Neil Chaney looks at the risks posed by unauthorised internal access to corporate data, and explains how to regain control

In a recent survey conducted by Novell, more than half of the UK's workforce said that they would seek revenge against their employer if they lost their jobs. If it was due to an unpleasant termination or layoff, the majority said they would continue to access corporate networks (50%), use their laptops if they were not taken back (55%), use cell-phones (58%) and steal proprietary or confidential information (67%).

Of potentially even greater concern is that 6% said they would plant a logic bomb or delete critical computer files, and 4% said they would release a virus on their employer's networks.

Unauthorised data access is a growing problem. A recent discussion with a leading utility company determined that some 6,000 members of staff had access to elements of its confidential, online corporate information - a triumph of modern computing somewhat tarnished by the fact that they had only 4,000 current employees. The remainder no longer worked for the company, or were contractors who had finished their contracts.

A London bank expects its management staff to access 11 different computer applications. Each of these applications is secured through the use of a unique login name and password. Each login name and password has its own syntax and strength controls (number of numbers or capital letters required, whether passwords can be reused or not). Each manager has to remember 11 different combinations. Nobody can, so they all write them down on scraps of paper. They do this regularly as they keep losing the notes.

Another recent survey asked security managers of commercial organisations to send in the passwords they used to access their computer networks so that they could do some research into password patterns. Fifteen per cent of security managers provided their current passwords to this third party organisation. Fortunately it was a responsible one, with no ulterior motive in mind.

The Department of Trade and Industry says that fewer than one third of the nation's companies have policies on security and employee terminations.

Yet it is a well established fact that a company is far more likely to suffer computer fraud through the actions of an existing or ex-employee than from an external, unknown source. Identity theft or fraud will cause some $221bn. (£130.3bn) of damage this year, according to RSA Security.

Everyone can relate a story of how somebody got access to something that they shouldn't have, and abused the privilege. But the stakes are getting higher. In the US, legislation such as the Sarbanes-Oxley Act of 2002, the Gramm-Leach Bliley Act (GLBA) of 1999, the Health Insurance Privacy and Accountability Act (HIPAA), and the California Database Security Breach Information Act (SB 1386) provide for criminal and civil penalties against officers of companies who fail to take adequate action to protect information.

In Europe the legislation (Basel II, Higgs etc) is equal to, if not greater than, that seen in the USA. Senior directors of companies now have to certify the integrity of their financial records. All this applies in an environment where cyber security incidents are roughly doubling each year (Carnegie Mellon University CERT Co-ordination Centre). It has reached the stage where, according to the Meta Group, some company directors are refusing to certify financials until the security of their financial systems is verified. The risk of unauthorised access to systems needs to be managed, not just to protect the assets and information of the business, but to keep corporate officers free from prosecution.

Audit requirements are also becoming more stringent as external and internal auditors take some of the heat. The time and cost taken to comply with audit requirements are increasing. Where the onus is on the end user organisation to prove compliance, a set of monitored audit trails proving who was granted access to what and by whom can demonstrate responsible corporate governance, as well as reducing audit cost.

Securing information

So how can the directors of our corporations ensure that all necessary measures are taken to secure key information and the systems and networks that store, manipulate and transmit it?

The Business Software Alliance in its paper Information Security Governance: Toward a Framework for Action cites the following major information security requirements.

- Risk assessments. Risks must be understood and acknowledged, and the security measures that are taken must be commensurate with these risks.
- A security organisational structure.
- Creating, communicating, implementing, endorsing, monitoring and enforcing security policies across an organisation.
- Making every member of the organisation aware of the importance of security and training them in good security practices.
- Access controls to make certain only identified and authorised users with a legitimate need can access information and system resources.
- Considering security throughout the system life cycle.
- Monitoring, auditing, and reviewing system activity as a routine and regular function.
- Regularly tested business continuity plans

Identity management is the key, and one of its fundamentals is to ensure that only those who need access to information, get it. This requires a central repository of authorised user information and automated, controlled registration and de-registration of those users across the applications.

The software available to perform this task is called user provisioning, one of the basic building blocks of identity management. The good news is that utilising user provisioning software not only improves service levels, security and auditing, but pays for itself within a timeframe that even jaundiced finance directors would consider good value.

Without user provisioning software, the task of registering and de-registering users will normally fall to the relevant experts for each element of the computing infrastructure. Data base administrators perform user administration tasks for databases, UNIX administrators for UNIX, Windows administrators for MS Windows. A request to add a new user will need to pass through all such departments, and each expert or system administrator will need to do their bit in registering the user for the software for which they are responsible. The process is time consuming, error-prone and, typically takes days or weeks to complete, with users rarely getting immediate access to the business processes they need.

Mistakes are often made in the registration process due to the complexity of the task and the supply of erroneous information by business users; the help desk gets overwhelmed with user administration requests and cannot live up to its service level agreements, and end users get frustrated and become less productive.

Centralised administration

User provisioning software centralises the user administration function.

Most, like OSM's COSuser software, work on the principle that the organisation grants access to its applications according to the role that a person plays in their organisation. For example, an individual in the marketing department based in Leeds requires access to the centralised CRM system and the Leeds-based email and office server. At its simplest, user provisioning software permits a user's name and department to be entered, his or her role(s) in the company to be defined, and the user provisioning software will then register that individual on every application, database, middleware and operating system instance to which they need to have access. Based on a predetermined set of business rules, the users' profiles are set up and they are granted the minimum access requirements that they need to do their job. When they leave, they can be immediately disabled from all applications.

The result is that access to applications is restricted to users who need to have that access, and the access is granted at the appropriate level. Leavers are removed immediately. Links through to a corporation's human resources system are common. The level of automation removes a huge administrative cost burden from the organisation, and allows new employees to be productive as soon as they join the company, rather than having to wait days to be set up across all the different applications they need to do their job. One UK group has estimated that manually administered environments require at least one full-time equivalent for approximately every 500 to 1,000 users.

All user administration transactions are audited so that directors can prove their governance, and any bypassing of the role-based system can be quickly highlighted.

Sounds good? Well it gets better. The central repository of authorised users allows other benefits to be layered on top. Password synchronisation is an example. Depending on the organisation's policies, a user making a password change anywhere can have that password propagated across all their applications. This means only one password to remember, which in turn means it does not normally get written down and stolen. Each password can be made stronger and cycled more frequently.

Web browser based workflow engines are often linked through to such software, so that end users can easily request new accounts, passwords or shares, and have those requests routed automatically to managers for authorisation, before being committed to the system. This takes the load off the help desk, enfranchises the end user and improves service. Some user provisioning packages will also track the assets provided to users, such as laptops, mobile phones, or home telephone lines. When users leave the company, they are not only disabled from all applications but a report of the items that need to be reclaimed or cancelled is produced for those who need to take the appropriate action. Goldman Sachs claims to have paid for their user provisioning project purely out of reclaimed assets.

So what is the catch? Well there is none really, provided that you take a process-led approach to the project. As with any process engineering, you can never underestimate the importance of: senior management buy-in and monitoring to prevent politics getting in the way of a successful implementation; consultation and planning across departments to gain their co-operation and acceptance; a phased implementation plan, and strong project management. If you do this, and pick the right vendor, then you can enjoy the benefits that are driving user provisioning forward as one of the fastest growing sectors of the security software market.


User provisioning software can reduce the risk of inappropriate access to online information by:

- ensuring that only those employees and contractors who need it, get access to information
- automating the registering of users to reduce the chance of erroneous access rights being granted
- disabling all employees immediately they leave the company so that they cannot access the computer environment once they have left
- removing the need for privileged access by administration staff to register or de-register users
- recovering company assets from leavers so that laptops etc are tracked and recovered
- reducing the number of help desk calls on password related issues
- strengthening passwords to reduce the chance of their being cracked by outsiders
- synchronising passwords so that users only have one to remember
- checking user information automatically against an authoritative source
- auditing all registrations.