Venkat Rajaji


Real vs. Regulatory Risk

Posted by Venkat Rajaji on Thu, Apr 28, 2016

Risk is a word you hear every day and it has become common place across the security industry. What is risk? What does it really mean? And why is it so important? Most importantly, how should we think about the impact of these risks and how we mitigate it?


Risk is composed of two factors: Impact x Likelihood.

Impact - The damage caused if the risk materialises: the criticality of the assets, the actual data in the systems, and the liability associated with an audit finding.

Likelihood - The probability that an event will occur. When we think about likelihood we think about usage patterns, access levels for individuals and accounts, and the exposure or vulnerability of those systems.

 

Within the context of Information Security there are two types of risk that companies face, real risk and regulatory risk.

 

Regulatory risk is associated with not being compliant with any number of regulations. The penalty for this might be financial penalties, incarceration, or a drop in stock price if the issues are "material" enough to require reporting. Examples include healthcare companies' compliance with data privacy rules and HIPAA, Financial Services companies and SOX compliance, or retail organizations and anyone else accepting credit cards who must adhere to PCI compliance. What regulatory risk calls for is the implementation of a governance process to ensure compliance.

 

When you think about real risk, you're thinking about things like customer and consumer data, credit card information, employee data, SSNs, and access to processes like the Iranian nuclear enrichment centrifuges that were recently hacked, then stopped and started over and over until they destroyed themselves. Here, a governance process is not enough. This is about protection, and the impact is far greater than just a fine: reputational damage, brand image, liability, and other major financial damages will hit the company.

 

Compliance regulations have helped, and have forced companies to put in place governance processes to mitigate some risk. However, this drive for compliance has led to a lot of rubber stamping. The reason is that there is too much data, and we don't know what is important and what is just another request. So the compliance checks themselves often don't do enough to protect the companies or their customers.

 

We need the ability to really understand risk in terms of impact and likelihood. In order to satisfy regulatory needs and to mitigate real risk, we need solutions that provide context for these risks. Context might be things like access levels, known vulnerabilities in systems, the criticality of business systems, and the data stored in those systems. This helps us better understand our enterprise risk. Done correctly, this automation and intelligence also dramatically improves understanding of how you are actually doing and how that is changing over time (read: actually managing this stuff), efficiency (read: cost savings) and efficacy (real and regulatory risk reduction).

 

To manage both real and regulatory risk, you need to deter bad touches (inappropriate access) to information and processes. Since motivated bad guys have proven that they still might find creative ways in, you need to detect when that happens, and once you do, you had better figure out how to remediate the issues really quickly. The Courion suite of solutions is designed to solve exactly this problem across both the physical (vulnerability management) and logical (access management) worlds.

 

Looking for more information on how to mitigate both real and regulatory risk? Download Assessing the Risk of Identity and Access to learn how to identify and remediate both your real and regulatory risk. 

Tags: risk management, security risk, cyber risk, risk

Assessing the Risk of Identity and Access, Part 2

Posted by Venkat Rajaji on Thu, Jun 18, 2015

Venkat Rajaji VP of Product Management & Marketing

In part one of this blog, we shared reasons why your security team may not be able to sleep at night: risks to your information technology infrastructure that may be caused by risk from identities and their access. We discussed the most common access risks—from the routine to those caused by changes in the business—and provided some reasons why you may want to look inside, and not just invest in perimeter security. If you haven’t yet read part one, you can do so here.

So now that we know what the risks are, let’s discuss ways to mitigate these access risks and gain visibility into your organization.

Identity and Access Management Controls

When we look at provisioning identities or certifying access for governance, it quickly becomes a rubber-stamping process. You want to make sure the right people have the right access but what if you don’t know what that person needs for his or her job? Do you reject or approve? Other than a slowdown in productivity, there is no bad outcome if you don’t approve access, but instead request additional sign-offs. After all, with hundreds of thousands of people and identities, access rights and roles, policies and regulations, actions, and resources, you have trillions of access relationships to manage.

In a survey conducted by Courion about the access risks that cause the most anxiety, number one on the list—at 46 percent—was privileged account access; that is, accounts such as those used by administrators that have increased levels of permission and elevated access to critical networks, systems, applications, or transactions. Other anxiety-causing access issues that accounted for 31 percent were unnecessary entitlements and abandoned or orphaned accounts. What this tells us is that over half of the anxiety in your organization is based on provisioning.

To effectively address this issue, we need to start looking at not just passing our audit at the end of the year but also at the true impact of risk created through increased or inaccurate access credentialing on an ongoing basis.

But what if with each request you received you also knew the perceived risk of approving or rejecting it? What if you could take a look at all of your credentials across your system and see who was the greatest risk? That’s where an intelligent or risk-aware identity and access management tool comes in.

With risk-aware IAM you have the ability to automate your provisioning process to keep your backlog at a minimum and still ensure that you are provisioning the correct access to your employees without just rubber-stamping an approval. With intelligence driving your provisioning and governance you can see risks long before you have an issue. Imagine if you were able to log in and see access credentials listed like this:

[Image: Risk-aware IAM table]

We need to understand these access risks on a scale from low risk to high. Provisioning today includes a request, a policy evaluation, and a quick approval or rejection of the request. At Courion, we see things differently. If the request is seen as a low risk item, then it gets passed through and fulfilled in our automated system.

[Image: Provisioning tool]

But for other access requests which may represent some risk, the access request will require an approval or both an approval and a micro certification.

This micro-certification, or risk-based certification review, provides holistic context around the information being examined, allowing an IS manager to make an informed decision on whether a user's access is suitable before granting it. By performing these narrowly focused micro-certifications, organizations can reduce access risk in a smarter, more efficient way on the front end of the request and guard against over- or under-privileged accounts.
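The tiered workflow above, and the Impact x Likelihood breakdown from the "Real vs. Regulatory Risk" post, as an added illustration (not Courion's code): each access request is scored from the factors the posts name (asset criticality, data sensitivity, audit liability; privilege level, known vulnerabilities, orphaned ownership) and routed to auto-fulfilment, approval, or approval plus micro-certification. The weights, tier thresholds and sample requests are assumptions constructed for the example.

```python
"""Risk-tiered routing of access requests (illustrative, not Courion's product code)."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    system: str
    criticality: int       # 1 (low) .. 5 (business-critical system)
    data_sensitivity: int  # 1 (public) .. 5 (SSNs, cardholder data)
    regulated: bool        # in scope for an audit regime (HIPAA, SOX, PCI)
    privileged: bool       # admin-level entitlement being requested
    known_vulns: int       # open vulnerability findings on the target system
    orphaned_owner: bool   # the account's owner/manager no longer exists


def impact(r: AccessRequest) -> float:
    """Damage if the access is misused: criticality, data, audit liability."""
    score = r.criticality + r.data_sensitivity          # 2 .. 10
    if r.regulated:
        score += 2                                     # liability of an audit finding
    return score / 12.0                                # normalise to 0 .. 1


def likelihood(r: AccessRequest) -> float:
    """Chance the access is abused: privilege, exposure, orphaned ownership."""
    p = 0.1                                            # assumed baseline
    if r.privileged:
        p += 0.4
    p += min(r.known_vulns, 5) * 0.08                  # exposure, capped
    if r.orphaned_owner:
        p += 0.2
    return min(p, 1.0)


def risk(r: AccessRequest) -> float:
    """Risk = Impact x Likelihood, rounded for display."""
    return round(impact(r) * likelihood(r), 3)


def route(r: AccessRequest) -> str:
    """Assumed tiers: low risk is fulfilled automatically, higher risk needs review."""
    s = risk(r)
    if s < 0.15:
        return "auto-fulfill"
    if s < 0.40:
        return "approval"
    return "approval+micro-certification"


def rank(requests: list) -> list:
    """Highest-risk requests first, so a reviewer sees 'who is the greatest risk'."""
    return sorted(((r.user, risk(r), route(r)) for r in requests),
                  key=lambda t: t[1], reverse=True)


# Constructed sample requests for the example.
SAMPLE_REQUESTS = [
    AccessRequest("helpdesk", "ticketing", 1, 1, False, False, 0, False),
    AccessRequest("dba-admin", "cardholder-db", 5, 5, True, True, 2, False),
    AccessRequest("analyst", "hr-reports", 3, 3, True, False, 1, True),
]
```

Running `rank(SAMPLE_REQUESTS)` puts the privileged request on the regulated cardholder database at the top with a micro-certification, the orphaned-owner request in the approval tier, and the low-value helpdesk request through automatically.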

[Image: Provisioning system]

Intelligent IAM is the next-level evolution of traditional IAM. Each process is led with intelligence with front end approvals and risk assessments that allow near real-time decisions that manage and mitigate risk to the company. According to Gartner, “By year-end 2020, identity analytics and intelligence tools will deliver direct business value in 60 percent of enterprises, up from less than 5 percent today.”

Through continuous monitoring and analytics applied to your provisioning and governance activities in real time, you are able to see the most up-to-date information thus allowing your company to truly make data-driven decisions. With intelligence driving policy, provisioning, and access decisions, you can mitigate risk in real time and have better visibility into your organization.

Are you looking for more visibility into your company’s identity and access risk? With a Quick Scan assessment of your organization’s access risk we can help you take a quick look into your security measures and provide you with a plan of what you can do to mitigate those risks. If you would like more information on what a Quick Scan can do for your company, contact us today at 1-866-COURION or at info@courion.com.  

Tags: venkat, risk, access intelligence, rajaji, Identity & access management

Assessing the Risk of Identity and Access

Posted by Venkat Rajaji on Wed, Jun 10, 2015

Here at Courion, our mission is to help customers succeed in a world of open access and increasing threats. We want to make sure that the right people have the right access to the right resources and that they are doing the right things with those resources. The question becomes, how does an organization assess those threats and gauge the risk it faces from both internal and external forces? Moreover, how do you plan for that risk and put in place processes to help detect, identify and manage it?

Most Common Risks

With an increasing number of computers and other devices and an increase in the ways in which users access resources, access rights and the monitoring and managing of complex user access rights becomes harder every day. The stresses and strains of access can come from all over but the most common offenders are:

• Routine changes such as hiring, promotions or transfers

• Business changes such as reorganizations, the addition of new products, or new partnerships

• Infrastructure changes such as mobility, cloud adaptation, system upgrades, or new application rollouts.

[Image: Routine vs. business vs. infrastructure change]

In addition to the stresses from business change, there are an increasing number of government regulations that require compliance, regardless of industry. From healthcare to banking, these regulations climb into the hundreds and assuring that you are fully compliant is more difficult than ever. This increase in regulations along with the increase in complexity of access rights makes identity and access governance a red hot priority.

What is Identity and Access Governance?

Identity and access governance tools establish an entire lifecycle process for identities in an organization, providing comprehensive governance of not just the identities but also their access requests. These lifecycle decisions are driven by real-time intelligence and informed by an organization's processes. When we are preparing for an audit we have to ask questions we had never been asked before: Who has access to what? What does that access allow them to do? And why do they need that access? IGA helps to answer those questions up front to ensure that every identity has the right access, to the right things, at the right time.

When the internet was brand new, an organization had one room with only two to three people having access to resources. As a result, there was a pretty low risk of anyone hacking their way in. Now, our data centers are everywhere from a server room in a remote location to the cloud of everywhere-ness.

The result is that we have a broader and ever exploding attack surface and diversity of infrastructure. You’ve heard of the “Internet of Things” and these “things”, that is, Internet-enabled devices and resources, such as a building thermostat or a household appliance, have increased the attack surface tenfold.

Unfortunately, we are also faced with a highly sophisticated attacker ecosystem. Hackers are now working collaboratively, looking for weaknesses in your infrastructure, and are armed with increasingly sophisticated and specialized tools and services. It may only take a hacker a few minutes to get into your system, but now they know that the payoff is worth waiting days or even months for the perfect time to strike.

The Issue of Compliance

If you look at the most recent Verizon PCI Compliance Report you will see that the average organizational compliance is at 93.7%. However, when you break that number down into the number of fully versus partially compliant firms, you will see that only 20% are ‘fully’ compliant. So if as organizations we collectively are compliant at 93.7%, then why have the total number of security incidents detected increased 48% since 2013? The answer is that we need more visibility into our systems. The top audit findings for the reasons behind these attacks are:

• Excessive access rights

• Excessive developers’ access to production systems and data

• Lack of removal of access following a transfer or termination

• Lack of sufficient segregation of duties

The biggest risk here is credentials. The number of stolen credentials is no surprise when you consider the number of transfers and terminations and accounts with excess access to sensitive systems that may remain active.

According to the Verizon Data Breach Investigations Report, 2015, when asked if their organization is able to detect if access credentials are misused or stolen, 42% of companies surveyed in the report said they are not confident in their ability.  Even worse, according to CSOOnline, 66% of board members are not confident of their companies’ ability to defend themselves against any cyberattack.  For those of us on the information security team, that shows a lack of boardroom trust in our capabilities.

Why do board members have so much trouble trusting our cybersecurity measures? Consider the fact that in 60% of cases, attackers are able to infiltrate the system within minutes and it typically takes information security around 225 days to find the breach. Just recently, the U.S. government Office of Personnel Management was hacked and more than 4 million current and former government employees may be affected. While investigators have known about the breach since April, they are still trying to determine what was hacked and what information was leaked since it could have been up to six months since the attackers initially gained access into the system.

Preparing for an Attack

This attack makes us think about the elements of an attack and where our federal government’s systems may have broken down. The elements of an attack are:

[Image: Data breach lifecycle]

While we have anti-virus and anti-malware to fend off some of these attacks, and DLP and SIEM processes in place to fend off or detect others, we do not have the ability to fully defend against access targets and lateral movement once access is gained. What this means is that even though we are spending money, sometimes up to 85% of our budget on defending the perimeter, we have little to no security on the inside stopping hackers once they have penetrated our networks.

Are you ready for an attack on your system? Do you have a plan for internal and external breaches? Do you know your current risk? In part 2 of “Assessing the Risk of Identity and Access” we will discuss ways you can measure your perceived risk and ways to monitor your access rights to ensure true compliance.

Want to know your risk? Contact us today for an Access Risk Assessment of your system to identify your risks today.


Tags: venkat, access, governance, assessment, risk, breach, identity, rajaji, data

Join Us at CONVERGE in Vegas!

Posted by Venkat Rajaji on Thu, Mar 05, 2015

CONVERGE, our perennially popular annual customer conference, happens Tuesday May 19th to Thursday May 21st at the Cosmopolitan Hotel in Las Vegas. Click here to register and take advantage of a $150.00 discount if you sign up before March 31st.

CONVERGE provides a great opportunity to mix and mingle with your peers and industry thought leaders. We’re bringing together noted authorities in identity governance and administration to share their expertise, and we’ll provide a peek into what’s new at Courion and in the field of security.

Need to earn (ISC)² Continuing Professional Education credits toward your CISSP or other professional certification? On Tuesday May 19th we are offering a full day dedicated to technical training and workshops, including a deep dive into the Courion Access Assurance Suite so you can fully exploit this market-leading IGA suite's capabilities. Tech Tuesday at CONVERGE provides the ideal opportunity to earn those CPE credits, and we'll be happy to submit the needed paperwork.

Our conference theme, Know the Odds – Win with Risk Aware IAM, is based on the notion that in this age of the Internet of Things, it's essential to have concrete insight into your IAM infrastructure so you can better protect your company from access risks that may lead to a data breach. Courion's intelligent IAM provisioning and governance solutions, powered by the award-winning identity analytics solution Access Insight, provide the knowledge you need to see exactly where threats are hiding so you can identify, quantify, and reduce risk.

So come, join us in Vegas and register today!

To learn more, go to http://www.courion.com/CONVERGE.

Venkat Rajaji is Vice President of Product Management & Marketing for Courion.

Tags: venkat, access, governance, identity, management, rajaji, CONVERGE, administration, conference