Fighting ID theft across the enterprise

November 2010 Access Control & Identity Management

Know the risk and do not pay the price.

It is no surprise to find security remains high on today’s business agenda. But the nature of the threat is changing as technology becomes more sophisticated and is increasingly shaping the way we work.

Organisations have the power to store more sensitive information than ever before and IT developments now pave the way for the increasing numbers of mobile and freelance workers. This has created a complex challenge that many companies are trying to address: how to manage and protect the personally identifiable information (PII) of their workforce.

Identity management goes beyond simply requiring a one-off solution that can be solved overnight. It is time to take this threat seriously and to devise a security policy that is practical and realistic, and that can be monitored and adapted to keep pace with the ID thieves.

What is at risk?

The risk of stolen identity is emerging as a number one issue for organisations to tackle, with the worldwide identity and access management market expected to exceed $5 billion in revenue by 2010. To add to this, an alarming 90% of IT attacks are internal according to Gartner and this figure shows no signs of slowing down. So are businesses doing everything they can to ward off the threat from within? And what is the damage when it all goes wrong?

The task should first be to identify what is at risk, where that danger emanates from and to assess what measures can be put in place to safeguard against this. To battle against the growing threat of stolen identity, organisations must be able to establish, control and terminate their employees’ various user rights.

Organisations most vulnerable to stolen identity are those storing vast amounts of personally identifiable information (PII), such as credit card details and social security numbers. Managing sensitive identity data in a heterogeneous environment is a universal IT challenge. But despite regulations and auditors dictating how identity information is being used and stored, the fast pace and high turnover of today’s workforce means many organisations are left exposed with unprotected systems.

Working with the enemy

Businesses have traditionally guarded against hackers and external threats, but now with staff turnover increasing and more IT dependence on employees like the database administrator, the biggest threat to identity theft is from staff themselves.

Basic errors are being made at the staff induction stage, when organisations do not establish a clear agreement on the access rights that people in different job roles should have. In addition, people often change jobs within the company and it is less common to reduce access than to grant it. As a result, employees end up with more access than is necessary for them to do their current job.

The other side of this is the issue of de-provisioning. Many companies overlook how to deal with the termination of ex-employees' access rights to ensure that systems and applications are not open to them after they have left. Over time, an employee can amass a number of passwords to different applications, and without a centralised ID management process in place, there is no way of knowing what the employee had access to, and therefore what needs to be terminated. Companies need to be able to switch off access as soon as an employee leaves.

Paying the price

The cost of a disgruntled ex-employee compromising a system they still have access to could run into millions. However, though stolen PII will cost an organisation financially, the deficit can be made up over time. On the other hand, in terms of damage to brand reputation and customer relationships – this can be irreparable. Stolen PII reduces customer confidence and has the potential to have a long-term and detrimental impact on any business. Take online services as an example. A case of stolen identity creates a culture of mistrust. If customers using the Internet to check account details or sign up for extra services on a regular basis start to question their safety whenever they log on, the effect on sales could be devastating.

Damage and risk limitation

So what can a business do to protect itself? First evaluate the risk, look at organisational structure and then put a security policy in place that is practical, but not intrusive. It may even be useful to assign a group, for example a Risk Management Committee to manage the whole process, ensuring that a policy is enforced effectively using the right technology. The key is not only to put the controls in place but to also monitor the technology to check it works. It is crucial to log all activity around which systems are being accessed and by whom. Reports can then be generated to reveal patterns and trends of misuse.

By having a security policy in place, organisations can implement identity management technology solutions to manage the end-to-end lifecycle of user identities across the enterprise. This helps businesses to deploy applications faster, apply the most granular protection to resources, and to automatically eliminate latent access privileges. To protect PII, sensitive data can be encrypted into database columns to increase protection against high-end internal and external threats.

Oracle Identity Management offers customers a complete end-to-end solution with enhanced functionality that meets all customer identity management requirements. Oracle continues to strengthen its offering following a raft of acquisition activity, providing the best technology to help customers make smart decisions about their security policy and manage the end-to-end lifecycle of user identities across the enterprise.

For example, Norsk Hydro ASA needed to provide reliable, secure access for its 50 000 users and to administer user rights and privileges consistently and efficiently. The company implemented a security policy and accessed a centralised, secure system that is shared by all applications. This has enabled it to ensure high security and data quality across the enterprise. Without tools like these, Norsk Hydro would never be able to open its systems to external users.

The challenge for Swisscom IT Services was how to improve overall security and manage 20 000 external customer and partner users. Through adopting identity management solutions, the company has simplified the security process to improve productivity and reduce costs. It can now give both employees and external contacts access to the information and services that they need, no matter where they are.

The objective of any long-term identity management policy should be to control, monitor and improve the technology and business processes involved in the project. It is crucial for security policies to be managed closely to adapt to changing circumstances and maximise the business value from IT. Any business which is not keeping its strategy under almost constant review will soon get left behind, and will consequently head into dangerous territory.

For more information contact Oracle, +44 18 924 6332,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

HID addresses identification challenges at ID4Africa
August 2019 , News, Access Control & Identity Management, Government and Parastatal (Industry)
Being able to verify people’s identities is critical for a nation’s growth and prosperity and yet HID says nearly half of all African citizens can’t prove who they are to vote, travel freely and receive government benefits and services.

Came acquires Turkish company Özak
August 2019, CAME BPT South Africa , News, Access Control & Identity Management
Came broadens its market horizons and signals growth and consolidation in the Middle East.

The benefits of electronic visitor management
August 2019, Powell Tronics , Access Control & Identity Management, Residential Estate (Industry)
Access control is a critical aspect of estate security as it represents the controls put in place to restrict entry (and possibly exit) along the outer boundary of the location.

Addressing risks by means of access control layout and design
August 2019 , Access Control & Identity Management, Security Services & Risk Management
In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety plan strategy.

Secure hands-free access
August 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry)
Suprema’s facial biometric terminals bring no-touch access into secure residential estates, high-rise apartments and luxury homes providing fast, easy and intuitive user authentication with the added benefit of hygiene.

MorphoAccess Sigma Extreme
August 2019, IDEMIA , Products, Access Control & Identity Management
MorphoAccess Sigma Extreme from IDEMIA is a touchscreen device with multiple recognition device interfaces (NFC chip reader, PIN and BioPIN codes, contactless card readers).

Outdoor access terminals
August 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry), Products
Rugged, dust- and weather-proof access control solutions that provide exceptional durability in extreme conditions is a strong requirement for many residential estates.

MorphoWave Compact
August 2019, IDEMIA , Products, Access Control & Identity Management
The MorphoWave Compact captures and matches four fingerprints on either the right or left hand in any direction. It is robust to environmental factors such as extreme light or dust.

MorphoAccess Sigma Lite
August 2019, IDEMIA , Products, Access Control & Identity Management
IDEMIA’s MorphoAccess Sigma Lite and Lite + are fingerprint access control terminals, offering time and attendance in and out function keys.

Eliminating forced gate opening scenarios
August 2019, ET Nice , Home Security, Access Control & Identity Management
When activated by the gate forced open alarm feature, the transmitter transmits a wireless alarm signal up to 750 metres in any direction.