One rogue user leads to $400 Million Data Leakage

February 26, 2007

The IT security publication SC Magazine reports a $400 million corporate espionage incident at DuPont. This is a further example of the risk posed by a single person’s improper access to an enterprise. In this case, the issue was data leakage. It went beyond the business dollar value and took on national security overtones. These are not trivial matters.

There are a number of strategies that a company needs to employ to mitigate this type of event. One of them certainly should be to gain control of the huge number of legacy login accounts floating around in your organization that are currently unmanaged.

There is no excuse for not attending to this, as straightforward solutions are available.


GUIDs, CUPIDs, and TRUIDs – making connections

February 26, 2007

When we talk about matching login accounts to people, groups and systems across multiple silos, we need a reliable mechanism to maintain the connection – a unique identifier. When you are dealing with Enterprise Identity Matching, it is important that you have a unique identifier with the appropriate scope to do the job. Using an employee number will not do the trick. Let’s look at the details.



What to do when you lose your keys? – change the locks!

February 7, 2007

If you have ever lost your keys, you know it is a real pain. Most people think it prudent to change the locks rather than take the risk that someone might have found them and will take advantage of you. Most likely the keys are in the cushions of a couch or were found by some harmless, trusting soul. However, why take the chance? Change the locks and sleep better.

Organizations have been losing track of keys (login credentials or login accounts) to their most important computer systems for decades and, as I showed in my last post, for larger organizations this amounts to about 100K keys for which they cannot answer the simple question: who controls this key? Mostly these misplaced keys are in safe hands but, in many cases, they are controlled by an ex-employee, consultant, partner, or current employee who has moved into another area and should no longer have that access. Some may use them against you.

Of course, each one of these unaccounted-for keys is a potential negative compliance finding, but they also represent a ticking time bomb for a business reputation disaster – or worse. For example:



Some hard numbers on how bad ID data is out there

February 5, 2007

Up to now I have thrown out the round number that 20%+ of your login records are likely ‘unmatchable’ using normal techniques. Here is some more detailed data behind that number.

This particular table is a composite and simplification of detailed real-world findings. It is representative of an organization with about 30,000 active employees and considers data for 7 common applications/directories.

This is not a guess or speculation but resembles what we have found when we do detailed analysis within organizations. Obviously, the specifics are confidential.

It is my hypothesis that this represents the situation in almost all large organizations. Every organization that we have investigated so far has a problem of this magnitude. You may be the exception, but I would not count on it.

Over the next few days I will dig into some of the details, but for now here is the chart. Do you find this as shocking as I do?

Chart: Credentials By Source
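As an added illustration (not the author's data, chart or code), here is a small Python matcher over constructed login records from three silos that shows how the "unmatchable" share per source behind a chart like this can be measured; the field names and the matching rules (exact employee number first, then normalised e-mail address) are assumptions.

```python
"""Measure unowned ("unmatchable") login accounts per source system.

Constructed sample data, not the blog's findings. Matching rules and
field names are assumptions for the sake of the example.
"""
from collections import defaultdict

# Constructed HR roster: the authoritative list of people.
HR_PEOPLE = [
    {"emp_no": "10001", "name": "Alice Smith", "email": "alice.smith@example.com"},
    {"emp_no": "10002", "name": "Bob Jones", "email": "bob.jones@example.com"},
    {"emp_no": "10003", "name": "Carol White", "email": "carol.white@example.com"},
]

# Constructed login records. Each silo stores different identifying
# attributes, which is the core problem: there is no common key.
ACCOUNTS = [
    {"source": "AD", "login": "asmith", "emp_no": "10001", "email": "alice.smith@example.com"},
    {"source": "AD", "login": "bjones", "emp_no": None, "email": "bob.jones@example.com"},
    {"source": "AD", "login": "svc_backup", "emp_no": None, "email": None},  # service account
    {"source": "ERP", "login": "SMITHA", "emp_no": "10001", "email": None},
    {"source": "ERP", "login": "WHITEC", "emp_no": "1003", "email": None},  # mistyped emp_no
    {"source": "ERP", "login": "JDOE", "emp_no": None, "email": None},  # nobody in HR
    {"source": "Unix", "login": "carol", "emp_no": None, "email": "Carol.White@Example.COM"},
    {"source": "Unix", "login": "oracle", "emp_no": None, "email": None},
]


def match_accounts(people, accounts):
    """Pair each account with an owner's emp_no (or None if unmatchable).

    Rule 1: exact employee-number match. Rule 2: case-insensitive e-mail.
    Anything left over is an account nobody in HR can be shown to control.
    """
    by_emp = {p["emp_no"]: p for p in people}
    by_email = {p["email"].lower(): p for p in people}
    matched = []
    for acct in accounts:
        person = by_emp.get(acct["emp_no"])
        if person is None and acct["email"]:
            person = by_email.get(acct["email"].lower())
        matched.append((acct, person["emp_no"] if person else None))
    return matched


def unmatched_rate_by_source(matched):
    """Fraction of accounts per source with no identified owner."""
    total, unowned = defaultdict(int), defaultdict(int)
    for acct, owner in matched:
        total[acct["source"]] += 1
        if owner is None:
            unowned[acct["source"]] += 1
    return {src: unowned[src] / total[src] for src in total}
```

Real deployments add more matching rules (name normalisation, HR history for former employees), but the leftover set after all rules is exactly the population the author is counting.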