Introducing Aveksa’s Access Governance-as-a-Service

The team at Aveksa is pleased to announce a new offering – a hosted Access Governance solution, delivered in an as-a-Service model. In conjunction with ILANTUS, Aveksa’s trusted implementation partner, smaller and mid-sized businesses now have the option of an off-premise, hosted deployment running on Rackspace, the industry’s leading hosting provider. In addition, this new offering uses a pay-as-you-go pricing structure, eliminating upfront capital expenses and providing customers with a simple way to balance cost with derived value.

One unique challenge for smaller organizations is that they typically don’t have sufficient IT or Information Security staff in place to implement an on-premise access governance solution, and often haven’t yet established business processes around access management. To address this need, ILANTUS is uniquely structuring this offering around fixed-price, fixed-time implementations – providing customers with not just a hosted and managed access governance system, but guidance around establishing the operating processes necessary for success.

As a result, with Aveksa and ILANTUS, customers can quickly and efficiently meet access-related compliance requirements, and implement efficient business processes for users to request access — with zero risk and at an affordable cost. ILANTUS has great depth of experience in the Identity Management arena, with over 11 years of implementations, so customers can proceed with confidence. Please feel free to contact us or ILANTUS with any questions about this new offering.

Heading to the Gartner Identity and Access Management Show?

Join Aveksa at next week’s Gartner IAM show in San Diego. Stop by our booth to say hello, test your IAM knowledge, and enter to win a fabulous prize!

Also join us on Wednesday morning at 9.15, when an Aveksa customer explains their IAM business challenges, approaches, and benefits obtained from implementing the Aveksa solution.


Account versus Entitlement Reviews

In my role at Aveksa, I’m fortunate enough to be able to talk to customers and prospective customers on a regular basis. I truly enjoy meeting these folks, asking a few questions, and learning about their Identity Management priorities, challenges, and the business and technology drivers behind them. People love to talk about what they do, and always seem happy to share.

One of the things I’ve noticed periodically is that organizations will review user access at the account level – making access decisions based on whether an individual has an account in a given application, and not on what specific capabilities they have within the app. This is arguably better than nothing, but also arguably worse than nothing!

I’ve tried to summarize the pros and cons of such an approach below:

Access Reviews at the Account Level

Pros

  • Satisfies “checkbox” audit requirements
  • Will remove some unauthorized access rights
  • Increases awareness of this application from a security perspective
  • Establishes processes for account data collection, and ownership of review process

Cons

  • May not satisfy auditors’ requirements
  • Cannot distinguish scope of user access rights
  • May lead to false sense of security

While access certification at the account level is less than ideal, on balance it can be quite useful as a transitory state, to help the organization begin to establish access governance processes, ownership, and accountability. For most applications and resources, it shouldn’t be considered as a desired end state**.

The good news is that all the enterprises I’ve spoken with recognize that the correct approach is to perform access reviews at the entitlement level, and are determined to accomplish this.

** As always in life and computers, there are exceptions! I’ll be writing about this in an upcoming blog post, under the category of “when doing a bad thing is good”.
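To make the “cannot distinguish scope” con concrete, here is an added example (not Aveksa’s code) that builds the review items a reviewer would see for the same constructed access data at account level and at entitlement level; the users, application and entitlement names are all made up.

```python
# Added example (not Aveksa's code): model the same access data reviewed at
# account level and at entitlement level, to show what each review surfaces.
# All users, applications and entitlements below are constructed sample data.
from collections import defaultdict

# Constructed: what each user actually holds in the "Trading" application.
ASSIGNMENTS = [
    ("alice", "Trading", "view_positions"),
    ("bob",   "Trading", "view_positions"),
    ("bob",   "Trading", "book_trades"),
    ("bob",   "Trading", "approve_settlement"),   # sensitive, rarely needed
    ("carol", "Trading", "book_trades"),
]

# Constructed: entitlements the organisation considers sensitive.
SENSITIVE = {"approve_settlement"}


def account_level_items(assignments):
    """One review item per (user, application): 'does X need an account in Y?'"""
    items = sorted({(user, app) for user, app, _ in assignments})
    return [{"user": u, "application": a} for u, a in items]


def entitlement_level_items(assignments):
    """One review item per entitlement, carrying the scope the reviewer needs."""
    return [{"user": u, "application": a, "entitlement": e,
             "sensitive": e in SENSITIVE} for u, a, e in sorted(assignments)]


def indistinguishable_users(assignments):
    """Pairs of users an account-level reviewer cannot tell apart although
    their rights differ: same account set, different entitlement set."""
    accounts, rights = defaultdict(set), defaultdict(set)
    for user, app, ent in assignments:
        accounts[user].add(app)
        rights[user].add((app, ent))
    users = sorted(accounts)
    return [(a, b) for i, a in enumerate(users) for b in users[i + 1:]
            if accounts[a] == accounts[b] and rights[a] != rights[b]]


def sensitive_items_visible(items):
    """How many review items expose a sensitive entitlement to the reviewer."""
    return sum(1 for it in items if it.get("sensitive"))


if __name__ == "__main__":
    acct, ent = account_level_items(ASSIGNMENTS), entitlement_level_items(ASSIGNMENTS)
    print(len(acct), "account-level items,", sensitive_items_visible(acct), "show sensitivity")
    print(len(ent), "entitlement-level items,", sensitive_items_visible(ent), "show sensitivity")
    print("indistinguishable at account level:", indistinguishable_users(ASSIGNMENTS))
```

At account level all three users collapse into identical “has an account in Trading” items, so bob’s settlement-approval right never reaches the reviewer.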

Introducing Access Fulfillment Express

Today, all of us at Aveksa are pleased to announce a new product offering, Access Fulfillment Express™ (which we affectionately refer to as AFX). We’ve designed and built this product to address what we see as a clear need within our customer base, and in the Identity Management industry in general – a way to eliminate the cost, complexity, and frustration typically associated with provisioning implementations. Talking to customers, analysts, and other influencers, we’ve seen this frustration, and believe that the fundamental problem is that typical provisioning systems intermingle business logic and integration logic, and rely on a coding-centric implementation approach.

The result is that implementations take on the negative characteristics of point-to-point integration projects, where business policies (such as who should have access to what) are implemented at the same architectural layer, and with the same language, as integration mechanics (such as the mapping of a message to a set of application API calls).  We believe differently — that the business logic belongs at the access governance layer – it’s the only place with full identity context, with the ability to define rules and processes that are applicable to business users, and is independent of the technology and mechanics of target systems. And, that such systems should avoid the need for custom coding, and instead provide a configuration-centric solution.

Consider, for instance, the creation of a rule that controls the approval process for a user’s request for application access.  This rule should be able to take into consideration attributes of the requested entitlement (such as its sensitivity), attributes of the requesting person (department, role),  and full identity context (what other entitlements does this person have, and will this new one violate any SoD policies?).  This rule should not be in any way connected to how the system integrates with the target application (which after all can and likely will change over time), and should definitely not be hard-coded in a programming language (thus requiring a software engineering cycle to make even minor adjustments).

The integration layer of AFX is based on a loosely-coupled, open approach – using a well-established communication architecture, the Enterprise Service Bus (ESB).  By leveraging an open source ESB, and by publishing both the message format and source code for the adapters used with AFX, enterprises can embrace AFX with full confidence in the solution’s extensibility and flexibility, without fear of investing in a proprietary, closed architecture.

In short, we believe that the combination of cleanly separating business logic from integration logic, and leveraging an open integration platform, will provide enterprises with the reduced costs and improved efficiency that they’ve been asking for. We’ll be writing more about AFX over the coming months, and look forward to discussing it with you.
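The separation argued for above, as an added example that is not AFX code: an approval rule evaluated at the governance layer from entitlement sensitivity, requester attributes, the requester’s existing entitlements and an SoD policy, and a fulfillment message built afterwards for the integration layer that carries none of that policy. The catalogue, SoD policy, department mapping and requester are all constructed.

```python
# Added example (not AFX code): an approval rule evaluated at the governance
# layer, separate from the fulfillment message sent to the integration layer.
# The catalogue, SoD policy, departments and requester are constructed.

# Constructed catalogue: entitlement -> (application, sensitivity, business owner)
CATALOG = {
    "book_trades":        ("Trading",    "high", "trading-desk-head"),
    "approve_settlement": ("Settlement", "high", "ops-controller"),
    "view_positions":     ("Trading",    "low",  "trading-desk-head"),
}
# Constructed SoD policy: entitlement sets one person must never hold together.
SOD_POLICIES = [frozenset({"book_trades", "approve_settlement"})]
# Constructed mapping of application to the department that owns it.
APP_DEPARTMENT = {"Trading": "front-office", "Settlement": "operations"}


def evaluate_request(requester, entitlement, existing):
    """Governance-layer rule: uses the entitlement's sensitivity, the requester's
    department and manager, and the requester's full existing entitlement set.
    Returns ("reject", reason) or ("approve", [approver, ...])."""
    app, sensitivity, owner = CATALOG[entitlement]
    held = set(existing) | {entitlement}
    for policy in SOD_POLICIES:
        if policy <= held:                       # the full toxic combination
            return ("reject", "SoD violation: " + " + ".join(sorted(policy)))
    chain = [requester["manager"]]               # every request: line manager
    if sensitivity == "high":
        chain.append(owner)                      # sensitive: business owner too
    if requester["department"] != APP_DEPARTMENT[app]:
        chain.append("security-review")          # cross-department access
    return ("approve", chain)


def fulfillment_message(requester, entitlement):
    """Built only after approval, for the integration layer (the ESB adapter for
    the target). It names the account, target and action; sensitivity, SoD and
    approver data stay at the governance layer, so the adapter can change freely."""
    app, _, _ = CATALOG[entitlement]
    return {"action": "grant", "target": app,
            "account": requester["id"], "entitlement": entitlement}


if __name__ == "__main__":
    jdoe = {"id": "jdoe", "department": "front-office", "manager": "desk-mgr"}
    print(evaluate_request(jdoe, "book_trades", ["view_positions"]))
    print(evaluate_request(jdoe, "approve_settlement", ["book_trades"]))
    print(fulfillment_message(jdoe, "book_trades"))
```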

Aveksa Welcomes John McMahon to the Board of Directors

We’re pleased to announce today that John McMahon has joined the Aveksa Board of Directors. As a software industry veteran, John brings a great deal of insight and experience, having held leadership positions in firms such as BMC, BladeLogic, Cisco, PTC, and Ariba.  John, on behalf of the entire Aveksa team, welcome! We look forward to working closely with you, as we continue Aveksa’s journey of growth and scale.

UBS Announces $2B Rogue Trading Loss; Connection to Lack of Access Governance

Today’s financial and information security headlines are focused on UBS’s announcement of $2B in losses due to unauthorized trades.  The rogue trader has been arrested, and an investigation is ongoing.

While the details of how this happened will likely be determined and revealed over the next few weeks, there’s (at least as of now) a clear parallel to the Société Générale case from a few years ago. Here’s a key quote from today’s WSJ article (emphasis added):

“According to Mr. Adoboli’s LinkedIn profile, he is a director at UBS’s ETF desk within a unit called Delta1 Trading. He previously worked as a trade-support analyst at the bank

This clearly indicates a potential lack of solid access governance at UBS – one very possible scenario is that Mr. Adoboli maintained access rights from his previous role, and carried them forward into his trading role.  As a result, these leftover entitlements may well have been what enabled this fraud.

Very clearly, UBS and other enterprises need to have a solid grasp of who has access to what, with

  • Solid processes to detect internal job changes, and respond to them with entitlement reviews
  • Regular manager reviews of user entitlements

It’s also important to make sure that these are presented in business-understandable terms, so that supervisors can make informed and accurate decisions about whether to maintain or revoke each user entitlement.
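Detection logic for the two controls listed above, as an added example rather than anything from Aveksa’s product: it diffs two constructed HR snapshots to find internal job changes, lists each mover’s entitlements that the old role justified but the new one does not, and separately lists out-of-baseline entitlements for the regular manager review. The job titles, role model and assignments are constructed.

```python
# Added example (not Aveksa's code): mover detection plus leftover-entitlement
# review items, using constructed HR snapshots, role model and assignments.

# Constructed HR snapshots: user -> job title, before and after a job change
HR_BEFORE = {"jdoe": "trade-support-analyst", "asmith": "trader", "bjones": "trader"}
HR_AFTER  = {"jdoe": "trader",                "asmith": "trader", "bjones": "trader"}

# Constructed role model: job title -> entitlements that role legitimately needs
ROLE_BASELINE = {
    "trade-support-analyst": {"view_positions", "amend_trade_records", "approve_settlement"},
    "trader":                {"view_positions", "book_trades"},
}

# Constructed current assignments: jdoe kept everything from the previous job
ASSIGNED = {
    "jdoe":   {"view_positions", "amend_trade_records", "approve_settlement", "book_trades"},
    "asmith": {"view_positions", "book_trades"},
    "bjones": {"view_positions", "book_trades", "amend_trade_records"},
}


def detect_movers(before, after):
    """Users present in both snapshots whose job title changed."""
    return {u: (before[u], after[u]) for u in after
            if u in before and before[u] != after[u]}


def leftover_entitlements(user, old_role, new_role, assigned, baseline):
    """Entitlements the mover still holds that the old role justified and the
    new role does not: what the new manager must re-certify or revoke."""
    return sorted((assigned[user] & baseline[old_role]) - baseline[new_role])


def out_of_baseline(after, assigned, baseline):
    """Regular review: entitlements a user holds that the current role does
    not justify, whether or not a job change was detected."""
    return {u: sorted(assigned[u] - baseline[after[u]]) for u in after
            if assigned[u] - baseline[after[u]]}


def review_items(before, after, assigned, baseline):
    """One business-readable review item per leftover entitlement of each mover."""
    items = []
    for user, (old, new) in detect_movers(before, after).items():
        for ent in leftover_entitlements(user, old, new, assigned, baseline):
            items.append({"user": user, "from": old, "to": new, "entitlement": ent,
                          "question": f"Does a {new} still need {ent}?"})
    return items


if __name__ == "__main__":
    print(review_items(HR_BEFORE, HR_AFTER, ASSIGNED, ROLE_BASELINE))
```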

Aveksa announces CertifiedXS Partner Program

I’m pleased to announce  Aveksa’s new partner program, CertifiedXS.  Pronounced “Certified Access”, this new program will provide our customers with the ability to easily find well-qualified implementation partners, with the assurance that these partners have met our stringent qualifications, and have solid, real-world experience implementing the Aveksa access governance solution.

With our program launch partners (Advancive, Column Technologies, and ILANTUS), we’re excited to have this newly structured program in place, and have a number of new implementation partners in progress. The full program is outlined here.

By proactively educating our implementation partners, and ensuring that they are well-prepared, we ensure that our customers will have successful deployments, which is our top priority.  It’s about quality, not quantity.

Article on RSA breach – original phishing email discovered

Here’s a link to a good article on the RSA breach, based on a researcher’s location of the actual email & file that initiated the attack. The article explains how attackers leveraged the compromised user’s network access to get to their real target — the SecurID encryption keys. This is a good lesson about how organizations need to better control user access rights. Or, at least, start with getting clear visibility into what users have access to. If this user had had limited (i.e. appropriate) network access to shared drives, this attack could have been avoided.


VMware adding native DLP ; Underscores need for Identity Context

Here’s a well-written article from InfoWorld, explaining VMware’s forthcoming DLP (Data Loss Prevention) solution, to be announced at this week’s VMworld show.  Clearly, this is a first step – while based on RSA’s DLP Suite, the new VMware solution is not integrated into it (and is reflective of the complex EMC-VMW relationship).

As a VMware partner, customer, and ecosystem participant, I’m pleased to see that they will be offering APIs, through which third-party vendors (such as Aveksa), as well as customers can integrate. For example, at Aveksa we can easily foresee using these APIs to pull in classification metadata, and use this to augment and inform decisions about access to data resources. This is exactly the use case that our Data Access Governance customers are asking for, and are doing today with other DLP products.

DLP, while technically interesting and important, is only one piece of the puzzle — you need both DLP metadata *and* identity insight in order to enable IT and the business to make well-informed access decisions.  That is, being able to automatically classify the sensitivity of data resources is a great first step, but the key second step is to use this classification to decide who should and should not have access to this data – and this kind of decision-making requires solid information about identities and their business & technical roles.  Industry analysts agree with this – see the recent Forrester report “Your Data Protection Strategy Will Fail Without Identity Context” – for a great explanation.

As a software vendor, we’re glad to be able to provide this context, and help enterprises leverage their DLP solutions to make better access decisions, and to have successful data protection initiatives.

Aveksa a Leader in Forrester Wave Report

Yesterday, independent research firm Forrester Research, Inc. released a new Wave report: The Forrester Wave™: Role Management and Access Recertification, Q3 2011. This is the first ranked analyst report for the Access Governance market space, and we’re very pleased to have been ranked as a leading vendor for both strategy and current offering. See our press release for the official word on this, and information about how to obtain a copy of the report.

The team here at Aveksa has worked hard on this, and worked closely with the folks at Forrester for the past few months. This is definitely a result that we’re proud of — but most importantly, I’d like to thank our customers, who are truly the ones responsible for our success.