Thursday, October 30

Productivity was the big motivator

If you clicked the link to this page from the article titled Ease your identity management issues in IT World Canada, I wanted to provide a quick pointer to some of the content I *think* you might be interested in.

The link occurs in the line:
And while user productivity was the "big motivator" behind identity management strategies several years ago...
So, I think the writer may have read one of my previous posts which said:
Provisioning has typically been about increased efficiency and reduced cost. But, it's time to extend the ROI into security and compliance as well.
I expanded on the theme in a later post and then discussed the topic in an article on eBizQ.

You might notice that my ultimate conclusion is a little different than the one in the article. Here's the full paragraph from the IT World Canada article:
And while user productivity was the "big motivator" behind identity management strategies several years ago, it has now assumed a back seat as the rough economy has brought to the fore the need to reduce help desk and security administrative staff by automating previously manual user access processes, said Shohan. “People at least pay lip service to the idea of regulatory compliance and improving security, although I suspect in many cases, they… are really more interested in ROI and access termination,” he said.
So, it sounds like they're saying that the initial drivers for IAM were user-productivity and that has shifted to operational cost savings. In contrast, I would say that the initial driver was operational cost savings, it later included user-productivity, and now the shift is toward greater security and compliance / audit-ability.

In a completely separate post, I also talk about the difference between enabling end-user productivity in some SSO solutions and enabling security in others. ...perhaps that was the motivation for the link?

Either way, thanks to IT World Canada for the link!

Monday, October 27

More Insider Threat Data

RSA recently released their latest data on Insider security.

Some interesting results:

53% of respondents feel they NEED to work around security policies to get their jobs done.

37% of respondents have stumbled into areas of the network to which they SHOULDN'T have access.

50% of U.S. respondents switched roles and still had access to UNNECESSARY accounts/resources.

And that's with most respondents understanding security policies and having been given training about the importance of following security practices.

The last time I wrote about an RSA survey pointing out that employees feel they NEED to work around security controls to get their jobs done, the number was at 35%. So, it's either gotten worse or it varies from crowd to crowd (likely the latter).

Get the full survey report here

Ian's Managed Identity Services Survey

Ian Yip has posted his Managed Identity Services survey results. Good stuff. Thanks Ian!

I would've identified the top two benefits of a managed solution as:
  • Lower Cost
  • Fewer Skills/Knowledge Required
    (Hiring, Training, Employee Turnover, etc.)
The respondents confirmed those, but reversed the order. To them, the fact that a managed solution eliminates the need to find and keep people with the right knowledge/skills is more important than the fact that a managed solution costs less. (That's my own analysis of question 13 after combining a few of the answers.)

Another interesting point is from question 12 - biggest barrier to outsourcing IdM. If you take away the top two concerns by leaving infrastructure and data on-site and limiting external access to sensitive data, the top concern is cost - which was also identified as one of the top benefits. So is there confusion about whether outsourcing cost more or less? Or is it listed as a barrier to changing the way things are done today (as in, I need to find budget)?

Check out the results for yourself to do more digging.

Thursday, October 23

Effects of the Economy on InfoSec

Should we start talking about how the economy will affect IT and Info-Security? Spending has slowed for many of the people that I've talked to. I don't think things are dyer quite yet as software companies are still hiring for pre-sales help. But, customer budgets have gotten smaller. And some are predicting that cost-cutting solutions will likely be king.

But how do organizations reconcile the need for security with cost-cutting? Security solutions are not always about cutting obvious costs. There's often a focus on reducing the potential cost of a breach or failed audit. What about operational costs?

Perhaps now is the time for service-based solutions? Identity-as-a-Service or Audit-as-a-Service? There's a pretty clear argument that allowing someone else to manage a complex infrastructure will save cost vs. trying to build expertise and manage it yourself. ...more on this very soon. But, what do you all think? Should we be buying the duct tape and plastic sheets to brace for a coming storm? How has this economy affected IT security buying decisions?

Sunday, October 5

Litmus Test for Metadirectory vs. Virtual Directory

No, I don't want to re-open a debate. Just floating someone else's idea...

I already mentioned some of the things I overheard at DIDW 2008 and the panel titled Lessons From Successful Virtual Directory Deployments. I was looking at my notes today and wanted to float an idea that one of the panelists offered (I think it was Divya Sundaram of Motorola). He said (paraphrased):
If you front-end data (or a data store) that you don't own (or don't have control of), then you need to replicate/sync data (instead of virtualizing the view).
Is that a good general litmus test for the Metadirectory vs. Virtual Directory debate?

As I've said numerous times, I can think of clear use-cases for both scenarios. But this might be a good general rule of thumb. BTW - the panel seemed to unanymously agree that both capabilties are useful and should be part of the toolbox.

Friday, October 3

Better data from Active Directory for your SIEM

If you Have or are Planning to Have:
  • A SIEM solution (ArcSight ESM, RSA enVision, Novell Sentinel, IBM TCIM)
  • An enterprise Log Management solution (LogLogic, TriGeo, SenSage)
And your employees log on to:
  • Microsoft Active Directory / Windows
  • Novell eDirectory / NetWare
And you're unhappy with the solution's ability to:
  • Get complete information from the directory or file system
  • Filter which information is collected
  • Generate highly relevant alerts based on filtered event data and custom policies
  • Collect event data directly from the source (independent of system logs)
  • Apply decisions or alerts based on WHO is performing the action
  • Report on ANY combination of objects and attributes in the directory
  • Report on who is opening or modifying files, folders, or file system permissions

THEN ...Please give us a call.

I recently wrote a paper discussing how we (NetVision) extend the ability of SIEM or log management solutions by getting better, more reliable, and more relevant information directly from what is arguably your most critical source (the network directory). The paper isn't publicly available (it's not that kind of paper). So, let us know and we'll pass it along or we can save you the trouble of reading and just explain it.

85% of Security Breaches are Opportunistic

I've talked before about security breaches being crimes of opportunity. I've given presentations and webinars discussing the Insider Threat and talking about security breaches. And I always mention that I don't think the concern should be that people are bad. I don't think that employees are out-to-get their companies.

I didn't want to paint a picture of bad guys huddled in a dark room trying to figure out how to breach the company's security. Sure, that happens too. But, I don't think that's the real Insider Threat. Some of those attacks may have an element of insider advantage, but the big number of security breaches that I attribute to insiders are more opportunistic. It's administrators who have been given explicit access to sensitive information and stumble across it in their daily routine. And it happens all the time.

According to a new Data Breach Report by Verizon Business,

85% of security breaches are opportunistic.

I always thought the percentage of insider breaches that are opportunistic would be high. But, of the breaches covered in this report,

18% were caused by insiders.

I believe that number to be much higher. This report is based on breaches that were not only reported, but brought to Verizon Business for help. Nobody calls a forensics team when an admin opens up an HR doc containing a co-worker's salary. Or when an admin creates a new account and grants full system rights in order to get a new application up and running. I would consider both scenarios to be a security breach, but neither would appear in this report (or other reports). Those breaches are generally not reported and quite often not even noticed.

Does your environment have a mechanism that enables you to even see that kind of activity? Most do not. ...which leads me to the last stat I'll share from the report:

87% of breaches in this study were considered
avoidable through reasonable controls

...and I would argue that the same is true for the unreported, opportunistic, insider-threat type of breaches that are likely unrepresented in this research.