Tech Update Security
Automate access control
How tools can help
By Howard Baldwin
TechRepublic
August 19, 2002



However, while administering access manually is tedious, it has also become nearly impossible with the explosion of distributed systems, both internal and external. The situation is exacerbated when security staffers are versed in NT security but not as well versed in Oracle security.

The issue will only get worse with the implementation of online privacy regulations such as the Health Insurance Portability and Accountability Act and the financial services industry's Gramm-Leach-Bliley requirements.

And that's exactly what's spurring the slew of automated security tools.

"Doing it manually doesn't scale," said Waveset's McClain. "You need an automated way to deal with a person joining or leaving, or when you acquire a company with 5,000 more users."

That's where an 80-20 rule comes into play, he added. With the 80-20 approach, enterprises use automated software to handle 80 percent of the administrative issues, and let the IT staff handle the rest.

For example, one Waveset client, a computer manufacturer, has linked its PeopleSoft system to its Waveset identity management system, so that when the HR department adds or deletes someone, that user is automatically added or deleted from the Waveset system.
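The HR-driven add and delete flow above, together with the 80-20 split, sketched as an added example (not code from the article, Waveset or PeopleSoft). The account fields, the action names and the 20 percent feed-sanity threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user_id: str
    privileged: bool = False  # e.g. DBA or domain admin rights
    service: bool = False     # non-human account, never listed by HR

def reconcile(hr_active, accounts, max_disable_ratio=0.2):
    """Compare HR's active employee ids with identity-store accounts.

    Returns (automated, escalated): actions safe to run unattended and
    actions that need a decision from IT staff or the data owner.
    """
    active, known = set(hr_active), set(accounts)
    automated = [("provision", uid) for uid in sorted(active - known)]
    escalated = []
    orphans = sorted(known - active)  # accounts with no active HR record
    humans = [u for u in known if not accounts[u].service]
    human_orphans = [u for u in orphans if not accounts[u].service]
    # Guard: a truncated or empty HR feed must not disable the workforce.
    if humans and len(human_orphans) / len(humans) > max_disable_ratio:
        return [], [("hr_feed_suspect", uid) for uid in orphans]
    for uid in orphans:
        acct = accounts[uid]
        if acct.service:
            # HR cannot vouch for service accounts; a person must own them.
            escalated.append(("confirm_owner", uid))
        else:
            automated.append(("disable", uid))
            if acct.privileged:
                escalated.append(("review_privileged_leaver", uid))
    return automated, escalated

# Constructed sample data, not taken from the article.
ACCOUNTS = {a.user_id: a for a in [
    Account("e1001"), Account("e1002"), Account("e1003"),
    Account("e1004"), Account("e1005"), Account("e1006", privileged=True),
    Account("svc-backup", service=True),
]}
HR_ACTIVE = {"e1001", "e1002", "e1003", "e1004", "e1005", "e1007"}

if __name__ == "__main__":
    auto, manual = reconcile(HR_ACTIVE, ACCOUNTS)
    print("automated:", auto)
    print("escalated:", manual)
    print("empty feed:", reconcile(set(), ACCOUNTS))
```

Routine joiners and leavers are handled unattended, while service accounts, privileged leavers and a suspicious HR feed are routed to people.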


Another advantage to automated identity-management software is that by increasing the so-called self-service capabilities--letting users reset their passwords or letting their supervisors assign security access to files based on need--the permissions decision becomes business-based rather than IT-based. While he acknowledged that IT should always be a partner in the permissions process, McClain insisted that "the decision on permissions should be made by who owns the data, not IT."

If CIOs need more motivation for taking a granular permissions approach, consider the ounce-of-prevention argument. If a minimum number of people have access to certain databases and files, and there is a security breach, you've already limited the scope of your investigation.

"If you've set up permissions granularly," said Full Brain's Santangelo, "you can find a problem more quickly. A stricter policy will help you figure out what went wrong."

The security paradox: Granting access while maintaining control
First published on August 13, 2002
By Howard Baldwin
