This is the second installment in a 3-part series that explores how intelligence improves identity and access management (IAM). In part 1, we looked at how intelligence improves the provisioning portion of IAM, which helps to ensure that the right people get the right access to the right resources. In this installment, we’ll look at how intelligence improves the governance portion of IAM, with a focus on validating that the right people currently have the right access to the right resources.
Governance is a verification process, essentially the QA portion of IAM. Many organizations use a manual certification process to verify access: a large report that lists users along with their associated access. The certification itself may be a paper-based tool or an electronic tool like Excel. Regardless of the medium, the process is the same: reviewers are expected to look at each user/access assignment and make an informed decision as to whether or not the granted access is appropriate. Depending upon company size, an average reviewer may be responsible for hundreds if not thousands of decisions. That sounds like fun, right? In addition to being a lengthy, time-consuming process, a certification is also a mind-numbing exercise. It’s no wonder certifications are relegated to an annual or perhaps a semi-annual punishment; pity the folks who tackle this on a quarterly basis. I wonder if anyone has ever collected statistics that indicate a causal relationship between the scheduling of a company-wide certification and requested vacation days.
So, why do certifications at all? As painful as they may be, certifications serve an important security function; at least that’s the intent – your mileage may differ. If you think of access to corporate resources as being somewhat analogous to having a set of keys to your house, don’t you want to make sure you have tight control over who has a set of keys? If the provisioning process incorporates a robust approval process, why do we need to do periodic certifications on the back end? Haven’t we already ensured that the access assignments are appropriate on the front end? Well, yes and no, but mostly no.
You’ve heard the adage, “the only constant in this world is change.” Well, the average corporate environment exemplifies that sentiment. Corporations are dynamic entities. Corporate resources are often being added to or removed from the environment and the data that resides on those resources is constantly changing. Arguably, the most dynamic aspect of a corporation is the human resource component; employees come and go, they join and leave projects, change jobs and/or change departments. In addition, there are often contractors or temporary personnel, which adds another wrinkle to the situation. The limitation of verifying access only during provisioning is the fact that decisions are made in the moment, based upon one’s knowledge of the circumstances that exist at that point in time.
However, as discussed above, circumstances change over time, and a decision that was appropriate last year, last month or even yesterday may not be appropriate today. Therefore, a governance process is necessary in order to ensure that access assignments remain appropriate within a dynamic environment. In addition, the governance process must be thoughtfully executed in order to achieve its goal. Unfortunately, a governance process devoid of intelligence tends to devolve into a rubber-stamp exercise. Asking a reviewer to make decisions on hundreds or thousands of access assignments that all feel similar in importance, coupled with a reviewer’s tendency to believe that the access assignments are probably already correct, isn’t a recipe for a strong governance cycle.
By contrast, IAM intelligence in the form of data analytics can make dramatic improvements to the governance process. Envision a certification that is no longer a flat list, but instead organized into sections based upon the degree of attention required of a reviewer. One section may contain all of the access a user has that is in complete alignment with the user’s job title or equivalent to access provided to colleagues. This section probably needs little more than a cursory review.
However, another section may contain all of the resources that have been identified as highly sensitive, and a user having access to these resources requires a greater degree of scrutiny by a reviewer. Yet another section may identify access assignments that the intelligence engine, based upon configurable policies that reflect a corporation’s business policies, has flagged as being questionable.
One such example is outlier access, which may be defined as an access assignment that differs by some degree from access that is held by a user’s cohort group, such as others with the same job title or others in the same department. Such an intelligence-driven certification would focus a reviewer’s attention on those items that matter most, perhaps even requiring multi-level certification based upon the sensitivity of the resource or the degree to which the access is an outlier.
Perhaps the most attractive aspect of intelligence-driven certifications is the potential to eliminate the need for an all-encompassing review altogether. Since the use of intelligence can segment access assignments into different groups based upon configurable criteria, why not use that intelligence as the basis for determining which access should be reviewed on an as needed basis? Sensitive resources can be reviewed on a monthly basis. Outlier access can be reviewed as soon as it is detected and the access can be removed immediately or approved for a given amount of time based upon configurable boundaries.
Intelligence-driven governance is a game-changer: it identifies and organizes access assignments into questions that focus reviewers’ attention on those things that matter most to the business. The use of intelligence changes the question from “Are all of these access assignments appropriate?” to questions like, “Should Bob have access to this server when he is the only one in the department with such access?”, “Sue has access to this file share just like all of her colleagues, but she’s the only one accessing it on the weekends; is that appropriate?” or “This resource has been identified as a highly sensitive resource and average utilization of this resource has increased over the past week; in particular, Joe & Fred have shown a 200% increase for this resource. Is that appropriate?”
In addition to the fact that the governance process can evolve from a high-level check to very specific queries, the addition of intelligence ensures that these specific questions are asked at the time the events are happening, such that anomalies can be addressed immediately before they become a catastrophe.
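The sectioned certification described above, worked through as an added example (this is not Courion's code or the Access Assurance Suite's logic). It takes a constructed directory snapshot and entitlement list, measures for each user/resource assignment how many of the user's cohort (same job title) hold the same resource, and sorts the assignment into an "aligned", "sensitive" or "outlier" section. The user names, resource names, sensitivity list and the two thresholds are all assumptions made for the example.

```python
"""Added example (not Courion's code): sort access assignments into the
certification sections the post describes: aligned with peers, sensitive
resource, and outlier. Every name and value below is constructed."""
from collections import defaultdict

# Constructed directory snapshot: user -> (job_title, department)
USERS = {
    "alice": ("Marketing Analyst", "Marketing"),
    "bob":   ("Marketing Analyst", "Marketing"),
    "carol": ("Marketing Analyst", "Marketing"),
    "dave":  ("Marketing Analyst", "Marketing"),
    "erin":  ("Finance Analyst", "Finance"),
    "frank": ("Finance Analyst", "Finance"),
}

# Constructed entitlements: user -> set of resources the user holds
ENTITLEMENTS = {
    "alice": {"mkt-share", "mkt-printer", "srv-web01"},
    "bob":   {"mkt-share", "mkt-printer", "srv-web01", "srv-fin01", "sales-crm"},
    "carol": {"mkt-share", "mkt-printer", "srv-web01"},
    "dave":  {"mkt-share", "mkt-printer", "srv-web01"},
    "erin":  {"fin-share", "srv-fin01"},
    "frank": {"fin-share", "srv-fin01"},
}

# Resources the organisation has classified as highly sensitive (constructed)
SENSITIVE = {"srv-fin01"}

ALIGNED_THRESHOLD = 0.75   # peer share at or above this counts as "aligned"
OUTLIER_THRESHOLD = 0.25   # peer share at or below this counts as "outlier"


def peer_share(user, resource, key=0):
    """Fraction of the user's cohort that also holds `resource`, excluding
    the user. key=0 compares by job title, key=1 by department."""
    cohort_value = USERS[user][key]
    peers = [u for u in USERS if u != user and USERS[u][key] == cohort_value]
    if not peers:
        return 0.0
    holders = sum(1 for p in peers if resource in ENTITLEMENTS[p])
    return holders / len(peers)


def classify(user, resource):
    """Return the certification section for one user/resource assignment.
    Sensitivity takes precedence: a sensitive resource always gets full
    scrutiny, even when every peer holds it. Assignments between the two
    thresholds land in a generic 'review' section."""
    if resource in SENSITIVE:
        return "sensitive"
    share = peer_share(user, resource)
    if share >= ALIGNED_THRESHOLD:
        return "aligned"
    if share <= OUTLIER_THRESHOLD:
        return "outlier"
    return "review"


def build_certification():
    """Group every assignment into sections keyed by required attention."""
    sections = defaultdict(list)
    for user, resources in ENTITLEMENTS.items():
        for resource in sorted(resources):
            sections[classify(user, resource)].append((user, resource))
    return dict(sections)


if __name__ == "__main__":
    # Print the sections most in need of attention first
    cert = build_certification()
    for section in ("sensitive", "outlier", "review", "aligned"):
        for user, resource in cert.get(section, []):
            print(f"{section:9s} {user:6s} {resource}")
```

With this data, "bob"'s `sales-crm` entitlement is the only outlier (none of the other Marketing Analysts hold it), the three `srv-fin01` assignments land in the sensitive section regardless of how common they are among Finance Analysts, and everything else is aligned with peers. Changing the cohort key to department (`key=1`) is how one would ask the "only one in the department" question from the post instead of the job-title version.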
In my final installment of this 3-part series, we’ll focus on the use of intelligence as a means to reduce risk.
There are so many reasons to join us at CONVERGE May 19 - 21. And now we are happy to announce yet one more: Mike Rothman, President of the analyst firm Securosis, will join us on Thursday May 21st to discuss “The Future of Security”.
Mike specializes in what he irreverently describes as the “sexy” aspects of security, like protecting networks and endpoints, security management, and compliance. Mike will bring his “cynicism about the state of security and what it takes to survive as a security professional” to his session at CONVERGE 2015. Don’t miss it.
Sign-up before April 30 to save $100 on your registration fee.
Here are ten more reasons to join us:
1. Mix and mingle with fellow Courion customers
2. Learn what’s next in the Courion Access Assurance Suite
3. Take advantage of Tech Tuesday, a full day of deep dive technical workshops, and become an IGA ninja!
4. Network with industry IS peers in our popular ‘Birds of a Feather’ sessions on Wednesday May 20th
5. Laugh during a set of “application-specific comedy” with Don McMillan of Technically Funny on Wednesday May 20th at 4:00 p.m.
6. Meet new members of the Courion executive team
7. Earn 15 hours of continuing professional education (CPE) credits good towards maintaining professional certifications such as CISSP or CISM
8. Connect with solution partners such as IDMWorks, Ping Identity, Lieberman Software, Radiant Logic, SecZetta and Secure Reset.
9. Learn about Courion customer experiences firsthand in case studies and a special customer panel on intelligence
10. Enjoy fabulous food and exciting entertainment. It’s Vegas–need we say more?
See you there!
CONVERGE, our perennially popular annual customer conference, happens Tuesday May 19th to Thursday May 21st at the Cosmopolitan Hotel in Las Vegas. Click here to register and take advantage of a $150.00 discount if you sign-up before March 31st.
CONVERGE provides a great opportunity to mix and mingle with your peers and industry thought leaders. We’re bringing together noted authorities in identity governance and administration to share their expertise, and we’ll provide a peek into what’s new at Courion and in the field of security.
Need to earn (ISC)² Continuing Professional Education credits toward your CISSP or other professional certification? On Tuesday May 19th we are offering a full day dedicated to technical training and workshops, including a deep dive into the Courion Access Assurance Suite so you can fully exploit this market-leading IGA suite’s capabilities. Tech Tuesday at CONVERGE provides the ideal opportunity to earn those CPE credits and we’ll be happy to submit the needed paperwork.
Our conference theme, Know the Odds – Win with Risk Aware IAM is based on the notion that in this age of the Internet of Things, it’s essential to have concrete insight into your IAM infrastructure so you can better protect your company from access risks that may lead to a data breach. Courion’s intelligent IAM provisioning and governance solutions, powered by the award-winning identity analytics solution, Access Insight, provides the knowledge you need to see exactly where threats are hiding so you can identify, quantify, and reduce risk.
So come, join us in Vegas and register today!
To learn more, go to http://www.courion.com/CONVERGE.
Venkat Rajaji is Vice President of Product Management & Marketing for Courion.
This is the first installment of a 3-part series that explores how intelligence improves IAM. In part 1 we’ll look at how intelligence improves the provisioning portion of IAM, including the access request and the approval process, which helps to ensure that the right people have the right access to the right resources.
Before we dive in, let’s look back at an excerpt from a previous blog about what makes intelligent IAM intelligent and refresh our memories about why IAM needs to be intelligent.
Fundamentally, IAM is a resource allocation process that operates on the simple principle that people should only have access to the resources they need in order to do their job. Therein lies one of the problems: without intelligence, IAM operations are inconsistent and can be easily corrupted, resulting in decreased efficiency of workers, increased risk to the corporation (more on that later) or both.
A non-intelligent IAM provisioning process is typically inconsistent and often results in the overprovisioning of access because the downside of insufficient access is frustration and inefficiency while the downside of too much access tends to be invisible – until something happens. The contributing factors that lead to such inconsistency and overprovisioning include a rigidly structured provisioning process combined with unguided human judgment that devolves into rubber-stamp approvals. The solution to this problem is to enhance the provisioning process with intelligence, which guides the human decision-making and provides a feedback loop that helps the provisioning process adapt to evolving business operations.
A non-intelligent provisioning process often starts with an unstructured shopping expedition that enables a user to see and request access to almost any business resource. The access request is then routed through an approval process and ultimately scheduled for fulfillment. Such a process relies on users to find and request access to appropriate resources coupled with a reliance upon approvers to catch any anomalies, such as requests that provide the recipient with access to a resource that they don’t need to do their job. If the goal is to ensure that the right people have the right access to the right resources, how well do you think a non-intelligent provisioning process satisfies that goal?
By contrast, intelligence improves all aspects of the provisioning process. Envision an access catalog organized into groupings that provide access to something meaningful to the business, such as a user account on a server, read & write privileges to a file share or even all the access needed to function as an Executive Assistant or a Marketing Analyst. IAM intelligence is derived from the breadth and depth of the IAM data that is collected and processed into useful information. Starting with the access request, intelligence can guide the user toward appropriate resources while warning them about or even preventing them from seeing inappropriate resources. Utilizing a user’s job code or department coupled with knowledge about the user’s peer group and their collective access, an intelligent access request process can suggest, for example, that a user with the job title Marketing Analyst needs access to the marketing printer, the marketing file share as well as accounts on specific servers. While the user may still be able to request access to other resources, the user is not left unguided to try and determine which resources are appropriate. An intelligent access request process can be compared with a visit to Amazon.com, where suggestions are made based upon knowledge about the user as well as knowledge about similar users (e.g., those in the same department or those who have the same job code). Consequently, an intelligent access request process is far more capable of satisfying the goal of ensuring that the right people have the right access to the right resources.
While users may be better positioned to request access to appropriate resources, they may still be able to request access to other resources. However, an intelligent approval process helps ensure that such access requests are also approved or denied in accordance with business policies. While a non-intelligent approval process typically follows a prescribed approval sequence, an intelligent approval process can auto-approve certain requests (e.g., access that was suggested during the access request process) while requiring a more robust approval sequence for other requests. Applying intelligence to the approval process enables the approval sequence to adapt to each individual access request based upon the anomalous nature of each request. As an example, a user in the marketing department requesting access to the sales server will require more approvals than that same user’s request for access to the marketing server and fewer approvals than that same user’s request for access to the finance server.
An intelligent provisioning process adapts to evolving business operations by utilizing knowledge about the user, the user’s peer group and their access, the sensitivity of corporate resources and the associated risk should those resources be compromised. All of this information is combined with the knowledge of who has access to which resources and how those resources are being used, which determines how the overall business risk is trending. The end result is an intelligent provisioning process that is well-suited to meet the overarching business goal of ensuring that the right people have the right access to the right resources.
In my next installment of this 3-part series, we’ll focus on how intelligence improves the governance process.
In response to the now near-daily revelations of data breaches, ‘security monitoring’ and ‘security analytics’ have been getting plenty of air time on social networks and in the media. In the minds of most, security analytics is all about malware detection, event log analysis and event management.
While those security measures are all needed and necessary, I think one crucial security analytics resource is missing from the equation: identity analytics and intelligence, or IAI.
Many of the recent data breach attacks show similar patterns. They often start with a phishing attempt after the attacker has researched the subject on personal, professional and social media sites. The cyber criminal then uses this information to create a phishing attack based on what they’ve learned, often a sophisticated email to a contact that appears to come from the subject.
This email often includes a link or file that once clicked launches some form of malware or command-and-control technology used to take over the victim’s system to then crawl the network for more valuable user targets and information. The attacker moves within the network to identify high value target resources, further exploiting vulnerabilities as needed to gain access to those resources. The cyber criminal then packages up the valuable data and exfiltrates or removes it. This process can take days or weeks, as needed, because cyber criminals typically go unnoticed until they are long gone.
Security analytics has focused heavily on identifying malware or viruses to address the initial compromise stage, when the cybercriminal is first establishing a foothold on the target user’s computer. Security information and event management (SIEM) solutions and deep packet inspection solutions focus on the later stages of a cyber attack when data is being packaged up and exfiltrated.
But none of these solutions focuses on the crucial middle stages where the attacker is gaining undetected access to the rest of the company’s IT infrastructure, using exploits and password cracking to acquire administrator privileges, and moving laterally to expand control to other computers and servers.
This is precisely where identity analytics and intelligence and continuous monitoring come in.
The 2014 Verizon Data Breach Investigations Report (DBIR) showed that two out of three breaches involved attackers using stolen or misused credentials. As Jay Jacobs, a co-author of the report said in an interview with Dark Reading, "Trying to get valid credentials is part of many styles of attacks and patterns. To go in with an authenticated credential opens a lot more avenues, obviously. You don't have to compromise every machine. You just log in."
Therefore, we need improved IAM controls and continuous monitoring to understand what is really happening with users and their access, but the challenge is, traditional identity and access management has been event driven (hire, fire, relocate) or audit driven (periodic review, once or twice a year). This is simply not adequate for detecting the kind of changes to access that may indicate a cybercriminal is on the prowl.
Identity analytics and intelligence enables you to continuously monitor users and their access and clearly see when a user’s activity departs from the norm, when a user’s access is elevated to gain privileged access, when a user has more access than is warranted given his or her responsibilities, or other suspicious access activity.
Also, identity analytics and intelligence enables you to look at a particular user’s access behavior in the context of other factors, such as whether that access behavior is typical of a user in that role, with that job title, or in that geographic location. These are the kinds of details that enable you to better understand whether it is the user acting, or the account being manipulated by a nefarious player.
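A minimal version of the continuous-monitoring pass just described, added here as an example (it is not Courion's code). A baseline of normal resources and locations is learned per role from a constructed history of identity events; new events are then checked for privilege elevation (membership added to a privileged group) and for departures from the role's baseline (a resource or location no one in that role has used). The roles, group names, locations and events are all assumptions made for the example.

```python
"""Added example (not Courion's code): a small continuous-monitoring pass
over identity events. Normal resources and locations are learned per role
from historical events; new events that elevate privilege or depart from the
role's baseline are flagged. All names and events below are constructed."""
from collections import defaultdict

# Constructed directory: user -> role
ROLES = {"alice": "analyst", "bob": "analyst", "carol": "analyst", "dan": "dba"}

# Groups whose membership grants privileged access (constructed names)
PRIVILEGED_GROUPS = {"Domain Admins", "DB Admins"}

# Constructed historical events used to learn what is normal for each role.
# Each event is (user, kind, target, location); kind is "login" or "group_add".
HISTORY = [
    ("alice", "login", "srv-web01", "Boston"),
    ("bob",   "login", "srv-web01", "Boston"),
    ("carol", "login", "srv-web01", "Boston"),
    ("alice", "login", "mkt-share", "Boston"),
    ("bob",   "login", "mkt-share", "Boston"),
    ("dan",   "login", "db-prod01", "Boston"),
    ("dan",   "login", "db-prod01", "Austin"),
]


def learn_baseline(events):
    """Per role, the set of resources logged into and locations seen."""
    resources = defaultdict(set)
    locations = defaultdict(set)
    for user, kind, target, location in events:
        role = ROLES[user]
        if kind == "login":
            resources[role].add(target)
        locations[role].add(location)
    return resources, locations


def evaluate(event, baseline):
    """Return the findings for one new event (empty list when it is normal)."""
    resources, locations = baseline
    user, kind, target, location = event
    role = ROLES[user]
    findings = []
    if kind == "group_add" and target in PRIVILEGED_GROUPS:
        findings.append(f"privilege elevation: {user} added to {target}")
    if kind == "login" and target not in resources[role]:
        findings.append(f"unusual resource for role {role}: {user} -> {target}")
    if location not in locations[role]:
        findings.append(f"unusual location for role {role}: {user} from {location}")
    return findings


def monitor(new_events, history=HISTORY):
    """Run new events against the learned baseline; findings keyed by user."""
    baseline = learn_baseline(history)
    report = {}
    for event in new_events:
        findings = evaluate(event, baseline)
        if findings:
            report.setdefault(event[0], []).extend(findings)
    return report


# Constructed "today" events: one normal, three that should be flagged
NEW_EVENTS = [
    ("alice", "login", "srv-web01", "Boston"),        # normal for an analyst
    ("bob", "group_add", "Domain Admins", "Boston"),  # privilege elevation
    ("bob", "login", "db-prod01", "Boston"),          # not an analyst resource
    ("carol", "login", "mkt-share", "Dublin"),        # location never seen for role
]

if __name__ == "__main__":
    for user, findings in monitor(NEW_EVENTS).items():
        for finding in findings:
            print(user, "|", finding)
```

The point of keying the baseline by role rather than by individual user is the one the post makes: "bob" logging into `db-prod01` is unremarkable for a DBA but stands out for an analyst, and that context is what separates a user doing new work from an account being driven by someone else. In practice the history window would be a rolling one and the baseline recomputed on a schedule, which this example leaves out.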
Today’s definition of security analytics needs to include identity analytics and intelligence. The bad guys use every tool at their disposal, shouldn’t you?
Gartner, a leading information technology research and advisory firm, issued the 2015 Gartner Magic Quadrant for Identity Governance and Administration (IGA) on January 12th.
Courion was recognized as a leader by Gartner for a remarkable 10th time.
Perhaps that recognition has something to do with the fact that the Access Assurance Suite™ performs superbly across a wide range of use case scenarios. Or maybe it has something to do with the fact that organizations that use Courion solutions are highly satisfied and give our support high marks, or that our customers would recommend the Access Assurance Suite to others.
Regardless of the factors that played a role in the analyst alchemy that resulted in Courion being recognized as a leader this year, and a total of 10 times since 2007, we are grateful.
It is external affirmation of our commitment to excellence in provisioning, governance and identity analytics solutions that have made our customers successful. And we can help you be successful, too.
Most organizations have to demonstrate that they are compliant in an increasingly regulatory landscape. An important objective of compliance efforts is to ensure that the right people have appropriate access, particularly to high-risk applications and sensitive data such as cardholder information and personal health information. To satisfy these regulatory requirements, organizations conduct periodic reviews, typically every six months or a year, in which managers and other authorized personnel periodically review users’ access and attest to whether those access rights are correct.
Based on media accounts, the number of security breaches per year is increasing dramatically. In many of these breaches, it has become apparent that the breached organizations were unaware that a security breach occurred. So why is this the case? Why are organizations more susceptible to breaches, even after performing periodic certification reviews and essentially passing audits?
The reason is the significant surge in the volume, variety and velocity of information. The Big Data storm has made it extremely challenging, if not impossible, for organizations to enforce high security standards while also achieving a high level of productivity. Much can change with users, their roles and responsibilities, their access rights and the resources they access in the time in-between periodic access reviews.
Hence, even though users’ access information is presented to reviewers, there is typically no context around that information. Reviewers do not quite know how or why or when users obtained the access. In fact, a recent survey conducted by Courion found 43 percent of IT Security executives agreeing with the statement that their organization is unaware of when access privileges are increased or when access behavior departs from the norm. In addition, the volume of data that is presented is considerable, if not overwhelming. These reasons invariably drive reviewers to rubber stamp. Clearly, this is not an effective tactic to truly mitigate organizational risk.
What organizations need is a continuous and comprehensive approach to identify access risks and employ preventative controls to mitigate those risks. The Courion Access Assurance Suite provides organizations with the ability to automatically revoke inappropriate access and/or perform risk-based certification reviews when a policy violation occurs or when a threat is detected.
Risk-based certification reviews provide complete context around the information being reviewed, thereby enabling managers to make more educated and informed decisions on whether a user’s access is appropriate or not. By performing these narrowly focused risk-based certification reviews on a continuous basis, organizations can not only satisfy audit requirements, but also mitigate potential risks in a more intelligent and efficient manner.
At last week’s Gartner IAM Summit in Las Vegas, it was fascinating to see how the conference has grown. Over 1,200 attendees made this the largest Gartner IAM event to date, which says there is a huge amount of interest in identity and access management. Many were there to understand the basics, but there was plenty for IAM professionals looking to strategize for the future and who are seeking to maximize their IAM investment.
The highlights for Courion were two presentations that attracted close to 200 attendees. One was a case study featuring our own Kurt Johnson and Mark Teehan, an IAM Program Manager from Harvard Pilgrim Health Care.
In the presentation Mark described how his organization, a health benefits company that serves more than 1.2 million members, expanded its IAM program to reduce access risk across the organization by constantly monitoring and analyzing data generated by its IAM systems. The company has moved beyond provisioning and certification by implementing tools and processes to proactively identify and remediate the access issues that lead to business risk. For example, the organization has reduced orphaned and abandoned accounts and established a management process for system and non-human accounts, and has reduced accounts with privileged capabilities and those with unnecessary access. The session really resonated with attendees, judging by the number of questions and post-session conversations that occurred.
I held a lunch session that described how to assess risk before an IAM implementation. I reviewed how an Identity and Access Intelligence solution can help diagnose access risk in any organization and how an organization can take the findings from that diagnosis to formulate an actionable remediation plan. I spoke with a number of attendees who are working on the basics of IAM but who can clearly see the value of being more proactive. These attendees confirmed their desire to eventually deploy a continuous monitoring solution to address access risk.
For conference attendees who missed either session, or anyone who is interested in the topic, I highly recommend tuning into our upcoming webinar:
Tim Callahan, CISO of Aflac, and Kurt Johnson, VP of Strategy for Courion will present, Keep a Constant Vigil: Risk-Aware IAM on Monday December 15th at 11:00 a.m. Eastern.
This webinar will help an IAM professional at any level. I hope you can tune in!
We recently conducted a survey and the findings reveal that while IT security executives understand the risk factors that lead to a data breach, their organizations may not be able to effectively remediate those access risks. Here's an infographic that highlights some of the findings:
Click here to view the complete survey findings.
A theme that is echoed over and over again in Identity and Access Management is that organizations do not have a comprehensive view of what is actually ‘in’ their environment.
For example, quite often they are unable to reliably answer fundamental questions such as:
• Who has access to what?
• Are there active, but abandoned accounts?
• Are there ungoverned privileged accounts?
• Do people have more access than they should when compared to what their peers have?
• Are there unused entitlements and if so what are those?
This is only a small subset of the questions that organizations strive to answer, and uncovering such information often highlights inefficient and sometimes even broken processes, for example:
• Contractor accounts are not disabled correctly. This may lead to active but abandoned accounts.
• Administrators grant administrative privileges directly in target systems, circumventing a request approval process. This may lead to un-governed privileged accounts.
• Employees perform different job functions over the course of their tenure in the organization and access may not have been revoked appropriately. This may lead to people having excessive access when compared to what their peers have.
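Three of the questions above (abandoned accounts, ungoverned privileged accounts, unused entitlements) plus the basic "who has access to what", answered over constructed data as an added example; this is not Courion's code. It reconciles a target-system snapshot (accounts, their group memberships, last login) against the IAM request records that approved those grants, which is how a directly granted admin privilege with no approval behind it shows up. The account names, groups, dates and the 90-day staleness window are all assumptions made for the example.

```python
"""Added example (not Courion's code): answer the inventory questions from
two constructed feeds, a target-system snapshot and the IAM approval
records. All accounts, groups and dates below are constructed."""
from datetime import date, timedelta

TODAY = date(2015, 3, 1)               # fixed "now" so the example is reproducible
STALE_AFTER = timedelta(days=90)       # assumed staleness window
PRIVILEGED_GROUPS = {"Domain Admins", "sql-sysadmin"}

# Target-system snapshot: account -> attributes (constructed)
ACCOUNTS = {
    "alice":      {"type": "employee",   "active": True,  "end": None,
                   "groups": {"mkt-users"}, "last_login": date(2015, 2, 27)},
    "c-jones":    {"type": "contractor", "active": True,  "end": date(2014, 12, 31),
                   "groups": {"mkt-users"}, "last_login": date(2014, 12, 30)},
    "svc-backup": {"type": "system",     "active": True,  "end": None,
                   "groups": {"Domain Admins"}, "last_login": date(2015, 2, 28)},
    "bob":        {"type": "employee",   "active": True,  "end": None,
                   "groups": {"mkt-users", "sql-sysadmin"}, "last_login": date(2015, 2, 26)},
    "erin":       {"type": "employee",   "active": False, "end": None,
                   "groups": {"fin-users"}, "last_login": date(2014, 10, 1)},
    "dave":       {"type": "employee",   "active": True,  "end": None,
                   "groups": {"mkt-users"}, "last_login": date(2014, 11, 1)},
}

# (account, group) grants that went through the IAM request/approval process
APPROVED = {("alice", "mkt-users"), ("c-jones", "mkt-users"), ("bob", "mkt-users"),
            ("erin", "fin-users"), ("svc-backup", "Domain Admins"), ("dave", "mkt-users")}

# Last observed use of each (account, group) entitlement (constructed)
LAST_USED = {
    ("alice", "mkt-users"): date(2015, 2, 27),
    ("bob", "mkt-users"): date(2015, 2, 26),
    ("bob", "sql-sysadmin"): date(2014, 9, 15),
    ("svc-backup", "Domain Admins"): date(2015, 2, 28),
}


def who_has_access(group):
    """Accounts holding `group` in the target system."""
    return sorted(name for name, a in ACCOUNTS.items() if group in a["groups"])


def abandoned_accounts(today=TODAY):
    """Active accounts nobody should be using: the contract has ended, or
    there has been no login within STALE_AFTER."""
    found = []
    for name, a in ACCOUNTS.items():
        if not a["active"]:
            continue
        if a["end"] is not None and a["end"] < today:
            found.append((name, "contract ended"))
        elif today - a["last_login"] > STALE_AFTER:
            found.append((name, "no login in 90 days"))
    return found


def ungoverned_privileged():
    """Privileged group memberships with no approved request behind them,
    i.e. granted directly in the target system."""
    return sorted((name, g) for name, a in ACCOUNTS.items()
                  for g in a["groups"] & PRIVILEGED_GROUPS
                  if (name, g) not in APPROVED)


def unused_entitlements(today=TODAY):
    """Entitlements never observed in use, or not used within STALE_AFTER."""
    found = []
    for name, a in ACCOUNTS.items():
        for g in a["groups"]:
            last = LAST_USED.get((name, g))
            if last is None or today - last > STALE_AFTER:
                found.append((name, g))
    return sorted(found)


if __name__ == "__main__":
    print("mkt-users:", who_has_access("mkt-users"))
    print("abandoned:", abandoned_accounts())
    print("ungoverned privileged:", ungoverned_privileged())
    print("unused entitlements:", unused_entitlements())
```

Each finding maps to one of the broken processes listed above: the contractor whose end date passed while the account stayed active, the `sql-sysadmin` membership that exists in the database but never passed through a request, and entitlements that are held but not exercised. The inactive account "erin" is skipped by the abandoned-account check but still surfaces under unused entitlements, which is deliberate: a disabled account that retains group memberships is one re-enable away from having that access again.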
Over the past decade, many organizations have employed some level of automation. In traditional IAM, automation may help streamline certain processes, but it does not provide a continuous and comprehensive solution to address and mitigate all access risk issues. It is essential to realize that while automation can be a boon to organizations, automating inaccurate and broken processes can be a bane.
The key is to adopt an approach that combines strong fundamental IAM capabilities and access intelligence. Organizations must not only understand ‘what’ is in their environment and remediate policy violations, but also identify inefficient and broken processes and employ strong fundamental IAM strategies to appropriately address those. Yes, this is a shift from the traditional approach, but it will enable organizations to focus on the most important areas and mitigate risk quickly and effectively.