Aveksa.com/blog

Canada Revenue Agency Breach Demonstrates Need For Access Governance


Another insider data breach story that dovetails with our blog post from yesterday.  It is striking that organizations, including government entities, have so little in the way of access governance controls in place.

NetworkWorld article on Canada Revenue Agency Data Breach

Our friend Dave Kearns from Network World summed it up well in his article covering this news.  "This incident could be the poster child for why you need governance, oversight and access control policies -- and enforcement. In this day and age it's not hard to implement, and in many places it's required by government fiat. Of course, most governments always exempt themselves from the fiats they enact." 

"Best to review your governance, oversight and access control policies now -- before your organization features prominently (and ashamedly) in a newspaper headline!"

We encourage organizations not to wait for a control failure or a regulatory audit finding to realize the importance of proper governance over user access to critical information resources.  Put an initiative in place now and avoid this known and pervasive risk.  If you need help building a business case for an access governance solution, Aveksa has built a model you can use, and we would be happy to walk you through it.

Research On Insider Threat Shows Need For Access Governance Control


It's no surprise to anyone at Aveksa that insider access threat is a growing problem, as identified by Verizon's 2010 Data Breach Investigations Report. 

"For security firms that argue malicious insiders are a greater threat than outside attackers, the latest Verizon Data Breach Investigations Report seems like vindication: The proportion of incidents with an insider agent doubled to 48 percent."

"Identity and access management are essential controls that companies need to block -- or at least, slow down -- attackers."

Verizon 2010 Data Breach Investigations Report

While many organizations have focused their security efforts on hardening the perimeter and layering defenses against external attacks, little has been done to bring the same level of protection to bear against insider threats (except where regulatory requirements define the risks and specify the controls).

Companies certainly must put controls in place to detect breaches.  Progressive organizations, however, are implementing an access control framework that includes preventative controls alongside detective ones. 

Risk management best practice requires an organization to reduce high inherent risk first, such as the risk posed by users holding the highest level of privilege in an information resource.  But it is not only users with root or system administration privileges who can be a threat to an organization.  A user with access to sensitive information is one too.  Do they really need this access to do their current job?  Do their entitlements combine into a toxic combination of access that violates a regulatory mandate or introduces a business risk?  These are the questions an organization must be able to answer before it can give assurance that insider access risks are being properly managed. 

The reality is that organizations are not doing a good job of governing user access at any level.  Why? Because user access is constantly changing.  A 2010 Ponemon Institute study on Access Governance Trends, commissioned by Aveksa, found that in any given month 10% of all users in an organization will require some change to their access. 

Ponemon 2010 Access Governance Trends Survey

An access change management control framework that detects access change events, pre-determines what access is appropriate for a user given their functional role in the organization, and knows what access they no longer need makes it possible to manage the complete life cycle of a user's access, with a set of dynamic controls that minimize access-related risk.

Access Rights Remediation Control Failure Leads To Data Loss

Spotted this news article about an IT administrator who was just sentenced to a year in jail for stealing and damaging data from his former employer.

http://www.darkreading.com/database_security/security/management/showArticle.jhtml?articleID=225800012&cid=nl_DR_DAILY_2010-07-13_h

This doesn't make a lot of sense to us.  If all of his credentials were revoked, then how did he get in?  Did this IT administrator create a backdoor on a network firewall or database server?  Or was it an access governance control failure: no process automation for the access revocation request, and no closed-loop change validation to ensure that every account and entitlement was in fact removed? 

Terminating access rights is a challenge for most organizations when they lack visibility into a user's access across all information resources and an access change control framework that can respond to the events that occur regularly in the enterprise, such as users joining, transferring or being terminated.  Aveksa has seen a 40% error rate in the timely fulfillment of revocation requests.  Why?  Too many organizations rely on their IT help desk systems to initiate and track access revocation requests.  These systems lack the policy controls and request validation capabilities needed to give the business assurance that the access was actually revoked and that the risk of unauthorized access to networks, applications, data and cloud-based information has been mitigated.  An access change control framework matters even more when the user is privileged, because the potential impact of a data loss is far greater. 

Access Governance Issues Identified at FEMA


Yet another Federal government agency has been identified as having serious access management and access governance failures. As reported by InformationWeek, a new report from the Department of Homeland Security Office of the Inspector General identifies serious access governance issues at the Federal Emergency Management Agency (FEMA).  

FEMA Cybersecurity Fix Could Take Years  

"FEMA also had access control problems. KPMG found password, patch management, and security configuration problems on servers supporting financial and support systems. User account control was another problem, as accounts weren't reviewed for appropriateness, weren't disabled or removed promptly after employees were fired, and weren't documented properly upon being handed out."

It is not surprising that the Federal government is lagging behind commercial enterprises. In fact, this issue was reflected in the findings of recent research conducted by the Ponemon Institute and commissioned by Aveksa.

Based on the responses of the 100 government IT practitioners who participated in the global multi-industry survey, FEMA is not the only government agency with access-related issues that must be resolved. Some of the findings:

1. Access Management is a worsening problem for government organizations:

  • Most respondents in government (79 percent) said their users have too much access to information resources that aren't pertinent to their role in the organization.

2. Government organizations can't keep pace with access change:

  • Three out of four respondents (75 percent) say that they can't respond quickly enough to changes in employee access requirements
  • More than half (60 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.

3. Access policies are not regularly checked and enforced:

  • Sixty percent of organizations do not have or do not strictly enforce access governance policies
  • Sixty-three percent do not immediately check user access requests against security policies before the access is approved and assigned.

4. Organizations lack the budget, resources and staff to effectively govern user access:

  • More than two-thirds (68 percent) of respondents said that a lack of IT staff was a key problem in enforcing access compliance policies.
  • Fifty-nine percent of organizations reported that they don't have enough technologies to manage and govern end-user access to information resources

Click here to download the Ponemon Institute 2010 Access Governance Trends Survey

With the number of failures that continue to be identified, it is time for government security czars to focus on governing user access; it is a straightforward initiative that can be tackled right now.  The Federal government should look to the security thought leaders in industry that have already tackled access lifecycle management and policy enforcement, as they understand the best practices and have a framework for dealing with access change. 

We would welcome a conversation with any government agency or department security czar on how to put an effective set of access governance business processes and policies in place.  We would also be happy to connect them with some of Aveksa's thought-leading customers to help them understand an implementation roadmap and maturity model for achieving continuous access management and governance.

Access governance control failure leads to data loss & lawsuit


It is interesting to see what may be the beginnings of a consumer legal groundswell around data breaches that lead to identity theft.  While many organizations have not yet felt the wrath of customers taking action against them for the loss of personally identifiable information, that may now be changing, as evidenced by this recent Dark Reading coverage of the class action lawsuit against Countrywide Financial.  Implementing good access governance controls should be of paramount importance, especially for business-to-consumer organizations.  This case demonstrates that organizations need to think about how they manage the business risks of providing access to sensitive information resources: what is at stake is more than the loss of consumer data, customer trust and reputation, because the legal risks and operational costs are going to be substantially higher going forward. 

http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224201969&cid=nl_DR_DAILY_2010-04-08_h

 

Customers Sue Countrywide Financial Over Theft And Sale Of Personal Data

Class-action suit seeks $20 million as well as answers about company's involvement

Apr 07, 2010 | 03:56 PM

By Tim Wilson
DarkReading

 

Customers of Countrywide Financial have filed a class-action lawsuit over the 2008 data breach that enabled company insiders to steal and sell their personal information.

According to a Courthouse News Service report, the class-action lawsuit on behalf of 16 plaintiffs seeks $20 million in damages, plus punitive damages.

The data theft, originally attributed to a single employee working over a two-year-period, exposed tens of thousands of customer records.

The lawsuit alleges that Countrywide Financial employees stole and sold "tens of thousands, or millions" of customers' personal financial information, according to the news report.

The suit claims the defendants do not dispute that customers' private financial information was disseminated. It seeks to find out "whether the dissemination was intended as a plan or scheme, or was intentional; [and] whether any of the defendants was simply aiding and abetting, rather than an architect of the plan to disseminate the personal information."

The lawsuit also claims that the defendants were slow to admit the massive breaches of confidentiality, and offered little help when they finally did admit it. The defendants delayed disclosing the breaches to "gain time and money to extricate defendants from the financial stress [they] had created," the claim states.

The plaintiffs say their identities have been stolen or compromised, their credit histories have been "shattered," and they've been unable to obtain loans, lines of credit, or real estate financing. "Countrywide delayed several months before informing their customers," the complaint states. "Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures."

 

Article From ITBusiness Edge Highlights Need For Access Governance


Great article by Mike Vizard of ITBusiness Edge that points out the need for effective access governance. 

In his article he cites advice from Kelly Bissell, a principal with Deloitte & Touche, that organizations need to evaluate their data governance processes against an access control maturity model that encompasses the following concepts:

User life cycle management - a set of processes for managing user access within the environment from time of hire through termination or retirement.

Enterprise role management - processes associated with establishing a role-based structure that links downstream applications to the broad enterprise, making it easier to grant the access users need to perform their work.

Compliance management - the key compliance activities companies face for user access controls, such as segregation of duties (SoD), user access reviews, password policies, etc.

Enterprise identity and access management - a comprehensive set of processes and tools that enable security tasks for management of user identity, workflow processes, password management, and user and role administration.

Aveksa has a similar perspective.  The items above are really about a continuous approach to managing user access across its entire lifecycle.  When you combine enterprise role management and access policy automation with a set of event-driven rules, you have the ability to implement an access change management control framework.  In essence, security becomes its own business process, with governance embedded in the process automatically. 

The benefits include streamlined access delivery, lower operational overhead for IT and sustainable compliance.  This approach greatly simplifies the complexity IT organizations face when managing changes to user access across hundreds of information resources and thousands of user entitlements.

Access Rights Remediation Must Be A Proactive Process


We have seen countless articles on organizations that fail to remove access when it is no longer required for a person's functional role, or when the person ends their relationship with the organization.  An article in the December 2009 issue of HR Magazine highlights the importance of access rights revocation from a legal perspective.

###

Be careful what computer use you authorize

The 9th U.S. Circuit Court of Appeals affirmed summary judgment against a substance abuse treatment center's claim under the Computer Fraud and Abuse Act (CFAA) that a former employee committed violations when he downloaded confidential company information for use in his personal consulting business while employed and continued to access the company's system after leaving its employ.

The court held that the employer authorized the employee to access the computer system as part of his job; that in exceeding employer-imposed limitations on access, the employee did not exceed authorized access under the law; and that undisputed evidence did not show either that the company deactivated the former employee's password or that he accessed the company's site after his employment ended.

###

What is interesting about this case is that the court found against the plaintiff (the company) in part because it could not show that it had deactivated the former employee's credentials to a critical information resource.  The judgment makes clear that organizations have an obligation to proactively protect their information resources, and that failing to put proper access controls in place may forfeit their ability to seek legal recourse.  

Had this organization had dynamic access governance in place, it would have seen that an account on a core information resource could not be mapped to an active user in the company's HR system, i.e. an orphaned account, and revoked it.
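The reconciliation this post and the earlier "Access Rights Remediation Control Failure" post describe (mapping every collected account back to an HR identity, flagging accounts with no owner and accounts of terminated people that were never actually disabled, and closing a revocation ticket only when a re-collection shows nothing left) can be written down in a few dozen lines. The following is an added example written for this page, not Aveksa product code; the HR feed, the account dump, the system names and the one-day grace period are all constructed, hypothetical data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed HR feed (hypothetical data): the system of record for who is
# still an active member of the organization.
HR_FEED = [
    {"employee_id": "E100", "name": "Alice", "status": "active", "term_date": None},
    {"employee_id": "E101", "name": "Bob", "status": "terminated", "term_date": date(2010, 6, 30)},
    {"employee_id": "E102", "name": "Carol", "status": "active", "term_date": None},
]

# Constructed account dump (hypothetical data), as re-collected from the
# target systems after the help desk closed Bob's revocation tickets.
ACCOUNTS = [
    {"system": "erp", "account": "alice", "owner_id": "E100", "enabled": True, "privileged": False},
    {"system": "erp", "account": "bob", "owner_id": "E101", "enabled": True, "privileged": False},
    {"system": "firewall", "account": "badmin", "owner_id": "E101", "enabled": True, "privileged": True},
    {"system": "db-prod", "account": "svc_report", "owner_id": None, "enabled": True, "privileged": True},
    {"system": "crm", "account": "carol", "owner_id": "E102", "enabled": True, "privileged": False},
    {"system": "crm", "account": "bob", "owner_id": "E101", "enabled": False, "privileged": False},
]

# Hypothetical "as of" date for the collection run.
AS_OF = date(2010, 7, 13)


@dataclass(frozen=True)
class Finding:
    kind: str                 # "orphan" or "revocation_overdue"
    system: str
    account: str
    owner_id: Optional[str]
    privileged: bool
    detail: str


def reconcile(hr_feed, accounts, today, grace_days=1):
    """Map every enabled account back to an HR identity.

    Returns findings for accounts with no HR owner (orphans) and for accounts
    whose owner was terminated more than grace_days ago but is still enabled
    (the revocation request was not, in fact, fulfilled). Privileged accounts
    sort first so they are remediated first.
    """
    people = {p["employee_id"]: p for p in hr_feed}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to revoke
        owner = people.get(acct["owner_id"])
        if owner is None:
            findings.append(Finding("orphan", acct["system"], acct["account"],
                                    acct["owner_id"], acct["privileged"],
                                    "no matching HR identity"))
        elif owner["status"] == "terminated":
            deadline = owner["term_date"] + timedelta(days=grace_days)
            if today > deadline:
                findings.append(Finding(
                    "revocation_overdue", acct["system"], acct["account"],
                    acct["owner_id"], acct["privileged"],
                    f"{owner['name']} terminated {owner['term_date']}, still "
                    f"enabled {(today - deadline).days} days past deadline"))
    findings.sort(key=lambda f: (not f.privileged, f.kind, f.system, f.account))
    return findings


def revocation_complete(accounts, employee_id):
    """Closed-loop check: a leaver's ticket may only be closed when the
    re-collected account data shows no enabled account left for that person."""
    return not any(a["enabled"] and a["owner_id"] == employee_id for a in accounts)


if __name__ == "__main__":
    for f in reconcile(HR_FEED, ACCOUNTS, AS_OF):
        flag = "PRIV" if f.privileged else "    "
        print(f"{flag} {f.kind:<19} {f.system}/{f.account}: {f.detail}")
    print("Bob's revocation complete:", revocation_complete(ACCOUNTS, "E101"))
```

Run against the constructed data, the report surfaces the orphaned privileged service account first, then the firewall admin account that Bob still holds, then his ERP account; the help desk ticket for Bob shows as closed, but the closed-loop check says otherwise until a later collection shows all of his accounts disabled.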

No Information Security Without Identity (Data & Access Governance)


Kuppinger Cole had an interesting post today on their website titled "No Information Security Without Identity." 

In this article Martin Kuppinger states, "there are such things as data protection laws, for instance. And the public has a nagging habit of asking who actually has access to which sets of data and how in tarnation did they just get leaked again! Auditors are also prone to ask unpleasant questions about compliance issues concerning both external and internal regulations. The word "compliance", after all, means following the rules.

Data protection is actually a good example since it shows what IAM is really all about. Identity and Access Management, after all, isn't just an end in itself. Neither is it some purely theoretical problem. Instead, it's the result of a relatively simple demand that has been around since the early days of IT, namely: 'Make sure our information is safe!'

Part of IAM's job is protecting data, either directly or by protecting the systems that use and store data. That is also the backdrop against which compliance regulation, both internal and external, must be viewed. That also means that it is much easier to talk with business people about "access" rather than about "identity". The big question is how do we control and monitor access to information and systems? To do that, we need to know who is allowed to do what - and who isn't. The only way to achieve that goal is through true digital Identity Management. Anyone who thinks he can do it by granting rights and approvals based on IP addresses or MAC numbers is seriously kidding himself.

Good IAM is the fundament on which to build information security - or else not at all. Individual measures such as banning or monitoring things like USB sticks can help, but only if they are part of an overall system. Companies today need an 'access strategy' which determines who is allowed to do what in my system. That cannot be done by trying to apply and enforce a bundle of unconnected ad-hoc measures."

Martin brings up two very important points.  First, "identity" is a language understood only by IT, but access is the language the business understands.  IT security organizations must bridge this language barrier if they hope to push accountability for governing user access into the business and enable the business to request access in a context it understands. 

The second point Martin makes is a trend we see emerging: the convergence of data governance (information) with access governance (identity).  By understanding the user and their relationship to the organization (their role), we can improve how information access policies are enforced at run time while ensuring they are not overly restrictive to the business.  We think this is a pragmatic approach that lets information security policies span data, applications, systems, hosts, networks, cloud services, files and file shares. 

Extending Role-Based Access Governance Into The Cloud


Our friend Dave Kearns of NetworkWorld had an interesting article in his newsletter this week on "moving the discussion beyond authentication."  This is an excerpt from his newsletter:

"A couple of years ago ("Are we bogged down in authentication discussions?,") I advocated moving away from authentication discussions slowly, that until we were sure who was logging in discussions of what they could access was merely academic. Now it's time to move on. I may, in fact, have denigrated the possibilities of XACML. I'm still not sure it's the best we could do but -- similar to my thoughts on PKI -- it's the best we can do right now.   XACML is all about rule-based access control. Couple that with role-based and context-based access control and we might be on to something."

http://www.networkworld.com/newsletters/dir/2009/102609id2.html?source=NWWNLE_nlt_security_identity_2009-10-28

Dave, we couldn't agree more!  While XACML provides a common technical language for access control in the cloud, there also needs to be a common business language for governing user access to cloud-based information resources.  Business roles, coupled with policy rules, let organizations extend their access governance framework to cloud-based information resources and pre-determine whether a person should have access at all and which specific permissions they should hold as part of their job function.  

A number of organizations we have spoken with recently have expressed concern about their ability to properly govern user access to cloud-based information resources.  Business units are buying subscriptions to cloud-based applications and services on their own, without consulting the IT security team.  Beyond basic security administration for setting up accounts, there is no easy way for an organization to apply its access governance controls to these resources.  As a result, an organization may be exposing itself to access-related business risks and compliance violations (depending on the nature of the information resource). 

Extending business roles (with embedded controls) to cloud-based information resources must be an imperative for organizations.

Access Controls For Database Security Compliance

Dark Reading is covering a lot of stories lately that relate to access governance and risk management.

http://www.darkreading.com/database_security/security/management/showArticle.jhtml?articleID=220600156&cid=nl_DR_DAILY_H

Last week they featured an article, "Six Steps Toward Better Database Security Compliance," that offered some best practices related to access controls for information resources.  Ericka Chickowski, who wrote the article for Dark Reading, was spot on with two of the best practices mentioned:

###

3. Access Management and Segregation of Duties

Figuring out who has access to regulated data, what kind of access they are given, and whether that access is appropriate for their jobs is at the heart of complying with regulatory mandates.

More complicated is the issue of segregation of duties and entitling permissions based on roles.

The task of segregating users based on roles means understanding each user's duties, experts say. And it can't be a one-time task. Organizations need to be vigilant to constantly review roles and entitlements to prevent toxic combinations of privileges.

5. Reporting On Compensating Controls

In those instances where organizations have appropriate compensating controls in place, auditors want proof that these controls actually exist...

For example, you may tell an auditor that you're conducting a biweekly review to ensure access controls are appropriate. But if you can't produce evidence that the review is taking place according to schedule, the auditor will likely flag you...

###

As Ericka points out, to get governance over user access you need to start with access visibility.  Do you know who has access to which information resources?  Do you know what specific access rights they have (read, write, delete, etc.)?  Is the access absolutely necessary for that person to do their job?  Once you have a unified view of user access and apply access policy controls (such as Segregation of Duties), chances are you will uncover a number of access governance issues that need to be cleaned up: orphaned accounts, orphaned entitlements and inappropriate access.  We have seen entitlement revocation rates as high as 40% with some of our customers on their first automated collection and certification of user access data.  As the article notes, having an auditable system of record is key to demonstrating compliance.  By the way, spreadsheets are not a "system of record." 

Ericka also points out that business roles can simplify compliance by providing a preventative control.  She is right.  A role-based approach to governing user access lets an organization define what access is necessary (the minimum required) to perform a job function, and what is appropriate from a policy standpoint, so that access compliance and risk management objectives are met.  It also simplifies compliance and streamlines access delivery to the business.  If you want to learn more about the benefits of role-based access governance, you can read a whitepaper we have written on this topic: http://www.aveksa.com/company/resource-center/index.cfm
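The two controls discussed in this post and in the earlier insider-threat post, a detective scan of collected entitlements for toxic combinations and excess access outside a person's business role, and a preventative check that evaluates a request against the same policy before it is approved, fit in one small policy engine. This is an added example for this page, not Aveksa product code or anything from the Dark Reading article; the SoD rules, the role model, the users and their entitlements are constructed, hypothetical data, and the three-way approve/reject/review outcome is an assumption about how an approver workflow would consume the result.

```python
from itertools import chain

# Constructed SoD rules (hypothetical): pairs of entitlements no single person
# may hold together, because together they let one person both initiate and
# approve a transaction.
SOD_RULES = [
    ("ap.create_vendor", "ap.approve_payment"),
    ("gl.post_journal", "gl.approve_journal"),
    ("hr.change_salary", "payroll.run"),
]

# Constructed business roles (hypothetical): the minimum entitlements each job
# function needs. Anything a user holds outside their roles is excess access.
ROLES = {
    "ap_clerk": {"ap.create_vendor", "ap.enter_invoice"},
    "ap_manager": {"ap.approve_payment", "ap.view_invoice"},
    "gl_accountant": {"gl.post_journal"},
}

# Constructed current state (hypothetical): role assignments from the business,
# and the entitlements an automated collection found on the target systems.
USER_ROLES = {"alice": ["ap_clerk"], "bob": ["gl_accountant"], "carol": ["ap_clerk"]}
ENTITLEMENTS = {
    "alice": {"ap.create_vendor", "ap.enter_invoice", "ap.approve_payment"},
    "bob": {"gl.post_journal"},
    "carol": {"ap.create_vendor"},
}


def sod_violations(entitlements):
    """Toxic combinations present in one person's entitlement set."""
    return sorted((a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements)


def role_entitlements(user):
    """Union of the entitlements justified by the user's business roles."""
    return set(chain.from_iterable(ROLES[r] for r in USER_ROLES.get(user, [])))


def detect(all_entitlements):
    """Detective control over collected data: for each user, the SoD
    violations they hold today and the entitlements no role justifies."""
    report = {}
    for user, ents in all_entitlements.items():
        violations = sod_violations(ents)
        excess = sorted(ents - role_entitlements(user))
        if violations or excess:
            report[user] = {"sod": violations, "excess": excess}
    return report


def check_request(user, requested, all_entitlements):
    """Preventative control: evaluate an access request before it is approved.

    reject  - granting it would create a new toxic combination
    approve - the entitlement is part of the user's business role
    review  - out-of-role access; needs explicit justification by an approver
    """
    current = all_entitlements.get(user, set())
    new_sod = sorted(set(sod_violations(current | {requested}))
                     - set(sod_violations(current)))
    if new_sod:
        return {"decision": "reject", "sod": new_sod}
    if requested in role_entitlements(user):
        return {"decision": "approve", "sod": []}
    return {"decision": "review", "sod": []}


if __name__ == "__main__":
    for user, issues in detect(ENTITLEMENTS).items():
        print(f"{user}: sod={issues['sod']} excess={issues['excess']}")
    for user, ent in [("bob", "gl.approve_journal"),
                      ("carol", "ap.enter_invoice"),
                      ("carol", "ap.view_invoice")]:
        print(f"request {user} -> {ent}: {check_request(user, ent, ENTITLEMENTS)}")
```

On the constructed data the detective scan flags only Alice: she is an AP clerk who has accumulated the approve-payment entitlement, which is both outside her role and a toxic pair with create-vendor. The preventative check then rejects Bob's request to approve journals he can post, approves Carol's in-role request, and sends her out-of-role request to an approver for justification rather than silently granting it.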
