While the new information technology enables organisations to adopt new strategies, it also exposes valuable corporate information, mission-critical business applications and customer information to more risk than ever before.
Results of international surveys have shown that about 30 per cent of organisations are sure that not only external hackers but also their own employees have unauthorised access to the companies' IT systems. The reasons for this are clear enough:
Many companies have a heterogeneous IT environment with decentralised administration. As the IT systems have grown historically, each system has its own administration, making it difficult and expensive to keep the user data accurate and up to date.
User rights are regularly not revoked when an employee moves within a company. The administrators know that a new user needs rights, but they rarely notice that a user no longer needs rights. Therefore, employees accumulate user rights; they end up with more rights than they really need. In many cases, administrators do not even know that an employee is leaving the company and has to be deleted.
When employees have to use several different IT systems, they usually have to remember a number of passwords. This results in careless handling of passwords: they are written down or even attached to the monitor.
Thus, it is not enough to secure IT systems against external intrusion: a secure user administration is also an important part of a company's IT security policy.
The first step to meet these risks is a thorough evaluation of current processes and systems. Based on this evaluation, the processes and systems can be optimised.
A Central Security Administration allows the management of users in a heterogeneous IT architecture from one point of administration: users of different IT systems can be created, changed and deleted centrally. Such a tool especially enables the synchronisation of user data with current data from the HR department: thereby, employees leaving the company can be identified and locked immediately. Also, every change in personal data, like a change of department, function or name, can immediately be reflected in the user data. Thus, the user data stay current, keep their integrity and can be audited.
The precise assignment of access rights to IT users is the crucial part of any user administration: users should have as many rights as necessary, but as few as possible. Role Based Access Control meets these requirements by assigning a role to each employee according to his specific function. These roles contain the necessary access rights. As the roles have to be based on a thorough examination of business requirements, access rights can be assigned very precisely according to the principle of "least privilege". When an employee's function changes, he is assigned a new role automatically. Thus, the accumulation of rights can be prevented effectively. With a well-planned role concept, up to 80-90 per cent of the administration can be covered, thus reducing administration costs and enhancing IT security significantly.
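The two preceding paragraphs describe central user administration fed by HR data and role-based assignment of rights. The following is an added example, not code from the article or from any product it mentions: a small model in which each job function maps to a role, the account store is reconciled against an HR feed, leavers are locked, a changed function replaces the old right set instead of adding to it, and rights that have drifted beyond the role are reset. All roles, rights, systems and employees are constructed for illustration.

```python
# Added example, not from the article: a minimal model of central user
# administration driven by HR data, with role-based access control (RBAC).
# Every role, right, system and employee below is constructed for illustration.
from dataclasses import dataclass, field

# Each job function maps to exactly the rights that function needs (least privilege).
ROLE_RIGHTS = {
    "accountant": {"erp:post_journal", "erp:read_ledger", "mail:send"},
    "sales_rep": {"crm:read_customers", "crm:edit_leads", "mail:send"},
    "sales_mgr": {"crm:read_customers", "crm:edit_leads",
                  "crm:approve_discount", "mail:send"},
}


@dataclass
class HRRecord:
    employee_id: str
    name: str
    function: str   # job function as recorded by HR; doubles as the role name
    active: bool    # False once the employee has left the company


@dataclass
class Account:
    employee_id: str
    name: str
    role: str
    rights: set = field(default_factory=set)
    locked: bool = False


def rights_for(function):
    """Rights granted by a role, or None if HR reports a function with no role."""
    return ROLE_RIGHTS.get(function)


def excess_rights(acct):
    """Rights an account holds beyond what its role grants (should be empty)."""
    return acct.rights - (rights_for(acct.role) or set())


def sync_accounts(accounts, hr_feed):
    """Reconcile the central account store against the current HR feed.

    Leavers (and employees missing from the feed) are locked and stripped of
    rights; a changed function replaces the old right set with the new role's
    set instead of adding to it; drifted rights are reset to the role; new
    employees get an account with their role's rights only.
    Returns a list of (employee_id, action) pairs for the audit log.
    """
    actions = []
    hr_by_id = {rec.employee_id: rec for rec in hr_feed}

    for emp_id, acct in accounts.items():
        rec = hr_by_id.get(emp_id)
        if rec is None or not rec.active:
            if not acct.locked:
                acct.locked, acct.rights = True, set()
                actions.append((emp_id, "locked"))
            continue
        if rec.name != acct.name:
            acct.name = rec.name
            actions.append((emp_id, "renamed"))
        new_rights = rights_for(rec.function)
        if new_rights is None:
            # HR reports a function no role covers: lock rather than guess.
            acct.locked, acct.rights = True, set()
            actions.append((emp_id, "locked_no_role"))
            continue
        if rec.function != acct.role:
            acct.role, acct.rights = rec.function, set(new_rights)
            actions.append((emp_id, "role_changed"))
        elif acct.rights != new_rights:
            acct.rights = set(new_rights)   # drift: remove accumulated extras
            actions.append((emp_id, "rights_reset"))

    for emp_id, rec in hr_by_id.items():
        if emp_id in accounts or not rec.active:
            continue
        new_rights = rights_for(rec.function)
        if new_rights is None:
            continue   # no role defined for this function: create nothing
        accounts[emp_id] = Account(emp_id, rec.name, rec.function, set(new_rights))
        actions.append((emp_id, "created"))
    return actions


def demo():
    """Constructed scenario: a move, a leaver, accumulated rights and a new hire."""
    accounts = {
        "e1": Account("e1", "A. Khalil", "accountant",
                      ROLE_RIGHTS["accountant"] | {"crm:approve_discount"}),
        "e2": Account("e2", "B. Haddad", "sales_rep", set(ROLE_RIGHTS["sales_rep"])),
        "e4": Account("e4", "D. Saleh", "sales_mgr",
                      ROLE_RIGHTS["sales_mgr"] | {"erp:post_journal"}),
    }
    hr_feed = [
        HRRecord("e1", "A. Khalil", "sales_rep", True),    # moved to sales
        HRRecord("e2", "B. Haddad", "sales_rep", False),   # left the company
        HRRecord("e4", "D. Saleh", "sales_mgr", True),     # unchanged function
        HRRecord("e3", "C. Nasser", "sales_mgr", True),    # new hire
        HRRecord("e5", "E. Omar", "intern", True),         # function with no role
    ]
    before = {eid: excess_rights(a) for eid, a in accounts.items()}
    actions = sync_accounts(accounts, hr_feed)
    return before, actions, accounts
```

The audit list returned by `sync_accounts` is what an auditor would want from such a tool: each change is attributable to an HR event, and `excess_rights` is empty for every active account after the run.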
A further solution towards security is Single Sign-On (SSO). A Single Sign-On application greatly reduces the number of passwords to be remembered: each user needs only one password to access all systems. At each authentication, this primary password is sent to the SSO application, which provides the user's workstation with the appropriate secondary password for the IT system to be accessed. These secondary passwords are long, highly secure passwords and invisible to the user. As the user has to remember only one password, he does not need to write it down. Thereby, data security and user acceptance are enhanced notably.
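The exchange just described, as an added example that is not part of the article and does not represent any particular SSO product: the workstation sends the primary password to an SSO service, the service verifies it and releases a long random secondary password for the requested system, and the workstation presents that secondary password to the target system, which knows nothing of the primary one. User names, passwords and system names are constructed; the vault is held in memory for illustration, whereas a real SSO service would encrypt it at rest.

```python
# Added example, not from the article: a toy single sign-on (SSO) flow.
# The user keeps one primary password. The SSO service stores a long random
# secondary password per target system, which the user never sees, and hands
# it to the workstation only after the primary password has been verified.
# All names are constructed; the vault is held in memory for illustration,
# whereas a real SSO service would encrypt it at rest.
import hashlib
import hmac
import os
import secrets


def password_verifier(password, salt):
    """Slow salted hash so stored verifiers do not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TargetSystem:
    """An application that accepts only its own (secondary) password."""

    def __init__(self, name):
        self.name = name
        self._salt = os.urandom(16)
        self._verifier = None

    def set_password(self, secondary):
        self._verifier = password_verifier(secondary, self._salt)

    def login(self, secondary):
        return self._verifier is not None and hmac.compare_digest(
            self._verifier, password_verifier(secondary, self._salt))


class SSOService:
    def __init__(self):
        self._users = {}    # username -> (salt, verifier of the primary password)
        self._vault = {}    # (username, system name) -> secondary password
        self.failed_logins = {}

    def enrol_user(self, username, primary):
        salt = os.urandom(16)
        self._users[username] = (salt, password_verifier(primary, salt))

    def provision(self, username, system):
        """Create a long random secondary password and set it on the target."""
        secondary = secrets.token_urlsafe(32)   # 43 characters, never shown to the user
        self._vault[(username, system.name)] = secondary
        system.set_password(secondary)

    def get_secondary(self, username, primary, system_name):
        """Release the secondary password only if the primary one verifies."""
        if username not in self._users:
            return None
        salt, verifier = self._users[username]
        if not hmac.compare_digest(verifier, password_verifier(primary, salt)):
            self.failed_logins[username] = self.failed_logins.get(username, 0) + 1
            return None
        return self._vault.get((username, system_name))


def workstation_login(sso, username, primary, system):
    """Workstation side: exchange the primary password for the secondary one
    and present that to the target system."""
    secondary = sso.get_secondary(username, primary, system.name)
    return secondary is not None and system.login(secondary)


def demo():
    """Constructed scenario: one user, two target systems, one wrong attempt."""
    primary = "correct horse battery staple"   # constructed primary password
    sso = SSOService()
    erp, crm = TargetSystem("erp"), TargetSystem("crm")
    sso.enrol_user("alice", primary)
    sso.provision("alice", erp)
    sso.provision("alice", crm)
    return {
        "erp_ok": workstation_login(sso, "alice", primary, erp),
        "crm_ok": workstation_login(sso, "alice", primary, crm),
        "wrong_primary": workstation_login(sso, "alice", "guess", erp),
        "primary_on_target": erp.login(primary),   # the target never learns it
        "failed": sso.failed_logins.get("alice", 0),
        "distinct_secondaries": sso._vault[("alice", "erp")] != sso._vault[("alice", "crm")],
    }
```

Two properties worth checking in such a design are visible in `demo`: the primary password is useless against the target systems directly, and every system receives its own secondary password, so a compromise of one target does not reveal the credential for another.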
A Secure Login enhances the security of the authentication process by the use of smartcards, biometrics, certificates and/or data encryption. The decision on which method is best for your environment must be the result of a careful, objective and frank evaluation of your systems and processes. It is highly recommended to ask an independent expert to carry out this evaluation and to establish security audits at regular intervals.
Connecting ministries, institutions and the public, the "Jordan e-Government Programme" has identified the importance of information security and is working on solutions at the highest international level.
The writer is the German Technical Cooperation (GTZ) Adviser to the Jordan e-Government Programme at the Ministry of Information and Communications Technology (MoICT). He contributed this article to The Jordan Times.
Friday-Saturday, February 14-15, 2003