NOV 16, 2007 11:44am ET


A More Effective Approach to Securing Sensitive Enterprise Data


Legions of hackers, identity thieves, saboteurs, phishers and scammers are assailing business integrity from the outside. Their attacks cost billions of dollars in annual damage (last year's data losses for U.S. companies amounted to an estimated $50 billion), and force even greater incremental spending on IT infrastructure and personnel to fend off further assaults. Even more numerous, though, are the rogue administrators, leakers, hapless computer "misplacers" and data compromisers on the inside. Several recent research reports indicate that insiders now account for as much as 85 percent of threats to data security. Many of these internal problems stem from inadvertent mistakes, not malicious intent, but the harm is done all the same.


Both internal and external incidents swell the drumbeat of lurid publicity. Frequent stories about missing laptops crammed with sensitive information, data theft, lost credit card files, employee and customer records, pension and Social Security data, and critical business intelligence form a steady flow of security disasters that unsettles the entire business environment and diminishes public confidence in many aspects of modern business practice.


Regulatory and industry compliance requirements, Sarbanes-Oxley and PCI DSS for example, are also driving the hunger for effective access management and auditing solutions.


Managing Access: A Big Ticket Item


The overhead associated with managing appropriate resource access is staggering. Echelon One, a security research firm, found that within the 700-member information security team at a major U.S. bank, fully 500 people were assigned to managing user access rights, also known as entitlements, for employee applications. Many of them spend their time hard-coding authorization policies that govern which employees may reach specific functions and data within each application.


"As soon as the changes are made, many entitlements are already outdated, meaning the valuable assets fueling the bank's business are dangerously exposed. Despite the best of intentions, they are no closer to adherence to financial and compliance controls. Their risk level has not decreased," according to Echelon One.


In fact, businesses everywhere are struggling with how to provide access to key information without risking its misuse. Specifically, they are seeking to supply a growing and increasingly diverse user population, which includes employees, contractors, customers, vendors and partners, with the information necessary to fulfill their roles, but not with more than they actually need. Granting broad access to sensitive enterprise data to people who have no need for it creates huge risks.


IT departments are now expending vast resources on internal security in this game of catch-up. According to Echelon One's estimates:


  • 30 percent of new application budgets are allocated to authorization functions.
  • Line-of-business (LoB) managers spend up to 100 hours per year doing manual authorization policy reviews.
  • 100-500 hours are typically spent hard-coding access policies for each application.
  • 40-60 percent of information security budgets are now dedicated to access and identity management.

Clearly, the huge expense of these tasks implies the potential for a high order of savings, productivity gains and security improvements, provided that organizations can escape the need to endlessly repeat the same access management chores.


Databases, Security and Sisyphus


In the famous Greek myth, the gods condemned Sisyphus to perpetually roll a heavy boulder up a steep mountainside, only to have the rock roll back down to the bottom each time he reached the summit. An eternity spent in this exhausting and futile labor was a terrible punishment indeed. The burden of Sisyphus probably strikes a familiar chord for IT shops that must create, enforce, update and audit separate sets of access controls for each application and data store. That is still the way many companies do it, however, and therein lies an opportunity for them to effect large improvements in productivity and security while shedding costs.
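To make the Sisyphus problem concrete, the following is an added example, not code from the article or from Echelon One. It contrasts the per-application hard-coding the article describes (each application carries its own list of who may do what, so every staffing change means editing and redeploying every application) with a single central entitlement store consulted by all applications. The users, roles, applications and actions are constructed for illustration.

```python
"""Hard-coded per-application authorization versus one central
entitlement store. Constructed example; users, roles, applications
and actions are hypothetical."""

from dataclasses import dataclass, field

# --- Before: each application carries its own hard-coded policy. ---
# When Bob transfers from Payments to HR, every application that names
# him must be edited, retested and redeployed; until then his old
# entitlement lingers, which is exactly the "already outdated" problem.

def payments_can_approve_hardcoded(user: str) -> bool:
    return user in ("alice", "bob")

def hr_can_view_salaries_hardcoded(user: str) -> bool:
    return user in ("carol",)

# --- After: one entitlement store and one decision function. ---

@dataclass
class EntitlementStore:
    # user -> set of roles (who someone is)
    roles: dict[str, set[str]] = field(default_factory=dict)
    # (application, action) -> roles permitted to perform it (what a role may do)
    policy: dict[tuple[str, str], set[str]] = field(default_factory=dict)

    def grant_role(self, user: str, role: str) -> None:
        self.roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.roles.get(user, set()).discard(role)

    def allow(self, app: str, action: str, role: str) -> None:
        self.policy.setdefault((app, action), set()).add(role)

    def is_authorized(self, user: str, app: str, action: str) -> bool:
        # Default deny: unknown users, applications or actions get nothing.
        allowed_roles = self.policy.get((app, action), set())
        return bool(self.roles.get(user, set()) & allowed_roles)

    def entitlements_for(self, user: str) -> list[tuple[str, str]]:
        # Audit view: every (application, action) the user can perform
        # right now, derived from the same data the decisions use.
        user_roles = self.roles.get(user, set())
        return sorted(key for key, roles in self.policy.items()
                      if user_roles & roles)

def build_store() -> EntitlementStore:
    # Hypothetical starting state mirroring the hard-coded lists above.
    s = EntitlementStore()
    s.allow("payments", "approve", "payments-approver")
    s.allow("payments", "view", "payments-approver")
    s.allow("payments", "view", "payments-clerk")
    s.allow("hr", "view-salaries", "hr-analyst")
    s.grant_role("alice", "payments-approver")
    s.grant_role("bob", "payments-approver")
    s.grant_role("carol", "hr-analyst")
    return s

def transfer_bob(store: EntitlementStore) -> EntitlementStore:
    # Bob moves from Payments to HR: one change in one place, and every
    # application sees it on its next decision, with no code edit.
    store.revoke_role("bob", "payments-approver")
    store.grant_role("bob", "hr-analyst")
    return store

if __name__ == "__main__":
    store = transfer_bob(build_store())
    print("central store, bob approves payments:",
          store.is_authorized("bob", "payments", "approve"))   # False
    print("hard-coded app, bob approves payments:",
          payments_can_approve_hardcoded("bob"))               # still True
    print("audit, bob's entitlements:", store.entitlements_for("bob"))
```

The point of the central store is not the data structure itself but that decision, change and audit all read the same source: revoking a role removes the access everywhere at once, and the audit view cannot drift from what applications actually enforce, whereas the hard-coded function keeps granting Bob approval rights until someone ships a code change.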

Filed under:
GRC
