As originally published in Forbes.
Data security is too often discussed at the macro level of data slicing, virtualization, and issues related to public vs. private clouds – extremely important concerns. I have been guilty of this, and of focusing on corporate firewalls and security concerns that arise outside of them (see above). This traditional focus shouldn’t surprise us. A firewall provides a distinct barrier that either has or has not been breached. When breaches occur, we ask the usual questions: Who? How? To what did they gain access from the outside or leak from the inside? How should the company react, if at all? How can the company increase IT’s transparency? These are natural and important questions, but they all share one fundamental shortcoming: They are being asked after the breach. More vital questions need to be asked ex ante about what transpires inside a company’s firewall, and particularly the relationship between identity access management (“IAM”) and data security, a subject critical enough to have drawn Gartner’s attention with the upcoming Gartner Identity and Access Management Summit – its second within five months.
Inside The Firewall
As companies begin asking security questions about what transpires inside the firewall, they will first have to confront both (i) the identity of their users, and (ii) those users’ scope of permissions. According to Nick Nikols, Vice President and GM, Identity, Security, and Windows Management for Quest Software, it is common to find incorrect resource access permission in almost all organizations. Nikols told me:
Typically there are very few measures to prevent misuse, because employees are already trusted. They have the key and are in the building and can get access to the data center and other assets inside the firewall. Few enterprises have tests to pass. This isn’t sufficient anymore. You can’t trust everyone on the inside, and that’s where the majority of threats come from.
The consequences can be severe. “One mistake can result in leaked intellectual property, complex audit failures, fines, lawsuits, and regulatory investigations. Identity access must thus be systematically managed, which can be a complex process.”
Given IAM’s high stakes, it is a balancing act between at least three internal corporate stakeholders: (i) senior management, (ii) IT, and (iii) Legal. Management needs to know that IT has implemented and is enforcing stringent IAM systems and protocols. This must include the stratification of privileges among users, as well as checks and balances on the manner in which IT itself uses passwords. According to a recent InformationWeek survey of 300 IT professionals, two-thirds of whom work for companies with 10,000 or more employees:
[O]ne in four IT professionals say they know at least one IT co-worker at their business who has used privileged login credentials to inappropriately access sensitive information. Furthermore, 42% report that IT staffs freely share passwords and access to multiple business systems and applications.
Matthew Schwarz, Are Your IT Pros Abusing Admin Passwords? (InformationWeek Oct. 19, 2011). IT personnel routinely share master (“all-account”) passwords. While this practice is more often than not followed to simplify workflow rather than born of malice, it raises serious questions about the accountability of individual members of IT when something in fact does go wrong, e.g. poor decision-making that results in resource downtime. See Orin Thomas, The Importance of Managing Privileged Accounts (Quest White Paper 2010).
Each of the issues set forth above requires a framework for access governance. IT administrators, while simultaneously making their own departments more transparent, need tools to find, fix, and then secure weaknesses in their systems. Individual-level security must be established around sensitive information so that it is not exposed to undue risks and abuse. Risks include over-privileged users; unsecured files and folders; improper group memberships; weak local computer policies; and passwords that never expire. IT must ensure that when colleagues leave the company, they no longer have access to organizational resources.
Access governance is inextricably linked to managing passwords, which are a part of daily professional life. Managing access to sensitive accounts is complicated even for IT professionals. Who truly needs the keys to the castle? At what point do too many keys compromise security and accountability? A simple password is no longer just a password, and these are not simple questions.
How must these questions be addressed today in the context of cloud computing, when IT staff within the firewall to some extent manage—but certainly can’t completely control—data outside it and held by third-party cloud providers? Cloud computing highlights the potential for serious disconnects between management and IT. For example, what if the Vice President of a division implements a cloud-based Customer Relationship Management solution without IT’s prior knowledge? What if senior management agrees based on cost concerns to shift to a software-as-a-service such as Google Apps for Business without IT’s buy-in? These are not idle concerns, and they are “hypotheticals” experienced daily.
Compliance With Government Regulations
Information Access Management with appropriate systems is a “must have” business process in light of government regulations that require management of privileged accounts. The Sarbanes-Oxley Act of 2002, for example, ushered exacting standards for publicly traded U.S. companies’ boards and management, as well as public accounting firms. Sarbanes-Oxley requires strict IAM controls because the financial information of publicly traded companies resides on their own servers. IT must implement controls to minimize the risk of inaccurate financial statements (e.g., as a result of an unscrupulous but password-authorized party altering figures) or the misuse of financial records. For IT, this is not a one-time shot. IT must continually ensure that its controls are effective. This means being able to inspect, document, and repair access controls to remain compliant. Nick Nikols adds:
Government regulations such as Sarbanes-Oxley mean that network administrators and their management need tools to implement, maintain, and report on access controls across the whole range of computer systems and data stores in their enterprise.
Identity Is Core To Data Security
Identity Access Management is not the first thing that comes to mind when one thinks about data security. IAM occurs primarily within the firewall, whereas one customarily worries about external threats to the enterprise. One of IAM’s main areas of focus is passwords, about which those outside of IT rarely think. To be perfectly honest, most don’t know what IAM is.
This corporate myopia needs to change quickly. IAM is a critical business (not just IT) function without which companies will find themselves (i) quietly losing intellectual property, (ii) featured in the news for prominent security breaches from without and leaks from within, and (iii) non-compliant with federal and state regulatory data security requirements.