Posted on Wed, Aug 18, 2010 @ 09:45 AM
Another insider data breach story that dovetails with our blog post from yesterday. It is amazing to see how little organizations (including government entities) have in the way of access governance controls.
NetworkWorld article on Canada Revenue Agency Data Breach
Our friend Dave Kearns from Network World summed it up well in his article covering this news. "This incident could be the poster child for why you need governance, oversight and access control policies -- and enforcement. In this day and age it's not hard to implement, and in many places it's required by government fiat. Of course, most governments always exempt themselves from the fiats they enact."
"Best to review your governance, oversight and access control policies now -- before your organization features prominently (and ashamedly) in a newspaper headline!"
We encourage organizations not to wait until a control failure or regulatory audit finding happens to realize the importance of having proper governance over user access to critical information resources. Put an initiative in place now and avoid this known and pervasive risk. If you need assistance building a business case for implementing an access governance solution, Aveksa has built a model that you can use and we would be happy to step you through it.
Posted on Fri, Jul 02, 2010 @ 07:30 AM
Yet again, a Federal government agency has been identified as having serious access management and access governance failures. As reported by InformationWeek, a new report from the Department of Homeland Security Office of the Inspector General identifies serious access governance issues at the Federal Emergency Management Agency (FEMA).
FEMA Cybersecurity Fix Could Take Years
"FEMA also had access control problems. KPMG found password, patch management, and security configuration problems on servers supporting financial and support systems. User account control was another problem, as accounts weren't reviewed for appropriateness, weren't disabled or removed promptly after employees were fired, and weren't documented properly upon being handed out."
It is not surprising that the Federal government is lagging behind commercial enterprises. In fact, this issue was reflected in the findings of recent research conducted by the Ponemon Institute and commissioned by Aveksa.
Based on the responses of the 100 government IT practitioners that participated in the global multi-industry survey, the results show that FEMA is not the only government agency with access related issues that must be resolved. Some of the findings included:
1. Access Management is a worsening problem for government organizations:
- Most respondents in government (79 percent) said their users have too much access to information resources that aren't pertinent to their role in the organization.
2. Government organizations can't keep pace with access change:
- Three out of four respondents (75 percent) say that they cannot respond quickly enough to changes in employee access requirements.
- More than half (60 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.
3. Access policies are not regularly checked and enforced:
- Sixty percent of organizations do not have, or do not strictly enforce, access governance policies.
- Sixty-three percent do not immediately check user access requests against security policies before the access is approved and assigned.
4. Organizations lack the budget, resources and staff to effectively govern user access:
- More than two-thirds (68 percent) of respondents said that a lack of IT staff was a key problem in enforcing access compliance policies.
- Fifty-nine percent of organizations reported that they do not have enough technology to manage and govern end-user access to information resources.
Click here to download the Ponemon Institute 2010 Access Governance Trends Survey
With the number of failures that continue to be identified, it is time for all government security czars to focus on governing user access, as it is a straightforward initiative that can be dealt with right now. The Federal government should look to the security thought leaders in industry that have tackled the access lifecycle management and policy enforcement challenge, as they understand the best practices and have a framework for dealing with access change.
We would welcome a conversation with the security czar of any Government agency or department on how to instantiate a set of effective access governance business processes and policies. We would also be happy to connect these czars with some of Aveksa's thought-leading customers to help them understand an implementation roadmap and maturity model for achieving continuous access management and governance.
Posted on Wed, Apr 14, 2010 @ 11:40 AM
Aveksa sponsored a research survey conducted by the Ponemon Institute on the state of Access Governance. This is the second survey that we have worked on with the Ponemon Institute, and this one has some interesting trend analysis on how well organizations are achieving their objectives for properly governing user access, compared with the 2008 survey findings.
We would like to invite you to join Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, and Deepak Taneja, President and Founder of Aveksa, as they review all the survey findings and discuss a set of recommendations for improving how access is managed. Attendees of the 2010 Access Governance Trends Survey web seminar will also get a link to download a free copy of the complete report findings.
Date: Thursday, April 22, 2010
Time: 1:00pm ET/12:00pm CT/10:00am PT
Duration: 60 minutes
Register to attend this webinar
This study surveyed several hundred experienced IT practitioners from both multinational corporations and government organizations. The overall objective of the study was to understand how well IT practitioners are governing user access to information resources within their organizations.
Posted on Thu, Apr 08, 2010 @ 09:26 AM
It is interesting to see what may be the beginnings of a consumer legal groundswell around data breaches that lead to identity theft. Many organizations have not yet felt the wrath of customers taking action against them for the loss of personally identifiable information, but that may now be changing, as evidenced by this recent Dark Reading coverage of the class action lawsuit against Countrywide Financial. Implementing good access governance controls should be of paramount importance, especially for business-to-consumer organizations. This case demonstrates that organizations need to think about how to better manage the business risks of providing access to sensitive information resources: what is at stake is more than the loss of consumer data, customer trust and reputation, and the legal risks and operational costs are going to be substantially higher moving forward.
http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224201969&cid=nl_DR_DAILY_2010-04-08_h
Customers Sue Countrywide Financial Over Theft And Sale Of Personal Data
Class-action suit seeks $20 million as well as answers about company's involvement
Apr 07, 2010 | 03:56 PM
By Tim Wilson
DarkReading
Customers of Countrywide Financial have filed a class-action lawsuit over the 2008 data breach that enabled company insiders to steal and sell their personal information.
According to a Courthouse News Service report, the class-action lawsuit on behalf of 16 plaintiffs seeks $20 million in damages, plus punitive damages.
The data theft, originally attributed to a single employee working over a two-year-period, exposed tens of thousands of customer records.
The lawsuit alleges that Countrywide Financial employees stole and sold "tens of thousands, or millions" of customers' personal financial information, according to the news report.
The suit claims the defendants do not dispute that customers' private financial information was disseminated. It seeks to find out "whether the dissemination was intended as a plan or scheme, or was intentional; [and] whether any of the defendants was simply aiding and abetting, rather than an architect of the plan to disseminate the personal information."
The lawsuit also claims that the defendants were slow to admit the massive breaches of confidentiality, and offered little help when they finally did admit it. The defendants delayed disclosing the breaches to "gain time and money to extricate defendants from the financial stress [they] had created," the claim states.
The plaintiffs say their identities have been stolen or compromised, their credit histories have been "shattered," and they've been unable to obtain loans, lines of credit, or real estate financing. "Countrywide delayed several months before informing their customers," the complaint states. "Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures."
Posted on Thu, Dec 17, 2009 @ 08:30 AM
Kuppinger Cole had an interesting post today on their website titled "No Information Security Without Identity."
In this article Martin Kuppinger states, "there are such things as data protection laws, for instance. And the public has a nagging habit of asking who actually has access to which sets of data and how in tarnation did they just get leaked again! Auditors are also prone to ask unpleasant questions about compliance issues concerning both external and internal regulations. The word "compliance", after all, means following the rules.
Data protection is actually a good example since it shows what IAM is really all about. Identity and Access Management, after all, isn't just an end in itself. Neither is it some purely theoretical problem. Instead, it's the result of a relatively simple demand that has been around since the early days of IT, namely: 'Make sure our information is safe!'
Part of IAM's job is protecting data, either directly or by protecting the systems that use and store data. That is also the backdrop against which compliance regulation, both internal and external, must be viewed. That also means that it is much easier to talk with business people about "access" rather than about "identity". The big question is how do we control and monitor access to information and systems? To do that, we need to know who is allowed to do what - and who isn't. The only way to achieve that goal is through true digital Identity Management. Anyone who thinks he can do it by granting rights and approvals based on IP addresses or MAC numbers is seriously kidding himself.
Good IAM is the foundation on which to build information security, or not at all. Individual measures such as banning or monitoring things like USB sticks can help, but only if they are part of an overall system. Companies today need an 'access strategy' which determines who is allowed to do what in my system. That cannot be done by trying to apply and enforce a bundle of unconnected ad-hoc measures."
Martin brings up two very important points. First, "identity" is a language that is understood only by IT, while access is the language that the business understands. IT security organizations must find a way to bridge this language barrier if they hope to drive accountability for governing user access into the business and enable the business to request access in a context it understands.
The second point that Martin makes reflects a trend that we see emerging: the convergence of data governance (information) with access governance (identity). By understanding the user and their relationship within the organization (role), we can improve how information access policies are enforced at run-time while ensuring that they are not overly restrictive to the business. We think this is a pragmatic approach that enables information security policies to span data, applications, systems, hosts, networks, cloud services, files and file shares.
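As an added illustration of the two controls this page keeps returning to (checking a request against policy before access is granted, and reviewing existing accounts for access outside the user's role or left active after termination), the following is example code written for this page. It is not Aveksa's product, Kuppinger Cole's work, or anything from the cited audits; the role names, entitlements, separation-of-duties rule and the four sample accounts are constructed for the example.

```python
"""
Added example: a minimal role-based access governance check.

Two functions:
  evaluate_request() - the pre-approval policy check for a single access request
  certify()          - the periodic review that flags accounts with entitlements
                       outside their role, SoD conflicts, or still active after
                       the person has been terminated
All roles, entitlements and accounts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed policy: the entitlements each business role is allowed to hold.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "claims_processor": frozenset({"claims_db:read", "claims_app:submit"}),
    "claims_approver": frozenset({"claims_db:read", "claims_app:approve"}),
    "finance_analyst": frozenset({"gl_db:read", "reports:run"}),
}

# Constructed separation-of-duties rule: nobody may both submit and approve claims.
SOD_CONFLICTS: List[FrozenSet[str]] = [
    frozenset({"claims_app:submit", "claims_app:approve"}),
]


@dataclass
class Account:
    user: str
    roles: Set[str]            # business roles from the HR / identity source
    entitlements: Set[str]     # what the target systems actually grant today
    active: bool = True        # account is enabled on the target system
    terminated: bool = False   # HR says the person has left


def allowed_by_role(roles: Set[str]) -> Set[str]:
    """Union of everything the user's roles permit (unknown roles permit nothing)."""
    allowed: Set[str] = set()
    for role in roles:
        allowed |= ROLE_ENTITLEMENTS.get(role, frozenset())
    return allowed


def sod_violations(entitlements: Set[str]) -> List[FrozenSet[str]]:
    """Every SoD conflict set that is fully contained in the entitlements."""
    return [conflict for conflict in SOD_CONFLICTS if conflict <= entitlements]


def evaluate_request(acct: Account, requested: str) -> Tuple[bool, str]:
    """Policy check run before a request is routed to an approver."""
    if acct.terminated or not acct.active:
        return False, "account is terminated or disabled"
    if requested in acct.entitlements:
        return False, "already granted"
    if requested not in allowed_by_role(acct.roles):
        return False, f"'{requested}' is outside roles {sorted(acct.roles)}"
    if sod_violations(acct.entitlements | {requested}):
        return False, "would create a separation-of-duties conflict"
    return True, "within role policy"


def certify(accounts: List[Account]) -> Dict[str, List[str]]:
    """Periodic access review: return {user: [finding, ...]} for accounts needing action."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        if acct.terminated and acct.active:
            issues.append("active after termination")
        excess = acct.entitlements - allowed_by_role(acct.roles)
        if excess:
            issues.append("entitlements outside role: " + ", ".join(sorted(excess)))
        for conflict in sod_violations(acct.entitlements):
            issues.append("SoD conflict: " + " + ".join(sorted(conflict)))
        if issues:
            findings[acct.user] = issues
    return findings


# Constructed sample accounts (not real users).
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", {"claims_processor"}, {"claims_db:read"}),
    Account("bob", {"claims_processor", "claims_approver"},
            {"claims_db:read", "claims_app:submit"}),
    Account("carol", {"finance_analyst"}, {"gl_db:read", "claims_db:read"},
            active=True, terminated=True),
    Account("dave", {"finance_analyst"}, {"gl_db:read", "reports:run"}),
]

if __name__ == "__main__":
    for acct, req in [(SAMPLE_ACCOUNTS[0], "claims_app:submit"),
                      (SAMPLE_ACCOUNTS[1], "claims_app:approve")]:
        print(acct.user, req, evaluate_request(acct, req))
    for user, issues in certify(SAMPLE_ACCOUNTS).items():
        print(user, "->", "; ".join(issues))
```

The point of the split is that the same role model drives both the run-time decision and the review: bob's request for approve rights is denied because he already holds submit rights, and carol's account surfaces in certification twice, once because HR shows her terminated while the account is still enabled and once because she holds a claims entitlement her finance role does not permit.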
Posted on Mon, Nov 02, 2009 @ 10:30 AM
We recently read a post on Earl Perkins' blog (Research VP at Gartner) regarding "the continuing problem of IAM business justification."
In his post he states..."Sure, I've seen press articles with a title that include "IAM business justification", and they do a decent job at outlining key drivers of IAM and some of the benefits, but those articles usually have two consistent characteristics: (1) they are PRIMARILY about the key drivers rather than benefits, and (2) when benefits are discussed, they are seldom tied to objective, measurable metrics, the type of metrics that business decisionmakers like to see before signing over a couple of million in dollars, euros, or yen to such an effort."
Aveksa has seen the exact same trend with customers. We get asked quite often to help build a business value/ROI justification by organizations that are considering an Access Governance solution to automate the processes associated with access certification, enterprise role lifecycle maintenance, access request and access change management.
Earl is right: establishing metrics to measure is key. He is also spot on that organizations focus too much on cost containment when they should also be considering cost avoidance, that is, the operational business risks that can materialize from the misuse of access (compliance audit findings, fines and penalties, as well as the potential for increased operating expenses and the loss of revenue and brand reputation).
As he states, "customers focus too much on operational efficiency to the exclusion of possible justifications in the process or governance area of IT? The answer is 'maybe'. While we would like to think that IAM has moved beyond its "pipes and pumps" view by our main customers, the fact is that we have not produced enough in the way of identity intelligence, risk management and workflow optimization to warrant (yet) a seat at the big-boy table when discussing matters of IT governance or business process improvement. We're close, though (e.g. compliance reporting), and perhaps it's important that we include a justification rigor to run concurrent with efforts to deliver these higher-level IAM functions. (I'm actually giving advice to myself to ensure future research in these areas reflects this, so consider this a 'note to self' comment as well as one to you.)"
Including metrics for cost avoidance helps build a more complete value justification for investing in process and policy automation, because it supplies metrics for business assurance (access risk management). That is what the organization really values IT security for: the assurance that the "bad events" will not happen.
If you want to learn more about how to build such a business case to justify an investment in your access governance initiative, click here.