Web apps: The forgotten security
This week, I read a really interesting blog post by Christine Bevilacqua over at Ping Identity. It reminded me of the report we did last year about the threat posed by rogue ex-employees to your business. Christine looked at the issue from the perspective of a potential rogue ex-employee, tracing the web app access she walked away with from a previous job.
Christine is quick to point out that the IT staff at that company were diligent and worked hard to make sure ex-employees were removed from the system:
“At my old company, keeping people off the ‘system’ meant locking doors and throwing away any available keys. The building is a fortress when it comes to protecting the company and their hardware and on-premises software from unwanted intrusions. After I was gone, my boss’ administrator emailed IT to tell them to erase my access ID and password. Our IT was great. They expected these emails, and when they came in they always tried their best to get to them sooner rather than later.”
But the one thing they didn’t take into account was the access she had to web apps. She didn’t make any use of them, but she could have. And that’s the point she wants companies to realize.
“Let the record show that after I left, I never accessed any cloud-based applications for the purposes of accessing employer data that didn’t belong to me. But if I had wanted to, it wouldn’t have been difficult. Not only did I retain my own access to corporate web applications, but I could have probably talked a colleague into sharing their access with me. According to a recent study by IS Decisions, the majority of employees see no problems with sharing passwords.”
It’s a great post and I highly recommend that you read it. Christine ends with a checklist of things you should consider when allowing employees to use web apps on the job.
I’ll add that you should definitely implement a single sign-on solution. With SSO, disabling one identity at the identity provider cuts off every connected web app in a single step, the password policy is enforced centrally instead of app by app, and you get visibility into which web apps are actually being used for business. Bear in mind that SSO only protects the apps you have connected to it: any app that still issues its own local accounts has to go on the offboarding checklist separately. Check out Intermedia AppID® as a possibility.
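The gap Christine describes is easy to check for. The script below is an added example written for this post (it is not code from Christine, Ping Identity or Intermedia): it reconciles per-application user exports against an HR roster, flags every account belonging to a departed employee, and lists local accounts ahead of SSO-connected ones, since the former must be disabled by hand while the latter disappear once the SSO identity is disabled. It goes slightly beyond the post by also flagging accounts with no HR owner at all, since nobody ever triggers offboarding for those. The roster, app names, user exports and dates are constructed sample data.

```python
"""
Orphaned web-app access review.

Added example for this post (not code from the post, Ping Identity or
Intermedia). It reconciles per-application user exports against an HR
roster and flags accounts that belong to departed employees, or to nobody
at all, listing local accounts (which must be disabled by hand) ahead of
SSO-connected ones (which go away when the SSO identity is disabled).
All names, apps and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed HR roster: status plus last day for anyone who has left.
HR_ROSTER: Dict[str, dict] = {
    "alice@example.com": {"status": "active"},
    "bob@example.com": {"status": "terminated", "end_date": date(2014, 3, 1)},
    "christine@example.com": {"status": "terminated", "end_date": date(2014, 2, 14)},
}

# Apps whose login is federated through the SSO provider (assumption for the example).
SSO_CONNECTED: Set[str] = {"crm", "wiki"}

# Constructed user exports from each web app. "billing" keeps its own local
# accounts and is not behind SSO; note the mixed-case address and the shared login.
APP_USERS: Dict[str, List[str]] = {
    "crm": ["alice@example.com", "bob@example.com"],
    "wiki": ["alice@example.com", "christine@example.com"],
    "billing": ["Christine@Example.com ", "alice@example.com", "shared-admin@example.com"],
}

# Review date used by the stand-alone run (constructed).
AS_OF = date(2014, 4, 1)


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    sso: bool                       # True if the app is behind SSO
    days_since_exit: Optional[int]  # None when HR has no record of this user


def normalize(identifier: str) -> str:
    """Email addresses are case-insensitive in practice; apps export them inconsistently."""
    return identifier.strip().lower()


def find_orphaned_access(roster, app_users, sso_apps, today) -> List[Finding]:
    """Return every app account that belongs to a departed employee or to nobody in HR."""
    findings: List[Finding] = []
    for app, users in app_users.items():
        for raw in users:
            user = normalize(raw)
            record = roster.get(user)
            if record is None:
                # No HR record: contractor, shared credential or typo.
                # Flag it; with no owner, nothing ever triggers offboarding.
                findings.append(Finding(app, user, app in sso_apps, None))
            elif record["status"] == "terminated":
                days = (today - record["end_date"]).days
                findings.append(Finding(app, user, app in sso_apps, days))
    # Local accounts first (manual work), then the longest-standing exposure.
    return sorted(findings, key=lambda f: (f.sso, -(f.days_since_exit or 0)))


def main() -> None:
    for f in find_orphaned_access(HR_ROSTER, APP_USERS, SSO_CONNECTED, AS_OF):
        how = "disable SSO identity" if f.sso else "disable local account in app"
        age = "no HR record" if f.days_since_exit is None else f"{f.days_since_exit} days after exit"
        print(f"{f.app:8} {f.user:28} {age:24} -> {how}")


if __name__ == "__main__":
    main()
```

Run it against real exports by replacing the constructed dictionaries with the HR feed and each app's user list; the point of the sort order is that the local-account findings are the ones an SSO rollout does not fix by itself.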