Fighting ID theft across the enterprise

Access & Identity Management Handbook 2011 Access Control & Identity Management

Know the risk and do not pay the price.

It is no surprise to find security remains high on today’s business agenda. But the nature of the threat is changing as technology becomes more sophisticated and is increasingly shaping the way we work.

Organisations have the power to store more sensitive information than ever before and IT developments now pave the way for the increasing numbers of mobile and freelance workers. This has created a complex challenge that many companies are trying to address: how to manage and protect the personally identifiable information (PII) of their workforce.

Identity management is not a problem that a one-off solution can solve overnight. It is time to take this threat seriously and to devise a security policy that is practical and realistic, and that can be monitored and adapted to keep pace with the ID thieves.

What is at risk?

The risk of stolen identity is emerging as a number one issue for organisations to tackle, with the worldwide identity and access management market expected to exceed $5 billion in revenue by 2010. To add to this, an alarming 90% of IT attacks are internal according to Gartner and this figure shows no signs of slowing down. So are businesses doing everything they can to ward off the threat from within? And what is the damage when it all goes wrong?

The task should first be to identify what is at risk, where that danger emanates from and to assess what measures can be put in place to safeguard against this. To battle against the growing threat of stolen identity, organisations must be able to establish, control and terminate their employees’ various user rights.

Organisations most vulnerable to stolen identity are those storing vast amounts of personally identifiable information (PII), such as credit card details and social security numbers. Managing sensitive identity data in a heterogeneous environment is a universal IT challenge. But despite regulations and auditors dictating how identity information is being used and stored, the fast pace and high turnover of today’s workforce means many organisations are left exposed with unprotected systems.

Working with the enemy

Businesses have traditionally guarded against hackers and external threats, but with staff turnover increasing and IT depending more heavily on employees such as the database administrator, the biggest identity theft threat now comes from staff themselves.

Basic errors are being made at the staff induction stage, when organisations do not establish a clear agreement on the access rights that people in different job roles should have. In addition, people often change jobs within the company and it is less common to reduce access than to grant it. As a result, employees end up with more access than is necessary for them to do their current job.

The other side of this is the issue of de-provisioning. Many companies overlook how to deal with the termination of ex-employees' access rights to ensure that systems and applications are not open to them after they have left. Over time, an employee can amass a number of passwords to different applications, and without a centralised ID management process in place, there is no way of knowing what the employee had access to, and therefore what needs to be terminated. Companies need to be able to switch off access as soon as an employee leaves.

Paying the price

The cost of a disgruntled ex-employee compromising a system they still have access to could run into millions. However, though stolen PII will cost an organisation financially, the deficit can be made up over time. The damage to brand reputation and customer relationships, on the other hand, can be irreparable. Stolen PII reduces customer confidence and has the potential to have a long-term and detrimental impact on any business. Take online services as an example. A case of stolen identity creates a culture of mistrust. If customers who regularly use the Internet to check account details or sign up for extra services start to question their safety whenever they log on, the effect on sales could be devastating.

Damage and risk limitation

So what can a business do to protect itself? First evaluate the risk, look at the organisational structure and then put a security policy in place that is practical but not intrusive. It may even be useful to assign a group, for example a Risk Management Committee, to manage the whole process, ensuring that the policy is enforced effectively using the right technology. The key is not only to put the controls in place but also to monitor the technology to check that it works. It is crucial to log which systems are being accessed and by whom. Reports can then be generated to reveal patterns and trends of misuse.

By having a security policy in place, organisations can implement identity management technology solutions to manage the end-to-end lifecycle of user identities across the enterprise. This helps businesses to deploy applications faster, apply the most granular protection to resources, and automatically eliminate latent access privileges. To protect PII, sensitive data can be encrypted in database columns to increase protection against high-end internal and external threats.

Oracle Identity Management offers customers a complete end-to-end solution with enhanced functionality that meets all customer identity management requirements. Oracle continues to strengthen its offering following a raft of acquisition activity, providing the best technology to help customers make smart decisions about their security policy and manage the end-to-end lifecycle of user identities across the enterprise.

For example, Norsk Hydro ASA needed to provide reliable, secure access for its 50 000 users and to administer user rights and privileges consistently and efficiently. The company implemented a security policy and accessed a centralised, secure system that is shared by all applications. This has enabled it to ensure high security and data quality across the enterprise. Without tools like these, Norsk Hydro would never be able to open its systems to external users.

The challenge for Swisscom IT Services was how to improve overall security and manage 20 000 external customer and partner users. Through adopting identity management solutions, the company has simplified the security process to improve productivity and reduce costs. It can now give both employees and external contacts access to the information and services that they need, no matter where they are.

The objective of any long-term identity management policy should be to control, monitor and improve the technology and business processes involved in the project. It is crucial for security policies to be managed closely to adapt to changing circumstances and maximise the business value from IT. Any business which is not keeping its strategy under almost constant review will soon get left behind, and will consequently head into dangerous territory.

For more information contact Oracle, +44 18 924 6332,
