Cloud Compliance Blog

User Activity Monitoring

In my previous post I wrote about a Gartner recommendation that organizations implement user activity monitoring as part of a strategy to manage external and internal threats, and for regulatory compliance. Gartner suggests integrating Identity and Access Management (IAM) capabilities with a SIEM system to achieve user activity monitoring, but other approaches work as well if not better.

Why is user activity monitoring needed? Since all major regulatory frameworks -- including SOX, PCI DSS, GLBA, and HIPAA -- require least privilege access controls, thousands of companies are obligated to prevent excessive access rights and yet, according to Deloitte, have failed to adequately do so. The reason this is a hard problem has to do with the dynamic nature of the enterprise-especially in an economic downturn -- with layoffs, restructurings, aggressive use of contractors and other service providers, along with the need for federated identity and access management as enterprises collaborate.

Conventional wisdom holds that the best practice for resolving this issue is to adopt an IAM system with role-based access control (RBAC) capabilities. Unfortunately, such systems provide no user activity monitoring or other assessment mechanisms and as a result are notoriously ineffective. While these systems ensure that only authorized users may log in to critical resources, they fail to consistently determine which users should be authorized to access those resources. As a result, as reported by a Dartmouth field study and by IDC, over-entitlement is the norm. In many organizations over 50% of access rights are dormant, representing a huge security vulnerability as well as a significant compliance exposure.

This is where user activity monitoring comes in. Organizations can assess user privileges, or entitlements, through user activity monitoring in order to identify excess entitlements. That few organizations do so is indicated by the high rate of audit findings for such access controls. Two additional methods of implementing user activity monitoring, besides the SIEM+IAM integration suggested by Gartner, are network-based activity monitoring and log-based activity monitoring.

Many organizations collect NetFlow data for IP traffic analysis reasons, and analyze this data for user activity monitoring. While NetFlow shows source and destination IP address and port number, it doesn't show authenticated user names nor application names (applications can in many cases be deduced with destination IP address and port number, but it's practically impossible to link source IP address to user names). NetFlow is therefore inadequate in most cases for tracking user access to audited applications.

Some organizations have adopted a network-based user activity monitoring system which goes beyond NetFlow to record, not just source and destination IP addresses, but authenticated user names and which application was accessed. While far superior to a NetFlow-only approach, network based activity monitoring has several challenges:

• Span port scarcity - span ports are used for a variety of applications, and without a network monitoring system such as one from Gigamon span port availability could be a constraint;
• Span port data loss - most switches are vulnerable to packet loss on their span ports during peak traffic bursts. Even a data loss rate of under 1% can render such a solution inadequate for forensic purposes;
• Application-side scalability - network activity monitoring requires a probe on every ingress span into the application infrastructure;
• User-side scalability - a probe must be placed in every subnet with its own AD or other authorization system, which can make for a very expensive deployment in a distributed environment or one with many remote offices;
• Encryption - as the percentage of encrypted sessions inside the data center increases, it leaves a larger blind spot for network-based approaches;
• Technical challenges with today's DPI silicon in monitoring 10G links - the latest generation network processor with DPI capabilities can monitor 4-5 Gbps, far short of the 20 Gbps required for full-duplex traffic monitoring of a 10G link; and
• No visibility to access from behind the monitored span port - network activity monitoring is blind to local access, e.g. from the application server's console port. It also can't see application-to-application access.

Despite these challenges, enterprises are deploying network-based access activity monitoring system because they otherwise do not have effective solutions for preventing excessive access rights.

An alternate approach to network-based access activity monitoring is log-based user activity monitoring, which does not suffer from the limitations and constraints listed above. Cloud Compliance, for example, reads log files for audited applications in order to prevent excessive access rights and other access audit violations. The log-based approach precludes the need for hardware to be deployed, is scalable, detects 100% of access activity (regardless of encryption, 10G links, and source of access) and, when deployed as a SaaS solution, eliminates the need for installation, software maintenance, and a large upfront capital outlay.

SIEM + IAM = User Activity Monitoring

Gartner, in a report entitled SIEM and IAM Technology Integration, points out that integration of identity and access management (IAM) and security information and event management (SIEM) technologies can provide audit capabilities that are much stronger than what IAM alone can deliver. In short they’re saying that SIEM + IAM = user activity monitoring, and that user activity monitoring is important for both threat management and compliance management.

The top Gartner recommendation in the report is to:

Implement user activity monitoring as part of a strategy to manage external and internal threats and for regulatory compliance.

The report concludes by discussing SIEM customization requirements for integrating with any IAM system.

To summarize the thrust of the report: After collectively spending billions of dollars on SIEM and IAM systems, enterprises are now encouraged to invest further in the integration of these two expensive and complex technologies in order to achieve user activity monitoring. A fancy graphic is included in the report that shows the intersection of change management, activity management, and identity management; the title of the figure is “Moving From Activity Monitoring to Exception Monitoring.”

Of course we want all of our systems to highlight exceptions rather than simply report on activity, and of course we need to understand exceptions in terms of user activity monitoring if we are to eliminate serious vulnerabilities while reducing the top source of audit findings. But do we need to break the bank in order to detect excessive access rights, dormant accounts and other insider risks? Not if we employ an Identity and Access Assessment solution.

Think about it. An enterprise could pay 6 or 7 figures for a SIEM, another 6 or 7 figures for a complete set of IAM technologies, and, if they dare, another 5 or 6 figures for the customization required to integrate the two as Gartner (and their report sponsor) suggest. Of course an enterprise may already have SIEM and IAM systems in place, but customizing SIEMs for purposes of a serious integration project is not for the faint of heart. A better approach for most enterprises would be to pay 4 or 5 figures per year for a SaaS-based Identity and Access Assessment solution to address user activity monitoring exceptions that we all agree are critical to resolve.

Reducing access control vulnerabilities and excess entitlements are critical aspects of an overall security and compliance strategy. Cloud Compliance is developing an Identity and Access Control (IdAA) solution to address key challenges with IAM processes, especially in the area of user activity monitoring. We identify users who have rights they no longer need, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

Field Study: Entitlements, Privileges and Information Risk

I came across a paper written by a team at Dartmouth (hat tip to Bruce Schneier) that describes observations from field study research of both retail and investment banks. The study was more in-depth than most surveys we hear about; for example, the study team was embedded for 3 weeks in the security group of an investment bank. The report focuses primarily on internal access controls and the risks of over-entitlement - a topic we've delved into on many occasions including here and here.

Due to the dynamic nature of large banks - and many other organizations - it is quite common for people to move between internal organizations and be transferred across information boundaries.

The frequent shifting of staff may result in information users collecting system entitlements over time if the system access is not actively managed, resulting in a toxic combination of privileges.

We knew about the gradual accumulation of entitlements over time. But a toxic combination of privileges? What's that?

A toxic combination is a conflict of system access that allows a user to break the law, violate rules of ethics, damage customers' trust, or even create the appearance of impropriety.

How did we get from over-entitlements to toxic combinations?

Part of the problem is this: Entitlement management systems assume that an employee's direct supervisor can make informed decisions about what entitlements are required to do their job. But as the Dartmouth team points out

As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access.

This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1:

And even if the corporate structure and reporting relationship is clear in all cases, the degree of scale and complexity makes entitlement management a big problem as shown in Figure 2: 

 

The biggest challenge isn't the massive number of entitlements and users, however, but the highly dynamic nature of employees and organizational structure within the firm.

Conventional wisdom holds that role-based access control (RBAC) systems are the answer. By allowing organizations to segregate the massive numbers of employees and entitlements into work groups, RBAC systems make the entitlement management process easier to manage. But the size, complexity and dynamic nature of many large enterprises make role-based access control challenging, to say the least:

At one very large retail bank that we interviewed, the CISO had recently completed an RBAC project creating 11,000 roles across the firm to control access to nearly 22,000 applications. Developing the roles took a team two years and the ongoing review process was expected to be significant.

We explored in an earlier post whether perfect access control was possible. Unfortunately, the answer is no. So if over-entitlement is the norm, leading to toxic combinations of privileges or entitlements, and access control systems - which are so costly to deploy and manage - aren't able to fully solve the problem, then what's an organization to do? Especially an organization that is highly regulated by SOX, FFIEC and FINRA?

Cloud Compliance is developing an Identity and Access Control (IdAA) solution to manage entitlements (also called privileges, or access rights). We identify users with excess entitlements, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

Is Perfect Access Control Possible?

Bruce Schneier, the Chief Security Technology Officer of BT and a highly regarded security guru, engaged in a point/counter-point debate with Marcus Ranum in an Information Security Magazine article entitled Schneier-Ranum Face-Off: Is Perfect Access Control Possible?

The question is particularly relevant today, especially in light of the fact that, as I've reported here and here, excessive access rights were the top audit finding over the past two years. Why is that? The general consensus is that organizations should implement a role-based access control (RBAC) system to manage entitlements. But as Schneier points out:

RBAC is very hard to implement correctly. Organizations generally don't even know who has what role. The employee doesn't know, the boss doesn't know--and these days the employee might have more than one boss -- and senior management certainly doesn't know.

Ranum seems to argue that at least part of the problem is that we're paying for decisions made over the past decade to make critical data easier to access and where it can be managed more cheaply, and that many of these decisions were incompetent and negligent.

What both Schneier and Ranum agree on is that over-entitlement is the norm today, and these excess entitlements -- also called excessive access rights -- represent a security and compliance exposure.

So where does that leave us? Based on what I've seen and the customers I've spoken to, I have to agree with Schneier's assessment:

In the end, a perfect access control system just isn't possible; organizations are simply too chaotic for it to work.

If RBAC systems are so hard to implement correctly, and even if doing so still leaves the organization with excessive access rights and their associated risks and vulnerabilities, what can be done? As I've suggested in my prior post, user activity monitoring in the form of an Identity and Access Control solution can complement RBAC identity management systems by providing feedback that uncovers excess entitlement in the form of dormant (aka zombie) accounts. Therefore, even if RBAC is very hard to implement correctly, and a perfect access control system just isn't possible, at least the organization can gain visibility into and remove the vulnerabilities and compliance exposure associated with excessive access rights.

Cloud Compliance is developing an Identity and Access Control (IdAA) solution as referred to above. We identify dormant accounts, and provide tools for isolating high rates of dormancy by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to software-based IdM solutions, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.

Identity and Access Assessment

Deloitte reports that excessive access rights was the top audit finding for the most recent two years surveyed. Not only is it the top audit finding, but IDC states that excessive access rights result in the biggest financial exposure for organizations—and up to 60% of rights on most systems are expired and therefore dormant. The problem is that IT and security staff at most companies don’t know that this condition exists—or more precisely, they suspect it exists but don’t know where.

Compounding the problem for these companies is that auditors have in recent years learned that by spot-checking recent transfers and terminations, they are more than likely to uncover excessive access rights. This has contributed to the high rate of audit findings in recent years.

Conventional wisdom holds that the solution to this issue is better Identity Management (IdM) systems with role-based access control (RBAC) capabilities and a user interface that can be understood by line-of-business managers, who could then be counted on to keep access rights current and accurate. Unfortunately LOB managers are often reluctant partners in this enterprise; the path of least resistance for them is to keep existing rights when in doubt. And the high rate of audit findings suggests the weakness of this approach.

Whether companies have an IdM system or not, they most likely prepare for audits by manually analyzing HR records and job descriptions in conjunction with role definitions and entitlements. This quarterly or annual process is invariably referred to by customers as a fire drill. In many cases, contractors or temp workers are brought in for this task—adding to the expense but rarely improving the outcome as measured by audit findings.

In the real world, access rights or entitlements are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometime undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business staff, and IT exacerbate the problem.

There is no perfect IdM system and there’s no foolproof rights management process. Since the systems and processes for managing rights inevitably fall short of 100% accuracy, some kind of feedback or assessment mechanism is required to achieve least privilege objectives and improve IT audit performance. That’s why Cloud Compliance is developing the industry’s first Identity and Access Assessment (IdAA) system—to provide feedback that identifies, reports on and helps remediate excessive access rights and other access audit issues.

Cloud Compliance will address the IdAA challenge with a unique, innovative SaaS solution. Our cloud-based analytics assesses log-based access activity for selected applications, typically those that are audited or that access sensitive data such as personal identifying information (PII). We identify dormant (aka zombie) accounts, and provide tools for isolating high rates of dormancy by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a multi-tenant SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, in contrast to software-based IdM solutions, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants,  advisors or professional services to deploy, and no huge upfront capital expense to incur.

Ronald Reagan famously said “Trust, but verify”.  Many IdM systems are trusted to maintain entitlement and access rights.  But the systems themselves rarely have verification capabilities.  They would benefit greatly from an Identity and Access Assessment solution that provided verification, and in doing so improved audit performance and regulatory compliance.

More Security Metrics

Although I wrote about Security Metrics: Replacing Fear, Uncertainty and Doubt by Andrew Jaquith earlier, a single post doesn't do this important topic justice. The key theme as expressed by Jaquith is

...information security is one of the few management disciplines that has yet to submit itself to serious analytic scrutiny.

This lack of analytic scrutiny in the form of security metrics makes risk management especially difficult for executive understanding and guidance, especially when discussing the necessary level of investment required. Executives ideally want their security and compliance metrics to answer the following questions:

• How effective are my security processes?
• Am I better off than I was this time last year?
• How do I compare with my peers?
• Am I spending the right amount of money?
• What are my risk transfer options?

As previously discussed, most functions within an enterprise-HR, finance, manufacturing, supply chain, call center, e-commerce and operations-have the ability to measure their performance by tracking key metrics, and comparing with other companies in a peer group. Such metrics share the characteristics of being simple to explain, readily lending themselves to benchmarking, and being consistently and automatically collected.

Without such metrics, we're doomed to reactive rather than proactive risk management. Or, as Jaquith calls it, we're on the hamster wheel of pain:

 

 

Here are Jaquith's suggested questions for management when measuring audit and compliance processes and their related investments:

1. How much time and effort are security staff spending on audit-related activities? (Metrics: # regulatory audits completed, time/cost of audit activities)
2. Have audits uncovered serious weaknesses in existing controls? (Metrics: % security compliance reviews with material weaknesses, % key external requirements compliant per external audit)
3. How much time and effort are security staff spending fixing problems uncovered by audits? (Metrics: # pending deficiencies and estimated time/cost to complete, time/cost spent on remediation activities)
4. Have audit activities uncovered problems with controls that would affect customer trust or privacy? (Metric: # pending customer-related deficiencies and estimated time/cost to complete)

Only by employing security metrics and submitting to serious analytic scrutiny can an enterprise get security and compliance risk management off of the hamster wheel of pain and onto a level playing field with other disciplines.

I agree with Andrew Jaquith when he says that today's information security battleground is all about entitlements-who's got them, whether they were granted properly, and how to enforce them. The way to prevail on this "entitlements battleground" is to be well-armed with security metrics. Cloud Compliance will be arming their customers with entitlement assessment solutions whose metrics are based on the principles espoused by Jaquith in his book.

Insider Risk Management

I recently ran across a study from IDC on insider risk management that was based on a survey of over 400 respondents in the U.S. and Europe; CIOs and heads of IT accounted for 71% of respondents. The survey had some interesting findings regarding the sources of insider risk and where to invest in order to best manage those risks.

The majority of respondents (52%) characterized their incidents arising from insider threats as predominantly accidental, while only 19% believed they were deliberate. Of course the costs related to disclosure of sensitive information are the same whether the incident was deliberate or not: failed audits, regulatory actions and fines, brand erosion, legal fees, lost employee productivity, and lost customers.

A key finding of the study was:

Out of date and/or excessive privilege and access control rights for users are viewed as having the most financial impact on organizations.

If insider risk management is measured in terms of its financial impact, then this is the most urgent problem to address -- and the one with the best ROI.

This finding with regard to out of date and/or excessive privilege and access control rights is consistent with the Deloitte survey, which reported that excessive access rights (a different term for the same risk phenomenon) was the top "internal/external audit finding over the past 12 months"-for the second year in a row. And as IDC points out, since this is a requirement across all major regulatory frameworks, a company with excessive access rights could fail multiple audits including SOX, EU privacy laws, HIPAA and PCI.

What causes this high rate of excessive access rights? IDC reports that "contractors and temporary staff represent the greatest internal risk" for companies. And the vertical segment with the highest rate of incidents, due to provisioning/deprovisioning delays, was IT outsourcing.

Here's the ranking of average number of internal incidents per year, by incident type:

 

 

Excessive privilege/access control rights -- what Deloitte calls excessive access rights -- ranked third behind negligence and internal malware/spyware attacks. But two additional incident types are merely different manifestations of the same fundamental issue: Data loss through external attacks by previous employees is enabled due to rights that were not deprovisioned in a timely fashion upon termination; and exposure through provisioning/deprovisioning delays is the most prevalent cause of excessive access rights. If we add the three incident types together -- excessive privilege, attacks by previous employees, and deprovisioning delays -- it's by far the greatest source of internal risk, accounting for over 35 incidents per year on average.

Consistent with this point, IDC made a rather shocking revelation:

In years past, IDC has estimated that as many as 60% of all accounts on most systems are expired.

This would suggest that, if IDC estimates are anywhere close to the actual level of dormant accounts, there's a ticking time bomb out there just waiting to be exploited by an insider or discovered by an auditor.

This is why Cloud Compliance has focused on the problem of excessive access rights, excessive privilege/access control rights, and deprovisioning delays. Our Identity and Access Assessment (IdAA) solution detects excessive access rights and other access control vulnerabilities through innovative, cloud-based analytics; our solution also provides tools for root cause identification and remediation. All of this is accomplished with no appliances or enterprise software to install and maintain, no professional services to manage, and with no upfront capital expenditure required.