"KPMG's recent Global Information Security Survey showed that approximately 87% of global respondents suffered security breaches related to attacks on their information resources from outsiders as well as people working for these organisations. Typically these threats are controlled by managing access to information resources, ensuring the confidentiality, integrity and availability of these resources."
"Your organisation's information resources include all data, information as well as the hardware, software, people and processes involved with the storage, processing and output of such information. This includes data networks, servers, PCs, storage media, printers, photo copiers, fax machines, supporting equipment, fall-back equipment and back-up media."
What to protect
Pieters suggests that information resources should be classified to indicate the need, priorities and degree of protection. Information has various degrees of sensitivity and criticality. Some items may require an additional layer of protection or special treatment. "If your information is really sensitive, keep it locked up, and tightly control its physical distribution. As for the other data, rather than dividing it into hierarchical categories that respond to specific policies, create just two categories - unsecured and secured. Unsecured information is that which can readily be distributed, without any sort of encryption or recipient authentication. Secured data should be backed up by whatever prevention, detection, and response solutions have been adopted, based on a thorough analysis of needs."
How to protect
Firewalls and demilitarised zones (DMZs) are commonly used to protect network perimeters; however, according to KPMG's Global Information Security Survey, 82% of respondents still rely on usernames and passwords to validate the identity of users.
Says Pieters, "Logical access to an organisation's information resources needs to be managed in a controlled way, and logical access permissions should be granted on the basis of business requirements. An effective starting point to enforce logical access controls within an organisation is through a formal logical access management policy."
Such a policy should at a minimum address the following areas:
* Allocation of the various roles and responsibilities required to manage and control logical access to knowledgeable staff members.
* The processes that should be followed when user access groups are created or updated.
* The processes followed to allocate users to specific user access groups. Logical access to information resources should be forbidden, unless expressly authorised.
* The process of revoking a user's access rights from a system or network.
* The processes involved in monitoring users' access rights to systems and networks, to ensure that users have the access necessary to perform their tasks and to ensure the integrity and confidentiality of secured information.
* The user access rules and processes applying to temporary and support staff as well as contractors.
In addition to the logical access management policy, a password policy should be developed to require staff members to use strong, hard-to-guess passwords. The password policy should address the following areas:
Password issuing and resetting
The process for issuing and resetting passwords should include a method of positively identifying the user, allocation of a unique password, secure delivery, and immediate forced changing of the assigned password.
Standards detailing minimum password requirements
The standards should detail as a minimum:
* A 30 day frequency for password changes.
* Minimum password length of six characters.
* Use of both numeric and alphabetic characters.
* Disabling of account after three failed login attempts.
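The issuing process and the minimum standards above, as an added example that is not the article's or KPMG's code: a Python sketch that enforces the article's figures as adjustable parameters (length, letter-and-digit mix, 30-day age, lockout after three failures, forced change of an assigned password); the salted PBKDF2 storage and constant-time comparison are assumptions of this example, not something the article specifies.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class PasswordPolicy:
    min_length: int = 6           # article: minimum six characters
    max_age_days: int = 30        # article: 30-day change frequency
    max_failed_attempts: int = 3  # article: disable after three failed logins
    def violations(self, password: str) -> list[str]:
        """Every standard the candidate password breaks; empty means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
            problems.append("must mix letters and digits")
        return problems

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds the password itself (example's choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    salt: bytes = b""
    pw_hash: bytes = b""
    last_changed: datetime = datetime.min
    must_change: bool = True      # article: an assigned password is changed at first login
    failed_attempts: int = 0

def set_password(acct, policy, password, now, assigned=False) -> list[str]:
    # Issuing/resetting (assigned=True) and user changes share one path; returns violations.
    problems = policy.violations(password)
    if not problems:
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(password, acct.salt)
        acct.last_changed, acct.failed_attempts, acct.must_change = now, 0, assigned
    return problems

def attempt_login(acct, policy, supplied, now) -> str:
    # Returns one of: disabled, failed, change_required, expired, ok.
    if acct.failed_attempts >= policy.max_failed_attempts:
        return "disabled"           # locked until a reset through the issuing process
    if not hmac.compare_digest(hash_password(supplied, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        return "disabled" if acct.failed_attempts >= policy.max_failed_attempts else "failed"
    acct.failed_attempts = 0
    if acct.must_change:
        return "change_required"
    if now - acct.last_changed > timedelta(days=policy.max_age_days):
        return "expired"
    return "ok"
```

The thresholds are parameters rather than constants because guidance has moved since this article: NIST SP 800-63B advises against forced periodic rotation unless a compromise is suspected.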
The restricted use of privileged access passwords
"Powerful system passwords, such as administrator, allow unrestricted logical access to systems and applications. These passwords should be strictly controlled and monitored. Often the most effective penetration obstacles have nothing to do with an organisation's system software and firewall deployments. An immediate increase in security could be achieved by simply requiring users to comply with these policies."
Access management in future
"The take-up of strong authentication has been slow. Two-factor authentication ('something you have' and 'something you know') is still used only infrequently as a method of authentication, and the use of biometrics is extremely small. The reason may be the cost. Biometrics require the installation of a reader for each desktop where authentication may be required, and smartcards and tokens need costly distribution and tracking procedures and systems. At this point in time organisations are still deciding to accept the risk on the basis that the impact of a serious security breach is likely to cost less than the implementation of these strong authentication methods."
"Another sophisticated method of authentication implemented by organisations is the use of digital certificates. Digital certificates are used to encrypt confidential information and messages, verifying the source of this information and ensuring non-repudiation of a message. The implementation of PKI that supports the use of digital certificates has been slow, with our Global Information Security Survey reporting a mere 10% of organisations having fully implemented a PKI."
"The low uptake points to issues with this technology. It is costly to implement and maintain. However, significant improvements in this technology have been made and costs are coming down. Basic PKI systems are now available as part of standard operating systems."
The protection of information resources should form part of an organisation's overall Information Security Strategy and should consider the impact and likelihood of threats faced by an organisation to ensure an adequate return on any investment in an access management solution.