Former employees: A security menace?
Dr. Arvind Krishna, Vice President for Security Products, Tivoli Software at IBM
COMMENTARY--A fact of current economic life is that employee turnover rates are on the rise. Many retailers, for example, have turnover rates approaching 100 percent, which means employees are coming and going at a rapid clip. What many companies don't realize is that when employees leave the business, they often take with them the firm's most precious assets -- the mission critical data that runs the business -- everything from customer account data to sales and inventory data, to confidential business intelligence, and everything else stored in the company's internal systems.
While departing employees routinely return things like laptops and security badges, they hold on to the security ids and passwords that provide access to the company's internal databases. In fact, over 20 percent of accounts on many company systems -- for example, mail systems and mainframes -- come from employees who have left the organization, often even five years ago. Disgruntled employees even go one step further by causing malicious damage to company systems.
So, why haven't companies kept up with this growing security menace? Most are just beginning to realize that the Internet and e-business have opened doors to their business that didn't exist until recently. Companies have rushed to add new applications allowing employees, customers, suppliers and partners to do the things they need to do, which has speeded up work and produced huge productivity gains. Data that was accessible a few years ago only by fax or phone is now a mouse click away. We are all beneficiaries of this incredible change.
A downside to all this e-business progress, however, is that companies have not bothered to integrate the applications they have been building, which has added greatly to the complexity and cost of administering IT. Since applications are neither centrally managed or integrated, end users like employees have multiple sign-ons to the same enterprise, which accounts for all those IDs and passwords we carry around in our heads, and keep forgetting. Help desks now spend much of their time giving out passwords, instead of adding real value to the enterprise.
Add to this situation three more layers of complexity: companies have to keep track of all the new users entering the enterprise, along with which applications they have a right to access; these applications often run on different computing platforms with their own security requirements; and the cast of users keeps changing daily. The end result is a situation in which companies are hard pressed to know who is accessing the business for what legitimate purposes.
A way out of this endless complexity is to create a centralized, integrated IT infrastructure that serves everyone's purpose. Users can get a single sign-on to all the applications they need to access, and the enterprise can get a flexible, low-cost way to keep user authorizations fully updated while ensuring maximum business control.
This kind of security solution is being implemented now at one of the world's leading international food retailers, with more than 8,500 supermarkets worldwide. They are building an e-business infrastructure for more than 420,000 users that is adapted to the unique business requirements of all the people tied to their enterprise -- from employees, to customers, suppliers and everyone else. They will have a single sign-on to the parts of the business they need to do their jobs, and these access rights can be modified easily as their job requirements change.
Moreover, as employees leave the company, they will be able to remove access rights in real time, while maintaining employee access to things like health and pension benefits that are required by law. Similar flexibility will be available to administer access rights for all their other end users. This new centralized infrastructure is designed to save millions of dollars in administering its store operations, at the same time it is designed to enable them to increase their business control of these operations.
And that's important because at the end of the day, IT security is not about setting up unnecessary roadblocks to business activity; it's about enabling people to do the things they need to do to be successful. Security must become a business enabler, not an inhibitor. The Internet and e-business have changed how we do business forever. It's now time to complete the transformation by reducing the complexity and cost of running an e-business. The security tools are well at hand to do that.
Dr. Arvind Krishna is the vice president of security products for Tivoli Software at IBM. He joined IBM in 1990, and since then has held executive, technical management, and research positions in the areas of Web infrastructure, network and computer security, wireless networks and distributed computing.