If you got a Starbucks gift card, you’d better use it before your local high-octane java store closes. Under pressure from sagging earnings, the premium coffeehouse earlier this week announced that it would close 300 stores and lay off more than 7,000 workers.
Starbucks isn’t alone in shedding workers. Microsoft, Boeing, AstraZeneca, Sprint and Home Depot are among the household-name companies to slash thousands of jobs this week alone. Since the beginning of the year, U.S. companies have cut more than 125,000 jobs. In 2008, companies large and small eliminated more than 2.1 million jobs – the most since the dot-com bust in 2001.
Regardless of industry or size, all companies reducing their work forces share something in common—all of their employees have some level of access to networks or applications. Every time an employee is let go, a company increases their risk exposure if they don’t handle identity management. According to a new study by security vendor McAfee of 1,000 IT decision makers, 41 percent said employee layoffs resulting from the recession represent the greatest threat to their computer security. That figure outpaces those who believe outside intruders (36 percent) as the greatest threat.
Employees and contractors are among the most trusted users accessing networks and applications, since they need reasonable levels of access to perform their jobs. Organizations often over-extend their zones of trust to employees since they have a natural inclination to entrust them with privileges until their services are no longer needed or they do something to violate that trust.
For large companies executing mass layoffs—such as the 21,000-plus companies last year did—identity management is a major issue, says Brian Wolfe, co-founder and partner at Laurus Technologies, a solution provider in Itasca, Ill., that—among other things—specializes in security and identity management implementations.
“If you have large layoffs and you don’t have a provisioning system, and you’re going to revoke accounts manually, mistakes will be made,” Wolfe said.
Good identity management platforms—such as those offered by RSA Security, IBM, Courion and BMC Software—are more than just access control and single sign-on (SSO) applications. They create and provision accounts across networks and a broad array of applications based on employees’ specific job functions (role-based) or through group policies, manage accounts through the lifecycle of an account holder’s employment and, when necessary, ensure access rights are properly and thoroughly revoked when the person leaves—voluntary or involuntary—the organization.
Identity management remains one of those tricky issues that companies large and small grapple with because of its complexity. Such platforms as those described above are designed for organizations with 5,000 employees or more—the General Motors, Walmarts and Pfizers of the world. And it’s large organizations that need solid, well-architected and well-provisioned identity management platforms during economic hard times and reductions in force. Laurus Technologies service a number of enterprise’s identity management needs, and Wolfe says most are reaping the benefits of their investments now that they have to cut their labor forces.
“For companies we’ve done implementations for, they’re able to bulk operations; they have a pretty easy time of disposing of a large number of accounts,” Wolfe says.
The trouble is many companies don’t have a handle on their identity management situation. It’s not an uncommon occurrence for a network administrator to discover orphaned accounts that belonged to employees that have long since left the company. The situation is critical during a layoff or reduction in force, since an organization needs immediate revocation of network and application privileges to prevent pilfering of data and sabotage of systems.
Security experts will advise companies to tighten their security policies and ensure end point and network configurations are set to prevent actions such as downloading data to a USB flash drive or high-capacity iPod. Security practitioners and experts, such as Wolfe, argue that identity management goes a long way in preventing internal security compromises, since a user cannot access and download data if they don’t have access to the system in the first place.
Waiting to install or upgrade an identity management system after a layoff won’t necessarily prevent a security breach but could help clean up records and find orphan accounts. And that creates an opportunity for solution providers to help their clients lock down their networks and tighten access controls.
“If they’re going to do a [reduction in force, and they don’t have automated identity management, it’s already too late,” Wolfe says. “But provisioning a system and doing reconciliation will find those inactive accounts and close them. You can get a large ROI right out of the gate.”
Not every organization needs a heavyweight identity management system, and organizations with fewer than 5,000 employees often can operate with access control and provisioning systems that reside in local networks and applications. What small enterprise and SMB organizations need is better process and change management policies, and tools such as log management, security information management and post-event analysis tools to detect and remediate the cause of compromises.
Additionally, end point security and data loss prevention technologies—such as those offered by Symantec, McAfee, Websense, Check Point and Microsoft, among others—will help access, misuse and improper transmission of data.