Category Archives: Access Governance

Aveksa Named a Leader in Gartner Magic Quadrant

We’re pleased to announce that Aveksa was named a Leader in the new “Magic Quadrant for Identity and Access Governance”, published last month by Gartner. In the report, the authors (Gartner Analysts Earl Perkins and Perry Carpenter) state: “managing identity and access is more than an operational concern. Rather, it requires governance of identity and entitlement life cycles in the enterprise.”

They also note that the need for (and recognition of the need for) identity and access management governance is growing – they estimate that IAG-led projects will double from one-third of all IAM projects, to two-thirds by 2013.

We’re happy to have been named a leader in this report, and are grateful to our customers — the reason for our success.

Account versus Entitlement Reviews (part 2)

Continuing from my previous entry on this topic, this post looks further at the different approaches toward capturing user entitlement information, specifically the merits of doing so at the account level versus at the entitlement level. Typically, having a system that provides more insight into the details of which application (or data) entitlements a user has is better – so that the appropriate people in the organization can make better, more informed, and more granular access decisions.

But, in two scenarios, it does make sense to capture and use data just at an account level. The first situation is in a period of transition – where the organization may not yet have the infrastructure or capability to capture, normalize, process, and present detailed entitlements to reviewers (or to users requesting access).  This is a perfectly fine approach, and can be quite useful as a way to put in place business processes for review or access request, and to begin to familiarize end users with them – as long as there’s a concrete plan to ultimately move to reviewing and requesting at an entitlement level. These shouldn’t be left indefinitely at an account level – it simply doesn’t provide enough visibility or control, isn’t audit-proof, and will likely lead to a false sense of security.

The second scenario is when the information about an account’s existence is in fact sufficient for its designated purpose. For example, one of our customers keeps track of which employees have accounts on their mainframe system. None of the applications on the mainframe are subject to entitlement reviews, so they don’t need to capture the entitlement details. Instead, they use the account information as part of their Leaver process – so that when a person departs the organization, IT has a clear view of whether or not a mainframe account needs to be deprovisioned, and can act accordingly. This is a simple, yet effective scenario, and a great example of the value of having an Access Management Database (XMDB) with complete information about identities and access, even beyond the traditional focus of access governance systems.

In general, of course, organizations need to capture and operationalize a detailed view of user entitlements in order to meet their access-related security and compliance goals.
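To make the difference between the two review levels concrete, here is an added example (not Aveksa’s code) that runs both views over one constructed dataset: two active users who look identical at the account level but differ sharply at the entitlement level, plus the Leaver check described above for a terminated user who still holds a mainframe account. The system names and entitlements are constructed placeholders.

```python
"""Account-level versus entitlement-level review over one constructed dataset."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    user_id: str
    status: str                                   # "active" or "terminated", from the HR feed
    accounts: dict = field(default_factory=dict)  # system name -> list of entitlements held


# Constructed sample data: alice and bob both have a 'trading-app' account;
# carol has left the organization but still has a mainframe account (no entitlement detail).
IDENTITIES = [
    Identity("alice", "active", {"trading-app": ["view_positions"]}),
    Identity("bob", "active", {"trading-app": ["view_positions", "approve_trades", "override_limits"]}),
    Identity("carol", "terminated", {"mainframe": []}),
]


def account_level_view(identities):
    """What a reviewer sees at account level: only which systems each user has an account on."""
    return {i.user_id: sorted(i.accounts) for i in identities}


def entitlement_level_view(identities, system):
    """What a reviewer sees at entitlement level for one system: the actual capabilities."""
    return {i.user_id: sorted(i.accounts[system]) for i in identities if system in i.accounts}


def leaver_accounts(identities):
    """Leaver process: terminated identities that still hold any account, for deprovisioning."""
    return sorted((i.user_id, s) for i in identities if i.status == "terminated" for s in i.accounts)


def indistinguishable_at_account_level(identities, system):
    """User pairs that look the same at account level but hold different entitlements."""
    users = [i for i in identities if system in i.accounts]
    pairs = []
    for a in users:
        for b in users:
            if a.user_id < b.user_id and set(a.accounts[system]) != set(b.accounts[system]):
                pairs.append((a.user_id, b.user_id))
    return pairs
```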

IT Business Edge: Making It Easier to Do the Right GRC Thing

Here’s a link to a new article in IT Business Edge, summarizing a discussion with Aveksa CEO Vick Vaishnavi.  In this article, the author succinctly explains the challenges around governing user access, and how Aveksa’s solutions can help improve security and efficiency.


Account versus Entitlement Reviews

In my role at Aveksa, I’m fortunate enough to be able to talk to customers and prospective customers on a regular basis. I truly enjoy meeting these folks, asking a few questions, and learning about their Identity Management priorities, challenges, and the business and technology drivers behind them. People love to talk about what they do, and always seem happy to share.

One of the things I’ve noticed periodically is that organizations will review user access at the account level – making access decisions based on whether an individual has an account in a given application, and not on what specific capabilities they have within the app. This is arguably better than nothing, but also arguably worse than nothing!

I’ve tried to summarize the pros and cons of such an approach below:

Access Reviews at the Account Level

Pros

  • Satisfies “checkbox” audit requirements
  • Will remove some unauthorized access rights
  • Increases awareness of this application from a security perspective
  • Establishes processes for account data collection, and ownership of review process

Cons

  • May not satisfy auditors’ requirements
  • Cannot distinguish scope of user access rights
  • May lead to false sense of security

While access certification at the account level is less than ideal, on balance it can be quite useful as a transitory state, to help the organization begin to establish access governance processes, ownership, and accountability. For most applications and resources, it shouldn’t be considered as a desired end state**.

The good news is that all the enterprises I’ve spoken with recognize that the correct approach is to perform access reviews at the entitlement level, and are determined to accomplish this.

** as always in life and computers, there are exceptions! I’ll be writing about this in an upcoming blog posting, under the category of “when doing a bad thing is good”

Introducing Access Fulfillment Express

Today, all of us at Aveksa are pleased to announce a new product offering, Access Fulfillment Express™ (which we affectionately refer to as AFX). We’ve designed and built this product to address what we see as a clear need within our customer base, and in the Identity Management industry in general – a way to eliminate the cost, complexity, and frustration typically associated with provisioning implementations. Talking to customers, analysts, and other influencers, we’ve seen this frustration, and believe that the fundamental problem is that typical provisioning systems intermingle business logic and integration logic, and rely on a coding-centric implementation approach.

The result is that implementations take on the negative characteristics of point-to-point integration projects, where business policies (such as who should have access to what) are implemented at the same architectural layer, and with the same language, as integration mechanics (such as the mapping of a message to a set of application API calls).  We believe differently — that the business logic belongs at the access governance layer – it’s the only place with full identity context, with the ability to define rules and processes that are applicable to business users, and is independent of the technology and mechanics of target systems. And, that such systems should avoid the need for custom coding, and instead provide a configuration-centric solution.

Consider, for instance, the creation of a rule that controls the approval process for a user’s request for application access.  This rule should be able to take into consideration attributes of the requested entitlement (such as its sensitivity), attributes of the requesting person (department, role),  and full identity context (what other entitlements does this person have, and will this new one violate any SoD policies?).  This rule should not be in any way connected to how the system integrates with the target application (which after all can and likely will change over time), and should definitely not be hard-coded in a programming language (thus requiring a software engineering cycle to make even minor adjustments).
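The following added example (not AFX code) sketches such an approval rule as pure governance-layer logic: it routes a request using the requested entitlement’s sensitivity and owning department, the requester’s department, and the requester’s existing entitlements checked against a separation-of-duties policy, and it knows nothing about how the target application is integrated. The entitlement catalogue, SoD policy and approver names are constructed placeholders.

```python
"""Access-request approval rule evaluated at the governance layer, independent of target integration."""

# Constructed entitlement catalogue: attributes the rule may consult.
ENTITLEMENTS = {
    "payments:initiate": {"sensitivity": "high", "department": "payments", "owner": "payments-lead"},
    "payments:approve":  {"sensitivity": "high", "department": "payments", "owner": "payments-lead"},
    "reports:view":      {"sensitivity": "low",  "department": "finance",  "owner": "finance-lead"},
}

# Constructed SoD policy: pairs of entitlements one person must never hold together.
SOD_POLICY = {frozenset({"payments:initiate", "payments:approve"})}


def sod_conflicts(current_entitlements, requested):
    """Return the SoD pairs that granting `requested` would complete for this person."""
    return [p for p in SOD_POLICY if requested in p and (p - {requested}) <= set(current_entitlements)]


def approval_route(requester, requested):
    """Decide how one request is handled: (decision, ordered approvers, reasons).

    requester is the identity context: {'department', 'role', 'entitlements'}.
    """
    attrs = ENTITLEMENTS.get(requested)
    if attrs is None:
        return ("reject", [], ["unknown entitlement"])
    conflicts = sod_conflicts(requester["entitlements"], requested)
    if conflicts:
        # Toxic combination: never routed for approval, regardless of who asks.
        pair = " + ".join(sorted(next(iter(conflicts))))
        return ("reject", [], ["SoD violation: " + pair])
    approvers, reasons = ["manager"], []                 # every request needs the line manager
    if attrs["sensitivity"] == "high":
        approvers.append(attrs["owner"])                 # sensitive entitlements also need the owner
        reasons.append("high sensitivity requires owner approval")
    if requester["department"] != attrs["department"]:
        approvers.append("security-review")              # cross-department requests get a security step
        reasons.append("requester outside owning department")
    return ("approve-pending", approvers, reasons)
```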

The integration layer of AFX is based on a loosely-coupled, open approach – using a well-established communication architecture, the Enterprise Service Bus (ESB). By leveraging an open source ESB, and by publishing both the message format and source code for the adapters used with AFX, enterprises can embrace AFX with full confidence in the solution’s extensibility and flexibility, without fear of investing in a proprietary, closed architecture.

In short, we believe that the combination of cleanly separating business logic from integration logic, and leveraging an open integration platform, will provide enterprises with the reduced costs and improved efficiency that they’ve been asking for. We’ll be writing more about AFX over the coming months, and look forward to discussing it with you.

Aveksa Welcomes John McMahon to the Board of Directors

We’re pleased to announce today that John McMahon has joined the Aveksa Board of Directors. As a software industry veteran, John brings a great deal of insight and experience, having held leadership positions in firms such as BMC, BladeLogic, Cisco, PTC, and Ariba.  John, on behalf of the entire Aveksa team, welcome! We look forward to working closely with you, as we continue Aveksa’s journey of growth and scale.

UBS Announces $2B Rogue Trading Loss; Connection to Lack of Access Governance

Today’s financial and information security headlines are focused on UBS’s announcement of $2B in losses due to unauthorized trades.  The rogue trader has been arrested, and an investigation is ongoing.

While the details of how this happened will likely be determined and revealed over the next few weeks, there’s (at least as of now) a clear parallel to the Société Générale case from a few years ago.   Here’s a key quote from today’s WSJ article (emphasis added):

“According to Mr. Adoboli’s LinkedIn profile, he is a director at UBS’s ETF desk within a unit called Delta1 Trading. He previously worked as a trade-support analyst at the bank”

This clearly indicates a potential lack of solid access governance at UBS – one very possible scenario is that Mr. Adoboli maintained access rights from his previous role, and carried them forward into his trading role.  As a result, these leftover entitlements may well have been what enabled this fraud.

Very clearly, UBS and other enterprises need to have a solid grasp of who has access to what, with

  • Solid processes to detect internal job changes, and respond to them with entitlement reviews
  • Regular manager reviews of user entitlements

It’s also important to make sure that these are presented in business-understandable terms, so that supervisors can make informed and accurate decisions about whether to maintain or revoke each user entitlement.
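As an added example (not Aveksa’s code) of the first bullet above, the following compares two HR snapshots to detect internal job changes, then flags the entitlements a mover still holds that only the previous role justified, presenting each one in business-readable terms for the manager’s review. The roles, role-to-entitlement baseline, descriptions and snapshots are all constructed.

```python
"""Detect job changes and flag entitlements left over from the previous role."""

# Constructed baseline: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "trade-support-analyst": {"trade-book:amend", "settlement:view"},
    "trading-director":      {"trade-book:view", "order-entry:submit"},
}

# Constructed business-readable descriptions shown to the reviewing manager.
DESCRIPTIONS = {
    "trade-book:amend":   "Amend booked trades after execution",
    "settlement:view":    "View settlement status",
    "trade-book:view":    "View the trade book",
    "order-entry:submit": "Submit orders to market",
}


def detect_movers(previous, current):
    """Users whose 'role' differs between two HR snapshots (user_id -> record)."""
    return sorted(u for u in current if u in previous and previous[u]["role"] != current[u]["role"])


def leftover_entitlements(user, previous, current, held):
    """Entitlements `user` still holds that the old role justified but the new role does not."""
    old_ok = ROLE_BASELINE.get(previous[user]["role"], set())
    new_ok = ROLE_BASELINE.get(current[user]["role"], set())
    return sorted((set(held) & old_ok) - new_ok)


def review_items(previous, current, held_by_user):
    """Manager review list: one plain-language line per leftover entitlement of each mover."""
    items = []
    for user in detect_movers(previous, current):
        for ent in leftover_entitlements(user, previous, current, held_by_user.get(user, [])):
            items.append(f"{user}: {DESCRIPTIONS.get(ent, ent)} [{ent}], held from prior role "
                         f"{previous[user]['role']}; confirm or revoke")
    return items


# Constructed snapshots: u1 moved from trade support to the trading desk and kept all old access.
PREVIOUS = {"u1": {"role": "trade-support-analyst"}, "u2": {"role": "trading-director"}}
CURRENT = {"u1": {"role": "trading-director"}, "u2": {"role": "trading-director"}}
HELD = {"u1": ["trade-book:amend", "settlement:view", "trade-book:view", "order-entry:submit"],
        "u2": ["trade-book:view", "order-entry:submit"]}
```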

Aveksa announces CertifiedXS Partner Program

I’m pleased to announce Aveksa’s new partner program, CertifiedXS. Pronounced “Certified Access”, this new program will provide our customers with the ability to easily find well-qualified implementation partners, with the assurance that these partners have met our stringent qualifications, and have solid, real-world experience implementing the Aveksa access governance solution.

With our program launch partners (Advancive, Column Technologies, and ILANTUS), we’re excited to have this newly structured program in place, and have a number of new implementation partners in progress. The full program is outlined here.

By proactively educating our implementation partners, and ensuring that they are well-prepared, we ensure that our customers will have successful deployments, which is our top priority.  It’s about quality, not quantity.

VMware Adding Native DLP; Underscores Need for Identity Context

Here’s a well-written article from InfoWorld, explaining VMware’s forthcoming DLP (Data Loss Prevention) solution, to be announced at this week’s VMworld show.  Clearly, this is a first step – while based on RSA’s DLP Suite, the new VMware solution is not integrated into it (and is reflective of the complex EMC-VMW relationship).

As a VMware partner, customer, and ecosystem participant, I’m pleased to see that they will be offering APIs, through which third-party vendors (such as Aveksa), as well as customers can integrate. For example, at Aveksa we can easily foresee using these APIs to pull in classification metadata, and use this to augment and inform decisions about access to data resources. This is exactly the use case that our Data Access Governance customers are asking for, and are doing today with other DLP products.

DLP, while technically interesting and important, is only one piece of the puzzle — you need both DLP metadata *and* identity insight in order to enable IT and the business to make well-informed access decisions.  That is, being able to automatically classify the sensitivity of data resources is a great first step, but the key second step is to use this classification to decide who should and should not have access to this data – and this kind of decision-making requires solid information about identities and their business & technical roles.  Industry analysts agree with this – see the recent Forrester report “Your Data Protection Strategy Will Fail Without Identity Context” – for a great explanation.

As a software vendor, we’re glad to be able to provide this context, and help enterprises leverage their DLP solutions to make better access decisions, and to have successful data protection initiatives.

Aveksa and Column Technologies’ Partnership

All of us at Aveksa are pleased to announce today a new, strategic partnership between Aveksa and Column Technologies. Column, a leading consulting and services firm, will now be including Aveksa in the set of IT Service Management architectures that they offer to their customers.

Column has over a decade of experience implementing ITSM Solutions, based on the market-leading offerings from BMC Software. With the addition of Aveksa’s solution, Column can now provide customers with a solution that integrates Aveksa’s capable access governance product into an enterprise’s ITSM Suite.

Operationally, this will typically flow along the following lines: An enterprise is using the BMC Remedy Suite for their change management processes. As they implement the Aveksa access governance solution (whether for basic access certification, or for more advanced scenarios such as role management and access request), these operations will result in change requests, change approvals, and change execution. Like many enterprises, they want to be able to integrate these access-driven changes with their ITSM solution. Because Aveksa has an embedded workflow engine, and because its change approval and execution processes are flexible, Column will be able to help organizations choose the level of integration that’s appropriate for them. Often, organizations use Remedy Service Desk as the vehicle through which all access changes are executed. In this scenario, Aveksa automatically creates a prepopulated ticket within Remedy, initiating the standard change management process. Once the ticket is closed within Remedy, Aveksa tracks this, and monitors the source system to validate that the requested change was properly executed.
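The closed-loop part of that flow is the step worth getting right: a closed ticket is not proof that access actually changed. The added example below (not Aveksa’s or BMC’s code, and using no Remedy API) prepopulates the ticket fields for each change and, once a ticket is marked closed, compares the requested grant or revoke against a snapshot of the target system, reporting any change that was closed but never carried out. Ticket states, users and entitlements are constructed.

```python
"""Closed-loop fulfillment check: verify the target system reflects each closed change ticket."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRequest:
    ticket_id: str
    user: str
    entitlement: str
    action: str              # "grant" or "revoke"


def build_ticket_fields(change):
    """Fields a governance system would prepopulate on the service-desk ticket."""
    return {"summary": f"{change.action.upper()} {change.entitlement} for {change.user}",
            "user": change.user, "entitlement": change.entitlement, "action": change.action}


def validate_fulfillment(changes, ticket_status, target_state):
    """Map each ticket_id to 'pending', 'verified' or 'FAILED'.

    ticket_status: ticket_id -> "open" | "closed"  (as read back from the service desk)
    target_state:  user -> set of entitlements actually held on the target system
    """
    results = {}
    for c in changes:
        if ticket_status.get(c.ticket_id) != "closed":
            results[c.ticket_id] = "pending"            # still inside change management
            continue
        held = c.entitlement in target_state.get(c.user, set())
        expected_held = (c.action == "grant")           # a revoke should leave it absent
        results[c.ticket_id] = "verified" if held == expected_held else "FAILED"
    return results


# Constructed data: two closed tickets (one never actually executed) and one still open.
CHANGES = [
    ChangeRequest("CRQ-1", "alice", "ledger:write", "revoke"),
    ChangeRequest("CRQ-2", "bob", "ledger:read", "grant"),
    ChangeRequest("CRQ-3", "carol", "ledger:write", "revoke"),
]
TICKETS = {"CRQ-1": "closed", "CRQ-2": "closed", "CRQ-3": "open"}
TARGET = {"alice": {"ledger:write"},     # the revoke was closed in the ticket system but not done
          "bob": {"ledger:read"},
          "carol": {"ledger:write"}}
```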

This is just one example of how these products are typically used together.  Naturally, each enterprise’s requirements and priorities are different — and Column’s skilled consultants will work with you to design and implement the solution best-suited to your environment.

For more information, you can find today’s press release here.