Posted by Kurt Johnson - VP Strategy on Wed, Feb 24, 2010
Okay, before I dive in, a bit of a mea culpa here. I know and understand that part of the responsibilities of authoring a blog is frequency. Woops. Given my last entry was back in October, and that was the first since May, I'm not sure I'm really doing too well here. Is the end of February still an opportunity for a New Year's Resolution? Well, the journey back starts with a first step, right? So, why not start with a late February, 2010 entry about a court ruling filed back in September, 2009?
To be fair, it's not like I regularly scan the US Court of Appeals findings on a regular basis, and the following story didn't make front page headlines. But, at a recent CSO Breakfast Club meeting this case was brought up and inspired me to take a deeper look. It was interesting reading.
Seems LVRC Holdings (which operates a residential treatment center for addicted persons in Nevada) filed a lawsuit against a former employee Christopher Brekka. LVRC alleged that Brekka violated the Computer Fraud and Abuse Act (CFAA) by accessing LVRC's computer "without authorization" both while Brekka was employed at LVRC and after he left the company.
LVRC alleged that Brekka exceeded authorized access by emailing sensitive documents from his work computer to a personal computer as well as accessing accounts without authorization after he left the company. Amongst other accusations, LVRC alleged that Brekka, who left the company in September, 2003, accessed critical resources by using an account cbrekka@fountainridge.com which was discovered in November, 2004, more than a year after Brekka left. It was at this point that the account was disabled.
What makes this interesting is the Court ruling. The US Court of Appeals ruled in favor of Brekka. In their ruling they state that "authorization" is defined in the dictionary as "permission or power granted by an authority." Based on this definition, an employer gives an employee "authorization" to access a company computer when the employer gives the employee permission to use it, which LVRC did for Brekka. The Court further ruled that, "It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or ‘without authorization'." Additionally it states, "If the employer has not rescinded the defendant's right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA."
What does all this legal stuff mean? Basically, by the fact that LVRC did not disable the access of Brekka when he left the company, the Court states that Brekka's continuing to use this access did not constitute a criminal or illegal action. Because it was originally granted, that account, my remaining active, essentially grants an employee the ability to keep using it, because in the Court's opinion that user "would have no reason to know" that using the account was a violation.
This seemingly obscure ruling has major ramifications for organizations around managing Zombie accounts (accounts that stay active for users that are no longer with the organization). Given the highly sensitive amount of information that various accounts grant access to, it is imperative that these accounts be disabled immediately when someone leaves the organization. In this Brekka case the account in question was an administrative account that seemingly offers significant access privileges. Without this, they could have no recourse in pursuing legal action against former employees who might misuse such access rights and data access.
There are easy ways to address this. An ongoing access certification by business managers would have identified the fact that Brekka's account was still active after he left the organization. By automating the account disablement process ensures that accounts are turned off immediately upon an employee being terminated or leaving the organization. By the mere fact that LVRC did not institute such practices, a critical account was allowed to stay open, and even though the former employee was alleged to be misusing these privileges, by not following its policies or detecting violations to them, an account was left active. As the Court states, by leaving this account active, it was not considered unauthorized access just because the employee was no longer with the firm.
It doesn't make sense to have a policy if you're not following it. A lax access assurance strategy inevitably can lead to trouble, and may even limit was legal recourses a firm can take.
Posted by Bob Craig - Dir Prod Marketing on Thu, Feb 04, 2010
This week Dave Kearns wrote a column, User provisioning: right access to the right people, where he outlined some of the key benefits of provisioning, namely: improving productivity and reducing risk. Dave makes the point that productivity is improved by providing new employees with Day One access to various IT resources (email, laptop, enterprise applications, databases, etc.), while risk is reduced by reconfiguring or removing access rights when an employee changes roles or leaves the company.
Dave is absolutely right regarding these benefits, but there are a few other benefits he didn't discuss that are worth pointing out in more detail.
One benefit which we hear regularly from our customers is that automated provisioning significantly reduces the time and effort required to manage user access rights. The result is that they are able to drastically reduce the number of staff dedicated to the provisioning process. In one instance, a $2 billion provider of senior living services was able to reduce headcount from 5 FTEs to 0.5 FTEs, saving hundreds of thousands of dollars annually. In another, a large regional bank was able to double their provisioning coverage from 100 to more than 210 applications and justified the investment to their management through reduced headcount (see Creating Budget Where None Exists).
Another key benefit is in access compliance. Whether your company needs to comply with internal policies, audit findings, or industry and government regulations, you need to ensure that user access rights are being managed appropriately. While provisioning isn't required to be compliant, one of the benefits you can achieve is assuring that users are initially only granted access rights that are needed to do their jobs. This preventative control lowers risk, reduces the potential that you may fail a security audit, and helps streamline the access certification process.
Posted by Bob Craig - Dir Prod Marketing on Fri, Jan 08, 2010
The industry analyst landscape has been going through some major changes lately. In the latest development, Gartner has acquired Burton Group shortly after snapping up AMR Research in December.
As a leader in the identity and access management (IAM) market, Courion has had positive, fruitful relationships with the IAM analysts at both firms. We have a great deal of respect for the breadth of knowledge and customer service focus demonstrated by both groups of analysts and are proud of Courion's market leadership positioning in the Gartner Magic Quadrant for Provisioning and Burton's Market InSight user provisioning report.
Burton provided a valuable, independent perspective which we, many of our customers (and, yes, even our competitors), relied on for an alternative point of view. They have long had a reputation for a high level of technical expertise, while Gartner has generally placed more emphasis on the strategic business impact of IAM. While we will miss the opportunity to compare and contrast Burton's free-wheeling, technological approach with Gartner's corporate viewpoint, the combination of these points of view has the potential to significantly strengthen Gartner's IAM and other security capabilities.
We think both outlooks have a place in the market and hope that Gartner employs a "big tent" strategy that accommodates diverse points of view. Knowing the Gartner team as we do, we are optimistic they will work hard to make the Burton analysts feel welcome. It would be unfortunate if some of the exceptional, creative Burton analysts felt that their perspective wasn't appreciated at Gartner.
However this event turns out, we wish our colleagues in both organizations well and look forward to continuing to work them in the future.
Posted by Chris Sullivan - VP Customer Solutions on Thu, Jan 07, 2010
Here's an old adage that we've all heard - the value of the whole exceeds the sum of the parts. Is it true? Well, according to the governments of the United States and Japan it is. If you include the skin, the human body is comprised of 65% oxygen, 18% carbon, 3% nitrogen and 9 other common and inexpensive elements down to a mere 0.00004% Iodine. Taken in their parts, 170 lbs of that is worth about $4.50.
But if you put it together in the right way, you can come up with the likes of Einstein, a Warren Buffet, a Gandhi, a Mother Theresa, an Alfred Bernhard Nobel.
It's similar in our space. We have all the elements - provisioning, compliance, role management, governance, sensitive data analysis, sensitive activity analysis, entitlement management and even security in the cloud (which we all know to be the next big thing until the next big thing comes along). Where we are collectively weak is the ability to put all of these things together in sophisticated ways where the whole exceeds the value of the sum of the parts - and by a whole lot.
With that, here are my 3 predictions for 2010:
- 2010 will not be about the cloud. We've been living in the clouds for years and Courion has already has been weaving our customer's provisioning, access
compliance and access assurance frameworks into those clouds with connectors like GE Pharmacy, Fedlink, Equifax and Salesforce. That's not interesting.
- Companies will take advantage of commoditized pricing for custom connectors to dramatically increase the systems and applications for which they automate
compliance, risk management and controls today.
- Companies will realize a dramatic increase in the value of what they already have by pulling together all of the elements in sophisticated ways to assure access
and predict and remediate risk before breaches occur - Identity Intelligence and Analytics will be the next real big thing.
Did you know?
I presume you know that the Nobel Prizes (including the coveted Nobel Peace Prize) come from the institute of the same name. But did you know that the philanthropist who founded the institute was also the inventor of dynamite and he made his fortunes in the 1800s as a major arms manufacturer and dealer?
Define irony.
Posted by Todd Chambers - CMO on Wed, Dec 23, 2009
Melissa Hathaway served as Senior Advisor to the Director of National Intelligence and Cyber Coordination Executive during the administration of President George W. Bush, and as Acting Senior Director for Cyberspace for the National Security Council during the administration of President Barack Obama.
In her recently posted perspective on the state of cybersecurity ("Five Myths About Cybersecurity") published in the ExecutiveBiz Blog she highlights the following:
- Myth 1: Consumer protection exists in cyberspace
- Myth 2: Firewalls and virus scanners protect my computer and my enterprise
- Myth 3: My government has the solution and will protect me
- Myth 4: Physical assets are more valuable than information
- Myth 5: Laws are keeping pace with technological innovation
It is interesting to note that she specifically points out that "Few software programs protect us from the insider threat..." which according to a Verizon Business Breach Survey, accounts for approximately a third of all breaches.
This is especially concerning when you consider that a recent survey entitled "the global recession and its effect on work ethics", carried out by Cyber-Ark, found that 48% respondents admit that if they were fired tomorrow they would take company information with them. And a quarter of workers said that the recession has meant that they feel less loyal towards their employer.
It seems clear that protecting your organization from insider threats, and even external threats made possible by the inappropriate use of insider access (zombie accounts, weak password practices...) should be a key part of your Access Assurance strategy. The myth of being protected is not a strategy, so, how safe is your environment?
Posted by Todd Chambers - CMO on Fri, Dec 18, 2009
Companies' that work to mitigate risk in their business face numerous identity and access management challenges spanning Access Governance, Access Provisioning, and Access Compliance, but with each organization each of these areas will be prioritized differently. As you build your strategy it's important not to attack each challenge as if it were stand-alone and unaffected by other business imperatives. In other words, it's critical that your solutions allow you to "start anywhere" based on your unique business drivers and requirements, but also allow you to "go anywhere" in order to gain greater value by addressing the broader goals of your organization.
Take for example a company unable to demonstrate that their employees have only the minimum required access to company resources to do their jobs. On the surface this seems to be a straight forward access verification challenge of identifying who has access to what resources, and then asking the managers in the organization to vet the access, right? In actuality, this is just part of the process needed to appropriately assure that ONLY the right people have the right access to the right resources and are doing the right things with it.
When delivering an access verification solution you need to ask yourself, "How will we manage all the exceptions that it will clearly uncover?" And, "How will we manage it over time and in an automated fashion to accommodate the changes constantly taking place in our business?" The ultimate goal should be to enable the verification AND remediation of access regardless of your environment. Sure, you need to be able to send email alerts and link to help desk systems, but you also should have the ability to automatically change, disable, or delete access directly for any resource, with or without an existing automated provisioning solution. This approach will make your business more agile and effective (easier compliance adherence, increased efficiency and effectiveness) and at the same time reduce risk for the organization.
A "start anywhere, go anywhere" approach is a cornerstone of Access Assurance and is especially critical to success in today's environment where all businesses need to show incremental value on the way to their ultimate goals. Delivering successful programs that are cost effective, easy to manage, and deliver business results quickly, are great ways to increase security, compliance and business value, as long as they are an integrated part of your access assurance strategy. Not to mention, having multiple "wins" under your belt is always nice to have when requesting your next round of resources.
Posted by Bob Craig - Dir Prod Marketing on Thu, Dec 17, 2009
Recently, industry analyst Martin Kuppinger of Kuppinger-Cole, posted an article "CapEx and OpEx - the latest thing in IT buzzwords: On the economics of Cloud Computings," in which he discusses CIO's interest in new IAM offerings which allow them to avoid capital expenditures. In particular, Kuppinger points out that, "Cloud Computing offers a way of reducing capital expenditure for IT by getting out of costly leasing agreements or classic licensing contracts and switching to rental models while achieving as much security and flexibility as possible."
However, Kuppinger also warns, that, "...customers would be best advised to ask critical questions. Simply reducing CapEx doesn't always make the biggest business sense," to which we say, "Amen!" Just this past week, we blogged on the Ramifications of Cloud Computing, in which we discussed some of critical questions customers need to consider before adopting a cloud-based solution. While there are significant benefits to moving enterprise applications or identity management to a cloud platform, there are also risk and trust issues that you need to consider and work out with your cloud provider before there's a data breach, not after.
However, cloud computing is all about reducing, but not eliminating, the impact of IAM (and other applications) on your budgets. Wouldn't it be better to improve risk management and security without affecting your budget at all? For more on that, read the blog Creating Budget Where None Exists by Chris Zannetos, which discusses how a Courion customer "...automated access compliance and attestation and automated provisioning for over 100 applications - without spending a single budget dollar."
Posted by Bob Craig - Dir Prod Marketing on Mon, Dec 14, 2009
In my previous posting on Cloud Computing, I discussed some of the identity and access management (IAM) issues that arise from moving enterprise applications, particularly those containing sensitive data, to a cloud-based platform.
Now, I'd like to turn my attention to some of the same issues that come out of the emerging identity as a service (IaaS) trend, which entails delivering IAM services (user account provisioning, password management, single sign-on, access certification, etc.) using a cloud architecture.
Just as with any other application containing sensitive data, managing user identities via IaaS raises important risk and trust issues. By allowing an external service provider to manage your user's identities, you're essentially handing them the keys to the kingdom. You need to ensure that those keys will be kept safe and secure and that you will have complete and transparent control over the management of identities, in a way that is consistent with your acceptable level of risk.
You should also consider the ramifications if the service provider requires in-bound access to your data center in order to provision user accounts and access rights for internal applications. How will you monitor this activity and protect your internal systems from unauthorized external access?
And, just as with any other sensitive application, you need to know who at the service provider (i.e., system and database administrators) will have access to your user's identities, and what will they be able to do with them. Will user IDs and passwords be stored securely and encrypted? How will backup and recovery be handled? Are all identity transactions captured in a secure audit database? Who is responsible making sure only authorized users can obtain or change identities?
As part of your contractual negotiations, you need to define processes and procedures to protect you legally and financially. If there is a breach of your user's identities, who will be responsible and how will the costs be covered? Will you have access to the environment to perform the necessary forensics to determine the cause of the breach or will you have to rely solely on the service provider?
These are some of the questions that should be addressed as part of using IaaS to deliver your Access Assurance solution and we recommend you work with your service provider to make sure you clearly define how the processes of managing your user's identities will work.
Posted by Bob Craig - Dir Prod Marketing on Tue, Dec 08, 2009
Cloud computing is hot and enterprises (and many of their software suppliers) are moving enterprise applications to the cloud. Why? Because, cloud computing offers some attractive advantages. The economics can be very appealing, since by moving applications to a cloud provider, companies can reduce capital expenditures and pay for resources as they consume them. Because cloud applications typically run on a shared platform, cloud providers are able to deliver services at a lower cost. And, cloud applications deliver greater flexibility, since virtualization technology allows cloud providers to dynamically expand or reduce resources to meet fluctuating business needs, which is particularly appreciated by companies with seasonal spikes in utilization (such as retail during the holiday season).
At Courion, our concern is with how cloud computing affects your Access Assurance strategy. First we'll consider the identity and access management (IAM) ramifications of moving internal applications to an external cloud-based platform.
As we noted in a posting last April, (Bringing Clarity to the Cloud (Manifesto)), when you outsource crucial applications to an external provider (regardless of whether it's cloud-based or not) one factor you need to consider is how you'll manage the identities of users who require access to those systems, whether through provisioning, role management, access certification or password management. The good news is that the process of providing users with secure access to cloud applications is conceptually the same as with a traditional, in-house architecture. If you have an IAM infrastructure for managing users' identities, it should be able to do the same for a cloud, or any other web-based, application. You'll want assurance that you'll have the ability to automatically modify access rights when the user's role changes or revoke accounts when they leave the organization.
You should also weigh the risk associated with the data that you're moving to the cloud. Even though it's still your data, you're inevitably giving up some element of control over how that data is protected. You need to make sure that you can analyze the balance between risk and reward and evaluate the potential risk to your organization if there is a data breach in the cloud application.
For example, cloud service providers rely on their system administrators, just as you do in your own data center. Who will be the system administrators for the cloud application and what steps will be taken to prevent them, or other internal users, from unauthorized access to your sensitive data? If there is a breach, what kinds of forensic tools will be available to help you determine what happened?
Do you even know where the data will reside? Is there a possibility that the cloud provider might move your data to locations beyond your country borders to, for example, save costs? If that's the case, make sure you understand the legal ramification that arise when personal or private information (such as patient healthcare or customer financial data) crosses international boundaries.
Botton line: trusting your sensitive data to a cloud provider raises a mix of interesting questions, so make sure you consider them as part of your overall IAM and security policies and procedures. Sign up for our webinar on "Access Assurance in the Cloud" to learn more.
Posted by Chris Sullivan - VP Customer Solutions on Tue, Nov 03, 2009
This week, I was thinking about using a quote about the "burden of knowledge" to stimulate some thinking around managing risk or, more specifically, managing liabilities. Unfortunately, the term is not easily attributed to any one person. In some form, the term has been used by Nobel Laureates, heads of state and philosophers for literally thousands of years. What's more interesting is its use as a foundational element of legal systems all over the world.
For risk managers, this is important stuff. Your company can be found negligent and therefore liable for damages caused either directly or indirectly because of something you either knew or should have known. In such cases, legal systems consistently magnify findings against plaintiffs who are found to be "grossly" negligent.
What does all this mean? In legalese, ordinary negligence is for "want of great diligence" and gross negligence is for "want of slight diligence." Still unclear? So was I, so I called my lawyer and he gave me more mumbo jumbo. Then I called my nephew who is in law school and he said "Uncle Chris, if you should have known something you are negligent - you are liable. If you actually knew and did nothing, then you are grossly negligent - You are $&%!(d".
I get it now. So if you turn on a DLP solution and it generates 1,000,000+ critical alerts a week because there's lots of sensitive information moving around your company, then you are left with obvious 3 options:
- Eradicate the sensitive information that is, by the way, required to run your business
- Hire an army of security analysts to ferret out and address the small number of real concerns
- Shut off the DLP system because if there is one unaddressed misuse in those 1,000,000 alerts that you knew about.. You did nothing... You are $&%!(d
Think I'm being dramatic? This exact scenario was presented to me by the CIO of a Fortune 100 company less than a year ago. He chose option 3 and, not surprisingly, he does not want to be quoted for this article.
What if you buy some fancy new attestation software that will process data dumps of access rights from your key systems and help you identify risks? That's helpful right? Not if you don't remediate those risks. If you don't, then you knew, you did nothing and you are...
A more sensible approach would be to put in place an Access Assurance framework to ensure that the right people have the right access to the right resources and they are doing the right things:
- If your DLP system finds Protected Health Information then bounce it off the Identity Management solution to see if the people who have access to it are clinicians. In most cases, they will be and you've automated away most of the unnecessary work.
- What's the risk of verification if your access certification process finds issues and you can't automate the requisite remediation?
By thinking holistically, you can take an approach that automates away rote work to ensure that you do know what you should know and that you can deal with it efficiently and effectively.
Did you know?
- It's official, Bing is better than Google. When researching "burden of knowledge" I noticed that Bing returned 21,500,000 results while Google returned only 16,300,000. Probably either one would have been sufficient to get me started.
- "Knowledge burdens but wisdom frees one from the burden of knowledge" - Brother Sahajananda, Benedictine monk