SocGen teaches lessons in ID and access management

Controlling how staff access computer systems is a challenge that businesses in all sectors face.

The experience of French bank Société Générale offers some sobering lessons for any business considering identity and access management.

Jérôme Kerviel, a junior trader at Société Générale, hit the headlines in January when he used his knowledge of the bank's back-office systems to cover up unauthorised trading that cost the company £3.6bn.

Kerviel joined SocGen in the back-office compliance department in 2000 and was transferred to the front office as a junior trader in 2005. He later used his IT knowledge, and passwords collected over the years, to circumvent controls and make high-risk trades without authorisation.

Drew Wagar, senior manager at professional services firm KPMG, says many organisations are now trying to ensure they do not suffer the same fate as SocGen. "The biggest problem is people getting access rights in one part of an organisation and retaining these rights when they move to another."
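As an added illustration of the "mover" problem Wagar describes (this is example code written for this page, not code from the article, KPMG or the bank), the following Python reconciles an access-rights dump against HR transfer records and flags entitlements owned by a department the user has since left. The record layouts and the sample user, departments and systems are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Transfer:          # one HR record: user moved between departments
    user: str
    from_dept: str
    to_dept: str
    effective: date

@dataclass(frozen=True)
class Entitlement:       # one row of an access-rights dump
    user: str
    system: str
    owner_dept: str      # department that owns and approves access to this system
    granted: date

def departments_left(transfers):
    """Map user -> {department: date the user last left it}.

    A department the user later moves back into is dropped again, so only
    departments the user is currently outside of remain in the map.
    """
    left = {}
    for t in sorted(transfers, key=lambda t: t.effective):
        per_user = left.setdefault(t.user, {})
        per_user[t.from_dept] = t.effective
        per_user.pop(t.to_dept, None)
    return left

def stale_entitlements(transfers, entitlements):
    """Return (entitlement, reason) pairs for rights owned by a department the user has left."""
    left = departments_left(transfers)
    findings = []
    for e in entitlements:
        date_left = left.get(e.user, {}).get(e.owner_dept)
        if date_left is None:
            continue  # user never left the owning department: not a mover issue
        reason = "retained_on_transfer" if e.granted <= date_left else "granted_after_leaving"
        findings.append((e, reason))
    return findings

# Constructed sample: a back-office joiner who later moved to the trading desk.
TRANSFERS = [Transfer("jdoe", "back_office", "front_office", date(2005, 3, 1))]
ENTITLEMENTS = [
    Entitlement("jdoe", "trade_reconciliation", "back_office", date(2000, 8, 1)),  # should have been revoked on the move
    Entitlement("jdoe", "trading_platform", "front_office", date(2005, 3, 2)),     # legitimate for the new role
    Entitlement("jdoe", "limits_override", "back_office", date(2006, 1, 10)),      # granted by a department the user had left
]

if __name__ == "__main__":
    for ent, why in stale_entitlements(TRANSFERS, ENTITLEMENTS):
        print(f"{ent.user} {ent.system} ({ent.owner_dept}, granted {ent.granted}): {why}")
```

Run against a real dump, each finding is a candidate for revocation or re-approval by the current line manager; the "granted_after_leaving" reason is the stronger signal, since it shows the owning department approving access for someone no longer in it.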

Other common ID and access management failings include passwords that are rarely changed or are shared between staff, and users logging on under other people's accounts.

But technologies and procedures to protect information can be an obstacle to good business in some industries. PJ Di Giammarino, CEO at financial services think tank JWG-IT, says it can be challenging to add extra levels of staff authorisation to systems, because companies can miss business opportunities if they put hurdles in front of workers.

Single sign-on technology, which provides one log-in for multiple applications, is the ideal. But introducing it can be difficult, because different business units commission and develop systems under different budgets, he says.

SocGen is in the middle of an £80m project to ensure there is no repeat of an incident that shook the investment industry. The bank is even considering the use of biometrics to confirm that users of particular systems are who they claim to be.

According to Gartner, large companies are investing in technology to help them restrict the use of passwords. More companies are using software that generates a password for one-time use rather than allowing multiple people to share a password. Adoption of this type of technology grew 50% worldwide in 2007, says the analyst firm.

Controlling access is not always easy in large corporates and can even be seen as an obstacle to business. But an incident on the scale of the SocGen fraud has put the issue at the top of corporate agendas. CEOs will ask CIOs to play a key role in introducing ID and access management technologies, policies and procedures.

Box: Lessons from SocGen

Passwords should be frequently changed

Passwords must not be shared

Users must not log on as other people

Businesses cannot neglect security just because it slows things down
