Posted on Fri, Jul 02, 2010 @ 07:30 AM
Yet again, another Federal government agency has been identified as having serious access management and access governance failures. As reported by InformationWeek, a new report from the Department of Homeland Security Office of the Inspector General identifies serious access governance issues at the Federal Emergency Management Agency (FEMA).
FEMA Cybersecurity Fix Could Take Years
"FEMA also had access control problems. KPMG found password, patch management, and security configuration problems on servers supporting financial and support systems. User account control was another problem, as accounts weren't reviewed for appropriateness, weren't disabled or removed promptly after employees were fired, and weren't documented properly upon being handed out."
It's not surprising that the Federal government is lagging behind commercial enterprises. In fact, this issue was reflected in the findings of recent research conducted by the Ponemon Institute and commissioned by Aveksa.
Based on the responses of the 100 government IT practitioners that participated in the global multi-industry survey, the results show that FEMA is not the only government agency with access related issues that must be resolved. Some of the findings included:
1. Access Management is a worsening problem for government organizations:
- Most respondents in government (79 percent) said their users have too much access to information resources that aren't pertinent to their role in the organization.
2. Government organizations can't keep pace with access change:
- Three out of four respondents (75 percent) say that they can't respond quickly enough to changes in employee access requirements.
- More than half (60 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.
3. Access policies are not regularly checked and enforced:
- Sixty percent of organizations do not have or do not strictly enforce access governance policies.
- Sixty-three percent do not immediately check user access requests against security policies before the access is approved and assigned.
4. Organizations lack the budget, resources and staff to effectively govern user access:
- More than two-thirds (68 percent) of respondents said that a lack of IT staff was a key problem in enforcing access compliance policies.
- Fifty-nine percent of organizations reported that they don't have enough technologies to manage and govern end-user access to information resources.
The full report, the Ponemon Institute 2010 Access Governance Trends Survey, is available for download.
With the number of failures that continue to be identified, it's time for all government security Czars to focus on tackling the issue of governing user access, as it's a straightforward initiative that can be dealt with right now. The Federal government should look to the security thought leaders in industry that have tackled the access lifecycle management and policy enforcement challenge, as they understand the best practices and have a framework for dealing with access change.
We would welcome a conversation with any Government agency or department security Czars on how to instantiate a set of effective access governance business processes and policies. We would also be happy to connect these Czars with some of Aveksa's thought-leading customers to help them understand an implementation roadmap and maturity model for achieving continuous access management and governance.
Posted on Tue, Sep 15, 2009 @ 01:32 PM
Interesting to see that access governance control failures are continuing to happen at all levels in the Federal Government.
http://www.wired.com/threatlevel/2009/09/montgomery/
Intelligence Analyst Charged With Hacking into Top Secret Anti-Terror Program
An analyst at a Defense Department spy satellite agency faces federal hacking charges after allegedly poking around in a top-secret system used in a classified terrorism investigation involving the FBI and the U.S. Army.
Brian Keith Montgomery worked on a covert program for the National Geospatial-Intelligence Agency - the spy agency in charge of satellite and aerial image collection. On April 9, he was carrying out his duties when he saw a message that "provided significant detail about a classified operation" that was unrelated to his job, according to an affidavit filed by a Pentagon investigator in the case.
According to the government, Montgomery ignored a security warning in the message he saw, and twice logged in to a classified system used in the terrorism investigation: first on April 9, when he stayed on for two hours, and then on April 14. He'd gotten the password from another classified message to which he also had legitimate access.
Curiously, just by accessing the system, Montgomery endangered the terrorism investigation, and "caused harm to the U.S. Army and the FBI," according to the affidavit by Dexter Wells, an agent with the Defense Criminal Investigative Service.
Montgomery's alleged motives are unclear, but he told DCIS that he was very interested in the information in the program, Wells wrote. Montgomery also told investigators that he'd thought he was allowed to log in to the system, and hadn't noticed a warning saying that only officials participating in the operation were allowed to use the password.
"It was not until I was called on the carpet, that I went back and read the warning notice in the message traffic," Montgomery allegedly told DCIS.
The nature of the system at issue is not clear, but it was used from all around the U.S. as part of the terrorism investigation, and was being monitored by the FBI at the time of his alleged access. That's evidently what led to the probe of Montgomery, who worked at a National Geospatial-Intelligence Agency facility at Fort Belvoir in northern Virginia.
There are no allegations that Montgomery did anything with the information he obtained.
###
We see two major issues here:
1. As we have seen in numerous employee snooping incidents, such as at the US State Department, hoping that users within the enterprise will remember access policies that live in a three-ring binder on the IT Security organization's bookshelf is wishful thinking. Putting a warning in a message stating that only authorized system users who are working on a particular case or project should be logging in to view the information is not an effective access governance control. Controls need to be automated to ensure that policies are enforced in a consistent fashion across the entire enterprise and all legitimate users. In this situation, I wouldn't hold the employee accountable for snooping, as there were no real controls limiting access. The DoD is responsible for enabling this situation to occur: they knew the likelihood was high that some users did not have a legitimate reason to access the information, which is why they put the warning in the message.
2. There appears to be no access governance framework in place at the DoD, based on the news reports of this event. If a user is authorized with credentials to log into the system as part of performing their job function, controlling what they can and can't do requires access administration capabilities that far exceed what a system account password provides. Controlling access is best done at the entitlement level, which is where the specific access rights are assigned to a person and the determination is made of what they can or shouldn't be able to do within the system. Had the DoD leveraged a dynamic access governance control framework, they could have avoided this situation by administering access using role attributes. This approach enables user entitlements to be assigned based on a case log or project assignment code that maps to a particular user's task or process role within the department. Who is, and is not, authorized to view specific content is then determined by the work they have been assigned.
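The entitlement-level control described in point 2, and the account review and prompt disablement failures called out in the FEMA report in the earlier post, as an added illustration (this is example code written for this page, not Aveksa's product or anything from the DoD reports). Every identifier in it is constructed: user ids, the case code CASE-0042, the project code IMG-PROJ-7, the role names and the dates are placeholders. Knowing the system password contributes nothing to the decision; the only thing that grants access is an active, unexpired entitlement whose case code and role match the resource, and every attempt, allowed or denied, is written to an audit record the monitoring team can review.

```python
"""Added example: automated entitlement check plus periodic access review.

Assumptions (all constructed for illustration):
- each user carries entitlements: a role on one case/project code, with an expiry;
- each classified message or system is tagged with the case code it belongs to
  and the roles permitted to see it;
- a warning banner is NOT a control; the decision below is the control.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entitlement:
    """One specific access right: a role on one case/project, valid until a date."""
    case_code: str
    role: str
    expires: date


@dataclass
class User:
    user_id: str
    active: bool                                   # False once offboarding disables the account
    entitlements: List[Entitlement] = field(default_factory=list)


@dataclass(frozen=True)
class Resource:
    resource_id: str
    case_code: str                                 # the case/project this message or system belongs to
    allowed_roles: frozenset                       # roles that may view it


# Constructed sample data; every identifier and date here is hypothetical.
TODAY = date(2009, 4, 9)
CASE_SYSTEM = Resource("case-portal", "CASE-0042", frozenset({"case-officer", "case-analyst"}))
ANALYST = User("analyst-01", True, [Entitlement("IMG-PROJ-7", "image-analyst", date(2009, 12, 31))])
OFFICER = User("officer-02", True, [Entitlement("CASE-0042", "case-officer", date(2009, 12, 31))])
FORMER = User("former-03", False, [Entitlement("CASE-0042", "case-analyst", date(2009, 12, 31))])
LAPSED = User("lapsed-04", True, [Entitlement("CASE-0042", "case-analyst", date(2009, 3, 1))])

AUDIT_LOG: List[Dict[str, str]] = []


def evaluate(user: User, resource: Resource, today: date) -> Tuple[bool, str]:
    """Decide purely from entitlements: does this person hold a live right on this case?"""
    if not user.active:
        return False, "account disabled"
    for ent in user.entitlements:
        if ent.case_code != resource.case_code or ent.role not in resource.allowed_roles:
            continue                               # right on some other case, or wrong role
        if ent.expires < today:
            return False, "entitlement expired"
        return True, "entitlement matches case and role"
    return False, "no entitlement for this case"


def request_access(user: User, resource: Resource, today: date) -> bool:
    """Enforce the decision and record every attempt so monitoring can review denials."""
    allowed, reason = evaluate(user, resource, today)
    AUDIT_LOG.append({
        "user": user.user_id,
        "resource": resource.resource_id,
        "case": resource.case_code,
        "decision": "ALLOW" if allowed else "DENY",
        "reason": reason,
    })
    return allowed


def denied_attempts() -> List[Dict[str, str]]:
    """The records a security team would triage: who tried to reach a case they are not on."""
    return [entry for entry in AUDIT_LOG if entry["decision"] == "DENY"]


def access_review(users: List[User], today: date) -> List[Tuple[str, str, str]]:
    """Periodic certification: flag entitlements that should no longer exist.

    Returns (user_id, case_code, finding) for expired entitlements and for disabled
    accounts that still carry entitlements, the two review failures the FEMA audit named.
    """
    findings = []
    for user in users:
        for ent in user.entitlements:
            if not user.active:
                findings.append((user.user_id, ent.case_code, "entitlement on disabled account"))
            elif ent.expires < today:
                findings.append((user.user_id, ent.case_code, "expired entitlement"))
    return findings


if __name__ == "__main__":
    for user in (ANALYST, OFFICER, FORMER, LAPSED):
        print(user.user_id, "->", "ALLOW" if request_access(user, CASE_SYSTEM, TODAY) else "DENY")
    for finding in access_review([ANALYST, OFFICER, FORMER, LAPSED], TODAY):
        print("review:", finding)
```

Running it shows the analyst with a legitimate login but no entitlement on the case being denied, the assigned officer being allowed, and the review pass listing the disabled account and the lapsed entitlement for removal. The design point is that the case or project assignment code, not the password, is what carries the authorization, so the "only participants may use this password" warning becomes a machine-checked rule rather than something the user has to remember to read.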