Posted by Todd Chambers - CMO on Wed, Jun 09, 2010
Deloitte has just released their 2010 Financial Services Global Security Study and once again identity and access management has topped the list as the "Top Security Initiative" for enterprises in 2010. It is encouraging to see so many respondents highlighting the importance of improving security and meeting regulatory compliance requirements as key drivers to adopting Identity and Access Management (IAM) solutions.
Other Findings:
- Data loss prevention has taken on greater urgency: Data loss is caused by an intended or unintended action on the part of an organization's people. When asked to characterize their ability to thwart internal breaches, only 34 percent of respondents are "very confident".
- Regulatory compliance is a key priority for financial institutions: Financial institutions are clearly expecting more regulatory pressure. Respondents to the survey include regulatory and legislative compliance as one of their top five initiatives and are hiring more internal auditors to resolve internal and external audit findings in preparation.
- Business alignment is still lacking: While 87 percent of respondents either have, or plan to have, a security strategy within the next 12 months, respondents reveal that security functions do not get input or involvement from the lines of business when the strategy is being developed; this indicates that strategy development tends to be driven by the security function rather than driven by business goals.
IAM solutions need to integrate with data protection solutions like DLP; they need to help relieve increasing regulatory pressure; and they need to help IT engage the business in the process of securing access to data. This is what we call Access Assurance.
Failure to clamp down on data access has real and painful consequences for any organization, not just those in the financial sector. Data breaches are getting more expensive, regulations more onerous, and catastrophic bad press can have negative impact for years.
Posted by Todd Chambers - CMO on Thu, Mar 11, 2010
Based on a recent study by the research firm Ponemon Institute it was reported that, "Despite the best efforts of IT departments, business managers continue to disengage, or turn off, their laptops' encryption solution - exposing company information to thieves should the computer go missing." This is a concern, especially given the increase in sensitive data being made more broadly available (electronic health records, mobile computing...) and the continuing reports of lost or stolen laptops, but there was something that I found even more concerning...
In the report was the statement, "33% of IT practitioners believe encryption makes it unnecessary to use other security measures, whereas 58 percent of business managers believe this to be the case". One third of the IT people and over half of the business people believe that encryption is the only security measure needed? Without effective management of access, how can you truly protect sensitive information in an organization? It's like locking a door and not being sure who has a key.
In the report Dr. Larry Ponemon does state, "This study shows that business managers may be overly reliant on encryption to keep confidential information safe and secure". That's absolutely true, and it's clear that a combination of preventive AND detective controls is required to effectively manage the risk of inappropriate access to information.
The goal of any Access Assurance strategy is to assure that only the right people get the right access to the right resources and are doing the right things with it. So, are you taking a balanced approach?
Posted by Chris Sullivan - VP Customer Solutions on Thu, Jan 07, 2010

Here's an old adage that we've all heard - the value of the whole exceeds the sum of the parts. Is it true? Well, according to the governments of the United States and Japan it is. If you include the skin, the human body is comprised of 65% oxygen, 18% carbon, 3% nitrogen and 9 other common and inexpensive elements down to a mere 0.00004% Iodine. Taken in their parts, 170 lbs of that is worth about $4.50.
But if you put it together in the right way, you can come up with the likes of an Einstein, a Warren Buffett, a Gandhi, a Mother Teresa, an Alfred Bernhard Nobel.
It's similar in our space. We have all the elements - provisioning, compliance, role management, governance, sensitive data analysis, sensitive activity analysis, entitlement management and even security in the cloud (which we all know to be the next big thing until the next big thing comes along). Where we are collectively weak is the ability to put all of these things together in sophisticated ways where the whole exceeds the value of the sum of the parts - and by a whole lot.
With that, here are my 3 predictions for 2010:
- 2010 will not be about the cloud. We've been living in the clouds for years, and Courion has already been weaving our customers' provisioning, access compliance and access assurance frameworks into those clouds with connectors like GE Pharmacy, Fedlink, Equifax and Salesforce. That's not interesting.
- Companies will take advantage of commoditized pricing for custom connectors to dramatically increase the number of systems and applications for which they automate compliance, risk management and controls today.
- Companies will realize a dramatic increase in the value of what they already have by pulling together all of the elements in sophisticated ways to assure access and to predict and remediate risk before breaches occur. Identity Intelligence and Analytics will be the next real big thing.
Did you know?
I presume you know that the Nobel Prizes (including the coveted Nobel Peace Prize) come from the institute of the same name. But did you know that the philanthropist who founded the institute was also the inventor of dynamite and he made his fortunes in the 1800s as a major arms manufacturer and dealer?
Define irony.
Posted by Todd Chambers - CMO on Wed, Dec 23, 2009
Melissa Hathaway served as Senior Advisor to the Director of National Intelligence and Cyber Coordination Executive during the administration of President George W. Bush, and as Acting Senior Director for Cyberspace for the National Security Council during the administration of President Barack Obama.
In her recently posted perspective on the state of cybersecurity ("Five Myths About Cybersecurity") published in the ExecutiveBiz Blog she highlights the following:
- Myth 1: Consumer protection exists in cyberspace
- Myth 2: Firewalls and virus scanners protect my computer and my enterprise
- Myth 3: My government has the solution and will protect me
- Myth 4: Physical assets are more valuable than information
- Myth 5: Laws are keeping pace with technological innovation
It is interesting to note that she specifically points out that "Few software programs protect us from the insider threat..." which according to a Verizon Business Breach Survey, accounts for approximately a third of all breaches.
This is especially concerning when you consider that a recent survey entitled "The Global Recession and its Effect on Work Ethics", carried out by Cyber-Ark, found that 48% of respondents admit that if they were fired tomorrow they would take company information with them. And a quarter of workers said that the recession has meant that they feel less loyal towards their employer.
It seems clear that protecting your organization from insider threats, and even external threats made possible by the inappropriate use of insider access (zombie accounts, weak password practices...) should be a key part of your Access Assurance strategy. The myth of being protected is not a strategy, so, how safe is your environment?
Posted by Todd Chambers - CMO on Fri, Dec 18, 2009
Companies that work to mitigate risk in their business face numerous identity and access management challenges spanning Access Governance, Access Provisioning, and Access Compliance, but each organization will prioritize these areas differently. As you build your strategy it's important not to attack each challenge as if it were stand-alone and unaffected by other business imperatives. In other words, it's critical that your solutions allow you to "start anywhere" based on your unique business drivers and requirements, but also allow you to "go anywhere" in order to gain greater value by addressing the broader goals of your organization.
Take for example a company unable to demonstrate that their employees have only the minimum required access to company resources to do their jobs. On the surface this seems to be a straightforward access verification challenge of identifying who has access to what resources, and then asking the managers in the organization to vet the access, right? In actuality, this is just part of the process needed to appropriately assure that ONLY the right people have the right access to the right resources and are doing the right things with it.
When delivering an access verification solution you need to ask yourself, "How will we manage all the exceptions that it will clearly uncover?" And, "How will we manage it over time and in an automated fashion to accommodate the changes constantly taking place in our business?" The ultimate goal should be to enable the verification AND remediation of access regardless of your environment. Sure, you need to be able to send email alerts and link to help desk systems, but you also should have the ability to automatically change, disable, or delete access directly for any resource, with or without an existing automated provisioning solution. This approach will make your business more agile and effective (easier compliance adherence, increased efficiency and effectiveness) and at the same time reduce risk for the organization.
A "start anywhere, go anywhere" approach is a cornerstone of Access Assurance and is especially critical to success in today's environment, where all businesses need to show incremental value on the way to their ultimate goals. Delivering successful programs that are cost effective, easy to manage, and deliver business results quickly is a great way to increase security, compliance and business value, as long as they are an integrated part of your access assurance strategy. Not to mention, having multiple "wins" under your belt is always nice when requesting your next round of resources.
Posted by Chris Zannetos - CEO on Thu, Aug 13, 2009
LINK TO PART 1 - Creating Budget Where None Exists
Last week I introduced "Company X", a Courion customer that is delivering improved risk management and security via automated access compliance and attestation, and automated provisioning for over 100 applications - without spending a single budget dollar. I discussed "understanding the multiple budgets of your organization" as Part 1 of a 4-part process for achieving this. And now... for the rest of the story.
2. Understand Operations via Activity-based Costing
There is, of course, more to the story of Customer X. Spending over $1 million with a vendor would surely result in an Expense Budget Impact of over $20,000 in 2009 and $0 in 2010, wouldn't it? The next thing that Customer X did was evaluate its operations to determine what level of savings was attainable via this project's automation of manual provisioning and attestation processes.
In the first phase of automating provisioning and access compliance, Customer X knew that the organization was spending over 50 person-years manually adding, changing and deleting accounts across the first 100 applications which they addressed. They automated the provisioning and access verification for those applications, eliminated the admin staff positions, and booked the savings.
As Company X moved on to begin addressing the other 700 applications used by the organization, they did not have firm figures regarding the cost of administration and verification. So they did what I would advise every organization to do: they executed a thorough activity-based costing effort.
- Document the flow of the work - starting at the business action that drove the provisioning or compliance activity (hiring, promoting, introducing a new application service, SAS70 audit, semi-annual SOX attestation, etc.)
- Identify all activities - who is responsible for them, how much staff time is required to execute them, how much time elapses from start to finish of the activity
- Cost the activities - spread staff members' fully-burdened cost across all of the activities that they are responsible for executing
And once they understood the costs and cost drivers, they took a deeper dive into the company's accounting policies.
3. Understand their Accounting Policies
Disclaimer: Accounting was my least favorite subject at business school. Accounting rules seek to provide a comprehensive, accurate view of organizations' financial health, but there are times at which accounting rules drive behavior that is inconsistent with these goals. I have always found that difficult to accept, but as I repeatedly tell my children: "just because it doesn't make sense to you doesn't mean that you can ignore it!"
One of your first actions should be to sit down with your finance team, or the finance professionals in your IT organization - and learn about the rules.
What are the rules regarding amortization of capital expenses? What is the definition of useful life for software (at least software that works!), and is there a maximum useful life? (For the record, Courion customers have illustrated that the useful life of Provisioning Software (at least software that works!) is at least 10 years.) Note that you will probably have a maximum. Some other areas of focus:
- Software capitalization policies. Software costs not only can be amortized, but they typically are not applied to your IT Operating Budget until the software is implemented. In the case of Customer X, Courion has been delivering 50 Connectors over the course of 9 months. The amortized license and maintenance cost of each connector does not show up on the IT Operating (Expense) Budget report until it is implemented.
- Services capitalization policies. You may be able to capitalize services consulting expenditures. Ironically for those of us in the techie world, this is a situation in which words really do matter! Services such as design, configuration, testing and installation may be eligible for capitalization. But be careful of your terms, because services such as consulting, project management, data conversion and overhead are typically not eligible.
- Vendor contract options. Talk to your vendor about providing a term or subscription contract if your organization's policy for "maximum" useful life of software is very short (18-24 months).
4. Step up to the plate - Extract the costs
Now comes the hard part - when you put the budgeting information, Activity-based Costing and Accounting Policies together to create a plan. In order to "make budget" where none exists, you have to be willing to extract the costs that you have identified via the Activity-based Costing. And you and your vendor partner will have to commit to achieving concrete objectives within agreed-upon timeframes - so that you can book savings when you need to in order to not use budget dollars.
In the case of Customer X, they eliminated enough manual administrative work, by automating the provisioning and attestation process for an additional 100 applications, to reduce staff enough to pay for the entire project. And while the manual work was most time intensive for applications that were not "Key Financial Applications", by bundling the work for those with Key Financial Applications, Company X was able to significantly improve controls around these key applications and improve their management of risk (and audit position).
So there you have it. Four simple steps to self-funding IAM initiatives:
- Understand the budgets
- Perform activity-based costing
- Understand your organization's accounting policies
- Make the hard decisions and extract the cost
If a CISO follows this approach, he or she will drive considerable value to their organization by reducing risk and streamlining operations. But more important even than delivering the value of this sort of self-funded initiative, the CISO will also transition from insurance salesman to business enabler.
Posted by Chris Zannetos - CEO on Wed, Aug 05, 2009
In my last Blog I mentioned that many customers had no formal IT budget. In these volatile economic times, budget has become irrelevant as CFOs and other business executives are doling out money spoonful by spoonful, just as Captain Queeg doled out strawberries on the ill-fated USS Caine (yes, I realize that referencing a Humphrey Bogart movie dates me!).
Some customers adapted to this new reality by finding ways to continue to improve the security of their business operations via "self-funding" access provisioning and compliance automation projects. One such organization - let's call them Customer X - recently executed a $1 million+ program with Courion to "get ahead of auditors" in access control and improve service to the business that will not use a single budget dollar!
This was possible because the customer's staff
- were very smart about how they structured the project
- knew their "provisioning and compliance attestation" operations deeply
- were willing to make and execute some difficult decisions
- worked with a vendor (Courion) whose product and services could deliver concrete business results - and that was willing to sign up to achieve operational milestones
I can understand that this may be difficult to believe... one million dollars spent, but no budget dollars spent? It might be even harder to believe knowing that this customer had already automated provisioning for 30,000+ end users across 100 applications and in support of hiring, termination, promotions/role changes, and acquisitions. This new project called for the addition of some provisioning and attestation workflows - and the development and implementation of 50 connectors (software) to industry-specific third party and homegrown systems which managed access to 210 applications.
So, how did they "make budget" where none exists? They used a 4-part formula:
1. Understand the Budgets
The first thing that Customer X understood was that there wasn't one budget...there were multiple budgets. They, like most organizations, had an Expense Budget which outlined the areas in which the IT organization would spend during the year. Often called the IT Operations Budget, this is typically what people view as "The Budget", and it sets Financial Executives' expectations on what expenses from IT will be reflected in the organization's Income Statement.
They had a Capital Appropriations Budget, which identified investment in assets which would benefit the organization beyond just one fiscal year. Items on the Capital Appropriations Budget are reflected in the IT Operations Budget, but the costs are "capitalized". That is, the value is amortized (spread out) across the useful life of the asset. So what might appear as $120,000 in the Capital Appropriations Budget, would be represented by $60,000 in the IT Operations Budget for an asset with a 2 year useful life.
And finally, they had a Capital Expenditure Budget, which details the expected outflow of cash throughout the course of the year.
Most importantly they understood that their organization's goals and time-frame of relevance were different across these budgets. When they first approached executive management about this project, the response was "we have no budget." What that meant was that there was no placeholder in the Capital Appropriations Budget. They had made their plans for the year 6 months prior, and they were not willing to change priorities to place these 50 Connectors higher on the list.
But the sponsoring Executive did not let the effort stop there. He knew that the company was focused on the overall Income Statement, and not on the Cash Balance or Capital Budget. He told the team: "bring me a plan that has a maximum hit on the IT Operations (Expense) Budget of $20,000 in 2009, and a net positive effect on that budget and cash flow neutral by mid year 2010."
This Executive understood that cash is different than expenditure (agreement to pay), which is different than expense. For example, if a company licenses $600,000 of software that is delivered immediately and has a useful life of 3 years, with an agreement to pay 50% on signing and 50% 18 months after signing (for this example, we will assume no maintenance or services costs), the resultant impact would be:
| | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Capital Expenditure Budget Impact | -$300,000 | -$300,000 | $0 |
| Expense Budget Impact | -$200,000 | -$200,000 | -$200,000 |
| Capital Appropriations Budget Impact | -$600,000 | $0 | $0 |
The moral: keep reminding yourself that cash isn't agreement to pay which isn't expense. And make sure that you understand the varied goals and management time-frames your organization puts around the Expense Budget, the Capital Appropriations Budget and the Capital Expenditure Budget.
LINK TO PART 2 - The rest of the formula (Steps 2-4) to Create Budget Where None Exists - Understanding your operations, Understanding your firm's accounting rules, Extract the cost!
Posted by Chris Zannetos - CEO on Wed, May 27, 2009
Many years ago when Courion introduced self-service to the identity management market, I used the Automated Teller Machine as an analogy to explain the concept and value. The ATM, I explained, succeeded so dramatically because it embedded security policy in a business process - enabling that business process to move faster and at a lower cost. Security was improved, yes - but under the covers (by removing people from the process). The ATM succeeded in changing the nature of banking because it delivered service that was faster and easier for customers at a lower cost to banks.
In today's economy, the business lesson of the ATM is more relevant than ever. Last week Courion held its 7th Annual Customer Conference, CONVERGE 09, at which we brought together over 110 CIOs, CISOs, security managers and IAM experts to discuss how to turn today's challenges into opportunities. During my keynote I commented that Courion was seeing that customers weren't just challenged by having fewer budget dollars; many essentially had no IT budget at all. As I looked out at the audience, I saw a sea of vigorously nodding heads.
Now, I don't mean that there isn't IT spending. Courion has been fortunate to see continued growth in this difficult time, so we know that there is spending. The issue is that organizations' financial executives have their fingers so directly on spending that it doesn't matter whether there was a plan or an IT budget approved at an earlier date. The IT budget is in essence approved piecemeal when the financial executives feel confident to spend money based on a combination of the organization's and the general market's performance. One Fortune 1000 CISO told me that his organization re-forecasts the entire company's budget monthly!
The implication of this trend is that customers are fighting every day to get spending approved. Customers are reporting that they have to get confirmation of approval for a project repeatedly - at conception, prior to RFP, prior to Proof of Concept, prior to negotiating contracts, and prior to signing those negotiated contracts.
It is unclear how long this will last, however security executives are beginning to understand and adapt to this fundamental change in financial management process. For example, some customers have asked Courion to fully negotiate a contract even though funding has not been approved. This way, the documents can be signed the day funding is approved without letting even one day of the market's performance impact confirmation of approval to spend.
Perhaps the most important adaptation is that customers are laser-focused on how to deliver measurable business value, not just security value, by automating access governance, provisioning and compliance (what we now call Access Assurance). They are coming back to the lesson of the ATM and focusing on how to help their businesses move faster at a lower operational cost - not just deliver improved security. They aren't selling security insurance. Instead they realize, as the CIO of a global 2000 manufacturer told me recently, "the business has no patience for us unless we tell them what we are going to do for them."
As a result, customers are looking for security software vendors who are willing to engage them to build a plan to deliver real business value. They are willing to open up their financial and accounting processes to trusted business partners to build business cases that detail improved business agility and cost savings that are both comprehensive and believable - business cases to which they and the trusted partner are willing to be held accountable. Some customers have even built - and delivered on - self-funding projects.
If this trend is the outcome of today's challenges, perhaps not having an IT budget is a good thing after all.
Posted by Kurt Johnson - VP Strategy on Tue, Apr 21, 2009
Yesterday Oracle announced it had agreed to acquire Sun Microsystems. My friend Dave Kearns sent an email asking for reaction (for those of you unfamiliar with Dave's work, I strongly suggest you subscribe to his blog and identity management newsletter) and it got me thinking. Oracle's positioning is talking about providing an integrated system from "application to disk" and also lauds the merits of having Solaris and Java at its disposal. But, nowhere do you hear anything about identity management. This is of no surprise as the acquisition was not motivated by a strategy of combining identity management solutions. However, if you're a Sun identity management customer, you have to be concerned due to the significant overlap between Oracle's and Sun's IAM product lines.
So, this got me thinking about the importance of the "new" vendor viability. As an independent player who is a wee bit smaller than some of the companies we compete with in the IAM market, Courion sees vendor viability thrown in our faces at times in competitive situations. Although we've demonstrated product innovation and leadership (according to Gartner and Burton Group among others) and are recognized for a strong track record of customer success at a fraction of the overall implementation and service costs, our competition (including Sun) would throw the viability FUD in there to try to wrestle deals away. Comments such as "They're too small"; "They're not going to be around much longer"; "We're going to crush them" have all been things we've heard in selling cycles for a long time.
Well, I believe the Oracle Sun acquisition highlights where the real viability concerns lie. Clearly the IAM business was not a consideration of Oracle when acquiring Sun. There is tremendous overlap between the product sets and one can only suspect that Oracle will be announcing an end of life plan for the Sun Identity Manager products before too long.
Consider other announcements over the last few years. HP acquired Trulogica as an entry into the identity management market only to announce a few years later that it was getting out of the business. Similarly BMC announced it was dropping traditional identity management. After acquiring Netegrity, much of the original Business Layers identity management products have been "evolved" by CA under a completely different architecture. It sure appears to me that size has nothing to do with IAM vendor viability.
IAM is what Courion does. We can't afford to give away hardware, operating systems, databases, or anything else if the project goes bad. We must have customer success for each and every project as there is no other way for Courion to "make it up" to the customer. Clearly a company like Courion is not planning on getting out of the IAM business.
IAM is a strong and growing market, and is still a top priority in even the current economic climate. But, when vendors use their IAM business as a way to help pull other products and push infrastructure on customers, success is measured in more than pure IAM revenue. True vendor viability concerns should be focused on these larger organizations and prospective customers need to look carefully at the nature of their commitment and the viability of their overall business. The commitment these organizations have to IAM should be a major concern. Courion's focus for IAM is to solve real, critical business problems. Its purpose is not to sell other pieces of infrastructure. This is what we do and we like to think we're doing it pretty well. We're growing. We're profitable. We've got a customer base full of happy customers. That all sounds pretty viable to me.
What are your thoughts?
Posted by Todd Chambers - CMO on Fri, Apr 17, 2009
A couple of newly released studies on data theft are contradicting the avalanche of recent data suggesting that "insider" security attacks were more prevalent in 2008 than external hacking. While it's interesting to note that insider breaches continue to be much more damaging, the 2nd annual Verizon Business Breach study (a complete PDF copy of which is available here: http://tinyurl.com/c59gjo) found that 64% of breaches were external hacks that resulted from third-party remote access of default credentials. The Verizon Business study includes recommendations for bolstering access controls, including frequent changes to default credentials, limiting shared credentials, regular review of user account privileges, and ensuring effective termination procedures.
In addition, the Computing Technology Industry Association's (CompTIA) 7th annual security research study revealed that while a significant number (31%) of respondents said their breaches came from inside their companies (whether accidental or malicious), the majority of breaches were still caused by external attacks.
It's interesting to note that after all the increases in security spending, businesses are still finding themselves vulnerable when it comes to their ability to prevent unauthorized access. As the Verizon Business study points out, "87% [of breaches] were considered avoidable through simple or intermediate controls."
The bottom line here is that whether you're talking about internal or external threats to corporate data, companies need to be sure to constantly review their access assurance policies and identify the right processes to ensure that access to default credentials is locked down. After all, criminals will usually take the path of least resistance, and unfettered access fits that description all too well.
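The verification-and-remediation loop described in the "start anywhere, go anywhere" post above (identify who has access to what, surface the exceptions, then change, disable or delete access directly where a connector exists and raise a ticket where one does not), together with the regular review of account privileges and termination controls the Verizon study recommends, as an added Python example that is not Courion's code. The role policy, HR feed, accounts and the in-memory "connector" are all constructed sample data.

```python
# Added illustration, not Courion's product code. Users, roles, entitlements,
# HR feed and the in-memory "connector" are all constructed sample data.
from dataclasses import dataclass

# Constructed policy: the minimum entitlements each job role needs.
ROLE_POLICY = {
    "ap_clerk": {"erp:ap.invoice.enter", "erp:ap.vendor.view"},
    "ap_manager": {"erp:ap.invoice.enter", "erp:ap.invoice.approve",
                   "erp:ap.vendor.view", "erp:ap.vendor.edit"},
    "helpdesk": {"ad:group.helpdesk", "ticketing:agent"},
}
# Constructed HR feed: the authoritative source for who is still employed.
HR_FEED = {
    "alice": {"role": "ap_clerk", "status": "active"},
    "bob": {"role": "ap_manager", "status": "active"},
    "carol": {"role": "helpdesk", "status": "terminated"},
}
# Constructed: systems with a provisioning connector; anything else needs a ticket.
CONNECTED_SYSTEMS = {"erp", "ad"}


def sample_accounts():
    """Fresh copy of what the target systems actually report (constructed)."""
    return [
        {"user": "alice", "system": "erp", "enabled": True,        # approve exceeds role
         "entitlements": {"erp:ap.invoice.enter", "erp:ap.vendor.view", "erp:ap.invoice.approve"}},
        {"user": "bob", "system": "erp", "enabled": True,          # clean
         "entitlements": set(ROLE_POLICY["ap_manager"])},
        {"user": "carol", "system": "ad", "enabled": True,         # leaver, still enabled
         "entitlements": {"ad:group.helpdesk"}},
        {"user": "carol", "system": "ticketing", "enabled": True,  # same, but no connector
         "entitlements": {"ticketing:agent"}},
        {"user": "svc_legacy", "system": "erp", "enabled": True,   # no HR owner
         "entitlements": {"erp:ap.vendor.view"}},
    ]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    kind: str      # terminated_enabled | orphan_account | excess_entitlement
    detail: str
    action: str    # disable_account | remove_entitlement | review
    mode: str      # "direct" through a connector, or "ticket" for a human


def verify_access(accounts, hr=HR_FEED, policy=ROLE_POLICY, connected=CONNECTED_SYSTEMS):
    """Compare actual access with HR status and role policy; return the exceptions."""
    findings = []
    for acct in accounts:
        user, system = acct["user"], acct["system"]
        mode = "direct" if system in connected else "ticket"
        person = hr.get(user)
        if person is None:
            # Orphan account: nobody in HR owns it, so a human decides; never auto-disable.
            findings.append(Finding(user, system, "orphan_account", "no HR record", "review", "ticket"))
        elif person["status"] == "terminated" and acct["enabled"]:
            # Zombie account: a leaver still has a live login.
            findings.append(Finding(user, system, "terminated_enabled", "leaver still enabled",
                                    "disable_account", mode))
        else:
            # Least privilege: anything beyond the role's entitlements is an exception.
            for ent in sorted(acct["entitlements"] - policy.get(person["role"], set())):
                findings.append(Finding(user, system, "excess_entitlement", ent,
                                        "remove_entitlement", mode))
    return findings


class InMemoryConnector:
    """Stand-in for a provisioning connector; edits the account list in place."""
    def __init__(self, accounts):
        self.accounts = accounts
    def _account(self, user, system):
        return next(a for a in self.accounts if a["user"] == user and a["system"] == system)
    def disable_account(self, user, system):
        self._account(user, system)["enabled"] = False
    def remove_entitlement(self, user, system, entitlement):
        self._account(user, system)["entitlements"].discard(entitlement)


def remediate(findings, connector):
    """Apply direct actions through the connector; queue the rest as tickets."""
    applied, tickets = [], []
    for f in findings:
        if f.mode == "direct" and f.action == "disable_account":
            connector.disable_account(f.user, f.system)
            applied.append(f)
        elif f.mode == "direct" and f.action == "remove_entitlement":
            connector.remove_entitlement(f.user, f.system, f.detail)
            applied.append(f)
        else:
            tickets.append(f)   # e-mail alert / help-desk queue / manager review
    return applied, tickets
```

Running `verify_access` again after `remediate` shows only the ticketed exceptions left, which is the check a recurring review should make so that exceptions are tracked over time rather than rediscovered each cycle.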