In order to be successful in this environment, enterprise identity and access management (IAM) stewards must constantly reassess authentication processes for high-priority resources, seeking to identify when more stringent requirements or improved technology is needed. However, when times are tough as they are now, only the most strategic and cost-effective IAM investments should be put in front of decision makers.
In this tip, we'll discuss ways to provide greater security for high-risk data, systems or transactions without breaking the budget.
The process begins with the identification of functions or data that could impart irreparable harm if unauthorized individuals accessed them. In financial services, this could include funds-transfer systems or repositories that contain credit card information. In the consumer staples or pharmaceutical industries, systems containing marketing strategies or research findings could be deemed the most critical. In each of these cases the key factors that make these critical areas of security focus are intangibles: the company's reputation in the case of the financial services firm, or the additional market share that could be gained by being first to market in the latter case.
The determination of which systems or types of information are the most critical varies from one company to the next and changes as factors such as regulatory requirements, competitors' strengths and criminal approaches change. Security professionals need to ensure they know which systems and information senior management deems most critical to the financial well-being of the company, and periodically reassess the risks and looming threats those assets face.
The No. 1 cause of information protection problems is human error. Each person who touches a company's information can contribute directly or indirectly to this problem. Strong business practices can be used to mitigate most human-error risks in a cost-effective manner. For example, one way is to segregate privileged access into special administrator accounts to minimize changes made inadvertently in production environments by database administrators and others with privileged access. Most of these users' daily activities, such as reading email or looking at production information or functionality, should be accomplished using their regular account. When they need their privileged access, they should log on with their administrator account. Much like a speed bump in the road, requiring people to switch accounts causes them to slow down and become more aware of where they are and what they are doing.
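One way to check that this separation of regular and administrator accounts is actually being followed is to audit activity records for the two failure modes it is meant to prevent: an admin account used for routine work, and a regular account performing privileged changes. The script below is an added example, not from the original tip, and runs over constructed sample events; it assumes admin accounts carry a "-adm" suffix and that actions are tagged with the hypothetical event names shown.

```python
"""Audit logon/activity records for violations of privileged-account
segregation. Added example: account naming ('-adm' suffix) and the action
names are assumptions, and the events below are constructed sample data."""
from collections import namedtuple

Event = namedtuple("Event", "user action host")

# Constructed sample events (user, action, host); not real log data.
SAMPLE_EVENTS = [
    Event("jdoe", "mail_read", "ws-101"),
    Event("jdoe-adm", "schema_change", "db-prod-01"),
    Event("jdoe-adm", "web_browse", "ws-101"),       # admin account used for daily work
    Event("asmith", "schema_change", "db-prod-01"),  # regular account doing privileged work
    Event("asmith-adm", "config_change", "db-prod-01"),
]

# Hypothetical action tags: routine activities belong on the regular account,
# privileged changes belong on the administrator account.
ROUTINE_ACTIONS = {"mail_read", "web_browse", "report_view"}
PRIVILEGED_ACTIONS = {"schema_change", "config_change", "user_grant"}
ADMIN_SUFFIX = "-adm"  # assumed naming convention for administrator accounts


def is_admin_account(user):
    """True if the account name follows the assumed admin-account convention."""
    return user.endswith(ADMIN_SUFFIX)


def audit(events):
    """Return a list of (user, action, reason) findings for segregation violations."""
    findings = []
    for ev in events:
        admin = is_admin_account(ev.user)
        if admin and ev.action in ROUTINE_ACTIONS:
            findings.append((ev.user, ev.action, "admin account used for routine activity"))
        elif not admin and ev.action in PRIVILEGED_ACTIONS:
            findings.append((ev.user, ev.action, "privileged action from regular account"))
    return findings


if __name__ == "__main__":
    for user, action, reason in audit(SAMPLE_EVENTS):
        print(f"{user}: {action} ({reason})")
```

Feeding the same rule a real authentication or change log gives a periodic measure of how often people bypass the "speed bump" rather than just a policy statement that they should not.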
If you identify specific areas where additional authentication technology is needed to address significantly greater risk, consider using tools already in your security tool bag or creating spot solutions to address those specific needs.
Multifactor authentication is often used to control entry to internal networks from the Internet, and those same tools can be used to create barriers around specific systems or data that need additional protection from either internal or external access. Many companies set up firewalls around the highest-risk systems on their internal networks, requiring users to log on to those systems using enhanced authentication tools such as a token or smart card, not just their usual user ID and password. Using the remote access authentication tools already in place to establish islands of additional protection around the highest-risk systems on an internal network can be cost-effective in terms of both implementation and ongoing management. This is just one example of how existing tools can be used in new ways to create targeted areas of enhanced security within your network.
In these times of tight budgets, if your company has specific data, systems or functionality of higher risk that needs additional protection, explore all of your options, including expanding your use of existing security tools and processes. Finding new ways to build on existing security investments may provide the needed protection at a relatively low cost. You may be surprised at what you can do with the tools you already have. If not, targeted authentication products can be a cost-effective way to improve security. Weigh the cost of any potential security product against its ability to help address the specific risks that you identify. You'll find that you will be able to strengthen your security posture for relatively little cost.
About the author:
Karen Ethridge holds the CISSP, PMP and CISM certifications. She is the manager of information security at Fifth Third Bank.
This was first published in September 2009