Courion Automates Computer Access To Keep Data Where It’s Supposed to Be

January, 2008: French bank Societe Generale discloses that it has lost $7.1 billion, thanks to unauthorized trading by a single employee, Jerome Kerviel, who apparently breached various controls on access to the bank’s computer systems.

March, 2008: UCLA Medical Center fires 13 workers and disciplines a dozen others for snooping in the confidential medical files of celebrity patients including Britney Spears, Farrah Fawcett, and Maria Shriver.

April, 2008: Financial comparison shopping site LendingTree discloses that several former employees gave mortgage lenders passwords they needed to access confidential loan-request data from LendingTree customers.

May, 2008: Walter Reed Army Hospital discloses that personal information for 1,000 former patients may have been breached by someone using a peer-to-peer file sharing program on a hospital computer.

July 9, 2008 (yesterday): The Washington Post reveals that Supreme Court Justice Stephen Breyer and about 2,000 other clients of a McLean, VA, investment firm had their names, birthdates, and social security numbers exposed to the open Internet by an employee using the LimeWire peer-to-peer file sharing program on a company computer.

Hackers aren’t the only threat to computer-system security and confidentiality rules, many security professionals say. The common elements in each of these recent, high-profile data breaches were rogue insiders with inappropriate levels of access to their organizations’ IT systems. And while you might think it would be easy to control who gets access to these systems—the LendingTree debacle, for example, could have been avoided if the company had simply invalidated the former employees’ passwords when they left the company—the reality is that many big organizations are overwhelmed by the problem of managing their employees’ network access.

Or so says Kurt Johnson, vice president of corporate development for Courion, a company in Framingham, MA, whose “identity management” software helps large organizations automate the once labor-intensive task of administering thousands of computer accounts. “You want to make sure that information gets into the hands of the individuals who need it, but there have to be controls and security over who should get access. You can’t have one without the other,” says Johnson. “Courion’s goal is to enable organizations to increase security with tighter controls—but without requiring more bodies to do the administration.”

The privately held company, which has 130 employees spread across offices in Massachusetts, Georgia, Texas, California, New York, and the U.K., offers a menu of software products—upgraded just two weeks ago—that can be matched to an organization’s specific needs. PasswordCourier—the product that helped to launch the company in 1996—is a basic self-service password management system that helps employees who have forgotten their passwords to obtain a new one after a brief, online challenge-and-response session. ProfileCourier allows users to set up the authentication questions used in these sessions—for example, “the name of your favorite childhood pet.” AccountCourier automates the creation and deletion of user accounts; it knows, for example, that ex-employees should have their passwords revoked. CertificateCourier manages the public-key-encrypted digital certificates that many companies use to manage access to internal websites and applications, and ComplianceCourier lets managers quickly review who is using which corporate applications and purge users who’ve been granted improper access. (In that last area, Courion’s product overlaps with those from Ecora, a Portsmouth, NH startup that makes software for tracking and auditing configuration changes in corporate IT systems.)

The company’s newest product, RoleCourier, automates the whole process further by letting organizations define standard job roles that involve access to a predefined set of applications or networks. New collections specialists in a big corporation’s finance department, for example, might be

Author: Wade Roush
