On Tuesday December 10th at 11:00 a.m. Eastern, Nick Taylor, Senior Manager for Enterprise Risk Services at Deloitte, will be joining us for a webinar titled, “Does Regulatory and Compliance Activity Actually Reduce Identity and Access Risk, or Is It a Rubber Stamp Exercise?” It’s sure to be an interesting conversation, and is a convenient way to earn Continuing Professional Education credits (CPEs) towards your CISSP certification.
Click here to register now.
The top audit issues from years ago are still today’s top audit issues – excessive access rights, removal of access after termination and lack of sufficient segregation of duties. Kind of makes you wonder why we bother preparing for and (hopefully) passing audits, given that breaches are becoming increasingly commonplace.
So does regulatory and compliance activity actually reduce risk? Join our panel to discuss:
- Providing least-privileged user access in an ever-changing environment
- Maintaining continuous compliance to get ahead of the audit
- Leveraging big identity and access data to uncover threats
If you register now and log in on December 10th at 11:00, you’ll be eligible to receive CPE credit towards your Certified Information Systems Security Professional (CISSP) certification.
The plight of the marketer is to distill the essence of a company’s mission in a way that it can be easily understood by virtually anyone. Since joining the IAM technology sector, I have sought a way to describe identity and access management to my mother. My mother is not stupid. She is on the board of three organizations. She hangs out with high-powered people such as politicians, journalists and rock stars like Joan Jett. She possesses the wisdom of a woman approaching 80 years old. But she does not know what IAM stands for, and recently, when I encountered a ‘domestic issue’, I realized that it provides the perfect metaphor to help my mother better understand IAM and access risk.
We at Courion examine data relevant to identities, rights and entitlements, policies, resources and activities. I will map these as they exist in my household:
With our daughter now in college, there are four ‘users’ in our household. It’s me, my wife, our cat and a newly acknowledged mouse. By newly acknowledged, I mean that while we knew we had a co-habitant, we were willing to coexist peacefully with the ‘orphan account’ until recent activities, as described below, heightened our awareness.
Our role definitions are:
- I am the primary breadwinner and alpha male. While I do not drink beer, I do enjoy watching football and other sports. I have access rights and entitlements to most everything, but not all things.
- My wife is the property manager and executive management. She has privileged access to all resources and must approve some things for me. For example, I must “ask permission from management” before I blow off yard work to go play golf. That is our segregation of duties to ensure that there is no taking advantage of the system.
- The cat thinks he is the alpha male, but is not. He thinks he has privileged access but he does not. In my view, he has rights in excess of his role and he’s always looking for more and is very vocal about it – especially at mealtime.
- The mouse is the rogue entity. Nobody provisioned access for him, although he probably considers us the intruders. We suspect he hacked his way in with an advanced persistent attack.
We have policies that govern our actions. I do the yard work, keep the cars maintained, and loaf around on Sundays. My wife keeps the home, manages finances, and provides executive oversight. The cat is an indoor cat, so he willingly enforces the “don’t go outside” policy himself and is forbidden to go in certain areas of the house. The mouse, unaware of any policies, seems to have the run of everything – the worst orphan account, excessive rights and privileged access case I’ve ever seen.
My wife has system administrator access to all resources at all times. There are resources she chooses to avoid, like power tools and other gasoline powered items. I have system administrator access to some things, but not all. For example, my wife writes the checks. If I want to write a check I have to ask her for one (more SoD).
The cat thinks he can access all resources, but hey, he’s a cat so perception is reality. He roams freely and has multiple spots to crash. But he doesn’t spend money or use power tools, so access risks are low.
The mouse on the other hand, is another story altogether. Unfortunately, we thought the orphan account was harmless, but recent further examination of the mouse’s ‘activity’ illuminated our organization’s resource access problems.
My car is in the shop right now. Apparently, the mouse, given his unchecked elevated access privileges, built a nest under the hood of my car. What’s more, he’d taken cat food from the house and carried it to the car to build the rodent equivalent of a two-story condo with a gourmet kitchen in my engine compartment – the heat of the engine is his microwave. To add insult to injury, he dined on the ignition wiring harness – apparently quite the tasty dish. Who said he had access to that level of cuisine? And, where’s the cat? It’s his responsibility to watch that access and revoke privileges.
It was the twice annual audit (routine car maintenance) and the large fines and penalties (auto repair bill) that highlighted these compliance violations. The car functioned fine last spring. I had no idea what had transpired since my last audit. And, everything seemed normal from the driver’s seat. How did all of this unwind without me knowing about it?
I clearly needed better role definition and access privileges. But, what I really needed was continuous monitoring so I could have stopped the construction of the mouse ‘pad’ before the damage was done. I could have taken remedial action when I spotted it. My inaction is now costing me fines and penalties and the cat’s brand is tarnished beyond repair and his competence as a mouser is in question. In any case, I have to take serious action, now. I am going to remove all access for the mouse/mice with a more drastic move. I have to de-provision all access as quickly as I can.
Ok, by using this metaphor I don’t mean to make light of people’s misfortunes other than my own. Identity and access management and risk mitigation are serious business and can hurt organizations badly. Someone challenged my creativity to see if I could relate this story to IAM issues. What can this tell us?
Periodic reviews to check for compliance are required. But, do they reduce risks? Maybe. In this case, it can reduce the normal car care risks associated with oil change, fuel injector replacements, routine maintenance and the like. It did not, however, reduce the unforeseen risks associated with unauthorized access and excessive rights. Continuous monitoring and frequent access checks would have mitigated the risk and kept things more in line.
How frequently does your organization conduct access certification reviews? Are you examining all access related activity to assess risk? Have you provisioned proper access from the start and do you have automated means to revoke access and privileges quickly?
We all know that deploying an enterprise IAM solution is a journey that entails making many different and often times critical strategic decisions. This journey is often described as long, stressful and tedious, but should it be?
Choosing the right vendor can alleviate many of the hurdles that organizations face in an IAM deployment project and can result in a faster, more successful implementation. This blog is intended to help customers in their evaluation process of IAM vendors, by addressing some important aspects that need to be considered and by raising some questions that need to be answered:
Purpose: Clearly defining the purpose of the project helps consolidate and clarify expectations for the IAM project. This is often not given as much attention as needed. As a result, expectations are not clearly stated and hence organizations struggle to make the right choice in selecting a vendor. Ask yourself this question—What is the primary goal of this project? Some examples are:
- Is it the help desk call volume that you are trying to reduce?
- Is it the end user experience that you are trying to improve?
- Is it the auditors you are trying to answer?
- Is it the overall risk posture that you are trying to secure?
Sometimes, it could be one or more of these. If that is the case, then prioritize the goals. Understanding what it is that you are trying to accomplish and clearly stating the goals and priorities will go a long way in your evaluation process.
Impact: Organizations can be shortsighted when it comes to understanding the impact a project such as this may have across the organization. This goes beyond those obviously impacted, such as the end users who will use the solution and the administrators who will manage the solution:
- Is the solution easy to use and will end-users be able to use the solution readily?
- Is the solution easy to administer?
- Does the solution need programming skills sets to deploy and maintain?
- How many people are typically involved in administering the solution?
- Does it only help reduce the workload of people performing provisioning/de-provisioning actions?
- Involvement from target system owners, help desk administrators, HR and marketing:
  - How does the solution integrate with the target systems?
  - How much of the target system users’ time is needed to support the deployment?
  - Does the solution help reduce help desk call volume?
  - How is HR information leveraged and how much of the HR department’s time is needed to support the integration?
  - Is marketing needed to promote the adoption of the solution? If so, what tactics are planned to expedite adoption?
Many organizations do a good job determining which target systems need to be part of the IAM project. For those that struggle with this decision, a good place to start would be to consider:
- High volume applications, for which most of the requests come through.
- Target systems, for which the provisioning teams spend the most time on.
- High-risk applications, for which you lose sleep because you fear that your organization may be at risk if the system was to be compromised.
- The applications that need to be part of the overall solution. Is the solution capable of integrating with these systems easily during any stage of the deployment process?
Processes: More often than not, organizations tend to think that their situation is entirely unique and that a custom solution is absolutely essential to address every detail in every process they currently have. While it is true that no two organizations have exactly the same set of requirements, the need to address every single detail quite often proves to be detrimental to the pace of the project. The result is that the project drags on for a long time. By the time the project gets “on its feet”, the requirements may have changed again.
The point here is to go back to the drawing board and map out the goals and requirements in priority order. By doing so, organizations may realize that with the right IAM solution in place, there may be simpler and more efficient approaches to addressing problems that they had previously been tackling through cumbersome processes or work-arounds due to a lack of tools or available information. Organizations should consider the IAM solution as not just a solution that automates processes but also as a solution that provides the ability to improve existing processes where possible.
Technology: Based on everything discussed so far, you may already be thinking about the technology that can support all of this. After all, everything that needs to be accomplished in an IAM project is driven by the underlying technology. Therefore, choosing a solution that can address both immediate and future needs is strategically important. Some of the questions that might help in determining the right technology are:
- Can the product satisfy all the requirements determined thus far, such as:
  - Ease of use
  - Ease of administration
  - Ease of target integration
  - Addresses various processes – both immediate and future needs
- Robustness—is the solution enterprise grade?
- What are the components of the overall IAM offering?
- Are each of those components built on the same platform, or are they cobbled together through acquisitions?
- What is the future road map for the product?
Ability to implement: Organizations dedicate a considerable amount of attention to choosing the “right technology”, but frequently undervalue the ability of the vendor to implement the solution. This often leads to an unbearably long IAM project or sometimes even a failed project. Key reasons for failed IAM projects include an inability to understand the magnitude of an enterprise IAM project, underestimating the complexities involved, not aligning expectations correctly, a failure to properly scope a stage-by-stage approach to achieve the ultimate goal and an inability to map out a proper path to success. The importance of choosing a vendor with the experience to clearly address each of these factors and consequently drive an enterprise wide IAM project to success cannot be overstated!
Conclusion: The factors addressed here and questions raised are not meant to be an exhaustive list of all that needs to be evaluated when choosing an IAM vendor, but are intended to highlight some of the key aspects you need to consider to make an informed decision to pick the right vendor and better ensure your success.
Managing an exploding number of users and identities as they match up to applications and resources can be a daunting task. It’s the traditional challenge of managing flexibility and performance against compliance and security. Sure we can do it quickly, but how many problems are we creating in the process?
One way to assess the value that intelligent IAM can provide to your organization is to understand the forces impacting IAM complexity and how that affects the organization. Consider this formula:
IAM Complexity = ((ID + Resources) * EC) ∆c
ID represents the number of identities managed by the organization and the anticipated growth of that identity pool over time. Does the community include identities outside of the organization, like supply chain participants? How quickly is the overall number increasing?
Resources are all the applications and data resources those user identities need to access at various times. This number is probably growing more slowly than the number of identities. But, the complexity rating goes up when you consider the confidentiality of those resources (ex: price list for the distributor network) and the reality that some of the applications being provisioned are being engaged without IT’s knowledge (SaaS applications).
EC represents environmental complexity. This is a variable that takes into account a wide range of factors, including stringent and changing regulatory environments, the degree of brand damage caused by a breach (higher damage, higher security), the growing inter-dependence and inter-connectivity of individuals and departments inside and outside the organization, global distribution, and heterogeneous computing platforms.
∆c represents the rate of change. How fast are things changing within your world? Are employees being hired and terminated on a regular basis? Do employees change roles or get promoted frequently? Are applications rolled out or retired on a regular basis? Does the regulatory environment change frequently or not at all?
Got it? Ok, how does the equation work? Identities are most likely growing the most quickly. Second are the applications and resources. But, while they may be in constant flux, the environmental complexity is much worse than identities or resources in terms of impact. However, the most debilitating variable is the rate of change. That’s the granddaddy of them all. So, of the variables, which one keeps you up at night – more identities, more assets and resources, environmental issues, or what’s changing?
Here’s a fictitious scenario to illustrate the point. I work at a company where things run very smoothly. We’ve been in business for generations and things just don’t change. Our employees are loyal and we’ve been working in the same jobs with the same partners forever. All our applications run on the same servers they’ve been running on for decades and we haven’t rolled out anything new in years. Cloud, mobile, social? Nah, no need. The business hums along and nothing changes. Ever.
If that sounds like your company, don’t waste your time evaluating IAM. You don’t need it. Go on raking in the money and sleep well at night.
But, like I said, that’s fiction. This is 2013 and it’s more accurate to say that company is Fantasy Land. With all the opportunities in a global market, a company like that has been dis-intermediated, has been put out of business by a low cost manufacturer out of an Asian country, or has a target on it from some enterprising group.
What about the opposite scenario? Our company has over 50,000 employees. Tenure is getting shorter and there are constant changes in roles and jobs. Our application and resource base turns over regularly with new applications constantly being rolled out and others retired. Some are in the cloud, some are SaaS, some run in house. We perform access certification reviews and audits quarterly and they are always a big deal – very disruptive and people are always very nervous. Mobile is everywhere and the business is always asking for something new, something based on the latest technology. Things are always changing. We may be buying a company, introducing new products and services, partnering with new companies, or re-organizing our company and resources. It’s a nightmare.
Does this sound more like your reality? Maybe you should consider looking at intelligent IAM.
Access to resources such as applications and data is the lifeblood of every company today. And providing access to employees, partners and company stakeholders has become increasingly complex. Nevertheless, users still expect immediate access to resources in order to get their jobs done. As a result, IT is constantly hustling to provide access quickly to maximize productivity.
As with most things in life, everything has a cost. While speed is imperative, providing improper or inaccurate access can impede business productivity and the company may be exposed to unnecessary or completely unforeseen risk.
To understand risk, you must first be aware of where threats exist by having visibility into the access granted, the resources and data behind the access granted, and how the granted access is being used. In order to do so, IT must walk through and review a mountain of data in multiple, not-necessarily-integrated systems to find the answer.
So how do you ensure that users have appropriate access given their roles, and that they are using those resources within governing policies? How do you easily and efficiently identify anomalies and outliers? How do you know which data points lead to risk when you must boil an ocean of big data to get to the answer? How do you do all of this continuously and in real time to manage risk on an ongoing basis?
At Courion, we think the answer lies in the big data inherent within IAM systems – Big Identity Data. Harnessing Big Identity Data brings IAM technology to its next evolutionary state and provides unprecedented value when applied correctly. The only way to do this is through a powerful analytical tool like Courion’s Access Insight. You must be able to aggregate billions of data points, apply analytics, and visualize risk and act on that information, not only to remediate at a single point in time, but also to improve ongoing processes or operations to prevent similar risks from occurring in the future.
Access Insight processes identity and access management data in a data cube, applies analytics, and produces intuitive visualizations of the relationships between the disparate elements of users’ identities, their access rights, their activity accessing application and data resources and the policies governing that access. Access Insight is completely integrated with Courion’s provisioning and governance modules to provide the tools needed to take action to remediate immediate risks as well as modify operations to prevent a reoccurrence of the same issue. As an Identity and Access Intelligence (IAI) solution, Access Insight can help you monitor access and compliance on a constant ongoing basis, despite the volume of Big Identity Data at hand.
In the coming months, you’ll hear us talk more about what we see as the next generation of IAM, intelligent IAM. Thanks to BID and the actionable analytics that Access Insight provides, we believe provisioning can be more informed by the existing activities and access in the enterprise and compliance can be maintained continuously, not just at individual points in time. The result? More efficient IT operations and streamlined audits.
Earlier this month Forrester released its Understand the State of Data Security and Privacy: 2013 to 2014 report, which attributes 36% of information losses to inadvertent misuse of data by employees. In July, the FBI’s CIO said that fully 19% of security incidents involve malicious insiders. If my public school math (.36 + .19 * (1-.36)) is correct, that means 48% of all losses are from insiders.
As a security professional, you also are a risk manager, correct? So it follows that:
- You align your scarce resources, such as budget, staff and strategic focus, in a manner commensurate with risks.
- You have suffered, are suffering or will soon suffer losses from inappropriate use of information.
- The pain you suffer may be from cash stolen from corporate bank accounts (which are not insured by the government like consumer accounts ;) or the loss of IP to a competitor; either way, the pain exists whether from an inside or outside threat.
- The likelihood that the problem will originate from an insider or an outsider is virtually the same (48% +/- a 2% margin of error ;).
So you allocate at least 50% of your threat prevention efforts to insider threats, right? Well, I hope so, but I doubt it. I scoured the web but I couldn’t find much to suggest that many of us care.
There are entire Gartner Magic Quadrants on the topics of ‘Firewalls’ and ‘Intrusion Prevention Systems’, but there’s nothing, not even a market study, on ‘Insider Threat Prevention Systems’.
The only real data I could find on spending on insider threats are post-Snowden-Manning quotes from embarrassed US government officials saying that they spend “millions” on the problem. Millions . . . really? So the US Government IT spending is north of $100B (that’s billion), and the Financial Times tells us that 5.6% of the typical IT budget is spent on security, so it follows that is about $5.6 billion. So say $5.6 “millions” would be about 1/10th of 1% of the security budget, for 50% of the risk.
This seems like a big problem for our industry, so I’m going to explore it over my next few blogs. First, the why? Why don’t people care much about insider threats? I think it may have to do with the way the brain works ;) After that, I’ll discuss some best practices – there’s a wide range of simple things you can and should do, but probably aren’t doing, to reduce insider threat and react quickly when something does happen.
One of the strengths of Courion's Access Assurance Suite is its ability to manage all sorts of accesses and resources painlessly. The Suite's access catalog can be configured with everything from Active Directory group memberships to real, physical assets like laptops and mobile phones. With Courion in place, you can track information about who has access to which resources in your organization. You can track granular levels of ownership as well as approval rights. You can also control how much technical detail the end user can see about an access.
However, one of the perpetual challenges during implementations I've worked on is that our Access Catalog is only as accurate as the data with which it is loaded. It's a very powerful tool, but it isn't magic. It needs to know certain key pieces of information about your environment, and without good data, as my high school calculus teacher once said in reference to the latest model of graphing calculator: "Garbage in, garbage out."
If you're on the verge of starting your Courion implementation, or even if you're only here looking to begin the process of learning about Identity and Access Management, there are some important questions that you should be answering within your organization:
- Who are the owners or responsible parties for each of your major applications?
- Are the owners also the people responsible for approving or rejecting requests for access to the system? If not, who are these people?
- Is access to any system controlled by another application (e.g., AD integrated authentication via a security group)?
- Who is responsible for providing approved access, especially if it is not one of the people cited above?
Our goal during an implementation is to build this catalog of access that gives you centralized, easy answers to the above questions, but gathering that data is a difficult and time-consuming process, and we cannot do it without your input.
Early identification of the stakeholders above will provide you invaluable resources for determining how each access item should be treated by the Access Assurance Suite.
It is reasonable to expect that you may receive some amount of pushback from these access owners at first. The task of compiling and assigning responsibility for every access item in your organization is a tedious addition to their regular responsibilities. However, if done correctly, and with their cooperation, their workload of tedious access requests will likely be reduced or eliminated once the Courion product suite is in place.
With this effort behind you, it will be far easier to monitor and manage access across the organization.
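As an added example (this is not Courion’s code, and it is not the Access Assurance Suite’s import format), here is a pre-load check that walks a constructed catalog extract and answers the four stakeholder questions above for every item: who owns it, who approves requests for it, whether another item such as an AD group controls access to it, and who actually provisions it. Anything that would be loaded with a gap is reported before the import. The finding codes, the rule that the approver should not also be the provisioner, and the sample directory of people are this example’s own assumptions.

```python
"""Pre-load data-quality check for an access catalog.

Added example; not Courion's code and not the Access Assurance Suite's
import format. Every record below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessItem:
    name: str
    owner: Optional[str]             # accountable business owner (None = unknown)
    approver: Optional[str]          # None means "the owner approves"
    provisioner: Optional[str]       # team or person who actually grants the access
    controlled_by: Optional[str] = None  # another catalog item that gates this one


# Hypothetical directory of people/teams who may be named as accountable parties.
KNOWN_PEOPLE = {"jdoe", "msmith", "itops", "netsec"}

# Constructed catalog extract, as it might be handed over before a load.
CATALOG = [
    AccessItem("SAP Finance", owner="jdoe", approver="msmith", provisioner="itops"),
    AccessItem("Payroll Reports", owner="msmith", approver=None, provisioner="msmith"),
    AccessItem("VPN", owner=None, approver=None, provisioner="itops",
               controlled_by="VPN-Users"),
    AccessItem("VPN-Users", owner="netsec", approver=None, provisioner="itops"),
    AccessItem("Legacy Reporting", owner="rjones", approver=None, provisioner=None),
]


def effective_approver(item: AccessItem) -> Optional[str]:
    """Who decides on a request: the named approver, otherwise the owner."""
    return item.approver or item.owner


def validate(catalog, known_people):
    """Return (item name, finding code) pairs for every gap that would be
    loaded into the catalog as-is. The finding codes are this example's own."""
    names = {item.name for item in catalog}
    findings = []
    for item in catalog:
        if not item.owner:
            findings.append((item.name, "NO_OWNER"))
        elif item.owner not in known_people:
            findings.append((item.name, "UNKNOWN_OWNER"))
        if item.approver and item.approver not in known_people:
            findings.append((item.name, "UNKNOWN_APPROVER"))
        if not item.provisioner:
            findings.append((item.name, "NO_PROVISIONER"))
        elif item.provisioner == effective_approver(item):
            # The person who approves a request should not also be the one who
            # fulfils it: the same segregation-of-duties gap auditors keep raising.
            findings.append((item.name, "APPROVER_PROVISIONS"))
        if item.controlled_by and item.controlled_by not in names:
            # The controlling item (e.g. an AD group) must itself be in the catalog.
            findings.append((item.name, "UNKNOWN_CONTROLLER"))
    return findings


def ready_to_load(catalog, known_people):
    """Names of items with no findings, i.e. safe to import now."""
    flagged = {name for name, _ in validate(catalog, known_people)}
    return [item.name for item in catalog if item.name not in flagged]


if __name__ == "__main__":
    for name, code in validate(CATALOG, KNOWN_PEOPLE):
        print(f"{name:18} {code}")
    print("ready to load:", ready_to_load(CATALOG, KNOWN_PEOPLE))
```

Run as-is it reports the payroll item whose owner both approves and provisions, the VPN item with no owner, and the legacy item whose owner is not in the directory and which nobody provisions; only the two clean items are reported as ready. Sending the flagged list back to the application owners before the load is the cheapest point at which to fix the data.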
Courion recently launched an ad campaign directed at the CSO community. In the campaign, we reference a quote by Albert Einstein that reads, “Intellectuals solve problems, geniuses prevent them.” What exactly does that mean in the world of IAM and security?
IAM technology has been evolving from the early days of provisioning. Governance put a pretty front-end on those systems and shifted the focus to compliance. But, as most internal auditors will tell you, our current regulatory and compliance activity is not helping to stem the tide in this age of escalating cyber risk. Does passing the access certification audit really address threat and reduce risk? Do IAM systems offer a potential solution? They contain tremendous amounts of information about users, their entitlements, their roles and their access. Given the fact that the majority of breaches come from insider activity, IAM systems should be a major source of information required to crack that code. IAM is ripe for the next evolutionary step, to be more intelligent.
In the case of IAM, the ability to know and act on information can help you reduce risk. Our goal is to provide you with intelligent IAM solutions that enable you to provision in a more informed way, so, for example, you do not create identities with access rights that violate governance policies in the first place. And further, if your IT department is able to maintain compliance on a continuous basis by maintaining vigilance informed by the system, or by running mini-certifications at times convenient for your department, we’re confident the big audits won’t be such a, well, big deal, anymore.
Today’s goal of IAM has to be to prevent problems, not just identify them. We are keenly focused on making our IAM solutions smarter, or more intelligent, so that the molehills of minor risk don’t ever have the chance to become the mountain of a major breech that can destroy your company’s value, because you can clearly see where trouble is brewing and take remedial action whenever needed. At Courion, we are in the business of preventing problems in the first place, not solving them once they have already occurred.
Return on investment. When an organization spends capital, the prudent CFO wants to know how much is coming back in cost savings, and when. This is not groundbreaking stuff, but when it comes to IT security in general and Identity and Access Management (IAM) in particular, finding the “R” for the ROI can be a real challenge. Often the “return” comes from a combination of efficiencies gained through automation and reduced organizational risk.
The first part is easy to get your head around, but still tricky to discuss in “CFO” terms. There are people executing manual tasks (creating, changing and terminating user accounts). In some organizations, teams of people are dedicated strictly to managing IT access. With automation, these teams get smaller and therefore cost less. But since these employees are more likely to be redeployed than let go, CFOs don’t usually see the “return”. So how do you quantify the value of the more useful stuff they are doing once they are no longer consumed with creating accounts for new hires? That’s going to take some doing.
Risk reduction is even more complicated, because now the return is more like the return on an insurance premium. If you never need it, it’s wasted money. When you do need it, the value is huge. To quantify the cost of risk, you are going to need to think like an insurance adjuster and start crunching statistical data. How much will a breach event cost the company? What are the chances it will happen with or without an IAM program in place?
The bottom line is, your “return” for any security program comes from any associated cost reduction combined with the reduced risk of loss. IAM is no different. There are significant opportunities to automate manual tasks and re-deploy staff to more interesting projects. At the same time, you will be reducing the organization’s exposure to risk of loss: loss of IP, loss of funds, and loss of reputation. Now if you’re going to present this to the CFO or the board and ask for a large capital expenditure, you had better start gathering statistics.
So where to start? These 10 questions should open up the conversation, and lead to even more questions.
General IAM questions:
- How many employees / non-employees do you need to manage access for?
- What are your high risk and high volume applications? Are they the same applications?
- What is it you are protecting, and what is it worth to the organization? What is it worth to the “bad guys”?
- What is the likelihood you will lose control of these valuable assets BECAUSE of a lack of robust access controls?
Provisioning and Password Management Questions:
- How many password resets and provisioning actions does your team process each year? How much time does that take?
- What is the cost of those resources? (salaries, benefits, etc.)
- How long do employees wait to get needed access or to have their password reset (lost productivity)?
Periodic Access Recertification Questions:
- How often does your organization perform access reviews?
- How many FTEs are needed to coordinate each review?
- How much time do managers spend looking at access review worksheets? Can this time be reduced and by how much?
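As an added example, not Courion’s model, here is how the answers to the questions above can be folded into one annual-return figure. It keeps the pieces separate so the CFO conversation stays honest: the labour hours automation frees (which, as noted above, are redeployed rather than returned as cash), the productivity recovered from shorter waits, the manager time saved on review worksheets, and the risk reduction expressed the way an insurance adjuster would, as annualized loss expectancy (single loss cost times annual probability) with and without the program. Every input value, the automation percentages and the two breach probabilities are constructed; the structure is the point, not the numbers.

```python
"""Turn the IAM business-case questions into one annual-return figure.

Added example, not Courion's model. Risk is valued as annualized loss
expectancy (ALE = single loss cost x annual probability). All numbers in
SAMPLE are constructed.
"""
from dataclasses import dataclass


@dataclass
class BusinessCaseInputs:
    # Provisioning and password management
    password_resets_per_year: int
    minutes_per_reset: float
    provisioning_actions_per_year: int
    minutes_per_action: float
    admin_hourly_cost: float            # loaded cost of the people doing the work
    reset_wait_hours: float             # how long a user is stuck per reset
    provisioning_wait_hours: float      # how long a user waits for new access
    user_hourly_cost: float
    automated_fraction: float           # share of actions automation removes (assumed)
    # Periodic access recertification
    reviews_per_year: int
    managers_per_review: int
    manager_hours_per_review: float
    manager_hourly_cost: float
    review_time_reduction: float        # share of worksheet time saved (assumed)
    # Risk of loss
    breach_cost: float                  # single loss expectancy
    breach_probability_without: float   # annual rate without robust access controls
    breach_probability_with: float      # annual rate with the IAM program in place
    annual_program_cost: float          # licence, operations, amortised deployment


def annualized_loss_expectancy(single_loss: float, annual_probability: float) -> float:
    """ALE: the expected yearly loss an insurance adjuster would price."""
    return single_loss * annual_probability


def business_case(i: BusinessCaseInputs) -> dict:
    """Return the labour, productivity, review and risk components of the
    annual return, plus ROI against the program's annual cost."""
    manual_hours = (i.password_resets_per_year * i.minutes_per_reset
                    + i.provisioning_actions_per_year * i.minutes_per_action) / 60.0
    hours_freed = manual_hours * i.automated_fraction
    labour_freed = hours_freed * i.admin_hourly_cost   # staff redeployed, not cash back

    wait_hours = (i.password_resets_per_year * i.reset_wait_hours
                  + i.provisioning_actions_per_year * i.provisioning_wait_hours)
    productivity_recovered = wait_hours * i.automated_fraction * i.user_hourly_cost

    review_cost = (i.reviews_per_year * i.managers_per_review
                   * i.manager_hours_per_review * i.manager_hourly_cost)
    review_savings = review_cost * i.review_time_reduction

    ale_before = annualized_loss_expectancy(i.breach_cost, i.breach_probability_without)
    ale_after = annualized_loss_expectancy(i.breach_cost, i.breach_probability_with)
    risk_reduction = ale_before - ale_after

    total_return = labour_freed + productivity_recovered + review_savings + risk_reduction
    return {
        "hours_freed": hours_freed,
        "labour_freed": labour_freed,
        "productivity_recovered": productivity_recovered,
        "review_savings": review_savings,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": risk_reduction,
        "total_return": total_return,
        "roi": (total_return - i.annual_program_cost) / i.annual_program_cost,
    }


# Constructed answers for a hypothetical 10,000-user organisation.
SAMPLE = BusinessCaseInputs(
    password_resets_per_year=20_000, minutes_per_reset=15,
    provisioning_actions_per_year=5_000, minutes_per_action=60,
    admin_hourly_cost=50.0, reset_wait_hours=0.5, provisioning_wait_hours=4.0,
    user_hourly_cost=40.0, automated_fraction=0.8,
    reviews_per_year=4, managers_per_review=300, manager_hours_per_review=2.0,
    manager_hourly_cost=80.0, review_time_reduction=0.5,
    breach_cost=2_000_000.0, breach_probability_without=0.10,
    breach_probability_with=0.06, annual_program_cost=600_000.0,
)

if __name__ == "__main__":
    for key, value in business_case(SAMPLE).items():
        print(f"{key:24} {value:>14,.2f}")
```

With the constructed inputs the productivity line dwarfs the labour line, which is exactly the argument the post makes: the hard savings from a smaller provisioning team are modest, and the case stands or falls on how credibly you can defend the wait-time and breach-probability estimates. Vary `breach_probability_with` and `breach_probability_without` first; they are the numbers the board will question.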
For more on building your business case, take a look at “It’s Not about the Money” which discusses how starting with a business case instead of just a budget line item can make you more likely to get final approval.
Tell Us What You Think: What questions are you asking to justify an IAM investment?
Guest post contributed by David Pignolet, Managing Director, SecZetta.
I’ve been involved in many IAM implementations. The driving factors for IAM solutions vary, but commonly I see implementations that include self-password management/synchronization as well as automated account provisioning driven by the need for cost savings and efficiency. The great thing about these implementations is that they are helping to limit the risk within their organizations almost as an afterthought. It’s really a win-win situation.
What often gets lost in the mix however is the identity part of IAM. As a matter of course, “the people information” for employees is gathered from Human Resources, and while sometimes there’s another source of information for non-employees, most of the time it’s some field in Active Directory or accounts are named a certain way to signify that the accounts are associated with non-employees.
It’s a scary proposition when you think about it because who actually knows who these people are? Where’s the accountability? These non-employees certainly don’t have the same level of loyalty to the organization as employees, yet they are often granted the same or similar access with a fraction of the due diligence.
So why is this happening so often in organizations? From my experience it boils down to one of two things, politics or cost, and sometimes a combination of both. Most HR organizations think that their charter is to manage employees and the information pertaining to employees only. On top of that, licensing for their systems can be exorbitant for the addition of a contingent workforce. Vendor Management organizations are only interested in contracts and certainly don’t want the responsibility of managing people. Unfortunately, Information Security and Information Technology are still responsible and held accountable for managing appropriate account access for these non-employees.
In my opinion, what is needed is a cost effective non-employee management system that allows and forces the business to manage data for non-employees that have access to an environment.