View my documents ()
 Home > Insights 

Identity and Access Management (IAM)

Focusing on our views about deployment challenges, and some of the important trends related to Identity and Access Management

May 2008 - Posts

  • Embarrassing Questions -- and how IAM can help eliminate them

     

    I work with many members of the CA IAM sales and technical teams to help them understand and communicate the business values of IAM.  As a general rule, this is fairly straightforward since the benefits of IAM have become quite clear over past few years.  The tried-and-true benefits, include (each one is linked to a CA whitepaper on that topic):  a) reduces IT costs, b) reduces security risk, c) enables easier compliance, and d) enables new business opportunities.  There are certainly variations on these themes (such as "IT process automation" as a component of "reducing IT costs", or "providing a better user experience" as a component of "enables new  business opportunities"), but these four key points generally cover the primary drivers for the IAM market, and illustrate why it has been growing so fast for so long.

     

    But, when talking to customers who are considering adopting IAM, sometimes these broad benefits don't hit home as much as we'd like them to.  It's not that they don't constitute very compelling business benefits of IAM.  It is just that the IT people who quickly understand the value of IAM often need to get funding or resources from people in their organization who don't live the problems every day and thus need to discover more intense pains to get the IAM projects prioritized

     

    I have found that sometimes what I will call "the embarrassing question" can be very effective at driving home the pain that IAM systems can help to alleviate.  An "embarrassing question" is one that

    a) highlights a problem that the customer almost certainly has,

    b) involves information that the customer *should* know, but often doesn't, and

    c) for which the answer, in and of itself, is an excellent selling point for IAM. 

     

    Let me show you what I mean. One of the benefits of automated de-provisioning is that it helps to eliminate the problem of orphan accounts.  In this case, an orphan account is one in which the owner has departed the company (and is possibly disgruntled and interested in getting access to corporate information for nefarious purposes).  In many IT environments, orphan accounts can be a significant problem.  

    Example: a study of 850 IT, security, HR, and C-level executives found that:

    • 27% reported more than 20 "orphaned" accounts on their systems.
    • 38% said they have no way of knowing if terminated employees have accessed systems through their orphaned accounts;
    • 15% said they have experienced it at least once.
    • 30% said it takes more than three days to terminate an account after an employee leaves; 12% said it takes more than a month.

    http://www.eweek.com/c/a/Security/Old-User-Accounts-Pose-Current-Security-Risks-for-Enterprises/

    A related condition is when an account has a live owner (employee), but the account hasn't been accessed for a very long time.  That is typically called an inactive account, but for the sake of simplicity, let's call them both orphan accounts.  In the former case (the terminated employee), the risk of damage is much greater than in the second case, but the basic problem is the same - an account that should be terminated is still active.

     

    A question I have used to drive home the value of IAM is "if I looked on your systems right now, how many orphan accounts would I find?"  Statistics have shown that upwards of 30% of all accounts on most systems don't have active owners, so this is clearly a widespread problem.  There are several possible answers to this question, and the corresponding logical conclusion that the customer might reach:

    • "I don't know" -- "I don't even know the answer to this question...this could be a significant, undetected risk for me. I better deploy IAM to help get this under control quickly."
    • <any non-zero number> -- "I deserve credit for knowing that I have this problem, but...I still have it. I better deploy automated de-provisioning to help reduce this risk"
    • "zero" -- if truthful, this is an unlikely answer....unless of course they already have excellent identity management processes in place

     

    The reason that I call this an embarrassing question is that either of the first two responses are, by far, the most likely, and both imply a lack of sufficient control within the IT organization.  In effect, either one of these truthful answers indicates that the IT processes are not effective or not under control.  And, presumably the person in this discussion is responsible for the IT processes.  Hence, a question that can be awkward to answer truthfully.

     

    Another example of this type of embarrassing question is "How many Superusers do you have on your systems, and do any of them have any access rights that they don't need or shouldn't have?"  The answer to the second part of the question, in virtually all IT environments, is "Yes".  I've never seen an IT environment in which at least some of the Superusers did not have excessive entitlements for their job responsibilities.  Sometimes, the impact might be minimal (e.g., they can control the printer even though they never need that access right), but in other cases it can constitute a significant risk (e.g., they can stop the system logging process so as to mask all events for a short period).  Merely answering the question will show conclusively that the customer has a security risk, and potentially a compliance problem that they may not have wanted to face before. 

     

    In my discussions with customers, I have found that the problem of excessive entitlements for Superusers, as well as the related "superuser anonymity" problem (whereby all superusers are denoted as "root" in the audit logs so that specific security events cannot be associated with a specific individual) are two of the most common deterrents to a smooth IT security audit.  The first problem allows improper actions to be taken, and the second problem prevents their detection.  And, only when faced with a direct question like this do many people start to really internalize how exposed they might be.  If the Superuser is careless, then results can be very damaging.  If the Superuser is malicious, the results could be catastrophic.   (more detail on this issue)

     

    While I certainly don't like selling on fear...the reality is that there are risky practices out there in the real world.  Sometimes the most effective way to show a customer that they have a compelling need for IAM is to highlight the "clear and present danger" of some aspect of their existing IT environment.  I have found these two areas - orphan/unowned accounts and excessive superuser entitlements - to be among the most common problems that scream out for an IAM solution (automated de-provisioning and a host access management solution, respectively). 

     

    Do you have thoughts or comments on this issue?  Feel free to post them here, or send them directly to me at sumner.blount@ca.com

     

     

    Share this post: Email it! | bookmark it! | digg it! | reddit!
    Posted May 26 2008, 11:11 AM by Sumner Blount with 1 comment(s)

  • Compliance Messages at RSA....some thoughts

     

    Although it's been a few weeks since the RSA show, I wanted to pass on something that struck me as I walked around the show floor, checking out all the booths.  Last year, the hot buzzword of the show seemed to be "compliance".  Everyone was jumping on that bandwagon in their marketing, because customers seemed to view their compliance challenges as the biggest problem that they faced.  And, when large enterprises express a major problem that they face, you can bet that very soon most software companies will begin to use that messaging in their marketing activities.  But, this year, a strong compliance emphasis was not in evidence at the RSA show.  Sure, there were a few pure compliance vendors there, but the amount of general compliance marketing was, in my view, less than in previous years.

     

    What does this mean?  Do customers not care about compliance any more?  Have they given up on adopting technology to help them solve this problem?  Or, have they already solved it?

     

    The answer, I believe, is "no" to all of these questions.  I actually think that the lack of overwhelming compliance messaging is good news.  It means that large enterprises have recognized the importance of automating their compliance activities....for example, using identity and access management solutions.....and have embarked on that journey already.  They have experienced the pain of attempting compliance with each regulation as it comes along, with the high costs and redundant effort that this approach entails.  They have seen how onerous compliance audits can be when their security controls are not automated or easily auditable.  So, they have begun to deploy solutions (particularly IAM) to help them along in this process.  They have adopted industry frameworks (such as CobiT) as best practices, and are using these frameworks to help them "rationalize" controls across a range of regulations, thereby minimizing the redundant effort that their compliance "silos" caused them in the past.  In summary, they have embarked on the "IAM compliance journey", and therefore are not highly swayed by a purely compliance pitch that was used in the past by almost all types of software security products.

     

    But, they also recognize that their journey is just that....an ongoing process of automating and improving their security controls to further ease their compliance burden.  They will likely continue to automate their controls and testing processes,  making ongoing audits much less challenging, as well as ensuring that new regulations can be accommodated much more easily than in the past.

     

    The following graphic illustrates some of the common characteristics of the phases of compliance automation and optimization.  As always, your mileage may vary......    But, a useful exercise is to ask yourself where you are on this continuum of maturity level, and what improvements (in technology, improved processes, etc) you need in order to be able to move to the next phase.  If you're down near the bottom left of the graph, don't despair.  I think many companies are trying to get through the "Reduce Costs" phase without too much pain.  Very few are actually in the Optimize phase.

     

    Share this post: Email it! | bookmark it! | digg it! | reddit!
    Posted May 14 2008, 04:52 PM by Sumner Blount with no comments

  • Security, Privacy, and Trust -- Mission Impossible?

     

    Scott McNealy famously said "You have zero privacy - get over it". The recent

    stories regarding the loss of personal data have put a sharp perspective on the

    question of privacy. Polls show that people say they will only deal with

    organization that they can trust to protect their personal data. What can

    organizations do to achieve this trust?

     

    Privacy

    What is privacy and why does it matter? In this context the concern is the

    capability for people to control what information about themselves is made

    available to other people. There is no universal agreement on what information is

    private; different cultures hold different views on this.

     

    Privacy is a balance of the rights of an individual against the good of a group.

    Sometimes privacy is in the interests of the group as well as the individual;

    identity theft being one example of this. It is in everyone's interest that

    information that could be used to impersonate an individual should not be publicly

    available.

     

    In Europe privacy of personal information is principally governed by two

    directives 94/96/EC on personal data, and 2002/58/EC on privacy of electronic

    communications. The Organization for Economic Co-operation and Development

    has also published a set of principles for data privacy. These principles form the

    basis for privacy of personal information in Europe.

     

    Trust

    Trust is important since it forms the basis upon which personal and commercial

    transactions take place. In the context of information privacy, individuals allow

    their personal and private information to be held by organizations trusting that it

    will be stored and processed in accordance with the principals mentioned above.

    The recent personal data breaches are a breach of trust by the organizations

    holding the personal information.

     

    What happens when there is a breach of trust? Traditionally commerce depends

    upon legal enforcement. However, because of difficulties of legal enforcement on

    the internet, new models of trust are emerging. An example of this is that

    adopted by eBay' where each buyer and seller has a feedback rating.

     

    Individuals are increasingly making decisions based on their perception of trust.

    In September 2007 a study, conducted by the independent research consultancy

    YouGov, showed that concerns over Identity Theft is changing online behaviour

    and reveals which types of organizations the public trust to protect their personal

    details. For example, while 60% of respondents answered that they would trust

    their bank to keep their personal data secure, only 25% would trust the

    government.

     

     

    Security

    Information systems security is what organizations use to ensure privacy of

    personal information. Models for secure information processing grew out of the

    needs by government and military agencies to use computing systems to handle

    sensitive data. These were described in the Orange Book which was replaced by

    the Common Criteria (ISO/ISEC 15048) for computer security. BS7799 provided

    a more comprehensive set of standards and best practices for information

    security management. This was later adopted as ISO 17799 and has now been

    renamed as two standards ISO 27001/2. Specific industry standards have also

    emerged such as the Payment Card Industry Data Security Standard (PCI-DSS).

    These standards are well known and yet a survey conducted by CA across 482

    organizations in EMEA found that while 62% of these were holding regulated

    information in their IT systems:

    • - Only 33% were able to identify orphan accounts (user accounts which cannot be related to a single person as owner) in their IT systems.
    • - Only 41% were able to report on the access rights to information that were possessed by the users of their IT systems
    • - Only 51% were able to monitor access to their IT servers.

     

    What needs to be done?

    If organizations followed the letter and the spirit of the ISO27001/2 standards

    there would be fewer or no data breaches. It is time for compliance with these

    standards to become mandatory where personal data is being held and for there

    to be penalties for non compliance.

     

    The card payment industry has taken a significant step towards improving

    protection of card data through the creation of the PCI-DSS. Any organization

    involved in credit card transactions needs to become fully compliant with this

    standard.

     

    An important advance recommended in the UK House of Lords report on Personal

    Internet Security would be a data security breach notification law. This should

    include workable definitions of data security breaches, covering both a threshold

    for the sensitivity of the data lost, and criteria for the accessibility of that data.

    Another recommendation of that report is that major companies, particularly the

    software vendors, must now make the development of more secure technologies

    their top design priority.

     

    There should be training and formal accreditation for people who are responsible

    for information security systems. In addition people in organizations who have

    access to regulated data should have an appropriate level of training on privacy

    requirements. You cannot drive a car without a driving license - so why should

    you be able to manage access to the personal data of thousands of people

    without proper training?

     

     

    Share this post: Email it! | bookmark it! | digg it! | reddit!
    Posted May 12 2008, 11:11 AM by Mike Small with no comments
 
 
Page Tools