Friday, August 17

Policing the Power of Identity

I borrowed the title of this post from NetVision's visionary CEO. You may start hearing it more from us in months to come. I previously discussed some of the steps involved in an identity audit project life cycle and I also discussed the value of living a lifestyle of compliance. Now, adding to those concepts, I'm going to attempt to boil it down to a few real-world customer challenges.

The Internal Threat
Most of us have seen the stats that tell us that much of the risk associated with organizational information technology breaches comes from inside the firewall. And a huge portion of that internal threat comes from our privileged users. These are the very people to whom we have purposely granted elevated rights: system administrators, DBAs and application owners. Most are not bad people. I believe that the number of incidents is high among this group not because there's a high rate of criminals in it -- it's driven more by mere convenience or opportunity. Anybody who has access to multiple system databases will occasionally come across a batch of data that looks interesting. And since we're allowed to access that database, why not look around? Not only is it not a crime; we have been specifically granted access by management to view that information. When it comes to information about people -- like salary data, net worth, health info and other juicy information -- sometimes it's just too tempting not to look. ...and maybe too tempting not to share. ...and if, for work purposes, some or all of that data is downloaded to non-production systems or even a personal laptop, it becomes very difficult to protect, because non-production environments are not secured as well as production systems. They often use default or shared passwords, limited access control, etc. As a consultant, I was often restricted from access to my customers' production systems, but few thought twice about giving me access to the non-production systems. And many of my customers used production data in their development or testing systems.

Identity Audit Business Drivers
Identity audits seem to be driven by two forces: compliance and risk management (security). Compliance may be driven by governmental or external regulations, or it may be internal policies. And even if there are no compliance requirements, the goal of identity audit is often just to mitigate risk (which is ultimately the driver behind the regulations). Over the past decade, I have experienced the emergence of Identity Management as its own industry, and organizations have sought out and realized the business benefits promised by Identity Management systems. What has been left unanswered is whether the identity controls being put in place are doing what they're supposed to do. When IT auditors ask for proof of this, IdM system owners have limited options. If they're lucky, they can provide a report of the logs created by the IdM system itself, but that doesn't include actions that occur outside of the IdM system (an administrator adding a member to a group directly in the directory, for example). They may be able to pull logs from individual systems, but the job of cross-referencing and correlating data across logs, or finding specific incidents, becomes extremely daunting. So, the challenge presented to identity audit solutions is ultimately to reduce organizational risk (and thereby achieve compliance) by providing state-based reporting and real-time monitoring of identity systems.

Internal Affairs for IT
In tackling the identity audit issue, the first place to look is often the privileged user community. The identity audit solution really does two things: (1) protects the organization against the internal threat and (2) protects the privileged users from unwarranted suspicion in the event of a system breach, because the record shows what they did and did not do. By tracking events like new user creation and group membership changes, you're able to see who, what, when, where and how -- which means that the post-event forensic work becomes a much simpler process. And you can go further by reversing changes that occur against policy. This means that policy compliance is not only reported upon automatically, but it can be enforced via automation as well. The identity audit solution becomes an internal affairs system for the organization, protecting it against the misuse of properly granted permissions. And in turn, it facilitates the investigation and sometimes even prevention of a breach event.
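As an added illustration of the monitor-and-reverse idea above (example code written for this page, not NetVision's product or any real directory), the script below runs a small policy over a constructed batch of identity events. Group names, account names, channel names and the change window are all assumptions chosen for the example. Each event carries the who/what/when/where/how fields; events that break a rule (change to a sensitive group outside a sanctioned channel, without a change ticket, a self-grant, or an interactive change outside the window) become findings, and each finding carries the action that would undo it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample events (not from any real directory). Each record carries
# the who (actor), what (action/target/subject), when (time), where (host) and
# how (via, ticket) that a post-event investigation asks for.
EVENTS: List[Dict] = [
    {"time": "2007-08-17T02:14:00Z", "actor": "svc_idm", "action": "add_member",
     "target": "Domain Admins", "subject": "jdoe", "host": "dc01",
     "via": "idm_connector", "ticket": "CHG-1042"},
    {"time": "2007-08-17T14:05:00Z", "actor": "bsmith", "action": "add_member",
     "target": "Domain Admins", "subject": "bsmith", "host": "ws-bsmith",
     "via": "ldap_direct", "ticket": None},
    {"time": "2007-08-17T14:07:00Z", "actor": "bsmith", "action": "create_user",
     "target": "backup_adm", "subject": "backup_adm", "host": "ws-bsmith",
     "via": "ldap_direct", "ticket": None},
    {"time": "2007-08-17T09:30:00Z", "actor": "ops_admin1", "action": "remove_member",
     "target": "HR-Payroll-Readers", "subject": "contractor7", "host": "dc01",
     "via": "admin_console", "ticket": "CHG-1050"},
    {"time": "2007-08-17T23:10:00Z", "actor": "ops_admin1", "action": "add_member",
     "target": "HR-Payroll-Readers", "subject": "ops_admin1", "host": "dc02",
     "via": "admin_console", "ticket": None},
]

# Hypothetical policy; the names and values are assumptions for the example.
POLICY = {
    "sensitive_groups": {"Domain Admins", "HR-Payroll-Readers"},
    "approved_via": {"idm_connector", "admin_console"},  # sanctioned change paths
    "change_window_utc": (8, 18),  # interactive changes expected 08:00-18:00 UTC
}

@dataclass
class Finding:
    event: Dict
    reasons: List[str]
    remediation: Dict  # the reversing action an enforcement hook would issue

def _hour_utc(ts: str) -> int:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).hour

def evaluate(event: Dict, policy: Dict) -> List[str]:
    """Return the policy rules this event violates (empty list if compliant)."""
    reasons = []
    is_group_change = event["action"] in ("add_member", "remove_member")
    sensitive = is_group_change and event["target"] in policy["sensitive_groups"]
    if sensitive or event["action"] == "create_user":
        if event["via"] not in policy["approved_via"]:
            reasons.append("unapproved channel: %s" % event["via"])
        if event["ticket"] is None:
            reasons.append("no change ticket")
    if sensitive and event["action"] == "add_member" and event["actor"] == event["subject"]:
        reasons.append("self-grant")
    lo, hi = policy["change_window_utc"]
    # Automated IdM provisioning runs at any hour; interactive changes must be in-window.
    if sensitive and event["via"] != "idm_connector" and not (lo <= _hour_utc(event["time"]) < hi):
        reasons.append("outside change window")
    return reasons

def reverse(event: Dict) -> Dict:
    """Build the action that undoes the change. New accounts are disabled, not
    deleted, so the object and its history remain available as evidence."""
    inverse = {"add_member": "remove_member", "remove_member": "add_member",
               "create_user": "disable_user"}
    return {"action": inverse[event["action"]], "target": event["target"],
            "subject": event["subject"], "reverses": event}

def audit(events: List[Dict], policy: Dict = POLICY) -> List[Finding]:
    """Real-time monitor loop in miniature: evaluate each event, keep the violations."""
    return [Finding(ev, evaluate(ev, policy), reverse(ev))
            for ev in events if evaluate(ev, policy)]

def forensic_record(f: Finding) -> Dict:
    """Flatten a finding into the who/what/when/where/how an investigator wants."""
    e = f.event
    return {"who": e["actor"], "what": "%s %s -> %s" % (e["action"], e["subject"], e["target"]),
            "when": e["time"], "where": e["host"], "how": e["via"], "why_flagged": f.reasons}

if __name__ == "__main__":
    for f in audit(EVENTS):
        print(forensic_record(f))
        print("  remediation:", f.remediation["action"], f.remediation["subject"],
              "on", f.remediation["target"])
```

Two things a practitioner would want to notice: the legitimate overnight provisioning run by the IdM connector is not flagged, because the policy distinguishes automated from interactive paths rather than treating every off-hours change as suspect; and the reversal for an unauthorized account creation is a disable, not a delete, since destroying the object also destroys evidence the investigation will need.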

Conclusion
Identity Auditing is about verifying that the IT controls in place are actually achieving the goal of the security policies they are intended to enforce. Often, the biggest threat in IT related to identity and access control comes from internal users with privileged access. Identity Audit solutions can reduce organizational risk and help achieve compliance by policing the power of identity through state-based reporting and real-time monitoring.
