Identity and Access Confusion

SECURITY WITHIN Australian organisations is being threatened by the confusion between the concepts of IT security and information security, research firm Frost & Sullivan has reported.

In its ‘Managing the Information Security Risk From People, Both Internal and External’ white paper, the company said people were confused by the differences between hardware and software (the ‘how’), and information (the ‘what’) of IT.

“The risk in focusing exclusively on technology hinders a business from meeting the needs of their ever-changing organisations. Nor does it effectively protect organisations from ever-changing threats – both internal and external,” James Turner, industry analyst, security and services, said. Turner said Frost’s recent 2006 Australian Information Security Satisfaction Monitor (AISSM) also found that security standards were slipping.

The report found that 35 percent of respondents reported that a legitimate network user had accessed information they should not have been permitted to view. Another 16 percent reported that a formerly legitimate network user had maliciously compromised data.

Looking at the external threat, the report found that 22 percent of respondents reportedly had proof that a hacker had penetrated their network, while 36 percent had suspicions that a hacker had penetrated them.

Turner claimed that no single security solution can address the range of threats from internal and external sources, and recommended clearly defined processes to control access and activity on corporate networks.

Many of these checks and processes can be automated through identity and access management tools – but it is the process that counts. “We need the process defined and clearly understood before we start deploying the technology,” he said. The need for authentication is growing as more organisations are linking their resources and supply chains are becoming supply webs – relationships that run on trust, Turner claimed.

Without authentication an organisation cannot establish trusted identities, and without trusted identities it cannot effectively use technology to leverage the skills of its workforce and partners for growth and profit. “That’s why we should not confuse information security with IT security. Data is generally of greater value than the infrastructure (the technology) that stores and manages it. And it is people, both within the organisation and externally, who are often overlooked as a threat to corporate information.”
