Posted by Robbie Forkish on Fri, Oct 23, 2009
I recently ran across an article by Paul Smocer of BITS entitled "The Future of Banking Enterprise Access Management & Authentication" in Security Strategies in which he discusses the four component areas of IAM, and the challenges facing each. Smocer defines the four aspects of IAM as follows:
- Enrollment/Identification -- Assigning a "persona" to employees
- Authentication -- Validating the employee is legitimate
- Provisioning -- Assigning and rescinding "rights" to an employee
- Review/Monitoring -- Ongoing and periodic validation of users and their rights.
Enrollment/Identification. The largest challenge here is establishing and maintaining a common set of user IDs from disparate systems. In general, the more legacy systems, the larger the challenge. And the challenge grows to the extent the organization has a higher rate of "joiners" and "leavers".
Authentication. The challenges in authentication simply have to do with the diversity of authentication methodologies and structures, which imposes additional resource requirements to manage.
Provisioning. The act of provisioning rights to users to allow access to specific systems' functions seems straightforward enough. The focus in most organizations is on the speed with which rights (also called privileges, or entitlements) can be assigned. Delays impact productivity! But as Smocer points out, deprovisioning rights also presents a challenge:
"An employee who has rights he or she no longer needs presents a threat in terms of data exposure, data loss or fraud."
Some organizations have begun to move to role-based access control (RBAC) processes, but they only work well where the environment is static or large groups have common access requirements. And for dynamic organizations?
"Where there is a diversity of roles and/or a diversity of access requirements, [RBAC] processes often fall short."
So, failure to deprovision rights can present a threat, but the recommended RBAC processes to manage this risk aren't effective where there is a diversity of roles and/or of access requirements. How, then, should such an organization deal with the provisioning challenge? The article doesn't say. But we do know one thing: this must be happening at a large number of organizations, because excessive access rights has been the top audit finding for each of the past two years.
Review/Monitoring. A key challenge in this area is that many provisioning systems require the line of business manager to validate the accuracy of entitlements. This is often a low priority for a busy business manager, who often makes the issue go away by rubber-stamping the current entitlement assignments. Another problem with relying on the user's manager to provision and deprovision rights is that many enterprises have adopted a matrix organizational structure in which, as Dartmouth researchers report, there is no single manager to assess entitlement requirements and integrity. Better review and monitoring of entitlements is clearly required, given the known deficiencies of the provisioning processes and underscored by the high rate of audit findings.
What can be done? Cloud Compliance is developing an Identity and Access Assessment (IdAA) solution to address key challenges with IAM processes, especially in the areas of provisioning and review/monitoring. We identify users who have rights they no longer need, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.
Posted by Robbie Forkish on Tue, Sep 29, 2009
I came across a paper written by a team at Dartmouth (hat tip to Bruce Schneier) that describes observations from field study research of both retail and investment banks. The study was more in-depth than most surveys we hear about; for example, the study team was embedded for 3 weeks in the security group of an investment bank. The report focuses primarily on internal access controls and the risks of over-entitlement - a topic we've delved into on many occasions, including here and here.
Due to the dynamic nature of large banks - and many other organizations - it is quite common for people to move between internal organizations and be transferred across information boundaries.
The frequent shifting of staff may result in information users collecting system entitlements over time if the system access is not actively managed, resulting in a toxic combination of privileges.
We knew about the gradual accumulation of entitlements over time. But a toxic combination of privileges? What's that?
A toxic combination is a conflict of system access that allows a user to break the law, violate rules of ethics, damage customers' trust, or even create the appearance of impropriety.
How did we get from over-entitlements to toxic combinations?
Part of the problem is this: Entitlement management systems assume that an employee's direct supervisor can make informed decisions about what entitlements are required to do their job. But as the Dartmouth team points out
As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access.
This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1:

And even if the corporate structure and reporting relationship is clear in all cases, the degree of scale and complexity makes entitlement management a big problem as shown in Figure 2:
The biggest challenge isn't the massive number of entitlements and users, however, but the highly dynamic nature of employees and organizational structure within the firm.
Conventional wisdom holds that role-based access control (RBAC) systems are the answer. By allowing organizations to segregate the massive numbers of employees and entitlements into work groups, RBAC systems make the entitlement management process easier to manage. But the size, complexity and dynamic nature of many large enterprises make role-based access control challenging, to say the least:
At one very large retail bank that we interviewed, the CISO had recently completed an RBAC project creating 11,000 roles across the firm to control access to nearly 22,000 applications. Developing the roles took a team two years and the ongoing review process was expected to be significant.
We explored in an earlier post whether perfect access control was possible. Unfortunately, the answer is no. So if over-entitlement is the norm, leading to toxic combinations of privileges or entitlements, and access control systems - which are so costly to deploy and manage - aren't able to fully solve the problem, then what's an organization to do? Especially an organization that is highly regulated by SOX, FFIEC and FINRA?
Cloud Compliance is developing an Identity and Access Assessment (IdAA) solution to manage entitlements (also called privileges, or access rights). We identify users with excess entitlements, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.
Posted by Robbie Forkish on Fri, Sep 11, 2009
Deloitte reports that excessive access rights was the top audit finding for the most recent two years surveyed. Not only is it the top audit finding, but IDC states that excessive access rights result in the biggest financial exposure for organizations—and up to 60% of rights on most systems are expired and therefore dormant. The problem is that IT and security staff at most companies don’t know that this condition exists—or more precisely, they suspect it exists but don’t know where.
Compounding the problem for these companies is that auditors have in recent years learned that by spot-checking recent transfers and terminations, they are more than likely to uncover excessive access rights. This has contributed to the high rate of audit findings in recent years.
Conventional wisdom holds that the solution to this issue is better Identity Management (IdM) systems with role-based access control (RBAC) capabilities and a user interface that can be understood by line-of-business managers, who could then be counted on to keep access rights current and accurate. Unfortunately LOB managers are often reluctant partners in this enterprise; the path of least resistance for them is to keep existing rights when in doubt. And the high rate of audit findings suggests the weakness of this approach.
Whether companies have an IdM system or not, they most likely prepare for audits by manually analyzing HR records and job descriptions in conjunction with role definitions and entitlements. This quarterly or annual process is invariably referred to by customers as a fire drill. In many cases, contractors or temp workers are brought in for this task—adding to the expense but rarely improving the outcome as measured by audit findings.
In the real world, access rights or entitlements are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometimes undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business staff, and IT exacerbate the problem.
There is no perfect IdM system and there’s no foolproof rights management process. Since the systems and processes for managing rights inevitably fall short of 100% accuracy, some kind of feedback or assessment mechanism is required to achieve least privilege objectives and improve IT audit performance. That’s why Cloud Compliance is developing the industry’s first Identity and Access Assessment (IdAA) system—to provide feedback that identifies, reports on and helps remediate excessive access rights and other access audit issues.
Cloud Compliance will address the IdAA challenge with a unique, innovative SaaS solution. Our cloud-based analytics assesses log-based access activity for selected applications, typically those that are audited or that access sensitive data such as personal identifying information (PII). We identify dormant (aka zombie) accounts, and provide tools for isolating high rates of dormancy by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a multi-tenant SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to software-based IdM solutions, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.
Ronald Reagan famously said “Trust, but verify”. Many IdM systems are trusted to maintain entitlement and access rights. But the systems themselves rarely have verification capabilities. They would benefit greatly from an Identity and Access Assessment solution that provided verification, and in doing so improved audit performance and regulatory compliance.
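As an added illustration (example code written for this page, not Cloud Compliance's product or the Dartmouth study's tooling), here is the kind of verification feedback the posts above describe: rights that are dormant according to access-log last-use dates, rights orphaned by terminated users (deprovisioning delays), toxic combinations of rights accumulated by one person, and dormancy rates isolated by business unit. The entitlement records, the 90-day dormancy threshold and the initiate/approve segregation-of-duties pair are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample entitlement export: (user, business_unit, app, right, hr_status, last_used).
# last_used is the most recent use seen in the application's access log; None means never used.
ENTITLEMENTS = [
    ("alice", "Treasury", "wire", "initiate_payment", "active",     date(2009, 9, 1)),
    ("alice", "Treasury", "wire", "approve_payment",  "active",     date(2009, 3, 2)),
    ("bob",   "Treasury", "wire", "approve_payment",  "active",     date(2009, 9, 10)),
    ("carol", "Retail",   "crm",  "view_pii",         "terminated", date(2009, 1, 15)),
    ("dave",  "Retail",   "crm",  "view_pii",         "active",     date(2009, 9, 12)),
    ("dave",  "Retail",   "crm",  "export_pii",       "active",     None),
]
# Hypothetical segregation-of-duties rule: nobody may both initiate and approve a wire.
TOXIC_PAIRS = {frozenset({"initiate_payment", "approve_payment"})}
DORMANT_AFTER = timedelta(days=90)   # assumed review threshold
AS_OF = date(2009, 9, 30)            # constructed date of the review run

def dormant_rights(entitlements, today):
    """Rights not exercised within DORMANT_AFTER (or never): candidates for deprovisioning."""
    cutoff = today - DORMANT_AFTER
    return [(u, a, r) for u, _, a, r, _, last in entitlements
            if last is None or last < cutoff]

def orphaned_rights(entitlements):
    """Rights still held by users HR lists as terminated: a deprovisioning delay."""
    return [(u, a, r) for u, _, a, r, status, _ in entitlements if status == "terminated"]

def toxic_combinations(entitlements):
    """Users whose accumulated rights contain a forbidden pair, whether or not the rights are used."""
    held = defaultdict(set)
    for u, _, _, r, _, _ in entitlements:
        held[u].add(r)
    return sorted((u, tuple(sorted(pair))) for u, rights in held.items()
                  for pair in TOXIC_PAIRS if pair <= rights)

def dormancy_rate_by_unit(entitlements, today):
    """Share of dormant rights per business unit, to isolate where accumulation is worst."""
    cutoff = today - DORMANT_AFTER
    total, dormant = defaultdict(int), defaultdict(int)
    for _, unit, _, _, _, last in entitlements:
        total[unit] += 1
        dormant[unit] += int(last is None or last < cutoff)
    return {unit: dormant[unit] / total[unit] for unit in total}

if __name__ == "__main__":
    print("dormant:", dormant_rights(ENTITLEMENTS, AS_OF))
    print("orphaned:", orphaned_rights(ENTITLEMENTS))
    print("toxic:", toxic_combinations(ENTITLEMENTS))
    print("dormancy by unit:", dormancy_rate_by_unit(ENTITLEMENTS, AS_OF))
```

Note that alice's unused approve_payment right shows up both as dormant and as half of a toxic combination: the accumulated-but-unused right is exactly what a manager rubber-stamping a review would miss.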
Posted by Robbie Forkish on Fri, Aug 28, 2009
I recently ran across a study from IDC on insider risk management that was based on a survey of over 400 respondents in the U.S. and Europe; CIOs and heads of IT accounted for 71% of respondents. The survey had some interesting findings regarding the sources of insider risk and where to invest in order to best manage those risks.
The majority of respondents (52%) characterized their incidents arising from insider threats as predominantly accidental, while only 19% believed they were deliberate. Of course the costs related to disclosure of sensitive information are the same whether the incident was deliberate or not: failed audits, regulatory actions and fines, brand erosion, legal fees, lost employee productivity, and lost customers.
A key finding of the study was:
Out of date and/or excessive privilege and access control rights for users are viewed as having the most financial impact on organizations.
If insider risk management is measured in terms of its financial impact, then this is the most urgent problem to address -- and the one with the best ROI.
This finding with regard to out of date and/or excessive privilege and access control rights is consistent with the Deloitte survey, which reported that excessive access rights (a different term for the same risk phenomenon) was the top "internal/external audit finding over the past 12 months" for the second year in a row. And as IDC points out, since this is a requirement across all major regulatory frameworks, a company with excessive access rights could fail multiple audits including SOX, EU privacy laws, HIPAA and PCI.
What causes this high rate of excessive access rights? IDC reports that "contractors and temporary staff represent the greatest internal risk" for companies. And the vertical segment with the highest rate of incidents, due to provisioning/deprovisioning delays, was IT outsourcing.
Here's the ranking of average number of internal incidents per year, by incident type:
Excessive privilege/access control rights -- what Deloitte calls excessive access rights -- ranked third behind negligence and internal malware/spyware attacks. But two additional incident types are merely different manifestations of the same fundamental issue: Data loss through external attacks by previous employees is enabled due to rights that were not deprovisioned in a timely fashion upon termination; and exposure through provisioning/deprovisioning delays is the most prevalent cause of excessive access rights. If we add the three incident types together -- excessive privilege, attacks by previous employees, and deprovisioning delays -- it's by far the greatest source of internal risk, accounting for over 35 incidents per year on average.
Consistent with this point, IDC made a rather shocking revelation:
In years past, IDC has estimated that as many as 60% of all accounts on most systems are expired.
This would suggest that, if IDC estimates are anywhere close to the actual level of dormant accounts, there's a ticking time bomb out there just waiting to be exploited by an insider or discovered by an auditor.
This is why Cloud Compliance has focused on the problem of excessive access rights, excessive privilege/access control rights, and deprovisioning delays. Our Identity and Access Assessment (IdAA) solution detects excessive access rights and other access control vulnerabilities through innovative, cloud-based analytics; our solution also provides tools for root cause identification and remediation. All of this is accomplished with no appliances or enterprise software to install and maintain, no professional services to manage, and with no upfront capital expenditure required.