Posted by Bob Craig - Dir Prod Marketing on Thu, Feb 04, 2010
This week Dave Kearns wrote a column, User provisioning: right access to the right people, where he outlined some of the key benefits of provisioning, namely: improving productivity and reducing risk. Dave makes the point that productivity is improved by providing new employees with Day One access to various IT resources (email, laptop, enterprise applications, databases, etc.), while risk is reduced by reconfiguring or removing access rights when an employee changes roles or leaves the company.
Dave is absolutely right regarding these benefits, but there are a few other benefits he didn't discuss that are worth pointing out in more detail.
One benefit which we hear regularly from our customers is that automated provisioning significantly reduces the time and effort required to manage user access rights. The result is that they are able to drastically reduce the number of staff dedicated to the provisioning process. In one instance, a $2 billion provider of senior living services was able to reduce headcount from 5 FTEs to 0.5 FTEs, saving hundreds of thousands of dollars annually. In another, a large regional bank was able to double their provisioning coverage from 100 to more than 210 applications and justified the investment to their management through reduced headcount (see Creating Budget Where None Exists).
Another key benefit is in access compliance. Whether your company needs to comply with internal policies, audit findings, or industry and government regulations, you need to ensure that user access rights are being managed appropriately. While provisioning isn't required to be compliant, one of the benefits you can achieve is assuring that users are initially only granted access rights that are needed to do their jobs. This preventative control lowers risk, reduces the potential that you may fail a security audit, and helps streamline the access certification process.
Posted by Bob Craig - Dir Prod Marketing on Fri, Jan 08, 2010
The industry analyst landscape has been going through some major changes lately. In the latest development, Gartner has acquired Burton Group shortly after snapping up AMR Research in December.
As a leader in the identity and access management (IAM) market, Courion has had positive, fruitful relationships with the IAM analysts at both firms. We have a great deal of respect for the breadth of knowledge and customer service focus demonstrated by both groups of analysts and are proud of Courion's market leadership positioning in the Gartner Magic Quadrant for Provisioning and Burton's Market InSight user provisioning report.
Burton provided a valuable, independent perspective which we, many of our customers (and, yes, even our competitors), relied on for an alternative point of view. They have long had a reputation for a high level of technical expertise, while Gartner has generally placed more emphasis on the strategic business impact of IAM. While we will miss the opportunity to compare and contrast Burton's free-wheeling, technological approach with Gartner's corporate viewpoint, the combination of these points of view has the potential to significantly strengthen Gartner's IAM and other security capabilities.
We think both outlooks have a place in the market and hope that Gartner employs a "big tent" strategy that accommodates diverse points of view. Knowing the Gartner team as we do, we are optimistic they will work hard to make the Burton analysts feel welcome. It would be unfortunate if some of the exceptional, creative Burton analysts felt that their perspective wasn't appreciated at Gartner.
However this event turns out, we wish our colleagues in both organizations well and look forward to continuing to work with them in the future.
Posted by Bob Craig - Dir Prod Marketing on Thu, Dec 17, 2009
Recently, industry analyst Martin Kuppinger of Kuppinger-Cole posted an article, "CapEx and OpEx - the latest thing in IT buzzwords: On the economics of Cloud Computings," in which he discusses CIOs' interest in new IAM offerings that allow them to avoid capital expenditures. In particular, Kuppinger points out that, "Cloud Computing offers a way of reducing capital expenditure for IT by getting out of costly leasing agreements or classic licensing contracts and switching to rental models while achieving as much security and flexibility as possible."
However, Kuppinger also warns that, "...customers would be best advised to ask critical questions. Simply reducing CapEx doesn't always make the biggest business sense," to which we say, "Amen!" Just this past week, we blogged on the Ramifications of Cloud Computing, in which we discussed some of the critical questions customers need to consider before adopting a cloud-based solution. While there are significant benefits to moving enterprise applications or identity management to a cloud platform, there are also risk and trust issues that you need to consider and work out with your cloud provider before there's a data breach, not after.
However, cloud computing is all about reducing, but not eliminating, the impact of IAM (and other applications) on your budgets. Wouldn't it be better to improve risk management and security without affecting your budget at all? For more on that, read the blog Creating Budget Where None Exists by Chris Zannetos, which discusses how a Courion customer "...automated access compliance and attestation and automated provisioning for over 100 applications - without spending a single budget dollar."
Posted by Bob Craig - Dir Prod Marketing on Mon, Dec 14, 2009
In my previous posting on Cloud Computing, I discussed some of the identity and access management (IAM) issues that arise from moving enterprise applications, particularly those containing sensitive data, to a cloud-based platform.
Now, I'd like to turn my attention to some of the same issues that come out of the emerging identity as a service (IaaS) trend, which entails delivering IAM services (user account provisioning, password management, single sign-on, access certification, etc.) using a cloud architecture.
Just as with any other application containing sensitive data, managing user identities via IaaS raises important risk and trust issues. By allowing an external service provider to manage your users' identities, you're essentially handing them the keys to the kingdom. You need to ensure that those keys will be kept safe and secure and that you will have complete and transparent control over the management of identities, in a way that is consistent with your acceptable level of risk.
You should also consider the ramifications if the service provider requires in-bound access to your data center in order to provision user accounts and access rights for internal applications. How will you monitor this activity and protect your internal systems from unauthorized external access?
And, just as with any other sensitive application, you need to know who at the service provider (i.e., system and database administrators) will have access to your users' identities, and what they will be able to do with them. Will user IDs and passwords be stored securely and encrypted? How will backup and recovery be handled? Are all identity transactions captured in a secure audit database? Who is responsible for making sure only authorized users can obtain or change identities?
As part of your contractual negotiations, you need to define processes and procedures to protect you legally and financially. If there is a breach of your users' identities, who will be responsible and how will the costs be covered? Will you have access to the environment to perform the necessary forensics to determine the cause of the breach, or will you have to rely solely on the service provider?
These are some of the questions that should be addressed as part of using IaaS to deliver your Access Assurance solution, and we recommend you work with your service provider to make sure you clearly define how the processes of managing your users' identities will work.
Posted by Bob Craig - Dir Prod Marketing on Tue, Dec 08, 2009
Cloud computing is hot and enterprises (and many of their software suppliers) are moving enterprise applications to the cloud. Why? Because cloud computing offers some attractive advantages. The economics can be very appealing, since by moving applications to a cloud provider, companies can reduce capital expenditures and pay for resources as they consume them. Because cloud applications typically run on a shared platform, cloud providers are able to deliver services at a lower cost. And cloud applications deliver greater flexibility, since virtualization technology allows cloud providers to dynamically expand or reduce resources to meet fluctuating business needs, which is particularly appreciated by companies with seasonal spikes in utilization (such as retail during the holiday season).
At Courion, our concern is with how cloud computing affects your Access Assurance strategy. First we'll consider the identity and access management (IAM) ramifications of moving internal applications to an external cloud-based platform.
As we noted in a posting last April, (Bringing Clarity to the Cloud (Manifesto)), when you outsource crucial applications to an external provider (regardless of whether it's cloud-based or not) one factor you need to consider is how you'll manage the identities of users who require access to those systems, whether through provisioning, role management, access certification or password management. The good news is that the process of providing users with secure access to cloud applications is conceptually the same as with a traditional, in-house architecture. If you have an IAM infrastructure for managing users' identities, it should be able to do the same for a cloud, or any other web-based, application. You'll want assurance that you'll have the ability to automatically modify access rights when the user's role changes or revoke accounts when they leave the organization.
You should also weigh the risk associated with the data that you're moving to the cloud. Even though it's still your data, you're inevitably giving up some element of control over how that data is protected. You need to make sure that you can analyze the balance between risk and reward and evaluate the potential risk to your organization if there is a data breach in the cloud application.
For example, cloud service providers rely on their system administrators, just as you do in your own data center. Who will be the system administrators for the cloud application and what steps will be taken to prevent them, or other internal users, from unauthorized access to your sensitive data? If there is a breach, what kinds of forensic tools will be available to help you determine what happened?
Do you even know where the data will reside? Is there a possibility that the cloud provider might move your data to locations beyond your country's borders to, for example, save costs? If that's the case, make sure you understand the legal ramifications that arise when personal or private information (such as patient healthcare or customer financial data) crosses international boundaries.
Bottom line: trusting your sensitive data to a cloud provider raises a mix of interesting questions, so make sure you consider them as part of your overall IAM and security policies and procedures. Sign up for our webinar on "Access Assurance in the Cloud" to learn more.
Posted by Bob Craig - Dir Prod Marketing on Thu, Jul 23, 2009
Recently the U.S. General Accounting Office (GAO) sent a very disturbing report to Congress concerning Federal agencies' compliance with the Federal Information Security Management Act (FISMA). To quote from the report:
"Significant weaknesses in information security policies and practices threaten the confidentiality, integrity, and availability of critical information and information systems used to support the operations, assets, and personnel of most federal agencies. These persistent weaknesses expose sensitive data to significant risk, as illustrated by recent incidents at various agencies. Further, our work and reviews by inspectors general note significant information security control deficiencies that place a broad array of federal operations and assets at risk."
Some of the areas of deficiency include:
- Access Controls: "At least 23 major federal agencies had access control weaknesses during fiscal year 2008. ...agencies did not consistently identify and authenticate users to prevent unauthorized access; enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; log, audit, and monitor security-relevant events..."
- Accounts and password management: "...certain agencies did not adequately enforce strong password settings, increasing the likelihood that accounts could be compromised and used by unauthorized individuals to gain access to sensitive information, ... [did not] enforce periodic changing of passwords or use of one-time passwords or passcodes, and transmitted or stored passwords in clear text."
- Segregation of Duties: "At least 14 agencies did not appropriately segregate information technology duties..."
- Policy weaknesses: "Thirteen agencies had weaknesses in their information security policies and procedures..."
As a result, the number of reported incidents has risen dramatically over the past 3 years, increasing from 5,503 incidents reported in fiscal year 2006 to 16,843 incidents in fiscal year 2008 (slightly more than 200 percent). Some of the findings reported by the GAO include:
- Dept. of Transportation: audit staff gained unauthorized access to ... sensitive personally identifiable information.
- FAA: employee personal identity information ... stolen electronically
- Office of Personnel and Management: USAJOBS database illegally accessed and contact and account data taken
- Federal Emergency Management Administration: a spreadsheet with data that included applicant names, social security numbers, addresses, telephone numbers, e-mail addresses, and other information on disaster applicants was posted to the Internet
- Securities and Exchange Commission: has not always consistently enforced strong controls for identifying and authenticating users [or] sufficiently restricted user access to systems.
The 66-page report continues with a litany of additional planning, testing, training, certification and monitoring failures.
The Federal Government must get serious about adopting an Access Assurance strategy that will ensure that sensitive data, including personally identifiable data, is kept safe and secure from unauthorized access. This includes:
- Implementing robust password management processes and procedures
- Deploying authorization controls to eliminate violations of the principle of least privilege
- Better managing access rights to critical systems, such as terminating accounts associated with employees and/or contractors who are no longer employed by the government
- Defining and enforcing segregation-of-duties and other policies designed to reduce or eliminate fraud and waste
- Configuring activity tracking systems to monitor users' activities
- Testing and installing software patches on a timely basis to protect against known vulnerabilities
Posted by Bob Craig - Dir Prod Marketing on Tue, Jun 02, 2009
It is being reported that yet another utility company has been attacked by a disgruntled ex-employee using a zombie account. This time, the victim was Energy Future Holdings, a large privately-held energy company in Texas. After being fired and escorted off the premises, a former employee apparently used his still-active account to gain access to the corporate VPN, where he emailed proprietary data to a personal email account on Yahoo! and modified or deleted various files in the corporate network, which caused an estimated $26K in damages related to lost business.
As we saw last month in the case of the California Water Service Company in San Jose, enterprise networks can be extremely vulnerable to attack by zombie accounts as layoffs - and tempers - mount. Security professionals need to be extremely diligent about the state of their Access Assurance strategies to make sure they are turning off access for former employees immediately upon termination. Leaving even a short time gap between notice of termination and closing accounts creates vulnerabilities. For example, earlier this year the Ponemon Institute reported that 59 percent of terminated employees admitted to stealing confidential company information. Implementing an automatic de-provisioning process is the only way to confidently avoid glaring lapses in security when your company's data stores are vulnerable to attack.
Posted by Bob Craig - Dir Prod Marketing on Mon, May 18, 2009
According to articles in the Mercury News and SC magazine, ex-employee Abdirahman Ismail Abdi used a zombie account to log on to a computer system at the California Water Service Company (CWSC) in San Jose the evening of April 27 after hours and successfully transferred $9 million to offshore bank accounts in Qatar.
Here is what we know, so far:
- Abdi is not a U.S. citizen and was ordered deported to Somalia in 2005.
- He was an internal auditor with the California Water Service Company and resigned earlier the same day.
- He was able to enter the building after hours, where the only person who spotted him was a janitor.
- He was able to physically access and log onto a sensitive financial system.
- His credentials enabled him to transfer $9 million out of the country without raising any alarms.
The money was retrieved and he is being sought by the FBI, which has charged him with unlawful flight from prosecution. This incident raises a number of troubling questions for the folks at the CWSC:
- Why was an illegal alien given privileged access to sensitive financial data?
- Why wasn't his computer account immediately disabled or revoked when he resigned?
- How was he able to gain access to the building after hours? Did he still have a key or passcard that provided him entry?
- Logging onto a sensitive system and initiating a multi-million dollar wire transfer after hours is suspicious. Why didn't the system detect and block this type of suspicious activity?
- How is it that a single individual can transfer millions of dollars electronically without requiring additional authorization?
Without further revelations, it's unlikely we'll learn the answers to all these questions, but you should probably be asking, "Could the same thing happen to my company?"
Posted by Bob Craig - Dir Prod Marketing on Fri, May 08, 2009
In an article "Changing times for identity management" published by Information Security magazine, Burton analyst Mark Diodati makes some interesting and useful observations about the current and future state of the identity and access management (IAM) market.
Diodati makes a great point of the need to do a thorough evaluation of any IAM solution you're planning to deploy, including a recommendation to "...install the identity management products in your development environment, and test them against your existing applications..." Our experience is that customers find it's well worth the time and effort to do a rigorous proof of concept to clearly understand the features, ease of implementation, and long term support requirements of each solution within their IT ecosystem.
Courion's Access Assurance vision focuses on "ensure only the right people have the right access to the right resources and are doing the right things", so we were interested to see Diodati call out security information management - SIM (sometimes referred to as security incident event management - SIEM) as an important, fast growing segment of the IAM market.
Integration between IAM and SIM technology addresses the need to make sure that users are "doing the right things." However, SIM tools are notorious for generating lots of false positive alerts - alerts that turn out not to be a problem. Since the real issue is sensitive data at risk of exposure, Courion believes that integrating data loss prevention (DLP) technology into an identity architecture, along with IAM and SIM, adds even greater synergy.
DLP tells you when and where sensitive data is vulnerable, SIM tells you which user accounts have accessed the data, and IAM adds the business context of who the user is, what department they work for, what other access entitlements they hold, etc. The combination of identity, SIM and DLP makes it easier for security administrators and IT managers to focus their remediation efforts on those situations that represent the highest level of risk to the enterprise.
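To make the IAM + SIM + DLP combination concrete, and to show how the zombie-account activity described in the Energy Future Holdings and California Water Service posts above would surface, here is an added example (not Courion's code and not from any of these posts) that joins constructed SIM-style access events with IAM account status and DLP resource findings and scores each event so that a terminated account touching sensitive data after hours ranks first. The business-hours window, the weights, the account names and the resource paths are all assumptions.

```python
from datetime import datetime, time

# Constructed sample data; none of it comes from the original posts.
# IAM context: department and lifecycle status of each account.
IDENTITIES = {
    "jdoe": {"dept": "Finance", "status": "active", "terminated_at": None},
    "rsmith": {"dept": "Engineering", "status": "terminated",
               "terminated_at": datetime(2009, 6, 1, 10, 0)},
}
# DLP findings: resources known to hold sensitive data, with a severity.
DLP_SENSITIVE = {"fileshare://fin01/wire-transfers": "high",
                 "fileshare://eng02/designs": "medium"}
# SIM/SIEM-style access events: (timestamp, account, channel, resource, action)
EVENTS = [
    (datetime(2009, 6, 1, 9, 30), "rsmith", "vpn", "fileshare://eng02/designs", "read"),
    (datetime(2009, 6, 1, 22, 15), "rsmith", "vpn", "fileshare://eng02/designs", "email-out"),
    (datetime(2009, 6, 2, 14, 0), "jdoe", "lan", "fileshare://fin01/wire-transfers", "transfer"),
    (datetime(2009, 6, 2, 23, 5), "jdoe", "lan", "fileshare://fin01/wire-transfers", "transfer"),
]

# Assumed business-hours window and scoring weights (tune per organization).
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
DLP_WEIGHT = {"high": 3, "medium": 2, "low": 1}
EXFIL_ACTIONS = {"email-out", "transfer", "copy-out"}


def is_after_hours(ts):
    """True when the event falls outside the assumed business-hours window."""
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def correlate(events, identities, dlp):
    """Score each access event using IAM status, DLP sensitivity and timing.

    Returns findings sorted by descending risk score, each carrying the
    reasons that contributed so an analyst can see why it ranked where it did.
    """
    findings = []
    for ts, account, channel, resource, action in events:
        score, reasons = 0, []
        ident = identities.get(account)
        if ident is None:
            score += 3
            reasons.append("account unknown to IAM (orphan)")
        elif ident["status"] == "terminated" and ident["terminated_at"] and ts >= ident["terminated_at"]:
            score += 5
            reasons.append("zombie account: activity after termination")
        severity = dlp.get(resource)
        if severity:
            score += DLP_WEIGHT[severity]
            reasons.append(f"DLP-flagged resource ({severity})")
            if action in EXFIL_ACTIONS:
                score += 2
                reasons.append(f"outbound action on sensitive data ({action})")
        if is_after_hours(ts):
            score += 1
            reasons.append("after-hours activity")
        if score:
            findings.append({"when": ts, "account": account, "channel": channel,
                             "dept": ident["dept"] if ident else None,
                             "resource": resource, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in correlate(EVENTS, IDENTITIES, DLP_SENSITIVE):
        print(f["score"], f["when"], f["account"], f["dept"], "; ".join(f["reasons"]))
```

The same read of the same share by the same account scores 2 before termination and 10 after it, which is the difference the IAM context makes to a SIM alert that would otherwise look identical.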
Posted by Bob Craig - Dir Prod Marketing on Wed, Apr 22, 2009
Following the recent announcement of Oracle's Sun acquisition, Ashraf Motiwala has a good post in his blog describing how Sun convinced a client that a "boutique vendor" was risky as it was more likely to fail or be acquired. Now that client is worried about what's going to happen to their investment, "because of the heavy overlap between the Sun and Oracle product lines".