Posted on Wed, Feb 03, 2010 @ 04:18 PM
Great article by Mike Vizard of ITBusiness Edge that points out the need for effective access governance.
In his article he cites advice from Kelly Bissell, a principal with Deloitte & Touche, that organizations need to evaluate their data governance processes against an access control maturity model that encompasses the following concepts:
User life cycle management - a set of processes for managing user access within the environment from time of hire through termination or retirement.
Enterprise role management - processes associated with establishing a role-based structure that links applications from downstream applications to the broad enterprise, making it easier to grant appropriate access needed by users to perform their work.
Compliance management - composed of the key compliance activities companies face for user access controls, such as segregation of duties (SoD), user access reviews, password policies, etc.
Enterprise identity and access management - a comprehensive set of processes and tools that enable security tasks for management of user identity, workflow processes, password management, and user and role administration.
Aveksa has a similar perspective. The items mentioned above are really about providing a continuous approach to the management of user access across its entire lifecycle. When you combine enterprise role management and access policy automation with a set of event-driven rules, you have the ability to implement an access change management control framework. In essence, security can become its own business process, with governance automatically embedded in that process.
The benefits that can be realized include streamlined access delivery, lower operational overhead for IT and sustainable compliance. This approach greatly simplifies the complexity that IT organizations have to deal with when managing changes to user access across hundreds of information resources and thousands of user entitlements.
Posted on Tue, Dec 08, 2009 @ 05:27 PM
Gartner published a great research report on Entitlement Life Cycle Management: The Evolution of Role Life Cycle Management. Besides defining the difference between business and technical roles, Earl Perkins (the author) points out that roles are really all about assigning fine-grained access permissions (entitlements) to users based on their job function.
He states, "a discussion of roles can easily overlook an important point: The real effort to assign the appropriate levels of access actually rests at the granular level of the entitlement. An entitlement (also called by various audiences a "privilege," "permission," "access right" or "authorization") is currently the most granular construct for assigning the level of access to a job function based on enterprise access policies. In other words, an entitlement is the means by which an enterprise assigns a particular level of access to an IT-based resource, whether it is information in a database, a transaction in an application or a command in an IT system. A role is one method by which these entitlements may be grouped or aggregated to make the process of assigning those entitlements more efficient."
Well stated, Earl. While technical and provisioning roles benefit an organization as an efficient IT security administration tool for automating the creation of accounts in user directories, this approach cannot understand a user's relationship with the organization in terms of the function that user performs for the business, nor can it map the specific entitlements that are appropriate to that functional role. Enterprise business roles have evolved to achieve this objective.
Posted on Wed, Oct 28, 2009 @ 11:30 AM
Our friend Dave Kearns of NetworkWorld had an interesting article in his newsletter this week on "moving the discussion beyond authentication." This is an excerpt from his newsletter -
"A couple of years ago ("Are we bogged down in authentication discussions?,") I advocated moving away from authentication discussions slowly, that until we were sure who was logging in discussions of what they could access was merely academic. Now it's time to move on. I may, in fact, have denigrated the possibilities of XACML. I'm still not sure it's the best we could do but -- similar to my thoughts on PKI -- it's the best we can do right now. XACML is all about rule-based access control. Couple that with role-based and context-based access control and we might be on to something."
http://www.networkworld.com/newsletters/dir/2009/102609id2.html?source=NWWNLE_nlt_security_identity_2009-10-28
Dave, we couldn't agree more! While XACML provides a common technical language for access control in the cloud, there also needs to be a common business language for governing user access to cloud-based information resources. Using business roles coupled with policy rules lets organizations extend their access governance framework to cloud-based information resources, pre-determining whether a person should have access at all and what specific access permissions they should be allowed as part of their job function.
A number of organizations we've spoken with recently have expressed concern about their ability to properly govern user access to cloud-based information resources. Business units are buying subscriptions to cloud-based applications and services independently, without consulting their IT security team. Beyond basic security administration for setting up accounts on cloud information resources, there is no easy way for an organization to apply its governance controls for access. As a result, an organization may be exposing itself to access-related business risks and compliance violations (depending on the nature of the information resource).
Extending business roles (with embedded controls) to cloud based information resources must be an imperative for organizations.
Posted on Tue, Oct 20, 2009 @ 01:14 PM
Two weeks ago Aveksa participated in a panel discussion at the ISSE event in the Netherlands on Identity & Access Management trends coming out of a recent KPMG/Everett survey report.
Infosecurity Magazine article on Identity & Access Management investment priorities
We were quoted in Infosecurity Magazine's coverage of the event, in an article on the market drivers for investing in Identity and Access Management projects. While it's clear that access compliance is still a major issue for organizations, we are seeing a trend towards leveraging an investment in access governance technologies for more than just regulatory compliance. Forward-thinking organizations are quick to realize that most of their access governance failures are back-end issues created by a front-end access control problem.
Specifically, this problem relates to how access change requests are managed within the organization. By leveraging a role-based access change management framework, organizations gain a preventative control that ensures the appropriateness of access for all users at every change point. This approach simplifies how access is requested by the business (in the context of business roles), streamlines how access is delivered to the business (accounts, groups, entitlements and technical roles are mapped to business roles, which makes it easier for IT to fulfill access) and ensures that access controls have been applied (rules are used to design roles, and rules can also be run at the point of request for entitlements outside of the role).
For many organizations, simplifying how user access is delivered to the business and how it is governed across the enterprise is now getting investment priority over many other IAM projects, because this kind of project can deliver business value quickly while reducing IT security overhead and the organizational burden associated with compliance.
Posted on Thu, Oct 15, 2009 @ 03:02 PM
Dark Reading is covering a lot of stories lately that relate to access governance and risk management.
http://www.darkreading.com/database_security/security/management/showArticle.jhtml?articleID=220600156&cid=nl_DR_DAILY_H
Last week they featured an article on the "Six Steps Toward Better Database Security Compliance" that offered up some best practices related to access controls for information resources. Ericka Chickowski, the reporter who wrote the article for Dark Reading, was spot on with two best practices mentioned in the article:
###
3. Access Management and Segregation of Duties
Figuring out who has access to regulated data, what kind of access they are given, and whether that access is appropriate for their jobs is at the heart of complying with regulatory mandates.
More complicated is the issue of segregation of duties and entitling permissions based on roles.
The task of segregating users based on roles means understanding each user's duties, experts say. And it can't be a one-time task. Organizations need to be vigilant to constantly review roles and entitlements to prevent toxic combinations of privileges.
5. Reporting On Compensating Controls
In those instances where organizations have appropriate compensating controls in place, auditors want proof that these controls actually exist...
For example, you may tell an auditor that you're conducting a biweekly review to ensure access controls are appropriate. But if you can't produce evidence that the review is taking place according to schedule, the auditor will likely flag you...
###
As Ericka points out, to get governance over user access you need to start with access visibility. Do you know who has access to what information resources? Do you know what specific access rights they have (read, write, delete, etc.)? Is the access absolutely necessary for that person to do their job? Once you have a unified view of user access and apply access policy controls (like Segregation of Duties), chances are you will uncover a number of access governance issues that need to be cleaned up (orphaned accounts, orphaned entitlements and inappropriate access). We have seen entitlement revocation rates as high as 40% with some of our customers on their first automated collection and certification of user access data. As mentioned in the article, having an auditable system of record is key to being able to demonstrate compliance. By the way, spreadsheets are not a "system of record."
Ericka also points out that the use of business roles can simplify the task of compliance by providing a preventative control. She's right. Using a role-based approach to governing user access enables organizations to understand what access is necessary (the minimum required) to perform a job function, as well as what is appropriate from a policy standpoint, so that access compliance and risk management objectives are met. A role-based approach also benefits an organization by simplifying compliance and enabling access delivery to the business to be streamlined. If you want to learn more about the benefits of role-based access governance, you can read a whitepaper we've written on this topic, which can be found here: http://www.aveksa.com/company/resource-center/index.cfm
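The access-visibility pass described above (collect accounts and entitlements from several resources, fold them onto users, then find orphaned accounts, orphaned entitlements and toxic combinations before a certification) can be sketched in a few dozen lines. The following is an added example, not code from this post or from the Aveksa product; the HR feed, resources, account names and the single SoD rule are all constructed for illustration, and the "revocation rate" it reports is simply the share of collected entitlements that a reviewer would need to act on.

```python
# Added example, not code from the Aveksa post or product: a minimal
# access-visibility pass over collected account and entitlement data.
# All records, resource names and the SoD rule below are constructed.
from collections import defaultdict

# Constructed HR feed: user id -> department and active flag
HR = {
    "u100": {"dept": "finance", "active": True},
    "u101": {"dept": "finance", "active": True},
    "u102": {"dept": "engineering", "active": False},  # terminated
}

# Constructed collected accounts: (resource, account name, owning user id or None)
ACCOUNTS = [
    ("erp", "u100", "u100"),
    ("erp", "u101", "u101"),
    ("erp", "u102", "u102"),      # owner terminated -> orphaned account
    ("erp", "svc_batch", None),   # no owner on record -> orphaned account
    ("db_prod", "u101", "u101"),
]

# Constructed collected entitlements: (resource, account name, entitlement)
ENTITLEMENTS = [
    ("erp", "u100", "ap.create_vendor"),
    ("erp", "u100", "ap.approve_payment"),  # toxic together with create_vendor
    ("erp", "u101", "ap.create_vendor"),
    ("erp", "u102", "gl.post"),
    ("erp", "svc_batch", "gl.post"),
    ("db_prod", "u101", "db.read"),
]

# Constructed SoD policy: sets of entitlements one person must not hold together
SOD_RULES = [frozenset({"ap.create_vendor", "ap.approve_payment"})]


def orphaned_accounts(accounts, hr):
    """Accounts with no recorded owner, or whose owner is not an active user."""
    return sorted((res, acct) for res, acct, owner in accounts
                  if owner is None or not hr.get(owner, {}).get("active", False))


def orphaned_entitlements(entitlements, accounts, hr):
    """Entitlements still attached to an orphaned account."""
    orphans = set(orphaned_accounts(accounts, hr))
    return sorted(e for e in entitlements if (e[0], e[1]) in orphans)


def entitlements_by_user(entitlements, accounts):
    """Unified view: fold every account's entitlements onto its owning user."""
    owner_of = {(res, acct): owner for res, acct, owner in accounts}
    per_user = defaultdict(set)
    for res, acct, ent in entitlements:
        owner = owner_of.get((res, acct))
        if owner is not None:
            per_user[owner].add(ent)
    return dict(per_user)


def sod_violations(entitlements, accounts, rules):
    """Users holding every entitlement of some toxic combination."""
    per_user = entitlements_by_user(entitlements, accounts)
    return sorted((user, tuple(sorted(rule)))
                  for user, ents in per_user.items()
                  for rule in rules if rule <= ents)


def certification_report(entitlements, accounts, hr, rules):
    """Items a reviewer must act on, plus the share of collected
    entitlements flagged (the revocation rate if every item is revoked)."""
    owner_of = {(res, acct): owner for res, acct, owner in accounts}
    flagged = {}
    for e in orphaned_entitlements(entitlements, accounts, hr):
        flagged[e] = "orphaned"
    for user, pair in sod_violations(entitlements, accounts, rules):
        for e in entitlements:
            if owner_of.get((e[0], e[1])) == user and e[2] in pair:
                flagged.setdefault(e, "sod")
    return {
        "items": sorted(flagged.items()),
        "flagged": len(flagged),
        "total": len(entitlements),
        "revocation_rate": len(flagged) / len(entitlements),
    }


if __name__ == "__main__":
    report = certification_report(ENTITLEMENTS, ACCOUNTS, HR, SOD_RULES)
    for item, reason in report["items"]:
        print(reason, item)
    print("flagged %d of %d (%.0f%%)" % (report["flagged"], report["total"],
                                        100 * report["revocation_rate"]))
```

On this constructed data the pass flags four of six entitlements: two attached to orphaned accounts and the two halves of the vendor-creation/payment-approval combination held by one user. The point of the `owner_of` join is that SoD can only be evaluated once accounts on different resources are tied back to one person; checked per account, the toxic pair is invisible.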
Posted on Wed, Oct 14, 2009 @ 10:30 AM
Interesting article from Dark Reading on database vulnerability being attributed to authorized users. http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=220300753&cid=nl_DR_DAILY_H
What strikes us from this article is the importance of merging access governance and data governance frameworks. As you will see when you read the article, role-based access control is certainly mentioned, but it is not given much attention as a preventative control. We agree that misuse of access entitlements by "authorized users" causes the majority of data breaches, but we would question whether an authorized user really needs access to sensitive information resources and, if so, whether the organization knows what level of privilege to provide. As the article states, organizations have a difficult time understanding whether access is truly required.
"Unfettered access to data is another common problem in many database environments, experts say. In many cases, employees are given access to more information than they need to do their jobs."
What we see as a common access governance failure related to database access is when a user's role or relationship with an organization changes. Take for example a DBA who changes departments and now administers a different set of data, or a DBA who changes functional role by becoming an application developer. It is fairly common for such an individual to drag their database access entitlements from the old position into the new one, which increases the chance of someone misusing their access privileges.
So the real challenge is how to effectively manage changes to user access when the frequency of those changes is high and the number of information resources (databases, applications, file shares, systems, etc.) against which access change needs to be managed can run to hundreds or thousands. Organizations can benefit from having a role-based access governance control framework in place, as it provides a preventative control that ensures access is always appropriate. By establishing business roles, organizations have a common language for expressing access that works for the business when requesting access (since a role is made up of the specific information resource entitlements truly needed for a person's functional role) and works for the IT security or operations group tasked with delivering access to the business while ensuring that the request doesn't introduce any compliance violations or business risk.
Organizations that don't leverage a role-based approach for governing access should have a process in place for review and certification of user access in order to provide detective controls. A best practice for access change management using reviews is to review a user's access based on a change event, such as when an individual receives an entitlement to a high-risk information resource or changes departments/functions within the organization. Incremental, event-driven reviews provide a dynamic detective control that can catch and remediate access governance issues before an audit review period.
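The two controls described in the last three paragraphs, a preventative check at the point of request and an event-driven review when a user changes role or receives a high-risk entitlement, fit together in one small model. The following is an added example, not code from this post or from the Aveksa product; the business roles, resource names, the high-risk resource list and the single toxic combination are constructed, and the DBA-turned-developer scenario from the post is used to show which entitlements get dragged along and queued for review.

```python
# Added example, not code from the Aveksa post or product: a role-based
# access change management control with a point-of-request rule check and
# an event-driven review trigger. Roles, resources and rules are constructed.
from dataclasses import dataclass, field

# Constructed business roles: role -> entitlements (resource, entitlement) it grants
ROLES = {
    "dba": {("db_prod", "db.admin"), ("db_prod", "db.read"), ("ticketing", "tkt.resolve")},
    "app_developer": {("git", "repo.write"), ("ci", "build.run"), ("ticketing", "tkt.resolve")},
    "ap_clerk": {("erp", "ap.create_vendor")},
}

# Constructed toxic combinations: entitlement sets one person must not hold together
SOD_RULES = [frozenset({("erp", "ap.create_vendor"), ("erp", "ap.approve_payment")})]

# Constructed list of resources whose entitlements are treated as high risk
HIGH_RISK_RESOURCES = {"db_prod", "erp"}


@dataclass
class User:
    uid: str
    role: str
    entitlements: set = field(default_factory=set)


def evaluate_request(user, requested):
    """Preventative control at the point of request. Returns (decision, reason)."""
    if requested in ROLES[user.role]:
        return "auto-approve", "granted by business role %s" % user.role
    proposed = user.entitlements | {requested}
    for rule in SOD_RULES:
        if rule <= proposed:
            names = ", ".join(sorted(ent for _, ent in rule))
            return "deny", "toxic combination: " + names
    return "manual-review", "outside role; approver must record a justification"


def grant(user, requested):
    """Apply an approved request; returns True when an event-driven review is due."""
    decision, _ = evaluate_request(user, requested)
    if decision == "deny":
        raise PermissionError(requested)
    user.entitlements.add(requested)
    # change event: a grant on a high-risk resource outside the role triggers a review
    return decision != "auto-approve" and requested[0] in HIGH_RISK_RESOURCES


def change_role(user, new_role):
    """Change event: move the user to a new business role and return the
    entitlements dragged along from the old position that need review."""
    user.role = new_role
    return sorted(e for e in user.entitlements if e not in ROLES[new_role])


def remediate(user, to_revoke):
    """Reviewer decision: revoke entitlements not justified by the new role."""
    user.entitlements -= set(to_revoke)
    return sorted(user.entitlements)


if __name__ == "__main__":
    dba = User("u200", "dba", set(ROLES["dba"]))
    print(evaluate_request(dba, ("db_prod", "db.read")))           # auto-approve
    print(evaluate_request(dba, ("git", "repo.write")))            # manual-review
    clerk = User("u201", "ap_clerk", set(ROLES["ap_clerk"]))
    print(evaluate_request(clerk, ("erp", "ap.approve_payment")))  # deny
    dragged = change_role(dba, "app_developer")
    print(dragged)                        # db.admin and db.read came along
    print(remediate(dba, dragged))        # only the shared ticketing right remains
```

Requests inside the role are fulfilled without a human decision, which is the streamlining the post describes; requests outside it are where the SoD rules run, so a clerk who can create vendors is refused payment approval at request time rather than being caught at the next audit. The role change does not revoke anything by itself: it produces the review list, leaving the revoke decision with a reviewer, which is the incremental, event-driven review the post recommends for organizations that rely on detective controls.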
###
Databases' Most Serious Vulnerability: Authorized Users
New Dark Reading report outlines threats posed to databases by end users -- and how to protect your data
Oct 01, 2009 | 05:09 PM
By Ericka Chickowski
DarkReading
[Excerpted from "Protecting Your Databases From Careless End Users," a new report published today in Dark Reading's Database Security Tech Center.]
In all of their frenzy to protect sensitive data from hackers and thieves, many organizations overlook the most likely threat to their databases: authorized users.
While today's headlines might be full of compromises and SQL injection attacks, most database leaks are still caused by end users who have legitimate access to the data, experts say. Yet, according to "Protecting Your Databases From Careless End Users," a new report published today by Dark Reading, many enterprises still don't do enough to protect data from accidental leaks or insider theft.
To read the rest of the article, click below.
http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=220300753&cid=nl_DR_DAILY_H