CA Community

May 2008 - Posts

Embarrassing Questions -- and how IAM can help eliminate them

Published: May 26 2008, 11:11 AM | 1 Comment(s)
by Sumner Blount

 

I work with many members of the CA IAM sales and technical teams to help them understand and communicate the business value of IAM.  As a general rule, this is fairly straightforward, since the benefits of IAM have become quite clear over the past few years.  The tried-and-true benefits include (each one is linked to a CA whitepaper on that topic):  a) reduces IT costs, b) reduces security risk, c) enables easier compliance, and d) enables new business opportunities.  There are certainly variations on these themes (such as "IT process automation" as a component of "reducing IT costs", or "providing a better user experience" as a component of "enables new business opportunities"), but these four key points generally cover the primary drivers for the IAM market, and illustrate why it has been growing so fast for so long.

 

But, when talking to customers who are considering adopting IAM, sometimes these broad benefits don't hit home as much as we'd like them to.  It's not that they don't constitute very compelling business benefits of IAM.  It is just that the IT people who quickly understand the value of IAM often need to get funding or resources from people in their organization who don't live the problems every day, and thus need to discover more intense pains to get the IAM projects prioritized.

 

I have found that sometimes what I will call "the embarrassing question" can be very effective at driving home the pain that IAM systems can help to alleviate.  An "embarrassing question" is one that

a) highlights a problem that the customer almost certainly has,

b) involves information that the customer *should* know, but often doesn't, and

c) for which the answer, in and of itself, is an excellent selling point for IAM. 

 

Let me show you what I mean. One of the benefits of automated de-provisioning is that it helps to eliminate the problem of orphan accounts.  In this case, an orphan account is one in which the owner has departed the company (and is possibly disgruntled and interested in getting access to corporate information for nefarious purposes).  In many IT environments, orphan accounts can be a significant problem.  

Example: a study of 850 IT, security, HR, and C-level executives found that:

  • 27% reported more than 20 "orphaned" accounts on their systems.
  • 38% said they have no way of knowing if terminated employees have accessed systems through their orphaned accounts.
  • 15% said they have experienced it at least once.
  • 30% said it takes more than three days to terminate an account after an employee leaves; 12% said it takes more than a month.

http://www.eweek.com/c/a/Security/Old-User-Accounts-Pose-Current-Security-Risks-for-Enterprises/

A related condition is when an account has a live owner (employee), but the account hasn't been accessed for a very long time.  That is typically called an inactive account, but for the sake of simplicity, let's call them both orphan accounts.  In the former case (the terminated employee), the risk of damage is much greater than in the latter, but the basic problem is the same - an account that should be terminated is still active.

 

A question I have used to drive home the value of IAM is "if I looked on your systems right now, how many orphan accounts would I find?"  Statistics have shown that upwards of 30% of all accounts on most systems don't have active owners, so this is clearly a widespread problem.  There are several possible answers to this question, each with a corresponding logical conclusion that the customer might reach:

  • "I don't know" -- "I don't even know the answer to this question... this could be a significant, undetected risk for me. I'd better deploy IAM to help get this under control quickly."
  • <any non-zero number> -- "I deserve credit for knowing that I have this problem, but... I still have it. I'd better deploy automated de-provisioning to help reduce this risk."
  • "zero" -- if truthful, this is an unlikely answer... unless, of course, they already have excellent identity management processes in place.
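As an added example (not from the post, and not CA's own tooling), here is a small reconciliation that answers the "how many orphan accounts would I find?" question from an account inventory and an HR roster, separates true orphans (owner terminated) from inactive accounts (live owner, long idle), and measures de-provisioning lag against the three-day figure cited above. The roster, the accounts and the 90-day inactivity threshold are constructed assumptions.

```python
# Orphan/inactive account reconciliation (added example; all data constructed).
from dataclasses import dataclass
from datetime import date
from typing import Optional
INACTIVE_AFTER_DAYS = 90   # assumed policy: no login for 90 days => inactive
DEPROV_SLA_DAYS = 3        # the post's ">3 days to terminate" finding
TODAY = date(2008, 5, 26)  # the "right now" of the question

@dataclass
class Account:
    name: str
    owner: Optional[str]        # HR employee id, None if never mapped
    last_login: Optional[date]  # None if never used

# Constructed HR roster: employee id -> termination date (None = still employed)
HR = {"e100": None, "e101": date(2008, 4, 30), "e102": None, "e103": date(2008, 5, 24)}

ACCOUNTS = [  # constructed inventory
    Account("alice", "e100", date(2008, 5, 25)),    # active owner, recent login
    Account("bob", "e101", date(2008, 5, 2)),       # owner left; logged in after
    Account("carol", "e102", date(2008, 1, 10)),    # live owner, long idle
    Account("dave", "e103", None),                  # owner left 2 days ago
    Account("svc_backup", None, date(2008, 5, 24)), # nobody owns it
]

def classify(acct: Account, hr: dict, today: date) -> str:
    """Label an account: unowned, orphan (owner terminated), inactive or active."""
    if acct.owner is None or acct.owner not in hr:
        return "unowned"
    term = hr[acct.owner]
    if term is not None and term <= today:
        return "orphan"
    idle = acct.last_login is None or (today - acct.last_login).days > INACTIVE_AFTER_DAYS
    return "inactive" if idle else "active"

def reconcile(accounts, hr, today):
    """Count each class; flag de-provisioning SLA breaches and post-termination logins."""
    counts = {"active": 0, "orphan": 0, "inactive": 0, "unowned": 0}
    sla_breaches, post_term_logins = [], []
    for a in accounts:
        kind = classify(a, hr, today)
        counts[kind] += 1
        if kind == "orphan":
            term = hr[a.owner]
            if (today - term).days > DEPROV_SLA_DAYS:
                sla_breaches.append(a.name)   # still enabled past the SLA
            if a.last_login is not None and a.last_login > term:
                post_term_logins.append(a.name)  # the "no way of knowing" case
    return counts, sla_breaches, post_term_logins
```

Running `reconcile(ACCOUNTS, HR, TODAY)` on the constructed data reports two orphans (one past the SLA, with a login after termination), one inactive account and one unowned service account.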

 

The reason that I call this an embarrassing question is that the first two responses are, by far, the most likely, and both imply a lack of sufficient control within the IT organization.  In effect, either of these truthful answers indicates that the IT processes are not effective or not under control.  And, presumably, the person in this discussion is responsible for the IT processes.  Hence it is a question that can be awkward to answer truthfully.

 

Another example of this type of embarrassing question is "How many Superusers do you have on your systems, and do any of them have any access rights that they don't need or shouldn't have?"  The answer to the second part of the question, in virtually all IT environments, is "Yes".  I've never seen an IT environment in which at least some of the Superusers did not have excessive entitlements for their job responsibilities.  Sometimes, the impact might be minimal (e.g., they can control the printer even though they never need that access right), but in other cases it can constitute a significant risk (e.g., they can stop the system logging process so as to mask all events for a short period).  Merely answering the question will show conclusively that the customer has a security risk, and potentially a compliance problem that they may not have wanted to face before. 

 

In my discussions with customers, I have found that the problem of excessive entitlements for Superusers and the related "superuser anonymity" problem (whereby all superusers are denoted as "root" in the audit logs, so that specific security events cannot be associated with a specific individual) are two of the most common deterrents to a smooth IT security audit.  The first problem allows improper actions to be taken, and the second prevents their detection.  And, only when faced with a direct question like this do many people start to really internalize how exposed they might be.  If the Superuser is careless, the results can be very damaging.  If the Superuser is malicious, the results could be catastrophic.
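As an added example (not from the post), the following triage of constructed auth-log lines makes the anonymity problem concrete: sudo and su events name the individual behind the root action, while direct root logins record only "root", and the "stop the logging process" action called out above is flagged for review. The log format, hostname and addresses are constructed.

```python
# Attribution check for privileged activity (added example; log lines constructed).
import re

# Constructed sample lines in syslog auth format (not from any real system)
LOG = """\
May 26 09:01:12 host1 sshd[2101]: Accepted password for root from 10.0.0.5 port 51022 ssh2
May 26 09:05:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
May 26 09:07:03 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/etc/init.d/syslog stop
May 26 09:09:55 host1 su[2130]: (to root) carol on pts/2
May 26 09:12:18 host1 sshd[2140]: Accepted publickey for root from 10.0.0.9 port 51030 ssh2
"""

# Events that name the individual behind the root action
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.+)$")
SU_RE = re.compile(r"su\[\d+\]: \(to root\) (?P<user>\S+) on ")
# Direct root logins: the log records only "root", not a person
ROOT_LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")

# Commands that stop logging; attributed or not, they warrant review
LOGGING_STOP = ("syslog stop", "rsyslog stop", "auditd stop")

def triage(log: str) -> dict:
    """Split root activity into attributed and anonymous events; flag log tampering."""
    attributed, anonymous, logging_tamper = [], [], []
    for line in log.splitlines():
        if m := SUDO_RE.search(line):
            attributed.append((m["user"], m["cmd"]))
            if any(k in m["cmd"] for k in LOGGING_STOP):
                logging_tamper.append(m["user"])
        elif m := SU_RE.search(line):
            attributed.append((m["user"], "su to root"))
        elif m := ROOT_LOGIN_RE.search(line):
            anonymous.append(m["src"])  # nobody to hold accountable
    total = len(attributed) + len(anonymous)
    return {
        "attributed": attributed,
        "anonymous": anonymous,
        "logging_tamper": logging_tamper,
        "anonymous_share": round(len(anonymous) / total, 2) if total else 0.0,
    }
```

On the constructed sample, two of the five root events cannot be tied to a person, and one attributed user stopped the syslog service.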

 

While I certainly don't like selling on fear...the reality is that there are risky practices out there in the real world.  Sometimes the most effective way to show a customer that they have a compelling need for IAM is to highlight the "clear and present danger" of some aspect of their existing IT environment.  I have found these two areas - orphan/unowned accounts and excessive superuser entitlements - to be among the most common problems that scream out for an IAM solution (automated de-provisioning and a host access management solution, respectively). 

 

Do you have thoughts or comments on this issue?  Feel free to post them here, or send them directly to me at sumner.blount@ca.com

 

 


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Compliance Messages at RSA....some thoughts

Published: May 14 2008, 04:52 PM | no comments
by Sumner Blount

 

Although it's been a few weeks since the RSA show, I wanted to pass on something that struck me as I walked around the show floor, checking out all the booths.  Last year, the hot buzzword of the show seemed to be "compliance".  Everyone was jumping on that bandwagon in their marketing, because customers seemed to view their compliance challenges as the biggest problem that they faced.  And, when large enterprises express a major problem that they face, you can bet that very soon most software companies will begin to use that messaging in their marketing activities.  But, this year, a strong compliance emphasis was not in evidence at the RSA show.  Sure, there were a few pure compliance vendors there, but the amount of general compliance marketing was, in my view, less than in previous years.

 

What does this mean?  Do customers not care about compliance any more?  Have they given up on adopting technology to help them solve this problem?  Or, have they already solved it?

 

The answer, I believe, is "no" to all of these questions.  I actually think that the lack of overwhelming compliance messaging is good news.  It means that large enterprises have recognized the importance of automating their compliance activities... for example, using identity and access management solutions... and have embarked on that journey already.  They have experienced the pain of attempting compliance with each regulation as it comes along, with the high costs and redundant effort that this approach entails.  They have seen how onerous compliance audits can be when their security controls are not automated or easily auditable.  So, they have begun to deploy solutions (particularly IAM) to help them along in this process.  They have adopted industry frameworks (such as CobiT) as best practices, and are using these frameworks to help them "rationalize" controls across a range of regulations, thereby minimizing the redundant effort that their compliance "silos" caused them in the past.  In summary, they have embarked on the "IAM compliance journey", and therefore are not highly swayed by a purely compliance pitch that was used in the past by almost all types of software security products.

 

But, they also recognize that their journey is just that... an ongoing process of automating and improving their security controls to further ease their compliance burden.  They will likely continue to automate their controls and testing processes, making ongoing audits much less challenging, as well as ensuring that new regulations can be accommodated much more easily than in the past.

 

The following graphic illustrates some of the common characteristics of the phases of compliance automation and optimization.  As always, your mileage may vary...  But a useful exercise is to ask yourself where you are on this continuum of maturity level, and what improvements (in technology, improved processes, etc.) you need in order to be able to move to the next phase.  If you're down near the bottom left of the graph, don't despair.  I think many companies are trying to get through the "Reduce Costs" phase without too much pain.  Very few are actually in the Optimize phase.

 


Security, Privacy, and Trust -- Mission Impossible?

Published: May 12 2008, 11:11 AM | no comments
by Mike Small

 

Scott McNealy famously said "You have zero privacy - get over it". The recent stories regarding the loss of personal data have put a sharp perspective on the question of privacy. Polls show that people say they will only deal with organizations that they can trust to protect their personal data. What can organizations do to achieve this trust?

 

Privacy

What is privacy and why does it matter? In this context the concern is the capability for people to control what information about themselves is made available to other people. There is no universal agreement on what information is private; different cultures hold different views on this.

 

Privacy is a balance of the rights of an individual against the good of a group. Sometimes privacy is in the interests of the group as well as the individual; identity theft being one example of this. It is in everyone's interest that information that could be used to impersonate an individual should not be publicly available.

 

In Europe privacy of personal information is principally governed by two directives: 94/96/EC on personal data, and 2002/58/EC on privacy of electronic communications. The Organization for Economic Co-operation and Development has also published a set of principles for data privacy. These principles form the basis for privacy of personal information in Europe.

 

Trust

Trust is important since it forms the basis upon which personal and commercial transactions take place. In the context of information privacy, individuals allow their personal and private information to be held by organizations trusting that it will be stored and processed in accordance with the principles mentioned above. The recent personal data breaches are a breach of trust by the organizations holding the personal information.

 

What happens when there is a breach of trust? Traditionally commerce depends upon legal enforcement. However, because of difficulties of legal enforcement on the internet, new models of trust are emerging. An example of this is that adopted by eBay, where each buyer and seller has a feedback rating.

 

Individuals are increasingly making decisions based on their perception of trust. In September 2007 a study, conducted by the independent research consultancy YouGov, showed that concerns over identity theft are changing online behaviour and revealed which types of organizations the public trust to protect their personal details. For example, while 60% of respondents answered that they would trust their bank to keep their personal data secure, only 25% would trust the government.

 

 

Security

Information systems security is what organizations use to ensure privacy of personal information. Models for secure information processing grew out of the needs of government and military agencies to use computing systems to handle sensitive data. These were described in the Orange Book, which was replaced by the Common Criteria (ISO/IEC 15408) for computer security. BS7799 provided a more comprehensive set of standards and best practices for information security management. This was later adopted as ISO 17799 and has now been renamed as two standards, ISO 27001/2. Specific industry standards have also emerged, such as the Payment Card Industry Data Security Standard (PCI-DSS).

These standards are well known, and yet a survey conducted by CA across 482 organizations in EMEA found that while 62% of these were holding regulated information in their IT systems:

  • Only 33% were able to identify orphan accounts (user accounts which cannot be related to a single person as owner) in their IT systems.
  • Only 41% were able to report on the access rights to information that were possessed by the users of their IT systems.
  • Only 51% were able to monitor access to their IT servers.

 

What needs to be done?

If organizations followed the letter and the spirit of the ISO 27001/2 standards there would be fewer or no data breaches. It is time for compliance with these standards to become mandatory where personal data is being held, and for there to be penalties for non-compliance.

 

The card payment industry has taken a significant step towards improving protection of card data through the creation of the PCI-DSS. Any organization involved in credit card transactions needs to become fully compliant with this standard.

 

An important advance recommended in the UK House of Lords report on Personal Internet Security would be a data security breach notification law. This should include workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost, and criteria for the accessibility of that data. Another recommendation of that report is that major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority.

 

There should be training and formal accreditation for people who are responsible for information security systems. In addition, people in organizations who have access to regulated data should have an appropriate level of training on privacy requirements. You cannot drive a car without a driving license - so why should you be able to manage access to the personal data of thousands of people without proper training?

 

 


By: Mike Small
Mike Small is principal consultant for security management strategy at CA, where he is responsible for the technical strategy for CA's security management software product line within Europe, Middle East and Africa. Mike has worked for CA since 1994 where he developed CA’s identity and access management...