Computer Associates International Inc. is addressing a serious security problem that is difficult to solve without automated tools with the acquisition this week of eTrust Cleanup, a mainframe identity management system from InfoSec Inc.
The eTrust package is designed to automatically discover and remove unused, obsolete or rogue user identities that provide an opportunity for hackers to penetrate corporate or government computer systems.
Obsolete or rogue user IDs “are a huge problem because they are difficult to root out and delete,” said Chris Christiansen, a security products and infrastructure analyst with International Data Corp. in Framingham, Mass.
“They represent a huge potential liability in terms of security,” because many companies don't have effective policies or automated procedures in place for tracking user ID status.
Even when there were procedures in place it was a tedious process that would greatly benefit from automation, he said.
But the security vulnerability was a more important issue than the administrative overhead involved in keeping track of user ID status, Christiansen said.
Making sure that obsolete logons are totally purged from computer systems has become a major issue for government-mandated regulatory compliance, said Ron Moritz, chief security strategist with CA in Islandia, N.Y.
Financial services companies regulated under the Gramm-Leach-Bliley Act, corporations regulated under the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act all have to show that they are fully safeguarding customer information, Moritz said.
These companies have to show through audits that they are in compliance with the information security provisions of these laws, Moritz said. But many companies would still be hard pressed to do so, he suggested.
“Some companies have tried to build their own provisioning and de-provisioning applications,” Moritz said.
But it is a complicated process, and experience has shown that many companies are not as effective as they should be in keeping track of user IDs for employees, contractors and consultants, he said.
A Meta Group Inc. research report indicates that most companies are remarkably ineffective when it comes to tracking down expired user IDs.
Meta Group estimates that on average employees are assigned 16 IDs to gain access to various applications during their stays.
But when they depart, only about 10 of those IDs are deleted, leaving 37.5 percent of themselves behind.
This occurs because companies don't have integrated systems for tracking all application access permissions, Moritz said.
It may be easy to track the standard access rights that are given to all employees and contractors, he said.
But typically, workers are also given one-time or continuing access to specialized applications that are beyond the standard log-on process.
They are also the ones administrators typically miss when workers move on, Moritz said.
All of those missed user IDs “could create a lot of problems for a company” if a former employee or consultant contrives a way to regain access to the system.
They might do this by asking a friend or fellow consultant still working at the company to check if a certain account is still running.
If so, it provides an opportunity for that person to access and possibly compromise data, set up fraudulent accounts and end up costing a former employer substantial amounts of money, according to Moritz.
“This is not necessarily something that is common, but it is not uncommon either,” he said.
There have been a number of such incidents in the past, and with the heightened concern about the integrity of personal records and identity theft, enterprises want to pay closer attention to user ID security, he said.
Until it acquired eTrust Cleanup from InfoSec, CA resold it as a third-party application.
It will now become part of CA's eTrust product family, which includes CA-ACF2 Security or the eTrust CA-Top Secret Security packages for the IBM z/OS mainframes.
The eTrust Cleanup acquisition “provides us with the last piece that we needed [for ID and access management], and that is the mainframe piece,” Moritz said.
The company had already implemented identity management applications on smaller-scale server platforms, he said.
The real value of having eTrust Cleanup as part of the CA security product family “is being able to have control over future development” of the product, he said.
The company will be able to more fully integrate user ID provisioning and de-provisioning so “we can administer all levels of account lifecycle from one interface,” Moritz said.