Courion Access Assurance Blog


Courion Corporation


LVRC Holdings v. Brekka - Legal Impact of Zombie Accounts


Okay, before I dive in, a bit of a mea culpa here.  I know and understand that part of the responsibility of authoring a blog is frequency.  Whoops.  Given that my last entry was back in October, and that was the first since May, I'm not sure I'm really doing too well here.  Is the end of February still an opportunity for a New Year's resolution?  Well, the journey back starts with a first step, right?  So, why not start with a late February 2010 entry about a court ruling filed back in September 2009?

To be fair, it's not like I regularly scan US Court of Appeals opinions, and the following story didn't make front-page headlines.  But at a recent CSO Breakfast Club meeting this case came up and inspired me to take a deeper look.  It was interesting reading.

Seems LVRC Holdings (which operates a residential treatment center for addicted persons in Nevada) filed a lawsuit against a former employee, Christopher Brekka.  LVRC alleged that Brekka violated the Computer Fraud and Abuse Act (CFAA) by accessing LVRC's computer "without authorization," both while Brekka was employed at LVRC and after he left the company.

LVRC alleged that Brekka exceeded authorized access by emailing sensitive documents from his work computer to a personal computer, as well as accessing accounts without authorization after he left the company.  Among other accusations, LVRC alleged that Brekka, who left the company in September 2003, accessed critical resources using an account, cbrekka@fountainridge.com, that was discovered still active in November 2004, more than a year after Brekka left.  Only at that point was the account disabled.

What makes this interesting is the Court ruling.  The US Court of Appeals ruled in favor of Brekka.  In its ruling the Court states that "authorization" is defined in the dictionary as "permission or power granted by an authority."  Based on this definition, an employer gives an employee "authorization" to access a company computer when the employer gives the employee permission to use it, which LVRC did for Brekka.  The Court further ruled that, "It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or 'without authorization'."  Additionally it states, "If the employer has not rescinded the defendant's right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA."

What does all this legal stuff mean?  Basically, because LVRC did not disable Brekka's access when he left the company, the Court held that Brekka's continued use of that access was not access "without authorization" under the CFAA.  Because the access was originally granted, an account that simply remains active essentially leaves the former employee able to keep using it, since in the Court's opinion that user "would have no reason to know" that using the account was a violation.

This seemingly obscure ruling has major ramifications for how organizations manage zombie accounts (accounts that stay active for users who are no longer with the organization).  Given the highly sensitive information that such accounts can reach, it is imperative that they be disabled immediately when someone leaves the organization.  In the Brekka case the account in question was an administrative account that apparently carried significant access privileges.  Without prompt disablement, an organization may have no CFAA recourse against former employees who misuse such access rights and the data they reach.

There are easy ways to address this.  An ongoing access certification by business managers would have identified that Brekka's account was still active after he left the organization.  Automating the account disablement process ensures that accounts are turned off immediately when an employee is terminated or leaves.  Because LVRC did not institute such practices, a critical account was allowed to stay open; even though the former employee was alleged to be misusing these privileges, LVRC neither followed its own policies nor detected violations of them, and the account stayed active.  As the Court states, because the account was left active, its use was not considered unauthorized access merely because the employee was no longer with the firm.
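The reconciliation the paragraph above describes, as an added example that is not part of the original post or of any Courion product: a Python pass that joins an HR roster to an export of directory accounts, flags enabled accounts whose owner has left (or who has no HR record at all, which no manager would ever certify), and emits the disable actions.  The record layouts, names, dates, the AS_OF date and the grace_days window are all constructed assumptions; real input would come from the HR system and from AD/LDAP or an application's user table.

```python
# Added example (not from the original post): leaver reconciliation to catch
# "zombie" accounts. Record layouts and data below are constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    termination_date: Optional[date]  # None = still employed


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str              # employee_id the account is mapped to ("" = unknown)
    enabled: bool
    last_logon: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str                      # "terminated" or "no_hr_record"
    days_past_termination: Optional[int]
    used_after_termination: bool     # for orphans: ever used at all


def find_zombie_accounts(hr: List[HrRecord], accounts: List[Account],
                         as_of: date, grace_days: int = 0) -> List[Finding]:
    """Return enabled accounts whose owner is terminated (beyond the grace
    window) or has no HR record at all. Disabled accounts are skipped: they
    are already remediated."""
    termination = {r.employee_id: r.termination_date for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.owner_id not in termination:
            # Orphan: nobody in HR owns it, so nobody would ever certify it.
            findings.append(Finding(acct.username, "no_hr_record", None,
                                    acct.last_logon is not None))
            continue
        term = termination[acct.owner_id]
        if term is None:
            continue  # active employee
        days = (as_of - term).days
        if days <= grace_days:
            continue  # inside the agreed disablement window (assumed policy)
        used_after = acct.last_logon is not None and acct.last_logon > term
        findings.append(Finding(acct.username, "terminated", days, used_after))
    return findings


def disable_actions(findings: List[Finding]) -> List[str]:
    """Turn findings into the remediation the post calls for: disable now,
    review afterwards. Strings stand in for the directory connector call."""
    return [f"DISABLE {f.username}  # {f.reason}" for f in findings]


# Constructed sample data. Dates mirror the timeline in the post: a leaver in
# September 2003 whose account is still live when checked in November 2004.
AS_OF = date(2004, 11, 15)
HR = [
    HrRecord("1001", date(2003, 9, 30)),
    HrRecord("1002", None),
    HrRecord("1003", date(2004, 11, 10)),
    HrRecord("1004", date(2003, 5, 1)),
]
ACCOUNTS = [
    Account("jdoe",    "1001", True,  date(2004, 10, 3)),   # zombie, used after leaving
    Account("asmith",  "1002", True,  date(2004, 11, 14)),  # active employee
    Account("rlee",    "1003", True,  None),                # leaver, 5 days ago
    Account("bkim",    "1004", False, date(2003, 4, 28)),   # already disabled
    Account("svc-old", "",     True,  None),                # orphan: no HR owner
]

if __name__ == "__main__":
    for action in disable_actions(find_zombie_accounts(HR, ACCOUNTS, AS_OF, grace_days=7)):
        print(action)
```

With grace_days=7 the run reports jdoe (412 days past termination, and logged on after leaving) and the orphan svc-old; rlee is inside the window.  With the default grace_days=0, which is the "disable immediately" policy the post argues for, rlee is reported as well.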

It doesn't make sense to have a policy if you're not following it.  A lax access assurance strategy inevitably leads to trouble, and may even limit what legal recourse a firm can take.

Another Way to Support Access Compliance


This week Dave Kearns wrote a column, User provisioning: right access to the right people, in which he outlined some of the key benefits of provisioning, namely improving productivity and reducing risk. Dave makes the point that productivity is improved by providing new employees with Day One access to various IT resources (email, laptop, enterprise applications, databases, etc.), while risk is reduced by reconfiguring or removing access rights when an employee changes roles or leaves the company.

Dave is absolutely right regarding these benefits, but there are a few other benefits he didn't discuss that are worth pointing out in more detail.

One benefit which we hear regularly from our customers is that automated provisioning significantly reduces the time and effort required to manage user access rights. The result is that they are able to drastically reduce the number of staff dedicated to the provisioning process. In one instance, a $2 billion provider of senior living services was able to reduce headcount from 5 FTEs to 0.5 FTEs, saving hundreds of thousands of dollars annually. In another, a large regional bank was able to double their provisioning coverage from 100 to more than 210 applications and justified the investment to their management through reduced headcount (see Creating Budget Where None Exists).

Another key benefit is in access compliance. Whether your company needs to comply with internal policies, audit findings, or industry and government regulations, you need to ensure that user access rights are being managed appropriately. While provisioning isn't required to be compliant, one of the benefits it delivers is assurance that users are initially granted only the access rights they need to do their jobs. This preventive control lowers risk, reduces the chance that you will fail a security audit, and helps streamline the access certification process.

Security Czar Highlights Insider Threats


Melissa Hathaway served as Senior Advisor to the Director of National Intelligence and Cyber Coordination Executive during the administration of President George W. Bush, and as Acting Senior Director for Cyberspace for the National Security Council during the administration of President Barack Obama.

In her recently posted perspective on the state of cybersecurity ("Five Myths About Cybersecurity"), published on the ExecutiveBiz blog, she highlights the following:

    • Myth 1: Consumer protection exists in cyberspace
    • Myth 2: Firewalls and virus scanners protect my computer and my enterprise
    • Myth 3: My government has the solution and will protect me
    • Myth 4: Physical assets are more valuable than information
    • Myth 5: Laws are keeping pace with technological innovation

It is interesting to note that she specifically points out that "Few software programs protect us from the insider threat...", a threat which, according to a Verizon Business breach survey, accounts for approximately a third of all breaches.

This is especially concerning when you consider that a recent survey entitled "The global recession and its effect on work ethics", carried out by Cyber-Ark, found that 48% of respondents admitted that if they were fired tomorrow they would take company information with them, and a quarter of workers said the recession has made them feel less loyal towards their employer.

It seems clear that protecting your organization from insider threats, and from external threats made possible by the inappropriate use of insider access (zombie accounts, weak password practices, and so on), should be a key part of your Access Assurance strategy.  The myth of being protected is not a strategy, so how safe is your environment?

Access Verification - A Step in Managing Risk


Companies that work to mitigate risk in their business face numerous identity and access management challenges spanning Access Governance, Access Provisioning, and Access Compliance, but each organization will prioritize these areas differently.  As you build your strategy, it's important not to attack each challenge as if it were stand-alone and unaffected by other business imperatives.  In other words, it's critical that your solutions allow you to "start anywhere" based on your unique business drivers and requirements, but also allow you to "go anywhere" to gain greater value by addressing the broader goals of your organization.

Take for example a company unable to demonstrate that its employees have only the minimum access to company resources required to do their jobs.  On the surface this seems to be a straightforward access verification challenge of identifying who has access to what resources, and then asking the managers in the organization to vet that access, right?  In actuality, this is just part of the process needed to appropriately assure that ONLY the right people have the right access to the right resources and are doing the right things with it.

When delivering an access verification solution you need to ask yourself, "How will we manage all the exceptions that it will inevitably uncover?" and "How will we manage it over time, and in an automated fashion, to accommodate the changes constantly taking place in our business?"  The ultimate goal should be to enable the verification AND remediation of access regardless of your environment.  Sure, you need to be able to send email alerts and link to help desk systems, but you should also have the ability to automatically change, disable, or delete access directly on any resource, with or without an existing automated provisioning solution.   This approach makes your business more agile and effective (easier compliance adherence, increased efficiency and effectiveness) and at the same time reduces risk for the organization.

A "start anywhere, go anywhere" approach is a cornerstone of Access Assurance and is especially critical to success in today's environment, where all businesses need to show incremental value on the way to their ultimate goals.  Delivering successful programs that are cost effective, easy to manage, and produce business results quickly is a great way to increase security, compliance and business value, as long as they are an integrated part of your access assurance strategy.   Not to mention, having multiple "wins" under your belt is always nice when requesting your next round of resources.
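One way to run the verification-and-remediation pass the previous post describes, as an added example that is not code from the original post or from Courion: each user's actual entitlements are compared with the set their job role allows, and every exception becomes a concrete action rather than a line in a report.  The role model, the HIGH_RISK set, the users, the entitlements and the command syntax are all constructed; the one design point worth noting is that a user with no role on file is routed for review instead of having access revoked, because the tool cannot tell what is legitimate for them.

```python
# Added example (not the post's or Courion's code): verify each user's actual
# entitlements against what their role allows and turn exceptions into actions.
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role model: what each job role is entitled to.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "nurse":    frozenset({"ehr:read", "ehr:write-notes", "email"}),
    "billing":  frozenset({"ehr:read", "billing:post", "email"}),
    "it-admin": frozenset({"ad:admin", "email"}),
}
# Constructed list of entitlements a manager must certify even when the role
# legitimately includes them.
HIGH_RISK: FrozenSet[str] = frozenset({"ad:admin", "billing:post"})

Action = Tuple[str, str, str]  # (verb, user, entitlement)


def verify_access(assignments: Dict[str, str],
                  actual: Dict[str, Set[str]]) -> List[Action]:
    """Compare granted entitlements with the role model.

    REVOKE  - granted but not allowed by the user's role (excess access)
    CERTIFY - allowed by the role but high risk, so a manager must attest to it
    REVIEW  - the user has no known role; a human decides, nothing is removed
    Entitlements that are allowed and low risk produce no action.
    """
    actions: List[Action] = []
    for user in sorted(actual):
        allowed = ROLE_ENTITLEMENTS.get(assignments.get(user, ""))
        for ent in sorted(actual[user]):
            if allowed is None:
                actions.append(("REVIEW", user, ent))
            elif ent not in allowed:
                actions.append(("REVOKE", user, ent))
            elif ent in HIGH_RISK:
                actions.append(("CERTIFY", user, ent))
    return actions


def remediation_commands(actions: List[Action]) -> List[str]:
    """Render the remediation. Only REVOKE runs without a human; the other
    verbs become work items. The command syntax is a placeholder for whatever
    connector or ticketing call your environment actually uses."""
    commands: List[str] = []
    for verb, user, ent in actions:
        if verb == "REVOKE":
            commands.append(f"revoke --user {user} --entitlement {ent}")
        else:
            commands.append(f"ticket --type {verb.lower()} --user {user} --entitlement {ent}")
    return commands


# Constructed sample: alice moved from billing to nursing but kept a billing
# entitlement; dave is a contractor with no role defined in the model.
ASSIGNMENTS = {"alice": "nurse", "bob": "billing", "carol": "it-admin", "dave": "contractor"}
ACTUAL: Dict[str, Set[str]] = {
    "alice": {"ehr:read", "ehr:write-notes", "email", "billing:post"},
    "bob":   {"ehr:read", "billing:post", "email"},
    "carol": {"ad:admin", "email"},
    "dave":  {"email", "ehr:read"},
}

if __name__ == "__main__":
    for line in remediation_commands(verify_access(ASSIGNMENTS, ACTUAL)):
        print(line)
```

On the sample data the pass revokes alice's leftover billing:post, raises certification items for bob's billing:post and carol's ad:admin, and opens review items for both of dave's entitlements; the same functions run unchanged on the next export, which is the "over time and automated" part of the question the post asks.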

Economics of IAM and Cloud Computing


Recently, industry analyst Martin Kuppinger of Kuppinger-Cole posted an article, "CapEx and OpEx - the latest thing in IT buzzwords: On the economics of Cloud Computings," in which he discusses CIOs' interest in new IAM offerings that allow them to avoid capital expenditures. In particular, Kuppinger points out that, "Cloud Computing offers a way of reducing capital expenditure for IT by getting out of costly leasing agreements or classic licensing contracts and switching to rental models while achieving as much security and flexibility as possible."

However, Kuppinger also warns that, "...customers would be best advised to ask critical questions. Simply reducing CapEx doesn't always make the biggest business sense," to which we say, "Amen!" Just this past week, we blogged on the Ramifications of Cloud Computing, in which we discussed some of the critical questions customers need to consider before adopting a cloud-based solution. While there are significant benefits to moving enterprise applications or identity management to a cloud platform, there are also risk and trust issues that you need to consider and work out with your cloud provider before there's a data breach, not after.

However, cloud computing is all about reducing, but not eliminating, the impact of IAM (and other applications) on your budgets. Wouldn't it be better to improve risk management and security without affecting your budget at all? For more on that, read the blog Creating Budget Where None Exists by Chris Zannetos, which discusses how a Courion customer "...automated access compliance and attestation and automated provisioning for over 100 applications - without spending a single budget dollar."

Ramifications of IAM And The Cloud - Part II


In my previous posting on Cloud Computing, I discussed some of the identity and access management (IAM) issues that arise from moving enterprise applications, particularly those containing sensitive data, to a cloud-based platform.

Now, I'd like to turn my attention to some of the same issues that come out of the emerging identity as a service (IaaS) trend (not to be confused with infrastructure as a service, which shares the abbreviation), which entails delivering IAM services (user account provisioning, password management, single sign-on, access certification, etc.) using a cloud architecture.

Just as with any other application containing sensitive data, managing user identities via IaaS raises important risk and trust issues. By allowing an external service provider to manage your users' identities, you're essentially handing them the keys to the kingdom. You need to ensure that those keys will be kept safe and secure and that you will have complete and transparent control over the management of identities, in a way that is consistent with your acceptable level of risk.

You should also consider the ramifications if the service provider requires inbound access to your data center in order to provision user accounts and access rights for internal applications. How will you monitor this activity and protect your internal systems from unauthorized external access?

And, just as with any other sensitive application, you need to know who at the service provider (i.e., system and database administrators) will have access to your users' identities, and what they will be able to do with them. Will user IDs and credentials be stored securely, with passwords hashed rather than kept in a reversible form? How will backup and recovery be handled? Are all identity transactions captured in a secure audit database? Who is responsible for making sure only authorized users can obtain or change identities?

As part of your contractual negotiations, you need to define processes and procedures to protect you legally and financially. If there is a breach of your users' identities, who will be responsible and how will the costs be covered? Will you have access to the environment to perform the necessary forensics to determine the cause of the breach, or will you have to rely solely on the service provider?

These are some of the questions that should be addressed as part of using IaaS to deliver your Access Assurance solution, and we recommend you work with your service provider to make sure you clearly define how the processes for managing your users' identities will work.

Ramifications of IAM And The Cloud


Cloud computing is hot and enterprises (and many of their software suppliers) are moving enterprise applications to the cloud. Why? Because cloud computing offers some attractive advantages. The economics can be very appealing, since by moving applications to a cloud provider, companies can reduce capital expenditures and pay for resources as they consume them. Because cloud applications typically run on a shared platform, cloud providers are able to deliver services at a lower cost. And cloud applications deliver greater flexibility, since virtualization technology allows cloud providers to dynamically expand or reduce resources to meet fluctuating business needs, which is particularly appreciated by companies with seasonal spikes in utilization (such as retail during the holiday season).

At Courion, our concern is with how cloud computing affects your Access Assurance strategy. First we'll consider the identity and access management (IAM) ramifications of moving internal applications to an external cloud-based platform.

As we noted in a posting last April, (Bringing Clarity to the Cloud (Manifesto)), when you outsource crucial applications to an external provider (regardless of whether it's cloud-based or not) one factor you need to consider is how you'll manage the identities of users who require access to those systems, whether through provisioning, role management, access certification or password management. The good news is that the process of providing users with secure access to cloud applications is conceptually the same as with a traditional, in-house architecture. If you have an IAM infrastructure for managing users' identities, it should be able to do the same for a cloud, or any other web-based, application. You'll want assurance that you'll have the ability to automatically modify access rights when the user's role changes or revoke accounts when they leave the organization.

You should also weigh the risk associated with the data that you're moving to the cloud. Even though it's still your data, you're inevitably giving up some element of control over how that data is protected. You need to make sure that you can analyze the balance between risk and reward and evaluate the potential risk to your organization if there is a data breach in the cloud application.

For example, cloud service providers rely on their system administrators, just as you do in your own data center. Who will be the system administrators for the cloud application and what steps will be taken to prevent them, or other internal users, from unauthorized access to your sensitive data? If there is a breach, what kinds of forensic tools will be available to help you determine what happened? 

Do you even know where the data will reside? Is there a possibility that the cloud provider might move your data to locations beyond your country's borders to, for example, save costs? If that's the case, make sure you understand the legal ramifications that arise when personal or private information (such as patient healthcare or customer financial data) crosses international boundaries.

Bottom line: trusting your sensitive data to a cloud provider raises a mix of interesting questions, so make sure you consider them as part of your overall IAM and security policies and procedures.  Sign up for our webinar on "Access Assurance in the Cloud" to learn more.

IAM Growth Continues, Remains a Business Priority


Last week at the ISSE 2009 security conference in The Hague, consultancy firms KPMG and the Everett Group fielded a survey focusing on 2009 IAM investments.  Feedback from 128 respondents from organizations in 23 European countries reconfirmed the findings of the 2008 survey titled "IAM is here to stay," with some eye-opening additions.  According to the new survey, almost 90% of the CIOs and CEOs who responded said they have started one or more IAM projects in the past year, despite the economic climate and reduced IT security budgets.  In fact, about 70% said they have allocated specific budgets to IAM.  The main drivers of these new IAM deployments are said to be governance, risk and compliance, operational excellence and business agility.

This comes after Gartner forecast in late September that the worldwide security software market will total $14.5 billion this year, up eight percent from last year. Gartner sees the trend continuing next year, when a 13 percent gain in revenue to $16.3 billion is anticipated.  And just this week, industry research firm RNCOS released a report further supporting these findings, predicting IAM market growth in various regions, including the Americas, EMEA and Asia-Pacific, of nearly 23% from 2009 to 2012, fueled by rising concerns over security breaches and identity theft.

The Courion Access Assurance approach focuses on the necessity of showcasing incremental success and small wins in IAM deployments in order to gain support for further projects.  Using a "self-funding" strategy, we target the most pressing security challenges (access verification & certification, role management, access compliance...) to deliver visible business results, often in under 90 days.  In this way, IT security can actively involve the lines of business in proposed projects and make sure all parties are in alignment and striving for results that increase security and compliance while increasing operational efficiency and business agility at the same time.

Ask yourself, is your organization getting the full value from your IAM initiatives? 

IDC/RSA Survey: Inappropriate User Access Causes Greatest Financial Impact


A recent RSA-sponsored IDC survey on insider risk management produced some pretty interesting findings, suggesting at the highest level that IT organizations may be focused on the wrong things when it comes to insider risk. According to the survey, CXOs tend to give higher priority to protecting their organizations against malicious insider attacks than against the more frequently occurring, and potentially more damaging, accidental insider breaches, of which inappropriate user access is a key element.

For example, the RSA security blog further revealed that while 65% of CXOs reported their top concern as unauthorized or deliberate access to systems and data, they cited 5,794 unintentional incidents created by excessive access rights, one of the highest categories of risk incidents over the last 12 months. CXOs also revealed that the greatest financial impact to their organizations was caused by risks related to out-of-date or excessive access rights (17%), again tied to unintentional user behavior.

Ultimately though, whether unauthorized access threats are internal or external, malicious or accidental, they all pose a major risk to sensitive data, and more broadly, an organization's brand integrity and financial and regulatory compliance posture. Inappropriate user access remains one of the top IT challenges for corporations, as this and numerous other industry surveys and analyst data continue to prove. A comprehensive Access Assurance strategy needs to be a core part of every organization's risk strategy to ensure that only the right people have the right access to the right resources and are doing the right things.

Primary Observation from Catalyst 2009 – the Connector Problem


Another summer is waning and another Catalyst San Diego is behind us. As a regular attendee, I would give this year's conference fairly good marks. For me the key takeaways were:
    • The Lightning Round
    • The virtual compliance gap
    • The conspicuous lack of customer case studies demonstrating deep and broad success in the identity space.

The Lightning Rounds were new to the format this year. Vendors were given a very short time to explain why they mattered. It seemed an effective way to give attendees a taste of each dish so that they might go back and find out more if they were interested.  Most importantly, it was, dare I say, fun to watch - no time for death by PowerPoint sales pitches here - the presenting executives had their 6 minutes of fame and they were either going to bask in the glow of the lightning flash or be incinerated by it.

There was also a special moment for me that was akin to that rare time in adolescence when your parent does something that you are actually proud of. When my boss, Courion CEO Chris Zannetos, took the podium, he skipped the "Courion is about ensuring the right people get the right access to the right resources and they are doing the right things" blurb and went right to the heart of the matter - "This [use your favorite expletive] is hard". Clearly, automating identity and access management yields speed, efficiency and control and, while there are enough failed or mediocre deployments out there to make people wonder if it's worth all the fuss, there are brilliant successes, too. Chris used his time to share the key ingredients required for success - understand the risk, control and financial implications, take an incremental approach and, most crucially, choose your vendor partner with great care:

    • Ask for references and ask these references the tough questions. How many systems and applications are you managing? At what level of granularity? How long did the deployment take? What are you actually automating? How many people did it take to deploy? How many does it take to maintain?
    • Do a POC - a real POC, not a demo. Make the vendor take the shrink wrap off the software and install it on your iron and watch how difficult this is to do.
    • Ask them to share the risk. Will they commit to a price for all future connectors? Will they lead with a fixed price proposal for everything you need?

Chris took the high road and I was proud (please don't tell him).

The virtual compliance gap was also interesting - the identity track folks touched on the difficulty of demonstrating compliance in a virtual world and so did the virtualization folks, but it's clear a lot of work needs to be done before these areas converge. How, exactly, do you demonstrate compliance to geographically specific regulations when that data (and the entire application and server that's instantiating your business process) is automatically floated between different data centers in different parts of the world to manage power consumption? This is a topic for a future blog.

Finally, the conspicuous lack of deeply successful case studies was, for me, the most important observation and not entirely disconnected from Chris' comments about the importance of partnering with the right vendor. There were several "customer success" stories but the only one I heard that showed deep and lasting success was Wendy Booker from SunTrust Banks (full disclosure: a Courion customer.) In Wendy's case, she covered how they funded a robust access assurance program that manages fine grained entitlements for 35,000 people, with detailed roles and 50+ custom connectors automating all aspects of provisioning and compliance for hundreds of systems and applications - yielding dramatic control, efficiency and service quality improvements.

I hope I didn't miss an important session but most of the other deployments described seemed superficial, such as the case where it took 18 months to do 25 roles for 25,000 people and they only covered RACF and AD. Really? Most companies I know with 25,000 people are dealing in the range of 500-1000 applications, with hundreds of them being KFA (key financial applications for SOX) or HRA (high risk applications for the business). Surely 25 roles for this level of complexity does not begin to address the problem or opportunities.

I began to realize that the elephant in the room is connectors. All provisioning and/or compliance vendors have connectors for RACF and AD but this doesn't begin to meet the need for companies with this kind of scale and complexity. At Courion, we have 160+ out-of-the-box connectors, but what's the likelihood they will be the 160+ most important of the 1000+ that you need?

That's it then--the Achilles heel of the Provisioning and Access Compliance world is connectors. Can your vendor give you a low fixed price for as many as you need? Can they commit to a price in advance, even before you know what the applications are, so that you can plan and manage your deployment out of Phase I and into something that truly enables the business? The answer in almost all cases is, "No".

This is a problem that Courion has been working on for a long time - we understand the issues that make this difficult and we have tooled ourselves to address them. Today, not at some time in the future, we provide our customers unlimited connectors with speed and efficiency, and at one low fixed price - perhaps there's some fodder here for a future blog as well.
