January, 2008: French bank Societe Generale discloses that it has lost $7.1 billion, thanks to unauthorized trading by a single employee, Jerome Kerviel, who apparently breached various controls on access to the bank’s computer systems.
March, 2008: UCLA Medical Center fires 13 workers and disciplines a dozen others for snooping in the confidential medical files of celebrity patients including Britney Spears, Farah Fawcett, and Maria Shriver.
April, 2008: Financial comparison shopping site LendingTree discloses that several former employees gave mortgage lenders passwords they needed to access confidential loan-request data from LendingTree customers.
May, 2008: Walter Reed Army Hospital discloses that personal information for 1,000 former patients may have been breached by someone using a peer-to-peer file sharing program on a hospital computer.
July 9, 2008 (yesterday): The Washington Post reveals that Supreme Court Justice Stephen Breyer and about 2,000 other clients of a McLean, VA, investment firm had their names, birthdates, and social security numbers exposed to the open Internet by an employee using the LimeWire peer-to-peer file sharing program on a company computer.
Hackers aren’t the only threat to computer-system security and confidentiality rules, many security professionals say. The common elements in each of these recent, high-profile data breaches were rogue insiders with inappropriate levels of access to their organizations’ IT systems. And while you might think it would be easy to control who gets access to these systems—the LendingTree debacle, for example, could have been avoided if the company had simply invalidated the former employees’ passwords when they left the company—the reality is that many big organizations are overwhelmed by the problem of managing their employees’ network access.
Or so says Kurt Johnson, vice president of corporate development for Courion, a company in Framingham, MA, whose “identity management” software helps large organizations automate the once labor-intensive task of administering thousands of computer accounts. “You want to make sure that information gets into the hands of the individuals who need it, but there have to be controls and security over who should get access. You can’t have one without the other,” says Johnson. “Courion’s goal is to enable organizations to increase security with tighter controls—but without requiring more bodies to do the administration.”
The privately held company, which has 130 employees spread across offices in Massachusetts, Georgia, Texas, California, New York, and the U.K., offers a menu of software products—upgraded just two weeks ago—that can be matched to an organization’s specific needs. PasswordCourier—the product that helped to launch the company in 1996—is a basic self-service password management system that helps employees who have forgotten their passwords to obtain a new one after a brief, online challenge-and-response session. ProfileCourier allows users to set up the authentication questions used in these sessions—for example, “the name of your favorite childhood pet.” AccountCourier automates the creation and deletion of user accounts; it knows, for example, that ex-employees should have their passwords revoked. CertificateCourier manages the public-key-encrypted digital certificates that many companies use to manage access to internal websites and applications, and ComplianceCourier lets managers quickly review who is using which corporate applications and purge users who’ve been granted improper access. (In that last area, Courion’s product overlaps with those from Ecora, a Portsmouth, NH, startup that makes software for tracking and auditing configuration changes in corporate IT systems.)
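The two controls the article keeps returning to, revoking accounts when people leave (the LendingTree case) and reviewing who holds access beyond what their job needs, reduce to a reconciliation between an HR roster, a role catalogue, and an export of active application accounts. The script below is an added illustration of that reconciliation, not Courion's code or a description of how its products are built; the roster, role-to-application mapping, and account list are constructed sample data.

```python
"""Added example: a minimal access-review pass over constructed sample data.

Given an HR roster (who is currently employed and in which role), a role
catalogue (which applications each role is entitled to), and an export of
active application accounts, report the two kinds of findings the article
describes:

  * orphaned accounts: still active although the owner has left or is
    unknown to HR, and
  * excess entitlements: active on an application the owner's role does
    not include.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    reason: str


# Constructed sample data (hypothetical, not from the article).
HR_ROSTER = {
    "alice": {"status": "active", "role": "collections_specialist"},
    "bob":   {"status": "terminated", "role": "collections_specialist"},
    "carol": {"status": "active", "role": "loan_officer"},
}

# Role catalogue: the applications each standard job role is entitled to.
ROLE_ENTITLEMENTS = {
    "collections_specialist": {"crm", "billing"},
    "loan_officer": {"crm", "loan_requests"},
}

# Export of active accounts as (user, application) pairs.
ACTIVE_ACCOUNTS = [
    ("alice", "crm"),
    ("alice", "billing"),
    ("bob", "crm"),             # bob has left: orphaned account
    ("carol", "crm"),
    ("carol", "billing"),       # not in loan_officer role: excess entitlement
    ("dave", "loan_requests"),  # no HR record at all
]


def review_access(roster, entitlements, accounts):
    """Compare every active account against HR status and role entitlements."""
    findings = []
    for user, app in accounts:
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, app, "no HR record"))
            continue
        if record["status"] != "active":
            findings.append(Finding(user, app, "owner terminated"))
            continue
        allowed = entitlements.get(record["role"], set())
        if app not in allowed:
            findings.append(Finding(user, app, f"not in role {record['role']}"))
    return findings


def accounts_to_disable(findings):
    """Accounts whose owner is gone or unknown are disabled outright; excess
    entitlements are routed to the owner's manager for review instead."""
    return sorted(
        {(f.user, f.app) for f in findings
         if f.reason in ("owner terminated", "no HR record")}
    )


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ROLE_ENTITLEMENTS, ACTIVE_ACCOUNTS)
    for f in results:
        print(f"{f.user:6} {f.app:14} {f.reason}")
    print("disable:", accounts_to_disable(results))
```

The useful property of running this on a schedule rather than relying on a manual off-boarding step is that it catches the account the off-boarding process missed, and it separates the unambiguous action (disable an account with no living owner) from the judgment call (a manager confirming whether an extra entitlement is a legitimate exception).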
The company’s newest product, RoleCourier, automates the whole process further by letting organizations define standard job roles that involve access to a predefined set of applications or networks. New collections specialists in a big corporation’s finance department, for example, might be