Computer Associates International Inc. is addressing a serious security problem, one that is difficult to solve without automated tools, with the acquisition this week of eTrust Cleanup, a mainframe identity management system from InfoSec Inc.
The eTrust package is designed to automatically discover and remove unused, obsolete or rogue user identities that provide an opportunity for hackers to penetrate corporate or government computer systems.
Obsolete or rogue user IDs "are a huge problem because they are difficult to root out and delete," said Chris Christiansen, a security products and infrastructure analyst with International Data Corp. in Framingham, Mass.
"They represent a huge potential liability in terms of security," because many companies don't have effective policies or automated procedures in place for tracking user ID status.
Even when there were procedures in place, it was a tedious process that would greatly benefit from automation, he said.
But the security vulnerability was a more important issue than the administrative overhead involved in keeping track of user ID status, Christiansen said.
Making sure that obsolete logons are totally purged from computer systems has become a major issue for government-mandated regulatory compliance, said Ron Moritz, chief security strategist with CA in Islandia, N.Y.
Financial services companies regulated under the Gramm-Leach-Bliley Act and corporations regulated under the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act all have to show that they are fully safeguarding customer information, Moritz said.
These companies have to show through audits that they are in compliance with the information security provisions of these laws, Moritz said. But many companies would still be hard-pressed to do so, he suggested.
"Some companies have tried to build their own provisioning and de-provisioning applications," Moritz said.