Thursday, December 6

Gartner IAM Notes

In case you missed all the live tweeting by me and others, here are some notes from this week's Gartner IAM Summit:
  • There seemed to be a common theme that the primary driver for IAM projects has shifted from operational (early) to compliance (recent) to business enablement (now).
  • Communication to the business stakeholders is key. (not new, but as important as ever)
  • IAM and IAG seem to be converging.

(from Chris Howard’s keynote)

  • The CIO’s business goals are to increase business growth, attract new customers, and reduce cost.
  • The CIO’s IT goals are to deliver solutions, manage infrastructure, reduce cost of IT, and expand analytics.

(from Jeff Wheatman’s session on DG)

  • Despite increasing requirements, less than 10% of orgs will get above maturity level 1 by 2015.
  • Solutions that help identify ownership and accountability are very immature.

Customers will look at solutions that can:

  3. Prevent situations (most difficult & expensive)
  2. Alert & notify upon high-risk situations
  1. Document & accept risk (which is OK for many; least costly)

Unstructured data remains a very big problem.

(from Lori Rowland’s session on Selling IAM with Perry Carpenter and Tom Scholtz)

ROI is impossible to demonstrate. Business cases are based on:

  • Efficiency: Any perceived time savings
  • Effectiveness: Improved audit, tracking, regulatory
  • Enablement: enhance business opps, reduce friction, integrate networks, etc.

You must continuously show value to the business by communicating success and building credibility with regular, honest feedback. You can do this by stating goals clearly up front and tracking toward them. One great example was to send a survey to stakeholders on where their pain lies. Measure their pain (1-10). Track progress on pain level improvements to show progress and success.

Roughly 45% of attendees reported that IAM was sponsored by CIO and 45% by CISO. Two things everyone has in common as drivers: Time & Money.

Friday, November 30

Upcoming IAM Events from Gartner and OCG

I wanted to pass along two upcoming IAM events:

Gartner IAM

If you're not already planning to be at the Gartner IAM Summit next week, it may be too late for you. But I'll be there and would love to hear what you're up to in the world of IAM. I'm planning to cover the event and/or what I found there here on the blog. Specifically, I'll be looking for what's new in the IAM world (trends, new capabilities, etc.). Reach out if you'd like to meet up.

Oxford Computer Group's
Redmond Identity, Access, and Directory Knowledge Summit 2013

I'm excited about this one. I cut my teeth in the world of IAM on Microsoft solutions (AD, MMS 2.2, MIIS) and OCG was the firm that trained everyone on how to use those solutions. The world has, of course, evolved. But the first annual Redmond IAM Knowledge Summit should be a great one.

Full disclosure: STEALTHbits is a gold sponsor of the event along with my friends at Optimal IdM. And I will be speaking on Active Directory Unification, which is a hot topic this year and a key enabler for IAM projects. It'll be my first time on Microsoft's Redmond campus, so that should be interesting as well.

If you're planning to be at either event, look me up.

Tuesday, November 20

Game-Changing Sensitive Data Discovery

I've tried not to let my blog become a place where I push products made by my employer. It just doesn't feel right and I'd probably lose some portion of my audience. But I'm making an exception today because I think we have something really compelling to offer. Would you believe me if I said we have game-changing DLP data discovery?

How about a data discovery solution that costs zero to install? No infrastructure and no licensing. How about a solution that you can point at specific locations and choose specific criteria to look for? And get results back in minutes. How about a solution that profiles file shares according to risk so you can target your scans according to need. And if you find sensitive content, you can choose to unlock the details by using credits which are bundle-priced.

Game Changing. Not because it's the first or only solution that can find sensitive data (credit card info, national ID numbers, health information, financial docs, etc.) but because it's so accessible. Because you can find those answers minutes after downloading. And you can get a sense for your problem before you pay a dime. There are even free credits to let you test the waters for a while.

But don't take our word for it. Here are a few of my favorite quotes from early adopters: 
“You seem to have some pretty smart people there, because this stuff really works like magic!”

"StealthSEEK is a million times better than [competitor]."

"We're scanning a million files per day with no noticeable performance impacts."

"I love this thing."

StealthSEEK has already found numerous examples of system credentials, health information, financial docs, and other sensitive information that weren't known about.

If I've piqued your interest, give StealthSEEK a chance to find sensitive data in your environment. I'd love to hear what you think. If you can give me an interesting use-case, I can probably smuggle you a few extra free credits. Let me know.

Thursday, October 25

Active Directory Unification and Attribute Cleanup

I recently posted about Active Directory Unification. The main points were (1) that there is value in AD consolidation and (2) that there's a right way to do it to meet the intended goals.

Sander Berkouwer posted earlier this month on Active Directory attribute integrity. He makes the point that with all the tools Microsoft provides to enable tighter management of identities and access (FIM, ADFS, ADRMS, DAC), Active Directory Cleanup is more important than ever. Berkouwer writes:
"When these attributes are inconsistent, access to files, apps, partners and cloud functionality becomes inconsistent. If you think it won’t happen to you, think twice. During the first internal Microsoft deployment of Dynamic Access Control, attribute inconsistency was the first encountered problem."

Most people that I speak with jump into the benefits that cleanup will have on the AD Unification process. The reality is that the real value of cleanup is enabling the right functionality and access controls after the unification process is complete. (Of course, as I wrote, it's never really complete; it's not a one-time event.)

It's worth making the distinction.

Monday, October 15

Unstructured Data into Identity & Access Governance

I've written before about the gap in identity and access management solutions related to unstructured data.

When I define unstructured data to people in the Identity Management space, I think the key distinguishing characteristic is that there is no entitlement store with which an IAM or IAG solution can connect to gather entitlement information. 

On file systems, for example, the entitlements are distributed across shares and folders, inherited down the folder tree, applied through group memberships that may be nested many levels deep, and there's no common security model to make sense of it all. Answering "what can this user reach" means resolving every group the user belongs to, walking each folder's ACL up to the share root, and then capping the result by the share permission itself.
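To make that concrete, here is an added illustration (not STEALTHbits code) of what an effective-rights calculation on a Windows file share has to do: expand nested group membership with a guard against membership loops, evaluate NTFS ACEs nearest-first so that a deny at the folder beats an inherited allow, honour "this folder only" ACEs, and intersect the result with the share-level permission. The directory, the share and the ACLs are constructed for the example; the rights are simplified to the four generic levels Read, Write, Modify and FullControl rather than real NTFS access masks, and file-level ACEs are left out.

```python
"""Effective rights on a Windows file share: nested groups, NTFS ACL
inheritance, deny-over-allow and the share/NTFS intersection.
Added illustration with constructed data (not STEALTHbits code)."""
from dataclasses import dataclass, field

# Constructed directory data: group -> direct members (users or groups).
# HR-Staff is nested two levels deep; ProjectX and ProjectX-Leads contain
# each other, which is why expansion keeps a visited set.
GROUPS = {
    "Domain Users": ["alice", "bob", "carol"],
    "HR-Staff": ["HR-Managers", "carol"],
    "HR-Managers": ["alice"],
    "ProjectX": ["bob", "ProjectX-Leads"],
    "ProjectX-Leads": ["alice", "ProjectX"],
    "Contractors": ["bob"],
}
WELL_KNOWN = {"Everyone", "Authenticated Users"}  # every logged-on user has these

RIGHTS = ("FullControl", "Modify", "Write", "Read")
IMPLIES = {  # simplified generic rights; a higher level includes the lower ones
    "FullControl": {"FullControl", "Modify", "Write", "Read"},
    "Modify": {"Modify", "Write", "Read"},
    "Write": {"Write"},
    "Read": {"Read"},
}

def rights(*names):
    out = set()
    for n in names:
        out |= IMPLIES[n]
    return frozenset(out)

@dataclass(frozen=True)
class Ace:
    principal: str
    rights: frozenset
    allow: bool = True
    inherit: bool = True   # propagate to subfolders; False = "this folder only"

@dataclass
class Node:
    aces: list = field(default_factory=list)
    children: dict = field(default_factory=dict)

@dataclass
class Share:
    name: str
    share_acl: Node   # share-level permissions (flat)
    ntfs_root: Node   # NTFS ACL tree under the share path

def expand_principals(user, groups=GROUPS):
    """The user plus every group it belongs to, transitively and cycle-safe."""
    ids = {user} | WELL_KNOWN
    stack = [user]
    while stack:
        current = stack.pop()
        for group, members in groups.items():
            if current in members and group not in ids:
                ids.add(group)
                stack.append(group)
    return ids

def resolve(root, path, identities):
    """Per right, the nearest ACE (object first, then ancestors) that names
    one of the identities decides; a deny at that level beats an allow.
    Non-inheritable ACEs only count on the object itself."""
    chain = [root]
    for part in [p for p in path.strip("/").split("/") if p]:
        chain.append(chain[-1].children[part])
    granted = set()
    for right in RIGHTS:
        for distance, node in enumerate(reversed(chain)):
            hits = [a for a in node.aces
                    if a.principal in identities and right in a.rights
                    and (distance == 0 or a.inherit)]
            if any(not a.allow for a in hits):
                break                 # deny at the nearest matching level wins
            if hits:
                granted.add(right)
                break
    return granted

def effective_rights(share, path, user):
    """Over the network a user gets the intersection of share and NTFS rights."""
    ids = expand_principals(user)
    return resolve(share.ntfs_root, path, ids) & resolve(share.share_acl, "", ids)

# Constructed share \\FS01\HR with a Payroll subfolder.
HR = Share(
    name="HR",
    share_acl=Node(aces=[Ace("Authenticated Users", rights("Modify"))]),
    ntfs_root=Node(
        aces=[
            Ace("Domain Users", rights("Read")),
            Ace("HR-Staff", rights("Modify")),
            Ace("ProjectX", rights("FullControl"), inherit=False),  # this folder only
        ],
        children={"Payroll": Node(aces=[
            Ace("Contractors", rights("Read"), allow=False),        # explicit deny
        ])},
    ),
)

if __name__ == "__main__":
    for user, path in [("alice", "/Payroll"), ("bob", "/"), ("bob", "/Payroll")]:
        print(f"{user:6} {path:9} {sorted(effective_rights(HR, path, user))}")
```

Three things fall out that a flat group-membership report would miss: alice reaches Payroll with Modify only because HR-Managers sits inside HR-Staff; bob's FullControl on the share root is capped to Modify by the share permission and disappears entirely on Payroll because of the Contractors deny; and the ProjectX/ProjectX-Leads loop terminates because expansion tracks what it has already visited.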

STEALTHbits has the best scanner in the industry (I've seen it go head-to-head in POCs) to gather users, groups, and permissions across unstructured data environments and the most flexible ability to perform analysis that (1) uncovers high-risk conditions (such as open file shares, unused permissions, admin snooping, and more), (2) identifies content owners, and (3) makes it very simple to consume information on entitlements (by user, by group, or by resource).

It's a gap in the identity management landscape and it's beginning to show up on customer agendas. Let us know if we can help. Now, here's a pretty picture:

STEALTHbits adds unstructured data into IAM and IAG solutions.

Thursday, September 27

Active Directory Unification

[This is a partial re-post of an entry on the STEALTHbits blog. I think it's relevant here and open for discussion on the concepts surrounding clean migrations and AD unification.]

It’s no secret that over the past decade, Active Directory has grown out of control across many organizations. It’s partly due to organizational mergers or disparate Active Directory domains that sprouted up over time, but you may find yourself looking at dozens or even hundreds of Active Directory domains and realize that it's time to consolidate. And it probably feels overwhelming. But despite the effort in front of you, there’s an easy way and a right way.

Domain consolidation is not a simple task. Whether you're moving from one platform to another, trying to implement a new security model, or just consolidating domains for improved management and reduced cost, there are numerous steps, lots of unknowns and an overwhelming feeling that you might be missing something. Sound familiar?

According to Gartner analyst Andrew Walls, “The allure of a single AD forest with a simple domain design is not fool’s gold. There are real benefits to be found in a consolidated AD environment. A shared AD infrastructure enables user mobility, common user provisioning processes, consolidated reporting, unified management of machines, etc.”

Walls goes on to discuss the politics, cost justification, and complexity of these projects, noting that “An AD consolidation has to unite and rationalize the ID formats, password policy objects, user groups, group policy objects, schema designs and application integration methods that have grown and spread through all of the existing AD environments. At times, this can feel like spring cleaning at the Augean stables. Of course, if you miss something, users will not be able to log in, or find their file shares, or access applications. No pressure.”

Walls offers advice on how to avoid some of the pain. “You fight proliferation of AD at every turn and realize that consolidation is not a onetime event. The optimal design for AD is a single domain within a single forest. Any deviation from this approach should be justified on the basis of operational requirements that a unified model cannot possibly support.”

What does this mean for you? Well, the most significant take-away from Walls’ advice is that it’s not a one-time event. AD Unification is an ongoing effort. You don’t simply move objects from point A to point B and then pack it in for the day. The easy way fails to meet the core objectives of an improved security model, simplified management, reduced cost, and a common provisioning process (think integration with Identity Management solutions).

If you take everything from three source domains and simply move it all to a target domain, you haven’t achieved any of the objectives other than now having a single Active Directory. There’s a good chance that your security model will remain fragmented, management will become more difficult, and your user provisioning processes will require additional logic to accommodate for the new mess. On a positive note, if this model is your intent, there are numerous solutions on the market that will help.

STEALTHbits, of course, embraces the right way. “Control through Visibility” is about improving your security posture and your ability to manage IT by increasing your visibility into the critical infrastructure.

If you'd like to learn more about the solution, you can start by reading the rest of this blog entry or contact STEALTHbits.

Thursday, July 19

Data Protection ROI

I came across a couple of interesting articles today related to ROI around data protection. I recently wrote a whitepaper for STEALTHbits on the Cost Justification of Data Access Governance. It's often top of mind for security practitioners who know they need help but have trouble justifying the acquisition and implementation costs of related solutions. Here are today's links:

KuppingerCole -
The value of information – the reason for information security

Verizon Business Security -
Ask the Data: Do “hacktivists” do it differently?

Visit the STEALTHbits site for information on Access Governance related to unstructured data and to track down the paper on cost justification.

Friday, June 29

Filling the Gap in Identity and Access Governance

Identity and Access Management: Filling the Gap in Identity and Access Governance

Traditional identity solutions focus on access to applications, but that misses as much as 80 percent of corporate data.

We’ve entered the age of access governance. Organizations need to know who has access to what data and how they were granted that access. Identity and Access Governance (IAG) solutions address these issues while managing enterprise access. They provide visibility into access, policy and role management, and risk assessment—and they facilitate periodic entitlement reviews of access across numerous systems. Most enterprise IAG solutions are missing a key piece to the puzzle, though: unstructured data.

[Read the full article in TechNet Magazine]

Wednesday, May 23

Aveksa and Radical Changes to Identity Management

I don't generally like to discuss specific vendors - especially if I don't have a strong relationship with them. But I saw a press release last week that was titled Aveksa Radically Changes the Economics of Identity and Access Management. I have to admit that I probably grimaced and thought "radically changes... seriously? Are they kidding?" The release stated that they introduced a new product called Access Fulfillment Express that's going to break "the cycle of heavy investments". I sarcastically thought "Yeah, sure it is."

I know Aveksa to be good within their sweet spot - Access Governance across enterprise applications - but I didn't think of them as an influential player in Identity Management (provisioning) probably because I knew they integrated with most of the major IAM vendors for provisioning tasks. So, I was pretty skeptical that they'd be doing anything that "radically changes the economics" of an IAM project. That was, until today when I had an opportunity to speak with someone from Aveksa.

Consider my tune changed.

One of the most complicated parts of any IAM deployment traditionally has been the development of the connectors. The connectors establish the link to the target systems and define the rules by which data will be managed. There's a lot of work on both the business side and technical side to get the connectors working properly. The connector work often makes or breaks the entire IAM system.

So, what has Aveksa done to the connectors to improve upon them? Essentially, they've dumbed them down. If the connector is JUST a connector and doesn't have all that business logic built in, the process of deploying a connector becomes much easier. They call them Lightweight Adapters. It's analogous to a set of APIs that can carry out whatever commands are sent to them. The commands, and the business logic behind them, are then managed by the application.

IAM solutions originated as complex systems of connectors that later bolted on a UI to provide workflow. By starting with the UI as the real business value, Aveksa may have stumbled upon (or brilliantly planned?) a way to radically simplify deployment and management of IAM solutions.

NOTE: I haven't vetted Aveksa's approach in any detail. I haven't deployed the solution or even looked at the documentation, but I thought the shift in approach was worthy of discussion.

Thursday, May 10

Access Governance on Unstructured Data

Gartner research VP Earl Perkins posted a few days ago on the intersection of data and applications within IAG (Identity and Access Governance). I've certainly seen the same issues and we've been working with customers on these challenges quite a bit over the past six months. In fact, I authored a paper on the topic in April which is available in the STEALTHbits resource library titled Access Governance on Unstructured Data.

I hinted at the paper back in February and it was clear from the response I got that many are not willing to acknowledge a shift from the era of Identity Management to the era of Access Governance. But, I still see our current Access Governance efforts (as an industry) as analogous to what we did about a decade ago for Identity Management. Obviously, the industry remains dynamic and there's overlap but I think we have a pretty good handle on managing accounts while we're still working on the best ways to provide governance over access (whether to applications or data).

In my own phrasing (and ignoring structured and semi-structured data for the moment), the issue Earl addresses is, essentially that traditional IAM and IAG solutions are application-centric but a significant portion of enterprise data is unstructured (many estimates indicate that 80% of data is unstructured) rather than accessed and controlled via applications. IAG vendors are struggling with getting their arms around data as it sits out in the environment. And it's a hard problem.

I've been a part of two software vendors who addressed access rights to unstructured data. Neither company nailed it in the first attempt and there were challenges along the way. I've spoken with three large companies who tried to build in-house solutions for themselves. All failed and eventually sought commercial solutions. And I've spoken to IAG vendors who struggle with unstructured data solutions - even having tried popular brand name commercial solutions with unsatisfactory results. In my paper, I point out many of the challenges (platform coverage, geography, scalability, deployment, etc.) and how we've addressed them.

The one item that I'd differ on in Earl's post is that he mentions IAG vendors as looking to partner with SIEM and/or DLP solutions to address the issue. I don't think either is a good fit. SIEM is obviously event-driven and relies on logs. It may answer a piece of the question but it's not a direct fit. Even where it does provide value (who is doing what), its data is limited to what shows up in logs, which isn't ideal for this scenario and doesn't generally enable context-based filtering.

And DLP may get much of the right information but the folks I've talked to describe it as overkill (too expensive and too difficult to deploy). Where DLP seems to shine is in the actual prevention (blocking action at the end-point or at the firewall). But for a quick, efficient scan of access rights and the ability to analyze high-risk conditions, I'm not sure you can bend DLP solutions to do what you need.

I'd love to discuss more with anyone interested. Let me know. I can also get you a copy of the paper. It's short and to-the-point, but is a good conversation starter.

Monday, April 9

Data Growth is Bringing Security and Ops Together

There was an interesting article posted last month in NetworkWorld by Jeff Vance applying the concept of hoarding to electronic data. My favorite quote (altered slightly) from the article is borrowed from Yogi Berra:
Nobody goes there anymore. It's too crowded.
Vance was talking about SharePoint. To paraphrase one point: as SharePoint becomes the de facto content management system for an organization, its performance is impacted by data growth and increased usage. Vance also points out that firms like IDC and Gartner are predicting huge growth in the amount of data being stored by enterprises. And while storage costs have decreased (and may even be an enabler), data center space and management costs increase as data grows.

There's more in the article like the impact on search, legal fees, and HVAC costs but I'm sure you get the idea (and you could always go read the article yourself).

So, why do I bring this up? Lately I've been forced to think about the negative impact of data growth by the customers I'm speaking with about their unstructured data. Many are concerned with security, but operational concerns are also prevalent. Some ONLY care about the operational concerns. Since we have a scanner that can report on data and usage, it should also provide reports on unused content and disk utilization. Right? Well, I'm certainly not going to disagree with solving real-world business problems.

I find myself speaking two languages in the same product discussion: security and operations. And as data grows across SharePoint and File Systems, I expect to see more of the same. With audit as a third big driver, maybe I can coin an acronym here - SOA. It's never been used, has it?

BTW, We have a solution that's really good at scanning large scale unstructured data environments and performing endless analysis on the data to answer all sorts of questions. We're working with a few other vendors in the IAM/IAG space who see value in that capability and may have holes in their portfolios around unstructured data. So far, those partnerships have been driven mostly by security and audit. But since the customer organizations are also driven by operational concerns, we're also talking to storage platform vendors. If you have similar interest, let me know.

Tuesday, February 28

Rule-Based Log Correlation: An Alternative Approach

In an article at SYSCON Media, Gorka Sadowski writes about SIEM technologies and specifically about the complexity of event correlation.

Why Rule-Based Log Correlation Is Almost a Good Idea: The Future of SIEM

He points out that there are some challenges with static rule-based correlation. But, he calls it "the engine for the first generation of [SIEM]". That sounds about right. What scares me is that the future solutions to which Sadowski alludes look even more complicated. So, there may be a trade off to get the perceived increase in value.

I have an alternative solution that simplifies things for the SIEM. Over the past few years at NetVision, we've had a number of organizations interested in the NVMonitor solution (now called StealthINTERCEPT) because of its advanced filtering and from-the-source event collection. It doesn't rely on logs and enables a highly advanced ability to filter events as they happen eliminating the need for after-the-fact correlation.

For example, when looking at Active Directory Security Group events, you can return only changes to high-risk groups or changes to business-line groups that are not made by a specified subset of users (even if the person making the change is a domain administrator). These events are pre-filtered and sent to the SIEM only when appropriate. It can also block events, btw, and send the event to the SIEM as an "attempt" rather than an actual event. And of course, it has its own alerting and response mechanisms built in for real-time, contextual response.
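The two rules in that paragraph are small enough to show in code. What follows is an added example with constructed events; it is not StealthINTERCEPT and says nothing about how that product is built. It gates on the Windows Security event IDs for membership changes to security-enabled groups (4728/4729 global, 4732/4733 local, 4756/4757 universal), forwards any change to a high-risk group, marks two of those groups as ones a source-side collector would block and report as an attempt, and forwards changes to a business-line group only when the actor is not on that group's approved-changer list. The group names, the approved changers and the sample events are assumptions for the example; the field names mirror the real events' SubjectUserName (actor), TargetUserName (group) and MemberName (member DN).

```python
"""Source-side pre-filtering of Active Directory group-membership events.
Added example with constructed events; not StealthINTERCEPT code, just the
filtering idea from the post expressed as a few rules."""

# Windows Security event IDs for member added/removed on security-enabled
# groups: 4728/4729 global, 4732/4733 local, 4756/4757 universal.
GROUP_CHANGE_IDS = {4728, 4729, 4732, 4733, 4756, 4757}

# Groups where any change is worth forwarding, whoever made it.
HIGH_RISK_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Administrators", "Account Operators"}
# High-risk groups whose changes a source-side collector would also block;
# the SIEM then receives an "attempt" rather than an accomplished change.
LOCKED_GROUPS = {"Schema Admins", "Enterprise Admins"}
# Business-line groups mapped to the only accounts allowed to change them
# (an IdM service account, a named owner). Anyone else, Domain Admin or not,
# is reported. Names are assumptions for the example.
BUSINESS_GROUPS = {
    "Finance-RW": {"svc-idm", "jdoe"},
    "HR-Staff": {"svc-idm"},
}

def classify(event):
    """Decide what to do with one event.

    Returns None to drop it, or {"action": "forward"|"block", "reason": str}
    for events that should reach the SIEM."""
    if event["EventID"] not in GROUP_CHANGE_IDS:
        return None
    group = event["TargetUserName"]       # the group being changed
    actor = event["SubjectUserName"]      # who made the change
    member = event["MemberName"]          # who was added or removed
    if group in HIGH_RISK_GROUPS:
        action = "block" if group in LOCKED_GROUPS else "forward"
        return {"action": action,
                "reason": f"{actor} changed high-risk group {group} ({member})"}
    owners = BUSINESS_GROUPS.get(group)
    if owners is not None and actor not in owners:
        return {"action": "forward",
                "reason": f"{actor} is not an approved changer of {group} ({member})"}
    return None   # routine change or unmonitored group: keep it out of the SIEM

def filter_events(events):
    """Return (event, decision) pairs for the events worth forwarding."""
    out = []
    for event in events:
        decision = classify(event)
        if decision:
            out.append((event, decision))
    return out

# Constructed sample events. The last-but-one is a logon (4624) thrown in to
# show the event-ID gate; its fields are not meant to match a real 4624.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "tsmith", "TargetUserName": "Domain Admins",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=example"},
    {"EventID": 4732, "SubjectUserName": "svc-idm", "TargetUserName": "Finance-RW",
     "MemberName": "CN=carol,OU=Users,DC=corp,DC=example"},
    {"EventID": 4732, "SubjectUserName": "tsmith", "TargetUserName": "Finance-RW",
     "MemberName": "CN=tsmith,OU=Users,DC=corp,DC=example"},
    {"EventID": 4756, "SubjectUserName": "tsmith", "TargetUserName": "ProjectX",
     "MemberName": "CN=dave,OU=Users,DC=corp,DC=example"},
    {"EventID": 4624, "SubjectUserName": "tsmith", "TargetUserName": "tsmith",
     "MemberName": ""},
    {"EventID": 4756, "SubjectUserName": "tsmith", "TargetUserName": "Schema Admins",
     "MemberName": "CN=tsmith,OU=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for event, decision in filter_events(SAMPLE_EVENTS):
        print(event["EventID"], decision["action"], "-", decision["reason"])
```

Of the six constructed events, three reach the SIEM: the Domain Admins change, tsmith adding himself to Finance-RW (a domain admin, but not an approved changer of that group), and the Schema Admins change, which is flagged for blocking. The IdM service account's routine Finance-RW change and the unmonitored ProjectX change never leave the source, which is the point: the correlation rule lives where the event is generated, not in the SIEM's archive.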

Improved data collection on key source systems may be a better alternative to mathematical modeling over the event archive. Perhaps not in every case, but on core security infrastructure like Active Directory, where the rules are definable and today's challenge lies in the ability to implement them, it's not only better, it's here today and already proven in production environments.

Tuesday, February 14

Finding & Closing Open File Shares

My team has been working on an advanced workflow for finding and closing down open file shares. I think we've really nailed it. At a few customer environments, we've scanned thousands of servers, performed the analysis to discover and prioritize high-risk file shares, and have the complete workflow to tighten the controls and/or shut them down as appropriate. If you have a need in this area, shoot me a note. I'd love to walk through it with you and see if we can help.
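The discover-and-prioritize step of that workflow is worth showing. Below is an added example, not the STEALTHbits workflow, that takes a constructed export of share-level ACEs in the shape you would collect from each server (server, share, path, principal, access level, allow/deny), skips the administrative shares, flags shares where a principal that amounts to "every domain user" holds an Allow, cancels an Allow when the same principal has a Deny on the same share, and ranks the findings by how broad the principal is times how much access it has. The principal weights, the domain name CORP and the share list are assumptions for the example.

```python
"""Triage of file-share permission exports to find and rank open shares.
Added example with constructed records; not the STEALTHbits workflow."""

# Constructed export, one row per share-level ACE:
# (server, share, path, principal, access right, Allow|Deny).
EXPORT = [
    ("FS01", "Public",   "D:\\Public",   "Everyone",                "Full",   "Allow"),
    ("FS01", "Finance",  "D:\\Finance",  "Authenticated Users",     "Change", "Allow"),
    ("FS01", "Finance",  "D:\\Finance",  "CORP\\Finance-RW",        "Full",   "Allow"),
    ("FS01", "C$",       "C:\\",         "BUILTIN\\Administrators", "Full",   "Allow"),
    ("FS02", "Scans",    "E:\\Scans",    "CORP\\Domain Users",      "Change", "Allow"),
    ("FS02", "Scans",    "E:\\Scans",    "CORP\\Contractors",       "Full",   "Deny"),
    ("FS02", "Archive",  "E:\\Archive",  "Everyone",                "Read",   "Allow"),
    ("FS02", "Archive",  "E:\\Archive",  "Everyone",                "Read",   "Deny"),
    ("FS03", "Projects", "D:\\Projects", "CORP\\Proj-Team",         "Change", "Allow"),
]

# "Open" means a principal that is effectively every domain user. The weights
# are an assumption: Everyone (anonymous-capable) is worse than the others.
BROAD = {
    "Everyone": 3,
    "Authenticated Users": 2,
    "NT AUTHORITY\\Authenticated Users": 2,
    "CORP\\Domain Users": 2,
    "CORP\\Domain Computers": 1,
}
ACCESS = {"Read": 1, "Change": 2, "Full": 3}
ADMIN_SHARES = {"IPC$", "ADMIN$"}

def is_admin_share(name):
    """IPC$, ADMIN$ and the drive shares (C$, D$, ...) are not triage targets."""
    return name in ADMIN_SHARES or (len(name) == 2 and name.endswith("$"))

def open_shares(rows):
    """Return [(risk, server, share, principal, access), ...], riskiest first.

    A Deny for the same principal on the same share cancels the Allow. Share
    permissions are coarse (Read/Change/Full), so this is exact when the
    rights match and a conservative simplification when they do not."""
    denied = {(srv, shr, who) for srv, shr, _, who, _, kind in rows if kind == "Deny"}
    findings = []
    for srv, shr, path, who, access, kind in rows:
        if kind != "Allow" or is_admin_share(shr) or who not in BROAD:
            continue
        if (srv, shr, who) in denied:
            continue
        risk = BROAD[who] * ACCESS[access]
        findings.append((risk, srv, shr, who, access))
    return sorted(findings, reverse=True)

def remediation(finding):
    """Suggested next step for one finding, in the spirit of tighten-or-shut."""
    risk, srv, shr, who, access = finding
    unc = f"\\\\{srv}\\{shr}"
    if access == "Full":
        return f"{unc}: remove {who} Full; grant a named owner group Change at most"
    if access == "Change":
        return f"{unc}: replace {who} Change with a named read/write group"
    return f"{unc}: confirm {who} Read is intended; otherwise restrict to a named group"

if __name__ == "__main__":
    for finding in open_shares(EXPORT):
        print(finding[0], remediation(finding))
```

On the constructed export this yields three findings, with \\FS01\Public (Everyone, Full) at the top, and it correctly ignores C$ and the Archive share whose Everyone Read is cancelled by a Deny. The share-level view is only the first pass; a share that is open at the share level may still be locked down by NTFS, and the reverse, so the real prioritization should be re-run against effective rights before anything is shut down.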

Monday, February 13

Is the era of Identity Management behind us?

From a forthcoming paper I'm working on:
The era of identity management is behind us. It’s not that we don’t still need it, but there are plenty of mature solutions on the market to help organizations manage user accounts across systems. Over the past decade, we built the core technologies, added features and workflow, and built numerous useful solutions on top of the platforms. It has all led to this. We’re now in the age of Access Governance.
What do you think? Am I overstating it? The point is simple. We've done a pretty good job figuring out how to help organizations centrally manage user accounts. The question has now shifted to management and audit of rights across the enterprise. It goes beyond the typical Identity Management sandbox. It's not just user accounts in various repositories. It's unstructured data. It's evaluating security policies in addition to share and folder permissions to figure out true file system effective rights. Or where user accounts are being used to run Windows services. Or where they have GPOs applied to them. This is the new frontier.

More to come.

Sunday, January 22

Access Governance Continuum

I've been pretty focused recently on Access Governance and specifically how large organizations can get their arms around the problem of access as it relates to unstructured data (mostly file systems and SharePoint). Most of the people I speak to who have responsibility for answering the related tough questions are simply overwhelmed by the sheer size and complexity of the challenge.

It led me to consider that there are a different set of tasks I'd recommend to those people than I might to someone who has a somewhat more mature access governance program. So, I started documenting an Access Governance Continuum; a maturity model of sorts that discusses how to tell where you stand and what the ideal next steps might be. A whitepaper is in the works, but essentially it looks something like this:

Confused > Planning > Cleaning > Maintaining

To illustrate a few examples:

In the Confused stage, you might want to run scans to identify open file shares. In the Planning stage, you'd be identifying data owners / custodians for those shares. In the Cleaning stage, you'd be working to clean up trouble spots and diving deeper based on what you've found. And in the Maintaining stage, you'd be automating some of the cleanup based on business rules.

This is all based on real-world projects, what has worked for the world's largest organizations, and how that knowledge translates to a mid-market need for pragmatic solutions.

...more to come.