
Quocirca's Straight Talking: Who accesses your systems?
By Fran Howarth
Published: 18 March 2008 12:48 GMT
Organisations are using identity management systems to cut the risk of data security breaches. That's a step in the right direction, says Fran Howarth - but they still need a number of other measures.
Most CIOs have a list of compliance regulations as long as their arm. At the top of that list sits data protection - the single most important legal issue by a wide margin, according to a recent Quocirca survey of 250 German, UK and US executives.
No one wants to be the next TK Maxx, whose parent company TJX had more than 45 million customer records stolen by hackers. More than 60 banks around the world reported fraudulent transactions based on the stolen credit card data.
So organisations are turning to identity and access management technologies. These systems tie access to resources to the rights associated with a particular user or role.
This technology lets organisations demonstrate that effective controls have been placed on who can access valuable assets, enabling them to prove they are protecting their data and meeting the compliance mandates imposed on them.
The technology automates tasks such as resetting passwords. As reliance on technology has grown, the number of passwords assigned to each user has mushroomed. This leads to insecure password management practices and also creates headaches for helpdesks that must reset forgotten passwords manually - a cost that is entirely avoidable.
This still leaves the problem of computer users having too many passwords to remember. To solve this issue, identity and access management systems offer single sign-on, whereby users authenticate themselves at one primary interface to gain access to all resources that they have been assigned the right to use.
This can be done for all assets in an enterprise or, through use of federation standards, can be extended to applications hosted by business partners or third parties without the need for users to reauthenticate themselves when accessing each resource.
Because a user now has, theoretically, just the one user name and password combination for accessing all the resources to which they are entitled, the onus is on organisations to ensure that the initial authentication event is genuine and that it could not be an impostor who has stolen these credentials. To provide an additional layer of security, strong authentication techniques are coming into wider usage.
But even the most virtual of organisations has physical assets of some sort - and many of these assets are used to store or produce data, such as storage systems and printers.
Organisations need to ensure such devices are included in the identity management systems they put in place - for example, by requiring employees to use a personal swipe card to gain access to printers and photocopiers, which can also provide an audit trail of all actions taken.
Companies should also develop policies around use of portable storage devices such as CDs and USB memory sticks and consider using technologies to block their use so that they cannot be used to leak data out of an organisation.
There is also one further step organisations can take to make sure their security controls are watertight - they can tie physical access controls in with logical access to the corporate network. This means they can not only ensure that a person is who they say they are, but also tie that identity to the person's physical location.
By converging physical and logical access controls, access to the computer network can be denied to all those who have failed to present their security badge when entering the organisation's facilities.
Location-based authentication also means that access rights can be set according to the physical location of a user logging into the corporate network.
For example, a user logging in from a remote location using a VPN tunnel could be allowed to access office productivity tools but denied access to the customer relationship management system or financial records when they are not at the office.
When all access controls - logical and physical - and authentication to all types of assets are tied together in one identity management system, organisations can manage all authentication events through one centralised management system.
This provides them with the ability to report on all access and authentication events and to prove who has accessed what, when, from where and what they did with the information contained in those assets.
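The converged control the column describes - role-based entitlements, denial of network access when no badge was presented at the door, location-dependent restrictions for a VPN user, and an audit record of who accessed what, when and from where - can be sketched as a small policy evaluator. This is an added example, not code from the column or from any product it refers to; the roles, resource names, the badge and location fields, and the rule that the CRM and financial records are on-site only are constructed assumptions.

```python
"""Toy converged physical/logical access policy with an audit trail.

Added illustration (not from the column). The roles, resources and
rules below are constructed sample data, not a real deployment.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Role -> resources that role is entitled to use (constructed sample data).
ROLE_ENTITLEMENTS = {
    "sales": {"email", "office-suite", "crm"},
    "finance": {"email", "office-suite", "financial-records"},
    "contractor": {"email", "office-suite"},
}

# Resources considered sensitive enough to require on-site presence
# (constructed assumption mirroring the CRM / financial-records example).
ONSITE_ONLY = {"crm", "financial-records"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    location: str        # "office" or "vpn" (where the login originates)
    badged_in: bool      # did the physical access system see this badge today?
    authenticated: bool  # did the primary single sign-on authentication succeed?


@dataclass(frozen=True)
class AuditEvent:
    when: str            # ISO-8601 timestamp of the decision
    user: str
    resource: str
    location: str
    decision: str        # "allow" or "deny"
    reason: str


class AccessPolicy:
    """Evaluates requests and records every decision for later reporting."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def decide(self, req: AccessRequest,
               now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Return (allowed, reason) and append an audit event."""
        allowed, reason = self._evaluate(req)
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append(AuditEvent(
            stamp, req.user, req.resource, req.location,
            "allow" if allowed else "deny", reason))
        return allowed, reason

    @staticmethod
    def _evaluate(req: AccessRequest) -> Tuple[bool, str]:
        # 1. The single sign-on event itself must have succeeded.
        if not req.authenticated:
            return False, "primary authentication failed"
        # 2. Role-based entitlement: the role must grant this resource.
        entitled = ROLE_ENTITLEMENTS.get(req.role, set())
        if req.resource not in entitled:
            return False, f"role '{req.role}' not entitled to '{req.resource}'"
        # 3. Converged physical/logical control: someone claiming to be in
        #    the office must have presented a badge at the entrance.
        if req.location == "office" and not req.badged_in:
            return False, "no security badge presented at facility entry"
        # 4. Location-based restriction: sensitive systems are on-site only.
        if req.resource in ONSITE_ONLY and req.location != "office":
            return False, f"'{req.resource}' is restricted to on-site access"
        return True, "entitled and location checks passed"

    def report(self, user: str) -> List[AuditEvent]:
        """Who accessed what, when and from where, for one user."""
        return [e for e in self.audit_log if e.user == user]


if __name__ == "__main__":
    policy = AccessPolicy()
    at = datetime(2008, 3, 18, 12, 48, tzinfo=timezone.utc)
    print(policy.decide(AccessRequest("alice", "sales", "crm", "office", True, True), at))
    print(policy.decide(AccessRequest("alice", "sales", "crm", "vpn", False, True), at))
    print(policy.decide(AccessRequest("alice", "sales", "office-suite", "vpn", False, True), at))
    for event in policy.report("alice"):
        print(event)
```

The audit log is the part that makes the reporting claim concrete: every decision, including denials, is recorded with the origin of the request, so an auditor can reconstruct who reached which asset and from where. A real system would also need tamper-resistant log storage and a reliable feed from the physical access system, both of which this sketch assumes.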
Because organisations are in the position to report on all events, they can prove through audits that the actions they have taken have been successful.
They can also show, therefore, through those audits that they are complying with data protection regulations - as well as satisfying the requirements of a number of other regulations with which they must comply.