Posted on Wed, Jul 28, 2010 @ 11:21 AM
The Verizon Business 2010 research report provides yet another data point on the importance of managing insider access risks.
"Misuse of access sits atop the list of threat actions that led to breaches in 2009."
It is interesting to note how much the mix of breach sources shifted between Verizon's 2009 and 2010 reports. External agents were still implicated in the largest share of breaches (70%), but breaches involving insiders rose to 48%, a 26% increase over the previous year's report.
2010 Verizon Data Breach Investigations Report
Many organizations are now waking up to the reality that insider access risks can rapidly materialize into compliance violations, operational loss and brand erosion that can seriously impact the business.
And don't assume that insider access risk is limited to privileged users. As our own research has shown, ordinary users routinely hold more access to information resources than their job role requires. Implementing the right access change control framework, together with regular monitoring of who has access to what, will greatly reduce an organization's inherent access risk.
Posted on Tue, Jul 13, 2010 @ 11:56 AM
Spotted this news article regarding an IT administrator who just received a one-year jail sentence for stealing and damaging data belonging to his former employer.
http://www.darkreading.com/database_security/security/management/showArticle.jhtml?articleID=225800012&cid=nl_DR_DAILY_2010-07-13_h
This doesn't make a lot of sense to us. If all of his credentials were revoked, then how did he get in? Did this IT administrator leave himself a backdoor on a network firewall or database server? Or was it an access governance control failure: no process automation behind the access revocation request, and no closed-loop change validation to confirm that every account and entitlement had in fact been removed?
Terminating access rights is a challenge for most organizations because they lack visibility into a user's access across all information resources, and lack an access change control framework that can respond to the events that occur constantly in an enterprise, such as users joining, transferring within, or leaving the organization. Aveksa has seen a 40% error rate in the timely fulfillment of revocation requests. Why? Too many organizations rely on their IT help desk systems to initiate and track access revocation requests. Those systems lack the policy controls and request validation capabilities needed to give the business assurance that the access was actually revoked and that the risk of unauthorized access to networks, applications, data and cloud-based information has been mitigated. A closed ticket is not evidence that an account is gone; only a fresh read of the target system is.
An access change control framework matters even more when the user is privileged, because the potential for data loss from a single lingering account is far greater.
Posted on Fri, Jul 02, 2010 @ 07:30 AM
Yet another Federal government agency has been identified as having serious access management and access governance failures. As reported by InformationWeek, a new report from the Department of Homeland Security Office of the Inspector General identifies serious access governance issues at the Federal Emergency Management Agency (FEMA).
FEMA Cybersecurity Fix Could Take Years
"FEMA also had access control problems. KPMG found password, patch management, and security configuration problems on servers supporting financial and support systems. User account control was another problem, as accounts weren't reviewed for appropriateness, weren't disabled or removed promptly after employees were fired, and weren't documented properly upon being handed out."
It's not surprising that the Federal government is lagging behind commercial enterprises. In fact, this issue was reflected in the findings of recent research conducted by the Ponemon Institute and commissioned by Aveksa.
Based on the responses of the 100 government IT practitioners who participated in the global, multi-industry survey, FEMA is not the only government agency with access-related issues that must be resolved. Some of the findings included:
1. Access Management is a worsening problem for government organizations:
- Most respondents in government (79 percent) said their users have too much access to information resources that aren't pertinent to their role in the organization.
2. Government organizations can't keep pace with access change:
- Three out of four respondents (75 percent) say that they can't respond quickly enough to changes in employee access requirements
- More than half (60 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.
3. Access policies are not regularly checked and enforced:
- Sixty percent of organizations do not have or do not strictly enforce access governance policies
- Sixty-three percent do not immediately check user access requests against security policies before the access is approved and assigned.
4. Organizations lack the budget, resources and staff to effectively govern user access:
- More than two-thirds (68 percent) of respondents said that a lack of IT staff was a key problem in enforcing access compliance policies.
- Fifty-nine percent of organizations reported that they don't have enough technologies to manage and govern end-user access to information resources
Click here to download the Ponemon Institute 2010 Access Governance Trends Survey
With the number of failures that continue to be identified, it's time for government security czars to focus on governing user access; it is a straightforward initiative that can be tackled right now. The Federal government should look to the security thought leaders in industry that have already dealt with access lifecycle management and policy enforcement, as they understand the best practices and have a framework for handling access change.
We would welcome a conversation with any government agency or department security czar on how to instantiate a set of effective access governance business processes and policies. We would also be happy to connect them with some of Aveksa's thought-leading customers to help them understand an implementation roadmap and maturity model for achieving continuous access management and governance.
Posted on Mon, Apr 26, 2010 @ 04:32 PM
Great InfoWorld blog post on the Ponemon-Aveksa survey on access governance. There has been quite a bit of media coverage of this second survey, especially around the findings on access governance for cloud-based applications. To read the full survey results, click here:
http://www.aveksa.com/company/access-governance-resource-center/PonemonInstitute2010AccessGovernanceTrendsSurvey.cfm
InfoWorld Cloud Computing blog
By David Linthicum
April 23, 2010
A recent survey shows that business folks are doing an end run around corporate IT by adopting cloud services
A Ponemon Institute survey recently piqued my interest. In the 2010 Access Governance Trends Survey, 87 percent of respondents said too many employees were able to access information that should have been out of reach. And guess what? Cloud computing was a factor -- 73 percent of respondents said that cloud-based applications were enabling business users to skirt organizational controls.
The core issue is IT's loss of control over its assets, including data. Let's face it -- departments are sick of waiting for development and deployment of core business applications or infrastructure services, and they're going directly to a cloud computing provider to get what they need. Think of it as a kind of technological infidelity.
Going around IT and straight to the cloud has become common practice in the last few years. Salesforce.com built its business selling directly to the sales staff rather than to IT; eventually, IT was forced to accept SaaS (software as a service) after the fact. I've watched those battles firsthand.
Today, things are even worse. Now you can get storage as a service, database as a service, and even complete application servers and app dev platforms that are delivered on-demand. With such endless resources available, corporate fiefdoms are creating so-called rogue clouds -- their own array of cloud computing services, including data repositories, that they alone control. IT may not have a clue about what's going on.
The trouble with the rogue approach is that there's no way to ensure that data is handled in accordance with corporate policies. Worse, that data may come with compliance issues, including personal medical or financial information where the law dictates how the data is handled and where it can reside.
IT can implement a few measures to correct this. First, if IT meets the business requirements of its internal clients, then those clients have no reason to look for other options. Second, IT needs to publish and promote data governance policies within the company. Violations most often occur due to a lack of understanding, rather than deliberate subversion.
IT may never have the bandwidth to prevent business folks from looking outside the firewall for the services they need -- after all, that's a big reason why cloud computing exists. Users are going to take matters into their own hands when they need to, not for malicious reasons, but to get things done. If the rules for handling data are crystal clear from the start, then "going rogue" to the cloud has far less potential to damage the business.
Posted on Wed, Apr 14, 2010 @ 11:40 AM
Aveksa sponsored a research survey conducted by the Ponemon Institute on the state of access governance. This is the second survey we've worked on with the Ponemon Institute, and this one includes some interesting trend analysis on how well organizations are achieving their objectives for properly governing user access, compared with the 2008 survey findings.
We'd like to invite you to join Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, and Deepak Taneja, President and Founder of Aveksa, as they review the survey findings and discuss a set of recommendations for improving how access is managed. Attendees of the 2010 Access Governance Trends Survey web seminar will also receive a link to download a free copy of the complete report.
Date: Thursday, April 22, 2010
Time: 1:00pm ET/12:00pm CT/10:00am PT
Duration: 60 minutes
Register to attend this webinar
This study surveyed several hundred experienced IT practitioners from both multinational corporations and government organizations. Its overall objective was to understand how well IT practitioners are achieving their objectives for governing user access to information resources within their organizations.
Posted on Thu, Apr 08, 2010 @ 09:26 AM
It is interesting to see what may be the beginnings of a consumer legal groundswell around data breaches that lead to identity theft. While many organizations have not yet felt the wrath of customers taking action against them for the loss of personally identifiable information, that may now be changing, as evidenced by this recent Dark Reading coverage of the class action lawsuit against Countrywide Financial. Implementing good access governance controls should be of paramount importance, especially for business-to-consumer organizations. This case demonstrates that organizations need to think harder about how they manage the business risks of providing access to sensitive information resources: what's at stake is more than the loss of consumer data, customer trust and reputation, as the legal risks and operational costs are going to be substantially higher going forward.
http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224201969&cid=nl_DR_DAILY_2010-04-08_h
Customers Sue Countrywide Financial Over Theft And Sale Of Personal Data
Class-action suit seeks $20 million as well as answers about company's involvement
Apr 07, 2010 | 03:56 PM
By Tim Wilson
DarkReading
Customers of Countrywide Financial have filed a class-action lawsuit over the 2008 data breach that enabled company insiders to steal and sell their personal information.
According to a Courthouse News Service report, the class-action lawsuit on behalf of 16 plaintiffs seeks $20 million in damages, plus punitive damages.
The data theft, originally attributed to a single employee working over a two-year-period, exposed tens of thousands of customer records.
The lawsuit alleges that Countrywide Financial employees stole and sold "tens of thousands, or millions" of customers' personal financial information, according to the news report.
The suit claims the defendants do not dispute that customers' private financial information was disseminated. It seeks to find out "whether the dissemination was intended as a plan or scheme, or was intentional; [and] whether any of the defendants was simply aiding and abetting, rather than an architect of the plan to disseminate the personal information."
The lawsuit also claims that the defendants were slow to admit the massive breaches of confidentiality, and offered little help when they finally did admit it. The defendants delayed disclosing the breaches to "gain time and money to extricate defendants from the financial stress [they] had created," the claim states.
The plaintiffs say their identities have been stolen or compromised, their credit histories have been "shattered," and they've been unable to obtain loans, lines of credit, or real estate financing. "Countrywide delayed several months before informing their customers," the complaint states. "Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures."
Posted on Fri, Feb 26, 2010 @ 03:49 PM
Great article today in the Boston Globe, our hometown newspaper, on one of the most stringent state privacy regulations in the US. We think this is just the beginning of updates to numerous state privacy regulations, and the start of a trend that moves beyond breach notification requirements to a set of preventative controls. A number of companies in Massachusetts are concerned about meeting the requirements of 201 CMR 17.00. But remember that this mandate applies to any organization, inside or outside the state, that stores personally identifiable information (PII) on a resident of the Commonwealth of Massachusetts. It is interesting to see that preventative controls for access to PII are specifically called out, as well as an audit review process to ensure control effectiveness.
http://www.boston.com/business/technology/articles/2010/02/26/theft_proofing_your_identity/
Theft-proofing your identity - by Hiawatha Bray
On Monday, tough new regulations to protect personal information collected from consumers will take effect in Massachusetts, and companies throughout the US are scrambling to get ready.
The new Massachusetts data security regulations apply to businesses and other entities that collect or process such private information as individual Social Security and credit card numbers. Although the rules did not apply to government bodies, Governor Patrick issued an executive order holding executive branch agencies to the same standards. The rules do apply to anyone with such information regarding Massachusetts residents, including companies from out of state.
By March 1, businesses that have such information must:
■ Create a written data security plan that identifies all sensitive information, security risks, and controls such as passwords
■ Designate an employee to be responsible for data security
■ Encrypt such information if it is stored on laptop computers or sent over the Internet
■ Lock up computers or other equipment on which the information is stored
■ Train employees on security procedures
■ Ensure any outside parties that might have access to the information, such as contractors, are in compliance with the regulations
■ Conduct an annual audit to ensure controls remain in place
"We get requests almost daily from New Jersey, Texas, California, pretty much everywhere in the country,'' said John McDonald, security evangelist for RSA, a division of Hopkinton data storage giant EMC Corp. that makes products used by businesses and governments to protect sensitive data.
The new rules are meant to protect the loss or theft of confidential information about consumers, such as Social Security and credit card numbers. They were set to take effect in January, but implementation was delayed to give businesses more time to get ready.
In recent years, confidential information regarding one out of six Massachusetts residents was compromised in data breaches that included hacker attacks on banks and companies that compile consumer data, such as retailer TJX Cos., headquartered in Framingham, and supermarket chain Hannaford Bros. Co., based in Scarborough, Maine.
Under the rules that take effect Monday, any institution that holds personal data about residents of Massachusetts must create a written policy for protecting the data, and must train employees to follow the rules.
In addition, organizations must encrypt any personal information - scrambling files to conceal their content - when it is transmitted over the Internet or a wireless data network. Data must also be encrypted when it's stored on portable devices like laptops or thumb drives, to protect against identity theft if the devices are lost or stolen.
A preexisting law, enacted in 2007, requires institutions to inform state regulators if they suffer a loss of data that could result in identity theft. Organizations that fail to comply with the new regulations, and which suffer such a data breach, can be fined up to $5,000 for each violation.
Many small companies may be unprepared to comply with the new rules. Frank Vincentelli, chief technology officer of Integrated IT Solutions Inc. in Waltham, helps small and midsize businesses upgrade their computer systems to comply with the law. Vincentelli said that the cost of compliance can vary greatly, depending on the number of employees and customers a company has. It cost one client just $1,000 to get ready, while another had to spend $35,000.
"I know there are companies that have unmet requirements, and there's no practical way they're going to have these requirements met by the deadline,'' Vincentelli said.
Bob Baker, president of the Smaller Business Association of New England, said many of his group's members haven't focused on the issue.
"I think people are still anesthetized by it,'' Baker said. "I don't think there's been a call to action, even though there's been big data breaches and plenty of publicity.'' He predicted that many of the state's small businesses will not be in compliance on Monday.
Barbara Anthony, the Commonwealth's undersecretary of consumer affairs and business regulation, was more optimistic.
"I think most companies are ready,'' said Anthony, although she admitted that many small businesses may still be out of compliance. Anthony said that there's no provision in the law for conducting audits of local companies to confirm they're obeying the law.
Some major companies that have been victimized by identity thieves say they are ready to comply with the new law.
"With much of the work already completed, TJX intends to be in compliance with the new Massachusetts data security law when it takes effect,'' spokeswoman Sherry Lang said in an e-mailed statement. Miami hacker Albert Gonzalez pleaded guilty last year to aiding the theft of more than 40 million credit card numbers from TJX.
Another company allegedly victimized by Gonzalez, the supermarket chain Hannaford Bros., also says it's prepared.
"We have reviewed the requirements of the Massachusetts data privacy law, and we are confident that we are compliant with those requirements,'' said spokesman Michael Norton in an e-mailed statement.
The new rules don't apply to state government agencies, which hold vast amounts of personal data. But a 2008 executive order by Governor Deval Patrick applied the same standards to the state's executive branch as of last September. Dan Walsh, the Commonwealth's chief security officer, said that about three-quarters of the state's agencies have submitted self-assessments to demonstrate their compliance, and that the other agencies should have completed their assessments by June.
The cost and complexity of meeting the new standards may be offset by avoiding the high cost of a data breach. The Ponemon Institute, a privacy and information management research firm in Traverse City, Mich., surveyed 51 companies that had suffered security breaches. The affected businesses lost $204 for every customer record that was compromised. Repairing the damage cost the least-affected company $750,000, while one firm's identity theft cost it $31 million.
Posted on Wed, Feb 03, 2010 @ 04:18 PM
Great article by Mike Vizard of IT Business Edge that points out the need for effective access governance.
In his article he cites advice from Kelly Bissell, a principal with Deloitte & Touche, that organizations need to evaluate their data governance processes along an access control maturity model that encompasses the following concepts:
User life cycle management - a set of processes for managing user access within the environment from time of hire through termination or retirement.
Enterprise role management - processes for establishing a role-based structure that links entitlements in downstream applications to enterprise-level roles, making it easier to grant the appropriate access users need to perform their work.
Compliance management - the key compliance activities companies face for user access controls, such as segregation of duties (SoD), user access reviews, password policies, etc.
Enterprise identity and access management - a comprehensive set of processes and tools that enable security tasks for the management of user identity, workflow processes, password management, and user and role administration.
Aveksa has a similar perspective. The items above are really about providing a continuous approach to managing user access across its entire lifecycle. When you combine enterprise role management and access policy automation with a set of event-driven rules (a join, transfer or termination in the HR system triggers the corresponding access change and its validation), you have the ability to implement an access change management control framework. In essence, security becomes its own business process, with governance automatically embedded in the process.
The benefits that can be realized include streamlined access delivery, lower operational overhead for IT, and sustainable compliance. This approach greatly simplifies the complexity IT organizations face when managing changes to user access across hundreds of information resources and thousands of user entitlements.
Posted on Mon, Feb 01, 2010 @ 02:54 PM
We have seen countless articles on organizations that fail to remove access when it is no longer required for a person's functional role or when a person ends their relationship with the organization. An interesting article in the December 2009 issue of HR Magazine highlights the importance of access rights revocation from a legal perspective.
###
Be careful what computer use you authorize
The 9th U.S. Circuit Court of Appeals affirmed summary judgment against a substance abuse treatment center's claim under the Computer Fraud and Abuse Act (CFAA) that a former employee committed violations when he downloaded confidential company information for use in his personal consulting business while employed and continued to access the company's system after leaving its employ.
The court held that the employer authorized the employee to access the computer system as part of his job; that in exceeding employer-imposed limitations on access, the employee did not exceed authorized access under the law; and that undisputed evidence did not show either that the company deactivated the former employee's password or that he accessed the company's site after his employment ended.
###
What's interesting about this case is that the court found against the plaintiff (the company) in part because it could not show that it had deactivated the former employee's credentials for a critical information resource. It's clear from this judgment that organizations have an obligation to proactively protect their information resources, and that by failing to put proper access controls in place an organization may forgo its ability to seek legal recourse.
If this organization had had dynamic access governance in place, it would have been able to see an orphaned account on a core information resource that could not be mapped to an active user in the company's HR system, and revoke it.
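The reconciliation described here, together with the closed-loop revocation validation discussed in the July 13 post and the event-driven, role-based change control of the February 3 post, as an added example. This is illustrative code written for this page, not code from the posts or from Aveksa's product. It assumes an HR feed keyed by employee id, a role model mapping job roles to required entitlements, and an account extract pulled from each target system; the sample data and field names are constructed for the example.

```python
# Added example: reconcile system accounts against the HR system of record and
# an enterprise role model, then verify a revocation against a fresh extract.
# Not Aveksa code; all data below is constructed sample input.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# HR system of record: employee id -> (employment status, job role)
HR_FEED: Dict[str, Tuple[str, str]] = {
    "e100": ("active", "ap_clerk"),
    "e101": ("active", "dba"),
    "e102": ("terminated", "dba"),   # left last week; revocation ticket was "closed"
}

# Enterprise role model: job role -> entitlements that role requires
ROLE_MODEL: Dict[str, FrozenSet[str]] = {
    "ap_clerk": frozenset({"erp:ap.invoice.enter"}),
    "dba": frozenset({"oracle:connect", "oracle:dba"}),
}


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    owner: str                 # employee id the account maps to, "" if unmapped
    enabled: bool
    entitlements: FrozenSet[str]


# Account extract read from the target systems (constructed)
EXTRACT: List[Account] = [
    Account("erp", "jsmith", "e100", True,
            frozenset({"erp:ap.invoice.enter", "erp:ap.vendor.create"})),
    Account("oracle", "bjones", "e101", True, frozenset({"oracle:connect", "oracle:dba"})),
    Account("oracle", "kwu", "e102", True, frozenset({"oracle:connect", "oracle:dba"})),
    Account("firewall", "svc_backup", "", True, frozenset({"fw:admin"})),
]


@dataclass(frozen=True)
class Finding:
    kind: str        # "orphan", "leaver" or "excess"
    system: str
    account: str
    detail: str


def reconcile(hr: Dict[str, Tuple[str, str]],
              roles: Dict[str, FrozenSet[str]],
              extract: List[Account]) -> List[Finding]:
    """Compare every account against HR and the role model.

    orphan : the account cannot be mapped to anyone in HR
    leaver : the owner is no longer active but the account is still enabled
    excess : an active owner holds entitlements their role does not require
    """
    findings: List[Finding] = []
    for acct in extract:
        person = hr.get(acct.owner)
        if person is None:
            findings.append(Finding("orphan", acct.system, acct.name,
                                    "no HR record for owner %r" % acct.owner))
            continue
        status, role = person
        if status != "active":
            if acct.enabled:
                findings.append(Finding("leaver", acct.system, acct.name,
                                        "owner %s is %s" % (acct.owner, status)))
            continue
        excess = acct.entitlements - roles.get(role, frozenset())
        if excess:
            findings.append(Finding("excess", acct.system, acct.name,
                                    "beyond role %s: %s" % (role, sorted(excess))))
    return findings


def revocation_closed(finding: Finding, extract_after: List[Account]) -> bool:
    """Closed-loop check: after the revocation request is marked fulfilled,
    re-read the target system and confirm the account is gone or disabled.
    The closed help-desk ticket is not the evidence; the new extract is."""
    for acct in extract_after:
        if (acct.system == finding.system and acct.name == finding.account
                and acct.enabled):
            return False
    return True


if __name__ == "__main__":
    findings = reconcile(HR_FEED, ROLE_MODEL, EXTRACT)
    for f in findings:
        print(f.kind, f.system, f.account, f.detail)
    leaver = [f for f in findings if f.kind == "leaver"][0]
    # The ticket for e102 was closed, but the account is still enabled in the extract
    print("revocation verified:", revocation_closed(leaver, EXTRACT))
```

Run as-is, the reconciliation flags three accounts: jsmith holds an entitlement outside the AP clerk role (a mover or over-provisioning case), kwu belongs to a terminated employee and is still enabled (the leaver case from the July 13 post), and svc_backup maps to no one in HR (the orphan this post describes). The closed-loop check then reports the kwu revocation as not verified because the re-read extract still shows the account enabled; only an extract in which the account is disabled or absent closes the loop.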
Posted on Sat, Jan 23, 2010 @ 01:15 PM
Aveksa was featured in a recent edition of Health Management Technology Magazine in their Forecast 2010 article on Electronic Health Records.
Modernizing the nation's health care records from paper to electronic is crucial not only to improving patient care but also to lowering administrative costs. But in the race to digitize patient records, robust access security must be addressed, since the number of users with access to sensitive patient data will increase substantially, especially under some of the federated models being implemented by health care networks across the nation.
As more medical and administrative processes related to patient care and data are outsourced to third parties for cost efficiency, health care providers and payers must be concerned about the effectiveness of their business associates' security and access governance frameworks. At the end of the day, you can't outsource your business or regulatory liabilities when an access control failure materializes.
The damage to a health care organization's brand, reputation and the potential for loss of revenue as well as increases to operating expenses are very real risks that can materialize from an access governance failure.
The HITECH Act gave HIPAA some real teeth, and it's now apparent that the Federal Trade Commission (FTC) will share in enforcement alongside the Department of Health and Human Services. The FTC has already demonstrated in past consumer privacy settlements that it will impose heavy fines and penalties on organizations that fail to implement the right access controls over protected information.