Cloud Compliance Blog

2010 Access Governance Trends

For the past year I've been telling anyone who will listen that ineffective IT access controls represent an ongoing security vulnerability as well as a compliance liability for many regulated firms. The Ponemon Institute has published a new survey that not only confirms what I've been saying, but shows that it's getting worse. What a surprise.

Here's how Ponemon summarizes the problem:

When employees, temporary employees, contractors and partners have inappropriate access to information resources -- that is, access that violates security policies and regulations or that is inappropriate for their current jobs -- companies are subject to serious compliance and business risks.

Fair enough. But many enterprises and security-conscious organizations have a "least privilege" policy to ensure that, as regulations and best practices require, users are provided access to ONLY those resources for which they have a legitimate business need. Doesn't that prevent the inappropriate access referred to above?

Not really. Although least privilege sounds simple enough, in practice it has proven extraordinarily difficult to achieve. This is especially true in dynamic enterprise environments, where activities related to onboarding, offboarding, outsourcing, partnering, and use of contractors threaten to overwhelm whatever business processes exist. These challenges are exacerbated by the coordination required between line-of-business managers, IT staff, HR, security, and compliance staff to manage access controls. In fact, Bruce Schneier, a prominent security guru, states unequivocally that perfect access control just isn't possible. 

Schneier must be on to something. The Ponemon survey, sponsored by Aveksa, found that most relevant metrics for access management are trending down. Here are the top two findings:

• User access rights continue to be poorly managed. Eighty-seven percent of respondents believe that individuals have too much access to information resources that are not pertinent to their job description - up nine percent from the 2008 study.
• Organizations are not able to keep pace with changes to users' job responsibilities and they face serious noncompliance and business risk as a result. Nearly three out of four organizations (72 percent) said they cannot quickly respond to changes in employee access requirements; and more than half (52 percent) reported that they are unable keep pace with the number of access change requests that come in on a regular basis.

What's at risk when access controls are ineffective? Survey respondents' concern was highest for company applications, intellectual property and general business information. Not to mention audit findings.

So what's the primary cause of poor performance in IT access management? A plurality of respondents say "We cannot keep up with our organization's information resources."  This is consistent with Schneier's observation that organizations are simply too chaotic to make it work. So what should be done?

According to the IAM experts, this is where access certification comes in. Here's what Aveksa has to say about access certification:

Good access governance requires the regular review and certification of user entitlements and roles to ensure that access rights to enterprise information assets are appropriate and meet regulatory mandates and guidelines for Sarbanes Oxley, PCI, GLBA, MAR, FERC/NERC, Basel II and HIPAA compliance.  

Many IAM solution providers have integrated modules to help you with your access certification. The problem is, this level of certification -- while important -- involves a review of the rather complicated matrix of staff and roles/entitlement assignments that have overwhelmed organizations in the first place. 

It's not as if organizations don't know they have probable vulnerabilities: the vast majority say it's "likely" that users are over-entitled.

Here's what we can conclude: Organizations suspect that their users have more access than is required, a clear violation of compliance regulations as well as a security risk. And auditors have proven their worst fears, as excessive access rights have remained the top audit finding for years. So we know that organizations are motivated to solve this problem. But despite the availability of comprehensive role-based access control IAM systems, regulated enterprises apparently still do not have the right tools to manage access controls. What they are missing is any kind of feedback that quantify the effectiveness of their access controls.

Current approaches have obviously failed to achieve the desired and necessary level of security and compliance. That's why Cloud Compliance was formed -- to address this and related access audit issues through an innovative SaaS-based capability called Identity and Access Assessment (IdAA). Cloud Compliance provides visibility into not just who is accessing what, but who should access what. And when excessive access rights inevitably occur, Cloud Compliance analytics help determine the root cause and effective remediation strategies.

Identity and Access Assessment (IdAA)

Ronald Reagan famously said "Trust, but verify". He could very well have been talking about entitlement management systems, which manage authorization to critical applications and other IT resources. Such systems are trusted to maintain control over entitlements (also called privileges or access rights). However, the systems themselves rarely have verification or assessment capabilities. This may be adequate for smaller organizations or enterprises where roles change infrequently. But the dynamic nature of most enterprises -- with layoffs, restructurings, aggressive use of contractors and other service providers -- makes assessment not only prudent, but necessary to ensure effective access controls and audit compliance.

Entitlements

Deloitte, in The 6th Annual Global Security Survey, reports that excessive entitlements, also known as excessive access rights, was the top audit finding over the past year -- for the second year in a row! In other words, a fundamental access control that represents a compliance exposure and security vulnerability was the top audit finding in 2007 and, despite all the attention that garnered, was also the top audit finding in 2008 (the latest year for which survey data exist).

Since all major regulatory frameworks, including SOX, PCI DSS, GLBA, NERC and HIPAA, require access controls, many thousands of companies are obligated to prevent excessive access rights and yet, according to the Deloitte survey, have failed to effectively do so.

Not only is excessive access rights the top audit finding, but IDC states that such vulnerabilities result in major financial exposure -- and that up to 60% of rights on most systems are expired and therefore dormant. The problem is that IT and security staff at most companies don't know that dormant accounts exist -- or more precisely, they suspect they exist but don't know how to find or remediate them.

Why is this a hard problem to solve?

Access Controls in the Real World

A paper written by a team at Dartmouth describes observations from field study research of both retail and investment banks. The study was more in-depth than most surveys we hear about; for example, the study team was embedded for three weeks in the security group of an investment bank. The report focuses primarily on internal access controls and the risks of over-entitlement, and they directly address the challenge of effectively managing access controls.

What they found was that the frequent shifting of staff may from one department or role to another often results in users accumulating entitlements over time. Part of the problem is this: Entitlement management systems assume that an employee's direct supervisor can make informed decisions about what entitlements are required to do their job. But as the Dartmouth team points out:

"As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access."

This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1:

Figure 1: Privileging in traditional hierarchical corporate structures (left) vs. in dynamically, "matrixed" organizations (right). An arrow represents a supervising relationship (directed graph). Note that on the left, each person has exactly one direct supervisor, whereas on the right, each may have two or more.

 

And even if the corporate structure and reporting relationship is clear in all cases, the degree of scale and complexity makes entitlement management a big problem as shown in Figure 2: 

Figure 2: Complexity and dynamicism in entitlement systems. The number of applications, entitlements and users make it a large-scale problem, and the number of daily modifications makes it a fast-moving target.

 

The biggest challenge isn't the massive number of entitlements and users, however, but the highly dynamic nature of employees and organizational structure within the firm.

Conventional wisdom holds that role-based access control (RBAC) systems are the answer. By allowing organizations to segregate the massive numbers of employees and entitlements into work groups, RBAC systems make the entitlement management process more effective. But the size, complexity and dynamic nature of many large enterprises make role-based access control challenging, to say the least. Quoting from the Dartmouth study:

"At one very large retail bank that we interviewed, the CISO had recently completed an RBAC project creating 11,000 roles across the firm to control access to nearly 22,000 applications. Developing the roles took a team two years and the ongoing review process was expected to be significant."

In the real world, access rights are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometime undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business (LOB) staff, and IT exacerbate the problem.

Managing Entitlements

Andrew Jaquith, an analyst at Forrester, in his book Security Metrics states:

"Today's information security battleground is all about entitlements-who's got them, whether they were granted properly, and how to enforce them."

Companies large and small employ different approaches to entitlement management, with equal lack of success. Mostly, they do manual reviews of entitlements prior to audits by going through HR records, reviewing application logs, and interviewing LOB managers-a process inevitably referred to as a fire drill. Other approaches to entitlement management include development of custom reports for SEIM and log management systems, network-based user activity monitoring, and RBAC systems.

The management challenge is to determine what's a reasonable target level of excessive access rights in terms of percentage of overall rights granted, and then ensure that solutions are in place to consistently keep actual excessive access rights on or below the target. It's more expensive to establish an excessive access rights target of 2% than of 4%, for example. Therefore, management must determine what level constitutes "enough" security, doesn't break the budget or put an undue burden on IT or line-of-business staff, and yet meets the compliance requirements as measured by auditors. What auditors are looking for is a sustainable, measureable process that demonstrates visibility (can the company detect when and where it has excessive access rights?) and the ability to remediate problems when they occur (can the company eliminate excessive access rights within a reasonable amount of time from their detection?).

Top Audit Findings

As the Deloitte survey reports, current approaches have failed to achieve the desired and necessary level of compliance -- not just for excessive access rights, but for access controls in general.

Figure 3: Top internal and external findings for 2007 and 2008, ranked by percentage of respondents citing findings in each category, taken from the Deloitte survey.

 

Here's an explanation of each of the findings:

Excessive access rights. Note that despite the improvement from 2007, excessive access rights remained the top audit finding in 2008 as noted above. Part of the reason that excessive access rights has been the top finding for the past two years is that auditors have raised the standard, from evidence of the existence of a process to evidence that the process is effective.

Segregation of duties. Segregation of duties, also referred to as separation of duties and abbreviated SoD, is one of the most fundamental concepts of security and control, and also one of the most difficult to achieve.

Access control compliance with procedures. This audit issue is closely related to excessive access rights; access control is required to prevent users without appropriate rights from accessing audited resources.

Lack of audit trails/logging, lack of documentation of controls, and lack of review of audit trails. These three top findings are grouped together because they represent the facet of access audit where technology and process come together. Application logs, which represent the most effective way to determine user access activity, are an essential tool for ensuring that access controls are compliant. And reports that list who has access to what, along with who should have access to what, become critical components of how access controls are documented.

Excessive developers' access to production systems and data. This audit finding is challenging to address, because it's unrealistic in most operating environments to completely block developers from accessing production systems for troubleshooting and critical maintenance operations. The objective, then, is not to prevent such access but to note when it's risen to an "excessive" level.

Lack of clean-up of access rules following a transfer or termination. Few if any organizations effectively manage rights and access rules in a real-world environment with re-org, restructurings, layoffs, role re-definitions and transfers-especially transfers. Because transfers are not a discrete event so much as a process where an employee has overlapping responsibilities between new job and old job-and therefore must maintain access rights for both jobs.

It's clear from the Deloitte survey that access controls are problematic. While organizations are reasonably effective in ensuring that only authorized users may log in to critical resources, they fail to consistently determine which users should be authorized to access those resources. Meanwhile, auditors have learned where to look in order to find users with excessive access rights and other access control violations; hence, an increasingly high rate of audit findings.

Is Perfect Access Control Possible?

The well-known security guru, Bruce Schneier, in a recent article entitled Is Perfect Access Control Possible?, discusses many of these same points and concludes:

"In the end, a perfect access control system just isn't possible; organizations are simply too chaotic for it to work."

Schneier refers to the Dartmouth study's finding that 50-90% of users are over-entitled in large organizations. Over-entitlement leads to risk, and therefore attracts the attention of auditors as explained in the Dartmouth study:

"It may not seem problematic for employees to have access to systems they never use or are unaware of. However, such access introduces risk. The root of the problem is that unnecessary or uncontrolled access can lead to unintended data editing, accidental disclosure, or internal misuse. That is why Sarbanes-Oxley auditors will flag unnecessary access as a weakness."

Auditors have learned in recent years how to find and flag excessive access rights, which is the top cause of audit findings. And not only is audit compliance an issue, but as noted above in the IDC report excess entitlements represent a huge financial liability. Thus, imperfect access controls represent a security vulnerability, a financial liability, and a compliance exposure. Despite these compelling motivations, we find from research by Deloitte, IDC, Forrester, Dartmouth and Bruce Schneier that present-day access controls are largely ineffective, especially in highly dynamic organizations.

What does the future hold for access control? New technologies are on the horizon that, by taking an approach referred to as Identity and Access Assessment (IdAA), enable visibility into the effectiveness of access controls. Such solutions perform data mining to analyze access activity over time and thus identify access control issues for remediation.

Cloud Compliance

Cloud Compliance is developing an IdAA solution to improve the efficacy of compliance solutions and reduce the cost of achieving compliance. We combine the economies of cloud computing with fundamental performance management principles to provide easy, low cost analysis of access rights to prevent audit findings and ensure access control compliance with regulations such as SOX, GLBA, PCI DSS, HIPAA and NERC. Our solution enables customers to identify access audit deficiencies before auditors arrive, and without manual process costs that otherwise dominate. 

Here's how it works: Cloud Compliance employs SaaS-based data mining analytics that examines users' access activity to identify and report on excessive access rights and other access controls. The Cloud Compliance solution can assess your organization's identity and access controls in five simple steps:

1.      Point your browser to the Cloud Compliance SaaS site

2.      Using Cloud Compliance's automatic wizard, select which resources and applications you wish to assess. This is a matter of identifying the SSO system, SIEM, MSSP (if you have a log retention service), or the targeted application servers' log files and entitlements data.

3.      Upload entitlements info and log data to the Cloud Compliance SaaS site.

4.      Review the graphical analytics to determine performance versus benchmarks, and to remediate any policy violations

5.      Repeat steps 3 and 4 periodically. The amount of time between assessments represents the maximum lag time between when a violation occurs and when it's identified.

It's that easy!

Our innovative ability to measure, report and ultimately remediate potential audit findings enables our customers to resolve compliance problems prior to an audit. In addition, Cloud Compliance's graphical analytics highlight trends and identify root causes to compliance issues, by audited application, or by business unit, providing valuable insight into potential security vulnerabilities. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

For further information, see the Cloud Compliance use case demo at http://www.cloud-compliance.com/product/demo/.

Cloud Compliance Security

As with all cloud-based services, security can be a concern. That's especially true for services that address compliance issues and access vulnerabilities. Cloud Compliance employs the Amazon EC2 (Elastic Compute Cloud) service which has extensive and comprehensive physical and logical controls, including:

§         State of the art intrusion detection systems

§         Authorized staff must pass two-factor authentication at least twice

§         Immediate deprovisioning of admin when no longer has business need

§         Extensive background check of staff with potential access to customer data

§         All admin access logged and audited

§         Network security: DDoS, MITM, and firewall

§         Firewall requires customer's X.509 certificate and key to authorize changes

§         API calls to launch and terminate instances and perform other functions require X.509 certificate

§         S3 (storage) read permissions controlled by ACL

§         S3 authentication using HMAC-SHA1 signatures

§         Storage device decommission based on NIST 800-88 (media sanitation)

§         AWS recurring SAS-70 Type II certification

Cloud Compliance encrypts data in transit as well as data at rest (there's also an option that precludes the need to store any log or entitlement data at all). And it's worthwhile pointing out that the Cloud Compliance solution does not require access to personal identifying information (PII); only a non-sensitive subset of entitlement data and log records are required.

Compliance Made Easy

Cloud Compliance's Identity and Access Assessment service is easy to adopt and provides immediate results. We solve access control issues that go by many names: excessive access rights; least privilege policy violations; excessive privileges; dormant accounts; and excessive entitlements. These access control issues have been identified, studied and reported on by major audit firms such as Deloitte, analysts such as Forrester and IDC, academic research teams such as from Dartmouth, and enterprises around the world. Yet, until Cloud Compliance, there was no effective solution available. Now, with our SaaS-based IdAA, achieving access audit compliance is not only possible -- it's easy.

 

Note: A PDF of this post can be found here.

Clouds for Compliance: Do the Benefits Outweigh the Risks?

A new white paper, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, has just been published by ISACA. The paper provides a short overview of cloud service models and deployment models, and lists the well-known business benefits of cloud computing -- with cost savings at the head of the list. Ease of deployment, high availability, scalability, efficiency and resiliency round out the list of cloud computing benefits.

But what's interesting to IT and security professionals are the risks and security concerns associated with cloud computing. To those following the literature and debates on cloud security the concerns listed in the white paper are familiar: what is the reputation, history and sustainability of the cloud service provider (CSP); where does data reside, and does it matter if that question can't be answered precisely; how well is information protected; who can have access to sensitive or confidential information; and can sensitive information be located in the event of a disaster. Many of these issues at a minimum can be addressed in contractual service level agreements (SLAs), but writing tight SLAs is not the same as mitigating risk.

The ISACA white paper is relatively brief and high-level. Many other information resources exist that delve into great detail on CSP exposures and vulnerabilities, both real and imagined. But additional detail and technical depth isn't necessarily what organizations need to determine whether cloud benefits outweigh the risks for their situation. Specifically, they need to assess the risk related to their sensitive data that would be operated on or stored in the cloud.

Every organization should -- and many organizations do -- have a data classification strategy in place. COBIT 4.1, for example, mandates that organizations should "Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data... It is used as the basis for applying controls such as access controls, archiving or encryption" (section PO2.3). The following classification guide, from the State of New York's CSCIC, is a good example of an approach for classifying data based on risk levels with regard to data confidentiality, integrity and availability:

 

Here is another approach, then, to dealing with cloud security risks: Limit cloud-based applications to only those that operate on low- or moderate-risk data. Put another way, your organization may decide to reap the economic benefits of cloud-based services -- but only for applications that fall within acceptably low risk profiles.

This evaluation process is already being employed, if only implicitly. Tens of thousands of companies have opted for SaaS-based CRM solutions, the most well-known being from Salesforce.com. Customer information, while valuable to the organization, is not so critical that having it stored in the cloud is viewed as an unacceptably high risk.

On the other hand, many companies I've spoken to believe that the risk of storing personal identifying information (PII) or other highly-confidential information in the cloud is unacceptably high-at least at the current level of cloud security maturity.

My company, Cloud Compliance, has a keen interest in this question. We believe that internal user names and logon activity are no more sensitive than CRM data currently being stored in the cloud by so many companies. While we've found many organizations that agree with our risk assessment, there are others who aren't so sure.

Identity and Access Assessment (IdAA) solutions such as that being developed by Cloud Compliance need to upload two data sets to the cloud in order to perform their analytics:

1. log records from SSO systems, log management systems or from application servers which show all access activity (log on and log off) and includes user IDs and time/date of access; and
2. rights or entitlement information from AD, the applications or from an identity management system which lists which users have entitlements to which applications. (Note that if the entitlement/identity management system includes personal identifying information such as SSN or home address it is not included in data sent to the cloud. Also note that data in transit as well as data at rest is encrypted.)

(Please visit our product page for more information on how our solution works as well as a use case demo.)

This is the relevant risk management question: If you assume that IdAA solutions reduce if not prevent audit findings related to access controls, is it worth the risk to have your user names, login activity and entitlement information stored in the cloud?

Here's another way to look at it: Is your internal entitlement and activity data more or less sensitive than your customer data that's being stored in the cloud by Salesforce.com and other CRM SaaS solutions?

I am very interested in your views. Please leave a comment on the blog, or send me your opinion at rforkish@cloud-compliance.com. I'll report back in a future post on the collective wisdom of the blog readers.

Is Compliance the New Security Standard?

I went to an informative "Cornerstones of Trust 2009" conference yesterday in San Mateo, CA. One of the sessions I attended was "Compliance is Not The Same as Security!". It's an important topic, especially for IT/security staff facing challenges getting their security initiatives funded during these tough economic times.

There was a theme that ran throughout the session which I can summarize as this: "CEOs are being short-sighted by not investing in the [fill in the blank] security initiative. Don't they realize that a breach is inevitable, given enough time? And the cost of the [fill in the blank] security initiative is much, much lower than the cost of dealing with a breach (estimated at over $200 per record). Not to mention that preventing said breach provides other tangible and intangible benefits including protecting the brand, preventing customer erosion due to loss of trust, and avoiding a calamitous drop in stock prices."

Given the compelling case for securing the enterprise, why do CEOs fail to invest more in security solutions? Does this simply represent a failure of IT and security staff to make a compelling business case? Or are the CEOs in fact being short-sighted?

Let's try looking at this from the CEO's perspective. He or she is continuously under scrutiny by Wall Street, and the most common measure of the CEO's and the company's performance is by comparing various financial metrics to a relevant peer group, typically the company's competitors and other players in the same industry. Investors want to know - especially in an economic downturn - whether the CEO is keeping expenses in line. In other words, does the company spend a higher percentage in any category than peer company XYZ? If so, is there a measurable ROI from this higher rate of spending? If not, it looks to an investor like wasteful spending or lack of discipline. How should a CEO respond to that?

Risk management is the only rational way to frame the debate. But now we've entered the world of probabilities and risk assessments. What we know to be true is that no amount of spending can guarantee there will be no breaches. The management decision is one of making rational trade-offs between the probability of an event, and the cost of reducing that possibility - but not eliminating it.

In recent years, a new dimension has entered the debate: compliance. Regulatory standards apply now to public companies (SOX), healthcare (HIPAA), card handlers and retail (PCI), various aspects of financial services (primarily GLBA, but including the entire range of FFIEC audits), and other sectors. Most companies therefore have a mandatory level of security that's required in order to meet compliance requirements; failure to do so results in audit findings, and possible material weakness reports. No CEO wants that.

Security spending for compliance, then, is a given. And while compliance spending may not comprehensively protect the enterprise against a breach, it does provide one important bit of protection: liability. From the CEO's perspective, while the cost per record of responding to a breach may be high, it's nowhere near the potential cost of lawsuits resulting from said breach. And achieving compliance appears to provide a liability shield.

Therefore, the CEO thought process might go something like this: Security spending for compliance is mandatory. And while additional security-related spending might make us more secure, it doesn't add anything in terms of liability protection. Furthermore, there's no guarantee that additional security spending will prevent a breach, but there's a strong likelihood that it will increase spending compared to industry benchmarks. By spending on compliance we are protected against the biggest exposure, which is legal liability. It's not perfect, but given the pressure on margins it will have to do.

If compliance standards are strengthened, then of course the company - as well as all of its competitors - will increase spending to comply. And there's plenty of room for improvement in reducing IT audit findings; see here and here to read about top IT audit findings.

Cloud Compliance is developing an Identity and Access Control (IdAA) solution to improve the efficacy of compliance solutions, and reduce the cost of achieving compliance. Due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks and ensuring that their security spending is in line with their peers. Finally, in contrast to most identity management systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

Insider Risk: Now More Than Ever

It should come as no surprise that the current economic climate has increased the risk of fraud from insiders. But the degree to which the insider threat problem has increased is a surprise, as described in a Dark Reading article Bankers Gone Bad: Financial Crisis Making The Threat Worse. According to a new survey by Actimize, nearly 80 percent of financial institutions worldwide say the insider threat problem has increased in the wake of the economic downturn. Only 28 percent of financial institutions had not suffered an insider breach in the past 12 months (not including the breaches we don't yet know about).

How do insiders commit fraud? The profile of the bank fraudster that typically commits these crimes is a trusted, full-time employee, one who is well-versed in its operations and how to circumvent them and remain under the radar. And a favorite method is to use a dormant account resulting from excessive user entitlements:

"Some security measures for limiting user access to sensitive data, such as minimizing user privileges, don't apply cleanly for banks... The best thing they can do is proactively monitor and look for signs that user entitlements aren't being abused."

If looking for signs that user entitlements aren't being abused was possible, everyone would do it, right? Well, it has to be cheap, too: according to the survey, the biggest single challenge to meeting the threat is the cost of doing so.

In the past 12 months, 70 percent of financial institutions say they have experienced a case of data theft by one of their employees. Nearly half of the banks in the Actimize survey say they are losing 1% to 4% -- four percent! -- of their total revenues to insider fraud. With that as incentive, the most plausible explanation for failing to prevent fraud resulting from excessive user entitlements is that banks don't know how. What they do know is that perfect access control isn't possible, and that Identity Management (IdM) systems combined with manual reviews still fails to identify many excessive entitlements.

And they also know that excessive entitlements (also known as excessive access rights) was the top audit finding for the past two years.

Cloud Compliance is developing an Identity and Access Assessment (IdAA) solution to manage entitlements (also called privileges, or access rights). We identify users with excess entitlements, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

Field Study: Entitlements, Privileges and Information Risk

I came across a paper written by a team at Dartmouth (hat tip to Bruce Schneier) that describes observations from field study research of both retail and investment banks. The study was more in-depth than most surveys we hear about; for example, the study team was embedded for 3 weeks in the security group of an investment bank. The report focuses primarily on internal access controls and the risks of over-entitlement - a topic we've delved into on many occasions including here and here.

Due to the dynamic nature of large banks - and many other organizations - it is quite common for people to move between internal organizations and be transferred across information boundaries.

The frequent shifting of staff may result in information users collecting system entitlements over time if the system access is not actively managed, resulting in a toxic combination of privileges.

We knew about the gradual accumulation of entitlements over time. But a toxic combination of privileges? What's that?

A toxic combination is a conflict of system access that allows a user to break the law, violate rules of ethics, damage customers' trust, or even create the appearance of impropriety.

How did we get from over-entitlements to toxic combinations?

Part of the problem is this: Entitlement management systems assume that an employee's direct supervisor can make informed decisions about what entitlements are required to do their job. But as the Dartmouth team points out

As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access.

This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1:

And even if the corporate structure and reporting relationship is clear in all cases, the degree of scale and complexity makes entitlement management a big problem as shown in Figure 2: 

 

The biggest challenge isn't the massive number of entitlements and users, however, but the highly dynamic nature of employees and organizational structure within the firm.

Conventional wisdom holds that role-based access control (RBAC) systems are the answer. By allowing organizations to segregate the massive numbers of employees and entitlements into work groups, RBAC systems make the entitlement management process easier to manage. But the size, complexity and dynamic nature of many large enterprises make role-based access control challenging, to say the least:

At one very large retail bank that we interviewed, the CISO had recently completed an RBAC project creating 11,000 roles across the firm to control access to nearly 22,000 applications. Developing the roles took a team two years and the ongoing review process was expected to be significant.

We explored in an earlier post whether perfect access control was possible. Unfortunately, the answer is no. So if over-entitlement is the norm, leading to toxic combinations of privileges or entitlements, and access control systems - which are so costly to deploy and manage - aren't able to fully solve the problem, then what's an organization to do? Especially an organization that is highly regulated by SOX, FFIEC and FINRA?

Cloud Compliance is developing an Identity and Access Control (IdAA) solution to manage entitlements (also called privileges, or access rights). We identify users with excess entitlements, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

Is Perfect Access Control Possible?

Bruce Schneier, the Chief Security Technology Officer of BT and a highly regarded security guru, engaged in a point/counter-point debate with Marcus Ranum in an Information Security Magazine article entitled Schneier-Ranum Face-Off: Is Perfect Access Control Possible?

The question is particularly relevant today, especially in light of the fact that, as I've reported here and here, excessive access rights were the top audit finding over the past two years. Why is that? The general consensus is that organizations should implement a role-based access control (RBAC) system to manage entitlements. But as Schneier points out:

RBAC is very hard to implement correctly. Organizations generally don't even know who has what role. The employee doesn't know, the boss doesn't know--and these days the employee might have more than one boss -- and senior management certainly doesn't know.

Ranum seems to argue that at least part of the problem is that we're paying for decisions made over the past decade to make critical data easier to access and where it can be managed more cheaply, and that many of these decisions were incompetent and negligent.

What both Schneier and Ranum agree on is that over-entitlement is the norm today, and these excess entitlements -- also called excessive access rights -- represent a security and compliance exposure.

So where does that leave us? Based on what I've seen and the customers I've spoken to, I have to agree with Schneier's assessment:

In the end, a perfect access control system just isn't possible; organizations are simply too chaotic for it to work.

If RBAC systems are so hard to implement correctly, and even if doing so still leaves the organization with excessive access rights and their associated risks and vulnerabilities, what can be done? As I've suggested in my prior post, user activity monitoring in the form of an Identity and Access Control solution can complement RBAC identity management systems by providing feedback that uncovers excess entitlement in the form of dormant (aka zombie) accounts. Therefore, even if RBAC is very hard to implement correctly, and a perfect access control system just isn't possible, at least the organization can gain visibility into and remove the vulnerabilities and compliance exposure associated with excessive access rights.

Cloud Compliance is developing an Identity and Access Control (IdAA) solution as referred to above. We identify dormant accounts, and provide tools for isolating high rates of dormancy by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to software-based IdM solutions, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

Identity and Access Assessment

Deloitte reports that excessive access rights was the top audit finding for the most recent two years surveyed. Not only is it the top audit finding, but IDC states that excessive access rights result in the biggest financial exposure for organizations—and up to 60% of rights on most systems are expired and therefore dormant. The problem is that IT and security staff at most companies don’t know that this condition exists—or more precisely, they suspect it exists but don’t know where.

Compounding the problem for these companies is that auditors have in recent years learned that by spot-checking recent transfers and terminations, they are more than likely to uncover excessive access rights. This has contributed to the high rate of audit findings in recent years.

Conventional wisdom holds that the solution to this issue is better Identity Management (IdM) systems with role-based access control (RBAC) capabilities and a user interface that can be understood by line-of-business managers, who could then be counted on to keep access rights current and accurate. Unfortunately LOB managers are often reluctant partners in this enterprise; the path of least resistance for them is to keep existing rights when in doubt. And the high rate of audit findings suggests the weakness of this approach.

Whether companies have an IdM system or not, they most likely prepare for audits by manually analyzing HR records and job descriptions in conjunction with role definitions and entitlements. This quarterly or annual process is invariably referred to by customers as a fire drill. In many cases, contractors or temp workers are brought in for this task—adding to the expense but rarely improving the outcome as measured by audit findings.

In the real world, access rights or entitlements are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometime undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business staff, and IT exacerbate the problem.

There is no perfect IdM system and there’s no foolproof rights management process. Since the systems and processes for managing rights inevitably fall short of 100% accuracy, some kind of feedback or assessment mechanism is required to achieve least privilege objectives and improve IT audit performance. That’s why Cloud Compliance is developing the industry’s first Identity and Access Assessment (IdAA) system—to provide feedback that identifies, reports on and helps remediate excessive access rights and other access audit issues.

Cloud Compliance will address the IdAA challenge with a unique, innovative SaaS solution. Our cloud-based analytics assesses log-based access activity for selected applications, typically those that are audited or that access sensitive data such as personal identifying information (PII). We identify dormant (aka zombie) accounts, and provide tools for isolating high rates of dormancy by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a multi-tenant SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to software-based IdM solutions, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants,  advisors or professional services to deploy, and no huge upfront capital expense to incur.

Ronald Reagan famously said “Trust, but verify”.  Many IdM systems are trusted to maintain entitlement and access rights.  But the systems themselves rarely have verification capabilities.  They would benefit greatly from an Identity and Access Assessment solution that provided verification, and in doing so improved audit performance and regulatory compliance.

More Security Metrics

Although I wrote about Security Metrics: Replacing Fear, Uncertainty and Doubt by Andrew Jaquith earlier, a single post doesn't do this important topic justice. The key theme as expressed by Jaquith is

...information security is one of the few management disciplines that has yet to submit itself to serious analytic scrutiny.

This lack of analytic scrutiny in the form of security metrics makes risk management especially difficult for executive understanding and guidance, especially when discussing the necessary level of investment required. Executives ideally want their security and compliance metrics to answer the following questions:

• How effective are my security processes?
• Am I better off than I was this time last year?
• How do I compare with my peers?
• Am I spending the right amount of money?
• What are my risk transfer options?

As previously discussed, most functions within an enterprise-HR, finance, manufacturing, supply chain, call center, e-commerce and operations-have the ability to measure their performance by tracking key metrics, and comparing with other companies in a peer group. Such metrics share the characteristics of being simple to explain, readily lending themselves to benchmarking, and being consistently and automatically collected.

Without such metrics, we're doomed to reactive rather than proactive risk management. Or, as Jaquith calls it, we're on the hamster wheel of pain:

 

 

Here are Jaquith's suggested questions for management when measuring audit and compliance processes and their related investments:

1. How much time and effort are security staff spending on audit-related activities? (Metrics: # regulatory audits completed, time/cost of audit activities)
2. Have audits uncovered serious weaknesses in existing controls? (Metrics: % security compliance reviews with material weaknesses, % key external requirements compliant per external audit)
3. How much time and effort are security staff spending fixing problems uncovered by audits? (Metrics: # pending deficiencies and estimated time/cost to complete, time/cost spent on remediation activities)
4. Have audit activities uncovered problems with controls that would affect customer trust or privacy? (Metric: # pending customer-related deficiencies and estimated time/cost to complete)

Only by employing security metrics and submitting to serious analytic scrutiny can an enterprise get security and compliance risk management off of the hamster wheel of pain and onto a level playing field with other disciplines.

I agree with Andrew Jaquith when he says that today's information security battleground is all about entitlements-who's got them, whether they were granted properly, and how to enforce them. The way to prevail on this "entitlements battleground" is to be well-armed with security metrics. Cloud Compliance will be arming their customers with entitlement assessment solutions whose metrics are based on the principles espoused by Jaquith in his book.

Security Metrics

Andrew Jaquith, in his book Security Metrics: Replacing Fear, Uncertainty and Doubt, describes the value of metrics in general and in doing so identifies one of the key challenges in ensuring system security:

Today's information security battleground is all about entitlements -- who's got them, whether they were granted properly, and how to enforce them.

The book describes how metrics can be applied in managing security systems in general, and in entitlements/access rights in particular. Jaquith, a senior analyst at Forrester, cites examples of how other disciplines and industries use key metrics to compare their operations to peer companies. For example, freight companies know their freight cost per mile and loading factors-as well as those of their competitors. Management can therefore set meaningful objectives and measure themselves against comparable companies. Choosing to be above, on, or below an industry average is a question of strategy as well as operational efficiency. For example, a freight company may be willing to have a lower load factor than its peers if that's the tradeoff required to offer faster delivery times (for which it presumably charges a premium).

Similarly, warehousing firms measure and compare their cost/square foot and inventory turns, and e-commerce companies measure their website conversion rates. And of course financial metrics have been standardized and reported on for years. Companies can therefore compare relevant metrics to those of their peers in order to better evaluate their internal performance.

Could such a use of metrics apply to security? And can metrics be of use in the "entitlements battleground"?

First, let's look at Jacquith's definition of a good metric:

1. consistently measured, without subjective criteria;
2. cheap to gather, preferably in an automated way;
3. expressed as a cardinal number or percentage, not with qualitative labels such as high, medium and low;
4. expressed using at least one unit of measure, such as "defects" or "dormant accounts"; and
5. contextually specific -- relevant enough to decision-makers so that they can take action.

So what about the "information security battleground", namely entitlements and access rights? What metrics are relevant to that? Jaquith lists pertinent questions and the metrics that can guide management actions, for example: Does the organization review employee entitlements? An example metric would be % accounts dormant. (The complete discussion starts on page 117 of Jaquith's book under the heading Ensuring System Security.)

Cloud Compliance's solution includes the key metric "% accounts dormant". Is it a good metric? According to Jaquith's five criteria above it is: consistently measured; cheap to gather; expressed objectively as a percentage; expressed using a clear unit of measure (dormant accounts); and relevant enough to management so that they can take action. In addition, our solution provides a threshold percentage so that management can readily tell when action is required.

Finally, one of the advantages of a SaaS solution such as that offered by Cloud Compliance is the global statistical perspective that can be provided, which allows customers to compare their performance to that of their peers. By knowing, for example, industry averages for key metrics such as % accounts dormant Cloud Compliance's customers can benchmark their internal performance and security objectives to those of comparable organizations. What better way to arm oneself for the information security battleground known as entitlements management?

The definition and application of security metrics is ongoing. One resource I recommend is Securitymetrics.org, which provides empirical strategies for decision-makers and security practitioners and which includes links to digests, presentations, and handouts from past Metricon Workshops.