SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers.  Download the webinar today!

Identity 360 - An Imprivata Blog



filter by tag: physical-logical convergence

Where’s your Remote Control?

July 17, 2008 at 3:05 pm by David Ting

Managing the Increasing Vulnerability of a Decentralized Workforce

More and more companies today are enabling employees and partners to work remotely, accessing networks, data and applications from just about anywhere to be productive. Being productive is good. Behaving less responsibly is not. I was reading that Cisco Systems commissioned a survey to examine the security behavior of remote workers, and I found some of the findings startling -- here are a few that stood out for me:

  • 33 percent of respondents said they "don't see anything wrong" with sharing their work computers with friends and family
  • Nearly half (49 percent) of respondents now say they are using their own personal devices to access work files

So what's wrong with this picture? Yes, opening up remote access for telecommuters, consultants and contractors is important for enabling productivity and work/life balance in many cases, but there is often only a nebulous process for shutting that access down. And if remote workers are behaving badly, that opens new potential for security vulnerabilities.

Without interlocking IT access with physical-access privileges, there's no telling where someone is accessing the system from, or whether multiple people are simultaneously using the same credentials. This makes it impossible to trace any action back to an individual.

I want to restate the problem: most organizations have a nebulous process for shutting down access for remote workers (past and present!). In many cases, consultants can still access files/networks from old engagements. Think of the LendingTree debacle from earlier this year. Former employees sharing passwords with outsiders over remote/Web access was the culprit there, but it highlights an important issue. How many of us know people who claim they can still log in remotely to their former accounts?

Remote access is very problematic because it bypasses the layers (guards, turnstiles, badge readers, etc.) that safeguard computer access within the building, so it is extremely risky to leave open. This is the reason almost all compliance requirements mandate shutting down access as part of an employee/partnership termination process.

I've had discussions with many consultants and found that as businesses shift to a more decentralized, deperimeterized model, remote access is increasingly important for business operations, but at the same time it cannot be left unmanaged. The challenge: remote access is often orphaned because it falls between the physical security, IT and networking groups. Companies shut off physical access, but nobody informs the network manager responsible for remote access, so more often than not those access privileges are left open. Responsibility for the user account is unclear, so even though your company has stopped paying the employee/consultant and shut off physical access, the remote access isn't shut off. Good, bad or ugly, how do you manage your remote access?

-David Ting

Tags: ESSO, simple_sign-on, physical-logical_convergence, two-factor_authentication, access_management

Identifying Identity Resources

June 19, 2008 at 4:30 pm by David Ting

There's a lot of news and opinion on the web as the blogosphere continues to grow. As a result, the web can be overwhelming on one hand and full of wonder on the other as you sort and click your way down the rabbit hole of conversations.

In light of this, I thought I would provide a short list of great blogs and resources from the identity management circles that I follow and that are worth checking out and engaging with:

Kim Cameron's Identity Weblog - Kim covers all the bases of identity and gets into really good online dialogue with others out in the identity ether

The Virtual Quill - Dave Kearns' "rants, raves, and musings about identity from the Old Man in the Corner."  If you know IDM, you surely know Dave's name. 

Digital ID World - Eric Norlin keeps an eye on the uber-trends on the business side of identity management as well as the technology behind it.

Virtual Identity Dialogue - Mark Wilcox focuses on IDM and directory services stuff and delves into the development side.

Clayton Donley's Blog - Clayton combines topical takes on trends, with a regular post of other blogs/news to check out.  Worth a read.

The Healthcare IT Guy - Shahid N. Shah keeps close tabs on issues in the healthcare space.  If you're in this space (or have clients there), check out his blog regularly.

The Health Blog - WSJ's Theo Francis and Jacob Goldstein post throughout each day on the business-level trends, issues and current events in the healthcare arena.

SecurityDreamer - Steve Hunt is among the most vocal and thoughtful on topics surrounding physical-logical security convergence.

Zalud's Security Blog - Security Mag's Bill Zalud chimes in on security happenings with an editor's bent.

So what IDM blogs and outlets do you follow? Let me know - I'd love to add 'em to my reading list.

-David

Tags: identity_and_access_management, physical-logical_convergence, strong_authentication, access_management

Inside the Insider Threat

June 12, 2008 at 1:29 pm by David Ting

We have met the enemy, and he is us

Insider threat is among the biggest challenges security folks face in 2008. The perimeter is dissolving with increased reliance on distributed computing and the mobile workforce, making it more difficult than ever to put up definitive walls around the enterprise. It's a simple reality that we all have to deal with. Check out last month's 2008 Global Information Security Workforce Study, conducted by Frost & Sullivan for ISC(2), and SearchSecurity.com's coverage of it. Two-factor authentication using biometrics, as well as physical-logical convergence, will gain speed in dealing with the insider threat.

All of a sudden it feels like potentially anyone can be impacted. Check out the stories that have made headlines worldwide, from breaches of Britney Spears' and Farrah Fawcett's medical records to LendingTree customer data being compromised by former employees with still-active passwords.  These are scenarios where better access management and strong authentication would have made the difference. The side benefit of implementing strong authentication is often the elevated awareness that security is taken seriously.

And now the feds are involved.  They're investigating ties between hospitals and the tabloids to source and pursue the leaks of celebrity medical files.

It's clear insider threats will only become more frequent. It's simply too lucrative, and too easy to hide behind a digital identity. As an enterprise, you had better know who your people are, what they are doing, and from where. Or at least get the message out that preventative steps are in the works! (More on this in a future blog.)

I actually just had an interesting podcast discussion on this subject with Network World's Keith Shaw that you should check out.

What are your stories?  How are you dealing with the insider threat? 

--David Ting, CTO

Tags: physical-logical_convergence, strong_authentication, access_management