Cloud Compliance Blog


Identity and Access Assessment (IdAA)


Ronald Reagan famously said "Trust, but verify". He could very well have been talking about entitlement management systems, which manage authorization to critical applications and other IT resources. Such systems are trusted to maintain control over entitlements (also called privileges or access rights). However, the systems themselves rarely have verification or assessment capabilities. This may be adequate for smaller organizations or enterprises where roles change infrequently. But the dynamic nature of most enterprises -- with layoffs, restructurings, aggressive use of contractors and other service providers -- makes assessment not only prudent, but necessary to ensure effective access controls and audit compliance.

Entitlements

Deloitte, in The 6th Annual Global Security Survey, reports that excessive entitlements, also known as excessive access rights, was the top audit finding over the past year -- for the second year in a row! In other words, a fundamental access control that represents a compliance exposure and security vulnerability was the top audit finding in 2007 and, despite all the attention that garnered, was also the top audit finding in 2008 (the latest year for which survey data exist).

Since all major regulatory frameworks, including SOX, PCI DSS, GLBA, NERC and HIPAA, require access controls, many thousands of companies are obligated to prevent excessive access rights and yet, according to the Deloitte survey, have failed to effectively do so.

Not only is excessive access rights the top audit finding, but IDC states that such vulnerabilities result in major financial exposure -- and that up to 60% of rights on most systems are expired and therefore dormant. The problem is that IT and security staff at most companies don't know that dormant accounts exist -- or more precisely, they suspect they exist but don't know how to find or remediate them.

Why is this a hard problem to solve?

Access Controls in the Real World

A paper written by a team at Dartmouth describes observations from field study research of both retail and investment banks. The study was more in-depth than most surveys we hear about; for example, the study team was embedded for three weeks in the security group of an investment bank. The report focuses primarily on internal access controls and the risks of over-entitlement, and directly addresses the challenge of effectively managing access controls.

What they found was that the frequent shifting of staff from one department or role to another often results in users accumulating entitlements over time. Part of the problem is this: Entitlement management systems assume that an employee's direct supervisor can make informed decisions about what entitlements are required to do their job. But as the Dartmouth team points out:

"As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access."

This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1:

Figure 1: Privileging in traditional hierarchical corporate structures (left) vs. in dynamic, "matrixed" organizations (right). An arrow represents a supervising relationship (directed graph). Note that on the left, each person has exactly one direct supervisor, whereas on the right, each may have two or more.

 

And even if the corporate structure and reporting relationship is clear in all cases, the degree of scale and complexity makes entitlement management a big problem as shown in Figure 2: 

Figure 2: Complexity and dynamicism in entitlement systems. The number of applications, entitlements and users make it a large-scale problem, and the number of daily modifications makes it a fast-moving target.

 

The biggest challenge isn't the massive number of entitlements and users, however, but the highly dynamic nature of employees and organizational structure within the firm.

Conventional wisdom holds that role-based access control (RBAC) systems are the answer. By allowing organizations to segregate the massive numbers of employees and entitlements into work groups, RBAC systems make the entitlement management process more effective. But the size, complexity and dynamic nature of many large enterprises make role-based access control challenging, to say the least. Quoting from the Dartmouth study:

"At one very large retail bank that we interviewed, the CISO had recently completed an RBAC project creating 11,000 roles across the firm to control access to nearly 22,000 applications. Developing the roles took a team two years and the ongoing review process was expected to be significant."

In the real world, access rights are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometimes undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business (LOB) staff, and IT exacerbate the problem.

Managing Entitlements

Andrew Jaquith, an analyst at Forrester, in his book Security Metrics states:

"Today's information security battleground is all about entitlements -- who's got them, whether they were granted properly, and how to enforce them."

Companies large and small employ different approaches to entitlement management, with equal lack of success. Mostly, they do manual reviews of entitlements prior to audits by going through HR records, reviewing application logs, and interviewing LOB managers -- a process inevitably referred to as a fire drill. Other approaches to entitlement management include development of custom reports for SIEM and log management systems, network-based user activity monitoring, and RBAC systems.

The management challenge is to determine what's a reasonable target level of excessive access rights in terms of percentage of overall rights granted, and then ensure that solutions are in place to consistently keep actual excessive access rights at or below the target. It's more expensive to establish an excessive access rights target of 2% than of 4%, for example. Therefore, management must determine what level constitutes "enough" security, doesn't break the budget or put an undue burden on IT or line-of-business staff, and yet meets the compliance requirements as measured by auditors. What auditors are looking for is a sustainable, measurable process that demonstrates visibility (can the company detect when and where it has excessive access rights?) and the ability to remediate problems when they occur (can the company eliminate excessive access rights within a reasonable amount of time from their detection?).

Top Audit Findings

As the Deloitte survey reports, current approaches have failed to achieve the desired and necessary level of compliance -- not just for excessive access rights, but for access controls in general.

Figure 3: Top internal and external findings for 2007 and 2008, ranked by percentage of respondents citing findings in each category, taken from the Deloitte survey.

 

Here's an explanation of each of the findings:

Excessive access rights. Note that despite the improvement from 2007, excessive access rights remained the top audit finding in 2008 as noted above. Part of the reason that excessive access rights has been the top finding for the past two years is that auditors have raised the standard, from evidence of the existence of a process to evidence that the process is effective.

Segregation of duties. Segregation of duties, also referred to as separation of duties and abbreviated SoD, is one of the most fundamental concepts of security and control, and also one of the most difficult to achieve.

Access control compliance with procedures. This audit issue is closely related to excessive access rights; access control is required to prevent users without appropriate rights from accessing audited resources.

Lack of audit trails/logging, lack of documentation of controls, and lack of review of audit trails. These three top findings are grouped together because they represent the facet of access audit where technology and process come together. Application logs, which represent the most effective way to determine user access activity, are an essential tool for ensuring that access controls are compliant. And reports that list who has access to what, along with who should have access to what, become critical components of how access controls are documented.

Excessive developers' access to production systems and data. This audit finding is challenging to address, because it's unrealistic in most operating environments to completely block developers from accessing production systems for troubleshooting and critical maintenance operations. The objective, then, is not to prevent such access but to note when it's risen to an "excessive" level.

Lack of clean-up of access rules following a transfer or termination. Few if any organizations effectively manage rights and access rules in a real-world environment with re-orgs, restructurings, layoffs, role re-definitions and transfers -- especially transfers, because a transfer is not a discrete event so much as a process in which an employee has overlapping responsibilities between the new job and the old job, and therefore must maintain access rights for both jobs.

It's clear from the Deloitte survey that access controls are problematic. While organizations are reasonably effective in ensuring that only authorized users may log in to critical resources, they fail to consistently determine which users should be authorized to access those resources. Meanwhile, auditors have learned where to look in order to find users with excessive access rights and other access control violations; hence, an increasingly high rate of audit findings.

Is Perfect Access Control Possible?

The well-known security guru, Bruce Schneier, in a recent article entitled Is Perfect Access Control Possible?, discusses many of these same points and concludes:

"In the end, a perfect access control system just isn't possible; organizations are simply too chaotic for it to work."

Schneier refers to the Dartmouth study's finding that 50-90% of users are over-entitled in large organizations. Over-entitlement leads to risk, and therefore attracts the attention of auditors as explained in the Dartmouth study:

"It may not seem problematic for employees to have access to systems they never use or are unaware of. However, such access introduces risk. The root of the problem is that unnecessary or uncontrolled access can lead to unintended data editing, accidental disclosure, or internal misuse. That is why Sarbanes-Oxley auditors will flag unnecessary access as a weakness."

Auditors have learned in recent years how to find and flag excessive access rights, which is the top cause of audit findings. And not only is audit compliance an issue but, as noted above in the IDC report, excess entitlements represent a huge financial liability. Thus, imperfect access controls represent a security vulnerability, a financial liability, and a compliance exposure. Despite these compelling motivations, we find from research by Deloitte, IDC, Forrester, Dartmouth and Bruce Schneier that present-day access controls are largely ineffective, especially in highly dynamic organizations.

What does the future hold for access control? New technologies are on the horizon that, by taking an approach referred to as Identity and Access Assessment (IdAA), enable visibility into the effectiveness of access controls. Such solutions perform data mining to analyze access activity over time and thus identify access control issues for remediation.

Cloud Compliance

Cloud Compliance is developing an IdAA solution to improve the efficacy of compliance solutions and reduce the cost of achieving compliance. We combine the economies of cloud computing with fundamental performance management principles to provide easy, low cost analysis of access rights to prevent audit findings and ensure access control compliance with regulations such as SOX, GLBA, PCI DSS, HIPAA and NERC. Our solution enables customers to identify access audit deficiencies before auditors arrive, and without manual process costs that otherwise dominate. 

Here's how it works: Cloud Compliance employs SaaS-based data mining analytics that examines users' access activity to identify and report on excessive access rights and other access controls. The Cloud Compliance solution can assess your organization's identity and access controls in five simple steps:

1. Point your browser to the Cloud Compliance SaaS site.

2. Using Cloud Compliance's automatic wizard, select which resources and applications you wish to assess. This is a matter of identifying the SSO system, SIEM, MSSP (if you have a log retention service), or the targeted application servers' log files and entitlements data.

3. Upload entitlements info and log data to the Cloud Compliance SaaS site.

4. Review the graphical analytics to determine performance versus benchmarks, and to remediate any policy violations.

5. Repeat steps 3 and 4 periodically. The amount of time between assessments represents the maximum lag time between when a violation occurs and when it's identified.

It's that easy!

Our innovative ability to measure, report and ultimately remediate potential audit findings enables our customers to resolve compliance problems prior to an audit. In addition, Cloud Compliance's graphical analytics highlight trends and identify root causes to compliance issues, by audited application, or by business unit, providing valuable insight into potential security vulnerabilities. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

For further information, see the Cloud Compliance use case demo at http://www.cloud-compliance.com/product/demo/.

Cloud Compliance Security

As with all cloud-based services, security can be a concern. That's especially true for services that address compliance issues and access vulnerabilities. Cloud Compliance employs the Amazon EC2 (Elastic Compute Cloud) service which has extensive and comprehensive physical and logical controls, including:

  • State of the art intrusion detection systems
  • Authorized staff must pass two-factor authentication at least twice
  • Immediate deprovisioning of admin access when there is no longer a business need
  • Extensive background check of staff with potential access to customer data
  • All admin access logged and audited
  • Network security: DDoS and MITM protection, and firewall
  • Firewall requires customer's X.509 certificate and key to authorize changes
  • API calls to launch and terminate instances and perform other functions require X.509 certificate
  • S3 (storage) read permissions controlled by ACL
  • S3 authentication using HMAC-SHA1 signatures
  • Storage device decommission based on NIST 800-88 (media sanitization)
  • AWS recurring SAS-70 Type II certification

Cloud Compliance encrypts data in transit as well as data at rest (there's also an option that precludes the need to store any log or entitlement data at all). And it's worthwhile pointing out that the Cloud Compliance solution does not require access to personal identifying information (PII); only a non-sensitive subset of entitlement data and log records are required.

Compliance Made Easy

Cloud Compliance's Identity and Access Assessment service is easy to adopt and provides immediate results. We solve access control issues that go by many names: excessive access rights; least privilege policy violations; excessive privileges; dormant accounts; and excessive entitlements. These access control issues have been identified, studied and reported on by major audit firms such as Deloitte, analysts such as Forrester and IDC, academic research teams such as from Dartmouth, and enterprises around the world. Yet, until Cloud Compliance, there was no effective solution available. Now, with our SaaS-based IdAA, achieving access audit compliance is not only possible -- it's easy.

 

Note: A PDF of this post can be found here.


User Activity Monitoring


In my previous post I wrote about a Gartner recommendation that organizations implement user activity monitoring as part of a strategy to manage external and internal threats, and for regulatory compliance. Gartner suggests integrating Identity and Access Management (IAM) capabilities with a SIEM system to achieve user activity monitoring, but other approaches work as well if not better.

Why is user activity monitoring needed? Since all major regulatory frameworks -- including SOX, PCI DSS, GLBA, and HIPAA -- require least privilege access controls, thousands of companies are obligated to prevent excessive access rights and yet, according to Deloitte, have failed to adequately do so. The reason this is a hard problem has to do with the dynamic nature of the enterprise -- especially in an economic downturn -- with layoffs, restructurings, aggressive use of contractors and other service providers, along with the need for federated identity and access management as enterprises collaborate.

Conventional wisdom holds that the best practice for resolving this issue is to adopt an IAM system with role-based access control (RBAC) capabilities. Unfortunately, such systems provide no user activity monitoring or other assessment mechanisms and as a result are notoriously ineffective. While these systems ensure that only authorized users may log in to critical resources, they fail to consistently determine which users should be authorized to access those resources. As a result, as reported by a Dartmouth field study and by IDC, over-entitlement is the norm. In many organizations over 50% of access rights are dormant, representing a huge security vulnerability as well as a significant compliance exposure.

This is where user activity monitoring comes in. Organizations can assess user privileges, or entitlements, through user activity monitoring in order to identify excess entitlements. That few organizations do so is indicated by the high rate of audit findings for such access controls. Two additional methods of implementing user activity monitoring, besides the SIEM+IAM integration suggested by Gartner, are network-based activity monitoring and log-based activity monitoring.

Many organizations collect NetFlow data for IP traffic analysis reasons, and analyze this data for user activity monitoring. While NetFlow shows source and destination IP address and port number, it shows neither authenticated user names nor application names (applications can in many cases be deduced from the destination IP address and port number, but it's practically impossible to link source IP address to user names). NetFlow is therefore inadequate in most cases for tracking user access to audited applications.

Some organizations have adopted a network-based user activity monitoring system which goes beyond NetFlow to record, not just source and destination IP addresses, but authenticated user names and which application was accessed. While far superior to a NetFlow-only approach, network based activity monitoring has several challenges:

  • Span port scarcity - span ports are used for a variety of applications, and without a network monitoring system such as one from Gigamon, span port availability could be a constraint;
  • Span port data loss - most switches are vulnerable to packet loss on their span ports during peak traffic bursts. Even a data loss rate of under 1% can render such a solution inadequate for forensic purposes;
  • Application-side scalability - network activity monitoring requires a probe on every ingress span into the application infrastructure;
  • User-side scalability - a probe must be placed in every subnet with its own AD or other authorization system, which can make for a very expensive deployment in a distributed environment or one with many remote offices;
  • Encryption - as the percentage of encrypted sessions inside the data center increases, it leaves a larger blind spot for network-based approaches;
  • Technical challenges with today's DPI silicon in monitoring 10G links - the latest generation network processor with DPI capabilities can monitor 4-5 Gbps, far short of the 20 Gbps required for full-duplex traffic monitoring of a 10G link; and
  • No visibility to access from behind the monitored span port - network activity monitoring is blind to local access, e.g. from the application server's console port. It also can't see application-to-application access.

Despite these challenges, enterprises are deploying network-based access activity monitoring systems because they otherwise do not have effective solutions for preventing excessive access rights.

An alternate approach to network-based access activity monitoring is log-based user activity monitoring, which does not suffer from the limitations and constraints listed above. Cloud Compliance, for example, reads log files for audited applications in order to prevent excessive access rights and other access audit violations. The log-based approach precludes the need for hardware to be deployed, is scalable, detects 100% of access activity (regardless of encryption, 10G links, and source of access) and, when deployed as a SaaS solution, eliminates the need for installation, software maintenance, and a large upfront capital outlay.
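The log-based assessment described above can be sketched as follows. This is an added example, not Cloud Compliance's code: the CSV layout, the log line format, the 90-day dormancy window and all user and application names are assumptions, and the data is constructed.

```python
"""Added example: log-based entitlement assessment on constructed data."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement export (assumed layout): who is allowed to use what.
ENTITLEMENTS_CSV = """user,application,granted_on
alice,ledger,2008-01-10
alice,payroll,2008-01-10
bob,ledger,2008-03-02
bob,trading,2009-05-20
carol,payroll,2007-11-30
carol,trading,2008-06-15
dave,ledger,2009-06-01
"""

# Constructed application log (assumed format): "<timestamp> <app> user=<name> ...".
# Unlike NetFlow records, each line carries the authenticated user name.
ACCESS_LOG = """2009-03-14T09:12:00 ledger user=alice action=login
2009-05-30T16:40:11 ledger user=alice action=login
2008-09-01T08:00:00 payroll user=alice action=login
2009-06-02T10:05:43 trading user=bob action=login
2009-06-10T11:15:00 payroll user=carol action=login
2009-06-11T14:22:09 ledger user=mallory action=login
this line is malformed and must be skipped
"""

AS_OF = datetime(2009, 6, 30)  # assessment date (constructed)


def parse_entitlements(text):
    """Return {(user, application): grant date} from the entitlement export."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["user"], r["application"]):
            datetime.strptime(r["granted_on"], "%Y-%m-%d") for r in rows}


def last_access(log_text):
    """Return {(user, application): most recent access}, skipping bad lines."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2].startswith("user="):
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        key = (parts[2][len("user="):], parts[1])
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen


def assess(entitlements, seen, as_of, dormant_days=90):
    """Compare granted rights with observed use and report the gaps."""
    cutoff = as_of - timedelta(days=dormant_days)
    totals, stale = defaultdict(int), defaultdict(int)
    dormant = []
    for (user, app), granted in sorted(entitlements.items()):
        totals[app] += 1
        if granted > cutoff:
            continue  # granted inside the window: too new to call dormant
        last = seen.get((user, app))
        if last is None or last < cutoff:
            dormant.append((user, app, last.date().isoformat() if last else "never"))
            stale[app] += 1
    # Access with no matching entitlement record is a separate finding.
    unentitled = sorted(key for key in seen if key not in entitlements)
    rates = {app: round(100.0 * stale[app] / totals[app], 1) for app in totals}
    return {"dormant": dormant, "unentitled_access": unentitled, "rate_pct": rates}


def over_target(rates, target_pct):
    """Applications whose dormant-rights percentage exceeds the management target."""
    return sorted(app for app, pct in rates.items() if pct > target_pct)


if __name__ == "__main__":
    report = assess(parse_entitlements(ENTITLEMENTS_CSV), last_access(ACCESS_LOG), AS_OF)
    for user, app, last in report["dormant"]:
        print(f"dormant: {user} on {app} (last access: {last})")
    for user, app in report["unentitled_access"]:
        print(f"access without entitlement: {user} on {app}")
    print("over 4% target:", over_target(report["rate_pct"], 4.0))
```

Re-running the assessment on each new upload bounds the time between a right going dormant and its detection by the interval between runs.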


SIEM + IAM = User Activity Monitoring


Gartner, in a report entitled SIEM and IAM Technology Integration, points out that integration of identity and access management (IAM) and security information and event management (SIEM) technologies can provide audit capabilities that are much stronger than what IAM alone can deliver. In short they’re saying that SIEM + IAM = user activity monitoring, and that user activity monitoring is important for both threat management and compliance management.

The top Gartner recommendation in the report is to:

Implement user activity monitoring as part of a strategy to manage external and internal threats and for regulatory compliance.

The report concludes by discussing SIEM customization requirements for integrating with any IAM system.

To summarize the thrust of the report: After collectively spending billions of dollars on SIEM and IAM systems, enterprises are now encouraged to invest further in the integration of these two expensive and complex technologies in order to achieve user activity monitoring. A fancy graphic is included in the report that shows the intersection of change management, activity management, and identity management; the title of the figure is “Moving From Activity Monitoring to Exception Monitoring.”

Of course we want all of our systems to highlight exceptions rather than simply report on activity, and of course we need to understand exceptions in terms of user activity monitoring if we are to eliminate serious vulnerabilities while reducing the top source of audit findings. But do we need to break the bank in order to detect excessive access rights, dormant accounts and other insider risks? Not if we employ an Identity and Access Assessment solution.

Think about it. An enterprise could pay 6 or 7 figures for a SIEM, another 6 or 7 figures for a complete set of IAM technologies, and, if they dare, another 5 or 6 figures for the customization required to integrate the two as Gartner (and their report sponsor) suggest. Of course an enterprise may already have SIEM and IAM systems in place, but customizing SIEMs for purposes of a serious integration project is not for the faint of heart. A better approach for most enterprises would be to pay 4 or 5 figures per year for a SaaS-based Identity and Access Assessment solution to address user activity monitoring exceptions that we all agree are critical to resolve.

Reducing access control vulnerabilities and excess entitlements are critical aspects of an overall security and compliance strategy. Cloud Compliance is developing an Identity and Access Control (IdAA) solution to address key challenges with IAM processes, especially in the area of user activity monitoring. We identify users who have rights they no longer need, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.


Field Study: Entitlements, Privileges and Information Risk


I came across a paper written by a team at Dartmouth (hat tip to Bruce Schneier) that describes observations from field study research of both retail and investment banks. The study was more in-depth than most surveys we hear about; for example, the study team was embedded for 3 weeks in the security group of an investment bank. The report focuses primarily on internal access controls and the risks of over-entitlement - a topic we've delved into on many occasions including here and here.

Due to the dynamic nature of large banks - and many other organizations - it is quite common for people to move between internal organizations and be transferred across information boundaries.

The frequent shifting of staff may result in information users collecting system entitlements over time if the system access is not actively managed, resulting in a toxic combination of privileges.

We knew about the gradual accumulation of entitlements over time. But a toxic combination of privileges? What's that?

A toxic combination is a conflict of system access that allows a user to break the law, violate rules of ethics, damage customers' trust, or even create the appearance of impropriety.
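A check for toxic combinations that accumulate through transfers, as an added example that is not from the Dartmouth paper or from Cloud Compliance. The conflict pairs, role names, users and dates are all hypothetical, constructed data.

```python
"""Added example: flag toxic combinations left behind by transfers."""
from datetime import date

# Hypothetical conflict rules: entitlement pairs one person must not hold together.
TOXIC_PAIRS = [
    (("trading", "place_order"), ("settlement", "approve_trade")),
    (("payments", "create_vendor"), ("payments", "release_payment")),
]

# Constructed role history per user: (role, start date), oldest first.
ROLE_HISTORY = {
    "erin": [("trader", date(2006, 2, 1)), ("settlement_analyst", date(2008, 9, 15))],
    "frank": [("ap_clerk", date(2007, 5, 1))],
    "grace": [("trader", date(2008, 1, 7))],
}

# Constructed grants: (user, application, entitlement, grant date).
GRANTS = [
    ("erin", "trading", "place_order", date(2006, 2, 3)),
    ("erin", "settlement", "approve_trade", date(2008, 9, 16)),
    ("frank", "payments", "create_vendor", date(2007, 5, 2)),
    ("frank", "payments", "release_payment", date(2008, 3, 10)),
    ("grace", "trading", "place_order", date(2008, 1, 8)),
]


def role_at(history, when):
    """Role held on a given date (None if the date precedes the first role)."""
    current = None
    for role, start in history:
        if start <= when:
            current = role
    return current


def find_toxic(grants, pairs, role_history):
    """Return one finding per user and conflicting pair held at the same time.

    'carried_over' lists the side(s) of the pair granted under an earlier
    role, i.e. rights that a transfer should have removed.
    """
    held = {}
    for user, app, entitlement, when in grants:
        held.setdefault(user, {})[(app, entitlement)] = when
    findings = []
    for user in sorted(held):
        history = role_history.get(user, [])
        now_role = history[-1][0] if history else None
        for left, right in pairs:
            if left in held[user] and right in held[user]:
                carried = [e for e in (left, right)
                           if role_at(history, held[user][e]) != now_role]
                findings.append({"user": user, "pair": (left, right),
                                 "carried_over": carried})
    return findings


if __name__ == "__main__":
    for f in find_toxic(GRANTS, TOXIC_PAIRS, ROLE_HISTORY):
        cause = "left over from a prior role" if f["carried_over"] else "granted in current role"
        print(f["user"], f["pair"], cause, f["carried_over"])
```

A finding with an empty `carried_over` list means both rights were granted in the user's current role, so the conflict comes from the grant process rather than from a transfer.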

How did we get from over-entitlements to toxic combinations?

Part of the problem is this: Entitlement management systems assume that an employee's direct supervisor can make informed decisions about what entitlements are required to do their job. But as the Dartmouth team points out:

As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access.

This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1:

[Figure 1: entitlements management in a matrix organization]

And even if the corporate structure and reporting relationship is clear in all cases, the degree of scale and complexity makes entitlement management a big problem as shown in Figure 2: 

 

[Figure 2: entitlements management scale]

The biggest challenge isn't the massive number of entitlements and users, however, but the highly dynamic nature of employees and organizational structure within the firm.

Conventional wisdom holds that role-based access control (RBAC) systems are the answer. By allowing organizations to segregate the massive numbers of employees and entitlements into work groups, RBAC systems make the entitlement management process easier to manage. But the size, complexity and dynamic nature of many large enterprises make role-based access control challenging, to say the least:

At one very large retail bank that we interviewed, the CISO had recently completed an RBAC project creating 11,000 roles across the firm to control access to nearly 22,000 applications. Developing the roles took a team two years and the ongoing review process was expected to be significant.

We explored in an earlier post whether perfect access control was possible. Unfortunately, the answer is no. So if over-entitlement is the norm, leading to toxic combinations of privileges or entitlements, and access control systems - which are so costly to deploy and manage - aren't able to fully solve the problem, then what's an organization to do? Especially an organization that is highly regulated by SOX, FFIEC and FINRA?

Cloud Compliance is developing an Identity and Access Control (IdAA) solution to manage entitlements (also called privileges, or access rights). We identify users with excess entitlements, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.




Identity and Access Assessment


Deloitte reports that excessive access rights was the top audit finding for the most recent two years surveyed. Not only is it the top audit finding, but IDC states that excessive access rights result in the biggest financial exposure for organizations—and up to 60% of rights on most systems are expired and therefore dormant. The problem is that IT and security staff at most companies don’t know that this condition exists—or more precisely, they suspect it exists but don’t know where.

Compounding the problem for these companies is that auditors have in recent years learned that by spot-checking recent transfers and terminations, they are more than likely to uncover excessive access rights. This has contributed to the high rate of audit findings in recent years.

Conventional wisdom holds that the solution to this issue is better Identity Management (IdM) systems with role-based access control (RBAC) capabilities and a user interface that can be understood by line-of-business managers, who could then be counted on to keep access rights current and accurate. Unfortunately LOB managers are often reluctant partners in this enterprise; the path of least resistance for them is to keep existing rights when in doubt. And the high rate of audit findings suggests the weakness of this approach.

Whether companies have an IdM system or not, they most likely prepare for audits by manually analyzing HR records and job descriptions in conjunction with role definitions and entitlements. This quarterly or annual process is invariably referred to by customers as a fire drill. In many cases, contractors or temp workers are brought in for this task—adding to the expense but rarely improving the outcome as measured by audit findings.

In the real world, access rights or entitlements are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometimes undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business staff, and IT exacerbate the problem.

There is no perfect IdM system and there’s no foolproof rights management process. Since the systems and processes for managing rights inevitably fall short of 100% accuracy, some kind of feedback or assessment mechanism is required to achieve least privilege objectives and improve IT audit performance. That’s why Cloud Compliance is developing the industry’s first Identity and Access Assessment (IdAA) system—to provide feedback that identifies, reports on and helps remediate excessive access rights and other access audit issues.

Cloud Compliance will address the IdAA challenge with a unique, innovative SaaS solution. Our cloud-based analytics assesses log-based access activity for selected applications, typically those that are audited or that access sensitive data such as personal identifying information (PII). We identify dormant (aka zombie) accounts, and provide tools for isolating high rates of dormancy by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a multi-tenant SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to software-based IdM solutions, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants,  advisors or professional services to deploy, and no huge upfront capital expense to incur.

Ronald Reagan famously said “Trust, but verify”.  Many IdM systems are trusted to maintain entitlement and access rights.  But the systems themselves rarely have verification capabilities.  They would benefit greatly from an Identity and Access Assessment solution that provided verification, and in doing so improved audit performance and regulatory compliance.


Security Metrics


Andrew Jaquith, in his book Security Metrics: Replacing Fear, Uncertainty and Doubt, describes the value of metrics in general and in doing so identifies one of the key challenges in ensuring system security:

Today's information security battleground is all about entitlements -- who's got them, whether they were granted properly, and how to enforce them.

The book describes how metrics can be applied in managing security systems in general, and in entitlements/access rights in particular. Jaquith, a senior analyst at Forrester, cites examples of how other disciplines and industries use key metrics to compare their operations to peer companies. For example, freight companies know their freight cost per mile and loading factors -- as well as those of their competitors. Management can therefore set meaningful objectives and measure themselves against comparable companies. Choosing to be above, on, or below an industry average is a question of strategy as well as operational efficiency. For example, a freight company may be willing to have a lower load factor than its peers if that's the tradeoff required to offer faster delivery times (for which it presumably charges a premium).

Similarly, warehousing firms measure and compare their cost/square foot and inventory turns, and e-commerce companies measure their website conversion rates. And of course financial metrics have been standardized and reported on for years. Companies can therefore compare relevant metrics to those of their peers in order to better evaluate their internal performance.

Could such a use of metrics apply to security? And can metrics be of use in the "entitlements battleground"?

First, let's look at Jaquith's definition of a good metric:

  1. consistently measured, without subjective criteria;
  2. cheap to gather, preferably in an automated way;
  3. expressed as a cardinal number or percentage, not with qualitative labels such as high, medium and low;
  4. expressed using at least one unit of measure, such as "defects" or "dormant accounts"; and
  5. contextually specific -- relevant enough to decision-makers so that they can take action.

So what about the "information security battleground", namely entitlements and access rights? What metrics are relevant to that? Jaquith lists pertinent questions and the metrics that can guide management actions, for example: Does the organization review employee entitlements? An example metric would be % accounts dormant. (The complete discussion starts on page 117 of Jaquith's book under the heading Ensuring System Security.)

Cloud Compliance's solution includes the key metric "% accounts dormant". Is it a good metric? According to Jaquith's five criteria above it is: consistently measured; cheap to gather; expressed objectively as a percentage; expressed using a clear unit of measure (dormant accounts); and relevant enough to management so that they can take action. In addition, our solution provides a threshold percentage so that management can readily tell when action is required.
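The "% accounts dormant" metric and its action threshold, computed from log-based access activity and broken down by business unit or application, as an added example that is not Cloud Compliance's code. The sample entitlements, the log format, the 90-day dormancy window and the 25% threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one row per provisioned account
# (user, application, business unit).
ENTITLEMENTS = [
    ("alice", "payroll", "finance"),
    ("bob", "payroll", "finance"),
    ("carol", "payroll", "finance"),
    ("dave", "crm", "sales"),
    ("erin", "crm", "sales"),
    ("frank", "crm", "contractors"),
    ("grace", "payroll", "contractors"),
]

# Constructed access log: "<ISO timestamp> <user> <application> <event>".
ACCESS_LOG = """\
2009-06-28T09:12:00 alice payroll login
2009-01-15T14:03:00 bob payroll login
2009-06-30T08:45:00 dave crm login
2009-06-11T17:20:00 erin crm login
2008-11-02T10:00:00 frank crm login
corrupted line without the expected fields
2009-06-29T11:30:00 alice payroll report_export
"""

AS_OF = datetime(2009, 7, 1)  # constructed assessment date


def last_access(log_text):
    """Map (user, application) to the most recent timestamp in the log."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or truncated line
        try:
            seen = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # first field is not a timestamp: skip the line
        key = (parts[1], parts[2])
        if key not in latest or seen > latest[key]:
            latest[key] = seen
    return latest


def dormancy_report(entitlements, log_text, as_of, window_days=90,
                    threshold_pct=25.0, group_by="unit"):
    """Compute % accounts dormant per business unit or per application."""
    cutoff = as_of - timedelta(days=window_days)
    latest = last_access(log_text)
    groups = defaultdict(lambda: {"accounts": 0, "dormant": []})
    for user, app, unit in entitlements:
        group = groups[unit if group_by == "unit" else app]
        group["accounts"] += 1
        seen = latest.get((user, app))
        # Never used, or not used inside the window: count as dormant.
        if seen is None or seen < cutoff:
            group["dormant"].append((user, app))
    report = {}
    for name, g in groups.items():
        pct = 100.0 * len(g["dormant"]) / g["accounts"]
        report[name] = {
            "accounts": g["accounts"],
            "dormant": sorted(g["dormant"]),
            "pct_dormant": round(pct, 1),
            "action_required": pct > threshold_pct,
        }
    return report


if __name__ == "__main__":
    for name, row in dormancy_report(ENTITLEMENTS, ACCESS_LOG, AS_OF).items():
        print(name, row)
```

Accounts that never appear in the log are counted as dormant, which is what surfaces entitlements that were provisioned but never used.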

Finally, one of the advantages of a SaaS solution such as that offered by Cloud Compliance is the global statistical perspective that can be provided, which allows customers to compare their performance to that of their peers. By knowing, for example, industry averages for key metrics such as % accounts dormant Cloud Compliance's customers can benchmark their internal performance and security objectives to those of comparable organizations. What better way to arm oneself for the information security battleground known as entitlements management?

The definition and application of security metrics is ongoing. One resource I recommend is Securitymetrics.org, which provides empirical strategies for decision-makers and security practitioners and which includes links to digests, presentations, and handouts from past Metricon Workshops.



Insider Risk Management


I recently ran across a study from IDC on insider risk management that was based on a survey of over 400 respondents in the U.S. and Europe; CIOs and heads of IT accounted for 71% of respondents. The survey had some interesting findings regarding the sources of insider risk and where to invest in order to best manage those risks.

The majority of respondents (52%) characterized their incidents arising from insider threats as predominantly accidental, while only 19% believed they were deliberate. Of course the costs related to disclosure of sensitive information are the same whether the incident was deliberate or not: failed audits, regulatory actions and fines, brand erosion, legal fees, lost employee productivity, and lost customers.

A key finding of the study was:

Out of date and/or excessive privilege and access control rights for users are viewed as having the most financial impact on organizations.

If insider risk management is measured in terms of its financial impact, then this is the most urgent problem to address -- and the one with the best ROI.

This finding with regard to out of date and/or excessive privilege and access control rights is consistent with the Deloitte survey, which reported that excessive access rights (a different term for the same risk phenomenon) was the top "internal/external audit finding over the past 12 months" -- for the second year in a row. And as IDC points out, since this is a requirement across all major regulatory frameworks, a company with excessive access rights could fail multiple audits including SOX, EU privacy laws, HIPAA and PCI.

What causes this high rate of excessive access rights? IDC reports that "contractors and temporary staff represent the greatest internal risk" for companies. And the vertical segment with the highest rate of incidents, due to provisioning/deprovisioning delays, was IT outsourcing.

Here's the ranking of average number of internal incidents per year, by incident type:

[Figure: IDC security incidents]

 

Excessive privilege/access control rights -- what Deloitte calls excessive access rights -- ranked third behind negligence and internal malware/spyware attacks. But two additional incident types are merely different manifestations of the same fundamental issue: Data loss through external attacks by previous employees is enabled due to rights that were not deprovisioned in a timely fashion upon termination; and exposure through provisioning/deprovisioning delays is the most prevalent cause of excessive access rights. If we add the three incident types together -- excessive privilege, attacks by previous employees, and deprovisioning delays -- it's by far the greatest source of internal risk, accounting for over 35 incidents per year on average.

Consistent with this point, IDC made a rather shocking revelation:

In years past, IDC has estimated that as many as 60% of all accounts on most systems are expired.

This would suggest that, if IDC estimates are anywhere close to the actual level of dormant accounts, there's a ticking time bomb out there just waiting to be exploited by an insider or discovered by an auditor.

This is why Cloud Compliance has focused on the problem of excessive access rights, excessive privilege/access control rights, and deprovisioning delays. Our Identity and Access Assessment (IdAA) solution detects excessive access rights and other access control vulnerabilities through innovative, cloud-based analytics; our solution also provides tools for root cause identification and remediation. All of this is accomplished with no appliances or enterprise software to install and maintain, no professional services to manage, and with no upfront capital expenditure required.


Security from the Cloud


It's slightly ironic that while there are concerns about security in the cloud, there are a number of managed security services that provide security from the cloud. As outlined below, cloud-based Software-as-a-Service (SaaS) security solutions are being ever more widely adopted to save money and improve security.

Gartner reports that the current tough economic conditions drive many companies to look at cloud computing and SaaS offerings in order to cut expenses. There must be something to that, as Nemertes Research's 2009 Spring Benchmark finds that 60% of participants are planning to increase their use of managed services in 2009. And Infonetics Research reports that revenue derived from managed security SaaS will grow at a compound annual growth rate of 46% from 2008 to 2013. That's a phenomenal growth rate. "SaaS is definitely the future of managed network security," said Jeff Wilson, Infonetics Research's Principal Analyst for Network Security.

Companies are not willing to adopt SaaS for security at the expense of strong security capabilities. In fact, as shown in the following chart, the top driver behind SaaS for security is strength for security; cost is second. In other words, the drive to cut costs has also led to stronger security capabilities:

 

[Figure: MSSP compliance drivers]

As more services are delivered from the cloud, scale economies will improve and the level of acceptance will result in SaaS security as a mainstream offering for SMBs as well as large enterprises. But there's another factor that comes into play that makes SaaS even more valuable, which I refer to as technical leverage. Take Salesforce.com, for example. Salesforce is the world's leading SaaS vendor. They now also offer a Platform-as-a-Service (PaaS) solution called Force.com. And with Force.com one can leverage their AppExchange, an online directory that provides customers a way to browse, test-drive, share and install applications developed on Force.com. One analyst refers to AppExchange as "the iTunes of business software". That's a powerful concept, and potentially significant leverage for Salesforce.com customers.

SaaS has fueled remarkable innovation, as vendors roll out cloud-based solutions for different aspects of security and compliance. Forrester's white paper on Authentication-as-a-Service, commissioned by VeriSign, describes challenges companies face with regard to authentication and how a cloud-based authentication service would be perceived. Expected benefits from such a service include improved reliability, reduced fraud, reduced identity theft, and improved scalability.

Symplified, which refers to itself as "The Cloud Security Company", provides identity management from the cloud. They claim an 80% savings compared to software. TriCipher offers a cloud-based single sign-on (SSO) service called myOneLogin that they claim can be deployed in minutes. Cloud Compliance offers a cloud-based identity and access assessment service for SOX, PCI DSS, GLBA and HIPAA that addresses the top causes of IT audit findings.

If we step back and look at the big picture, we observe that cloud-based authentication, identity management and compliance services represent additional forms of technical leverage. An enterprise can pick and choose from among SaaS offerings to build a complete security and compliance solution from best of breed components. And unlike software, SaaS solutions require no installation, no upgrades or patches, no maintenance, and typically cost significantly less than the software they replace. But most importantly, these innovative SaaS offerings enable companies to strengthen their overall security and compliance profile.



Security in the Cloud


It's 2009, so it must be time to cut expenses. Again. Which means many companies are taking a look at leveraging cloud services in order to save money. Will they have to sacrifice security in order to realize significant cost savings?

There are several valuable resources available for evaluating cloud security. In this post I discuss two, one from Gartner and the other from the Cloud Security Alliance.

In their June, 2008 report entitled "Assessing the Security Risks of Cloud Computing", Gartner lists seven specific security issues to investigate:

1. Privileged user access. I would concur with this as the top issue. In theory, once it's sent into the cloud your data could be accessible by admins -- privileged users -- that you have never seen or vetted. What kind of protections can you apply to your data (such as encryption, access control lists)? What kind of screening and background checks are performed for admins? How comprehensive are the site's physical controls? Do they have (and use) video surveillance? Do they employ two-factor authorization, and how many times must an admin be authenticated before he or she has physical access to sensitive areas? Is all access logged? Are admins immediately de-provisioned when they are terminated or simply no longer have a business need for access? And so forth.

2. Regulatory compliance. What kind of compliance, such as SAS-70 Type II certification, has your cloud provider achieved? What kind of support do they provide for your certification requirements, such as PCI DSS and HIPAA?

3. Data location. Some compliance standards require that certain data not leave the current regional/national jurisdiction. Will your cloud provider commit to storing and processing your data within a specified jurisdiction?

4. Data segregation. What, if anything, is done to segregate data at rest? Have encryption schemes been tested by qualified specialists?

5. Recovery. Understand and evaluate your cloud provider's disaster recovery and business continuity strategies. An earthquake or flood that completely devastates your cloud-based applications and data constitutes an unacceptable risk for most enterprises.

6. Investigative support. Access to archived data may be required for litigation support, discovery requests or illegal activity investigation. Make sure your cloud provider can support these requirements.

7. Long-term viability. If your cloud provider goes out of business, you may not have access to critical resources stored in that provider's now-defunct data centers. You should have some assurance that your provider is viable for the long term, or protections in place against an unexpected shut down.

A more comprehensive resource has been developed by the Cloud Security Alliance, called "Security Guidance for Critical Areas of Focus in Cloud Computing"; you can find it here. The white paper covers many of the same points as Gartner, but with more depth on foundation and architectural issues, as well as additional items to consider including Information Lifecycle Management, Portability and Interoperability, Encryption and Key Management, and Identity and Access Management.

With regard to Identity and Access Management, the Cloud Security Alliance emphasizes the need for a robust federated identity management system that includes user and access lifecycle management as well as audit and compliance capabilities. At Cloud Compliance we couldn't agree more, and note that most IdM systems are rather weak on the audit and compliance front because they lack the ability to perform identity and access assessment. That's the service that Cloud Compliance provides.



Security and The Cloud Hype Cycle


Emerging technologies are inevitably subject to hype cycles. Cloud computing, for example, had reached what Gartner calls "the peak of inflated expectations" when experts were proclaiming in 2008 that cloud computing would effectively put all servers ever manufactured at our disposal, with virtual everything, infinite scalability, and at price points approaching zero. Every enterprise application was a candidate for cloud computing. It was all good.

I saw evidence in late June that we had arrived at the next stage of the hype cycle, the "trough of disillusionment", in a posting on Dark Reading entitled "Could The Cloud Lead To An Even Bigger 9/11?" Here's an excerpt:

"...a coordinated attack...could stop a country cold, with recovery taking years and massive infrastructure failures causing loss of life and resources never seen outside of an outright world war."

Wow. I have to admit that this is the first new technology I've encountered whose downside was on par with a world war. How worried should I be? To answer that, let's look again at where we are in the cloud computing hype cycle:

[Figure: cloud security]

First, the amplitude of the hype curve has created a state known as "blogger heaven". And we're probably just past the nadir of the "trough of disillusionment". Which means there's a collective realization that cloud computing -- like every new technology before it -- has failed to live up to the inflated expectations of last year. Does that make it bad? Of course not. Are all articles, blogs, white papers and other resources now biased to the downside of cloud computing? No, that's too much of a generalization. But it's fair to say that among the thoughtful cautions being published these days one is bound to find more than a fair share of hand-wringing and forecasts of doom.

The driver for cloud services is economics. Cloud services, especially SaaS-based delivery models, promise huge cost savings compared to traditional enterprise software. The model is attractive, with the prospect of no upfront investment required, pay for only what you use, and no software to deploy or manage. And with most companies these days looking for any way to cut expenses, it's likely that this question will come from senior management: How can we leverage the cloud to save money?

Well, one option is to tell the CFO, CEO and board members that cloud services are a bad idea because of the world war downside.

Another option for any company is to analyze specific requirements, and develop a cloud security strategy consistent with the sensitivity of data and company mission. A key area of focus -- for applications in the cloud or behind the enterprise firewall -- is controlling access to critical resources and data. Of course, not all clouds are created equal -- some have better controls than others. But when the silver lining is huge cost savings, it's worth the effort to investigate cloud offerings to find those that meet a company's unique security requirements.

