Securing an enterprise is no mean feat, and it is made more difficult by the rapidly expanding use of software in the Cloud. Although security is often cited as a concern with a move to the Cloud, what may not be fully appreciated is how cloud computing amplifies the existing risks in managing millions, if not billions, of identity and access relationships.
Check out this article by Kurt Johnson, Courion VP of Strategy and Corporate Development, to learn about the need for real-time access intelligence to manage the risk of improper access to systems and resources that span the enterprise and the Cloud, as well as how organizations can reduce risks before they become bona fide breaches.
The gap between user provisioning and access certification exposes organizations to significant security risks when changes that occur within this period of time go undetected. So, is the National Health Service (NHS) prepared to transition its new digital records system without exposing sensitive patient information to security risks?
In a recent article in Medical Technology Business Europe magazine, Marc Lee, Director EMEA Sales, talks about the security gap between user provisioning and access certification, discussing how real-time intelligence can help the NHS (and other organizations) to better secure records by managing the risk of security breaches.
Since the horrific events that took place at the Boston Marathon, we have received many emails and phone calls from customers checking to see if our team and families were safe. We are humbled and grateful for your thoughts and concern.
We are also very grateful to report that the Courion staff who ran in the Marathon, and the staff and families lining the route to cheer the runners, are all safe.
Boston is the center of many people’s lives — with a rich history, arts and culture, sports teams and world-class educational institutions. Throughout the years, we’ve had our share of sadness as well as triumph, but nothing could have prepared us for what took place on Monday.
As a company with deep roots in this great city, our heartfelt thoughts and sympathies go out to those who were affected by Monday’s tragedy. While we try and make sense of these events, we are also proud to see the generosity, resilience and sense of purpose of the victims, and of the runners, doctors, EMTs, law enforcement, National Guard and others in the crowd who ran to their aid. Their actions reflect the best of what we hope to be, and are a signal to all that this horrible act will only pull us closer together.
In last month’s XForce Annual Trend and Risk Report, IBM noted that ". . . few innovations have impacted the way the world communicates quite like social media; however, the mass interconnection and constant availability of individuals has introduced new vulnerabilities and caused a fundamental shift in intelligence gathering" by hackers. I can’t help but feel some sense of vindication, particularly when talking with my teenagers, whom I have been urging for years to limit the amount of personally identifiable information they share via social media.
In my recent blog "Are you Cyber Secure?," I wrote about how breaches at consumer websites, like recent hacks at LinkedIn, Evernote and Yahoo!, could let hackers access users’ accounts and use their personal information at other websites; or even worse, their place of business. As the IBM report highlights, even without breaches, information shared via social media can come back to haunt companies as well as individuals.
The XForce report noted that "social media repositories were leveraged for enhanced spear-phishing techniques." The RSA breach in 2011 was a prime example of social media-driven engineering as the first step of an advanced persistent threat attack. Taking the actions I suggested in my blog — managing passwords and personal information with risk in mind — is a good first step; however, this hacking market trend requires companies and security vendors to step up their game.
- For our customers, the imperative is the continuous and proactive education of staff on the footprints of phishing attempts. Every day we get phishing emails with more and more targeted context, making it hard to believe that these emails are anything other than legitimate. In response, IT organizations need to educate staff aggressively and in real time so they don’t inadvertently open the way for an attack.
- For vendors, we need to take a page out of the financial service industry’s playbook and start delivering more sophisticated fraud detection-like monitoring capabilities. Banks have learned that they can identify a large percentage of fraud attempts by relentlessly applying context to transactions – context about the person, his or her history and historical activity patterns; context about people who fit a similar profile; context about past fraud patterns. We as industry solution providers need to do the same.
There is a lot of buzz in our industry about security intelligence; however, to date it has been anything but intelligent. The activity and traffic monitors such as SIEM and deep packet inspection products have been looking at streams of information flows without the context to make sense of them. This is a bit like analyzing a baseball game by looking only at the types of pitches and result (hit, walk, out) — without understanding who is pitching, who is up to bat, what their past patterns have been, the ballpark, or the weather. In other words, the "Moneyball" factor has been missing.
The call to arms for those of us in the vendor community is to start delivering context-rich monitoring. No matter how much education our customers provide to users, some phishing attacks will succeed and some breaches will occur that compromise user credentials.
We have to help our customers realize that what may look like a customer, partner or staff member may not in fact be so. Just because it looks and quacks like a duck doesn’t mean it is a duck. And only by adding context can we help our customers see that.
Courion recently garnered three prestigious awards for Global Excellence from Info Security Products Guide, the industry’s leading information security research and advisory guide, at the 2013 Global Excellence awards in San Francisco.
- Access Insight™ named as a Silver winner for the 2013 Global Excellence Awards in Most Innovative Security Product (Software) of the Year
- CourionLive™ named as a Silver winner in the SaaS/Cloud Solutions category
- Courion’s HCR ManorCare customer story named as a Bronze winner in the Best Deployments and Case Studies, USA, category
Access Insight, Courion’s premier Identity and Access Intelligence (IAI) solution, pinpoints risks in enterprise blind spots in real-time by applying proprietary analytics to the flood of data produced by everyday computing activities.
Leading global analyst firm, KuppingerCole, recently named Courion a leader in product, innovation and overall strength in the KuppingerCole Leadership Compass for access governance. The report, authored by Martin Kuppinger, founder and principal analyst at KuppingerCole, evaluated 18 products in the access governance space.
"Courion definitely is amongst the vendors that should be taken into account when looking for an Access Governance solution. They show innovativeness and provide a feature-rich, established and well-integrated platform" says Kuppinger.
Access governance has become critical as chief information security officers (CISOs) increasingly focus their attention on reducing risk through proactive verification of business users’ access rights. Its importance is growing along with the rising frequency of data breaches around the world. For CISOs researching access governance solutions, the survey recognizes providers that merit consideration.
KuppingerCole notes that access governance is the fastest-growing segment in the IAM market. Access governance is gaining traction because of the need for organizations to ensure that the right people have the right access to the right resources and to demonstrate they are doing the right things with this access.
To access your free copy of the complete report, visit the Courion Resource Center.
Over the weekend, InformationWeek reported that Evernote reset every user's password because of an intrusion in their network. The hackers reportedly accessed user names, email addresses and encrypted passwords for 50 million users, or nearly one fifth the population of the United States. Were you one of them?
Evernote. Yahoo! LinkedIn. Each week, another popular website reports it has had a password file hacked. The frequency of cyber attacks and data breaches is increasing. The bad guys are out there, attacking these and other websites you use each and every day. A Google search for "Facebook password hacking software" returns 4.5 million results!
These bad guys are not just doing this to get access to your Timeline or to see whether you have reached 500+ LinkedIn connections. Let's not kid ourselves — their objectives are more nefarious. Hacker organizations, formal and informal, have a pre-meditated plan and are not just randomly attacking sites. Frequently, a data breach at one website provides the keys to the kingdom at another.
Increasingly, organized crime, rogue states and hacktivists use the information gathered from websites like these to target you personally, financially and at work. For example, they collect information, such as what department you work in and perhaps your colleagues' names and email addresses, to help create spear-phishing attacks — all designed to lure you to download malware.
The next time you rush to reset a password after learning that a website you use has been compromised, consider:
- Did you use that password, or even a part of that password, for other services such as online banking? For your workplace network or remote access password? (It's easy enough to find out where you work, isn't it?)
- What information would the hacker gain access to if he had your password? What additional personal data is included in your account profile?
- Many sites enable you to reset your password by answering questions such as your first pet's name or mother's maiden name. Do you use that same authentication information at other sites? At work?
The use of passwords will not be replaced by a new improved authentication process any time soon. So what to do? You can scribble passwords down, use password vaults, or create a clever algorithm to remember them all. While there may be many ways to manage the plethora of passwords you have, you can take just a few steps now to prevent a breach at any one website from rippling through your cyber persona elsewhere:
- Understand how each site you use stores information. Is it encrypted? Hashed?
- Understand what the impact of a breach at each site would be. Would you potentially lose money? Have your credit score impacted? Have personal information stolen that could be used elsewhere?
- Evaluate the overlap of passwords, password reset questions and other credentials at the websites you frequent and make adjustments, so that a breach at a low-security website does not compromise your account at a high-impact website.
In the corporate world, Chief Information Security Officers know that they have to not only maintain security but also proactively focus on risk management. They accept that the surface vulnerabilities and threat vectors are so broad and diverse that "complete security" is a misnomer. Instead, their best bet is to recognize where risk is highest and focus attention on those areas and address hot spots before an incident occurs.
Similarly, we as consumers need to become risk managers. We need to understand how the sites we use handle our information, and how that might enable compromises at other sites. Like the Chief Information Security Officer, we need to be proactive in eliminating risk after we have identified how our personal data might be vulnerable.
As the Evernote breach demonstrates: there is no time like the present to get started.
In a recent interview with Info Security Products Guide, Courion President and CEO, Chris Zannetos, spoke with Rake Narang about the identity and access management challenges facing most organizations today.
“Most organizations today have a highly complex infrastructure made up of many applications, systems and networks, all with the potential to expose the company to information security risks if user access is not properly managed. Add in growing trends, like cloud computing and BYOD, which create open environments and leave an organization more vulnerable to breaches as users access information from outside their walls.”
Highlights of the article include:
- What is causing data breaches to rise -- and what companies can do about it
- Why are organizations failing to recognize the IAM gap -- and what they should be doing to address it
- What is the next radical change in Identity Management and Access Governance solutions?
- What should CSOs look for when selecting an identity and access management solution?
Top Ten Reasons to register now for CONVERGE, Courion's annual customer conference:
- Hear success stories from customers achieving value today from their deployment and leveraging the Courion Suite in creative ways.
- Attend strategic and technical presentations and learn about product updates, emerging threats and industry trends – everything you need to know to stay miles ahead of the competition.
- Spend time with Courion executives, professional services consultants and engineering staff.
- Network with your peers during dedicated sessions and social activities.
- See live demos of Courion products and customer deployments you won't see anywhere else.
- Meet with Courion and our partners in the Solutions Showcase to learn how you can extend the value of your Courion deployment.
- Participate in an interactive conference game and be eligible to win a grand prize!
- Earn CPE credits toward your CISSP or other professional certification.
- Early bird registration ends March 1st – Significantly lower than other industry conferences, right now it's just $449 (regular registration is $599).
- Experience an event like no other – If you attend just one professional conference this year, make it CONVERGE 2013. Need help with approval? Share our justification letter with your manager to support your attendance.
View the detailed agenda and check back regularly for updates.
Don't miss out on these great benefits! Register for CONVERGE 2013 today!
Does it take hours, or even days to provision a new employee, or shut off access rights to one who has been terminated? Not only is productivity hampered, but your organization is wide open to the real threat of access risk. It’s time to automate your manual IAM processes with solutions from a proven leader in Identity and Access Management.
For the sixth year in a row, Gartner has positioned Courion in the Leaders Quadrant of the Gartner 2012 Magic Quadrant for User Administration and Provisioning (UAP). UAP is a key component of a comprehensive IAM strategy.
According to Gartner, “The 2012 Magic Quadrant focuses on ease of deployment, ongoing operations, and maintenance and vendor management as a sign of maturity. It also evaluates marketing vision and execution, and analyzes sales and advertising execution as part of the overall experience.
Courion is a mature pure-play IAM vendor recognized as a significant competitor to larger IAM-suite-based alternatives. The company's earliest roots were in the password management market, and Courion has grown to provide viable full-service user administration and IAG experiences. Courion's focus for several years has been on delivering IAM solutions that are compliance-focused and business-friendly.”
To read the full report, click here and download your free copy of the Gartner 2012 Magic Quadrant for User Administration and Provisioning report.