Every time I told a friend I got an IT security job, I was always asked a similar question "Do you catch hackers or virus?". Of course, the popularity of the Internet definitely puts external threats and attacks on enterprise IT security's radar. However, I still personally believe internal threats and attacks cost more damage.

According to a 2003 study by the Computer Security Institute (CSI) and the United States Federal Bureau of Investigations (FBI), nearly half of all security breaches—an astounding 45 percent—come from within the enterprise by disgruntled or malicious employees. Industry analyst firm The Gartner Group estimates that more than 70 percent of unauthorized access to information systems is committed by employees and believes that more than 95 percent of intrusions result in significant financial losses.

SUA, LPA and SAT are good IAM defense weapons against internal identity theft:

  • SUA (Strong User Authentication): Password is always weak. You should plan for 2 factor authentication (see Technology Category for definition) such as Smart Card, USB Token, or RSA SecurID. When you evaluate/buy a technology, an important thing is to give equal weight to associated lifecycle management system.
  • LPA (Least Privileged Authorization or Access): A strategy to minimize internal security risk is to reduce attack surface area. LPA is an execution of this strategy. First, you need to classify your data. Then, the access will be granted for different class of data on a "need to know" basis. A suite of software products could be used to help LPA (such as group management, role management, rule management, authorization management, access management, self service, workflow etc.).
  • SAT (Security Awareness Training): IAM is about process and software is just an enabler. One import process is user security awareness training. For example, it is easier to prevent social engineering through this training process and it is hard (or even not possible) through technology. You need to develop training courses and deliver it to all users.

An IAM project to improve security will cost money. Here is a rough estimate formula to calculate cost justification:

value of all data ($) ×  probability of breach (%) > cost of project ($)