Identity Management Is Too Distributed For Comfort


Study finds that few companies have centralized this process, leaving them vulnerable to insider attacks.



Most companies use some form of identity and access management controls to protect their applications and information. But few centrally manage these systems and keep up with changes in user privileges, according to a study released last week. It's a dangerous situation, given that any company that doesn't know who has access to what in its IT environment is a prime candidate for a security breach.

More than 64% of 627 IT pros surveyed by the Ponemon Institute say their companies use identity and access management technology. But only 13% of respondents to the survey, which was sponsored by SailPoint Technologies, a provider of compliance, governance, and identity management technology, have centralized identity and access management.

Chart: How do you handle ID and access management?

Those who invest in identity and access management technology primarily want to improve the efficiency of system access and the security of their systems, as well as meet regulatory requirements. But for many companies, even the ones using identity management technology, the process remains largely manual, and that "translates to reactive measures for addressing insider abuse," says institute chairman Larry Ponemon. Last month's revelation that a DuPont research chemist stole the company's intellectual property is a case in point, he says. Gary Min was caught after DuPont realized he'd accessed large volumes of information not relevant to his role at the company. "But these anomalies were not detected and identified as high-risk behavior until after $400 million in trade secrets had been compromised," Ponemon says.

Close attention to what users are doing is key because the greatest security threat is from a disenchanted employee, says Jay Raimondi, CTO of CRC Health Group, a provider of treatment for people with chemical dependency and related behavioral health problems. CRC late last year began working to improve its ability to provision and deprovision users and plans to integrate its HR, payroll, general ledger, clinical management, and other applications into a centralized identity and access management system using Apere's RapidConnector Framework. This will help CRC protect itself from intruders and more easily comply with the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, among other regulations.

The first step was to replace the trouble-ticket system CRC used to extend and remove access privileges to users with Apere's Identity Managed Access Gateway, which centrally manages identity information tied to various applications. The gateway appliance automatically locates all databases and directories with application-specific identity data and creates an updated list of user identities and access rights.

The RapidConnector Framework cuts the cost and hassle of integrating all of a network's applications and directories into an identity management system, Apere says. It connects a directory or application to an identity management system in about 30 minutes, regardless of whether the component is commercial or homegrown software, the company says.


Apere's RapidConnector emulates native administrative privileges on an application's user interface to gather and provision user information, rather than building a connector using an application's API. It becomes a virtual administrator and learns all of the administrative commands and fields used by the application's screens, says Jared Hufferd, Apere's VP of business development and sales. It also determines how an application manages access privilege information and taps into the identity database or directory where that identity data is stored.

When a user leaves his employer, the company can use RapidConnector in conjunction with its identity management system--whether from CA, Novell, Oracle, or some other vendor--to communicate to all the apps on the network to remove that user's access rights. This eliminates orphaned accounts that linger in IT environments long after an employee has moved on.
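The orphaned-account problem described above is something a defender can check for directly, without any vendor connector: pull each application's account list and reconcile it against the HR roster. The following is an added example, not code from the article, Apere, or any of the vendors named; the roster, application names, account names and dates are constructed sample data.

```python
from datetime import date

# Constructed HR roster: the authoritative record of who still works here.
HR_ROSTER = {
    "amy":   {"status": "active",     "role": "research"},
    "bob":   {"status": "active",     "role": "finance"},
    "carol": {"status": "terminated", "role": "research", "left": date(2007, 1, 15)},
}

# Constructed account lists, as pulled from three independently administered apps.
APP_ACCOUNTS = {
    "payroll":  ["amy", "bob", "carol"],
    "clinical": ["amy", "carol", "dave"],
    "ledger":   ["bob", "svc_backup"],
}

# Accounts that are deliberately not tied to a person (a maintained allow-list).
SERVICE_ACCOUNTS = {"svc_backup"}


def reconcile(roster, app_accounts, service_accounts=frozenset(), today=None):
    """Compare every application's account list against the HR roster.

    Returns two finding lists:
      orphaned: (app, account, days_since_departure) where HR says the owner left
      unknown:  (app, account) with no HR record and not on the service allow-list
    """
    findings = {"orphaned": [], "unknown": []}
    for app, accounts in sorted(app_accounts.items()):
        for acct in accounts:
            if acct in service_accounts:
                continue
            person = roster.get(acct)
            if person is None:
                findings["unknown"].append((app, acct))
            elif person["status"] == "terminated":
                left = person.get("left")
                days = (today - left).days if (today and left) else None
                findings["orphaned"].append((app, acct, days))
    return findings


if __name__ == "__main__":
    report = reconcile(HR_ROSTER, APP_ACCOUNTS, SERVICE_ACCOUNTS, today=date(2007, 3, 1))
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
```

Run on a schedule, the `orphaned` list is the deprovisioning backlog that a centralized system is meant to keep at zero, and the `unknown` list surfaces accounts created outside the identity process entirely.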

