Access Risk Management for Manufacturing
As a manufacturer, you depend on information systems in your day-to-day business operations. Cyber-security is critical for manufacturers of all sizes for two reasons. First, being able to meet your commitments on time is a major concern, so downtime, decreased productivity, compliance issues and lost sales resulting from a system security breach will be extremely detrimental and will also negatively impact your reputation. Second, the information or intellectual property you have about your manufacturing processes and products is extremely valuable to your business, so a breach of this proprietary information could have devastating competitive consequences. Therefore, security must be robust in order to protect all your assets.
Technology in the manufacturing sector is shifting from closed, proprietary systems to open, flexible systems that allow greater and more meaningful interaction with the customer, headquarters, and partners, such as suppliers and distributors. The introduction of innovative technologies such as wireless networking, store-based Internet access, multifunction point-of-sale (POS) devices, customer kiosks, handheld devices, etc. carries with it greater security risk for two reasons. First, the complexity of these systems and the various ways they interact introduce more potential opportunities for unauthorized access. Second, many systems utilize their own internal security model for creating and managing access rights. And, because of the nature of the applications and the high volume of sensitive data they transmit and store, these systems are more vulnerable to attack. As a result, companies in, or supporting, the manufacturing sector have become one of the prime targets of attacks launched by both internal employees and external hackers.
Another factor that manufacturing organizations must cope with is personnel turnover. The typical manufacturing organization tends to have large numbers of employees coming and going annually. This normal turnover is exacerbated by the fact that manufacturers are often forced to hire large numbers of temporary or seasonal employees during particularly busy periods of the year.
Ensuring that temporary or transient employees have only the access rights they require to sensitive data (such as customer credit card data, other personally identifiable information, or inventory shrinkage systems) can be very challenging, particularly for a large, geographically distributed organization.
Following a history of customer data breaches, various regulations, such as PCI DSS, FACTA, and more than 40 state regulations like MA 201 CMR 17, have been enacted over the past decade to protect consumers against the risk of identity theft or to hold manufacturers accountable in the event of a breach. Because of these increasingly onerous and complex regulations, some of which provide for hefty fines for non-compliance, it has become even more essential for manufacturing organizations to protect both internal and customer assets from the risks of fraudulent activity.
Protecting The Brand
And, of course, protecting the brand is essential for any organization that depends on the continued good will of its customers, and this is particularly true in the brutally competitive world of manufacturing. Industry surveys have repeatedly shown that customers are not reluctant to stop shopping with an organization if they don’t believe the organization can be trusted to protect their sensitive, personal information.
In addition to a negative impact on the brand, the list of potential adverse consequences if consumer data isn’t protected includes: individual and class action lawsuits, paying compensatory damages to consumers or banks, regulatory fines, significant declines in company valuation (if public), and other negative outcomes.
Courion in Manufacturing
Given the significant impacts of a data breach, manufacturers need a solution that enables them to improve the security and protection of vital information assets by ensuring that only the right people have the right access to the right resources and are doing the right thing with that access.
They need Courion’s Access Risk Management Suite solution. The Access Risk Management Suite enables manufacturers to:
- Control access to applications and IT assets containing trade secrets or other sensitive information
- Verify the proper use of that access
- Safeguard sensitive data from unauthorized access
- Demonstrate compliance with industry regulations
- Protect the organization’s brand and reputation.
Some of the Access Risk Management Suite features that manufacturers rely on include:
Identify Unknown Accounts: In many attacks, a hacker may attempt to compromise or create an account for their own purposes. Courion’s IdentityMap process locates user accounts on internal systems and associates those accounts with a known individual identified in a designated system of record, such as PeopleSoft HR. The initial IdentityMap scan can identify and resolve zombie accounts, which are accounts associated with someone who is no longer with the organization. Subsequent IdentityMap scans may reveal previously unknown accounts, which may indicate an attack. Courion can then alert the appropriate personnel to take remedial action.
Access Certification: Courion ComplianceCourier™ is used by line-of-business managers, security professionals, or IT administrators to review access rights of users they supervise and certify that access complies with policy. When a user’s access rights are out of compliance with policy or industry regulations, ComplianceCourier provides a range of options to block or restrict unauthorized access. Audit tracking capabilities also make compliance reporting and analysis faster, easier and cheaper.
Protect Sensitive Data: Courion’s Sensitive Data Manager module works in conjunction with industry-leading data loss prevention (DLP) technologies to verify that access is not being misused to cover up illegal or unethical activities. According to the Verizon Business 2009 Data Breach Investigations Report, 67 percent of breached records were in locations that the organization wasn’t aware of. Integration with DLP technologies enables your organization to find sensitive data, identify who has access to that data, determine how they obtained that access, and correct access that is inconsistent with the individual’s business role.
Identify Suspicious Activity: Courion’s User Activity Manager module leverages leading security incident and event management (SIEM) technologies to perform deep analysis of prior user activity. Integration with SIEM technologies enables you to identify patterns of suspicious behavior — after-hours access, large data downloads, access from a previously unknown account, etc. — captured in system log files, and combine that data with information concerning the user engaged in that behavior, such as name, title, department, manager, location, etc. You can then determine if the individual’s behavior is consistent with the needs of the business, and take the appropriate steps to terminate access to key applications if it is not.
Manage Employee Access Rights: Manufacturers often must cope with providing large numbers of seasonal employees access to the systems they require to be productive on Day One, and automatically removing their access when they leave the organization. Manufacturing organizations use Courion’s RoleCourier® solution to manage the role definition process, which ensures that users within a particular role only have the access rights they require to be productive. AccountCourier® then automates the process of account creation and termination, using either pre-defined roles, or whatever access request and authorization process your organization uses. These solutions ensure that users have the appropriate access rights, prevent separation of duties violations, and significantly reduce the time, effort and cost of managing employee access rights.
Secure Passwords: Courion’s PasswordCourier® reduces potential access vulnerabilities by enforcing strong password policies, while also dramatically reducing costs associated with help desk calls because of its secure self-service password reset capability.
Courion solutions allow manufacturing enterprises to:
- Improve productivity: Create accounts for new employees quickly and easily, giving them immediate access to mission-critical business applications, while ensuring they have the minimum access to sensitive data required for their jobs.
- Enhance security: Dynamically adjust access rights as employees change roles due to transfers, promotions, demotions or reorganizations. Transparent synchronization technology allows users to use the same username/password combination for all systems, reducing the potential that they will be tempted to write down their password.
- Eliminate zombie accounts: Automatically suspend or discontinue access when employees are terminated.
- Reduce costs: Enable users to securely reset a forgotten or expired password directly from their PC, using a web browser, or via a telephone, without having to call the help desk. Provisioning enables substantial reductions in IT staff overhead dedicated to managing the account creation, management and termination process.
- Demonstrate compliance: Quickly and easily attest that employees have access rights that are consistent with internal security policy, or relevant industry or government requirements, such as Sarbanes-Oxley.