of about 1,100 computers, there were 48 different data stores holding definitions of what a user was and what permissions they had, although no user actually appeared in more than 10 of these. Because the data was horribly fragmented, there was no easy way of dealing with simple regular events such as staff joining or leaving the company.
The management of access was a tortuous and error-prone manual activity. It was often the case that months after a member of staff had left, their details and passwords still remained on some of the applications that they had once used. One side-effect of this was that the company was paying for too many software licences because it thought some applications had more users than they actually did. In some companies there have even been examples of salaries still being paid after an employee has left.
To resolve these problems, a central definition of identity is required that is capable of recording all the possible access permissions that a user might have and which can act as the hub of an automated provisioning system for all users. This is what identity management products attempt to provide: single sign-on and the automatic provisioning of capabilities to users.
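The reconciliation that such a hub performs can be illustrated with a small script. The following is an added example, not code from the article or from any of the products it names: it treats an HR feed as the authoritative source of identity, compares it against several fragmented application user stores, and reports the orphaned accounts of leavers, accounts no central record knows about, the licences they still consume, and how long each orphaned account has outlived its owner's departure. The HR feed, the application stores, the account names and the dates are all constructed for the example.

```python
"""
Added example (not from the article): reconcile fragmented application user
stores against a single authoritative identity source, as a central identity
hub would, to find orphaned accounts left behind by leavers and the licences
they still consume. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed authoritative source (the HR feed an identity hub would consume).
# status is "active" or "left"; left_on is the leaving date for leavers.
HR_RECORDS = {
    "asmith": {"status": "active", "left_on": None},
    "bjones": {"status": "left", "left_on": date(2002, 3, 31)},
    "cwong":  {"status": "active", "left_on": None},
    "dpatel": {"status": "left", "left_on": date(2001, 11, 15)},
}

# Constructed per-application user stores: each has its own idea of who
# exists and what rights they hold, with nothing tying them together.
APP_STORES = {
    "erp":   {"asmith": {"admin"}, "bjones": {"user"}, "dpatel": {"finance"}},
    "email": {"asmith": {"user"}, "bjones": {"user"}, "cwong": {"user"}},
    "crm":   {"cwong": {"user"}, "dpatel": {"user"}, "ghost": {"user"}},
}

# Constructed "today" for the reconciliation run.
TODAY = date(2002, 6, 1)


@dataclass
class ReconcileResult:
    orphaned: dict = field(default_factory=dict)              # app -> leavers' accounts
    unknown: dict = field(default_factory=dict)               # app -> accounts HR never saw
    reclaimable_licences: dict = field(default_factory=dict)  # app -> licences to reclaim


def reconcile(hr, stores, today):
    """Compare every application store with the HR source of truth.

    An account is orphaned when its owner has already left; it is unknown when
    HR has no record of it (a local account nobody provisioned centrally).
    Both count as reclaimable licences, because the application still counts
    them as users.
    """
    result = ReconcileResult()
    for app, accounts in stores.items():
        orphaned, unknown = set(), set()
        for account in accounts:
            record = hr.get(account)
            if record is None:
                unknown.add(account)
            elif (record["status"] == "left"
                  and record["left_on"] is not None
                  and record["left_on"] <= today):
                orphaned.add(account)
        result.orphaned[app] = orphaned
        result.unknown[app] = unknown
        result.reclaimable_licences[app] = len(orphaned) + len(unknown)
    return result


def deprovision_plan(result, stores):
    """Ordered list of (app, account, rights) tuples an automated hub would
    disable, sorted so the output is stable and reviewable."""
    plan = []
    for app in sorted(stores):
        for account in sorted(result.orphaned[app] | result.unknown[app]):
            plan.append((app, account, sorted(stores[app][account])))
    return plan


def days_orphaned(hr, result, today):
    """Days each orphaned account has survived its owner's departure."""
    out = {}
    for app, accounts in result.orphaned.items():
        for account in accounts:
            out[(app, account)] = (today - hr[account]["left_on"]).days
    return out


if __name__ == "__main__":
    res = reconcile(HR_RECORDS, APP_STORES, TODAY)
    for action in deprovision_plan(res, APP_STORES):
        print("disable", action)
    print("reclaimable licences:", sum(res.reclaimable_licences.values()))
    for key, days in days_orphaned(HR_RECORDS, res, TODAY).items():
        print(key, "orphaned for", days, "days")
```

Run as a script it lists five accounts to disable across the three stores, counts five reclaimable licences, and shows one account that has outlived its owner by more than six months. In a real deployment the dictionaries would be replaced by connectors to the HR system and to each application's directory, and the plan would be executed rather than printed, but the joining logic is the same.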
There are several IT suppliers with products in this area, including Computer Associates, IBM Tivoli, Novell, and less familiar names such as Netegrity, Oblix, Thor and Waveset. None of them can yet claim to resolve the problem without some work on the part of the IT department, but they can provide a good proportion of the solution.
The return on investment from a well-run project of this kind is fast, with break-even achievable within a year. The primary benefit to end-users is that computer access is simplified and it is possible to get access rights changed quickly and cleanly. The IT department wins through reduced helpdesk and staffing costs and improved security.
Identity management projects pay for themselves and deliver improved security as a side effect.
Robin Bloor is chief executive at Bloor Research
Five good reasons to use an identity management system
- This year, 90% of organisations will experience a security breach of some kind. Half of all security breaches originate from inside the company
- Identity management systems speed up what was a labour-intensive process, reducing costs and improving security by closing down expired rights automatically
- Some companies pay for too many software licences because of out-of-date user lists
- ID management systems can enable end-users to get access rights and passwords changed quickly and easily, reducing helpdesk costs
- The return on investment from a well-run project of this kind is fast, with break-even achievable within a year.