Combine and standardise physical and IT security measures to minimise risk

November 2007 Access Control & Identity Management

Organisations incur significant overheads, as well as generate increased security risks, when employees misuse or abuse network resources.

Serious losses – of financial and competitive edge in particular – are incurred when intellectual property or sensitive information leaves the confines of the organisation or when computer fraud occurs.

“Users on the inside have access to business critical system resources, making the network susceptible to attacks and exploitation through the use of their privileged status,” says Karel Rode, solutions strategist at CA.

Up to and including the early nineties, an insider was defined as someone who had physical access to a computing facility – typically an employee or the system administrator. Physical security was deemed to be sufficient, as a security guard was able to identify individuals – a precaution that was enhanced by the ‘second factor’ authentication of a swipe card.

“This principle is no longer applicable and an insider is no longer referred to as an employee of the company, as this would give a contractor or temp similar privileges. Additionally, the user may connect via a remote access connection, removing physical access considerations,” Rode says.

“Someone who has achieved insider privileges, by gaining access to a computer, could pose a potential threat. This means that significant technical controls to protect against privilege abuse are needed. Without the proper security policies and governance, it is hard to accurately identify the level of threat and even harder to appropriately implement preventative controls,” he adds.

Reducing the risk

So what can companies do to reduce the risk of information loss, whilst providing staff with the required access to network facilities?

One possible solution would be to merge physical and IT security, says Rode.

Rode suggests that the most practical point of departure would be for companies to look closely at their user populations and determine where the most accurate store of active users exists within the company. This might be the current HR system for permanent staff and some other data store for contractors and temps.

He adds that companies must reconsider their current process for issuing corporate badges to employees. As companies expand in large campus environments, employees might need access to multiple buildings where each location has a different physical access control system. This is a situation that may not be under a company’s control if the company is a tenant and does not have input into the building access systems.

Rode suggests standardising staff security measures. This would make it possible for the company to limit staff access to areas and resources that pertain to their role. Companies could even limit access to certain times of the day. This approach would benefit companies that want to limit shift workers who only need to access selected zones at specified times. Taking things a step further, companies that run IP video surveillance, would be able to track, monitor and record any instances where a violation or failed repeated access has taken place.

“This leaves us with the logical access to systems, resources, applications, files and folders. The logical access scenario will succeed if companies have a data classification standard in place, which they can use within the rule definition process. This will ensure that only designated users with specific group membership or directory attributes can gain access to read, modify or delete files, or access application resources within their designated realm,” Rode concludes.

For more information contact Karel Rode, Computer Associates, +27 (0)11 236 9152, karel.rode@ca.com, www.ca.com




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

HID addresses identification challenges at ID4Africa
August 2019 , News, Access Control & Identity Management, Government and Parastatal (Industry)
Being able to verify people’s identities is critical for a nation’s growth and prosperity and yet HID says nearly half of all African citizens can’t prove who they are to vote, travel freely and receive government benefits and services.

Read more...
Came acquires Turkish company Özak
August 2019, CAME BPT South Africa , News, Access Control & Identity Management
Came broadens its market horizons and signals growth and consolidation in the Middle East.

Read more...
The benefits of electronic visitor management
August 2019, Powell Tronics , Access Control & Identity Management, Residential Estate (Industry)
Access control is a critical aspect of estate security as it represents the controls put in place to restrict entry (and possibly exit) along the outer boundary of the location.

Read more...
Addressing risks by means of access control layout and design
August 2019 , Access Control & Identity Management, Security Services & Risk Management
In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety plan strategy.

Read more...
Secure hands-free access
August 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry)
Suprema’s facial biometric terminals bring no-touch access into secure residential estates, high-rise apartments and luxury homes providing fast, easy and intuitive user authentication with the added benefit of hygiene.

Read more...
MorphoAccess Sigma Extreme
August 2019, IDEMIA , Products, Access Control & Identity Management
MorphoAccess Sigma Extreme from IDEMIA is a touchscreen device with multiple recognition device interfaces (NFC chip reader, PIN and BioPIN codes, contactless card readers).

Read more...
Outdoor access terminals
August 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry), Products
Rugged, dust- and weather-proof access control solutions that provide exceptional durability in extreme conditions is a strong requirement for many residential estates.

Read more...
MorphoWave Compact
August 2019, IDEMIA , Products, Access Control & Identity Management
The MorphoWave Compact captures and matches four fingerprints on either the right or left hand in any direction. It is robust to environmental factors such as extreme light or dust.

Read more...
MorphoAccess Sigma Lite
August 2019, IDEMIA , Products, Access Control & Identity Management
IDEMIA’s MorphoAccess Sigma Lite and Lite + are fingerprint access control terminals, offering time and attendance in and out function keys.

Read more...
Eliminating forced gate opening scenarios
August 2019, ET Nice , Home Security, Access Control & Identity Management
When activated by the gate forced open alarm feature, the transmitter transmits a wireless alarm signal up to 750 metres in any direction.

Read more...