printer friendly version

Fighting ID theft across the enterprise

Know the risk and do not pay the price.

It is no surprise to find security remains high on today’s business agenda. But the nature of the threat is changing as technology becomes more sophisticated and is increasingly shaping the way we work.

Organisations have the power to store more sensitive information than ever before and IT developments now pave the way for the increasing numbers of mobile and freelance workers. This has created a complex challenge that many companies are trying to address: how to manage and protect the personally identifiable information (PII) of their workforce.

Identity management goes beyond simply requiring a one-off solution that can be solved overnight. It is time to take this threat seriously and to devise a security policy that is practical and realistic, and that can be monitored and adapted to keep pace with the ID thieves.

What is at risk?

The risk of stolen identity is emerging as a number one issue for organisations to tackle, with the worldwide identity and access management market expected to exceed $5 billion in revenue by 2010. To add to this, an alarming 90% of IT attacks are internal according to Gartner and this figure shows no signs of slowing down. So are businesses doing everything they can to ward off the threat from within? And what is the damage when it all goes wrong?

The task should first be to identify what is at risk, where that danger emanates from and to assess what measures can be put in place to safeguard against this. To battle against the growing threat of stolen identity, organisations must be able to establish, control and terminate their employees’ various user rights.

Organisations most vulnerable to stolen identity are those storing vast amounts of personally identifiable information (PII), such as credit card details and social security numbers. Managing sensitive identity data in a heterogeneous environment is a universal IT challenge. But despite regulations and auditors dictating how identity information is being used and stored, the fast pace and high turnover of today’s workforce means many organisations are left exposed with unprotected systems.

Working with the enemy

Businesses have traditionally guarded against hackers and external threats, but now with staff turnover increasing and more IT dependence on employees like the database administrator, the biggest threat to identity theft is from staff themselves.

Basic errors are being made at the staff induction stage, when organisations do not establish a clear agreement on the access rights that people in different job roles should have. In addition, people often change jobs within the company and it is less common to reduce access than to grant it. As a result, employees end up with more access than is necessary for them to do their current job.

The other side of this is the issue of de-provisioning. Many companies overlook how to deal with the termination of ex-employees' access rights to ensure that systems and applications are not open to them after they have left. Over time, an employee can amass a number of passwords to different applications, and without a centralised ID management process in place, there is no way of knowing what the employee had access to, and therefore what needs to be terminated. Companies need to be able to switch off access as soon as an employee leaves.

Paying the price

The cost of a disgruntled ex-employee compromising a system they still have access to could run into millions. However, though stolen PII will cost an organisation financially, the deficit can be made up over time. On the other hand, in terms of damage to brand reputation and customer relationships – this can be irreparable. Stolen PII reduces customer confidence and has the potential to have a long-term and detrimental impact on any business. Take online services as an example. A case of stolen identity creates a culture of mistrust. If customers using the Internet to check account details or sign up for extra services on a regular basis start to question their safety whenever they log on, the effect on sales could be devastating.

Damage and risk limitation

So what can a business do to protect itself? First evaluate the risk, look at organisational structure and then put a security policy in place that is practical, but not intrusive. It may even be useful to assign a group, for example a Risk Management Committee to manage the whole process, ensuring that a policy is enforced effectively using the right technology. The key is not only to put the controls in place but to also monitor the technology to check it works. It is crucial to log all activity around which systems are being accessed and by whom. Reports can then be generated to reveal patterns and trends of misuse.

By having a security policy in place, organisations can implement identity management technology solutions to manage the end-to-end lifecycle of user identities across the enterprise. This helps businesses to deploy applications faster, apply the most granular protection to resources, and to automatically eliminate latent access privileges. To protect PII, sensitive data can be encrypted into database columns to increase protection against high-end internal and external threats.

Oracle Identity Management offers customers a complete end-to-end solution with enhanced functionality that meets all customer identity management requirements. Oracle continues to strengthen its offering following a raft of acquisition activity, providing the best technology to help customers make smart decisions about their security policy and manage the end-to-end lifecycle of user identities across the enterprise.

For example, Norsk Hydro ASA needed to provide reliable, secure access for its 50 000 users and to administer user rights and privileges consistently and efficiently. The company implemented a security policy and accessed a centralised, secure system that is shared by all applications. This has enabled it to ensure high security and data quality across the enterprise. Without tools like these, Norsk Hydro would never be able to open its systems to external users.

The challenge for Swisscom IT Services was how to improve overall security and manage 20 000 external customer and partner users. Through adopting identity management solutions, the company has simplified the security process to improve productivity and reduce costs. It can now give both employees and external contacts access to the information and services that they need, no matter where they are.

The objective of any long-term identity management policy should be to control, monitor and improve the technology and business processes involved in the project. It is crucial for security policies to be managed closely to adapt to changing circumstances and maximise the business value from IT. Any business which is not keeping its strategy under almost constant review will soon get left behind, and will consequently head into dangerous territory.

Share this article:

Further reading: