Purdue Pharma L.P., a privately held pharmaceutical company based in Stamford, Connecticut, has selected the Courion Access Assurance Suite™ after an evaluation of several competing offerings. The pharmaceutical company will leverage the intelligence capabilities of the Access Assurance Suite to maintain regulatory compliance and mitigate risk.
Purdue Pharma, together with its network of independent associated US companies, has administrative, research and manufacturing facilities in Connecticut, New Jersey and North Carolina.
With implementation of the intelligence capabilities within the Courion IAM Suite, Purdue will be able to leverage this product to automate routine IAM tasks and maintain compliance with US Food & Drug Administration requirements.
Now that Cloud Identity Summit is over, I’m taking some time to reflect on the Intelligence workshop. In the workshop we looked at some of the IAM approaches used today and some of their limitations. Given that the bad guys are motivated and creative, we need to look to new techniques to detect and deter them. Applying analytics and Intelligence fundamentally changes the game from the traditional approaches.
Reports on data breaches illustrate the large contribution that hackers make to data breaches as compared to other causes such as a lost laptop or lost media. As an example, check out:
– Ponemon’s 2014 report on the cost of data breaches, which states, “In most countries, the primary root cause of the data breach is a malicious insider or criminal attack.”
– Verizon Data Breach Investigations Report, which states, “. . . 92% of the 100,000 incidents we’ve analyzed from the last ten years can be described in just nine basic patterns.”
– New York State Attorney General Data Breach Report, “Hacking attacks accounted for over 40 percent of data security breaches, between 2006 and 2013.”
So just how prevalent are data breaches? Consider these statistics, which come from the aforementioned New York State Attorney General Report on data breaches:
– 20M: the population of New York City in July 2013
– 7.4M: the number of residents breached in 2013, that’s about 85% of the population
– 900: the number of breaches in 2013, about 2.5 per day or 8,000 records/breach. BTW, the number has tripled since 2006
– $1.3B: the cost to the public and private citizens of these breaches
So what’s missing from today’s techniques? We see two major challenges.
Deterrence: What can you do NOW in IAM to reduce the likelihood of a breach? Clean house and reduce the attack surface: get rid of abandoned accounts, make sure orphan accounts are properly managed, eliminate access that is not needed, keep superuser and administrator accounts to a minimum, and manage to least privilege. For further confirmation of these suggestions, see the 2014 Verizon DBIR recommendations and version 5 of the SANS Critical Security Controls:
The 2014 Verizon Data Breach Incident Report recommends 4 identity and access management tactics to address insider and privilege misuse:
– Know your data and who has access to it
– Review user accounts
– Watch for data exfiltration
– Publish audit results
And the SANS Institute, a leader in computer security training, offers version 5 of the organization’s Top 20 Critical Security Controls, which recommend several identity management processes:
– Controlled Use of Administrative Privileges
– Maintenance, Monitoring, and Analysis of Audit Logs
– Account Monitoring and Control
– Data Protection
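An added example (not Courion's code or the page's own) that implements the "clean house" checks above over a constructed account inventory: orphan accounts whose owner is no longer in the HR roster, abandoned accounts with no recent login, and superuser rights held by roles that do not need them. The roster, account names, the 90-day idle threshold and the roles allowed to hold admin rights are all assumptions.

```python
"""Account hygiene checks over a constructed account inventory.

Added example, not Courion's code. It implements the deterrence items
listed above: orphan accounts (owner not in the HR roster), abandoned
accounts (no login within a policy threshold) and unnecessary superuser
rights. All names, dates, roles and thresholds are constructed/assumed.
"""
from datetime import date, timedelta

# Constructed HR roster: the people who should currently own accounts.
HR_ACTIVE = {"fred", "barney", "wilma"}

# Constructed account inventory pulled from a directory and login history.
ACCOUNTS = [
    {"name": "fred",       "owner": "fred",    "last_login": date(2014, 7, 1),  "admin": False, "role": "sales"},
    {"name": "barney",     "owner": "barney",  "last_login": date(2014, 6, 28), "admin": True,  "role": "helpdesk"},
    {"name": "svc_backup", "owner": "dino",    "last_login": date(2014, 6, 30), "admin": True,  "role": "service"},
    {"name": "wilma",      "owner": "wilma",   "last_login": date(2014, 1, 15), "admin": False, "role": "finance"},
    {"name": "pebbles",    "owner": "pebbles", "last_login": None,              "admin": False, "role": "intern"},
]

ABANDONED_AFTER = timedelta(days=90)   # assumed policy threshold for idle accounts
ADMIN_ALLOWED_ROLES = {"sysadmin"}     # assumed: the only role that may hold superuser rights


def find_orphans(accounts, hr_active):
    """Accounts whose owner is not an active person in the HR roster."""
    return sorted(a["name"] for a in accounts if a["owner"] not in hr_active)


def find_abandoned(accounts, today, max_idle=ABANDONED_AFTER):
    """Accounts with no login within max_idle; never-used accounts count too."""
    stale = []
    for a in accounts:
        if a["last_login"] is None or today - a["last_login"] > max_idle:
            stale.append(a["name"])
    return sorted(stale)


def find_excess_admins(accounts, allowed_roles=ADMIN_ALLOWED_ROLES):
    """Superuser accounts whose role does not justify that level of privilege."""
    return sorted(a["name"] for a in accounts
                  if a["admin"] and a["role"] not in allowed_roles)


def hygiene_report(accounts, hr_active, today):
    """Bundle the three checks into one report keyed by finding type."""
    return {
        "orphan": find_orphans(accounts, hr_active),
        "abandoned": find_abandoned(accounts, today),
        "excess_admin": find_excess_admins(accounts),
    }


if __name__ == "__main__":
    report = hygiene_report(ACCOUNTS, HR_ACTIVE, date(2014, 7, 2))
    for finding, names in report.items():
        print(f"{finding:13s}: {', '.join(names) or '-'}")
```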
Monitoring and Detection: Cleaning your house (reducing the attack surface) is good, but you must also detect when a “spill” occurs. By monitoring and acting on anomalies, you start to reduce the window available for exploitation, which means keeping constant watch with identity and access intelligence or analytics.
To get the big picture of access across everything (from person to data) you’ll need to understand and analyze relationships between different objects and systems . . . but this quickly becomes millions and billions of relationships in the typical organization. As Mark Diodati of Ping Identity talked about in his “Modern Identity” presentation, the difficulty of managing identity and access increases with distance, which you can think of as “remoteness.”
The second challenge has to do with time, more specifically reaction time. Our ability to detect and react to a breach or vulnerability is moving slower than the adversary. Hence we have little (or no) time to act . . . we’re constantly “on our heels”.
Let’s look at a typical lifecycle with IAM. The frequency between “Assign” and “Review” may be months, quarters, or even longer:
Assign Access >> Time passes >> Things Change >> Review Access & Remediate
How do we increase the frequency of our detect/react cycle to better combat the adversary? By improving our capabilities around:
We need to continually analyze and understand the complexity and monitor. “Monitor” can be done on the order of hours or minutes . . . allowing the “Review” steps to happen much more quickly.
Assign Access >> Monitor as Time Passes & Things Change >> Review Access & Remediate
The Insider and Privilege Misuse section of the Verizon DBIR summarizes the discovery timeline (figure 38). Detection within days (34%) is good, but many took months (11%) or years (2%) to discover.
By applying Intelligence and Analytics, we can continually update and understand complexity, and then detect and act on things that we have been proactively looking for . . . increasing our speed and frequency. In addition, with all of the complex relationships analyzed and at hand, we’re free to slice, dice, drill down and apply forensics to identify the next/upcoming set of things to monitor . . . adding those into the category of complex items that we can:
Traditional approaches are an important part of providing security, speed, and value to the business . . . but we can do better. As CIOs and CISOs, we are in an arms race with the bad guys, and in some ways it’s an arms race to keep up with the complexity of the business’s environment. Through the application of Analytics and Intelligence along with other approaches, we can understand and manage complexity and act on it more quickly, mitigating breaches quickly or, even better, reducing risk and avoiding some of them altogether.
The headache of Sarbanes-Oxley (SOX) reporting requirements is just about to get easier for Old Republic National Title Insurance Company, since the title insurer selected Courion ComplianceCourier™ for its access certification solution.
The public company, which has more than 4,000 employees, must comply with Sarbanes-Oxley (SOX) reporting requirements. And not unlike many companies we speak with, the IT department was finding the challenge of answering “who has access to what” was absorbing too much manpower and time. The manual data process of gathering user access information and compiling it into spreadsheets was also vulnerable to error.
With ComplianceCourier, Old Republic will be able to centralize and automate the access control process, reducing the risk of unauthorized access. What’s more, the access certification solution will allow the company to audit existing access by user, application, administrator, group, or workstation and meet SOX compliance requirements more easily. The efficiency of IT operations will be improved and, as an added bonus, the Active Directory structure will be consolidated.
Your data is everywhere. And so are your applications. In the past, everything resided in the data center, but today they're stored in the cloud, by a partner (MSP), and even running on mobile devices.
Your customers, partners and employees are also everywhere. As a security professional, you need to ensure that the right people have access to the right data and are doing the right things with it. That's where Intelligent Identity Access Management comes in. But in the era of cloud-computing, who knows where the data physically resides? And with users and accounts spread around the globe, how can you ensure the data is being accessed by the right people, according to your policies? Again, that's where Intelligent Identity Access Management is crucial.
If your data were centrally located and accessed only by individuals and devices that you manage, traditional IAM solutions would work well. But that's probably not the case. You have data in internal and outsourced systems. Some of the outsourced systems may be wholly controlled by your contracts, while others may be shared among thousands of other organizations. And that data is being accessed by employees, partners and customers from their homes, phones and tablets, on planes, trains and automobiles.
From a security perspective, it's imperative to provision, govern and monitor information access wherever that information resides and however it's being accessed, whether those are physically in your IT environment or in the cloud. So what are your options?
Options for Provisioning, Governance and Monitoring in the Cloud
Two obvious questions are "where's my IAM solution?" and "where's my data?" After all, both must reside somewhere and be secured. If we constrain the answers to those questions to "on premise" or "in the cloud", we have four options.
1. Host internally, manage internal applications
Traditional IAM solutions reside on IT managed hardware within an enterprise. They're typically located in a server room where they can be physically controlled by IT. They are configured to manage applications that also reside on servers physically controlled by IT. This is a largely closed system, with the administrative control and the application resources both co-located within IT. It makes security simpler, but in the era of cloud computing, is becoming increasingly rare.
2. Host internally, manage internal and cloud-based applications
As enterprise applications have migrated outside of the data center, the need to manage those applications has fallen to traditional IAM solutions. IAM vendors like Courion have evolved their suites to natively connect to cloud-based systems from an on premise administration point. Existing "connector libraries" have been extended to include connectors to cloud-based systems. These new connectors sit side-by-side with existing on premise connectors and reach out to cloud applications.
This evolution has been largely seamless, as the same architecture used for managing internal resources has been applied to external, cloud-based resources. The protocols change, like using SOAP over HTTP rather than files over SMB, or RESTful web services rather than SOAP, but the architecture and techniques survived.
3. Host in the cloud, manage internal and cloud-based applications
Just as enterprise applications are now hosted in the cloud, there is increasing interest in hosting security systems in the cloud. This enables enterprises to focus on their core competencies rather than security management and identity management, while at the same time trading CapEx for OpEx.
Early experiments are promising, with IAM solutions providing tunneling capabilities from cloud-based infrastructure. Tunneling can be through VPNs, reverse proxies or dedicated appliances. Over time, this will likely become the preferred deployment option.
4. Host in the cloud; manage cloud-based applications
If an enterprise has no data in house, then a pure cloud-based solution is ideal. Operating on Office 365 + SalesForce + ADP, a cloud-based IAM solution can effectively provision and govern cloud-based applications. This scenario eliminates the complexity and cost of network tunneling solutions since everything is natively in the cloud. Here, the protocols are rapidly standardizing on RESTful web services, with common token-based security and federation. However, like the all-internal scenario, all-cloud environments are rare.
Hybrid – the viable solution
Of these options, only two are typically feasible, since most organizations have some data on premise and some in the cloud. There are exceptions, like a startup which is native-cloud or in certain government situations, but in general, a hybrid solution is required. Choosing between the 2nd and 3rd option described above, whether you host your IAM solution in the cloud or host it internally, comes down to a deployment choice.
Courion has customers who are doing each. Most run our IAM solution on premise, while some use deployment in the cloud. For cloud deployments, most choose private cloud infrastructure, while some go for public infrastructure. But the predominant approach, even in 2014, is to deploy on premise. This is chiefly because most data still resides locally, so most applications reside locally, tilting the equation to an internally hosted IAM solution. As more enterprise applications migrate to the cloud, the decision to host the Courion suite in the cloud will likely shift.
Unlike enterprise data however, people have already shifted to the cloud. Mobile devices, from phones to tablets, are the norm. Most organizations provide secure access to critical systems on a 7x24 basis, to individuals located on premise and on the go. So parts of your IAM infrastructure must be either in the cloud, or on the edge (DMZ).
Again, Courion solutions are well suited for this shift. The most common security transaction, other than login, is the humble Password Reset. This must be accessible from anywhere and must be very reliable. It's required from the road, at night, on weekends and 2 minutes before the big sales presentation. Courion customers have hosted their password reset infrastructure in the DMZ for exactly this purpose. In addition, the Courion suite is tooled with a clean interface so customers, partners and employees are met with a consumer-grade experience, accessible on their laptop, tablet or phone.
As your data and apps move to the cloud, so do your identity repositories and access control models, as mentioned earlier. Your IAM solution can span both, but it's still advantageous to consolidate identities and provide a more seamless and simple sign on experience for customers, partners and employees. Enter Ping Identity, another cloud app that integrates with Courion solutions. Just as we expanded to cloud apps as they entered the business, a strong partnership allows for seamless integration with Ping to offer federation and SSO capabilities.
Single Sign On (SSO) impacts the decision of where to deploy an IAM solution. While IAM can provision, govern and monitor access applications in cloud-based and on premise environments, SSO systems provide seamless application login and access to the user community. By coupling the flexibility of Courion's industry leading IAM solution with the SSO and federation capabilities of Ping, organizations can manage access across all of their applications. Because both products leverage a common structure with Active Directory, the result is great experience for the end user and a manageable system for IT.
As the computing world shifts to the cloud, with consumer-grade technology leading the enterprise, our customers, partners and employees expect great access to information. As security professionals, our job is to balance "great" access with "secure" access. We make choices every day in choosing the solutions we deploy and the infrastructure on which it resides. Courion is here to help.
In order to explain what makes Intelligent IAM intelligent, we must first discuss why IAM needs to be intelligent. Fundamentally, IAM is a resource allocation process that operates on the simple principle that people should only have access to the resources they need in order to do their job. So, basically, IAM is used to implement the Marxist philosophy, “to each according to need”. Therein lies one of the problems: without intelligence, IAM operations are inconsistent and can be easily corrupted, resulting in decreased efficiency of workers, increased risk to the corporation (more on that later) or both. The folks with the power have the ability to give some people (the privileged class, like their friends) more access than they need, while others (the exploited workers) may not have access to the resources they truly need, which leads to civil unrest and the potential collapse of corporate society as we know it.
However, given appropriate guidelines (rules) and sufficient information (knowledge), traditional IAM has evolved into an inherently intelligent process for managing resource allocation, such as Courion’s Intelligent IAM solution. On the front end, access requests are evaluated to see if they violate any business rules, such as, “If you aren’t in the Sales department, then you can’t have access to the company sales commission report.”
Such business rules, combined with knowledge about what access recipients request and what they should receive, make the access assignment process an intelligent activity, ensuring that people do or don’t get access to corporate resources as determined by their functional role or their operational needs. On the back end, the entire corporate environment is continuously monitored, looking for evidence of any business rule violations.
Today’s corporations are challenged by a complex, mobile and open society; problems don’t necessarily get introduced through the front door. Therefore, it’s critical to have an intelligent IAM system like Courion’s to both prevent problems from being created and to maintain a watchful eye and take immediate action, such as automatic notifications or even automatically disabling access or accounts should issues be discovered.
As an example, Courion’s solution can easily distinguish a company’s finance department server, which is obviously a far more sensitive resource, from a Marketing department’s color printer (unless you consider the price of replacement ink cartridges, and then it’s not so obvious). Consequently, Courion’s Intelligent IAM solution, based upon a number of criteria, can determine who should and shouldn’t have access to such sensitive resources. This scenario alludes to a fundamental concept that guides the Courion solution: the concept of risk as it pertains to the corporation. The system defines risk as a combination of likelihood, as in “OK, so what are the odds that will happen?”, and impact, as in, “So if it happens, how bad can it really be?” In general, a customer can configure the system to behave in accordance with their risk tolerance, which boils down to a basic question, “Just how lucky do you really feel?”
But it’s not just a pattern matching exercise based upon a bunch of If / Then conditions. Courion’s Intelligent IAM solution not only knows which resources are more sensitive than others, but it also automatically adjusts its knowledge and its perspective over time.
As an analogy, a key isn’t necessarily an inherently sensitive resource. The risk associated with giving someone that key depends upon a variety of dynamic variables, such as who is going to get the key, what other keys may be behind the door that this key unlocks, how many other people also have a copy of this key, and exactly who are they?
So, while it may have seemed like a good idea to give Fred a key to the supply room, a week later we now know that all of Fred’s buddies also have a key to the supply room. More specifically, we know that Fred’s good friend Barney just got access to an additional key that unlocks the back door of the supply room. Consequently, the risk that the company’s expensive monogrammed tissue paper goes missing from the supply room has increased dramatically.
It’s this broad contextual view across a dynamically evolving environment, coupled with the knowledge of what is and isn’t an acceptable level of risk, and the ability to adapt its perspective to changing conditions that makes Courion’s Intelligent IAM solution such a valuable tool for ensuring appropriate access to corporate resources, such as prized paper goods.
However, perhaps one of the more subtle benefits provided by Courion’s Intelligent IAM solution is that it takes the burden off of the IT folks who no longer have to justify to angry users why their request was denied. It now becomes a much easier conversation:
“I’m sorry. I like you, and I feel your pain. I want to give you access to the Executive rest room, but I just don’t have that kind of power. You see, we use Courion’s Intelligent IAM solution and it can distinguish between what you want and what you need. So, it knows that you want access to the executive rest room, but it also knows that you don’t really need access to the executive rest room. It’s not like the old days when I might be persuaded to give you what you want. Even if I could give you such access, the Courion solution is always watching and it’s configured to notify the entire executive team of rule violations, and not only that, it will automatically take away your access. It will simply lock the door. Therefore, continuing to try to open the door might be embarrassing, even for you. Why don’t you just use that nice restroom down the hall like the rest of us and then go back to your desk and listen to some music; I suggest a tune from The Rolling Stones: ‘You can't always get what you want, but if you try sometimes, you just might find, you get what you need.’”
I recently met with a Courion customer, one of the largest accountable care organizations in the US. This customer is based outside of Orlando, Florida, so naturally the topic of Disney came up. Over the past year Disney has figured out a way to use technology to distribute guests more evenly throughout the parks via their "Fastpass+" system. The end result is higher customer satisfaction by reducing wait times and increased revenue because now – you guessed it – vacationers can spend more time in the gift shops and restaurants.
Disney is able to accomplish this by setting up profiles that track your ride preferences in addition to your purchases. Vacationers can go through Disney's website portal, which is personalized based on their preferences, to make ride selections, dining reservations, and plans with others who also have profiles on the portal.
This was a massive investment and IT project for Disney. Naturally, it got me wondering, do they segregate this portal from their corporate networks? Are their employees also customers, and do they co-mingle their profiles? What about contractors they hire? Do they have access to the networks and are they constantly being monitored? Do they set up profiles on the portal as well? Remember that the Target data breach came about as a result of a third-party HVAC vendor’s access being compromised.
I then asked the Courion customer what he looks for in an identity and access intelligence system like Access Insight®. This is when the conversation got serious. He made it clear where Access Insight fits in.
"What if someone has what appears to be safe access, but they happen to be an expert programmer? Once they're in your system they may start to make some movement that would cause your security people to ask questions like, 'Why has a person who should only have certain access suddenly started asking for access here, here, and here?' Those are the types of movements that really are suspicious and in some of the security breaches we've read about, only after the fact they say, 'Oh wow, if we had seen how somebody started to move along the access chain quickly at two in the morning, we would've been able to call this out.'"
"That's what Access Insight does. It alerts that there is movement that should not be, and we have a team on call 24 x 7 to monitor for alerts like that. It helps us understand if the movement is a natural course of action or a natural workflow. Or is this something that we need to wake some people up right now and stop and then investigate in the morning? Access Insight affords us the opportunity to see that."
He also acknowledged that most companies have very intricate infrastructure systems, and their IT departments are very well-schooled in protecting their environment. They receive penetration challenges every single day and they swat them back quickly. But what differentiates Access Insight is that it sees someone who has been given permission to come in under the guise of a role that fits the job profile, but suddenly that person starts traversing the network because they have an extra skill or access that you don't know about. Access Insight keeps monitoring the people with permissions so that any activity that takes place outside the normal parameters you would expect to see sets off an alert for your security team to stop, investigate, and take action if necessary.
This is something all organizations, from our Orlando-based customer to Disney, need to consider as the news of insider threats continues to rise. Knowing how sensitive company information is being accessed, at what time and for what purpose is also key. Having this insight will ensure that insiders, nefarious or naïve, don't get a data breach fast pass.
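The kind of detection the customer describes above, as an added example that is not Access Insight or any Courion code: it parses a constructed access log, compares each user's accesses against a baseline of the resources they normally touch, and raises an alert when a user reaches several off-baseline resources within a short window, rating the alert higher when it happens outside business hours. The log format, user names, resources, baseline, window and thresholds are all assumptions.

```python
"""Detect rapid 'movement along the access chain' in an access log.

Added example; it is not Access Insight or any Courion code. A user who
touches several resources outside their normal baseline within a short
window is flagged, and a burst outside business hours (the "two in the
morning" case) is rated high. Log lines, baseline and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: resources each user normally touches, from history.
BASELINE = {
    "fred":   {"crm", "sales-share"},
    "barney": {"helpdesk-queue", "ticketing"},
}

# Constructed log lines in a simple "timestamp key=value ..." format.
LOG = """\
2014-06-16T09:12:03 user=fred action=access resource=crm
2014-06-16T09:40:51 user=fred action=access resource=sales-share
2014-06-16T02:01:10 user=barney action=access resource=helpdesk-queue
2014-06-16T02:04:45 user=barney action=access resource=hr-db
2014-06-16T02:09:02 user=barney action=access resource=finance-share
2014-06-16T02:15:30 user=barney action=access resource=payroll-export
2014-06-16T14:20:00 user=fred action=access resource=hr-db
"""

WINDOW = timedelta(minutes=30)   # assumed burst window
BURST_THRESHOLD = 3              # assumed: distinct off-baseline resources per window
BUSINESS_HOURS = range(7, 19)    # assumed: 07:00 to 18:59 is normal working time


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_bursts(events, baseline, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return one alert per user whose off-baseline accesses inside a sliding
    window reach the threshold; severity is 'high' if any event is off-hours."""
    off_baseline = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["resource"] not in baseline.get(e["user"], set()):
            off_baseline[e["user"]].append(e)

    alerts = []
    for user, evs in off_baseline.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            resources = sorted({e["resource"] for e in in_window})
            if len(resources) >= threshold:
                off_hours = any(e["ts"].hour not in BUSINESS_HOURS for e in in_window)
                alerts.append({
                    "user": user,
                    "start": first["ts"],
                    "resources": resources,
                    "severity": "high" if off_hours else "medium",
                })
                break  # one alert per user per run; a real system would dedupe by window
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_log(LOG), BASELINE):
        print(f"[{alert['severity']}] {alert['user']} from {alert['start']}: "
              f"{', '.join(alert['resources'])}")
```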
Last week Gartner held its 20th annual Security and Risk Management Summit in National Harbor, MD. Leading into GartnerSEC each year, the analysts have shared their key IT security trends and predictions which have been formalized as a series of "Gartner Predicts" statements. As you can guess, there has been a lot of change in these over the past 20 years. And, while there was more discussed than can reasonably be covered in this blog post, there was enough for me to say that by 2014 Kurt will have a 70% chance of writing a blog covering 30% of them. So here goes.
John Girard kicked things off with the opening keynote, saying, "Digital business will impact your professional life more than the emergence of the Internet." Bold statement; but I think he's right. He described the new business models arising from the blurring of digital and physical worlds and cited Lyft, Uber, Bitcoin and the Internet of Things (IoT) as a few examples. With more connected products, comes more connected risk. This led to the first Gartner Predicts unveiling which said, "By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk." Ouch! There was further discussion that the majority of security organizations are reactive and that more CISOs are focused on the events of today and the past while CEOs are looking to the events of tomorrow. This is a major cultural disconnect between business and security.
Gartner discussed this notion of digital risk management through the eyes of the CISO, CIO and CEO, but they didn’t stop there. There is a lot going on in digital business across multiple technology silos including traditional IT, OT (operational technology like SCADA), physical security (e.g. controls around driverless cars) and the Internet of Things. As a result, Paul Proctor called out the need for a new role, the Digital Risk Officer. Gartner Predicts that, "By 2017, 1/3 of large enterprises engaging in digital business will have a Digital Risk Officer or equivalent." This is not a new name for the CISO. Digital Risk Officers will manage the risk implications of digital innovation, especially around how it changes the risk appetite for key business stakeholders. This is all about "smart risk", balancing security and business opportunity.
Throughout the conference Gartner mentioned many IT security technology trends. Some of these, I think, are especially relevant to this theme of smart risk, which closely mirrors Courion’s discussion of intelligent IAM. One trend is around the need for big data security analytics. This is nothing new, as we've heard a lot about the need for broad continuous security monitoring. I would remind everyone that this goes beyond machine data and MUST incorporate identity and access data analytics. Big data is about the 3Vs: volume, velocity, and variety. All of the identities, policies, resources, access rights and entitlements, and user activity certainly meet this requirement.
Gartner also talked about the need for intelligent, context-aware security analytics. This was called out in another Gartner Predicts stating, "By 2020, 40% of enterprises will have a 'security data warehouse'." This security data warehouse must store and analyze data and incorporate context to assist in determining what is “normal” and identify variances from the norm. I argue that identity and access analytics are key components to this warehouse and an absolute must in any discussion of true context.
Furthering this point Gartner called out the IT security trend of adaptive access which is about context aware access control that balances trust and risk. It stresses that access must reflect the specific conditions around access. This not only helps to prevent threats but also enables the allowance of access that might previously have been blocked - access from a widening variety of devices and from social IDs accessing corporate assets in a way that understands the risk profile and applies access controls accordingly. This is about balancing that need of access with the risk.
I found these predictions and trends rather interesting given all that Courion has been discussing around the notion of intelligent IAM. There are many parallels where we have talked about how access is critical to the business. John Girard is right in that digital business could impact our professional lives in ways we have never seen before. But, digital innovation means nothing if the business is blocked from appropriate access. This must be balanced with the risk of providing access to so many users and devices, not only to ensure it meets regulatory requirements, but that it effectively assesses and manages the inherent vulnerabilities. This clearly forces us to change our thinking from traditional IAM of provisioning, authentication and periodic certification review to one that adds a thorough understanding of what is happening on a continuous basis with user (and device) access and what is going on with that access. This can’t wait for the annual certification review, now can it?
Paul Proctor discussed the fact that for years we've fallen into the trap of believing more funding and smarter people are the keys behind better security. It's more than that. It's about changing the culture from one of chasing compliance and reacting to every threat that occurred yesterday to taking a proactive approach to balance business and risk. Context is key. Identity and access are critical parts of that puzzle that cannot be overlooked. There are challenges ahead, and the emergence of true Digital Risk Officers aside, we need a smarter approach that is proactive rather than reactive.
Actually, they got my wife. On Father’s Day. Here’s how events unfolded:
Sunday June 15th, Morning of Father’s Day
The weather was perfect, my wife and kids made an amazing breakfast. Bacon, poached eggs, and vegan waffles. The vegan waffles were a touch hard, but my son is allergic to milk and eggs, so it was perfect that he could enjoy this breakfast with me. We even had a couple of Bloody Marys made with celery and bacon flavored vodka. All served outside on our deck in the sun.
After gorging on bacon and relaxing with my vodka and tomato concoction, I decided to take the kids for a walk to the traveling carnival that had set up at our local Elks. I had a coupon too, all you can ride for 20 bucks … kids loved this. I assure you the carnival ripped me off, but that was to be expected. $3.50 ATM convenience fee, $3.00 sodas and $8.00 for the large cotton candy that my kids split. I was feeling a bit robbed, but making my kids smile on Father’s Day just felt good.
Sunday June 15th, Evening of Father’s Day
After we got home and had some dinner, my wife ran some errands and I was reading bedtime stories (Book 5 of the “39 Clues” series “The Black Circle”) when my phone buzzed. It buzzed with my wife’s special pattern (iPhone’s “Heartbeat”) so I figured I’d check it out. The text was simple “hey babe, something’s up with the bank can you check the account?” I finished reading the chapter, gave a good night kiss and went right to work, pulling up our bank’s mobile app.
Having just been paid, I expected to have money in my account. But I didn’t. Instead, I had a large negative balance. According to the transaction record, someone had just bought something, or some set of things, from a Target in Ontario, Canada. Something else was going on, because that negative balance was far more than just that one transaction. That’s when I noticed there was a message on our home phone.
“Hi Jennifer this is Fraud Alert, we work with your bank, please call us as soon as you can at …” “OK,” I thought to myself, “this is not good.”
My wife, it turns out, had been denied a $2.94 iced coffee that evening because fraud alert had picked up some out-of-character large transactions on her debit card. As I write this, I have no idea how they got their hands on her card numbers. However, from Friday to Sunday someone in Ontario pretended to be my wife and went on a spending spree at Target, Walmart and a few other merchants. Moreover, we learned later, these thieves had access to her social security number and mother’s maiden name. They had used that information to attempt, after the fact, to let the bank know they were traveling to Canada and would be buying lots of stuff.
Why write about this on a blog about identity management? In addition to providing an effective method to teach my wife and children about the virtues of strong passwords and two-factor authentication, it all illustrates something quite striking about data breaches – they can destroy your brand.
Monday June 16th, the Aftermath
I’m sitting with the customer service representative at my bank. She’s very nice and does a great job talking me through the process, which is:
1. We fill out a form listing all fraudulent transactions
2. My wife needs to file a police report which I will return to the bank
3. I will get my money back provisionally, and the bank will “investigate”
Assuming they believe me, I get to keep my money. Otherwise, I don’t. I’m not worried because I know my wife was not in Ontario buying 90 inch plasmas from Target and Walmart on Father’s Day. She was with me, serving bacon and Bloodies, going on amusement rides and eating fried dough. But maybe I looked nervous because as I was leaving her office the bank rep said as an aside:
“Oh and don’t worry about the investigation because Target’s involved, you’ll be fine.”
Which made me think: “How long will ‘Target’ be synonymous with ‘identity theft’?” Once a trusted brand, now reduced to association with one of the most pervasive and personal crimes of our time. Of course, this is terrible for Target, particularly if my local banker casually reinforces the association every time someone is in her office reporting fraud. And that is going on at every bank in the country on a weekly, if not daily, basis.
So what can retailers, or other organizations do to avoid this fate? It’s quite simple really – remember the fraud alert phone call from earlier in this story? By noticing odd patterns in big data (like someone using the same card at a Dunkin’ Donuts in Massachusetts and a gas station in Ontario) the bank was able to shut down the card and prevent further loss.
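The bank’s check in the story is a classic impossible-travel rule: two card-present transactions whose distance and time gap imply a speed no traveler could reach. The following is an added illustration written for this post, not the bank’s or Courion’s code; the transactions, coordinates and the 300 km/h threshold are constructed assumptions.

```python
"""Impossible-travel detection over card transactions (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption for this example: faster than this between two card-present uses is implausible.
MAX_PLAUSIBLE_KMH = 300.0


@dataclass(frozen=True)
class Txn:
    card: str          # card identifier (constructed)
    ts: datetime       # time the merchant authorized the purchase
    merchant: str
    lat: float
    lon: float
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(earlier: Txn, later: Txn) -> float:
    """Speed the cardholder would have needed to be present at both transactions."""
    hours = (later.ts - earlier.ts).total_seconds() / 3600.0
    dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    if hours <= 0:
        # Simultaneous use at two different places is the most extreme case.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def impossible_travel(txns, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (card, earlier, later, speed_kmh) for each consecutive pair on a card
    whose implied speed exceeds max_kmh. Pairs are formed per card in time order."""
    by_card = {}
    for t in txns:
        by_card.setdefault(t.card, []).append(t)
    alerts = []
    for card, rows in by_card.items():
        rows.sort(key=lambda t: t.ts)
        for prev, cur in zip(rows, rows[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                alerts.append((card, prev, cur, speed))
    return alerts


# Constructed sample: one card used in Massachusetts and then in Ontario 95 minutes
# later (the pattern described in the post), one card used twice around Boston.
SAMPLE_TXNS = [
    Txn("card-A", datetime(2014, 6, 13, 8, 5), "Dunkin' Donuts, Worcester MA", 42.26, -71.80, 2.94),
    Txn("card-A", datetime(2014, 6, 13, 9, 40), "Gas station, Mississauga ON", 43.59, -79.64, 61.20),
    Txn("card-B", datetime(2014, 6, 13, 12, 0), "Cafe, Boston MA", 42.36, -71.06, 8.50),
    Txn("card-B", datetime(2014, 6, 13, 13, 0), "Grocery, Cambridge MA", 42.37, -71.11, 44.10),
]


def sample_alerts():
    return impossible_travel(SAMPLE_TXNS)


if __name__ == "__main__":
    for card, a, b, speed in sample_alerts():
        print(f"{card}: {a.merchant} -> {b.merchant} implies {speed:.0f} km/h; block card")
```

Only card-A is flagged: roughly 650 km in 95 minutes implies over 400 km/h, while card-B’s two Boston-area purchases imply a walking pace. A production rule would add a tolerance for clock skew and for card-not-present (online) purchases, which carry no meaningful location.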
Technologies are now emerging, like Courion’s Access Insight, which can do the same thing with the big data generated by identity systems. With Access Insight, odd patterns of behavior, violations of policy, unused accounts, or privilege escalation can be found in near real time and risky access can be shut down before data (like my wife’s social security number) leaves your building.
That would be almost as perfect as bacon on Father’s day.
For more information on what to do when your identity is stolen, and also to learn what I’ve been up to this week, check out the Federal Trade Commission’s resource here.
Americans have come to expect their Presidents to clearly and concisely communicate the principles by which the government will defend the country and exercise power across the globe. Recently, President Obama addressed the commencement crowd at West Point and shared his vision for how the United States and the U.S. Military should lead in the future. His speech included some strong parallels to the challenges which a Chief Information Security Officer and security staff face every day.
President Obama stated that “ . . . just because we have the best hammer, does not mean that every problem is a nail.” That resonates strongly in our world. With business staff aggressively driving information and processing access out to all stakeholders, the environment is rapidly growing more complex. Correspondingly, one security solution does not eliminate all threats, identify all vulnerabilities, or secure all critical assets. This is something that our industry’s sales people – as well as practitioners – should keep in mind.
The President moved on from this statement to share his central message: that the United States should be careful to apply its power to only the most critical national security interests to avoid excess cost in lives and money. Regardless of whether each of us agrees with President Obama’s conclusion of what this means in terms of deploying troops and engaging adversaries, it is hard to disagree with the premise of prioritization: deliver the most effective and efficient use of resources as possible to manage the most critical interests.
But how can you be discriminating in where you apply resources? How do governments try to achieve this? They gather intelligence and evaluate the risks to their national security based on insight gleaned from this intelligence. Long ago, American defense doctrine conceded that it could not provide 100% security. Even if it were achievable, the United States would go bankrupt if it attempted to eliminate all risks. So how do you know which national interests are critical? By understanding what risks they pose.
Is there a parallel in your world of information security? Have you clearly communicated to your business executives and Board of Directors how you have prioritized risk and as a result how you propose to protect your organization’s interests?
Traditionally, organizations have moved from one point solution to the next based on today’s audit requirements or as a reaction to the most recently publicized breach. How often do vendors ask customers, “Why are you now able to get funding?” only to hear that there was a failed audit? Just last week, a senior information security executive at one of our retail customers told us that the Target breach created an ideal opportunity for him to make the case for investment in identity and access management at his company.
Unfortunately, the solutions provided by vendors have been hammers rather than scalpels: scan all file servers for protected health information, eliminate all orphan accounts, filter all network traffic. Costly, and not feasible.
CISOs need to take a leaf out of the National Security playbook. Recognize that breaches will happen, sensitive information will leak – nothing can be 100% secure. Communicate your Defense Doctrine to your executives and Board of Directors. And deploy intelligence to understand the risk to your organizations – to focus preventative and remediation solutions on a prioritized list of the most important areas of your complex information and access infrastructure . . . the areas in which the risk is greatest.
Courion is partnering with leading CISOs to achieve this today.
We are very proud to be a pioneer in the use of big data and business intelligence technologies to enable businesses and their IT organizations to look through the ever-growing complexity of their access infrastructure to understand the risk related to people, assets and access. We have delivered the industry’s leading Identity and Access Intelligence solution to identify and understand hidden identity and access-related risk, and have embedded our Access Intelligence Engine in our Governance and Provisioning solutions. We are dedicated to helping our customers use Intelligence to focus their efforts on the most important areas of risk to their organization, make better decisions in real-time about who should access what, and enable IAM to take its proper position in the effort to prevent, detect and respond to on-line threats.
Winston Churchill was known as a leader of ‘deliberate conduct.’ He would often attach a bright red sticker emblazoned with the words “Action This Day” to his memos to prioritize and make clear to his subordinates that he expected specific action that day.
For those who care about identity and access within their organizations, how do you view your daily responsibilities? Do you see your job as a short term, tactical set of tasks? Or do you have a long term and strategic view that will not only reduce business risk and improve operating performance, but also allow you to tell a story to C-level executives or even a board of directors, so they can see how your actions are crucial to reducing risk and protecting the brand?
In other words, are you ready to take “Action This Day” to raise the profile of your job responsibilities? What if you had a way to present your plan for career growth in the context of identity and access management?
Provisioning is often viewed as a short-term tactical function. It’s a daily process to efficiently add users and give them access to the applications they need to perform their jobs when they first join your company, and to quickly delete them when they leave your organization. A great place to start.
Governance (or attestation) requires a medium-term view, as it introduces automation and efficiencies to streamline the annual or semi-annual audits that many of us find so disruptive. This too is still a largely tactical function.
Courion’s Identity and Access Intelligence solution, Access Insight, gives organizations the ability to address long term strategic organizational needs. It does this by flagging policy violations at the time of provisioning. It conducts ongoing micro-certifications that flag compliance violations that occur between when users are provisioned and when the next audit is conducted so those audits are streamlined and can be completed more quickly with fewer disruptions. In short, Access Insight gives you the ability to:
- Find elevated privileges that were previously unknown
- Uncover administrator accounts that had been created but never used
- Identify abandoned contractor accounts that need to be terminated
- Find terminated employee accounts that need to be de-provisioned
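The four checks listed above (and the unused-account and privilege-escalation patterns mentioned in the Father’s Day post) all reduce to joining account data against the HR record of the account’s owner. The following is an added example, not Access Insight’s or Courion’s code; the role baselines, the 90-day dormancy window, and every person and account in it are constructed assumptions.

```python
"""Identity analytics over constructed account and HR records: flags the four
conditions named in the list above. Added example, not product code."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: the set of entitlements each job role is expected to hold.
ROLE_BASELINE = {
    "analyst": {"read_reports"},
    "dba": {"read_reports", "db_admin"},
}
# Assumption: entitlements considered administrative.
ADMIN_PRIVS = {"db_admin", "domain_admin"}
DORMANT_DAYS = 90


@dataclass(frozen=True)
class Account:
    name: str
    owner: str               # HR person id, or an id HR no longer knows
    privileges: frozenset
    created: date
    last_login: Optional[date]


@dataclass(frozen=True)
class Person:
    id: str
    status: str              # "active", "terminated" or "contractor"
    role: str
    contract_end: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    kind: str
    account: str
    detail: str = ""


def assess(accounts, people, today: date, dormant_days: int = DORMANT_DAYS):
    """Join each account to its HR owner and emit one Finding per violated check."""
    hr = {p.id: p for p in people}
    findings = []
    for acct in accounts:
        person = hr.get(acct.owner)
        # Check 4: owner terminated (or unknown to HR): the account should be de-provisioned.
        if person is None or person.status == "terminated":
            findings.append(Finding("terminated_owner", acct.name, acct.owner))
            continue
        # Check 3: contractor whose engagement has ended but whose account still exists.
        if person.status == "contractor" and person.contract_end and person.contract_end < today:
            findings.append(Finding("expired_contractor", acct.name, str(person.contract_end)))
        # Check 1: entitlements beyond what the owner's role is expected to hold.
        extra = acct.privileges - ROLE_BASELINE.get(person.role, set())
        if extra:
            findings.append(Finding("elevated_privilege", acct.name, ",".join(sorted(extra))))
        # Check 2: administrative account created long ago and never logged into.
        if (acct.privileges & ADMIN_PRIVS and acct.last_login is None
                and (today - acct.created).days > dormant_days):
            findings.append(Finding("unused_admin", acct.name, f"created {acct.created}"))
    return findings


# Constructed sample data.
PEOPLE = [
    Person("p1", "active", "analyst"),
    Person("p2", "active", "dba"),
    Person("p3", "contractor", "analyst", contract_end=date(2014, 3, 31)),
    Person("p4", "terminated", "analyst"),
    Person("p5", "active", "analyst"),
]
ACCOUNTS = [
    Account("asmith", "p1", frozenset({"read_reports"}), date(2013, 2, 1), date(2014, 6, 30)),
    Account("bjones-adm", "p2", frozenset({"read_reports", "db_admin"}), date(2014, 1, 15), None),
    Account("cwu", "p3", frozenset({"read_reports"}), date(2013, 9, 1), date(2014, 6, 20)),
    Account("dlee", "p4", frozenset({"read_reports"}), date(2012, 5, 1), date(2014, 5, 2)),
    Account("ejohnson", "p5", frozenset({"read_reports", "domain_admin"}), date(2012, 8, 1), date(2014, 6, 29)),
]


def sample_findings(today: date = date(2014, 7, 1)):
    return assess(ACCOUNTS, PEOPLE, today)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:20} {f.account:12} {f.detail}")
```

Running it against the sample yields one finding per check: bjones-adm is an administrative account never used since January, cwu belongs to a contractor whose engagement ended in March, dlee’s owner has been terminated, and ejohnson holds domain_admin although an analyst’s baseline does not include it. A clean account like asmith produces nothing, which is the point of a micro-certification: only the exceptions reach the reviewer.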
Imagine stepping into your CEO or COO’s office and explaining, with accompanying visuals, the risk you reduced for the company along with your plan to maintain compliance for the company on an ongoing basis. Who do you suppose will get tapped for the next promotion within your organization?
Courion also offers an Access Risk Assessment, a point-in-time snapshot or health check that uses Access Insight as a service offering.
The Access Risk Assessment can be used as a communications tool with C-level executives to explain why an investment in Identity and Access Intelligence, also known as Identity Analytics, will reduce your risk and improve your department’s day-to-day operating efficiency when it comes to provisioning and governance tasks.
So are you ready to change the conversation from the tactical short term to the long term strategic? Take a lesson from Churchill and take “Action This Day.”