Tag Archives: access governance

Aveksa Named a Leader in Gartner Magic Quadrant

We’re pleased to announce that Aveksa was named a Leader in the new “Magic Quadrant for Identity and Access Governance”, published last month by Gartner. In the report, the authors (Gartner Analysts Earl Perkins and Perry Carpenter) state: “managing identity and access is more than an operational concern. Rather, it requires governance of identity and entitlement life cycles in the enterprise.”

They also note that the need for (and recognition of the need for) identity and access management governance is growing – they estimate that IAG-led projects will double from one-third of all IAM projects, to two-thirds by 2013.

We’re happy to have been named a leader in this report, and are grateful to our customers — the reason for our success.

Account versus Entitlement Reviews (part 2)

Continuing from my previous entry on this topic, this post looks further at the different approaches toward capturing user entitlement information, specifically the merits of doing so at the account level versus at the entitlement level. Typically, a system that provides more insight into the details of which application (or data) entitlements a user has is better – it lets the appropriate people in the organization make better, more informed, and more granular access decisions.

But, in two scenarios, it does make sense to capture and use data just at an account level. The first situation is in a period of transition – where the organization may not yet have the infrastructure or capability to capture, normalize, process, and present detailed entitlements to reviewers (or to users requesting access). This is a perfectly fine approach, and can be quite useful as a way to put in place business processes for review or access request, and to begin to familiarize end users with them – as long as there’s a concrete plan to ultimately move to reviewing and requesting at an entitlement level. These shouldn’t be left indefinitely at an account level – it simply doesn’t provide enough visibility or control, isn’t audit-proof, and will likely lead to a false sense of security.

The second scenario is when the information about an account’s existence is in fact sufficient for its designated purpose. For example, one of our customers keeps track of which employees have accounts on their mainframe system. None of the applications on the mainframe are subject to entitlement reviews, so they don’t need to capture the entitlement details. Instead, they use the account information as part of their Leaver process – so that when a person departs the organization, IT has a clear view of whether or not a mainframe account needs to be deprovisioned, and can act accordingly. This is a simple, yet effective scenario, and a great example of the value of having an Access Management Database (XMDB) with complete information about identities and access, even beyond the traditional focus of access governance systems.

In general, of course, organizations need to capture and operationalize with a detailed view of user entitlements, in order to meet their access-related security and compliance goals.

IT Business Edge: Making It Easier to Do the Right GRC Thing

Here’s a link to a new article in IT Business Edge, summarizing a discussion with Aveksa CEO Vick Vaishnavi. In this article, the author succinctly explains the challenges around governing user access, and how Aveksa’s solutions can help improve security and efficiency.


Account versus Entitlement Reviews

In my role at Aveksa, I’m fortunate enough to be able to talk to customers and prospective customers on a regular basis. I truly enjoy meeting these folks, asking a few questions, and learning about their Identity Management priorities, challenges, and the business and technology drivers behind them. People love to talk about what they do, and always seem happy to share.

One of the things I’ve noticed periodically is that organizations will review user access at the account level – making access decisions based on whether an individual has an account in a given application, and not on what specific capabilities they have within the app. This is arguably better than nothing, but also arguably worse than nothing!

I’ve tried to summarize the pros and cons of such an approach below:

Access Reviews at the Account Level

Pros

  • Satisfies “checkbox” audit requirements
  • Will remove some unauthorized access rights
  • Increases awareness of this application from a security perspective
  • Establishes processes for account data collection, and ownership of review process

Cons

  • May not satisfy auditors’ requirements
  • Cannot distinguish scope of user access rights
  • May lead to false sense of security

While access certification at the account level is less than ideal, on balance it can be quite useful as a transitory state, to help the organization begin to establish access governance processes, ownership, and accountability. For most applications and resources, it shouldn’t be considered as a desired end state**.

The good news is that all the enterprises I’ve spoken with recognize that the correct approach is to perform access reviews at the entitlement level, and are determined to accomplish this.

** as always in life and computers, there are exceptions! I’ll be writing about this in an upcoming blog posting, under the category of “when doing a bad thing is good”
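To make the account-versus-entitlement distinction concrete (the Leaver scenario from part 2 above, and the “cannot distinguish scope of user access rights” con in this post), here is an added example that is not Aveksa’s code or data: a constructed slice of an access database with identities, accounts and, for one application only, the entitlements behind the accounts. The system names, account names and the set of “sensitive” rights are all assumptions made for the illustration.

```python
# Constructed sample of an access database (the posts call it an XMDB): identities
# from HR, accounts per target system, and entitlements for the one app modelled in depth.
IDENTITIES = {
    "u100": {"name": "Ana",   "status": "active"},
    "u101": {"name": "Ben",   "status": "terminated"},
    "u102": {"name": "Chloe", "status": "active"},
}
ACCOUNTS = [
    {"system": "mainframe", "account": "ANA01",     "owner": "u100"},
    {"system": "mainframe", "account": "BEN01",     "owner": "u101"},
    {"system": "erp",       "account": "ana",       "owner": "u100"},
    {"system": "erp",       "account": "chloe",     "owner": "u102"},
    {"system": "erp",       "account": "svc_batch", "owner": None},   # no identity behind it
]
ENTITLEMENTS = {  # (system, account) -> rights; only the ERP app is captured at this depth
    ("erp", "ana"):   {"view_invoices"},
    ("erp", "chloe"): {"view_invoices", "approve_payment", "create_vendor"},
}
SENSITIVE = {"approve_payment", "create_vendor"}   # assumed classification


def leaver_deprovisioning(identities, accounts):
    """Account-level data is enough here: list the accounts whose owner is no
    longer active, or that have no identity at all, so IT can deprovision them."""
    return sorted(
        (a["system"], a["account"])
        for a in accounts
        if identities.get(a["owner"], {}).get("status") != "active"
    )


def account_level_review(accounts, system):
    """What an account-level review shows a reviewer: who owns each account,
    and nothing about what the account is able to do."""
    return {a["account"]: a["owner"] for a in accounts if a["system"] == system}


def entitlement_level_review(accounts, entitlements, system, sensitive):
    """The same system at entitlement level: which accounts hold sensitive
    rights, something the account view cannot distinguish."""
    findings = {}
    for a in accounts:
        if a["system"] == system:
            rights = entitlements.get((system, a["account"]), set())
            findings[a["account"]] = sorted(rights & sensitive)
    return findings
```

Run against the ERP system, the account view reports only that three accounts exist, while the entitlement view singles out the one account holding both sensitive rights.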

Introducing Access Fulfillment Express

Today, all of us at Aveksa are pleased to announce a new product offering, Access Fulfillment Express™ (which we affectionately refer to as AFX). We’ve designed and built this product to address what we see as a clear need within our customer base, and in the Identity Management industry in general – a way to eliminate the cost, complexity, and frustration typically associated with provisioning implementations. Talking to customers, analysts, and other influencers, we’ve seen this frustration, and believe that the fundamental problem is that typical provisioning systems intermingle business logic and integration logic, and rely on a coding-centric implementation approach.

The result is that implementations take on the negative characteristics of point-to-point integration projects, where business policies (such as who should have access to what) are implemented at the same architectural layer, and with the same language, as integration mechanics (such as the mapping of a message to a set of application API calls).  We believe differently — that the business logic belongs at the access governance layer – it’s the only place with full identity context, with the ability to define rules and processes that are applicable to business users, and is independent of the technology and mechanics of target systems. And, that such systems should avoid the need for custom coding, and instead provide a configuration-centric solution.

Consider, for instance, the creation of a rule that controls the approval process for a user’s request for application access. This rule should be able to take into consideration attributes of the requested entitlement (such as its sensitivity), attributes of the requesting person (department, role), and full identity context (what other entitlements does this person have, and will this new one violate any SoD policies?). This rule should not be in any way connected to how the system integrates with the target application (which after all can and likely will change over time), and should definitely not be hard-coded in a programming language (thus requiring a software engineering cycle to make even minor adjustments).
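As an added illustration of such a rule (this is example code, not AFX or any Aveksa product logic), the routing decision below depends only on business-level facts: the entitlement’s sensitivity, the requester’s department and role, the entitlements they already hold, and an SoD policy list. Nothing in it knows how the target application is integrated. The SoD pair, sensitivity levels, approver names and the “contractor” role are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    app: str
    name: str
    sensitivity: str      # "low" or "high" (assumed classification)
    owning_dept: str      # department that normally holds this entitlement


@dataclass
class Person:
    name: str
    department: str
    role: str
    entitlements: frozenset = frozenset()   # Entitlement objects already held


# Constructed SoD policy: sets of (app, entitlement) that one person may never hold together.
SOD_POLICIES = [
    frozenset({("ERP", "create_vendor"), ("ERP", "approve_payment")}),
]


def sod_violations(person, requested):
    """Return the SoD policies that granting `requested` to `person` would violate."""
    held = {(e.app, e.name) for e in person.entitlements}
    held.add((requested.app, requested.name))
    return [policy for policy in SOD_POLICIES if policy <= held]


def route_request(person, requested):
    """Decide the outcome and approval chain for an access request.

    Returns (decision, approvers): "already_held", "rejected_sod", "auto_approve",
    or "approve" with the list of approver roles that must sign off."""
    if requested in person.entitlements:
        return ("already_held", [])
    if sod_violations(person, requested):          # full identity context first
        return ("rejected_sod", [])
    if requested.sensitivity == "high":            # attribute of the entitlement
        return ("approve", ["manager", "app_owner", "security"])
    if person.department != requested.owning_dept or person.role == "contractor":
        return ("approve", ["manager"])            # attributes of the requester
    return ("auto_approve", [])
```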

The integration layer of AFX is based on a loosely-coupled, open approach – using a well-established communication architecture, the Enterprise Service Bus (ESB). By leveraging an open source ESB, and by publishing both the message format and source code for the adapters used with AFX, enterprises can embrace AFX with full confidence in the solution’s extensibility and flexibility, without fear of investing in a proprietary, closed architecture.

In short, we believe that the combination of cleanly separating business logic from integration logic, and leveraging an open integration platform, will provide enterprises with the reduced costs and improved efficiency that they’ve been asking for. We’ll be writing more about AFX over the coming months, and look forward to discussing it with you.

Aveksa a Leader in Forrester Wave Report

Yesterday, independent research firm Forrester Research, Inc. released a new Wave report: The Forrester Wave™: Role Management and Access Recertification, Q3 2011. This is the first ranked analyst report for the Access Governance market space, and we’re very pleased to have been ranked as a leading vendor for both strategy and current offering. See our press release for the official word on this, and information about how to obtain a copy of the report.

The team here at Aveksa has worked hard on this, and worked closely with the folks at Forrester for the past few months. This is definitely a result that we’re proud of — but most importantly, I’d like to thank our customers, who are truly the ones responsible for our success.

“Dark Reading” on SQL Injection Attacks

Interesting overview of SQL injection attacks, in the current issue of Dark Reading (http://www.darkreading.com/ – look for it in the Supplement portion of Current Issue [registration required] )

I found this to be an easy read, and a good (and modestly technical) overview of the kinds of weaknesses that often exist in websites that utilize SQL behind a form. While most of the recommendations are tailored to the SQL developer (such as #1: Input Validation, or #3: Parameterized Queries), the one that’s different, and should be embraced by a broader audience, is #5: Least Privileged Principle: “Give users only the access and privileges that they absolutely need to perform their jobs”.

And in order to do so, you clearly need visibility of who has access to what, and control of the process for evaluating, granting, and revoking access. In short, you need access governance.
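Two of the recommendations mentioned above, parameterized queries and least privilege, side by side in an added example (not code from the Dark Reading article or from Aveksa). The lookup behind a login form is shown first with string concatenation and then with a bound parameter; the constructed user table, the inputs and the read-only restriction are all assumptions. SQLite has no GRANT, so the restriction uses the `sqlite3` authorizer callback to stand in for a database account that is only allowed to read one table.

```python
import sqlite3


def make_db():
    """Constructed sample database: one users table sitting behind a login form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'h1'), ('bob', 'h2')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Concatenation: the submitted value becomes part of the SQL grammar itself.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Recommendation #3: the driver binds the value; it can never alter the query structure.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def restrict_to_read_only(conn, table):
    """Recommendation #5 in miniature: this connection may only SELECT from `table`.
    The authorizer is consulted when a statement is prepared and vetoes anything else."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == table:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY          # DELETE, DROP, UPDATE, other tables, ...
    conn.set_authorizer(authorizer)


def try_statement(conn, sql):
    """Report whether the connection's privileges allow an arbitrary statement."""
    try:
        conn.execute(sql)
        return "allowed"
    except sqlite3.DatabaseError:           # "not authorized" arrives as DatabaseError
        return "denied"
```

With the classic tautology input, the concatenated query returns every user while the bound query returns none; after the restriction, a destructive statement reaching the database through any path is refused, which is the blast-radius reduction least privilege buys even when the first two recommendations have been missed somewhere.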


Thoughts on our Recent Security Survey

Recently, Aveksa conducted a survey, asking enterprises what impact the recent (and ongoing) security breaches have had on their IT security practices and approaches.  The full results are in the press release, but I want to discuss them in more depth here in this forum.

First, it’s clear that recent security breaches (such as those at RSA and Epsilon) are having an impact on InfoSecurity – raising concerns, and sparking actions. This is the appropriate response – things have gotten a lot more dangerous in the last 6 months, with attacks increasing both in severity and frequency. InfoSecurity teams are justifiably worried, about the security of their organization, the potential impact of a breach, and about potential new security & compliance requirements that may be imposed upon them from internal & external compliance teams. Unfortunately, this is not a simple problem, nor a single-dimensional one – in order to be effective, organizations need to address many aspects of their security systems – technical, people, and process — Security is not one thing that you buy, it’s many things that you do.

From our perspective as an access governance vendor, I’m glad that organizations are recognizing the role that access governance plays as part of their security strategy, as one of the “things you do”. Let’s make this concrete – take a look at this diagram from the Verizon Business 2011 Data Breach Investigations Report (which I highly recommend reading).


This shows a sample incident chain, which illustrates part of their classification mechanism for security incidents. While this is an example, it does closely map to the chain of events in the RSA breach.  What’s key to understand is that the step labeled CE1, whereby the attacker expands the scope of their attack from the backdoor-infected laptop to a file server, is directly due to inappropriately enabled access rights to the shared files.  In this case, if the enterprise did in fact have visibility that everyone had access to the files, they could have easily flagged this, appropriately constrained the server, and broken this incident chain.

Fortunately our survey shows that many people understand this, with 67% of respondents choosing “Implement Stronger Access Governance Controls” as the most important IT initiative their company will implement in the coming year to help reduce security threats.

Image Source: 2011 Data Breach Investigations Report, Verizon

Healthcare Data Security

I wanted to point out (and recommend reading) a recent New York Times article, exploring recent data breaches at healthcare organizations, and current and potential government oversight. It also includes a link to the US Department of Health & Human Services’ so-called “wall of shame”, which lists breaches of healthcare data affecting 500+ people. It’s sobering to see not only the volume of breaches, but also the variety of breach types – ranging from the expected (unauthorized access/disclosure) to the low-tech (theft or inappropriate disposal of paper records).

The overall context of the article is around the intended shift to electronic medical records, and how this may well be impeded by the continued breaches.   This is a significant concern – the article states

“showing just how lax security can be, the inspector general of the Department of Health and Human Services said two weeks ago that the agency had found dozens of vulnerabilities in systems to protect records of patients at seven large hospitals…Auditors cited such problems as personal information that was not encrypted and was stored on computers that could be easily used by unauthorized user”.

Looking through the actual data – of the 288 records on the HHS website, 20% are breaches from paper records, while 74% are electronic records (6% are “other”). What does this tell us? I read two things out of this data – first, we’re already well on our way toward electronic medical records. Second, even old-fashioned paper-based data is difficult to control. Ongoing conversion to electronic records won’t make securing this data any easier, and will often make data breaches more serious. For example, in one case, electronic records with information about 1.7 million people (patients as well as staffers) were stolen from an unlocked records management company van.

These incidents illustrate the many challenging, interlocking layers involved in ensuring data security in an enterprise, and help me, once again, appreciate the complexity and difficulty of the tasks performed by Information Security teams. Thanks for working so hard to keep the enterprise secure, and our personal information private — we’re on your side!

Government Security News article about Aveksa, highlighting impact of data breaches

See this article for an overview of Aveksa’s recent survey, and how organizations are responding to recent data breaches.