Aveksa.com/blog

MA CMR 17 Requires Access Governance Controls & Audit Process


Great article today in the Boston Globe, our hometown newspaper, on one of the most stringent state privacy regulations in the US.  We think this is just the beginning of updates to numerous state privacy regulations, and the start of a trend that moves beyond breach notification requirements to a set of preventative controls.  A number of companies in Massachusetts are concerned about meeting the requirements of CMR 17 (201 CMR 17.00), but remember that the mandate applies to any organization, inside or outside the state, that stores personally identifiable information (PII) about a resident of the Commonwealth of Massachusetts.  It is interesting to see that preventative controls for access to PII are specifically called out, as is an audit review process to ensure control effectiveness.

http://www.boston.com/business/technology/articles/2010/02/26/theft_proofing_your_identity/

Theft-proofing your identity - by Hiawatha Bray

On Monday, tough new regulations to protect personal information collected from consumers will take effect in Massachusetts, and companies throughout the US are scrambling to get ready.

The new Massachusetts data security regulations apply to businesses and other entities that collect or process such private information as individual Social Security and credit card numbers. Although the rules did not apply to government bodies, Governor Patrick issued an executive order holding executive branch agencies to the same standards. The rules do apply to anyone with such information regarding Massachusetts residents, including companies from out of state.
By March 1, businesses that have such information must:
■ Create a written data security plan that identifies all sensitive information, security risks, and controls such as passwords
■ Designate an employee to be responsible for data security
■ Encrypt such information if it is stored on laptop computers or sent over the Internet
■ Lock up computers or other equipment on which the information is stored
■ Train employees on security procedures
■ Ensure any outside parties that might have access to the information, such as contractors, are in compliance with the regulations
■ Conduct an annual audit to ensure controls remain in place

"We get requests almost daily from New Jersey, Texas, California, pretty much everywhere in the country,'' said John McDonald, security evangelist for RSA, a division of Hopkinton data storage giant EMC Corp. that makes products used by businesses and governments to protect sensitive data.

The new rules are meant to protect against the loss or theft of confidential information about consumers, such as Social Security and credit card numbers. They were set to take effect in January, but implementation was delayed to give businesses more time to get ready.

In recent years, confidential information regarding one out of six Massachusetts residents was compromised in data breaches that included hacker attacks on banks and companies that compile consumer data, such as retailer TJX Cos., headquartered in Framingham, and supermarket chain Hannaford Bros. Co., based in Scarborough, Maine.

Under the rules that take effect Monday, any institution that holds personal data about residents of Massachusetts must create a written policy for protecting the data, and must train employees to follow the rules.

In addition, organizations must encrypt any personal information - scrambling files to conceal their content - when it is transmitted over the Internet or a wireless data network. Data must also be encrypted when it's stored on portable devices like laptops or thumb drives, to protect against identity theft if the devices are lost or stolen.

A preexisting law, enacted in 2007, requires institutions to inform state regulators if they suffer a loss of data that could result in identity theft. Organizations that fail to comply with the new regulations, and which suffer such a data breach, can be fined up to $5,000 for each violation.

Many small companies may be unprepared to comply with the new rules. Frank Vincentelli, chief technology officer of Integrated IT Solutions Inc. in Waltham, helps small and midsize businesses upgrade their computer systems to comply with the law. Vincentelli said that the cost of compliance can vary greatly, depending on the number of employees and customers a company has. It cost one client just $1,000 to get ready, while another had to spend $35,000.

"I know there are companies that have unmet requirements, and there's no practical way they're going to have these requirements met by the deadline,'' Vincentelli said.

Bob Baker, president of the Smaller Business Association of New England, said many of his group's members haven't focused on the issue.

"I think people are still anesthetized by it,'' Baker said. "I don't think there's been a call to action, even though there's been big data breaches and plenty of publicity.'' He predicted that many of the state's small businesses will not be in compliance on Monday.

Barbara Anthony, the Commonwealth's undersecretary of consumer affairs and business regulation, was more optimistic.

"I think most companies are ready,'' said Anthony, although she admitted that many small businesses may still be out of compliance. Anthony said that there's no provision in the law for conducting audits of local companies to confirm they're obeying the law.

Some major companies that have been victimized by identity thieves say they are ready to comply with the new law.

"With much of the work already completed, TJX intends to be in compliance with the new Massachusetts data security law when it takes effect,'' spokeswoman Sherry Lang said in an e-mailed statement. Miami hacker Albert Gonzalez pleaded guilty last year to aiding the theft of more than 40 million credit card numbers from TJX.

Another company allegedly victimized by Gonzalez, the supermarket chain Hannaford Bros., also says it's prepared.

"We have reviewed the requirements of the Massachusetts data privacy law, and we are confident that we are compliant with those requirements,'' said spokesman Michael Norton in an e-mailed statement.

The new rules don't apply to state government agencies, which hold vast amounts of personal data. But a 2008 executive order by Governor Deval Patrick applied the same standards to the state's executive branch as of last September. Dan Walsh, the Commonwealth's chief security officer, said that about three-quarters of the state's agencies have submitted self-assessments to demonstrate their compliance, and that the other agencies should have completed their assessments by June.

The cost and complexity of meeting the new standards may be offset by avoiding the high cost of a data breach. The Ponemon Institute, a privacy and information management research firm in Traverse City, Mich., surveyed 51 companies that had suffered security breaches. The affected businesses lost $204 for every customer record that was compromised. Repairing the damage cost the least-affected company $750,000, while one firm's identity theft cost it $31 million.

Article From ITBusiness Edge Highlights Need For Access Governance


Great article by Mike Vizard of ITBusiness Edge that points out the need for effective access governance. 

In his article he cites advice from Kelly Bissell, a principal with Deloitte & Touche, that organizations need to evaluate their data governance processes along an access control maturity model that encompasses the following concepts:

User life cycle management - a set of processes for managing user access within the environment from time of hire through termination or retirement.

Enterprise role management - processes for establishing a role-based structure that links the roles defined in downstream applications up to broad enterprise roles, making it easier to grant the access users need to perform their work.

Compliance management - the key compliance activities companies face for user access controls, such as segregation of duties (SoD), user access reviews, password policies, etc.

Enterprise identity and access management- a comprehensive set of processes and tools that enable security tasks for management of user identity, workflow processes, password management, and user and role administration.

Aveksa has a similar perspective.  The items above are really about a continuous approach to managing user access across its entire lifecycle.  When you combine enterprise role management and access policy automation with a set of event-driven rules, you have the ability to implement an access change management control framework.  In essence, security becomes its own business process, with governance embedded in that process. 

The benefits that can be realized include streamlined access delivery, lower operational overhead for IT and sustainable compliance.  This approach greatly simplifies what IT organizations have to deal with when managing changes to user access across hundreds of information resources and thousands of user entitlements.

Access Rights Remediation Must Be A Proactive Process


We have seen countless articles on organizations that fail to remove access when it is no longer required for a person's functional role or when a person ends their relationship with the organization.  An interesting article in the December 2009 issue of HR Magazine highlights the importance of access rights revocation from a legal perspective.

###

Be careful what computer use you authorize

The 9th U.S. Circuit Court of Appeals affirmed summary judgment against a substance abuse treatment center's claim under the Computer Fraud and Abuse Act (CFAA) that a former employee committed violations when he downloaded confidential company information for use in his personal consulting business while employed and continued to access the company's system after leaving its employ.

The court held that the employer authorized the employee to access the computer system as part of his job; that in exceeding employer-imposed limitations on access, the employee did not exceed authorized access under the law; and that undisputed evidence did not show either that the company deactivated the former employee's password or that he accessed the company's site after his employment ended.

###

What's interesting about this case is that the court found against the plaintiff (the company) in part because the company could not show that it had deactivated the former employee's password for a critical information resource.  It's clear from this judgment that organizations have an obligation to proactively protect their information resources, and that an organization that fails to put the proper access controls in place may forgo its ability to seek legal recourse.  

If this organization had had dynamic access governance in place, it would have seen an orphaned account on a core information resource that could not be mapped to an active user in the company's HR system, and would have revoked that account.
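The reconciliation described above, worked through as an added example (this is not Aveksa's product code): an application's account export is joined to the HR roster, and accounts with no owner, an owner HR does not recognize, or a terminated owner are flagged for disablement, while accounts with a valid owner but no recent login are flagged for review. The roster, the account export and the field names (employee_id, owner_id, last_login) are constructed assumptions about what such feeds typically carry.

```python
"""Reconcile an application's account export against the HR roster to find
orphaned, terminated-owner and dormant accounts.

Added example, not Aveksa's product code. The roster, the account export and
the field names (employee_id, owner_id, last_login) are constructed
assumptions about what such feeds typically carry.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    status: str                                  # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: Optional[str]                      # HR employee_id, if mapped
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    reason: str
    action: str


# Constructed HR roster (what an HRIS feed would supply).
HR_ROSTER = [
    HrRecord("E100", "Alice Ng", "active"),
    HrRecord("E101", "Bob Ruiz", "terminated", date(2009, 11, 15)),
    HrRecord("E102", "Chen Wu", "active"),
]

# Constructed account export from one application.
ACCOUNTS = [
    Account("ehr-app", "ang", "E100", True, date(2010, 2, 24)),
    Account("ehr-app", "bruiz", "E101", True, date(2010, 1, 20)),     # owner left in November
    Account("ehr-app", "svc_export", None, True, date(2010, 2, 25)),  # no owner recorded
    Account("ehr-app", "cwu", "E102", True, date(2009, 6, 1)),        # valid owner, unused
    Account("ehr-app", "jsmith", "E999", True, None),                 # owner id unknown to HR
    Account("ehr-app", "old_dba", "E101", False, date(2009, 1, 1)),   # already disabled
]


def reconcile(accounts: List[Account], roster: List[HrRecord], today: date,
              dormant_days: int = 90) -> List[Finding]:
    """Classify every enabled account against the HR roster.

    Orphans (no owner, or an owner HR does not know) and accounts whose owner
    is terminated are flagged for disablement; accounts with a valid owner but
    no login within dormant_days are flagged for review with that owner.
    """
    by_id = {r.employee_id: r for r in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                             # nothing left to revoke
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            reason = ("no owner recorded" if acct.owner_id is None
                      else f"owner {acct.owner_id} not found in HR")
            findings.append(Finding(acct.system, acct.username, reason, "disable"))
        elif owner.status == "terminated":
            when = owner.termination_date.isoformat() if owner.termination_date else "unknown date"
            reason = f"owner terminated {when}"
            # Login after the termination date is exactly the evidence gap in the CFAA case.
            if (owner.termination_date and acct.last_login
                    and acct.last_login > owner.termination_date):
                reason += f", last login {acct.last_login.isoformat()} is after termination"
            findings.append(Finding(acct.system, acct.username, reason, "disable"))
        elif acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.system, acct.username,
                                    f"no login in {dormant_days} days", "review with owner"))
    return findings


def sample_findings() -> List[Finding]:
    """Run the reconciliation on the constructed data as of 2010-02-26."""
    return reconcile(ACCOUNTS, HR_ROSTER, date(2010, 2, 26))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.system}/{f.username}: {f.reason} -> {f.action}")
```

Running it on the constructed data flags bruiz (terminated owner, still logging in), svc_export (no owner), jsmith (owner unknown to HR) for disablement and cwu for review. The "disable" findings are the ones to act on automatically; the dormant account goes back to its owner because an unused-but-legitimate account is a business decision, not a security failure. Keeping the finding records (with timestamps) also gives you the evidence the employer in the HR Magazine case lacked.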

Aveksa featured in Health Management Technology on HIPAA/HITECH


Aveksa was featured in a recent edition of Health Management Technology Magazine in their Forecast 2010 article on Electronic Health Records.

Modernizing the nation's health care records system from paper-based to electronic is crucial not only to improving patient care but also to lowering administrative costs.  But in the race to digitize patient records, robust access security must be addressed, because the number of users who might have access to sensitive patient data will increase substantially, especially with some of the federated models being implemented by health care networks across the nation. 

As more and more medical and administrative processes related to patient care and data are outsourced to third parties for cost efficiencies, health care providers and payers must be concerned about the effectiveness of the security and access governance frameworks of their business associates.  At the end of the day you can't outsource your business or regulatory liability when an access control failure materializes. 

The damage to a health care organization's brand, reputation and the potential for loss of revenue as well as increases to operating expenses are very real risks that can materialize from an access governance failure. 

The HITECH Act gave HIPAA some real teeth, and HHS is no longer the only enforcer in the picture: the Federal Trade Commission (FTC) enforces breach notification for personal health record vendors that fall outside HIPAA.  The FTC has already demonstrated in past consumer privacy breach settlements that it will impose heavy fines and penalties on organizations that fail to implement the right access controls for protected information.

No Information Security Without Identity (Data & Access Governance)


Kuppinger Cole had an interesting post today on their website titled "No Information Security Without Identity." 

In this article Martin Kuppinger states, "there are such things as data protection laws, for instance. And the public has a nagging habit of asking who actually has access to which sets of data and how in tarnation did they just get leaked again! Auditors are also prone to ask unpleasant questions about compliance issues concerning both external and internal regulations. The word "compliance", after all, means following the rules.

Data protection is actually a good example since it shows what IAM is really all about. Identity and Access Management, after all, isn't just an end in itself. Neither is it some purely theoretical problem. Instead, it's the result of a relatively simple demand that has been around since the early days of IT, namely: 'Make sure our information is safe!'

Part of IAM's job is protecting data, either directly or by protecting the systems that use and store data. That is also the backdrop against which compliance regulation, both internal and external, must be viewed. That also means that it is much easier to talk with business people about "access" rather than about "identity". The big question is how do we control and monitor access to information and systems? To do that, we need to know who is allowed to do what - and who isn't. The only way to achieve that goal is through true digital Identity Management. Anyone who thinks he can do it by granting rights and approvals based on IP addresses or MAC numbers is seriously kidding himself.

Good IAM is the fundament on which to build information security - or else not at all. Individual measures such as banning or monitoring things like USB sticks can help, but only if they are part of an overall system. Companies today need an 'access strategy' which determines who is allowed to do what in my system. That cannot be done by trying to apply and enforce a bundle of unconnected ad-hoc measures."

Martin brings up two very important points.  First, "identity" is a language that is understood only by IT.  But access is the language that the business understands.  IT Security organizations must find a way to bridge this language barrier if they hope to drive accountability for governing user access into the business and enable the business to request the access in a context they will understand. 

The second point that Martin makes is a trend that we see emerging: the convergence of data governance (information) with access governance (identity).  By understanding the user and their relationship within the organization (role), we can improve how information access policies are enforced at run-time while ensuring that they are not overly restrictive to the business.  We think this is a pragmatic approach that enables information security policies to span data, applications, systems, hosts, networks, cloud services, files and file shares. 

Great Research Report From Gartner On Role Management & Entitlements


Gartner published a great research report on Entitlement Life Cycle Management: The Evolution of Role Life Cycle Management.  Besides defining the difference between business and technical roles, Earl Perkins (the author) points out that roles are really all about assigning fine-grained access permissions (entitlements) to users based on their job function.

He states, "a discussion of roles can easily overlook an important point: The real effort to assign the appropriate levels of access actually rests at the granular level of the entitlement. An entitlement (also called by various audiences a "privilege," "permission," "access right" or "authorization") is currently the most granular construct for assigning the level of access to a job function based on enterprise access policies. In other words, an entitlement is the means by which an enterprise assigns a particular level of access to an IT-based resource, whether it is information in a database, a transaction in an application or a command in an IT system. A role is one method by which these entitlements may be grouped or aggregated to make the process of assigning those entitlements more efficient."

Well stated, Earl.  While technical and provisioning roles benefit an organization as an efficient IT security administration tool for automating the creation of accounts in user directories, that approach can neither understand a user's relationship with the organization in terms of the function the user performs for the business nor map the specific entitlements that are appropriate to that functional role.  Enterprise business roles have evolved to achieve this objective.
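Perkins' distinction worked through in code, as an added example that is not Gartner's or Aveksa's code: an entitlement is a (system, permission) pair, a technical role groups entitlements within one system, and a business role aggregates technical roles across systems. The same model lets you evaluate the segregation-of-duties (SoD) rules listed under compliance management in the Deloitte maturity model earlier on this page, both detectively over current assignments and preventively on a proposed access request. All role, entitlement, rule and user names below are constructed.

```python
"""Expand business roles into fine-grained entitlements and check
segregation-of-duties (SoD) rules, both detectively on current assignments
and preventively on a proposed access request.

Added example, not Gartner's or Aveksa's code. Every role, entitlement,
rule and user name here is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]        # (system, permission): the most granular construct

# Technical roles group entitlements inside one system (an AD group, an
# application profile, a database role).
TECHNICAL_ROLES: Dict[str, Set[Entitlement]] = {
    "erp_ap_clerk":    {("erp", "create_vendor"), ("erp", "enter_invoice")},
    "erp_ap_approver": {("erp", "approve_payment")},
    "erp_reporting":   {("erp", "read_ledger")},
    "hr_reader":       {("hris", "read_employee")},
}

# Business roles aggregate technical roles across systems; this is the
# construct a manager actually requests for a new hire.
BUSINESS_ROLES: Dict[str, Set[str]] = {
    "accounts_payable_clerk":   {"erp_ap_clerk", "erp_reporting"},
    "accounts_payable_manager": {"erp_ap_approver", "erp_reporting", "hr_reader"},
    "financial_analyst":        {"erp_reporting"},
}

# SoD rules: entitlement sets no single person may hold in full.
SOD_RULES: Dict[str, Set[Entitlement]] = {
    "AP-01 vendor creation vs payment approval":
        {("erp", "create_vendor"), ("erp", "approve_payment")},
    "AP-02 invoice entry vs payment approval":
        {("erp", "enter_invoice"), ("erp", "approve_payment")},
}

# Constructed current assignments; carol accumulated both AP roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"accounts_payable_clerk"},
    "bob":   {"accounts_payable_manager"},
    "carol": {"accounts_payable_clerk", "accounts_payable_manager"},
}


def expand(business_roles: Set[str]) -> Set[Entitlement]:
    """Effective entitlements for a set of business roles."""
    ents: Set[Entitlement] = set()
    for br in business_roles:
        for tr in BUSINESS_ROLES[br]:
            ents |= TECHNICAL_ROLES[tr]
    return ents


def sod_violations(entitlements: Set[Entitlement]) -> List[str]:
    """Rule ids whose entire conflicting set is held by one identity."""
    return sorted(rule for rule, ents in SOD_RULES.items() if ents <= entitlements)


def granting_roles(business_roles: Set[str], ent: Entitlement) -> List[str]:
    """Which of the user's business roles carry a given entitlement (for remediation)."""
    return sorted(br for br in business_roles if ent in expand({br}))


def detective_review(user_roles: Dict[str, Set[str]] = USER_ROLES) -> Dict[str, List[str]]:
    """Periodic certification view: violations already present per user."""
    return {user: sod_violations(expand(roles)) for user, roles in user_roles.items()}


def check_request(user: str, requested_role: str,
                  user_roles: Dict[str, Set[str]] = USER_ROLES) -> List[str]:
    """Preventive check at request time: violations the grant would introduce
    beyond any the user already has."""
    current = user_roles.get(user, set())
    before = set(sod_violations(expand(current)))
    after = set(sod_violations(expand(current | {requested_role})))
    return sorted(after - before)


if __name__ == "__main__":
    for user, violations in detective_review().items():
        print(user, violations or "clean")
    print("alice + accounts_payable_manager ->",
          check_request("alice", "accounts_payable_manager"))
```

The detective review finds carol's toxic combination and granting_roles tells the reviewer which role to remove; check_request stops alice from acquiring the same combination at request time, which is the preventative control the summit post further down argues for. Note that the preventive check reports only new violations, so an existing violation is not silently re-approved every time the user requests something unrelated; it still shows up in the detective review until it is remediated.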

Ponemon HIPAA Research Study - Importance Of Access Governance


We came across this Ponemon Institute study, sponsored by Crowe, on the state of compliance with HIPAA/HITECH.  The report is available for download from Crowe's website.

http://go.crowe.com/content/CroweLP?eid=TR9014D&origRef=benchmark 

The majority of respondents to the study are not substantially in compliance with HIPAA/HITECH, and the author recommends that they get more aggressive in their approach to complying with the regulation.  What was interesting to us was the impact that certain requirements of HIPAA/HITECH would have on a healthcare organization: access governance and access management policy was the second most highly rated organizational impact (31%).

One area of concern that Aveksa identified in a whitepaper we published earlier this year is that healthcare organizations are racing to modernize their patient records systems from manual to electronic.  This is a good thing.  But if it is done without a good access governance control framework in place, the organizational and compliance risks of access control failures will be exponentially higher than they are today.  To read our whitepaper on Role Based Access Governance and HIPAA Compliance: A Pragmatic Approach, go here.

Aveksa Webinar With Burton Group On Emergence Of Access Governance


Aveksa is hosting a webinar on December 9th at 1:00pm (eastern US) on the emergence of access governance in the identity and access management space. 

During this webinar Gerry Gebel, Vice President & Service Director of Burton Group, and Deepak Taneja, Founder & President of Aveksa, will discuss the challenges that organizations face with governing user access to information resources and how an access governance layer has emerged that separates the business perspectives of this challenge from the underlying runtime identity management infrastructure.

What you'll learn by attending this webinar:

- Understand the complexity of achieving access transparency

- The emergence of access governance for transparency, visibility and business control

- Why user provisioning systems can't provide access governance

- A process-centric approach for managing & governing access (Aveksa's 4R approach)

- Implementing a continuous, access change management control framework

- The importance of processes for certification and policy for rules enforcement (SoD)

- The organizational maturity phases to achieving access governance

- The value that organizations are realizing from implementing access governance

To register for this webinar Click Here

Gartner IAM Summit - Business Process For Access Governance


For those of you who are not currently at the Gartner IAM Summit in San Diego, it's clear that the emerging trend for IAM is that security needs to become a business-centric process.  Much of Earl Perkins' keynote focused on this idea, and numerous sessions at the IAM Summit are hitting on this trend as well.  The business is getting frustrated with the IT security organization because the approach for requesting access and applying access policies is inefficient and ineffective. 

The current approach for managing access at the application, data or system level is creating so much complexity that IT is not able to keep pace with access change in order to meet their service agreements with the business.  The pace of change to access is also creating issues for managing and mitigating business risks associated with providing users access.

A number of customers that we are speaking with at this event are still struggling with the basics of getting the visibility to user access across the enterprise and being able to apply the proper controls while keeping up with change.  We are advising them that they need to improve their process for how business users select access and embed governance (business policy controls for access) into the process, providing a preventative access control framework that will simplify the access change management process.

Building A Business Case (ROI) For Access Governance


We recently read a post on Earl Perkins' blog (Research VP at Gartner) regarding "the continuing problem of IAM business justification." 

In his post he states..."Sure, I've seen press articles with a title that include "IAM business justification", and they do a decent job at outlining key drivers of IAM and some of the benefits, but those articles usually have two consistent characteristics: (1) they are PRIMARILY about the key drivers rather than benefits, and (2) when benefits are discussed, they are seldom tied to objective, measurable metrics, the type of metrics that business decisionmakers like to see before signing over a couple of million in dollars, euros, or yen to such an effort."

Aveksa has seen the exact same trend with customers.  We get asked quite often to help build a business value/ROI justification by organizations that are considering an Access Governance solution to automate the processes associated with access certification, enterprise role lifecycle maintenance, access request and access change management. 

Earl's right: establishing metrics to measure is key.  And he is spot on that organizations focus too much on cost containment when they should also be considering the cost avoidance associated with the operational business risks that can materialize from the misuse of access (compliance audit findings, fines and penalties, as well as potential increases to operating expenses and the loss of revenue and brand reputation).  

As he states, "customers focus too much on operational efficiency to the exclusion of possible justifications in the process or governance area of IT? The answer is 'maybe'. While we would like to think that IAM has moved beyond its "pipes and pumps" view by our main customers, the fact is that we have not produced enough in the way of identity intelligence, risk management and workflow optimization to warrant (yet) a seat at the big-boy table when discussing matters of IT governance or business process improvement. We're close, though (e.g. compliance reporting), and perhaps it's important that we include a justification rigor to run concurrent with efforts to deliver these higher-level IAM functions. (I'm actually giving advice to myself to ensure future research in these areas reflects this, so consider this a 'note to self' comment as well as one to you.)" 

Including metrics for cost avoidance will help to build a more complete value justification for investing in process and policy automation by providing metrics for business assurance (access risk management).  It's what the organization really values IT security for - providing the assurance that the "bad events" won't happen. 

If you want to learn more about how to build such a business case to justify an investment in your access governance initiative, click here.

 
