Comment Article

Straight Talking – ID tech tightens up compliance


By Fran Howarth, Principal Analyst, Quocirca Ltd

Organisations are using identity management systems to cut the risk of data security breaches. That's a step in the right direction but they still need a number of other measures.

Most CIOs have a list of compliance regulations as long as their arm. At the top of that list sits data protection - the single most important legal issue by a wide margin, according to a recent Quocirca survey of 250 German, UK and US executives.

No one wants to be the next TK Maxx, whose parent company TJX had more than 45 million customer records stolen by hackers. More than 60 banks around the world reported fraudulent transactions based on the stolen credit card data.

So organisations are turning to identity and access management technologies. These systems tie access to resources to the rights associated with a particular user or role.

This technology lets organisations demonstrate that effective controls have been placed on who can access valuable assets, enabling them to prove they are protecting their data and meeting the compliance mandates imposed on them.

The technology automates tasks such as resetting passwords. But, as reliance on technology continues to grow, the number of passwords that users have assigned to them has mushroomed, leading not only to insecure password management practices but also causing many headaches for helpdesks that must reset them manually - which is a cost that is entirely avoidable.

This still leaves the problem of computer users having too many passwords to remember. To solve this issue, identity and access management systems offer single sign-on, whereby users authenticate themselves at one primary interface to gain access to all resources that they have been assigned the right to use.

This can be done for all assets in an enterprise or, through use of federation standards, can be extended to applications hosted by business partners or third parties without the need for users to reauthenticate themselves when accessing each resource.

Because a user now has, theoretically, just the one user name and password combination for accessing all the resources to which they are entitled, the onus is on organisations to ensure that the initial authentication event is genuine and that it could not be an impostor who has stolen these credentials. To provide an additional layer of security, strong authentication techniques are coming into wider usage.

But even the most virtual of organisations has physical assets of some sort - and many of these assets are used to store or produce data, such as storage systems and printers.

Organisations need to ensure such devices are included in the identity management systems they put in place - for example, by requiring employees to use a personal swipe card for securing access to printers and photocopiers, which can also provide an audit trail of all actions taken.

Companies should also develop policies around use of portable storage devices such as CDs and USB memory sticks and consider using technologies to block their use so that they cannot be used to leak data out of an organisation.

There is also one further step organisations can take to make sure their security controls are watertight - they can tie physical access controls in with logical access to the corporate network. This means they can not only ensure that a person is who they say they are but also can tie identity to their physical location.

By converging physical and logical access controls, access to the computer network can be denied to all those who have failed to present
their security badge when entering the organisation's facilities.

Location-based authentication also means that access rights can be set according to the physical location of a user logging into the corporate network.

For example, a user logging in from a remote location using a VPN tunnel could be allowed to access office productivity tools but denied access to the customer relationship management system or financial records when they are not at the office.

When all access controls - logical and physical - and authentication to all types of assets are tied together in one identity management system, organisations can manage all authentication events through one centralised management system.

This provides them with the ability to report on all access and authentication events and to prove who has accessed what, when, from where and what they did with the information contained in those assets.

Because organisations are in the position to report on all events, they can prove through audits that the actions they have taken have been successful.

They can also show, therefore, through those audits that they are complying with data protection regulations - as well as satisfying the requirements of a number of other regulations with which they must comply.
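
An added example, not part of the original article: a minimal policy decision point in Python that denies on-site network logins without a prior badge-in, restricts VPN logins to office productivity tools, and records every decision for audit. The class name, resource names, location labels and the 12-hour badge validity are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: resources reachable from each login location.
ALLOWED = {
    "office": {"office_tools", "crm", "finance"},
    "vpn": {"office_tools"},
}
BADGE_MAX_AGE = timedelta(hours=12)  # assumed validity of a badge-in event


@dataclass
class Decision:
    """One audit record: who, what, from where, when, and the outcome."""
    user: str
    resource: str
    location: str
    when: datetime
    allowed: bool
    reason: str


class AccessPoint:
    """Hypothetical decision point joining physical and logical access."""

    def __init__(self):
        self.badge_in = {}  # user -> time of most recent badge-in
        self.audit = []     # every decision, allowed or denied

    def record_badge(self, user, when):
        self.badge_in[user] = when

    def request(self, user, resource, location, when):
        allowed, reason = self._evaluate(user, resource, location, when)
        decision = Decision(user, resource, location, when, allowed, reason)
        self.audit.append(decision)  # denials are logged as well
        return decision

    def _evaluate(self, user, resource, location, when):
        if location not in ALLOWED:
            return False, "unknown location"
        if location == "office":
            # On-site logins require a recent badge-in for the same user.
            seen = self.badge_in.get(user)
            if seen is None or not (timedelta(0) <= when - seen <= BADGE_MAX_AGE):
                return False, "no valid badge-in for on-site login"
        if resource not in ALLOWED[location]:
            return False, f"{resource} not permitted from {location}"
        return True, "policy match"
```

Because denied requests are appended to the same audit list as granted ones, the record answers who attempted what, when and from where, not only what succeeded.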

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of
real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist
firms.

Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com

© 2008 Quocirca Ltd http://www.quocirca.com +44 118 948 3360
