Real vs. Regulatory Risk

Posted by Venkat Rajaji on Thu, Apr 28, 2016

Risk is a word you hear every day and it has become common place across the security industry. What is risk? What does it really mean? And why is it so important? Most importantly, how should we think about the impact of these risks and how we mitigate it?


Riisk is composed of: Impact x Likelihood. 

Impact- The damage caused by the risk, criticality of the assets, the actual data in the systems, the liability associated with an audit finding

Likelihood - The probability that an event will occur. When we think about likelihood we think about usage patterns, access levels for individuals and accounts,and exposure or vulnerability of such systems.

 

Within the context of Information Security there are two types of risk that companies face, real risk and regulatory risk.

 

Regulatory risk is associated with not being complaint with any number iStock_000026774677_Large_1.jpgof regulations. The penalty for this might be financial penalties, incarceration or a drop in stock prices if said issues are "material" enough to require reporting. For example, compliance within the healthcare industry with data privacy and HIPAA, companies within the Financial Services industry and SOX compliance, or retail organizations or anyone else accepting credit cards who must adhere to PCI compliance. What regulatory risk calls for is the implementation of a governance process for which to ensure compliance.

 

When you think about real risk, you're thinking about things like customer and consumer data, credit card information, employee data, SSNs, and access to processes like the recent Iranian nuclear processing  centrifuges that were hacked into and then stopped and started over and over until they blew up.  Here, governance process is not enough. This is now about protection and the impact is far greater than just a fine. Reputational damage, brand image, liability, and other major financial damages will impact the company.

 

Compliance regulations have helped and have forced companies to put in place governance processes to mitigate some risk. However, this drive for compliance has led to a lot of rubber stamping. Reason being, there is too much data and we don't know what is important and what is just another request. So the compliance checks themselves often don't do enough to protect the companies or their customers.

 

cyber-311111.jpgWe need the ability to really understand risk within the constricts of impact and likelihood. In order to satisfy both regulatory needs and to mitigate against real risk we need solutions that provide context for these risks. Context might be things like access levels, known vulnerabilities to systems, criticality of business systems and the data stored in those systems. This helps us better understand our enterprise risk.  Done correctly, this automation and intelligence also dramatically improves understanding of how you are actually doing and how that is changing over time (read actually managing this stuff), efficiency (read cost savings) and efficacy (real and regulatory risk reduction).

 

To manage both real and regulatory risk, you need to deter bad touches (inappropriate access) to information and processes. Since motivated bad guys have proven that they still might find creative ways in, you need to detect when that happens, and ebook_Assessing_the_Risk.pngonce you do that, you better figure out how to remediate the issues really quickly. The Courion suite of solutions are designed to solve exactly this problem across both the physical (vulnerability management) and logical (access management) worlds.

 

Looking for more information on how to mitigate both real and regulatory risk? Download Assessing the Risk of Identity and Access to learn how to identify and remediate both your real and regulatory risk. 

Tags: risk management, security risk, cyber risk, risk

Intelligent IAM for Risk Assessment

Posted by Steve Morin -Director, Product Management on Thu, Aug 20, 2015

Welcome to the last installment of our 3-part series exploring how intelligence improves identity and access management, or IAM. In part 1 we looked at how intelligence improves the provisioning portion of IAM. In part 2 we took a look at how intelligence improved the governance portion of IAM. In this segment we look beyond just provisioning and governance to address how intelligent IAM can help to reduce the top 5 most common elements of risk: identity, resources, rights, policy, and activity. 

1. Identity: In part 2 of our series, we discussed how human resources were the most dynamic risk facing security teams today. The reason behind this is that you are constantly managing changing identities. Who are you? What is your role? What do you need access to? These are questions constantly being asked by our system and can equate to hundreds or even thousands of access requests a year. 

describe the image
With intelligent IAM, all roles are built into the system along with the basic applications that they need access to. For example, when a marketing manager was hired, they would be led through the system to request access to their email account, marketing file share folder, and marketing automation software because those are typical of their role and inside their peer group. All requests that fall within the boundaries of their peer group they would be automatically approved for. However, if they wanted access to, say the sales folder, they would have to request special access. This solution gives the user guidelines rather than the all too common shopping cart approach where they are requesting items that they don’t really need and creating a backlog of requests while the approver decides if they really need that access.

2. Resources: With so many business applications, servers, mobile devices, etc. do you know which assets are critical and must be protected? Do you know which seemingly innocuous applications tie back to a server that needs to be protected?

Governance certifications exist to monitor access to the most sensitive information, applications, and servers. Intelligent IAM governance will not only monitor your most sensitive data, but will send up a flag, or an alert, when a high risk event takes place. When accounts are created outside of the provisioning system or high risk applications are granted outside of a role or peer group they will be flagged as a "critical risk". 


3. Rights: Who really needs access to what? Before intelligent IAM all provisioning and governance had to be audited to make sure that the right people had the right access to the right things. The issue was that those rights were always changing. Some applications are not as high risk and can be audited on an annual or semi-annual basis. However, there are other applications that are highly critical and must be assessed on a monthly or weekly basis. Doing this manually for all employees would be impossible. 207H

By using intelligence, your IAM system can review rights as needed and ask for re-certification for sensitive applications. For example: an email account can be automatically re-certified each month as long as the employee isn't terminated. However, the payroll system may need a monthly manual re-certification to make sure that only the right people have access.

4. Policy: What business rules must be enforced in your company? What segregation of duties do you rely on? This is another risk taken care of, somewhat automatically, by the assignment of roles within the organization. Segregation of Duties is an easy addition, especially when set initially. Managers should not be able to both post and approve their own time cards, nor should they be able to place and approve a purchase order. Governance certification and approvals as well as segregation of duty assignments will help to mitigate this risk rather easily.

time 273857 12805. Activity: Who is doing what? And when? Visibility into all of your applications and systems is an extremely difficult task and without an automated system is basically impossible. Much like with the alerts sent by your high risk resources, you can use intelligent IAM to see what your users are doing with real time monitoring and be alerted to any inconsistencies. This real time look into your system shows you what is happening with approvals as well as risk assessment and can take away the need for annual or semi-annual auditing. With an automated system you will be able to see sensitive updates monthly, weekly, or as needed instead of having to wait 6 to 12 months for an audit.


While the idea of an Identity and Analytics system is not new, we believe that the use of intelligence in IAM is revolutionizing the industry. With the use of real-time data and information backed automation systems, you are able to have visibility into your system at any time rather than waiting for an audit. Your decisions will be made based on the most accurate and up to date information.

Want to know more about how Intelligent Identity and Access Management can help you mitigate risk in your organization? Download our eBook, Improving Identity and Access with Intelligence, and learn about: 

- What is Intelligent IAM? 

- Intelligence for Provisioning

- Intelligence for Governance

- Intelligence for Risk 

- And More! 

         describe the image        


 
 

Tags: risk management, intelligence, cybersecurity, security risk, cyber risk, IAM, cyber security, risk, intelligent IAM, identity, identity and access management, IAI, Identity & access management