Using Policy and Compliance Tools to Reduce Insider Threats

The Biggest Risk Might Surprise You

Part of the control process is to assign user risk scores. A new employee who has not been vetted has a very high risk score. Contractors are high risks, as well. Internal-user risks vary from application to application. An IT guy trying to get access to financial systems, for instance, will have a high risk level, and even if he has a legitimate need for access, the system can be set to grant him only a short window of access.

Other high-risk users are ones many organizations overlook. Power users, especially those in executive suites who access most applications, are very high risks, as are high-level IT people. “At the very least, the scoring prompts discussions,” Finney said. “You have to ask yourself just how powerful these users should be.”

This raises another problem. You have this high-risk user base out there, and there’s only so much you can do to curtail those risks. Now what? Many organizations simply monitor, audit, and try to enforce policies on a case-by-case basis. Unfortunately, this places yet another burden on overworked IT staff, turning them into traffic cops. Users are always trying to do something they shouldn’t, whether it’s clicking on a potentially dangerous link in an email message, visiting a compromised website, accessing inappropriate content, or pulling data out of applications that they shouldn’t even have access to in the first place.

This problem led the City of Miami Beach to rethink how it enforced end-user policies. “I didn’t want to be put in the position of always policing end users,” said Nelson Martinez, Jr., the city’s systems support manager. “Why not find a way to force the end user to comply with IT policy whether they think they’re complying or not?”

The City of Miami Beach turned to eEye’s integrated threat management solution to do just that. “Now, I can create a policy footprint. IT determines what users shouldn’t be able to do, what websites they can’t visit, what programs they can’t download, and eEye enforces that,” Martinez said.

Users can no longer get around policies by relying on their account rights, which is a notorious problem with Windows. Even if a user has administrator rights, the policy will still be enforced.

“After all, you can have the best security policies in the world,” Martinez said, “but if end users don’t follow them or if they can get around them, you’re in trouble.”

Jeff Vance is the president of Sandstorm Media, a writing and marketing services company that focuses on emerging technology trends. You can contact him at [email protected] or visit www.sandstormmedia.net.