The Marine Corps motto, “Semper Fidelis” — Always Faithful — has always been revered by those who have served in “The Corps” as a pledge of brotherhood to one another. Whether in battle or in peace time, Marines have honored this sworn bond to stand united.
But even this sworn bond can be broken.
Such was the case recently when Marine Jobson Cenor allegedly accessed Marine Corps personnel records and provided a list to a co-conspirator containing more than 100 names and social security numbers of fellow Marines stationed with him in Afghanistan. The co-conspirator then filed false tax returns on behalf of those Marines, collecting $54,000 in tax refunds.
It doesn’t matter whether it’s the Marine Corps, a government agency or a private business, though; identity and access management is imperative, as the cyber security threat of insiders accessing information for nefarious purposes is ever present. While international headlines have been garnered by outside hackers like the LulzSec group, which hacked Sony’s customer database last year, or the hacker conglomerate “Anonymous,” which has targeted government systems, it is the “inside job” that still poses the greatest threat to most businesses. It’s as the old African proverb tells us, “When there is no enemy within, the enemies outside cannot hurt you.”
So organizations need to look within themselves first and foremost when it comes to developing a defensive perimeter around their data with a program of identity and access management (IAM), group management software and audit controls. Keys to establishing IAM battle plans include:
* Utilizing Intelligence from the Field: allow access through a program of data-driven membership based on business changes made to authoritative sources, such as employee attributes in your human resources system and a user provisioning system
* Coordinating Security: set the frequency and time when rules are automatically enforced, while also determining who can create rules and when
* Knowing the Strengths and Weaknesses: test the rules and review results before rules are enabled; this allows organizations to view identity matches from the target and source, including missing, removed, and new members
* Engaging the Rules: employ a wizard-driven rules engine that connects with critical authoritative data and works with business attributes to drive group memberships, while also supporting rule exceptions, to maintain group membership dynamically based on your data points and self-service group management
* Monitoring Risk: define a strategic automated approach for protected, trusted and compliant group access certification, which includes automated alerts that continuously monitor group integrity and detect potential security exceptions as they happen
* Reporting on the Outcome: use integrated reporting for group membership access governance, risk and compliance to see who was added, removed or stayed in the group after each business change, and monitor the results
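The rule, test and report steps in the list above can be sketched in a few lines. This is an added example, not code from Avatier's product; the record fields, the `GroupRule` class and the function names are hypothetical, and the HR data is constructed.

```python
from dataclasses import dataclass, field

# Constructed sample of an authoritative HR export (all values hypothetical).
HR_RECORDS = [
    {"id": "u1001", "dept": "Finance", "status": "active"},
    {"id": "u1002", "dept": "Finance", "status": "terminated"},
    {"id": "u1003", "dept": "IT", "status": "active"},
    {"id": "u1004", "dept": "Finance", "status": "active"},
]

@dataclass
class GroupRule:
    group: str
    required: dict                              # attribute -> value that must match
    include: set = field(default_factory=set)   # approved exceptions: always members
    exclude: set = field(default_factory=set)   # approved exceptions: never members

    def target_members(self, records):
        matched = {r["id"] for r in records
                   if all(r.get(k) == v for k, v in self.required.items())}
        # Exclusions win over inclusions so a deny exception cannot be bypassed.
        return (matched | self.include) - self.exclude

def preview(rule, records, current_members):
    """Dry run: report what enforcing the rule would change, without changing it."""
    target = rule.target_members(records)
    known = {r["id"] for r in records}
    return {
        "new": sorted(target - current_members),
        "removed": sorted(current_members - target),
        "unchanged": sorted(current_members & target),
        # Members with no record in the authoritative source need manual review.
        "missing_from_source": sorted(current_members - known),
    }

def enforce(rule, records, approved=False):
    """Return the membership to apply, only once the preview has been approved."""
    if not approved:
        raise PermissionError("rule not enabled: review preview() output first")
    return rule.target_members(records)

if __name__ == "__main__":
    rule = GroupRule("finance-share", {"dept": "Finance", "status": "active"})
    print(preview(rule, HR_RECORDS, {"u1001", "u1002", "u0999"}))
```

The `removed` and `missing_from_source` lists are the ones to review first: they surface terminated staff and accounts with no HR record that still hold access.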
Employing these tactics as part of an identity and access management solution can help defend a company from being exposed by one of its own rank and file.
To learn more about Avatier’s identity management solutions, watch the Gwinnett Medical Center user provisioning and password reset customer case study.
Learn the role IT automation and business driven self-service administration play in creating lean operations. KuppingerCole’s Assignment Management — Think Beyond Access describes the shift in IT operations from tightly controlled identity management processes to workflow enabled administration.