Getting the Right Data to (Only) the Right People

This 11th annual observance of National Cyber Security Awareness Month comes at a time when consumer confidence in the digital operations of corporations, government agencies, hospitals and other organizations is already shaken. Within the last year, the information of tens of millions of credit and debit cardholders was compromised by intrusions into retail payment systems. And the number of breached patient medical records has climbed to more than 30 million.

Though many details are still under investigation, the breaches likely have a common cause: stolen credentials for accessing accounts and payment systems. In fact, the 2013 Verizon Breach Report found that 76 percent of network intrusions exploited weak or stolen credentials. As my colleagues John McClurg and Jon Ramsey recently noted, it’s rarely security technology that fails when credentials are compromised; it’s typically human errors that create these vulnerabilities. It is still all too common for users to create simple, weak passwords (the most commonly used password is “Password1”), or to use unique, strong passwords to access company data but jot them down on a piece of paper slipped under the keyboard or on a Post-It note stuck to a monitor.

Even with good security awareness and training in place, user errors will happen. We’ve yet to encounter an organization that’s 100 percent risk-free. So why not take users out of the equation – to the extent you can – with state-of-the-art Identity and Access Management (IAM)? Among other features, today’s IAM solutions enable single sign-on — a single credential with a strong password that gives users and administrators access to all the things that they should have access to, but none of the data or resources that they aren’t authorized to use.

Some high-profile retail data breaches have reportedly been traced to theft of credentials from third-party contractors. Better IAM solutions might have prevented such breaches, which have damaged reputations as well as profits. In today’s security landscape littered with advanced persistent threats (APTs), organizations need strong foundational IAM in place for users, partners and customers alike.

That’s precisely the foundation needed by the Hawaii Department of Education (HiDOE), with upwards of 25,000 employees often tasked with access to 10 or more major applications, previously all with unique sign-ons. By deploying Dell One Identity solutions including single sign-on (SSO), HiDOE now provides seamless access to applications or content when, and only when, it detects an authenticated user. “The introduction of SSO represents a milestone in the way HiDOE utilizes its resources,” says David Wu, HiDOE’s assistant superintendent and CIO.

Aside from enforcing strong passwords and making them easier to use, IAM solutions can help eliminate other common human errors, like IT administrators sharing privileged credentials. Yes, IT professionals are human too, and our Privileged Account Management capabilities help control and audit administrative access through secure, automated, policy-based workflows. The results are enhanced security and compliance, with more efficient administering, tracking and auditing of “superuser” access.

Dell One Identity solutions address the entire range of IAM needs, helping organizations simply and completely achieve business agility. They provide a clear path to governance, enable business-driven decision making, offer solution simplicity by building on existing investments, and use a modular and integrated approach to deliver rapid time to value. Among the key steps in implementing IAM are:

  • Having users go through the process of requesting access to the data and resources they need, and having line of business managers grant access (not IT), so that only the right people have access to the right stuff at the right time;
  • Enforcing strong passwords, but eliminating the need for users to write them down by implementing single sign-on;
  • Making sure to carefully control the privileged credentials, so that those very powerful administrative accounts don’t fall into the wrong hands; and
  • Governing it all thoroughly, because auditors will want reports on everything that’s been done to protect sensitive information.

Implemented correctly, IAM can be a business enabler without being a roadblock to productivity. It can prevent users from gaining too much access and becoming internal threats – something all too familiar in today’s security landscape. Yet it can boost business agility by enabling organizations to assign access faster – to the right people – increasing productivity and achieving compliance faster, and with less cost and effort.

At the end of the day, organizations are always caught between trying to secure the enterprise (providing too little access) and enabling the business (too much access). And as it relates to protecting the enterprise from the outside, it’s not a question of if they’re going to be hacked; it’s just a question of when. As long as there are humans working with information every day and operating the systems that generate and store that data, bad guys are going to try to hack your organization if they haven’t already. And when they do, foundational IAM can mitigate the damage by providing strong access controls that limit the potential exposure.

Dell One Identity helps organizations address the human side of IT security and protect against common user errors. Learn more at Dell.com/BetterSecurity4All, and share your security stories on Twitter at #BetterSecurity4All.

And for more hands-on experience and answers to your IT security challenges, join us at Dell World 2014, Nov. 4 – 6, in Austin, TX, to learn how to defend against wide-ranging threats and enable business with more connected security.

About the Author: Bill Evans