Why Deleting Security Groups Doesn't Have to be Scary

Posted by Ashley Sims - Marketing Manager on Thu, May 12, 2016


A few months ago our very own Chris "Sully" Sullivan, GM, Analytics/Intelligence, delivered a talk at the Gartner Identity and Access Management Summit to a group of IAM ninjas in London. Confession: I love hearing Sully speak. I always learn something, and I love watching the crowd learn these things along with me. However, at this event I was more surprised than usual at the response he got when he asked the simple question "how many people here delete security groups?"


You might as well have asked them whether they would be willing to donate a kidney to a stranger or had forgotten their cell phone at home that morning. Needless to say, almost everyone looked at Sully like he was crazy, which was exactly what he was going for.


The reason, he explained, that no one deletes these groups is because they can't tell what is in them. Can you imagine deleting a group because you thought no one needed it and it turns out that you just shut off your CEO's access to an application that he/she uses daily? Not a good look for the security team.


Sully's point for the presentation was that now, with access intelligence, you no longer need to be afraid of deleting these groups and cleaning up your network because you can finally drill down into these security groups and understand exactly what is at stake. The primary reason companies are loath to delete security groups in Active Directory is because they simply don’t understand the complexity of access such as how access is granted, nested entitlements, and direct versus indirect assignment of access.
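The nested-entitlement problem above (direct versus indirect assignment) is what makes a group deletion hard to reason about. The following is an added example, not Access Insight's or Courion's code, that computes effective membership through nested groups and answers "who loses access to what if this group is deleted" over a constructed directory and constructed resource ACLs.

```python
"""Impact analysis before deleting a nested Active Directory security group.

Added example for this post; not code from Courion or Access Insight. The
groups, users and resource ACLs below are constructed sample data.
"""
from collections import defaultdict

# Constructed directory: group -> direct members (user names or other groups).
GROUP_MEMBERS = {
    "Finance-All": ["alice", "bob", "Finance-Payroll"],
    "Finance-Payroll": ["carol", "Finance-Payroll-Admins"],
    "Finance-Payroll-Admins": ["dave"],
    "Legacy-Reporting": ["bob", "Finance-Payroll"],   # looks unused, but is it?
    "Old-Project": ["alice"],                          # no ACL references it
}

# Constructed resource ACLs: resource -> groups granted access to it.
RESOURCE_ACLS = {
    r"\\fs01\payroll": ["Finance-Payroll"],
    r"\\fs01\ledger": ["Finance-All"],
    "ReportingApp": ["Legacy-Reporting"],
}


def effective_members(group, groups=GROUP_MEMBERS):
    """Users reachable from `group` through any depth of nesting (cycle-safe)."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if member in groups:      # nested group: descend into it
                stack.append(member)
            else:                     # leaf: a user account
                users.add(member)
    return users


def compute_access(groups, acls):
    """user -> set of resources reachable via direct or indirect membership."""
    access = defaultdict(set)
    for resource, granted in acls.items():
        for g in granted:
            for user in effective_members(g, groups):
                access[user].add(resource)
    return access


def without_group(group, groups, acls):
    """Directory and ACLs as they would look after `group` is deleted: the
    group itself disappears, and so does every nesting link and ACE naming it."""
    new_groups = {g: [m for m in members if m != group]
                  for g, members in groups.items() if g != group}
    new_acls = {r: [g for g in granted if g != group] for r, granted in acls.items()}
    return new_groups, new_acls


def deletion_impact(group, groups=GROUP_MEMBERS, acls=RESOURCE_ACLS):
    """Return {user: [resources lost]} for everyone whose access would shrink
    if `group` were deleted. An empty dict means nobody loses anything."""
    before = compute_access(groups, acls)
    after = compute_access(*without_group(group, groups, acls))
    impact = {}
    for user, resources in before.items():
        lost = sorted(resources - after.get(user, set()))
        if lost:
            impact[user] = lost
    return impact


def direct_and_indirect(group, groups=GROUP_MEMBERS):
    """Split a group's effective users into directly assigned vs. inherited."""
    direct = {m for m in groups.get(group, []) if m not in groups}
    indirect = effective_members(group, groups) - direct
    return direct, indirect


if __name__ == "__main__":
    for g in GROUP_MEMBERS:
        print(g, "->", deletion_impact(g) or "nobody loses access")
```

Note that "Legacy-Reporting" is only named on one ACL, yet deleting it cuts off users who never appear in it directly because a payroll group is nested inside it.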


All businesses, regardless of industry, are faced with an exploding universe of identities, devices and data that employees require to do their job. The expanded use of mobile and cloud devices, along with non-employee and transitional employee access means that risk management and compliance is extending far beyond traditional enterprise limits. This can equate to trillions of access relationships that put your company at risk. How are you supposed to see into all of these relationships and understand the risks they pose?


With actionable intelligence through Access Insight 9.0 you get a comprehensive and continuous view and analysis of these trillions of relationships between identities, access rights, policies, resources, and activities. Our analytics engine pulls in these large amounts of identity and access data and stores them in its proprietary in-memory access analytics engine. The "engine" correlates relationships that exist between user identities and their fine-grained access within an organization. These analytics identify potential risk in a current and historical perspective in lines of business, governance, operations and applications.


For example, our Access Explorer builds every Active Directory group out in a spider diagram so that you can see whose access is connected and where your privileged accounts are linked.


Not only can you drill down into these details but our analytics provide the ability to analyze large amounts of identity and access data against policy and company defined models of activity patterns. This gives you the ability to personalize policies for your organization and with any change in these policies you can be immediately notified at any signal of dishonest or malicious behavior. Imagine having a solution that would automatically alert you and require a micro-certification when an account had access to do more than you believe it should?


It's time to start using all of this collected data to our advantage. It's time to start looking at our access relationships and prioritizing the risks our organization faces. Whether you have an Identity and Access Management solution or are working within your Active Directory, Access Insight can put your data to work for you.


Want to see how this looks within your organization? Request a demo of our Access Insight solution and see how actionable intelligence can help prioritize risk and transform your organization's security.



Checklist for a Vulnerability and Risk Management Solution

Posted by Felicia Thomas on Thu, Mar 10, 2016


What is Vulnerability and Access Risk Management?

Posted by Felicia Thomas on Thu, Mar 03, 2016

Threat intelligence is a company’s worst nightmare which pushes cyber security and risk management to the top of the list for standard operating procedures (SOP). Traditional risk management is a thing of the past, and corporations have begun investing in top-notch security solutions for their various databases. Although no solution will ever be 100% capable of preventing attacks, there are solutions that can help provide roadblocks to deter these occurrences. With proper detection solutions, a company becomes proactive—rather than reactive—to fight against vulnerabilities that exist in their systems.

Large organizations are riddled with increasing threats to their system infrastructures and customer data. The vast majority have moved into protecting these assets with Identity and Access Risk Management (IAM). An emphasis on compliant provisioning of users, identifying management of roles, the maintenance of compliant roles, and processes to manage segregation of duties (SoD) are the focuses of this type of management tool. However, in some cases, the traditional IAM solution is not enough protection against threats.

Many large corporations want an automated, rules-driven solution that can provide quick remediation around network access controls. However, before an attack occurs and remediation can begin, there is the challenge of anomalous activity detection from the infrastructure level. To help with this detection, many companies have instituted consistent monitoring by scanning the system for potential threats to safeguard their infrastructures.

Dynamic provisioning capabilities through IAM, and the proper protection to deter attacks from the infrastructure level with vulnerability management, can position a corporation to achieve the best level of protection possible. This introduces the concept of the acronym VARM – Vulnerability and Access Risk Management. It’s not just the first line of defense; it’s a complete, end-to-end solution that will break the “kill chain” from system threats within the enterprise.


Want to learn more about Vulnerability and Access Risk Management and how it can help your organization? Download our new eBook and learn:


  • How Vulnerability and Access Risk Management really works
  • VARM's impact on governance and remediation
  • Tools to remediate vulnerabilities
  • Prioritization for reducing risk
  • Checklist for a VARM solution


The Hacker Who Stole Christmas

Posted by Joaquin Ruiz on Thu, Dec 17, 2015



Intelligent IAM for Risk Assessment

Posted by Steve Morin -Director, Product Management on Thu, Aug 20, 2015

Welcome to the last installment of our 3-part series exploring how intelligence improves identity and access management, or IAM. In part 1 we looked at how intelligence improves the provisioning portion of IAM. In part 2 we took a look at how intelligence improved the governance portion of IAM. In this segment we look beyond just provisioning and governance to address how intelligent IAM can help to reduce the top 5 most common elements of risk: identity, resources, rights, policy, and activity. 

1. Identity: In part 2 of our series, we discussed how human resources were the most dynamic risk facing security teams today. The reason behind this is that you are constantly managing changing identities. Who are you? What is your role? What do you need access to? These are questions constantly being asked by our system and can equate to hundreds or even thousands of access requests a year. 

With intelligent IAM, all roles are built into the system along with the basic applications that they need access to. For example, when a marketing manager was hired, they would be led through the system to request access to their email account, marketing file share folder, and marketing automation software because those are typical of their role and inside their peer group. All requests that fall within the boundaries of their peer group they would be automatically approved for. However, if they wanted access to, say the sales folder, they would have to request special access. This solution gives the user guidelines rather than the all too common shopping cart approach where they are requesting items that they don’t really need and creating a backlog of requests while the approver decides if they really need that access.

2. Resources: With so many business applications, servers, mobile devices, etc. do you know which assets are critical and must be protected? Do you know which seemingly innocuous applications tie back to a server that needs to be protected?

Governance certifications exist to monitor access to the most sensitive information, applications, and servers. Intelligent IAM governance will not only monitor your most sensitive data, but will send up a flag, or an alert, when a high risk event takes place. When accounts are created outside of the provisioning system or high risk applications are granted outside of a role or peer group they will be flagged as a "critical risk". 

3. Rights: Who really needs access to what? Before intelligent IAM all provisioning and governance had to be audited to make sure that the right people had the right access to the right things. The issue was that those rights were always changing. Some applications are not as high risk and can be audited on an annual or semi-annual basis. However, there are other applications that are highly critical and must be assessed on a monthly or weekly basis. Doing this manually for all employees would be impossible.

By using intelligence, your IAM system can review rights as needed and ask for re-certification for sensitive applications. For example: an email account can be automatically re-certified each month as long as the employee isn't terminated. However, the payroll system may need a monthly manual re-certification to make sure that only the right people have access.

4. Policy: What business rules must be enforced in your company? What segregation of duties do you rely on? This is another risk taken care of, somewhat automatically, by the assignment of roles within the organization. Segregation of Duties is an easy addition, especially when set initially. Managers should not be able to both post and approve their own time cards, nor should they be able to place and approve a purchase order. Governance certification and approvals as well as segregation of duty assignments will help to mitigate this risk rather easily.

5. Activity: Who is doing what? And when? Visibility into all of your applications and systems is an extremely difficult task and without an automated system is basically impossible. Much like with the alerts sent by your high risk resources, you can use intelligent IAM to see what your users are doing with real time monitoring and be alerted to any inconsistencies. This real time look into your system shows you what is happening with approvals as well as risk assessment and can take away the need for annual or semi-annual auditing. With an automated system you will be able to see sensitive updates monthly, weekly, or as needed instead of having to wait 6 to 12 months for an audit.

While the idea of an Identity and Analytics system is not new, we believe that the use of intelligence in IAM is revolutionizing the industry. With the use of real-time data and information backed automation systems, you are able to have visibility into your system at any time rather than waiting for an audit. Your decisions will be made based on the most accurate and up to date information.

Want to know more about how Intelligent Identity and Access Management can help you mitigate risk in your organization? Download our eBook, Improving Identity and Access with Intelligence, and learn about: 

- What is Intelligent IAM? 

- Intelligence for Provisioning

- Intelligence for Governance

- Intelligence for Risk 

- And More! 




Internships: Risk vs. Reward

Posted by Tommy Duncan - Regional Sales Manager on Thu, Aug 06, 2015

By now, you’ve surely seen the signs, the sales, and the sad faces that signal the start of a new school year. While this may mean the end of summer as you know it, it also means the end of hundreds of thousands of summer internships. Did you know that 84% of college students plan on completing an internship before graduating? This means that – more than likely – you will have your fair share of interns coming and going from your organization each year. 

Don’t get me wrong; interns are great! They no longer serve just to grab your morning coffee. Interns today are integral members of your team and bring a fresh perspective, not to mention extra brainpower, to your projects. However, just as with all types of employees, they also bring their own set of risks, and you need to be prepared.

Privileged Access

It’s hard enough to know, even as a new full-time employee, what applications you need to access. Imagine being an intern and wondering what these applications are, what they do, and which ones you need. The task is daunting to say the least. The key to helping new interns, and all new employees, with understanding what applications they need can be solved by having an IAM solution that will guide them through the provisioning phase.

With an intelligent IAM solution, your new interns will be guided through the system and will be shown applications that they have been pre-approved for based on their role. If these interns need more privileged access based on their projects, they can request that access and a request will be sent to their manager for approval. With an intelligent provisioning solution, you save your interns time by showing them what applications they need while you cut down on the risk of privileged access from interns being granted access to critical applications.

Millennial/Creative Risk

I am not a millennial, but I do understand their attraction to the newest and best of everything. Who doesn’t want to be up-to-date on the newest trends? For example, do you know what kik, snapchat, yikyak, and listicle are? Neither did I, until our newest marketing intern taught us all about these new and innovative social media platforms. While interns are bringing in fresh knowledge and new applications for your company to take advantage of, you need to be aware of the risks they pose. Just like with BYOD risks, opening up your network to new social media sites, content applications, or other software can leave it vulnerable to attacks.

In order to make sure that you’re getting the best of both worlds, new information and a secure connection, make sure that you instill in your newest team members a culture of security. Through training videos, in-person demonstrations, and/or an ongoing culture of security in your organization you will make them aware of practices such as not downloading anything without prior approval, checking with IT for your BYOD devices, and more. Not only will your organization profit from building your internal security team but you will be imparting a vital career skill into each of your interns.

End-of-Session Threats

Hopefully, by the end of their session you have turned your unseasoned interns into experienced professionals. What is the easiest way to make sure your intern’s access is terminated? You guessed it, an intelligent IAM system. The same system that provisions access for your team will make sure to monitor it for orphaned or misused accounts. This way you will receive an alert if your intern is accessing applications outside of their role or after an extended period of the account being unused. Either of these instances will alert you to either your intern, or a hacker, breaching your system and will point you to the orphaned or hacked account. Now as you say goodbye and send them back to school, make sure that you’re saying goodbye to their user access as well. Just as with any employee that leaves the company, your interns’ access rights also need to be terminated. Orphaned accounts are a major liability to your system and can be an easy target for hackers. Occasionally, not that any of your interns would do this, some ex-interns log back onto the system after their program is over and steal information. Terminating their access rights before they have a chance to log back in is the safest way to prevent file theft.
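The checks this paragraph describes (access outside the role, an account unused for an extended period, an account that outlives its owner's program) are the same "clean house" items the deterrence discussion later on this page lists: abandoned and orphan accounts. As an added example, not Courion's code, here is that review run over a constructed HR feed, constructed directory accounts and constructed access events; the 30-day idle window is an assumed threshold.

```python
"""Detection of orphaned, abandoned and out-of-role accounts.

Added example for this post; not Courion's code. The HR feed, directory
accounts, role baselines and access events are constructed sample data,
and the 30-day staleness window is an assumed threshold.
"""
from datetime import date, timedelta

TODAY = date(2015, 9, 1)            # constructed reference date
STALE_AFTER = timedelta(days=30)    # assumed "extended period of being unused"

# Constructed HR feed: current people, their role and (for interns) end date.
HR_RECORDS = {
    "jsmith": {"role": "marketing_intern", "end_date": date(2015, 9, 15)},
    "mlee": {"role": "marketing_manager", "end_date": None},
    "tnguyen": {"role": "finance_intern", "end_date": date(2015, 8, 14)},  # program over
}

# Constructed role baselines: what each role is expected to touch.
ROLE_BASELINE = {
    "marketing_intern": {"email", "marketing_share"},
    "marketing_manager": {"email", "marketing_share", "marketing_automation"},
    "finance_intern": {"email", "finance_share"},
}

# Constructed directory accounts with their last interactive sign-in.
ACCOUNTS = {
    "jsmith": {"last_login": date(2015, 8, 30)},
    "mlee": {"last_login": date(2015, 8, 31)},
    "tnguyen": {"last_login": date(2015, 8, 27)},
    "svc_old": {"last_login": date(2015, 6, 1)},   # nobody in HR owns this one
}

# Constructed access events: (user, resource, when).
EVENTS = [
    ("tnguyen", "finance_share", date(2015, 8, 27)),
    ("jsmith", "sales_share", date(2015, 8, 30)),
    ("mlee", "marketing_automation", date(2015, 8, 31)),
]


def review_accounts(today=TODAY, hr=HR_RECORDS, accounts=ACCOUNTS, events=EVENTS):
    """Return a list of (user, finding, detail) tuples for an access reviewer."""
    findings = []
    for user, acct in accounts.items():
        record = hr.get(user)
        if record is None:
            findings.append((user, "no_hr_record", "account has no owner in the HR feed"))
        elif record["end_date"] and record["end_date"] < today:
            findings.append((user, "past_end_date",
                             "program ended %s but account is still enabled" % record["end_date"]))
        idle = today - acct["last_login"]
        if idle > STALE_AFTER:
            findings.append((user, "abandoned", "no sign-in for %d days" % idle.days))

    for user, resource, when in events:
        record = hr.get(user)
        if record is None:
            continue   # already reported as no_hr_record above
        if record["end_date"] and when > record["end_date"]:
            findings.append((user, "activity_after_end_date",
                             "%s used on %s, after end date %s" % (resource, when, record["end_date"])))
        if resource not in ROLE_BASELINE.get(record["role"], set()):
            findings.append((user, "out_of_role",
                             "%s is outside the %s baseline" % (resource, record["role"])))
    return findings


def offboarding_queue(findings):
    """Accounts whose access should be disabled now rather than at the next audit."""
    urgent = {"no_hr_record", "past_end_date", "activity_after_end_date"}
    return sorted({user for user, kind, _ in findings if kind in urgent})


if __name__ == "__main__":
    results = review_accounts()
    for user, kind, detail in results:
        print(user, kind, detail)
    print("disable now:", offboarding_queue(results))
```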


Did I scare you away from the possibility of bringing in your fall interns? I hope not. As I said before, interns are great and can be hugely beneficial for your organization. These team members can be an integral part of your organization and should be accepted as such. However, keep in mind that they have their own inherent risks and need to be treated with the same security protocols as any other members of your team. Make sure you are building more than just interns; build strong, security-aware team members that will continue to excel long after they’ve finished their program.


Assessing the Risk of Identity and Access, Part 2

Posted by Venkat Rajaji on Thu, Jun 18, 2015

Venkat Rajaji VP of Product Management & Marketing

In part one of this blog, we shared reasons why your security team may not be able to sleep at night: risks to your information technology infrastructure that may be caused by risk from identities and their access. We discussed the most common access risks—from the routine to those caused by changes in the business—and provided some reasons why you may want to look inside, and not just invest in perimeter security. If you haven’t yet read part one, you can do so here.

So now that we know what the risks are, let’s discuss ways to mitigate these access risks and gain visibility into your organization.

Identity and Access Management Controls

When we look at provisioning identities or certifying access for governance, it quickly becomes a rubber-stamping process. You want to make sure the right people have the right access but what if you don’t know what that person needs for his or her job? Do you reject or approve? Other than a slowdown in productivity, there is no bad outcome if you don’t approve access, but instead request additional sign-offs. After all, with hundreds of thousands of people and identities, access rights and roles, policies and regulations, actions, and resources, you have trillions of access relationships to manage.

In a survey conducted by Courion about the access risks that cause the most anxiety, number one on the list—at 46 percent—was privileged account access; that is, accounts such as those used by administrators that have increased levels of permission and elevated access to critical networks, systems, applications, or transactions. Other anxiety-causing access issues that accounted for 31 percent were unnecessary entitlements and abandoned or orphaned accounts. What this tells us is that over half of the anxiety in your organization is based on provisioning.

To effectively address this issue, we need to start looking at not just passing our audit at the end of the year but also at the true impact of risk created through increased or inaccurate access credentialing on an ongoing basis.

But what if with each request you received you also knew the perceived risk of approving or rejecting it? What if you could take a look at all of your credentials across your system and see who was the greatest risk? That’s where an intelligent or risk-aware identity and access management tool comes in.

With risk-aware IAM you have the ability to automate your provisioning process to keep your backlog at a minimum and still ensure that you are provisioning the correct access to your employees without just rubber-stamping an approval. With intelligence driving your provisioning and governance you can see risks long before you have an issue. Imagine if you were able to log in and see access credentials listed like this:

Risk Aware IAM Table

We need to understand these access risks on a scale from low risk to high. Provisioning today includes a request, a policy evaluation, and a quick approval or rejection of the request. At Courion, we see things differently. If the request is seen as a low risk item, then it gets passed through and fulfilled in our automated system.

Provisioning Tool

But for other access requests which may represent some risk, the access request will require an approval or both an approval and a micro certification.

This micro-certification, or risk-based certification review, provides holistic context around the information being examined, allowing an IS manager to make an informed decision on whether a user’s access is suitable before granting it. By performing these narrowly focused micro-certifications, organizations can reduce access risk in a smarter, more efficient way on the front end of the request and guard against over- or under-privileged accounts.

Provisioning System
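The flow described above (request, policy evaluation, then auto-fulfil for low risk, approval for moderate risk, and approval plus micro-certification for the rest) is shown below as an added example; it is not Courion's code. The peer-group baselines, sensitivity scores, thresholds and segregation-of-duties pairs are constructed, the SoD pairs taken from the time-card and purchase-order cases in the "Policy" item earlier on this page.

```python
"""Risk-aware triage of access requests (request -> policy evaluation -> outcome).

Added example for this post; not Courion's code. Role baselines, sensitivity
scores, thresholds and segregation-of-duties pairs are constructed.
"""
from dataclasses import dataclass, field

# Constructed peer-group baselines: entitlements typical of each role.
PEER_GROUP_BASELINE = {
    "marketing_manager": {"email", "marketing_share", "marketing_automation"},
    "sales_rep": {"email", "sales_share", "crm"},
    "manager": {"email", "timecard_approve", "po_approve"},
}

# Constructed inherent sensitivity of each entitlement (1 = routine, 5 = critical).
SENSITIVITY = {
    "email": 1, "marketing_share": 1, "marketing_automation": 2, "sales_share": 2,
    "crm": 2, "timecard_post": 2, "timecard_approve": 3, "po_create": 3,
    "po_approve": 4, "payroll_admin": 4, "domain_admin": 5,
}

# Constructed segregation-of-duties conflicts: one person must not hold both.
SOD_CONFLICTS = {
    frozenset({"timecard_post", "timecard_approve"}),
    frozenset({"po_create", "po_approve"}),
}

PRIVILEGED = {"payroll_admin", "domain_admin"}   # constructed privileged set


@dataclass
class AccessRequest:
    user: str
    role: str
    requested: str
    current_access: set = field(default_factory=set)


@dataclass
class Decision:
    user: str
    requested: str
    risk_score: int
    action: str          # auto_fulfil | approval | approval_and_microcert
    reasons: list


def sod_conflicts(requested, current_access):
    """Entitlements already held that conflict with the requested one."""
    return sorted(e for e in current_access
                  if frozenset({requested, e}) in SOD_CONFLICTS)


def evaluate(req):
    """Policy evaluation: score the request and pick the provisioning path."""
    reasons = []
    score = SENSITIVITY.get(req.requested, 3)   # unknown entitlement: assume moderate
    if req.requested not in PEER_GROUP_BASELINE.get(req.role, set()):
        score += 2
        reasons.append("outside peer-group baseline for role '%s'" % req.role)
    if req.requested in PRIVILEGED:
        score += 3
        reasons.append("privileged entitlement")
    conflicts = sod_conflicts(req.requested, req.current_access)
    if conflicts:
        score += 4
        reasons.append("segregation-of-duties conflict with " + ", ".join(conflicts))

    if conflicts or score > 5:
        action = "approval_and_microcert"   # approver plus a focused review
    elif score > 2:
        action = "approval"                 # manager sign-off before fulfilment
    else:
        action = "auto_fulfil"              # routine, in-baseline: no human needed
    return Decision(req.user, req.requested, score, action, reasons)


def prioritise(requests):
    """Triage a backlog so reviewers see the riskiest decisions first."""
    return sorted((evaluate(r) for r in requests),
                  key=lambda d: d.risk_score, reverse=True)


if __name__ == "__main__":
    backlog = [
        AccessRequest("mmgr", "marketing_manager", "marketing_share"),
        AccessRequest("mmgr", "marketing_manager", "sales_share"),
        AccessRequest("boss", "manager", "timecard_post", {"email", "timecard_approve"}),
        AccessRequest("newadmin", "sales_rep", "domain_admin"),
    ]
    for d in prioritise(backlog):
        print(d.risk_score, d.action, d.user, d.requested, d.reasons)
```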

Intelligent IAM is the next-level evolution of traditional IAM. Each process is led with intelligence with front end approvals and risk assessments that allow near real-time decisions that manage and mitigate risk to the company. According to Gartner, “By year-end 2020, identity analytics and intelligence tools will deliver direct business value in 60 percent of enterprises, up from less than 5 percent today.”

Through continuous monitoring and analytics applied to your provisioning and governance activities in real time, you are able to see the most up-to-date information thus allowing your company to truly make data-driven decisions. With intelligence driving policy, provisioning, and access decisions, you can mitigate risk in real time and have better visibility into your organization.

Are you looking for more visibility into your company’s identity and access risk? With a Quick Scan assessment of your organization’s access risk we can help you take a quick look into your security measures and provide you with a plan of what you can do to mitigate those risks. If you would like more information on what a Quick Scan can do for your company, contact us today at 1-866-COURION or at info@courion.com.  


Increase IT Efficiency & Improve Security with Intelligence Enabled IAM

Posted by David Paparello - Solution Strategist on Mon, Oct 27, 2014

“Too much to do, too few resources.”

This is a phrase that all too frequently comes up in the discussions that I have with IT staff in organizations around the globe. They feel never-ending pressure to improve security and service to the business, but usually with the same or fewer resources. This is a challenge that is especially glaring when trying to marry solid Identity and Access Management practices with current business processes.

For example, a security manager I spoke to at a large health organization was nearly brought to tears as he talked about the need to accurately track an ever-changing user population where the same person might move through multiple roles and through multiple access scenarios in the course of just a week. At another organization, a help desk manager I worked with wrestled daily with an avalanche of access requests from users who had no idea what access to request, and were seeking help from administrators who in turn had no idea what access users actually needed.

What’s often needed in these situations is an IAM program that is centered on incremental progress that can provide some instant relief while also generating the time and resources needed so that the program can subsequently be expanded into a comprehensive solution. The key is to know where to begin, and to aim for quick business value. Those quick wins will help free-up resources by simplifying and automating processes that typically suck-up valuable manpower and time. Each incremental win then makes it easier to maintain momentum and expand user buy-in within the organization.

To get started with an IAM program that supports this kind of continuous improvement, you should first understand your identity and access landscape. By leveraging intelligence, as with Courion’s Access Insight, you can get an immediate evaluation of Microsoft Active Directory, a key system for most organizations. The dashboards included with Access Insight highlight potentially urgent security issues as well as IAM processes that may be broken. Access Insight integrates with the Access Assurance Suite or other IAM solutions so you can drill down to fix those broken processes and promptly disable access for terminations and properly manage non-employee access.

Another benefit of getting the big picture view of your identity and access landscape with Access Insight is to better understand who has access to what and to put automated processes in place to refresh that information at least daily. Even the most complex scenarios benefit greatly from putting rules in place that can automatically map access for 70-95% of the workforce. Allowances can be made for exceptions to be handled manually so that no one falls through the cracks.

With this real-time access information available as a foundation, you can then tackle any number of pain points. For example, most often, the onboarding and offboarding processes for user accounts cry out for attention. Offboarding, both planned and unplanned, is generally simple to address with an intelligence-enabled IAM solution such as the Courion Access Assurance Suite, alleviating security and/or audit concerns.

In addition, automating at least basic, birthright access for new hires can be both a quick win and a foundation for continuous improvement. Role-based access can be incrementally added to the new hire process. You can pick and choose where it’s worth investing effort, for example, where job turnover is high, or where access is very similar across a function. Implementing some roles into this process delivers a triple win – providing the right access (better security) at the right time (improved service) and reducing the number of access requests (boost IT efficiency).

Leveraging intelligence, you can start to cut down on the effort required to develop roles. Intelligence solutions such as Access Insight use analytics to attack the mountain of access data available to find those access patterns to suggest appropriate access for a user. Let the computer do the work!

If your help desk is struggling to keep up, there are several ways to alleviate the pressure while also enhancing security and providing better customer service. For example, a streamlined, centralized access request process provides these multiple benefits.

I often remember an IT manager I worked with at a manufacturing company whose request process included 140 different forms! It was a huge improvement when we helped his organization move to a simple, one-stop access request shopping solution that included a full audit trail and built-in approval process.

With an intelligence-enabled IAM solution such as the Courion Access Assurance Suite, the request process is enhanced because it provides guidance to the user regarding what to request. This is done via intelligent modeling of user access, which suggests access options for users in similar roles. The Access Assurance Suite also provides ‘guard rails’ against the inadvertent provisioning of inappropriate access because it automatically checks for possible policy violations, such as Segregation of Duty, during the request process.

As fundamental as it may seem, a self-service password management solution is also of great benefit to users, IT and help desk staff. Password reset calls often account for 25% or more of help desk calls. Shifting those inbound requests to a self-service process will free up IT and help desk time to tackle more high value activities while allowing end users to avoid waiting on a phone to get a password reset.

Last on this list but not last in priority, is the recertification of user access. Access recertification is a best practice and, likely, a legal and audit requirement. With an intelligence-enabled IAM solution in place this effort can begin by assembling data that details ‘who has access to what’. You can then leverage that information to provide a business-friendly recertification process that does not tax IT resources with hours of assembling spreadsheets from a multitude of systems.

While periodic re-certifications are important and necessary, Intelligence also allows you to trigger automated ‘micro-certifications’ based on policies you define. For example, you may create a policy where a user who gets access to highly sensitive data outside the norm kicks off an access recertification process. This type of risk-aware micro-certification reduces the kind of access risk that exists where waiting six months for the next review could be dangerous. This has the added benefit of maintaining compliance continuously, thus expediting the next audit you face.

Clearly, it’s possible to make significant progress in a relatively short time. The key is that these are not Band-Aid solutions, but the bricks that form a solid foundation for building a comprehensive, flexible and risk-aware IAM solution.


Making Traditional IAM More Intelligent: Deterrence & Detection

Posted by Brian Milas - CTO on Wed, Aug 06, 2014

Now that Cloud Identity Summit is over, I’m taking some time to reflect on the Intelligence workshop. In the workshop we looked at some of the IAM approaches used today and some of their limitations. Given that the bad guys are motivated and creative, we need to look to new techniques to detect and deter them. Applying analytics and Intelligence fundamentally changes the game from the traditional approaches.

Reports on data breaches illustrate the large contribution that hackers make to data breaches as compared to other methods such as lost laptop or lost media. As an example, check out:

– InformationIsBeautiful.net

– Ponemon’s 2014 report on the cost of data breaches, which states, “In most countries, the primary root cause of the data breach is a malicious insider or criminal attack.”

– Verizon Data Breach Investigations Report, which states, ". . . 92% of the 100,000 incidents we've analyzed from the last ten years can be described in just nine basic patterns."

– New York State Attorney General Data Breach Report, “Hacking attacks accounted for over 40 percent of data security breaches, between 2006 and 2013.”

Source: InformationisBeautiful.net

So just how prevalent are data breaches? Consider these statistics:

– 20M

– 7.4M

– 900

– 1.3B

These numbers come from the aforementioned New York State Attorney General Report which analyzed data breaches:

– 20M: the approximate population of New York State in July 2013

– 7.4M: the number of residents breached in 2013, roughly 37% of that population (7.4M of 20M)

– 900: the number of breaches in 2013, about 2.5 per day, or roughly 8,000 records per breach. The number of breaches has tripled since 2006.

– $1.3B: the cost to the public and private citizens of these breaches

So what's missing from today's techniques? We see two major challenges.

Deterrence: What can you do NOW in IAM to reduce the likelihood of a breach? Clean house and reduce the attack surface: get rid of abandoned accounts, make sure orphan accounts are properly managed, eliminate access that is not needed, keep superuser and administrator accounts to a minimum, and manage to least privilege. For further confirmation of these suggestions, see the 2014 Verizon DBIR recommendations and version 5 of the SANS Critical Security Controls:

The 2014 Verizon Data Breach Investigations Report recommends four identity and access management tactics to address insider and privilege misuse:

– Know your data and who has access to it

– Review user accounts

– Watch for data exfiltration

– Publish audit results

And the SANS Institute, a leader in computer security training, offers version 5 of the organization’s Top 20 Critical Security Controls, which recommend several identity management processes:

– Controlled Use of Administrative Privileges

– Maintenance, Monitoring, and Analysis of Audit Logs

– Account Monitoring and Control

– Data Protection

Monitoring and Detection: Cleaning your house (reducing the attack surface) is good, but you must also detect when a "spill" occurs. By monitoring and acting on anomalies you start to shrink the window available for exploitation, and that means keeping constant watch with identity and access intelligence or analytics.

To get the big picture of access across everything (from person to data) you'll need to understand and analyze the relationships between different objects and systems . . . but this quickly becomes millions and billions of relationships in a typical organization. As Mark Diodati of Ping Identity discussed in his "Modern Identity" presentation, the difficulty of managing identity and access increases with distance, which you can think of as "remoteness."

The second challenge has to do with time, more specifically reaction time. Our ability to detect and react to a breach or vulnerability moves more slowly than the adversary. Hence we have little (or no) time to act . . . we're constantly "on our heels".

Let’s look at a typical lifecycle with IAM. The frequency between “Assign” and “Review” may be months, quarters, or even longer:

Assign Access >> Time passes >> Things Change >> Review Access & Remediate

How do we increase the frequency of our detect/react cycle to better combat the adversary? By improving our capabilities around:

– Complexity

– Speed

We need to continually analyze and understand the complexity, and to monitor. "Monitor" can run on the order of hours or minutes . . . allowing the "Review" step to happen much more quickly:

Assign Access >> Monitor as Time Passes & Things Change >> Review Access & Remediate

The Insider and Privilege Misuse section of the Verizon DBIR summarizes the discovery timeline (figure 38). Detection within days (34%) is good, but many incidents took months (11%) or years (2%) to discover.

By applying Intelligence and Analytics, we can continually update and understand complexity, and then detect and act on things that we have been proactively looking for . . . increasing our speed and frequency. In addition, with all of the complex relationships analyzed and at hand, we’re free to slice, dice, drill down and apply forensics to identify the next/upcoming set of things to monitor . . . adding those into the category of complex items that we can:

Understand, and


Traditional approaches are an important part of providing security, speed, and value to the business . . . but we can do better. As CIOs and CISOs, we are in an arms race with the bad guys, and in some ways it's an arms race to keep up with the complexity of the business's environment. Through the application of analytics and intelligence along with other approaches, we can understand and manage complexity and act on it more quickly, mitigating breaches quickly or, even better, reducing risk and avoiding some of them altogether.
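The two halves of this post, the deterrence clean-up list and the "monitor as time passes" detection loop, and the policy-driven micro-certification described at the end of the previous post, as an added Python example. This is not Courion's code or anything from the page; it runs an access-intelligence pass over a constructed Active Directory-style snapshot. Group names, logins, entitlements and dates are all made up, the 90-day staleness threshold and the SENSITIVE set are assumptions standing in for a real policy, and the "later" snapshot is a constructed change (a nested group added to Domain Admins) of the kind a periodic review would miss for months.

```python
from collections import deque
from datetime import date, timedelta

# Constructed Active Directory-style snapshot; every name here is made up.
# A member set may contain other groups. With AD nesting, members of the inner
# group indirectly receive everything the outer group grants.
GROUPS = {
    "Domain Admins":  {"alice", "svc_backup"},
    "Finance-Admins": {"bob", "Finance-Users"},     # Finance-Users is nested here
    "Finance-Users":  {"carol", "dave", "ghost01"},
    "HR-Readers":     {"HR-Users"},
    "HR-Users":       {"erin"},
}
# What each group is for: the entitlements it grants in the target systems.
GROUP_ENTITLEMENTS = {
    "Domain Admins":  {"AD:*"},
    "Finance-Admins": {"SAP:post_journal", "SAP:approve_payment"},
    "Finance-Users":  {"SAP:view_ledger"},
    "HR-Readers":     {"Workday:view_salary"},
    "HR-Users":       {"Workday:self_service"},
}
SENSITIVE = {"AD:*", "SAP:approve_payment", "Workday:view_salary"}  # assumed policy
# login -> (HR employee id, or None if no owner; last logon date)
ACCOUNTS = {
    "alice":      ("E1001", date(2014, 8, 1)),
    "bob":        ("E1002", date(2014, 7, 30)),
    "carol":      ("E1003", date(2014, 8, 4)),
    "dave":       ("E1004", date(2014, 1, 15)),   # silent for months
    "erin":       ("E1005", date(2014, 8, 5)),
    "ghost01":    (None,    date(2014, 3, 2)),    # nobody in HR owns this login
    "svc_backup": ("E1001", date(2014, 8, 5)),    # service account owned by alice
}
AS_OF = date(2014, 8, 6)
# Time passes, things change: a helpdesk ticket nests HR-Users into Domain Admins.
GROUPS_LATER = {g: set(m) for g, m in GROUPS.items()}
GROUPS_LATER["Domain Admins"].add("HR-Users")


def parent_map(groups):
    """Invert the membership graph: member -> set of groups that list it directly."""
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def effective_entitlements(login, groups, group_entitlements):
    """Walk nested membership upward; return {entitlement: group that grants it}.
    Direct groups are visited first, so a direct grant is reported over an indirect one."""
    parents = parent_map(groups)
    granted, seen = {}, set()
    queue = deque(sorted(parents.get(login, ())))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for ent in group_entitlements.get(group, ()):
            granted.setdefault(ent, group)
        queue.extend(sorted(parents.get(group, ())))
    return granted


def hygiene_findings(groups, group_entitlements, accounts, as_of, stale_days=90):
    """Deterrence: the clean-up list (abandoned logins, orphan logins, superusers)."""
    findings = {"abandoned": set(), "orphan": set(), "superuser": set()}
    for login, (owner, last_logon) in accounts.items():
        if as_of - last_logon > timedelta(days=stale_days):
            findings["abandoned"].add(login)
        if owner is None:
            findings["orphan"].add(login)
        if "AD:*" in effective_entitlements(login, groups, group_entitlements):
            findings["superuser"].add(login)
    return findings


def micro_certifications(before, after, group_entitlements, accounts, sensitive):
    """Detection: diff two snapshots and return (login, entitlement, granting group)
    for every newly gained sensitive entitlement. Each one is a trigger for a review
    now, rather than after months of waiting for the scheduled recertification."""
    triggers = []
    for login in sorted(accounts):
        old = effective_entitlements(login, before, group_entitlements)
        new = effective_entitlements(login, after, group_entitlements)
        for ent in sorted(set(new) - set(old)):
            if ent in sensitive:
                triggers.append((login, ent, new[ent]))
    return triggers


if __name__ == "__main__":
    print(hygiene_findings(GROUPS, GROUP_ENTITLEMENTS, ACCOUNTS, AS_OF))
    print(micro_certifications(GROUPS, GROUPS_LATER, GROUP_ENTITLEMENTS, ACCOUNTS, SENSITIVE))
```

Two things worth noticing when running it. First, carol never appears in Finance-Admins, yet she holds SAP:approve_payment because Finance-Users is nested inside it; that indirect path is exactly what makes people afraid to touch a group. Second, the change in the later snapshot touches no user object at all, only a group, so a review that lists users and their direct groups shows nothing new for erin; only the resolved entitlement diff raises the flag. On a real directory the snapshots would come from the directory and the HR feed rather than literals, and the comparison would run on the monitor's schedule (hours or minutes) instead of the review's.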


Tags: intelligence, deterrence, monitor, analytics, IAM, Milas, breach, Brian, Identity & access management, detection

Extending IAM into the Cloud

Posted by Steve Resnick on Mon, Jul 21, 2014

Your data is everywhere. And so are your applications. In the past, everything resided in the data center, but today data and applications are stored in the cloud, hosted by a partner (MSP), and even running on mobile devices.

Your customers, partners and employees are also everywhere. As a security professional, you need to ensure that the right people have access to the right data and are doing the right things with it. That's where Intelligent Identity Access Management comes in. But in the era of cloud-computing, who knows where the data physically resides? And with users and accounts spread around the globe, how can you ensure the data is being accessed by the right people, according to your policies? Again, that's where Intelligent Identity Access Management is crucial.

If your data were all centrally located and accessed only by individuals and devices that you manage, traditional IAM solutions would work well. But that's probably not the case. You have data in internal and outsourced systems. Some of the outsourced systems may be wholly controlled by your contracts, while others may be shared among thousands of other organizations. And that data is being accessed by employees, partners and customers from their homes, phones and tablets, on planes, trains and automobiles.

From a security perspective, it's imperative to provision, govern and monitor information access wherever that information resides and however it's being accessed, whether those are physically in your IT environment or in the cloud. So what are your options?

Options for Provisioning, Governance and Monitoring in the Cloud

Two obvious questions are "where's my IAM solution?" and "where's my data?" After all, both must reside somewhere and be secured. If we constrain the answers to those questions to "on premise" or "in the cloud", we have four options.

1. Host internally, manage internal applications

Traditional IAM solutions reside on IT managed hardware within an enterprise. They're typically located in a server room where they can be physically controlled by IT. They are configured to manage applications that also reside on servers physically controlled by IT. This is a largely closed system, with the administrative control and the application resources both co-located within IT. It makes security simpler, but in the era of cloud computing, is becoming increasingly rare.

2. Host internally, manage internal and cloud-based applications

As enterprise applications have migrated outside of the data center, the need to manage those applications has fallen to traditional IAM solutions. IAM vendors like Courion have evolved their suites to natively connect to cloud-based systems from an on premise administration point. Existing "connector libraries" have been extended to include connectors to cloud-based systems. These new connectors sit side-by-side with existing on premise connectors and reach out to cloud applications.

This evolution has been largely seamless, as the same architecture used for managing internal resources has been applied to external, cloud-based resources. The protocols change, like using SOAP over HTTP rather than files over SMB, or RESTful web services rather than SOAP, but the architecture and techniques survived.

3. Host in the cloud, manage internal and cloud-based applications

Just as enterprise applications are now hosted in the cloud, there is increasing interest in hosting security systems in the cloud. This lets enterprises focus on their core competencies rather than on running security and identity management infrastructure, while at the same time trading CapEx for OpEx.

Early experiments are promising, with IAM solutions providing tunneling capabilities from cloud-based infrastructure. Tunneling can be through VPNs, reverse proxies or dedicated appliances. Over time, this will likely become the preferred deployment option.

4. Host in the cloud; manage cloud-based applications

If an enterprise has no data in house, then a pure cloud-based solution is ideal. Operating on Office 365 + SalesForce + ADP, a cloud-based IAM solution can effectively provision and govern cloud-based applications. This scenario eliminates the complexity and cost of network tunneling solutions, since everything is natively in the cloud. Here the protocols are rapidly standardizing on RESTful web services, with common token-based security and federation. However, like the all-internal scenario, all-cloud environments are rare.

Hybrid – the viable solution

Of these options, only two are typically feasible, since most organizations have some data on premise and some in the cloud. There are exceptions, like a startup which is native-cloud or in certain government situations, but in general, a hybrid solution is required. Choosing between the 2nd and 3rd option described above, whether you host your IAM solution in the cloud or host it internally, comes down to a deployment choice.

Courion has customers who are doing each. Most run our IAM solution on premise, while some use deployment in the cloud. For cloud deployments, most choose private cloud infrastructure, while some go for public infrastructure. But the predominant approach, even in 2014, is to deploy on premise. This is chiefly because most data still resides locally, so most applications reside locally, tilting the equation to an internally hosted IAM solution. As more enterprise applications migrate to the cloud, the decision to host the Courion suite in the cloud will likely shift.

Unlike enterprise data however, people have already shifted to the cloud. Mobile devices, from phones to tablets, are the norm. Most organizations provide secure access to critical systems on a 7x24 basis, to individuals located on premise and on the go. So parts of your IAM infrastructure must be either in the cloud, or on the edge (DMZ).

Again, Courion solutions are well suited for this shift. The most common security transaction, other than login, is the humble Password Reset. This must be accessible from anywhere and must be very reliable. It's required from the road, at night, on weekends and 2 minutes before the big sales presentation. Courion customers have hosted their password reset infrastructure in the DMZ for exactly this purpose. In addition, the Courion suite is tooled with a clean interface so customers, partners and employees are met with a consumer-grade experience, accessible on their laptop, tablet or phone.

As your data and apps move to the cloud, so do your identity repositories and access control models, as mentioned earlier. Your IAM solution can span both, but it's still advantageous to consolidate identities and provide a more seamless and simple sign on experience for customers, partners and employees. Enter Ping Identity, another cloud app that integrates with Courion solutions. Just as we expanded to cloud apps as they entered the business, a strong partnership allows for seamless integration with Ping to offer federation and SSO capabilities.

Single Sign On (SSO) impacts the decision of where to deploy an IAM solution. While IAM can provision, govern and monitor access applications in cloud-based and on premise environments, SSO systems provide seamless application login and access to the user community. By coupling the flexibility of Courion's industry leading IAM solution with the SSO and federation capabilities of Ping, organizations can manage access across all of their applications. Because both products leverage a common structure with Active Directory, the result is great experience for the end user and a manageable system for IT.


As the computing world shifts to the cloud, with consumer-grade technology leading the enterprise, our customers, partners and employees expect great access to information. As security professionals, our job is to balance "great" access with "secure" access. We make choices every day in choosing the solutions we deploy and the infrastructure on which it resides. Courion is here to help.

Tags: intelligence, cloud, IAM in the cloud, Identity and access intelligence, identity and access management, Identity & access management, partnership, PING