Posted by Kurt Johnson - VP Strategy on Wed, Feb 24, 2010
Okay, before I dive in, a bit of a mea culpa here. I know and understand that part of the responsibilities of authoring a blog is frequency. Woops. Given my last entry was back in October, and that was the first since May, I'm not sure I'm really doing too well here. Is the end of February still an opportunity for a New Year's Resolution? Well, the journey back starts with a first step, right? So, why not start with a late February, 2010 entry about a court ruling filed back in September, 2009?
To be fair, it's not like I scan US Court of Appeals findings on a regular basis, and the following story didn't make front page headlines. But at a recent CSO Breakfast Club meeting this case was brought up, and it inspired me to take a deeper look. It was interesting reading.
Seems LVRC Holdings (which operates a residential treatment center for addicted persons in Nevada) filed a lawsuit against a former employee Christopher Brekka. LVRC alleged that Brekka violated the Computer Fraud and Abuse Act (CFAA) by accessing LVRC's computer "without authorization" both while Brekka was employed at LVRC and after he left the company.
LVRC alleged that Brekka exceeded authorized access by emailing sensitive documents from his work computer to a personal computer as well as accessing accounts without authorization after he left the company. Amongst other accusations, LVRC alleged that Brekka, who left the company in September, 2003, accessed critical resources by using an account cbrekka@fountainridge.com which was discovered in November, 2004, more than a year after Brekka left. It was at this point that the account was disabled.
What makes this interesting is the Court ruling. The US Court of Appeals ruled in favor of Brekka. In their ruling they state that "authorization" is defined in the dictionary as "permission or power granted by an authority." Based on this definition, an employer gives an employee "authorization" to access a company computer when the employer gives the employee permission to use it, which LVRC did for Brekka. The Court further ruled that, "It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or 'without authorization'." Additionally it states, "If the employer has not rescinded the defendant's right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA."
What does all this legal stuff mean? Basically, because LVRC did not disable Brekka's access when he left the company, the Court states that Brekka's continued use of that access did not constitute a criminal or illegal action. Because the access was originally granted, an account that remains active essentially grants a former employee the ability to keep using it, since in the Court's opinion that user "would have no reason to know" that using the account was a violation.
This seemingly obscure ruling has major ramifications for organizations around managing Zombie accounts (accounts that stay active for users who are no longer with the organization). Given the highly sensitive information that various accounts grant access to, it is imperative that these accounts be disabled immediately when someone leaves the organization. In the Brekka case the account in question was an administrative account that seemingly offered significant access privileges. Without prompt disablement, an organization may have no recourse in pursuing legal action against former employees who misuse such access rights and the data they reach.
There are easy ways to address this. An ongoing access certification by business managers would have identified the fact that Brekka's account was still active after he left the organization. Automating the account disablement process ensures that accounts are turned off immediately when an employee is terminated or leaves the organization. Because LVRC did not institute such practices, a critical account was allowed to stay open: even though the former employee was alleged to be misusing these privileges, the company neither followed its own policies nor detected violations of them, and the account was left active. As the Court states, once the account was left active, its use was not considered unauthorized access just because the employee was no longer with the firm.
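The two controls described above, an access certification that compares accounts against HR status and an automated disablement step, are straightforward to express in code. The following is an added example written for this post and is not Courion product code; the HR feed, the account inventory, the account names and the "as of" date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Dict, Any

@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                     # "active" or "terminated" (HR system of record)
    terminated_on: Optional[date]   # set only when status == "terminated"

@dataclass(frozen=True)
class Account:
    name: str
    owner_id: Optional[str]         # employee id this account belongs to, None if unknown
    enabled: bool
    privileged: bool                # administrative rights, e.g. domain or app admin

# Constructed sample data: an HR feed and an account inventory as a certification
# job would pull them from the HR system and from directories/applications.
HR_FEED: List[Employee] = [
    Employee("E100", "active", None),
    Employee("E200", "terminated", date(2003, 9, 15)),
    Employee("E300", "terminated", date(2004, 10, 1)),
]
ACCOUNTS: List[Account] = [
    Account("alice", "E100", enabled=True, privileged=False),
    Account("jdoe-admin", "E200", enabled=True, privileged=True),   # left, still enabled
    Account("carol", "E300", enabled=False, privileged=False),      # left, already disabled
    Account("svc-backup", None, enabled=True, privileged=True),     # nobody owns it
]
AS_OF = date(2004, 11, 1)   # constructed review date

def find_zombie_accounts(accounts: List[Account], hr_feed: List[Employee],
                         as_of: date) -> List[Dict[str, Any]]:
    """Return enabled accounts whose owner has left (zombie) or is unknown (orphan).

    Findings are ordered so that privileged accounts and the longest-open
    accounts come first, which is the order a reviewer should work through.
    """
    by_id = {e.employee_id: e for e in hr_feed}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                                  # already disabled, nothing to do
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append({"account": acct.name, "reason": "orphan",
                             "days_open": None, "privileged": acct.privileged})
        elif owner.status == "terminated":
            days_open = (as_of - owner.terminated_on).days
            findings.append({"account": acct.name, "reason": "owner terminated",
                             "days_open": days_open, "privileged": acct.privileged})
    findings.sort(key=lambda f: (f["privileged"], f["days_open"] or 0), reverse=True)
    return findings

def disable_actions(findings: List[Dict[str, Any]]) -> List[str]:
    """Turn findings into the remediation queue an automated disablement step would run.

    Orphans are routed to a human because nobody in HR can attest to them;
    accounts of terminated owners are disabled directly.
    """
    actions = []
    for f in findings:
        if f["reason"] == "orphan":
            actions.append(f"ASSIGN_OWNER_OR_DISABLE {f['account']}")
        else:
            actions.append(f"DISABLE {f['account']}")
    return actions

if __name__ == "__main__":
    for f in find_zombie_accounts(ACCOUNTS, HR_FEED, AS_OF):
        print(f)
    print(disable_actions(find_zombie_accounts(ACCOUNTS, HR_FEED, AS_OF)))
```

Run daily against the real HR feed, this reduces the window between a termination and the disablement to hours; the orphan branch matters because accounts with no HR owner are the ones a business-manager certification most often misses.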
It doesn't make sense to have a policy if you're not following it. A lax access assurance strategy inevitably can lead to trouble, and may even limit what legal recourse a firm can take.
Posted by Kurt Johnson - VP Strategy on Mon, Oct 19, 2009
Last week a former Ford product engineer (from 1997-2007) was arrested at O'Hare airport and charged with stealing 4,000 sensitive design documents worth millions of dollars. According to reports, Xiang Dong Yu, 47, of Beijing, was charged in a five-count indictment with theft of trade secrets, attempted theft of trade secrets and unauthorized access to a protected computer. Apparently he stole this data back in 2006 before he left the company and has been using it to try to gain employment with other rival manufacturers in China.
As we continue to see these instances of data theft in the news, companies need to be laser focused on implementing strong Access Assurance strategies that ensure that the right people have the right access to the right resources and are doing the right things. When an employee leaves a company or changes roles, access policies need to be enforced immediately to prevent these types of breaches, especially in organizations where proprietary data is the stock-in-trade. A complete Access Assurance solution, including detective and preventative controls, helps alert IT managers to inappropriate access to sensitive data so they are able to remediate potential risk.
We talked last week about the evidence of a growing IAM market, as organizations are clearly working to address these challenges. But IAM is moving beyond traditional boundaries in organizations and needs to encompass elements of preventative and detective controls by reaching out to various monitoring technologies to assure that information gets into the right context to drive remediation.
Posted by Kurt Johnson - VP Strategy on Thu, May 21, 2009
On the heels of our 7th annual CONVERGE conference, Sam Curry, VP of product management at RSA, posted some reactions on his "Speaking of Security" blog.
Sam and I had the pleasure of presenting a session together that explored the possibilities of a comprehensive access and compliance management strategy. The presentation explored the various complexities organizations are dealing with for a comprehensive security and compliance strategy. This includes information sprawl, identity sprawl, and infrastructure sprawl in light of increased threats and increased regulation. The reality is many security organizations have addressed this from a reactive perspective, resulting in numerous point products focused on individual points of control.
What's needed is a proactive strategic approach that addresses this from a holistic view represented by a security system or ecosystem. That is the only way to get ahead of these issues and properly balance the people, process, and product requirements. In the post, Sam pulls out the top line summary of the zero sum game that's played between security and performance concerns. By adopting a true security system approach, an organization can ensure higher security doesn't come at the expense of decreased efficiency and business performance. Courion's product suite is designed around this concept, recognizing the critical importance of linking to other parts of that ecosystem, and this is at the core of our partnering strategy.
I, for one, appreciated Sam's participation to communicate the aspects of this joint strategy. I appreciate our other partners and customers who participated, and was thrilled to see so many of them coming away with fresh ideas and actionable advice to further their IAM strategies. As Sam pointed out, organizations can be very successful with IAM. This success is measured in business value. When you can achieve this, you make them the happy people Sam encountered while at CONVERGE.
Posted by Kurt Johnson - VP Strategy on Thu, Apr 30, 2009
It's no mystery that cloud computing is the current hot topic in the industry. Whether it's the next major "paradigm shift" (I shudder at the mere use of the term) or it's merely enjoying its 15 minutes of fame, it clearly has industry buzz. Cloud computing security is riding this wave as well, with much discussion, focus, and vendor marketing aimed at the subject at the most recent RSA Security Conference in California last week.
In good timing, the Cloud Security Alliance recently published its initial report, "Security Guidance for Critical Areas of Focus in Cloud Computing". I agree with the alliance's belief that cloud computing represents an important trend that has the potential for major change in business with its increased adoption. I think the alliance is spot on that the basic tenets of security (good governance, managing risks, and common sense) do not change. But it's paramount that security professionals get ahead of the curve to address the security issues as the business adopts cloud computing.
The mission of the Cloud Security Alliance is to provide best practices to secure cloud computing. Its initial report makes great strides by outlining areas of concern and guidance for organizations adopting cloud computing. Key areas identified include governance, audit and compliance, and Identity and Access Management (IAM).
While we are encouraged to see IAM addressed in this initial report, the primary focus is on the need for a robust federated identity management architecture, with its insistence on standards such as SAML, WS-Federation, and Liberty ID-FF, and on authentication. The governance and audit sections also highlight important best practices. While we wholeheartedly agree that these are important tenets, it's also important to address other key areas of IAM focused on identity administration and audit, and on instilling a strong Access Assurance framework.
The complexities of ensuring that the right users have the right access to the right resources and are doing the right things with them are increased with cloud computing. Just as the alliance states, strong security practices do not change with cloud computing. This applies to access assurance issues as well. But managing them can be more complex, time consuming, and open to error and oversight. Access Assurance best practices are a critical component of managing this increasingly important computing (dare I say it) paradigm.
Posted by Kurt Johnson - VP Strategy on Tue, Apr 21, 2009
Yesterday Oracle announced it had agreed to acquire Sun Microsystems. My friend Dave Kearns sent an email asking for reaction (for those of you unfamiliar with Dave's work, I strongly suggest you subscribe to his blog and identity management newsletter) and it got me thinking. Oracle's positioning is talking about providing an integrated system from "application to disk" and also lauds the merits of having Solaris and Java at its disposal. But, nowhere do you hear anything about identity management. This is of no surprise as the acquisition was not motivated by a strategy of combining identity management solutions. However, if you're a Sun identity management customer, you have to be concerned due to the significant overlap between Oracle's and Sun's IAM product lines.
So, this got me thinking about the importance of the "new" vendor viability. As an independent player who is a wee bit smaller than some of the companies we compete with in the IAM market, Courion sees vendor viability thrown in our faces at times in competitive situations. Although we've demonstrated product innovation and leadership (according to Gartner and Burton Group among others) and are recognized for a strong track record of customer success at a fraction of the overall implementation and service costs, our competition (including Sun) would throw the viability FUD in there to try to wrestle deals away. Comments such as "They're too small"; "They're not going to be around much longer"; "We're going to crush them" have all been things we've heard in selling cycles for a long time.
Well, I believe the Oracle Sun acquisition highlights where the real viability concerns lie. Clearly the IAM business was not a consideration of Oracle when acquiring Sun. There is tremendous overlap between the product sets and one can only suspect that Oracle will be announcing an end of life plan for the Sun Identity Manager products before too long.
Consider other announcements over the last few years. HP acquires Trulogica as an entry into the identity management market only to announce a few years later that HP was getting out of the business. Similarly BMC announced it was dropping traditional identity management. After acquiring Netegrity, much of the original Business Layers identity management products have been "evolved" by CA under a completely different architecture. It sure appears to me that size has nothing to do with IAM vendor viability.
IAM is what Courion does. We can't afford to give away hardware, operating systems, databases, or anything else if the project goes bad. We must have customer success for each and every project as there is no other way for Courion to "make it up" to the customer. Clearly a company like Courion is not planning on getting out of the IAM business.
IAM is a strong and growing market, and is still a top priority in even the current economic climate. But, when vendors use their IAM business as a way to help pull other products and push infrastructure on customers, success is measured in more than pure IAM revenue. True vendor viability concerns should be focused on these larger organizations and prospective customers need to look carefully at the nature of their commitment and the viability of their overall business. The commitment these organizations have to IAM should be a major concern. Courion's focus for IAM is to solve real, critical business problems. Its purpose is not to sell other pieces of infrastructure. This is what we do and we like to think we're doing it pretty well. We're growing. We're profitable. We've got a customer base full of happy customers. That all sounds pretty viable to me.
What are your thoughts?
Posted by Kurt Johnson - VP Strategy on Tue, Apr 07, 2009
Adam Bosnian recently noted in an article he penned in SC Magazine the importance of privileged user access and the risk of poor controls around privileged users. We clearly see this as a critical issue that our customers and prospective customers are trying to get their hands around, and it's critical that privileged accounts are considered as part of a broader access assurance strategy.
Access assurance, for those not familiar with the term, is ensuring that the right users have the right access to the right resources, and are doing the right things with it. One of the most popular questions I get when I'm on the road talking to companies is, "Where should we start?" We often find organizations taking a tactical jump into access assurance. Often it's driven by an audit finding. So, if it's a SOX audit, it's the key financial apps they start with. If HIPAA it may be clinical applications. If it's a finding around accounts still in place for users that left the organization, it's a focus on disabling user access.
Organizations need to take a step back and prepare a comprehensive access assurance strategy. The key is to look across the environment and build a phased plan with some key initial wins. This should be driven by the areas of highest risk in the organization. You should try to avoid the fire fighting approach of trying to stomp out little fires all over the place. Build a plan and make sure to include privileged user access as part of the broader identity and access management program.
It's important to take this comprehensive view to lay out a continual process for access assurance. Define who should have access to what. Enforce and apply that access. Detect when access or activity is beyond the scope of policy. Correct variances from policy and continuously evaluate whether the policy is appropriate. This applies to privileged and common users alike.
Posted by Kurt Johnson - VP Strategy on Wed, Apr 01, 2009
It was reported yesterday that 15 hospital employees were fired, and another eight disciplined, for viewing patient records without permission. It appears that the employees of Kaiser Permanente Bellflower Medical Center viewed the patient records of infamous octuplet mother Nadya Suleman (aka Octomom) without a medical reason.
This is just the latest incident in which private patient records have been accessed by employees in violation of hospital policy and healthcare privacy laws. A similar story broke last year at UCLA hospitals, where the medical records of various celebrities including Britney Spears and Farrah Fawcett were improperly accessed, leading to firings, suspensions, and warnings for approximately 175 hospital employees.
It's critical that organizations truly understand who has access to what. Is this access appropriate? Is it within hospital policy? Does it violate HIPAA policy? As may, or may not, be the case here, the access itself may be appropriate, but the activity was not. These employees may have had valid access, but they had no right snooping into Octomom's medical information. It's critical that organizations gain control not only on access, but on user activity as well, and ensure this is within policy.
Today's healthcare organizations can't be too careful when it comes to ensuring that their users only have access to what they need in order to properly perform their jobs. As I discussed in a recent blog posting (HIPAA Compliance - This Time We Mean It), the Department of Health & Human Services has really stepped up its enforcement of privacy laws recently, and it's more important than ever that hospitals employ every tool at their disposal to protect patient data from such breaches - or risk severe penalties. This is going to be particularly important for California hospitals like UCLA and Kaiser, since California Gov. Arnold Schwarzenegger recently signed into law legislation that increases state fines for security and privacy violations involving patient health information. The bills mandate security controls for preventing unauthorized access to patient data.
Developing an access assurance strategy can provide strong controls for protecting privacy information and complying with regulations like HIPAA. It's imperative that organizations take steps to properly define the policy around who should have access to what, ensure they have the ability to enforce this policy, continuously monitor and detect when access and actions are inconsistent with that policy, and remediate and document when policy violations occur.
Posted by Kurt Johnson - VP Strategy on Wed, Mar 25, 2009
I was just reading Gartner analyst Neil MacDonald's most recent blog posting about Rogue SharePoint Sites and was interested to see that Gartner estimates that about 30% of SharePoint servers are operating outside of the management sphere of IT departments. Neil also mentions that this is not SharePoint's fault, but rather a problem with oversight - or lack thereof - with respect to organizational compliance with enterprise security policies.
I touched on this in my blog posting last month (Microsoft SharePoint - Governance Schmuvernance) and I'm glad to see that awareness of this policy compliance issue is becoming widespread, with the likes of Gartner recognizing the scope of the potential risk it poses. Courion has been providing SharePoint security solutions for some time which give organizations insight into the configuration, authentication, and authorization needs that Neil refers to.
How does your organization view this issue?
Posted by Kurt Johnson - VP Strategy on Fri, Mar 20, 2009
With the rash of regulatory compliance policies thrown at virtually every industry over the last decade, healthcare was not immune (no pun intended). Understanding that advances in technology would have a major impact on the privacy of health information the Health Insurance Portability and Accountability Act (better known as HIPAA) includes scrutiny on patient privacy and handling of that information.
One critical aspect of privacy protection is access to electronic health information. Understanding who has access to this data, whether this access is appropriate, how they got it, and whether it is effectively taken away when no longer needed are all key ingredients of an Access Assurance strategy and a critical part of the controls that are required for HIPAA compliance.
Still many of the healthcare IT and audit professionals I speak with regard HIPAA much like a teenager does music piracy. They are not that fearful of non-compliance and don't believe they are ever going to get caught. While many pointed at Atlanta's Piedmont Hospital and Seattle's Providence Health as the poster children for the impact of HIPAA non-compliance after being audited and penalized back in 2007 and 2008 respectively, these one-a-year headline catchers weren't enough to scare people too badly. As a result, HIPAA is more of a way to secure budget than a driving force to boost internal controls around protecting patient data. Many folks I speak with tell me they are far more worried about the impact on resources and the organization to implement tighter security and controls than they are in fines for non-compliance.
Well clearly I wasn't the only one hearing this as the Office of the Inspector General (OIG) decided to take a deeper look into Health and Human Services' (HHS) oversight of HIPAA and added HIPAA review to its FY09 Work Plan with a strong focus on the HIPAA Security Rule and HIPAA Privacy Rule. OIG came down pretty heavily on HHS's failure to enforce HIPAA rules (ModernHealthcare.com coverage and OIG Report).
Apparently they weren't kidding around and HHS is getting the message. Last month CVS Caremark agreed to pay $2.25 million to settle a federal investigation that it violated HIPAA privacy regulations. Appears the people in the white coats behind the counter threw items such as pill bottles with patient information in the trash. Woops.
This decent penalty is getting the attention of healthcare organizations and they're starting to believe that HHS is serious this time. Many are feeling that HHS would relish the opportunity to grab headlines with major findings and penalties to prove they're getting their act together. In addition, a new law signed by President Obama includes rules expanding HIPAA, including stricter penalties and public disclosure rules. Moreover, it authorizes State Attorneys General to bring civil actions against individuals who violate HIPAA. I'm sure this has AGs frothing at the mouth for new things to go after, and this, as well as steeper fines, is grabbing the attention of healthcare security professionals.
What this means for security professionals is it's time to get real about HIPAA. It's time to dust off the policies and procedures and focus on education of individuals around the protection of privacy information. Also high on the list should be an assessment of data governance and access assurance:
- Where is the private data?
- What kind of data is out there?
- Who has access to this data?
- Do the right people have the right access to the right resources, and are they doing the right things with it?
- How will this be enforced and managed on an ongoing basis?
Practitioners and management must have ownership of privacy data and how this information is being protected. It's critical that healthcare organizations take a strong look at how they're managing the lifecycle of access assurance. This starts with defining access policy, enforcing that policy, detecting when actions are inconsistent with policy, validating when those actions violate policy and create risk, then remediating to bring things back in line. It appears HHS is serious this time, and you don't want to be the next attention grabbing headline out there.
I'd love to hear what you think.
Posted by Kurt Johnson - VP Strategy on Wed, Feb 11, 2009
The source of all information great and accurate (and I'm talking about Wikipedia of course) defines governance as relating "to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility". This sounds reasonable to me. Today's realities of increasing privacy concerns, compliance management, and regulatory pressure have brought visibility to the importance of sound policies and processes to minimize risk and protect organizations. IT governance consists of cross-organization teams, with a heavy emphasis on line-of-business involvement, to more effectively ensure that IT policies are not only being followed, but are the responsibility of the individual users and business managers to define and enforce. It's not solely an IT function.
Sounds great, doesn't it? As part of this IT, and even IT security, have emerged from the bowels of their cavernous quarters to have a seat at the table working with the organization to identify risk and build effective ways to manage it. In many areas IT security has effectively shattered the image of being a business impediment to one of a business enabler.
Then along comes something like Microsoft SharePoint to ruin everything. Are we even a little surprised that we're reading that Microsoft SharePoint is hard to secure? (Microsoft SharePoint: A Weak Link In Enterprise Security?) A recent Ponemon Institute survey stated that only 60% of respondents have deployed security tools specifically for SharePoint. Courion's own survey on SharePoint compliance showed that 25% of respondents stated that they believed their SharePoint security was either weak or they were unaware of what was being done about it.
It's always easy to take shots at Microsoft and point the finger at the tool. But blame here belongs with the organization using the product. Microsoft designed a solution to provide enhanced collaboration capability to make it easy to share information across different organizations or even outside the organization. SharePoint was designed to install easily, be painless to administer, and make it simple to post documents and data for wide audiences to see and share. Guess what? The product works. But, like a loaded gun, which in the right hands can be an effective tool but in the wrong hands can lead to unfathomable destruction, so too can SharePoint or any collaboration tool.
Historically we've seen IT security and management as afterthoughts to application deployments. Back in my META Group days we referred to this as the pig being thrown over the wall. An application goes live and then IT management is left to figure out how to ensure it doesn't bring the infrastructure to its knees and that the information is secure. As I mentioned before, IT governance started to change much of this. But, in many cases, SharePoint is so easy to deploy IT doesn't even know about it. Thus security is not planned for up front.
So what is IT security to do? My friend Mike Rothman suggests in his Daily Incite post, pray. Not bad advice. How does IT gain control while not impeding the business value of collaboration? The solution is what we at Courion refer to as an Access Assurance strategy.
Access Assurance refers to ensuring the right people, have the right access, to the right resources, and are doing the right things. It involves the definition of access policy; enforcement of that policy via automation; detection when that access varies from policy; remediation to bring access back within policy; and validation that the policy is appropriate. Where better can this apply than to SharePoint? This focus on a lifecycle for SharePoint compliance management offers significant value for organizations.
So, how does one go about building SharePoint compliance and access assurance? It starts by finding out what's out there. This discovery must include an assessment of the various risks associated with the sites. It doesn't make much sense to put a ton of policy around the company softball site; however, that engineering planning one might need a little more oversight. This risk assessment may include identification of sites that have sensitive data on them. DLP tools like those from RSA and Symantec are helpful in discovering such information. Risk can also be assessed by seeing how many sites have multiple site owners, how many grant access via explicit user permissions vs. groups, how many the "everyone" group has access to, etc. Identify which users have access to the different sites, what job function they belong to, and what types of rights they have (e.g. contribute, read only, full administration, etc.). There should then be a formal process to verify that this is appropriate and have the business managers attest to the fact that the access is appropriate. When it's not, remediate by removing or modifying that access. This is what Courion's Solutions for Microsoft SharePoint focus on: creating an Access Assurance lifecycle for SharePoint.
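The risk indicators listed above (sensitive data found by DLP, multiple site owners, explicit user grants instead of groups, "everyone" access, and elevated rights) can be turned into a repeatable scoring pass over a site inventory, followed by a per-site attestation list for the business owner. The code below is an added example written for this post, not Courion's SharePoint solution or a Microsoft API; the site inventory, the group names and the weights are constructed assumptions chosen to illustrate the ranking.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Grant:
    principal: str      # user or group name as exported from the site's permissions
    is_group: bool
    level: str          # "read", "contribute" or "full_control"

@dataclass(frozen=True)
class Site:
    url: str
    owners: List[str]
    grants: List[Grant]
    has_sensitive_data: bool    # e.g. a DLP hit on the site's content (constructed flag)

# Weights are assumptions for illustration; a real program would tune them to its own risk appetite.
WEIGHTS = {
    "sensitive_data": 50,
    "everyone_access": 30,
    "multiple_owners": 10,
    "explicit_user_grant": 2,   # per grant made directly to a user rather than a group
    "full_control_grant": 5,    # per non-owner principal holding full control
}
# Names that mean "anybody with a login"; constructed list, extend to match the directory.
EVERYONE_GROUPS = {"everyone", "nt authority\\authenticated users"}

# Constructed inventory: the softball site and the engineering planning site from the post.
SITES: List[Site] = [
    Site("https://intranet.example/sites/softball", ["pat"],
         [Grant("everyone", True, "contribute")], has_sensitive_data=False),
    Site("https://intranet.example/sites/engineering-planning", ["lee", "sam"],
         [Grant("Engineering Leads", True, "contribute"),
          Grant("intern01", False, "full_control"),
          Grant("contractor02", False, "read"),
          Grant("everyone", True, "read")], has_sensitive_data=True),
]

def score_site(site: Site) -> Tuple[int, List[str]]:
    """Score one site against the risk indicators and explain each point awarded."""
    score, reasons = 0, []
    if site.has_sensitive_data:
        score += WEIGHTS["sensitive_data"]
        reasons.append("sensitive data present")
    everyone = [g for g in site.grants if g.is_group and g.principal.lower() in EVERYONE_GROUPS]
    if everyone:
        score += WEIGHTS["everyone_access"]
        reasons.append("'everyone' group has " + ", ".join(g.level for g in everyone) + " access")
    if len(site.owners) > 1:
        score += WEIGHTS["multiple_owners"]
        reasons.append(f"{len(site.owners)} site owners")
    explicit = [g for g in site.grants if not g.is_group]
    if explicit:
        score += WEIGHTS["explicit_user_grant"] * len(explicit)
        reasons.append(f"{len(explicit)} explicit user grants")
    full = [g for g in site.grants if g.level == "full_control" and g.principal not in site.owners]
    if full:
        score += WEIGHTS["full_control_grant"] * len(full)
        reasons.append(f"{len(full)} non-owner full control grants")
    return score, reasons

def review_queue(sites: List[Site], threshold: int) -> List[Tuple[str, int, List[str]]]:
    """Sites at or above the threshold, highest risk first, for the discovery/clean-up phase."""
    scored = [(s.url, *score_site(s)) for s in sites]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [item for item in scored if item[1] >= threshold]

def attestation_items(site: Site) -> List[Tuple[str, str]]:
    """Per-user (principal, level) pairs the business owner must confirm or revoke."""
    return [(g.principal, g.level) for g in site.grants if not g.is_group]

if __name__ == "__main__":
    for url, score, reasons in review_queue(SITES, threshold=40):
        print(score, url, "; ".join(reasons))
```

Group grants are deliberately left out of the attestation list: the membership of a group is certified once where the group is managed, while each explicit user grant on a site has to be attested by that site's owner, which is exactly the overhead that argues for granting through groups in the first place.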
Once this clean-up has occurred, we can then implement a process of governance for sensitive sites. Ongoing reviews of who has what type of access are critical. Formal processes for approving access to such sites should trump the "let the site owner add anyone they'd like" approach. The SharePoint policies must be well understood, well communicated, and implemented in a way that ensures business efficiency while maintaining policy. We like to refer to this as transparent compliance. Embedding the policy into the business process allows the organization to enjoy the benefits of increased business efficiency with higher security, and thus reduced risk.
Isn't that what we're all striving for anyway?