Admittedly, devising security permissions on an individual basis is a tedious but necessary chore. "Security and ease of use don't go together and they never will," said Adrian Santangelo, a partner in Full Brain Technologies, an Iowa City, IA, consulting firm specialising in security. Santangelo fears that in most companies, the default security configuration is access to everything. He recommends that tech leaders head in the opposite direction. "Don't give anyone access to anything and work up from there. It's tedious, but it's the only way to do it," he said.

SRI security expert Peter Neumann agrees. Most database systems, he explained, have fine-grain access control, but they're not set up properly. "If you have access to anything, you have access to everything," he said.

Unfortunately, in setting individual permissions, CIOs might run into high-level executives who think they should have access to everything. Santangelo tells these executives, "You pay me to do this the proper way, and that's what I'm going to do. You might cause problems, not because you want to, but accidentally." All it takes is someone with an all-access pass to unintentionally leave his or her computer on, and suddenly sensitive data is accessible, he noted.

Where tools come into play
However, while administering access manually is tedious, it has also become nearly impossible with the explosion of distributed systems, both internal and external. The situation is exacerbated when security staffers are versed in NT security but not as well versed in Oracle security. The issue will only get worse with the implementation of online privacy regulations. And that's exactly what's spurring the slew of automated security tools.

"Doing it manually doesn't scale," said Waveset's McClain. "You need an automated way to deal with a person joining or leaving, or when you acquire a company with 5,000 more users." That's where an 80-20 rule comes into play, he added. With the 80-20 approach, enterprises use automated software to handle 80 percent of the administrative issues, and let the IT staff handle the rest. For example, one Waveset client, a computer manufacturer, has linked its PeopleSoft system to its Waveset identity management system, so that when the HR department adds or deletes someone, that user is automatically added to or deleted from the Waveset system.

Another advantage to automated identity-management software is that by increasing the so-called self-service capabilities -- letting users reset their passwords or letting their supervisors assign security access to files based on need -- the permissions decision becomes business-based rather than IT-based. While he acknowledged that IT should always be a partner in the permissions process, McClain insisted that "the decision on permissions should be made by who owns the data, not IT."

If CIOs need more motivation for taking a granular permissions approach, consider the ounce-of-prevention argument. If a minimum number of people have access to certain databases and files, and there is a security breach, you've already limited the scope of your investigation. "If you've set up permissions granularly," said Full Brain's Santangelo, "you can find a problem more quickly. A stricter policy will help you figure out what went wrong."
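The three practices the article describes (deny by default, HR-driven joiner/leaver reconciliation, and grants approved by the data owner rather than IT) fit together in a small permission store. This is an added illustration, not code from Waveset or any product named above; the users, resources and owners are constructed, and the "breach scope" query shows why granular grants shrink an investigation.

```python
"""Deny-by-default permission store reconciled against an HR feed.
Added example; all users, resources and owners are constructed."""
from dataclasses import dataclass, field


@dataclass
class PermissionStore:
    owners: dict                                   # resource -> business owner
    grants: dict = field(default_factory=dict)     # user -> set of resources
    users: set = field(default_factory=set)        # current employees per HR

    def grant(self, approver: str, user: str, resource: str) -> bool:
        """A grant succeeds only if the approver owns the resource and the
        user is a current employee. Nothing is granted implicitly."""
        if user not in self.users or self.owners.get(resource) != approver:
            return False
        self.grants.setdefault(user, set()).add(resource)
        return True

    def can_access(self, user: str, resource: str) -> bool:
        # No explicit grant means no access; there is no all-access default.
        return resource in self.grants.get(user, set())

    def reconcile_with_hr(self, hr_active: set) -> dict:
        """Joiner/leaver sync with HR as the authoritative source: leavers
        lose every grant at once, joiners start with an empty grant set."""
        leavers = self.users - hr_active
        joiners = hr_active - self.users
        for user in leavers:
            self.grants.pop(user, None)
        self.users = set(hr_active)
        return {"joiners": joiners, "leavers": leavers}

    def breach_scope(self, resource: str) -> set:
        """Who held access to `resource`? This is the set an incident
        responder must look at first; granular grants keep it small."""
        return {u for u, rs in self.grants.items() if resource in rs}


if __name__ == "__main__":
    store = PermissionStore(owners={"payroll_db": "cfo", "hr_db": "hr_lead"})
    store.reconcile_with_hr({"alice", "bob", "cfo", "hr_lead"})
    print(store.grant("cfo", "alice", "payroll_db"))   # True: owner approved
    print(store.grant("cfo", "bob", "hr_db"))          # False: cfo is not owner
    print(store.breach_scope("payroll_db"))            # {'alice'}
    store.reconcile_with_hr({"bob", "cfo", "hr_lead"})  # alice leaves
    print(store.can_access("alice", "payroll_db"))     # False: grants revoked
```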