'The big IAM' tops security chiefs' shopping lists

CISOs speak on their latest and greatest purchases...

By Will Sturgeon

Published: 19 September 2006 16:40 GMT

Encryption, identity and access management systems and intrusion detection should be near the top of any corporate shopping list, according to leading security chiefs.

One security chief from the banking industry said encryption has become increasingly important, as evidenced by a spate of data leaks from financial institutions over the past year - and admitted data may well go astray and should therefore be encrypted.

Ashley Bear, head of information security at AXA, echoed the sentiments of many attendees at Gartner's Security Summit in London when he told delegates his priority currently is identity and access management (IAM).

One aim, Bear said, is to "eliminate Windows passwords". He intends to do this through the rollout of smartcard authentication which operates in the realm of both digital and physical security.

Speaking about an integrated smartcard to authenticate digital and physical access to a building, he said: "Give users smartcards and eliminate the risk of them leaving it in the keyboard by requiring them to use it to get out of the building." It's an approach other businesses are adopting.

Federation is another area of IAM Bear is looking into. "Identity federation is something of interest in a decentralised business such as AXA," he said.

Dr Mark Ferrar, director of infrastructure and information governance at the NHS, told delegates his organisation is now one-fifth of the way through a smartcard deployment which will see one million users provided with smartcard authentication.

Ferrar said clearing up a mess of multiple user IDs on an "unknown number of applications" - which had led to the creation of around eight million IDs for one million staff - is a priority and something that will enable the NHS to run more efficiently.

Federation is also an issue at the front of Ferrar's mind. He said the benefits of authenticating one system against another should be obvious, citing the strong authentication that protects the core NHS 'Spine' system.

Ferrar said: "If we trust the Spine enough to let people in to access medical records then shouldn't other systems trust the Spine?"

Other delegates said the time is long overdue to sort out identity and access management issues, the complexity of which has spiralled with the deployment of multiple systems - all with different formats of usernames and passwords. AXA's Bear described it as being like "a garden which has been let go".

Other issues at the forefront of security chiefs' minds include intrusion detection and encryption. Randi Roisli, chief information security officer at Statoil, said the former is essential though warned "it generates an awful lot of logs and needs a lot of looking at to establish what is an alert and what needs looking at", adding: "It's very complicated."

Making a case for encryption, Mary McCrohan, head of group information security at Irish bank AIB Group, said: "As sure as shooting, something will get lost and will contain customer data so let's make sure it's encrypted when it's lost."
