Tuesday, August 28

Own the Burden

Chris Parkerson of RSA raises an excellent point about the expectations that organizations put on employees regarding data protection. He asks "Is it really possible to expect employees to be educated enough about such policies to always do the right thing?" And he goes on to make the point that "well intentioned employees in many cases are under pressure to complete projects in record time and with minimum resources. The consequence of this dynamic is employees will prioritize getting a critical project completed above adhering to company security policies."

I think he's right. It's not an issue of having bad-guy employees. It's that productive employees have too much going on to be constantly thinking about security policies. Some employees may even think that policies are important for audits, but don't really need to be followed day-to-day. Ask your co-workers and friends and I'd bet you'll find a few people who think along those lines. If you've ever worked on a software integration project, I bet at some point you encountered a permissions error and elected to just give the user admin rights to get things working. Of course you eventually went back and revoked those rights, right?

So what can an organization do to protect itself, short of mass employee hypnosis? Own the burden. Put the right security controls in place and keep balancing employee education with effective IT controls. And, of course, run regular audits and real-time monitoring on those controls. Create a culture of compliance. Automate the process of security and most employees won't fight it. They'll probably prefer not having the option to subvert security, because then neither coworkers nor deadlines can pressure them into doing so.

Monday, August 27

Compliance: More of an Art than a Science

I just read an article titled "Perfect HIPAA security impossible, experts say." It covers a few healthcare companies' different approaches to HIPAA compliance. The main premise is summarized by Barry Runyon of Gartner:

[Companies] need to take a risk-based approach to HIPAA compliance that takes into account their individual circumstances and resources, he said. "Tailor the HIPAA security rule to your organization so you don't break the bank… It comes down to being able to prove you've taken due diligence," he said, adding that documenting the reasons why a HIPAA provision can't be implemented usually is sufficient for auditing purposes.

Whenever I hear from experts on industry regulations, it sounds as if compliance is more of an art than a science. I find that very interesting. When we think of an audit, we tend to think of accountants reconciling numbers in a ledger, where everything needs to match up. But in IT security, that conceptualization doesn't ring true. So be careful about searching for the perfect compliance checklist, and be careful about consultants who claim a proven formula. This is an iterative process that requires corporate lifestyle changes. Toward the end of the article, there's also a nice example of how identity management solutions can be an enabler for compliance.

Friday, August 17

Policing the Power of Identity

I borrowed the title of this post from NetVision's visionary CEO. You may start hearing it more from us in months to come. I previously discussed some of the steps involved in an identity audit project life cycle and I also discussed the value of living a lifestyle of compliance. Now, adding to those concepts, I'm going to attempt to boil it down to a few real-world customer challenges.

The Internal Threat
Most of us have seen the stats telling us that much of the risk associated with information technology breaches comes from inside the firewall. And a huge portion of that internal threat comes from our privileged users: the very people to whom we have purposely granted elevated rights. They are system administrators, DBAs and application owners. Most are not bad people. I believe the number of incidents is high among this group not because there's a high rate of criminals in it, but because of mere convenience or opportunity. Anybody who has access to multiple system databases will occasionally come across a batch of data that looks interesting. And since we're allowed to access that database, why not look around? It's not a crime; management specifically granted us access to view that information. When it comes to information about people, like salary data, net worth, health info and other juicy details, sometimes it's just too tempting not to look. ...and maybe too tempting not to share.

And if, for work purposes, some or all of that data is downloaded to non-production systems or even a personal laptop, it becomes very difficult to protect, because non-production environments are not secured as well as production systems. They often use default or shared passwords, limited access control, etc. As a consultant, I was often restricted from access to my customers' production systems, but few thought twice about giving me access to the non-production systems. And many of my customers used production data in their development or testing systems.

Identity Audit Business Drivers
Identity audits seem to be driven by two forces: compliance and risk management (security). Compliance may be driven by governmental or external regulations, or by internal policies. And even where there are no compliance requirements, the goal of identity audit is often simply to mitigate risk (which is ultimately the driver behind the regulations anyway). Over the past decade, I have watched Identity Management emerge as its own industry, and organizations have sought out and realized the business benefits promised by Identity Management systems. What has been left unanswered is whether the identity controls being put in place are doing what they're supposed to do. When IT auditors ask for proof, IdM system owners have limited options. If they're lucky, they can produce a report from the IdM system's own logs, but that misses any change made outside the IdM system (an administrator adding a group member with native directory tools, for example). They may be able to pull logs from individual systems, but cross-referencing and correlating data across those logs, or finding a specific incident, quickly becomes daunting. So the challenge presented to identity audit solutions is ultimately to reduce organizational risk (and thereby achieve compliance) by providing state-based reporting and real-time monitoring of identity systems.

Internal Affairs for IT
In tackling the identity audit issue, the first place to look is often the privileged user community. The identity audit solution really does two things: (1) it protects the organization against the internal threat, and (2) it protects the privileged users themselves, in the event of a system breach, against unwarranted investigation. By tracking events like new user creation and group membership changes, you can see who, what, when, where and how, which makes the post-event forensic work a far simpler process. And you can go further by reversing changes that violate policy. This means that policy compliance is not only reported on automatically, it can be enforced through automation as well. The identity audit solution becomes an internal affairs system for the organization, protecting it against the misuse of properly granted permissions. And in turn, it facilitates the investigation, and sometimes even the prevention, of a breach event.
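To make the two halves concrete (a state-based report against a directory snapshot, and event monitoring that flags who/what/when/where/how and proposes a reversal), here is a small Python sketch. It is an added example written for this page, not NetVision's product code or anything from the original post. The group names, account names, the event format and the policy tables are all made up for illustration; a real deployment would read events from directory audit logs and the snapshot from the directory itself.

```python
"""Toy identity-audit pass: policy-driven event monitoring plus a snapshot report.

All data below is constructed for the example. Nothing talks to a directory;
proposed reversals are returned as plain tuples so a caller can inspect or
execute them.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Policy (made up): who may sit in each privileged group, and which accounts
# are allowed to change membership at all (the IdM service account and a
# break-glass admin). Anything else is a change made outside the IdM system.
APPROVED_MEMBERS = {
    "Domain Admins": {"alice"},
    "DBA": {"bob", "carol"},
}
APPROVED_CHANGE_ACTORS = {"svc-idm", "breakglass"}


@dataclass
class Event:
    when: datetime            # when
    actor: str                # who made the change
    action: str               # what: user_created / group_member_added / group_member_removed
    target: str               # which account was affected
    group: Optional[str]      # which group, if any
    source: str               # where/how: host or tool the change came from


@dataclass
class Finding:
    rule: str
    event: Event
    revert: Optional[tuple] = None   # (action, user, group) a remediation job would run


def audit_events(events, approved_members=APPROVED_MEMBERS,
                 approved_actors=APPROVED_CHANGE_ACTORS):
    """Real-time side: check each change against policy as it arrives."""
    findings = []
    for ev in events:
        # Someone landed in a privileged group without being on the approved list:
        # report it and propose the exact reversal.
        if ev.action == "group_member_added" and ev.group in approved_members:
            if ev.target not in approved_members[ev.group]:
                findings.append(Finding("unapproved_privileged_member", ev,
                                        revert=("group_member_removed", ev.target, ev.group)))
        # Change performed by an account that is not supposed to provision at all,
        # i.e. it bypassed the IdM system (native tools, direct console access).
        if ev.actor not in approved_actors:
            findings.append(Finding("change_outside_idm", ev))
    return findings


def state_report(current_membership, approved_members=APPROVED_MEMBERS):
    """State-based side: compare a directory snapshot with policy.
    'unapproved' members are the ones to remove; 'missing' ones are worth a look too."""
    report = {}
    for group, approved in approved_members.items():
        actual = set(current_membership.get(group, ()))
        report[group] = {"unapproved": sorted(actual - approved),
                         "missing": sorted(approved - actual)}
    return report


# Constructed sample events: two routine IdM-driven changes, one self-escalation
# done with native tools from a workstation, and one legitimate break-glass change.
SAMPLE_EVENTS = [
    Event(datetime(2007, 8, 17, 9, 2), "svc-idm", "user_created", "dave", None, "idm-server"),
    Event(datetime(2007, 8, 17, 9, 3), "svc-idm", "group_member_added", "dave", "Helpdesk", "idm-server"),
    Event(datetime(2007, 8, 17, 14, 41), "eve", "group_member_added", "eve", "Domain Admins", "ws-eve"),
    Event(datetime(2007, 8, 17, 15, 5), "breakglass", "group_member_added", "bob", "DBA", "console"),
]

# Constructed snapshot of current group membership, as a directory dump might show it.
SAMPLE_SNAPSHOT = {"Domain Admins": ["alice", "eve"], "DBA": ["bob"]}


def run_example():
    """Run both checks over the constructed data; returns (findings, report)."""
    return audit_events(SAMPLE_EVENTS), state_report(SAMPLE_SNAPSHOT)


if __name__ == "__main__":
    findings, report = run_example()
    for f in findings:
        ev = f.event
        print(f"{f.rule}: {ev.when:%Y-%m-%d %H:%M} {ev.actor} {ev.action} {ev.target} "
              f"{ev.group or ''} via {ev.source}; revert={f.revert}")
    print(report)
```

Both checks matter: the event monitor catches the change at the moment it happens (and only it can tell you who did it and from where), while the snapshot report catches drift that predates your logging or slipped past it. On the constructed data the monitor produces two findings, both for the self-escalation, and the report shows that the snapshot still contains the unapproved Domain Admins member and that the DBA group is missing an approved one.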

Identity auditing is about verifying that the IT controls in place actually achieve the goals of the security policies they were intended to enforce. Often, the biggest identity- and access-related threat in IT comes from internal users with privileged access. Identity audit solutions can reduce organizational risk and help achieve compliance by policing the power of identity through system reporting and real-time monitoring.

Friday, August 3

Internet InSecurity

I stumbled across this today

and thought it was a pretty cool idea. Use a 3-minute video to educate employees on the dangers lurking in their inbox and reduce your enterprise risk. Nice and simple. And free.

Then, this evening I saw this

IRS employees giving out usernames and passwords to someone who called them on the phone and didn't even attempt to identify themselves. Why worry about password hacking techniques when all you need to do is call up Jerry or Sally at the IRS and ask them to change their password so that you can use their account? Well, at least the IRS doesn't have any sensitive information in its systems. (pardon the sarcasm)

And I remembered this

People don't even bother to check for the security indicators (the SSL padlock or the https:// in the URL) before doing their Internet banking, even when those indicators are right there.

And I recalled the old adage

We made it foolproof and they produced better fools.

We really have to take users out of the equation and make the security mechanisms invisible. Or make it impossible for them to accomplish a task without taking the proper precaution -- like maybe build a browser that doesn't accept any form input unless the site uses SSL with a trusted certificate, so the user doesn't need to think about that stuff. (A trusted certificate only proves you're talking to the site named in the URL, not that the site is really your bank, so it helps against eavesdropping more than against phishing.) And of course, even that won't stop the old phone-call-password-change gag.

It makes you wonder about all the work being done on the identity metasystem for a secure Internet. Putting users in charge of their own information sounds dangerous. Are Jerry and Sally going to take their secure infocard with SSN and credit card info and send it to any site that asks for it? After all, why create more than one card? That sounds like work.

As a society, we seem to have a massive mental block related to digital security. Maybe we need public service announcements on TV and radio about digital identity theft and secure password management. I think it'll be another decade before the Internet security issue is really figured out for the masses. Unfortunately, it may take that long for general knowledge about computer security to infiltrate society and for the security technology to meet people half-way with making security transparent.

Wednesday, August 1

Livin La Vida Compliant

I just read a compelling white paper that I found on the IT Compliance Institute site. The theory behind the paper complements what I wrote in March of 2006 about the Identity Management Project Continuum:

Implementing IdM is not a single project. Nor is it even a few stand-alone projects. I call it a continuum.

I also mentioned others who called Identity Management a lifestyle. Compliance should be thought of in the same way. When a company aligns IT with good security practices and lives them on a daily basis, compliance happens by default. If you try to shift an entire organization into information security compliance to meet a particular audit or to react to a breach, you're going to have your work cut out for you. And you're going to feel like a mouse in a wheel, never quite catching up to where you want to be.

The paper encourages organizations to "adopt a culture of continuous risk management". It's worth a read for organizations that want to understand how to achieve some level of compliance -- or maybe just to minimize their overall level of risk.

In Dave Kearns' Network World newsletter today, he mentions an old truism that you should "make the cost of pilfering an asset higher than its value while keeping the cost of protecting the asset lower than the cost of replacing it." There's some truth to that -- it's a juggling act. Luckily, good security practices span many assets at once, which keeps the per-asset cost of security small. And I think Dave's point fits nicely with the ideas above. Getting your organization into a culture of compliance will let you balance cost against risk and make your long-term security costs more predictable. And when regulations and compliance rules change, you'll be ready.