Posted by Todd Chambers - CMO on Wed, Jun 09, 2010
Deloitte has just released their 2010 Financial Services Global Security Study and once again identity and access management has topped the list as the "Top Security Initiative" for enterprises in 2010. It is encouraging to see so many respondents highlighting the importance of improving security and meeting regulatory compliance requirements as key drivers to adopting Identity and Access Management (IAM) solutions.
Other Findings:
- Data loss prevention has taken on greater urgency: Data loss is caused by an intended or unintended action on the part of an organization's people. When asked to characterize their ability to thwart internal breaches, only 34 percent of respondents are "very confident".
- Regulatory compliance is a key priority for financial institutions: Financial institutions are clearly expecting more regulatory pressure. Respondents to the survey include regulatory and legislative compliance as one of their top five initiatives and are hiring more internal auditors to resolve internal and external audit findings in preparation.
- Business alignment is still lacking: While 87 percent of respondents either have, or plan to have, a security strategy within the next 12 months, respondents reveal that security functions do not get input or involvement from the lines of business when the strategy is being developed; this indicates that strategy development tends to be driven by the security function rather than driven by business goals.
IAM solutions need to be able to integrate with data protection solutions like DLP; they need to help relieve increasing regulatory pressures; and they need to help IT engage the business into the process of securing access to data. This is what we call Access Assurance.
Failure to clamp down on data access has real and painful consequences for any organization, not just those in the financial sector. Data breaches are getting more expensive, regulations more onerous, and catastrophic bad press can have a negative impact for years.
Posted by Todd Chambers - CMO on Thu, Mar 11, 2010
Based on a recent study by the research firm Ponemon Institute it was reported that, "Despite the best efforts of IT departments, business managers continue to disengage, or turn off, their laptops' encryption solution - exposing company information to thieves should the computer go missing." This is a concern, especially given the increase in sensitive data being made more broadly available (electronic health records, mobile computing...) and the continuing reports of lost or stolen laptops, but there was something I found even more concerning...
In the report was the statement, "33% of IT practitioners believe encryption makes it unnecessary to use other security measures, whereas 58 percent of business managers believe this to be the case". One third of the IT people and over half of the business people believe that encryption is the only security measure needed? Without effective management of access, how can you truly protect sensitive information in an organization? It's like locking a door and not being sure who has a key.
In the report Dr. Larry Ponemon does state, "This study shows that business managers may be overly reliant on encryption to keep confidential information safe and secure". That's absolutely true, and it's clear that a combination of preventive AND detective controls is required to effectively manage the risk of inappropriate access to information.
The goal of any Access Assurance strategy is to assure that only the right people get the right access to the right resources and are doing the right things with it. So, are you taking a balanced approach?
Posted by Kurt Johnson - VP Strategy on Wed, Feb 24, 2010
Okay, before I dive in, a bit of a mea culpa here. I know and understand that part of the responsibility of authoring a blog is frequency. Whoops. Given my last entry was back in October, and that was the first since May, I'm not sure I'm really doing too well here. Is the end of February still an opportunity for a New Year's Resolution? Well, the journey back starts with a first step, right? So, why not start with a late February, 2010 entry about a court ruling filed back in September, 2009?
To be fair, it's not like I scan the US Court of Appeals findings on a regular basis, and the following story didn't make front page headlines. But, at a recent CSO Breakfast Club meeting this case was brought up and inspired me to take a deeper look. It was interesting reading.
Seems LVRC Holdings (which operates a residential treatment center for addicted persons in Nevada) filed a lawsuit against a former employee Christopher Brekka. LVRC alleged that Brekka violated the Computer Fraud and Abuse Act (CFAA) by accessing LVRC's computer "without authorization" both while Brekka was employed at LVRC and after he left the company.
LVRC alleged that Brekka exceeded authorized access by emailing sensitive documents from his work computer to a personal computer as well as accessing accounts without authorization after he left the company. Amongst other accusations, LVRC alleged that Brekka, who left the company in September, 2003, accessed critical resources by using an account cbrekka@fountainridge.com which was discovered in November, 2004, more than a year after Brekka left. It was at this point that the account was disabled.
What makes this interesting is the Court ruling. The US Court of Appeals ruled in favor of Brekka. In their ruling they state that "authorization" is defined in the dictionary as "permission or power granted by an authority." Based on this definition, an employer gives an employee "authorization" to access a company computer when the employer gives the employee permission to use it, which LVRC did for Brekka. The Court further ruled that, "It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or 'without authorization'." Additionally, it states, "If the employer has not rescinded the defendant's right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA."
What does all this legal stuff mean? Basically, because LVRC did not disable Brekka's access when he left the company, the Court holds that Brekka's continued use of that access did not constitute a criminal or illegal action. Because the access was originally granted, an account that remains active essentially grants a former employee the ability to keep using it, since in the Court's opinion that user "would have no reason to know" that using the account was a violation.
This seemingly obscure ruling has major ramifications for how organizations manage zombie accounts (accounts that stay active for users who are no longer with the organization). Given the highly sensitive information that various accounts grant access to, it is imperative that these accounts be disabled immediately when someone leaves the organization. In the Brekka case the account in question was an administrative account that seemingly offered significant access privileges. Without prompt disablement, an organization may have no recourse in pursuing legal action against former employees who misuse such access rights and the data they reach.
There are easy ways to address this. An ongoing access certification by business managers would have identified the fact that Brekka's account was still active after he left the organization. Automating the account disablement process ensures that accounts are turned off immediately when an employee is terminated or leaves the organization. Because LVRC did not institute such practices, a critical account was allowed to stay open: even though the former employee was alleged to be misusing these privileges, LVRC neither followed its own policies nor detected violations of them, and so the account was left active. As the Court states, once the account was left active, using it was not considered unauthorized access merely because the employee was no longer with the firm.
It doesn't make sense to have a policy if you're not following it. A lax access assurance strategy inevitably can lead to trouble, and may even limit what legal recourse a firm can take.
Posted by Chris Sullivan - VP Customer Solutions on Tue, Nov 03, 2009

This week, I was thinking about using a quote about the "burden of knowledge" to stimulate some thinking around managing risk or, more specifically, managing liabilities. Unfortunately, the term is not easily attributed to any one person. In some form, the term has been used by Nobel Laureates, heads of state and philosophers for literally thousands of years. What's more interesting is its use as a foundational element of legal systems all over the world.
For risk managers, this is important stuff. Your company can be found negligent, and therefore liable for damages caused either directly or indirectly, because of something you either knew or should have known. In such cases, legal systems consistently magnify findings against parties who are found to be "grossly" negligent.
What does all this mean? In legalese, ordinary negligence is for "want of great diligence" and gross negligence is for "want of slight diligence." Still unclear? So was I, so I called my lawyer and he gave me more mumbo jumbo. Then I called my nephew who is in law school and he said "Uncle Chris, if you should have known something you are negligent - you are liable. If you actually knew and did nothing, then you are grossly negligent - You are $&%!(d".
I get it now. So if you turn on a DLP solution and it generates 1,000,000+ critical alerts a week because there's lots of sensitive information moving around your company, then you are left with three obvious options:
- Eradicate the sensitive information that is, by the way, required to run your business
- Hire an army of security analysts to ferret out and address the small number of real concerns
- Shut off the DLP system, because if there is one unaddressed misuse in those 1,000,000 alerts that you knew about... You did nothing... You are $&%!(d
Think I'm being dramatic? This exact scenario was presented to me by the CIO of a Fortune 100 company less than a year ago. He chose option 3 and, not surprisingly, he does not want to be quoted for this article.
What if you buy some fancy new attestation software that will process data dumps of access rights from your key systems and help you identify risks? That's helpful right? Not if you don't remediate those risks. If you don't, then you knew, you did nothing and you are...
A more sensible approach would be to put in place an Access Assurance framework to ensure that the right people have the right access to the right resources and they are doing the right things:
- If your DLP system finds Protected Health Information then bounce it off the Identity Management solution to see if the people who have access to it are clinicians. In most cases, they will be and you've automated away most of the unnecessary work.
- What's the risk of verification if your access certification process finds issues and you can't automate the requisite remediation?
By thinking holistically, you can take an approach that automates away rote work to ensure that you do know what you should know and that you can deal with it efficiently and effectively.
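The first bullet above, bouncing a DLP finding off the identity management system, as an added example that is not Courion's code: a constructed identity directory (account to job role), a role policy per data classification, and a triage routine that auto-closes PHI findings whose accessors are all clinicians and escalates the rest, including any accessor that has no identity record at all. Every account, path and role here is constructed.

```python
from dataclasses import dataclass, field

# Constructed identity data, as an identity management system would hold it:
# account -> job role. "ghost" deliberately has no entry (an account bound to nobody).
IDENTITY_ROLES = {
    "jdoe": "clinician",
    "asmith": "clinician",
    "rlee": "nurse",
    "bjones": "billing",
}

# Policy: which roles may legitimately hold access to each data classification.
# Classifications without a rule are never auto-closed; a human decides those.
ALLOWED_ROLES = {"PHI": {"clinician", "nurse"}}

@dataclass
class DlpFinding:
    finding_id: str
    path: str
    data_class: str        # classification the DLP scanner assigned, e.g. "PHI"
    accessors: list        # accounts that hold access to the file

@dataclass
class TriageResult:
    auto_closed: list = field(default_factory=list)   # finding ids needing no human work
    escalated: dict = field(default_factory=dict)     # finding id -> accounts to review

def triage(findings, roles, allowed_roles):
    """Close findings whose every accessor has a permitted role; escalate the rest."""
    result = TriageResult()
    for f in findings:
        permitted = allowed_roles.get(f.data_class)
        if permitted is None:
            result.escalated[f.finding_id] = list(f.accessors)
            continue
        # roles.get() returns None for an account with no identity record, so an
        # unbound account is always escalated: access that cannot be attributed
        # to a person cannot be verified as appropriate.
        offending = [a for a in f.accessors if roles.get(a) not in permitted]
        if offending:
            result.escalated[f.finding_id] = offending
        else:
            result.auto_closed.append(f.finding_id)
    return result

# Constructed sample findings, shaped like what a DLP scan reports.
SAMPLE_FINDINGS = [
    DlpFinding("F1", "/clinic/charts/patient-001.pdf", "PHI", ["jdoe", "rlee"]),
    DlpFinding("F2", "/shared/exports/labs.csv", "PHI", ["jdoe", "bjones"]),
    DlpFinding("F3", "/shared/old/intake.xlsx", "PHI", ["asmith", "ghost"]),
    DlpFinding("F4", "/finance/cards.txt", "PCI", ["bjones"]),
]

def sample_triage():
    return triage(SAMPLE_FINDINGS, IDENTITY_ROLES, ALLOWED_ROLES)

if __name__ == "__main__":
    r = sample_triage()
    print("auto-closed:", r.auto_closed)
    for fid, accts in r.escalated.items():
        print(f"escalate {fid}: review access held by {accts}")
```

Only F1 closes itself; F2 surfaces a billing account on PHI, F3 an account nobody is bound to, and F4 a classification with no rule, which is exactly the small set of real concerns an analyst should be spending time on.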
Did you know?
- It's official, Bing is better than Google. When researching "burden of knowledge" I noticed that Bing returned 21,500,000 results while Google returned only 16,300,000. Probably either one would have been sufficient to get me started.
- "Knowledge burdens but wisdom frees one from the burden of knowledge" - Brother Sahajananda, Benedictine monk
Posted by Chris Sullivan - VP Customer Solutions on Tue, Oct 20, 2009

Welcome to Applied Wisdom, a series of vignettes that seeks to glean practical insight for managing risk and compliance from some of history's greatest minds.
Warren Buffett, the world's richest man and undisputed king of practical risk management once said "Risk comes from not knowing what you're doing."
How simple is that? You can have all of the risk management frameworks that the big four can sell you but if you don't know who has access to what, you can't assure access, can't manage risk and you can't assert compliance to virtually any regulations. Hell, you don't even know what access to remove when someone leaves your company.
Take a tip from Buffett (Warren, not Jimmy) and deploy an IdentityMap(tm). It's a very simple process: discover identities from across the enterprise and bind them to unique identifiers for employees, partners or privileged accounts. From there you will be able to identify rogue accounts when they appear, disable all access on termination, synchronize passwords for users, manage accurate access verifications and accelerate forensics with speed and efficiency.
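The account hygiene called for in the Brekka post above (disable accounts on termination and catch the ones that stay active anyway) and the discovery-and-binding step just described, as an added example that is not Courion's code and does not implement its IdentityMap: a reconciliation of an account inventory against the HR roster that flags zombie accounts (owner terminated, account still enabled) and orphan accounts (bound to nobody HR knows about). The roster, the accounts, the systems and the dates are constructed.

```python
from datetime import date

# Constructed HR roster: person id -> (name, termination date; None while still employed).
HR_ROSTER = {
    "E100": ("Alice Example", None),
    "E200": ("Bob Example", date(2003, 9, 15)),
    "E300": ("Carol Example", date(2004, 11, 1)),
}

# Constructed account inventory pulled from several systems. "owner" is the person id
# the account was bound to during discovery; None means no binding could be made.
ACCOUNTS = [
    {"system": "AD",    "account": "alice",            "owner": "E100", "enabled": True},
    {"system": "email", "account": "bob@example.com",  "owner": "E200", "enabled": True},
    {"system": "RACF",  "account": "BOB01",            "owner": "E200", "enabled": False},
    {"system": "AD",    "account": "carol",            "owner": "E300", "enabled": True},
    {"system": "AD",    "account": "svc_legacy",       "owner": None,   "enabled": True},
    {"system": "email", "account": "dave@example.com", "owner": "E999", "enabled": True},
]

def find_zombie_accounts(accounts, roster, today):
    """Enabled accounts whose bound owner left the organization before `today`."""
    zombies = []
    for acct in accounts:
        if not acct["enabled"] or acct["owner"] not in roster:
            continue
        _, terminated = roster[acct["owner"]]
        if terminated is not None and terminated < today:
            zombies.append({**acct, "days_after_termination": (today - terminated).days})
    # Longest-lived zombies first: highest risk, and the worst audit finding.
    return sorted(zombies, key=lambda a: a["days_after_termination"], reverse=True)

def find_orphan_accounts(accounts, roster):
    """Accounts bound to nobody: no owner recorded, or an owner id HR does not know."""
    return [a for a in accounts if a["owner"] is None or a["owner"] not in roster]

def reconcile(accounts, roster, today):
    """Work list a provisioning system would act on: disable now, investigate next."""
    return {
        "disable": [(a["system"], a["account"], a["days_after_termination"])
                    for a in find_zombie_accounts(accounts, roster, today)],
        "investigate": [(a["system"], a["account"])
                        for a in find_orphan_accounts(accounts, roster)],
    }

def sample_reconcile():
    # A constructed review date in November 2004, the month the Brekka account was found.
    return reconcile(ACCOUNTS, HR_ROSTER, date(2004, 11, 15))

if __name__ == "__main__":
    work = sample_reconcile()
    for system, account, days in work["disable"]:
        print(f"DISABLE {system}/{account}: owner left {days} days ago")
    for system, account in work["investigate"]:
        print(f"INVESTIGATE {system}/{account}: no known owner")
```

Run on a schedule (or after every HR termination event), the "disable" list is the zombie account problem the Brekka ruling turns into a legal exposure, and the "investigate" list is the rogue-account problem an identity map exists to surface.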
Did you know?
Warren Edward Buffett still lives in the five-bedroom stucco house that he bought for $31,500 in 1957.
The "big four" (annual revenue and employees worldwide) are:
- PricewaterhouseCoopers: $26.2bn, 163,000 employees
- Ernst & Young: $21.4bn, 144,441 employees
- Deloitte Touche Tohmatsu: $27.4bn, 165,000 employees
- KPMG: $22.7bn, 135,000 employees
Care to share any of your "Applied Wisdom"?
Posted by Todd Chambers - CMO on Thu, Aug 27, 2009
A recent RSA-sponsored IDC survey on insider risk management resulted in some pretty interesting findings, suggesting at the highest level that IT organizations may be focused on the wrong things when it comes to insider risk. According to the survey, CXOs tend to give higher priority to protecting their organizations against malicious insider attacks rather than the more frequently occurring and potentially more damaging accidental insider breaches, of which inappropriate user access is a key element.
For example, the RSA security blog further revealed that while 65% of CXOs reported their top concern as unauthorized or deliberate access to systems and data, they cited 5,794 unintentional incidents created by excessive access rights - one of the highest categories of risk incidents over the last 12 months. CXOs also revealed that the greatest financial impact to their organization was caused by risks related to out-of-date or excessive access rights (17%) - again tied to unintentional user behavior.
Ultimately though, whether unauthorized access threats are internal or external, malicious or accidental, they all pose a major risk to sensitive data, and more broadly, an organization's brand integrity and financial and regulatory compliance posture. Inappropriate user access remains one of the top IT challenges for corporations, as this and numerous other industry surveys and analyst data continue to prove. A comprehensive Access Assurance strategy needs to be a core part of every organization's risk strategy to ensure that only the right people have the right access to the right resources and are doing the right things.
Posted by Chris Sullivan - VP Customer Solutions on Tue, Aug 11, 2009
Another summer is waning and another Catalyst San Diego is behind us. As a regular attendee, I would give this year's conference fairly good marks. For me the key takeaways were:
- The Lightning Rounds
- The virtual compliance gap
- The conspicuous lack of customer case studies demonstrating deep and broad success in the identity space.
The Lightning Rounds were new to the format this year. Vendors were given a very short time to explain why they mattered. It seemed an effective way to give attendees a taste of each dish so that they might go back and find out more if they were interested. Most importantly, it was, dare I say, fun to watch - no time for death by PowerPoint sales pitches here - the presenting executives had their 6 minutes of fame and they were either going to bask in the glow of the lightning flash or be incinerated by it.
There was also a special moment for me that was akin to that rare time in adolescence when your parent does something that you are actually proud of. When my boss, Courion CEO Chris Zannetos, took the podium, he skipped the "Courion is about ensuring the right people get the right access to the right resources and they are doing the right things" blurb and went right to the heart of the matter - "This [use your favorite expletive] is hard". Clearly, automating identity and access management yields speed, efficiency and control and, while there are enough failed or mediocre deployments out there to make people wonder if it's worth all the fuss, there are brilliant successes, too. Chris used his time to share the key ingredients required for success - understand the risk, control and financial implications, take an incremental approach and, most crucially, choose your vendor partner with great care:
- Ask for references and ask these references the tough questions. How many systems and applications are you managing? At what level of granularity? How long did the deployment take? What are you actually automating? How many people did it take to deploy? How many does it take to maintain?
- Do a POC - a real POC, not a demo. Make the vendor take the shrink wrap off the software and install it on your iron and watch how difficult this is to do.
- Ask them to share the risk. Will they commit to a price for all future connectors? Will they lead with a fixed price proposal for everything you need?
Chris took the high road and I was proud (please don't tell him).
The virtual compliance gap was also interesting - the identity track folks touched on the difficulty of demonstrating compliance in a virtual world and so did the virtualization folks, but it's clear a lot of work needs to be done before these areas converge. How, exactly, do you demonstrate compliance to geographically specific regulations when that data (and the entire application and server that's instantiating your business process) is automatically floated between different data centers in different parts of the world to manage power consumption? This is a topic for a future blog.
Finally, the conspicuous lack of deeply successful case studies was, for me, the most important observation and not entirely disconnected from Chris' comments about the importance of partnering with the right vendor. There were several "customer success" stories but the only one I heard that showed deep and lasting success was Wendy Booker from SunTrust Banks (full disclosure: a Courion customer.) In Wendy's case, she covered how they funded a robust access assurance program that manages fine grained entitlements for 35,000 people, with detailed roles and 50+ custom connectors automating all aspects of provisioning and compliance for hundreds of systems and applications - yielding dramatic control, efficiency and service quality improvements.
I hope I didn't miss an important session but most of the other deployments described seemed superficial, such as the case where it took 18 months to do 25 roles for 25,000 people and they only covered RACF and AD. Really? Most companies I know with 25,000 people are dealing in the range of 500-1000 applications, with hundreds of them being KFA (key financial applications for SOX) or HRA (high risk applications for the business). Surely 25 roles for this level of complexity does not begin to address the problem or opportunities.
I began to realize that the elephant in the room is connectors. All provisioning and/or compliance vendors have connectors for RACF and AD but this doesn't begin to meet the need for companies with this kind of scale and complexity. At Courion, we have 160+ out-of-the-box connectors, but what's the likelihood they will be the 160+ most important of the 1000+ that you need?
That's it then: the Achilles heel of the Provisioning and Access Compliance world is connectors. Can your vendor give you a low fixed price for as many as you need? Can they commit to a price in advance, even before you know what the applications are, so that you can plan and manage your deployment out of Phase I and into something that truly enables the business? The answer in almost all cases is, "No".
This is a problem that Courion has been working on for a long time - we understand the issues that make this difficult and we have tooled ourselves to address them. Today, not at some time in the future, we provide our customers unlimited connectors with speed and efficiency, and at one low fixed price - perhaps there's some fodder here for a future blog as well.
Posted by Todd Chambers - CMO on Tue, Aug 04, 2009
There have been a number of indicators in the past few weeks which suggest the market for automated identity and access management (IAM) solutions will continue to see solid growth.
Industry expert and Network World columnist Dave Kearns recently reported on the results of a survey fielded at The Experts Conference this Spring, which found that:
- User provisioning and de-provisioning, and compliance reporting, were the second and third toughest challenges facing the 240 IT managers surveyed.
- Getting better tools and automation was at the top of the respondents' wish lists for the third year in a row.
Dave rightly points out that: "It's been more than 10 years since the first provisioning applications/services were introduced and yet it's still presenting problems to IT departments. Admittedly, there's more to provision these days what with outsourced services and cloud-based apps."
Additionally, a recent Deloitte & Touche survey of life sciences and healthcare organizations found that identity and access management is a top operational imperative and a core enabler of enterprise applications as access to information and data is a growing need.
Finally, Courion's own June survey found that of the 59% of companies that have some form of automated tools in place (commercial or homegrown) for provisioning and de-provisioning employee access, they are still only covering a fraction of their systems and resources, making the continued opportunity to increase business value very compelling.
Many organizations today think that implementing an integrated IAM solution is a daunting, risky, and time-consuming process, and therefore hesitate to ensure that their access controls are appropriate for the business. The truth is that today, the right access assurance strategy can be implemented quickly, cost effectively, and in stages that will minimize upfront investment and maximize short-term returns. Getting quick wins under your belt can help validate your longer term security and compliance strategy.
So, is your organization being protected from sensitive data breaches caused by inappropriate access? If "no", then you're not alone, but that shouldn't be a welcome feeling.
Posted by Brian Milas - CTO on Tue, Jun 23, 2009
CSO Magazine's June 2009 article, Undercover: A Case of Help Desk Failure takes me back to the early days when Courion was working with early adopters of automated password reset solutions.
The article describes how social engineering was used to gain access to another person's password through the helpdesk... highlighting the need (and difficulty) in challenging helpdesk callers with a set of questions that correctly authenticate the individual but yet are easy for the individual to remember.
In the early days of Courion, we heard similar stories about weak authentication processes at the helpdesk. The most memorable was the helpdesk whose reps recognized the voice of the caller... and this was not an isolated case, several companies used this "authentication mechanism".
The article goes on to emphasize the importance of security, compliance, and controls from the perspective of the business rather than just from the IT frame of reference. Security and compliance should be part of the business, enabling it to move faster... making it easy for a worker to perform their job securely, and difficult to take risky actions.
Posted by Todd Chambers - CMO on Mon, Jun 08, 2009
The revelation that a highly placed State Department official and his wife have been spying for Cuba for almost 30 years should be another reminder that internal 'espionage' is every bit as dangerous as external hacking, and can be even more costly. For much of the past 30 years, technologies didn't exist that would allow IT managers to detect suspicious access patterns. That's not the case anymore.
Today, an advanced Access Assurance strategy with a combination of detective and preventative controls (DLP, SIEM, provisioning...) gives the security team insight not only into who has access to which resources, but what they are doing with that access, and whether that action logically corresponds with the user's job requirements.
As the White House further develops its new cybersecurity plan, it will be important to include guidelines that direct the implementation of a consistent Access Assurance strategy across agencies. While external hacks certainly pose a risk, protecting sensitive data from insider threats should be just as high of a priority.