Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
A couple of thousand years ago the Roman poet Juvenal asked "Quis custodiet ipsos custodes?" That is, who will watch the watchers? In over 20 years of consulting, hand-holding, troubleshooting and securing networks, one of the questions I hear most often from business leaders is "How do I keep sensitive data from the prying eyes of the network administrators?"
The answer has always been "trust."
Now "trust" is a concept we come across almost daily in the identity management world, where we even assign degrees of trust (or degrees of reliance) to data, identity providers, credentials, tokens and other authorization tools and artifacts. But "trust" in the administrators goes back to an older, broader meaning: "Firm reliance on the integrity, ability, or character of a person or thing." There is only so much the technology can do, I always said, because someone has to be in charge of maintaining the technology, and if you maintain it, you can subvert it. This did mean that a rogue admin could subvert the entire company, though.
That concept of trust, unfortunately, can no longer be relied on in this age of regulatory compliance as the driver of identity management. It is no longer enough to believe that the administrator is trustworthy; you need to be able to demonstrate it. You also need to be aware of the problems that can occur because of unwarranted trust in your IT personnel - and others.
Consul Risk Management CTO Kris Lovejoy recently published a thought piece called "The Enemy Inside", which is a look at the threats insider attacks can pose to your enterprise as well as some basic steps you can take to mitigate potential problems. Two things really caught my eye. First, do you think you know the profile of an "inside attacker"? According to the Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center, the profile of an inside attacker shows he is generally:
* Male
* 17-60 years old
* Holds a technical position (86% chance)
* May or may not be married (50% chance)
* Racially and ethnically diverse
In other words, just about everyone in your enterprise.
The second eye-opener was the role of stupidity in security threats, according to Lovejoy:
* "Organizational stupidity: Systems administrators are highly sensitive to environmental stress (Source: CIA's personality profile of an average IT worker). If the systems administrator is overworked, mistakes will happen. Unfortunately, in the security world mistakes can have incredibly significant and negative impacts.