The IAM protects you against industrial espionage
Published 10 July 2013
Do not underestimate IT attacks
Faced with increasing technological competition, manufacturers need to innovate constantly and protect their intellectual property. Protecting themselves against economic espionage is essential to securing the company's assets. The damage caused by industrial espionage in Germany has been measured in a study by the University of Lüneburg: an increase of 250 percent in just four years shows how alarming the trend is. This danger threatens not only large companies but also SMEs that produce technological innovations. A well-designed and well-implemented IAM (Identity and Access Management) system can contribute greatly to a lasting defense of a company's systems and sensitive data against these external threats. Thanks to detailed verification of identities, IAM prevents unauthorized access from inside and outside.
The risk of falling victim to industrial spies is increasing, and low economic growth is often an additional driver. By stealing critical information from competitors, industrial spies or those who hire them try to avoid the high cost of research and development; they may also enrich themselves by selling the information to a competitor. The attackers operate online, or they may entice disloyal employees with money or other privileges to steal the company's secrets. To avert such threats to the business, reliable identification of users and access control are needed, combined with auditing of all accesses and access attempts. IAM provides solutions for Identity Management, Access Management, Auditing and Reporting. In addition, the Evidian Identity & Access Manager offers further modules, for example single sign-on (SSO) and automatic rights provisioning. Its authentication methods allow different levels of connection security for systems and applications holding particularly sensitive data.
Good practice calls for identifying every person authorized to access the information system. Identity management is centralized in the IAM system. This centralization helps to define a unique identity for each user, and also to associate that identity with the user's existing accounts, and therefore to eliminate duplicate or orphaned accounts (for example, those of employees who have left the company). Stale user accounts that still carry all their access rights are a preferred entry point for spies.
A careful allocation of access rights to each identity is crucial to the quality of the protective shield against espionage. In general, the following rule applies: as many access rights to systems and applications as required, no more and no less. This approach limits the scope for attacks. Centralizing rights administration in the IAM also ensures that the allocation of individual rights or groups of rights stays up to date when organizational structures, tasks or responsibilities of employees change.
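The two preceding paragraphs describe the review an IAM system centralizes: one identity per person, accounts tied to that identity, no orphaned or stale accounts, and rights limited to what a role needs. The following is an added example (not code from the article or from Evidian's product) that reconciles a constructed HR directory against a constructed account inventory and reports orphaned accounts, leavers still holding rights, duplicate accounts and rights beyond the assumed role model.

```python
# Added example, not from the article; all data below is constructed.
# The HR directory is the authoritative identity source.
HR_DIRECTORY = {
    "E1001": {"name": "Alice Martin", "status": "active", "role": "engineer"},
    "E1002": {"name": "Bob Keller", "status": "left", "role": "engineer"},
    "E1003": {"name": "Carla Ruiz", "status": "active", "role": "sales"},
}

# Constructed account inventory collected from two systems ("plm" and "erp").
ACCOUNTS = [
    {"system": "plm", "login": "amartin", "employee_id": "E1001", "rights": {"read_cad"}},
    {"system": "plm", "login": "alice2", "employee_id": "E1001", "rights": {"read_cad"}},
    {"system": "erp", "login": "alice.m", "employee_id": "E1001", "rights": {"read_orders"}},
    {"system": "plm", "login": "bkeller", "employee_id": "E1002", "rights": {"read_cad", "export_cad"}},
    {"system": "erp", "login": "svc_old", "employee_id": None, "rights": {"admin"}},
    {"system": "plm", "login": "cruiz", "employee_id": "E1003", "rights": {"read_cad"}},
]

# Assumed role model: the rights each role legitimately needs, no more.
ROLE_RIGHTS = {"engineer": {"read_cad", "read_orders"}, "sales": {"read_orders"}}


def reconcile(directory, accounts, role_rights=ROLE_RIGHTS):
    """Return the findings an IAM review would raise for this inventory."""
    findings = {"orphaned": [], "departed": [], "duplicates": [], "excess_rights": []}
    seen = set()
    for acct in accounts:
        key = f"{acct['system']}/{acct['login']}"
        ident = directory.get(acct["employee_id"]) if acct["employee_id"] else None
        if ident is None:
            findings["orphaned"].append(key)       # no identity behind the account
            continue
        if ident["status"] != "active":
            findings["departed"].append(key)       # leaver still holding rights
            continue
        pair = (acct["system"], acct["employee_id"])
        if pair in seen:
            findings["duplicates"].append(key)     # second account, same person, same system
        seen.add(pair)
        excess = acct["rights"] - role_rights.get(ident["role"], set())
        if excess:
            findings["excess_rights"].append((key, sorted(excess)))
    return findings


if __name__ == "__main__":
    for category, items in reconcile(HR_DIRECTORY, ACCOUNTS).items():
        print(f"{category}: {items}")
```

Each finding maps to a cleanup action: disable the orphaned and departed accounts, merge the duplicate, and trim the excess right back to the role.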
The key role of IAM
The Predykot project clarifies the strategic role of identity and access management developed in a modular way. Predykot is an official European research project (ITEA-2) led by Evidian. It aims to drive security policy management from business processes and their related data, and to adapt security policies dynamically to each change in business processes. Businesses and organizations should thereby be able to move to the next level of Governance, Risk Management and Compliance. To achieve this ambitious goal, several major European manufacturers and players in the security field have joined forces in Predykot under Evidian's direction. Innovations developed in the project are also intended to be fed into the standardization process.
The combination of SSO with IAM contributes to the protection against industrial espionage: in the background, the authentication means (usually the user ID and password) are linked to the employee's access rights. This automation has the advantage that employees no longer need to remember countless passwords, one for each system and application. Password cheat sheets (which are still coveted by data spies) become unnecessary. SSO has another advantage in the company's defense against espionage: with this automation, defined workflows can be triggered, for example to quickly provision user accounts with the corresponding system and application rights. The assignment of existing access rights is therefore quick, and incorrect manual assignments of rights are ruled out. Otherwise, both obsolete and incorrect rights assignments can be misused by spies.
Moreover, SSO makes it possible to secure authentication for access to systems and applications with sensitive data through strict procedures such as tokens, smart cards with certificates or biometrics. Otherwise, a spy who knows a user's username and password combination would automatically have access to all systems and applications for which that employee is authorized. If login processes from inside and outside are secured by strong authentication, industrial spies have no chance of forcing access with employees' identities and permissions in order to obtain sensitive data.
However, none of this helps the company protect itself from malicious employees who work on behalf of industrial spies and who have access to strategic or competitive information stored in systems and applications. In this case, it is legitimate users who copy data they are apparently entitled to access and then pass it on to others. Here the Audit and Reporting tools integrated into the IAM become all the more important. They give the company the means to record, evaluate and cross-reference all employees' accesses from a central point. The toolkit also makes it possible to record, analyze and prevent atypical copy operations in certain target applications. If application access is further differentiated by attributes, such as access to particular contents or documents, the chances of employees copying and transmitting sensitive information are reduced. If Audit and Reporting extend down to the level of contents and documents, unauthorized access attempts are also recorded automatically and retained so that the employee concerned can be asked for an explanation.
Auditing and Reporting are particularly important for controlling administrators. Given their field of activity, they hold extended access rights to systems and applications and are the favorite prey of industrial spies. It is essential for the company to record, evaluate and cross-reference flawlessly everything the administrators do. Only under this condition can access and unusual behavior be tracked and any espionage attack detected. In addition, before administration and access rights are allocated, it is necessary to verify precisely which permissions are actually required for administering systems and applications, and which are unnecessary.
Many companies set up a more or less pronounced hierarchy for their IT administrators, which provides a certain level of security by restricting authorizations and enabling mutual control. In this arrangement, the super administrator sits at the head of the hierarchy and must be checked in detail by the Auditing and Reporting functions of the IAM.
Automatic provisioning of rights should never be underestimated as a defense against industrial espionage. With the IAM module, rights request and authorization processes governed by workflows can be designed and implemented. Through these processes, it is easy to see who has requested access rights and special administrative rights, and who authorized those requests. Every allocation of rights in the company becomes visible at the central level, making it possible to detect possible attacks by employees immediately. Where sensitive data might be the target of attacks, it is recommended to secure the authorization to grant rights with multiple validations performed by several people. That way, no single person can grant a permission without one or more others being informed.
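The workflow just described, as an added example (not code from the article or from Evidian's product): a rights request that records who asked and who approved, rejects approval by the requester or the beneficiary, and, under an assumed policy, requires two distinct approvers for rights classified as sensitive before anything is granted.

```python
# Added example, not from the article; the policy and names are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: these rights are sensitive and need two distinct approvers.
SENSITIVE_RIGHTS = {"plm_admin", "export_cad"}


class WorkflowError(Exception):
    pass


@dataclass
class RightsRequest:
    requester: str          # who asked for the right
    subject: str            # who will receive it (may equal requester)
    right: str
    approvals: list = field(default_factory=list)
    granted: bool = False

    def required_approvals(self):
        return 2 if self.right in SENSITIVE_RIGHTS else 1


@dataclass
class Workflow:
    audit_log: list = field(default_factory=list)   # central record of every step

    def _log(self, event, req, actor):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                               "actor": actor, "subject": req.subject, "right": req.right})

    def request(self, requester, subject, right):
        req = RightsRequest(requester, subject, right)
        self._log("requested", req, requester)
        return req

    def approve(self, req, approver):
        """Record an approval; return True once enough distinct approvers have signed off."""
        # Separation of duties: neither the requester nor the beneficiary may approve,
        # and each approver counts only once.
        if approver in (req.requester, req.subject):
            self._log("approval_rejected", req, approver)
            raise WorkflowError(f"{approver} may not approve a request they made or benefit from")
        if approver in req.approvals:
            raise WorkflowError(f"{approver} has already approved this request")
        req.approvals.append(approver)
        self._log("approved", req, approver)
        if len(req.approvals) >= req.required_approvals():
            req.granted = True
            self._log("granted", req, "system")
        return req.granted
```

The audit log answers the two questions the paragraph raises, who requested a right and who authorized it, and the rejected-approval entries are the events worth alerting on.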
For market and technology experts there is no doubt: IAM and its integrated modules provide invaluable services in the defense against industrial espionage. Well thought out and implemented, IAM becomes a defense system that employees can adapt freely in accordance with the security policy. At the same time, the company uses IAM to ensure access control at a strategic level that is easy to govern, which also gives it greater transparency in terms of IT security, governance and compliance.
Article adapted from an interview in German with Erwin Schöndlinger (Director, Evidian Germany) that appeared on www.datakontext.com.