Monday, June 11


I mentioned previously that 70% of electronic attacks originate inside the firewall. And 90% of attacks are perpetrated by technical employees with privileged access. These are FBI/Computer Security Institute stats. I don't have a link to the original source, but I've seen it quoted in numerous places across the web and by numerous organizations. I believe the original data should be at, but I didn't have luck getting that site to load.

This isn't just stats from a survey. This is real world. Even from our common experience, we know that Joe from accounting and Sally from Marketing aren't cracking the DBA password and writing the database information out to a private FTP server for sale on the black market. It's the DBA who already has access that realizes how easy it would be and figures what the heck. While at RSA, I talked to customers about the shift from perimeter-centric security to information-centric security. I primarily focused on authentication of users, access control to information and data protection via encryption technologies. My next move focuses on the same threat, but from a different angle.

NetVision is a company that's been around 12 years and has a strong legacy position in the Novell Netware solutions arena providing audit, reporting and monitoring of Netware environments. In 2003, when Novell purchased SUSE, the writing was on the wall. Netware may not be the operating system of the future. NetVision made the natural move and began to support eDirectory and SUSE Linux. Now, NetVision supports Active Directory environments as well.

So we now have the ability to provide audit, reporting and monitoring of Windows, Netware and SUSE Linux environments to ensure that organizational security objectives are being met. How does that relate back to the threat mentioned above? Well, in the identity management arena, your privileged users are the domain admins, enterprise admins and super users. If you're one of those privileged users and you want to hide your tracks, you can just create a new user, grant elevated rights, logon as that user to perform some actions, then remove the user from the system. In many environments, there's no way to prevent that or even know it's happening. NetVision can enforce security policies even amongst the system administrators. We can intercept an attempt to skirt the security policy, reverse the changes and send alerts to appropriate parties. And we can provide a nice audit trail of what changes were made, when and by whom. NetVision is solely focused on the identity space. Primarily, we're looking at data in AD or eDirectory, but also File Systems, Event Logs and more. What we're not looking at is Firewall or IDS logs -- we're not trying to be a solution that would consume logs from every device on the network. And that gives us a leg up when it comes to drilling down on identity information.

I think we're in a very important space and we're presented with a unique opportunity to bring identity management to the next level with regard to integrated policy enforcement. I know that sounds a bit theatrical, but I'm excited to be ahead of the curve on this one. I don't know the stats, but most companies are running Windows/AD or Novell. And some have started to implement IdM to the extent that user account creation and/or modifications are automated -- maybe they even keep an audit trail, but there's still a big need out there for the ability to provide reports on whether or not we're in compliance with our intended policies. And it's even better if we can prevent or reverse an attempt to purposely subvert policy. And we can. Ask for it wherever quality identity solutions are sold.

No comments: