This is the first installment of a 3-part series that explores how intelligence improves IAM. In part 1 we’ll look at how intelligence improves the provisioning portion of IAM, including the access request and the approval process, which helps to ensure that the right people have the right access to the right resources.
Before we dive in, let’s look back at an excerpt from a previous blog about what makes intelligent IAM intelligent and refresh our memories about why IAM needs to be intelligent.
Fundamentally, IAM is a resource allocation process that operates on a simple principle: people should have access only to the resources they need in order to do their job. Therein lies one of the problems. Without intelligence, IAM operations are inconsistent and easily corrupted, resulting in decreased worker efficiency, increased risk to the corporation (more on that later), or both.
A non-intelligent IAM provisioning process is typically inconsistent and often results in the overprovisioning of access because the downside of insufficient access is frustration and inefficiency while the downside of too much access tends to be invisible – until something happens. The contributing factors that lead to such inconsistency and overprovisioning include a rigidly structured provisioning process combined with unguided human judgment that devolves into rubber-stamp approvals. The solution to this problem is to enhance the provisioning process with intelligence, which guides the human decision-making and provides a feedback loop that helps the provisioning process adapt to evolving business operations.
A non-intelligent provisioning process often starts with an unstructured shopping expedition that enables a user to see and request access to almost any business resource. The access request is then routed through an approval process and ultimately scheduled for fulfillment. Such a process relies on users to find and request access to appropriate resources coupled with a reliance upon approvers to catch any anomalies, such as requests that provide the recipient with access to a resource that they don’t need to do their job. If the goal is to ensure that the right people have the right access to the right resources, how well do you think a non-intelligent provisioning process satisfies that goal?
By contrast, intelligence improves all aspects of the provisioning process. Envision an access catalog organized into groupings that provide access to something meaningful to the business, such as a user account on a server, read & write privileges to a file share or even all the access needed to function as an Executive Assistant or a Marketing Analyst. IAM intelligence is derived from the breadth and depth of the IAM data that is collected and processed into useful information. Starting with the access request, intelligence can guide the user toward appropriate resources while warning them about or even preventing them from seeing inappropriate resources. Utilizing a user’s job code or department coupled with knowledge about the user’s peer group and their collective access, an intelligent access request process can suggest, for example, that a user with the job title Marketing Analyst needs access to the marketing printer, the marketing file share as well as accounts on specific servers. While the user may still be able to request access to other resources, the user is not left unguided to try and determine which resources are appropriate. An intelligent access request process can be compared with a visit to Amazon.com, where suggestions are made based upon knowledge about the user as well as knowledge about similar users (e.g., those in the same department or those who have the same job code). Consequently, an intelligent access request process is far more capable of satisfying the goal of ensuring that the right people have the right access to the right resources.
While users may be better positioned to request access to appropriate resources, they may still be able to request access to other resources. However, an intelligent approval process helps ensure that such access requests are also approved or denied in accordance with business policies. While a non-intelligent approval process typically follows a prescribed approval sequence, an intelligent approval process can auto-approve certain requests (e.g., access that was suggested during the access request process) while requiring a more robust approval sequence for other requests. Applying intelligence to the approval process enables the approval sequence to adapt to each individual access request based upon the anomalous nature of each request. As an example, a user in the marketing department requesting access to the sales server will require more approvals than that same user’s request for access to the marketing server and fewer approvals than that same user’s request for access to the finance server.
An intelligent provisioning process adapts to evolving business operations by utilizing knowledge about the user, the user’s peer group and their access, the sensitivity of corporate resources and the associated risk should those resources be compromised. All of this information is combined with the knowledge of who has access to which resources and how those resources are being used, which determines how the overall business risk is trending. The end result is an intelligent provisioning process that is well-suited to meet the overarching business goal of ensuring that the right people have the right access to the right resources.
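To make the two ideas above concrete, here is an added example (it is not code from this post or from any Courion product) of a request-time decision: peer-group prevalence drives the suggestions a user sees, a segregation-of-duty guard rail blocks conflicting requests, and the approval chain lengthens as the request becomes more anomalous for the peer group and the resource more sensitive. The identity snapshot, catalog, sensitivity tiers, SoD pair and thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed access catalog: entitlement -> assumed sensitivity tier (1 = low, 3 = high).
CATALOG = {
    "printer:mkt-3f": 1,
    "share:marketing": 2,
    "server:mkt-web-01": 2,
    "server:sales-crm-01": 2,
    "server:fin-gl-01": 3,
    "app:payroll-admin": 3,
    "app:ap-invoice-approve": 3,
}

# Constructed segregation-of-duty policy: pairs one person must not hold together.
SOD_PAIRS = [frozenset({"app:payroll-admin", "app:ap-invoice-approve"})]

# Constructed identity snapshot: user -> (department, job code, current entitlements).
USERS = {
    "alice": ("marketing", "MKT-ANALYST", {"printer:mkt-3f", "share:marketing", "server:mkt-web-01"}),
    "bob":   ("marketing", "MKT-ANALYST", {"printer:mkt-3f", "share:marketing", "server:mkt-web-01"}),
    "carol": ("marketing", "MKT-ANALYST", {"printer:mkt-3f", "share:marketing"}),
    "dave":  ("marketing", "MKT-ANALYST", {"printer:mkt-3f", "share:marketing", "server:mkt-web-01", "server:sales-crm-01"}),
    "erin":  ("marketing", "MKT-ANALYST", set()),   # new hire with no access yet
    "frank": ("sales",     "SALES-REP",   {"server:sales-crm-01"}),
    "grace": ("finance",   "FIN-CTRL",    {"server:fin-gl-01", "app:payroll-admin"}),
}


def peers_of(user):
    """Peer group = other users with the same department and job code."""
    dept, job, _ = USERS[user]
    return [u for u, (d, j, _) in USERS.items() if u != user and d == dept and j == job]


def peer_prevalence(user, entitlement):
    """Fraction of the peer group that already holds the entitlement (0.0 if there are no peers)."""
    peers = peers_of(user)
    return sum(entitlement in USERS[p][2] for p in peers) / len(peers) if peers else 0.0


def suggest_access(user, threshold=0.6):
    """Request-time guidance: entitlements the user lacks that at least `threshold` of peers hold."""
    peers = peers_of(user)
    if not peers:
        return []
    counts = Counter(e for p in peers for e in USERS[p][2])
    held = USERS[user][2]
    return sorted(e for e, c in counts.items() if e not in held and c / len(peers) >= threshold)


def sod_conflicts(user, entitlement):
    """Guard rail: entitlements the user already holds that conflict with the requested one."""
    held = USERS[user][2]
    return sorted(e for pair in SOD_PAIRS if entitlement in pair for e in pair - {entitlement} if e in held)


def approval_chain(user, entitlement):
    """Risk-adaptive approval sequence.

    Access that is common in the peer group and of low or medium sensitivity is
    auto-approved (empty chain); the more anomalous the request and the more
    sensitive the resource, the more approvers are added. Thresholds are assumptions.
    """
    if entitlement not in CATALOG:
        raise KeyError(f"{entitlement} is not in the access catalog")
    prevalence = peer_prevalence(user, entitlement)
    tier = CATALOG[entitlement]
    if prevalence >= 0.6 and tier <= 2:
        return []
    chain = ["manager"]
    if prevalence < 0.5:          # few or no peers hold it: the resource owner must weigh in
        chain.append("resource-owner")
    if tier >= 3:                 # high-sensitivity resource: add a security review
        chain.append("security-review")
    return chain


def decide_request(user, entitlement):
    """Combine the guard rail and the routing into one decision for a single request."""
    conflicts = sod_conflicts(user, entitlement)
    if conflicts:
        return {"status": "blocked", "reason": f"SoD conflict with {', '.join(conflicts)}"}
    chain = approval_chain(user, entitlement)
    return {"status": "auto-approved" if not chain else "pending", "approvers": chain}


if __name__ == "__main__":
    print("suggested for erin:", suggest_access("erin"))
    for ent in ("share:marketing", "server:sales-crm-01", "server:fin-gl-01"):
        print(f"erin -> {ent}: {decide_request('erin', ent)}")
    print("grace -> app:ap-invoice-approve:", decide_request("grace", "app:ap-invoice-approve"))
```

For the new hire erin, the marketing file share is auto-approved, the sales server needs her manager and the resource owner, and the finance server adds a security review on top, which is the ordering the paragraph above describes. Note that the catalog lookup is a hard failure rather than a default tier: an entitlement nobody has classified should not silently route as low risk.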
In my next installment of this 3-part series, we’ll focus on how intelligence improves the governance process.
In response to the now near daily revelations of data breaches, ‘security monitoring’ and ‘security analytics’ have been getting plenty of air time in the social networks and in the media. In the minds of most, security analytics is all about malware detection, event log analysis and event management.
While those security measures are all necessary, I think one crucial security analytics resource is missing from the equation: identity analytics and intelligence, or IAI.
Many of the recent data breach attacks show similar patterns. They often start with a phishing attempt after the attacker has researched the subject on personal, professional and social media sites. The cyber criminal then uses this information to create a phishing attack based on what they’ve learned, often a sophisticated email to a contact that appears to come from the subject.
This email often includes a link or file that, once clicked, launches some form of malware or command-and-control tooling used to take over the victim’s system and then crawl the network for more valuable user targets and information. The attacker moves within the network to identify high value target resources, further exploiting vulnerabilities as needed to gain access to them. The cyber criminal then packages up the valuable data and exfiltrates it. This process can take days or weeks, because the attackers typically go unnoticed until they are long gone.
Security analytics has focused heavily on identifying malware or viruses to address the initial compromise stage, when the cybercriminal is first establishing a foothold on the target user’s computer. Security information and event management (SIEM) solutions and deep packet inspection solutions focus on the later stages of a cyber attack when data is being packaged up and exfiltrated.
But none of these solutions focuses on the crucial middle stages where the attacker is gaining undetected access to the rest of the company’s IT infrastructure, using exploits and password cracking to acquire administrator privileges, and moving laterally to expand control to other computers and servers.
This is precisely where identity analytics and intelligence and continuous monitoring come in.
The 2014 Verizon Data Breach Investigations Report (DBIR) showed that two out of three breaches involved attackers using stolen or misused credentials. As Jay Jacobs, a co-author of the report said in an interview with Dark Reading, "Trying to get valid credentials is part of many styles of attacks and patterns. To go in with an authenticated credential opens a lot more avenues, obviously. You don't have to compromise every machine. You just log in."
Therefore, we need improved IAM controls and continuous monitoring to understand what is really happening with users and their access. The challenge is that traditional identity and access management has been event driven (hire, fire, relocate) or audit driven (periodic review, once or twice a year). This is simply not adequate for detecting the kind of changes to access that may indicate a cybercriminal is on the prowl.
Identity analytics and intelligence enables you to continuously monitor users and their access and to see clearly when a user’s activity departs from the norm, when a user’s access is elevated to privileged access, when a user has more access than is warranted given his or her responsibilities, or when other suspicious access activity occurs.
Identity analytics and intelligence also lets you look at a particular user’s access behavior in the context of other factors, such as whether that behavior is typical of a user in that role, with that job title, or in that geographic location. These are the kind of details that help you determine whether it is really the user acting, or the user’s account being manipulated by an attacker.
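As an added example of the continuous monitoring described above (not code from this post or from any Courion product), the following runs a constructed stream of directory and access events through two kinds of checks: a group membership change is compared against the provisioning record, so an elevation granted directly in the target system with no approved request stands out, and each access is compared against a per-role baseline of resources and countries built from recent history, so activity that departs from the role norm is flagged. The groups, roles, tickets, history and events are all constructed assumptions.

```python
from collections import defaultdict

# Constructed directory groups whose membership confers administrative control.
PRIVILEGED_GROUPS = {"Domain Admins", "Finance-DBA"}

# Constructed HR view: account -> business role.
ROLES = {"alice": "marketing-analyst", "bob": "marketing-analyst",
         "mallory": "marketing-analyst", "dave": "database-admin"}

# Constructed provisioning records: approved request -> (account, group) it authorises.
APPROVED_REQUESTS = {"REQ-1041": ("dave", "Finance-DBA")}

# Constructed 30-day history of observed access: (account, resource, country).
HISTORY = [
    ("alice", "share:marketing", "US"), ("alice", "server:mkt-web-01", "US"),
    ("bob", "share:marketing", "US"), ("bob", "app:hubspot", "US"),
    ("mallory", "share:marketing", "US"),
    ("dave", "db:fin-gl", "US"), ("dave", "db:fin-gl", "DE"),
]

# Constructed event stream to monitor, in time order.
EVENTS = [
    {"ts": "2015-01-20T09:02Z", "kind": "access", "user": "alice", "resource": "share:marketing", "country": "US"},
    {"ts": "2015-01-20T09:15Z", "kind": "group_add", "user": "dave", "group": "Finance-DBA", "request_id": "REQ-1041"},
    {"ts": "2015-01-20T11:40Z", "kind": "group_add", "user": "bob", "group": "Marketing-Printers", "request_id": None},
    {"ts": "2015-01-21T02:07Z", "kind": "group_add", "user": "mallory", "group": "Domain Admins", "request_id": None},
    {"ts": "2015-01-21T02:31Z", "kind": "access", "user": "mallory", "resource": "db:fin-gl", "country": "RO"},
]


def build_role_baseline(history, roles):
    """Per role: the resources and countries seen in the history window."""
    baseline = defaultdict(lambda: {"resources": set(), "countries": set()})
    for user, resource, country in history:
        role = roles[user]
        baseline[role]["resources"].add(resource)
        baseline[role]["countries"].add(country)
    return baseline


def check_event(event, baseline, roles, approved):
    """Evaluate one event; return a list of findings (empty if nothing is unusual)."""
    findings = []
    user = event["user"]
    role = roles.get(user, "unknown")
    if event["kind"] == "group_add":
        # Governed only if an approved request names exactly this account and group.
        ticket = event.get("request_id")
        governed = ticket is not None and approved.get(ticket) == (user, event["group"])
        if not governed:
            rule = ("ungoverned-privilege-elevation" if event["group"] in PRIVILEGED_GROUPS
                    else "provisioning-bypass")
            findings.append({"ts": event["ts"], "user": user, "rule": rule,
                             "detail": f"added to {event['group']} with no matching approved request"})
    elif event["kind"] == "access":
        norm = baseline.get(role, {"resources": set(), "countries": set()})
        if event["resource"] not in norm["resources"]:
            findings.append({"ts": event["ts"], "user": user, "rule": "resource-outside-role-norm",
                             "detail": f"{event['resource']} not used by any {role} in the baseline"})
        if event["country"] not in norm["countries"]:
            findings.append({"ts": event["ts"], "user": user, "rule": "location-outside-role-norm",
                             "detail": f"{role} activity never seen from {event['country']}"})
    return findings


def monitor(events, history=HISTORY, roles=ROLES, approved=APPROVED_REQUESTS):
    """Run every event through the checks and return all findings in event order."""
    baseline = build_role_baseline(history, roles)
    return [f for e in events for f in check_event(e, baseline, roles, approved)]


if __name__ == "__main__":
    for finding in monitor(EVENTS):
        print(f"{finding['ts']} {finding['user']:8} {finding['rule']:32} {finding['detail']}")
```

Dave’s elevation matches a ticket and produces nothing; Bob’s printer group is a low-severity process bypass; Mallory’s account produces three findings in a row (an ungoverned Domain Admins add, then a finance database touched from a country no marketing analyst has ever worked from), which is the middle-of-the-kill-chain signal the paragraphs above argue SIEM and malware detection miss. In practice the baseline would come from the identity warehouse rather than a list, and the findings would open a certification or incident rather than print.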
Today’s definition of security analytics needs to include identity analytics and intelligence. The bad guys use every tool at their disposal, shouldn’t you?
Gartner, a leading information technology research and advisory firm, issued the 2015 Gartner Magic Quadrant for Identity Governance and Administration (IGA) on January 12th.
Courion was recognized as a leader by Gartner for a remarkable 10th time.
Perhaps that recognition has something to do with the fact that the Access Assurance Suite™ performs superbly across a wide range of use case scenarios. Or maybe it has something to do with the fact that organizations that use Courion solutions are highly satisfied and give our support high marks, or that our customers would recommend the Access Assurance Suite to others.
Regardless of the factors that played a role in the analyst alchemy that resulted in Courion being recognized as a leader this year, and a total of 10 times since 2007, we are grateful.
It is external affirmation of our commitment to excellence in provisioning, governance and identity analytics solutions that have made our customers successful. And we can help you be successful, too.
Most organizations have to demonstrate that they are compliant in an increasingly regulatory landscape. An important objective of compliance efforts is to ensure that the right people have appropriate access, particularly to high-risk applications and sensitive data such as cardholder information and personal health information. To satisfy these regulatory requirements, organizations conduct periodic reviews, typically every six months or a year, in which managers and other authorized personnel periodically review users’ access and attest to whether those access rights are correct.
Based on media accounts, the number of security breaches per year is increasing dramatically. In many of these breaches, it has become apparent that the breached organizations were unaware that a breach had occurred. So why is this the case? Why are organizations still susceptible to breaches, even after performing periodic certification reviews and passing audits?
The reason is the significant surge in the volume, variety and velocity of information. The Big Data storm has made it extremely challenging, if not impossible, for organizations to enforce high security standards while also achieving a high level of productivity. Much can change with users, their roles and responsibilities, their access rights and the resources they access in the time in-between periodic access reviews.
Moreover, even when users’ access information is presented to reviewers, there is typically no context around that information: reviewers do not know how, why or when users obtained the access. In fact, a recent survey conducted by Courion found 43 percent of IT Security executives agreeing with the statement that their organization is unaware of when access privileges are increased or when access behavior departs from the norm. In addition, the volume of data that is presented is considerable, if not overwhelming. These reasons invariably drive reviewers to rubber stamp. Clearly, this is not an effective tactic to truly mitigate organizational risk.
What organizations need is a continuous and comprehensive approach to identify access risks and employ preventative controls to mitigate those risks. The Courion Access Assurance Suite provides organizations with the ability to automatically revoke inappropriate access and/or perform risk-based certifications reviews when a policy violation occurs or when a threat is detected.
Risk-based certification reviews provide complete context around the information being reviewed, thereby enabling managers to make more educated and informed decisions on whether a user’s access is appropriate or not. By performing these narrowly focused risk-based certification reviews on a continuous basis, organizations can not only satisfy audit requirements, but also mitigate potential risks in a more intelligent and efficient manner.
At last week’s Gartner IAM Summit in Las Vegas, it was fascinating to see how the conference has grown. Over 1,200 attendees made this the largest Gartner IAM event to date, which says there is a huge amount of interest in identity and access management. Many were there to understand the basics, but there was plenty for IAM professionals looking to strategize for the future and who are seeking to maximize their IAM investment.
The highlights for Courion were two presentations that attracted close to 200 attendees. One was a case study featuring our own Kurt Johnson and Mark Teehan, an IAM Program Manager from Harvard Pilgrim Health Care.
In the presentation Mark described how his organization, a health benefits company that serves more than 1.2 million members, expanded its IAM program to reduce access risk across the organization by constantly monitoring and analyzing data generated by its IAM systems. The company has moved beyond provisioning and certification by implementing tools and processes to proactively identify and remediate the access issues that lead to business risk. For example, the organization has reduced orphaned and abandoned accounts and established a management process for system and non-human accounts, and has reduced accounts with privileged capabilities and those with unnecessary access. The session really resonated with attendees, judging by the number of questions and post-session conversations that occurred.
I held a lunch session that described how to assess risk before an IAM implementation. I reviewed how an Identity and Access Intelligence solution can help diagnose access risk in any organization and how an organization can take the findings from that diagnosis to formulate an actionable remediation plan. I spoke with a number of attendees who are working on the basics of IAM but who can clearly see the value of being more proactive. These attendees confirmed their desire to eventually deploy a continuous monitoring solution to address access risk.
For conference attendees who missed either session, or anyone who is interested in the topic, I highly recommend tuning into our upcoming webinar:
Tim Callahan, CISO of Aflac, and Kurt Johnson, VP of Strategy for Courion will present, Keep a Constant Vigil: Risk-Aware IAM on Monday December 15th at 11:00 a.m. Eastern.
This webinar will help an IAM professional at any level. I hope you can tune in!
We recently conducted a survey and the findings reveal that while IT security executives understand the risk factors that lead to a data breach, their organizations may not be able to effectively remediate those access risks. Here's an infographic that highlights some of the findings:
A theme that is echoed over and over again in Identity and Access Management is that organizations do not have a comprehensive view of what is actually ‘in’ their environment.
For example, quite often they are unable to reliably answer fundamental questions such as
• Who has access to what?
• Are there active, but abandoned accounts?
• Are there ungoverned privileged accounts?
• Do people have more access than they should when compared to what their peers have?
• Are there unused entitlements and if so what are those?
This is only a small subset of the questions that organizations strive to answer, and uncovering such information often highlights inefficient and sometimes even broken processes, for example:
• Contractor accounts are not disabled correctly. This may lead to active but abandoned accounts.
• Administrators grant administrative privileges directly in target systems, circumventing a request approval process. This may lead to un-governed privileged accounts.
• Employees perform different job functions over the course of their tenure in the organization and access may not have been revoked appropriately. This may lead to people having excessive access when compared to what their peers have.
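The questions and broken processes listed above are answerable from a joined directory, HR and usage snapshot. The following added example (not code from this post or from any Courion product) runs three of those checks over a constructed snapshot: enabled accounts whose contract has ended or that have not logged on for 90 days, service accounts with no owner, entitlements never used or unused for 180 days, and entitlements held by a person but by almost none of their peers. The accounts, dates, entitlements and thresholds are all constructed assumptions.

```python
from datetime import date

AS_OF = date(2014, 11, 10)   # constructed snapshot date

# Constructed directory/HR snapshot: account -> attributes.
# 'end' is a contract end date; 'owner' applies to service accounts.
ACCOUNTS = {
    "alice":    {"type": "employee",   "dept": "marketing", "enabled": True,  "last_logon": date(2014, 11, 9), "end": None},
    "bob":      {"type": "employee",   "dept": "marketing", "enabled": True,  "last_logon": date(2014, 11, 7), "end": None},
    "carol":    {"type": "employee",   "dept": "marketing", "enabled": True,  "last_logon": date(2014, 11, 8), "end": None},
    "ghost":    {"type": "employee",   "dept": "marketing", "enabled": True,  "last_logon": date(2014, 5, 2),  "end": None},
    "tom-c":    {"type": "contractor", "dept": "marketing", "enabled": True,  "last_logon": date(2014, 7, 1),  "end": date(2014, 6, 30)},
    "lee-c":    {"type": "contractor", "dept": "marketing", "enabled": False, "last_logon": date(2014, 3, 3),  "end": date(2014, 2, 28)},
    "svc-bkup": {"type": "service",    "dept": "it",        "enabled": True,  "last_logon": date(2014, 11, 9), "end": None, "owner": None},
    "svc-mon":  {"type": "service",    "dept": "it",        "enabled": True,  "last_logon": date(2014, 11, 9), "end": None, "owner": "ops-team"},
}

# Constructed entitlement view: account -> {entitlement: date last used, or None if never used}.
ENTITLEMENTS = {
    "alice":    {"share:marketing": date(2014, 11, 9), "app:crm": date(2014, 11, 8)},
    "bob":      {"share:marketing": date(2014, 11, 7), "app:crm": date(2014, 10, 30)},
    "carol":    {"share:marketing": date(2014, 11, 8), "app:crm": date(2014, 11, 1),
                 "app:payroll": None, "db:fin-gl": date(2014, 2, 1)},   # left over from an earlier finance job
    "ghost":    {"share:marketing": date(2014, 5, 2)},
    "tom-c":    {"share:marketing": date(2014, 7, 1)},
    "lee-c":    {},
    "svc-bkup": {"backup:all-servers": date(2014, 11, 9)},
    "svc-mon":  {"monitor:read": date(2014, 11, 9)},
}


def abandoned_accounts(as_of=AS_OF, stale_days=90):
    """Enabled accounts nobody should still be using: contract ended, or no logon for `stale_days`."""
    out = []
    for name, a in ACCOUNTS.items():
        if not a["enabled"]:
            continue
        expired = a["end"] is not None and a["end"] < as_of
        stale = (as_of - a["last_logon"]).days > stale_days
        if expired or stale:
            out.append(name)
    return sorted(out)


def unowned_service_accounts():
    """Non-human accounts with nobody accountable for them."""
    return sorted(n for n, a in ACCOUNTS.items() if a["type"] == "service" and not a.get("owner"))


def unused_entitlements(as_of=AS_OF, unused_days=180):
    """(account, entitlement) pairs never exercised, or not exercised within `unused_days`."""
    out = []
    for name, ents in ENTITLEMENTS.items():
        for ent, last_used in ents.items():
            if last_used is None or (as_of - last_used).days > unused_days:
                out.append((name, ent))
    return sorted(out)


def excess_vs_peers(max_prevalence=0.25, min_peers=2):
    """Entitlements a person holds that few peers (same department and account type) hold."""
    out = []
    for name, a in ACCOUNTS.items():
        peers = [p for p, b in ACCOUNTS.items()
                 if p != name and b["dept"] == a["dept"] and b["type"] == a["type"]]
        if len(peers) < min_peers:      # too few peers to say what is normal
            continue
        for ent in ENTITLEMENTS[name]:
            share = sum(ent in ENTITLEMENTS[p] for p in peers) / len(peers)
            if share <= max_prevalence:
                out.append((name, ent))
    return sorted(out)


if __name__ == "__main__":
    print("abandoned:", abandoned_accounts())
    print("unowned service accounts:", unowned_service_accounts())
    print("unused entitlements:", unused_entitlements())
    print("excess vs peers:", excess_vs_peers())
```

Each finding points at one of the broken processes above: the expired contractor account is the offboarding gap, the unowned backup account is the missing non-human account process, and Carol’s payroll and general-ledger access is what a job change leaves behind when nothing revokes it. The peer comparison deliberately stays silent when there are fewer than two peers, because a group of one has no norm to compare against.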
Over the past decade, many organizations have employed some level of automation. In traditional IAM, automation may help streamline certain processes, but it does not provide a continuous and comprehensive solution that addresses and mitigates all access risk. It is essential to realize that while automation can be a boon to organizations, automating inaccurate and broken processes can be a bane.
The key is to adopt an approach that combines strong fundamental IAM capabilities with access intelligence. Organizations must not only understand ‘what’ is in their environment and remediate policy violations, but also identify inefficient and broken processes and employ strong fundamental IAM strategies to address them. Yes, this is a shift from the traditional approach, but it enables organizations to focus on the most important areas and mitigate risk quickly and effectively.
This week at London’s Hotel Russell, the Identity Management 2014 conference brought together hundreds of technology professionals and security specialists across government and enterprises of all sizes and industries.
It was fascinating to hear from industry leaders discussing the next generation of Identity and Access Management, representing diverse firms and organizations such as ISACA, Visa Europe, Ping Identity, CyberArk, and beverage giant SABMiller.
A highlight for me was a session that included Nick Taylor, Director of IAM at Deloitte, and Andrew Bennett, CTO of global private bank Kleinwort Benson.
Taylor discussed the challenges that IAM professionals face in making access governance reviews business friendly, as often there is not enough context to understand the risks that they face. For example, an equities trader making lots of trades at a certain time of the day may be normal, but maybe not so normal if that trader is doing it from different locations or geographies.
Bennett supported that notion by pointing out that technical jargon can mask risk that exists, so he recommended that the financial services industry look into the concept of identity and access intelligence and start taking it on now. Adopting such a solution is not a case of throwing more tools at the problem; it is a matter of having the right tool to make sense of the mess.
It was also good to hear our partner Ping Identity’s session, “It’s Not About the Device – It’s All About the Standards”, on how modern identity protocols allow business and personal identities to be differentiated.
Overall a good conference that provided attendees with lots of opportunity to learn best practices and hear how their colleagues are approaching identity management. But rather than waiting for next year’s conference, anyone can learn more in the near term by attending Courion’s upcoming webinar Data Breach - Top Tips to Protect, Detect and Deter on Thursday November 20th at 11 a.m. ET, 8 a.m. PT, 4 p.m. GMT.
“Too much to do, too few resources.”
This is a phrase that all too frequently comes up in the discussions that I have with IT staff in organizations around the globe. They feel never-ending pressure to improve security and service to the business, but usually with the same or fewer resources. This is a challenge that is especially glaring when trying to marry solid Identity and Access Management practices with current business processes.
For example, a security manager I spoke to at a large health organization was nearly brought to tears as he talked about the need to accurately track an ever-changing user population where the same person might move through multiple roles and through multiple access scenarios in the course of just a week. At another organization, a help desk manager I worked with wrestled daily with an avalanche of access requests from users who had no idea what access to request, and were seeking help from administrators who in turn had no idea what access users actually needed.
What’s often needed in these situations is an IAM program centered on incremental progress that provides some instant relief while also generating the time and resources needed to expand the program into a comprehensive solution. The key is to know where to begin, and to aim for quick business value. Those quick wins help free up resources by simplifying and automating processes that typically suck up valuable manpower and time. Each incremental win then makes it easier to maintain momentum and expand user buy-in within the organization.
To get started with an IAM program that supports this kind of continuous improvement, you should first understand your identity and access landscape. By leveraging intelligence, as with Courion’s Access Insight, you can get an immediate evaluation of Microsoft Active Directory, a key system for most organizations. The dashboards included with Access Insight highlight potentially urgent security issues as well as IAM processes that may be broken. Access Insight integrates with the Access Assurance Suite or other IAM solutions so you can drill down to fix those broken processes and promptly disable access for terminations and properly manage non-employee access.
Another benefit of getting the big picture view of your identity and access landscape with Access Insight is to better understand who has access to what and to put automated processes in place to refresh that information at least daily. Even the most complex scenarios benefit greatly from putting rules in place that can automatically map access for 70-95% of the workforce. Allowances can be made for exceptions to be handled manually so that no one falls through the cracks.
With this real-time access information available as a foundation, you can then tackle any number of pain points. For example, most often, the onboarding and offboarding processes for user accounts cry out for attention. Offboarding, both planned and unplanned, is generally simple to address with an intelligence-enabled IAM solution such as the Courion Access Assurance Suite, alleviating security and/or audit concerns.
In addition, automating at least basic, birthright access for new hires can be both a quick win and a foundation for continuous improvement. Role-based access can be incrementally added to the new hire process. You can pick and choose where it’s worth investing effort, for example, where job turnover is high, or where access is very similar across a function. Implementing some roles into this process delivers a triple win – providing the right access (better security) at the right time (improved service) and reducing the number of access requests (boost IT efficiency).
Leveraging intelligence, you can start to cut down on the effort required to develop roles. Intelligence solutions such as Access Insight use analytics to attack the mountain of access data available to find those access patterns to suggest appropriate access for a user. Let the computer do the work!
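The role-mining step described above (rules that map access for most of the workforce, exceptions handled by hand, suggested birthright access for a new hire) looks like this as an added example; it is not code from this post and not the algorithm Access Insight uses. It mines attribute combinations that predict an entitlement from a constructed HR and entitlement snapshot, then reports how much of the current access the rules explain and which assignments are exceptions. Attribute names, the ten users, the entitlements and the support/confidence thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed HR attributes (assumed attribute names: dept, job, site).
USERS = {
    "u01": {"dept": "marketing", "job": "analyst", "site": "boston"},
    "u02": {"dept": "marketing", "job": "analyst", "site": "boston"},
    "u03": {"dept": "marketing", "job": "analyst", "site": "london"},
    "u04": {"dept": "marketing", "job": "manager", "site": "boston"},
    "u05": {"dept": "sales",     "job": "rep",     "site": "boston"},
    "u06": {"dept": "sales",     "job": "rep",     "site": "london"},
    "u07": {"dept": "sales",     "job": "rep",     "site": "london"},
    "u08": {"dept": "finance",   "job": "analyst", "site": "boston"},
    "u09": {"dept": "finance",   "job": "analyst", "site": "boston"},
    "u10": {"dept": "finance",   "job": "ctrl",    "site": "boston"},
}

# Constructed current entitlements per user.
ACCESS = {
    "u01": {"email", "vpn", "share:mkt", "app:hubspot"},
    "u02": {"email", "vpn", "share:mkt", "app:hubspot"},
    "u03": {"email", "vpn", "share:mkt", "app:hubspot", "printer:lon"},
    "u04": {"email", "vpn", "share:mkt", "app:hubspot", "app:budget"},
    "u05": {"email", "vpn", "app:crm"},
    "u06": {"email", "vpn", "app:crm", "printer:lon"},
    "u07": {"email", "vpn", "app:crm", "printer:lon"},
    "u08": {"email", "vpn", "app:gl", "share:fin"},
    "u09": {"email", "vpn", "app:gl", "share:fin"},
    "u10": {"email", "vpn", "app:gl", "share:fin", "app:payroll", "app:budget"},
}


def mine_rules(users, access, min_support=2, min_conf=0.8, max_attrs=2):
    """Find attribute combinations that predict an entitlement.

    A rule such as 'dept=sales & site=london -> printer:lon' is kept when at
    least `min_support` users share those attribute values and at least
    `min_conf` of them hold the entitlement. Thresholds are assumptions to tune.
    """
    members = defaultdict(set)            # attribute combination -> users matching it
    for uid, attrs in users.items():
        pairs = sorted(attrs.items())
        for n in range(1, max_attrs + 1):
            for combo in combinations(pairs, n):
                members[combo].add(uid)
    rules = {}
    for key, population in members.items():
        if len(population) < min_support:
            continue
        counts = Counter(e for u in population for e in access[u])
        predicted = {e for e, c in counts.items() if c / len(population) >= min_conf}
        if predicted:
            rules[key] = predicted
    return rules


def birthright(attrs, rules):
    """Access the rules imply for a person with these attributes (a new hire included)."""
    have = set(attrs.items())
    return {e for key, ents in rules.items() if set(key) <= have for e in ents}


def coverage_report(users, access, rules):
    """Share of current access the rules explain, plus exceptions for manual handling."""
    explained = total = 0
    exceptions, missing = set(), set()
    for uid, held in access.items():
        expected = birthright(users[uid], rules)
        total += len(held)
        explained += len(held & expected)
        exceptions |= {(uid, e) for e in held - expected}   # held, but no rule predicts it
        missing |= {(uid, e) for e in expected - held}      # a rule predicts it, not held
    return {"coverage": explained / total, "exceptions": exceptions, "missing": missing}


if __name__ == "__main__":
    rules = mine_rules(USERS, ACCESS)
    report = coverage_report(USERS, ACCESS, rules)
    print(f"rules: {len(rules)}  coverage: {report['coverage']:.1%}")
    print("exceptions for manual review:", sorted(report["exceptions"]))
    print("new sales rep in London gets:", sorted(birthright({"dept": "sales", "job": "rep", "site": "london"}, rules)))
```

On this data the mined rules explain 40 of 43 assignments (about 93%), inside the 70-95% band mentioned above, and the three leftovers (a manager’s budget tool and the controller’s payroll and budget access) are exactly the ones a human should look at. The same rules give a new London sales rep email, VPN, the CRM and the London printer on day one without a request.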
If your help desk is struggling to keep up, there are several ways to alleviate the pressure while also enhancing security and providing better customer service. For example, a streamlined, centralized access request process provides these multiple benefits.
I often remember an IT manager I worked with at a manufacturing company whose request process included 140 different forms! It was a huge improvement when we helped his organization move to a simple, one-stop access request shopping solution that included a full audit trail and built-in approval process.
With an intelligence-enabled IAM solution such as the Courion Access Assurance Suite, the request process is enhanced because it provides guidance to the user regarding what to request. This is done via intelligent modeling of user access, which suggests access options based on what users in similar roles hold. The Access Assurance Suite also provides ‘guard rails’ against the inadvertent provisioning of inappropriate access because it automatically checks for possible policy violations, such as Segregation of Duty conflicts, during the request process.
As fundamental as it may seem, a self-service password management solution is also of great benefit to users, IT and help desk staff. Password reset calls often account for 25% or more of help desk calls. Shifting those inbound requests to a self-service process will free up IT and help desk time to tackle more high value activities while allowing end users to avoid waiting on a phone to get a password reset.
Last on this list but not last in priority, is the recertification of user access. Access recertification is a best practice and, likely, a legal and audit requirement. With an intelligence-enabled IAM solution in place this effort can begin by assembling data that details ‘who has access to what’. You can then leverage that information to provide a business-friendly recertification process that does not tax IT resources with hours of assembling spreadsheets from a multitude of systems.
While periodic re-certifications are important and necessary, intelligence also allows you to trigger automated ‘micro-certifications’ based on policies you define. For example, you might create a policy under which a user who gains access to highly sensitive data outside the norm for their role kicks off an access recertification for that user. This type of risk-aware micro-certification reduces the access risk that accumulates when the next scheduled review is six months away. It has the added benefit of maintaining compliance continuously, which expedites the next audit you face.
Clearly, it’s possible to make significant progress in a relatively short time. The key is that these are not Band-Aid solutions, but the bricks that form a solid foundation for building a comprehensive, flexible and risk-aware IAM solution.
Kurt Johnson, Vice President of Strategy and Corporate Development, has posted a blog on Wired Innovations Insight titled, Data Breach? Just Tell It Like It Is.
In the post, Kurt discusses the negative PR implications of delayed breach disclosure and recommends improving your breach deterrence and detection capabilities by continuously monitoring identity and access activity for anomalous patterns and problems, such as orphan accounts, duties that need to be segregated, ill-conceived provisioning or just unusual activity.
Read the full post now.