By Marc Hudavert, vice-president & general manager at ActivIdentity
The process of ensuring that a company’s security is not compromised by the departure of staff needs to begin on an employee’s first day in the job.
Although this may seem to paint a bleak picture of a company’s ability to retain and motivate staff, it is, in fact, a necessity for a growing number of organisations. With the range of facilities and systems that employees require access to becoming increasingly varied, enterprises are struggling to find ways to control new, existing and departing members of staff.
Marc Hudavert, vice-president & general manager at ActivIdentity, offers best practice advice for minimising the risk to which the corporate infrastructure is exposed when staff leave the building for the last time.
Commissioning: To securely commission a new employee in the enterprise, the access rights and privileges of that individual must be determined and controlled through a centralised system. The use of smart card technology can facilitate this process from day one, by requiring the employee to use these devices to access buildings and systems.
Throughout the individual’s term of employment, the privileges linked to their profile can be centrally managed through the same system which commissions and decommissions cards, ensuring that the appropriate levels of security are maintained at all times.
Furthermore, when the employee leaves, the company retains management of the card to prevent unrestricted access to either buildings or IT systems, regardless of whether or not they returned the card.
Passwords: Many businesses use password protection facilities to control access to web-based applications. While this reduces the chances of unauthorised individuals accessing company data from outside the building, the constant need to update, change and respond to forgotten password queries from staff can be a huge administrative burden for the IT department to bear.
However, it’s not a responsibility that users should be allowed to overlook. Some applications use a single password for multiple users, so ensuring that the process of decommissioning an employee is carried out in a timely fashion is paramount to avoiding the disruption of other staff. Password management can also be consolidated through a single sign-on solution, which enables users to access systems and applications through a combination of authentication hardware and a one-time password.
Passwords can be centrally managed and the IT department given the option to automate the changing of passwords without requiring user intervention. The password changes happen without the user being aware, and remain secure because the user’s own password and a physical card or token are still required to complete the authentication.
Hardware: Aside from the software applications that staff use, it’s also imperative that hardware is included in the employee commissioning process. Firstly, an inventory of all devices supplied to a member of staff must be maintained to ensure that hardware is returned at the point of departure. Not only is it costly if items go missing, it could also constitute a major security threat if the access that they offer is unsecured.
Where employees are provided with smart phones, PDAs or laptops, they should be required to authenticate themselves each time they log on, either through a token-based or smart card solution. During 2007, laptop and smart phone losses contributed to a record 37 million* items of personal data being lost by UK public and private sector organisations. Although it’s believed that most of this loss was accidental, the use of strong authentication tools will considerably reduce the likelihood and negative impact of such data losses in the future. Within the enterprise, employees surrender the authentication hardware at the point at which they leave the company, rendering them incapable of connecting to the corporate network.
Furthermore, it is highly advisable that measures are taken to prevent employees from attaching their own hardware to the network or local device without gaining clearance from the IT department first. This will minimise the opportunities for them to transfer sensitive data or bypass the security measures of the corporate infrastructure.
Buildings: Physical access controls can be flouted intentionally and unwittingly by former colleagues if they hold the door open to someone who has already handed back their keys or ‘swipe card’. More dangerous still is the practice of allowing visitors to access the premises without the appropriate supervision. It’s imperative that staff are made aware of the risks that this can pose to the business and clearly worded guidelines should be issued as part of the induction process.
For many enterprises, the key has now been replaced by a smart card as the main point of access to buildings and a growing number are exploiting the functionality of smart cards to control systems access too. Not only is this enabling them to consolidate controls onto one card, it also means they can centrally control all access rights of staff.
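The commissioning, password, hardware and building controls above amount to one joiner/leaver procedure. The following is an added illustration (not ActivIdentity’s software) of that procedure as a small central access registry: rights live in one place, the card is revoked on departure whether or not it was handed back, shared-password applications the leaver could reach are queued for rotation, and unreturned devices are flagged. All names, asset tags and application lists are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Employee:
    name: str
    card_id: str                       # one smart card for buildings and systems
    apps: set = field(default_factory=set)
    devices: dict = field(default_factory=dict)   # asset tag -> returned?


class AccessRegistry:
    """Central store of cards, entitlements and issued hardware (hypothetical)."""

    def __init__(self, shared_password_apps):
        # Applications that use a single password for many users: any leaver
        # who had access to one of these forces a password rotation.
        self.shared = set(shared_password_apps)
        self.active_cards = set()
        self.staff = {}
        self.rotations_due = set()

    def commission(self, name, card_id, apps, devices):
        emp = Employee(name, card_id, set(apps), {tag: False for tag in devices})
        self.staff[name] = emp
        self.active_cards.add(card_id)      # card is live from day one
        return emp

    def return_device(self, name, tag):
        self.staff[name].devices[tag] = True

    def card_allowed(self, card_id):
        # Door and logon checks consult the registry, not the card itself.
        return card_id in self.active_cards

    def decommission(self, name):
        emp = self.staff.pop(name)
        self.active_cards.discard(emp.card_id)        # revoked even if not returned
        rotate = emp.apps & self.shared               # shared passwords now exposed
        self.rotations_due |= rotate
        missing = sorted(tag for tag, back in emp.devices.items() if not back)
        emp.apps.clear()                              # no residual entitlements
        return {"card_revoked": emp.card_id,
                "rotate_passwords": sorted(rotate),
                "unreturned_hardware": missing}


def demo():
    reg = AccessRegistry(shared_password_apps={"crm"})       # constructed data
    reg.commission("alice", "C-001", {"crm", "payroll"}, ["LT-17", "PH-04"])
    reg.return_device("alice", "LT-17")                       # phone not returned
    return reg.decommission("alice"), reg.card_allowed("C-001")
```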
*According to figures released by the Liberal Democrats in January 2008
ActivIdentity is exhibiting at Infosecurity Europe 2009 on 28–30 April 2009 in Earls Court, London. www.infosec.co.uk
Source: EskenziPR