Courion Automates Computer Access To Keep Data Where It’s Supposed to Be
January, 2008: French bank Societe Generale discloses that it has lost $7.1 billion, thanks to unauthorized trading by a single employee, Jerome Kerviel, who apparently breached various controls on access to the bank’s computer systems.
March, 2008: UCLA Medical Center fires 13 workers and disciplines a dozen others for snooping in the confidential medical files of celebrity patients including Britney Spears, Farah Fawcett, and Maria Shriver.
April, 2008: Financial comparison shopping site LendingTree discloses that several former employees gave mortgage lenders passwords they needed to access confidential loan-request data from LendingTree customers.
May, 2008: Walter Reed Army Hospital discloses that personal information for 1,000 former patients may have been breached by someone using a peer-to-peer file sharing program on a hospital computer.
July 9, 2008 (yesterday): The Washington Post reveals that Supreme Court Justice Stephen Breyer and about 2,000 other clients of a McLean, VA, investment firm had their names, birthdates, and social security numbers exposed to the open Internet by an employee using the LimeWire peer-to-peer file sharing program on a company computer.
Hackers aren’t the only threat to computer-system security and confidentiality rules, many security professionals say. The common elements in each of these recent, high-profile data breaches were rogue insiders with inappropriate levels of access to their organizations’ IT systems. And while you might think it would be easy to control who gets access to these systems—the LendingTree debacle, for example, could have been avoided if the company had simply invalidated the former employees’ passwords when they left the company—the reality is that many big organizations are overwhelmed by the problem of managing their employees’ network access.
Or so says Kurt Johnson, vice president of corporate development for Courion, a company in Framingham, MA, whose “identity management” software helps large organizations automate the once labor-intensive task of administering thousands of computer accounts. “You want to make sure that information gets into the hands of the individuals who need it, but there have to be controls and security over who should get access. You can’t have one without the other,” says Johnson. “Courion’s goal is to enable organizations to increase security with tighter controls—but without requiring more bodies to do the administration.”
The privately held company, which has 130 employees spread across offices in Massachusetts, Georgia, Texas, California, New York, and the U.K., offers a menu of software products—upgraded just two weeks ago—that can be matched to an organization’s specific needs. PasswordCourier—the product that helped to launch the company in 1996—is a basic self-service password management system that helps employees who have forgotten their passwords to obtain a new one after brief, online challenge-and-response session. ProfileCourier allows users to set up the authentication questions used in these sessions—for example, “the name of your favorite childhood pet.” AccountCourier automates the creation and deletion of user accounts; it knows, for example, that ex-employees should have their passwords revoked. CertificateCourier manages the public-key-encrypted digital certificates that many companies use to manage access to internal websites and applications, and ComplianceCourier lets managers quickly review who is using which corporate applications and purge users who’ve been granted improper access. (In that last area, Courion’s product overlaps with those from Ecora, a Portsmouth, NH startup that makes software for tracking and auditing configuration changes in corporate IT systems.)
The company’s newest product, RoleCourier, automates the whole process further by letting organizations define standard job roles that involve access to a predefined set of applications or networks. New collections specialists in a big corporation’s finance department, for example, might be granted automatic access to the company’s accounts receivable system and its general Outlook Exchange e-mail system, but not to its accounts payable or enterprise resource planning systems.
Johnson says Boston’s Children’s Hospital uses Courion’s software to make sure that people like surgeons, radiologists, nurses, residents, and medical students all have access to the data appropriate to their roles. “As a teaching hospital affiliated with Harvard, there’s one day each year when Children’s has an influx of ‘baby docs,'” meaning first-year residents, Johnson says. “On that one day, hundreds of provisioning actions have to take place—the accounts for first-years have to be enabled while those for second-years who have moved on to other departments are disabled,” and so on.
Using the hospital’s old system, in which administrators had to grant access user by user, the provisioning process actually dragged on for two weeks. With Courion’s system, Johnson says, “The service level went from two weeks to minutes, and the hospital reduced its IT operations staff from 20 people down to one.” And the biggest drain on administrators’ time—phone calls from doctors who had forgotten their passwords—declined by 80 percent.
With one in six of all corporate data breaches traceable to insiders, according to a June study by the Identity Theft Resource Center in San Diego, there’s likely to be a continuing demand for systems that lock down access to a organization’s digital assets without locking out those who really need the data—and without increasing the administrative burden. Courion’s software appeals most to organizations with 1,000 employees or more, according to Johnson, but it can also be a useful way for medium-sized companies to meet federal accounting and privacy standards. “We’ve seen 20-person local banks getting beaten down by regulators who could really use our system,” says Johnson.
Courion has raised some $32 million in venture funding over five rounds, with Paladin Capital, Questmark Partners, JMI, Riggs Capital, Citizens Capital, and the Massachusetts Technology Development Corporation as the main participants. The company’s diverse group of customers includes AIG, Barclays, Boeing, CapitalOne, Cox, Dell, GlaxoSmithKline, Harvard Pilgrim HealthCare, the IRS, Office Depot, Partners Healthcare, and REI. That’s a lot of entities to keep track of—but luckily, Courion is really good at that.