Do You Know Where Your Data Is?


July 03 2009


When employees leave a job, none should retain access to proprietary data and organizational information. However, according to a survey by Cloakware, 14% of former company employees still have access to such information. The question is: What do data center and IT managers at SMEs need to be doing to make sure they have access management under control? This is of special concern because layoffs and job cuts have been happening at an alarming pace over the past few months.


Access Reasons

Rob Grapes, chief technologist at Cloakware, says there are many reasons former employees still have access to company data and information after they’ve left. Grapes comments, “It may be that they actually took the data with them before leaving the organization, perhaps on disk or USB token. Sometimes employees—especially administrative employees—have had remote access to their employer’s networks to perform administrative tasks after hours, and these mechanisms were not disabled with their departure from the organization.”

Chris Wraight, senior director of security management at CA, says another reason is a lack of data-use controls across the enterprise. “Without these controls,” Wraight says, “employees will be able to misuse data. Misuse takes many forms, including saving files to portable media, emailing or transporting data, and more. In addition, organizations need to consider that a user’s access to data should change depending on their identity.”

Kurt Johnson, vice president of corporate development at Courion, says many companies lack insight into which applications and systems each employee has access to. He notes, “Companies don’t revoke access to particular systems because they aren’t even aware that an employee had access in the first place. In fact, a recent survey conducted by Courion indicates that 53% of large enterprises have limited or no knowledge of which systems or applications their employees have access to.”

Be Concerned

David Ting, co-founder and CTO of Imprivata, says that with the current state of the economy, layoffs are more frequent, often spanning different areas of the company and affecting users with many different access privileges. “Deprovisioning access for multiple employees to multiple data sources is a significant effort if an efficient employee access management system is not in place,” says Ting.

Ting says even the threat of future layoffs in this increasingly competitive job market has the potential to drive unethical people to steal company-owned data that may be useful to them in the future or make them a more attractive hire to a new employer. “Without proper access management controls in place,” Ting says, “there is no deterrent to prevent terminated employees and contractors from helping themselves to corporate assets on their way out the door.”

Grapes says, “Most former employees are ‘good’ by nature, but it has been proven that with minimal controls and a sense of impunity, even good employees will do bad things.” Grapes notes that if companies have adequate security standards and practices in place, they can deter at least two-thirds of the insider attacks from good-natured people compelled to do bad things due to circumstance alone.

Take Action

According to Johnson, the first step to getting access management under control is to implement a comprehensive IAM (identity and access management) strategy that includes automated provisioning and deprovisioning of employee access. “Ultimately, an integrated IAM solution should be able to define policy, apply policy by enabling specific access rights, monitor and detect user activity, remediate access rights or policy, and validate that user access rights are consistent with policy,” he says.

Johnson says organizations should utilize such solutions to ensure that only the right people have access to the right resources and are doing the right things. He adds, “Aside from the obvious security benefits derived from having visibility into and control over access rights, there are numerous ancillary business benefits, such as improved operational efficiencies, increased employee productivity, and improved compliance reporting, that can also result.”

In Wraight’s opinion, putting a strategy in place for integrated identity and access management is key. “Ensure that it considers provisioning and deprovisioning users, but it also needs the server resource protection aided by access control,” he says. “The strategy should consider an initiative to protect servers in a cross-platform environment. This protection should encompass server access as well as privileged users, in addition to devices and applications.” Wraight says the strategy should also ensure that it delivers centralized technologies and reporting tools to facilitate audits and prove compliance.

Knowledge & Timing

Ting says there are two things IT managers need to control access and prevent data breaches: knowledge and timing. “IT managers need to know how each employee is accessing the company’s network,” he says. “Setting policy isn’t enough; with today’s tech-savvy workforce, IT managers need to be able to have controls in place that protect their data and show exactly when, where, and how employees are using it.” Ting says this way, there are no surprises when you discover a rogue personal device or hotspot that has been exposing your network.

Ting says timing is just as important. “While technology-based solutions for access management make it much easier to understand and connect the physical and logical identities of an employee—enabling both to be shut off at the same time—IT managers need to, at the very least, have a policy in place that directs staff to shut off building and IT access at the same time,” Ting says. He says automating this process with employee access technology will make it a one-step process, ensuring that access is eliminated at the same time.

The most difficult part of managing and mitigating insider threats, according to Grapes, is maintaining a balance that enables individual access to this data as part of the job, yet secures and monitors use of these critical resources. Grapes concludes, “Companies need to intensively monitor and manage access to critical information assets in all facets of the organization with proactive warning systems to circumvent critical incidents and limit exposure to agency credentials and vital information. These companies must remember that even trusted insiders need to be scrutinized.”

Special Issues For The Mobile Workforce

“Telecommuters or mobile workers are likely the future of the workforce but are also a huge pain for IT managers,” says David Ting, co-founder and CTO of Imprivata. “These workers need to be able to access company systems and data as needed on their terms. There is little that can be done about the mixing of company work on personal devices—even if work is done on a company-owned device, the network it’s done on is still the employee’s.”

Ting says the technology you use to manage system access must also have built-in controls to authenticate mobile workers. Alongside built-in fraud prevention, Ting says, there have to be flags that go up to warn IT managers so any intruders can be shut down before gaining access.


 

Reproduced from an article published by Processor
© Processor

The original article can be viewed here:
http://www.processor.com/editorial/article.asp?article=articles%2Fp3118%2F3...
