Real vs. Regulatory Risk

Posted by Venkat Rajaji on Thu, Apr 28, 2016

Risk is a word you hear every day and it has become common place across the security industry. What is risk? What does it really mean? And why is it so important? Most importantly, how should we think about the impact of these risks and how we mitigate it?

Risk is composed of Impact x Likelihood.

Impact - The damage caused by the risk, the criticality of the assets, the actual data in the systems, and the liability associated with an audit finding.

Likelihood - The probability that an event will occur. When we think about likelihood we think about usage patterns, access levels for individuals and accounts, and the exposure or vulnerability of such systems.


Within the context of Information Security there are two types of risk that companies face, real risk and regulatory risk.


Regulatory risk is associated with not being compliant with any number of regulations. The penalty might be financial, incarceration, or a drop in stock price if the issues are "material" enough to require reporting. Examples include data privacy and HIPAA compliance in the healthcare industry, SOX compliance for companies in the Financial Services industry, and PCI compliance for retail organizations or anyone else accepting credit cards. What regulatory risk calls for is the implementation of a governance process to ensure compliance.


When you think about real risk, you're thinking about things like customer and consumer data, credit card information, employee data, SSNs, and access to processes like the recent Iranian nuclear processing centrifuges that were hacked into and then stopped and started over and over until they blew up. Here, a governance process is not enough. This is about protection, and the impact is far greater than just a fine: reputational damage, brand image, liability, and other major financial damages will impact the company.


Compliance regulations have helped and have forced companies to put in place governance processes to mitigate some risk. However, this drive for compliance has led to a lot of rubber stamping. Reason being, there is too much data and we don't know what is important and what is just another request. So the compliance checks themselves often don't do enough to protect the companies or their customers.


We need the ability to really understand risk in terms of impact and likelihood. To satisfy regulatory needs and to mitigate real risk, we need solutions that provide context for these risks. Context might be things like access levels, known vulnerabilities in systems, the criticality of business systems, and the data stored in those systems. This helps us better understand our enterprise risk. Done correctly, this automation and intelligence also dramatically improves understanding of how you are actually doing and how that is changing over time (read: actually managing this stuff), efficiency (read: cost savings) and efficacy (real and regulatory risk reduction).


To manage both real and regulatory risk, you need to deter bad touches (inappropriate access) to information and processes. Since motivated bad guys have proven that they can still find creative ways in, you need to detect when that happens, and once you do, you had better figure out how to remediate the issues quickly. The Courion suite of solutions is designed to solve exactly this problem across both the physical (vulnerability management) and logical (access management) worlds.


Looking for more information on how to mitigate both real and regulatory risk? Download Assessing the Risk of Identity and Access to learn how to identify and remediate both your real and regulatory risk. 

Tags: risk management, security risk, cyber risk, risk

Intelligent IAM for Risk Assessment

Posted by Steve Morin - Director, Product Management on Thu, Aug 20, 2015

Welcome to the last installment of our 3-part series exploring how intelligence improves identity and access management, or IAM. In part 1 we looked at how intelligence improves the provisioning portion of IAM. In part 2 we took a look at how intelligence improved the governance portion of IAM. In this segment we look beyond just provisioning and governance to address how intelligent IAM can help to reduce the top 5 most common elements of risk: identity, resources, rights, policy, and activity. 

1. Identity: In part 2 of our series, we discussed how human resources were the most dynamic risk facing security teams today. The reason behind this is that you are constantly managing changing identities. Who are you? What is your role? What do you need access to? These are questions constantly being asked by our system and can equate to hundreds or even thousands of access requests a year. 

With intelligent IAM, all roles are built into the system along with the basic applications that they need access to. For example, when a marketing manager is hired, they are led through the system to request access to their email account, marketing file share folder, and marketing automation software, because those are typical of their role and of their peer group. Requests that fall within the boundaries of their peer group are approved automatically. However, if they want access to, say, the sales folder, they have to request special access. This solution gives the user guidelines rather than the all too common shopping cart approach, where they request items that they don't really need and create a backlog of requests while the approver decides whether they really need that access.

2. Resources: With so many business applications, servers, mobile devices, etc. do you know which assets are critical and must be protected? Do you know which seemingly innocuous applications tie back to a server that needs to be protected?

Governance certifications exist to monitor access to the most sensitive information, applications, and servers. Intelligent IAM governance will not only monitor your most sensitive data, but will send up a flag, or an alert, when a high risk event takes place. When accounts are created outside of the provisioning system or high risk applications are granted outside of a role or peer group they will be flagged as a "critical risk". 

3. Rights: Who really needs access to what? Before intelligent IAM, all provisioning and governance had to be audited to make sure that the right people had the right access to the right things. The issue was that those rights were always changing. Some applications are not as high risk and can be audited on an annual or semi-annual basis. However, other applications are highly critical and must be assessed on a monthly or weekly basis. Doing this manually for all employees would be impossible.

By using intelligence, your IAM system can review rights as needed and ask for re-certification for sensitive applications. For example: an email account can be automatically re-certified each month as long as the employee isn't terminated. However, the payroll system may need a monthly manual re-certification to make sure that only the right people have access.

4. Policy: What business rules must be enforced in your company? What segregation of duties do you rely on? This is another risk taken care of, somewhat automatically, by the assignment of roles within the organization. Segregation of Duties is an easy addition, especially when set initially. Managers should not be able to both post and approve their own time cards, nor should they be able to place and approve a purchase order. Governance certification and approvals as well as segregation of duty assignments will help to mitigate this risk rather easily.

5. Activity: Who is doing what? And when? Visibility into all of your applications and systems is an extremely difficult task and, without an automated system, basically impossible. Much like the alerts sent by your high risk resources, you can use intelligent IAM to see what your users are doing with real-time monitoring and be alerted to any inconsistencies. This real-time look into your system shows you what is happening with approvals as well as risk assessment, and can take away the need for annual or semi-annual auditing. With an automated system you will be able to see sensitive updates monthly, weekly, or as needed, instead of having to wait 6 to 12 months for an audit.

While the idea of an Identity and Analytics system is not new, we believe that the use of intelligence in IAM is revolutionizing the industry. With the use of real-time data and information backed automation systems, you are able to have visibility into your system at any time rather than waiting for an audit. Your decisions will be made based on the most accurate and up to date information.

Want to know more about how Intelligent Identity and Access Management can help you mitigate risk in your organization? Download our eBook, Improving Identity and Access with Intelligence, and learn about: 

- What is Intelligent IAM? 

- Intelligence for Provisioning

- Intelligence for Governance

- Intelligence for Risk 

- And More! 



Tags: risk management, intelligence, cybersecurity, security risk, cyber risk, IAM, cyber security, risk, intelligent IAM, identity, identity and access management, IAI, Identity & access management

CONVERGE 2013 – My, how things have changed!

Posted by Doug Mow on Mon, Jun 10, 2013

Last month, we hosted our annual user conference, CONVERGE, in Atlanta. This year's event, one of the most successful in our history, offered a range of activities, presentations and discussions.

The event kicked off with an address by Courion founder and CEO Chris Zannetos, who spoke about how things have changed since the company's inception 17 years ago. To make the point, Chris was joined onstage by the cicada, an insect that emerges from the earth every 17 years – guess that makes our cicada a teenager! Together they reveled in the advancements in technology that have transpired over the last 17 years, noting the corresponding, ever-increasing need for CIOs to focus on security and risk, which were central themes of the conference.

Richard Clarke, former national security advisor to three U.S. presidents, also addressed attendees on the topic of risk. Touching on his deep experience, Clarke educated the audience on the depth and severity of cyber risk that our public and private sectors face today, whether from cybercrime to hacktivism, espionage to warfare. His message was clear: the threat is real, and it is here today. Companies must be aware and they must be vigilant.

Clarke also met with CISOs, security executives, industry analysts, and business executives who exchanged views on the world of threat, the impact of SoMoClo (social, mobile & cloud computing) on security, and the evolving role of today's top security and IT executives. One imperative that emerged was the need for security executives to engage C-level executives using the language of business in order to effectively participate at the executive and board level.

After CONVERGE concluded, we reviewed attendee evaluation forms and noticed trends in those comments, which we plan to build on for next year’s CONVERGE to be held in New Orleans, the Big Easy. Slated for May 13-16, 2014, our customer conference will not only be bigger and better, but will be focused on the things security executives find most valuable:

  • Separate business and technical tracks offering a range of valuable content
  • Case studies featuring Courion customers
  • Hands-on workshops, including tips & techniques offered by Courion experts
  • Keynotes directly relevant to the challenges businesses face today
  • More ‘birds of a feather’ networking sessions

Of course, we’ll be sure to work in a surprise or two with the goal of making our 2014 event the best ever. If you have any suggestions or recommendations, we’d love to hear them!

Tags: Doug, risk management, Doug Mow, Richard Clarke, IAM, Courion, access risk, Access Risk Management, CONVERGE, CISO

Understanding Risk in Real-Time: Where will your next breach come from?

Posted by Kurt Johnson - VP Strategy on Fri, Jun 07, 2013

While IT security is tasked to find access risk in their organization, much of the time they're not sure what they're looking for -- making this exercise continually frustrating and not terribly effective.

According to Verizon's 2013 Data Breach Investigations Report, three out of four intrusions exploit weak or stolen (but otherwise legitimate) credentials, and another 13 percent result from misuse of information by privileged users. This just validates what most organizations already know: they need better ways to detect the misuse of information systems, and fast. With data spread across multiple environments and the growing demand for accessing information via tablets and mobile, the threat of access risk is a major concern.

So what’s the answer? Harnessing the big data in trillions of access relationships, applying predictive analytics to reveal anomalous activity patterns and serving them up in graphical profiles -- giving organizations just what they need -- a real-time view into potential risk.

Check out this article from Courion VP of Strategy & Corporate Development, Kurt Johnson, highlighting the need for real-time access intelligence as part of a risk-driven approach to identity and access management.

Tags: Kurt Johnson, risk management, IAM, Courion, access risk, risk, breach, access intelligence, big data, IAI

The CISO . . . an Accountant or a Chief Financial Officer?

Posted by Chris Zannetos - CEO on Thu, Jun 06, 2013


As part of CONVERGE, Courion’s 11th annual customer conference held last month in Atlanta, we convened an Executive Forum of 20 CIOs, CTOs, and CISOs along with leading consultants and Courion executives to discuss key strategic issues. In addition to the requisite discussion of the impact of the Cloud and the Consumerization of IT, we discussed the evolving role of the senior IT security executive.

We have held this Executive Forum for several years now. Looking back now, I wish we’d had the foresight to capture these proceedings on video over the years to observe our evolution, much like the famous documentary, Seven Up! which chronicles the lives of fourteen British children in installments every seven years as they age and their world views evolve. If we had, not only would we have seen my hair fade to gray, we would also have seen a significant evolution in the perspective of what it takes for an information security executive to be truly successful.

As the discussion at CONVERGE progressed, I was reminded that the role of CISO is still in its adolescence, much like those British schoolchildren in the early documentaries. There are other organizational roles that have been around a bit longer that perhaps we in the information security world can learn from – like that of the Chief Financial Officer.

My CFO likes to tell the story of a meeting he had with financial auditors to discuss an accounting treatment for a particular transaction. After the review, a young audit associate stated, “Well, that is sort of in the gray area.”  My CFO’s response?  “My entire job is in the gray area!”

As you advance up the chain of command in a financial organization, you are called upon to adopt the more holistic view of a business executive. No longer can you optimize on just one variable  – you must understand the breadth of impact a decision may have on the business as a whole, not only today, but also in the future. Those who do not have the interest or the capacity to do so remain accountants, where the landscape is black and white. It’s a debit or a credit. Accounting rules and guidance dictate what you can and cannot do, and if an action is not addressed by the rules . . . you cannot do it.  While regulations may provide for it, there is no room for interpretation. To do so would disturb the balance of the universe.

In contrast, the CFO needs to focus on the business as an ongoing entity beyond the numbers. His job is to understand, communicate and help manage the financial health of the business.  And the numbers don’t always tell the story – in fact, they sometimes obscure it.

This is the same evolutionary leap that the information security executive must take. In the security world, many act and talk as if the world is black and white. Something is either secure, or it isn’t.

If there is a lesson we should learn from the last few years, it is that compliance does not equal security, and nothing can be 100% secure. A focus only on security obscures visibility of the vitally important issues – and is destined to fail. In Finance, it is the numbers versus the business health. In IT, it is “security” versus “the business risk.”

An IT Security “Accountant” believes he is responsible for ensuring that all is secure and that the business never suffers loss related to the company’s technology infrastructure. An IT Security “CFO” believes he is responsible for ensuring that the business understands the risks it is taking, aligning IT and security spending according to that risk appetite, and delivering the capability to quickly understand and respond when risk changes or an adverse event is realized.

Doing so elevates the Information Security Executive to a role where he is included in, and integral to, business discussions with C level executives. And judging by the conversation during our most recent Executive Forum, leading IT Security Executives are making this intellectual, and in some cases operational, leap. As a result, they are called more frequently into Board Meetings, their companies’ Audit Committees now include members with significant IT experience, and they integrate their work with Enterprise Risk Management efforts.

The opportunity is here today for you to elevate the work of the CISO. Move into the gray area and widen the lens from security to business risk management. Perhaps this is more of an imperative than an opportunity, because if, as a CISO, you do not follow the example of the CFO to become a business force, you may be relegated to the backroom and pulled out only at time of audit – just as an accountant is.

Tags: risk management, IAM, Courion, CZ, identity and access governance, security, Chris Zannetos, CONVERGE, CISO

Context is Everything

Posted by Chris Zannetos - CEO on Wed, Apr 17, 2013

In last month's X-Force Annual Trend and Risk Report, IBM noted that ". . . few innovations have impacted the way the world communicates quite like social media; however, the mass interconnection and constant availability of individuals has introduced new vulnerabilities and caused a fundamental shift in intelligence gathering" by hackers. I can't help but feel some sense of vindication, particularly when talking with my teenagers, whom I have been urging for years to limit the amount of personally identifiable information they share via social media.

In my recent blog "Are you Cyber Secure?," I wrote about how breaches at consumer websites, like recent hacks at LinkedIn, Evernote and Yahoo!, could let hackers access users’ accounts and use their personal information at other websites; or even worse, their place of business. As the IBM report highlights, even without breaches, information shared via social media can come back to haunt companies as well as individuals.

The X-Force report noted that "social media repositories were leveraged for enhanced spear-phishing techniques." The RSA breach in 2011 was a prime example of social media-driven engineering as the first step of an advanced persistent threat attack. Taking the actions I suggested in my blog — managing passwords and personal information with risk in mind — is a good first step; however, this hacking market trend requires companies and security vendors to step up their game.

  • For our customers, the imperative is the continuous and proactive education of staff on the footprints of phishing attempts. Every day we get phishing emails with more and more targeted context, making it hard to believe that these emails are anything other than legitimate. In response, IT organizations need to educate staff aggressively and in real time so they don’t inadvertently open the way for an attack.
  • For vendors, we need to take a page out of the financial service industry’s playbook and start delivering more sophisticated fraud detection-like monitoring capabilities. Banks have learned that they can identify a large percentage of fraud attempts by relentlessly applying context to transactions – context about the person, his or her history and historical activity patterns; context about people who fit a similar profile; context about past fraud patterns. We as industry solution providers need to do the same.

There is a lot of buzz in our industry about security intelligence; however, to date it has been anything but intelligent. The activity and traffic monitors such as SIEM and deep packet inspection products have been looking at streams of information flows without the context to make sense of them. This is a bit like analyzing a baseball game by looking only at the types of pitches and result (hit, walk, out) — without understanding who is pitching, who is up to bat, what their past patterns have been, the ballpark, or the weather. In other words, the "Moneyball" factor has been missing.

The call to arms for those of us in the vendor community is to start delivering context-rich monitoring. No matter how much education our customers provide to users, some phishing attacks will succeed and some breaches will occur that compromise user credentials.

We have to help our customers realize that what may look like a customer or partner or staff member, may not in fact be so. Just because it looks and quacks like a duck, doesn’t mean it is a duck. And only by adding context can we help our customers see that.

Tags: risk management, access risk, CZ, Passwords, data breach, risk, breach, access intelligence, Access Risk Management, data breaches, phishing, social media

How Access Insight Works – A Visual Tour

Posted by Chris Sullivan - VP Product Planning on Mon, Oct 01, 2012

Today we announced how HCR ManorCare is using Courion Access Insight™ software to identify, quantify and manage potential risk of improper access to its systems and resources across 500 health care facilities in 32 states.

In this post, we’ll show you exactly how Access Insight works in any application environment, whether automated or not.

Access Insight analyzes risk associated with user access on a continuous basis, alerting customers to needle-in-the-haystack risks so busy security teams can prioritize remedial action. It portrays risks in graphical profiles – i.e., heat maps. Users can instantly drill down into the billions of data points behind those maps to focus on lines of business, specific data sets such as PHI (Personal Healthcare Information), or specific compliance areas such as PCI (Payment Card Industry) data security compliance. From there, they can weigh the risks to vital assets such as intellectual property and customer information and settle them instantly.

You spot it, investigate it and settle it.

Screenshots (below) from another customer implementation will help us tell the story. Let’s go!

Where’s my risk?

So you’re a CIO or CISO, and you wonder, “Where is my company most at risk for information loss? How much? What type? What can we do about it?”

You log into the Access Insight portal:

[screenshot: Access Insight portal]

The screenshot on the left depicts risk by line of business. The one on the right is risk by a single application you’ve chosen.

Risk is a product of the impact of a potential breach and its likelihood. Impact grades are assigned for each application depending on factors such as the amount of customer information and potential financial loss associated with them. Likelihood is derived by considering the number, size and seriousness of threat vectors, e.g., the number of people with access, their access level, their activity, etc.

Whoa! One application bubble is drifting deeply into the critical area (upper right corner of the first heat map). You click on the bubble and learn what’s driving that risk:

[screenshot: risk drivers for the selected application]

How big is my problem?

You see that orphan accounts and a variety of access issues are the problem. That’s good intelligence, but you need more. You specifically want to know, “How big is my unnecessary access risk problem?”

You click on the Unnecessary Access link and get a lot more information:

[screenshot: Unnecessary Access view]

The upper left window, “Access Rights in Excess of Role,” compares the entitlements people have versus what they should have based on the way you’ve defined their roles. In this window, you see the top 20 employees ranked by the number of rights they have beyond the number assigned for their role. You can further slice and dice this by line of business, location or application.

Note: this is far more informative than a chart of who has the most rights in an organization. This is about who has more access rights than they should. If you see a building maintenance person at the top of the list, that might be reason for concern, even if his or her total number of rights is far lower than an HR executive.

The upper right window, “Abandoned Accounts – Days Unused,” depicts accounts that have gone unused more than 500 days. The longest bar isn’t necessarily the riskiest; it just represents the longest duration. The bars are color coded to reflect a greater or lesser number of access rights (red is bad). You can mouse over any bar for more information.

The bottom window, “Excessive Rights when Compared to Peers,” is for companies that have not yet defined roles with designated sets of access rights. Access Insight calculates virtual roles by departments for you. The chart depicts who has access rights that outstrip their peers in their departments. That’s good information for you to know, and without Access Insight, you’d be hard-pressed to discover it. With Access Insight, it takes no effort. This functionality is embedded the day you turn it on.
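To make the three windows described above concrete, here is an added example (written for this page, not Courion's Access Insight code) that runs the same three checks over constructed entitlement data: rights beyond a defined role, accounts idle for more than 500 days graded by the rights they still carry, and rights beyond a virtual role derived from departmental peers. Role names, users, entitlements, the review date and the 60% peer-share threshold are all assumptions.

```python
"""Unnecessary-access checks over constructed entitlement data.

Example code written for this page; it is not Courion's Access Insight code.
All roles, users, entitlements and last-use dates below are constructed.
"""
from collections import defaultdict
from datetime import date

# Review date for the abandoned-account check (constructed).
AS_OF = date(2012, 10, 1)

# Constructed role definitions: the entitlements each role is expected to hold.
ROLE_ENTITLEMENTS = {
    "marketing": {"email", "marketing-share", "marketing-automation"},
    "facilities": {"email", "badge-system"},
    "hr-exec": {"email", "hris", "payroll", "benefits", "hr-share"},
}

# Constructed accounts: (user, department, role or None, entitlements, last used).
ACCOUNTS = [
    ("alice", "marketing", "marketing",
     {"email", "marketing-share", "marketing-automation"}, date(2012, 9, 28)),
    ("bob", "marketing", "marketing",
     {"email", "marketing-share", "marketing-automation", "sales-share", "crm"}, date(2012, 9, 30)),
    ("carol", "facilities", "facilities",
     {"email", "badge-system", "hris", "payroll", "finance-db"}, date(2012, 9, 29)),
    ("dan", "hr", "hr-exec",
     {"email", "hris", "payroll", "benefits", "hr-share"}, date(2012, 9, 27)),
    ("svc-legacy", "facilities", "facilities",
     {"email", "badge-system", "finance-db", "erp"}, date(2010, 12, 1)),
    ("erin", "hr", None, {"email", "hris", "hr-share"}, date(2012, 9, 25)),
]


def rights_in_excess_of_role(accounts, role_entitlements):
    """'Access Rights in Excess of Role': rank users by how many entitlements they
    hold beyond the set defined for their role. Users with no defined role are
    skipped here; the peer comparison below covers them."""
    ranked = []
    for user, _dept, role, ents, _last in accounts:
        if role is None:
            continue
        excess = ents - role_entitlements[role]
        if excess:
            ranked.append((user, len(excess), sorted(excess)))
    # Most excess first; the excess count matters, not the user's total rights.
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def abandoned_accounts(accounts, as_of=AS_OF, min_days=500):
    """'Abandoned Accounts - Days Unused': accounts idle for more than min_days,
    graded by how many rights the idle account still carries (red is bad)."""
    found = []
    for user, _dept, _role, ents, last in accounts:
        idle = (as_of - last).days
        if idle > min_days:
            grade = "red" if len(ents) >= 4 else "amber" if len(ents) >= 2 else "green"
            found.append((user, idle, len(ents), grade))
    found.sort(key=lambda r: -r[1])  # longest idle first; not necessarily riskiest
    return found


def excess_vs_peers(accounts, min_peer_share=0.6):
    """'Excessive Rights when Compared to Peers': derive a virtual role per
    department from entitlements held by at least min_peer_share of its members,
    then flag whatever each member holds beyond that virtual role."""
    by_dept = defaultdict(list)
    for user, dept, _role, ents, _last in accounts:
        by_dept[dept].append((user, ents))
    flagged = []
    for dept, members in by_dept.items():
        counts = defaultdict(int)
        for _user, ents in members:
            for ent in ents:
                counts[ent] += 1
        virtual_role = {e for e, c in counts.items() if c / len(members) >= min_peer_share}
        for user, ents in members:
            extra = ents - virtual_role
            if extra:
                flagged.append((user, dept, sorted(extra)))
    flagged.sort(key=lambda r: (-len(r[2]), r[0]))
    return flagged


if __name__ == "__main__":
    print("Rights in excess of role:", rights_in_excess_of_role(ACCOUNTS, ROLE_ENTITLEMENTS))
    print("Abandoned accounts:", abandoned_accounts(ACCOUNTS))
    print("Excess vs peers:", excess_vs_peers(ACCOUNTS))
```

Note the caveat the sample data exposes: both facilities members hold "finance-db", so the peer-derived virtual role absorbs it and only the role-based check reports it; peer comparison finds outliers, not entitlements a whole department should not have.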

Settle the risk

Okay, Mr. or Ms. CIO, you’ve identified risks and drilled down into exactly what’s driving them. Now it’s time to settle your risk. Have you noticed this icon on the previous screens?

[screenshot: remediation icon]

Click on the green cross badge in the “Abandoned Accounts - Days Unused” window above, and you get this remediation dashboard:

[screenshot: remediation dashboard]

Here in the table you see the five “offending” accounts, the relevant systems and all the information you might need to take corrective action. As you can see, this dashboard is revealed by selecting “Correct Access” on the dropdown menu to the left. To disable the accounts, simply click the “Settle Risk” button. You could have clicked “Review Access” to initiate a real-time re-certification cycle in our ComplianceCourier™ software. If you did that, the application owner could settle the risk right then and there, rather than waiting six to 12 months for the next scheduled cycle. This is real-time certification and compliance, something many organizations need today.

All of the dropdown options launch a business process. Actions like these are fully automated if you’re using the Courion Access Risk Management Suite or one of the IdM, ticketing or other systems we integrate with. You can alternatively enable the email function to send an automated message to the security team. With the “Correct Controls” option, you can adjust access parameters. For example, you might force accounts to be disabled after 90 days, or passwords to be reset every 60.

Adding on to Access Insight

Access Insight is easily extensible. One of our clients, for example, wanted to integrate access risk data and time data, making it easy for them to investigate this question: “How can we find out whether employees and contractors are improperly accessing files outside their clocked hours?”

[screenshot: abnormal activity dashboard]

That's easy enough. You simply snap timecard information into the data already being tracked, and you can see what files are being accessed and when. Based on the information being accessed and the time, say someone accessed intellectual property data at 3 a.m., that might raise a red flag. The top left window, "Risk of Abnormal Activity for Fileshares," tells the story. Again, it rates risks by impact and likelihood of a breach, with bubble size reflecting the amount of activity on the file set. The upper right window, "Abnormal Activity by User," shows which users are conducting how much after-hours activity. In addition to analyzing this activity by user, you could slice and dice it by division, business unit, department or file share.
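The timecard correlation just described, as an added example written for this page rather than Access Insight's own logic: file-access events are checked against each user's clocked hours, after-hours counts are rolled up per user, and each share is rated by impact x likelihood, where likelihood is the fraction of that share's activity that happened off the clock and total activity is the bubble size. The log format, users, shares, impact grades and timecards are all constructed.

```python
"""After-hours file access correlated with timecard data.

Example code written for this page; it is not Courion's Access Insight code.
The log lines, timecards and impact grades below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed impact grades for file shares (1 = low, 5 = critical).
SHARE_IMPACT = {"public": 1, "finance": 3, "ip-designs": 5}

# Constructed clocked hours: user -> list of (clock_in, clock_out).
TIMECARDS = {
    "ravi.m": [(datetime(2012, 9, 24, 8, 0), datetime(2012, 9, 24, 17, 0))],
    "jo.k": [(datetime(2012, 9, 24, 9, 0), datetime(2012, 9, 24, 18, 0)),
             (datetime(2012, 9, 25, 9, 0), datetime(2012, 9, 25, 18, 0))],
}

# Constructed file-access log, one event per line: timestamp|user|share|operation
ACCESS_LOG = """\
2012-09-24T10:15:00|ravi.m|public|read
2012-09-24T16:40:00|jo.k|finance|read
2012-09-25T03:05:00|ravi.m|ip-designs|read
2012-09-25T03:07:00|ravi.m|ip-designs|copy
2012-09-25T12:00:00|jo.k|ip-designs|read
2012-09-25T22:30:00|jo.k|public|read
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, user, share, operation) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, share, op = line.split("|")
        events.append((datetime.fromisoformat(ts), user, share, op))
    return events


def is_clocked_in(user, ts, timecards):
    """True when ts falls inside any clocked interval for the user.
    A user with no timecard that day is treated as not clocked in."""
    return any(start <= ts <= end for start, end in timecards.get(user, []))


def after_hours_activity(events, timecards):
    """'Abnormal Activity by User': per-user and per-share counts of accesses that
    happened outside clocked hours, plus the offending events themselves."""
    by_user = defaultdict(int)
    by_share = defaultdict(int)
    off_hours = []
    for ts, user, share, op in events:
        if not is_clocked_in(user, ts, timecards):
            by_user[user] += 1
            by_share[share] += 1
            off_hours.append((ts, user, share, op))
    return dict(by_user), dict(by_share), off_hours


def share_risk_profile(events, timecards, impact):
    """'Risk of Abnormal Activity for Fileshares': risk = impact x likelihood, with
    likelihood the fraction of a share's activity that was after hours; the
    activity count is the bubble size. Returns (share, risk, activity), riskiest first."""
    total = defaultdict(int)
    for _ts, _user, share, _op in events:
        total[share] += 1
    _by_user, by_share, _off = after_hours_activity(events, timecards)
    profile = []
    for share, activity in total.items():
        likelihood = by_share.get(share, 0) / activity
        profile.append((share, round(impact[share] * likelihood, 2), activity))
    profile.sort(key=lambda r: -r[1])
    return profile


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    by_user, _by_share, off_hours = after_hours_activity(events, TIMECARDS)
    print("After-hours accesses by user:", by_user)
    for ts, user, share, op in off_hours:
        print(f"  {ts:%Y-%m-%d %H:%M} {user} {op} {share}")
    print("Share risk profile:", share_risk_profile(events, TIMECARDS, SHARE_IMPACT))
```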

Or you could look at the abnormal activity pattern over time:

[screenshot: abnormal activity over time]

This chart displays the historical view for the past five months. Each bar represents the amount of activity, and the color represents the risk. Hmm, looks like we need to chat with Ravi M. about the week of Jan. 15th, when he was supposed to be skiing in Vail!

So we've walked through the process of identifying risk, understanding the risk drivers and settling the risk. All of this intelligence is found in the dangerous gap between the provisioning of access rights and the time you certify they're good – the IAM (identity and access management) gap.

Access Insight is constantly minding that gap by applying predictive analytics to the big data your organization produces around people, roles, rights and resources.

Any questions? Contact us for a closer look.

Tags: risk management, Access Insight, IAM, Courion, access risk, healthcare, access intelligence, identity and access management, Sully, Access Risk Management

What are your 2013 information security and risk management priorities?

Posted by Courion Corporation on Tue, Aug 28, 2012


CISO Executive Network recently conducted a survey of its member CISOs on the topic of 2013 Information Security and Risk Management Priorities. 

They asked members to identify their top five projects or programs for 2013:
1.  Mobile Device Management and Protection  85%
2.  Enterprise Security Risk Management - GRC, Dashboard, Metrics, and Reporting  60%
3.  Data Governance  55%
4.  Identity and Access Management  47%
5.  Regulatory Compliance - Controls Implementation, Testing, Monitoring, and Auditing  45%

Then they asked members to identify the top five technologies they plan to evaluate and/or purchase in 2013:
1.  Mobile Device Management and Protection  58%
2.  Identity and Access Management  44%
3.  Data Loss Prevention  44%
4.  GRC - Dashboard and Reporting  38%
5.  Data Encryption  31%

Do these survey results align with your priorities? Let us know in the comments section below, or on Facebook or Twitter.


Tags: risk management, IAM, governance, access governance, information security, GRC

"Zucking up" Information Security

Posted by Chris Zannetos - CEO on Thu, Jun 07, 2012

Any parent of a teenager should read "Facebook threatens to 'Zuck up' the human race," a recent article by entrepreneur-turned-author Andrew Keen.  In his harsh critique of the age of social media, he argues that "[by] sabotaging what it really means to be human, Facebook is stealing the innocence of our inner lives... [Most] of all, Facebook is destroying our privacy as discrete individuals." Ah-ha! I exclaimed to myself.  I'm not the only Luddite!  I'm not the only one worried about this.

But Keen just touches the tip of the iceberg as far as I am concerned.  As the CEO of an information risk management software company, my concern goes much further -- what will this oversharing mean to those who are trying to protect our energy infrastructure?  Our financial system?  Our credit worthiness?

He brushes against this by referencing a study by Jon Miller, the Director of the University of Michigan’s Institute for Social Research, and Aisha Sultan, a Fellow at the University of Michigan on “Facebook Parenting” in which they report the findings of a decades-long survey of 4,000 middle school children turned adults. Their conclusion:  “We've created a sense of normality about a world where what's private is public. The sense of being entitled to privacy has been devalued.”

When you most recently signed up for an on-line service, what sort of information did they ask from you to enable you to reset your password if you forgot it?  We have gone beyond Mother’s Maiden Name, haven’t we?  But let me ask you…isn’t it information that might be shared somewhere on the Internet?  Your first pet’s name?  The make and model of your first car?  Your father’s home town?   Your high school mascot?

It is not too hard to see this information being on your Facebook page, or the page of those who are your “friends.”  And it’s not just an issue of you posting that you are going on a wonderful vacation or are about to visit your child in college – giving local burglars a tipoff.  We continue to hear from the FBI and others that organized crime and terrorists have been doing long range planning, and are gathering information that may be used decades from now. Information like your pet’s name, your father’s  home town, and your high school mascot will be useful in the future.  As Miller and Sultan state, “there is no delete key for the Internet.”

We cannot expect Facebook or any other social media service to protect our privacy. That is our responsibility. Will there come to pass some miracle, ubiquitous technology to smooth our use of the multiple internet-based services we use, and at the same time strengthen the security of our personal information?  Perhaps.

But so long as we are as careless with our private information as we are today, we are the ones responsible for “Zucking up” our own privacy, and eventually the security of the systems on which we base our economic identity.

Tags: risk management, identity management, CZ, CEO, risk, information security, security

The IAM Gap - Part 2

Posted by Chris Zannetos - CEO on Mon, Jun 04, 2012

In my last blog, I discussed how Identity & Access Management technologies help organizations ensure that the right people have the right access to the right resources, and are doing the right things with that access. To date, vendors have helped customers “get it right at the start” and “verify it later and fix it.”

Access Request and Provisioning enable customers to connect the assignment of appropriate access rights directly to the business actions which drive the need to create, modify or delete those access rights. Access Certification enables customers to identify later if access rights are misaligned with policy or regulations – which then can be fixed.

But there is a gap here. A huge gap. Certification cycles are typically run in 3, 6 or 12 month intervals. Why? Because that’s when auditors check on it. And because business people will not tolerate a daily, weekly or maybe even a monthly access certification review. And during that time between the provisioning action and the periodic access review, there are powerful business, technical, and human forces pushing against that alignment. 

People work around the system. People make mistakes. Managers, unclear what they are attesting to, rubber-stamp certification. Changes to the technology infrastructure result in a ripple effect of unintended and unknown access consequences (like nesting Active Directory groups). Credentials are compromised. The business changes in ways not expected by the provisioning system.  And yes, bad people, inside and outside of your organization, try to penetrate and exploit the infrastructure.

This puts the organization at great – and unknown – risk every day. This gap needs to be filled because, when it comes to access risk, ignorance is not bliss. Filling this gap will ensure that businesses don’t have to wait for the review cycle to fix problems – long after the negative consequences are felt. 

Initial attempts to address the IAM Gap have been crude and ineffective. Regardless of how pretty the knobs, dials and speedometers look on the dashboard, showing which user has access to what application or entitlement does not illustrate risk. Risk to an asset, or of a user, is dependent on the interaction of all elements of access:

  • Who the people are and what they are responsible for (Identity Context)
  • What the business policies and regulations are (Policy)
  • What access rights those people have (Rights)
  • What type of resource they are trying to access (Resource Context)
  • And what they are actually doing with their access (Activity)

Consider this – Just one or two or three elements give an incomplete and, at times, inaccurate view of risk.  If a marketing executive has access to a file share at corporate headquarters, is that high risk?  Okay, let’s start layering in more information:

  • What if we know that half of the finance department also has access to that file share?  (Well, they could be on the Investor Relations team and need that access)
  • What if we know more context about the resource…that there are credit card numbers on that file share? (OK, now we might see a bit more risk…but they could be on the eCommerce Oversight committee)
  • What if we know their activity – that a user accessed and copied a much larger batch of information from this file share than they ever have before…in the middle of the night?  (OK, now I’m getting very concerned)

Hand coding some of this information – such as the “risk level” of an application – in an attempt to incorporate other elements of access creates a false sense of security at best -- and a dangerous delusion at worst. An application that has been hand-coded with a risk level would retain that risk level – even if an administrator nested an Active Directory Group containing thousands of members with the primary Group that was used to authorize access to that application. But the risk would have changed, wouldn’t it?

Customers need a dynamic and real-time system to bring together all elements of access – Identity Context, Policy, Rights, Resource Context and Activity – to enable customers to:

  • Identify and evaluate risk, as all of those elements change
  • Dig deep into the analytics to understand what is actually driving the risk so they can drive immediate remediation
  • Understand the trending of risk over time 
  • Predict future areas of risk to fix the fundamental business process issue and not just the symptom

And they need to see this every day. And they can... every day. This is the promise of Identity & Access Intelligence.
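To make the argument of this post concrete, here is an added example (not Courion's code or product logic) that scores access risk from the five elements named above and contrasts it with a hand-coded static risk level: the marketing executive, the card data on the file share, the unusual night-time copy, and the nested Active Directory group. Every user, group, threshold and weight is constructed for illustration.

```python
# Added example, not Courion's code: risk from Identity Context, Policy, Rights,
# Resource Context and Activity, versus a hand-coded static level. All names,
# thresholds and weights are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Resource:
    name: str
    holds_card_data: bool           # Resource Context
    allowed_departments: frozenset  # Policy: who may legitimately hold access

@dataclass
class Activity:
    bytes_copied: int
    hour: int                       # hour of day, 0-23

def effective_members(group, groups, seen=None):
    """Rights: resolve nested groups to the users who actually hold access."""
    seen = set() if seen is None else seen
    if group in seen:               # tolerate circular nesting
        return set()
    seen.add(group)
    members = set(groups[group]["users"])
    for child in groups[group]["groups"]:
        members |= effective_members(child, groups, seen)
    return members

def access_risk(department, resource, group, groups, activity, baseline_bytes):
    """Impact (resource) x likelihood (exposure, policy fit, activity), 0-10."""
    impact = 8.0 if resource.holds_card_data else 2.0
    exposure = min(len(effective_members(group, groups)) / 1000, 0.5)
    policy = 0.0 if department in resource.allowed_departments else 0.2
    anomaly = 0.2 if activity.bytes_copied > 5 * baseline_bytes else 0.0
    anomaly += 0.1 if activity.hour < 6 or activity.hour >= 22 else 0.0
    return round(impact * min(0.1 + exposure + policy + anomaly, 1.0), 2)

STATIC_RISK_LEVEL = {"HQ-Share": 3}   # hand-coded once, never re-evaluated

def demo():
    share = Resource("HQ-Share", holds_card_data=True,
                     allowed_departments=frozenset({"Finance", "eCommerce"}))
    groups = {"HQ-Share-Readers": {"users": {"m.exec"}, "groups": set()},
              "All-Staff": {"users": {f"u{i}" for i in range(5000)}, "groups": set()}}
    routine = Activity(bytes_copied=20_000, hour=14)
    night_bulk = Activity(bytes_copied=5_000_000, hour=2)
    before = access_risk("Marketing", share, "HQ-Share-Readers", groups, routine, 20_000)
    # An admin nests All-Staff into the readers group: thousands gain access,
    # and the user copies far more than usual at 2 a.m. The static level stays at 3.
    groups["HQ-Share-Readers"]["groups"].add("All-Staff")
    after = access_risk("Marketing", share, "HQ-Share-Readers", groups, night_bulk, 20_000)
    return before, after, STATIC_RISK_LEVEL["HQ-Share"]
```

Running `demo()` shows the dynamic score moving from low to maximal while the hand-coded level never changes, which is the gap the post describes.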


Tags: risk management, IAM, governance, identity management, access governance, access risk, CZ, CEO, access intelligence, identity and access management, Access Risk Management