This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."
Authentication and access control are challenges for distributed companies, especially with partners and customers needing access to the network. How have you handled that?
One of the things we had been trying to accomplish was the synchronization of IDs and passwords across the corporation. There were people trying to remember 10-plus passwords. The second thing was to give our users the ability to reset a password without having to call the help desk. Our vendor, Avatier, said, 'Give me your analyst for an hour and we'll have it in production in an hour.' That was a challenge, I thought. But within an hour it was running. We had a pretty robust access control system we built internally and it was based on users requesting access, rather than access being granted based on roles.
Strong authentication, such as tokens or smart cards, has been touted as the panacea. Have you considered going down that road?
Yes, we have looked
Have you tied your physical security with your information security at this point?
Not at this time. We've seen a couple of things out there and that seems to be where the industry's going. I think there's a lot of cost involved there, but at some point it's something that we'll need to investigate. We have network security and physical security relatively separate. But all information security starts with physical security.
If you have physical access, you can probably get the data. So I think that integration needs to occur more, but with the right driver and the right investment. You have to balance it with the business need and the cost.
Download the full interview with Mike Roberti at searchsecurity.com.
This was first published in October 2007