09.21
You would think this would be self-explanatory, but it really is not to many, many organizations.
It doesn’t matter how secure your enterprise system is. Even with firewalls, IPS, IDS, and application-layer switches, when you run an enterprise application you have an inherent duty to protect your customers’ data. In many large organizations (credit companies, health care, government, etc.), losing sight of the “big picture” seems to happen all too often.
Identity management seems to be a really big problem these days. When someone logs in to a health care system, how are you to prove they are who they say they are from nothing more than an email address?
The solution is to NOT USE THE SSN AS THE LOGIN. I’m not sure how this could be any easier. You cannot trust a user of your system to know when they have a keylogger installed, or to know when they are on a legitimate page. Just don’t do it. It’s that simple. When a person has a keylogger installed and logs in to a system 10 times in a day with that SSN login, they might as well kiss their identity goodbye. And you can consider your organization at fault for bad design. Period.
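To make the two designs concrete, here is an added Python example (not code from the original post). It puts the weak design, SSN as the username, beside the hardened one: a random, meaningless login id, with the SSN kept out of the credential path and stored only as a keyed hash for back-office record matching. The class names, the in-memory "database", the sample SSN and the HMAC key are all constructed for this illustration; the `keylogger_capture` function simply models what a keylogger on the user's machine would see typed into the login form.

```python
"""
Added example (not part of the original post): two account designs side by
side. SsnLoginStore uses the SSN as the login name (the design the post
warns against); OpaqueLoginStore issues a random login id and keeps the SSN
out of the credential path entirely. All names and data are constructed.
"""
import hashlib
import hmac
import os
import re
import secrets

# Matches the 123-45-6789 / 123456789 shapes; used to refuse SSN-like usernames.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SsnLoginStore:
    """Weak design: the SSN is the username, so every login form submission
    exposes it to a keylogger, a phishing page, or a proxy log."""

    def __init__(self):
        self._users = {}  # ssn -> (salt, password_digest)

    def register(self, ssn, password):
        salt = os.urandom(16)
        self._users[ssn] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_password(password, salt))


class OpaqueLoginStore:
    """Hardened design: the login id is random and meaningless; the SSN is
    stored separately as a keyed hash (HMAC) used only for record matching,
    never as a credential. In practice the HMAC key lives in a secret store."""

    def __init__(self, ssn_hmac_key: bytes):
        self._key = ssn_hmac_key
        self._users = {}      # login_id -> (salt, password_digest)
        self._ssn_index = {}  # HMAC(ssn) -> login_id

    def _ssn_tag(self, ssn):
        digits = ssn.replace("-", "")
        return hmac.new(self._key, digits.encode(), "sha256").hexdigest()

    def register(self, ssn, password):
        login_id = "u-" + secrets.token_hex(8)  # opaque, carries no identity data
        salt = os.urandom(16)
        self._users[login_id] = (salt, _hash_password(password, salt))
        self._ssn_index[self._ssn_tag(ssn)] = login_id
        return login_id

    def login(self, username, password):
        # Refuse SSN-shaped usernames outright: a client sending one is either
        # misconfigured or has been tricked into typing an SSN into a login form.
        if SSN_RE.match(username):
            return False
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def find_by_ssn(self, ssn):
        """Back-office lookup (identity proofing, support); not a login path."""
        return self._ssn_index.get(self._ssn_tag(ssn))


def keylogger_capture(username, password):
    """Models what a keylogger on the user's machine sees at login time:
    exactly the characters typed into the two form fields."""
    return username + "\t" + password


def demo():
    ssn, pw = "123-45-6789", "correct horse battery staple"  # constructed sample
    weak = SsnLoginStore()
    weak.register(ssn, pw)
    weak_capture = keylogger_capture(ssn, pw)

    strong = OpaqueLoginStore(ssn_hmac_key=b"demo-key-not-for-production")
    login_id = strong.register(ssn, pw)
    strong_capture = keylogger_capture(login_id, pw)

    return {
        "weak_login_ok": weak.login(ssn, pw),
        "weak_capture_leaks_ssn": ssn in weak_capture,
        "strong_login_ok": strong.login(login_id, pw),
        "strong_capture_leaks_ssn": ssn in strong_capture,
        "strong_rejects_ssn_as_username": strong.login(ssn, pw),
        "lookup_by_ssn": strong.find_by_ssn(ssn) == login_id,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the comparison makes is the one in the post: both stores authenticate correctly, but with the weak design every single login hands the SSN to anything watching the keyboard, while with the opaque id a captured login reveals a credential that can be rotated and nothing that follows the person for life.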