Posted by Robbie Forkish on Thu, Apr 22, 2010
For the past year I've been telling anyone who will listen that ineffective IT access controls represent an ongoing security vulnerability as well as a compliance liability for many regulated firms. The Ponemon Institute has published a new survey that not only confirms what I've been saying, but shows that it's getting worse. What a surprise.
Here's how Ponemon summarizes the problem:
When employees, temporary employees, contractors and partners have inappropriate access to information resources -- that is, access that violates security policies and regulations or that is inappropriate for their current jobs -- companies are subject to serious compliance and business risks.
Fair enough. But many enterprises and security-conscious organizations have a "least privilege" policy to ensure that, as regulations and best practices require, users are provided access to ONLY those resources for which they have a legitimate business need. Doesn't that prevent the inappropriate access referred to above?
Not really. Although least privilege sounds simple enough, in practice it has proven extraordinarily difficult to achieve. This is especially true in dynamic enterprise environments, where activities related to onboarding, offboarding, outsourcing, partnering, and use of contractors threaten to overwhelm whatever business processes exist. These challenges are exacerbated by the coordination required between line-of-business managers, IT staff, HR, security, and compliance staff to manage access controls. In fact, Bruce Schneier, a prominent security guru, states unequivocally that perfect access control just isn't possible.
Schneier must be on to something. The Ponemon survey, sponsored by Aveksa, found that most relevant metrics for access management are trending down. Here are the top two findings:
- User access rights continue to be poorly managed. Eighty-seven percent of respondents believe that individuals have too much access to information resources that are not pertinent to their job description - up nine percent from the 2008 study.
- Organizations are not able to keep pace with changes to users' job responsibilities and they face serious noncompliance and business risk as a result. Nearly three out of four organizations (72 percent) said they cannot quickly respond to changes in employee access requirements; and more than half (52 percent) reported that they are unable keep pace with the number of access change requests that come in on a regular basis.
What's at risk when access controls are ineffective? Survey respondents' concern was highest for company applications, intellectual property and general business information. Not to mention audit findings.
So what's the primary cause of poor performance in IT access management? A plurality of respondents say "We cannot keep up with our organization's information resources." This is consistent with Schneier's observation that organizations are simply too chaotic to make it work. So what should be done?
According to the IAM experts, this is where access certification comes in. Here's what Aveksa has to say about access certification:
Good access governance requires the regular review and certification of user entitlements and roles to ensure that access rights to enterprise information assets are appropriate and meet regulatory mandates and guidelines for Sarbanes Oxley, PCI, GLBA, MAR, FERC/NERC, Basel II and HIPAA compliance.
Many IAM solution providers have integrated modules to help you with your access certification. The problem is, this level of certification -- while important -- involves a review of the rather complicated matrix of staff and roles/entitlement assignments that have overwhelmed organizations in the first place.
It's not as if organizations don't know they have probable vulnerabilities: the vast majority say it's "likely" that users are over-entitled.
Here's what we can conclude: Organizations suspect that their users have more access than is required, a clear violation of compliance regulations as well as a security risk. And auditors have proven their worst fears, as excessive access rights have remained the top audit finding for years. So we know that organizations are motivated to solve this problem. But despite the availability of comprehensive role-based access control IAM systems, regulated enterprises apparently still do not have the right tools to manage access controls. What they are missing is any kind of feedback that quantify the effectiveness of their access controls.
Current approaches have obviously failed to achieve the desired and necessary level of security and compliance. That's why Cloud Compliance was formed -- to address this and related access audit issues through an innovative SaaS-based capability called Identity and Access Assessment (IdAA). Cloud Compliance provides visibility into not just who is accessing what, but who should access what. And when excessive access rights inevitably occur, Cloud Compliance analytics help determine the root cause and effective remediation strategies.
Posted by Robbie Forkish on Mon, Jan 04, 2010
Ronald Reagan famously said "Trust, but verify". He could very well
have been talking about entitlement management systems, which manage
authorization to critical applications and other IT resources. Such systems are
trusted to maintain control over entitlements (also called privileges or access
rights). However, the systems themselves rarely have verification or assessment
capabilities. This may be adequate for smaller organizations or enterprises
where roles change infrequently. But the dynamic nature of most
enterprises -- with layoffs, restructurings, aggressive use of contractors and
other service providers -- makes assessment not only prudent, but necessary to
ensure effective access controls and audit compliance.
Entitlements
Deloitte, in The
6th Annual Global Security Survey, reports that excessive entitlements,
also known as excessive access rights, was the top audit finding over the past
year -- for the second year in a row! In other words, a fundamental access control
that represents a compliance exposure and security vulnerability was the top
audit finding in 2007 and, despite all the attention that garnered, was also
the top audit finding in 2008 (the latest year for which survey data exist).
Since all major regulatory frameworks, including SOX, PCI
DSS, GLBA, NERC and HIPAA, require access controls, many thousands of companies
are obligated to prevent excessive access rights and yet, according to the
Deloitte survey, have failed to effectively do so.
Not only is excessive access rights the top audit finding, but IDC
states that such vulnerabilities result in major financial exposure -- and
that up to 60% of rights on most systems are expired and therefore dormant. The
problem is that IT and security staff at most companies don't know that dormant
accounts exist -- or more precisely, they suspect they exist but don't know how to
find or remediate them.
Why is this a hard problem to solve?
Access Controls in the Real World
A paper
written by a team at Dartmouth describes observations from field study
research of both retail and investment banks. The study was more in-depth than
most surveys we hear about; for example, the study team was embedded for three
weeks in the security group of an investment bank. The report focuses primarily
on internal access controls and the risks of over-entitlement, and they
directly address the challenge of effectively managing access controls.
What they found was that the frequent shifting of staff may from one department
or role to another often results in users accumulating entitlements over time.
Part of the problem is this: Entitlement management systems assume that an
employee's direct supervisor can make informed decisions about what
entitlements are required to do their job. But as the Dartmouth team points
out:
"As more
organizations take on a matrix structure, it becomes less evident who reports
to whom and who is responsible for permitting and terminating data access."
This leads to ambiguous and
unwieldy structures for assigning entitlements, or privileges, as shown in
Figure 1:
Figure 1: Privileging
in traditional hierarchical corporate structures (left) vs. in dynamically,
"matrixed" organizations (right). An arrow represents a supervising
relationship (directed graph). Note that on the left, each person has exactly
one direct supervisor, whereas on the right, each may have two or more.
And even if the corporate structure and reporting relationship is clear in
all cases, the degree of scale and complexity makes entitlement management a
big problem as shown in Figure 2:
Figure 2: Complexity and dynamicism in
entitlement systems. The number of applications, entitlements and users make it
a large-scale problem, and the number of daily modifications makes it a
fast-moving target.
The biggest challenge isn't the massive number of entitlements and users,
however, but the highly dynamic nature of employees and organizational
structure within the firm.
Conventional wisdom holds that role-based access control (RBAC) systems are
the answer. By allowing organizations to segregate the massive numbers of
employees and entitlements into work groups, RBAC systems make the entitlement
management process more effective. But the size, complexity and dynamic nature
of many large enterprises make role-based access control challenging, to say
the least. Quoting from the Dartmouth study:
"At one very
large retail bank that we interviewed, the CISO had recently completed an RBAC
project creating 11,000 roles across the firm to control access to nearly
22,000 applications. Developing the roles took a team two years and the ongoing
review process was expected to be significant."
In the real world, access rights are constantly changing, for legitimate
reasons: employees are hired and terminated; contractors come and go; service
providers and outsource firms require access on a project basis with often
unclear timelines; federated identity management systems expand the concept of
trusted user beyond the enterprise boundary; departments and whole companies
undergo reorganizations; mergers and acquisitions result in major
restructurings; layoffs lead to rapid and sometime undocumented role changes;
and employees transferring within a company inevitably have to overlap
responsibilities (and access) between their old and new jobs. Unclear and
imperfect communications between HR, line-of-business (LOB) staff, and IT
exacerbate the problem.
Managing
Entitlements
Andrew Jaquith, an analyst at Forrester, in his book Security
Metrics states:
"Today's
information security battleground is all about entitlements-who's got them,
whether they were granted properly, and how to enforce them."
Companies large and small employ different approaches to entitlement
management, with equal lack of success. Mostly, they do manual reviews of
entitlements prior to audits by going through HR records, reviewing application
logs, and interviewing LOB managers-a process inevitably referred to as a fire
drill. Other approaches to entitlement management include development of custom
reports for SEIM and log management systems, network-based user activity
monitoring, and RBAC systems.
The management challenge is to determine what's a reasonable target level of
excessive access rights in terms of percentage of overall rights granted, and
then ensure that solutions are in place to consistently keep actual excessive
access rights on or below the target. It's more expensive to establish an
excessive access rights target of 2% than of 4%, for example. Therefore,
management must determine what level constitutes "enough" security, doesn't
break the budget or put an undue burden on IT or line-of-business staff, and
yet meets the compliance requirements as measured by auditors. What auditors
are looking for is a sustainable, measureable process that demonstrates
visibility (can the company detect when and where it has excessive access
rights?) and the ability to remediate problems when they occur (can the company
eliminate excessive access rights within a reasonable amount of time from their
detection?).
Top Audit
Findings
As the Deloitte survey reports, current approaches
have failed to achieve the desired and necessary level of compliance -- not just
for excessive access rights, but for access controls in general.
Figure 3: Top internal
and external findings for 2007 and 2008, ranked by percentage of respondents
citing findings in each category, taken from the Deloitte survey.
Here's an explanation of each of the findings:
Excessive access rights. Note that despite the improvement from
2007, excessive access rights remained the top audit finding in 2008 as noted
above. Part of the reason that excessive access rights has been the top finding
for the past two years is that auditors have raised the standard, from evidence
of the existence of a process to
evidence that the process is effective.
Segregation of duties. Segregation of
duties, also referred to as separation of duties and abbreviated SoD, is one of
the most fundamental concepts of security and control, and also one of the most
difficult to achieve.
Access control compliance with procedures.
This audit issue is closely related to excessive access rights; access control
is required to prevent users without appropriate rights from accessing audited
resources.
Lack of audit trails/logging, lack of
documentation of controls, and lack of review of audit trails. These three
top findings are grouped together because they represent the facet of access
audit where technology and process come together. Application logs, which
represent the most effective way to determine user access activity, are an
essential tool for ensuring that access controls are compliant. And reports
that list who has access to what, along with who should have access to what,
become critical components of how access controls are documented.
Excessive developers' access to production
systems and data. This audit finding is challenging to address, because
it's unrealistic in most operating environments to completely block developers
from accessing production systems for troubleshooting and critical maintenance
operations. The objective, then, is not to prevent such access but to note when
it's risen to an "excessive" level.
Lack of clean-up of access rules following a
transfer or termination. Few if any organizations effectively manage rights
and access rules in a real-world environment with re-org, restructurings,
layoffs, role re-definitions and transfers-especially transfers. Because
transfers are not a discrete event so much as a process where an employee has
overlapping responsibilities between new job and old job-and therefore must
maintain access rights for both jobs.
It's clear from the Deloitte survey that access controls are problematic.
While organizations are reasonably effective in ensuring that only authorized
users may log in to critical resources, they fail to consistently determine
which users should be authorized to
access those resources. Meanwhile, auditors have learned where to look in order
to find users with excessive access rights and other access control violations;
hence, an increasingly high rate of audit findings.
Is Perfect
Access Control Possible?
The well-known security guru, Bruce Schneier, in a recent
article entitled Is Perfect
Access Control Possible?, discusses many of these same points and
concludes:
"In
the end, a perfect access control system just isn't possible; organizations are
simply too chaotic for it to work."
Schneier refers to the Dartmouth study's finding that 50-90%
of users are over-entitled in large organizations. Over-entitlement leads to
risk, and therefore attracts the attention of auditors as explained in the
Dartmouth study:
"It may not seem problematic for employees
to have access to systems they never use or are unaware of. However, such
access introduces risk. The root of the problem is that unnecessary or
uncontrolled access can lead to unintended data editing, accidental disclosure,
or internal misuse. That is why Sarbanes-Oxley auditors will flag unnecessary
access as a weakness."
Auditors have learned in recent years how to find and flag
excessive access rights, which is the top cause of audit findings. And not only
is audit compliance an issue, but as noted above in the IDC report excess
entitlements represent a huge financial liability. Thus, imperfect access
controls represent a security vulnerability, a financial liability, and a
compliance exposure. Despite these compelling motivations, we find from
research by Deloitte, IDC, Forrester, Dartmouth and Bruce Schneier that
present-day access controls are largely ineffective, especially in highly
dynamic organizations.
What does the future hold for access control? New
technologies are on the horizon that, by taking an approach referred to as
Identity and Access Assessment (IdAA), enable visibility into the effectiveness
of access controls. Such solutions perform data mining to analyze access
activity over time and thus identify access control issues for remediation.
Cloud
Compliance
Cloud Compliance is
developing an IdAA solution to improve the efficacy of compliance solutions
and reduce the cost of achieving compliance. We combine the economies of cloud computing
with fundamental performance management principles to provide easy, low cost
analysis of access rights to prevent audit findings and ensure access control
compliance with regulations such as SOX, GLBA, PCI DSS, HIPAA and NERC. Our
solution enables customers to identify access audit deficiencies before
auditors arrive, and without manual process costs that otherwise
dominate.
Here's how it works: Cloud Compliance employs SaaS-based
data mining analytics that examines users' access activity to identify and
report on excessive access rights and other access controls. The Cloud
Compliance solution can assess your organization's identity and access controls
in five simple steps:
1. Point
your browser to the Cloud Compliance SaaS site
2. Using
Cloud Compliance's automatic wizard, select which resources and applications
you wish to assess. This is a matter of identifying the SSO system, SIEM, MSSP
(if you have a log retention service), or the targeted application servers' log
files and entitlements data.
3. Upload
entitlements info and log data to the Cloud Compliance SaaS site.
4. Review
the graphical analytics to determine performance versus benchmarks, and to
remediate any policy violations
5. Repeat
steps 3 and 4 periodically. The amount of time between assessments represents
the maximum lag time between when a violation occurs and when it's identified.
It's that easy!
Our innovative ability to measure, report and ultimately
remediate potential audit findings enables our customers to resolve compliance
problems prior to an audit. In addition, Cloud Compliance's graphical analytics
highlight trends and identify root causes to compliance issues, by audited
application, or by business unit, providing valuable insight into potential
security vulnerabilities. Furthermore, due to our global visibility as a
cloud-based SaaS solution, we capture statistics industry-wide that our
customers can access for setting their own policy benchmarks. Finally, the
Cloud Compliance SaaS solution requires no software to install, maintain and
operate, no appliances to deploy, no consultants, advisors or professional
services to deploy, and no huge upfront capital expense to incur.
For further information, see the Cloud Compliance use case
demo at http://www.cloud-compliance.com/product/demo/.
Cloud
Compliance Security
As with all cloud-based services, security can be a concern.
That's especially true for services that address compliance issues and access
vulnerabilities. Cloud Compliance employs the Amazon EC2 (Elastic Compute
Cloud) service which has extensive and comprehensive physical and logical
controls, including:
§
State of the art intrusion detection systems
§
Authorized staff must pass two-factor
authentication at least twice
§
Immediate deprovisioning of admin when no longer
has business need
§
Extensive background check of staff with
potential access to customer data
§
All admin access logged and audited
§
Network security: DDoS, MITM, and firewall
§
Firewall requires customer's X.509 certificate
and key to authorize changes
§
API calls to launch and terminate instances and
perform other functions require X.509 certificate
§
S3 (storage) read permissions controlled by ACL
§
S3 authentication using HMAC-SHA1 signatures
§
Storage device decommission based on NIST 800-88
(media sanitation)
§
AWS recurring SAS-70 Type II certification
Cloud Compliance encrypts data in transit as well as data at
rest (there's also an option that precludes the need to store any log or entitlement data
at all). And it's worthwhile pointing out that the Cloud Compliance solution
does not require access to personal identifying information (PII); only a
non-sensitive subset of entitlement data and log records are required.
Compliance
Made Easy
Cloud Compliance's Identity and Access Assessment service is
easy to adopt and provides immediate results. We solve access control issues
that go by many names: excessive access rights; least privilege policy
violations; excessive privileges; dormant accounts; and excessive entitlements. These access control issues have
been identified, studied and reported on by major audit firms such as Deloitte,
analysts such as Forrester and IDC, academic research teams such as from
Dartmouth, and enterprises around the world. Yet, until Cloud Compliance, there
was no effective solution available. Now, with our SaaS-based IdAA, achieving
access audit compliance is not only possible -- it's easy.
Note: A PDF of this post can be found here.
Posted by Robbie Forkish on Mon, Nov 30, 2009
In my previous post I wrote about a Gartner recommendation that organizations implement user activity monitoring as part of a strategy to manage external and internal threats, and for regulatory compliance. Gartner suggests integrating Identity and Access Management (IAM) capabilities with a SIEM system to achieve user activity monitoring, but other approaches work as well if not better.
Why is user activity monitoring needed? Since all major regulatory frameworks -- including SOX, PCI DSS, GLBA, and HIPAA -- require least privilege access controls, thousands of companies are obligated to prevent excessive access rights and yet, according to Deloitte, have failed to adequately do so. The reason this is a hard problem has to do with the dynamic nature of the enterprise-especially in an economic downturn -- with layoffs, restructurings, aggressive use of contractors and other service providers, along with the need for federated identity and access management as enterprises collaborate.
Conventional wisdom holds that the best practice for resolving this issue is to adopt an IAM system with role-based access control (RBAC) capabilities. Unfortunately, such systems provide no user activity monitoring or other assessment mechanisms and as a result are notoriously ineffective. While these systems ensure that only authorized users may log in to critical resources, they fail to consistently determine which users should be authorized to access those resources. As a result, as reported by a Dartmouth field study and by IDC, over-entitlement is the norm. In many organizations over 50% of access rights are dormant, representing a huge security vulnerability as well as a significant compliance exposure.
This is where user activity monitoring comes in. Organizations can assess user privileges, or entitlements, through user activity monitoring in order to identify excess entitlements. That few organizations do so is indicated by the high rate of audit findings for such access controls. Two additional methods of implementing user activity monitoring, besides the SIEM+IAM integration suggested by Gartner, are network-based activity monitoring and log-based activity monitoring.
Many organizations collect NetFlow data for IP traffic analysis reasons, and analyze this data for user activity monitoring. While NetFlow shows source and destination IP address and port number, it doesn't show authenticated user names nor application names (applications can in many cases be deduced with destination IP address and port number, but it's practically impossible to link source IP address to user names). NetFlow is therefore inadequate in most cases for tracking user access to audited applications.
Some organizations have adopted a network-based user activity monitoring system which goes beyond NetFlow to record, not just source and destination IP addresses, but authenticated user names and which application was accessed. While far superior to a NetFlow-only approach, network based activity monitoring has several challenges:
- Span port scarcity - span ports are used for a variety of applications, and without a network monitoring system such as one from Gigamon span port availability could be a constraint;
- Span port data loss - most switches are vulnerable to packet loss on their span ports during peak traffic bursts. Even a data loss rate of under 1% can render such a solution inadequate for forensic purposes;
- Application-side scalability - network activity monitoring requires a probe on every ingress span into the application infrastructure;
- User-side scalability - a probe must be placed in every subnet with its own AD or other authorization system, which can make for a very expensive deployment in a distributed environment or one with many remote offices;
- Encryption - as the percentage of encrypted sessions inside the data center increases, it leaves a larger blind spot for network-based approaches;
- Technical challenges with today's DPI silicon in monitoring 10G links - the latest generation network processor with DPI capabilities can monitor 4-5 Gbps, far short of the 20 Gbps required for full-duplex traffic monitoring of a 10G link; and
- No visibility to access from behind the monitored span port - network activity monitoring is blind to local access, e.g. from the application server's console port. It also can't see application-to-application access.
Despite these challenges, enterprises are deploying network-based access activity monitoring system because they otherwise do not have effective solutions for preventing excessive access rights.
An alternate approach to network-based access activity monitoring is log-based user activity monitoring, which does not suffer from the limitations and constraints listed above. Cloud Compliance, for example, reads log files for audited applications in order to prevent excessive access rights and other access audit violations. The log-based approach precludes the need for hardware to be deployed, is scalable, detects 100% of access activity (regardless of encryption, 10G links, and source of access) and, when deployed as a SaaS solution, eliminates the need for installation, software maintenance, and a large upfront capital outlay.
Posted by Robbie Forkish on Fri, Oct 30, 2009
A new white paper,
Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, has just been published by
ISACA. The paper provides a short overview of cloud service models and deployment models, and lists the well-known business benefits of cloud computing -- with cost savings at the head of the list. Ease of deployment, high availability, scalability, efficiency and resiliency round out the list of cloud computing benefits.
But what's interesting to IT and security professionals are the risks and security concerns associated with cloud computing. To those following the literature and debates on cloud security the concerns listed in the white paper are familiar: what is the reputation, history and sustainability of the cloud service provider (CSP); where does data reside, and does it matter if that question can't be answered precisely; how well is information protected; who can have access to sensitive or confidential information; and can sensitive information be located in the event of a disaster. Many of these issues at a minimum can be addressed in contractual service level agreements (SLAs), but writing tight SLAs is not the same as mitigating risk.
The ISACA white paper is relatively brief and high-level. Many other information resources exist that delve into great detail on CSP exposures and vulnerabilities, both real and imagined. But additional detail and technical depth isn't necessarily what organizations need to determine whether cloud benefits outweigh the risks for their situation. Specifically, they need to assess the risk related to their sensitive data that would be operated on or stored in the cloud.
Every organization should -- and many organizations do -- have a data classification strategy in place. COBIT 4.1, for example, mandates that organizations should "Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data... It is used as the basis for applying controls such as access controls, archiving or encryption" (section PO2.3). The following classification guide, from the State of New York's CSCIC, is a good example of an approach for classifying data based on risk levels with regard to data confidentiality, integrity and availability:
Here is another approach, then, to dealing with cloud security risks: Limit cloud-based applications to only those that operate on low- or moderate-risk data. Put another way, your organization may decide to reap the economic benefits of cloud-based services -- but only for applications that fall within acceptably low risk profiles.
This evaluation process is already being employed, if only implicitly. Tens of thousands of companies have opted for SaaS-based CRM solutions, the most well-known being from Salesforce.com. Customer information, while valuable to the organization, is not so critical that having it stored in the cloud is viewed as an unacceptably high risk.
On the other hand, many companies I've spoken to believe that the risk of storing personal identifying information (PII) or other highly-confidential information in the cloud is unacceptably high-at least at the current level of cloud security maturity.
My company, Cloud Compliance, has a keen interest in this question. We believe that internal user names and logon activity are no more sensitive than CRM data currently being stored in the cloud by so many companies. While we've found many organizations that agree with our risk assessment, there are others who aren't so sure.
Identity and Access Assessment (IdAA) solutions such as that being developed by Cloud Compliance need to upload two data sets to the cloud in order to perform their analytics:
- log records from SSO systems, log management systems or from application servers which show all access activity (log on and log off) and includes user IDs and time/date of access; and
- rights or entitlement information from AD, the applications or from an identity management system which lists which users have entitlements to which applications. (Note that if the entitlement/identity management system includes personal identifying information such as SSN or home address it is not included in data sent to the cloud. Also note that data in transit as well as data at rest is encrypted.)
(Please visit our product page for more information on how our solution works as well as a use case demo.)
This is the relevant risk management question: If you assume that IdAA solutions reduce if not prevent audit findings related to access controls, is it worth the risk to have your user names, login activity and entitlement information stored in the cloud?
Here's another way to look at it: Is your internal entitlement and activity data more or less sensitive than your customer data that's being stored in the cloud by Salesforce.com and other CRM SaaS solutions?
I am very interested in your views. Please leave a comment on the blog, or send me your opinion at rforkish@cloud-compliance.com. I'll report back in a future post on the collective wisdom of the blog readers.
Posted by Robbie Forkish on Fri, Sep 11, 2009
Deloitte reports that excessive access rights was the top audit finding for the most recent two years surveyed. Not only is it the top audit finding, but IDC states
that excessive access rights result in the biggest financial exposure
for organizations—and up to 60% of rights on most systems are expired
and therefore dormant. The problem is that IT and security staff at
most companies don’t know that this condition exists—or more precisely,
they suspect it exists but don’t know where.
Compounding the problem for these companies is that auditors have in
recent years learned that by spot-checking recent transfers and
terminations, they are more than likely to uncover excessive access
rights. This has contributed to the high rate of audit findings in
recent years.
Conventional wisdom holds that the solution to this issue is better
Identity Management (IdM) systems with role-based access control (RBAC)
capabilities and a user interface that can be understood by
line-of-business managers, who could then be counted on to keep access
rights current and accurate. Unfortunately LOB managers are often
reluctant partners in this enterprise; the path of least resistance for
them is to keep existing rights when in doubt. And the high rate of
audit findings suggests the weakness of this approach.
Whether companies have an IdM system or not, they most likely prepare for audits by manually
analyzing HR records and job descriptions in conjunction with role
definitions and entitlements. This quarterly or annual process is
invariably referred to by customers as a fire drill. In many cases,
contractors or temp workers are brought in for this task—adding to the
expense but rarely improving the outcome as measured by audit findings.
In the real world, access rights or entitlements are constantly
changing, for legitimate reasons: employees are hired and terminated;
contractors come and go; service providers and outsource firms require
access on a project basis with often unclear timelines; federated
identity management systems expand the concept of trusted user beyond
the enterprise boundary; departments and whole companies undergo
reorganizations; mergers and acquisitions result in major
restructurings; layoffs lead to rapid and sometime undocumented role
changes; and employees transferring within a company inevitably have to
overlap responsibilities (and access) between their old and new jobs.
Unclear and imperfect communications between HR, line-of-business
staff, and IT exacerbate the problem.
There is no perfect IdM system and there’s no foolproof rights
management process. Since the systems and processes for managing rights
inevitably fall short of 100% accuracy, some kind of feedback or
assessment mechanism is required to achieve least privilege objectives
and improve IT audit performance. That’s why Cloud Compliance
is developing the industry’s first Identity and Access Assessment
(IdAA) system—to provide feedback that identifies, reports on and helps
remediate excessive access rights and other access audit issues.
Cloud Compliance will address the IdAA challenge with a unique,
innovative SaaS solution. Our cloud-based analytics assesses log-based
access activity for selected applications, typically those that are
audited or that access sensitive data such as personal identifying
information (PII). We identify dormant (aka zombie) accounts, and
provide tools for isolating high rates of dormancy by group, business
unit or by application. Such tools enable root cause identification,
and provide the necessary insight for remediation and process
improvement. Furthermore, due to our global visibility as a
multi-tenant SaaS solution, we capture statistics industry-wide that
our customers can access for setting their own policy benchmarks.
Finally, in contrast to software-based IdM solutions, the Cloud
Compliance SaaS solution requires no software to install, maintain and
operate, no appliances to deploy, no consultants, advisors or
professional services to deploy, and no huge upfront capital expense to
incur.
Ronald Reagan famously said “Trust, but verify”. Many IdM systems
are trusted to maintain entitlement and access rights. But the systems
themselves rarely have verification capabilities. They would benefit
greatly from an Identity and Access Assessment solution that provided
verification, and in doing so improved audit performance and regulatory
compliance.
Posted by Robbie Forkish on Fri, Aug 28, 2009
I recently ran across a study from IDC on insider risk management that was based on a survey of over 400 respondents in the U.S. and Europe; CIOs and heads of IT accounted for 71% of respondents. The survey had some interesting findings regarding the sources of insider risk and where to invest in order to best manage those risks.
The majority of respondents (52%) characterized their incidents arising from insider threats as predominantly accidental, while only 19% believed they were deliberate. Of course the costs related to disclosure of sensitive information are the same whether the incident was deliberate or not: failed audits, regulatory actions and fines, brand erosion, legal fees, lost employee productivity, and lost customers.
A key finding of the study was:
Out of date and/or excessive privilege and access control rights for users are viewed as having the most financial impact on organizations.
If insider risk management is measured in terms of its financial impact, then this is the most urgent problem to address -- and the one with the best ROI.
This finding with regard to out of date and/or excessive privilege and access control rights is consistent with the Deloitte survey, which reported that excessive access rights (a different term for the same risk phenomenon) was the top "internal/external audit finding over the past 12 months"-for the second year in a row. And as IDC points out, since this is a requirement across all major regulatory frameworks, a company with excessive access rights could fail multiple audits including SOX, EU privacy laws, HIPAA and PCI.
What causes this high rate of excessive access rights? IDC reports that "contractors and temporary staff represent the greatest internal risk" for companies. And the vertical segment with the highest rate of incidents, due to provisioning/deprovisioning delays, was IT outsourcing.
Here's the ranking of average number of internal incidents per year, by incident type:
Excessive privilege/access control rights -- what Deloitte calls excessive access rights -- ranked third behind negligence and internal malware/spyware attacks. But two additional incident types are merely different manifestations of the same fundamental issue: Data loss through external attacks by previous employees is enabled due to rights that were not deprovisioned in a timely fashion upon termination; and exposure through provisioning/deprovisioning delays is the most prevalent cause of excessive access rights. If we add the three incident types together -- excessive privilege, attacks by previous employees, and deprovisioning delays -- it's by far the greatest source of internal risk, accounting for over 35 incidents per year on average.
Consistent with this point, IDC made a rather shocking revelation:
In years past, IDC has estimated that as many as 60% of all accounts on most systems are expired.
This would suggest that, if IDC estimates are anywhere close to the actual level of dormant accounts, there's a ticking time bomb out there just waiting to be exploited by an insider or discovered by an auditor.
This is why Cloud Compliance has focused on the problem of excessive access rights, excessive privilege/access control rights, and deprovisioning delays. Our Identity and Access Assessment (IdAA) solution detects excessive access rights and other access control vulnerabilities through innovative, cloud-based analytics; our solution also provides tools for root cause identification and remediation. All of this is accomplished with no appliances or enterprise software to install and maintain, no professional services to manage, and with no upfront capital expenditure required.