Thursday, July 29

Next Generation Compliance: Expect Answers

As an industry, we've been getting much better at understanding access rights and enabling compliance with access-related regulatory requirements. I know there are naysayers out there who focus on the negative - what we haven't done well. But, overall, given the speed at which we've enabled access to sensitive information, it's pretty amazing that we have any control at all.

Having said that, one of the primary problems with our current solutions for tracking changes and enabling audit response is that we just can't make sense of all the data that's being collected. One of the findings in the SANS Log Management Survey for 2010 is that the top two challenges with log management are being able to search through the data and being able to interpret the results. That's no surprise given the mountains of data generated by log management solutions. But it's also alarming because that's the exact value proposition that those solutions are supposed to provide. It's like a car that does everything well except move from one place to another.

Failure: Mountains of Data with No Actionable Information

There's a better way. In this SC Magazine article titled "Answers, Not Data: The Key to Access Security", David Rowe explains that next generation audit solutions need to focus on providing answers and enabling continuous audit rather than stubbornly latching on to quantity of data as the success indicator. Give it a read and please let me know what you think.

Tuesday, July 27

How to clean up years of permission bloat

Since joining NetVision a few years ago, I've spoken to countless organizations that are faced with cleanup duty. For years, administrators have granted permissions, added group memberships, created countless new security groups, and delegated rights in Active Directory, mostly in a reactive mode. That is, they grant permissions in response to some member of the business asking for new rights. Unfortunately, business managers have not had motivation to request that permissions be revoked when appropriate. So, in many cases, there are hundreds or thousands of security groups whose purpose and intended use nobody seems to know. And some big percentage of the user population has access to files/folders that they shouldn't.

In an ESJ article titled "Coming Clean: Getting a Handle on Permissions and Group Memberships", NetVision CEO David Rowe discusses the challenge and explains how you can regain control over network access rights.