Michael Burling discusses the dangers posed by ineffective provisioning of user access rights and details how a secure enterprise provisioning system addresses specific risk areas highlighted by the U

'Criminals are increasingly using IT to commit crime. This is probably due to their recognition that fraud, extortion and money laundering crimes can be committed just as easily in electronic form as they can physically. They realise poor information security offers a quick and easy way to commit financial crime.'

This was the stark warning given by the UK Financial Services Authority (FSA) in its report Countering Financial Crime Risks in Information Security, published in November 2004. The report concludes that firms could do much more to address potential risks, rather than responding to attacks once they have occurred. It highlights the need for firms' defences to be continually reviewed to keep on top of the increasingly sophisticated methods used by criminals.

In addition to the emergence of new information security threats, such as phishing, the report also reveals that traditional threats to information security still exist because firms do not invest adequately in their security frameworks. An area of particular concern is the effective provisioning and de-provisioning of user access rights.

Due to the sensitive or embarrassing nature of such threats, real-life examples of security breaches due to ineffective provisioning are hard to come by. However, a number of horror stories do slip through the net.

A network manager, sacked by a manufacturer of measurement and control devices used by the US Navy and NASA, was able to detonate a software time bomb in the company's network, destroying the programs that ran its manufacturing machines. The malicious code was responsible for $10m in losses, 80 redundancies and the loss of several customers.

Then there was the computer technician who was fired from a temporary position at one of New York's prominent publishing houses, and was able to erase all the data on five of the company's eight servers. The company had to shut down for two days and lost more than $100,000.

Finally, there are the hackers who used the login names and passwords of two former employees to crash computer systems at a US software company.

The company estimates it lost $50,000 in revenue because of the incident.

The FSA acknowledges: 'Weak user administration is a common and long-standing failing. Firms need to ensure that only current employees have access to systems, and that these employees have the correct account privileges. Unless user account reviews are regularly conducted, there is a risk that staff will leave or move, and that user accounts will be used for unauthorised access.'

Problems and solutions

The report recognised a range of solutions for small and large firms, from manual user administration to automated identity management solutions that capture and maintain details of employees' access rights across the organisation, using either centralised or decentralised administration.

However, irrespective of the solution firms deployed, a number of common issues arose.

The first area of concern highlighted by the report is 'Failure to reconcile employees listed on human resources systems with live user accounts on a timely basis to identify redundant accounts.' The latest enterprise provisioning technology addresses this issue by including a reconciliation engine as a core element of the system's design. It supports ongoing audit initiatives by ensuring controls and policies are strictly enforced, in order to ensure compliance across the enterprise.

Reconciliation becomes an ongoing process that monitors the resources being managed. If the engine detects any accounts or changes to user access privileges effected contrary to the policies defined within the system, it can immediately undo the change or notify an administrator.

The second area of concern detailed in the FSA's report, 'Failure to delete access rights when a staff member changes responsibilities or departments,' is equally well managed by the latest provisioning solutions. They will automatically reconcile identity information from the majority of HR systems and directories - the trusted sources of information relating to staff responsibilities and departments.

As long as staff changes are reflected in at least one of these trusted sources, the provisioning system will automatically reconcile the change and amend the user group membership accordingly, a process often referred to as role-based access control. The alteration in membership will trigger the appropriate provisioning processes to reflect the change within managed applications; for example, deleting existing user accounts, deleting existing user privileges or entitlements within an application, modification of user rights and the creation of new user accounts or privileges.
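As an added illustration of the reconciliation and role-based provisioning described above (example code written for this article, not Thor Technologies' product), the following Python compares a constructed HR feed with live accounts and derives the actions a provisioning engine would raise: disable orphaned and leaver accounts, revoke and grant entitlements after a department change, and create accounts for new active staff. The record layout and the department-to-entitlement mapping are assumptions.

```python
# Added example (not from the article or Thor Technologies): a minimal
# reconciliation pass of the kind the text describes. The HR feed is the
# trusted source; live accounts are compared against it, and the department
# recorded in HR drives role membership and the resulting provisioning actions.
# All records below are constructed sample data.

HR_FEED = {  # employee id -> (department, status)
    "e100": ("finance", "active"),
    "e101": ("it", "active"),
    "e102": ("finance", "left"),   # leaver still listed in HR, with status
    "e103": ("trading", "active"),
}

LIVE_ACCOUNTS = {  # account (employee id) -> entitlements currently held
    "e100": {"ledger_read", "ledger_post"},
    "e101": {"ledger_read", "server_admin"},
    "e102": {"ledger_read"},
    "e104": {"server_admin"},      # no HR record at all: orphaned account
}

ROLE_ENTITLEMENTS = {  # department -> entitlements its role grants
    "finance": {"ledger_read", "ledger_post"},
    "it": {"server_admin"},
    "trading": {"ledger_read", "trade_book"},
}

def reconcile(hr, accounts, roles):
    """Return the provisioning actions needed to make accounts match HR."""
    actions = []
    for acct, held in sorted(accounts.items()):
        record = hr.get(acct)
        if record is None or record[1] != "active":
            actions.append(("disable", acct, frozenset(held)))  # orphan or leaver
            continue
        wanted = roles[record[0]]
        for ent in sorted(held - wanted):   # held but not granted by the role
            actions.append(("revoke", acct, ent))
        for ent in sorted(wanted - held):   # granted by the role but missing
            actions.append(("grant", acct, ent))
    for emp, (dept, status) in sorted(hr.items()):  # active staff with no account
        if status == "active" and emp not in accounts:
            actions.append(("create", emp, frozenset(roles[dept])))
    return actions

if __name__ == "__main__":
    for action in reconcile(HR_FEED, LIVE_ACCOUNTS, ROLE_ENTITLEMENTS):
        print(action)
```

A real engine would apply or queue these actions against the managed applications and notify an administrator of anything it cannot undo automatically.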

The report also expresses concern that many financial enterprises have 'no review of user account access rights or application privileges by the business or IT to determine if a user has excessive rights or incompatible privileges for their job role'. This is a problem easily overcome by a periodic review of access levels.

Leading-edge enterprise provisioning systems can be configured to periodically remind individuals to generate various reports (detailing who has access to what, exceptions, and so on) and to acknowledge that they have examined the results and are satisfied that they properly reflect the firm's policies.

This allows for greater confidence that proactive controls are working properly.

According to the report, the lack of segregation of duties between IT staff administering user accounts and those who review the appropriateness of account privileges is a problem faced by many enterprises. Segregation of duties is indeed a key vehicle for preventing fraud and detecting errors in the processing of financial transactions. It ensures the same person does not participate in more than one key function of a transaction, and that actions are properly monitored and overseen.
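The reviews the report calls for can be expressed as checks over entitlement data. This added example (not from the article) flags incompatible privilege combinations and non-independent access reviews, using a constructed toxic-pair list, entitlement table, administrator mapping and reviewer assignment; all names and pairs are assumptions.

```python
# Added example (not from the article): a review pass over current
# entitlements that flags incompatible privilege combinations and
# segregation-of-duties breaches between those who administer accounts
# and those who review them. All data below is constructed sample data.

# Pairs of entitlements one person should not hold together (illustrative).
TOXIC_PAIRS = [
    ("ledger_post", "ledger_approve"),      # enter and approve a transaction
    ("account_admin", "access_reviewer"),   # administer accounts and review them
]

ENTITLEMENTS = {  # user -> entitlements currently held
    "alice": {"ledger_read", "ledger_post"},
    "bob":   {"ledger_post", "ledger_approve"},
    "carol": {"account_admin", "access_reviewer", "ledger_read"},
    "dave":  {"access_reviewer"},
}

ADMIN_OF = {"alice": "carol", "bob": "carol", "carol": "erin", "dave": "erin"}
REVIEWER_OF = {"alice": "dave", "bob": "carol", "carol": "carol", "dave": "erin"}

def find_conflicts(entitlements, toxic_pairs):
    """Return (user, pair) for every incompatible combination a user holds."""
    conflicts = []
    for user, held in sorted(entitlements.items()):
        for a, b in toxic_pairs:
            if a in held and b in held:
                conflicts.append((user, (a, b)))
    return conflicts

def reviewer_breaches(admin_of, reviewer_of):
    """Flag reviews that are not independent: self-review, or the reviewer
    is the same person who administers the account being reviewed."""
    breaches = []
    for user, reviewer in sorted(reviewer_of.items()):
        if reviewer == user:
            breaches.append((user, "self-review"))
        elif reviewer == admin_of.get(user):
            breaches.append((user, "reviewer administers account"))
    return breaches

if __name__ == "__main__":
    for item in find_conflicts(ENTITLEMENTS, TOXIC_PAIRS):
        print("incompatible privileges:", item)
    for item in reviewer_breaches(ADMIN_OF, REVIEWER_OF):
        print("review not independent:", item)
```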

In addition, the report expresses concern over the lack of review of generic accounts used by technicians. Again, new provisioning technology addresses this by providing the capability for enterprises to manage the life cycle of such accounts.

The report also highlights the 'use of personnel accounts for conducting user administration through temporary assigning of administration privileges, rather than using a dedicated systems administrator account' as an additional area for review. This risky practice needs to be eliminated through effective definition and enforcement of policies. Provisioning systems cannot do much to help define the policies, but they can help to enforce them, once defined.

By employing a secure enterprise provisioning system, organisations are able to ensure that only current employees have access to systems, and that these employees have the correct account privileges. In addition, they can eliminate the risk posed by staff leaving or moving into other departments.

Michael Burling is managing director EMEA of secure enterprise provisioning company Thor Technologies, Tel: 01932 268456, E-mail: michael.burling@thortech.com