Essential or Nice to Have?

When packing for a trip there are usually two categories of things to take: the essentials and the nice to haves.  It’s easy to understand why the essentials must go in.

iamaware™ is an essential for every organization with one or more automated identity and access management (IAM) solutions.  In the past, if you looked for IAM usage, productivity reports and metrics around different solutions that collectively provided identity and access management functions, there was no single stop for delivery of this information.  And on the operational front, there were solutions that looked for stopped processes or log file errors.  But when it came to applying IAM specific intelligence to alert on gaps between expected results and actual results, especially across different product sets, these tools drew a blank.  Going through disparate sources manually was the norm.  Until now.  With iamaware™ we address not only the need for an IAM specific dashboard but also, most importantly, a single console from where managers and administrators can holistically view their IAM systems in real time or over a period of time.

Let us look at a real life example as we try and understand what iamaware™ brings to the table. Company X has an automated identity and access provisioning solution implemented in the enterprise.  Daily feeds from HR and other source systems result in user account provisioning and policy based access setting on SOX audited platforms and applications, including the Active Directory.  Like all systems there are good days and not so good days! A monitoring solution may alert administrators when processes stop or failures are recorded in log files within individual solution sets.  However, there is no mechanism that proactively alerts administrators if there is a sudden change in the number of provisioning requests being processed or if there appears to be a sudden increase in the number of tickets generated around self-password resets.  The first time an anomaly is detected could well be when there is a management level escalation or on a user’s first day at work when login to resources is denied. Or worse still it could be when auditors poking through the system find a bunch of terminated users still assigned privileged accesses that were never removed.  Managers requiring reports on consolidated IAM metrics may have to pull reports from the different products and analyze and collate them manually.  And this is just on the identity provisioning front.  The list would grow exponentially if I were to add identity assurance, federation, single sign on, privileged identity management…You get the picture, right?  

This is where iamaware™ comes into the fray.  We designed it to view IAM not as a bunch of different products delivering silos of features, but as a single pane of glass from where you can view the entire solution, irrespective of the number of disparate, unintegrated products you might choose to throw into the mix.  We do not expect you to pledge allegiance to a single vendor or family of products to meet all your IAM needs.  We work with what you have to deliver what we know you need.  Essential or nice to have? Definitely an essential; one that absolutely needs to be packed into your suitcase when embarking on an IAM journey.

For more information check out: www.youtube.com/watch?v=5209Q4Y0YM4

We’d be happy to provide a live demonstration of iamaware™ in action.

 

Getting Past "The Way We Have Always Done It"

Change is hard.  There is no getting around it.  How often is adoption of a better way of doing things blocked because people do not want to step out of their comfort zone and would rather wait for a catastrophic event to jog them into action? Every one of us has at some time or the other taken the easier road, knowing that the other, possibly better option, requires more work and a level of risk that we are leery of taking.

Information security offers some great illustrative examples of this attitude. 

An Information Security team was looking to roll out a multifactor authentication solution for a business critical application.  The goal was to have users (under certain high risk conditions) answer security questions or enter an authorization code sent to their cell phones.  Since the initiative was launched as a result of audit findings, the assumption was that it would be easy to push through.  Wrong assumption, as it turns out.  While everyone agreed on the vulnerability, any attempt to address it was strongly rebuffed.  The application administrators were adamant that they were too swamped dealing with day to day operations to find the bandwidth or resources to roll out anything new, even if it meant better security controls.  The business felt that users would be confused if they were asked to do anything more than entering a username and password.  The Information Security team was unable to translate the very real risks identified in the audit reports into something that got executive backing. Management did not want to upset the applecart; the application belonged to the organization’s largest revenue generation division. Final outcome: everything remained in its far from ideal status quo until the threat was realized and the application was hacked.  At this point a huge amount of time and money was spent on finger pointing and tactical fixing!

Sound familiar?  To find out what kind of person you are, read the case study below and answer the questions that follow:

Customers commonly raise the following issues when discussing identity and access management solutions:

  • Disparate islands of identity and access management solutions distributed within the organizational enterprise, each with its own silo of features and underlying technologies

  • No mechanism to proactively identify issues in the infrastructure or applications; users have to call in before administrators become aware of inability to login, failed accesses etc.

  • Solving issues requires going to multiple documents, vendor websites, logging into different consoles and it all takes a lot of time and effort

  • Business teams see these solutions as an overhead that slows everything down, rather than an enabler, so getting additional resources or solutions is almost impossible

Solution ABC offers a collective dashboard view of the entire identity and access environment to allow for proactive management.  It is definitely the first of its kind and you are part of a team that is evaluating its value.

  1. As an operational administrator that manages the IAM infrastructure, would you prefer to see IAM servers where CPU, memory and storage are maxing out:

    a. Before they crash so you can address the problems?

    b. After the crash, so everyone acknowledges your ability to fight fires?

  2. As a security administrator would you like to:

    a. Be forewarned of a growing number of attacks on your web proxies?

    b. Bury your head in the sand and wait for the fateful call that you have been hacked?

  3. As a manager of these solutions would you rather:

    a. Have comprehensive reports that quantify the productivity of your teams?

    b. Set everyone scrambling through logs and audit trails and burn the midnight oil collating everything, when management requests justification?

  4. In general do you think it’s better:

    a. To identify the need for additional servers and resources based on metrics and trends?

    b. Wait till your solutions grind to a halt so it is amply clear that you need more resources?

If you selected a majority of Option “a”s you are the kind of person who typically looks for ways to solve problems proactively and you are not deterred by the lack of existing solutions or processes.  You will most likely recommend purchasing Solution ABC.

If you chose more of the Option “b”s, then you are more of a reactive person who likes to wait for problems to occur. You also enjoy the spotlight and pressure that comes when fighting fires.  Solution ABC would not be high on your radar of things to buy.

While it may seem reasonable to take the less disruptive approach now and again, it is important to avoid making a habit of it.  My consistent advice when faced with something new is to weigh the value/risk the solution brings against the weight of the problem set being addressed.  Make decisions based on strategic outcomes rather than pesky short term irritants. Anything new brings with it the need for education and new ways of doing things.  But if longer term it increases efficiency and optimizes people’s time then make the hard decision and go for change.

P.S: If you like the sound of Solution ABC, check out the following video: https://www.youtube.com/watch?v=5209Q4Y0YM4&ab_channel=PontisResearch,Inc.

The More You Spill The More They Know

During a typical work week, I cursorily glance at the news feeds on the social media sites where I have accounts.   The goal is to get a quick update on how colleagues, family and friends are doing and what new pictures or articles have been posted.  Come the holidays, I have more time on my hands, and often find myself trolling through the very same sites, checking out posts in far greater detail. 

A few days ago, while sipping my tea and reviewing what my connections had to say, I noticed a very large number of links, with tantalizing offers: “Find Out What Your Name Really Means”, “How Creative are You”, “What Do Your Friends Think About You”…  Needless to say I clicked on a few.  Every one of the apps that I drilled down to seemed way too nosy.  For example, why would you need to know my date of birth if you are telling me what my name means?  What is the relationship between how many children I have and what my friends think of me?  There wasn’t even an attempt at subtlety or obfuscation; if I chose not to provide a completely unrelated piece of information, I could not proceed.

So what is the objective?  Every time you take one of these quizzes and share results on Facebook or Twitter or wherever else, there is most likely a wealth of information about you and the people you share this information with being thrown into a data bank or multiple data banks distributed all around the globe.  With the advances in data analysis software, the earlier obstacles of cost and time are no longer significant; personal profiles coupled with behavioral patterns can be put together very quickly and are worth their weight in gold to advertisers and organizations looking to develop lists of potential customers.

I do not believe it’s possible to protect yourself from providing any information that helps identify you, or completely throttle the avalanche of targeted information sent your way.  So what are some of the things you can do to protect your identity and yourself in this inevitably changing landscape?

  1. Invest in a few good ad blockers and keep them updated.

  2. Make sure your malware and virus detection solutions are routinely patched and up to date. 

  3. If someone asks you for information that does not appear to relate to the task at hand, question the need for this information, and if you feel uncomfortable with their response, look for other options or providers.

  4. Avoid common passwords across your fun sites and sites where you have assets.

  5. Take reasonable precautions to avoid identity theft.

If you use social media sites to routinely communicate where you are, comment on posts you like, recommend vendors you like, expect to be profiled; the more information you share the greater the chances of being targeted for attention.  Expecting security and privacy controls to magically shroud you in an invisibility cloak is completely unrealistic.  At the end of the day, the responsibility for managing the balance between communication, convenience and security lies in each individual’s court.  So to all my readers my advice for 2016:  Share Wisely and Stay Vigilant

The Smart Approach to Compliance

Contrary to common belief, when it comes to the basic model of information security not much has changed in a very long time. In a nutshell, People (or programs initiated by people from a device) need access to Data (information) exposed via Applications hosted on Infrastructure connected via Networks. Information Security wraps the environment and:

  • Ensures that People are who they say they are and have the authority to request the information they are asking for.
  • Protects the data both at rest and as it travels through the network.
  • Routinely monitors the environment including applications, infrastructure and the network for vulnerabilities and alerts appropriate individuals or systems when there is a problem.

An organization looking to address its regulatory and compliance gaps should start by looking at its security strategy and in the absence of one, spend some time developing it. Cutting corners and wading directly into solving tactical issues to meet auditors’ needs will more than likely result in lurching mindlessly through an ever changing morass of false alarms, contradicting advice from pundits and analysts and overall industry misinformation.  Is it any wonder that in such cases security teams start randomly throwing different products and solutions that address immediate problems, into an already wildly overflowing shopping cart?

A senior security manager in an organization told me that as part of an identity and access management initiative in his organization, he had purchased solutions for identity management, privileged identity management, web access management, and monitoring, picking tools based on analyst recommendations on best of breed. He then spent the next few years, sorting through his technology arsenal, with countless resources and a lot of service dollars, in a futile attempt to integrate these technologies to give him a semblance of what he needed.  Needless to say requirements changed with passing time and he was always chasing a moving target.  Finally, out of frustration at the complete lack of delivery, the entire program was canned.  The next attempt at a solution consisted of turning it all over to a group of third party cloud vendors. When I last got an update they were still there redefining the organization’s problem space to match their offerings, much to the dismay of the above mentioned security manager!  And believe me his story is just the latest in a long line of similar stories I get to hear.

Technology vendors and consulting companies are aggressively competing with each other selling security offerings; in organizations where there is little to no oversight or overarching plan, divisions and departments end up buying disparate solutions to solve similar problems.  The net result is multiple technologies and tools getting deployed in the same environment, with overlapping functionality, stepping on each other’s toes and giving rise to a whole new set of issues. Buying different security solutions and hoping some combination of them will magically integrate and address gaps in compliance is misplaced optimism.

The point of this rant is simple – merely by taking a step back and starting with a strategy you can exponentially raise your chance of success. Working methodically through a plan you can optimally leverage your technology investments and solutions to meet more than just one tactical need. In the process you will save not just money on software and services but also get much closer to protecting your organizational assets and achieving compliance goals, all the while maintaining control of your journey.  And if that is not the ultimate goal, I need to get back to the roses I was tending earlier today.

FTC v Wyndham – Is Data Security a Fair Business Practice?

http://www.scmagazine.com/third-circuit-upholds-lower-court-decision-in-ftc-case-against-wyndham/article/434522/

A federal appeals court ruled on August 24, 2015 that the Federal Trade Commission has the authority to enforce cybersecurity standards. In FTC v. Wyndham, the agency sued Wyndham hotels after the company exposed financial data of hundreds of thousands of customers. The cornerstone of Wyndham’s case was that the FTC lacked authority to enforce security standards, but the court upheld FTC’s position. Wyndham lawyers then appealed to the U.S. Court of Appeals for the Third Circuit which in turn upheld the decision of the lower court.

For organizations still dragging their heels over improving their security posture, the addition of data security and consumer privacy to the FTC’s remit should be a warning signal.  It was interesting to read that in the initial complaint the FTC stated that Wyndham between 2008 and 2010 had:

  • failed to use readily available security measures, such as firewalls;

  • stored credit card information in clear text;

  • failed to implement reasonable information security procedures prior to connecting local computer networks to corporate-level networks;

  • failed to address known security vulnerabilities on servers;

  • left default user names and passwords for access to servers;

  • failed to require employees to use complex user IDs and passwords to access company servers;

  • failed to inventory computers to appropriately manage the network;

  • failed to maintain reasonable security measures to monitor unauthorized computer access;

  • failed to conduct security investigations;

  • failed to reasonably limit third-party access to company networks and computers.

The list of failings that an organization can be dinged for has only grown since then.  Key reasons for this are the exponential growth of mobile and the increasing need to secure hybrid environments, with resources and applications being in data centers, internally hosted or in the cloud.  It’s easy to focus on one specific area but throw in the others and try and get a holistic view and all the models of the past are useless. 

The time has finally come for companies to take stock.  No longer are security controls and solutions “nice to haves” that can keep moving into next year’s budget.  The days when doing the bare minimum was enough are over.  Accountability is going to need more than a good PR/marketing department and knee jerk investments to mollify impacted users and the general public.

For those of you who have read my earlier ramblings, you might remember that a few months ago I stated that the true victims of a security breach were the users whose data was stolen.  At the time I hoped that someday there would be regulations enacted and enforced to make organizations far more accountable.  It seems to me that the court ruling a few weeks back is a start and we are slowly but surely getting there. Who says I am not an optimist..?

 

To Customize or Not to Customize?

I routinely get to work on requests from organizations looking to solve security problems. Usually they ask for “Security Swiss Army Knives” that deliver everything even remotely connected with the subject, out of the box or with minimal configuration, but NO customization. Customization has suddenly become the Big Bad Wolf in the security story.

My view on this subject is simple: No security product, irrespective of how omniscient the vendor might be, can meet every organizational requirement thrown at it. While default policies and configurable settings may "almost" meet most requirements, if you manage a mid-size to large organization, chances are you will need some tweaking to meet your needs and technical expectations.

A decade ago, I was the lead architect on an identity management solution for a manufacturing company with hundreds of thousands of users distributed across the globe. We had deployed an automated solution using a well-known, off the shelf product, and were rather triumphant at the level of success. Everyone was happy with how the solution worked.  As part of transitioning off the project we were asked to train a third party organization that was taking over day to day operational support. Someone within the third party organization suggested to our customer that the solution contained a large amount of customization and was therefore complex and difficult to support. In the flash of an eye, a technical guru from the product vendor and I were summoned to company headquarters to justify the extent of configuration and customization. A few hours into the “justification workshop” it became very clear to the organizational managers that what had been dubbed as “customization” was nothing more than organizational workflow sequences for user onboarding, approvals and implementation of application policies. Things got a lot better from then on and what started out as a very tense standoff became a congenial exchange of information.

When it comes to security solutions that impact people, applications, data stores, data itself and the underlying infrastructure on which everything runs, there is very rarely a one size fits all product solution that can meet an organization’s entire requirement set. Custom policies, workflows and extensions will most often be required to integrate with, and work seamlessly across, the environment. The only possible exceptions are organizations which allow the product vendors or vendor appointed consultants to drive their requirements; wherein “you tell me what your product does and I will decide whether I want that feature or not!”   In all the years I have worked in this business, I have yet to see one of those solutions scale and pan out well over the medium to long term.

Depending on the skills of the architect and the implementation team the amount of customization and the complexity of the solution can be kept in check. And that is really what differentiates an implementation that is perceived to be successful versus one that is seen to have gone wrong. Both will, in all likelihood, include fairly extensive configuration and customization. It’s the management of expectations, management of solution complexity and extent of support staff training that makes all the difference.  

So next time you hear someone tell you that they have just the product that can deliver every one of your well thought through security requirements with no customization, you can either go with the snake oil, ask for more details, or based on my advice look further for more realistic options.

Vinita Bhushan

When Business & Security Priorities Align Everybody Wins

There is a sudden uptick in webinars and discussion panels where C-level executives talk about their experience rolling out security strategies within their organizations. I decided to weigh in with some of the most common approaches I have seen organizations adopt:

  • Act when Something Happens

Some organizations clearly assume the reactive approach to security.  Even if they agree that this is not the ideal approach, their argument centers around the fact that security is not a priority, rather an overhead that does not in any meaningful way bolster the bottom line.  So security spending is strictly limited to being need based.  Obvious counter arguments exist; however one can only assume that an environment with minimal adherence to compliance standards, tight budgets and a distinct lack of security awareness is the root cause for this point of view.  Organizations that adopt this model are very low on the security maturity model ladder.

  • Best Practice Roadmap

In this case an organization looks to analysts or vendors to provide a “best practice” roadmap for its industry.  Armed with this roadmap, the organization’s current implementation is measured against recommendations, and gaps identified.  These gaps then proceed to be filled based on budgets, priorities determined by pundits, and the ability to justify security wants cogently.  This type of organization will possibly do better than the first type; however the security strategy is driven by generic industry trends and focuses rather than by the organization’s own needs.  The general outcome here again tends to be unpredictable: hit or miss.

  • Align with the Business

The key issue in the previous model is that the gap analysis is performed in a silo with a myopic security centric view.  Business goals and objectives are not taken into consideration when determining priorities.  Misaligned priorities often result in duplication rather than optimization. A far better option is one where there is synergy between business and security initiatives.  The security roadmap is aligned with the business roadmap ensuring that priorities stay in synch and any solution rolled out by the business is integrated with appropriate security controls and governance from the ground up.  Such an approach allows the organization to keep up with business trends while at the same time protecting its brand image and complying with security standards, optimally and cost effectively.

To illustrate the differences in the models let’s consider a common organizational requirement today and see how it plays out:

 The Digital Strategies (DS) business team of XYZ Corp (may belong to any industry vertical) identifies the need to offer its consumers easy access to its products and resources.  In order to achieve this objective the team decides to offer consumers an organizational portal from where they can access authorized content using a range of supported devices.  

If XYZ Corp has an “Act when something happens” outlook the DS team would develop the solution in isolation, with scant regard to security principles.  Everything would appear under control until a security incident occurred.  At this time retrofitting security controls would be unavoidably expensive, technically challenging and worst of all performed under extreme management pressure (resulting possibly from unwanted publicity and loss of brand credibility).  The outcome would not be ideal.  Finally the reorganization of all associated teams, (which almost always follows such a crisis), would only exacerbate the situation and add a dimension of organizational politics to the mix!

If XYZ Corp is a “Best Practice Roadmap” organization, much the same as above, the DS team would do its own design and development, decoupled from any initiatives being pursued by the Security team.  It’s unlikely Security is working on what they need when they need it. Cross initiative recognition may only occur if one solution inadvertently breaks as a result of the other, the outcome being just as unpleasant and unproductive as in the “act when something happens” case.

Coming to the third model; here both the DS team and the Security team work collaboratively from the start.  The Security team understands the objectives of the DS initiatives and the resulting design includes features such as secure authentication, single sign on, authorization and data access to support the solution. From the DS side there is awareness of the catalog of available security services that could be leveraged rather than duplicated.  If gaps exist in security services required, the Security team can justify its needs and typically have a much smoother path to getting requisite resources and budgets allocated to the initiative.  I hardly need to explain why it is easier to get funding for mobile or single sign on security solutions when they are associated with a concrete business initiative that calls for them, than if they were independently lobbied for! 

If you consider security to be a journey, carrying a roadmap and a strategy to handle common challenges or obstacles goes a long way in being prepared and reducing risks from a security perspective. Aligning the security roadmap with your organization’s business initiatives and objectives makes the journey productive and worthwhile as well for the organization as a whole.  Isn’t that the whole point?

 

Vinita Bhushan

Securing Your Identity

 

One of the downsides of being a security consultant is that I can never stop noticing (and subconsciously assessing) the risks that people inadvertently expose themselves to as they go about their normal lives.

Here are some examples, from just the last few months:

I was at my financial institution, waiting in line.  A few feet away a bank employee and a customer were jointly filling out some sort of query on a credit card transaction.  I heard the customer’s first and last names, contact phone numbers, credit card type and number and a raft of other bits and pieces that put together would allow me to search for additional details from well-known sources, thereby allowing me to put together a complete profile of this person.  Did the customer recognize this?  Probably not! Should the bank employee have been a bit more sensitive to the issue and suggested a less public spot? Definitely, but that would need the bank employee to be aware of the potential issue.

At the gas station I regularly see receipts from previous purchases stuck in the machine’s receipt collector or floating on the ground.  While there are more sophisticated scams and easier methods to collate personal information, carelessly leaving receipts around is not a good practice.

On a long transatlantic flight very recently I had a ringside view of a passenger logging in to various secure sites using credentials he was reading off a file he had open on his laptop.  For ease of reading he had the font size on the file ramped up, so with very little effort it was possible to pick up site name, his user id for that site and password.  Despite not really focusing on what he was doing I noticed that he was reviewing a bunch of documents that were clearly marked “Confidential”, presumably containing information not meant for curious co-passengers.

On the positive side, it seems to me like there is a vast improvement in awareness of all things security related and the importance of identity protection.  However the issue is whether this awareness translates into people recognizing the problem holistically, and limiting the risks they take with their actions  or merely doing a few things here and there that in themselves are incomplete.

To illustrate my point:

I know someone who owns a shredder and assiduously shreds all junk mail or papers with her name and address.  This she told me keeps anyone going through her trash from picking up personal data.  But she is also an inveterate online shopper, loves the convenience it offers and blithely ignores all security warnings when accessing content on online websites.  Her rationale is that she needs to see everything displayed on a web page, before making a purchase!  She politely heard me out as I talked of malware and Trojans but I doubt anything changed with that conversation.

Another acquaintance told me he never uses his Facebook or other social media credentials when logging into websites, for fear his password will be stolen.  Even after I explained to him that social media logins do not provide passwords to the sites using them for authentication, he appeared unconvinced.  And yet this same individual has his passport number, date of issue, date of expiry and a few other choice bits and pieces from an identity perspective stored on his phone and only at my insistence did he finally put a password on it. 

And there are countless more stories I could tell you…

What we are talking about is synonymous with the home owner who leaves doors and windows open, with valuables in full view, and then laments their loss.  Identities have value and we need to secure them, even if it means sacrificing convenience. Every one of us is ultimately the owner of our identity and personal information.  Identity thieves and hackers are getting a hold of this information only when we leave it lying around, inadvertently share it in public places or entrust it with organizations that do not merit this responsibility. We need to take this responsibility seriously and even if it introduces an overhead, recognize that it is in our best interest to safeguard our identity.  When it comes to organizations that store our data we need to petition and raise our concerns within our communities and in our government to put in place standards and controls that protect personal information.  It’s no longer something we can glance at in the news or something that happens to others, the threat is now in our own backyard and we need to mitigate risks or pay the price.

Shared Identities Are Back!

The last few weeks, I have been immersed in the topic of privileged identity management (PIM).  One aspect of a typical PIM solution got me thinking. 

In the old days generic administrative accounts that could not be tied to users were anathema. They required identity and password sharing between multiple administrators and audit trails were useless when it came to identifying who actually performed a specific action. 

To address the generic/shared ID problem, best practice was to assign administrators a “standard” account for normal activities and “admin” variations with elevated privileges for everything else. While everyone recognized there was a proliferation of identities resulting from this approach, there were few options. To work around the inconvenience of juggling multiple accounts, administrators rarely (read never) used their “standard” accounts. They just always stayed logged in with whichever account had maximum privileges. I distinctly remember a story from our days of penetration testing. My team and I were conducting a security evaluation at a large financial organization. Soon after the project kickoff, an Active Directory administrator took a member of our team to his office to set up accounts that would allow hands-on review of the security controls in place. Soon after he unlocked his desktop, he received a phone call. Completely distracted by the content of the call, he walked out of his office, leaving my colleague staring at a computer with an active session. Given it was a penetration test, my colleague took this opportunity to check things out and it took just a few keystrokes to discover that this administrator was logged in with an account with very elevated privileges. The keys of the kingdom were left unguarded for many minutes. We recorded the violation and presented it during the final presentation of findings. Interestingly, even though everyone agreed it was not ideal, the security folks were OK with calling this a medium lapse because in their opinion at least the audit trails could be used to make him accountable!

Today there are many security products that are designed to address the issues of privileged identity management and the wheel has turned again. Most products offer the ability for administrators to check out accounts with elevated privileges, perform the activities they need to and then check them back in, at which point the passwords are automatically changed. Additionally, solutions can be configured such that administrators can single sign-on with these elevated accounts to required target platforms or applications, thereby ensuring that they do not even need to see the passwords associated with the privileged accounts. The identity of the administrator checking out the account, the length of time for which the account was checked out and the check-in time are all audited as part of normal functionality. Given this, the assignment of an “admin” account per administrator adds little or no value and on the flip side contributes to the proliferation of identities that have to be managed.

So what’s best practice now? My recommendation, if you are implementing a PIM solution, is to configure a shared pool of administrative accounts per target within your solution. You can then set a consistent access policy that applies to all accounts within this pool. Administrators can log in with a standard organizational account, only needing to check out a privileged account from the shared pool when they need it. If required, the number of identities in the shared pool can be adjusted based on usage. Audit trails will ensure you know who checked out an account, and the whole problem of accountability is addressed while still controlling the number of identities users have to juggle. You might get some push back from the diehards who always want to leave things as they are, but it’s good to see that some things are definitely getting better!
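The check-out, check-in and audit flow described above can be sketched as follows. This is an added example, not code from any PIM product or from the original post; the class, the account names and the assumption that sessions are brokered so the password is never shown to the administrator are all hypothetical.

```python
import secrets
from datetime import datetime, timezone


class SharedPool:
    """Shared pool of privileged accounts for one target system."""

    def __init__(self, target, account_names, entitled_admins):
        self.target = target
        self.entitled = set(entitled_admins)   # one policy for the whole pool
        self.holder = {name: None for name in account_names}
        self.password = {name: secrets.token_urlsafe(24) for name in account_names}
        self.audit = []                        # append-only audit trail

    def _log(self, when, event, admin, account=None):
        self.audit.append({"time": when, "event": event, "admin": admin,
                           "account": account, "target": self.target})

    def check_out(self, admin, now=None):
        """Lend a free privileged account to an entitled standard account."""
        now = now or datetime.now(timezone.utc)
        if admin not in self.entitled:
            self._log(now, "denied", admin)
            raise PermissionError(f"{admin} is not entitled to {self.target}")
        for name, held_by in self.holder.items():
            if held_by is None:
                self.holder[name] = admin
                self._log(now, "check_out", admin, name)
                # Only the account name is returned: the session is assumed to
                # be brokered (single sign-on), so the password is never shown.
                return name
        self._log(now, "pool_exhausted", admin)
        raise RuntimeError("no free account; pool size may need adjusting")

    def check_in(self, admin, name, now=None):
        """Return the account and rotate its password immediately."""
        now = now or datetime.now(timezone.utc)
        if self.holder.get(name) != admin:
            raise PermissionError(f"{name} is not checked out to {admin}")
        self.holder[name] = None
        self.password[name] = secrets.token_urlsafe(24)
        self._log(now, "check_in", admin, name)

    def who_held(self, name, at):
        """Audit query: which person held shared account `name` at time `at`?"""
        person = None
        for entry in self.audit:               # entries are in time order
            if entry["account"] == name and entry["time"] <= at:
                person = entry["admin"] if entry["event"] == "check_out" else None
        return person
```

The `pool_exhausted` events in the audit trail are the usage signal for resizing the pool, and `who_held` is the accountability question that a generic shared ID could never answer.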

Losing Your Identity

With the Anthem breach at the forefront of everyone's mind, I have been thinking about who really loses the most when user data is stolen. The media headlines call it the Zappos or Target or Home Depot, or JP Morgan or Sony or Anthem (wow, this is a long list) breach; however, who is the biggest loser? For the breached organizations, the cost of offering identity protection services for twelve months for breached victims and performing some short term security fixes to mollify shareholders and the public, along with managing a few months of brand notoriety, is often par for the course! Soon earnings go back to where they were; consumers have been shown to have short memories, and with attractive prices and easy to use websites they come right back.

The real loser in this breach is you or I, the person whose data was actually lifted during the breach. If identity coupled with credit card information is sold, the data is worth four to five US dollars; but throw in healthcare information, which includes your social security number, primary physician info, medical records etc., and now you are talking of hundreds of dollars per user record, with no time or location constraints for the data to be used and/or misused.

Despite being the victim, this is no time for a pity party.  You are ultimately responsible for protecting yourself.  Stolen user information can be used to open fraudulent bank accounts, make false health claims, take out loans, and commit crimes, to name just a few possibilities, with no time or geographic boundaries. More than the average Joe, you now need to keep an eagle eye on your bank and credit card accounts, watch for unaccounted withdrawals or purchases, set yourself up to be alerted on credit checks made on you, sign up for identity protection services and going forward stay vigilant for the unknown, because someone out there can assume your identity and do something completely unexpected.  Not to say this could not happen to anyone, but just like a smoker has a higher chance of lung cancer the odds are stacked a bit more heavily against you.

Given the slew of security breaches, I think it’s time consumer protection agencies start ramping up the identity protection standards that organizations must sign up to with regard to storage of user data. Ease of use must be balanced by privacy considerations. While a user may be signed into a website faster if their information is unencrypted, that should not drive organizations to store passwords in the clear. Just putting out terms and conditions that most of us never read does not absolve an organization of its responsibilities to us. Also, in the event of a breach, organizations must be fined and the fines must be significant enough to be deterrents to continuing callousness.

We as consumers must become more aware of the risks posed and recognize that our personal information is something valuable.  We need to make wise choices when sharing information, always keeping our security posture in mind. The next time you read of a sizeable hack, don’t imagine that the organization that has been breached is the victim; the true losers are we the consumers.  Unless we do something about it this trend is not going to get any better. We need to demand controls and better security, for after all what is at stake is our identity, and that is what makes us who we are.

Vinita Bhushan 

Pragmatism is the key to good security

When I started working in Information Security, standards in place primarily focused on Department of Defense considerations.  Mandatory Access Control (MAC) with policies built around data classification levels was the order of the day.  Fast forward to the present and now information security for commercial organizations is far more aligned with the principles of Discretionary Access Control (DAC), wherein accesses are largely managed by data owners.  While the swing to the DAC model is easily understood, what is important here is to figure out what guidelines should be provided to data owners and application teams when setting up security controls.

Unfortunately, guidelines can range drastically between paranoid and downright lax. Oftentimes even two security consultants will find it hard to agree on what is acceptable security. So here is a checklist I have put together for securing a typical application or website; hopefully it will help you navigate through obviously murky waters and define your own level of "reasonable" security.

1. Identify who will access the application or website

Start by figuring out the types of users who will access the application or website and the data it manages.  Are they employees, consultants, consumers, business partners, vendors or distributors?  If your application is managed offsite, factor in managed service administrators.

2. Classify Application Criticality

Every organization has a hierarchy of criticality when it comes to applications, websites and data. Assign a security value to your application or website, from 1 to 10, where “1” is least critical and “10” is most critical. For example, an application that supports online sales of your organization’s primary product should definitely rank higher than one that provides consumers with general information about your organization.

3. Categorize User Groups and Accesses

For each group of users that needs to access the application or website, identify the different types of access required. For example, if it’s a website which exposes information about your organization's products, employees might be allowed to view and modify information on products yet to be released. Consumers may only be allowed view access once the product is released, whereas distributors might need view access and the ability to order samples just prior to release. This would suggest three categories of users, with different levels of access.

4. Define Access Controls & Access Control Policies

This step is very important for applications that are categorized as level 4 or above. How will users be authenticated by the application or website? Once authenticated, how will authorization levels be determined? Do mobile users pose a greater risk? Should the geolocation from which a user’s request originates affect the data provided? Once the user is accessing the application or the website, are appropriate fine-grained controls in place to ensure appropriate access?

5. Define Audit & Monitoring Controls

How will you determine who accessed what and from where? Define policies for identifying anomalous behavior patterns and acting upon them. Would you like alerts generated if a user with access to sensitive data changes normal access hours?

6. Develop an Incident Management Plan

Despite the best controls, be pragmatic.  There is no guarantee that your application or website will not be breached.  Put together a plan for handling a security event, assessing losses and reacting appropriately.  Often tactical decisions made under time and management pressure result in greater exposure than the original incident itself.  Ensure that everyone responsible for administering the application or website is familiar with their role in handling the incident.

7. Augment Disaster Recovery Plan

Disasters can come in different shapes and forms.  A security incident could wipe out or corrupt your data sources and your website.  Ensure that your DR plan takes into account such a scenario and offers instructions for recovery in a timely manner. 
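The alert asked about in step 5, a user with access to sensitive data changing normal access hours, can be prototyped over an access log as below. This is an added example and not part of the original post; the log format, user names, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: timestamp, user, source address, resource.
BASELINE_LOG = """\
2015-03-02T09:05:11 jsmith 10.0.0.12 /payroll/report
2015-03-02T13:40:02 jsmith 10.0.0.12 /payroll/report
2015-03-03T10:15:45 jsmith 10.0.0.12 /payroll/export
2015-03-03T16:55:30 jsmith 10.0.0.12 /payroll/report
2015-03-04T17:20:09 jsmith 10.0.0.12 /payroll/report
2015-03-02T22:10:00 nightop 10.0.0.40 /payroll/backup
2015-03-02T23:45:00 nightop 10.0.0.40 /payroll/backup
2015-03-03T00:30:00 nightop 10.0.0.40 /payroll/backup
2015-03-03T01:15:00 nightop 10.0.0.40 /payroll/backup
2015-03-04T02:05:00 nightop 10.0.0.40 /payroll/backup
"""
# Constructed new activity to evaluate against the baseline.
NEW_LOG = """\
2015-03-09T18:02:00 jsmith 10.0.0.12 /payroll/report
2015-03-10T03:12:00 jsmith 192.0.2.77 /payroll/export
2015-03-10T03:00:00 nightop 10.0.0.40 /payroll/backup
2015-03-10T14:00:00 nightop 10.0.0.40 /payroll/export
2015-03-10T03:30:00 guest 10.0.0.99 /products/list
2015-03-10T11:00:00 newhire 10.0.0.51 /payroll/report
"""


def parse(log):
    """Yield (datetime, user, source, resource) from whitespace-separated lines."""
    for line in log.strip().splitlines():
        stamp, user, source, resource = line.split()
        yield datetime.fromisoformat(stamp), user, source, resource


def hour_gap(a, b):
    """Distance between two hours of day on a 24-hour circle (23 vs 0 is 1)."""
    d = abs(a - b)
    return min(d, 24 - d)


def usual_hours(log):
    """Baseline: the hours of day at which each user was seen."""
    hours = defaultdict(set)
    for when, user, _, _ in parse(log):
        hours[user].add(when.hour)
    return hours


def off_hours_alerts(baseline, log, sensitive_users, tolerance=1, min_hours=3):
    """Flag sensitive-data users who access outside their usual hours."""
    alerts = []
    for when, user, source, resource in parse(log):
        if user not in sensitive_users:
            continue
        seen = baseline.get(user, set())
        if len(seen) < min_hours:
            reason = "no baseline yet"
        elif min(hour_gap(when.hour, h) for h in seen) > tolerance:
            reason = "outside usual hours"
        else:
            continue
        alerts.append((user, when.isoformat(), source, resource, reason))
    return alerts
```

Each alert carries the who, what and from-where that step 5 asks for. Measuring hours on a 24-hour circle keeps a night-shift operator's 03:00 access from being flagged while the same operator's 14:00 access is.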

As I have said in almost every one of my posts, security is no longer just a checklist item.  The threat landscape is constantly evolving and you need to stay abreast of vulnerabilities.  So once you are done with everything above and have deployed it in all environments, add periodic security health checks to your operational todo list and then sit awhile and rest.  That is until the first alert comes your way!

Vinita Bhushan

Mobile Security - A whole new ball game?

Mobile applications are flooding the device marketplace and users are downloading them for infotainment, as well as personal and work-related access to resources. In order to leverage this mobile wave, organizations are jumping on the bandwagon to get products and services out to market quickly. In everyone's great haste to get applications into App Stores, it seems that security controls have fallen by the wayside. A Gartner post from September 15, 2014 states that by 2015 a staggering 75% of mobile applications will fail the most basic security tests. See original post.

Risks introduced through mobile usage include:

  • Stolen devices

  • Malware

  • Device/Application vulnerabilities

  • Social engineering/user behavior

  • Phishing

  • Spam...to name just a few!

In the midst of all this madness, what should an organization do to ensure that it provides its employees and consumers the best possible mobile experience while at the same time managing the substantially increased risk to its brand IP and organizational data? Here are some suggestions:

1.    Start with developing a mobile security strategy that considers the different target audiences - consumers, other businesses and employees. If required, develop three different strategies for the three different categories.

2.    Within each category define application risk levels based on target audience and content.

3.    Develop guidelines and standards for application development enforced through static and dynamic vulnerability scanning prior to deployment. Develop processes and controls for application testing and deployment.

4.    Implement strong authentication and authorization mechanisms that can be raised or lowered depending on risks posed by geo location, device, and type of transaction.

5.    Implement monitoring, keeping in mind that analytics are mandatory to sift through the vast amount of audit information that will typically be collected.

6.    And last but not least have an organization wide incident management plan to address situations which can occur despite all the governance and controls that are in place.

It's all pretty new and there are plenty of products that claim to solve the problem; however, a holistic solution that begins with a strategy, incorporates people, processes and technology and, most importantly, allows for rapid changes as devices evolve and hackers get more sophisticated has the greatest probability of success.

Vinita Bhushan

IAM for Consumers, Vendors and Partners

As a part of brand outreach and cloud initiatives, many of our clients are making available to their consumers, vendors and partners, applications that offer product information and services.  From a security perspective this requires them to either manage these users internally, or support federated access from external organizations. They also have to take into account the expectations of end users, who demand ease of use and general accessibility from multiple devices and locations.  In short, exposing applications to external users brings a unique set of security challenges that must be weighed against revenue opportunities and potential cost savings.

Over the years Pontis has built numerous solutions to effectively manage internal and external users for large organizations.  In the past the focus was always first on management of internal users to meet regulatory compliance needs, followed by external user management solutions; today the tables are turned.   Now we see the enabling of secure business models as the key driver for building an Identity, Access and Role Management framework. 

Consider the typical example of an organization which is looking to build an external user management solution:

The organization has a large number of end users who need appropriate access to one or more applications, which may be internal or cloud hosted. To manage administration loads, the organization may choose to allow its vendors and partners to administer their own users, which entails the need to support a delegated administration model. A small subset of applications may already have been made available to end users, using disparate approaches and technologies, resulting in silos with inconsistent security standards and user experiences. Ensuring minimal impact to these applications, as well as to third party applications that are not within the control of the client, brings in another multi-dimensional set of requirements.

External user management in the above example would, from a business perspective, look to break apart the silos, with a view to offering a consistent interface that would make available additional capabilities to end users and increase the revenue opportunity for the organization as a whole. External user management from a security perspective would be a critical component of managing the organization’s security posture by minimizing the risks of opening the previously internally managed resources and making them available to external users.

When brought in to work on these projects by our clients we, at Pontis, look at requirements from different levels. Some of it is typical identity and access management: identifying who is requesting access, their associated authorization levels, and providing an auditable trail of what they did. But there are additional security considerations; users expect to access resources from a plethora of devices and from different locations with differing levels of security. With appropriate context and risk analysis systems in place, we help clients monitor access patterns and identify anomalies. For instance, a known end user logging in from a registered device may be presented a simple authentication challenge, whereas the same user logging in from an unregistered mobile phone, or a location well outside of their typical usage pattern, would be presented with “step-up authentication”. The same would be done for a user requesting to perform a higher value transaction than is typical. The complexity of rules and policies and the number of controls to be supported is far greater than in traditional IAM solutions. Migration strategies and strategies to “white label” legacy or third party hosted applications to conform to the new model bring in their own set of challenges. For it all to work seamlessly and as expected, processes must be clearly defined and thought through so they optimally leverage the sophisticated security technologies available in the marketplace.
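The step-up decision described above (registered device, usual location, typical transaction value) can be expressed as a small policy function. This is an added example, not Pontis code or any product's API; the profile fields, the 500 km radius, the three-sigma rule and the sample coordinates are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass
class Profile:
    """What the (hypothetical) risk engine knows about one end user."""
    registered_devices: set = field(default_factory=set)
    usual_locations: list = field(default_factory=list)   # (lat, lon) pairs
    past_amounts: list = field(default_factory=list)      # transaction values


@dataclass
class Request:
    device_id: str
    location: tuple          # (lat, lon) derived from the request
    amount: float = 0.0      # 0 means a plain login, no transaction


def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def required_auth(profile, req, max_km=500, sigmas=3, min_history=5):
    """Return ("simple" | "step-up", reasons). Thresholds are assumed values."""
    reasons = []
    if req.device_id not in profile.registered_devices:
        reasons.append("unregistered device")
    # all() over an empty list is True, so a user with no known locations
    # is treated as being outside the usual pattern (fails safe).
    if all(km_between(req.location, loc) > max_km for loc in profile.usual_locations):
        reasons.append("unusual location")
    if req.amount > 0:
        history = profile.past_amounts
        if len(history) < min_history:
            reasons.append("no transaction history")
        else:
            avg = mean(history)
            # Floor the spread so identical past amounts do not make every
            # slightly larger transaction look anomalous.
            spread = max(pstdev(history), 0.05 * avg)
            if req.amount > avg + sigmas * spread:
                reasons.append("atypical transaction value")
    return ("step-up" if reasons else "simple", reasons)
```

Returning the reasons alongside the decision lets the same call feed the audit trail and the anomaly monitoring mentioned in the paragraph above.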

In conclusion, deciding to open up traditional network perimeters and providing access to resources that were until now tightly controlled requires addressing a new set of identity and access management challenges and a different security methodology to anything used up until now. By bringing in experienced consultants you can reduce the learning curve and some of the risk of making rookie mistakes; however, the ultimate success of an external user management project, like all security projects, is totally reliant on the vision of the organization and its readiness to invest in long term governance and well defined security controls.

Scott Swegles