Posted by Todd Chambers - CMO on Wed, Dec 23, 2009
Melissa Hathaway served as Senior Advisor to the Director of National Intelligence and Cyber Coordination Executive during the administration of President George W. Bush, and as Acting Senior Director for Cyberspace for the National Security Council during the administration of President Barack Obama.
In her recently posted perspective on the state of cybersecurity ("Five Myths About Cybersecurity") published in the ExecutiveBiz Blog she highlights the following:
- Myth 1: Consumer protection exists in cyberspace
- Myth 2: Firewalls and virus scanners protect my computer and my enterprise
- Myth 3: My government has the solution and will protect me
- Myth 4: Physical assets are more valuable than information
- Myth 5: Laws are keeping pace with technological innovation
It is interesting to note that she specifically points out that "Few software programs protect us from the insider threat..." which according to a Verizon Business Breach Survey, accounts for approximately a third of all breaches.
This is especially concerning when you consider that a recent survey entitled "the global recession and its effect on work ethics", carried out by Cyber-Ark, found that 48% respondents admit that if they were fired tomorrow they would take company information with them. And a quarter of workers said that the recession has meant that they feel less loyal towards their employer.
It seems clear that protecting your organization from insider threats, and even external threats made possible by the inappropriate use of insider access (zombie accounts, weak password practices...) should be a key part of your Access Assurance strategy. The myth of being protected is not a strategy, so, how safe is your environment?
Posted by Todd Chambers - CMO on Fri, Dec 18, 2009
Companies' that work to mitigate risk in their business face numerous identity and access management challenges spanning Access Governance, Access Provisioning, and Access Compliance, but with each organization each of these areas will be prioritized differently. As you build your strategy it's important not to attack each challenge as if it were stand-alone and unaffected by other business imperatives. In other words, it's critical that your solutions allow you to "start anywhere" based on your unique business drivers and requirements, but also allow you to "go anywhere" in order to gain greater value by addressing the broader goals of your organization.
Take for example a company unable to demonstrate that their employees have only the minimum required access to company resources to do their jobs. On the surface this seems to be a straight forward access verification challenge of identifying who has access to what resources, and then asking the managers in the organization to vet the access, right? In actuality, this is just part of the process needed to appropriately assure that ONLY the right people have the right access to the right resources and are doing the right things with it.
When delivering an access verification solution you need to ask yourself, "How will we manage all the exceptions that it will clearly uncover?" And, "How will we manage it over time and in an automated fashion to accommodate the changes constantly taking place in our business?" The ultimate goal should be to enable the verification AND remediation of access regardless of your environment. Sure, you need to be able to send email alerts and link to help desk systems, but you also should have the ability to automatically change, disable, or delete access directly for any resource, with or without an existing automated provisioning solution. This approach will make your business more agile and effective (easier compliance adherence, increased efficiency and effectiveness) and at the same time reduce risk for the organization.
A "start anywhere, go anywhere" approach is a cornerstone of Access Assurance and is especially critical to success in today's environment where all businesses need to show incremental value on the way to their ultimate goals. Delivering successful programs that are cost effective, easy to manage, and deliver business results quickly, are great ways to increase security, compliance and business value, as long as they are an integrated part of your access assurance strategy. Not to mention, having multiple "wins" under your belt is always nice to have when requesting your next round of resources.
Posted by Bob Craig - Dir Prod Marketing on Thu, Dec 17, 2009
Recently, industry analyst Martin Kuppinger of Kuppinger-Cole, posted an article "CapEx and OpEx - the latest thing in IT buzzwords: On the economics of Cloud Computings," in which he discusses CIO's interest in new IAM offerings which allow them to avoid capital expenditures. In particular, Kuppinger points out that, "Cloud Computing offers a way of reducing capital expenditure for IT by getting out of costly leasing agreements or classic licensing contracts and switching to rental models while achieving as much security and flexibility as possible."
However, Kuppinger also warns, that, "...customers would be best advised to ask critical questions. Simply reducing CapEx doesn't always make the biggest business sense," to which we say, "Amen!" Just this past week, we blogged on the Ramifications of Cloud Computing, in which we discussed some of critical questions customers need to consider before adopting a cloud-based solution. While there are significant benefits to moving enterprise applications or identity management to a cloud platform, there are also risk and trust issues that you need to consider and work out with your cloud provider before there's a data breach, not after.
However, cloud computing is all about reducing, but not eliminating, the impact of IAM (and other applications) on your budgets. Wouldn't it be better to improve risk management and security without affecting your budget at all? For more on that, read the blog Creating Budget Where None Exists by Chris Zannetos, which discusses how a Courion customer "...automated access compliance and attestation and automated provisioning for over 100 applications - without spending a single budget dollar."
Posted by Bob Craig - Dir Prod Marketing on Mon, Dec 14, 2009
In my previous posting on Cloud Computing, I discussed some of the identity and access management (IAM) issues that arise from moving enterprise applications, particularly those containing sensitive data, to a cloud-based platform.
Now, I'd like to turn my attention to some of the same issues that come out of the emerging identity as a service (IaaS) trend, which entails delivering IAM services (user account provisioning, password management, single sign-on, access certification, etc.) using a cloud architecture.
Just as with any other application containing sensitive data, managing user identities via IaaS raises important risk and trust issues. By allowing an external service provider to manage your user's identities, you're essentially handing them the keys to the kingdom. You need to ensure that those keys will be kept safe and secure and that you will have complete and transparent control over the management of identities, in a way that is consistent with your acceptable level of risk.
You should also consider the ramifications if the service provider requires in-bound access to your data center in order to provision user accounts and access rights for internal applications. How will you monitor this activity and protect your internal systems from unauthorized external access?
And, just as with any other sensitive application, you need to know who at the service provider (i.e., system and database administrators) will have access to your user's identities, and what will they be able to do with them. Will user IDs and passwords be stored securely and encrypted? How will backup and recovery be handled? Are all identity transactions captured in a secure audit database? Who is responsible making sure only authorized users can obtain or change identities?
As part of your contractual negotiations, you need to define processes and procedures to protect you legally and financially. If there is a breach of your user's identities, who will be responsible and how will the costs be covered? Will you have access to the environment to perform the necessary forensics to determine the cause of the breach or will you have to rely solely on the service provider?
These are some of the questions that should be addressed as part of using IaaS to deliver your Access Assurance solution and we recommend you work with your service provider to make sure you clearly define how the processes of managing your user's identities will work.
Posted by Bob Craig - Dir Prod Marketing on Tue, Dec 08, 2009
Cloud computing is hot and enterprises (and many of their software suppliers) are moving enterprise applications to the cloud. Why? Because, cloud computing offers some attractive advantages. The economics can be very appealing, since by moving applications to a cloud provider, companies can reduce capital expenditures and pay for resources as they consume them. Because cloud applications typically run on a shared platform, cloud providers are able to deliver services at a lower cost. And, cloud applications deliver greater flexibility, since virtualization technology allows cloud providers to dynamically expand or reduce resources to meet fluctuating business needs, which is particularly appreciated by companies with seasonal spikes in utilization (such as retail during the holiday season).
At Courion, our concern is with how cloud computing affects your Access Assurance strategy. First we'll consider the identity and access management (IAM) ramifications of moving internal applications to an external cloud-based platform.
As we noted in a posting last April, (Bringing Clarity to the Cloud (Manifesto)), when you outsource crucial applications to an external provider (regardless of whether it's cloud-based or not) one factor you need to consider is how you'll manage the identities of users who require access to those systems, whether through provisioning, role management, access certification or password management. The good news is that the process of providing users with secure access to cloud applications is conceptually the same as with a traditional, in-house architecture. If you have an IAM infrastructure for managing users' identities, it should be able to do the same for a cloud, or any other web-based, application. You'll want assurance that you'll have the ability to automatically modify access rights when the user's role changes or revoke accounts when they leave the organization.
You should also weigh the risk associated with the data that you're moving to the cloud. Even though it's still your data, you're inevitably giving up some element of control over how that data is protected. You need to make sure that you can analyze the balance between risk and reward and evaluate the potential risk to your organization if there is a data breach in the cloud application.
For example, cloud service providers rely on their system administrators, just as you do in your own data center. Who will be the system administrators for the cloud application and what steps will be taken to prevent them, or other internal users, from unauthorized access to your sensitive data? If there is a breach, what kinds of forensic tools will be available to help you determine what happened?
Do you even know where the data will reside? Is there a possibility that the cloud provider might move your data to locations beyond your country borders to, for example, save costs? If that's the case, make sure you understand the legal ramification that arise when personal or private information (such as patient healthcare or customer financial data) crosses international boundaries.
Botton line: trusting your sensitive data to a cloud provider raises a mix of interesting questions, so make sure you consider them as part of your overall IAM and security policies and procedures. Sign up for our webinar on "Access Assurance in the Cloud" to learn more.