Courion Access Assurance Blog


Forget about available budget dollars…customers don’t have an IT budget! (And maybe that is a good thing)

Many years ago when Courion introduced self-service to the identity management market, I used the Automated Teller Machine as an analogy to explain the concept and value.  The ATM, I explained, succeeded so dramatically because it embedded security policy in a business process - enabling that business process to move faster and at a lower cost.  Security was improved, yes - but under the covers (by removing people from the process).  The ATM succeeded in changing the nature of banking because it delivered service that was faster and easier for customers at a lower cost to banks.

In today's economy, the business lesson of the ATM is more relevant than ever.  Last week Courion held its 7th Annual Customer Conference, CONVERGE 09, at which we brought together over 110 CIOs, CISOs, security managers and IAM experts to discuss how to turn today's challenges into opportunities.  During my keynote I commented that Courion was seeing that customers weren't just challenged by having fewer budget dollars; many essentially had no IT budget at all.  As I looked out at the audience, I saw a sea of vigorously nodding heads.

Now, I don't mean that there isn't IT spending.  Courion has been fortunate to see continued growth in this difficult time, so we know that there is spending.  The issue is that organizations' financial executives have their fingers so directly on spending that it doesn't matter whether there was a plan or an IT budget approved at an earlier date.  The IT budget is in essence approved piecemeal when the financial executives feel confident to spend money based on a combination of the organization's and the general market's performance.  One Fortune 1000 CISO told me that his organization re-forecasts the entire company's budget monthly!

The implication of this trend is that customers are fighting every day to get spending approved.  Customers are reporting that they have to get confirmation of approval for a project repeatedly: at conception, prior to RFP, prior to Proof of Concept, prior to negotiating contracts, and prior to signing those negotiated contracts.

It is unclear how long this will last; however, security executives are beginning to understand and adapt to this fundamental change in the financial management process.  For example, some customers have asked Courion to fully negotiate a contract even though funding has not been approved.  This way, the documents can be signed the day funding is approved without letting even one day of the market's performance impact confirmation of approval to spend.

Perhaps the most important adaptation is that customers are laser-focused on how to deliver measurable business value, not just security value, by automating access governance, provisioning and compliance (what we now call Access Assurance).  They are coming back to the lesson of the ATM and focusing on how to help their businesses move faster at a lower operational cost - not just deliver improved security.  They aren't selling security insurance.  Instead they realize, as the CIO of a global 2000 manufacturer told me recently, "the business has no patience for us unless we tell them what we are going to do for them."

As a result, customers are looking for security software vendors who are willing to engage them to build a plan to deliver real business value.  They are willing to open up their financial and accounting processes to trusted business partners to build business cases that detail improved business agility and cost savings that are both comprehensive and believable.  Business cases to which they and the trusted partner are willing to be held accountable.  Some customers have even built - and delivered on - self-funding projects.

If this trend is the outcome of today's challenges, perhaps not having an IT budget is a good thing after all.

CONVERGE 09 - Delivers Strategies for a Tough Economy

CONVERGE 09, Courion's 7th annual customer conference, wrapped yesterday exceeding all our expectations. There was a lively exchange of ideas, best practices and sharing of valuable information amongst the attendees, who represented a broad mix of companies and industries.

This year's theme, "Turning Today's Challenges into Opportunities," set the stage for discussions of how, even in difficult economic times, companies can leverage their investment in Courion technology and services to improve compliance and security, while maximizing business efficiency.

Customers such as SunTrust Banks, Brookdale Senior Living, People's United Bank, Dollar Tree Stores, FirstData Corporation, and Memorial Hermann Health System discussed their strategies and results achieved with Courion technology, including best practices to reduce costs and deliver self-funding projects.

We would like to thank our premier sponsor RSA, the security division of EMC, and our featured sponsors Cyber-Ark and Radiant Logic for their participation, and especially all of our customers who took time out of their busy lives to come and make the event a success.

Business Value Leads To Happy Customers


On the heels of our 7th annual CONVERGE conference, Sam Curry, VP of product management at RSA, posted some reactions on his "Speaking of Security" blog.

Sam and I had the pleasure of presenting a session together that explored the possibilities of a comprehensive access and compliance management strategy.  The presentation explored the various complexities organizations are dealing with for a comprehensive security and compliance strategy.  This includes information sprawl, identity sprawl, and infrastructure sprawl in light of increased threats and increased regulation.  The reality is many security organizations have addressed this from a reactive perspective, resulting in numerous point products focused on individual points of control.

What's needed is a proactive strategic approach that addresses this from a holistic view represented by a security system or ecosystem.  That is the only way to get ahead of these issues and properly balance the people, process, and product requirements.  In the post, Sam pulls out the top line summary of the zero sum game that's played between security and performance concerns.  By adopting a true security system approach, an organization can ensure higher security doesn't come at the expense of decreased efficiency and business performance.  Courion's product suite is designed around this concept, recognizing the critical importance of linking to other parts of that ecosystem, and is at the core of our partnering strategy.

I, for one, appreciated Sam's participation to communicate the aspects of this joint strategy.  I appreciate our other partners and customers who participated, and was thrilled to see so many of them coming away with fresh ideas and actionable advice to further their IAM strategies.  As Sam pointed out, organizations can be very successful with IAM.  This success is measured in business value.  When you can achieve this, you make them the happy people Sam encountered while at CONVERGE.

Zombie Accounts Come To Life


According to articles in the Mercury News and SC magazine, ex-employee Abdirahman Ismail Abdi used a zombie account to log on to a computer system at the California Water Service Company (CWSC) in San Jose the evening of April 27 after hours and successfully transferred $9 million to offshore bank accounts in Qatar.

Here is what we know, so far:

  • Abdi is not a U.S. citizen and was ordered deported to Somalia in 2005.
  • He was an internal auditor with the California Water Service Company and resigned earlier the same day.
  • He was able to enter the building after hours, where the only person who spotted him was a janitor.
  • He was able to physically access and log onto a sensitive financial system.
  • His credentials enabled him to transfer $9 million out of the country without raising any alarms.

The money was retrieved and he is being sought by the FBI, which has charged him with unlawful flight from prosecution. This incident raises a number of troubling questions for the folks at the CWSC:

  • Why was an illegal alien given privileged access to sensitive financial data?
  • Why wasn't his computer account immediately disabled or revoked when he resigned?
  • How was he able to gain access to the building after hours? Did he still have a key or passcard that provided him entry?
  • Logging onto a sensitive system and initiating a multi-million dollar wire transfer after hours is suspicious. Why didn't the system detect and block this type of suspicious activity?
  • How is it that a single individual can transfer millions of dollars electronically without requiring additional authorization?

Without further revelations, it's unlikely we'll learn the answers to all these questions, but you should probably be asking, "Could the same thing happen to my company?"
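One way to answer that question for your own environment is to check system activity against HR separation records. The sketch below is an added example, not part of the original post or any Courion product; the usernames, timestamps, business-hours window and dual-control limit are all constructed assumptions. It flags three of the conditions the questions above raise: an account used after its owner left, after-hours activity, and a large transfer with no second approver.

```python
from datetime import datetime, time

# Constructed sample data (assumed shapes, not taken from the incident).
SEPARATIONS = {"jdoe": datetime(2009, 4, 27, 11, 0)}  # user -> separation time from HR
EVENTS = [
    {"ts": "2009-04-27 09:15", "user": "jdoe", "action": "login"},
    {"ts": "2009-04-27 21:40", "user": "jdoe", "action": "login"},
    {"ts": "2009-04-27 21:52", "user": "jdoe", "action": "wire_transfer",
     "amount": 9_000_000, "approver": None},
    {"ts": "2009-04-27 14:05", "user": "asmith", "action": "wire_transfer",
     "amount": 250_000, "approver": "bjones"},
    {"ts": "2009-04-27 22:10", "user": "asmith", "action": "login"},
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed policy window
DUAL_CONTROL_LIMIT = 100_000                # assumed: larger transfers need a second approver


def findings_for(event, separations=SEPARATIONS):
    """Return the policy findings triggered by a single event."""
    ts = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M")
    found = []
    left = separations.get(event["user"])
    if left is not None and ts >= left:
        found.append("zombie_account")      # account used after its owner separated
    if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
        found.append("after_hours")
    if event["action"] == "wire_transfer" and event.get("amount", 0) > DUAL_CONTROL_LIMIT:
        approver = event.get("approver")
        if approver is None or approver == event["user"]:
            found.append("no_second_approver")
    return found


def review(events=EVENTS):
    """Return (ts, user, action, findings) for flagged events, most findings first."""
    rows = [(e["ts"], e["user"], e["action"], findings_for(e)) for e in events]
    flagged = [r for r in rows if r[3]]
    return sorted(flagged, key=lambda r: (-len(r[3]), r[0]))


if __name__ == "__main__":
    for ts, user, action, found in review():
        print(ts, user, action, ",".join(found))
```

The same three checks work better as preventive controls (deprovisioning on separation, time-of-day restrictions, enforced dual authorization) than as after-the-fact reports.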

Courion Posts Record Numbers for Q1


I thought you'd all be interested to know that, thanks to the support of our ever-growing customer base, today we announced record sales, revenues and profits for the first quarter of 2009.  Read the full press release here.

Some of the highlights of Q1 included:

  • Industry Recognition: Positioned in the "Short List" category in Burton Group's 2009 User Provisioning report on January 15, 2009.
  • Awards: Named the winner of the SC Magazine Awards Europe in the Best Identity Management category.
  • New Products: Released Compliance Manager for SharePoint, a solution designed to ensure that SharePoint sites are managed according to appropriate security policies and industry best practices.

SIM and IAM – Don’t Forget DLP

In the article "Changing times for identity management," published by Information Security magazine, Burton analyst Mark Diodati makes some interesting and useful observations about the current and future state of the identity and access management (IAM) market.

Diodati makes a great point of the need to do a thorough evaluation of any IAM solution you're planning to deploy, including a recommendation to "...install the identity management products in your development environment, and test them against your existing applications..." Our experience is that customers find it's well worth the time and effort to do a rigorous proof of concept to clearly understand the features, ease of implementation, and long term support requirements of each solution within their IT ecosystem.

Courion's Access Assurance vision is to "ensure only the right people have the right access to the right resources and are doing the right things," so we were interested to see Diodati call out security information management - SIM (sometimes referred to as security incident event management - SIEM) as an important, fast growing segment of the IAM market.

Integration between IAM and SIM technology addresses the need to make sure that users are "doing the right things." However, SIM tools are notorious for generating lots of false positive alerts - alerts that turn out not to be a problem. Since the real issue is sensitive data at risk of exposure, Courion believes that integrating data loss prevention (DLP) technology into an identity architecture, along with IAM and SIM, adds even greater synergy.

DLP tells you when and where sensitive data is vulnerable, SIM tells you which user accounts have accessed the data, and IAM adds the business context of who the user is, what department they work for, what other access entitlements they hold, etc. The combination of identity, SIM and DLP makes it easier for security administrators and IT managers to focus their remediation efforts on those situations that represent the highest level of risk to the enterprise.
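The correlation described above can be sketched as a three-way join that drops SIM alerts with no sensitive data behind them and ranks the rest by identity context. This is an added example, not Courion's implementation; the feed shapes, account names, paths and scoring weights are constructed assumptions.

```python
# Constructed sample feeds (assumed shapes, not a vendor format).
DLP_FINDINGS = {  # resource -> classification of sensitive data DLP found there
    "//fs01/finance/payroll.xls": "PII",
    "//fs01/eng/design.doc": "internal",
}
SIM_ALERTS = [    # access events the SIM raised as alerts
    {"account": "asmith", "resource": "//fs01/finance/payroll.xls"},
    {"account": "svc_old", "resource": "//fs01/finance/payroll.xls"},
    {"account": "bjones", "resource": "//fs01/finance/payroll.xls"},
    {"account": "bjones", "resource": "//fs01/eng/design.doc"},
    {"account": "bjones", "resource": "//fs01/public/menu.txt"},
]
IAM_DIRECTORY = {  # account -> business context; svc_old has no identity record
    "asmith": {"dept": "finance", "status": "active"},
    "bjones": {"dept": "engineering", "status": "active"},
}
OWNING_DEPT = {"//fs01/finance/payroll.xls": "finance",
               "//fs01/eng/design.doc": "engineering"}
SENSITIVITY = {"PII": 3, "internal": 1}  # assumed weights


def score(alert):
    """Combine DLP, SIM and IAM data into (points, reasons); 0 points means low priority."""
    label = DLP_FINDINGS.get(alert["resource"])
    if label is None:
        return 0, ["DLP:no sensitive data found"]
    points, reasons = SENSITIVITY[label], ["DLP:" + label]
    who = IAM_DIRECTORY.get(alert["account"])
    if who is None:
        points += 5
        reasons.append("IAM:no owner on record")
    else:
        if who["status"] != "active":
            points += 4
            reasons.append("IAM:owner not active")
        if who["dept"] != OWNING_DEPT.get(alert["resource"]):
            points += 2
            reasons.append("IAM:outside owning department")
    return points, reasons


def prioritize(alerts=SIM_ALERTS):
    """Return (points, account, resource, reasons), highest risk first, zero scores dropped."""
    scored = []
    for a in alerts:
        points, reasons = score(a)
        if points > 0:
            scored.append((points, a["account"], a["resource"], reasons))
    return sorted(scored, key=lambda s: -s[0])
```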
