Pay Attention to Identity and Access Management
Written by Jim Bourke CPA.CITP   
Monday, 21 September 2009 02:14

Each year the American Institute of Certified Public Accountants (AICPA) releases the results of its Top Technologies Initiative survey. When it comes to Identity and Access Management, the message is loud and clear: those in the know about technology and our profession once again ranked Identity and Access Management in the Top Ten.

Filling the number seven spot, Identity and Access Management was defined as “the implementation of physical, technical, and administrative controls that limit access to company resources to authorized persons. A challenge exists with achieving easy access by authorized users while making resources inaccessible to unauthorized users.”

No industry has gone untouched by this issue. Whether you are a large financial institution debating new ways to verify customers who access their accounts via ATM or the Internet, or an IT director trying to safeguard your customers’ private and confidential data, the challenge is the same: staying one step ahead of the curve to prevent unauthorized access.

Should you be concerned about the vulnerability of a breach in your existing identity and access management system?

Absolutely…Yes!

If your employees are like most, you can be assured that they have created one or more access identities based on convenience rather than on security or privacy. Most individuals build passwords from publicly available information such as their initials, phone number, the name of their first-born or their mother’s maiden name. Attackers break such passwords with a dictionary attack or with brute force. A dictionary attack tries words from a wordlist, usually with a few cheap variations applied to each one: a digit or a year added at the beginning or the end, and changes of capitalization. Brute force needs no wordlist at all; it simply tries every combination of letters, numbers and special characters up to a given length. Its cost grows exponentially with both the length of the password and the size of the character set, which is why a mixed-character password of eight or more characters resists it while a six-letter word with a digit on the end does not. Both attacks are normally run offline against a stolen copy of the password hashes, so the password itself is the only thing standing between the attacker and the account. To test your own password and see how many days, hours or even minutes it could take to break on a simple computer, check out the calculator on www.hackosis.com
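To make the difference between the two attacks concrete, here is an added Python example (it is not code from the article or from the calculator it links to). It runs a dictionary attack with the mangling rules described above against a constructed victim password hashed with unsalted SHA-256, runs a raw brute-force search over a tiny alphabet, and then computes how large the brute-force keyspace becomes once length and character set grow. The wordlist, the victim password and the assumed guess rate of one billion hashes per second are all illustrative assumptions.

```python
"""Dictionary attack with simple mangling rules versus raw brute force."""
import hashlib
import itertools
import string

# Constructed stand-in for a real dictionary (a real attack uses millions of words).
WORDLIST = ["summer", "password", "jennifer", "fluffy", "newark"]

# Character set brute force must cover once letters, digits and specials are allowed.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def sha256_hex(text):
    """Unsalted SHA-256, standing in for whatever hash the stolen database used."""
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word):
    """Yield the variants a dictionary attack tries for one base word:
    the word itself, a digit appended or prepended, and a recent year appended,
    each in lower, capitalised and upper case."""
    for w in (word, word.capitalize(), word.upper()):
        yield w
        for digit in "0123456789":
            yield w + digit          # summer1
            yield digit + w          # 1summer
        for year in range(1990, 2010):
            yield w + str(year)      # summer2009


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Return (password, guesses_used) if a mangled wordlist entry matches,
    otherwise (None, guesses_used)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force(target_hash, alphabet, max_len):
    """Try every string over `alphabet` up to `max_len` characters, shortest first."""
    guesses = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(length, alphabet):
    """Candidates brute force must cover for passwords of exactly `length` over `alphabet`."""
    return len(alphabet) ** length


def days_to_exhaust(length, alphabet, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return keyspace(length, alphabet) / guesses_per_second / 86400


if __name__ == "__main__":
    # Constructed victim password: a dictionary word with a digit on the end.
    stolen = sha256_hex("summer1")
    print(dictionary_attack(stolen))                                   # ('summer1', 4)
    print(brute_force(sha256_hex("ab"), string.ascii_lowercase, 2))    # ('ab', 28)
    rate = 1e9   # assumed: roughly one billion SHA-256 guesses per second on one GPU
    print(days_to_exhaust(6, string.ascii_lowercase, rate))            # well under a second
    print(days_to_exhaust(8, PRINTABLE, rate))                         # about 71 days
```

The victim password falls on the fourth guess because the first wordlist entry plus a trailing digit is exactly the kind of "convenience" password the article describes. Note that the keyspace figure is a worst case for a single machine at the assumed rate; a real attacker with more hardware, or a weaker hash than SHA-256, does proportionally better, so treat the number as a floor on the length and variety you need, not a guarantee.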

What can you do to help protect access to private and confidential data?
If you must use passwords, educate your end users on the importance of strong passwords. Passwords need to be unique, and that means a different password for each application. Too many people reuse the same password everywhere. Just think about the ramifications if cracking one password gave an individual access to every application and data file within your system.

Some generally accepted rules of thumb for creating strong passwords:
•    They need to contain special characters such as @#$%^&
•    They must be at least eight characters long
•    They must not contain common sequences or words such as 123, password, your birth date, your login name, or any word that can be found in the dictionary
•    They need a mix of capital and lowercase letters
If you want to test your password, try the strength test at www.passwordmeter.com. The goal is to create a password that has a “very strong” complexity.
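As an added example (not the article's code, and not what the linked strength meter runs), the following Python function turns the four rules of thumb above into a check that reports every rule a candidate password breaks. The dictionary is a small constructed list; a real deployment would load a full wordlist and a list of passwords seen in breaches, and would run the check on the server at password-change time so that users cannot bypass it. The treatment of birth dates (full digits, year, month-day and day-month) is an assumption about what an attacker would try, not a rule from the article.

```python
"""Password policy check implementing the rules of thumb listed above."""
import re
import string

# Any punctuation counts as a special character, including the article's @#$%^&.
SPECIALS = set(string.punctuation)

# Constructed mini dictionary; a real check loads a full wordlist plus a breached-password list.
COMMON_WORDS = ["password", "123", "qwerty", "letmein", "welcome", "summer", "jennifer"]


def birth_date_fragments(birth_date):
    """Digit runs an attacker would try from a date such as '1975-04-12':
    the full date, the year, month-day and day-month. Other formats are used whole."""
    d = re.sub(r"\D", "", birth_date)
    if len(d) != 8:
        return [d] if d else []
    return [d, d[:4], d[4:], d[6:] + d[4:6]]


def check_password(password, login_name="", birth_date=""):
    """Return the list of rules the password violates; an empty list means it passes."""
    failures = []
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    if len(password) < 8:
        failures.append("shorter than eight characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        failures.append("no mix of capital and lowercase letters")
    lowered = password.lower()
    for word in COMMON_WORDS:          # substring match, so 'Password1' still fails
        if word in lowered:
            failures.append("contains common word '%s'" % word)
    if login_name and login_name.lower() in lowered:
        failures.append("contains login name")
    for frag in birth_date_fragments(birth_date):
        if frag in password:
            failures.append("contains birth date fragment '%s'" % frag)
            break
    return failures


def is_strong(password, login_name="", birth_date=""):
    """True only when no rule is violated."""
    return not check_password(password, login_name, birth_date)


if __name__ == "__main__":
    # Constructed candidates: one that passes, two built the "convenient" way.
    for pw in ("Tr0ub4dor&3", "password1", "Jbourke@1975"):
        print(pw, check_password(pw, login_name="jbourke", birth_date="1975-04-12"))
```

Passing this check is a floor, not a ceiling: a password can satisfy all four rules and still be guessable if it is reused from another site that has been breached, which is why the uniqueness rule above matters as much as the complexity rules.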


If possible, use alternatives to passwords for access control! Most computer manufacturers today offer alternatives to password logins. The most commonly used are biometric techniques, such as scanning fingerprints and irises. Although these methods require additional hardware, they are very often more reliable than passwords alone. Keep in mind that a biometric is an identifier rather than a secret: it cannot be changed if a copy leaks, so it works best as a second factor alongside a password or token rather than as the only control.

Enhancing or modifying an existing identity and access management system should not add a layer of complexity for the business, but such alternatives should be evaluated in order to protect the private and confidential data stored on those systems.
 

Jim Bourke CPA.CITP
About the author:
Jim is a Partner, Member of the Board of Directors and a Member of the Management Committee at WithumSmith+Brown, Red Bank, New Jersey, and is Director of Firm Technology. In that capacity, he has responsibility for overseeing all technology issues and operations for the Firm’s eleven offices and over five hundred employees. Jim gives direction and vision to a group of talented internal technology professionals whose job it is to keep the Firm functional 24/7. His responsibilities consist of network design and implementation, Internet connectivity solutions, wireless network configuration, technology strategic planning, as well as overseeing the acquisition, implementation and training of new applications and technologies throughout the Firm. In addition, Jim is also responsible for the Firm’s annual technology budget. In September 2008 Jim was named by Accounting Today as one of the Top 100 Most Influential People in Accounting. Jim is licensed as a CPA in New Jersey, New York and North Carolina.
 

2009 Progressive Media Group, Inc. All Rights Reserved