Security on a budget: How to make the most of authentication tools


Karen Ethridge, Contributor
09.08.2009


2009 has been an especially challenging year for information security professionals. Budgets across the industry are tight, regulatory requirements have increased, and new methods for committing fraud or stealing sensitive data are constantly emerging.

In order to be successful in this environment, enterprise identity and access management (IAM) stewards must constantly reassess authentication processes for high-priority resources, seeking to identify when more stringent requirements or improved technology is needed. However, when times are tough as they are now, only the most strategic and cost-effective IAM investments should be put in front of decision makers.

In this tip, we'll discuss ways to provide greater security for high-risk data, systems or transactions without breaking the budget.

The process begins with identifying the functions or data that could cause irreparable harm if unauthorized individuals accessed them. In financial services, this could include funds-transfer systems or repositories that contain credit card information. In the consumer staples or pharmaceutical industries, systems containing marketing strategies or research findings could be deemed the most critical. In each of these cases, the factors that make these areas critical are intangibles: the company's reputation in the case of the financial services firm, or the additional market share that could be gained by being first to market in the latter case.

The determination of which systems or types of information are the most critical varies from one company to the next and changes as factors such as regulatory requirements, competitors' strengths and criminal approaches change. Security professionals need to ensure they know which systems and information senior management deems most critical to the financial well-being of the company, and periodically reassess the risks and looming threats those assets face.

The No. 1 cause of information protection problems is human error. Each person who touches a company's information can contribute directly or indirectly to this problem. Strong business practices can be used to mitigate most human-error risks in a cost-effective manner. For example, one way is to segregate privileged access into special administrator accounts to minimize changes made inadvertently in production environments by database administrators and others with privileged access. Most of these users' daily activities, such as reading email or looking at production information or functionality, should be accomplished using their regular account. When they need their privileged access, they should log on with their administrator account. Much like a speed bump in the road, requiring people to switch accounts causes them to slow down and become more aware of where they are and what they are doing.
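The account-separation practice above can be checked cheaply from an existing audit trail. The following is an added example, not code from the article or its author: it assumes a hypothetical naming convention in which administrator accounts carry an "adm-" prefix, and it runs over constructed audit-log lines to flag two deviations from the policy: production changes made from a regular account, and routine activity (such as reading email) carried out under an administrator account.

```python
"""Audit-trail check for privileged-account separation (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADMIN_PREFIX = "adm-"  # assumed convention for administrator accounts, not from the article

# Assumed action classes; a real deployment would map its own audit event types here.
ROUTINE_ACTIONS = {"read_email", "view_report", "browse_dashboard"}
PRIVILEGED_ACTIONS = {"alter_schema", "drop_table", "deploy_release", "grant_role"}

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOG = [
    "2009-08-09T09:02:11 account=jsmith action=read_email env=corp",
    "2009-08-09T09:40:27 account=jsmith action=alter_schema env=prod",
    "2009-08-09T10:05:03 account=adm-jsmith action=alter_schema env=prod",
    "2009-08-09T10:12:44 account=adm-jsmith action=read_email env=corp",
    "2009-08-09T11:30:00 account=mlee action=alter_schema env=test",
]


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    account: str
    action: str
    environment: str  # e.g. "prod", "test", "corp"


def parse_line(line: str) -> AuditEvent:
    """Parse one 'timestamp key=value ...' audit line into an AuditEvent."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return AuditEvent(timestamp, fields["account"], fields["action"], fields["env"])


def is_admin_account(account: str) -> bool:
    return account.startswith(ADMIN_PREFIX)


def classify(event: AuditEvent) -> Optional[str]:
    """Return a finding label, or None when the event follows the separation policy."""
    if (event.action in PRIVILEGED_ACTIONS
            and event.environment == "prod"
            and not is_admin_account(event.account)):
        # A production change that should have required the "speed bump" of switching accounts.
        return "privileged change from regular account"
    if event.action in ROUTINE_ACTIONS and is_admin_account(event.account):
        # Daily activity carried out with standing privilege, widening the blast radius of mistakes.
        return "routine activity under admin account"
    return None


def review(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (account, action, finding) for every line that violates the policy."""
    findings = []
    for event in map(parse_line, lines):
        finding = classify(event)
        if finding is not None:
            findings.append((event.account, event.action, finding))
    return findings


if __name__ == "__main__":
    for account, action, finding in review(SAMPLE_LOG):
        print(f"{account:12} {action:15} {finding}")
```

The check only needs the fields that most audit logs already carry (account, action, target environment), so it can be scheduled against existing logs rather than bought as a product.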

If you identify specific areas where additional authentication technology is needed to address significantly greater risk, consider using tools already in your security tool bag or creating spot solutions to address those specific needs.

Multifactor authentication is often used to control entry to internal networks from the Internet, and those same tools can be used to create barriers around specific systems or data that need additional protection from either internal or external access. Many companies set up firewalls around the highest-risk systems on their internal networks, requiring users to log on to those systems using enhanced authentication tools such as a token or smart card, not just their usual user ID and password. Using the remote access authentication tools already in place to establish islands of additional protection around the highest-risk systems on an internal network can be cost-effective in terms of both implementation and ongoing management. This is just one example of how existing tools can be used in new ways to create targeted areas of enhanced security within your network.

Transaction authentication, often used by financial-services companies for customer-facing systems that are likely fraud targets, looks at the user's IP address, the hardware and other factors to determine whether they match the identity's usual usage characteristics. If not, administrators can be alerted in real time, or additional questions can be asked to gain confidence that the user is who he or she claims to be. This approach can be taken at the macro level, where everyone who tries to log on to the system is analyzed, or at the transaction level, where it is applied only to people trying to initiate certain transactions such as funds transfers. When looking at these methods, include both the implementation and the ongoing management costs of each approach to determine the most cost-effective strategy. One approach may be more costly to implement (because the calls for additional authentication must be embedded at the transaction level) but have much lower ongoing costs (because fewer users are affected by it, and therefore fewer staff are needed to administer it on a daily basis).
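The decision logic described above, as an added example that is not part of the original tip: a per-identity usage profile (known IP networks, device identifiers and countries, all constructed here) is compared against each event, and a simple score decides whether to allow, step up with additional questions, or flag the event to administrators. The same `decide` function can run in the macro scope, analysing every login, or in the transaction scope, analysing only the listed high-risk transactions, which makes the coverage-versus-cost trade-off in the text concrete. Profile values, thresholds and weights are assumptions for illustration.

```python
"""Risk-based step-up authentication at macro or transaction scope (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set

ALLOW, STEP_UP, FLAG = "allow", "step_up", "flag"

# Assumed policy knobs (not from the article): factor weights and decision thresholds.
WEIGHT_UNKNOWN_NETWORK = 2
WEIGHT_UNKNOWN_DEVICE = 2
WEIGHT_UNKNOWN_COUNTRY = 3
STEP_UP_THRESHOLD = 2   # score at which additional questions are asked
FLAG_THRESHOLD = 5      # score at which administrators are alerted in real time


@dataclass
class UsageProfile:
    """What the system has seen for this identity so far (constructed sample data)."""
    known_networks: List[str]
    known_devices: Set[str]
    usual_countries: Set[str]


@dataclass(frozen=True)
class Event:
    identity: str
    ip: str
    device_id: str
    country: str
    transaction: str  # e.g. "login", "view_balance", "funds_transfer"


def risk_score(event: Event, profile: UsageProfile) -> int:
    """Add a weight for each factor that does not match the identity's usual usage."""
    score = 0
    if not any(ip_address(event.ip) in ip_network(net) for net in profile.known_networks):
        score += WEIGHT_UNKNOWN_NETWORK
    if event.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
    if event.country not in profile.usual_countries:
        score += WEIGHT_UNKNOWN_COUNTRY
    return score


def decide(event: Event, profile: UsageProfile, scope: str, high_risk_transactions: Set[str]) -> str:
    """Return ALLOW, STEP_UP or FLAG.

    scope == "macro": every event is analysed.
    scope == "transaction": only events whose transaction is in high_risk_transactions are analysed.
    """
    if scope == "transaction" and event.transaction not in high_risk_transactions:
        return ALLOW  # outside the protected transaction set, so no analysis and no admin workload
    score = risk_score(event, profile)
    if score >= FLAG_THRESHOLD:
        return FLAG
    if score >= STEP_UP_THRESHOLD:
        return STEP_UP
    return ALLOW


def events_analysed(events: List[Event], scope: str, high_risk_transactions: Set[str]) -> int:
    """How many events the chosen scope actually puts in front of the engine (a proxy for ongoing cost)."""
    if scope == "macro":
        return len(events)
    return sum(1 for e in events if e.transaction in high_risk_transactions)


# Constructed profile and events for one customer; the addresses are documentation ranges.
PROFILE = UsageProfile(known_networks=["203.0.113.0/24"], known_devices={"dev-a1"}, usual_countries={"GB"})
HIGH_RISK = {"funds_transfer"}
SAMPLE_EVENTS = [
    Event("alice", "203.0.113.7", "dev-a1", "GB", "login"),            # everything matches
    Event("alice", "198.51.100.9", "dev-a1", "GB", "funds_transfer"),  # new network only
    Event("alice", "198.51.100.9", "dev-zz", "US", "view_balance"),    # new network, device and country
]

if __name__ == "__main__":
    for scope in ("macro", "transaction"):
        print(scope, [decide(e, PROFILE, scope, HIGH_RISK) for e in SAMPLE_EVENTS],
              "analysed:", events_analysed(SAMPLE_EVENTS, scope, HIGH_RISK))
```

Running it shows the trade-off the tip describes: the macro scope catches the anomalous balance lookup (third event) at the cost of analysing every event, while the transaction scope analyses only the funds transfer and lets the balance lookup through unexamined.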

In these times of tight budgets, if your company has specific data, systems or functionality of higher risk that needs additional protection, explore all of your options, including expanding your use of existing security tools and processes. Finding new ways to build on existing security investments may provide the needed protection at a relatively low cost. You may be surprised at what you can do with the tools you already have. If not, targeted authentication products can be a cost-effective way to improve security. Weigh the cost of any potential security product against its ability to help address the specific risks that you identify. You'll find that you will be able to strengthen your security posture for relatively little cost.

About the author:
Karen Ethridge holds the CISSP, PMP and CISM certifications. She is the manager of information security at Fifth Third Bank.


All Rights Reserved, Copyright 2008 - 2010, TechTarget | Read our Privacy Policy