
Courion Corporation


Wait, There’s More in 8.4!


Peter George

In a Tuesday, August 26th press release and follow-on blog post, we shared a few details regarding how the latest version of the Access Assurance Suite leverages intelligence at the initial point of provisioning. This new capability ensures that you don’t inadvertently provide users with access that may lead to a governance violation. It complements the IAM suite’s existing use of intelligence to monitor users’ access and to automatically alert you or take action when a user’s access falls out of compliance. But wait, there’s even more in 8.4!

The latest version of the Access Assurance Suite also enables you to easily configure your identity and access management system to reflect how you intuitively think about your business. Now your users can search for access, approve requests, and certify access in your own familiar everyday language and with your own natural organizational structure. We call this Access Your Way. This new access model can be used along with our suite’s existing tagging capabilities, improving your ability to categorize access for fast, intuitive user searches.

We’ve also leveraged new user interface technology to give the product a fresh new look and to extend support to a variety of additional browsers and devices. You can now use the Access Assurance Suite from an expanded range of Google Chrome, Internet Explorer and Mozilla Firefox browsers across PCs, tablets, and mobile phones. The Access Assurance Suite’s responsive new user interface automatically scales to different browser and device sizes. There’s no longer a need to wait until you get to your desk to reset your password. Just grab your Apple or Android cell phone or tablet and go.

Of course, intelligent provisioning, Access Your Way, and a great user experience are only part of what’s new. The 8.4 release includes dozens of other new capabilities ranging from expanded user dashboards to increased control over delegation to more sophisticated encryption and hashing algorithms to simplified self-service capabilities.

To learn more click here or call us at 866.COURION.

Baking In Intelligence at the Beginning


Nick Berents

Recently we announced the latest version of the Access Assurance Suite. The 8.4 revision brings Courion’s market-leading intelligence capabilities to where it all begins, provisioning. Now, business policy validation is fully baked into the access definition and user provisioning process in real-time. As a result, inappropriate access assignments can now be flagged from the start and prevented.

Here’s how it works: when an access request is submitted, the embedded intelligence engine alerts the user with a list of defined business policy violations.

For example, an alert could be triggered automatically if a user requested access to both create purchase orders and approve orders, a Segregation of Duty (SoD) business policy violation.

You are then able to remedy the violation or request a policy exemption. All of your approvers can easily view the history of the request along with any follow-on exemption requests, providing a more intuitive approval process and eliminating bottlenecks.

This is a great complement to the suite’s existing continuous monitoring capabilities, which detect business policy violations whenever they occur, enabling provisioning remediation without the need for human intervention and further automating the governance process. Now your organization can both start compliant and stay compliant on an ongoing basis. A nice one-two punch!
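The provisioning-time check described above, written out as an added example (not Courion's implementation or API). Rule ids, entitlement names, users and the exemption model are assumptions made for illustration.

```python
"""Segregation-of-Duty (SoD) check evaluated when an access request is submitted."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    side_a: frozenset   # holding anything from side_a ...
    side_b: frozenset   # ... conflicts with holding anything from side_b
    description: str


@dataclass(frozen=True)
class Exemption:
    user: str
    rule_id: str
    approved_by: str
    expires: date


@dataclass(frozen=True)
class Violation:
    rule_id: str
    description: str
    requested: tuple      # entitlements in this request that take part in the conflict
    already_held: tuple   # entitlements the user already holds that take part in it
    exempted: bool


def evaluate_request(user, held, requested, rules, exemptions, today):
    """Return (decision, violations) before anything is provisioned.

    decision is "allow", "allow_with_exemption" or "blocked".
    """
    held, requested = set(held), set(requested)
    effective = held | requested  # what the user would hold if the request were granted
    # An exemption counts only if it is unexpired and was not self-approved.
    valid = {e.rule_id for e in exemptions
             if e.user == user and e.expires >= today and e.approved_by != user}
    violations = []
    for rule in rules:
        a, b = effective & rule.side_a, effective & rule.side_b
        if not a or not b:
            continue
        involved = a | b
        newly_requested = (requested - held) & involved
        if not newly_requested:
            # Conflict already existed before this request: that is a finding
            # for continuous monitoring, not a reason to block this request.
            continue
        violations.append(Violation(
            rule.rule_id, rule.description,
            tuple(sorted(newly_requested)), tuple(sorted(involved & held)),
            rule.rule_id in valid))
    if any(not v.exempted for v in violations):
        return "blocked", violations
    return ("allow_with_exemption" if violations else "allow"), violations


# Constructed policy and exemption data.
RULES = [
    SodRule("SOD-001", frozenset({"po.create"}), frozenset({"po.approve"}),
            "Create and approve purchase orders"),
    SodRule("SOD-002", frozenset({"vendor.maintain"}), frozenset({"payment.release"}),
            "Maintain vendors and release payments"),
]
EXEMPTIONS = [
    Exemption("dlee", "SOD-001", "cfo", date(2014, 12, 31)),
    Exemption("mroy", "SOD-001", "mroy", date(2014, 12, 31)),  # self-approved: ignored
]
TODAY = date(2014, 9, 1)

if __name__ == "__main__":
    for user, held, req in [
        ("asmith", {"po.create"}, {"po.approve"}),
        ("bjones", set(), {"po.create", "po.approve"}),
        ("dlee", {"po.create"}, {"po.approve"}),
        ("mroy", {"po.create"}, {"po.approve"}),
    ]:
        decision, found = evaluate_request(user, held, req, RULES, EXEMPTIONS, TODAY)
        print(user, decision, [(v.rule_id, v.requested, v.already_held) for v in found])
```

The check runs against what the user would hold after the grant, so it catches a conflict split across an old entitlement and a new request as well as one contained in a single request.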

Watch for future posts about additional new features in 8.4.

Same “Stuff”, Different Day


Chris Sullivan

On August 20th, UPS Stores announced that they hired a private security company to perform a review of their Point of Sale (PoS) systems after receiving Alert (TA14-212A) Backoff Point-of-Sale Malware about a new form of PoS attack and, surprise, they found out that they had a problem. They released some information about which stores were affected and the type of information that was exposed, but little else. Freedom of Information Act requests have already been filed.

What followed was the predictable media buzz, where it was postulated that this was yet another PoS breach similar to those that affected Neiman Marcus and Target. While there is some truth in this, there are interesting bits that make this case very different.

What’s different?

  • This was a brute force password attack against remote desktop applications (the list named in the Alert includes Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn).

  • Because UPS is a franchise, the PoS systems are not centrally managed, so each store was individually hacked. This might explain why the actual impact was low (1% of the stores affected) and why UPS is not completely certain what was taken.

  • At the time of the breach, the malware was not detectable with conventional tools.

What’s the same?

  • It was a Point of Sale (PoS) based attack using one of many PoS rootkits.

  • The initial compromise provided access to privileged accounts, enabling lateral movement and control of the payment systems.

  • Alert (TA14-212A) guidance on access-related controls to reduce this type of risk is:

      • Define complex password parameters

      • Limit administrative privileges for users and applications

      • Assign strong password security solutions to prevent application modification

      • Implement least privileges and ACLs on users and applications on the system.

  • The official guidance fails to recognize that periodic reviews are done too infrequently and too superficially to prevent or, in most cases, even detect such activities.

  • European Union residents, armed with EMV protected cards, may feel they are immune to these problems. If this were the case, then why are we seeing a dramatic rise in the use of card scrapers throughout Europe? Perhaps that’s a topic for another time.

What can you do to deter a breach that takes advantage of vulnerabilities in your identity and access equation? Begin by practicing good hygiene by following the identity and access controls recommended in Alert (TA14-212A), the 2014 Verizon Data Breach Report and the SANS Security Controls Version 5 as outlined by my colleague Brian Milas in this blog post.

What can you do to detect a breach as soon as possible? Brian points out in the same post that by using an intelligent IAM solution, you will be better equipped to minimize the type of access risk that leads to a breach by provisioning users effectively from the start, but also will be better able to detect access risk issues as they happen and remediate them on an ongoing basis by leveraging continuous monitoring capabilities.

The point is, regardless of the exact details and mechanisms employed in an attack, you can and should do what is under your control to minimize risk and equip yourself for early detection. Identity and access intelligence is a good place to start.
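One way to watch for the password-guessing pattern described above as it happens, rather than at the next periodic review. This is an added example, not from the Alert or the post: the log format, host names and thresholds are constructed, and the addresses come from documentation ranges.

```python
"""Flag bursts of failed remote logins, and a success that follows such a burst."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: <ISO timestamp> <host> remote-login <OK|FAIL> user=<u> src=<ip>
LINE = re.compile(r"^(\S+) (\S+) remote-login (OK|FAIL) user=(\S+) src=(\S+)$")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts in log order. Lines are assumed to be in time order.

    Failures are tracked per (host, source address), so one store's noisy
    user does not mask or trigger an alert for another store.
    """
    recent = defaultdict(deque)  # (host, src) -> timestamps of failures inside the window
    alerted = set()              # keys that already raised a burst alert
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a remote-login record
        ts = datetime.fromisoformat(m.group(1))
        host, result, user, src = m.group(2), m.group(3), m.group(4), m.group(5)
        key = (host, src)
        failures = recent[key]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if result == "FAIL":
            failures.append(ts)
            if len(failures) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "bruteforce", "host": host, "src": src,
                               "failures": len(failures), "at": ts})
        elif len(failures) >= threshold:
            # A success right after a burst of failures is the event that
            # warrants waking someone up: the guessing may have worked.
            alerts.append({"type": "success_after_bruteforce", "host": host,
                           "src": src, "user": user, "at": ts})
            failures.clear()
            alerted.discard(key)
    return alerts


# Constructed sample: a burst followed by a success, a user who mistyped a
# password twice, and slow failures that never reach the threshold.
SAMPLE_LOG = """\
2014-08-01T02:10:01 store-017 remote-login FAIL user=admin src=203.0.113.9
2014-08-01T02:10:09 store-017 remote-login FAIL user=admin src=203.0.113.9
2014-08-01T02:10:15 store-017 remote-login FAIL user=admin src=203.0.113.9
2014-08-01T02:10:22 store-017 remote-login FAIL user=admin src=203.0.113.9
2014-08-01T02:10:30 store-017 remote-login FAIL user=admin src=203.0.113.9
2014-08-01T02:10:41 store-017 remote-login OK user=admin src=203.0.113.9
2014-08-01T08:58:03 store-020 remote-login FAIL user=manager src=198.51.100.20
2014-08-01T08:58:20 store-020 remote-login FAIL user=manager src=198.51.100.20
2014-08-01T08:58:41 store-020 remote-login OK user=manager src=198.51.100.20
2014-08-01T09:00:00 store-031 remote-login FAIL user=admin src=203.0.113.77
2014-08-01T10:00:00 store-031 remote-login FAIL user=admin src=203.0.113.77
2014-08-01T11:00:00 store-031 remote-login FAIL user=admin src=203.0.113.77
2014-08-01T12:00:00 store-031 remote-login FAIL user=admin src=203.0.113.77
2014-08-01T13:00:00 store-031 remote-login FAIL user=admin src=203.0.113.77
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The slow failures against store-031 stay under the threshold by design of the sample, which is why a window-based rule is a complement to strong passwords and restricted remote access, not a replacement for them.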

Purdue Pharma Selects Courion to Fulfill Identity and Access Management Requirements


David DiGangi

Purdue Pharma L.P., a privately held pharmaceutical company based in Stamford, Connecticut, has selected the Courion Access Assurance Suite after an evaluation of several competing offerings. The pharmaceutical company will leverage the intelligence capabilities of the Access Assurance Suite to maintain regulatory compliance and mitigate risk.

Purdue Pharma, together with its network of independent associated US companies, has administrative, research and manufacturing facilities in Connecticut, New Jersey and North Carolina.

With implementation of the intelligence capabilities within the Courion IAM Suite, Purdue will be able to leverage this product to automate routine IAM tasks and maintain compliance with US Food & Drug Administration requirements.

Making Traditional IAM More Intelligent: Deterrence & Detection


Brian Milas

Now that Cloud Identity Summit is over, I’m taking some time to reflect on the Intelligence workshop. In the workshop we looked at some of the IAM approaches used today and some of their limitations. Given that the bad guys are motivated and creative, we need to look to new techniques to detect and deter them. Applying analytics and Intelligence fundamentally changes the game from the traditional approaches.

Reports on data breaches illustrate the large contribution that hackers make to data breaches as compared to other methods such as lost laptop or lost media. As an example, check out:

– InformationIsBeautiful.net

– Ponemon’s 2014 report on the cost of data breaches, which states, “In most countries, the primary root cause of the data breach is a malicious insider or criminal attack.”

– Verizon Data Breach Investigations Report, which states, “. . . 92% of the 100,000 incidents we’ve analyzed from the last ten years can be described in just nine basic patterns.”

– New York State Attorney General Data Breach Report, “Hacking attacks accounted for over 40 percent of data security breaches, between 2006 and 2013.”

Source: InformationisBeautiful.net

 So just how prevalent are data breaches? Consider these statistics:

– 20M

– 7.4M

– 900

– 1.3B

These numbers come from the aforementioned New York State Attorney General Report which analyzed data breaches:

– 20M: the population of New York City in July 2013

– 7.4M: the number of residents breached in 2013, that’s about 85% of the population

– 900: the number of breaches in 2013, about 2.5 per day or 8,000 records/breach.  BTW, the number has tripled since 2006

– $1.3B: the cost to the public and private citizens of these breaches

So what’s missing from today’s techniques? We see two (2) major challenges.

Deterrence: What can you do NOW in IAM to reduce the likelihood of a breach? Clean house and reduce the attack surface: get rid of abandoned accounts, make sure orphan accounts are properly managed, eliminate access that is not needed, keep Superuser administrator accounts to a minimum, manage to least privilege. For further confirmation of these suggestions, see the 2014 Verizon DBIR recommendations and the SANS 5 Security Control recommendations:

The 2014 Verizon Data Breach Incident Report recommends 4 identity and access management tactics to address insider and privilege misuse:

– Know your data and who has access to it

– Review user accounts

– Watch for data exfiltration

– Publish audit results

And the SANS Institute, a leader in computer security training, offers version 5 of the organization’s Top 20 Critical Security Controls, which recommend several identity management processes:

– Controlled Use of Administrative Privileges

– Maintenance, Monitoring, and Analysis of Audit Logs

– Account Monitoring and Control

– Data Protection
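An added example of the "clean house" step, not taken from the post or from any product: it audits an account inventory against an HR roster. The field names, the 90-day staleness threshold and the per-system admin cap are assumptions, as are the working definitions of orphan (no owner on the roster) and abandoned (no recent login).

```python
"""Account hygiene audit: orphan, abandoned and excess privileged accounts."""
from collections import defaultdict
from datetime import date, timedelta


def audit_accounts(accounts, hr_roster, today, stale_after_days=90, max_admins=2):
    """Return findings by category. Disabled accounts are ignored.

    accounts  : list of dicts (system, account, owner, last_login, privileged, enabled)
    hr_roster : dict of employee id -> "active" or "terminated"
    """
    cutoff = today - timedelta(days=stale_after_days)
    findings = {"orphan": [], "owner_departed": [], "abandoned": [], "excess_admins": []}
    admins = defaultdict(list)
    for acct in accounts:
        if not acct["enabled"]:
            continue
        name = f'{acct["system"]}/{acct["account"]}'
        status = hr_roster.get(acct["owner"])
        if status is None:
            findings["orphan"].append(name)          # nobody accountable for it
        elif status != "active":
            findings["owner_departed"].append(name)  # owner left, account still live
        last = acct["last_login"]
        if last is None or last < cutoff:
            findings["abandoned"].append(name)       # never used, or not used recently
        if acct["privileged"]:
            admins[acct["system"]].append(name)
    for system in sorted(admins):
        if len(admins[system]) > max_admins:
            findings["excess_admins"].append((system, sorted(admins[system])))
    return {category: sorted(items) for category, items in findings.items()}


# Constructed inventory and roster.
TODAY = date(2014, 9, 1)
HR_ROSTER = {"E100": "active", "E101": "active", "E102": "terminated", "E103": "active"}
ACCOUNTS = [
    {"system": "erp", "account": "jdoe", "owner": "E100",
     "last_login": date(2014, 8, 25), "privileged": False, "enabled": True},
    {"system": "erp", "account": "svc_backup", "owner": None,
     "last_login": date(2014, 8, 30), "privileged": True, "enabled": True},
    {"system": "erp", "account": "admin", "owner": "E101",
     "last_login": date(2014, 8, 29), "privileged": True, "enabled": True},
    {"system": "erp", "account": "rsmith", "owner": "E102",
     "last_login": date(2014, 3, 1), "privileged": True, "enabled": True},
    {"system": "crm", "account": "tlee", "owner": "E103",
     "last_login": None, "privileged": False, "enabled": True},
    {"system": "crm", "account": "old_test", "owner": "E999",
     "last_login": date(2013, 1, 1), "privileged": False, "enabled": False},
]

if __name__ == "__main__":
    for category, items in audit_accounts(ACCOUNTS, HR_ROSTER, TODAY).items():
        print(category, items)
```

Running the same audit on a schedule of hours rather than quarters turns it from a periodic review into the monitoring step discussed next.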

Monitoring and Detection:  Cleaning your house (reducing the attack surface) is good, but you must detect when a “spill occurs”. By monitoring and taking actions on the anomalies, you’re able to start reducing the window available for exploit, so you need to be keeping constant watch with identity and access intelligence or analytics.

To get the big picture of access across everything (from person to data) you’ll need to understand and analyze relationships between different objects and systems . . . but this quickly becomes millions and billions of relationships in the typical organization. As Mark Diodati of Ping Identity talked about in his “Modern Identity” presentation, the difficulty of managing identity and access increases with distance, which you can think of as “remoteness.”

The second challenge has to do with time, more specifically reaction time. Our ability to detect and react to a breach or vulnerability is moving slower than the adversary. Hence we have little (or no) time to act . . . we’re constantly “on our heels”.

Let’s look at a typical lifecycle with IAM. The frequency between “Assign” and “Review” may be months, quarters, or even longer:

Assign Access >> Time passes >> Things Change >> Review Access & Remediate

How do we increase the frequency of our detect/react cycle to better combat the adversary? By improving our capabilities around:

– Complexity

– Speed

We need to continually analyze and understand the complexity and monitor. “Monitor” can be done on the order of hours or minutes . . . allowing the “Review” steps to happen much more quickly.

Assign Access >> Monitor as Time Passes & Things Change >> Review Access & Remediate

The Insider and Privilege Misuse section of the Verizon DBIR summarizes the discovery timeline (figure 38). Detection within days (34%) is good, but many took months (11%) or years (2%) to discover.

By applying Intelligence and Analytics, we can continually update and understand complexity, and then detect and act on things that we have been proactively looking for . . . increasing our speed and frequency. In addition, with all of the complex relationships analyzed and at hand, we’re free to slice, dice, drill down and apply forensics to identify the next/upcoming set of things to monitor . . . adding those into the category of complex items that we can:

Understand, and


Traditional approaches are an important part of providing security, speed, and value to the business . . . but we can do better. As CIOs and CISOs, we are in an arms race with the bad guys, and in some ways it’s an arms race to keep up with the complexity of the business’s environment. Through the application of Analytics and Intelligence along with other approaches, we can understand and manage complexity and act on it more quickly, mitigating breaches quickly, or even better reducing risk and avoiding some of them altogether.


SOX Reporting Headache? Take One ComplianceCourier and Get a Clear View Into ‘Who Has Access to What’


Brad Frost

The headache of Sarbanes-Oxley (SOX) reporting requirements is just about to get easier for Old Republic National Title Insurance Company, since the title insurer selected Courion ComplianceCourier™ for its access certification solution.

The public company, which has more than 4,000 employees, must comply with Sarbanes-Oxley (SOX) reporting requirements. And not unlike many companies we speak with, the IT department was finding the challenge of answering “who has access to what” was absorbing too much manpower and time. The manual data process of gathering user access information and compiling it into spreadsheets was also vulnerable to error.

With ComplianceCourier, Old Republic will be able to centralize and automate the access control process, reducing the risk of unauthorized access. What’s more, the access certification solution will allow the company to audit existing access by user, application, administrator, group, or workstation and meet SOX compliance requirements more easily. The efficiency of IT operations will be improved and as an added bonus, the active directory structure will be consolidated. To read more, click here.

Extending IAM into the Cloud


Your data is everywhere. And so are your applications. In the past, everything resided in the data center, but today they're stored in the cloud, by a partner (MSP), and even running on mobile devices.

Your customers, partners and employees are also everywhere. As a security professional, you need to ensure that the right people have access to the right data and are doing the right things with it. That's where Intelligent Identity Access Management comes in. But in the era of cloud-computing, who knows where the data physically resides? And with users and accounts spread around the globe, how can you ensure the data is being accessed by the right people, according to your policies? Again, that's where Intelligent Identity Access Management is crucial.

If your data were just centrally located and being accessed by individuals and devices that you manage, traditional IAM solutions would work well. But that's probably not the case. You have data in internal and outsourced systems. Some of the outsourced systems may be wholly controlled by your contracts, while others may be shared among thousands of other organizations. And that data is being accessed by employees, partners and customers from their homes, phones and tablets, on planes, trains and automobiles.

From a security perspective, it's imperative to provision, govern and monitor information access wherever that information resides and however it's being accessed, whether those are physically in your IT environment or in the cloud. So what are your options?

Options for Provisioning, Governance and Monitoring in the Cloud

Two obvious questions are "where's my IAM solution?" and "where's my data?" After all, both must reside somewhere and be secured. If we constrain the answers to those questions to "on premise" or "in the cloud", we have four options.

1. Host internally, manage internal applications

Traditional IAM solutions reside on IT managed hardware within an enterprise. They're typically located in a server room where they can be physically controlled by IT. They are configured to manage applications that also reside on servers physically controlled by IT. This is a largely closed system, with the administrative control and the application resources both co-located within IT. It makes security simpler, but in the era of cloud computing, is becoming increasingly rare.

2. Host internally, manage internal and cloud-based applications

As enterprise applications have migrated outside of the data center, the need to manage those applications has fallen to traditional IAM solutions. IAM vendors like Courion have evolved their suites to natively connect to cloud-based systems from an on premise administration point. Existing "connector libraries" have been extended to include connectors to cloud-based systems. These new connectors sit side-by-side with existing on premise connectors and reach out to cloud applications.

This evolution has been largely seamless, as the same architecture used for managing internal resources has been applied to external, cloud-based resources. The protocols change, like using SOAP over HTTP rather than files over SMB, or RESTful web services rather than SOAP, but the architecture and techniques survived.

3. Host in the cloud, manage internal and cloud-based applications

Just as enterprise applications are now hosted in the cloud, there is increasing interest in hosting security systems in the cloud. This enables enterprises to focus on their core competencies rather than security management and identity management, while at the same time optimizing CapEx for OpEx expenditures.

Early experiments are promising, with IAM solutions providing tunneling capabilities from cloud-based infrastructure. Tunneling can be through VPNs, reverse proxies or dedicated appliances. Over time, this will likely become the preferred deployment option.

4. Host in the cloud; manage cloud-based applications

If an enterprise has no data in house, then a pure cloud-based solution is ideal. Operating on Office 365 + SalesForce + ADP, a cloud-based IAM solution can effectively provision and govern cloud-based applications. This scenario eliminates the complexity and cost of network tunneling solutions since everything is natively in the cloud. Here, the protocols are rapidly standardizing on RESTful web services, with common token-based security and federation. However, like the all-internal scenario, all-cloud environments are rare.

Hybrid – the viable solution

Of these options, only two are typically feasible, since most organizations have some data on premise and some in the cloud. There are exceptions, like a startup which is native-cloud or in certain government situations, but in general, a hybrid solution is required. Choosing between the 2nd and 3rd option described above, whether you host your IAM solution in the cloud or host it internally, comes down to a deployment choice.

Courion has customers who are doing each. Most run our IAM solution on premise, while some use deployment in the cloud. For cloud deployments, most choose private cloud infrastructure, while some go for public infrastructure. But the predominant approach, even in 2014, is to deploy on premise. This is chiefly because most data still resides locally, so most applications reside locally, tilting the equation to an internally hosted IAM solution. As more enterprise applications migrate to the cloud, the decision to host the Courion suite in the cloud will likely shift.

Unlike enterprise data however, people have already shifted to the cloud. Mobile devices, from phones to tablets, are the norm. Most organizations provide secure access to critical systems on a 7x24 basis, to individuals located on premise and on the go. So parts of your IAM infrastructure must be either in the cloud, or on the edge (DMZ).

Again, Courion solutions are well suited for this shift. The most common security transaction, other than login, is the humble Password Reset. This must be accessible from anywhere and must be very reliable. It's required from the road, at night, on weekends and 2 minutes before the big sales presentation. Courion customers have hosted their password reset infrastructure in the DMZ for exactly this purpose. In addition, the Courion suite is tooled with a clean interface so customers, partners and employees are met with a consumer-grade experience, accessible on their laptop, tablet or phone.

As your data and apps move to the cloud, so do your identity repositories and access control models, as mentioned earlier. Your IAM solution can span both, but it's still advantageous to consolidate identities and provide a more seamless and simple sign on experience for customers, partners and employees. Enter Ping Identity, another cloud app that integrates with Courion solutions. Just as we expanded to cloud apps as they entered the business, a strong partnership allows for seamless integration with Ping to offer federation and SSO capabilities.

Single Sign On (SSO) impacts the decision of where to deploy an IAM solution. While IAM can provision, govern and monitor access applications in cloud-based and on premise environments, SSO systems provide seamless application login and access to the user community. By coupling the flexibility of Courion's industry leading IAM solution with the SSO and federation capabilities of Ping, organizations can manage access across all of their applications. Because both products leverage a common structure with Active Directory, the result is a great experience for the end user and a manageable system for IT.


As the computing world shifts to the cloud, with consumer-grade technology leading the enterprise, our customers, partners and employees expect great access to information. As security professionals, our job is to balance "great" access with "secure" access. We make choices every day in choosing the solutions we deploy and the infrastructure on which it resides. Courion is here to help.

What Makes Intelligent IAM Intelligent


Bill Glynn

In order to explain what makes Intelligent IAM Intelligent, we must first discuss why IAM needs to be intelligent.  Fundamentally, IAM is a resource allocation process that operates on the simple principle that people should only have access to the resources they need in order to do their job. So, basically, IAM is used to implement the Marxist philosophy, “to each according to need”. Therein lies one of the problems: without intelligence, IAM operations are inconsistent and can be easily corrupted; resulting in decreased efficiency of workers, increased risk to the corporation (more on that later) or both. The folks with the power have the ability to give some people (the privileged class, like their friends) more access than they need, while others (the exploited workers) may not have access to the resources they truly need, which leads to civil unrest and the potential collapse of corporate society as we know it.

However, given appropriate guidelines (rules) and sufficient information (knowledge), traditional IAM has evolved into an inherently intelligent process for managing resource allocation, such as Courion’s Intelligent IAM solution. On the front end, access requests are evaluated to see if they violate any business rules, such as, “If you aren’t in the Sales department, then you can’t have access to the company sales commission report.”

Such business rules, combined with knowledge about the access that recipients request and should receive, enable the access assignment process to be an intelligent activity, ensuring that people do or don’t get access to corporate resources as determined by their functional role or their operational needs. On the back end, the entire corporate environment is continuously monitored, looking for evidence of any business rule violations.

Today’s corporations are challenged by a complex, mobile and open society; problems don’t necessarily get introduced through the front door.  Therefore, it’s critical to have an intelligent IAM system like Courion’s to both prevent problems from being created and to maintain a watchful eye and take immediate action, such as automatic notifications or even automatically disabling access or accounts should issues be discovered.

As an example, Courion’s solution can easily distinguish between a company’s finance department server, which is obviously a far more sensitive resource than a Marketing department’s color printer – (unless you consider the price of replacement ink cartridges, and then it’s not so obvious.) Consequently, Courion’s Intelligent IAM solution, based upon a number of criteria, can determine who should and shouldn’t have access to such sensitive resources. This scenario alludes to a fundamental concept that guides the Courion solution: the concept of risk as it pertains to the corporation.  The system defines risk as a combination of likelihood, as in “OK, so what are the odds that will happen?”, and impact, as in, “So if it happens, how bad can it really be?” In general, a customer can configure the system to behave in accordance with their risk tolerance, which boils down to a basic question, “Just how lucky do you really feel?”

But it’s not just a pattern matching exercise based upon a bunch of If / Then conditions.  Courion’s Intelligent IAM solution not only knows which resources are more sensitive than others, but it also automatically adjusts its knowledge and its perspective over time.

As an analogy, a key isn’t necessarily an inherently sensitive resource. The risk associated with giving someone that key depends upon a variety of dynamic variables, such as who is going to get the key, what other keys may be behind the door that this key unlocks, how many other people also have a copy of this key, and exactly who are they?

So, while it may have seemed like a good idea to give Fred a key to the supply room, a week later we now know that all of Fred’s buddies also have a key to the supply room. More specifically, we know that Fred’s good friend Barney just got access to an additional key that unlocks the back door of the supply room. Consequently, the risk that the company’s expensive monogrammed tissue paper goes missing from the supply room has increased dramatically.

It’s this broad contextual view across a dynamically evolving environment, coupled with the knowledge of what is and isn’t an acceptable level of risk, and the ability to adapt its perspective to changing conditions that makes Courion’s Intelligent IAM solution such a valuable tool for ensuring appropriate access to corporate resources, such as prized paper goods.

However, perhaps one of the more subtle benefits provided by Courion’s Intelligent IAM solution is that it takes the burden off of the IT folks who no longer have to justify to angry users why their request was denied.  It now becomes a much easier conversation:

“I’m sorry. I like you, and I feel your pain. I want to give you access to the Executive rest room, but I just don’t have that kind of power. You see, we use Courion’s Intelligent IAM solution and it can distinguish between what you want and what you need. So, it knows that you want access to the executive rest room, but it also knows that you don’t really need access to the executive rest room. It’s not like the old days when I might be persuaded to give you what you want. Even if I could give you such access, the Courion solution is always watching and it’s configured to notify the entire executive team of rule violations, and not only that, it will automatically take away your access.  It will simply lock the door. Therefore, continuing to try to open the door might be embarrassing, even for you. Why don’t you just use that nice restroom down the hall like the rest of us and then go back to your desk and listen to some music; I suggest a tune from The Rolling Stones – “You can't always get what you want, but if you try sometimes, you just might find, you get what you need.”

When the Lines Separating Employees, Contractors and Customers Blur


Nick Berents

I recently met with a Courion customer, one of the largest accountable care organizations in the US. This customer is based outside of Orlando, Florida, so naturally the topic of Disney came up. Over the past year Disney has figured out a way to use technology to distribute guests more evenly throughout the parks via their "Fastpass+" system. The end result is higher customer satisfaction by reducing wait times and increased revenue because now – you guessed it – vacationers can spend more time in the gift shops and restaurants.

Disney is able to accomplish this by setting up profiles that track your ride preferences in addition to your purchases. Vacationers can go through Disney's website portal, which is personalized based on their preferences, to make ride selections, dining reservations, and plans with others who also have profiles on the portal.

This was a massive investment and IT project for Disney. Naturally, it got me wondering, do they segregate this portal from their corporate networks? Are their employees also customers, and do they co-mingle their profiles? What about contractors they hire? Do they have access to the networks and are they constantly being monitored? Do they set up profiles on the portal as well? Remember that the Target data breach came about as a result of third party HVAC vendor’s access being compromised.

I then asked the Courion customer what he looks for in an identity and access intelligence system like Access Insight®. This is when the conversation got serious. He made it clear where Access Insight fits in.

"What if someone has what appears to be a safe access, but they happen to be an expert programmer? Once they're in your system they may start to make some movement that would cause your security people to ask questions like, 'Why has a person who should only have certain access suddenly be asking for access here, here, and here?' Those are the types of movements that really are suspicious and in some of the security breaches we've read about, only after the fact they say, 'Oh wow, if we had seen how somebody started to move along the access chain quickly at two in the morning, we would've been able to call this out.'"

"That's what Access Insight does. It alerts that there is movement that should not be, and we have a team on call 24 x 7 to monitor for alerts like that. It helps us understand if the movement is a natural course of action or a natural workflow. Or is this something that we need to wake some people up right now and stop and then investigate in the morning? Access Insight affords us the opportunity to see that."

He also acknowledged that most companies have very intricate infrastructure systems, and their IT departments are very well-schooled in protecting their environment. They receive penetration challenges every single day and they swat them back quickly. But what differentiates Access Insight is that it sees someone who has been given permission to come in under the guise of a role that fits the job profile, but who suddenly starts traversing the network because they have an extra skill or access that you don't know about. Access Insight keeps monitoring the people with permissions, so that any activity outside the normal parameters you would expect to see sends an alert for your security team to stop, investigate, and take action if necessary.

This is something all organizations, from our Orlando-based customer to Disney, need to consider as the news of insider threats continues to rise. Knowing how sensitive company information is being accessed, at what time and for what purpose is also key. Having this insight will ensure that insiders, nefarious or naïve, don't get a data breach fast pass.

Gartner Predicts

Last week Gartner held its 20th annual Security and Risk Management Summit in National Harbor, MD. Leading into GartnerSEC each year, the analysts have shared their key IT security trends and predictions which have been formalized as a series of "Gartner Predicts" statements. As you can guess, there has been a lot of change in these over the past 20 years. And, while there was more discussed than can reasonably be covered in this blog post, there was enough for me to say that by 2014 Kurt will have a 70% chance of writing a blog covering 30% of them. So here goes.

John Girard kicked things off with the opening keynote, saying, "Digital business will impact your professional life more than the emergence of the Internet." Bold statement; but I think he's right. He described the new business models arising from the blurring of digital and physical worlds and cited Lyft, Uber, Bitcoin and the Internet of Things (IoT) as a few examples. With more connected products, comes more connected risk. This led to the first Gartner Predicts unveiling which said, "By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk." Ouch! There was further discussion that the majority of security organizations are reactive and that more CISOs are focused on the events of today and the past while CEOs are looking to the events of tomorrow. This is a major cultural disconnect between business and security.

Gartner discussed this notion of digital risk management through the eyes of the CISO, CIO and CEO, but they didn’t stop there. There is a lot going on in digital business across multiple technology silos including traditional IT, OT (operational technology like SCADA), physical security (e.g. controls around driverless cars) and the Internet of Things. As a result, Paul Proctor called out the need for a new role - the Digital Risk Officer. Gartner Predicts that, "By 2017, 1/3 of large enterprise engaging in digital business will have a Digital Risk Officer or equivalent." This is not a new name for the CISO. Digital Risk Officers will manage the risk implications of digital innovation especially around how it changes the risk appetite for key business stakeholders. This is all about "smart risk" balancing security and business opportunity.

Throughout the conference Gartner mentioned many IT security technology trends. Some of these, I think, are especially relevant to this theme of smart risk, which closely mirrors Courion’s discussion of intelligent IAM. One trend is around the need for big data security analytics. This is nothing new, as we've heard a lot about the need for broad continuous security monitoring. I would remind everyone that this goes beyond machine data and MUST incorporate identity and access data analytics. Big data is about the 3Vs: volume, velocity, and variety. All of the identities, policies, resources, access rights and entitlements, and user activity certainly meet this requirement.

Gartner also talked about the need for intelligent, context-aware security analytics. This was called out in another Gartner Predicts stating, "By 2020, 40% of enterprises will have a 'security data warehouse'." This security data warehouse must store and analyze data and incorporate context to assist in determining what is “normal” and identify variances from the norm. I argue that identity and access analytics are key components to this warehouse and an absolute must in any discussion of true context.

Furthering this point, Gartner called out the IT security trend of adaptive access, which is about context-aware access control that balances trust and risk. It stresses that access decisions must reflect the specific conditions around each access. This not only helps to prevent threats but also allows access that might previously have been blocked - access from a widening variety of devices and from social IDs accessing corporate assets in a way that understands the risk profile and applies access controls accordingly. This is about balancing the need for access with the risk.

I found these predictions and trends rather interesting given all that Courion has been discussing around the notion of intelligent IAM. There are many parallels where we have talked about how access is critical to the business. John Girard is right in that digital business could impact our professional lives in ways we have never seen before. But, digital innovation means nothing if the business is blocked from appropriate access. This must be balanced with the risk of providing access to so many users and devices, not only to ensure it meets regulatory requirements, but that it effectively assesses and manages the inherent vulnerabilities. This clearly forces us to change our thinking from traditional IAM of provisioning, authentication and periodic certification review to one that adds a thorough understanding of what is happening on a continuous basis with user (and device) access and what is going on with that access. This can’t wait for the annual certification review, now can it?

Paul Proctor discussed the fact that for years we've fallen into the trap of believing more funding and smarter people are the keys behind better security. It's more than that. It's about changing the culture from one of chasing compliance and reacting to every threat that occurred yesterday to taking a proactive approach to balance business and risk. Context is key. Identity and access are critical parts of that puzzle that cannot be overlooked. There are challenges ahead, and the emergence of true Digital Risk Officers aside, we need a smarter approach that is proactive rather than reactive.
