Issues in Compliance for Instant Messaging
Compliance is always a major concern, especially as attacks and data breaches increase. It is important to understand the industry and regulatory requirements that must be enforced within your corporation and security environment. One area that experts are beginning to see as an issue is instant messaging (IM). It is a communication method that is hard to regulate and record, which could pose problems for industries with strict compliance standards.
In a recent article, “Instant Messaging and Compliance Issues: What You need To Know”, Dmitry Shapiro, CTO at Akonix Systems, Inc., discusses the issues that are becoming ever present with IM. The main issue is the sheer volume of users on these IM systems, totaling in the 100s of millions. On top of that come the systems IT managers fear most: the public IM systems, such as AOL Instant Messenger and Yahoo Messenger.
Although IM is a functional communication tool, several key areas raise compliance concerns:
- Record Retention
- Information Security
- Theft
- Copyright Infringement
These issues keep growing with the number of users and the amount of information on these systems. With public IM services, the control a manager would have over an internal system is taken away. Auditing, logging, and deleting records all become problems when the manager cannot oversee the whole system and the web of IMs being created.
Without compliance and monitoring, one thing is apparent: risk will increase. Shapiro says that the main issues to watch for are:
- Organization of records
- Retention of records
- Tamper-Proof Records
- Record Retrieval
- Off-Site Copies
And many more…
With acts such as the Sarbanes-Oxley Act, HIPAA, and GLBA, the ability to control, monitor, protect, and delete records is essential. These regulations are going to require IT managers to remain compliant and come up with ways to monitor their users' IM behavior. If this is not done, IM will be a strong source of theft and cybercrime.
Access Control: More Critical in Today’s High Risk Environments
There are too many opportunities available in large organizations for people to try to gain unauthorized access to networks and databases. With the downturn in the economy prompting layoffs, downsizing and consolidation, companies are seeing an increase in the incidence of insider hacking. The insider threat is the hardest to detect, yet it poses the greatest risk to data security and regulatory compliance. Numerous user authentication actions, such as using expired and weak passwords, making password changes, and striking out, could signal a security risk. Some of these events may require immediate attention if the security of the enterprise could be compromised.
Controlling access is a critical requirement for protecting customer and financial data, and even more imperative for safeguarding corporate assets during these difficult times. The news last year that a Countrywide employee with access to sensitive data had been arrested for taking 2 million names and personal information from the mortgage bank and selling them for a profit demonstrates the potential impact of a single insider and the need to have controls and monitoring in place. Clearly, even authorized users can misuse data or handle information in unauthorized ways.
With an authentication solution that can manage and monitor user login activity, organizations can achieve greater access control and gain a vital tool for learning where security risks may lie. Auditing may be considered a subset of security, but we cannot overstate its value for the larger enterprise that oversees tens of thousands of users at multiple levels (both internal and external) and with access rights of varying degrees. With access control and auditing capabilities, an organization can significantly reduce the risk of insider hacking events, generate greater security administration efficiencies and reduce auditing and compliance costs. In terms of what it can save in potential costs due to intrusions and unauthorized access to and handling of sensitive data, access control can provide a tremendous return on investment.
Strengthening Authentication to Adapt to Changing Circumstances
The growing number of enterprise applications, an increasing need for globally-based users to access systems, and employees working 24/7 in remote locations have created the security challenges that IT administrators are seeing in today’s corporate environment:
- Ensuring only authorized individuals have access to specific data and systems
- Diminishing the risk of data exposure and network attacks
- Corporate mandates to employ security best practices
- Increased government and industry standards for data and IT security
- Multiple passwords for end-users to remember (and forget or lose)
- Increased number of unique password stores and sets of password policies to manage
Securing the authentication process is a major step toward securing the enterprise; however, you want to ensure the process maintains end-user productivity, avoids increasing Help Desk calls, and incorporates best practices such as stronger authentication, login restrictions and password security rules. So, what would be the right solution for securing authentication? The “right solution” should possess the following characteristics:
- Appropriateness for the level of risk posed by your IT environment;
- Scalability to accommodate growth;
- Interoperability with existing systems and future plans;
- Auditing and reporting capabilities; and
- Adequacy in light of changing risks, such as the evolving sophistication of compromise techniques.
We’ll have more on this subject in later posts, but please tell us if there are any characteristics that should be added to this list.

