This week at London’s Hotel Russell, the Identity Management 2014 conference brought together hundreds of technology professionals and security specialists across government and enterprises of all sizes and industries.
It was fascinating to hear from industry leaders discussing the next generation of Identity and Access Management, representing diverse firms and organizations such as ISACA, Visa Europe, Ping Identity, CyberArk, and beverage giant SABMiller.
A highlight for me was a session that included Nick Taylor, Director of IAM at Deloitte, and Andrew Bennett, CTO of global private bank Kleinwort Benson.
Taylor discussed the challenges that IAM professionals face in making access governance reviews business friendly, as often there is not enough context to understand the risks that they face. For example, an equities trader making lots of trades at a certain time of the day may be normal, but maybe not so normal if that trader is doing it from different locations or geographies.
Bennett supported that notion by pointing out that technical jargon can mask risk that exists, so he recommended that the financial services industry look into the concept of identity and access intelligence and start taking it on now. Adopting such a solution is not a case of throwing more tools at the problem; it is a matter of having the right tool to make sense of the mess.
It was also good to hear our partner Ping Identity’s session “It’s Not About the Device – It’s All About the Standards” and how modern identity protocols allow business and personal identities to be kept distinct.
Overall a good conference that provided attendees with lots of opportunity to learn best practices and hear how their colleagues are approaching identity management. But rather than waiting for next year’s conference, anyone can learn more in the near term by attending Courion’s upcoming webinar Data Breach - Top Tips to Protect, Detect and Deter on Thursday November 20th at 11 a.m. ET, 8 a.m. PT, 4 p.m. GMT.
“Too much to do, too few resources.”
This is a phrase that all too frequently comes up in the discussions that I have with IT staff in organizations around the globe. They feel never-ending pressure to improve security and service to the business, but usually with the same or fewer resources. This is a challenge that is especially glaring when trying to marry solid Identity and Access Management practices with current business processes.
For example, a security manager I spoke to at a large health organization was nearly brought to tears as he talked about the need to accurately track an ever-changing user population where the same person might move through multiple roles and through multiple access scenarios in the course of just a week. At another organization, a help desk manager I worked with wrestled daily with an avalanche of access requests from users who had no idea what access to request, and were seeking help from administrators who in turn had no idea what access users actually needed.
What’s often needed in these situations is an IAM program centered on incremental progress: one that provides some instant relief while also generating the time and resources needed so that the program can subsequently be expanded into a comprehensive solution. The key is to know where to begin, and to aim for quick business value. Those quick wins will help free up resources by simplifying and automating processes that typically soak up valuable manpower and time. Each incremental win then makes it easier to maintain momentum and expand user buy-in within the organization.
To get started with an IAM program that supports this kind of continuous improvement, you should first understand your identity and access landscape. By leveraging intelligence, as with Courion’s Access Insight, you can get an immediate evaluation of Microsoft Active Directory, a key system for most organizations. The dashboards included with Access Insight highlight potentially urgent security issues as well as IAM processes that may be broken. Access Insight integrates with the Access Assurance Suite or other IAM solutions so you can drill down to fix those broken processes and promptly disable access for terminations and properly manage non-employee access.
Another benefit of getting the big picture view of your identity and access landscape with Access Insight is to better understand who has access to what and to put automated processes in place to refresh that information at least daily. Even the most complex scenarios benefit greatly from putting rules in place that can automatically map access for 70-95% of the workforce. Allowances can be made for exceptions to be handled manually so that no one falls through the cracks.
With this real-time access information available as a foundation, you can then tackle any number of pain points. For example, most often, the onboarding and offboarding processes for user accounts cry out for attention. Offboarding, both planned and unplanned, is generally simple to address with an intelligence-enabled IAM solution such as the Courion Access Assurance Suite, alleviating security and/or audit concerns.
In addition, automating at least basic, birthright access for new hires can be both a quick win and a foundation for continuous improvement. Role-based access can be incrementally added to the new hire process. You can pick and choose where it’s worth investing effort, for example, where job turnover is high, or where access is very similar across a function. Implementing some roles into this process delivers a triple win – providing the right access (better security) at the right time (improved service) and reducing the number of access requests (boost IT efficiency).
Leveraging intelligence, you can start to cut down on the effort required to develop roles. Intelligence solutions such as Access Insight use analytics to attack the mountain of access data available to find those access patterns to suggest appropriate access for a user. Let the computer do the work!
If your help desk is struggling to keep up, there are several ways to alleviate the pressure while also enhancing security and providing better customer service. For example, a streamlined, centralized access request process provides these multiple benefits.
I often remember an IT manager I worked with at a manufacturing company whose request process included 140 different forms! It was a huge improvement when we helped his organization move to a simple, one-stop access request shopping solution that included a full audit trail and built-in approval process.
With an intelligence-enabled IAM solution such as the Courion Access Assurance Suite, the request process is enhanced because it guides the user on what to request. This is done via intelligent modeling of user access, which suggests access options based on users in similar roles. The Access Assurance Suite also provides ‘guard rails’ against the inadvertent provisioning of inappropriate access because it automatically checks for possible policy violations, such as Segregation of Duty, during the request process.
As fundamental as it may seem, a self-service password management solution is also of great benefit to users, IT and help desk staff. Password reset calls often account for 25% or more of help desk calls. Shifting those inbound requests to a self-service process will free up IT and help desk time to tackle more high value activities while allowing end users to avoid waiting on a phone to get a password reset.
Last on this list but not last in priority is the recertification of user access. Access recertification is a best practice and, likely, a legal and audit requirement. With an intelligence-enabled IAM solution in place, this effort can begin by assembling data that details ‘who has access to what’. You can then leverage that information to provide a business-friendly recertification process that does not tax IT resources with hours of assembling spreadsheets from a multitude of systems.
While periodic re-certifications are important and necessary, Intelligence also allows you to trigger automated ‘micro-certifications’ based on policies you define. For example, you may create a policy where a user who gets access to highly sensitive data outside the norm kicks off an access recertification process. This type of risk-aware micro-certification reduces the kind of access risk that exists where waiting six months for the next review could be dangerous. This has the added benefit of maintaining compliance continuously, thus expediting the next audit you face.
Clearly, it’s possible to make significant progress in a relatively short time. The key is that these are not Band-Aid solutions, but the bricks that form a solid foundation for building a comprehensive, flexible and risk-aware IAM solution.
Kurt Johnson, Vice President of Strategy and Corporate Development, has posted a blog on Wired Innovations Insight titled, Data Breach? Just Tell It Like It Is.
In the post, Kurt discusses the negative PR implications of delayed breach disclosure and recommends improving your breach deterrence and detection capabilities by continuously monitoring identity and access activity for anomalous patterns and problems, such as orphan accounts, duties that need to be segregated, ill-conceived provisioning or just unusual activity.
Read the full post now.
Today Courion was named a leader in the 2014 Leadership Compass for Access Governance by KuppingerCole, a global analyst firm. Courion’s Access Assurance Suite was recognized for product features and innovation, and as a very strong offering that covers virtually all standard requirements. In the management summary of the report, Courion is highlighted as the first to deliver advanced access intelligence capabilities.
Courion was also recognized as a leader in the Gartner Magic Quadrant for Identity Governance and Administration (IGA) and as a leader in the KuppingerCole Leadership Compass for Identity Provisioning earlier this year.
The US Department of Homeland Security recently published a Public Service Announcement, “Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information”, touching on multiple (and all too familiar) insider threat scenarios.
This announcement is the proverbial icing on the “insider threat” cake baked a long time ago. Disgruntled employees, malfeasance, or general conduct unbecoming is nothing new. What is new is recognition that bad actors act with alarming efficiency to siphon off value from companies. These 21st century digital pickpockets of sensitive data and proprietary information are a new challenge with their blazing speed and seemingly invisible movement within their firms.
Of the ten recommendations offered to confront this issue, seven focus on Identity and Access Management (IAM) tasks. First on the list is: Conduct a regular review of employee access and terminate any account that individuals do not need to perform their daily job responsibilities.
Clearly a prudent recommendation. Yet, an elusive goal for even the most sophisticated IAM teams. How do you align regular reviews with a continuously evolving threat? How do you elevate existing risk management operating procedures without impeding your normal course of business? With internal personnel moves occurring by the hour, how can you possibly ensure that the right people have the right access to the right information and are doing the right things with it?
The way forward must be a combination of strong IAM fundamentals coupled with the innovative capability found in identity and access intelligence solutions such as Courion’s Access Insight™. Access Insight helps firms redefine access management practices to take IAM beyond the traditional and into the exceptional. For example, Harvard Pilgrim Health Care uses Access Insight to document exactly who is accessing PHI in order to streamline and enhance their audit readiness under federal HIPAA regulations.
Tasks previously impractical to pursue are now within reach when you leverage Access Insight’s big data framework. This actionable intelligence enables you to close the access risk process gap inherent in traditional IAM models. For example, Universal American uses Access Insight to analyze and compare current user access behavior to historical norms in near real-time to spot unusual behavior and trigger actionable alerts.
Allow us to speak with you about our proven approaches to reduce access risk. Ask about how our Access Risk Quick Scan offer can help you uncover your organization’s access risk – in just hours. Check us out and let us help you take your IAM beyond the traditional to the truly exceptional.
We all have skeletons in our IT closets that we'd rather forget about. In nearly every organization’s network, there is a legacy application or old piece of infrastructure that is bound to reach the end of its useful life at some point, yet plans for removal of obsolete technology typically do not exist. What we often fail to consider, however, is the fate of our service accounts associated with these aging applications and infrastructure. Unmanaged or unused service accounts represent a qualified, and in the case of Target Corporation, hugely quantifiable, risk to any organization. Continuous intelligence-based pattern recognition and monitoring using an identity and access analytics product like Courion Access Insight is the easiest and most effective way to mitigate such risk.
Service accounts are accounts on a system that are intended to be used by software in order to gain access to and interact with other software. Correspondingly, it is common practice that passwords for such service accounts are not frequently changed, so that the interconnection they support is not broken. These accounts are also frequently highly privileged, allowing a large number of activities to be integrated between systems.
How is this a risk if the accounts aren't meant for humans?
At its core, this kind of attack is no more complicated than the hacks often seen on the news when someone has altered the message displayed on a road construction sign: an attacker finds or knows of a default service account and password that exists on the system and uses it to gain access.
The Target breach was only slightly more complicated: attackers were aware of a service account laid down automatically by the installation of BMC software. The attackers were able to leverage that service account to elevate the privileges of a new account they created for themselves on the network, and the rest is history. The attack cost Target an estimated $2.2 billion, and highlighted that some common IT practices may not be "best" practices at all.
How can this threat be managed? How does one even identify a service account?
When the service accounts have been purposefully created, identification of these accounts can be straightforward. Naming conventions within your IAM system can be applied that mark an account as a service account. However, too often, there's no such obvious clue. This is where the pattern and trend recognition provided by an identity and access intelligence solution like Access Insight becomes key. The intelligence engine acts like a detective. It uses the circumstantial evidence about an account's activity and history to determine its purpose. The engine analyzes things like password reset history, login history, privilege patterns, ownership, and more to determine accounts that may be service accounts and which may represent a high risk of compromise.
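The "detective" reasoning described above, as an added example that is not Courion code: the account fields, weights and thresholds are assumptions, and the three account records are constructed to show a human user, a nightly batch job and an unowned privileged agent account.

```python
"""Heuristic scoring of accounts that look like unmanaged service accounts.

Added example (not Courion or Access Insight code). It turns the kinds of
circumstantial evidence listed in the text (password age, logon pattern,
privilege, ownership) into a ranked, explainable risk score. Field names,
weights and thresholds are assumptions; the sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass
class Account:
    name: str
    last_password_change: datetime
    logon_hours: List[int]        # hour-of-day of each observed logon
    logon_hosts: List[str]        # source host of each observed logon
    interactive_logons: int       # console/RDP style logons (human-like)
    is_privileged: bool
    owner: Optional[str]          # None when no human owner is recorded

# Constructed reference time so the example is deterministic.
NOW = datetime(2014, 11, 1, tzinfo=timezone.utc)

def score_account(acct: Account, now: datetime = NOW) -> dict:
    """Return a risk score plus the evidence that produced it."""
    score, reasons = 0, []
    age_days = (now - acct.last_password_change).days
    if age_days > 365:                       # stale, never-rotated credential
        score += 3; reasons.append(f"password unchanged for {age_days} days")
    distinct_hours = len(set(acct.logon_hours))
    # Machine-like schedule: round the clock, or the same hour every day.
    if distinct_hours >= 20 or (distinct_hours == 1 and len(acct.logon_hours) >= 10):
        score += 2; reasons.append("machine-like logon schedule")
    if acct.logon_hosts and len(set(acct.logon_hosts)) <= 2 and len(acct.logon_hosts) >= 50:
        score += 1; reasons.append("high-volume logons from one or two hosts")
    if acct.logon_hosts and acct.interactive_logons == 0:
        score += 2; reasons.append("no interactive logons")
    if acct.owner is None:                   # nobody to ask, nobody to recertify
        score += 2; reasons.append("no recorded owner")
    if acct.is_privileged:
        score += 2; reasons.append("privileged")
    return {"name": acct.name, "score": score, "reasons": reasons,
            "likely_service_account": score >= 5}

def rank_accounts(accounts: List[Account]) -> List[Tuple[str, int]]:
    """Highest-risk first: the prioritized view a reviewer would start from."""
    scored = [score_account(a) for a in accounts]
    return [(s["name"], s["score"]) for s in sorted(scored, key=lambda s: -s["score"])]

# Constructed sample data (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("jsmith", datetime(2014, 10, 2, tzinfo=timezone.utc),
            [8, 9, 9, 10, 12, 14, 17], ["WS-0121"] * 7, 7, False, "Jane Smith"),
    Account("backup", datetime(2013, 9, 27, tzinfo=timezone.utc),
            [2] * 40, ["FS-01"] * 40, 0, True, "Bob Storage"),
    Account("bmcagent", datetime(2012, 4, 15, tzinfo=timezone.utc),
            list(range(24)) * 3, ["POS-SRV1"] * 72, 0, True, None),
]

if __name__ == "__main__":
    for name, score in rank_accounts(SAMPLE_ACCOUNTS):
        print(f"{name:10} {score:3}  {score_account(next(a for a in SAMPLE_ACCOUNTS if a.name == name))['reasons']}")
```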
We have quarterly compliance reviews, surely that will catch the risks, right?
Modern access governance is critical, but there are some gaps that modern attackers have learned to exploit. The biggest gap is speed. The typical organization will perform compliance reviews quarterly. These compliance reviews are great for looking back in time and reviewing what has happened, but they're not timely enough to catch an attacker red-handed.
As an analogy, consider the robbery of a bank vault. If it is discovered three months later, knowing what happened doesn't really help much. But if an alarm sounds right away and summons the police, that does help. Similarly, Access Insight gives you the tools to sound that alarm immediately, so you can understand what is happening within your network and take steps to remediate it at that moment, not in three months when the hacker is long gone with your data.
The next biggest gap is complexity. Large organizations can suffer from data overload. A compliance review may or may not catch every single service account risk in the organization which may be hidden somewhere amongst the thousands of pages of mundane, normal accounts. They're easy to overlook, and hard to find after the fact. Access Insight uses built-in algorithms combined with risk weighting you tailor to your network. This provides you with a color-coded, prioritized view of your organization's risk.
How fast can the problem be tackled?
To assist with this problem, Courion now offers a complimentary quick scan evaluation of access risk which leverages Access Insight, to help organizations gauge whether they have an ungoverned or unmanaged service account problem. This quick scan can often be completed in a single day and provides a prioritized view of where remedial action is needed most. Of course, fully deploying Access Insight on your network, regardless of what IAM suite you have installed, will give you the visibility, or insight, you really need through continuous monitoring to find and fix access-related risk, now and on an ongoing basis, not just at a point in time.
As the leading provider of IAM solutions for healthcare organizations, Courion’s connector framework is designed to interface with a wide variety of IT systems, including popular healthcare applications from vendors such as Epic.
Healthcare institutions continue to move rapidly to adopt a range of technology solutions for improving patient outcomes and reducing costs by automating clinical information and processes.
In order to effectively address the security concerns posed by these applications, healthcare organizations turn to identity and access management solutions to ensure that users, such as physicians or billing clerks, are provided timely and efficient access to information and that their access rights are consistent with their roles and enterprise security policy. These IAM solutions require the use of connectors to various healthcare-specific and general use applications in order to create, manage and terminate user access rights in accordance with policies and regulations.
Courion recently published a technology brief for healthcare organizations interested in implementing and managing user identity profiles for Epic and other systems throughout their organization.
To download a copy of this paper, click here.
In a Tuesday August 26th press release and follow-on blog post, we shared a few details regarding how the latest version of the Access Assurance Suite leverages intelligence at the initial point of provisioning. This new capability ensures that you don’t inadvertently provide users with access that may lead to a governance violation. It complements the IAM suite’s existing use of intelligence to monitor users’ access and to automatically alert you or take action when a user’s access falls out of compliance. But wait, there’s even more in 8.4!
The latest version of the Access Assurance Suite also enables you to easily configure your identity and access management system to reflect how you intuitively think about your business. Now your users can search for access, approve requests, and certify access in your own familiar everyday language and with your own natural organizational structure. We call this Access Your Way. This new access model can be used along with our suite’s existing tagging capabilities, improving your ability to categorize access for fast, intuitive user searches.
We’ve also leveraged new user interface technology to give the product a fresh new look and to extend support to a variety of additional browsers and devices. You can now use the Access Assurance Suite from an expanded range of Google Chrome, Internet Explorer and Mozilla Firefox browsers across PCs, tablets, and mobile phones. The Access Assurance Suite’s responsive new user interface automatically scales to different browser and device sizes. There’s no longer a need to wait until you get to your desk to reset your password. Just grab your Apple or Android cell phone or tablet and go.
Of course, intelligent provisioning, Access Your Way, and a great user experience are only part of what’s new. The 8.4 release includes dozens of other new capabilities ranging from expanded user dashboards to increased control over delegation to more sophisticated encryption and hashing algorithms to simplified self-service capabilities.
To learn more click here or call us at 866.COURION.
Recently we announced the latest version of the Access Assurance Suite. The 8.4 revision brings Courion’s market-leading intelligence capabilities to where it all begins, provisioning. Now, business policy validation is fully baked into the access definition and user provisioning process in real-time. As a result, inappropriate access assignments can now be flagged from the start and prevented.
Here’s how it works: when an access request is submitted, the embedded intelligence engine alerts the user with a list of defined business policy violations.
For example, an alert could be triggered automatically if a user requested access to both create purchase orders and approve orders, a Segregation of Duty (SoD) business policy violation.
You are then able to remedy the violation or request a policy exemption. All of your approvers can easily view the history of the request along with any follow-on exemption requests, providing a more intuitive approval process and eliminating bottlenecks.
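The request-time check described in the three steps above, as an added example that is not Courion code: the policy format, entitlement names and sample requests are constructed, and the create/approve purchase order pair is the Segregation of Duty conflict used in the text.

```python
"""Segregation-of-Duty (SoD) evaluation at the point of an access request.

Added example, not Courion code. It shows why the check has to look at the
user's effective access (current holdings plus the request): a request for a
single entitlement can complete a toxic pair with access already held.
Policy ids, entitlement names and the sample requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Toxic combinations: a user must never hold both entitlements at once.
SOD_POLICIES: Dict[str, FrozenSet[str]] = {
    "PO-SOD-01": frozenset({"erp.purchase_order.create", "erp.purchase_order.approve"}),
    "AP-SOD-02": frozenset({"erp.vendor.create", "erp.payment.release"}),
}

@dataclass
class AccessRequest:
    user: str
    requested: Set[str]
    exemptions: Set[str] = field(default_factory=set)  # approved policy exemptions

def sod_violations(current: Set[str], request: AccessRequest) -> List[dict]:
    """List every SoD policy the user would violate if the request were granted."""
    effective = current | request.requested
    findings = []
    for policy_id, pair in SOD_POLICIES.items():
        if pair <= effective:
            triggered_by = pair & request.requested
            findings.append({
                "policy": policy_id,
                "entitlements": sorted(pair),
                "triggered_by_request": sorted(triggered_by),
                # Both halves already held: not caused by this request, so it
                # belongs to continuous monitoring rather than request blocking.
                "pre_existing": not triggered_by,
                "exempt": policy_id in request.exemptions,
            })
    return findings

def decide(current: Set[str], request: AccessRequest) -> dict:
    """Block on any unexempted violation the request would create; route
    pre-existing violations to monitoring; otherwise grant."""
    findings = sod_violations(current, request)
    blocking = [f["policy"] for f in findings if not f["pre_existing"] and not f["exempt"]]
    monitoring = [f["policy"] for f in findings if f["pre_existing"]]
    return {"user": request.user,
            "decision": "blocked" if blocking else "granted",
            "blocking": blocking, "monitoring": monitoring}

if __name__ == "__main__":
    # Constructed scenario: user already creates purchase orders, asks to approve them.
    held = {"erp.purchase_order.create", "crm.read"}
    print(decide(held, AccessRequest("jdoe", {"erp.purchase_order.approve"})))
    # Same request with an approved exemption recorded on the request.
    print(decide(held, AccessRequest("jdoe", {"erp.purchase_order.approve"}, {"PO-SOD-01"})))
```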
This is a great complement to the suite’s existing continuous monitoring capabilities, which detect business policy violations whenever they occur, enabling provisioning remediation without the need for human intervention and further automating the governance process. Now your organization can both start compliant and stay compliant on an ongoing basis. A nice one-two punch!
Watch for future posts about additional new features in 8.4.
On August 20th, UPS Stores announced that they hired a private security company to perform a review of their Point of Sale (PoS) systems after receiving Alert (TA14-212A) Backoff Point-of-Sale Malware about a new form of PoS attack and, surprise, they found out that they had a problem. They released some information about which stores and the type of information was exposed, but little else. Freedom of Information Act requests have already been filed.
What followed was the predictable media buzz, where it was postulated that this was yet another PoS breach similar to those that affected Neiman Marcus and Target. While there is some truth in this, there are interesting bits that make this case very different.
This was a brute force password attack against remote desktop applications (the list named in the Alert includes Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn).
Because UPS Store locations are franchises, the PoS systems are not centrally managed, so each store was individually hacked. This might explain why the actual impact was low (1% of the stores affected) and why UPS is not completely certain what was taken.
What’s the same?
European Union residents, armed with EMV protected cards, may feel they are immune to these problems. If this were the case, then why are we seeing a dramatic rise in the use of card scrapers throughout Europe? Perhaps that’s a topic for another time.
What can you do to deter a breach that takes advantage of vulnerabilities in your identity and access equation? Begin by practicing good hygiene by following the identity and access controls recommended in Alert (TA14-212A), the 2014 Verizon Data Breach Report and the SANS Security Controls Version 5, as outlined by my colleague Brian Milas in this blog post.
What can you do to detect a breach as soon as possible? Brian points out in the same post that by using an intelligent IAM solution, you will be better equipped to minimize the type of access risk that leads to a breach by provisioning users effectively from the start, and you will also be better able to detect access risk issues as they happen and remediate them on an ongoing basis by leveraging continuous monitoring capabilities.
The point is, regardless of the exact details and mechanisms employed in an attack, you can and should do what is under your control to minimize risk and equip yourself for early detection. Identity and access intelligence is a good place to start.