Security and Users: Change is the Only Constant
Managing user accounts and access to business IT assets is challenging, particularly as cloud and social computing models introduce new wrinkles in security and identity management. Information has become “mobile” along with the users accessing it, yet management of user behavior is even more complicated that trying to manage a digital resource.
If you look at the history of security breaches, you’ll find that many of them started with a user making a mistake – like losing a laptop or clicking on a phishing email, downloading bad software, or forgetting to report an employee termination to the IT dept – something which inadvertently created a vulnerability that could be exploited. It’s tough to stop breaches because there are so many possible ways for them to happen.
If most security breaches start with a user mistake, then IT departments have their hands full because users aren’t static, unchanging objects to monitor and manage. Users change, sometimes a lot. It is this constant change which undermines the ability for some IT departments to meet the demand to adequately secure company information systems and data. Now is the time to take control of user security and identity management, creating automation and controls to protect business assets in a constantly evolving environment.
It is not simply employee turnover that challenges security management. Certainly, IT departments have been dealing with user account creation and termination for a long time. And sure, users have sometimes been promoted and demoted, resulting in the requirement for IT to increase or perhaps decrease access to information and applications. These are normal and expected activities for a business IT department. Unfortunately, IT often doesn’t hear about the user’s change in status. An account isn’t disabled, access isn’t restricted, and the system is left vulnerable.
Just to pile on, think about what happens when a user is more than just a single system user. It may be manageable when where a single identity and set of credentials governs their access to applications and information. But the proliferation of web-based services and SaaS solutions has made it commonplace for users to have multiple applications and services available to them, each with their own approaches to identity management.
For even a small business IT department, the security of all of these access points and applications must be managed and monitored – no small task when the department may not even be aware that the solution is in use. It is not unusual for file sharing, data sync, or other applications to be implemented in businesses without the knowledge or participation of the IT department. Actually, many services attract users due to their simplicity and ease of use, leveraging the fact that they can be deployed without the “assistance” of IT.
Users are becoming increasingly mobile, accessing information and applications from public and private locations while using any number of possible mobile devices. Vulnerabilities which may exist in public networks and the increased potential for device loss or theft are high on the list of concerns of IT departments managing remote and mobile user access. Mobility is driving many changes in how information technology and access to systems is provided to users, and it is changing user demands for what they should be able to easily accomplish while being mobile.
Businesses need to recognize that their continued existence may rely on keeping their information systems and assets safe and secure. Disaster recovery and business continuity applies not only to loss of physical systems, but also to losses of various forms due to data breach. The disaster recovery and continuity plan (you have one, right?) should not only address situations after they happen; planning by definition is proactive. It is not enough to have a plan to recover from loss or failure; the business must actively engage in activities which will prevent loss and reduce vulnerability.
Part of this plan necessarily centers on managing users and user identities, ensuring that the company knows about all access or user accounts involved and employs strict processes and guidelines for making sure they are constantly up to date and have the authority to do what they’re trying to do. In short, the plan must also be a plan for change, providing change management processes to guide the business as the evolution of information technology and the dynamics of user interaction continue to change.
read more about IT Security and Engaging users to reduce vulnerability
read more about Mobility and the Cloud, Managing BYOD and securing company resources