
A panel of four industry aficionados discuss how organisations can protect themselves in this new age of security dangers, as well as how Identity and Access Management (IAM) can play a crucial role.
“The vast majority of threats come from within the organisation, and the damage done by an internal attack significantly outweighs external threats”
-Joe Baguley
BM. IAM has evolved significantly in recent years in line with the threat environment. What security advantages does a strong ID and access management solution offer?
Paul Heiden. When it comes to information security, companies basically need to care about two issues: ensuring continuity, which is making sure people can work; and controlling access to prevent unwanted access. Identity management helps to control the process of user management that determines, first, which users are to access your information and, second, consolidates user information that will help to provide and revoke their access. Many of the available solutions synchronise user data over systems. A really useful solution, on the other hand, would help organisations to start controlling access in a more structural (i.e. preventive) manner. This type of solution, generally referred to as 'Enterprise Authorisation Management' solutions, enables organisations to prevent and tackle threats that come from unauthorised access; provide business with impact analysis of changes like reorganisations or acquisitions on access; and reduce the total costs for compliance.
Robert Grapes. The security benefits are (in no particular order):
Kurt Johnson. The bottom line for most businesses today is that they want to ensure that the right people have the right access to the right resources and are doing the right things with it. This includes setting up access in line with policy, managing changes as users' jobs change, and turning access off when they leave. IAM delivers on that principle, giving companies the assurance that only authorised individuals have the appropriate level of access to mission-critical systems, which reduces the potential that sensitive data, or other corporate assets, are compromised and fall into the wrong hands.
Joe Baguley. Standards have also evolved significantly, and the strongest IAM solutions are those that use these standards to secure the widest range of systems, applications, and platforms. For example, Microsoft Active Directory is considered an extremely secure and scalable directory service because it uses the Kerberos standard for authentication. The best IAM solution today would not attempt to duplicate this capability on a non-Windows system; rather, it would extend the existing data in Active Directory to systems that do not natively benefit from this standard.
BM. In what ways has the changing nature of the threats driven the industry's response?
JB. The vast majority of threats come from within the organisation, and the damage done by an internal attack significantly outweighs external threats. In response, vendors are developing advanced technologies to address the entire scope of the identity lifecycle. If an organisation uses a consolidated policy and consistent practices to control provisioning, re-provisioning, and de-provisioning across all systems and applications, many of the internal security holes can be plugged. It is also possible to improve security by centralising authentication and role-based authorisation as well as expanding it to weaker systems.
KJ. It used to be that everyone was worried primarily about outsiders hacking their way into the organisation. While that's still a major concern, customers are also becoming increasingly concerned about the threat posed by insiders acting in ways they shouldn't, whether it's malicious or unintended. Organisations need more than just strong password policies and other traditional approaches to security; they must also be able to monitor and manage the access rights and activity of users.
We believe that coupling identity and access management solutions with data loss prevention (DLP) and security incident and event management (SIEM) solutions will be essential if managers are to be able to respond quickly when they uncover activities which are inconsistent with security policy or industry best practices. For example, when a DLP tool locates sensitive data, quickly determining who has access to that data and what role they play in the organisation is essential to determining the appropriate course of action. Finally, the emergence of industry-specific mandates and government regulations has meant that companies require integrated compliance management and reporting capabilities so they can demonstrate they are addressing these areas of concern.
PH. Until recently, the answer to unauthorised access was primarily compliance driven. Tooling like VAAU (now SUN, now Oracle perhaps), Eurekify (now CA), Aveksa or Sailpoint were specifically designed to support the detective controls that are part of the yearly audit effort. Significant fraud cases, like the one at Société Générale, clearly showed the shortcomings of this type of solution. Instead of controlling and adjusting your access rights when things have gone wrong, it makes more sense to prevent unauthorised access in the first place. Not only because of the direct damages involved, but also because even the slightest rumour of fraud may seriously endanger the company's position in today's very nervous markets.
RG. The threats have changed because of the industry's response. As we bolster our defences and introduce new technology, the attackers look for new weaknesses. The security of our systems is a continually evolving effort, and we will be challenged to maintain our security as new architectures and operating environments evolve, like virtualisation and cloud computing.
BM. Effective access governance ensures that users have access rights only to information resources needed to do their job and appropriate to their role within the organisation, and that these access rights do not violate compliance regulations. How is the industry responding to help companies to achieve sustainable, effective access governance?
RG. The effort towards the creation of a single authoritative source of role information is being supported by several solution vendors. In the past, and still today, most products include their own RBAC mechanisms. By delivering role management tools it will be possible for applications to externalise their RBAC policy decisions and afford the deploying organisation significant reductions in administrative overhead.
PH. By introducing the concept of Enterprise Authorisation Management, organisations are now able to make the crucial step from detective controls (often referred to as attestation or recertification) to preventive controls. This ability provides short-term relief, as it ensures that users will not get incompatible access rights and will not get access to sensitive information, unless all relevant conditions are fulfilled. But there is also a long-term value. Preventive controls are really the foundation to optimise the processes that determine access to information:
JB. The industry is responding in many ways. First, organisations are being encouraged to delegate elevated privilege access as opposed to issuing the 'keys to the kingdom' to any administrator who might need them. Second, the industry is recommending that an audit and forensics-ready logging capability should be added to that delegation. And third, the industry is advising that access be based on well-established and controlled roles that are held in a centralised directory, as opposed to being created ad-hoc across the enterprise. By following these practices, the principles of access governance can be supported.
KJ. Access governance involves the process and collaboration necessary for the proper definition of access policy and defining which roles that access applies to. We have always felt that it was essential to incorporate policy, such as segregation of duties, within the IAM architecture. This is why we created a connector that enables us to define policy and evaluate proposed provisioning activity in the context of policy. We've also enabled policy to be described in business terms which can then map to IT enforcement of that policy.
Role management is an essential component of access governance, since it provides the best way to align the organisation's hierarchy with IT accounts and access rights. Properly defined roles ensure that user access rights are consistent with policy, which improves security and reduces provisioning time and effort. Another benefit of role management is that changes in business needs can be quickly reflected in changes to business roles, which then rapidly translate into changes in access rights.
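The preventive, policy-aware provisioning check described above, as an added illustration that is not the product of any panellist's company: constructed sample roles and segregation-of-duties (SoD) rules, with a request evaluated against policy before access is granted and an "explain" function that gives the proof-of-control answer (which role justifies an entitlement).

```python
"""Preventive SoD check over a proposed provisioning request (added example).
Roles, entitlements and rules below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed sample: business roles mapped to the IT entitlements they carry.
ROLE_ENTITLEMENTS = {
    "AP_Clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "AP_Approver": {"erp:approve_payment"},
    "Auditor": {"erp:read_ledger"},
}

# SoD rules stated in business terms: the two entitlements must never coexist on one user.
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment", "vendor creation vs payment approval"),
    ("erp:enter_invoice", "erp:approve_payment", "invoice entry vs payment approval"),
]


@dataclass
class Decision:
    allowed: bool
    violations: list = field(default_factory=list)   # human-readable rule names hit
    granted: set = field(default_factory=set)         # entitlements after the decision


def entitlements_for(roles):
    """Flatten a set of roles into the entitlements they grant."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))


def evaluate_request(current_roles, requested_role):
    """Preventive control: allow the new role only if the resulting
    entitlement set breaks no SoD rule; otherwise keep access unchanged."""
    if requested_role not in ROLE_ENTITLEMENTS:
        raise KeyError(f"unknown role: {requested_role}")
    current = set(current_roles)
    resulting = entitlements_for(current | {requested_role})
    violations = [why for a, b, why in SOD_RULES if a in resulting and b in resulting]
    if violations:
        return Decision(False, violations, entitlements_for(current))
    return Decision(True, [], resulting)


def explain_access(roles, entitlement):
    """Proof of control: which of the user's roles justify an entitlement.
    An empty list means the access cannot be explained by policy."""
    return sorted(r for r in roles if entitlement in ROLE_ENTITLEMENTS[r])
```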
BM. In today's highly regulated business environment, auditing and compliance are becoming increasingly important, especially when the consequences of non-compliance could result in jail time. How should companies go about ensuring continuous and sustainable compliance while at the same time reducing audit costs?
PH. Most tooling currently available has really been designed to automate parts of the audit effort. These tools help to execute detective controls, and to find and remediate violations - very comparable to taking inventory in a warehouse. This tooling for recertification or attestation may contribute to reducing the direct costs related to compliance, but is not a structural solution. Taking inventory well does help the auditor, but does not prevent violations from happening.
Preventive control is the sole effective contribution to compliance. It will change the emphasis in audit from taking inventory towards the proof of control. With preventive controls in place, you can always explain why a certain user has certain access rights: it is the result of the rules being preventively enforced.
RG. Companies should look for commonality across all of the compliance legislation that they fall under to reduce duplication of effort and perhaps competing approaches. They should work with their audit teams to understand what is to be measured and how it is to be measured to ensure the appropriate controls and mechanisms are in place. To sustain their efforts they should look to automate whatever they can and do so with security in mind.
JB. The key to a successful and cost-effective audit is to ensure that organisations can easily gather required information from the fewest number of places. For example, if the information and access logs in 1000 Unix servers can be consolidated into Active Directory, a single auditing tool - optimised for use with Active Directory - can quickly and accurately gather all of the necessary data to prove both Unix and Windows compliance. The bottom line is: if you want to make your compliance efforts simple and cost-effective, you must reduce the number of places to audit, as well as automate data collection.
KJ. The best way to do this is to provide managers with the user experience to validate and attest, on either a scheduled or ad hoc basis, that the access rights of the users within their purview are consistent with the requirements of their job functions and enterprise policy. The ability to quickly and easily compile a report on-demand, using a point-and-click interface, ensures a high degree of compliance, while at the same time, greatly reducing the time, effort - and therefore, the cost - of providing this information to the organisation.
BM. How are your products and services aiding organisations with IAM?
KJ. Courion has been recognised by both Gartner and Burton Group as a leading provider of IAM solutions to organisations of all sizes worldwide. We provide our customers with a very flexible, integrated suite of products that were developed internally, not as the result of cobbling together a bunch of acquisitions. These include role management, user provisioning, password management, and compliance reporting. One outcome of our 'start-anywhere' approach is that Courion has developed a reputation for flexibility that allows our customers to address their most pressing point of pain. Our Connector Framework architecture now supports more than 160 separate enterprise connectors to a very heterogeneous range of systems, including operating systems, networks, directories, databases, middleware, and enterprise applications. We also offer the capability to connect to custom applications. Finally, since Courion is 100 percent dedicated to IAM, our professional services expertise is second to none.
PH. Organisations that use BHOLD are 'in control'. They prevent violations, they prevent fraud, and they prevent disaster. BHOLD provides software for organisations in each maturity phase, from detective to preventive control to responsive information management and helps organisations to control access rights, decrease total costs for compliance and reduce risks. BHOLD has been pioneering this area for more than 10 years and is considered by analysts the most mature and well developed player in the field of EAM.
RG. Cloakware's Password Authority delivers secure Privileged Account Management, as a sub-category of an overall IAM project, for the elimination of hard-coded passwords known by developers and the elimination of shared account passwords known by administrators.
JB. The Quest One Identity Solution empowers organisations to simplify identity and access management by reducing the number of identities and directories that must be managed. It strengthens user authentication and authorisation, as well as automating administration tasks. Quest One does all of this without requiring additional infrastructure or expensive, cumbersome identity synchronisation technologies. Whenever possible, Quest One bases authentication, authorisation, administration, and compliance on an organisation's existing investment in Active Directory. And those systems that cannot participate as 'full citizens' in Active Directory are augmented with Active Directory-enabled functionality such as single sign-on and role-based authorisation.
The panel:
Paul Heiden is the founder of BHOLD.
Robert Grapes is Chief Technologist for Cloakware's Datacenter Solutions business.
Kurt Johnson is Vice President of Corporate Development at Courion.
Joe Baguley is European CTO at Quest Software.