If someone eavesdrops on a company’s communications, the company loses more than just information. It also loses the trust of its customers. If an employee manipulates company data – on purpose or by accident – the integrity of the data can no longer be guaranteed. If IT fails in security, management has to deal with the loss of integrity, authenticity, availability, and trustworthiness. That’s why legal requirements (like the Sarbanes-Oxley Act) demand that a company implement comprehensive risk management systems and continuously monitor risk.
But how can a company protect itself effectively from attacks? How does it regulate internal access to its data? Risks arising from attacks and misuse can be reduced by encrypting data and communications in combination with a well thought-out strategy for identity and risk management. When a company combines role and authorization concepts with authentication, single sign-on, the encryption of digital documents, and digital signatures, it creates a successful trio of guardians for enterprise security.
Every employee plays a role
A purchasing agent must calculate prices and query current inventory levels, delivery dates, and orders. But an employee in the warehouse needs only to view customer data and enter orders. An accountant needs different data than an employee who works in logistics. That’s why it’s important for a company to have a security concept that gives employees exactly the roles and authorizations that correspond to their functions and tasks: segregation of duties. A company can also freely define the type of access. The bandwidth of rights includes viewing, creating, changing, and deleting data and content. This approach can implement and realize user roles and rights according to a companywide security policy – and the first step toward enterprise security has been taken.
Reducing administrative effort
The reciprocal dependence of IT and business processes is not to be underestimated: changes to business processes affect IT and vice versa. For example, consider the situation that develops when one company acquires another. It would take far too much effort to maintain all the new user profiles and rights manually. If the acquisition affects employee information (HR data) in meta directories, solutions for customer management, or directory services, ideally an identity management solution should maintain the data.
Of course, user data must be regularly maintained during ongoing operations – when employees leave a department or when areas of responsibility change. An identity management system also simplifies these day-to-day tasks. Because the changes are linked to employee information in HR systems, the meta directories, and the directory services, they automatically trigger changes to access authorizations. Compared with the manual administration of user rights, access data, and passwords, an identity management solution requires significantly less effort. Yet security managers, business managers, auditors, and help desk employees can still create and change user rights manually. This feature is helpful, for example, when creating teams with special access rights for a specific project for a limited time.
Two factors for security
The second element of the security trio is strong authentication, which many identity management systems implement with single sign-on. First, logging on with a smartcard or a security token and a PIN is much more secure than the traditional method of using a user name and password. Smartcards and security keys are a stronger defense against counterfeiting than simply using passwords. Second, this type of two-factor authentication is more comfortable for users because they only have to authenticate themselves once.
With a digital certificate and the corresponding private key, users are automatically logged on to all SAP applications – without having to enter more authentication data. The hardware and the related operating systems are especially embedded in the security token. It’s impossible for an unauthorized party to read all of parts of the private key from the token.
Digital signatures – no opportunity for manipulation
In addition to a role concept and authentication, it’s helpful to secure the data and documents themselves. That’s where encryption and digital signatures come into play, completing the security package. Encryption hinders unauthorized access to data – within a company or beyond its borders. A digital signature also protects a document from manipulation – and the identity of the sender is always transparent.
Digital signatures also improve workflow. Many departments still handle files, invoices, vacation requests, and similar documents that require a legally valid signature with paper forms. But when some documents exist electronically and others on paper, media breaks result. A legally binding digital certificate can avoid media breaks and simultaneously reduce the time and effort needed for processing because paper no longer needs to move through a department manually. Instead, everyone involved in the process can access a document electronically.
Data is properly considered to be a company asset. Protecting it is therefore a core precondition for commercial dealings. And legal requirements make such protection increasingly important, making identity management a core topic of IT security. Analysts and experts – like those at Gartner – regard it as one of the most important IT topics in the coming years.