The document discusses the challenges enterprises face regarding the security and management of login credentials, particularly highlighting the risks associated with having over 100,000 unmatchable credentials due to legacy systems and inadequate de-provisioning processes. It outlines potential risks, including theft of sensitive information, identity theft, financial loss, and regulatory violations, while presenting several alternatives for addressing these issues, such as maintaining the status quo or using advanced data quality tools. The document emphasizes the urgency for organizations to take action to mitigate these risks and improve compliance and security.

1. Finding Your ‘Lost Keys’ Ensuring the integrity & security of your enterprise data

2. A login credential is a key to your sensitive and valuable data and systems

3. If you are a large enterprise (>30K employees)...

4. You likely have over 100,000 active login credentials that you cannot match to a person

5. And many of them are accessible on the net.

6. Whoa! ... How did that happen?

7. Legacy Systems were not designed with the Internet in mind Credentials were not designed to be used across system silos Much of security came from the fact that you had to be in a controlled building on a controlled computer to use your credential Legacy systems built for old business requirements

8. Business imperatives are breaking down the original legacy access security

9. Business Imperative #1: Anywhere, Anytime Legacy systems have been connected to the web and extranet access is enabled. (often against the objection of the security department) This removes the legacy security of having to be in the building to get at the data. More and more systems vulnerable on the net.

10. Business Imperative #2: Integrating Processes Legacy systems being integrated together on the net Resulting in a multitude of legacy login systems and credentials for each person ( many not employees) with no easy way of matching them together and to a person

11. Business Imperative #3: Instant Productivity Managers of new employees can’t wait for all the old business processes to provision access People hound IT to get provisioned Business processes often circumvented because “they take too long”

12. Nobody Champions De-provisioning When you leave an organization, who hounds IT to take out your old credentials How many times has your email or login worked after you left? Do this for 10+ years and you get a large pile of old accounts, many of which are unmatchable to people.

13. What is the implication of having 100,000+ lost keys to your organization?

14. In the news: WestJet

15. This incident was mischaracterized as ‘hacking’...they simply used an ex-employee credential Source: Macleans Article

16. There are many, many more examples - most don’t make the news.

17. What risks do these lost credentials create?

18. Theft of Business Critical Information Sales data, business plans, competitive strategies, R&D, customer lists. Susceptibility to malicious acts identity theft, publishing of private data, extortion, illegal transactions, destroying/changing data Business Risk

19. Reputational Risk Unauthorized access to your confidential client and employee information Privacy Violations: Personally Identifiable Information Loss in customer trust in system integrity

20. Financial Risk Lawsuits arising from events such as broad-based customer identity theft Illegal transactions not discovered

21. Regulatory Risk #1 Source of Access Control failings prevalent and persistent in audit findings Observed as root cause, barrier to SOX compliance No comfort from Access Control Verification process due to bad data

22. Alternative #1: Maintain Status Quo CASE FOR These 100,000 have built up over many years. What’s another year or so. Everyone in the same boat. We can fix it in the future when there is a forcing condition. No need to carve out budget.

23. Alternative #1: Maintain Status Quo CASE AGAINST This must be done soon anyway for compliance or security reasons What is the value of the operational and other risk being carried? Already spending on hidden cost to other projects Current access reports flawed, due to 20% bad data

24. Alternative #2: Delete Unmatched Credentials CASE FOR Low cost Easy Quick Right? (OK, this was a bit of a strawman argument)

25. Alternative #2: Delete Unmatched Credentials CASE AGAINST Could result in severe business interruption. Hard to match credentials contain active, business critical credentials Likely would generate flood of calls to the help desk Would destroy evidence of any past improper use You still have to do a matching exercise to determine the ‘hard to match’ entries

26. Alternative #3: Ad Hoc Solution CASE FOR Can start using internal resources and budgets Get started quickly Get early success with ‘easy’ matches (50%+) OK for ‘best efforts’ matching

27. Alternative #3: Ad Hoc Solution CASE AGAINST Reinventing wheel Cost and time escalation ending in incomplete job No ability to deal with unmatchable resulting in a huge manual effort (5 Man Years) Weak auditability.

28. Alternative #4: Work with your Identity/Audit Vendor’s Tools CASE FOR Have existing vendor relationship with related requirements. They have matching and audit tools too. No need to carve out incremental budget

29. Alternative #4: Work with your Identity/Audit Vendor’s Tools CASE AGAINST Identity vendor tools don’t deal with ‘unmatchable’ credentials They assume you will clean up manually (5 man years) What about the risk while you wait for that project to touch all the systems Some systems too old to connect modern tools

30. “ Data Cleansing takes a long time .. implementing the (identity managment) product seems to be the easy part .. we thought that would be the hard part. This (data cleansing) has got to be the same problem for everybody else.” Frank Ma, Petro Canada Digital ID World 2005 , Provisioning Customer Deployment Panel Reference Podcast link @ 22 minutes

31. Alternative #4: Alternative #5: Leverages best in class data quality and matching tools developed over 2 decades Provides unique ‘adjudication’ and ‘forensic matching’ tools specifically designed to address your ‘unmatchable’ records. Provides clean data necessary for reports you can trust Deloitte managed service engagement easily customized to your specific needs significantly reducing cost and timeframe.

33. Significantly reduce many risks now Reduce significant source of Audit Deficiencies You will complete a mandatory step for upcoming identity and audit projects ‘ Bad Data” great source of forensic information Possibly catch improper activity Discover flawed business processes Business Benefits

34. Links TRUE_IDENTITY Blog Product Solution Page