Thursday, September 24

Provisioning to the Cloud

I posted recently about identity in the cloud. Many identity vendors are doing interesting things to get their solutions 'in the cloud' or available 'as a service'. It's a lot of buzz, but there's also some actual cost savings and operational efficiencies at the bottom of these efforts.

Today, Optimal IdM announced their cloud provisioning solution. Similar to what Identropy is doing with IC2, Optimal IdM's solution leverages existing provisioning solutions and acts as a connector to cloud applications.

This use case of acting as a connector for remote, unknown, complex, or varied systems is a perfect fit for virtual directory technology. MaXware released a similar connector for Salesforce in 2006 while I was still an employee. Perhaps they were ahead of their time? The virtual directory solution can be added to virtually (no pun intended) any environment and provide immediate connections up to numerous, complex cloud systems, thus saving cost and effort as compared to developing custom connectors.

Having said all those nice things about the virtual directory approach and once again encouraging IAM integrators to consider virtual directory solutions while whiteboarding on how to meet requirements, I should be fair and point out an alternate viewpoint. If you already have a provisioning solution from the likes of Courion, Novell, Oracle or IBM, and a requirement to provision to cloud applications, you owe it to yourself to take a close look at Identropy's IC2 offering before making any purchase decisions. That's exactly what it's designed to do.

Another interesting note - I spoke to someone from Arcot today (think secure token-less authentication) who informed me that all of their solutions for secure authentication are now available as a service. They already have one of the most widely deployed authentication-as-a-service solutions on the market, so it seems to be a natural migration to offer their other solutions from the cloud as well.

Who recently said there was no more innovation in the IAM space? The latest innovation in this space is in direct response to the market complaints that IAM is too complex. Once simplicity is realized, innovation will no doubt trend elsewhere. I call that a success in meeting customer demand.

Friday, September 18

Security Policy Annual Acknowledgement

Over the past few years, I've encountered a number of customers who were struggling with a compliance mandate requiring employees to annually acknowledge that they have read the organization's security policy, code of conduct, or other important policy. Coreblox recently outlined how you can enforce that annual acceptance using a Web Access Management solution. If your employees regularly need to access web resources, this is a good way to force their attention as needed. How have you solved the problem?

Thursday, September 10

Who Has Access? Free Reports

Do you have questions like:

Who has access to this file?
What does this user account or group have access to?

If so, take a look at this description of NetVision's latest - free reports that answer complex questions. Or to get started right away, go directly to the TryIt! edition product page.

It's nice to have something free to give away that is actually useful.

Two reports provided that every admin should care about are:

Direct User Assignments – report on all instances of permissions being assigned directly to user accounts (instead of via groups).

Explicit Deny Entries – report on all instances of explicitly denied permissions (these can cause headaches when trying to figure out why someone doesn't have expected permissions).

Friday, September 4

Crows Using Vending Machines and the Security Implications

As reported in the NY Times, researcher Josh Klein actually taught crows to buy their own food from vending machines. If you have 10 minutes, the TED presentation is definitely worth watching. Crows are way more intelligent than you would think.

And we think we can stop them with an inanimate pile of clothes stuffed with hay!

Of course, there's a lesson to be learned for information security practitioners. Your company's employees and system administrators will learn and adapt. They can see the scarecrow that you've put in place to ensure security. And they figure out how to work around it.

Security company RSA in their Oct. 2008 survey reported that:
"53% [of employees] have felt the need to work around IT security policies in order to get their work done."
Those are well-meaning employees just trying to do their best for the company.

A recent NetworkWorld article titled Inside a data leak audit provides a real-world example. It describes an organization that was seemingly doing everything right with regard to information security. But, a thorough audit revealed 11,000 potential leaks in two weeks. All the scarecrows you could imagine were hanging on posts all across the organization. They weren't enough.

Preventative security doesn't always get the job done. Many organizations would benefit from real-time audit and monitoring solutions. In addition to after-the-fact forensic and audit trail benefits, active monitoring can be a powerful deterrent and even enable real-time remediation.

Tuesday, September 1

The 'Soft' Insider Threat: More Data

There's a new IDC white paper sponsored by RSA:
Insider Risk Management: A Framework Approach to Internal Security (PDF)

It has some interesting data on the risk posed by insiders. Specifically, they look at the difference between risk from malicious attackers and the risk posed by unintentional breaches or well-intentioned employees (the 'Soft' Insider Threat).

Courion points out one of the most interesting data points:
"CXOs also revealed that the greatest financial impact to their organization was caused by risks related to out-of-date or excessive access rights"
I was surprised by that. I intuitively know that soft breaches occur far more often than malicious attacks. But, my intuition also tells me that malicious attacks probably cause far more extensive financial harm. The respondents of this survey tell us that inappropriate permissions lead to greater financial harm than malware, internal fraud, deliberate policy violations, and unauthorized access (among others).

You should look directly at the data. It does vary by country. In the U.S. (where the greatest financial losses were reported by respondents), internal fraud edges out excessive rights, but I'm still surprised to see the financial impact of each is almost equal. And keep closer watch on contractors and temporary employees!