Todd Towles has been around the block enough times to know that regardless of a company's size, IT administrators must always authenticate users and keep tight control of their network behavior. Otherwise, malicious people will have little trouble stealing sensitive information, which can all too easily be used to destroy the company's reputation or commit identity fraud against customers.
Towles is an IT security consultant who today works for a large financial enterprise, but most recently worked for a retail chain closer to the midmarket with about $2 billion in annual revenue and 12,000 or so employees. In both environments, he said, IT managers must always reevaluate the resources that users are able to access.
But global enterprises have more money to spend on controls like two-factor authentication, smart cards and tokens. That technology isn't always affordable for midmarket companies, which typically have $50 million to $1 billion in annual revenue and anywhere from 100 to 5,000 employees. [In the retail sector, midmarket companies could have as many as 12,000 employees and up to $2 billion in annual revenue.]
For that reason, midsized IT departments are making the most of the network access control (NAC) technology offered by their infrastructure providers, including Microsoft and Cisco Systems Inc. Those two companies recently unveiled plans for greater interoperability between their network access control technologies. Meanwhile, security vendors are trying to entice the midmarket with cheaper authentication tools that scale more easily for growing companies.
NAC, compatibility a big deal
Amer Deeba, VP of business development for Redwood Shores, Calif.-based Qualys Inc., said access controls at mid-sized companies often lack the maturity of what larger enterprises have in place. For example, they may have strong controls for internal employees, but not for outside contractors, many of whom frequently plug into the network.
"That's why NAC is becoming such a big deal," Deeba said. "It allows them to have a security framework where they can make changes that are more automated and customized. With NAC, you can tie together all of your security technology and decide what you want to do with individual users."
Security vendors have been working to develop inexpensive tools that can be used to bolster those controls. But if interoperability isn't part of the equation, IT professionals won't be interested, Deeba said, adding, "Qualys is trying to make security products that are as automated and interoperable as possible."
Other vendors, like Issaquah, Wash.-based BioPassword Inc., are trying to cater to the midmarket with offerings that don't require new hardware.
"Midsized customers are telling us they want smart cards, tokens and two-factor authentication, but they want the benefits without the cost," said Greg Wood, BioPassword's VP and CTO. "The big concern is manageability and usability as it relates to cost. We're cost-effective because we are software only."
While midmarket companies have an ever-increasing number of choices when looking for affordable identity and access management technology, Towles said there's no magic bullet. IT administrators can deploy two or three different products and each will provide bits of information about the company's security status. But, he said, "The challenge is in how you integrate all the information in a way that allows you to see the big security picture."
He said the products of most value are those that work well in and of themselves and also enable IT administrators to see that big picture.
Overcoming cultural challenges
No matter how good their identity and access management technology is, midmarket IT managers won't be successful unless they have the support of top executives and everyone obeys the written security policies, said Jonathan Penn, an analyst with Cambridge, Mass.-based Forrester Research.
"In midmarket companies, security isn't always viewed as something that's important or strategic," Penn said. There isn't as much security spending, he said, because executives can't see the return on investment.
Penn said it's up to IT professionals to help their bosses understand what's at stake.
"What works is when IT professionals talk about this in terms of risk," Penn said. "Executives understand the concept of risk, and the IT professional should frame the need for new investment not in terms of cost, but in terms of how it will help the company manage its risk."
It's getting easier to sell investments to upper management, he added, since security vendors are catering more to the midmarket, but regulatory pressure has been the most powerful catalyst in getting executives to take security seriously.
"The PCI Data Security Standard has really motivated a lot of mid-sized companies," Penn said. "They have to be audited, and so suddenly security is a big issue, whereas it wasn't before."
A program that grows with the company
Another challenge for midsized companies is that access management controls that work successfully today may not be sufficient to handle a company's growth, Penn said. Therefore, IT professionals need to develop a scalable program that can be easily adjusted to accommodate more employees and services.
"They need to do some research and talk to vendor references to get a fix on the technology that's the most scalable to their needs," he said.
Scalability is certainly a factor for Keith Gosselin, IT officer for Biddeford Savings Bank in Biddeford, Maine. With 72 employees and $12 million in revenue last year, the bank doesn't fit the criteria of a midmarket company. But the company hopes to grow in the next three to five years, Gosselin said, by opening new branch offices and attracting new customers.
Gosselin, though, is confident his identity and access management controls will remain effective if the company does indeed expand. He said he has the support of his upper management, and that regulatory compliance has also motivated them to take security more seriously.
As proof of that, the company is moving beyond simple passwords and rolling out a program based on two-factor authentication. The Federal Financial Institutions Examination Council (FFIEC) is requiring banks with online services to implement some form of two-factor authentication for customers by January 2007.
Beyond that, Gosselin shares the view of many security professionals that companies large and small can no longer afford to carry on with basic passwords.
"I personally believe two-factor authentication has become a necessary layer of security," Gosselin said. "Passwords are simply not enough anymore."