As a computer security specialist living in Paris and dealing with large corporate and government customers around Europe, I have watched with interest from close quarters as this story unfolds.
Société Générale accused Jerome Kerviel, a 31-year-old junior trader employed by the bank, of creating a fraudulent trading position on the bank’s computers and betting €50 billion – more than the bank’s market value – on futures in European equity markets.
If proven, the fraud will be the biggest in banking history, dwarfing the US$1.4 billion in unauthorised trading losses that junior trader Nick Leeson inflicted on England’s Barings Bank in 1995.
A huge loss like this can affect much more than the institution involved. It can shatter the public’s confidence in the banking system – which is why other French banks rallied around to try to help Société Générale out of its predicament. This particular debacle has even reached the French government, which has prepared a report on the lessons to be learned.
How could it be that, 13 years after the world was stunned by the magnitude of Nick Leeson’s fraud, another major bank could be rocked by an even bigger loss?
All the signs point to poor controls – in Société Générale’s case inadequate governance and management of its information technology (IT) systems.
How secure are your computer systems?
If, as a company director, you think none of the organisations you govern is vulnerable to fraudulent or simply unauthorised use of its computer systems, even by junior staff … think again.
Company directors, whose backgrounds are predominantly in law and accounting, may not be familiar or comfortable with the complexities of IT systems. But as information technology increasingly becomes the engine room of business, directors must be confident that it is well managed, secure and auditable.
Many company directors may not realise that, just as there is computer software for financials, manufacturing and human resources, there is computer software specifically to govern, manage and secure IT systems.
That’s what my company, CA, specialises in. We have tools to help organisations with the compliance, security and auditing of their IT systems. Company directors needn’t understand the detail of these systems but they should be aware that they are available to reduce the risk of breaches.
Better IT management needed
A report on 4 February 2008 by Jeremy Kirk of IDG News Service summarised the views of analysts that Société Générale’s losses “don’t necessarily point to an IT systems failure, but rather to poor management of those systems”.
Société Générale said Kerviel created a fraudulent trading position by, among other things, misappropriating passwords. Management of passwords, including rescinding the passwords of employees who have moved on, is a routine task, but one which is often mishandled or neglected, thereby opening the door to unscrupulous behaviour.
To give an example closer to home, CA worked with an Australian government department that had 15,000 employees but 30,000 log-on accounts as a result of people changing their status or leaving. This organisation handled very sensitive information for millions of Australians, and the extra “ghost” log-on accounts presented an opportunity for unauthorised access to that information. I am glad to report the problem has now been resolved using a special CA tool called CA Cleanup.
It’s also not simply a case of ensuring that employees who have left no longer have access to the computer system and that their accounts are closed down when they go.
As Ian Walden, professor of information and communications law at Queen Mary, University of London, succinctly puts it in Jeremy Kirk’s story: “In some cases it may not be the security of the passwords themselves that pose a problem but rather the access those passwords allowed.
“Organisations tend to think of access as being binary in nature: you get access to it all, or you don’t. In reality there are many more levels of access. In modern, complicated systems the granularity has to be much more sophisticated.”
Identity Access Management
At CA we use the term Identity Access Management (IAM) for the process of managing who gets access to what. IAM is a central part of overall IT security management.
There are four components for an effective security management platform:
• Identity Administration: The essence of any internal control is being able to administer user identities effectively. Administrators need to know who their users are and what access rights they have been granted. Managing user profiles includes services such as user enrolment and de-enrolment, self-service and delegated administration.
• Provisioning: The heart of any security management platform is provisioning new users with appropriate accounts and access rights to corporate resources, as well as de-provisioning them (preferably automatically) at the appropriate time, eg when they leave the company.
• Access Management: A platform that enforces access policies is essential for effective internal controls. This policy enforcement must cover not just application access but also access to all the organisation’s various computer systems.
• Monitoring/Auditing: The essence of any security compliance programme is being able to monitor, audit and control your computer systems. It must be easy for administrators to define which events are of interest to them and to create policies for filtering and correlating those events. Visibility of the current state of the entire security infrastructure is critical to identifying events of interest and responding to them.
Monitoring should include an alarm system whereby administrators can define which events are important and need to be reported upward to the appropriate people using the appropriate communication tool – eg pager, cellphone or email. Policy-based alarm services create a strong set of event response controls.
An IAM system dramatically reduces the risk of a business being the victim of a serious corporate breach, and I can’t help thinking of the trouble that would have been saved if Société Générale had had working controls like these in place.
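As an added example (not from the article and not CA’s software), here is a small reconciliation of an HR roster against an account directory, the kind of check behind the 15,000-employee/30,000-account finding above: it lists ghost and duplicate accounts for de-provisioning, stale logins, and group membership beyond what a role needs, the finer-grained access that Walden describes. The roles, groups, entitlement policy and sample data are all assumed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Employee:
    emp_id: str
    status: str   # "active" or "left", as recorded by HR
    role: str     # job role used to decide which access is legitimate

@dataclass
class Account:
    login: str
    emp_id: str | None       # owner per HR; None if the directory has no owner
    groups: frozenset
    last_login: date | None
# Assumed policy, not CA's: the groups each role legitimately needs.
ROLE_ENTITLEMENTS = {"trader": {"trading_front"},
                     "back_office": {"trading_back", "settlement"},
                     "it_admin": {"trading_front", "trading_back", "settlement", "sysadmin"}}

def reconcile(employees, accounts, today, stale_days=90):
    """Compare the HR roster with the account directory and return findings."""
    by_id = {e.emp_id: e for e in employees}
    owners = {}
    out = {"ghost": [], "duplicate": {}, "stale": [], "excess_access": []}
    for a in accounts:
        emp = by_id.get(a.emp_id) if a.emp_id else None
        if emp is None or emp.status != "active":
            out["ghost"].append(a.login)          # owner unknown or departed: de-provision
            continue
        owners.setdefault(emp.emp_id, []).append(a.login)
        if a.last_login is None or (today - a.last_login).days > stale_days:
            out["stale"].append(a.login)          # unused for too long: review or disable
        extra = a.groups - ROLE_ENTITLEMENTS.get(emp.role, set())
        if extra:
            out["excess_access"].append((a.login, sorted(extra)))  # beyond the role's need
    out["duplicate"] = {k: v for k, v in owners.items() if len(v) > 1}  # one person, many logins
    return out

# Constructed sample data (not from the article): four people, six accounts.
TODAY = date(2008, 2, 4)
EMPLOYEES = [Employee("e001", "active", "trader"), Employee("e002", "left", "trader"),
             Employee("e003", "active", "back_office"), Employee("e004", "active", "it_admin")]
ACCOUNTS = [
    Account("jdoe", "e001", frozenset({"trading_front"}), TODAY - timedelta(days=2)),
    Account("jdoe2", "e001", frozenset({"trading_front"}), TODAY - timedelta(days=200)),
    Account("asmith", "e002", frozenset({"trading_front"}), TODAY - timedelta(days=30)),
    Account("contractor7", None, frozenset({"settlement"}), None),
    Account("bkim", "e003", frozenset({"trading_back", "settlement", "trading_front"}), TODAY - timedelta(days=1)),
    Account("root_ops", "e004", frozenset({"sysadmin"}), TODAY - timedelta(days=5)),
]
```

Calling `reconcile(EMPLOYEES, ACCOUNTS, TODAY)` returns the departed trader’s and the ownerless contractor’s logins as ghosts, the second login of e001 as both a duplicate and stale, and the back-office account’s front-office group as excess access.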
New Zealand is not immune
Just in case you think this somehow doesn’t apply in New Zealand, let me give you some examples of how CA is working with New Zealand organisations on IAM projects.
Interestingly, many of our New Zealand customers are using CA’s software to manage access of external parties to their computer systems. Of course this adds another layer of complexity because these organisations are concerned not only with managing internal staff access but also selected external stakeholders.
New Zealand government departments use CA SiteMinder web IAM software to enable students to track the status of their student loans and doctors to lodge accident compensation claims directly from their offices. Together with a large New Zealand corporate using CA SiteMinder, these three organisations provide secure web access to about 700,000 New Zealanders.
Another government department has recently chosen CA for IAM, and we have a number of corporates using CA software to manage internal users.
Across the Tasman, the Western Australian state government’s Department of Land Information is using CA software to allow secure access to spatial data stored on the department’s systems.
Providing information and services online is a rapidly growing area that simply reinforces the need for robust computer security and identity access management that are properly monitored or audited.
Bringing it back to governance
I have drilled down to give some detail of the components of an IAM system as part of an overall IT security management system and given some regional examples of how these are being used in Australasia.
From a governance perspective, directors will want to be assured that their companies a) comply with relevant laws and regulations and b) don’t suffer serious