Courion Access Assurance Blog


Courion Corporation


Financial Institutions See IAM as #1 Priority


Deloitte has just released its 2010 Financial Services Global Security Study, and once again identity and access management has topped the list as the "Top Security Initiative" for enterprises in 2010.  It is encouraging to see so many respondents highlighting the importance of improving security and meeting regulatory compliance requirements as key drivers for adopting Identity and Access Management (IAM) solutions.

Other Findings:

  • Data loss prevention has taken on greater urgency: Data loss is caused by an intended or unintended action on the part of an organization's people. When asked to characterize their ability to thwart internal breaches, only 34 percent of respondents are "very confident".
  • Regulatory compliance is a key priority for financial institutions: Financial institutions are clearly expecting more regulatory pressure. Respondents to the survey include regulatory and legislative compliance as one of their top five initiatives and are hiring more internal auditors to resolve internal and external audit findings in preparation.
  • Business alignment is still lacking: While 87 percent of respondents either have, or plan to have, a security strategy within the next 12 months, respondents reveal that security functions do not get input or involvement from the lines of business when the strategy is being developed; this indicates that strategy development tends to be driven by the security function rather than driven by business goals.

IAM solutions need to integrate with data protection solutions such as DLP; they need to help relieve increasing regulatory pressure; and they need to help IT engage the business in the process of securing access to data.  This is what we call Access Assurance.

Failure to clamp down on data access has real and painful consequences for any organization, not just those in the financial sector. Data breaches are getting more expensive, regulations more onerous, and catastrophic bad press can have negative impact for years.

Study: Employees Continue to Put Data at Risk


A recent study by the research firm Ponemon Institute reported that, "Despite the best efforts of IT departments, business managers continue to disengage, or turn off, their laptops' encryption solution - exposing company information to thieves should the computer go missing."  This is a concern, especially given the increase in sensitive data being made more broadly available (electronic health records, mobile computing...) and the continuing reports of lost or stolen laptops, but there was something that I found even more concerning...

In the report was the statement, "33% of IT practitioners believe encryption makes it unnecessary to use other security measures, whereas 58 percent of business managers believe this to be the case".  One third of the IT people and over half of the business people believe that encryption is the only security measure needed? Without effective management of access, how can you truly protect sensitive information in an organization?  It's like locking a door and not being sure who has a key.

In the report Dr. Larry Ponemon does state, "This study shows that business managers may be overly reliant on encryption to keep confidential information safe and secure".  That's absolutely true, and it's clear that a combination of preventive AND detective controls is required to effectively manage the risk of inappropriate access to information.

The goal of any Access Assurance strategy is to assure that only the right people get the right access to the right resources and are doing the right things with it.  So, are you taking a balanced approach?

Security Czar Highlights Insider Threats


Melissa Hathaway served as Senior Advisor to the Director of National Intelligence and Cyber Coordination Executive during the administration of President George W. Bush, and as Acting Senior Director for Cyberspace for the National Security Council during the administration of President Barack Obama.

In her recently posted perspective on the state of cybersecurity ("Five Myths About Cybersecurity") published in the ExecutiveBiz Blog she highlights the following:

    • Myth 1: Consumer protection exists in cyberspace
    • Myth 2: Firewalls and virus scanners protect my computer and my enterprise
    • Myth 3: My government has the solution and will protect me
    • Myth 4: Physical assets are more valuable than information
    • Myth 5: Laws are keeping pace with technological innovation

It is interesting to note that she specifically points out that "Few software programs protect us from the insider threat..." which according to a Verizon Business Breach Survey, accounts for approximately a third of all breaches.

This is especially concerning when you consider that a recent survey entitled "the global recession and its effect on work ethics", carried out by Cyber-Ark, found that 48% of respondents admit that if they were fired tomorrow they would take company information with them. And a quarter of workers said that the recession has meant that they feel less loyal towards their employer.

It seems clear that protecting your organization from insider threats, and even external threats made possible by the inappropriate use of insider access (zombie accounts, weak password practices...) should be a key part of your Access Assurance strategy.  The myth of being protected is not a strategy, so, how safe is your environment?

Access Verification - A Step in Managing Risk


Companies that work to mitigate risk in their business face numerous identity and access management challenges spanning Access Governance, Access Provisioning, and Access Compliance, but each organization will prioritize these areas differently.  As you build your strategy it's important not to attack each challenge as if it were stand-alone and unaffected by other business imperatives.  In other words, it's critical that your solutions allow you to "start anywhere" based on your unique business drivers and requirements, but also allow you to "go anywhere" in order to gain greater value by addressing the broader goals of your organization.

Take for example a company unable to demonstrate that their employees have only the minimum required access to company resources to do their jobs.  On the surface this seems to be a straightforward access verification challenge of identifying who has access to what resources, and then asking the managers in the organization to vet the access, right?  In actuality, this is just part of the process needed to appropriately assure that ONLY the right people have the right access to the right resources and are doing the right things with it.

When delivering an access verification solution you need to ask yourself, "How will we manage all the exceptions that it will clearly uncover?"  And, "How will we manage it over time and in an automated fashion to accommodate the changes constantly taking place in our business?"  The ultimate goal should be to enable the verification AND remediation of access regardless of your environment.  Sure, you need to be able to send email alerts and link to help desk systems, but you also should have the ability to automatically change, disable, or delete access directly for any resource, with or without an existing automated provisioning solution.   This approach will make your business more agile and effective (easier compliance adherence, increased efficiency and effectiveness) and at the same time reduce risk for the organization.
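The verification-and-remediation loop described above, as an added example that is not Courion's code and is not taken from any product on this page: a constructed access inventory is compared against manager decisions and an HR leaver list, every entitlement ends up either approved, deleted, disabled, or escalated as an exception with a ticket, and a diff against the previous campaign's snapshot shows how the process is kept going over time. All names, resources and decisions are made up for illustration.

```python
"""Access verification with automated remediation.

Constructed example: the inventory, decisions and leaver list below are
made up for illustration and are not taken from any real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# An entitlement is (user, resource, permission) as discovered on the target system.
Entitlement = Tuple[str, str, str]


@dataclass(frozen=True)
class Action:
    """One remediation step to apply directly on the resource or via the help desk."""
    kind: str            # "disable_account", "delete_entitlement" or "open_ticket"
    user: str
    resource: str = ""
    permission: str = ""
    reason: str = ""


# Constructed access inventory: who currently holds what.
INVENTORY: List[Entitlement] = [
    ("alice", "hr-db", "read"),
    ("alice", "finance-share", "write"),   # not needed for alice's job
    ("bob", "finance-share", "write"),
    ("bob", "prod-servers", "admin"),      # left over from bob's previous role
    ("carol", "prod-servers", "admin"),
    ("dave", "hr-db", "read"),             # dave has left the organization
    ("erin", "hr-db", "write"),            # nobody reviewed this one
]

# Constructed manager decisions collected by the review campaign.
DECISIONS: Dict[Entitlement, str] = {
    ("alice", "hr-db", "read"): "approve",
    ("alice", "finance-share", "write"): "revoke",
    ("bob", "finance-share", "write"): "approve",
    ("bob", "prod-servers", "admin"): "revoke",
    ("carol", "prod-servers", "admin"): "approve",
}

# Constructed HR feed of users who have left.
TERMINATED: Set[str] = {"dave"}

# Constructed snapshot from the previous campaign, used to spot new grants.
PREVIOUS_INVENTORY: List[Entitlement] = [
    ("alice", "hr-db", "read"),
    ("alice", "finance-share", "write"),
    ("bob", "finance-share", "write"),
    ("carol", "prod-servers", "admin"),
    ("dave", "hr-db", "read"),
]


def run_certification(inventory, decisions, terminated):
    """Turn review results into remediation actions.

    Returns (actions, exceptions): the actions to apply, and the entitlements
    nobody decided on, which are escalated rather than silently kept.
    """
    actions: List[Action] = []
    exceptions: List[Entitlement] = []
    disabled: Set[str] = set()
    for user, resource, permission in inventory:
        ent = (user, resource, permission)
        if user in terminated:
            # Leavers are handled without waiting for a manager: disable the
            # account once, then strip every entitlement it still holds.
            if user not in disabled:
                actions.append(Action("disable_account", user, reason="user terminated"))
                disabled.add(user)
            actions.append(Action("delete_entitlement", user, resource, permission, "user terminated"))
            continue
        verdict = decisions.get(ent)
        if verdict == "approve":
            continue
        if verdict == "revoke":
            actions.append(Action("delete_entitlement", user, resource, permission, "manager revoked"))
        else:
            # Unreviewed access is the exception case: record it and raise a ticket.
            exceptions.append(ent)
            actions.append(Action("open_ticket", user, resource, permission, "no review decision"))
    return actions, exceptions


def new_since(previous, current):
    """Entitlements granted since the last campaign: the ones to review first next time."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    acts, exc = run_certification(INVENTORY, DECISIONS, TERMINATED)
    for a in acts:
        print(a)
    print("unreviewed:", exc)
    print("new since last campaign:", new_since(PREVIOUS_INVENTORY, INVENTORY))
```

The design choice worth noting is that an unreviewed entitlement never defaults to "keep": it becomes an explicit exception with a ticket, which is what makes the campaign's results auditable.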

A "start anywhere, go anywhere" approach is a cornerstone of Access Assurance and is especially critical to success in today's environment, where all businesses need to show incremental value on the way to their ultimate goals.  Delivering successful programs that are cost effective, easy to manage, and deliver business results quickly is a great way to increase security, compliance and business value, as long as they are an integrated part of your access assurance strategy.   Not to mention, having multiple "wins" under your belt is always nice when requesting your next round of resources.

Personal E-mail Breach Serves as Cautionary Tale for Enterprises


Recently, reports have surfaced revealing that user log-in credentials for more than 30,000 Web-based email accounts - including those from AOL, Gmail, Hotmail and Yahoo Mail, among others - have been stolen and made publicly available on the Internet.  It's interesting to note that analysis of the stolen Hotmail passwords showed that 42% used only letters, nearly 20% only numbers, and the most frequently-used passwords overall were - you guessed it - "123456" and "123456789."

Although these particular attacks occurred with consumers' personal, Web-based email accounts, the cautionary message applies equally to enterprises.  Companies need to keep in mind that "cross-over" will inevitably exist between employees' personal and business accounts - work-related emails may be forwarded to or sent directly to and from personal accounts or employees may also choose to replicate "personal" passwords for work applications.  These bad password practices, among others, can expose more than employees' personal information, opening the door to corporate security and compliance risks that can potentially result in serious financial and reputational losses.

Enterprises need to ensure they've put in place sound password safeguards that ensure optimized security and compliance with password policies while still promoting ease-of-use and productivity for employees.  Our customers are achieving these benefits through self-service password management and synchronization which has been seen to reduce password-related Help Desk calls by more than 80%.  Users are able to access their password profiles and make changes at any time, rather than only when the Help Desk is open, and the new passwords are automatically applied across all other relevant applications and systems.  IT staff can set and enforce self-service password policies in accordance with industry regulations and internal best practices, such as requiring more complex passwords - like minimum password length, mixed cases and numeric or other special characters - and more frequent password renewal, among other things.  But whatever the password management solution, companies need to be keenly aware of the potentially bad personal password practices that employees may carry over into the workplace as well as the increasingly blurry lines between personal and work-related applications and access to them.
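The password rules named in the paragraph above (minimum length, mixed case, a digit or other special character, periodic renewal) as an added example, not Courion's product code: a policy checker that reports every rule a candidate breaks, a renewal check, and an audit that buckets a set of passwords into letters-only, digits-only and mixed, the same breakdown the Hotmail analysis quoted at the top of this post used. The policy values, the short denylist and the sample passwords are constructed for illustration.

```python
"""Password policy checks and a password-quality audit.

Constructed example: the policy values, the tiny denylist and the sample
passwords are made up for illustration.
"""
from datetime import date
from typing import Dict, List

# A policy of the kind IT staff would set for self-service password changes.
POLICY = {
    "min_length": 12,
    "require_upper": True,
    "require_lower": True,
    "require_digit_or_symbol": True,
    "max_age_days": 90,
}

# A constructed denylist of frequently used passwords; a real one is far longer.
DENYLIST = {"123456", "123456789", "password", "qwerty", "letmein"}


def check_password(candidate: str, policy=POLICY, denylist=DENYLIST) -> List[str]:
    """Return the list of policy rules the candidate violates (empty means accepted)."""
    violations = []
    if len(candidate) < policy["min_length"]:
        violations.append("too_short")
    if policy["require_upper"] and not any(c.isupper() for c in candidate):
        violations.append("no_uppercase")
    if policy["require_lower"] and not any(c.islower() for c in candidate):
        violations.append("no_lowercase")
    if policy["require_digit_or_symbol"] and not any(not c.isalpha() for c in candidate):
        violations.append("no_digit_or_symbol")
    if candidate.lower() in denylist:
        violations.append("common_password")
    return violations


def password_expired(last_changed: str, today: str, policy=POLICY) -> bool:
    """True when the password (ISO dates) is older than the renewal interval."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > policy["max_age_days"]


def classify(candidate: str) -> str:
    """Bucket a password the way the breach analysis quoted above did."""
    if candidate.isalpha():
        return "letters_only"
    if candidate.isdigit():
        return "digits_only"
    return "mixed"


def audit(passwords: List[str]) -> Dict[str, int]:
    """Count how many passwords fall in each bucket, for reporting to the business."""
    counts = {"letters_only": 0, "digits_only": 0, "mixed": 0}
    for p in passwords:
        counts[classify(p)] += 1
    return counts


if __name__ == "__main__":
    for pw in ["123456", "abcdefghijklmnop", "Correct-Horse-Battery9"]:
        print(pw, "->", check_password(pw) or "ok")
    print(audit(["123456", "sunshine", "Tr0ub4dor&3", "987654321", "monkey"]))
```

Returning every violated rule rather than the first one is deliberate: a self-service change page can then tell the user exactly what to fix instead of making them retry blind.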

IAM Growth Continues, Remains a Business Priority


Last week at the ISSE 2009 security conference in The Hague, consultancy firms KPMG and the Everett Group fielded a survey focusing on 2009 IAM investments.  Feedback from 128 respondents from organizations in 23 European countries re-confirmed the findings of the 2008 survey titled "IAM is here to stay," with some eye-opening additions.  According to the new survey, almost 90% of the CIOs and CEOs who responded said they have started one or more IAM projects in the past year, despite the economic climate and reduced IT security budgets.  In fact, about 70% said they have allocated specific budgets to IAM.  The main drivers of these new IAM deployments are said to be governance, risk and compliance, operational excellence and business agility.

This follows Gartner's forecast in late September that the worldwide security software market will total $14.5 billion this year, up eight percent from last year. Gartner sees the trend continuing next year as well, when a 13 percent gain in revenue to $16.3 billion is anticipated.  And just this week, industry research firm RNCOS released a report further supporting these findings, predicting IAM market growth in various regions, including the Americas, EMEA and Asia-Pacific, of nearly 23% from 2009 to 2012, fueled by rising concerns over security breaches and identity theft.

The Courion Access Assurance approach focuses on the necessity of showcasing incremental success and small wins in IAM deployments in order to gain support for further projects.  Using a "self-funding" strategy, we target the most pressing security challenges (access verification & certification, role management, access compliance...) to deliver visible business results, often in under 90 days.  In this way, IT security can actively involve the lines of business in proposed projects and make sure all parties are in alignment and striving for results that increase security and compliance while increasing operational efficiency and business agility at the same time.

Ask yourself, is your organization getting the full value from your IAM initiatives? 

Education IT Priorities: Funding, Security, Identity/Access Management


EDUCAUSE, a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology, recently conducted its 10th annual EDUCAUSE Current Issues Survey. Given the tight IT (and overall) budgetary controls education institutions are facing today, along with increased data privacy laws and regulatory requirements, it's not surprising that "funding IT," "security" and "identity/access management" were among the top-ten issues IT leaders identified as the most critical to resolve in 2009.

These findings mirror the challenges and priorities we're seeing with our education and other customer segments out in the field every day. From an identity and access management - or more broadly, Access Assurance - perspective, we're helping them to approach each of these areas in new ways that deliver measurable ROI by improving risk and compliance while reducing costs:

Funding IT - our customers are facing CFOs who want concrete results in return for new IT spending. In response, we've developed a self-funding model that delivers "quick wins" through an incremental deployment scenario that helps to rationalize a larger, longer-term Access Assurance strategy. The process enables the customer to start improving Access Assurance one step at a time and to pinpoint where and when potential cost-savings come into play - right down to the exact timing of specific operational savings. One Courion customer recently implemented a significant Access Assurance initiative without spending a single budget dollar!

Security - higher ed IT staff are trying to mitigate the risks driven by the growing volume of information across multitudes of devices, web-based applications, and other network resources. One of the key pieces of this challenge is controlling user access to all of this data. By viewing users' behavior on the network as "body language," IT managers can get important clues that may signal inappropriate access or malicious intentions. For example, if an employee is about to resign, his or her network behavior during the weeks prior to giving notice often follows consistent patterns: copying entire folders from file servers, for instance, could be a signal that an employee is about to depart.  Access Assurance technology puts safeguards in place to detect various types of network body language, control user access more effectively and efficiently, and ensure continuous compliance with privacy laws and other federal regulations.
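The "network body language" detection sketched above, as an added example that is not Courion's code or any product's detection logic: file-server audit lines are parsed into per-user daily copy counts, and a day is flagged only when the user copies far more files than the median of their own earlier days, so a user who is always busy is not flagged every day. The log format and every line in it are constructed for this example; the regex would need adapting to a real audit log.

```python
"""Spotting "network body language": bulk copying that breaks a user's own baseline.

Constructed example: the log format and every log line below are made up for
illustration; adapt the regex to your file server's audit log.
"""
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log format: "<timestamp> user=<name> action=<verb> path=<file>".
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} "
    r"user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def build_sample_log() -> List[str]:
    """Six days of constructed activity: alice is steady, bob copies a whole folder on day 6."""
    lines = []
    for d in range(1, 7):
        day = f"2009-10-{d:02d}"
        for i in range(5):
            lines.append(f"{day}T09:00:{i:02d} user=alice action=copy path=/shares/hr/file{i}.doc")
        n_files = 40 if d == 6 else 3
        for i in range(n_files):
            lines.append(f"{day}T10:00:{i:02d} user=bob action=copy path=/shares/finance/report{i}.xls")
        lines.append(f"{day}T11:00:00 user=bob action=read path=/shares/finance/notes.txt")
    return lines


def daily_copy_counts(lines) -> Dict[str, Dict[str, int]]:
    """user -> day -> number of files copied (reads and unparseable lines are ignored)."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["action"] == "copy":
            counts[m["user"]][m["day"]] += 1
    return counts


def flag_bulk_copies(lines, factor: float = 5.0, min_files: int = 20, min_history: int = 3):
    """Flag days where a user copied at least `min_files` files and at least `factor`
    times the median of their own earlier days. Comparing against the user's own
    history rather than a global threshold keeps a naturally busy user from being
    flagged every day.
    """
    flags: List[Tuple[str, str, int, float]] = []
    for user, per_day in daily_copy_counts(lines).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet
            baseline = statistics.median(history)
            if per_day[day] >= min_files and per_day[day] >= factor * baseline:
                flags.append((user, day, per_day[day], baseline))
    return flags


if __name__ == "__main__":
    for user, day, copied, baseline in flag_bulk_copies(build_sample_log()):
        print(f"{day}: {user} copied {copied} files (baseline {baseline}) -> review access")
```

A flag here is a prompt to review that user's access, not a verdict; the absolute floor (`min_files`) is what stops a user whose baseline is one file a day from being flagged for copying five.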

Identity and Access Management (IAM) - as campuses attempt to deal with restricted access systems, such as databases and intellectual property, and the emergence of cloud or software-as-a-service applications, setting policies and controlling user access to all of these systems and applications has become a top priority. IT staff must carefully balance a campus's need for collaboration and information sharing with the need to protect sensitive data and meet government regulations, such as those limiting user access to non-public resources. To effectively create, manage and monitor user access, institutions need to begin looking at identity and access management as more than just password management. A holistic approach to IAM - one that incorporates on-premise and cloud-based systems as well as processes such as automated user provisioning, role management and access certification, and credentialing, among other elements - can help higher ed IT staff increase campus-wide IT security and compliance as well as user productivity while ultimately reducing costs.

We're currently conducting our own education survey looking into the IAM practices of education organizations, so stay tuned - we'll make our findings public over the coming months.

Bringing Open Identity to Government – A Good Step Forward


Last week, the Gov 2.0 Summit opened in Washington, D.C., where policy makers and industry leaders discussed how technology can make government more functional. In conjunction with the summit, 10 companies announced that they will act as digital identity providers by supporting OpenID and Information Card technologies for government Web sites, in an effort to make government Web sites easier to interact with.  According to InformationWeek, the pilot programs aim to make use of Web 2.0 technologies to make government Web sites more open and participatory.

OpenID and Information Card technologies are a key part of the White House's Open Government initiative, which aims to provide strong privacy protections for users in order to speed efficiency. The purpose of these pilot programs is to give visitors to government Web sites pseudonymous interaction options that don't require users to reveal personal information.  This makes access quicker, and requires less authentication from the user.

We applaud this effort and look forward to the next step in the process of delivering a holistic approach to access assurance as pointed out in my recent post.  The move to trusted frameworks like OpenID is an important step to foster more participation and more efficiencies within our government agencies, and given the desire by the government to make more personal information available more broadly, it is critical to ensure that Web-based data is thoroughly protected.

IDC/RSA Survey: Inappropriate User Access Causes Greatest Financial Impact


A recent RSA-sponsored IDC survey on insider risk management resulted in some pretty interesting findings, suggesting at the highest level that IT organizations may be focused on the wrong things when it comes to insider risk. According to the survey, CXOs tend to give higher priority to protecting their organizations against malicious insider attacks rather than the more frequently occurring and potentially more damaging accidental insider breaches, of which inappropriate user access is a key element.

For example, the RSA security blog further revealed that while 65% of CXOs reported their top concern as unauthorized or deliberate access to systems and data, they cited 5,794 unintentional incidents created by excessive access rights - one of the highest categories of risk incidents over the last 12 months. CXOs also revealed that the greatest financial impact to their organization was caused by risks related to out-of-date or excessive access rights (17%) - again tied to unintentional user behavior.

Ultimately though, whether unauthorized access threats are internal or external, malicious or accidental, they all pose a major risk to sensitive data, and more broadly, an organization's brand integrity and financial and regulatory compliance posture. Inappropriate user access remains one of the top IT challenges for corporations, as this and numerous other industry surveys and analyst data continue to prove. A comprehensive Access Assurance strategy needs to be a core part of every organization's risk strategy to ensure that only the right people have the right access to the right resources and are doing the right things.

Federal Access Control Policies Require Holistic Approach


A few weeks back in a post on our blog, we discussed the shocking increase in the lack of compliance by government agencies with FISMA, as reported to Congress in a report from the U.S. General Accounting Office (GAO).  That report showed that the number of information security incidents had more than tripled to over 16,000 in the past 3 years alone, directly pointing to access control weaknesses and poor password management as prime factors.

Why are these numbers increasing when security technology has advanced and awareness has risen about the potential disaster that data breaches can cause?  For one, the ongoing search for a national cybersecurity coordinator hasn't helped matters.  Recently, Mischel Kwon, the director of US-CERT, the Department of Homeland Security's research and response unit, resigned to take a position at RSA.  That move was apparently in response to the cybersecurity leadership vacuum that has been growing since the resignation of Melissa Hathaway, formerly the top adviser on security and the architect of the administration's current policy on cybersecurity.  The position has become so nebulous, wide-ranging and open-ended, that many top security experts and public officials have turned down the role, viewing it as a no-win situation.  It is not clear when the leadership will come and from where.

Meanwhile, the General Services Administration's (GSA) e-Authentication Partnership that was initiated in 2004 was taken over and re-tooled by the Office of Governmentwide Policy last October, and the most recent advice from that office has been for federal agency leaders to "consider projects to keep pace with government-wide identity management initiatives."  Not very specific guidelines, are they?  In fact, there are several government consortiums (at least six according to a recent article by Alice Lipowicz for Federal Computer Week) that are currently working to create a blueprint for how federal agencies should be controlling access to shared data, and terms like "trusted federation," "authentication" and "credentials" are often used to describe the plans.

While cybersecurity leadership is clearly needed to drive security reform and get everyone on the same page in terms of how data should be shared responsibly, there is a major issue that agencies can address now, and that is the way in which access control and identity are viewed at the federal level.

Currently, identity management is tackled from an authentication perspective - meaning access to applications or systems is granted based on whether an employee is authenticated as being him or herself.   However, this is really only the first step in a true Access Assurance strategy.  Proving that an individual is who they say they are only provides one layer of security. It doesn't take into account many other factors, including whether someone's role in the organization or agency makes it necessary for him or her to have access to certain information at all.  Also missing from a basic authentication strategy is the remediation of open access that should have been closed due to an employee leaving the organization or changing roles.   Authentication or verification of individuals, while needed, does not provide a full access profile.
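The layering argued for above, as an added example that is not Courion's code and assumes a constructed identity store rather than any agency's real one: an access decision that first verifies the password (PBKDF2 with a per-user salt and a constant-time compare), then checks the account's lifecycle status, and only then checks whether the user's role entitles them to the permission. A leftover direct grant from a previous role is reported as its own denial reason so it can be recertified or removed. Users, passwords, roles and grants are all made up for illustration, and the fixed salts exist only to keep the example reproducible.

```python
"""Authentication is one layer; an access decision needs the full profile.

Constructed example: users, passwords, roles and grants below are made up for
illustration. Verification happens in three layers and the decision reports
which layer denied, so a denial can be remediated at the right place.
"""
import hashlib
import hmac
from typing import Dict, Set, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed identity store. In practice the salt is random per user; fixed
# values are used here so the example is reproducible.
USERS: Dict[str, dict] = {
    "alice": {"salt": b"salt-alice", "hash": hash_password("analyst-pass-1", b"salt-alice"),
              "status": "active", "role": "analyst"},
    "bob":   {"salt": b"salt-bob", "hash": hash_password("dba-pass-2", b"salt-bob"),
              "status": "terminated", "role": "dba"},
    "carol": {"salt": b"salt-carol", "hash": hash_password("support-pass-3", b"salt-carol"),
              "status": "active", "role": "support"},   # moved from dba to support
}

# What each role is entitled to.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "analyst": {"reports:read"},
    "dba": {"prod-db:admin"},
    "support": {"tickets:write"},
}

# Direct grants still present on systems; carol's dates from her dba days.
DIRECT_GRANTS: Dict[str, Set[str]] = {"carol": {"prod-db:admin"}}

# Dummy record so an unknown user costs the same time as a wrong password.
_DUMMY = {"salt": b"salt-dummy", "hash": hash_password("unused", b"salt-dummy")}


def authenticate(user: str, password: str) -> bool:
    """Layer 1: is this person who they claim to be?"""
    record = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))
    return ok and user in USERS


def decide(user: str, password: str, permission: str) -> Tuple[str, str]:
    """Return ("allow"|"deny", layer) after checking identity, lifecycle and entitlement."""
    if not authenticate(user, password):
        return ("deny", "authentication")
    record = USERS[user]
    # Layer 2: lifecycle. A valid password on a leaver's account is exactly the
    # open access that a basic authentication strategy never closes.
    if record["status"] != "active":
        return ("deny", "lifecycle")
    # Layer 3: entitlement. Only the role decides; a leftover direct grant is
    # reported separately so it can be recertified or removed.
    if permission in ROLE_ENTITLEMENTS.get(record["role"], set()):
        return ("allow", "role")
    if permission in DIRECT_GRANTS.get(user, set()):
        return ("deny", "stale_grant")
    return ("deny", "entitlement")


if __name__ == "__main__":
    print(decide("alice", "analyst-pass-1", "reports:read"))
    print(decide("bob", "dba-pass-2", "prod-db:admin"))
    print(decide("carol", "support-pass-3", "prod-db:admin"))
```

Returning the denying layer is the point: an "authentication" denial is a help-desk matter, a "lifecycle" denial means deprovisioning has not caught up with HR, and a "stale_grant" denial is an item for the next access review.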

There is a need for a more overarching Access Assurance strategy across agencies, which will enable access compliance and transparency with regard to access control, ensuring that the right people have the right access to the right resources and that they are doing the right things.   Agencies should seek to widen their view of Access Assurance now while the wait for cybersecurity leadership continues, so they'll be ready to tackle the many inevitable changes that will be on the horizon.
