Courion Access Assurance Blog

Courion Corporation


Gartner Warns of Rogue SharePoint Sites


I was just reading Gartner analyst Neil MacDonald's most recent blog posting about Rogue SharePoint Sites and was interested to see that Gartner estimates that about 30% of SharePoint servers are operating outside of the management sphere of IT departments.  Neil also mentions that this is not SharePoint's fault, but rather a problem with oversight - or lack thereof - with respect to organizational compliance with enterprise security policies.

I touched on this in my blog posting last month (Microsoft SharePoint - Governance Schmuvernance) and I'm glad to see that awareness of this policy compliance issue is becoming widespread, with the likes of Gartner recognizing the scope of the potential risk it poses.  Courion has been providing SharePoint security solutions for some time which give organizations insight into the configuration, authentication, and authorization needs that Neil refers to.

How does your organization view this issue?

Build vs. Buy? – Sizing IAM Development Costs

In one of my first programming jobs, I worked at a major academic medical center in Boston that not only wrote their own software applications, they even developed and maintained their own proprietary programming language.

Needless to say, they don't do that anymore since that approach only makes economic sense when there are no other viable alternatives. Despite this, we occasionally run into enterprises that are considering developing their own in-house identity and access management (IAM) solution.

If you're considering developing your own custom IAM solution, what are the factors you should be considering as you evaluate the cost/benefit ratio?

Required Feature Set

First, what features would you want to implement? To simplify this, let's just consider password management and not include provisioning, role management, or other IAM applications.

Based on Courion's experience with hundreds of customers, here is a list of features that a reasonably functional password management solution should provide:

  • Self-service: Users must be able to securely reset their own passwords. If you don't offer self-service, then all you're doing is automating the help desk without eliminating help desk calls, which is one of the main reasons companies deploy password management in the first place.
  • Challenge authentication: End-users should be able to register their own private challenge/response questions and answers in a secure directory or database that the system can use to verify their identity when they need to reset a password.
  • Flexible user interface: Users should be able to reset their own passwords using a variety of interfaces. At a minimum, they should be able to use a browser and their Windows log-on screen. Other options include a telephone/voice recognition system or interactive kiosk.
  • Help desk support: Some users can't, or won't, manage their own passwords, in which case your help desk needs to be able to reset passwords on their behalf without requiring privileged access to the target systems. The software should automatically create, populate and close tickets for reliable security audit and service level reports (this includes both self-service and assisted resets).
  • Password strength and history checking: The system should enforce prudent password history and strength policies, including:
    • Centralized definition and enforcement of password policy;
    • Minimum/Maximum password length;
    • History (password reuse) and Dictionary checking;
    • Required mixed case, numeric and/or special character use.
  • Target integration: The solution must manage passwords on mission-critical target systems, each with its own unique native security system, including desktop computers, networks, enterprise directories, databases, packaged applications and custom-built or legacy systems. Building reliable, secure and scalable connectors to heterogeneous systems from a variety of vendors can be a daunting challenge. An IAM solution provider can enter into partner agreements that provide access to code, developers, and APIs not available to most internal developers. Troubleshooting connectors that fail when target APIs change without support can be expensive, time-consuming and frustrating.
  • Logging and auditing: The solution must have a tamper-proof method for logging and tracking password-related transactions.
  • Alerts and notifications: It should support email and/or pager alerts to confirm actions or warn of suspicious activity. For example, users should be notified of any changes via a message like, "Your password was reset on [date]. If you didn't initiate this password reset request, please contact security immediately."
  • Scalability: Only a large organization has the resources to create and maintain a custom password solution, which implies there will be times (e.g., Monday morning at 9 AM) when many users will be resetting their passwords simultaneously. The solution must scale to accommodate large numbers of simultaneous password reset requests without buckling under the load and potentially compromising security.
  • Data security: The solution must transfer and store data using encrypted and hashed formats to preserve the privacy of passwords.

Some other features that might be considered useful, but not essential for the first implementation, are:

  • Synchronization: A feature that many users appreciate is the ability to synchronize a password across multiple systems, which means the user only needs to remember one password at a time.
  • Delegation/Restriction: Some organizations will want to be able to block specific users from access to workflows, while others may want to be able to delegate authority to more than one administrator.
  • Multi-language: A multi-national organization may need to provide support for non-English speakers.

Development Costs

Once you know what features to implement, you can estimate the costs. Based on our experience developing PasswordCourier, we estimate the above solution will require approximately eight person-years of development effort, at a total cost of between $1.2 million and $1.5 million (using fully loaded current salary rates and benefits).

Maintenance and support of the above solution are estimated at 0.5 FTE (full time equivalent) per year, or between $75K and $90K per year for routine support (bug fixes, minor enhancements, etc.). If you have a complex or dynamic environment (with new systems that require password connectors being deployed regularly), your development and maintenance requirements may be much higher.

You can do the math for your organization, but I expect you'll discover that investing more than a million dollars to develop software functionality that is currently available from commercial sources at much lower total cost of ownership won't pass muster with most CFOs.

On the other hand, if you proceed and 18 months later you've developed the password management system of your dreams, then you can start thinking about provisioning, role management, and compliance verification and reporting.

What are your thoughts?

HIPAA Compliance – This Time We Mean It

With the rash of regulatory compliance policies thrown at virtually every industry over the last decade, healthcare was not immune (no pun intended).  Understanding that advances in technology would have a major impact on the privacy of health information, the Health Insurance Portability and Accountability Act (better known as HIPAA) includes scrutiny of patient privacy and the handling of that information.

One critical aspect of privacy protection is access to electronic health information.  Understanding who has access to this data, whether that access is appropriate, how they got it, and whether it is effectively taken away when no longer needed are all key ingredients of an Access Assurance strategy and a critical part of the controls that are required for HIPAA compliance.

Still, many of the healthcare IT and audit professionals I speak with regard HIPAA much like a teenager does music piracy.  They are not that fearful of non-compliance and don't believe they are ever going to get caught.  While many pointed at Atlanta's Piedmont Hospital and Seattle's Providence Health as the poster children for the impact of HIPAA non-compliance after being audited and penalized back in 2007 and 2008 respectively, these once-a-year headline catchers weren't enough to scare people too badly.  As a result, HIPAA is more of a way to secure budget than a driving force to boost internal controls around protecting patient data.  Many folks I speak with tell me they are far more worried about the impact on resources and the organization of implementing tighter security and controls than they are about fines for non-compliance.

Well, clearly I wasn't the only one hearing this, as the Office of the Inspector General (OIG) decided to take a deeper look into Health and Human Services' (HHS) oversight of HIPAA and added HIPAA review to its FY09 Work Plan with a strong focus on the HIPAA Security Rule and HIPAA Privacy Rule.  OIG came down pretty heavily on HHS's failure to enforce HIPAA rules (ModernHealthcare.com coverage and OIG Report).

Apparently they weren't kidding around, and HHS is getting the message.  Last month CVS Caremark agreed to pay $2.25 million to settle a federal investigation that it violated HIPAA privacy regulations.  It appears the people in the white coats behind the counter threw items such as pill bottles with patient information in the trash.  Whoops.

This decent penalty is getting the attention of healthcare organizations, and they're starting to believe that HHS is serious this time.  Many are feeling that HHS would relish the opportunity to grab headlines with major findings and penalties to prove they're getting their act together.  In addition, a new law signed by President Obama includes rules expanding HIPAA, including stricter penalties and public disclosure rules.  Moreover, it authorizes State Attorneys General to bring civil actions against individuals who violate HIPAA.  I'm sure this has AGs frothing at the mouth for new things to go after, and this, as well as steeper fines, is grabbing the attention of healthcare security professionals.

What this means for security professionals is that it's time to get real about HIPAA.  It's time to dust off the policies and procedures and focus on educating individuals about the protection of private information.  Also high on the list should be an assessment of data governance and access assurance:

  • Where is the private data?
  • What kind of data is out there?
  • Who has access to this data?
  • Do the right people have the right access to the right resources, and are they doing the right things with it?
  • How will this be enforced and managed on an ongoing basis?

Practitioners and management must have ownership of privacy data and how this information is being protected.  It's critical that healthcare organizations take a strong look at how they're managing the lifecycle of access assurance.  This starts with defining access policy, enforcing that policy, detecting when actions are inconsistent with policy, validating when those actions violate policy and create risk, then remediating to bring things back in line.  It appears HHS is serious this time, and you don't want to be the next attention grabbing headline out there.

I'd love to hear what you think.

Identity in a Bad Economy: The Rest of the Story


In her recent blog posting titled, Is a bad economy good for identity?, Lori Rowland of the Burton Group writes that the poor economy has actually been good for the Identity and Access Management market.  She offers evidence that a number of companies, Courion included, reported record sales and revenue in 2008.  Lori suggests that the unfortunate wave of layoffs and increased productivity requirements have driven demand for automated provisioning - to ensure that departed staff cannot access information and systems and that new hires are productive as soon as possible.

These are accurate observations from what Courion has seen in its business.  But as the late Paul Harvey used to say...let's talk about "the rest of the story".

The reality for CIOs is that they have budgets that are flat at best, and more likely decreased from 2008.  The impact on new projects is more severe.  As all of us in the software industry know, a flat budget means a reduction in new project spending...a 10% budget reduction actually means a 30-100% reduction in new project spending.

This was confirmed for me when I spoke with 20 CIOs and CISOs in Courion's customer base earlier this year.  The response across all industries and company sizes was that they would have at most a small handful of new projects this year.  But they were all faced with the same challenge:  "how do I respond to increasing access compliance pressures - whether regulatory- or internally-driven - with a budget less than last year's?"

This is the driver of the increased demand that Lori Rowland identified.  Customers are demanding products that can automate administrative processes to reduce staff (and costs) while at the same time ensuring compliance with security policies and regulations.

They have to be compliant, and they have to reduce costs.  It's that simple.

It is not surprising that the two examples that Lori provided were Access Provisioning examples.  More than any other part of the Identity & Access Management market, Access Provisioning provides customers with the opportunity to reduce hard costs while improving security.  This - along with Provisioning's ability to speed business processes - is why CIOs view Provisioning as a strategic platform for their operations.

So does this mean that Access Provisioning and Compliance projects are always among the 1 or 2 projects above the line to get budget?  While Courion's sales force might wish they were...the answer is "sometimes".  What makes Access Provisioning & Compliance projects unique among security projects, however, is that they can actually help IT organizations increase budget.  I'll offer a recent Courion customer project as an example.

Courion recently signed an agreement with a customer to provide automated provisioning/de-provisioning and access verification for over 50 applications - even though the customer had no budget.  How could we do this?  Did Courion all of a sudden lose its moral bearings and start to employ the bait-and-switch "free" approach of some vendors?  No, it didn't.

Even though the project cost is over $1 million, the project will never negatively impact the customer's financial statements.  Or as my CFO likes to say, the project creates "P" instead of "L" on the Profit & Loss statement.  The customer is able to begin reducing administrative staff within a few months of the project start, and is always able to reduce staff faster than the cost of the project that hits the P&L.  And they end up ahead of their auditors - delivering the security the business needs but doesn't want to pay for.

I have been working in the Identity & Access Management market for over 15 years now, from before it was called the IAM market.  I've been through the recession of the early '90s.  I've been through the Tech Meltdown of 2001.  Never before have I seen customers need vendors more to help them improve security and reduce costs.  Automated Access Provisioning & Compliance provides both.

And that... is the rest of the story.

IAM: More Than Just a Technology Play

Identity and Access Management (IAM) is more critical than ever to organisations of all sizes. Even some of the largest companies in the FTSE 100 still use manual processes for tracking who has access to what. Such systems are often paper-based, or involve multiple standalone IT systems. Either way, it can be a time-consuming process to enable access, and an even harder one to take it away again. A poorly implemented manual process will buckle if you have to do it for 1,000 people in quick succession.

The current spate of job losses, mergers, acquisitions and data breaches have prompted several companies to take action to automate and modernise their access management processes and IT.

So significant is the issue that a report research group RNCOS released last month forecasts the IAM market will grow at a compound annual growth rate (CAGR) of nearly 23 percent between 2009 and 2012. Europe and Asia-Pac will account for nearly 62 percent of the market by 2012 according to the research, largely because of spending on IAM in the major financial services centres.

As Gartner rightly points out in recent coverage on vnunet.com, the knock-on effect is that many rush in and choose a solution based on reputation rather than proven capability. No IT solution should be chosen on that basis alone, especially a security solution.

A sound upgrade of any IAM system and process is achieved through the considered and planned deployment of technology and services, with clear objectives for efficiency improvements and longer-term cost saving in mind. For this reason, investment in any IAM solution - especially if it is to replace an existing solution or group of disparate systems - must not be a snap decision.

Of course, IAM is more than just a technology play; even the best technology deployment needs to be supported by clearly-defined policies and staff education to ensure that best practices are adhered to at all times.

Balancing Data Governance and the Need to Cut Costs

An interesting report has just been published by analyst firm Ovum, looking into the current state of data governance in light of the economic situation in the UK and globally.

The report, Data governance in a downturn, suggests that in the current climate, pressure to achieve short term and instant cost savings to meet lower capital expenditure targets is leading to companies reducing their headcount and focus around data governance. This in turn is disrupting business operations and leading to information assets being lost, stolen and under-exploited due to a lack of oversight.

Acknowledging that expenditure on data governance is often under pressure because it is viewed, inaccurately, as a cost rather than as a revenue generator and investment, the report's authors point to several areas of concern. These include headcount reductions that compromise a company's ability to maintain data governance, ill-considered technology cutbacks, and damage to brand value because of deteriorating partner and customer relationships brought about by poor data governance.

The report and analyst comments have already achieved some notable media interest, with IT PRO in the UK and iTWire in Australia running substantial pieces about it.

As the report identified, companies that cut spending on data governance are all too often gambling with the very data they need to protect.

Failure to safeguard confidential internal and customer data can expose a company to a multitude of regulatory and legal challenges, particularly if any subsequent investigation finds that reasonable steps were not taken to safeguard such data because spending on and attention to data governance has been reduced.

This is not to say that you cannot reduce your expenditure on data governance, of course you can and many organisations have successfully done so without compromising either day-to-day governance or longer-term data compliance. This is best achieved through the considered and planned deployment of technology and services with clear objectives for efficiency and longer-term cost saving in mind. For this reason, investment in data governance cannot be reduced for short-term budget reasons alone.

Reducing capital expenditure on a whim, on both the staff and technology that manages data governance, reduces the corporate capability to not only manage data, but also to manage users and their ability to access sensitive and valuable information.

Fewer data governance resources to manage access controls will inevitably lead to a significant lag between an employee leaving a company and their email, SharePoint and other key user accounts being terminated. Restructuring a company's headcount increases the risk of disgruntled ex-employees or opportunistic 'dustbin raiders' exploiting 'Zombie Account' login credentials for criminal gain or out of a desire to create disruption. Data is at risk of being tampered with, lost or stolen, while a company's brand can be irreparably damaged by a data loss or theft.

According to the Ponemon Institute, the average total cost of a data breach ranged from £84,000 to almost £3.8 million, with an average of £47 per record compromised, illustrating that a poorly planned and executed cut in data governance resources can in fact cost far more than it saves. The cost of a data breach for financial services companies is usually 17 percent higher than other business types, at £55 per record compromised.

If you think the cost of data governance is expensive, look at the overall cost to a business of a data breach.

CIOs Cut Costs (And Improve Security Effectiveness?)


CSO Magazine recently conducted a survey that reported 41 percent of organizations expect to see a decrease in spending on security staff, while close to 60 percent have either implemented, or plan to implement, a hiring freeze.

Can companies freeze or cut security staff and still deliver appropriate levels of security and compliance? Yes, actually they can:

  • Lower costs
  • Improve security and compliance
  • Deliver increased business effectiveness

How? One answer is a comprehensive approach to access assurance. Companies find that implementing password management, access provisioning, role management, or compliance management and attestation lets them do more with less, which can have a significant impact on overhead costs.

An excellent example is Brookdale Senior Living, which was recently profiled in CIO Magazine. Brookdale grew by acquisition from $400 million to more than $2 billion in just three years to become the nation's largest owner and operator of senior living communities.

One consequence of Brookdale's rapid growth was their internal IT staff was overwhelmed with the sheer volume and complexity of change requests, due primarily to two factors: high turnover in certain positions and the need to provide access to dozens of systems acquired as a result of the mergers, each with its own unique user access requirements.

Automating account provisioning/de-provisioning allowed Brookdale to slash the time required to implement user-access changes from 5 days to less than 24 hours. This productivity boost enabled them to trim three security staff positions, reducing overall IT overhead costs by about $150,000.

Not only did Brookdale save money, but they also improved compliance with regulatory requirements (primarily HIPAA and Sarbanes-Oxley), delivered stronger security (by automating the assurance that only the right people have access to the right resources) and enhanced end-user productivity (by reducing the amount of time spent waiting for access to IT resources).