Many business leaders I speak with are now greatly concerned about compliance with data protection laws and regulations, which is certainly prudent. However, when I dig into the details of their compliance plans and activities, I often find that most of the effort and budget goes toward firewall and perimeter protection initiatives, with a growing number of encryption deployments.
These are definitely important! But when I ask about any plans they have for improving their authentication methods, a large number, with perhaps the exception of the online banks, say something similar to, “Oh, we are comfortable with our current authentication solution; our passwords must be strong, and must change every 90 days. And we have not experienced any problems with our access control systems. So, we should already be in compliance with these types of legal requirements.” But will single-factor, reusable passwords continue to be an acceptable practice for authenticating enterprise users as incidents occur ever more frequently?
Similarly, when I ask about plans for improving access control methods, many business leaders have a response similar to, “Our access controls are based upon departmental responsibility and manager oversight. We have used this method for several years. It seems to work fine, and we have trust in our managers’ capabilities.” Will the old way of establishing and managing access controls still be acceptable as the insider threat continues to negatively impact businesses and their customers? Will these practices pass muster with regulatory oversight agencies that check for compliance?
I just posted a paper exploring these issues, “How Access Management Compliance Supports Good Business.”
Agree? Disagree? Let me know what you think!
Tags: access control, authentication, awareness and training, Information Security, IT compliance, policies and procedures, privacy, regulatory compliance, risk management