Cloud Compliance Blog


User Activity Monitoring


In my previous post I wrote about a Gartner recommendation that organizations implement user activity monitoring as part of a strategy to manage external and internal threats, and for regulatory compliance. Gartner suggests integrating Identity and Access Management (IAM) capabilities with a SIEM system to achieve user activity monitoring, but other approaches work as well if not better.

Why is user activity monitoring needed? Since all major regulatory frameworks -- including SOX, PCI DSS, GLBA, and HIPAA -- require least privilege access controls, thousands of companies are obligated to prevent excessive access rights and yet, according to Deloitte, have failed to adequately do so. The reason this is a hard problem has to do with the dynamic nature of the enterprise, especially in an economic downturn -- with layoffs, restructurings, aggressive use of contractors and other service providers, along with the need for federated identity and access management as enterprises collaborate.

Conventional wisdom holds that the best practice for resolving this issue is to adopt an IAM system with role-based access control (RBAC) capabilities. Unfortunately, such systems provide no user activity monitoring or other assessment mechanisms and as a result are notoriously ineffective. While these systems ensure that only authorized users may log in to critical resources, they fail to consistently determine which users should be authorized to access those resources. As a result, as reported by a Dartmouth field study and by IDC, over-entitlement is the norm. In many organizations over 50% of access rights are dormant, representing a huge security vulnerability as well as a significant compliance exposure.

This is where user activity monitoring comes in. Organizations can assess user privileges, or entitlements, through user activity monitoring in order to identify excess entitlements. That few organizations do so is indicated by the high rate of audit findings for such access controls. Two additional methods of implementing user activity monitoring, besides the SIEM+IAM integration suggested by Gartner, are network-based activity monitoring and log-based activity monitoring.

Many organizations collect NetFlow data for IP traffic analysis reasons, and analyze this data for user activity monitoring. While NetFlow shows source and destination IP address and port number, it doesn't show authenticated user names nor application names (applications can in many cases be deduced with destination IP address and port number, but it's practically impossible to link source IP address to user names). NetFlow is therefore inadequate in most cases for tracking user access to audited applications.

Some organizations have adopted a network-based user activity monitoring system which goes beyond NetFlow to record, not just source and destination IP addresses, but authenticated user names and which application was accessed. While far superior to a NetFlow-only approach, network based activity monitoring has several challenges:

  • Span port scarcity - span ports are used for a variety of applications, and without a network monitoring system such as one from Gigamon span port availability could be a constraint;
  • Span port data loss - most switches are vulnerable to packet loss on their span ports during peak traffic bursts. Even a data loss rate of under 1% can render such a solution inadequate for forensic purposes;
  • Application-side scalability - network activity monitoring requires a probe on every ingress span into the application infrastructure;
  • User-side scalability - a probe must be placed in every subnet with its own AD or other authorization system, which can make for a very expensive deployment in a distributed environment or one with many remote offices;
  • Encryption - as the percentage of encrypted sessions inside the data center increases, it leaves a larger blind spot for network-based approaches;
  • Technical challenges with today's DPI silicon in monitoring 10G links - the latest generation network processor with DPI capabilities can monitor 4-5 Gbps, far short of the 20 Gbps required for full-duplex traffic monitoring of a 10G link; and
  • No visibility to access from behind the monitored span port - network activity monitoring is blind to local access, e.g. from the application server's console port. It also can't see application-to-application access.

Despite these challenges, enterprises are deploying network-based access activity monitoring systems because they otherwise do not have effective solutions for preventing excessive access rights.

An alternate approach to network-based access activity monitoring is log-based user activity monitoring, which does not suffer from the limitations and constraints listed above. Cloud Compliance, for example, reads log files for audited applications in order to prevent excessive access rights and other access audit violations. The log-based approach precludes the need for hardware to be deployed, is scalable, detects 100% of access activity (regardless of encryption, 10G links, and source of access) and, when deployed as a SaaS solution, eliminates the need for installation, software maintenance, and a large upfront capital outlay.
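As an added example (not Cloud Compliance's code), the core of a log-based entitlement review: an entitlement roster is compared against authenticated application access logs, and any right not exercised inside the review window is flagged as dormant, then summarised by application or business unit. The roster, the log format and the 90-day window are constructed assumptions for illustration.

```python
"""Flag entitlements with no successful access in a review window,
then report the dormant rate per application or business unit.
Added example; roster, log format and window are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement roster: (user, application, business_unit).
ROSTER = [
    ("alice", "payroll", "finance"),
    ("bob",   "payroll", "finance"),
    ("carol", "payroll", "finance"),
    ("dave",  "crm",     "sales"),
    ("erin",  "crm",     "sales"),
]

# Constructed application access log: "ISO-timestamp user app result".
# Authenticated user and application names are exactly what NetFlow lacks.
ACCESS_LOG = """\
2009-03-01T09:12:03 alice payroll SUCCESS
2009-04-15T14:02:41 alice payroll SUCCESS
2009-05-20T08:45:10 dave crm SUCCESS
2009-01-10T11:00:00 carol payroll SUCCESS
2009-05-22T16:30:00 erin crm FAILURE
"""

def parse_log(text):
    """Yield (timestamp, user, app) for successful accesses only."""
    for line in text.splitlines():
        ts, user, app, result = line.split()
        if result == "SUCCESS":
            yield datetime.fromisoformat(ts), user, app

def dormant_entitlements(roster, log_text, as_of, window_days=90):
    """Return roster entries not exercised in the window ending at as_of (ISO date)."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=window_days)
    exercised = {(u, a) for ts, u, a in parse_log(log_text) if ts >= cutoff}
    return [(u, a, bu) for u, a, bu in roster if (u, a) not in exercised]

def dormant_rate_by(dormant, roster, key_index):
    """Fraction of entitlements dormant, grouped by column key_index (1=app, 2=BU)."""
    total, idle = defaultdict(int), defaultdict(int)
    for row in roster:
        total[row[key_index]] += 1
    for row in dormant:
        idle[row[key_index]] += 1
    return {k: idle[k] / total[k] for k in total}

if __name__ == "__main__":
    dormant = dormant_entitlements(ROSTER, ACCESS_LOG, "2009-06-01")
    print("dormant entitlements:", dormant)
    print("dormant rate by business unit:", dormant_rate_by(dormant, ROSTER, 2))
```

Note that a failed login attempt (erin) does not count as exercising the right, and that a user with no log lines at all (bob) is the case a manager's rubber-stamp review is most likely to miss.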


SIEM + IAM = User Activity Monitoring


Gartner, in a report entitled SIEM and IAM Technology Integration, points out that integration of identity and access management (IAM) and security information and event management (SIEM) technologies can provide audit capabilities that are much stronger than what IAM alone can deliver. In short, they're saying that SIEM + IAM = user activity monitoring, and that user activity monitoring is important for both threat management and compliance management.

The top Gartner recommendation in the report is to:

Implement user activity monitoring as part of a strategy to manage external and internal threats and for regulatory compliance.

The report concludes by discussing SIEM customization requirements for integrating with any IAM system.

To summarize the thrust of the report: After collectively spending billions of dollars on SIEM and IAM systems, enterprises are now encouraged to invest further in the integration of these two expensive and complex technologies in order to achieve user activity monitoring. A fancy graphic is included in the report that shows the intersection of change management, activity management, and identity management; the title of the figure is “Moving From Activity Monitoring to Exception Monitoring.”

Of course we want all of our systems to highlight exceptions rather than simply report on activity, and of course we need to understand exceptions in terms of user activity monitoring if we are to eliminate serious vulnerabilities while reducing the top source of audit findings. But do we need to break the bank in order to detect excessive access rights, dormant accounts and other insider risks? Not if we employ an Identity and Access Assessment solution.

Think about it. An enterprise could pay 6 or 7 figures for a SIEM, another 6 or 7 figures for a complete set of IAM technologies, and, if they dare, another 5 or 6 figures for the customization required to integrate the two as Gartner (and their report sponsor) suggest. Of course an enterprise may already have SIEM and IAM systems in place, but customizing SIEMs for purposes of a serious integration project is not for the faint of heart. A better approach for most enterprises would be to pay 4 or 5 figures per year for a SaaS-based Identity and Access Assessment solution to address user activity monitoring exceptions that we all agree are critical to resolve.

Reducing access control vulnerabilities and excess entitlements is a critical aspect of an overall security and compliance strategy. Cloud Compliance is developing an Identity and Access Control (IdAA) solution to address key challenges with IAM processes, especially in the area of user activity monitoring. We identify users who have rights they no longer need, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.


The Four Key Challenges of IAM


I recently ran across an article by Paul Smocer of BITS entitled "The Future of Banking Enterprise Access Management & Authentication" in Security Strategies in which he discusses the four component areas of IAM, and the challenges facing each. Smocer defines the four aspects of IAM as follows:

  • Enrollment/Identification -- Assigning a "persona" to employees
  • Authentication -- Validating the employee is legitimate
  • Provisioning -- Assigning and rescinding "rights" to an employee
  • Review/Monitoring -- Ongoing and periodic validation of users and their rights.

Enrollment/Identification. The largest challenge here is establishing and maintaining a common set of user IDs across disparate systems. In general, the more legacy systems, the larger the challenge. And the challenge grows to the extent the organization has a higher rate of "joiners" and "leavers".

Authentication. The challenges in authentication simply have to do with the diversity of authentication methodologies and structures, which imposes additional resource requirements to manage.

Provisioning. The act of provisioning rights to users to allow access to specific systems' functions seems straightforward enough. The focus in most organizations is on the speed with which rights (also called privileges, or entitlements) can be assigned. Delays impact productivity! But as Smocer points out, deprovisioning rights also presents a challenge:

"An employee who has rights he or she no longer needs presents a threat in terms of data exposure, data loss or fraud."

Some organizations have begun to move to role-based access control (RBAC) processes, but they only work well where the environment is static or large groups have common access requirements. And for dynamic organizations?

"Where there is a diversity of roles and/or a diversity of access requirements, [RBAC] processes often fall short."

So, failure to deprovision rights can present a threat, but the recommended RBAC processes to manage this risk aren't effective where there is a diversity of roles and/or of access requirements. How, then, should such an organization deal with the provisioning challenge? The article doesn't say. But we do know one thing: this must be happening at a large number of organizations, because excessive access rights have been the top audit finding for each of the past two years.

Review/Monitoring. A key challenge in this area is that many provisioning systems require the line of business manager to validate the accuracy of entitlements. This is often a low priority for a busy business manager, who often makes the issue go away by rubber-stamping the current entitlement assignments. Another problem with relying on the user's manager to provision and deprovision rights is that, as reported by Dartmouth researchers, many enterprises have adopted a matrix organizational structure where there is no single manager to assess entitlement requirements and integrity. Better review and monitoring of entitlements is clearly required, given the known deficiencies of the provisioning processes and underscored by the high rate of audit findings.

What can be done? Cloud Compliance is developing an Identity and Access Control (IdAA) solution to address key challenges with IAM processes, especially in the areas of provisioning and review/monitoring. We identify users who have rights they no longer need, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

