How to be compliant with Intelligent IAM

Posted by Steve Morin - Director, Product Management on Thu, May 19, 2016

A great deal of time and effort can be saved during management reviews and audits by using an Intelligent IAM solution to provide reports with filtering and drill-down capabilities, trend information, and data visualization tools. These not only give managers a high-level view of progress toward goals (such as eliminating orphaned accounts and policy violations), but also show auditors that high-risk issues are being addressed, such as monitoring access to the most sensitive data stores and controlling the entitlements given to privileged users. Here are a few other ways that using an Intelligent IAM solution can advance your goal of true compliance:

Continuous Improvement of Provisioning and Governance

Most users of Intelligent IAM solutions focus on the immediate benefits provided by continuous monitoring, rapid response to immediate threats, and tools to analyze risks, patterns, and trends. But organizations shouldn't overlook the importance of strengthening their investment in existing IAM systems.

Intelligent IAM can support the continuous improvement of account provisioning, governance, and other IAM processes. By providing visibility into key areas of access risk, it lets organizations respond immediately, either with a micro-certification that fully inspects suspect access or with a deprovisioning action against a known violation. A fixed schedule for access reviews is still important to ensure compliance, but enabling continuous reviews as and when risks become visible is the better governance practice: it continuously improves provisioning and makes the compliance process more efficient.

Reducing over-provisioning and under-provisioning

Over-provisioning and under-provisioning are occupational hazards for everyone who defines and manages roles. Over-provisioning creates security exposure by granting unnecessary entitlements to a role. Often this comes about when a single individual with unique needs requests new access levels or entitlements that are then assigned to the role rather than to the individual, so the entitlements are mistakenly given to everyone in that role. Everyone in the role ends up over-provisioned, which creates access risk and circumvents the least privilege model that should be standard practice.

Under-provisioning occurs when an entitlement that’s genuinely needed for a role isn't assigned, forcing all or most people in the role to request that entitlement on an exception basis. This is a drag on the productivity of the employees and of the managers and resource owners who must repetitively review and approve their ad-hoc requests.

Intelligent IAM helps people who define and manage roles reduce over-provisioning and under-provisioning. With a few clicks, they can determine the following:

  • Which entitlements are rarely or never used by current members of a role, so those entitlements can be removed from the role
  • Which entitlements are frequently or always requested by members in a role, so those entitlements can be added to the role
  • Which individuals have excessive entitlements compared with others in the role, so the behavior of those individuals can be examined and the individuals can be assigned to more appropriate roles

Activity-related information, such as last login and last transactions executed, also provides insight into whether rights are really needed. For example, if a resource hasn't been accessed for three months, there's a strong chance it's not required for that individual or for others in the same role.
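As an added illustration (not code from the original post or from Access Insight), here is a small Python script that derives the three findings listed above from constructed role, entitlement and activity data. The data set, the 90-day staleness window, the 50 per cent exception threshold and the "more than two extra entitlements" outlier cut-off are all assumptions chosen for the example.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data for one role; not real data and not the product's data model.
ROLE_MEMBERS = {"alice", "bob", "carol", "dave"}
ROLE_ENTITLEMENTS = {"gl:read", "gl:post", "erp:report", "legacy_db:admin"}

# Entitlements each user actually holds: the role's set plus individual exceptions.
USER_ENTITLEMENTS = {
    "alice": ROLE_ENTITLEMENTS | {"budget:read"},
    "bob":   ROLE_ENTITLEMENTS | {"budget:read", "hr:payroll", "ad:domain_admin", "vpn:all"},
    "carol": ROLE_ENTITLEMENTS | {"budget:read"},
    "dave":  ROLE_ENTITLEMENTS,
}

# Last time each (user, entitlement) pair was exercised, from activity data.
TODAY = date(2016, 5, 19)
LAST_USED = {
    ("alice", "gl:read"): TODAY - timedelta(days=1),
    ("alice", "gl:post"): TODAY - timedelta(days=3),
    ("alice", "erp:report"): TODAY - timedelta(days=10),
    ("bob", "gl:read"): TODAY - timedelta(days=2),
    ("bob", "erp:report"): TODAY - timedelta(days=30),
    ("bob", "legacy_db:admin"): TODAY - timedelta(days=200),  # last use long ago
    ("carol", "gl:read"): TODAY,
    ("carol", "gl:post"): TODAY - timedelta(days=5),
    ("dave", "gl:read"): TODAY - timedelta(days=7),
    # pairs absent from this table have no recorded use at all
}


def unused_role_entitlements(members, role_ents, last_used, today, stale_days=90):
    """Role entitlements that no current member has used within stale_days."""
    cutoff = today - timedelta(days=stale_days)
    return {ent for ent in role_ents
            if not any(last_used.get((u, ent), date.min) >= cutoff for u in members)}


def exception_entitlements(members, user_ents, role_ents, min_share=0.5):
    """Entitlements held outside the role by at least min_share of its members."""
    counts = Counter(ent for u in members for ent in user_ents[u] - role_ents)
    needed = min_share * len(members)
    return {ent for ent, n in counts.items() if n >= needed}


def outlier_members(members, user_ents, role_ents, max_extra=2):
    """Members holding more than max_extra entitlements beyond the role's set."""
    return {u: sorted(user_ents[u] - role_ents)
            for u in members if len(user_ents[u] - role_ents) > max_extra}


def role_mining_report(members=ROLE_MEMBERS, role_ents=ROLE_ENTITLEMENTS,
                       user_ents=USER_ENTITLEMENTS, last_used=LAST_USED, today=TODAY):
    """The three findings a role owner can act on."""
    return {
        "remove_from_role": unused_role_entitlements(members, role_ents, last_used, today),
        "add_to_role": exception_entitlements(members, user_ents, role_ents),
        "outliers": outlier_members(members, user_ents, role_ents),
    }


if __name__ == "__main__":
    for finding, value in role_mining_report().items():
        print(f"{finding}: {value}")
```

On the constructed data the report recommends removing `legacy_db:admin` from the role (only one member ever used it, 200 days ago), adding `budget:read` (three of four members hold it by exception), and examining `bob`, whose four extra entitlements include a domain admin right no peer has. Note that an entitlement can legitimately appear both as an add-to-role candidate and in an outlier's extra list; the role owner resolves that by deciding which way to normalize.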

Closing the Governance Gap with Continuous Monitoring

Organizations have blind spots when it comes to violations of security and privacy rules. Account provisioning systems provide users with appropriate access to corporate resources when they join a company or change roles. However, changes and exceptions to rules and roles over time introduce excessive rights for individuals, leading to policy violations and access-related vulnerabilities. In many organizations, access permissions are granted outside of approved provisioning processes. An example would be when application or database administrators grant access rights based on direct requests from a user.

Organizations should run periodic certifications asking managers to verify that existing access rights for their subordinates are necessary and appropriate. Unfortunately, busy managers often treat these as "rubber stamp" exercises. They don't take the time to review each entitlement and consider its implications. In many cases, they lack the knowledge and tools to identify policy violations. In other cases, the sheer volume to be reviewed is so overwhelming that reviewers do not examine access thoroughly during the certification.

An Intelligent IAM solution can address these problems by providing not only the prevention on the front end but also continuous monitoring of identity and access-related data and events throughout the life of the user. Violations can be identified as soon as they occur (see Figure 3-2). Changes made outside approved provisioning processes can be flagged and reviewed. Data can be correlated to pinpoint Segregation of Duties (SoD) violations and other complex policy violations before they can be exploited.

Preventing Policy Violations at the Point of Origin

Even with an advanced account provisioning system, managers and resource owners find it very difficult to identify SoD and other policy violations.

An Intelligent IAM solution can be integrated with a provisioning system to flag potential policy violations at the time an access request is being reviewed. It can also give the reviewing manager or resource owner tools to drill down and look at the recipient's current entitlements and those of his or her peers, to determine if the request is necessary and appropriate. It's far less work to prevent a policy violation at the point of origin than to find it during a large-scale certification (or through a security breach).

In the near future, intelligent IAM solutions may be able to improve provisioning decisions by supplying recommendations based on real-time risk scoring. This would allow decisions to be made based on the risk profile of the enterprise, users, applications, and resource at the time of provisioning.

One example of such "intelligent provisioning" would be to set up three workflows so that


  • Low-risk access requests (as determined by the organization in the IAM solution) are granted automatically without requiring the attention of a manager.
  • Medium-risk requests are sent by the provisioning system to a manager for approval.
  • High-risk requests require approval by a manager and escalation to a higher level executive for final approval.
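The point-of-origin check and the three-tier workflow above, as an added Python example rather than Courion code. The SoD rules, the per-entitlement risk weights, the peer-outlier bonus and the tier thresholds are assumptions; the shape of the logic is what matters: evaluate the request against what the requester already holds and against what role peers hold, then route by score.

```python
# Constructed sample policy data; weights and thresholds are assumptions, not the product's.
SOD_RULES = [
    ({"ap:create_vendor", "ap:approve_payment"}, "create vendors and approve their payments"),
    ({"gl:post", "gl:approve"}, "post and approve journal entries"),
]
# Inherent risk of each entitlement on a 1-10 scale, set by the organization.
ENTITLEMENT_RISK = {
    "erp:report": 1, "gl:read": 1, "gl:post": 3, "gl:approve": 4,
    "ap:create_vendor": 3, "ap:approve_payment": 5, "ad:domain_admin": 10,
}
ROLES = {"fin_analyst": {"alice", "bob", "carol"}, "ap_clerk": {"erin"}}
USER_ENTITLEMENTS = {
    "alice": {"erp:report", "gl:post"},
    "bob": {"erp:report", "gl:post"},
    "carol": {"erp:report"},
    "erin": {"ap:create_vendor"},
}


def sod_conflicts(requested, held, rules=SOD_RULES):
    """Rules whose toxic combination would be completed by granting `requested`."""
    return [desc for combo, desc in rules
            if requested in combo and (combo - {requested}) <= held]


def peer_share(user, requested, role, roles, user_ents):
    """Fraction of the user's role peers who already hold the entitlement (None if no peers)."""
    peers = [p for p in roles.get(role, set()) if p != user]
    if not peers:
        return None
    return sum(requested in user_ents.get(p, set()) for p in peers) / len(peers)


def evaluate_request(user, requested, role, roles=ROLES, user_ents=USER_ENTITLEMENTS,
                     risk_table=ENTITLEMENT_RISK, rules=SOD_RULES):
    """Score a request at the point of origin and route it to the right workflow."""
    held = user_ents.get(user, set())
    conflicts = sod_conflicts(requested, held, rules)
    share = peer_share(user, requested, role, roles, user_ents)
    score = risk_table.get(requested, 5)       # unknown entitlement: treat as medium risk
    if share == 0.0:
        score += 3                             # nobody in the same role has it: an outlier request
    if conflicts:
        score += 10                            # any SoD conflict is always high risk
    if score <= 3:
        tier, approvers = "low", []            # granted automatically
    elif score <= 7:
        tier, approvers = "medium", ["manager"]
    else:
        tier, approvers = "high", ["manager", "executive"]
    return {"tier": tier, "approvers": approvers, "score": score,
            "sod_conflicts": conflicts, "peer_share": share}


if __name__ == "__main__":
    for case in [("carol", "gl:post", "fin_analyst"), ("alice", "gl:approve", "fin_analyst"),
                 ("bob", "ad:domain_admin", "fin_analyst"), ("erin", "ap:approve_payment", "ap_clerk")]:
        print(case, evaluate_request(*case))
```

Carol asking for `gl:post`, which both of her peers hold, is auto-approved; Alice asking for `gl:approve` while she already holds `gl:post` trips the SoD rule and goes to manager plus executive, with the conflict description attached so the reviewer sees why; Bob asking for domain admin has no SoD conflict but is an outlier among financial analysts and is also escalated. The reviewer drill-down described above is the `peer_share` and `sod_conflicts` fields of the returned record.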


With changing policies, regulations, and access, it is hard to keep up with the trillions of relationships that exist within an organization on any given day. With an Intelligent IAM solution, adapting to these changes is considerably more effective and straightforward. By giving managers increased visibility of the tasks, goals, and issues at hand, an Intelligent IAM solution improves both efficiency and productivity within the company. By enabling continuous reviews, it ensures that high-risk situations can be monitored and corrected immediately, and its reports, filtering, drill-down, trend and visualization tools keep audits organized. Not only will an Intelligent IAM solution help you pass your audit, it will put your organization on the path to true compliance.

Want to learn more about how intelligence can impact your organization's approach to compliance? Download our new eBook Improving IAM with Intelligence for more information or schedule a demo to see Access Insight 9 at work.

Tags: access compliance, access rights, Access Insight, access risk, compliance

Why Deleting Security Groups Doesn't Have to be Scary

Posted by Ashley Sims - Marketing Manager on Thu, May 12, 2016


A few months ago our very own Chris "Sully" Sullivan, GM - Analytics/Intelligence, delivered a speech at the Gartner Identity and Access Management Summit to a group of IAM ninjas in London. Confession - I love hearing Sully speak. I always learn something and I love seeing the crowd as they learn these things along with me. However, at this event I was actually more surprised than usual at the response that he got when he asked the simple question "how many people here delete security groups?"


You might as well have asked them if they would be willing to donate a kidney to a stranger or had forgotten their cell phone at home that morning. Needless to say, almost everyone looked at Sully like he was crazy, which was exactly what he was going for.


The reason, he explained, that no one deletes these groups is because they can't tell what is in them. Can you imagine deleting a group because you thought no one needed it and it turns out that you just shut off your CEO's access to an application that he/she uses daily? Not a good look for the security team.


Sully's point for the presentation was that now, with access intelligence, you no longer need to be afraid of deleting these groups and cleaning up your network because you can finally drill down into these security groups and understand exactly what is at stake. The primary reason companies are loath to delete security groups in Active Directory is because they simply don’t understand the complexity of access such as how access is granted, nested entitlements, and direct versus indirect assignment of access.
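As an added example (not the product's Access Explorer), the following Python models nested Active Directory groups and answers the question that makes people afraid to delete one: who would actually lose access, and to what. The group and ACL data are constructed, including a circular nesting so the traversal has to be cycle-safe; direct versus indirect assignment falls out of the same walk.

```python
# Constructed AD-like data: group -> direct members (user names or other group names).
GROUPS = {
    "App-Finance-Users": {"Finance-Staff", "Legacy-Reporting"},
    "Finance-Staff": {"alice", "bob"},
    "Legacy-Reporting": {"Old-Analysts", "ceo"},
    "Old-Analysts": {"carol", "Legacy-Reporting"},  # circular nesting, as found in real forests
    "Finance-Admins": {"bob"},
}
# Resource -> groups granted access in its ACL.
RESOURCE_ACLS = {
    "FinanceApp": {"App-Finance-Users", "Finance-Admins"},
    "LegacyReports": {"Legacy-Reporting"},
}


def effective_members(group, groups):
    """Users reachable from `group` through any depth of nesting; cycle-safe."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, set()):
            if member in groups:
                stack.append(member)     # nested group: keep descending
            else:
                users.add(member)        # leaf: a user
    return users


def access_paths(resource, acls, groups):
    """user -> set of ACL groups through which that user reaches the resource."""
    paths = {}
    for g in acls.get(resource, set()):
        for u in effective_members(g, groups):
            paths.setdefault(u, set()).add(g)
    return paths


def delete_impact(group, groups=GROUPS, acls=RESOURCE_ACLS):
    """Resource -> users who would lose ALL access to it if `group` were deleted."""
    # Deleting a group removes it from every ACL and from every parent group's member list.
    groups_after = {g: m - {group} for g, m in groups.items() if g != group}
    acls_after = {r: a - {group} for r, a in acls.items()}
    impact = {}
    for resource in acls:
        before = set(access_paths(resource, acls, groups))
        after = set(access_paths(resource, acls_after, groups_after))
        lost = before - after
        if lost:
            impact[resource] = lost
    return impact


if __name__ == "__main__":
    for g in GROUPS:
        print(f"delete {g}: {delete_impact(g) or 'nobody loses access'}")
```

Deleting `Finance-Admins` is safe: `bob` still reaches FinanceApp through `Finance-Staff`. Deleting `Legacy-Reporting` is the CEO scenario from the talk: `ceo` and `carol` reach FinanceApp only through that nested path, so both lose it, and the walk only knows that because it followed the nesting rather than reading the group's direct members. The same function, run over a real export of group membership and resource ACLs, is the "what is at stake" view the post describes.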


All businesses, regardless of industry, are faced with an exploding universe of identities, devices and data that employees require to do their jobs. The expanded use of mobile devices and cloud services, along with non-employee and transitional employee access, means that risk management and compliance extend far beyond traditional enterprise limits. This can equate to trillions of access relationships that put your company at risk. How are you supposed to see into all of these relationships and understand the risks they pose?


With actionable intelligence through Access Insight 9.0 you get a comprehensive and continuous view and analysis of these trillions of relationships between identities, access rights, policies, resources, and activities. The product pulls large amounts of identity and access data into its proprietary in-memory access analytics engine, which correlates the relationships between user identities and their fine-grained access within an organization. These analytics identify potential risk from a current and historical perspective across lines of business, governance, operations and applications.


For example, our Access Explorer lays out every Active Directory group in a spider diagram so that you can see whose access is connected and where your privileged accounts are linked.


Not only can you drill down into these details, but our analytics can also evaluate large amounts of identity and access data against policy and against company-defined models of activity patterns. This lets you tailor policies to your organization, and when activity departs from those policies you are notified immediately of any signal of dishonest or malicious behavior. Imagine a solution that automatically alerts you and requires a micro-certification whenever an account can do more than you believe it should.


It's time to start using all of this collected data to our advantage. It's time to start looking at our access relationships and prioritizing the risks our organization faces. Whether you have an Identity and Access Management solution or are working within your Active Directory, Access Insight can put your data to work for you.


Want to see how this looks within your organization? Request a demo of our Access Insight solution and see how actionable intelligence can help prioritize risk and transform your organization's security.


Tags: access rights, Access Insight, access risk, intelligent IAM, identity and access governance, Identity & access management, intelligent identity and access governance, intelligent identity and access management

How Intelligence Enhances Your Cyber Security

Posted by Emily Turner - Product Owner, Access Insight on Thu, May 05, 2016

If you are reading this blog, you most likely understand the benefits of adding identity and access management (IAM) solutions to your business. However, what if you could make that solution better, faster, and help you become proactive instead of reactive? You can! Just add intelligence.

Adding intelligence to your IAM solution can turn complex data into actionable information and find trouble spots, as well as high risk areas. It can compare across roles and with peers, as well as investigate high-risk individuals, groups, and situations. 

Adding Intelligence

By connecting to an organization's applications and collecting information, Intelligent IAM (IIAM) solutions continuously monitor identities and collect data related to resources (including applications, databases, and files), access rights, access policies, and user activities such as creating accounts and logging on to applications.

This information, which may amount to gigabytes or terabytes of data, is organized in a data warehouse, as seen in Figure 1. Identity and Access Intelligence (IAI) is applied and analyzes the identity and access data using advanced analytic tools to perform data mining, statistical analysis, data visualization, and predictive analytics.

Figure 1: Data Dissemination capabilities when using IAM

These data analysis tools aren't generic. They draw on IAM-specific policies, rules, and risk indicators to provide information of immediate value to IAM administrators, analysts, compliance officers, and incident responders.

An Intelligent IAM solution provides the following:

  • Reports and graphics showing IAM activities and risk factors
  • Notifications and alerts about policy violations and suspicious events
  • "Micro-certifications" triggered by questionable activities and events
  • Automatic remediation, such as removing entitlements and disabling administrator accounts obtained without approval
  • Risk scores that can be shared with provisioning systems and other applications (for example, a score that can be used to determine if special approvals are needed for a provisioning request)
  • Ad-hoc reports and analyses, created by analysts to explore specific issues and risks

These capabilities allow Intelligent IAM solutions to help organizations overcome the governance gap, the complexity gap, and the context gap.

Rapid Response: Turn Complex Data into Actionable Information

An Intelligent IAM solution should not only monitor key data continuously, but also provide a flexible range of options for rapid response and remediation. In most cases, the appropriate option is a notification or alert to a staff member who can investigate and determine whether the alert represents an issue that requires follow-up.

In other cases, a specific action should be triggered, such as a micro-certification, or even automatic remediation. In all cases, the solution should not only provide notification of a possible violation or issue, but also it should provide related data, and  if possible recommended actions to make it easier to address the situation. The solution can also improve security analysis and risk management.

Finding Trouble Spots and High Risk Areas

An Intelligent IAM solution can pinpoint trouble spots and weak points, and quickly answer key questions such as the following:

  • Which accounts have the most privileged entitlements and haven't reset a password in hundreds of days?
  • Which individuals have the highest number of access rights when compared to peers?
  • Which business units have the most orphan accounts?

An Intelligent IAM solution can provide answers to questions in seconds, helping security and IAM analysts to:

  • Quickly detect potential indicators of attacks and security breaches (for example, a user account receives privileged access directly to a target application)
  • Focus their efforts on high-risk situations (for example, accounts with many privileged entitlements that haven't reset their passwords in over 90 days; see Figure 2-3)

Comparisons across Roles and with Peers

An IAM solution can correlate data to compare users with others in the same role, or with any individual in the organization who might provide a useful benchmark. Analysts, business managers, and resource owners can answer questions like “Does John Smith have more access rights than other financial analysts?" and "How do the access rights available to John Smith compare with those of Jane Jones and William Brown?"

These comparisons are extremely useful for assessing new access requests from individuals, for identifying excessive rights that accumulate when people move through different positions, and for highlighting outliers that may indicate a process problem or a misbehaving user.

Comparisons with peers also have the advantage of giving enterprises a way to identify elevated access (and risk) without the expense of a major initiative to define and manage roles.

Investigating High-Risk Individuals, Groups, and Situations

With an intelligent IAM solution, you can investigate and analyze high-risk individuals, groups, and situations, as well as compliance violations. This process makes it easier to answer questions like the following:

  • Are there domain administrator accounts whose passwords have never been changed?
  • Which non-sales systems has this salesperson been accessing?
  • Is anybody accessing patient medical information without a genuine "need to know"?
  • Which accounts with at least five entitlements haven't been used in more than 30 days?
  • Does this account have a suspicious number of privileged entitlements?
  • Should part-time employees receive all the access rights they are routinely granted?
  • Do contractors continue to access resources after their projects end?
  • Are system administrators routinely assigned rights they don't need to perform their jobs?
  • Does this business unit have an abnormal number of accounts with unnecessary entitlements (that is, access rights that have never been used)?
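The questions in the two lists above are queries over a warehouse of account and entitlement data. As an added example (not Access Insight's schema or queries), the following Python builds a small in-memory SQLite warehouse from constructed rows and answers four of them: privileged accounts with stale or never-changed passwords, orphan accounts per business unit, dormant accounts holding five or more entitlements, and domain admins whose password was never changed. The table layout and the 90-day and 30-day thresholds are assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE accounts(
    account TEXT PRIMARY KEY, owner TEXT, business_unit TEXT,
    domain_admin INTEGER, pw_changed TEXT, last_login TEXT);
CREATE TABLE entitlements(
    account TEXT, entitlement TEXT, privileged INTEGER, last_used TEXT);
"""
# Constructed sample rows (ISO dates; NULL owner = orphan, NULL pw_changed = never changed).
ACCOUNTS = [
    ("alice",   "alice", "finance", 0, "2016-04-01", "2016-05-18"),
    ("bob",     "bob",   "finance", 1, None,         "2016-05-17"),
    ("svc_bkp", None,    "it",      1, "2014-02-01", "2016-05-19"),
    ("svc_old", None,    "it",      0, "2015-01-01", "2015-12-01"),
    ("tmp_x",   None,    "finance", 0, "2016-01-01", "2016-03-01"),
    ("carol",   "carol", "sales",   0, "2016-05-01", "2016-05-18"),
]
ENTITLEMENTS = [
    ("svc_bkp", "backup:admin",    1, "2016-05-19"),
    ("svc_bkp", "ad:domain_admin", 1, "2015-06-01"),
    ("svc_bkp", "db:sysadmin",     1, "2015-06-01"),
    ("bob",     "ad:domain_admin", 1, "2016-05-17"),
    ("bob",     "gl:post",         0, "2016-05-10"),
    ("alice",   "gl:read",         0, "2016-05-18"),
    ("carol",   "crm:read",        0, "2016-05-18"),
] + [("tmp_x", f"fs:share{i}", 0, "2016-02-01") for i in range(1, 6)]


def build_warehouse():
    """Load the constructed rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?,?,?,?,?,?)", ACCOUNTS)
    conn.executemany("INSERT INTO entitlements VALUES (?,?,?,?)", ENTITLEMENTS)
    return conn


QUERIES = {
    # Most privileged entitlements, with a password older than 90 days or never changed.
    "privileged_stale_password": """
        SELECT a.account, COUNT(*) AS privileged_count,
               CAST(julianday(:asof) - julianday(a.pw_changed) AS INTEGER) AS pw_age_days
        FROM accounts a JOIN entitlements e ON e.account = a.account
        WHERE e.privileged = 1
          AND (a.pw_changed IS NULL OR julianday(:asof) - julianday(a.pw_changed) > 90)
        GROUP BY a.account ORDER BY privileged_count DESC, a.account""",
    # Accounts with no owner on record, counted per business unit.
    "orphans_by_business_unit": """
        SELECT business_unit, COUNT(*) AS orphans FROM accounts
        WHERE owner IS NULL GROUP BY business_unit ORDER BY orphans DESC, business_unit""",
    # Accounts holding five or more entitlements that have not logged in for over 30 days.
    "dormant_with_5plus_entitlements": """
        SELECT a.account, COUNT(e.entitlement) AS entitlements
        FROM accounts a JOIN entitlements e ON e.account = a.account
        WHERE julianday(:asof) - julianday(a.last_login) > 30
        GROUP BY a.account HAVING COUNT(e.entitlement) >= 5 ORDER BY a.account""",
    # Domain administrator accounts whose password has never been changed.
    "domain_admins_password_never_changed": """
        SELECT account FROM accounts WHERE domain_admin = 1 AND pw_changed IS NULL""",
}


def trouble_spots(conn, as_of="2016-05-19"):
    """Run every question against the warehouse as of the given date."""
    return {name: conn.execute(sql, {"asof": as_of}).fetchall()
            for name, sql in QUERIES.items()}


if __name__ == "__main__":
    for name, rows in trouble_spots(build_warehouse()).items():
        print(f"{name}: {rows}")
```

The `pw_changed IS NULL` branch matters: a never-changed password has no age to compare, so a query written only as `age > 90` silently drops exactly the accounts you most want to see (`bob` here). Against a real warehouse the same four statements run unchanged; only the loader differs.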


Can your Identity and Access Management solution do all of this? With Access Insight 9.0 it can! Access Insight 9.0, Courion's newest intelligence tool, works with Courion's IAM solution, with another vendor's, or even when no IAM solution is present, to help you make sense of your complex access relationships.

Want more information on how intelligence improves IAM? Download our eBook "Intelligent IAM for Dummies" or schedule a demo of Access Insight 9.0 for your organization and learn how you can get the most out of your complex data.


Tags: Access Insight, IAM, access risk, intelligent IAM, IIAM

What's New in Access Insight 9.0?

Posted by Emily Turner - Product Owner, Access Insight on Tue, May 03, 2016


Businesses in all industries need to manage the exploding universe of identities, devices and data employees require to do their jobs. To help make sense of the trillions of relationships, today Courion releases Access Insight 9.0.

Access Insight identifies the risk associated with any misalignment between users and their access within your organization and drives provisioning and governance controls to manage that risk. Specifically designed to answer the critical questions “Who has access to what resources?” and “Have they been given the right level of access?” Access Insight provides IT security, compliance, business and risk professionals with the data and tools they need to successfully deal with these complex challenges.

How does Access Insight 9.0 Work?

Access Insight provides a comprehensive, continuous view and analysis of the trillions of relationships between identities, access rights, policies, resources and activities across a multitude of enterprise systems and resources. Access Insight:

  • Works with Courion’s industry-leading portfolio of IAM solutions, or in conjunction with other IAM solutions to identify potential risks to the business, so you can quickly modify access as needed.
  • Is platform agnostic, and integrates with virtually any data source and commonly used IAM and/or security management application (e.g., SIEM, DLP, AD and others).
  • Enables you to easily configure policies that align with your organization’s corporate and regulatory policies – alerting you to intentional or unintentional violations.

The Access Analytics Engine

Access Insight 9.0 boasts a new analytics engine based on the technology Courion acquired from Bay 31 in 2015. This engine enables companies to analyze complex data at significant scale with incredible speed. Access Insight pulls large amounts of identity and access data in continuously, and stores this in its proprietary in-memory access analytics engine. The “engine” correlates identity and access relationships to identify and prioritize risks, surfacing all deeply nested relationships that exist between user identities and their fine-grained access within an organization. These analytics identify potential risk in a current or historical perspective in lines of business, governance, operations and applications.

How it Works:

  • A business-friendly dashboard offers a variety of graphical displays and interactive interfaces, so that an organization’s access-related risks and risk levels can be easily viewed by line-of-business managers and authorized users.
  • The access analytics engine continuously gathers and synchronizes an organization’s IAM and IAG information from multiple sources to compile a complete picture of an organization’s identities, access rights, resources and activity.
  • Automated data collection increases operational efficiency and reduces operational costs by eliminating labor-intensive IAM processes and drawn out efforts to demonstrate compliance.
  • Continuous governance and automated policy management provides the ability to automatically evaluate and act upon risks associated with users’ access and activities in accordance with an organization’s corporate controls and government regulations, enabling you to proactively create and enforce policies.
  • Automated notifications alert you to changes and non-adherence to your organization’s corporate and regulatory policies; notify you of any conflicts and enable the swift assessment of risk level so appropriate action can be taken immediately allowing you to continuously maintain compliance.
  • Remediation controls automatically identify and remediate improper access, including intentional and malicious changes to user access that could harm your organization, as well as unintended changes to access.
  • Access analytics provide the ability to analyze large amounts of identity and access data against policy and company defined models of activity patterns. Changes in normal access activity patterns may be a signal of dishonest or malicious behavior. Quickly identify unused or obsolete access entitlements.
  • Drill-down capability allows you to further investigate details for potential threats and resolve risks immediately.

To learn more about Access Insight 9.0, view our datasheet or request a demo with one of our solutions consultants.

Tags: Access Insight, access risk, intelligent IAM, IIAM, intelligent identity and access management

What’s IN your Environment?

Posted by Vikram Chellappa - Sales Engineer on Tue, Dec 02, 2014

A theme that is echoed over and over again in Identity and Access Management is that organizations do not have a comprehensive view of what is actually ‘in’ their environment.

For example, quite often they are unable to reliably answer fundamental questions such as

• Who has access to what?

• Are there active, but abandoned accounts?

• Are there ungoverned privileged accounts?

• Do people have more access than they should when compared to what their peers have?

• Are there unused entitlements and if so what are those?

This is only a small subset of the questions that organizations strive to answer, and uncovering such information often highlights inefficient and sometimes even broken processes, for example:

• Contractor accounts are not disabled correctly. This may lead to active but abandoned accounts

• Administrators grant administrative privileges directly in target systems, circumventing a request approval process. This may lead to un-governed privileged accounts.

• Employees perform different job functions over the course of their tenure in the organization and access may not have been revoked appropriately. This may lead to people having excessive access when compared to what their peers have.

Over the past decade, many organizations have employed some level of automation. In traditional IAM, automation may help streamline certain processes, but it does not provide a continuous and comprehensive solution to address and mitigate all access risk issues. It is essential to realize that while automation can be a boon to organizations, automating inaccurate and broken processes can be a bane.

The key is to adopt an approach that combines strong fundamental IAM capabilities and access intelligence. Organizations must not only understand ‘what’ is in their environment and remediate policy violations, but also identify inefficient and broken processes and employ strong fundamental IAM strategies to appropriately address those. Yes, this is a shift from the traditional approach but it will only enable organizations to focus on the most important areas and mitigate risk quickly and effectively.

Tags: privileged, process, Access Insight, access, IAM, administrator, Vikram, access intelligence, identity, management, Chellappa, abandoned

Unmanaged & Unused Service Accounts: Your Unseen Access Risk Problem

Posted by Josh Green on Tue, Sep 30, 2014

We all have skeletons in our IT closets that we'd rather forget about. In nearly every organization’s network there is a legacy application or old piece of infrastructure that is bound to reach the end of its useful life at some point, yet plans for removing obsolete technology typically do not exist. What we often fail to consider is the fate of the service accounts associated with this aging software and infrastructure. Unmanaged or unused service accounts represent a real, and in the case of Target Corporation a hugely quantifiable, risk to any organization. Continuous intelligence-based pattern recognition and monitoring using an identity and access analytics product like Courion Access Insight is the easiest and most effective way to mitigate such risk.

Service accounts are accounts on a system that are intended to be used by software in order to gain access to and interact with other software. Correspondingly, it is common practice not to change the passwords of such service accounts frequently, so that the interconnection is not broken. These accounts are also frequently highly privileged, allowing a large number of activities to be integrated between systems.

How is this a risk if the accounts aren't meant for humans?

A breach of this kind is no more complicated than the hacks often seen on the news where someone has altered the message displayed on a road construction sign: an attacker finds or knows of a default service account and password that exists on the system and uses it to gain access.

The Target breach was only slightly more complicated: attackers were aware of a service account laid down automatically by the installation of BMC software. The attackers were able to leverage that service account to elevate the privileges of a new account they created for themselves on the network, and the rest is history. The attack cost Target an estimated $2.2 billion, and highlighted that some common IT practices may not be "best" practices at all.

How can this threat be managed? How does one even identify a service account?

When the service accounts have been purposefully created, identification of these accounts can be straightforward. Naming conventions within your IAM system can be applied that mark an account as a service account. However, too often there's no such obvious clue. This is where the pattern and trend recognition provided by an identity and access intelligence solution like Access Insight becomes key. The intelligence engine acts like a detective. It uses the circumstantial evidence about an account's activity and history to determine its purpose. The engine analyzes things like password reset history, login history, privilege patterns, ownership, and more to identify accounts that may be service accounts and that may represent a high risk of compromise.
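An added example of the kind of circumstantial-evidence heuristic described above, written in Python for this page rather than taken from Access Insight: it scores accounts on naming convention, missing owner, password age, logon type, host set and logon cadence, then flags the privileged ones with stale credentials. The accounts, field names, weights and thresholds are constructed for illustration.

```python
import re
from datetime import date, datetime, timedelta
from statistics import pstdev

# Purposeful naming conventions are the easy case; everything else needs the heuristics below.
SERVICE_NAME = re.compile(r"^(svc|sa|sys)[_-]|[_-](svc|service)$", re.IGNORECASE)

# Constructed sample accounts (assumed fields, as an IAM collector might gather them).
T0 = datetime(2016, 9, 25, 2, 0)
ACCOUNTS = [
    {"name": "svc_backup", "owner": None, "pw_changed": date(2014, 1, 1), "privileged": True,
     "interactive_logons": False, "logon_hosts": {"bkp01"},
     "logon_times": [T0 + timedelta(days=d) for d in range(5)]},          # nightly, one host
    {"name": "reportgen", "owner": None, "pw_changed": date(2015, 1, 1), "privileged": False,
     "interactive_logons": False, "logon_hosts": {"app01"},
     "logon_times": [T0 + timedelta(hours=6 * k) for k in range(4)]},     # no naming clue
    {"name": "jsmith", "owner": "jsmith", "pw_changed": date(2016, 8, 1), "privileged": False,
     "interactive_logons": True, "logon_hosts": {"wks17", "wks22", "vpn-gw"},
     "logon_times": [datetime(2016, 9, 26, 8, 3), datetime(2016, 9, 26, 13, 20),
                     datetime(2016, 9, 27, 7, 55), datetime(2016, 9, 28, 9, 10)]},
]


def logon_gaps_hours(times):
    """Hours between consecutive logons, in time order."""
    ts = sorted(times)
    return [(b - a).total_seconds() / 3600 for a, b in zip(ts, ts[1:])]


def service_account_score(acct, today):
    """Add up circumstantial evidence that software, not a person, uses this account."""
    score, reasons = 0, []
    if SERVICE_NAME.search(acct["name"]):
        score += 2
        reasons.append("naming convention")
    if acct["owner"] is None:
        score += 2
        reasons.append("no human owner on record")
    if acct["pw_changed"] is None or (today - acct["pw_changed"]).days > 365:
        score += 2
        reasons.append("password older than a year or never changed")
    if not acct["interactive_logons"]:
        score += 1
        reasons.append("network/service logons only")
    if 0 < len(acct["logon_hosts"]) <= 2:
        score += 1
        reasons.append("logs on from a fixed host set")
    gaps = logon_gaps_hours(acct["logon_times"])
    if len(gaps) >= 3 and pstdev(gaps) < 0.1 * (sum(gaps) / len(gaps)):
        score += 2
        reasons.append("clockwork logon cadence")
    return score, reasons


def classify(acct, today=date(2016, 9, 30)):
    """Likely service account? And is it the dangerous kind: privileged with a stale credential?"""
    score, reasons = service_account_score(acct, today)
    likely = score >= 5
    stale_pw = acct["pw_changed"] is None or (today - acct["pw_changed"]).days > 90
    if likely and acct["privileged"] and stale_pw:
        risk = "high"
    elif likely:
        risk = "medium"
    else:
        risk = "low"
    return {"name": acct["name"], "score": score, "likely_service": likely,
            "risk": risk, "reasons": reasons}


if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(classify(acct))
```

`reportgen` is the interesting case: nothing in its name says "service account", but no owner, a password untouched since 2015, non-interactive logons from a single host and a six-hour cadence add up to a score of 8, so it surfaces for review. `svc_backup` scores 10 and, being privileged with a credential last set in 2014, is rated high: that is the profile of an account worth either bringing under management or removing.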

We have quarterly compliance reviews, surely that will catch the risks, right?

Modern access governance is critical, but there are some gaps that modern attackers have learned to exploit. The biggest gap is speed. The typical organization will perform compliance reviews quarterly. These compliance reviews are great for looking back in time and reviewing what has happened, but they're not timely enough to catch an attacker red-handed.

As an analogy, consider the robbery of a bank vault. If it is discovered three months later, knowing what happened doesn't help much. But if an alarm sounds right away and summons the police, it does. Similarly, Access Insight gives you the tools to sound that alarm immediately, so you can understand what is happening within your network and take steps to remediate it at that moment, not three months later when the hacker is long gone with your data.

The next biggest gap is complexity. Large organizations can suffer from data overload. A compliance review may or may not catch every single service account risk in the organization which may be hidden somewhere amongst the thousands of pages of mundane, normal accounts. They're easy to overlook, and hard to find after the fact. Access Insight uses built-in algorithms combined with risk weighting you tailor to your network. This provides you with a color-coded, prioritized view of your organization's risk.

How fast can the problem be tackled?

To assist with this problem, Courion now offers a complimentary quick-scan evaluation of access risk that leverages Access Insight to help organizations gauge whether they have an ungoverned or unmanaged service account problem. This quick scan can often be completed in a single day and provides a prioritized view of where remedial action is needed most. Of course, fully deploying Access Insight on your network, regardless of which IAM suite you have installed, will give you the visibility, or insight, you really need through continuous monitoring to find and fix access-related risk, now and on an ongoing basis, not just at a point in time.

Tags: Josh, Access Insight, access, risk, Green, account, service

When the Lines Separating Employees, Contractors and Customers Blur

Posted by Nick Berents on Mon, Jul 07, 2014


I recently met with a Courion customer, one of the largest accountable care organizations in the US. This customer is based outside of Orlando, Florida, so naturally the topic of Disney came up. Over the past year Disney has figured out a way to use technology to distribute guests more evenly throughout the parks via their "Fastpass+" system. The end result is higher customer satisfaction by reducing wait times and increased revenue because now – you guessed it – vacationers can spend more time in the gift shops and restaurants.

Disney is able to accomplish this by setting up profiles that track your ride preferences in addition to your purchases. Vacationers can go through Disney's website portal, which is personalized based on their preferences, to make ride selections, dining reservations, and plans with others who also have profiles on the portal.

This was a massive investment and IT project for Disney. Naturally, it got me wondering: do they segregate this portal from their corporate networks? Are their employees also customers, and do they co-mingle their profiles? What about contractors they hire? Do they have access to the networks, and are they constantly being monitored? Do they set up profiles on the portal as well? Remember that the Target data breach came about as a result of a third-party HVAC vendor’s access being compromised.

I then asked the Courion customer what he looks for in an identity and access intelligence system like Access Insight®. This is when the conversation got serious. He made it clear where Access Insight fits in.

"What if someone has what appears to be safe access, but they happen to be an expert programmer? Once they're in your system they may start to make some movement that would cause your security people to ask questions like, 'Why has a person who should only have certain access suddenly been asking for access here, here, and here?' Those are the types of movements that really are suspicious, and in some of the security breaches we've read about, only after the fact do they say, 'Oh wow, if we had seen how somebody started to move along the access chain quickly at two in the morning, we would've been able to call this out.'"

"That's what Access Insight does. It alerts that there is movement that should not be, and we have a team on call 24 x 7 to monitor for alerts like that. It helps us understand if the movement is a natural course of action or a natural workflow. Or is this something that we need to wake some people up right now and stop and then investigate in the morning? Access Insight affords us the opportunity to see that."

He also acknowledged that most companies have very intricate infrastructure systems, and their IT departments are very well-schooled in protecting their environment. They receive penetration challenges every single day and they swat them back quickly. But what differentiates Access Insight is that it sees someone who has been given permission to come in under the guise of a role that fits the job profile, but who suddenly starts traversing the network because they have an extra skill or access that you don't know about. Access Insight keeps monitoring the people with permissions, so that any activity outside the normal parameters you would expect to see sends off an alert for your security team to stop, investigate, and take action if necessary.
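As an added illustration of the kind of detection the customer describes, here is a small Python detector that is not part of Access Insight or of the original post. It builds a per-user baseline (resources touched and hours of the day) from a constructed history and flags two patterns in newer events: activity outside both business hours and the user's own historical hours, and several never-before-seen resources touched within a short window, the "moving along the access chain quickly at two in the morning" case. Every user, resource and timestamp is constructed, and the business-hours range, window and threshold are assumptions.

```python
"""Added example: flag unusual access movement against a per-user baseline."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed history of normal activity: (ISO timestamp, user, resource).
# None of these users or resources are real.
BASELINE_EVENTS = [
    ("2014-06-02T09:05:00", "jdoe", "hr-portal"),
    ("2014-06-03T10:12:00", "jdoe", "hr-portal"),
    ("2014-06-04T14:40:00", "jdoe", "timesheets"),
    ("2014-06-02T09:30:00", "asmith", "crm"),
    ("2014-06-03T16:05:00", "asmith", "crm"),
]

# Constructed recent events to score against that history.
RECENT_EVENTS = [
    ("2014-06-10T10:00:00", "asmith", "crm"),          # routine
    ("2014-06-11T02:10:00", "jdoe", "finance-db"),     # new resource at 2 a.m.
    ("2014-06-11T02:15:00", "jdoe", "payroll-share"),  # second new resource
    ("2014-06-11T02:21:00", "jdoe", "domain-admins"),  # third within 30 minutes
    ("2014-06-11T11:00:00", "jdoe", "hr-portal"),      # routine
]

WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 counts as business hours


def build_baseline(events):
    """Summarize history as {user: {"resources": set, "hours": set}}."""
    baseline = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ts, user, resource in events:
        when = datetime.fromisoformat(ts)
        baseline[user]["resources"].add(resource)
        baseline[user]["hours"].add(when.hour)
    return dict(baseline)


def detect_movement(baseline, events, window=timedelta(minutes=30), new_resource_limit=3):
    """Return (user, reason, timestamp) alerts for two patterns:
    - activity outside business hours at an hour the user has never been active;
    - `new_resource_limit` never-before-seen resources touched within `window`
      (alerted once, when the threshold is crossed)."""
    alerts = []
    recent_new = defaultdict(deque)  # user -> timestamps of recent new-resource hits
    for ts, user, resource in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        profile = baseline.get(user, {"resources": set(), "hours": set()})
        if when.hour not in WORK_HOURS and when.hour not in profile["hours"]:
            alerts.append((user, f"off-hours access to {resource}", ts))
        if resource in profile["resources"]:
            continue  # part of this user's normal workflow
        hits = recent_new[user]
        hits.append(when)
        while hits and when - hits[0] > window:
            hits.popleft()  # drop new-resource hits older than the window
        if len(hits) == new_resource_limit:
            alerts.append((user, f"{new_resource_limit} new resources within {window}", ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_movement(build_baseline(BASELINE_EVENTS), RECENT_EVENTS):
        print(*alert)
```

Run against the constructed data, `asmith` produces nothing, while `jdoe` raises three off-hours alerts and one burst alert at 02:21 when the third unfamiliar resource is touched. In practice the baseline would be built from weeks of authentication and entitlement-request logs rather than five rows, and the thresholds tuned per population, which is the "normal parameters" judgment the post refers to.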

This is something all organizations, from our Orlando-based customer to Disney, need to consider as the news of insider threats continues to rise. Knowing how sensitive company information is being accessed, at what time and for what purpose is also key. Having this insight will ensure that insiders, nefarious or naïve, don't get a data breach fast pass.

Tags: Access Insight, access, analytics, Berents, Identity and access intelligence, Nick, security, IT

Register Now & Tune in on Wednesday June 25, 11:00 CET

Posted by Marc Lee - Director of EMEA Sales on Tue, Jun 03, 2014

Whether you call it Identity Analytics, Access Analytics or Identity and Access Intelligence, it seems that more and more respected analysts and journalists are now urging organizations to implement solutions like Access Insight to better reduce the risk that comes about with having orphan accounts, users with access rights beyond what is needed, or ungoverned privileged accounts lingering in the enterprise.

On that note, Martin Kuppinger, Principal Analyst for KuppingerCole, a global analyst company headquartered in Europe, will lead a webinar on Wednesday June 25 at 11:00 a.m. CET that looks at the broadening range of cyber-attacks and the risk associated with user identities and access. He will advise organizations to broaden their management beyond traditional provisioning and governance with identity intelligence and analytics.

Our own Kurt Johnson, Vice President of Strategy and Corporate Development, will also be participating and will dive into the details on how to implement an intelligence-focused IAM strategy so you can better identify vulnerabilities and improve preventive and detective controls.

Kurt will demonstrate how Access Insight can scan and evaluate your IT infrastructure for risk within hours, categorize and prioritize these risks, and help you create a comprehensive remediation plan.

Please register now and tune in!

Tags: intelligence, Webinar, lee, register, Martin, Access Insight, access, analytics, risk, identity, marc, KuppingerCole, Kuppinger

A Cure for Access Risk - Just What the Doctor Ordered

Posted by Nick Berents on Mon, May 12, 2014

Ever hear of the “good old days” when doctors made house calls? The doctor would visit your home in person and diagnose what was wrong, and then take the necessary steps to cure what ailed you.

IT security executives are busier than ever, and it is becoming increasingly difficult for them to make sense of all the headlines about data breaches or insiders doing damage with inappropriate access.

While there is a wide array of solutions that can address specific individual aspects of the security threat, we find customers often turn to Courion to request the IT security equivalent of a house call to help them diagnose what might ail their enterprise. They are seeking a prescription to reduce their risk.

They instinctively know that inside threats increase the risk of a breach, but they may not have the context, tools or time to seek out the access rights in the network that are open to abuse. But what if there was a low-cost way to diagnose potential insider access problems? What if you could run a simple diagnostic to determine where you are vulnerable?

Courion recently launched an assessment solution that can help identify that potential risk. The Access Risk Assessment is a professional service offering that leverages Courion’s Identity and Access Intelligence (IAI) analytics solution, Access Insight, to diagnose access risk in your organization and prescribe a cure: an actionable remediation plan to reduce that risk.

The Access Risk Assessment provides immediate actionable insight into such risks as orphan accounts; abandoned accounts; privileged accounts; and unnecessary entitlements.

Consider what a major multinational retailer found out in their assessment. They identified over 1,000 abandoned contractor accounts that needed to be terminated. They also found accounts for 130 terminated employees that needed to be de-provisioned. Not only that, they discovered 14,000 inactive user groups and determined that there were multiple users with access in excess of roles via hidden nested entitlements.
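The earlier post on the governance gaps describes risk weighting you tailor to your network to produce a prioritized view, and the assessment described here names the categories it reports: orphan accounts, abandoned accounts, privileged accounts, and access in excess of roles through hidden nested entitlements. The Python below is an added example, not Courion's code or the Access Risk Assessment itself. It classifies constructed directory accounts against a constructed HR feed, expands nested group membership to surface a hidden path to admin rights, and ranks the accounts by tunable weights. Every account, person, group, weight, the staleness threshold and the as-of date are constructed assumptions.

```python
"""Added example: classify and rank access risk from constructed identity data."""
from datetime import date

TODAY = date(2014, 5, 12)  # constructed as-of date for the assessment
STALE_DAYS = 90            # assumption: no login for 90 days means abandoned

# Constructed HR feed: who exists, their status and job role.
HR_PEOPLE = {
    "jdoe": {"status": "active", "role": "analyst"},
    "bkim": {"status": "terminated", "role": "analyst"},
    # "contractor42", "svc-backup" and "admin-old" have no HR record at all
}

# Constructed directory accounts with their direct group memberships.
ACCOUNTS = [
    {"name": "jdoe", "last_login": "2014-05-01", "groups": ["analysts", "project-x"]},
    {"name": "bkim", "last_login": "2014-04-15", "groups": ["analysts"]},
    {"name": "contractor42", "last_login": "2013-09-01", "groups": ["project-x"]},
    {"name": "svc-backup", "last_login": "2014-05-10", "groups": ["backup-ops"]},
    {"name": "admin-old", "last_login": None, "groups": ["domain-admins"]},
]

# Constructed nesting: a group listed here is itself a member of the groups named,
# so its members inherit that access.  project-x -> finance-readers -> domain-admins
# is the hidden nested path to admin rights.
GROUP_PARENTS = {
    "project-x": ["finance-readers"],
    "finance-readers": ["domain-admins"],
}
PRIVILEGED_GROUPS = {"domain-admins"}

# Assumed role model: the groups each job role is expected to hold.
ROLE_ENTITLEMENTS = {"analyst": {"analysts"}}

# Tunable risk weights, the tailoring the posts describe (constructed values).
WEIGHTS = {
    "orphan": 3,       # no matching person in HR
    "terminated": 5,   # the person has left but the account remains
    "abandoned": 2,    # no login for longer than STALE_DAYS
    "never_used": 2,   # created but never logged in
    "privileged": 4,   # effective membership in an admin group
    "excess": 3,       # holds access beyond the role model
}


def effective_groups(direct, parents=GROUP_PARENTS):
    """Expand direct memberships through nested groups, transitively."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(parents.get(group, []))
    return seen


def classify(account, hr=HR_PEOPLE, today=TODAY):
    """Return the list of risk findings that apply to one account."""
    findings = []
    person = hr.get(account["name"])
    if person is None:
        findings.append("orphan")
    elif person["status"] == "terminated":
        findings.append("terminated")
    last = account["last_login"]
    if last is None:
        findings.append("never_used")
    elif (today - date.fromisoformat(last)).days > STALE_DAYS:
        findings.append("abandoned")
    effective = effective_groups(account["groups"])
    if effective & PRIVILEGED_GROUPS:
        findings.append("privileged")
    if person is not None and person["status"] == "active":
        expected = ROLE_ENTITLEMENTS.get(person["role"], set())
        if effective - expected:  # anything beyond the role, nested groups included
            findings.append("excess")
    return findings


def prioritized(accounts=ACCOUNTS, weights=WEIGHTS, today=TODAY):
    """Rank accounts by weighted score, highest risk first; ties broken by name."""
    rows = []
    for account in accounts:
        findings = classify(account, today=today)
        rows.append((sum(weights[f] for f in findings), account["name"], findings))
    rows.sort(key=lambda row: (-row[0], row[1]))
    return rows


if __name__ == "__main__":
    for score, name, findings in prioritized():
        print(f"{score:2d}  {name:13s} {', '.join(findings) or 'clean'}")
```

On the constructed data the never-used admin account and the long-abandoned contractor account come out on top with equal scores, `jdoe` ranks third because a direct membership in `project-x` silently confers `domain-admins` through two levels of nesting, and the service account with no HR owner ranks last among the flagged accounts. Changing the values in `WEIGHTS` reorders the list without touching the classification, which is the separation between detection and risk tailoring that lets a team push the findings they care most about to the top of a review.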

What about your organization? Do you have the kind of insight you need to take action right away? This is what a senior VP at a major financial services organization had to say: “I was amazed by the insight the Courion Access Risk Assessment provided in such a short time. The assessment revealed elevated privileges that we were unaware of, and we uncovered administrator accounts that had been created, but never used. We were able to take quick action to eliminate this access risk.”

So how are you feeling about your access risk these days? If you don’t think you have a good handle on it, remember, some doctors still make house calls.

Tags: privileged, Access Insight, access, analytics, Berents, entitlement, Identity and access intelligence, Nick, risk, abandoned, account, orphan, Access Risk Assessment

10 Years of Retail Data Breaches: Will Consumers Revolt?

Posted by Jim Speredelozzi - Senior Manager, Inside Sales on Mon, Mar 24, 2014

“Houston, do we have a problem?”

Are the retail and payment card industries facing a catastrophic collapse in consumer confidence? With the 24/7 news cycle constantly reporting breaches at the largest retail firms, involving hundreds of thousands of customers’ data, it’s hard to argue otherwise. The news that Target’s CIO recently “resigned” shortly after Target disclosed the loss of 40 million or more credit card numbers just illustrates how serious the problem is.

Now, it seems like breaches are happening more often, and many involve brick-and-mortar stores’ point-of-sale systems. While the increase may be partially explained by disclosure laws and aggressive news outlets, that’s cold comfort for companies already struggling to compete with the convenience and price advantages of online-only firms like

What happens to the retail industry when consumers’ perception shifts to one where shopping online is safer than shopping at retail stores? The answer must have Jeff Bezos smiling, but it also must have him asking his CISO – are we at risk?

With that in mind, let’s review some top retail breach disclosures involving payment card data from the past 10 years, with links:

2005: DSW Shoes loses 1.4 million customers’ credit card numbers.

2006: OfficeMax loses 200,000 debit card numbers with PINs.

2007: TJX – the grand-daddy of all retail data breaches, 100 million+ accounts stolen.

2008: Forever 21 discloses a three-year long data breach and 100,000 credit card numbers stolen.

2009: Mitsubishi parts ways with 52,000 customer accounts and credit card data.

Of note: from 2005 to 2009, according to, there were 50 retail breach disclosures related to either a hack, an insider abusing access or other credit card fraud such as POS skimming devices. From 2010 to 2013 there were 260, a 5X increase.

2010: Proving small retail shops are not immune, Beer and Wine Hobby in Woburn, MA had 35,000 credit card numbers compromised.

2011: Proving the world’s largest companies and brands are not immune, Sony was hacked and thieves got away with the data of more than 100 million users, including over 12 thousand unencrypted credit card numbers.

2012: Hacktivist group “The Consortium” exfiltrates 40 million plain text credit card numbers from porn site operator Digital Playground (don’t worry, that link goes to a news story).

2013: Double feature? Target is stunned by a Black Friday attack that nets hackers more than 40 million card numbers from more than 100 million consumers, while high-end retailer Neiman Marcus is hit at the same time.

2014: While not yet confirmed, it appears Sears may have been breached in an attack that appears similar to the Target and Neiman Marcus incidents. Meanwhile, HR employees at The Home Depot were caught stealing employee data from 20,000 individuals (abusing legitimate access) and using that data to open up fraudulent credit card accounts.

As for 2014, it’s still only March!

Are we learning a lesson?

If you invest the time to read about these breaches, some common themes emerge:

1. Companies with locked down perimeters still leave their organizations vulnerable to illegitimate use of legitimate access

2. Attacks often go unnoticed for months and years and organizations typically don’t understand the full scope of their breach even years after they are disclosed

3. Hackers are becoming more organized and sophisticated every year

So what can be done?

Of course, Courion and other IAM solution providers have some good ideas. Start by shifting resources into securing and monitoring the “new” perimeter: user access. As Chris Sullivan points out in “Inside Out Thinking”, if 50% of your risk is from the insider threat or “access as the new perimeter”, then consider why 50% of your IT budget is not focused there. As further confirmation, Kurt Johnson’s post on “Intelligent Intelligence” cites the Verizon Data Breach Report’s statistic that 76% of breaches leverage user access in some way.

Once you have that budget shifted, start by using it on end user education. The people you let into your network (employees, contractors and customers) are often the soft underbelly of your security program. Most of them don’t want to be, but they may lack the knowledge or sophistication needed to be an IT security asset. Don’t assume they know what phishing, malware or password best practices mean to your ability to protect critical resources.

Next, review your core IAM program. Is it just a tool to make IT more efficient, or does it provide the intelligence to help spot attacks as they are happening? As an example, are you reviewing or recertifying access entitlements every six months, or do you have the capability to look for problem access on a continuous basis and require managers to review access as it becomes risky?

Finally, make sure you have a 24x7 monitoring capability – just like you do for your perimeter – that will alert you to attacks as they happen. And when you see these attacks, shut off the offending access immediately.

You can ask questions later, but you don’t want to be on the “top 10 breaches” list next year.

Tags: intelligence, Speredelozzi, insider threat, employee, Access Insight, analytics, breach, intelligent IAM, malware, jim, education