Monday, February 25, 2008

Société Générale - update

Earlier, I posted on how lax password security was one of the ways that Mr. Kerviel thwarted "the system" and managed to perpetrate a $7.2B fraud against Société Générale. There have been a number of good reports on the fraud that I thought I'd point out in case you want to know a bit more about what went on:

Societe Generale: A cautionary tale of insider threats

Poor IT Security Blamed for Bank Fraud

Some of the other specific areas cited as problematic, all of them identity management, security or compliance related, include:

  1. Periodic reviews of user access rights not being done (in other words, no access "attestation").
  2. Fake e-mail messages used to justify missing trades (no digital signatures, so no non-repudiation).
  3. Instant messaging used for trading (an inadequate audit trail).

Bob Blakeley over at Burton Group is quoted as follows:

...there must be a process of dual control, where no one trader is allowed to act alone. Important transactions should always be proposed by one individual and approved by another so that a conspiracy of at least two people would be necessary to do the company harm.

Unfortunately, Mr. Kerviel already thwarted dual-control by having the passwords of some of his fellow traders. You need more than dual-control - you also need two-factor authentication. Also, I'm willing to bet that even a few seconds of having someone else authorize a transaction could lead to a trading loss. I don't think these companies are willing to put security that high on their list if it impacts their profits!
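To make the dual-control point concrete, here is an added example (my own illustration, not code from Société Générale, Burton Group or any product): a small approval service in which a large trade must be approved by a second person whose session was authenticated with a second factor, so that a stolen colleague's password alone is not enough, plus a hash-chained audit trail so an approval cannot be edited or backdated quietly. The user names, the threshold and the trade values are constructed for the example.

```python
"""Dual control plus a second factor, written as a small policy engine.

Constructed example: identities, sessions, threshold and trades are made up
for illustration; nothing here describes Société Générale's actual systems.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """An authenticated session: who it is, and which factors proved it."""
    user: str
    factors: frozenset  # e.g. {"password"} or {"password", "otp"}


@dataclass
class Trade:
    trade_id: str
    proposer: str
    notional: float
    approver: str | None = None


class DualControlError(PermissionError):
    pass


class ApprovalService:
    """Trades at or above a threshold need a second person, proven with a second factor."""

    def __init__(self, dual_control_threshold: float = 1_000_000.0):
        self.threshold = dual_control_threshold
        self.trades: dict[str, Trade] = {}
        self.audit: list[dict] = []  # hash-chained so an entry cannot be altered quietly

    def _log(self, event: dict) -> None:
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit.append({"event": event, "prev": prev, "digest": digest})

    def propose(self, session: Session, trade_id: str, notional: float) -> Trade:
        t = Trade(trade_id, session.user, notional)
        self.trades[trade_id] = t
        self._log({"action": "propose", "trade": trade_id, "by": session.user})
        if notional < self.threshold:
            t.approver = session.user  # small trade: single control is acceptable
        return t

    def approve(self, session: Session, trade_id: str) -> Trade:
        t = self.trades[trade_id]
        if t.notional >= self.threshold:
            # Separation of duties: the proposer can never be the approver.
            if session.user == t.proposer:
                raise DualControlError("proposer cannot approve own trade")
            # A shared password lets one person act as two. Require a factor the
            # proposer cannot simply know: a one-time code from the approver's token.
            if "otp" not in session.factors:
                raise DualControlError("approval requires a second factor")
        t.approver = session.user
        self._log({"action": "approve", "trade": trade_id, "by": session.user,
                   "factors": sorted(session.factors)})
        return t

    def audit_intact(self) -> bool:
        """Recompute the chain; a tampered or deleted entry breaks it."""
        prev = "0" * 64
        for entry in self.audit:
            body = json.dumps(entry["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["digest"] != expected:
                return False
            prev = entry["digest"]
        return True


def demo() -> dict:
    """Walk through the three cases and report what the policy engine decided."""
    svc = ApprovalService()
    trader_a = Session("trader_a", frozenset({"password", "otp"}))
    svc.propose(trader_a, "T1", 5_000_000.0)
    results = {}

    # 1. Self-approval is refused regardless of how strongly trader_a authenticated.
    try:
        svc.approve(trader_a, "T1")
    except DualControlError as e:
        results["self_approval"] = str(e)

    # 2. Logging in as a colleague with only that colleague's password: refused.
    stolen = Session("trader_b", frozenset({"password"}))
    try:
        svc.approve(stolen, "T1")
    except DualControlError as e:
        results["stolen_password"] = str(e)

    # 3. The real colleague, holding the OTP token: accepted and logged.
    real = Session("trader_b", frozenset({"password", "otp"}))
    results["approved_by"] = svc.approve(real, "T1").approver
    results["audit_ok"] = svc.audit_intact()

    # Quietly rewriting who proposed the trade is detectable afterwards.
    svc.audit[0]["event"]["by"] = "someone_else"
    results["audit_after_tamper"] = svc.audit_intact()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second factor is the piece that turns "two identities" into "two people": with passwords alone, dual control only proves that two accounts were used, which is exactly what Mr. Kerviel defeated.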


Saturday, February 16, 2008

Mexican Riviera



We're in San Diego getting ready for our cruise down to the Mexican Riviera. We'll be aboard Holland Line's Oosterdam for the next 7 days. You guys need to keep me honest because I bet 5 pounds with John Rainford (CEO, PassGo) that I wouldn't send any work e-mail while I was gone - by the way John, blogging doesn't count.

I have no idea if I can post pictures or not but I'll try. Back to the reality tour next week!

Friday, February 15, 2008

We're hiring Identity Management gurus!

Using your deep knowledge of the Identity Management market, you will work in a presales capacity to create and propose solutions using Quest Software’s Identity and Access Management products.

5+ years in-depth Systems knowledge including:

  • deep knowledge of UNIX (PAM/NSS)
  • Active Directory architecture, LDAP, and Meta Directory
  • Roles and Role based management
  • Java, C/C++, ANT, .NET, C#
  • DBA knowledge/experience

3-5 Years with Directory Services, User/Identity Lifecycle management, Web/SSO, Virtual Directory, Metadirectory, Enterprise SSO, and Password management. Superior communication and presentation skills required.

If you're interested contact me and as a loyal reader you will get the highest endorsement!

Jackson.Shaw(at)Quest.com


Thursday, February 14, 2008

Biometric hamburgers

I've always liked the Digital Persona biometric fingerprint product. I did a lot of work with Vance Bjorn (DP's CTO) while I was at Microsoft as they were developing the biometric keyboard and mouse for Microsoft.

Interestingly enough, I was involved in a huge argument with the security guys at Microsoft who refused to allow those devices to be used for domain authentication. Their argument was that it was not foolproof. Of course, passwords are, aren't they? (cf. A $7.2B password mistake?) As a personal aside, I do not miss that set of bozos. Oh, and I use a fingerprint scanner for domain authentication on my Lenovo X60 laptop today. Anyway, I digress.

There's a great article in Network World that talks about White Castle's use of Digital Persona's product. Here's the conclusion from the article...

The results have been impressive. White Castle has focused on several applications that were extremely paper intensive prior to the implementation:

* Enrollment in benefit programs – By having employees enroll online, data entry mistakes are reduced and employees can begin receiving benefits sooner.

* Labor scheduling – Only specific people can approve the schedules, and electronic schedules and signatures have speeded up the process. Long says White Castle saved $12 million last year on just this one application.

* Direct payroll deposit – Rather than mailing paychecks to employees, White Castle has implemented direct deposit for everyone. Employees can print a paystub on a local printer after validating their identities. The company saves over $50,000 a year with this new process.

It's great to see security being an enabler for a change!

Oh, by the way: The Digital Persona product is not only very well integrated with Active Directory but also Active Directory Application Mode (ADAM). As a bonus, you can even use Group Policy to control the device and its various security settings and policies!! Sweet.

P.S. According to Vance over 30M laptops with biometric fingerprint scanners will ship this year!
