Courion Access Assurance Blog

Courion Corporation


Security Czar Highlights Insider Threats


Melissa Hathaway served as Senior Advisor to the Director of National Intelligence and Cyber Coordination Executive during the administration of President George W. Bush, and as Acting Senior Director for Cyberspace for the National Security Council during the administration of President Barack Obama.

In her recently posted perspective on the state of cybersecurity ("Five Myths About Cybersecurity") published in the ExecutiveBiz Blog she highlights the following:

    • Myth 1: Consumer protection exists in cyberspace
    • Myth 2: Firewalls and virus scanners protect my computer and my enterprise
    • Myth 3: My government has the solution and will protect me
    • Myth 4: Physical assets are more valuable than information
    • Myth 5: Laws are keeping pace with technological innovation

It is interesting to note that she specifically points out that "Few software programs protect us from the insider threat..." which according to a Verizon Business Breach Survey, accounts for approximately a third of all breaches.

This is especially concerning when you consider that a recent survey entitled "The Global Recession and Its Effect on Work Ethics", carried out by Cyber-Ark, found that 48% of respondents admit that if they were fired tomorrow they would take company information with them. A quarter of workers also said that the recession has made them feel less loyal towards their employer.

It seems clear that protecting your organization from insider threats, and even from external threats made possible by the inappropriate use of insider access (zombie accounts, weak password practices, and so on), should be a key part of your Access Assurance strategy. The myth of being protected is not a strategy, so: how safe is your environment?

Ramifications of IAM And The Cloud - Part II


In my previous posting on Cloud Computing, I discussed some of the identity and access management (IAM) issues that arise from moving enterprise applications, particularly those containing sensitive data, to a cloud-based platform.

Now, I'd like to turn my attention to some of the same issues that come out of the emerging identity as a service (IaaS) trend, which entails delivering IAM services (user account provisioning, password management, single sign-on, access certification, etc.) using a cloud architecture.

Just as with any other application containing sensitive data, managing user identities via IaaS raises important risk and trust issues. By allowing an external service provider to manage your users' identities, you're essentially handing them the keys to the kingdom. You need to ensure that those keys will be kept safe and secure and that you will have complete and transparent control over the management of identities, in a way that is consistent with your acceptable level of risk.

You should also consider the ramifications if the service provider requires in-bound access to your data center in order to provision user accounts and access rights for internal applications. How will you monitor this activity and protect your internal systems from unauthorized external access?

And, just as with any other sensitive application, you need to know who at the service provider (i.e., system and database administrators) will have access to your users' identities, and what they will be able to do with them. Will user IDs and passwords be stored securely and encrypted? How will backup and recovery be handled? Are all identity transactions captured in a secure audit database? Who is responsible for making sure only authorized users can obtain or change identities?

As part of your contractual negotiations, you need to define processes and procedures to protect you legally and financially. If there is a breach of your users' identities, who will be responsible and how will the costs be covered? Will you have access to the environment to perform the necessary forensics to determine the cause of the breach, or will you have to rely solely on the service provider?

These are some of the questions that should be addressed as part of using IaaS to deliver your Access Assurance solution, and we recommend you work with your service provider to make sure you clearly define how the processes of managing your users' identities will work.

Ramifications of IAM And The Cloud


Cloud computing is hot and enterprises (and many of their software suppliers) are moving enterprise applications to the cloud. Why? Because cloud computing offers some attractive advantages. The economics can be very appealing, since by moving applications to a cloud provider, companies can reduce capital expenditures and pay for resources as they consume them. Because cloud applications typically run on a shared platform, cloud providers are able to deliver services at a lower cost. And cloud applications deliver greater flexibility, since virtualization technology allows cloud providers to dynamically expand or reduce resources to meet fluctuating business needs, which is particularly appreciated by companies with seasonal spikes in utilization (such as retail during the holiday season).

At Courion, our concern is with how cloud computing affects your Access Assurance strategy. First we'll consider the identity and access management (IAM) ramifications of moving internal applications to an external cloud-based platform.

As we noted in a posting last April (Bringing Clarity to the Cloud (Manifesto)), when you outsource crucial applications to an external provider (regardless of whether it's cloud-based or not), one factor you need to consider is how you'll manage the identities of users who require access to those systems, whether through provisioning, role management, access certification or password management. The good news is that the process of providing users with secure access to cloud applications is conceptually the same as with a traditional, in-house architecture. If you have an IAM infrastructure for managing users' identities, it should be able to do the same for a cloud, or any other web-based, application. You'll want assurance that you'll have the ability to automatically modify access rights when the user's role changes or revoke accounts when they leave the organization.

You should also weigh the risk associated with the data that you're moving to the cloud. Even though it's still your data, you're inevitably giving up some element of control over how that data is protected. You need to make sure that you can analyze the balance between risk and reward and evaluate the potential risk to your organization if there is a data breach in the cloud application.

For example, cloud service providers rely on their system administrators, just as you do in your own data center. Who will be the system administrators for the cloud application and what steps will be taken to prevent them, or other internal users, from unauthorized access to your sensitive data? If there is a breach, what kinds of forensic tools will be available to help you determine what happened? 

Do you even know where the data will reside? Is there a possibility that the cloud provider might move your data to locations beyond your country's borders to, for example, save costs? If that's the case, make sure you understand the legal ramifications that arise when personal or private information (such as patient healthcare or customer financial data) crosses international boundaries.

Bottom line: trusting your sensitive data to a cloud provider raises a mix of interesting questions, so make sure you consider them as part of your overall IAM and security policies and procedures. Sign up for our webinar on "Access Assurance in the Cloud" to learn more.

Personal E-mail Breach Serves as Cautionary Tale for Enterprises


Recently, reports have surfaced revealing that user log-in credentials for more than 30,000 Web-based email accounts - including those from AOL, Gmail, Hotmail and Yahoo Mail, among others - have been stolen and made publicly available on the Internet. It's interesting to note that analysis of the stolen Hotmail passwords showed that 42% used only letters, nearly 20% only numbers, and the most frequently-used passwords overall were - you guessed it - "123456" and "123456789."

Although these particular attacks occurred with consumers' personal, Web-based email accounts, the cautionary message applies equally to enterprises.  Companies need to keep in mind that "cross-over" will inevitably exist between employees' personal and business accounts - work-related emails may be forwarded to or sent directly to and from personal accounts or employees may also choose to replicate "personal" passwords for work applications.  These bad password practices, among others, can expose more than employees' personal information, opening the door to corporate security and compliance risks that can potentially result in serious financial and reputational losses.

Enterprises need to ensure they've put in place sound password safeguards that ensure optimized security and compliance with password policies while still promoting ease-of-use and productivity for employees.  Our customers are achieving these benefits through self-service password management and synchronization which has been seen to reduce password-related Help Desk calls by more than 80%.  Users are able to access their password profiles and make changes at any time, rather than only when the Help Desk is open, and the new passwords are automatically applied across all other relevant applications and systems.  IT staff can set and enforce self-service password policies in accordance with industry regulations and internal best practices, such as requiring more complex passwords - like minimum password length, mixed cases and numeric or other special characters - and more frequent password renewal, among other things.  But whatever the password management solution, companies need to be keenly aware of the potentially bad personal password practices that employees may carry over into the workplace as well as the increasingly blurry lines between personal and work-related applications and access to them.
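The paragraph above describes the kind of self-service password policy IT staff would enforce (minimum length, mixed case, numeric or special characters) and the composition breakdown reported for the leaked Hotmail passwords. The following is an added Python example, not code from Courion or from the original post: a small policy checker that returns every rule a candidate password breaks, plus an audit function that buckets a password set into the letters-only / digits-only / mixed classes the post quotes. The policy values, the deny list and the sample password set are constructed assumptions.

```python
"""Password-policy enforcement and composition audit (illustrative, constructed values)."""
import string
from collections import Counter
from dataclasses import dataclass

# Constructed deny list; the first two entries are the ones the post reports as most frequent.
COMMON_PASSWORDS = frozenset({"123456", "123456789", "password", "qwerty", "letmein"})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12            # assumed values; tune to your own standard
    require_mixed_case: bool = True
    require_digit_or_symbol: bool = True


def composition(pw: str) -> str:
    """Bucket a password the way the post's breakdown of the leaked accounts does."""
    if pw.isalpha():
        return "letters-only"
    if pw.isdigit():
        return "digits-only"
    return "mixed"


def is_sequential_digits(pw: str) -> bool:
    """True for keyboard-walk runs such as 123456 or 987654 (every step differs by exactly 1)."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def violations(pw: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return every rule the candidate password breaks; an empty list means it is accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    if policy.require_mixed_case and not (has_lower and has_upper):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_digit_or_symbol and not any(
        c.isdigit() or c in string.punctuation for c in pw
    ):
        problems.append("needs a digit or special character")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny list")
    if is_sequential_digits(pw):
        problems.append("sequential digit run")
    return problems


def audit(passwords: list[str]) -> dict[str, float]:
    """Share of a password set in each composition bucket, in percent (one decimal)."""
    counts = Counter(composition(p) for p in passwords)
    total = len(passwords) or 1
    return {
        bucket: round(100 * counts[bucket] / total, 1)
        for bucket in ("letters-only", "digits-only", "mixed")
    }


# Constructed sample standing in for a leaked credential dump.
SAMPLE = [
    "123456", "123456789", "sunshine", "Tr0ub4dor&3", "qwerty",
    "19851985", "Correct-Horse-Battery", "abcdef", "Passw0rd!", "7777777",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    for pw in SAMPLE:
        print(f"{pw!r}: {violations(pw) or 'accepted'}")
```

The checker deliberately reports all broken rules rather than stopping at the first, which is what a self-service reset page needs in order to tell the user how to fix the candidate in one attempt; the `audit` function is the reviewer-side view, useful for measuring an existing password store (after a forced reset, for instance) against the same policy.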

Revealed: Insider Data Breach at Ford


Last week a former Ford product engineer (from 1997-2007) was arrested at O'Hare airport and charged with stealing 4,000 sensitive design documents worth millions of dollars. According to reports, Xiang Dong Yu, 47, of Beijing, was charged in a five-count indictment with theft of trade secrets, attempted theft of trade secrets and unauthorized access to a protected computer. Apparently he stole this data back in 2006 before he left the company and has been using it to try to gain employment with other rival manufacturers in China.

As we continue to see these instances of data theft in the news, companies need to be laser focused on implementing strong Access Assurance strategies that ensure that the right people have the right access to the right resources and are doing the right things.  When an employee leaves a company or changes roles, access policies need to be enforced immediately to prevent these types of breaches, especially in organizations where proprietary data is the stock-in-trade.  A complete Access Assurance solution, including detective and preventative controls, helps alert IT managers to inappropriate access to sensitive data so they are able to remediate potential risk.

We talked last week about the evidence of a growing IAM market, as organizations are clearly working to address these challenges.  But IAM is moving beyond traditional boundaries in organizations and needs to encompass elements of preventative and detective controls by reaching out to various monitoring technologies to assure that information gets into the right context to drive remediation. 


Education IT Priorities: Funding, Security, Identity/Access Management


EDUCAUSE, a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology, recently conducted their 10th annual EDUCAUSE Current Issues Survey. Given the tight IT (and overall) budgetary controls education institutions are facing today, along with increased data privacy laws and regulatory requirements, it's not surprising that "funding IT," "security" and "identity/access management" were among the top-ten issues IT leaders identified as the most critical to resolve in 2009.

These findings mirror the challenges and priorities we're seeing with our education and other customer segments out in the field every day. From an identity and access management - or more broadly, Access Assurance - perspective, we're helping them to approach each of these areas in new ways that deliver measurable ROI by improving risk and compliance while reducing costs:

Funding IT - our customers are facing CFOs that want concrete results in return for new IT spending. In response, we've developed a self-funding model that delivers "quick wins" through an incremental deployment scenario that helps to rationalize a larger, longer-term Access Assurance strategy. The process enables the customer to start improving Access Assurance one step at a time and to pinpoint where and when potential cost-savings come into play - right down to the exact timing of specific operational savings. One Courion customer recently implemented a significant Access Assurance initiative without spending a single budget dollar!

Security - higher ed IT staff are trying to mitigate the risks driven by the growing volume of information across multitudes of devices, web-based applications, and other network resources. One of the key pieces of this challenge is controlling user access to all of this data. By viewing users' behavior on the network as "body language," IT managers can get important clues that may signal inappropriate access or malicious intentions. If an employee is about to resign, for example, his or her network behavior during the weeks prior to giving notice often follows consistent patterns: copying entire folders from file servers could be a signal that an employee is about to depart. Access Assurance technology puts safeguards in place to detect various types of network body language, more effectively and efficiently control user access, and ensure continuous compliance with privacy laws and other federal regulations.

Identity and Access Management (IAM) - as campuses attempt to deal with restricted access systems, such as databases and intellectual property, and the emergence of cloud or software-as-a-service applications, setting policies and controlling user access to all of these systems and applications has become a top priority. IT staff must carefully balance a campus's need for collaboration and information sharing with the need to protect sensitive data and meet government regulations, such as those limiting user access to non-public resources. To effectively create, manage and monitor user access, institutions need to begin looking at identity and access management as more than just password management. A holistic approach to IAM - one that incorporates on-premise and cloud-based systems as well as processes such as automated user provisioning, role management and access certification, and credentialing, among other elements - can help higher ed IT staff increase campus-wide IT security and compliance as well as user productivity while ultimately reducing costs.
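The "Security" item above gives one concrete piece of network body language: a user who suddenly copies entire folders from a file server. As an added example, not code from Courion or from the original post, here is a Python detector that reads file-server audit lines, counts the distinct files each user reads per day, and raises an alert only when a day exceeds both an absolute floor and a multiple of that user's own prior daily mean. The log format, the field names, the thresholds and the two-user sample log are all constructed assumptions; a real deployment would read the audit trail your file server actually produces.

```python
"""Bulk file-read detector over a constructed file-server audit log."""
import re
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Assumed line format: <ISO timestamp> <user> <READ|WRITE|COPY> <path>
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) (READ|WRITE|COPY) (\S+)$")


def constructed_log() -> list[str]:
    """Synthetic audit log: bob reads steadily; alice reads five files a day,
    then pulls 80 files from one archive folder on the last day."""
    lines = []
    start = date(2009, 8, 10)
    for d in range(5):
        day = (start + timedelta(days=d)).isoformat()
        for i in range(6):
            lines.append(f"{day}T10:{i:02d}:00 bob READ /srv/eng/proj-{i % 2}/file{i}.doc")
        n = 5 if d < 4 else 80
        for i in range(n):
            lines.append(f"{day}T11:{i % 60:02d}:00 alice READ /srv/eng/archive/doc{i}.pdf")
    return lines


def parse(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Return (day, user, action, path) tuples; malformed lines are skipped, not fatal."""
    records = []
    for ln in lines:
        m = LINE.match(ln)
        if m:
            records.append(m.groups())
    return records


def daily_distinct_reads(records) -> dict[str, dict[str, int]]:
    """user -> day -> number of distinct paths read that day."""
    seen: dict[str, dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for day, user, action, path in records:
        if action == "READ":
            seen[user][day].add(path)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def bulk_read_alerts(counts, ratio: float = 5.0, floor: int = 50, min_history: int = 2):
    """Alert when a day's distinct reads are >= floor and > ratio x the user's prior mean.
    Returns (user, day, count, prior_mean) tuples. The first `min_history` days only
    build the baseline, so a brand-new account cannot trip the detector on day one."""
    alerts = []
    for user, days in counts.items():
        history: list[int] = []
        for day in sorted(days):
            n = days[day]
            if len(history) >= min_history and n >= floor and n > ratio * mean(history):
                alerts.append((user, day, n, round(mean(history), 1)))
            history.append(n)
    return alerts


def run():
    """Run the whole pipeline over the constructed log."""
    return bulk_read_alerts(daily_distinct_reads(parse(constructed_log())))


if __name__ == "__main__":
    for user, day, n, baseline in run():
        print(f"ALERT {user} read {n} distinct files on {day} (prior daily mean {baseline})")
```

Counting distinct paths rather than raw read events keeps a user who re-opens the same document all day from looking like a bulk copy, and the per-user baseline means the threshold adapts to roles that legitimately touch many files; the absolute floor stops a jump from one file to six from being flagged as "six times normal".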

We're currently conducting our own education survey looking into the IAM practices of education organizations, so stay tuned - we'll make our findings public over the coming months.

Bringing Open Identity to Government – A Good Step Forward


Last week, the Gov 2.0 Summit opened in Washington, D.C., where policy makers and industry leaders discussed how technology can make government more functional. In conjunction with the summit, 10 companies announced that they will act as digital identity providers by supporting OpenID and Information Card technologies (described in depth here) for government Web sites, in an effort to make government Web sites easier to interact with. According to InformationWeek, the pilot programs aim to make use of Web 2.0 technologies to make government Web sites more open and participatory.

OpenID and Information Card technologies are a key part of the White House's Open Government initiative, which aims to provide strong privacy protections for users in order to speed efficiency. The purpose of these pilot programs is to give visitors to government Web sites pseudonymous interaction options that don't require users to reveal personal information.  This makes access quicker, and requires less authentication from the user.

We applaud this effort and look forward to the next step in the process of delivering a holistic approach to access assurance as pointed out in my recent post.  The move to trusted frameworks like OpenID is an important step to foster more participation and more efficiencies within our government agencies, and given the desire by the government to make more personal information available more broadly, it is critical to ensure that Web-based data is thoroughly protected.

IDC/RSA Survey: Inappropriate User Access Causes Greatest Financial Impact


A recent RSA-sponsored IDC survey on insider risk management resulted in some pretty interesting findings, suggesting at the highest level that IT organizations may be focused on the wrong things when it comes to insider risk. According to the survey, CXOs tend to give higher priority to protecting their organizations against malicious insider attacks rather than the more frequently occurring and potentially more damaging accidental insider breaches, of which inappropriate user access is a key element.

For example, the RSA security blog further revealed that while 65% of CXOs reported their top concern as unauthorized or deliberate access to systems and data, they cited 5,794 unintentional incidents created by excessive access rights - one of the highest categories of risk incidents over the last 12 months. CXOs also revealed that the greatest financial impact to their organization was caused by risks related to out-of-date or excessive access rights (17%) - again tied to unintentional user behavior.

Ultimately though, whether unauthorized access threats are internal or external, malicious or accidental, they all pose a major risk to sensitive data, and more broadly, an organization's brand integrity and financial and regulatory compliance posture. Inappropriate user access remains one of the top IT challenges for corporations, as this and numerous other industry surveys and analyst data continue to prove. A comprehensive Access Assurance strategy needs to be a core part of every organization's risk strategy to ensure that only the right people have the right access to the right resources and are doing the right things.

Federal Access Control Policies Require Holistic Approach


A few weeks back in a post on our blog, we discussed the shocking increase in the lack of compliance by government agencies with FISMA, as reported to Congress in a report from the U.S. General Accounting Office (GAO). That report showed that the number of information security incidents had more than tripled to over 16,000 in the past 3 years alone, directly pointing to access control weaknesses and poor password management as prime factors.

Why are these numbers increasing when security technology has advanced and awareness has risen about the potential disaster that data breaches can cause?  For one, the ongoing search for a national cybersecurity coordinator hasn't helped matters.  Recently, Mischel Kwon, the director of US-CERT, the Department of Homeland Security's research and response unit, resigned to take a position at RSA.  That move was apparently in response to the cybersecurity leadership vacuum that has been growing since the resignation of Melissa Hathaway, formerly the top adviser on security and the architect of the administration's current policy on cybersecurity.  The position has become so nebulous, wide-ranging and open-ended, that many top security experts and public officials have turned down the role, viewing it as a no-win situation.  It is not clear when the leadership will come and from where.

Meanwhile, the General Services Administration's (GSA) e-Authentication Partnership that was initiated in 2004 was taken over and re-tooled by the Office of Governmentwide Policy last October, and the most recent advice from that office has been for federal agency leaders to "consider projects to keep pace with government-wide identity management initiatives."  Not very specific guidelines, are they?  In fact, there are several government consortiums (at least six according to a recent article by Alice Lipowicz for Federal Computer Week) that are currently working to create a blueprint for how federal agencies should be controlling access to shared data, and terms like "trusted federation," "authentication" and "credentials" are often used to describe the plans.

While cybersecurity leadership is clearly needed to drive security reform and get everyone on the same page in terms of how data should be shared responsibly, there is a major issue that agencies can address now, and that is the way in which access control and identity are viewed at the federal level.

Currently, identity management is tackled from an authentication perspective - meaning access to applications or systems is granted based on whether an employee is authenticated as being him or herself. However, this is really only the first step in a true Access Assurance strategy. Proving that an individual is who they say they are only provides one layer of security. It doesn't take into account many other factors, including whether someone's role in the organization or agency makes it necessary for him or her to have access to certain information at all. Also missing from a basic authentication strategy is the remediation of open access that should have been closed due to an employee leaving the organization or changing roles. Authentication or verification of individuals, while needed, does not provide a full access profile.

There is a need for a more overarching Access Assurance strategy across agencies, which will enable access compliance and transparency with regard to access control, ensuring that the right people have the right access to the right resources and that they are doing the right things.   Agencies should seek to widen their view of Access Assurance now while the wait for cybersecurity leadership continues, so they'll be ready to tackle the many inevitable changes that will be on the horizon.

CSO Magazine Takes Me Back To The Early Days Of Passwords


CSO Magazine's June 2009 article, Undercover: A Case of Help Desk Failure takes me back to the early days when Courion was working with early adopters of automated password reset solutions.

The article describes how social engineering was used to gain access to another person's password through the helpdesk, highlighting the need (and difficulty) of challenging helpdesk callers with a set of questions that correctly authenticate the individual yet are easy for the individual to remember.

In the early days of Courion, we heard similar stories about weak authentication processes at the helpdesk. The most memorable was the helpdesk whose reps recognized the voice of the caller... and this was not an isolated case, several companies used this "authentication mechanism".

The article goes on to emphasize the importance of security, compliance, and controls from the perspective of the business rather than just from the IT frame of reference. Security and compliance should be part of the business, enabling it to move faster: making it easy for a worker to perform their job securely, and difficult to take risky actions.
