Insights: the Aveksa Blog

Aveksa Named a Leader in Gartner Magic Quadrant

Jason Garbis — Mon, 09 Jan 2012 02:44:26 +0000

We’re pleased to announce that Aveksa was named a Leader in the new “Magic Quadrant for Identity and Access Governance”, published last month by Gartner. In the report, the authors (Gartner Analysts Earl Perkins and Perry Carpenter) state: “managing identity and access is more than an operational concern. Rather, it requires governance of identity and entitlement life cycles in the enterprise.”

They also note that the need for (and recognition of the need for) identity and access management governance is growing – they estimate that IAG-led projects will double from one-third of all IAM projects, to two-thirds by 2013.

We’re happy to have been named a leader in this report, and are grateful to our customers — the reason for our success.

SharePoint Access a Key Factor in Bradley Manning Leaks

Jason Garbis — Mon, 19 Dec 2011 03:31:25 +0000

According to the Army’s digital forensic expert, accused WikiLeaker Bradley Manning obtained classified Guantanamo Bay detainee assessments from a SharePoint site, and subsequently leaked them to WikiLeaks. Wired magazine states that the forensic analyst discovered “scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same” [1]

Unauthorized SharePoint access is a common security gap, in many organizations. We’ve seen numerous customers struggling with this, unable to get their arms around who has access to which SharePoint site, and what types of data (classification, risk level, and content) are thus accessible.

While most organizations don’t need to worry about employee access to classified information, rogue access to confidential corporate information can nonetheless be damaging and expensive – as clearly demonstrated by the RSA and Sony incidents this year.

I’m sure there will be additional Information Security-related aspects of the ongoing Manning hearing, and we’ll continue to cover them here.

Bradley Manning Hearing Starts Today

Jason Garbis — Fri, 16 Dec 2011 14:38:32 +0000

The much-anticipated hearing for accused leaker Bradley Manning starts today. This is not a trial for establishing guilt or innocence, but rather the military equivalent of a grand jury hearing — giving prosecutors and defense the opportunity to present information, intended to convince a judge that there is enough to proceed to a trial.

There’s been a tremendous amount of media coverage and protest around this, related to both Manning’s actions, as well as the government’s treatment of the accused. Staying away from the political aspects of these, we’ll be monitoring the Information Security aspects of the hearing. Portions of the hearing will be open to journalists, while some will be closed to the public, due to security considerations.

The Guardian has a good overview, here , and their journalist @Edpilkington is live tweeting the trial.

Questions in Advance of the Bradley Manning Hearing

Jason Garbis — Fri, 09 Dec 2011 03:08:49 +0000

Next week’s military assignment of accused leaker Bradley Manning promises to be interesting at many different levels, with defense and prosecution sparring in the press over witnesses and legal strategies. Putting aside the political and legal aspects, we will be watching this closely to see how much of a role access management plays, and to find some answers to questions that are relevant to us as practitioners in this space. Specifically, did the Army know what classified information Private Manning had access to? Would they have been able to effectively restrict his access to it, had they chosen to do so? Did they try, and fail to prevent this? Was there a sufficiently well-thought out and well-executed data security strategy in place, for this sensitive information?

According to publicly released defense documents[1], the Army was not doing an at-all adequate job in securing the data resources on shared, secure systems – one of the witnesses “will testify that the information assurance procedures were not being followed by the brigade” and that “the brigade did not have an Approval to Operate (ATO) or an Interim Approval to Operate (IATO) for their network. Additionally, the brigade did not receive a formal IA [Information Assurance] certification and accreditation inspection during its tour, contrary to the guidance in MNF-I Directives”[2].

Like many of the enterprises I speak with, this organization had both internal and external information security guidelines, and was not doing a good-enough job meeting them. Could an effective Access Governance solution have prevented these leaks from occurring? This certainly appears to be the case, and we look forward to learning more next week, as the hearing begins.

[1] DEFENSE REQUEST FOR ARTICLE 32 WITNESSES http://www.wired.com/images_blogs/threatlevel/2011/12/Defense-Article-32-Witness-List.pdf
[2] ibid, page 9

Account versus Entitlement Reviews (part 2)

Jason Garbis — Tue, 06 Dec 2011 03:24:33 +0000

Continuing from my previous entryon this topic, I’m continuing the discussion about different approaches toward capturing user entitlement information, specifically considering the merits of doing so at the account level versus at the entitlement level. Typically, having a system that provides more insight into the details of which application (or data) entitlements a user has is better – so that the appropriate people in the organization can make better, more informed, and more granular access decisions.

But, in two scenarios, it does make sense to capture and use data just at an account level. The first situation is in a period of transition – where the organization may not yet have the infrastructure or capability to capture, normalize, process, and present detailed entitlements to reviewers (or to users requesting access). This is a perfectly fine approach, and can be quite useful as a way to put in place business processes for review or access request, and to begin to familiarize end users with them – as long as there’s a concrete plan to ultimately move to reviewing and requesting at an entitlement level. These shouldn’t be left indefinitely at an account level – it simply doesn’t provide enough visibility or control, isn’t audit-proof, and will likely lead to a false sense of security.

The second scenario is when the information about an account’s existence is in fact sufficient for its designated purpose. For example, one of our customers keeps track of which employees have accounts on their mainframe system. None of the applications on the mainframe are subject to entitlement reviews, so they don’t need to capture the entitlement details. Instead, they use the account information as part of their Leaver process – so that when a person departs the organization, IT has a clear view of whether or not a mainframe account needs to be deprovisioned, and can act accordingly. This is a simple, yet effective scenario, and a great example of the value of having an Access Management Database (XMDB) with complete information about identities and access, even beyond traditional focus of access governance systems

In general, of course, organizations need to capture and operationalize with a detailed view of user entitlements, in order to meet their access-related security and compliance goals.

Great Reporting by Wired Magazine on How False Illinois SCADA Attack Came To Be

Jason Garbis — Thu, 01 Dec 2011 15:17:43 +0000

Here’s a terrific, clear article from Wired Magazine, explaining the series of events and mis-steps behind last week’s erroneous report and subsequent news maelstrom on the (fictional) Cyber-attack on the Illinois water-control system.

Even though this turned out to be a simple mechanical failure, and not a cyber-attack, we must keep in mind that these SCADA systems have in fact been breached successfully (see my blog posting below), and must strengthen our security accordingly.

FBI: Hackers Have Accessed City Infrastructures via Compromised SCADA Systems

Jason Garbis — Tue, 29 Nov 2011 19:48:54 +0000

According to the FBI Cyber Division, hackers have accessed the SCADA (Supervisory Control and Data Acquisition) infrastructures in 3 major US cities. As reported today in Information Age, the FBI’s deputy assistant director stated that 3 US cities have recently had SCADA systems taken over by hackers.

Fortunately these hackers did not cause any damage, but this certainly does raise the profile and the risk associated with such industrial control systems. Please, take the time to make a baseline assessment of your infrastructure, and get clear visibility into whether you have these kinds of industrial control systems, and who has access to them.

Was this related to the alleged Illinois SCADA compromise? According to Information Age, the FBI speaker “would not clarify” whether it was related. However, I believe that we need to take at face value yesterday’s assertion from the FBI and the US Department of Homeland Security that no intrusion occurred in Illinois, at the Curran-Gardner Public Water District.

Take a Deep Breath – The Alleged Illinois Water District SCADA Hack Did Not Occur (But, Put In Place a Thoughtful Security Program — Now)

Jason Garbis — Mon, 28 Nov 2011 18:49:37 +0000

According to the US Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), “ICS-CERT and the FBI found no evidence of a cyber intrusion” and that “there is no evidence to support claims made in the initial Illinois STIC report…that any credentials were stolen, or that the vendor was involved in any malicious activity” [1]

While this is a relief, it’s distressing to see, based on commentary and media coverage, how vulnerable these industrial control systems apparently are. And, in a bitter irony, the coverage and attention raised by what turned out to be a media event (as opposed to an actual security event), will in fact raise the likelihood of future attacks on industrial control systems.

So, organizations with these kinds of control systems in place — please, do two things, immediately:

Read through the Department of Homeland Security document Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies
Evaluate and improve your access management systems, to ensure that you have an effective program enforcing the principle of least access.

[1] http://www.us-cert.gov/control_systems/pdf/ICSB-11-327-01.pdf

Upcoming Trial for Accused WikiLeaks Source Bradley Manning

Jason Garbis — Wed, 23 Nov 2011 04:03:36 +0000

Private Bradley Manning, who has been charged with 22 counts associated with the leaks of classified information to WikiLeaks, will be facing a pre-trial hearing starting December 16, during which his defense attorneys plan to call 50 witnesses to testify. Most of this will be open to the public, and will likely be covered in-depth by the media.

From an information security perspective, I’m particularly interested in seeing how much of a role access management plays in both the prosecution and defense arguments. According to a Wired Magazine article, expert testimony “might include assessments of forensic evidence from classified networks and databases that contained the sensitive documents Manning is charged with downloading and leaking.”

We’ll be using this blog to discuss the information security aspects of the trial, and explore any implications to the larger identity management industry.

IT Business Edge: Making It Easier to Do the Right GRC Thing

Jason Garbis — Tue, 22 Nov 2011 21:36:49 +0000

Here’s a link to a new article in IT Business Edge, summarizing a discussion with Aveksa CEO Vick Vaishnavi. In this article, the author succinctly explains the challenges around governing user access, and how Aveksa’s solutions can help improve security and efficiency.