Aveksa.com/blog


Access Governance Issues Identified at FEMA


Yet again, a Federal government agency has been identified as having serious access management and access governance failures. As reported by InformationWeek, a new report from the Department of Homeland Security Office of the Inspector General identifies serious access governance issues at the Federal Emergency Management Agency (FEMA).

FEMA Cybersecurity Fix Could Take Years  

"FEMA also had access control problems. KPMG found password, patch management, and security configuration problems on servers supporting financial and support systems. User account control was another problem, as accounts weren't reviewed for appropriateness, weren't disabled or removed promptly after employees were fired, and weren't documented properly upon being handed out."

It's not surprising that the Federal government is lagging behind commercial enterprises. In fact, this issue was reflected in the findings of recent research conducted by the Ponemon Institute and commissioned by Aveksa.

Based on the responses of the 100 government IT practitioners that participated in the global multi-industry survey, the results show that FEMA is not the only government agency with access-related issues that must be resolved. Some of the findings included:

1. Access Management is a worsening problem for government organizations:

  • Most respondents in government (79 percent) said their users have too much access to information resources that aren't pertinent to their role in the organization.

2. Government organizations can't keep pace with access change:

  • Three out of four respondents (75 percent) say that they can't respond quickly enough to changes in employee access requirements.
  • More than half (60 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.

3. Access policies are not regularly checked and enforced:

  • Sixty percent of organizations do not have or do not strictly enforce access governance policies.
  • Sixty-three percent do not immediately check user access requests against security policies before the access is approved and assigned.

4. Organizations lack the budget, resources and staff to effectively govern user access:

  • More than two-thirds (68 percent) of respondents said that a lack of IT staff was a key problem in enforcing access compliance policies.
  • Fifty-nine percent of organizations reported that they don't have enough technologies to manage and govern end-user access to information resources.

Click here to download the Ponemon Institute 2010 Access Governance Trends Survey

With the number of failures that continue to be identified, it's time for all government security Czars to focus on tackling the issue of governing user access, as it is a straightforward initiative that can be dealt with right now. The Federal government should look to the security thought leaders in industry that have tackled the access lifecycle management and policy enforcement challenge, as they understand the best practices and have a framework for dealing with access change.

We would welcome a conversation with any Government agency or department security Czars on how to instantiate a set of effective access governance business processes and policies. We would also be happy to connect these Czars with some of Aveksa's thought-leading customers to help them understand an implementation roadmap and maturity model for achieving continuous access management and governance.

Access Rights Remediation Must Be A Proactive Process


We have seen countless articles on organizations that fail to remove access when it is no longer required for a person's functional role or when a person ends their relationship with the organization.  An interesting article in the December 2009 issue of HR Magazine highlights the importance of access rights revocation from a legal perspective.

###

Be careful what computer use you authorize

The 9th U.S. Circuit Court of Appeals affirmed summary judgment against a substance abuse treatment center's claim under the Computer Fraud and Abuse Act (CFAA) that a former employee committed violations when he downloaded confidential company information for use in his personal consulting business while employed and continued to access the company's system after leaving its employ.

The court held that the employer authorized the employee to access the computer system as part of his job; that in exceeding employer-imposed limitations on access, the employee did not exceed authorized access under the law; and that undisputed evidence did not show either that the company deactivated the former employee's password or that he accessed the company's site after his employment ended.

###

What's interesting about this case is that the court found against the plaintiff (the company) because it did not deactivate the former employee's access credentials to a critical information resource. It's clear from this judgment that organizations have an obligation to proactively protect their information resources, and that an organization which fails to put the proper access controls in place may be forgoing its ability to seek legal recourse.

If this organization had dynamic access governance in place, it would have been able to see that there was an orphaned account on a core information resource that couldn't be mapped to an active user in the company's HR system, and to revoke that account.
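One way to implement the reconciliation described above (an added example, not Aveksa's product code): join an application's account export against the HR roster and flag every account that has no owner attribute, an owner unknown to HR, or an owner terminated on or before the review date. The record formats, the sample accounts and the HR feed below are constructed assumptions.

```python
"""Orphaned-account reconciliation between an application account export
and the HR system's roster.  Added illustration; data and formats are
constructed, not taken from any real system."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]   # None when the account carries no owner attribute


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                  # "active" or "terminated"
    termination_date: Optional[date] = None


# Constructed sample data: one application's account list and the HR feed.
ACCOUNTS: List[Account] = [
    Account("jdoe", "E100"),         # active employee, keep
    Account("asmith", "E200"),       # active employee, keep
    Account("consult1", "E300"),     # owner left the company, orphan
    Account("ghost", "E999"),        # owner id unknown to HR, orphan
    Account("legacy_svc", None),     # no owner recorded at all, orphan
]
HR_FEED: List[HrRecord] = [
    HrRecord("E100", "active"),
    HrRecord("E200", "active"),
    HrRecord("E300", "terminated", date(2009, 11, 30)),
]
AS_OF = date(2009, 12, 15)           # date of the review run


def find_orphans(accounts: List[Account], hr_feed: List[HrRecord], as_of: date) -> Dict[str, str]:
    """Return {username: reason} for every account that cannot be mapped to an
    employee who is still active on `as_of`; these are the revocation candidates."""
    by_id = {r.employee_id: r for r in hr_feed}
    orphans: Dict[str, str] = {}
    for acct in accounts:
        if acct.employee_id is None:
            orphans[acct.username] = "no owner attribute"
        elif acct.employee_id not in by_id:
            orphans[acct.username] = "owner not in HR system"
        else:
            rec = by_id[acct.employee_id]
            gone = rec.termination_date is None or rec.termination_date <= as_of
            if rec.status == "terminated" and gone:
                orphans[acct.username] = f"owner terminated {rec.termination_date}"
    return orphans


if __name__ == "__main__":
    for user, why in find_orphans(ACCOUNTS, HR_FEED, AS_OF).items():
        print(f"revoke {user}: {why}")
```

Run against a real export, the same join would also surface accounts whose owner changed role, if the HR record carries a department or role field to compare against the entitlement.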

Building A Business Case (ROI) For Access Governance


We recently read a post on Earl Perkins' blog (Research VP at Gartner) regarding "the continuing problem of IAM business justification."

In his post he states: "Sure, I've seen press articles with a title that include "IAM business justification", and they do a decent job at outlining key drivers of IAM and some of the benefits, but those articles usually have two consistent characteristics: (1) they are PRIMARILY about the key drivers rather than benefits, and (2) when benefits are discussed, they are seldom tied to objective, measurable metrics, the type of metrics that business decisionmakers like to see before signing over a couple of million in dollars, euros, or yen to such an effort."

Aveksa has seen the exact same trend with customers. We get asked quite often to help build a business value/ROI justification by organizations that are considering an Access Governance solution to automate the processes associated with access certification, enterprise role lifecycle maintenance, access request and access change management.

Earl's right: establishing metrics to measure is key. And he is spot on that organizations focus too much on just cost containment when they should also be considering the importance of cost avoidance associated with the operational business risks that can materialize from the misuse of access (compliance audit findings, fines and penalties, as well as the potential for increases to operating expenses and the loss of revenue and brand reputation).

As he states, "customers focus too much on operational efficiency to the exclusion of possible justifications in the process or governance area of IT? The answer is ‘maybe'. While we would like to think that IAM has moved beyond its "pipes and pumps" view by our main customers, the fact is that we not produced enough in the way of identity intelligence, risk management and workflow optimization to warrant (yet) a seat at the big-boy table when discussing matters of IT governance or business process improvement. We're close, though (e.g. compliance reporting), and perhaps it's important that we include a justification rigor to run concurrent with efforts to deliver these higher-level IAM functions. (I'm actually giving advice to myself to ensure future research in these areas reflects this, so consider this a ‘note to self' comment as well as one to you.)" 

Including metrics for cost avoidance will help to build a more complete value justification for investing in process and policy automation by providing metrics for business assurance (access risk management). It's what the organization really values IT security for: providing the assurance that the "bad events" won't happen.

If you want to learn more about how to build such a business case to justify an investment in your access governance initiative, click here.
