Kurt Johnson, vice president of corporate development at Courion Corporation (www.courion.com), says:
It should be noted that the proliferation of web-based applications, particularly Salesforce.com, and ubiquitous collaboration tools like Microsoft SharePoint, make it even harder for organizations to keep track of which systems employees are accessing, without the use of automated access management tools. A 2008 survey conducted by Courion found that more than 36% of companies do not monitor SharePoint usage on their networks, yet 87% consider SharePoint a source of concern for sensitive data leaks.
Even when an organization can recognize all of the systems an employee has access to, there can be a lag time between when an employee is let go and when HR communicates to IT that an employee has been terminated. A recent Courion survey found that 48% of organizations take more than one business day to alert IT about employee terminations. During this lag time – which can sometimes be days or even weeks – former employees can access data and subject an organization to untold data breaches.
Probably the single biggest reason former employees are sometimes able to access company information is the time and effort it takes for a company to manually de-provision an employee. For companies not using automated provisioning and de-provisioning systems, it can take hours to de-provision access for a single employee as employees often have access to more than a dozen separate applications. In the case of a wide-scale layoff, it could take several weeks to manually de-provision all terminated employees.
Why is access management important?
In a tough economy with wide-scale layoffs, internal threats posed by disgruntled former employees become as significant a threat for IT managers as external hackers. In this regard, access management is becoming a key component of IT security. By analyzing trends such as when active employees access applications and for what reasons, IT managers can observe anomalous usage (e.g., a sudden amount of high activity within an SAP database at 2 a.m.) that can indicate employee misconduct. For example, according to press reports, Abdirahman Ismail Abdi resigned from a position as an internal auditor at the California Water Service Company (CWSC) in San Jose and, later that evening, logged onto some accounts where he still had access and transferred $9 million to offshore bank accounts in Qatar.
IT managers should also be concerned about the threat of collaboration between disgruntled employees and cybercriminals, who are increasingly approaching and bribing employees to provide them with sensitive data or access to the systems housing the data. Under normal circumstances, employees typically refuse to conspire with cybercriminals; however, disgruntled employees could be more tempted to make money and facilitate cybercrime. It’s not surprising that employees are the most dissatisfied at the time when they are unexpectedly laid off. If access to a recently-terminated employee’s accounts is not quickly turned off, “zombie accounts” will exist, which can be an easy vector for cybercrime. IT managers should make disabling access a priority to protect their organizations against the vulnerabilities that zombie accounts and unhappy ex-employees can cause.
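As an added example (not from the interview and not Courion's product code), the following Python check illustrates the two controls discussed above: reconciling an HR termination feed against the directory to find accounts that should already have been disabled, and scanning authentication logs for access by terminated users after their last day. The user names, dates and log lines are constructed for the example.

```python
from datetime import datetime

# Constructed sample data (not from the article): an HR termination feed, the
# state of each account in the directory, and a few authentication log lines.
HR_TERMINATIONS = {            # user -> last working day per the HR system of record
    "jdoe": "2009-03-02T17:00:00",
    "asmith": "2009-03-04T17:00:00",
}
ACCOUNT_ENABLED = {            # user -> is the directory account still enabled?
    "jdoe": True,              # HR says terminated, IT never disabled: a zombie account
    "asmith": False,           # de-provisioned correctly
    "bwong": True,             # current employee
}
AUTH_LOG = [                   # "timestamp user system result"
    "2009-03-02T23:15:00 jdoe sap success",
    "2009-03-03T02:10:00 jdoe sap success",
    "2009-03-03T09:00:00 bwong sharepoint success",
    "2009-03-05T08:30:00 asmith salesforce failure",
]

def zombie_accounts(hr, enabled, now_iso):
    """Users whose HR termination date has passed but whose account is still enabled."""
    now = datetime.fromisoformat(now_iso)
    return sorted(u for u, end in hr.items()
                  if datetime.fromisoformat(end) <= now and enabled.get(u, False))

def post_termination_logons(hr, log):
    """Auth events (successful or not) by a terminated user after their last day."""
    hits = []
    for line in log:
        ts, user, system, result = line.split()
        end = hr.get(user)
        if end is not None and datetime.fromisoformat(ts) > datetime.fromisoformat(end):
            hits.append((user, system, ts, result))
    return hits

if __name__ == "__main__":
    print("zombie accounts:", zombie_accounts(HR_TERMINATIONS, ACCOUNT_ENABLED, "2009-03-06T00:00:00"))
    for hit in post_termination_logons(HR_TERMINATIONS, AUTH_LOG):
        print("post-termination access:", hit)
```

In practice the HR feed and log lines would come from the HR system and the application or directory audit logs; the failed attempt is reported too, because an attempt by a disabled account is itself worth investigating.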
What does an increasingly mobile and telecommuting workforce bring into play?
From an IAM viewpoint, the same rules that apply to assuring the access and security of traditional workers apply to mobile workers and telecommuters. Likewise, IAM systems have gained the capacity to provision devices – such as laptops and smart phones. Thus, when an employee no longer works for a company, IT can block device access to internal company systems at the same time that network access is de-provisioned.
For some companies, managing access rights for contractors is especially complex because they are often not included in a single consolidated HR system of record the way employees are. The provisioning/de-provisioning solution should be flexible enough to integrate with systems besides the core HR system to track and manage access rights for contractors as they enter and leave the organization’s employ.
Courion offers such solutions as the AssetLink Connector, which extends its core Access Assurance capabilities to provision and manage access to a wide variety of assets including mobile phones and laptops. Courion also offers a RIM Connector, which integrates with the Blackberry Enterprise Solution, to automatically provision and de-provision access to Blackberry devices and support compliance with such regulatory requirements as HIPAA. It is important that organizations consider all of the access points that employees utilize to view company data, and that they take steps to ensure that all communication streams are protected.