– Chris Wraight, Senior Director, CA Security Management (www.ca.com), says:
Former company employees still have access to proprietary data and organizational information after they’ve left the job for a number of reasons. Any instance where former employees still have access to corporate systems and data is a serious business and compliance issue. From a technical security perspective, this is a problem that identity and access management can help solve. When an employee joins a company, they are granted access to systems, servers, applications and data based on their role or identity in an organization. Ideally, that new employee should have access to all the information he or she needs to be productive on day one.
The converse is true when an employee leaves a job or is terminated. The expectation by the business and auditors is that all access granted to that employee is terminated immediately. Some possible reasons why access may not immediately be terminated include:
• The HR staff or systems did not communicate to the IT staff or systems that an employee has left the company.
• Third-party applications that a business might use, but that aren’t federated into the organization’s access management system, may not learn of an employee’s termination immediately, so that individual would still have access to those applications.
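Both gaps above leave accounts that nobody told IT to close, so the practical check is to reconcile the HR feed against what each system actually still holds. The Python below is an added example, not the speaker's code or any CA product: it compares a constructed HR termination feed with constructed account exports from three systems (one of them, "crm_saas", standing in for a non-federated third-party application), and flags every enabled leaver account, separating those with a login after the termination time from those that are merely still enabled. All names, dates and systems are invented for the illustration.

```python
"""Leaver reconciliation: find accounts that outlived an employee's
termination. Added example, not the speaker's or CA's code; every
name, date and system below is constructed for illustration."""
from datetime import datetime

# Constructed HR feed: the moment each leaver's employment ended. In practice
# this is the HR system's record, which IT may never have been told about.
HR_TERMINATIONS = {
    "jdoe": datetime(2008, 10, 24, 10, 0),
    "asmith": datetime(2008, 11, 3, 17, 0),
}

# Constructed account exports. "crm_saas" stands in for a third-party
# application that is not federated, so no deprovisioning event reached it.
SYSTEM_ACCOUNTS = {
    "active_directory": [
        {"user": "jdoe", "enabled": False, "last_login": "2008-10-24T09:12:00"},
        {"user": "asmith", "enabled": True, "last_login": "2008-11-02T17:40:00"},
        {"user": "bjones", "enabled": True, "last_login": "2008-11-10T08:00:00"},
    ],
    "unix_servers": [
        {"user": "jdoe", "enabled": True, "last_login": "2008-10-24T22:51:00"},
        {"user": "bjones", "enabled": True, "last_login": "2008-11-09T13:05:00"},
    ],
    "crm_saas": [
        {"user": "asmith", "enabled": True, "last_login": "2008-11-07T10:30:00"},
    ],
}

# Constructed "today" for the check; a real job would use datetime.now().
AS_OF = datetime(2008, 11, 15)


def find_orphaned_access(terminations, accounts, as_of):
    """Return sorted (system, user, status) for every enabled account that
    belongs to a leaver whose termination is already effective at `as_of`.

    "USED_AFTER_TERMINATION": last login post-dates the termination, i.e.
    evidence of post-employment use.  "STILL_ENABLED": exposure only."""
    findings = []
    for system, entries in accounts.items():
        for acct in entries:
            terminated_at = terminations.get(acct["user"])
            if terminated_at is None or terminated_at > as_of:
                continue  # current employee, or a leaver whose last day is still ahead
            if not acct["enabled"]:
                continue  # deprovisioning worked on this system
            last_login = datetime.fromisoformat(acct["last_login"])
            status = ("USED_AFTER_TERMINATION" if last_login > terminated_at
                      else "STILL_ENABLED")
            findings.append((system, acct["user"], status))
    return sorted(findings)


def report(findings):
    """Human-readable lines, worst findings first."""
    order = {"USED_AFTER_TERMINATION": 0, "STILL_ENABLED": 1}
    ranked = sorted(findings, key=lambda f: (order[f[2]], f[0], f[1]))
    return [f"{status:24} {user:10} {system}" for system, user, status in ranked]


def run_check():
    """Run the reconciliation over the constructed data."""
    return find_orphaned_access(HR_TERMINATIONS, SYSTEM_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    print("\n".join(report(run_check())))
```

Note that the disabled "jdoe" entry in Active Directory is not reported, while the same user's still-enabled Unix account shows a login twelve hours after the termination time; that distinction between "exposure" and "evidence of use" is what an auditor will ask for first.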
There are several reasons data center and IT managers need to be concerned about rogue and unauthorized access to their systems:
• Generally, failure to manage server resources and their access has been directly responsible for high-profile data breaches. In October 2008, a fired computer engineer for a large mortgage broker was arrested and charged with planting a malicious software script designed to permanently destroy millions of dollars’ worth of data from all 4,000 servers operated by the mortgage company. Despite his dismissal on October 24, his highly privileged computer access wasn’t terminated until late into the evening because of bureaucratic procedures in the procurement department, according to court documents.
• Compliance. Regulations such as HIPAA, PCI DSS, Sarbanes-Oxley, the EU Privacy Directive, Basel II and others all have a requirement for compliance that server access is controlled, tracked and logged. Sarbanes-Oxley adds a “segregation of duties” requirement to ensure that complex business processes are distributed among resources to provide checks and balances.
• Intellectual property confidentiality. One industry survey showed that 59% of former employees admitted to stealing confidential company data. They did it while still employed, but if they had access after being terminated, there is nothing to stop them from keeping the flow of corporate IP coming their way.
• Access to virtualized servers. Organizations are adopting virtualization technology to reduce total cost of ownership and improve quality of service of IT systems. An effective solution must ensure that only authorized users perform authorized operations on the hosting system. And, all sensitive administrative activities on both the hosting operating system and guest virtual machines must be closely audited for compliance requirements as well as risk mitigation.
What special issues does an increasingly mobile and telecommuting workforce bring into play?
A privileged user management system should be able to maintain its policies across the enterprise, regardless of where the user is. In addition, the system should have a ‘break glass’ workflow that facilitates one-time-use passwords when necessary, with appropriate approvals. An example would be an IT crisis on a weekend that can be fixed remotely, but privileged access to a server or application is required. The system should allow an IT senior manager to approve a special, one-time (and time-limited) use password that allows an IT specialist access to resolve the issue. And, as with any other privileged user, their actions have to be recorded and tracked for audit purposes.
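The four properties just described (a separate approver, single use, a time limit, and an audit trail that ties later actions back to the approval) can be mechanised as a small credential broker. The Python below is an added example, not the speaker's code or any CA product; the approver and requester names, target host, command and clock values are constructed, and storing only a hash of the issued password and injecting the clock are design choices of this example rather than anything the text specifies.

```python
"""One-time, time-limited break-glass credentials with an approval step and an
audit trail. Added example, not CA's product or the speaker's code; names,
target, command and clock values below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    grant_id: str
    requester: str
    target: str
    approver: str
    expires_at: datetime
    password_hash: bytes   # the broker never keeps the plaintext password
    used: bool = False


class BreakGlassBroker:
    def __init__(self, approvers, clock=None):
        self.approvers = set(approvers)   # who may approve emergency access
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.grants = {}
        self.audit_log = []               # append-only; ship to the SIEM in practice

    def _log(self, event, **fields):
        self.audit_log.append({"ts": self.clock().isoformat(), "event": event, **fields})

    @staticmethod
    def _digest(password):
        # The password is a 192-bit random token, so a plain hash suffices to keep
        # the plaintext out of broker state; a slow KDF matters for human passwords.
        return hashlib.sha256(password.encode()).digest()

    def issue(self, requester, target, approver, ttl_minutes, justification):
        """An authorised approver (never the requester) grants a single-use password."""
        if approver not in self.approvers or approver == requester:
            self._log("denied", requester=requester, approver=approver, target=target,
                      reason="self_approval" if approver == requester else "not_an_approver")
            raise PermissionError("approval rejected")
        password = secrets.token_urlsafe(24)
        grant = Grant(secrets.token_hex(8), requester, target, approver,
                      self.clock() + timedelta(minutes=ttl_minutes), self._digest(password))
        self.grants[grant.grant_id] = grant
        self._log("issued", grant_id=grant.grant_id, requester=requester, approver=approver,
                  target=target, expires_at=grant.expires_at.isoformat(),
                  justification=justification)
        return grant.grant_id, password

    def redeem(self, grant_id, password, user):
        """Exchange the password for access exactly once, before it expires."""
        grant = self.grants.get(grant_id)
        reason = None
        if grant is None:
            reason = "unknown_grant"
        elif grant.used:
            reason = "already_used"
        elif self.clock() > grant.expires_at:
            reason = "expired"
        elif user != grant.requester:
            reason = "wrong_user"
        elif not hmac.compare_digest(self._digest(password), grant.password_hash):
            reason = "bad_password"
        if reason:
            self._log("redeem_rejected", grant_id=grant_id, user=user, reason=reason)
            return False
        grant.used = True
        self._log("redeemed", grant_id=grant_id, user=user, target=grant.target)
        return True

    def record_action(self, grant_id, user, command):
        """Every command run under the grant is tied back to it in the log."""
        grant = self.grants.get(grant_id)
        if grant is None or not grant.used or user != grant.requester:
            raise PermissionError("no redeemed grant for this user")
        self._log("action", grant_id=grant_id, user=user, target=grant.target, command=command)


def demo():
    """Constructed weekend-outage scenario with a controllable clock; returns the log."""
    state = {"now": datetime(2008, 10, 25, 14, 0, tzinfo=timezone.utc)}
    broker = BreakGlassBroker(approvers={"it.director"}, clock=lambda: state["now"])
    gid, pw = broker.issue("oncall.eng", "db01.example", "it.director", 30,
                           "replication stalled; fix needs root on db01")
    broker.redeem(gid, "guess", "oncall.eng")      # wrong password: rejected
    broker.redeem(gid, pw, "oncall.eng")           # first use: accepted
    broker.record_action(gid, "oncall.eng", "systemctl restart postgresql")
    broker.redeem(gid, pw, "oncall.eng")           # replay: rejected
    gid2, pw2 = broker.issue("oncall.eng", "db01.example", "it.director", 30, "follow-up")
    state["now"] += timedelta(minutes=31)
    broker.redeem(gid2, pw2, "oncall.eng")         # past the TTL: rejected
    return broker.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Every rejection is logged with its reason, and a command can only be attributed to a grant that has actually been redeemed by its requester, which is what makes the log usable as audit evidence rather than just a trace.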
How do you keep track of privileged users and what they do?
Use software that can manage who the privileged users are, and what they are allowed to do. The software should also track their actions and easily produce reports for compliance audits. Ideally, the software should be able to simultaneously manage server access as well as privileged user access to devices and applications across operating environments.