Home page logo

isn logo Information Security News mailing list archives

Need to ratchet up security? Start by centralizing the job
From: InfoSec News <isn () c4i org>
Date: Wed, 31 Oct 2001 04:36:10 -0600 (CST)


Robert Vamosi,
Associate Editor,
ZDNet Reviews
Wednesday, October 31, 2001  

As we take security more seriously, as we put more obstacles between
the outside world and the inner secrets of our PCs, we're complicating
our lives--in both good ways and bad. On the plus side, we are more
securely guarding our private data. On the other hand, as we increase
the number of permissions and passwords, we create a bigger job for
corporate IT departments.

Identity management--a strategy whereby companies centrally control
all of a user's various accounts, access codes, passwords, etc.--can
simplify this task and, in theory, free up resources to work on
network security services.

I RECENTLY HEARD this pitch from a PriceWaterhouseCoopers consulting
team. I immediately questioned whether a centralized profile system
would actually be easier for someone to crack. They cited some
persuasive counterarguments. Centralized security, which at first
struck me as a bad idea, appears to offer many benefits.

Consider your banking habits. You have a checking account, a savings
account, a money market account--you may even have an online brokerage
account. You might also have a joint checking account with your
spouse, under your spouse's name and Social Security number.

Now consider your office. You may have access to two or three
printers, two or three internal servers, and perhaps a virtual private
network (VPN). With all these accounts, you are the common
denominator. A centralized identity management system could collect
this data into one, easy-to-administer location.

NEXT, LOOK AT the risks of maintaining decentralized systems. A small
corporate IT force can be overwhelmed with daily permissions requests.
I've heard horror stories of IT workers granting users more access
than necessary in order to limit their open call tickets, and of
accounts vanishing overnight because the overworked IT staff made
mistakes. Both cost their companies time and money.

Mistakes tend to coincide with times of rapid growth within a company,
or when deploying new initiatives. For some reason, companies seem to
loathe hiring more IT personnel during such times, leaving the
existing IT staff with meager resources and monumental tasks.

During an economic downturn, when large numbers of employees are laid
off, security only becomes more complicated. Often there are no clear
records of what permissions existed for each employee. IT might delete
a former employee's main network login profile, but HR may not get
around to removing his or her e-mail account until much later. And
what about the terminated employee's special access to the remote file
server on the 4th floor? Or his special VPN privileges? There are
"ghosts," fragments of past employees, swirling within most large
corporate systems today.

Fortunately, these ghosts rarely cause harm. However, if someone gets
advance word of his termination, he might set up dummy accounts and
later try to ferret out these ghost permissions, and gain access to
systems where he could do some real damage.

THIS TYPE OF "inside attack"--an attack carried out against a company
by its own employee--is said to account for about 70 percent of all
security breaches. An inside attack can be anything that costs the
company time, money, or causes the loss of proprietary information.
This includes the employee who shuts down the e-mail server with spam
or viruses, the employee who locks out co-workers from their accounts
and privileges, and certainly anyone who sells or gives away propriety
information. Inside attacks are often carried out by former employees,
and companies usually don't report them to the outside world, mostly
to protect their corporate image.

Centralized control of employees' security information allows IT
staffs to efficiently provision new employees as well as terminate
past employees. In theory, it should make the IT department free to
run more audits, be more vigilant with existing accounts, and truly
safeguard the primary point of entry into the core system.

Other selling points for centralized management: employees are less
likely to become a future risk if they know their actions are being
monitored, and in general, efforts to contain inside risks restrict
outsiders from breaching security as well. Given the benefits, I think
we're going to hear more about identity management in the near future.

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
  • Need to ratchet up security? Start by centralizing the job InfoSec News (Oct 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]