Posted by Chris Sullivan - VP Customer Solutions on Thu, Jan 07, 2010

Here's an old adage that we've all heard - the value of the whole exceeds the sum of the parts. Is it true? Well, according to the governments of the United States and Japan it is. If you include the skin, the human body is comprised of 65% oxygen, 18% carbon, 3% nitrogen and 9 other common and inexpensive elements down to a mere 0.00004% Iodine. Taken in their parts, 170 lbs of that is worth about $4.50.
But if you put it together in the right way, you can come up with the likes of an Einstein, a Warren Buffett, a Gandhi, a Mother Teresa, an Alfred Bernhard Nobel.
It's similar in our space. We have all the elements - provisioning, compliance, role management, governance, sensitive data analysis, sensitive activity analysis, entitlement management and even security in the cloud (which we all know to be the next big thing until the next big thing comes along). Where we are collectively weak is the ability to put all of these things together in sophisticated ways where the whole exceeds the value of the sum of the parts - and by a whole lot.
With that, here are my 3 predictions for 2010:
- 2010 will not be about the cloud. We've been living in the clouds for years and Courion has already been weaving our customers' provisioning, access compliance and access assurance frameworks into those clouds with connectors like GE Pharmacy, Fedlink, Equifax and Salesforce. That's not interesting.
- Companies will take advantage of commoditized pricing for custom connectors to dramatically increase the number of systems and applications for which they automate compliance, risk management and controls today.
- Companies will realize a dramatic increase in the value of what they already have by pulling together all of the elements in sophisticated ways to assure access and to predict and remediate risk before breaches occur - Identity Intelligence and Analytics will be the next real big thing.
Did you know?
I presume you know that the Nobel Prizes (including the coveted Nobel Peace Prize) come from the institute of the same name. But did you know that the philanthropist who founded the institute was also the inventor of dynamite and made his fortune in the 1800s as a major arms manufacturer and dealer?
Define irony.
Posted by Chris Sullivan - VP Customer Solutions on Tue, Nov 03, 2009

This week, I was thinking about using a quote about the "burden of knowledge" to stimulate some thinking around managing risk or, more specifically, managing liabilities. Unfortunately, the term is not easily attributed to any one person. In some form, the term has been used by Nobel Laureates, heads of state and philosophers for literally thousands of years. What's more interesting is its use as a foundational element of legal systems all over the world.
For risk managers, this is important stuff. Your company can be found negligent and therefore liable for damages caused either directly or indirectly by something you either knew or should have known. In such cases, legal systems consistently magnify findings against defendants who are found to be "grossly" negligent.
What does all this mean? In legalese, ordinary negligence is for "want of great diligence" and gross negligence is for "want of slight diligence." Still unclear? So was I, so I called my lawyer and he gave me more mumbo jumbo. Then I called my nephew who is in law school and he said "Uncle Chris, if you should have known something you are negligent - you are liable. If you actually knew and did nothing, then you are grossly negligent - You are $&%!(d".
I get it now. So if you turn on a DLP solution and it generates 1,000,000+ critical alerts a week because there's lots of sensitive information moving around your company, then you are left with 3 obvious options:
- Eradicate the sensitive information that is, by the way, required to run your business
- Hire an army of security analysts to ferret out and address the small number of real concerns
- Shut off the DLP system, because if there is one unaddressed misuse in those 1,000,000 alerts that you knew about... You did nothing... You are $&%!(d
Think I'm being dramatic? This exact scenario was presented to me by the CIO of a Fortune 100 company less than a year ago. He chose option 3 and, not surprisingly, he does not want to be quoted for this article.
What if you buy some fancy new attestation software that will process data dumps of access rights from your key systems and help you identify risks? That's helpful, right? Not if you don't remediate those risks. If you don't, then you knew, you did nothing and you are...
A more sensible approach would be to put in place an Access Assurance framework to ensure that the right people have the right access to the right resources and they are doing the right things:
- If your DLP system finds Protected Health Information then bounce it off the Identity Management solution to see if the people who have access to it are clinicians. In most cases, they will be and you've automated away most of the unnecessary work.
- What's the risk of verification if your access certification process finds issues and you can't automate the requisite remediation?
By thinking holistically, you can take an approach that automates away rote work to ensure that you do know what you should know and that you can deal with it efficiently and effectively.
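The DLP-to-identity check described above, as an added example that is not Courion's code or the post's own: constructed DLP alerts are bounced off a constructed identity store, alerts raised by active users whose role is expected to handle that data class are closed automatically, and only the remainder (unbound accounts, terminated users, roles with no business need) reaches an analyst. The identity schema and the role-to-data-class policy are assumptions.

```python
"""Triage DLP alerts against an identity/role store (added example).

Roles and the data classes each role is expected to handle are an assumed
policy; all identity records and alerts below are constructed test data.
"""
from dataclasses import dataclass, field

# Constructed identity store: account -> roles and lifecycle status.
IDENTITIES = {
    "jdoe":   {"roles": {"clinician", "staff"}, "status": "active"},
    "asmith": {"roles": {"finance", "staff"},   "status": "active"},
    "rlee":   {"roles": {"clinician", "staff"}, "status": "terminated"},
}

# Assumed policy: which roles are expected to handle which data class.
EXPECTED_HANDLERS = {
    "PHI": {"clinician"},
    "PCI": {"finance"},
}

# Constructed DLP alerts: (alert id, account that moved the data, data class).
ALERTS = [
    (1, "jdoe",   "PHI"),
    (2, "asmith", "PHI"),
    (3, "rlee",   "PHI"),
    (4, "ghost",  "PCI"),
    (5, "asmith", "PCI"),
]


@dataclass
class Triage:
    auto_closed: list = field(default_factory=list)   # alert ids
    escalated: list = field(default_factory=list)     # (alert id, reason)


def classify(account, data_class, identities=IDENTITIES):
    """Return 'expected' when the identity store explains the alert,
    otherwise a short reason an analyst should look at it."""
    ident = identities.get(account)
    if ident is None:
        return "no identity bound to account"
    if ident["status"] != "active":
        return f"account status is {ident['status']}"
    if ident["roles"] & EXPECTED_HANDLERS.get(data_class, set()):
        return "expected"
    return f"no role entitled to {data_class}"


def triage(alerts, identities=IDENTITIES):
    """Split alerts into auto-closed and escalated, preserving order."""
    result = Triage()
    for alert_id, account, data_class in alerts:
        verdict = classify(account, data_class, identities)
        if verdict == "expected":
            result.auto_closed.append(alert_id)
        else:
            result.escalated.append((alert_id, verdict))
    return result


if __name__ == "__main__":
    r = triage(ALERTS)
    print("auto-closed:", r.auto_closed)
    print("escalated:", r.escalated)
```

On the constructed data, two of five alerts are closed automatically and the three escalations each carry the reason the identity check could not explain them.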
Did you know?
- It's official, Bing is better than Google. When researching "burden of knowledge" I noticed that Bing returned 21,500,000 results while Google returned only 16,300,000. Probably either one would have been sufficient to get me started.
- "Knowledge burdens but wisdom frees one from the burden of knowledge" - Brother Sahajananda, Benedictine monk
Posted by Chris Sullivan - VP Customer Solutions on Tue, Oct 27, 2009

With 34 successful books and decades as a regular contributor to rags like WSJ, HBR and The Economist, many regard the late Peter Drucker as the most influential thinker on management and leadership in modern times.
As a slick communicator, Drucker was very fond of saying that "If you can't measure it, you can't manage it."
Think about that for a second, "If you can't measure it, you can't manage it". Should we have been thinking this way about mortgage backed securities?
- With traditional mortgages, originators make and service their own loans. The service provider knows the borrower and takes care to ensure that the borrower has the ability to repay because if they don't, the provider takes the loss. It's also worth noting that there's not much leverage. The originator is limited in how much they can loan by their own deposits.
- With the mortgage backed securities (MBS) era that began in the late 1970s, providers pool individual loans by the thousands and convert them into bond-like instruments that are floated to investors as claims to principal and interest. Selling these assets means that the originator has more cash to make more loans. The resulting leverage and liquidity is very seductive to the original provider, but the new provider and the real customer can no longer see each other, so you can't manage it. To complicate things, these new providers also want leverage and liquidity, so they abstract their securities yet again into even bigger pools and sell them to even bigger investors (like the Chinese government ;). No one can see anything but we have lots of leverage and liquidity, so everyone is happy until....
- Until some of those individual mortgages fail. With all those layers of abstraction it is impossible to separate toxic assets from good ones, so investors stop buying, which seizes capital markets, so no individual or business can get a loan... and you find yourself in the worst economic downturn in 80 years.
Drucker would have said that this leverage & liquidity was the opiate that led everyone to abandon transparency and reason and, ultimately, to our collective doom. He would have said that a system like this, where the service providers deliberately abstract the actual services in a series of layers, each of which might be repackaged and resourced to a different provider until the customer and the provider have no traceable connection to each other, is a disaster in waiting. He would have said that... Wait... Am I thinking about MBSs or cloud computing? I honestly can't tell.
I can tell that the insightful and pragmatic Drucker would have made a great CISO. He would have worked tirelessly to put in place an effective framework for information governance, provisioning and access compliance before moving aggressively into the cloud so that, when his company did, they could maintain transparency and control and still get liquidity and leverage... And he would still have his job next year ;)
Did you know?
- In April 2009, the FBI raided 5 data centers in an attempt to gather evidence related to an ongoing fraud investigation. As part of these raids, they physically seized computers and storage for dozens of companies because they were co-hosted - The action effectively shut them all down until the evidence was processed.
- "Computers have enabled people to make more mistakes faster than almost any invention in history.... with the possible exception of tequila and hand guns" - Mitch Ratcliffe
Posted by Chris Sullivan - VP Customer Solutions on Tue, Oct 20, 2009

Welcome to Applied Wisdom, a series of vignettes that seeks to glean practical insight for managing risk and compliance from some of history's greatest minds.
Warren Buffett, the world's richest man and undisputed king of practical risk management once said "Risk comes from not knowing what you're doing."
How simple is that? You can have all of the risk management frameworks that the big four can sell you but if you don't know who has access to what, you can't assure access, can't manage risk and you can't assert compliance to virtually any regulations. Hell, you don't even know what access to remove when someone leaves your company.
Take a tip from Buffett (Warren, not Jimmy) and deploy an IdentityMap™. It's a very simple process to discover identities from across the enterprise and bind them to unique identifiers for employees, partners or privileged accounts. From there you will be able to identify rogue accounts when they appear, disable all access on termination, synchronize passwords for users, manage accurate access verifications and accelerate forensics with speed and efficiency.
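The binding step described above, as an added example that is not Courion's IdentityMap product or the post's own code: account dumps from three systems are bound to an HR feed, accounts that bind to nobody are reported as rogue, and the accounts belonging to a terminated person become the list to disable. All records are constructed and the matching rule (employee id first, then corporate e-mail) is an assumption.

```python
"""Build a simple identity map from an HR feed and per-system account dumps
(added example). Records are constructed; the matching rule is assumed."""

# Constructed HR feed: the authoritative identities.
HR = [
    {"emp_id": "E100", "email": "jdoe@example.com",   "status": "active"},
    {"emp_id": "E101", "email": "asmith@example.com", "status": "terminated"},
]

# Constructed account dumps; each system names and attributes accounts its own way.
ACCOUNTS = {
    "AD":   [{"sam": "jdoe", "emp_id": "E100"},
             {"sam": "asmith", "emp_id": "E101"},
             {"sam": "svc_backup", "emp_id": None}],
    "SAP":  [{"user": "JDOE", "mail": "jdoe@example.com"},
             {"user": "ASMITH", "mail": "asmith@example.com"},
             {"user": "TEMP42", "mail": "nobody@example.com"}],
    "RACF": [{"id": "JDOE1", "emp_id": "E100"}],
}

# Which attribute carries the account name in each system's dump.
ACCOUNT_NAME = {"AD": "sam", "SAP": "user", "RACF": "id"}


def bind(acct, by_emp, by_mail):
    """Assumed rule: bind on employee id, fall back to corporate e-mail."""
    if acct.get("emp_id") in by_emp:
        return by_emp[acct["emp_id"]]
    if acct.get("mail") in by_mail:
        return by_mail[acct["mail"]]
    return None


def build_identity_map(hr=HR, accounts=ACCOUNTS):
    """Return (emp_id -> [(system, account)], [(system, account)] rogue)."""
    by_emp = {p["emp_id"]: p for p in hr}
    by_mail = {p["email"]: p for p in hr}
    identity_map = {p["emp_id"]: [] for p in hr}
    rogue = []  # accounts no HR identity claims: review or disable
    for system, dump in accounts.items():
        for acct in dump:
            name = acct[ACCOUNT_NAME[system]]
            person = bind(acct, by_emp, by_mail)
            if person is None:
                rogue.append((system, name))
            else:
                identity_map[person["emp_id"]].append((system, name))
    return identity_map, rogue


def termination_worklist(hr=HR, accounts=ACCOUNTS):
    """Every account still bound to a person HR marks as terminated."""
    identity_map, _ = build_identity_map(hr, accounts)
    return {p["emp_id"]: identity_map[p["emp_id"]]
            for p in hr if p["status"] == "terminated"}


if __name__ == "__main__":
    imap, rogue = build_identity_map()
    print("identity map:", imap)
    print("rogue accounts:", rogue)
    print("disable on termination:", termination_worklist())
```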
Did you know?
Warren Edward Buffett still lives in the five-bedroom stucco house that he bought for $31,500 in 1957.
The "big four" are:
- PricewaterhouseCoopers at $26.2bn and 163,000 employees worldwide
- Ernst & Young at $21.4bn and 144,441
- Deloitte Touche Tohmatsu at $27.4bn and 165,000
- KPMG at $22.7bn and 135,000
Care to share any of your "Applied Wisdom"?
Posted by Chris Sullivan - VP Customer Solutions on Tue, Aug 11, 2009
Another summer is waning and another Catalyst San Diego is behind us. As a regular attendee, I would give this year's conference fairly good marks. For me the key takeaways were:
- The Lightning Round
- The virtual compliance gap
- The conspicuous lack of customer case studies demonstrating deep and broad success in the identity space.
The Lightning Rounds were new to the format this year. Vendors were given a very short time to explain why they mattered. It seemed an effective way to give attendees a taste of each dish so that they might go back and find out more if they were interested. Most importantly, it was, dare I say, fun to watch - no time for death-by-PowerPoint sales pitches here - the presenting executives had their 6 minutes of fame and they were either going to bask in the glow of the lightning flash or be incinerated by it.
There was also a special moment for me that was akin to that rare time in adolescence when your parent does something that you are actually proud of. When my boss, Courion CEO Chris Zannetos, took the podium, he skipped the "Courion is about ensuring the right people get the right access to the right resources and they are doing the right things" blurb and went right to the heart of the matter - "This [use your favorite expletive] is hard". Clearly, automating identity and access management yields speed, efficiency and control and, while there are enough failed or mediocre deployments out there to make people wonder if it's worth all the fuss, there are brilliant successes, too. Chris used his time to share the key ingredients required for success - understand the risk, control and financial implications, take an incremental approach and, most crucially, choose your vendor partner with great care:
- Ask for references and ask these references the tough questions. How many systems and applications are you managing? At what level of granularity? How long did the deployment take? What are you actually automating? How many people did it take to deploy? How many does it take to maintain?
- Do a POC - a real POC, not a demo. Make the vendor take the shrink wrap off the software and install it on your iron and watch how difficult this is to do.
- Ask them to share the risk. Will they commit to a price for all future connectors? Will they lead with a fixed price proposal for everything you need?
Chris took the high road and I was proud (please don't tell him).
The virtual compliance gap was also interesting - the identity track folks touched on the difficulty of demonstrating compliance in a virtual world and so did the virtualization folks, but it's clear a lot of work needs to be done before these areas converge. How, exactly, do you demonstrate compliance to geographically specific regulations when that data (and the entire application and server that's instantiating your business process) is automatically floated between different data centers in different parts of the world to manage power consumption? This is a topic for a future blog.
Finally, the conspicuous lack of deeply successful case studies was, for me, the most important observation and not entirely disconnected from Chris' comments about the importance of partnering with the right vendor. There were several "customer success" stories, but the only one I heard that showed deep and lasting success was Wendy Booker from SunTrust Banks (full disclosure: a Courion customer). In Wendy's case, she covered how they funded a robust access assurance program that manages fine-grained entitlements for 35,000 people, with detailed roles and 50+ custom connectors automating all aspects of provisioning and compliance for hundreds of systems and applications - yielding dramatic control, efficiency and service quality improvements.
I hope I didn't miss an important session but most of the other deployments described seemed superficial, such as the case where it took 18 months to do 25 roles for 25,000 people and they only covered RACF and AD. Really? Most companies I know with 25,000 people are dealing in the range of 500-1000 applications, with hundreds of them being KFA (key financial applications for SOX) or HRA (high risk applications for the business). Surely 25 roles for this level of complexity does not begin to address the problem or opportunities.
I began to realize that the elephant in the room is connectors. All provisioning and/or compliance vendors have connectors for RACF and AD but this doesn't begin to meet the need for companies with this kind of scale and complexity. At Courion, we have 160+ out-of-the-box connectors, but what's the likelihood they will be the 160+ most important of the 1000+ that you need?
That's it then - the Achilles' heel of the Provisioning and Access Compliance world is connectors. Can your vendor give you a low fixed price for as many as you need? Can they commit to a price in advance, even before you know what the applications are, so that you can plan and manage your deployment out of Phase I and into something that truly enables the business? The answer in almost all cases is, "No".
This is a problem that Courion has been working on for a long time - we understand the issues that make this difficult and we have tooled ourselves to address them. Today, not at some time in the future, we provide our customers unlimited connectors with speed and efficiency, and at one low fixed price - perhaps there's some fodder here for a future blog as well.
Posted by Chris Sullivan - VP Customer Solutions on Thu, Feb 19, 2009
InformationWeek posted a blog yesterday titled "ROI Is Not A Good Justification For Security". With all due respect to blogger Mike Fratto, yes it is.
In fairness to Mike, I think he's reacting to increasing pressure across every industry to cost-justify security programs, and he's reminding us of two very important facts. First, there are risk management and compliance benefits that, just because they are harder to quantify for the CFO, should not be ignored. Second, it might be harder than you think to realize some operational efficiencies.
Here's the rest of the story...
Companies deploy access assurance solutions for 3 simple reasons:
- Effective security controls reduce risk and meet compliance demands
- Automation yields efficient security operations
- Speed enables the business to move faster
You must justify programs internally by being realistic about which of the benefits will secure funding:
- Effective security is attractive if it addresses high-risk areas identified in risk assessments done with the business. In today's environment, this might be insider threat from disgruntled, soon-to-be-former or former employees.
- Efficiency gains are real and measurable. It may be hard to recover the cost from employees working as part-time security administrators, but a company's core applications like SAP, AD, RACF and email require dedicated personnel that are easy to identify. Increasingly, companies are auditing for efficiency as well. Here is some actual data from our customers:
  - A 7,000-person teaching hospital automated 24,960 password resets and 52,708 account creates, adds, changes and disables in 2008.
  - A 35,000-person retail bank is automating account administration where turnover is approximately 800 people per month. In addition, they report having saved $2,175,300 in calls to the help desk by automating password resets alone.
- Enabling the business means getting employees productive more quickly or executing mergers or divestitures more quickly
In most companies today, the optimal approach is to build a business case that clearly and conservatively defines how an access assurance program:
- Enables the business (soft benefits)
- Meets security needs (basic requirements)
- Saves money (operational efficiency)
If you need some help with this, let me know ;)
Posted by Chris Sullivan - VP Customer Solutions on Wed, Feb 11, 2009
I was reading the recently published "Market Overview: Enterprise Role Management" by Andras Cser of Forrester and I was struck by his comment about Courion adding a "whopping" number of roles customers in 2008. The report goes on to talk about the need for enterprise roles, double-digit market growth rates in a down economy and a bunch of products that all sound the same - "All products, with the exception of IBM's TIM, support role mining, role management, role versioning, compliance reporting, definition, and enforcement of segregation of duties out-of-the-box".
By the time I finished the report, I had 2 questions stuck in my craw:
- Why is Courion, who Forrester positions between the big iron guys and trendy pure play role vendors, thriving even in a down economy?
- If I was about to start a roles project, who would I pick as a vendor?
I suspect that the answer to both comes down to value.
By themselves, roles have no more value than a sundial in the shade. They help you define what people should have access to, but they don't actually grant or verify access. You will need a well-integrated provisioning and compliance solution to ensure that the right people have the right access to the right resources and are doing the right things.
Also, your solution has to leverage what you have rather than requiring a rebuild of your core IT infrastructure. Otherwise you'll end up with a cure that's worse than the illness.
If you're about to embark on a roles initiative, here's some things to consider:
- What problem am I trying to solve?
- How will it be funded? Will the expense be approved? Can the solution generate efficiencies fast enough to be self funding?
- Does it actually work? Can you see it in a POC? Does the vendor have references that can speak to the business value that they have achieved?
If you use this approach you should be successful and, I think, Courion will add a whopping number of new customers in 2009 as well.