On my desk at home I have two VPN key fobs to jobs I no longer have. I don't even know if they work, but they're sitting there.
Every job I ever held featured dozens of accounts, log-ins, passwords and secret decoder rings, many of which walked out the door with me and most of which remain active. We also used dozens of productivity and collaboration tools, which we set up ourselves outside the scope of the IT department, but which nonetheless hold critical and proprietary data.
Luckily for my current and former employers I'm a nice guy with no motivation to cause them harm. I'm also a cautious guy who doesn't leave network doors open and unattended. I'm also a guy with low access. Aside from CMS access, which leaves me capable of taking down a Web site, I don't hold an IT position and was never permitted access to critical systems or data troves. Of course those critical systems are better protected from former employees with continued network access. Yes, but barely, according to a survey of 1,000 IT pros on security policies affecting employees, conducted by security vendor Quest Software and Harris Interactive.
Among the survey findings, 51 percent of IT policy makers said they were concerned about insider threats to network security in their company's current infrastructure. A greater threat however might be the former insider - now on the outside, but with insider access and familiarity.
From the report, The Current State of Identity Management:
Ten percent of your employees are walking away from their job with a handful of active network-access accounts and passwords as well as a handful of those shared by their colleagues.
Why? Quest, which makes identity management software, wants you to believe it is because the IT department can't manage the account provisioning and decommissioning for the dozens of accounts of dozens or hundreds or thousands of users. They're on to something there.
Consider these two colliding trends:
1. The average user in a 10,000-employee organization manages 14 separate logins and passwords. (ScriptLogic whitepaper: The Business Case for Desktop Authority Password Self-Service.)
Exacerbating the problem further is the fact that different teams within IT often have responsibility for password management on different systems. For example, typically Windows password resets are handled by the Windows help desk, a relatively inexpensive resource... The more systems, the more passwords, and the more people that must be involved...
Fourteen passwords x 10,000 employees = 140,000
2. The median tenure for an employee in the U.S. is 4.4 years. (Employee Tenure Summary, Bureau of Labor Statistics)
That means 35,000 passwords walk out the door every year at each of those 10,000-employee organizations. Turnover is expensive for IT departments.
Software like single-sign-on and identity management would be a help. So would the vigilance to target and decommission accounts and track down wayward key fobs. That would go a long way to protecting critical infrastructure.
But what about the data sitting on the dozens of providers in the cloud? The ones we set up without IT's involvement, maybe without their awareness.
If you count those systems, the average number of passwords employees use to do their job is probably greater than 14, and most of those are outside the domain of IT.
Every day employees activate accounts for productivity and analytics systems in the Cloud without the support or awareness of IT. I have seen entire departments running a shadow operation on Google Docs, third-party marketing vendors and collaboration tools, where proprietary data sits in spreadsheets, presentations and other tools, available to anyone with the password, a password IT had nothing to do with.
That shadow system won't take down your infrastructure, but the data breach could be just as damaging. Google last week announced it would launch two-step verification for its account-holders, but that does little to protect businesses from the inside-outsider with a password, access and, perhaps, a grudge, or at the very least less concern for protecting the data.
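The vigilance called for above, decommissioning accounts and tracking down wayward key fobs, comes down to reconciling what HR knows (who has left) against what each system knows (which logins are still enabled, and when they were last used). The script below is an added illustration, not code from the original post or from any vendor mentioned in it. It assumes a hypothetical HR roster, account exports from an IT-managed VPN and from a "shadow" SaaS tool, and a hardware-token inventory, all constructed inline; the field layout and the 90-day staleness threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (hypothetical names, systems and dates).
# HR roster: employee_id -> (name, termination_date or None if still employed)
HR_ROSTER = {
    "e100": ("alice", None),
    "e101": ("bob", date(2010, 6, 30)),
    "e102": ("carol", date(2010, 9, 1)),
    "e103": ("dave", None),
}

# Account exports: (system, login, owner_employee_id, enabled, last_login, it_managed)
ACCOUNT_EXPORTS = [
    ("vpn", "alice", "e100", True, date(2010, 9, 20), True),
    ("vpn", "bob", "e101", True, date(2010, 8, 2), True),        # left in June, still enabled
    ("vpn", "carol", "e102", False, date(2010, 8, 30), True),    # disabled on exit: desired state
    ("vpn", "dave", "e103", True, date(2010, 3, 1), True),       # current employee, unused for months
    ("docs-saas", "alice@example.com", "e100", True, date(2010, 9, 18), False),  # shadow tool
    ("docs-saas", "bob@example.com", "e101", True, date(2010, 9, 15), False),    # shadow tool, ex-employee
    ("docs-saas", "marketing-shared", None, True, date(2010, 9, 19), False),     # shared team login
]

# Hardware tokens: (serial, owner_employee_id, returned_on_exit)
TOKENS = [
    ("FOB-0001", "e100", False),
    ("FOB-0002", "e101", False),   # fob walked out the door with a former employee
    ("FOB-0003", "e102", True),
]


@dataclass(frozen=True)
class Finding:
    system: str
    subject: str     # login name or token serial
    reason: str
    severity: str    # "critical", "high" or "medium"


def audit_accounts(roster, accounts, today, stale_days=90):
    """Flag enabled accounts that should have been decommissioned or that IT cannot see."""
    findings = []
    for system, login, owner, enabled, last_login, it_managed in accounts:
        if not enabled:
            continue  # a disabled account is the end state we want; nothing to report
        if owner is None:
            findings.append(Finding(system, login, "shared account with no individual owner", "high"))
            continue
        if owner not in roster:
            findings.append(Finding(system, login, "owner not on HR roster", "high"))
            continue
        termination = roster[owner][1]
        if termination is not None:
            # Still enabled after the owner left; worse if it has been used since.
            used_after = last_login is not None and last_login > termination
            reason = "enabled after owner's termination" + (" and used since" if used_after else "")
            findings.append(Finding(system, login, reason, "critical" if used_after else "high"))
            continue
        if not it_managed:
            findings.append(Finding(system, login, "account on a system IT does not manage", "medium"))
        if last_login is None or today - last_login > timedelta(days=stale_days):
            findings.append(Finding(system, login, f"no login in {stale_days} days", "medium"))
    return findings


def audit_tokens(roster, tokens):
    """Flag hardware tokens that a departed employee never handed back."""
    findings = []
    for serial, owner, returned in tokens:
        termination = roster.get(owner, (None, None))[1]
        if termination is not None and not returned:
            findings.append(Finding("token", serial, "token not returned by former employee", "high"))
    return findings


if __name__ == "__main__":
    today = date(2010, 9, 21)  # constructed "run date" for the sample data
    for f in audit_accounts(HR_ROSTER, ACCOUNT_EXPORTS, today) + audit_tokens(HR_ROSTER, TOKENS):
        print(f"[{f.severity:8}] {f.system}/{f.subject}: {f.reason}")
```

In practice the roster comes from the HR system of record and each account export from that system's admin console; the shadow tools are the hard part, because IT can only audit the exports it knows to ask for. The "used since termination" case is the one to page on: it is direct evidence of the inside-outsider the post describes, rather than merely a cleanup item.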
Single sign-on is just a temporary solution. A step back from passwords altogether is even better, and probably inevitable. The Department of Commerce is backing a security system for online identity checks that relies on a single sign-on program as well as tokens, smart cards and biometrics to verify and approve access.
Passwords don't provide good security because most people choose character combinations that are easily hacked. A universal standard that requires some kind of device or a chip with encrypted data would keep consumer information safer while assuring companies they aren't being scammed, says Don Thibeau, chairman of the Open Identity Exchange, an industry group representing large tech companies such as Verizon, AT&T, Google, PayPal, and Symantec.
Ultimately, the security required to protect dispersed data from access by former insiders would be a combination of software, policy and enforcement to ensure the IT department knows where the data sits and controls access. That may be a stretch when insiders insist on, and the cloud increasingly permits, self-service.