Rob Grapes, chief technologist from Cloakware (www.irdeto.com/cloakware.html), says:

Why do former company employees still have access to proprietary data and organizational information after they’ve left the job?

There are many reasons that company employees still have access to company data and information after they’ve left. Here are a few examples:

  • They may have taken the data with them before leaving, perhaps on disk or USB token. Other studies have reported that employees do not necessarily understand that just because they have access to the data that they don’t actually have the rights to copy it.
  • In some cases, employees have maliciously created new, unauthorized entry points to their networks, such as the case of network administrator Terry Childs from the City of San Francisco.
  • It may be that a former employee is leveraging the sympathies of a remaining employee to gain access to the data.

Why should managers be concerned about access management in light of the current rate of layoffs/job cuts?

Companies are realizing that access management is far easier to implement and maintain than complex encryption, key management or rights management systems.

What can managers do to make sure they have access management under control in their enterprises?

  • Access management is not a one-time task; it is an ongoing management effort that can be aided by many automation tools and utilities to simplify efforts, enhance efficiency, improve coverage and enable the least level of privilege while allowing administrators/users to do their jobs.
  • Recertification is a relatively new initiative to review on a regular basis the rights/permissions assigned to a user or role. It is recommended that organizations of all sizes begin to recertify the permissions assigned to their users and administrators.
What special issues does an increasingly mobile and telecommuting workforce bring into play?
  • Mobile and telecommuting users stretch the boundaries of the “trusted network”. Fortunately, there are many tools to help establish trusted connections for remote sessions; however the registration model for these tools can sometimes break down as you go beyond mobile and telecommuting workers to “trusted” partners rather than insiders.
  • Federated identity systems will help with this new model of trust, yet few organizations have fully embraced the federated trust model to date.