Courion Corporation


Access Risk and the Cloud – Are you good to go?


The cloud is here to stay. Organizations are reducing costs, streamlining operations and leveraging Software as a Service (SaaS) applications — the cloud, that is — more than ever before, and there’s no end in sight. The cloud is now part of the modern enterprise infrastructure, but are organizations’ access risk strategies accounting for all the apps they have in the cloud? It’s already challenging to identify, quantify and manage access risk without solutions in place that can help, and doing business in the cloud adds another degree of difficulty to how organizations can protect themselves.

Here’s a common scenario. An employee leaves the company on his own, or is terminated. So you shut off access to his accounts, applications and file shares. You think you’re good to go. But what about his accounts in the cloud? Do you know for a fact that he can no longer access his old salesforce.com account? If you’re not emphatically saying “yes,” you have a problem. If he still has access to his old account, you’re inviting him to access your company’s assets: customer and employee Personally Identifiable Information (PII), intellectual property and other critical data.

We’ve all heard stories about former employees stealing critical information, uploading deadly viruses, or embezzling funds. But many, if not all, of these incidents might have been prevented had those companies had better access risk management controls in place.

Most organizations focus their access risk strategy on on-premise applications, yet they still want to take advantage of cloud-based offerings to reduce operational costs and streamline processes. Some are actually moving mission-critical applications and data onto cloud-based platforms without considering the access risk implications. Regardless of whether the apps are on-premise or in the cloud, companies need to apply the same level of identity and access governance to all applications and mitigate their access risk to keep their business secure. So how are they doing it?

Cintas Corporation has the right idea. The international provider of corporate identity uniforms, safety equipment and training didn’t want to end up as another headline in a long series of highly public data breaches, so they chose CourionLive™, the SaaS version of the Courion Access Risk Management Suite, as their identity and access management (IAM) solution. Now they have a fast, easy-to-implement, highly secure and redundant solution for managing user access privileges to vital IT systems. They’ll be able to automate manually intensive, repetitive IAM tasks like user provisioning, password management and user access certification, and increase operational efficiency while reducing their overhead.

The American Red Cross had the same idea. They needed a way to provision access to the Microsoft Office 365 cloud computing platform for their full-time employees, contractors and volunteers as part of an organization-wide initiative. They wanted to streamline their operations and reduce system costs by consolidating numerous email systems into one global communication system. As one of the largest Office 365 implementations, how are they managing access risk for their cloud-based solution? With Courion’s Access Risk Management Suite. It enables the Red Cross to improve security and mitigate access risk across their entire organization, while providing a fast time-to-value alternative to complex, expensive conventional identity and access management (IAM) solutions.

Mitigating access risk arising from cloud-based applications can be challenging, but when you have the right solutions in place, it doesn’t have to be. And you’ll be good to go.

Welcome to 2012, aka the pivotal year for BYO (bring your own personal mobile devices to work).


David Fowler

According to CSO.com’s December 19th article, “Expect conflict in 2012 as consumerisation raises security alarm bells for CIOs,” the coming year will be a time of reckoning. Enterprises need to formally take a look at the very real risks arising from employees bringing personal mobile devices to work.

With more and more users bringing laptops and smartphones to work, CIOs are losing sleep worrying about how to address the business and security risks of this burgeoning phenomenon in today’s mobile, always-on, cloud-based business environment, especially outside the corporate firewall.

Though it’s no surprise there isn’t a one-size-fits-all answer on how to deal with this problem, what is surprising is that a large number of enterprise CIOs and IT decision makers don’t have a policy governing use of personal mobile devices. To boot, they’re not too sure if the right people have the right access to the right information when users connect via the cloud, mobile devices or laptops.

In a recent Courion survey about personal mobile devices connecting to the corporate network, close to 1000 IT decision-makers at large enterprises expressed confidence they could ensure appropriate user access to resources on-premise, but were much less confident when users connect via the cloud, or on mobile devices or laptops.

While enterprises realize they need a comprehensive access risk management strategy, they’re not ready to jump on the bandwagon. What are they waiting for? To see their name in another headline screaming “$10B Data Breach Discovered at ‘Your Company Name Here’”? Or will those CIOs just be too tired to notice?

Move over SPML, Hello SCIM


On November 13, Courion announced its support for the Simple Cloud Identity Management (SCIM) specification. SCIM is a new standard that aims to simplify identity management (specifically provisioning activities) for cloud applications. Courion is supporting the SCIM initiative along with vendors such as Salesforce, Google, Ping Identity, VMware, Cisco, UnboundID, as well as many other cloud providers.

In his November 15th KuppingerCole blog, Dave Kearns talks about having a change of heart about SCIM. Said Dave, “Initially, I was opposed to SCIM – I thought that SPML could be moved forward to encompass cloud-based services relatively easily…I also had noted that no provisioning vendor had stepped forward to embrace SCIM. That’s now changed, as Courion announced their support earlier this month.” So what is SCIM? Simply put, SCIM is focused on moving users (and their access) to, from and between cloud applications securely, quickly and easily; to say it another way, it is used for the Create, Read, Update and Delete (CRUD) operations on identity and access data.

SCIM gives cloud application providers a consistent and simple way to manage their identities in their cloud application as well as other clouds. It streamlines making connections to applications by emphasizing simplicity of development and integration. This reduces the cost and complexity of user management operations by providing standardization across cloud providers -- offering a simple, prescriptive, extensible standard for cloud provisioning actions.

So what about SPML (Service Provisioning Markup Language)? SPML is also a standard for performing CRUD operations on target systems. So why aren’t more vendors supporting it? SPML (now at version 2.0) was originally developed for the enterprise provisioning market. While many Identity Management vendors support sending and accepting SPML requests, few vendors of the target systems support SPML as their “API” for provisioning. As a result, most integrations from IAM vendors still use the API provided by the target system’s vendor, and those APIs vary greatly from vendor to vendor.

With a library of more than 350 connectors, Courion experiences the challenges of using wide and varied APIs to integrate with target systems. The benefits of SCIM appeal to us for all of the same reasons listed above. If SCIM gains traction (it’s currently in draft form), as an author of connectors, we’ll see benefits with the simplicity of integration and speed of delivery of the new connections.

So what have we done? In our initial prototypes we’ve made access requests from Courion products (acting as SCIM consumers) to a SCIM endpoint and have found the development and integration work with SCIM to be very straightforward. The code is simple, performed well, and is network and firewall friendly. Our next project will most likely be to flip the roles, turning Courion’s Connector Library into a SCIM endpoint, with the potential of making 350+ systems targets via SCIM.
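The offboarding scenario from the first post (does the departed employee still have a live cloud account?) and the SCIM CRUD operations described here fit together naturally: a SCIM consumer can list a tenant’s users, compare them against the HR roster, and deactivate the stragglers. The following is an added example, not Courion’s code or any provider’s connector; `ScimUsersEndpoint` is a constructed in-memory stand-in for a SaaS tenant’s SCIM 1.x `/Users` resource (in practice the same calls go over HTTPS), and the tenants and roster are constructed sample data.

```python
import json
import re
import uuid

# Added example, not Courion's or any provider's code. ScimUsersEndpoint is a
# constructed in-memory stand-in for a SaaS tenant's SCIM 1.x /Users resource.
SCIM_CORE = "urn:scim:schemas:core:1.0"   # SCIM 1.x core schema URN


class ScimUsersEndpoint:
    """Minimal /Users resource: GET with a filter, PATCH of simple attributes."""

    def __init__(self, name, user_names):
        self.name = name
        self._users = {}
        for user_name in user_names:   # constructed sample accounts
            uid = str(uuid.uuid4())
            self._users[uid] = {"schemas": [SCIM_CORE], "id": uid,
                                "userName": user_name, "active": True}

    def get_users(self, filter_expr=None):
        """Return matching resources; supports only `userName eq "value"`."""
        if filter_expr is None:
            return list(self._users.values())
        m = re.fullmatch(r'userName eq "([^"]*)"', filter_expr)
        if not m:
            raise ValueError("unsupported SCIM filter: " + filter_expr)
        return [u for u in self._users.values() if u["userName"] == m.group(1)]

    def patch_user(self, user_id, body):
        """Apply a SCIM 1.x PATCH body (a partial resource) to one user."""
        doc = json.loads(body)
        if SCIM_CORE not in doc.get("schemas", []):
            raise ValueError("PATCH body must declare the core schema")
        user = self._users[user_id]
        user.update({k: v for k, v in doc.items() if k != "schemas"})
        return user


def deactivate_body():
    """Wire shape of the PATCH that revokes access: active=false."""
    return json.dumps({"schemas": [SCIM_CORE], "active": False})


def deprovision(endpoint, user_name):
    """Deactivate every account with this userName; return how many changed."""
    changed = 0
    for user in endpoint.get_users('userName eq "%s"' % user_name):
        if user["active"]:
            endpoint.patch_user(user["id"], deactivate_body())
            changed += 1
    return changed


def find_orphans(hr_active, endpoints):
    """Accounts still active in a tenant whose owner is not on the HR roster."""
    roster = {u.lower() for u in hr_active}
    return sorted((ep.name, u["userName"]) for ep in endpoints
                  for u in ep.get_users()
                  if u["active"] and u["userName"].lower() not in roster)


if __name__ == "__main__":
    # constructed tenants and roster: bob has left, but both tenants still
    # carry an active account for him
    tenants = {"crm": ScimUsersEndpoint("crm", ["alice", "bob"]),
               "mail": ScimUsersEndpoint("mail", ["alice", "Bob", "carol"])}
    roster = ["alice", "carol"]
    orphans = find_orphans(roster, tenants.values())
    print("orphan accounts:", orphans)
    for tenant, user_name in orphans:
        deprovision(tenants[tenant], user_name)
    print("after deprovisioning:", find_orphans(roster, tenants.values()))
```

The orphan check is case-insensitive on `userName` because tenants often differ in how they store the login, while the deprovisioning filter uses the tenant’s own exact value so the PATCH lands on the right resource.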

Universal American shows how to put risk in its place


David Fowler

There are countless moving parts in information protection because information itself is the ultimate moving part in business today. Direct data exchange with vendors, customers and partners is mandatory for lowering costs and improving efficiency. Critical data is everywhere. It’s replicated in multiple databases, in file systems, on individual hard drives, even smart phones. Staff, customers, partners and vendors can get to it through applications, Web portals, public folders and e-mail attachments.

Keeping a handle on access risks means carefully monitoring all of the paths to critical data, and, specifically, who’s walking on them. Our customer, Universal American Corp., is an example of how to do it right – managing access risk to run the business better, rather than being paralyzed by it.

The way they are doing this is to complement Courion’s traditional Identity and Access Management (IAM) functionality (user provisioning and access certification) with our integration with Symantec’s Data Loss Prevention (DLP) product. Together, we enable UAM to better manage access to sensitive SOX- and HIPAA-related information and identify potential access violations to data in file shares. This product integration adds an identity context to DLP data, allowing business managers not only to identify where sensitive data resides, but also to: 1) determine which users have access to what sensitive data; 2) identify how they obtained that access; and 3) certify appropriate user access and immediately remediate access that does not align with corporate, federal and industry policies.

UAM has also prioritized the need to automate quarterly attestation processes for SOX-relevant target systems. With an automated solution in place, UAM easily and efficiently performs user attestation by access level for SOX applications. Business managers can also eliminate the risk of “orphan” accounts, or active accounts that exist for employees and contractors who no longer work for the company. As a result, UAM is better able to demonstrate to auditors that terminated employees and contractors have been de-provisioned from their primary accounts and that any stale accounts to other systems are inaccessible. 

These are just some examples of how information needs to move freely to support the pace of business these days, especially in an open, connected world where mobile devices are becoming ever more prevalent. With the integration of IAM and DLP solutions, UAM is showing that being “open” does not mean the same thing as being out of control.

The evolution of managed user access


The Kantara Initiative is a professional organization dedicated to bridging and harmonizing the identity community, with actions that help ensure secure, identity-based online interactions while preventing misuse of personal information, so that networks become privacy-protecting and more natively trustworthy environments.

The User Managed Access (UMA) working group at Kantara is working on defining protocols that give end users control over their online data. Looking back, it’s hard to believe how far we’ve come.

During the early days of Courion, when we were promoting the industry’s first self-service password management solution, we had a lot of IT personnel telling us that there was no way they would ever allow workers to reset their own passwords. Things have changed quite a bit, and today it’s a common occurrence in the enterprise and on the Internet.

I'm starting to see more awareness in my family and friends who are beginning to think about what they're sharing and what access they’re granting to their information. You really want to have an understanding of what's being shared when you connect an application to Facebook, or when you download an application to your mobile phone.

Think about how many times you (the Authorizing User) are using services from Site A (requesting party) and it asks for your permission to access information (protected resource) on Site B (the host). How do you, as an end user (the Authorizing User), authorize and control this access? Is it a one-time grant, or does it persist for some period of time?

I think it's interesting how we, as consumers, are taking on tasks and responsibilities that previously required 'experts.' With advancing technology, simpler interfaces, and a little education, we now do things ourselves that in years past required an expert, such as:

 • publishing documents, images, music and videos
 • booking travel
 • printing tickets

Back in the early days of the telephone industry, operators were needed to make connections for the caller. At the pace the industry and telephone usage were growing, it was predicted that more operators were needed than there were citizens in the U.S.! And some amount of training was required in order to become an operator.

Fast forward to today. We've all become our own 'experts' and can perform the 'operator' function -- looking up information and placing our own calls – without a second thought.

With all of the technology we use in our personal and professional lives, and kids using iPads and iPhones before they can even read, who knows what’s next. Before we know it, we’ll be our own security admins!

Data security breaches are on the rise despite organisations trying to improve data security. So why do they fail?


Marc Lee

The UK Information Commissioner’s Office (ICO) confirmed what many already knew: data breaches have risen by 58% in the past year, suggesting that too many UK organisations are failing to comply with data protection best practices and the rule of law as defined by the UK Data Protection Act.

According to a recent article in ComputerWeekly.com, some of the major vulnerabilities that ICO identified within the surveyed organisations were lack of effective security policies, poor monitoring of data use by contractors and data processors, and failure to control access to both computer networks and work environments.

Certainly organisations, end users and customers need a better awareness of how they can protect sensitive data, because trust and security are fundamental to how our increasingly digital economies and societies function and flourish.

But it is important to reflect on why organisations aren’t being more vigilant and rigorous in their pursuit of data protection, especially around the risks of identity and access. As an industry we need to honestly ask ourselves whether we are making it easy and simple enough for our IAM solutions to be adapted and deployed to resolve the challenges facing our customers.

Quite often the problem is not a lack of willingness on the part of organisations to ensure strict data security controls, but the difficulty of ‘doing it right’. The implementation of effective access risk management solutions, for example, is often hindered by a long and complicated deployment process that requires significant investment and a long time to achieve ROI. Furthermore, if not implemented properly, the IAM solution cannot deliver optimal results, leaving room for security vulnerabilities.

It is our duty as members of the IAM industry to make deployment of IAM solutions easier and faster for organisations while enabling a better understanding of access risk and implementing the needed tools to control it. This will foster wider adoption of IAM solutions within organisations and will help ensure that access to sensitive data is adequately monitored, managed and enforced.

Risk: See it, manage it and ultimately leverage it to make better decisions for your company


David Fowler

The trend toward open IT systems has created some of the most spectacular examples of corporate theft of the last decade – take the recent data breach at UBS, for example. Businesses have been dealing with risk for centuries. The difference now is that instead of figuring out the likelihood of a clipper ship sinking on the return trip from China, companies have to figure out the likelihood of someone accessing sensitive information they shouldn’t and doing something harmful with it.

Companies have hesitated to open their systems to outsiders and mobile users because they lacked the visibility that would enable them to identify, quantify and manage access risk across all of their operations, no matter the entry point. Software existed to automate some identity and access management (IAM) functions – user provisioning, access certification, password management, etc. – but not the ability to cost-effectively pull that data together and analyze it in real time to assess changes in a company’s access risk profile.

From a series of recent surveys, as well as data from industry analysts, it’s pretty clear that the industry faces two challenges in keeping up with the business changes that are forcing more open access to information:

  • They need a comprehensive view of their Identity and Access data and activity.
  • They need the ability to analyze the data to create real intelligence on where the critical risks are to the organization.

With a 30-day implementation time for user provisioning, access governance and access compliance, the ability to integrate usage data from SIEM systems and the delivery of an Access Intelligence Engine to analyze real-time access risk, Courion’s new Access Risk Management Suite is setting the bar on what IAM can do to help organizations better manage information access and make informed business decisions.

UBS: the Business Consequences of Ignoring Access Risk


David Fowler

The recent multi-billion dollar data breach that occurred at Swiss finance company UBS underscores, yet again, the critical need for organizations to better understand where their greatest sources of information risk reside, as well as who is accessing sensitive data, how they are doing it, and what they are doing with it.

Managing access to applications and information is a growing challenge every organization confronts. With increased access to information comes increased risk to the business, a risk that increases dramatically if organizations go on using the same old day-to-day practices they’ve always employed when it comes to accessing sensitive data and systems. And this is not the first time for UBS. Last year they had a significant data breach resulting in $10 million in fines. It is often not good enough to just manage access policy with occasional scheduled reviews; organizations need to track user activity to make sure that access to the most sensitive data is granted only to those who need it. It’s important to make sure that those who have the “keys to the kingdom” – such as UBS trader Kweku Adoboli – are overseen by a strategic approach to access risk management.

Companies should ask themselves:

  • Are we adequately tracking employee activity to understand irregular behavior?
  • Do we know what information and systems need the most protection and who has access to them?
  • Do we have the comprehensive, near real-time visibility into the access risk and business risk associated with unmonitored access?
  • Does our IAM solution serve up the necessary data required to analyze business risk?
  • Can our IAM solution analyze access risk fast enough to remediate inappropriate or unnecessary access in a timely manner?

While no one can predict or completely stop data breaches, many can be prevented and most can be thwarted before they escalate to the level of a $2.3 billion loss, as in the case of UBS.

We as an industry share the responsibility to tackle this issue and make it easy and cost-effective for corporations to better manage their information risk.

Access Risk Survey Results Surprising


David Fowler

Mobile devices — iOS phones or tablets, Android smart phones and laptops — are all accepted as necessary tools for productivity in the enterprise, regardless of how they affect data security. Today, you’ve got to manage access risk to corporate data regardless of device or location.

We recently surveyed 988 IT decision makers at large global enterprises to see how they were coping with their access risk challenges. While we found most were confident they could assure appropriate user access to resources on-premises, surprisingly they were much less confident when users connected via the cloud, on mobile devices or laptops.

Sixty-nine percent, or two out of every three large enterprises, report they have employees connecting their own personal mobile devices to the corporate network; but more than one in every five organizations doesn’t have a policy to govern this use, or isn’t sure whether a policy even exists. Unfortunately, this situation isn’t unusual, and nearly 10 percent of enterprises have experienced a data breach following the loss of a mobile device that had accessed their networks.

Companies are scrambling to keep up with information access vulnerabilities and compliance violations created by mobile devices that access and store confidential information. But by implementing and carefully managing the right access risk management solution, they can bring the same strength of protection to mobile devices that they have deployed internally — ensuring that the right people have the right access to the right resources and are doing the right things.

Government shouldn’t be averse to being in the cloud


Kent Welch

Vivek Kundra wants the federal government in the clouds. The White House’s chief information officer predicts that cloud computing could save the federal government at least $3 billion a year, so before stepping down after two-and-a-half years on the job he gave all federal agencies under the White House’s purview a firm push in that direction. Kundra directed all new federal technology programs to consider cloud computing, and required every department to change over three existing programs from conventional to cloud-based infrastructures.

But agencies that deal with sensitive information – notably the State and Defense departments – aren’t too keen on the idea, according to a New York Times report this week. They aren’t convinced the cloud is secure enough, especially in light of cyber-attacks against high-security government contractors like defense giants Lockheed Martin and Boeing and the Pentagon itself.

The heads of government agencies are right to be concerned with security, but that concern shouldn’t prevent government computing and data storage from going to the cloud. Its cost and efficiency advantages over conventional IT infrastructures are too persuasive to ignore. As bombastic as some publicized security breaches are, none of them were caused by cloud infrastructures. Even locking down internally housed data doesn’t prevent attacks and data loss, so the cloud doesn’t add to the overall risk to data from internal and external attacks. Knowing and managing risks, and taking advantage of the industry’s best experience to secure data and efficiently manage information systems, beats a hunkered-down, fear-based bunker mentality.

The cloud’s potential for reducing the government’s IT costs is obvious. Sprawling federal departments with operations across the country and the world can use the cloud to tie their IT operations together at a fraction of conventional IT costs. Instead of creating new server and network environments for each new project, departments can connect them to shared resources over the Internet that expand or contract in response to demand. The ability to access data and applications from any site with an Internet connection also makes federal workers more flexible and productive.

This isn’t speculation, it’s fact. Companies in every industry are using cloud infrastructures to curb IT sprawl. Sensitive information – financial data, medical records, Social Security numbers – already exists in the cloud. Much of the Fortune 500 and a larger percentage of medium-sized and small companies entrust sales data and customer information to Salesforce.com, arguably the world’s most successful cloud-based company. Large-scale security breaches occasionally make the news, but they’re news because they’re rare. Risk is a part of doing business – and governing – in the Information Age. With effective access risk management strategies based on policies and processes that encompass cloud, mobile and on-premise information systems, the risk is more reasonable and potentially more lucrative.
