Posted by Brian Milas - CTO on Thu, Feb 26, 2009
Government Computer News published an interesting article on cross-domain identity management. The benefits of federated identity are clear: one identity, a single sign-on experience, and authorization decisions made at the service provider (relying party).
Products and technologies are available today that make these benefits possible. The legal and political challenges are often the more difficult part; in the article, Roger Sullivan states, "Working out the business procedures is 90 percent of the problem".
I'd love to have a single identity that transitions between our corporate servers, 401K provider, travel agent, expense tracking, healthcare, and the other systems that we use. Ideally, I'd log on to my desktop and seamlessly transition between the systems.
Take the perspective of the 401K provider. They will require both technical and legal contracts with my employer to make this happen. Then, to ensure that they are properly managing and vetting identities, they may require periodic audits and monitoring, and they will want to minimize their exposure in the event of a breach. Now repeat this process for all the customers of the 401K provider.
Take the perspective of my employer: we'll want to do the same on our end, making sure that the 401K provider, travel agent, etc. are properly controlling and managing access, and again making sure that the company is protected and its exposure and risk are minimized.
We'll need to deal with these issues soon. In Massachusetts, the upcoming Standards for the Protection of Personal Information (MA 201 CMR 17.00) are going to require policies, processes, and systems to be put in place both for the business itself and for services that are outsourced to vendors such as the 401K provider. This is proactive regulation intended to protect personal information (PI) about MA residents. The company will be required to review (and even amend) its legal contracts with vendors who manage or have access to MA PI.
Posted by Chris Sullivan - VP Customer Solutions on Thu, Feb 19, 2009
InformationWeek posted a blog yesterday that "ROI Is Not A Good Justification For Security". With all due respect to blogger Mike Fratto, yes it is.
In fairness to Mike, I think he's reacting to increasing pressure across every industry to cost-justify security programs, and he's reminding us of two very important facts. First, there are risk management and compliance benefits that, just because they are harder to quantify for the CFO, should not be ignored. Second, it might be harder than you think to realize some operational efficiencies.
Here's the rest of the story...
Companies deploy access assurance solutions for 3 simple reasons:
- Effective security controls reduce risk and meet compliance demands
- Automation yields efficient security operations
- Speed enables the business to move faster
You must justify programs internally by being realistic about which of the benefits will secure funding:
- Effective security is attractive if it addresses high-risk areas identified in risk assessments done with the business. In today's environment, this might be the insider threat from disgruntled, soon-to-be-former or former employees.
- Efficiency gains are real and measurable. It may be hard to recover the cost from employees working as part-time security administrators, but a company's core applications like SAP, AD, RACF and email require dedicated personnel who are easy to identify. Increasingly, companies are auditing for efficiency as well. Here is some actual data from our customers:
- A 7,000-person teaching hospital automated 24,960 password resets and 52,708 account creates, adds, changes and disables in 2008.
- A 35,000-person retail bank is automating account administration where turnover is approximately 800 people per month. In addition, they report having saved $2,175,300 in help desk calls by automating password resets alone.
- Enabling the business means getting employees productive more quickly, or executing mergers or divestitures more quickly.
In most companies today, the optimal approach is to build a business case that clearly and conservatively defines how an access assurance program:
- Enables the business (soft benefits)
- Meets security needs (basic requirements)
- Saves money (operational efficiency)
If you need some help with this, let me know ;)
Posted by Brian Milas - CTO on Thu, Feb 19, 2009
Overview: Many systems and applications are adopting a model where they rely on an external system for their authentication, authorization and audit (AAA) requirements, which raises a few security concerns. Perhaps the most common example is applications that control access based on Active Directory (AD) accounts and Active Directory security groups. While Active Directory may be the most common example, other vendors offer products and solutions that make authentication (is this person really Bob?) and authorization (can Bob access this resource?) decisions.
Vendors: Other vendors include Cisco (via the Securent acquisition), RSA Entitlement Policy Manager (EPM), BitKoo, Rohati, and Quest (Vintela); even Microsoft has another technology called Authorization Manager (AzMan).
The Value of Externalizing AAA: This approach is advantageous to software vendors and developers. It allows them to concentrate on the core competencies of their application, while relying on the expertise of another vendor for authentication and authorization. While externalizing AAA is powerful, it can introduce complexities in the way that permissions are assigned and audited.
Example: Let's look at an example that I've experienced as a site owner in SharePoint. SharePoint has a permissions model that is built on top of Active Directory groups and accounts. As a site owner, I assign and control access via our corporate AD groups. The challenge that I have is that I don't have visibility into the AD group membership, so I'm unable to easily figure out who can get to my site at a certain permission level (read versus write).
Sprawl: The problem grows more complex as more systems (in this case) use AD for AAA. For example, I just found that our corporate VMware vCenter security model is tied into Active Directory. The group membership of my corporate account potentially grants me access to both SharePoint and VMware. In fact, looking across all systems in the enterprise, here's what comes to mind for systems that are using an external system (AD) for AAA:
- SharePoint (over 100 sites)
- SQL Server databases
- Spam Quarantine
- VMware vCenter
- Corporate Intranet
- Citrix License Server
- Citrix Password Manager
- Citrix XenApp
- Windows Shares
- And more....
Challenges:
Visibility: Given an entitlement in AD (or any other system), it is difficult to determine the systems and resources that it governs.
Unintended consequences: I assign Bob membership in Grp Y to grant him read access to SharePoint... what else does Grp Y control? Is Bob also getting access to VMware?
Proliferation: to avoid the unintended consequences above, one might define an AD group per application... however, this leads to a proliferation of AD groups.
Terminology: "Grp Y" may make sense to a technical person in IT, but it's not intuitive to business users.
Multiple Administrators: Multiple administrators and multiple systems need to be looked at to determine who can get to what.
- The VMware vCenter Admins can determine which AD groups control permissions in vCenter.
- The AD administrators can tell you who is a member of the AD group, taking into consideration nested groups, dynamic groups, etc. in AD.
Market Needs: Companies need solutions that provide visibility into the business functions that are assigned to people, rather than the low level IT attributes such as AD group membership. The IT department is capable of making the connection between the application and the externalized AAA system (such as Active Directory). Business users often cannot make the connection and hence don't have the visibility to fully understand the business functions assigned to workers. Ideally a business would manage the assignment of permissions in terms of the application in a single step (Ex: Make Bob a Power User in VMware vCenter). At the time of assignment, you could see the other business application permissions that would be carried along with the change (unintended consequences). At any point, you could look at the infrastructure from the perspective of a person, a system, or an application permission to get the full picture of who is assigned which permissions:
- Connect a person to permissions in various systems
- Look at a system, view all permissions for all people
- Look at a permission on a system, determine people who have it assigned
- Look at the AD group (AAA resource) and determine what it controls (systems) and who has access (people)
With these capabilities in place activities such as assigning and managing access are simplified and the business has visibility into who is assigned which kind of access.
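The four views listed above, plus the "what else does Grp Y control?" check from the Unintended consequences challenge, are straightforward to build once the application-side mappings and the directory's group membership are in one place. The following is an added example (not code from the original post, and not a Courion product feature) that works over a constructed snapshot of AD groups and application entitlements; the `grp:` prefix for nested members, the group and system names, and the `impact_of_adding` helper are all assumptions made for illustration. Nested membership is expanded iteratively with a visited set, because AD allows membership cycles (group A in group B in group A) and a naive recursive expansion would never terminate.

```python
from collections import defaultdict

GROUP_PREFIX = "grp:"   # constructed convention: a member entry that is itself a group

# Constructed sample directory: AD group -> direct members.
# Note the nesting (Grp Y inside SP-Site-Readers) and the cycle between
# Infra-Ops and Infra-Leads, which AD permits and which naive recursion would loop on.
AD_GROUPS = {
    "Grp Y": ["bob", "alice", "grp:Infra-Ops"],
    "Infra-Ops": ["carol", "grp:Infra-Leads"],
    "Infra-Leads": ["erin", "grp:Infra-Ops"],
    "SP-Site-Readers": ["grp:Grp Y", "dave"],
}

# Constructed application-side mapping: (system, permission level, governing AD group).
# Each application's admins know only their own rows; nobody sees the whole table.
APP_ENTITLEMENTS = [
    ("SharePoint: Engineering", "Read", "SP-Site-Readers"),
    ("SharePoint: Engineering", "Contribute", "Grp Y"),
    ("VMware vCenter", "Power User", "Grp Y"),
    ("Windows share: finance", "Modify", "Infra-Ops"),
]


def expand_group(groups, name):
    """Transitive user membership of an AD group: follows nested groups,
    terminates on cycles, and ignores nested groups missing from the snapshot."""
    users, seen, stack = set(), {name}, [name]
    while stack:
        for member in groups.get(stack.pop(), ()):
            if member.startswith(GROUP_PREFIX):
                nested = member[len(GROUP_PREFIX):]
                if nested not in seen:
                    seen.add(nested)
                    stack.append(nested)
            else:
                users.add(member)
    return users


def build_views(groups, entitlements):
    """The indexes the post asks for: person -> permissions, system -> (permission, person),
    and AD group -> the (system, permission) pairs it controls."""
    by_person = defaultdict(set)
    by_system = defaultdict(set)
    by_group = defaultdict(set)
    for system, perm, group in entitlements:
        by_group[group].add((system, perm))
        for user in expand_group(groups, group):
            by_person[user].add((system, perm, group))
            by_system[system].add((perm, user))
    return by_person, by_system, by_group


def people_with(by_system, system, perm):
    """Who holds a given permission on a given system, whichever group carried it."""
    return {user for p, user in by_system.get(system, ()) if p == perm}


def impact_of_adding(groups, entitlements, user, group):
    """Unintended-consequences check: (system, permission) pairs the user would gain
    if added directly to `group`, beyond what they already hold through other paths."""
    before = {(s, p) for s, p, _ in build_views(groups, entitlements)[0].get(user, ())}
    trial = {g: list(m) for g, m in groups.items()}
    trial.setdefault(group, []).append(user)        # simulate the change, do not apply it
    after = {(s, p) for s, p, _ in build_views(trial, entitlements)[0].get(user, ())}
    return sorted(after - before)


if __name__ == "__main__":
    by_person, by_system, by_group = build_views(AD_GROUPS, APP_ENTITLEMENTS)
    print("Grp Y controls:", sorted(by_group["Grp Y"]))
    print("vCenter Power Users:", sorted(people_with(by_system, "VMware vCenter", "Power User")))
    print("bob holds:", sorted(by_person["bob"]))
    print("Adding frank to Grp Y would also grant:",
          impact_of_adding(AD_GROUPS, APP_ENTITLEMENTS, "frank", "Grp Y"))
```

Run against the constructed data, adding frank to Grp Y to give him SharePoint Contribute also hands him vCenter Power User and, because Grp Y is nested inside SP-Site-Readers, SharePoint Read; that second hop is exactly what a site owner looking only at SharePoint's own permission page cannot see. In a real deployment the group snapshot would come from an LDAP or PowerShell export and the entitlement rows from each application's administrators.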
Posted by Chris Zannetos - CEO on Wed, Feb 18, 2009
As reported in CSOonline, Art Coviello, the president of RSA, the security division of EMC, noted in his overview of RSA's research report "Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy", these are difficult times for IT security executives. Regulations that require organizations to implement strong access and compliance management controls are not being relaxed just because the world economy is in a recession. In fact, given the history of the US Congress, such regulations are likely to increase. Hacking, business espionage and the like aren't decreasing, they are increasing. So how can Chief Information Security Officers (CISOs) deliver on their responsibilities - and dare we say, enable their businesses to be more successful - within current budgetary constraints?
Mr. Coviello offers some very sound advice to CISOs. Top on his list is "prioritize based on risk/reward". Underlying this and his other recommendations is a revolutionary thought for most IT security departments: that the security organization must mature from an insurance provider into a business enabler. Now, this is much easier said than done of course (as my long-time CTO and co-founder Brian Milas is fond of saying: "If it was easy, everyone would be doing it!"). However, Mr. Coviello provides some pragmatic points of advice, to which I would add two:
- Communicate business value. Very clearly identify the impact of your security programs on the business in terms of business speed, revenue generation and cost savings. Do not shy away from identifying hard cost savings attainable by eliminating manual activities through automation of security functions that are required by today's business operations and regulations.
- Take a phased, portfolio approach. Do not approach your CIO and Executive Team with individual projects, but rather present a portfolio of projects/capabilities and their aggregate value to the organization, that is delivered in phases. A dirty little secret of our industry is that while many vendors try to convince practitioners that the world revolves around point solutions, CISOs are faced with protecting the company against a portfolio of risks.
And while some might try to convince practitioners that a monolithic stack helps them manage all the risks, 2009 is clearly the year of "incremental improvement over delayed or unattainable architectural perfection". CISOs need to create a portfolio of capabilities to manage risks effectively, that can be delivered and expanded over time.
By taking the portfolio approach and including the sort of projects that deliver clear cost saving and business agility value (such as automated provisioning) along with security projects that protect the organization against difficult to define events of unknown probability, the CISO can build credibility and gain acceptance to his or her entire program. And by delivering "incremental progress" measured in business value, CISOs will create the credibility and political capital for the continuing rollout of their portfolio of security operations.
Posted by Kurt Johnson - VP Strategy on Wed, Feb 11, 2009
The source of all information great and accurate (and I'm talking about Wikipedia of course) defines governance as relating "to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility". This sounds reasonable to me. Today's realities of increasing privacy concerns, compliance management, and regulatory pressure have brought visibility to the importance of sound policies and processes to minimize risk and protect organizations. IT governance consists of cross-organization teams, with a heavy emphasis on line-of-business involvement, to more effectively ensure that IT policies are not only being followed, but are the responsibility of the individual users and business managers to define and enforce. It's not solely an IT function.
Sounds great, doesn't it? As part of this, IT, and even IT security, have emerged from the bowels of their cavernous quarters to have a seat at the table, working with the organization to identify risk and build effective ways to manage it. In many areas IT security has effectively shattered the image of being a business impediment and replaced it with one of a business enabler.
Then along comes something like Microsoft SharePoint to ruin everything. Are we even a little surprised that we're reading that Microsoft SharePoint is hard to secure? (Microsoft SharePoint: A Weak Link In Enterprise Security?) A recent Ponemon Institute survey stated that only 60% of respondents have deployed security tools specifically for SharePoint. Courion's own survey on SharePoint compliance showed that 25% of respondents stated that they believed their SharePoint security was either weak or they were unaware of what was being done about it.
It's always easy to take shots at Microsoft and point the finger at the tool. But the blame here belongs with the organization using the product. Microsoft designed a solution to provide enhanced collaboration capability and make it easy to share information across different organizations or even outside the organization. SharePoint was designed to install easily, be painless to administer, and make it simple to post documents and data for wide audiences to see and share. Guess what? The product works. But, like a loaded gun, which in the right hands can be an effective tool but in the wrong hands can lead to unfathomable destruction, so too can SharePoint or any collaboration tool.
Historically we've seen IT security and management as afterthoughts to application deployments. Back in my META Group days we referred to this as the pig being thrown over the wall. An application goes live and then IT management is left to figure out how to ensure it doesn't bring the infrastructure to its knees and that the information is secure. As I mentioned before, IT governance started to change much of this. But, in many cases, SharePoint is so easy to deploy IT doesn't even know about it. Thus security is not planned for up front.
So what is IT security to do? My friend Mike Rothman suggests in his Daily Incite post, pray. Not bad advice. How does IT gain control while not impeding the business value of collaboration? The solution is what we at Courion refer to as an Access Assurance strategy.
Access Assurance refers to ensuring that the right people have the right access to the right resources and are doing the right things. It involves the definition of access policy; enforcement of that policy via automation; detection when access varies from policy; remediation to bring access back within policy; and validation that the policy is appropriate. Where better can this apply than to SharePoint? This focus on a lifecycle for SharePoint compliance management offers significant value for organizations.
So, how does one go about building SharePoint compliance and access assurance? It starts by finding out what's out there. This discovery must include an assessment of the various risks associated with the sites. It doesn't make much sense to put a ton of policy around the company softball site; however, that engineering planning site might need a little more oversight. This risk assessment may include identification of sites that have sensitive data on them. DLP tools like those from RSA and Symantec are helpful in discovering such information. Risk can also be assessed by seeing how many sites have multiple site owners, how many grant access via explicit user assignments vs. groups, how many the "everyone" group has access to, etc. Identify which users have access to the different sites, what job function they belong to, and what types of rights they have (e.g. contribute, read only, full administration, etc.). There should then be a formal process to verify that this is appropriate and to have the business managers attest that the access is appropriate. When it's not, remediate by removing or modifying that access. This is what Courion's Solutions for Microsoft SharePoint focus on: creating an Access Assurance lifecycle for SharePoint.
Once this clean-up has occurred, we can then implement a process of governance for sensitive sites. Ongoing reviews of who has what type of access are critical. Formal processes for approving access to such sites should trump the "let the site owner add anyone they'd like" approach. The SharePoint policies must be well understood, well communicated, and implemented in a way that ensures business efficiency while maintaining policy. We like to refer to this as transparent compliance. Embedding the policy into the business process allows the organization to enjoy the benefits of increased business efficiency with higher security, and thus reduced risk.
Isn't that what we're all striving for anyway?
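The discover, assess, attest, remediate sequence described in the two paragraphs above can be expressed as a small triage pass over a site inventory. The following is an added example, not code from the original post or from Courion's SharePoint solution: the inventory records, the set of "broad" principals, the permission-level names and the scoring weights are all assumptions made for illustration, and in practice the records would be produced by a crawl of the site collections and a DLP scan rather than typed in. The point it makes that the text does not is the ordering rule: a site flagged as holding sensitive data is always reviewed before a non-sensitive one, however sloppy the softball site's permissions are.

```python
from dataclasses import dataclass, replace

# Constructed conventions: principals that amount to "everyone", and the
# permission levels that let a holder change the site's own security settings.
BROAD_PRINCIPALS = {"Everyone", "NT AUTHORITY\\Authenticated Users"}
PRIVILEGED_LEVELS = {"Full Control", "Design"}


@dataclass(frozen=True)
class Grant:
    principal: str
    kind: str      # "user" (explicit assignment) or "group"
    level: str     # SharePoint permission level: Read, Contribute, Design, Full Control


@dataclass(frozen=True)
class Site:
    url: str
    owners: tuple
    grants: tuple
    sensitive: bool = False   # assumed to come from a DLP scan of the site's content


def risk_signals(site):
    """The indicators the post lists, computed from one site's inventory record."""
    return {
        "broad_access": any(g.principal in BROAD_PRINCIPALS for g in site.grants),
        "multiple_owners": len(site.owners) > 1,
        "explicit_user_grants": sum(g.kind == "user" for g in site.grants),
        "privileged_grants": sum(g.level in PRIVILEGED_LEVELS for g in site.grants),
    }


def risk_score(site):
    """Weighted sum of the signals. The weights are an illustrative assumption; the
    explicit-grant count is capped so one sprawling site does not swamp the ranking."""
    s = risk_signals(site)
    return (5 * s["broad_access"]
            + 2 * s["multiple_owners"]
            + min(s["explicit_user_grants"], 5)
            + 2 * s["privileged_grants"])


def triage(sites):
    """Sensitive sites first, then by score: the softball site never outranks HR."""
    return sorted(sites, key=lambda s: (s.sensitive, risk_score(s)), reverse=True)


def attestation_items(site):
    """What the site owners are asked to confirm: each grant plus why it was flagged."""
    items = []
    for g in site.grants:
        reasons = []
        if g.principal in BROAD_PRINCIPALS:
            reasons.append("broad principal")
        if g.kind == "user":
            reasons.append("explicit user grant; prefer a group")
        if g.level in PRIVILEGED_LEVELS:
            reasons.append("privileged level")
        items.append((g.principal, g.level, tuple(reasons)))
    return items


def remediate_broad_access(site):
    """Policy step: no broad principal on a sensitive site. Returns the cleaned-up site
    and the grants that were removed; non-sensitive sites are left alone."""
    if not site.sensitive:
        return site, ()
    removed = tuple(g for g in site.grants if g.principal in BROAD_PRINCIPALS)
    kept = tuple(g for g in site.grants if g.principal not in BROAD_PRINCIPALS)
    return replace(site, grants=kept), removed


# Constructed inventory standing in for the output of a discovery crawl.
SOFTBALL = Site("https://sp/sites/softball", ("alice",), (
    Grant("Everyone", "group", "Read"),
    Grant("Softball-Owners", "group", "Full Control"),
))
ENG_PLANNING = Site("https://sp/sites/eng-planning", ("bob", "carol", "dave"), (
    Grant("Everyone", "group", "Read"),
    Grant("Eng-Leads", "group", "Contribute"),
    Grant("frank", "user", "Contribute"),
    Grant("bob", "user", "Full Control"),
    Grant("carol", "user", "Full Control"),
), sensitive=True)
HR_BENEFITS = Site("https://sp/sites/hr-benefits", ("erin",), (
    Grant("HR-Staff", "group", "Contribute"),
    Grant("HR-Admins", "group", "Full Control"),
), sensitive=True)
INVENTORY = [SOFTBALL, ENG_PLANNING, HR_BENEFITS]


if __name__ == "__main__":
    for site in triage(INVENTORY):
        print(site.url, "(sensitive)" if site.sensitive else "", "score", risk_score(site))
        for principal, level, reasons in attestation_items(site):
            print("   ", principal, level, "; ".join(reasons))
    cleaned, removed = remediate_broad_access(ENG_PLANNING)
    print("removed from eng-planning:", [g.principal for g in removed],
          "new score", risk_score(cleaned))
```

On the constructed inventory the engineering planning site comes out first (sensitive, "Everyone" can read it, three owners, explicit user grants at Full Control), the HR site second despite its low score because it is sensitive, and the softball site last even though its score is higher than HR's. Remediation returns a new record rather than mutating the old one, so the before and after states can both be kept for the audit trail.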
Posted by Chris Sullivan - VP Customer Solutions on Wed, Feb 11, 2009
I was reading the recently published "Market Overview: Enterprise Role Management" by Andras Cser of Forrester and I was struck by his comment about Courion adding a "whopping" number of roles customers in 2008. The report goes on to talk about the need for enterprise roles, double-digit market growth rates in a down economy and a bunch of products that all sound the same: "All products, with the exception of IBM's TIM, support role mining, role management, role versioning, compliance reporting, definition, and enforcement of segregation of duties out-of-the-box".
By the time I finished the report, I had 2 questions stuck in my craw:
- Why is Courion, which Forrester positions between the big iron guys and the trendy pure-play role vendors, thriving even in a down economy?
- If I were about to start a roles project, which vendor would I pick?
I suspect that the answer to both comes down to value.
By themselves, roles have no more value than a sundial in the shade. They help you define what people should have access to, but they don't actually grant or verify access. You will need a well-integrated provisioning and compliance solution to ensure that the right people have the right access to the right resources and are doing the right things.
Also, your solution has to leverage what you have rather than requiring a rebuild of your core IT infrastructure. Otherwise you'll end up with a cure that's worse than the illness.
If you're about to embark on a roles initiative, here's some things to consider:
- What problem am I trying to solve?
- How will it be funded? Will the expense be approved? Can the solution generate efficiencies fast enough to be self funding?
- Does it actually work? Can you see it in a POC? Does the vendor have references that can speak to the business value that they have achieved?
If you use this approach you should be successful and, I think, Courion will add a whopping number of new customers in 2009 as well.
Posted by Bob Craig - Dir Prod Marketing on Mon, Feb 09, 2009
Companies going through mergers and acquisitions have a big problem on their hands. As they bring new companies on board, they have to deal with the acquired company's infrastructure giving them multiple disparate systems, such as packaged enterprise applications (like SAP), custom or legacy applications, networks, servers, and directories. As they assess their situation, they have three choices on how to manage these systems from an identity and access management perspective.
One, they can leave them in place. This minimizes disruption to the acquired employees, but increases cost and complexity, since redundant systems must be managed separately.
Two, they can merge all user accounts into a single system of record. This cuts down on management overhead, but at the risk of business disruption as users and administrators get used to the new environment, not to mention the time, cost and effort required to migrate.
Three, they can adopt a hybrid strategy, leaving some systems in place, while merging others.
One global company, for example, had 140 separate ERP applications and processes that they wanted to consolidate into a single instance of SAP. Their strategy was to migrate to the new platform over time with minimal disruption to the business.
Whatever strategy you choose, your IAM platform should be able to accommodate it by delivering a flexible framework that will work in whichever scenario suits your organization and not force your business to fit into its framework.
A flexible infrastructure allows you to manage user identities and access rights in multiple, heterogeneous systems without requiring a centralized directory or extraneous infrastructure. At the same time, it should make certain you aren't compromising core security policies, such as segregation of duties checking or password strength requirements.
In the above example, the company chose a framework that enabled them to manage legacy system accounts while gradually migrating accounts to the new platform in phases. This enabled them to make the necessary changes with minimal end-user disruption. And as they decommissioned systems they were able to unplug the connectors to those systems from the framework without changing the underlying IAM architecture.
If they had adopted the hybrid approach, the same framework would have allowed the acquired company's systems to be brought online in the IAM platform....allowing disparate systems to coexist side-by-side, while ensuring that security policies are uniformly enforced across different native platforms.
The lesson learned by this company was that an inflexible, all-or-nothing approach that required a huge investment in a particular vendor's vertical infrastructure would not have met their business needs.
Posted by Todd Chambers - CMO on Thu, Feb 05, 2009
The effects of the economic crisis are heightening security risks at the world's largest financial institutions, according to Deloitte's 6th Annual Global Security Survey, which benchmarks IT security and privacy in the financial services industry.
It comes as no surprise that identity and access management (IAM) and security regulatory compliance were the top security initiatives of financial institutions for the past 2 years. Increasing regulation and industry guidelines, as well as the need to provide secure access to systems for suppliers, business partners and others is driving the need for identity and access management and compliance solutions. In spite of this, many of these organizations have a growing concern about insider threats - according to the survey 36 per cent of respondents expressed a greater level of concern about insiders.
"Excessive access rights" was the top internal/external audit finding over the past 12 months and "unauthorized access to personal information" was the number one privacy concern stated by respondents.
As financial institutions face an increased risk of security breaches this year due to budgetary constraints and an increased threat of insider misconduct, an access assurance strategy can help them to strengthen security and improve compliance by assuring users' access rights and activities are compliant with policy while aligning security and business objectives.
Posted by Todd Chambers - CMO on Mon, Feb 02, 2009
As recently reported in Network World, the Ponemon Institute 2008 survey found that, "88% of all data breach cases for 2008 were traced back to insider negligence." Couple this with the ever rising cost of coping with a breach, "$6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006" and the irreparable damage a breach can cause to a company's brand and it's easy to see why "insider threats" need to remain top-of-mind.
Two of the most-cited steps companies took following a breach were identity and access management and data loss prevention (DLP) product deployments, which more and more companies are looking to integrate to increase compliance effectiveness as a cornerstone of their GRC arsenal.
Access governance, access provisioning and access compliance, coupled with access intelligence (i.e., data loss prevention, security incident and event management (SIEM) and other detective technologies) are the heart of any successful access assurance strategy.