My previous blog was about weather – well, that weather caused an ice dam, and that ice dam caused a small roof leak. When I saw the small outline of water on the wall in my home, my first thought was not, “Well, it looks like I need to paint the wall.” My first thought was, “Well, I better find and fix that leak before I have a serious problem.”
That water stain got me thinking about other warning signs, and what people do about them:
– Tire pressure light: Put air in your tires
– Pants too tight: Go on a diet, and workout
– Chest pain, nausea, and pain in your arm: Go to the emergency room
All of these signs are time sensitive. They may turn out to be nothing, but you don’t want to wait until you have a flat, your buttons pop, or you’re unconscious before doing something.
I bet Target, the NSA, RSA, and countless other organizations wish they had a real-time warning that a breach was imminent. Do you wish you had a warning indicator when hackers are trying to exploit vulnerable accounts? Well, one exists. Unfortunately, you may not have implemented it yet.
Traditional compliance is like painting over a water stain on a wall once a quarter, while Access Insight is like monitoring for the leak minute-by-minute and fixing the roof at the first drip of water.
Most of us are familiar with purchasing insurance to protect ourselves from unforeseen events and potential loss of our valuable assets. Sometimes, insurance is mandated in order to secure financing for the purchase of a home or a car. In other cases, we may opt to carry insurance to protect our families against loss of income should something happen to us. Alternatively, we may possess valuable assets such as rare pieces of art, precious jewelry, or expensive electronics and we may want to have the ability to replace the cost of those treasured items if there was an intruder who knew how and when to break in and steal our property.
The same is true for companies that want to protect themselves against the liability that occurs if, or when, protected health information, intellectual property, company confidential financial data, or other personally identifiable information is compromised through unauthorized access to company assets. Interestingly, the need for insurance against such threats, or “cyber attacks”, has been recognized for a decade as reported by the Boston Globe in an article published on February 17, 2014.
The article cites that Liberty Mutual Insurance has had a 30% increase in sales of cyber insurance policies in the past year. That statistic emphasizes the trend that what used to be optional is now becoming a necessity. Companies cannot afford the risks associated with the loss of information, damage to their brand, and costs associated with violation of federal regulations. The cost of purchasing insurance is more predictable and helps protect the company.
Let’s consider the fact that purchasing insurance helps to mitigate the costs after a breach has occurred. The damage has already been done and there is no guarantee, as pointed out in the article, that insurance will cover all of the costs associated with the cyber attack. Insurance is essentially a backup plan in the event that a breach occurs. It may protect against some of the costs, but it won’t repair a damaged reputation.
Now let’s consider the possible things that a company can do to prevent attacks from occurring in the first place. There are different areas of vulnerabilities for which there have been long-standing methods to combat threats to networks, data, and security.
Acknowledging the increasing risk of a cyber attack is a huge stride towards making sure that your company is ahead of the curve and leveraging the tools available to minimize the risk of potential threats. The latest area that is emerging to combat cyber threats is intelligent IAM. Intelligent IAM uses information collected from your infrastructure to reduce the threat surface, detect aberrations in real time, and help to ensure that company security policies are met on an ongoing basis.
We now know that Edward Snowden used security credentials provided unwittingly by colleagues at a base in Hawaii to access some of the classified material he leaked to the media.
This news provides a case in point for my October 2013 blog post, which shared this statistic from a recent Forrester Research report: 36% of information losses are due to inadvertent misuse of data by employees. Insider threats are just that, threats, and should be treated with just as much gravity as the defend and detect strategies for external cyber threats receive.
If you don’t think the inside threat of a data breach by employees is important, consider the results of a survey Courion conducted in collaboration with Harris Interactive in May of 2013:
—Nearly 1 in 5 employees (19 percent) age 18-34 who work in an office setting would take company information like customer data, price lists or product plans with them if they knew they were about to be terminated.
—Nearly 1 in 6 employees (16 percent) in an office setting have been able to use old user IDs and passwords to access a former employer’s computing systems.
Education and training of employees should be your first move, and you should make it now. While we do not endorse any specific employee education resource, you may find the information provided by the non-profit National Cyber Security Alliance here a useful starting point.
After employee education, what else should you do? With the media heralding every new data breach as a “the sky is falling!” event, most CISOs are ready to take action to reduce the risk of an inside threat, but just how, exactly? In a late January post on this blog, my colleague Kurt Johnson outlined a few steps you can take right now:
—Look outside AND In. First, hackers are not limited to external parties trying to break into systems via unauthorized ways. A lot of very serious harm can occur by people with legitimate access doing some bad things with it.
—Re-examine access privileges in light of the fact that many breaches involve insiders. Second, it points out how much harm can be done from unauthorized access. Critical data is not just that governed by regulation. There is more and more critical company information available and accessible that could cause an organization significant harm if stolen.
—Examine user access behavior relative to role, relative to peers and relative to historical behavior. Third, user activity is a key ingredient to overall authorized vs. unauthorized access and is something that needs to be examined in the context of identity. Most likely the computer activity done by these employees was atypical from what they usually do and atypical for people in their job functions and roles. A routine user certification review certainly would not have indicated any threat given the accounts were valid. This is exactly where an identity and access intelligence tool such as Access Insight comes in handy.
—Create strong employment policies so you have a legal leg to stand on.
—Finally, effective policy creation and communication is critical.
The words “weapon of mass destruction” are not a common household term, but it is one that is often bandied about in my home. This has come about because my husband is an academic whose entire career has focused on nuclear weapons, arms control, and American defense policy. So we often characterize household issues using uncommon vernacular that fits within these categories.
It occurred to me recently that while “weapon of mass destruction” has been used for the past 80 years to identify chemical, nuclear and biological weapons, there is another weapon lurking out there that can also be characterized as a WMD because it too can cause great harm and destruction. And while the magnitude of this new weapon can’t be compared to the loss of life caused by atomic missiles and chemical weapons, the magnitude of destruction it can cause is also massive. While this new threat can be characterized as a “weapon of terror” or a “weapon of intimidation”, it is more commonly known as “cyber technology threat”. Regardless of the specific designation, however, the bottom line is that all these weapons cause significant, destructive impact within seconds of reaching their target. And the targets themselves can vary from cities, to specific individuals in enemy territory, to network systems, to private health care information, to our personal financial information, to our children’s school and sports schedules.
The opportunity for this new WMD to cause harm presents itself in a seemingly innocent and innocuous way. It begins with a password. It begins with access. And here again, the analogy to the nuclear world is very clear. Unauthorized access has been a challenge and major concern since the first atomic bomb was designed. Imagine a stereotypical movie scene in which two military personnel desperately struggle to reach the missile launch switches that must be thrown simultaneously. Or the codes which are dispersed so that no one individual has the power to authorize a missile launch. We take great care to manage access to nuclear power in whatever form. We must now take great care to prevent access by the new WMD.
These threats clearly occur at multiple levels: threats to individual privacy, to corporate information and operations, to critical social infrastructure (electricity grids, for example), and even to military activities. And we have seen incidents of these threats continue to rise in number as technology becomes more sophisticated and we become more dependent on new technologies to navigate through our daily lives as students, farmers, sports enthusiasts, software programmers, or professionals.
Intelligent IAM is the best defense system that can be installed to manage access risks. Think of it in the same way we think of missile defense systems. Think of it as an Early Warning System that initiates alerts to possible issues and questionable behaviors. Think of it as a system that prevents massive destruction by the new WMD, cyber technology threat.
Every winter my wife and I look at each other and say, “Why don’t we move somewhere warmer?” After looking at the national weather map, it looks like this winter there is nowhere “warmer.” Temperatures in Atlanta are dropping into the single digits, Boston has had many ‘negative degree’ days, and even my beloved Naples, FL has experienced some uncharacteristically cold streaks.
On the bright side, technology allows me to see tomorrow’s weather, a 5-day forecast, and even a 10-day view of the weather at any location my travels may take me. Do I need to pack a warmer coat? An umbrella? Galoshes? These forecasts are a combination of historic weather, current patterns, and a mix of experiential analytics.
Just like I don’t want to get stuck in Charlotte on a 25 degree day with only a sweatshirt, the same is true for my corporate customers, who don’t want to find out they’ve had inappropriate access lingering in between provisioning events or re-certification campaigns.
Courion continues to be recognized as a leader in provisioning and compliance. But being a leader in existing technologies isn’t enough for the customers we serve. Over the past four years, we’ve been ratcheting up our ability to handle massive volumes of data (big identity and access data), interpreting breach trends (forensics analysis), and applying identity and access intelligence analytics. The result is our latest release of Access Insight, part of the Access Assurance Suite, which offers the equivalent of a weather forecast for risk in your enterprise.
Beyond existing core capabilities, our solution continuously monitors your access risk so on your next trip to Compliance-ville you don’t end up getting caught in the cold.
On January 9 of this year, David Nosal, a former managing director at the executive search firm Korn/Ferry International was sentenced to one year and one day in prison for violating the federal Computer Fraud and Abuse Act (CFAA) and the Economic Espionage Act after being convicted by a federal jury in April of last year. According to prosecutors, after Nosal left Korn/Ferry toward the end of 2004 he entered into an agreement with three Korn/Ferry employees to join him in starting a competing executive search firm. Before leaving, prosecutors claim the employees downloaded large amounts of confidential materials including customer contact information, source lists and other proprietary information, which Nosal intended to use in his new business.
The conviction followed years of criminal prosecution, including an appeal to the US Court of Appeals for the Ninth Circuit. The long, interesting road to the conviction includes widely divergent interpretations of the law based on the actions of the employees. Initially Nosal and the three employees were indicted on twenty counts of the CFAA for “knowingly and with intent to defraud” exceeding authorized access of the Korn/Ferry computers. Nosal appealed the verdict on the basis that the CFAA was focused on ‘computer hacking’ and did not cover employees who steal trade secrets from their computers or violate contractual confidentiality agreements. The district court eventually agreed with Nosal and overturned the five counts related to the CFAA section. A significant piece of his argument was that the employees were permitted access to the information in their jobs, and as a result did not “act without authorization” or “exceed authorized access” as specified in the CFAA.
This is an interesting point of debate, and one we’ve seen before in cases related to the interpretation of authorized vs. unauthorized access (see my blog from 2010 on the case of LVRC Holdings v. Brekka). When focusing on what is and is not computer fraud, the court ruling looked specifically at whether the user was authorized to use the computer systems or not. Doesn’t this conjure up much of the debate on the Snowden incident? The definition of unauthorized access must look at what users are doing with that access. The argument that these laws are merely for ‘hackers’ is another interesting point. Isn’t an internal employee, using their access to do bad things, a ‘hacker’? Shouldn’t the law distinguish between these two?
In the David Nosal case, the government appealed the district court decision. Their argument was that Nosal and his accomplices did, in fact, “exceed authorized access” by violating the Korn/Ferry computer access policies. The company’s policy restricted the “use and disclosure of all information, except for legitimate Korn/Ferry business”. In leading to the conviction, the court stated, “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed[ed] authorized access.’ On the other hand, a person who uses a computer ‘without authorization’ has no rights, limited or otherwise, to access the computer in question.”
This interpretation of the law points out a number of things that are critically important to enterprise organizations and security professionals. First, hackers are not limited to external parties trying to break into systems via unauthorized ways. A lot of very serious harm can occur by people with legitimate access doing some bad things with it. It’s good that the law is evolving to encompass illegitimate access by both external and internal parties, but we also need to be looking for internal threats.
Second, it points out how much harm can be done from unauthorized access. Critical data is not just that governed by regulation. There is more and more critical company information available and accessible that could cause an organization significant harm if stolen. As Assistant U.S. Attorney Kyle Waldinger stated in this case, “At the end of the day, stealing is stealing, whether you use a crowbar or a computer.”
Third, user activity is a key ingredient in deciding whether access is authorized or unauthorized, and it needs to be examined in the context of identity. Most likely the computer activity done by these employees was atypical from what they usually do and atypical for people in their job functions and roles. A routine user certification review certainly would not have indicated any threat given the accounts were valid. This is exactly where an identity and access intelligence tool such as Access Insight comes in handy.
Finally, effective policy creation and communication is critical. The ultimate court decision relied heavily on Korn/Ferry policies around appropriate use of computer systems. It’s a strong reminder that the creation of effective policy is important as is the effective management and monitoring actions against that policy. These are all further examples of the importance of looking at identity and access above and beyond a certification review.
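The third step above (examining access relative to role, to peers and to the account’s own history) is the one a certification review cannot perform, because every account it looks at is valid. As an added example that is not Courion’s code and not the logic of Access Insight, the Python script below runs two such checks over a constructed data set: an entitlement held by few of the user’s role peers, and a day of activity far outside the account’s own baseline. The user names, roles, entitlement labels and daily download counts are invented, and the 25% peer-share and z = 3 thresholds are assumptions a real deployment would tune.

```python
"""Added example (not Courion code): flag valid accounts whose access or
activity is atypical relative to role peers and to the account's own history.
Every record below is constructed for illustration."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample: (user, role, entitlements, daily download counts).
# The last element of the count list is the most recent day.
SAMPLE_USERS = [
    ("alice", "recruiter", {"crm-read", "email"}, [12, 9, 14, 11, 10, 13, 12]),
    ("bob",   "recruiter", {"crm-read", "email"}, [8, 11, 10, 9, 12, 10, 11]),
    ("carol", "recruiter", {"crm-read", "email"}, [10, 12, 11, 9, 10, 11, 10]),
    # dave holds an export right none of his peers have, and spiked yesterday
    ("dave",  "recruiter", {"crm-read", "email", "crm-export"}, [11, 10, 12, 9, 10, 11, 410]),
    ("erin",  "finance",   {"ledger-read", "email"}, [3, 4, 2, 5, 3, 4, 3]),
    ("frank", "finance",   {"ledger-read", "email"}, [4, 3, 5, 4, 2, 3, 4]),
]


def peer_rare_entitlements(users, max_peer_share=0.25):
    """Return {user: [entitlement, ...]} for entitlements held by at most
    max_peer_share of the user's role peers (the user included). All grants
    are valid, so a certification review passes them; the comparison against
    peers is what surfaces the unusual one."""
    by_role = defaultdict(list)
    for user, role, ents, _ in users:
        by_role[role].append((user, ents))
    findings = {}
    for members in by_role.values():
        holders = Counter(e for _, ents in members for e in ents)
        n = len(members)
        for user, ents in members:
            rare = sorted(e for e in ents if holders[e] / n <= max_peer_share)
            if rare:
                findings[user] = rare
    return findings


def activity_zscore(history, recent):
    """z-score of the most recent day against the account's own prior days.
    A flat history with any change at all is treated as an infinite deviation
    rather than a division by zero."""
    base_mean = mean(history)
    base_sd = pstdev(history)
    if base_sd == 0:
        return 0.0 if recent == base_mean else float("inf")
    return (recent - base_mean) / base_sd


def historical_outliers(users, z_threshold=3.0):
    """Return {user: z} for accounts whose latest day exceeds z_threshold
    standard deviations above their own baseline."""
    findings = {}
    for user, _, _, counts in users:
        history, recent = counts[:-1], counts[-1]
        z = activity_zscore(history, recent)
        if z >= z_threshold:
            findings[user] = round(z, 1)
    return findings


def review_access(users, max_peer_share=0.25, z_threshold=3.0):
    """Combine both checks into one report keyed by user."""
    report = defaultdict(dict)
    for user, ents in peer_rare_entitlements(users, max_peer_share).items():
        report[user]["rare_entitlements"] = ents
    for user, z in historical_outliers(users, z_threshold).items():
        report[user]["activity_zscore"] = z
    return dict(report)


if __name__ == "__main__":
    for user, details in review_access(SAMPLE_USERS).items():
        print(user, details)
```

Both checks are deliberately simple statistics; the point is that neither depends on an account being invalid. A real feed would replace the constructed download counts with whatever activity source the organization already logs and would key peers on role plus department rather than role alone.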
Last November was the 150th anniversary of the Gettysburg Address, delivered by President Abraham Lincoln at the dedication of the Soldiers' National Cemetery in Gettysburg, Pennsylvania, four months after the famous battle.
But Lincoln was not the featured speaker at the event. That honor went to Edward Everett, a former congressman, governor, ambassador, secretary of state and college president who delivered a two-hour oration that has been completely forgotten. Contrast that with Lincoln’s address: in less than two minutes he delivered a message that was clear, concise and memorable.
So what does this have to do with Identity and Access Management? Courion recently announced the concept of Big Identity Data, which is electronic information produced by the constant activity of identity and access management. It includes bringing on new users or terminating others, activating new devices, launching new applications, granting access rights, and changing user roles. This "identity universe" rapidly expands with the growth of Users (needing easy access to business information and systems); Rights to those resources; Targets, i.e., applications, data stores and other resources users need to get their jobs done; Policies regulating what users are and are not allowed to do; and Platforms, including in house networks, the cloud, mobile devices and SaaS.
That’s a lot of complexity to manage, right? And if you needed to articulate this challenge, and the impact it has on your organization, would you need two minutes, or two hours?
I recently spoke with a customer who described the challenge this way: they are constantly adding new people, new applications and new companies to the portfolio. They need to find a way to streamline provisioning, automate governance and utilize analytics to discover hidden risks. But they can only bite off a certain amount at a time, so they prefer to take the components in a modular form for an orderly, planned rollout.
What he asked for is an “intelligent approach to IAM that aligns with his company’s roadmap for growth”. Simple, concise and memorable, that message walked the halls within his organization and won the necessary approvals to implement.
So what is your roadmap for growth? Do you have a strategic approach for managing employee and partner access to business information and systems? Where should you start? Risks naturally crop up as you grow your company, incorporate new users and consolidate the disparate IT infrastructures you acquire. Address these risks early and decisively, because it gets more challenging the longer you wait. And articulate the challenge clearly to your organization. Otherwise it might be forgotten like what’s-his-name’s 2-hour speech.
Happy New Year. I hope 2013 was a good one for everyone and best wishes to a healthy and prosperous 2014. As always, New Year’s resolutions are top of mind, and I vow (again) to make more frequent blogging one of my resolutions. Let’s hope I do better than I have in the past. I like that AT&T commercial where the guy is talking with the kids and one says his New Year’s “revolution” is to eat more jelly beans. I’m not sure more blogging is as easy to accomplish, so I also have the resolution to drink more wine to ensure some level of success. But, in regard to blogging, I will do my best.
Late last year I attended the Gartner Identity and Access Management Summit in Los Angeles. In the keynote presentation the group of Gartner analysts focusing on identity presented “Seven Ways in Which IAM Then Will Be Unlike IAM Now”. Number six on that list was that “identity intelligence finally gets a brain”. The accompanying strategic planning initiative behind this projection states, “By year-end 2020, identity analytics and intelligence (IAI) tools will deliver direct business value (that is, outside the scope of [Identity Governance and Administration]) in 60% of enterprises, up from <5% today.” That’s quite an increase.
I laud the statement. In order to accomplish it, however, I think we have to come to terms on what is real as it relates to IAI. While IAI is in its very early stages of maturity, it is already falling victim to the abuse of buzzword barrage and vendor ambiguity. Courion started conversations about identity analytics and intelligence a few years ago. It dawned on us that there needed to be a new approach to seeing identity and access risk, vulnerabilities, and operational trends. A new approach is what led us to the introduction of a new product to the suite that, in a nutshell, is a business intelligence solution built specifically for identity and access management.
A recent conversation I was having with a CISO put it this way. His assessment of risk was a combination of how big a target you are and how valuable your data is, balanced with the level of visibility and insight you have into the potential of a breach. This made great sense to me. Obviously the hackers are going to want what is most interesting and valuable. The level of visibility and insight is what continues to worry me, especially around IAM. What comfort do we have when most of the visibility and insight is done once or twice a year during an audit review?
Certain facts are hard to refute. There are more breaches than ever before. Identity and access are increasingly popular methods of coordinating attacks and stealing data. In fact, the Verizon 2013 Data Breach Investigations Report stated that 76% of the breaches investigated (the largest percentage of any type) were by exploitation of weak and stolen credentials. There is more valuable data online than ever before being accessed by an increasing number and variety of users. Still, the majority of organizations have limited visibility and insight into what is going on, and it is most often through an access certification review done only once or twice a year.
Today we announced that Courion is in the Leaders Quadrant in Gartner’s Magic Quadrant report for Identity Governance and Administration (IGA). We are honored that Courion was one of four companies thus recognized and was evaluated by Gartner on its ability to execute and the completeness of its vision.
We believe this is further affirmation of Courion’s commitment to Identity and Access Management over the last 16 years. Since 2007, Courion has been positioned in the Leaders Quadrant in Gartner Magic Quadrants nine times, even as the category has evolved from ‘user administration and provisioning’ and ‘identity and access governance’ to the merged ‘identity governance and administration’.
In 2013, Courion was also lauded by several other analyst firms and publishers, such as KuppingerCole, DataWEEK, Network Products Guide and Info Security Products Guide.
The Gartner report guides readers to, “use this Magic Quadrant as a reference for evaluations, but explore further to qualify the capacity of each vendor to address your unique business problems and technical concerns."
Let’s say you take that advice to heart. Just how would you evaluate the four leaders, or other vendors, given your specific needs?
You might consider whether the solution will be easy for your security team and other departmental managers to use. You could ask whether the company offers connectors for the data and applications that are in common use in your company and industry. You could investigate the company’s ability to help their customers implement the solution. You might even consider what the next stage of IAM will bring, and whether a particular vendor can help you clear the next hurdle, one that you might not even see yet.
If those criteria are important to you, take a closer look at Courion. Courion’s Access Assurance Suite offers an intuitive user interface that business executives, not just IT professionals, can use for performing routine tasks such as access requests, approvals and certifications. Would that help your IT staff be more productive, more quickly?
Courion’s separately packaged connectors are tailored to help customers in vertical markets such as financial services, healthcare, manufacturing and retail get up and running quickly. Does your company fall into one of those categories? In addition, Courion’s well-established implementation methodology, honed through its experience serving more than 600 customers, may well reduce your installation time and costs.
You might also want to consider what is next on the horizon for IAM, or IGA. Industry pundits increasingly agree that the next generation of IAM products will leverage the big data in your identity and access system to inform, improve and optimize your ability to automate common IAM tasks, maintain continuous compliance and recognize and reduce risk through the use of analytics, or Identity and Access Intelligence (IAI). If that is indeed where the market is going, then you really only have one choice, Courion, the company that offers robust identity analytics and intelligence capabilities.
Click this link to download the complete Gartner Magic Quadrant report on Identity Governance and Administration (IGA).
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
I am certain that I am not alone when I say that football is the ultimate team sport, and that great teams often excel in all three phases of the game (Offense, Defense and Special Teams). I believe that a company can be a lot like a winning football team, where different attributes, and the interaction between each of those attributes, can define a company’s greatness, or the greatness in what it delivers to its customers. This blog uses the three phases of football as an analogy to explore some key attributes that enable Courion to provide the best IAM solution to its customers.
From delivering the first Password Management solution 16 years ago to delivering the most recent Identity and Access Intelligence solution, Courion has, and continues to be, an innovator in its space. The fact that Courion is 100% focused on Identity and Access Management allows Courion to invest in next-generation solutions, paving the way for organizations to address their Identity and Access Risk Management needs in the most efficient manner. Similar to how good offenses stay ahead of their opposition on the field, innovation enables Courion to consistently stay ahead of its competition.
Technology is the spine for all enterprise software product companies. Reliability, scalability, security, and extensibility are a few of the complex requirements that determine whether a particular technology solution is fit for an enterprise wide roll out. All of these factors are embodied in Courion’s solution, which has been deployed in myriad organizations of varying sizes and in widely disparate vertical industries, confirming that Courion technology is proven to work in the most challenging of environments.
The solution is also architected in a fashion that allows organizations to address their immediate needs while also making it possible for them to be well prepared for future requirements. This enables organizations to see tangible incremental progress throughout the deployment process.
Similar to how good defenses are well prepared to adapt and handle anything that is thrown at them in real-time, Courion’s underlying technology provides the most effective IAM solution to its customers, regardless of where they are in the deployment process.
With more than 16 years of experience and hundreds of successful implementations, Courion is uniquely positioned to understand the various IAM requirements organizations may have and implement effectively. Courion implements the technology that it also builds, and provides business consulting on best practices and implementation methodologies and processes.
This is a key point of differentiation for prospective customers to consider, since projects often go astray when implementation is passed to a third-party service provider. Just as a winning football team with a gifted special teams unit exploits the benefit of great field position during the course of a game to win, Courion capitalizes on its experience, proven methodology and expertise to ensure a successful IAM implementation.