Enterprises of all types are coming under economic pressure to increase employee, customer and supplier access their telecoms and IT networks. But the extent of the resultant potential for disruption, downtime and financial loss through misuse of that access may not always be fully appreciated. And, while external online threats such as viruses and worms may be on most business managers' radar screens, internal offline ones may not.

Take personal digital assistants (PDAs) which, in many enterprises, are already everyday tools for e-mail and telephone access. According to the 'Mobile Vulnerability Survey 2004', an analysis commissioned by mobile device security specialist Pointsec Mobile Technologies in collaboration with Infosecurity Europe and Computer Business Review, two thirds of PDAs are used to store client details and corporate information, but many have no security protection. The survey findings suggests that one of the fastest and easiest ways to access corporate data is through unprotected PDAs that are lost or stolen, as they contain business names and addresses, spreadsheets and other corporate documents. The survey found that a third of users do not use password protection on their devices, leaving the information vulnerable to opportunists, hackers or competitors.

"Clearly companies are under-estimating, or are totally unaware of the amount of valuable information which is being stored on personal and business mobile devices", states Pointsec Mobile Technologies managing director Magnus Ahlberg. "Our advice is that companies should ensure that they have a mobile security policy and that all data is protected by centrally managed encryption and password protection. To do this you have to take the responsibility away from the users and make it the companies' sole responsibility".

Don't be beaten with a stick
Another device becoming commonplace in the modern enterprise is the universal serial bus (USB) memory stick. You might think that USB sticks, and other portable storage devices such as iPods and digital cameras, had little to do with enterprise security threats. You might be wrong. In July the Gartner research and analysis company published its 'How to Tackle the Threat From Portable Storage Devices' report in which it noted the growing ubiquity of USB flash drives, MP3 players and the like, and warned that giving staff free rein to use them at work could lead to serious breaches of security and loss of data. Such devices can be used both to download confidential data, and also to introduce viruses into corporate networks.

GFI, a provider of network security, content security and messaging software, points out that while enterprises are investing heavily in network anti-virus software, firewalls, e-mail and web content security, in most companies any user at the office can plug in a USB stick the size of the average keychain and put in or take out 1 Gbyte of data. "Companies are underestimating the danger of the uncontrolled use of USB sticks and removable media at work", argues Nick Galea, ceo of GFI. "Apart from the obvious issue of unauthorised exit of data, there is the problem that users can bring in dangerous viruses and Trojans".

While this danger may not be universally recognised, the number of vendors supplying USB stick/portable storage device security solutions is on the increase. GFI has recently debuted its own LANguard Portable Storage Control (P.S.C.) solution. This is designed to provide administrators with network-wide control of which users can plug in a USB or other removable storage device. In essence P.S.C. installs a small footprint agent on a user's machine. After installation, the agent queries Active Directory when a user logs on, and sets permissions to removable storage accordingly. If the user is not a member of a group that is permitted access, then access to the device/CD/floppy is denied. LANguard P.S.C. includes a remote deployment tool, allowing administrators to deploy the agent to hundreds of machines with a few keystrokes.

Who's who?
But then again, user identity management is also an enterprise security issue that may not receive the attention that it really deserves. According to Stowe Boyd, senior consultant at IT advisory firm Cutter Consortium, opening up of the enterprise to provide appropriate network resources to partners, customers suppliers and the mobile workforce can place a tremendous burden on overworked IT departments, such that the baseline issues of managing user IDs can become problematic. In a new 'Cutter Business Intelligence Report' author Boyd cites estimates that 25% of user IDs within a typical enterprise are invalid or expired. The costs of maintaining these IDs on a real-time basis are often prohibitive, leading to the prospect that ex-employees may still have access to mission-critical IT assets.

"Of course", says Boyd, "letting identities remain in force that should no longer provide valid access to critical enterprise information and applications is a serious security loophole. In addition to these security liabilities, there are problems associated with customer satisfaction: what happens when customers cannot access the information that they need on a timely and relevant basis?"

Boyd observes that, should they fail to implement and maintain appropriate digital identity management systems and processes, companies potentially face the following list of consequences, individually or in combination:

• lower end-user satisfaction rates;

• lower ROI for IT assets;

• higher administrative and development costs for IT solutions;

• exposure to financial penalties for regulatory non-compliance;

• weaker security;

• and an inability to react quickly to new customer, employee, and partner requirements.

What's the solution? "IT buyers should begin by assessing what is needed for digital identity management, and then investigate vendors' offerings across the various business processes and functions affected", reasons Boyd. "Once these individual process or functional requirements are developed, they can be coalesced into an enterprise-level set of requirements. Even when the initial rollout of a digital identity management solution is limited to a single function or business process, such as logistics or bond trading, all the enterprise requirements should be laid down".

Taking the holistic view, as Boyd notes, helps avoid making decisions that are initially based on what is needed in one function or process but that ultimately affect the entire enterprise.
John Williamson