Many of these policies -- and the security infrastructure that backs them -- are tied to individual employees. Southwest Medical Center has the typical data access security policies based on an employee's role in the organization, but the center is also introducing biometrics and motion detection technology.
Southwest Medical's approach is akin to what Microsoft Chairman Bill Gates is hoping other organizations will adopt as he shares his vision of policy-based security management versus reactive security at this week's RSA Conference in San Francisco.
"We are looking at biometrics, fingerprints that are actually tied to motion detection technology," said Chris Lehr, network administrator at Southwest Medical Center, based in Liberal, Kan.
"When a doctor logs onto a shared machine and walks more than five or six feet away," Lehr said, "the PC logs them off so no one else can walk up and read the patient information that doctor had on the screen." Once that person is logged off, the PC also reboots itself back to a standard, locked-down configuration.
It is also virtually impossible for an unknown person to gain access to Southwest Medical's network, because each laptop assigned to an employee has a network card tied to that individual's PC. If an employee doesn't have a network card tied to an assigned PC, then that employee can't get in, Lehr said.
As the founder of Framingham, Mass.-based security integrator Conqwest Inc., Michelle Drolet is seeing a mix of tactical and strategic approaches to identity management and security policies, much of which is geared toward locking down data.
"I call it phase one," Drolet said. "Most people don't have security policies in place, which would really change their whole business processes, and many aren't ready for that. What they are doing is putting software firewalls in the desktop along with antivirus. But I would say only about 20% of [our customers] are moving toward putting security policies in place and education."
Mistakes make great learning guides
Spurred by the recent TJX Corp. debacle in which customer credit card information was stolen and individual bank accounts were accessed, the issue of security policy and identity management is being forced within organizations, Drolet said.
The customer calls Drolet is getting are coming from C-level executives. "They want to really start paying attention to how they are managing data and data flow and are concerned they may have some holes," she said.
As in many IT shops, Steve Perry has been using Active Directory to set up policies for groups and individuals' roles at Costello & Sons Insurance Brokers, based in San Rafael, Calif.
But what he is looking for is an all-in-one technology that would automatically set up at least 85% of the security policies he needs out of the box with minor tweaking on his part.
"It would be great if we could get to that point, to be able to identify all the people, the objects they touch, services and eventually even identify components of the applications in order to set up policies," Perry said. "But still we would need to dedicate someone to finding all those resources and defining individuals' roles, managing those policies and setting them up -- we just don't have any extra help for that."
For now, his company has an automated policy in place when an employee is terminated. "But what if a person is traveling or taking a leave of absence?" Perry said. "Everything is manual at this point, and there are so many scenarios to set up policies for."