Security Steps 5 and 6
By Ericka Chickowski | Posted 2009-03-20
Here are 10 ways to protect your company’s data.
5. IDENTITY AND ACCESS MANAGEMENT
One of the key components of any security program is the control of information access based on individual rights and responsibilities. As your enterprise establishes access policies based on identity, you need to institute technologies that ensure people are allowed access only to the information they’re entitled to see or manipulate.
“You need to have a rigorous process in place to allow you the opportunity to manage access to the maximum extent,” says Mark Ford, a principal in Deloitte & Touche’s Security & Privacy Services practice. He adds that too many application silos across IT infrastructures have resulted in a disordered environment for access control.
“It’s been one of the least looked-at aspects of IT environments for many years,” Ford says. “Identity management is really pulling those pieces together. And by allowing you to start to manage it centrally, it gives you the opportunity to take out some of the bad parts.”
For example, one of the “bad parts” is simply relying on the antiquated user name and password setup that’s so prevalent in IT. Second-factor authentication—biometrics, tokens and the like—is a good place to start. And single sign-on technologies can help you tie together the silos Ford mentions.
It’s also important to find a way to handle identity across different organizations and infrastructures when you’re partnering with other enterprises. For example, at the New York-based pharmaceutical company Bristol-Myers Squibb, Shailesh Patel, senior advisor for identity and access engineering, is responsible for making sure BMS can share information safely with other pharmaceutical companies without allowing those partners access to sensitive intellectual property.
Bristol-Myers Squibb uses CA Federation Manager and CA SiteMinder to control and manage identities on either side of a Web portal. This ensures that only the data the company identifies will be shared and that when BMS employees sign on to partner applications, their credential information will not be compromised.
“This prevents a lot of issues, such as man-in-the-middle attacks and denial-of-service attacks,” says Patel. “Plus, with this sort of implementation, you’re not just making sure information is exchanged securely. You’re also making sure that the identity information is created very easily, and that saves time.”
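The federation arrangement described above, where a home organization vouches for an employee to a partner without ever handing over the employee's password, can be illustrated in a few dozen lines. The following is an added example, not code from the article and not CA Federation Manager or SiteMinder: it uses a shared HMAC key as a stand-in for the signed assertions those products exchange, a hypothetical issuer name `idp.home.example`, and a constructed attribute-release list. The identity provider mints a short-lived assertion containing only the attributes the company has decided to share, bound to one partner; the partner checks the signature in constant time, then the audience, then the expiry, and rejects anything else.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key shared by the home identity provider (IdP) and the
# partner service provider (SP). Real federations use asymmetric keys or a
# SAML/OIDC trust configuration; a symmetric key is used here only to keep
# the example self-contained.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Attribute release policy: only these fields about an employee ever leave the
# home organization. Credentials (password hashes, etc.) are never included.
RELEASED_ATTRIBUTES = ("employee_id", "display_name", "role")

ISSUER = "idp.home.example"  # hypothetical issuer name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(user_record: dict, audience: str, ttl_seconds: int = 300,
                    now: Optional[float] = None) -> str:
    """IdP side. After authenticating the user locally (not shown), mint a
    signed assertion that carries only released attributes, names exactly one
    partner as its audience, and expires after ttl_seconds."""
    now = time.time() if now is None else now
    claims = {k: user_record[k] for k in RELEASED_ATTRIBUTES if k in user_record}
    claims.update({"iss": ISSUER, "aud": audience,
                   "iat": int(now), "exp": int(now) + ttl_seconds})
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_assertion(token: str, expected_audience: str,
                     now: Optional[float] = None) -> Optional[dict]:
    """SP side. Verify the signature before parsing anything, then enforce
    audience and expiry. Returns the claims on success, None on any failure,
    so a partner never learns which check rejected a bad token."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64, bad JSON, missing separator
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    # Constructed employee record; note the password hash stays at home.
    employee = {"employee_id": "E-1001", "display_name": "A. Researcher",
                "role": "researcher", "password_hash": "local-only"}
    token = issue_assertion(employee, "portal.partner.example")
    print(verify_assertion(token, "portal.partner.example"))
```

The two properties the article attributes to the BMS setup map directly onto the code: the attribute filter in `issue_assertion` is the "only the data the company identifies will be shared" control, and the absence of any credential in the assertion is what keeps employee passwords out of the partner's hands. The audience check is what stops a partner that receives an assertion from replaying it to a different partner.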
6. SECURING THE MOBILE ENTERPRISE
As BlackBerry phones, iPhones and other smartphones advance their data-access capabilities, they obviously become more important tools for road warriors and executives. However, at the same time, they become a huge IT liability. Smart management of these devices must be treated as an important piece of the information security puzzle. Be wary, though, of locking down the smartphones to the point that it becomes impossible to use them for business applications.
One major challenge is that the IT department often doesn’t “own” these devices, and IT never owns the network over which these smartphones ultimately transmit information, says Steven Ferguson, senior network engineer for the Technical College System of Georgia in Atlanta. The college uses a security service called Purewire to institute policy-based controls over its end users’ smartphone activities on the Internet.
“We’re able to stop access to a bad Web site before there’s even an opportunity to infect one of our devices,” Ferguson says. “Our approach is to lock down appropriate employee devices with policies so they don’t have access to certain types of data or certain types of abilities to spread data. The service itself protects against internal threats by blocking access to known data mining sites and things of that nature.”
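The policy-based control Ferguson describes, blocking a device's request to a known-bad site before the page is ever fetched, is essentially a URL decision function evaluated per device group. The block below is an added example written for this article, not Purewire's service or the college's configuration; the blocklist entries, the `.test` domains and the two device groups are all constructed placeholders. It shows the parts such a filter must get right in practice: normalizing the host (case, trailing dot, userinfo and port) so the decision applies to the host the device will actually connect to, matching subdomains of a blocked name without matching look-alike names, and refusing raw IP literals that would sidestep name-based policy.

```python
import ipaddress
from typing import NamedTuple, Optional, Set
from urllib.parse import urlsplit

# Constructed blocklist (placeholders, not real indicators): a name here blocks
# the name itself and every subdomain of it.
BLOCKED_DOMAINS: Set[str] = {"malware-placeholder.test", "datamining-placeholder.test"}

# Constructed per-device-group policy. Executive devices are held to a tighter
# policy: HTTPS only, plus a personal file-sharing site they may not reach.
GROUP_POLICY = {
    "standard": {"schemes": {"http", "https"}, "extra_blocked": set()},
    "executive": {"schemes": {"https"}, "extra_blocked": {"fileshare-placeholder.test"}},
}


class Decision(NamedTuple):
    allowed: bool
    reason: str
    host: str


def normalize_host(url: str) -> Optional[str]:
    """Lowercased hostname with any trailing dot removed, or None if the URL
    carries no usable host. urlsplit() strips userinfo and port, so a URL like
    https://trusted.example@evil.test/ normalizes to evil.test."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".")


def host_matches(host: str, blocked: Set[str]) -> bool:
    """True when host equals a blocked name or is a subdomain of one.
    Compares whole labels, so notmalware-placeholder.test does not match."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def evaluate(url: str, group: str) -> Decision:
    """Decide whether a device in `group` may fetch `url`. Every denial carries
    a reason string so the decision can be logged and reviewed."""
    policy = GROUP_POLICY.get(group)
    if policy is None:
        return Decision(False, "unknown device group", "")
    scheme = urlsplit(url).scheme.lower()
    if scheme not in policy["schemes"]:
        return Decision(False, f"scheme {scheme!r} not permitted", "")
    host = normalize_host(url)
    if host is None:
        return Decision(False, "no host in URL", "")
    try:
        ipaddress.ip_address(host)
        # A bare address bypasses every name-based rule above, so deny it.
        return Decision(False, "IP literal not permitted", host)
    except ValueError:
        pass
    if host_matches(host, BLOCKED_DOMAINS | policy["extra_blocked"]):
        return Decision(False, "host on blocklist", host)
    return Decision(True, "allowed", host)


if __name__ == "__main__":
    # Constructed sample requests as a proxy might see them from two devices.
    for url, group in [("https://www.malware-placeholder.test/login", "standard"),
                       ("https://trusted.example@datamining-placeholder.test/", "standard"),
                       ("http://news.example/", "executive"),
                       ("https://news.example/", "executive")]:
        print(group, url, evaluate(url, group))
```

The reason strings are deliberately the output of the function rather than a print statement: in a deployment they are what gets written to the proxy log, and a sudden rise in "host on blocklist" decisions from one device group is the kind of signal that tells the security team a device is compromised before any data leaves.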