Courion Access Assurance Blog

Courion Corporation

IDC/RSA Survey: Inappropriate User Access Causes Greatest Financial Impact


A recent RSA-sponsored IDC survey on insider risk management produced some interesting findings, suggesting at the highest level that IT organizations may be focused on the wrong things when it comes to insider risk. According to the survey, CXOs tend to give higher priority to protecting their organizations against malicious insider attacks than to the more frequently occurring and potentially more damaging accidental insider breaches, of which inappropriate user access is a key element.

For example, the RSA security blog further revealed that while 65% of CXOs reported unauthorized or deliberate access to systems and data as their top concern, the same respondents cited 5,794 unintentional incidents created by excessive access rights - one of the highest categories of risk incidents over the last 12 months. CXOs also revealed that the greatest financial impact to their organization was caused by risks related to out-of-date or excessive access rights (17%) - again tied to unintentional user behavior.

Ultimately though, whether unauthorized access threats are internal or external, malicious or accidental, they all pose a major risk to sensitive data, and more broadly, an organization's brand integrity and financial and regulatory compliance posture. Inappropriate user access remains one of the top IT challenges for corporations, as this and numerous other industry surveys and analyst data continue to prove. A comprehensive Access Assurance strategy needs to be a core part of every organization's risk strategy to ensure that only the right people have the right access to the right resources and are doing the right things.

Federal Access Control Policies Require Holistic Approach


A few weeks back in a post on our blog, we discussed the shocking increase in non-compliance by government agencies with FISMA, as reported to Congress in a report from the U.S. General Accounting Office (GAO).  That report showed that the number of information security incidents had more than tripled to over 16,000 in the past 3 years alone, directly pointing to access control weaknesses and poor password management as prime factors.

Why are these numbers increasing when security technology has advanced and awareness has risen about the potential disaster that data breaches can cause?  For one, the ongoing search for a national cybersecurity coordinator hasn't helped matters.  Recently, Mischel Kwon, the director of US-CERT, the Department of Homeland Security's research and response unit, resigned to take a position at RSA.  That move was apparently in response to the cybersecurity leadership vacuum that has been growing since the resignation of Melissa Hathaway, formerly the top adviser on security and the architect of the administration's current policy on cybersecurity.  The position has become so nebulous, wide-ranging and open-ended, that many top security experts and public officials have turned down the role, viewing it as a no-win situation.  It is not clear when the leadership will come and from where.

Meanwhile, the General Services Administration's (GSA) e-Authentication Partnership that was initiated in 2004 was taken over and re-tooled by the Office of Governmentwide Policy last October, and the most recent advice from that office has been for federal agency leaders to "consider projects to keep pace with government-wide identity management initiatives."  Not very specific guidelines, are they?  In fact, there are several government consortiums (at least six according to a recent article by Alice Lipowicz for Federal Computer Week) that are currently working to create a blueprint for how federal agencies should be controlling access to shared data, and terms like "trusted federation," "authentication" and "credentials" are often used to describe the plans.

While cybersecurity leadership is clearly needed to drive security reform and get everyone on the same page in terms of how data should be shared responsibly, there is a major issue that agencies can address now, and that is the way in which access control and identity are viewed at the federal level.

Currently, identity management is tackled from an authentication perspective - meaning access to applications or systems is granted based on whether an employee is authenticated as being him or herself.   However, this is really only the first step in a true Access Assurance strategy.  Proving that an individual is who they say they are only provides one layer of security. It doesn't take into account many other factors, including whether someone's role in the organization or agency makes it necessary for him or her to have access to certain information at all.  Also missing from a basic authentication strategy is the remediation of open access that should have been closed due to an employee leaving the organization or changing roles.   Authentication or verification of individuals, while needed, does not provide a full access profile.

There is a need for a more overarching Access Assurance strategy across agencies, which will enable access compliance and transparency with regard to access control, ensuring that the right people have the right access to the right resources and that they are doing the right things.   Agencies should seek to widen their view of Access Assurance now while the wait for cybersecurity leadership continues, so they'll be ready to tackle the many inevitable changes that will be on the horizon.

Part 2 - Creating Budget Where None Exists


LINK TO PART 1 - Creating Budget Where None Exists 

Last week I introduced "Company X", a Courion customer that is delivering improved risk management and security via automated access compliance and attestation, and automated provisioning for over 100 applications - without spending a single budget dollar.   I discussed "understanding the multiple budgets of your organization" as Part 1 of a 4-part process for achieving this.  And now....for the rest of the story.

2. Understand Operations via Activity-based Costing

There is, of course, more to the story of Customer X.  Spending over $1 million with a vendor would surely result in an Expense Budget Impact of over $20,000 in 2009 and $0 in 2010, wouldn't it?  The next thing that Customer X did was evaluate its operations to determine what level of savings was attainable via this project's automation of manual provisioning and attestation processes.

In the first phase of automating provisioning and access compliance, Customer X knew that the organization was spending over 50 person-years manually adding, changing and deleting accounts across the first 100 applications it addressed.  They automated the provisioning and access verification for those applications, eliminated the admin staff positions, and booked the savings.

As Company X moved on to begin addressing the other 700 applications used by the organization, they did not have firm figures regarding the cost of administration and verification.   So they did what I would advise every organization to do:  they executed a thorough activity-based costing effort. 

    • Document the flow of the work - starting at the business action that drove the provisioning or compliance activity (hiring, promoting, introducing a new application service, SAS70 audit, semi-annual SOX attestation, etc.)
    • Identify all activities - who is responsible for them, how much staff time is required to execute them, how much time elapses from start to finish of the activity
    • Cost the activities - spread staff members' fully-burdened cost across all of the activities that they are responsible for executing

And once they understood the costs and cost drivers, they took a deeper dive into the company's accounting policies.

3. Understand their Accounting Policies

Disclaimer:  Accounting was my least favorite subject at business school.  Accounting rules seek to provide a comprehensive, accurate view of organizations' financial health, but there are times at which accounting rules drive behavior that is inconsistent with these goals.  I have always found that difficult to accept, but as I repeatedly tell my children:  "just because it doesn't make sense to you doesn't mean that you can ignore it!"

One of your first actions should be to sit down with your finance team, or the finance professionals in your IT organization - and learn about the rules.

What are the rules regarding amortization of capital expenses?  What is the definition of useful life for software (at least software that works!), and is there a maximum useful life?  (For the record, Courion customers have illustrated that the useful life of Provisioning Software is at least 10 years.)  Note that you will probably have a maximum.  Some other areas of focus:

    • Software capitalization policies.  Software costs not only can be amortized, but they typically are not applied to your IT Operating Budget until the software is implemented.  In the case of Customer X, Courion has been delivering 50 Connectors over the course of 9 months.  The amortized license and maintenance cost of each connector does not show up on the IT Operating (Expense) Budget report until it is implemented.
    • Services capitalization policies.  You may be able to capitalize services consulting expenditures.  Ironically for those of us in the techie world, this is a situation in which words really do matter!  Services such as design, configuration, testing and installation may be eligible for capitalization.  But be careful of your terms, because services such as consulting, project management, data conversion and overhead are typically not eligible.
    • Vendor contract options.  Talk to your vendor about providing a term or subscription contract if your organization's policy for "maximum" useful life of software is very short (18-24 months).

4. Step up to the plate - Extract the costs

Now comes the hard part - when you put the budgeting information, Activity-based Costing and Accounting Policies together to create a plan.  In order to "make budget" where none exists, you have to be willing to extract the costs that you have identified via the Activity-based Costing.  And you and your vendor partner will have to commit to achieving concrete objectives within agreed-upon timeframes - so that you can book savings when you need to, in order not to use budget dollars.

In the case of Customer X, they eliminated sufficient manual administrative work by automating the provisioning and attestation process for an additional 100 applications to reduce staff to pay for the entire project.  And while the manual work was most time intensive for applications that were not "Key Financial Applications", by bundling the work for those with Key Financial Applications, Company X was able to significantly improve controls around these key applications and improve their management of risk (and audit position).

So there you have it.  Four simple steps to self-funding IAM initiatives:

  1. Understand the budgets
  2. Perform activity-based costing
  3. Understand your organization's accounting policies
  4. Make the hard decisions and extract the cost

If a CISO follows this approach, he or she will drive considerable value to their organization by reducing risk and streamlining operations.  But more important even than delivering the value of this sort of self-funded initiative, the CISO will also transition from insurance salesman to business enabler.


Primary Observation from Catalyst 2009 – the Connector Problem

Another summer is waning and another Catalyst San Diego is behind us. As a regular attendee, I would give this year's conference fairly good marks. For me the key takeaways were:
    • The Lightning Rounds
    • The virtual compliance gap
    • The conspicuous lack of customer case studies demonstrating deep and broad success in the identity space.

The Lightning Rounds were new to the format this year. Vendors were given a very short time to explain why they mattered. It seemed an effective way to give attendees a taste of each dish so that they might go back and find out more if they were interested.  Most importantly, it was, dare I say, fun to watch - no time for death by PowerPoint sales pitches here - the presenting executives had their 6 minutes of fame and they were either going to bask in the glow of the lightning flash or be incinerated by it.

There was also a special moment for me that was akin to that rare time in adolescence when your parent does something that you are actually proud of. When my boss, Courion CEO Chris Zannetos, took the podium, he skipped the "Courion is about ensuring the right people get the right access to the right resources and they are doing the right things" blurb and went right to the heart of the matter - "This [use your favorite expletive] is hard". Clearly, automating identity and access management yields speed, efficiency and control and, while there are enough failed or mediocre deployments out there to make people wonder if it's worth all the fuss, there are brilliant successes, too. Chris used his time to share the key ingredients required for success - understand the risk, control and financial implications, take an incremental approach and, most crucially, choose your vendor partner with great care:

    • Ask for references and ask these references the tough questions. How many systems and applications are you managing? At what level of granularity? How long did the deployment take? What are you actually automating? How many people did it take to deploy? How many does it take to maintain?
    • Do a POC - a real POC, not a demo. Make the vendor take the shrink wrap off the software and install it on your iron and watch how difficult this is to do.
    • Ask them to share the risk. Will they commit to a price for all future connectors? Will they lead with a fixed price proposal for everything you need?

Chris took the high road and I was proud (please don't tell him).

The virtual compliance gap was also interesting - the identity track folks touched on the difficulty of demonstrating compliance in a virtual world and so did the virtualization folks, but it's clear a lot of work needs to be done before these areas converge. How, exactly, do you demonstrate compliance to geographically specific regulations when that data (and the entire application and server that's instantiating your business process) is automatically floated between different data centers in different parts of the world to manage power consumption? This is a topic for a future blog.

Finally, the conspicuous lack of deeply successful case studies was, for me, the most important observation and not entirely disconnected from Chris' comments about the importance of partnering with the right vendor. There were several "customer success" stories but the only one I heard that showed deep and lasting success was Wendy Booker from SunTrust Banks (full disclosure: a Courion customer.) In Wendy's case, she covered how they funded a robust access assurance program that manages fine grained entitlements for 35,000 people, with detailed roles and 50+ custom connectors automating all aspects of provisioning and compliance for hundreds of systems and applications - yielding dramatic control, efficiency and service quality improvements.

I hope I didn't miss an important session but most of the other deployments described seemed superficial, such as the case where it took 18 months to do 25 roles for 25,000 people and they only covered RACF and AD. Really? Most companies I know with 25,000 people are dealing in the range of 500-1000 applications, with hundreds of them being KFA (key financial applications for SOX) or HRA (high risk applications for the business). Surely 25 roles for this level of complexity does not begin to address the problem or opportunities.

I began to realize that the elephant in the room is connectors. All provisioning and/or compliance vendors have connectors for RACF and AD but this doesn't begin to meet the need for companies with this kind of scale and complexity. At Courion, we have 160+ out-of-the-box connectors, but what's the likelihood they will be the 160+ most important of the 1000+ that you need?

That's it then--the Achilles heel of the Provisioning and Access Compliance world is connectors. Can your vendor give you a low fixed price for as many as you need? Can they commit to a price in advance, even before you know what the applications are, so that you can plan and manage your deployment out of Phase I and into something that truly enables the business? The answer in almost all cases is, "No".

This is a problem that Courion has been working on for a long time - we understand the issues that make this difficult and we have tooled ourselves to address them. Today, not at some time in the future, we provide our customers unlimited connectors with speed and efficiency, and at one low fixed price - perhaps there's some fodder here for a future blog as well.

Creating Budget Where None Exists


In my last blog I mentioned that many customers had no formal IT budget.  In these volatile economic times, budget has become irrelevant as CFOs and other business executives are doling out money spoonful by spoonful, just as Captain Queeg doled out strawberries on the ill-fated USS Caine (yes, I realize that referencing a Humphrey Bogart movie dates me!).

Some customers adapted to this new reality by finding ways to continue to improve the security of their business operations via "self-funding" access provisioning and compliance automation projects.  One such organization - let's call them Customer X - recently executed a $1 million+ program with Courion to "get ahead of auditors" in access control and improve service to the business that will not use a single budget dollar!

This was possible because the customer's staff

    • were very smart about how they structured the project
    • knew their "provisioning and compliance attestation" operations deeply
    • were willing to make and execute some difficult decisions
    • worked with a vendor (Courion) whose product and services could deliver concrete business results - and that was willing to sign up to achieve operational milestones

I can understand that this may be difficult to believe....one million dollars spent, but no budget dollars spent?  It might be even harder to believe knowing that this customer had already automated provisioning for 30,000+ end users across 100 applications and in support of hiring, termination, promotions/role changes, and acquisitions.  This new project called for the addition of some provisioning and attestation workflows - and the development and implementation of 50 connectors (software) to industry-specific third party and homegrown systems which managed access to 210 applications.

So, how did they "make budget" where none exists?  They used a 4-part formula:

1. Understand the Budgets

The first thing that Customer X understood was that there wasn't one budget...there were multiple budgets.  They, like most organizations, had an Expense Budget which outlined the areas in which the IT organization would spend during the year.  Often called the IT Operations Budget, this is typically what people view as "The Budget", and it sets Financial Executives' expectations on what expenses from IT will be reflected in the organization's Income Statement. 

They had a Capital Appropriations Budget, which identified investment in assets which would benefit the organization beyond just one fiscal year.  Items on the Capital Appropriations Budget are reflected in the IT Operations Budget, but the costs are "capitalized".  That is, the value is amortized (spread out) across the useful life of the asset.  So what might appear as $120,000 in the Capital Appropriations Budget, would be represented by $60,000 in the IT Operations Budget for an asset with a 2 year useful life.

And finally, they had a Capital Expenditure Budget, which details the expected outflow of cash throughout the course of the year.

Most importantly they understood that their organization's goals and time-frame of relevance were different across these budgets. When they first approached executive management about this project, the response was "we have no budget."  What that meant was that there was no placeholder in the Capital Appropriations Budget.  They had made their plans for the year 6 months prior, and they were not willing to change priorities to place these 50 Connectors higher on the list.

But the sponsoring Executive did not let the effort stop there.  He knew that the company was focused on the overall Income Statement, and not on the Cash Balance or Capital Budget.  He told the team:  "bring me a plan that has a maximum hit on the IT Operations (Expense) Budget of $20,000 in 2009, and a net positive effect on that budget and cash flow neutral by mid year 2010."

This Executive understood that cash is different from expenditure (agreement to pay), which is different from expense.  For example, if a company licenses $600,000 of software that is delivered immediately and has a useful life of 3 years, with an agreement to pay 50% on signing and 50% 18 months after signing (for this example, we will assume no maintenance or services costs), the resulting impact would be:

                                          Year 1       Year 2       Year 3
  Capital Expenditure Budget Impact       -$300,000    -$300,000    $0
  Expense Budget Impact                   -$200,000    -$200,000    -$200,000
  Capital Appropriations Budget Impact    -$600,000    $0           $0

The moral:  keep reminding yourself that cash isn't agreement to pay which isn't expense.  And make sure that you understand the varied goals and management time-frames your organization puts around the Expense Budget, the Capital Appropriations Budget and the Capital Expenditure Budget.

LINK TO PART 2  -   The rest of the formula (Steps 2-4) to Create Budget Where None Exists - Understanding your operations, Understanding your firm's accounting rules, Extract the cost!

IAM Priority Remains Strong for Surveyed


There have been a number of indicators in the past few weeks which suggest the market for automated identity and access management (IAM) solutions will continue to see solid growth.

Industry expert and Network World columnist Dave Kearns recently reported on the results of a survey fielded at The Experts Conference this Spring, which found that:

  1. User provisioning and de-provisioning, and compliance reporting were the second and third toughest challenges facing the 240 IT managers surveyed
  2. Getting better tools and automation was at the top of the respondents' wish lists for the third year in a row.

Dave rightly points out that:  "It's been more than 10 years since the first provisioning applications/services were introduced and yet it's still presenting problems to IT departments. Admittedly, there's more to provision these days what with outsourced services and cloud-based apps." 

Additionally, a recent Deloitte & Touche survey of life sciences and healthcare organizations found that identity and access management is a top operational imperative and a core enabler of enterprise applications as access to information and data is a growing need.

Finally, Courion's own June survey found that the 59% of companies that have some form of automated tools in place (commercial or homegrown) for provisioning and de-provisioning employee access are still covering only a fraction of their systems and resources, making the continued opportunity to increase business value very compelling.

Many organizations today think that implementing an integrated IAM solution is a daunting, risky, and time-consuming process, and therefore hesitate to ensure that their access controls are appropriate for the business.  The truth is that today, the right access assurance strategy can be implemented quickly, cost effectively, and in stages that will minimize upfront investment and maximize short-term returns.  Getting quick wins under your belt can help validate your longer term security and compliance strategy. 

So, is your organization being protected from sensitive data breaches caused by inappropriate access?  If "no", then you're not alone, but that shouldn't be a welcome feeling.
