Most organizations have to demonstrate compliance in an increasingly regulated landscape. An important objective of compliance efforts is to ensure that the right people have appropriate access, particularly to high-risk applications and sensitive data such as cardholder information and personal health information. To satisfy these regulatory requirements, organizations conduct periodic reviews, typically every six months or a year, in which managers and other authorized personnel review users’ access and attest to whether those access rights are correct.
Based on media accounts, the number of security breaches per year is increasing dramatically. In many of these breaches, it has become apparent that the breached organizations were unaware that a security breach occurred. So why is this the case? Why are organizations more susceptible to breaches, even after performing periodic certification reviews and essentially passing audits?
The reason is the significant surge in the volume, variety and velocity of information. The Big Data storm has made it extremely challenging, if not impossible, for organizations to enforce high security standards while also achieving a high level of productivity. Much can change with users, their roles and responsibilities, their access rights and the resources they access in the time in-between periodic access reviews.
Hence, even though users’ access information is presented to reviewers, there is typically no context around that information. Reviewers do not quite know how, why or when users obtained the access. In fact, a recent survey conducted by Courion found 43 percent of IT security executives agreeing with the statement that their organization is unaware of when access privileges are increased or when access behavior departs from the norm. In addition, the volume of data that is presented is considerable, if not overwhelming. These reasons invariably drive reviewers to rubber-stamp. Clearly, this is not an effective tactic to truly mitigate organizational risk.
What organizations need is a continuous and comprehensive approach to identify access risks and employ preventative controls to mitigate those risks. The Courion Access Assurance Suite provides organizations with the ability to automatically revoke inappropriate access and/or perform risk-based certification reviews when a policy violation occurs or when a threat is detected.
Risk-based certification reviews provide complete context around the information being reviewed, thereby enabling managers to make more educated and informed decisions on whether a user’s access is appropriate or not. By performing these narrowly focused risk-based certification reviews on a continuous basis, organizations can not only satisfy audit requirements, but also mitigate potential risks in a more intelligent and efficient manner.
At last week’s Gartner IAM Summit in Las Vegas, it was fascinating to see how the conference has grown. Over 1,200 attendees made this the largest Gartner IAM event to date, which shows there is a huge amount of interest in identity and access management. Many were there to understand the basics, but there was plenty for IAM professionals looking to strategize for the future and seeking to maximize their IAM investment.
The highlights for Courion were two presentations that attracted close to 200 attendees. One was a case study featuring our own Kurt Johnson and Mark Teehan, an IAM Program Manager from Harvard Pilgrim Health Care.
In the presentation Mark described how his organization, a health benefits company that serves more than 1.2 million members, expanded its IAM program to reduce access risk across the organization by constantly monitoring and analyzing data generated by its IAM systems. The company has moved beyond provisioning and certification by implementing tools and processes to proactively identify and remediate the access issues that lead to business risk. For example, the organization has reduced orphaned and abandoned accounts and established a management process for system and non-human accounts, and has reduced accounts with privileged capabilities and those with unnecessary access. The session really resonated with attendees, judging by the number of questions and post-session conversations that occurred.
I held a lunch session that described how to assess risk before an IAM implementation. I reviewed how an Identity and Access Intelligence solution can help diagnose access risk in any organization and how an organization can take the findings from that diagnosis to formulate an actionable remediation plan. I spoke with a number of attendees who are working on the basics of IAM but who can clearly see the value of being more proactive. These attendees confirmed their desire to eventually deploy a continuous monitoring solution to address access risk.
For conference attendees who missed either session, or anyone who is interested in the topic, I highly recommend tuning into our upcoming webinar:
Tim Callahan, CISO of Aflac, and Kurt Johnson, VP of Strategy for Courion, will present “Keep a Constant Vigil: Risk-Aware IAM” on Monday, December 15th at 11:00 a.m. Eastern.
This webinar will help an IAM professional at any level. I hope you can tune in!
We recently conducted a survey and the findings reveal that while IT security executives understand the risk factors that lead to a data breach, their organizations may not be able to effectively remediate those access risks. Here's an infographic that highlights some of the findings:
A theme that is echoed over and over again in Identity and Access Management is that organizations do not have a comprehensive view of what is actually ‘in’ their environment.
For example, quite often they are unable to reliably answer fundamental questions such as:
• Who has access to what?
• Are there active, but abandoned accounts?
• Are there ungoverned privileged accounts?
• Do people have more access than they should when compared to what their peers have?
• Are there unused entitlements and if so what are those?
This is only a small subset of the questions that organizations strive to answer, and uncovering such information often highlights inefficient and sometimes even broken processes, for example:
• Contractor accounts are not disabled correctly. This may lead to active but abandoned accounts.
• Administrators grant administrative privileges directly in target systems, circumventing the request approval process. This may lead to ungoverned privileged accounts.
• Employees perform different job functions over the course of their tenure in the organization and access may not have been revoked appropriately. This may lead to people having excessive access when compared to what their peers have.
Over the past decade, many organizations have employed some level of automation. In traditional IAM, automation may help streamline certain processes, but it does not provide a continuous and comprehensive solution to address and mitigate all access risk issues. It is essential to realize that while automation can be a boon to organizations, automating inaccurate and broken processes can be a bane.
The key is to adopt an approach that combines strong fundamental IAM capabilities and access intelligence. Organizations must not only understand ‘what’ is in their environment and remediate policy violations, but also identify inefficient and broken processes and employ strong fundamental IAM strategies to address those. Yes, this is a shift from the traditional approach, but it enables organizations to focus on the most important areas and mitigate risk quickly and effectively.
This week at London’s Hotel Russell, the Identity Management 2014 conference brought together hundreds of technology professionals and security specialists across government and enterprises of all sizes and industries.
It was fascinating to hear from industry leaders discussing the next generation of Identity and Access Management, representing diverse firms and organizations such as ISACA, Visa Europe, Ping Identity, CyberArk, and beverage giant SABMiller.
A highlight for me was a session that included Nick Taylor, Director of IAM at Deloitte, and Andrew Bennett, CTO of global private bank Kleinwort Benson.
Taylor discussed the challenges that IAM professionals face in making access governance reviews business friendly, as often there is not enough context to understand the risks that they face. For example, an equities trader making lots of trades at a certain time of the day may be normal, but maybe not so normal if that trader is doing it from different locations or geographies.
Bennett supported that notion by pointing out that technical jargon can mask risk that exists, so he recommended that the financial services industry look into the concept of identity and access intelligence and start taking it on now. Adopting such a solution is not a case of throwing more tools at the problem; it is a matter of having the right tool to make sense of the mess.
It was also good to hear our partner Ping Identity's session “It’s Not About the Device – It’s All About the Standards” and how modern identity protocols allow the differentiation of business and personal identities.
Overall, a good conference that provided attendees with lots of opportunity to learn best practices and hear how their colleagues are approaching identity management. But rather than waiting for next year’s conference, anyone can learn more in the near term by attending Courion’s upcoming webinar “Data Breach - Top Tips to Protect, Detect and Deter” on Thursday, November 20th at 11 a.m. ET, 8 a.m. PT, 4 p.m. GMT.
“Too much to do, too few resources.”
This is a phrase that all too frequently comes up in the discussions that I have with IT staff in organizations around the globe. They feel never-ending pressure to improve security and service to the business, but usually with the same or fewer resources. This is a challenge that is especially glaring when trying to marry solid Identity and Access Management practices with current business processes.
For example, a security manager I spoke to at a large health organization was nearly brought to tears as he talked about the need to accurately track an ever-changing user population where the same person might move through multiple roles and through multiple access scenarios in the course of just a week. At another organization, a help desk manager I worked with wrestled daily with an avalanche of access requests from users who had no idea what access to request, and were seeking help from administrators who in turn had no idea what access users actually needed.
What’s often needed in these situations is an IAM program centered on incremental progress that provides some instant relief while also generating the time and resources needed so that the program can subsequently be expanded into a comprehensive solution. The key is to know where to begin, and to aim for quick business value. Those quick wins help free up resources by simplifying and automating processes that typically suck up valuable manpower and time. Each incremental win then makes it easier to maintain momentum and expand user buy-in within the organization.
To get started with an IAM program that supports this kind of continuous improvement, you should first understand your identity and access landscape. By leveraging intelligence, as with Courion’s Access Insight, you can get an immediate evaluation of Microsoft Active Directory, a key system for most organizations. The dashboards included with Access Insight highlight potentially urgent security issues as well as IAM processes that may be broken. Access Insight integrates with the Access Assurance Suite or other IAM solutions so you can drill down to fix those broken processes and promptly disable access for terminations and properly manage non-employee access.
Another benefit of getting the big picture view of your identity and access landscape with Access Insight is to better understand who has access to what and to put automated processes in place to refresh that information at least daily. Even the most complex scenarios benefit greatly from putting rules in place that can automatically map access for 70-95% of the workforce. Allowances can be made for exceptions to be handled manually so that no one falls through the cracks.
With this real-time access information available as a foundation, you can then tackle any number of pain points. For example, most often, the onboarding and offboarding processes for user accounts cry out for attention. Offboarding, both planned and unplanned, is generally simple to address with an intelligence-enabled IAM solution such as the Courion Access Assurance Suite, alleviating security and/or audit concerns.
In addition, automating at least basic, birthright access for new hires can be both a quick win and a foundation for continuous improvement. Role-based access can be incrementally added to the new hire process. You can pick and choose where it’s worth investing effort, for example, where job turnover is high, or where access is very similar across a function. Implementing some roles into this process delivers a triple win – providing the right access (better security) at the right time (improved service) and reducing the number of access requests (boost IT efficiency).
Leveraging intelligence, you can start to cut down on the effort required to develop roles. Intelligence solutions such as Access Insight use analytics to attack the mountain of access data available to find those access patterns to suggest appropriate access for a user. Let the computer do the work!
If your help desk is struggling to keep up, there are several ways to alleviate the pressure while also enhancing security and providing better customer service. For example, a streamlined, centralized access request process provides these multiple benefits.
I often remember an IT manager I worked with at a manufacturing company whose request process included 140 different forms! It was a huge improvement when we helped his organization move to a simple, one-stop access request shopping solution that included a full audit trail and built-in approval process.
With an intelligence-enabled IAM solution such as the Courion Access Assurance Suite, the request process is enhanced because it provides guidance to the user regarding what to request. This is done via intelligent modeling of user access, which suggests access options based on users in similar roles. The Access Assurance Suite also provides ‘guard rails’ against the inadvertent provisioning of inappropriate access because it automatically checks for possible policy violations, such as Segregation of Duties, during the request process.
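The peer comparison described earlier (excess access relative to what peers hold) and the request-time guidance and Segregation of Duties guard rail described here both rest on the same peer-group model. The following is an added example, not Courion code: it computes entitlement prevalence within a peer group over a constructed user set, flags entitlements few peers hold, suggests common peer entitlements a requester lacks, and checks a requested entitlement against an assumed toxic-pair policy.

```python
from collections import Counter

# Constructed sample: user -> (peer group, entitlements held). Not real data.
USERS = {
    "fin1": ("finance", {"erp_gl", "email", "vpn"}),
    "fin2": ("finance", {"erp_gl", "email", "vpn"}),
    "fin3": ("finance", {"erp_gl", "email", "vpn", "git_admin"}),      # moved over from engineering
    "fin4": ("finance", {"erp_gl", "email", "vpn"}),
    "fin5": ("finance", {"erp_gl", "email", "vpn", "payroll_admin"}),  # already an SoD conflict
    "eng1": ("engineering", {"git", "email", "vpn"}),
    "eng2": ("engineering", {"git", "email", "vpn", "git_admin"}),
}

# Assumed SoD policy: entitlement pairs one person must not hold together.
TOXIC_PAIRS = {
    frozenset({"erp_gl", "payroll_admin"}),
    frozenset({"ap_invoice_entry", "ap_payment_release"}),
}


def peer_prevalence(users, group, exclude=None):
    """Fraction of `group` members (optionally excluding one user) holding each entitlement."""
    peers = [ents for u, (g, ents) in users.items() if g == group and u != exclude]
    if not peers:
        return {}
    counts = Counter(e for ents in peers for e in ents)
    return {e: n / len(peers) for e, n in counts.items()}


def outlier_entitlements(users, user, max_prevalence=0.2):
    """Entitlements `user` holds that few peers hold: candidates for a focused review."""
    group, ents = users[user]
    prev = peer_prevalence(users, group, exclude=user)
    return sorted(e for e in ents if prev.get(e, 0.0) <= max_prevalence)


def role_candidates(users, group, min_prevalence=0.8):
    """Entitlements common enough in a group to model as a role or birthright bundle."""
    prev = peer_prevalence(users, group)
    return sorted(e for e, p in prev.items() if p >= min_prevalence)


def suggest_for_request(users, user, min_prevalence=0.8):
    """What the request form should suggest: common peer entitlements the user lacks."""
    group, ents = users[user]
    return [e for e in role_candidates(users, group, min_prevalence) if e not in ents]


def sod_violations(held, requested, toxic_pairs=TOXIC_PAIRS):
    """Guard rail: toxic combinations that granting `requested` on top of `held` would create."""
    return sorted(tuple(sorted(pair)) for pair in toxic_pairs
                  if requested in pair and (pair - {requested}) <= set(held))
```

Rare entitlements are only a review signal, not proof of excess: `fin3`'s `git_admin` may be a legitimate exception, which is exactly what the reviewer is asked to attest to.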
As fundamental as it may seem, a self-service password management solution is also of great benefit to users, IT and help desk staff. Password reset calls often account for 25% or more of help desk calls. Shifting those inbound requests to a self-service process will free up IT and help desk time to tackle more high value activities while allowing end users to avoid waiting on a phone to get a password reset.
Last on this list, but not last in priority, is the recertification of user access. Access recertification is a best practice and, likely, a legal and audit requirement. With an intelligence-enabled IAM solution in place, this effort can begin by assembling data that details ‘who has access to what’. You can then leverage that information to provide a business-friendly recertification process that does not tax IT resources with hours of assembling spreadsheets from a multitude of systems.
While periodic re-certifications are important and necessary, intelligence also allows you to trigger automated ‘micro-certifications’ based on policies you define. For example, you may create a policy where a user who gets access to highly sensitive data outside the norm kicks off an access recertification process. This type of risk-aware micro-certification reduces the kind of access risk that exists where waiting six months for the next review could be dangerous. It has the added benefit of maintaining compliance continuously, thus expediting the next audit you face.
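One way to implement such a micro-certification trigger, as an added example that is not Courion code: entitlement grants observed in a target system are reconciled against approved access requests, and any grant made outside that workflow (including the direct grants by administrators mentioned earlier) opens a recertification task for the user's manager, with higher priority when the entitlement is tagged as guarding sensitive data. The sensitivity tags, sample feed and seven-day approval window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed sensitivity tags: entitlements that guard regulated data (PHI, cardholder data).
SENSITIVE = {"phi_claims_db", "cardholder_vault"}


@dataclass(frozen=True)
class Grant:            # an entitlement assignment observed in a target system
    user: str
    entitlement: str
    granted_at: datetime
    granted_by: str


@dataclass(frozen=True)
class Request:          # an access request approved through the IAM workflow
    user: str
    entitlement: str
    approved_at: datetime
    approver: str


def covered_by_request(grant, requests, window=timedelta(days=7)):
    """True if an approved request for the same user/entitlement precedes the grant within `window`."""
    for r in requests:
        if r.user == grant.user and r.entitlement == grant.entitlement:
            age = grant.granted_at - r.approved_at
            if timedelta(0) <= age <= window:
                return True
    return False


def micro_cert_tasks(grants, requests, managers):
    """Emit a recertification task for every grant made outside the approved workflow.

    `managers` maps user -> manager login; users without a manager (for example
    service accounts) are routed to a security review queue instead of a person.
    """
    tasks = []
    for g in grants:
        if covered_by_request(g, requests):
            continue                                   # the norm: approved, nothing to do
        reasons = ["no_approved_request"]
        if g.granted_by == g.user:
            reasons.append("self_granted")
        sensitive = g.entitlement in SENSITIVE
        if sensitive:
            reasons.append("sensitive_data")
        tasks.append({
            "user": g.user,
            "entitlement": g.entitlement,
            "reviewer": managers.get(g.user) or "security-review-queue",
            "priority": "high" if sensitive else "normal",
            "reasons": reasons,
        })
    return tasks


# Constructed sample feed (not real events)
T0 = datetime(2014, 12, 1, 9, 0)
REQUESTS = [
    Request("alice", "phi_claims_db", T0 - timedelta(days=2), approver="bob"),
    Request("dave", "wiki_edit", T0 - timedelta(days=30), approver="bob"),   # approval too old
]
GRANTS = [
    Grant("alice", "phi_claims_db", T0, granted_by="iam_connector"),                   # approved
    Grant("carol", "cardholder_vault", T0 + timedelta(hours=1), granted_by="admin2"),  # direct grant
    Grant("dave", "wiki_edit", T0 + timedelta(hours=2), granted_by="admin2"),          # stale approval
    Grant("admin2", "domain_admins", T0 + timedelta(hours=3), granted_by="admin2"),    # self-granted
]
MANAGERS = {"alice": "bob", "carol": "bob", "dave": "erin"}


def demo():
    return micro_cert_tasks(GRANTS, REQUESTS, MANAGERS)
```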
Clearly, it’s possible to make significant progress in a relatively short time. The key is that these are not Band-Aid solutions, but the bricks that form a solid foundation for building a comprehensive, flexible and risk-aware IAM solution.
Kurt Johnson, Vice President of Strategy and Corporate Development, has posted a blog on Wired Innovation Insights titled “Data Breach? Just Tell It Like It Is.”
In the post, Kurt discusses the negative PR implications of delayed breach disclosure and recommends improving your breach deterrence and detection capabilities by continuously monitoring identity and access activity for anomalous patterns and problems, such as orphan accounts, duties that need to be segregated, ill-conceived provisioning or just unusual activity.
Today, Courion was named a leader in the 2014 Leadership Compass for Access Governance by KuppingerCole, a global analyst firm. Courion’s Access Assurance Suite was recognized for product features and innovation, and as a very strong offering that covers virtually all standard requirements. In the management summary of the report, Courion is highlighted as the first to deliver advanced access intelligence capabilities.
Courion was also recognized as a leader in the Gartner Magic Quadrant for Identity Governance and Administration (IGA) and as a leader in the KuppingerCole Leadership Compass for Identity Provisioning earlier this year.
The US Department of Homeland Security recently published a Public Service Announcement, “Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information”, touching on multiple (and all too familiar) insider threat scenarios.
This announcement is the proverbial icing on the “insider threat” cake baked a long time ago. Disgruntled employees, malfeasance, or general conduct unbecoming are nothing new. What is new is recognition that bad actors act with alarming efficiency to siphon off value from companies. These 21st century digital pickpockets of sensitive data and proprietary information are a new challenge with their blazing speed and seemingly invisible movement within their firms.
Of the ten recommendations offered to confront this issue, seven focus on Identity and Access Management (IAM) tasks. First on the list is: “Conduct a regular review of employee access and terminate any account that individuals do not need to perform their daily job responsibilities.”
Clearly a prudent recommendation. Yet, an elusive goal for even the most sophisticated IAM teams. How do you align regular reviews with a continuously evolving threat? How do you elevate existing risk management operating procedures without impeding your normal course of business? With internal personnel moves occurring by the hour, how can you possibly ensure that the right people have the right access to the right information and are doing the right things with it?
The way forward must be a combination of strong IAM fundamentals coupled with the innovative capability found in identity and access intelligence solutions such as Courion’s Access Insight™. Access Insight helps firms redefine access management practices to take IAM beyond the traditional and into the exceptional. For example, Harvard Pilgrim Health Care uses Access Insight to document exactly who is accessing PHI in order to streamline and enhance their audit readiness for federal HIPAA regulations.
Tasks previously impractical to pursue are now within reach when you leverage Access Insight’s big data framework. This actionable intelligence enables you to close the access risk process gap inherent in traditional IAM models. For example, Universal American uses Access Insight to analyze and compare current user access behavior to historical norms in near real-time to spot unusual behavior and trigger actionable alerts.
Allow us to speak with you about our proven approaches to reduce access risk. Ask about how our Access Risk Quick Scan offer can help you uncover your organization’s access risk – in just hours. Check us out and let us help you take your IAM beyond the traditional to the truly exceptional.
We all have skeletons in our IT closets that we'd rather forget about. In nearly every organization’s network, there is a legacy application or old piece of infrastructure that is bound to reach the end of its useful life at some point, yet plans for removal of obsolete technology typically do not exist. What we often fail to consider, however, is the fate of our service accounts associated with these aging applications and infrastructure. Unmanaged or unused service accounts represent a qualified, and in the case of Target Corporation, hugely quantifiable, risk to any organization. Continuous intelligence-based pattern recognition and monitoring using an identity and access analytics product like Courion Access Insight is the easiest and most effective way to mitigate such risk.
Service accounts are accounts on a system that are intended to be used by software in order to gain access to and interact with other software. Correspondingly, it is common practice that passwords for such service accounts are not frequently changed, so that the loss of this interconnectivity can be avoided. These accounts are also frequently highly privileged, allowing a large number of activities to be integrated between systems.
How is this a risk if the accounts aren't meant for humans?
At its core, the Target breach was no more complicated than the hacks often seen on the news when someone has altered the message displayed on a road construction sign: an attacker finds or knows of a default service account and password that exists on the system and exploits it to gain access.
The Target breach was only slightly more complicated: attackers were aware of a service account laid down automatically by the installation of BMC software. The attackers were able to leverage that service account to elevate the privileges of a new account they created for themselves on the network, and the rest is history. The attack cost Target an estimated $2.2 billion, and highlighted that some common IT practices may not be "best" practices at all.
How can this threat be managed? How does one even identify a service account?
When service accounts have been purposefully created, identification of these accounts can be straightforward: naming conventions within your IAM system can be applied that mark an account as a service account. However, too often there's no such obvious clue. This is where the pattern and trend recognition provided by an identity and access intelligence solution like Access Insight becomes key. The intelligence engine acts like a detective. It uses the circumstantial evidence about an account's activity and history to determine its purpose. The engine analyzes things like password reset history, login history, privilege patterns, ownership, and more to determine which accounts may be service accounts and which may represent a high risk of compromise.
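The kind of circumstantial scoring described here, as an added example that is not Access Insight's engine: each account from a constructed directory extract is checked for naming, logon pattern, password age, ownership and privilege signals, the hits are weighted (assumed weights, the sort of risk weighting a team would tailor to its own environment), and accounts are ranked into a colour-coded priority view. An account that logs on like a machine but also shows interactive logons is weighted heavily, since that is a service credential being used at a keyboard.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Account:
    name: str
    owner: Optional[str]              # linked human owner in the IAM system, None if unknown
    last_password_change: date
    interactive_logins_90d: int       # console / RDP logons, i.e. a person at a keyboard
    noninteractive_logins_90d: int    # service, batch or API logons
    privileged_groups: List[str] = field(default_factory=list)


# Assumed weights: the risk weighting a practitioner tailors to their own network.
WEIGHTS = {
    "service_like_naming": 1.0,
    "machine_like_logons": 1.0,
    "stale_password": 2.0,
    "no_owner": 2.0,
    "privileged": 3.0,
    "interactive_use_of_service_account": 3.0,
}


def signals(acct, today):
    """Circumstantial evidence that an account is an unmanaged service account."""
    machine_like = (acct.noninteractive_logins_90d > 0
                    and acct.noninteractive_logins_90d >= 5 * acct.interactive_logins_90d)
    return {
        "service_like_naming": acct.name.lower().startswith(("svc", "app_", "sa_")),
        "machine_like_logons": machine_like,
        "stale_password": (today - acct.last_password_change).days > 365,
        "no_owner": acct.owner is None,
        "privileged": bool(acct.privileged_groups),
        "interactive_use_of_service_account": machine_like and acct.interactive_logins_90d > 0,
    }


def risk_score(acct, today, weights=WEIGHTS):
    return sum(weights[k] for k, hit in signals(acct, today).items() if hit)


def rating(score):
    """Colour-coded priority bucket for the prioritized view."""
    return "red" if score >= 7 else "amber" if score >= 3 else "green"


def rank_accounts(accounts, today):
    """Rows of (name, score, rating, triggered signals), most risky first."""
    rows = []
    for a in accounts:
        s = risk_score(a, today)
        hits = sorted(k for k, hit in signals(a, today).items() if hit)
        rows.append((a.name, s, rating(s), hits))
    return sorted(rows, key=lambda r: -r[1])


# Constructed sample directory extract (not real accounts)
TODAY = date(2014, 12, 1)
SAMPLE = [
    Account("svc_backup", None, date(2011, 3, 14), 0, 900, ["Domain Admins"]),
    Account("app_monitor", None, date(2013, 6, 1), 3, 400, ["Server Operators"]),  # vendor-installed agent
    Account("svc_reports", "ops-team", date(2014, 9, 15), 0, 120, []),
    Account("jdoe", "jdoe", date(2014, 10, 20), 60, 2, []),
]
```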
We have quarterly compliance reviews, surely that will catch the risks, right?
Modern access governance is critical, but there are some gaps that modern attackers have learned to exploit. The biggest gap is speed. The typical organization will perform compliance reviews quarterly. These compliance reviews are great for looking back in time and reviewing what has happened, but they're not timely enough to catch an attacker red-handed.
As an analogy, consider the robbery of a bank vault. If it is discovered three months later, the knowledge of what happened doesn't really help much. But if an alarm sounds right away and summons the police, this will help. Similarly, Access Insight gives you the tools to sound that alarm immediately, so you can understand what is happening within your network so you can take steps to remediate it at that moment, not in three months when the hacker is long gone with your data.
The next biggest gap is complexity. Large organizations can suffer from data overload. A compliance review may or may not catch every service account risk in the organization, since a risky account may be hidden somewhere amongst thousands of pages of mundane, normal accounts. They're easy to overlook, and hard to find after the fact. Access Insight uses built-in algorithms combined with risk weighting you tailor to your network. This provides you with a color-coded, prioritized view of your organization's risk.
How fast can the problem be tackled?
To assist with this problem, Courion now offers a complimentary quick scan evaluation of access risk which leverages Access Insight, to help organizations gauge whether they have an ungoverned or unmanaged service account problem. This quick scan can often be completed in a single day and provides a prioritized view of where remedial action is needed most. Of course, fully deploying Access Insight on your network, regardless of what IAM suite you have installed, will give you the visibility, or insight, you really need through continuous monitoring to find and fix access-related risk, now and on an ongoing basis, not just at a point in time.