
Securing B2C Mobile Applications

Introduction:

Last month, I met with some major telecom companies, and during these meetings the business and security leaders discussed the challenges they face in their B2C mobility initiatives. The concerns were around launching mobile applications for the various mobile operating systems and platforms, choosing the right communication channels and, of course, security.

The architecture of a B2C mobile app involves mobile client apps, middleware applications and external integration services, which makes it complex. This is true for any company wanting to provide a mobile application to its consumers, not just telecom companies.

Key Security Risks

A B2C mobile app has four major risk categories – mobile client app risks, middleware application risks, mobile application interface risks and lost/stolen device risks. Below are some major security risks for mobile applications:

    • Mobile Client App Security Risks
      1. A malicious user can reverse engineer an improperly signed application to extract sensitive information.
      2. A weak cryptographic implementation for critical data kept in the device’s local storage can lead to fraudulent transactions.
    • Middleware Application Security Risks
      1. In middleware applications where web services – HTTP, SOAP, REST – are used, an adversary may attempt to intercept request/response messages.
      2. Insecure network communication channels may lead to tampering with middleware/interface parameters and/or database compromise.
    • Mobile Application Interface Risks
      1. Mobile applications connect to backend and database servers through various interfaces. Insecure interfaces may lead to data tampering, denial of service and message replay attacks.
      2. Improper data validation may lead to SQL injection and cross-site scripting attacks.
    • Lost/Stolen Device Risks
      1. If a device is lost or stolen, an unauthorized user may misuse the data on the device.

Securing the B2C Mobile Application

To secure a mobility initiative, organizations should focus on the security of the entire ecosystem, including:

  • Mobile client and server applications,
  • Middleware applications, its interfaces, web services,
  • Communication channels and
  • Local device data storage.

Securing only one or two components will not secure the entire chain, since a chain is only as strong as its weakest link.

Top 10 suggestions to secure your B2C mobile application:

  1. Validate all trusted (local or server data storage) and untrusted (e.g., user input containing special characters) inputs in the mobile client application
  2. Encrypt request and response messages
  3. Use secure web services
  4. Use appropriate security controls for firmware and middleware applications
  5. Encrypt data storage on local handheld devices
  6. Employ a strong authentication mechanism
  7. Release properly signed mobile apps
  8. Configure remote data wipe to prevent unauthorized access
  9. Implement session management
  10. Restrict access to the integration services and their configurations

Happy mobilizing!

Author

Mr. Suhas Desai,
Sr. Consultant – Mobile Security Practice
Aujas Risk Management Services

Identity and Access Management: Before and After Scenario

Scenario 1: Reduction in Access Management Related Helpdesk Calls

Introduction:

While Identity and Access Management (IAM) projects can solve multiple problems, they can also become complex and time consuming. Most organizations struggle with the question, “To deploy or not to deploy?” Is there an ROI? Are there real benefits at the end of the tunnel? These are typical questions most CIOs ask.

Aujas has implemented large IAM projects for clients across industry verticals. In a series of articles, we plan to discuss what benefits a client can expect realistically. We will provide the “Before and After” view by discussing scenarios prior to IAM implementation and scenarios post implementation.

In this first article of the series, we are going to cover the aspect of Helpdesk calls related to access management.

Client Background:

The client is a country arm of a global financial services company with a large user base of over 10,000 and growing. The user base includes internal users, external users and contractors. Additionally, the organization works with more than 50,000 agents. The business operations are supported by over 30 business critical applications that are built on diverse and heterogeneous technology platforms, and managed by different business teams.

Before IAM:

One key problem the client had was managing user identities across enterprise applications. While there were support teams for each application, there was no universal, common procedure for users to request application access.

Although the process for requesting access was defined, the implementation lacked user ID standardization, strong password policies, an escalation matrix, and audit and compliance reports, to name a few.

Users had to remember multiple sets of user IDs and passwords to log in to applications. Because of this, there was a huge backlog of helpdesk calls for password resets, account unlocks and similar requests.

The Solution:

Aujas successfully implemented a leading IAM suite to address the client requirements. The solution included:

  • User Provisioning System: To streamline the business processes by defining a centralized control to manage identity records. The processes to provision access to business applications were refined to leverage the automated system. Access provisioning was aligned with roles, and a self-service interface was set up to allow users to request application access and their approvers to grant or reject the request.
  • Access Management System: A comprehensive access management system comprising web access management and enterprise Single Sign-On (SSO) was set up. The access management system provided a unified and dynamic portal for users to see and access their currently approved applications. This system allowed users to access web, thick client and terminal based applications easily and safely, without the hassle of remembering different passwords and policies, thereby drastically enhancing the user experience.

After IAM:

Even though the client saw many positive improvements, the biggest benefits were seen in the following two categories:

  • Productivity Increase: The key factor in the productivity increase was the reduction in turnaround time for access provisioning. The turnaround time fell from an average of 4 days to less than 15 minutes – a 99% decline.

    This led to an enormous productivity improvement for the client. With the user base growing at an average of 30% (3000 employees), the 4 days saved per employee in access provisioning led to a tremendous increase in productivity: the client saved over 12,000 man-days of effort annually.

  • Cost savings: User account management related helpdesk calls fell from 5500 per month to 500 per month (a 90% reduction). On average, a helpdesk call costs $10. Hence, the solution saved $50,000 per month ($600,000 per annum).

    Additionally, the solution recovered lost productivity. Earlier, the helpdesk received 100 account lockout tickets per day with an average turnaround time of 4 hours. The new solution allowed the client to eliminate almost all account lockout situations (a 90% reduction). In total, around 13,000 man-days that would otherwise have been wasted were saved.

  Parameter                               | Before IAM                                   | After IAM                                                   | Time saved per annum
  ----------------------------------------|----------------------------------------------|-------------------------------------------------------------|---------------------
  Turnaround time for access provisioning | 4 days                                       | < 15 minutes                                                | 12,000 man-days
  Account lockouts and password resets    | 4 to 5 hours; 100+ account lockouts per day; | Couple of minutes; almost zero account lockouts per month;  | 13,000 man-days
                                          | heavy involvement of a helpdesk team         | users can reset and reclaim their access using self service |

Conclusion:

There are definite benefits to automating your access provisioning system. The primary benefits are productivity increases and cost savings, and these are only a few of them. We will cover other benefits like security, risk management and other productivity improvements as we go along in this series.

Author(s):

Mohit Vaish
Practice Head – IAM
Aujas Risk Management Services

Ms. Amitha Raju
Consultant – IAM Practice

The Smooth Sailing Fallacy – CEO’s Watch-Out – Your ERP may be Insecure!

An interesting and thought provoking observation was made by Richard Rumelt in McKinsey Quarterly. He says “There’s been a dramatic failure in management governance. And so our basic doctrines of how we manage things are in question and need revision.” At the heart of this failure is what I call the “smooth sailing” fallacy.

Here is what Rumelt says, “Back in the 1930s, the Graf Zeppelin and the Hindenburg were the largest aircraft that had ever flown. The Hindenburg was as big as the Titanic. Together these vehicles had made 620-odd successful flights when one evening the Hindenburg suddenly burst into flames and fell to the ground in New Jersey. That was May 1937.

Years ago, I had a chance to chat with a guy who had actually flown over Europe in the Hindenburg. He had this wistful memory of it being a wonderful ride. He said, “It seemed so safe. It was smooth, not like the bumpy rides you get in airplanes today.” Well, the ride in the Hindenburg was smooth, until it exploded.

The risk that passengers took wasn’t related to the bumps in the ride or to its smoothness. If you had a modern econometrician on board, no matter how hard he studied those bumps and wiggles in the ride, he wouldn’t have been able to predict the disaster. The fallacy is the idea that you can predict disaster by looking at the bumps and wiggles in current results.”

To see the disaster coming, you had to have looked beyond the data about flight bumpiness—beyond the professionalism of the staff—and really think, “Does it make any sense to have people riding in a gondola, strapped to a giant sack of flammable hydrogen gas?” There’s just not a data series that lets you think about that. The history of bumps and wiggles—and of GDP and prices—didn’t predict economic disaster. That is the fallacy most people fall into when they talk about security, tail risk or Black Swan events.

If we apply this logic to ERP, I find that many ERP customers suffer from the smooth sailing fallacy:

  • “Well – we implemented SAP 10 years back, IBM is managing the support and we have no problems!”
  • “Our security incidents are insignificant.”
  • “Oh we have installed SAP GRC solutions but no one uses them! And so we are secure!”

This smooth-sailing fallacy in security arises when we mistake a measure for reality. Mature managers always look deeper than the numbers, deeper than the current measures. Others just focus on the metrics that are based on past reality. That’s how we get into trouble.

This lesson is fundamental: you cannot manage by just looking at the results. You have to take a big-picture view of security that keeps pace with the constant changes in security issues, technology, protocols and metrics. That means a security policy that is 3 years old is useless, and you effectively have no security in place. CEOs and CFOs will use the smooth sailing argument – Hey! We never had a security issue in the past 2 years, so why worry now?

You have to show them what Rumelt said about the Hindenburg! A small design flaw can blow them out of business, since the ERP system is the business backbone in many companies.

So it is important to focus on three things:

  1. Critically question your IT systems and their security design – are they relevant? Are they bullet proof and future proof? Is there a hidden flaw?
  2. Hope is not a strategy! So create a Security Team to redesign the IT Security Framework based on a thorough annual Risk Assessment (mere adherence to ISO 27001 or ITIL will not do!). Use professional help if needed.
  3. Execute your plans in a phased manner – first time right. Do not try to boil the ocean. Keep this as a continuous improvement process.

Author:
Dr. Jagan Nathan Vaman PhD CGEIT CISA
Chief Consulting Officer
Aujas Risk Management Services

High Performance SAP Security – Guard Your Business, Not Just Your SAP ERP

Businesses are now inseparable from their IT systems, computers, networks and data; companies are their ERP, which in turn enables most of their business processes. Accordingly, risk management, security and compliance are increasingly viewed as board level concerns.

Maintaining awareness of potential security incidents all the time, every day, is difficult, and knowing how to react to incidents is more difficult still. Your company needs to be ‘right’ all the time, but intruders only need to be ‘right’ once. Imagine the theft of IP, designs, customer data or financial data from your SAP system! It can lead to both a loss of reputation and a loss of business.

Companies that run SAP ERP and their security teams should understand how vulnerable their SAP system is! Here are some facts that might shake you:

  1. In a typical SAP environment, data transferred between a client and the server is unencrypted, e.g. any communication with the SAP server from a desktop, mobile device, client app or portal transmits unencrypted data! This high-risk area, “client to server unencrypted communication”, makes your entire SAP system highly vulnerable.
  2. To fix this gap, SAP recently introduced the “SNC Encryption module” in October 2011 as a free release for SAP clients. Through this small upgrade you can quickly fix one of the most vulnerable areas of your SAP system. The point to note here is that this unencrypted communication vulnerability has existed for a long time in your SAP system, and even now you are vulnerable without this fix.

SAP made two recent acquisitions to provide a secure SAP system:

  1. SAP acquired the MaxWare Identity Management solution in 2006. This is incorporated as the SAP NetWeaver Identity Management solution and sold under a licensing model.
  2. SAP acquired the software assets of SECUDE (a Swiss SAP information security company) in March 2011. With this acquisition came Single Sign-On (Secure Login), ESSO – Enterprise SSO and SNC Encryption.

There is a lot of catching up to do to be compliant with these security solutions and ensure a secure SAP environment. To bring you up to date on SAP security and improve your SAP security posture, you need a roadmap.

The roadmap should broadly focus on a combination of business focus, scenario analysis and SAP security tools. The combined knowledge of your security experts and purpose-driven SAP security assessments provides you with a world-class SAP security service at a low cost.

The High Performance SAP Security roadmap is developed with a three-phased approach:

1. Assessment – This phase is designed to understand the ‘as-is’ risk profile of your organization, and how it fits with the business requirements of your enterprise. Based on this assessment you should tailor SAP Security design and controls to monitor and protect key business assets as well as the enabling IT of your enterprise.

2. Implementation – Deployment of control processes and tools to put the right monitoring capability in place, and building of the right rule-sets to prioritize and escalate events in line with business priorities.

3. Ongoing Management – An SAP security process that works on intelligent escalation as required and continuous improvement of your risk management and security posture with a managed SAP Security service. A Security Management Portal should be built so that your company can drill down into the status of threats and the remediation actions underway.

The benefits of high performance SAP Security include:

  • Business-focused security delivery model: guard your business, not just your SAP ERP
  • Improved security efficiency as a result of wider SAP Security situational awareness and Business asset aligned prioritization
  • SAP Security and compliance tools, dashboards that provide you with a view of your security posture and results of security improvement programs
  • Improved manageability and reduction in security operating costs
  • Reduced security ‘distraction factor’ so that you can focus on your core business objectives.

Author:
Dr. Jagan Nathan Vaman PhD CGEIT CISA
Chief Consulting Officer
Aujas Risk Management Services

Aujas signs with Palamida to offer Intellectual Property and Security compliance services

Software products today are the result of reusing code from many sources, especially open source software. It is a good strategy if you go by the principle “Why build when you can reuse?” There are definite benefits, including faster time to market and lower costs. The only hitch is that open source software comes with its own legal requirements, security issues and intellectual property content.

So it becomes mandatory to have a framework in place to ensure that the security and legal status of the resulting applications are managed well. We are seeing increased demand from our clients to help them understand the content of their software projects, given that for a lot of applications more than 50% of the code is open source or third-party code.

We are pleased to announce a partnership with Palamida, a leader in application security for open source software headquartered in San Francisco. The partnership will help Aujas deliver solutions that assist clients in managing the intellectual property content of their software products. Aujas will enhance our Secure Development Lifecycle (SDL) services with software composition analysis services, which will help to quickly identify and track undocumented code, associated security vulnerabilities, and intellectual property and compliance issues, enabling organizations to cost-effectively manage and secure mission critical applications and products.

Software security is one of the biggest risks in the industry today, and while the industry is definitely taking steps to address this issue, it is still too little given the scale of the problem. We are exploring innovative ways to address these risks and help clients tackle this issue effectively with our SDL services. Our partnership with Palamida is one more step in this direction.

Aujas wins NASSCOM EMERGE 50 2011 award and also Deloitte Technology Fast 50 India 2011 award

Last week was a good week. First we got the news that Aujas has won the Deloitte Technology Fast 50 India 2011 award. And just as we were about to start the celebrations, we got the news that we are also a NASSCOM EMERGE 50 2011 winner. What better way to begin the new quarter?

The Technology Fast 50 is a global program run by Deloitte, one of the Big 4 and a leading professional services firm. It is a pre-eminent technology awards program which ranks India’s 50 fastest-growing technology companies based on percentage revenue growth over three years. Deloitte has been running this program for the last 7 years and previous winners include Fastpipe, iCreate, 3i Infotech and others. This is the first year Aujas participated in the program.

The EMERGE 50 is a program by NASSCOM to celebrate the spirit of entrepreneurship in emerging businesses and showcase success at the early growth stage. The objective of NASSCOM EMERGE 50 is to recognize, celebrate, mentor, and offer crucial growth assistance to the next batch of 50 emerging companies. This is the second consecutive year that we are part of EMERGE 50.

As Gerard Ekedal said, “Recognition is the greatest motivator.” It is true for people, it is true for employees and it is true for companies as well. The awards are a recognition of all the hard work that everyone at Aujas has put into building a great company. It motivates all of us at Aujas to try harder and do more as we help our clients “Manage Information Risk and Enhance Value”.

Any significant achievement is only possible when everyone involved contributes significantly to the cause. A big thank you to all of the wonderful team at Aujas who have worked so hard to get us here, as well as our supportive Board and investors IDG Ventures India. Working with the team over these last few years through challenging times and creating an entity with 120 people, 150 customers in 15 countries has been a great journey and a life affirming experience about focus, commitment and humility.

We would also like to thank all our clients who have partnered with us in this journey and have guided, supported and helped us. As mentioned earlier, it only motivates us to do more for you and stretch the extra mile.

The awards are a good encouragement on this long journey, but it is still a long road ahead. As a wise man once said, “Success is a journey and not a destination.”

Outlook for Mobile payment adoption in India is Bright, but Security is still a big concern

Last month, I spoke at the Mobile Payment India 2011 – 3rd International Conference held at Taj Lands End, Mumbai. The conference was attended by nearly 200 attendees including mobile payment service providers, Banks, Telecom companies and regulators.

The primary focus was on the roadmap for M-Payment services roll-out for the huge consumer base in India. Leading payment service providers and banks came together to showcase their concrete and innovative mobile payment solutions.

In the panel discussions on ‘Future of M-Payment in India and Service Providers’ Perspective’, lots of new ideas and perceptions were shared by leaders from Aadhaar, MTNL, Bharti Airtel, Reliance Communications and Axis Bank. There were interesting discussions on exciting mobile payment success stories and growth prospects in the Indian market.

One of the key concerns was the standardization of mobile payment policies, deployments and revenue models for service providers and banks, which are critical to making M-payment services a success. The second key concern was about security issues and risks in the mobile payments ecosystem.

Everyone agreed on the security risks involved in this ecosystem, but there were not many sessions on how to mitigate them. Surprisingly, the only one who spoke about mobile security risks and mitigation was me.

My session was on “Mitigating Security Risks in Mobile Payment Applications”. It covered the major security risks in mobile payment communication channels and payment application design flaws. The session focused on the trends in security risks and challenges and the best practices to mitigate them.

The outlook for mobile payment in India seems bright, as long as companies take care of security. Secure mobile payment applications will be the main feature that attracts and builds trust among the larger mobile payments customer base.

Amazon EC2 Failures Are a Wakeup Call for Cloud Customers

Early in the morning of April 21, Amazon’s EC2 data center in Virginia crashed, bringing down with it several popular websites, small businesses and social networking providers.

The strange fact is that the outage still does not breach the 99.55% availability defined in the SLA (Service Level Agreement). Let us put aside the other aspects and focus on Cloud services and the new generation of programmers and businesses who use these services. Though the SLA leads to quite an interesting debate, we will leave that to the legal experts.

More often than not, when we discuss building applications in the Cloud, the basic assumption is that of 24×7 service availability. While Cloud service providers strive to live up to this expectation, the onus of designing a system resilient to failures is on the application architects. On the other hand, SLA driven approaches are very reactive in nature. In a pure sense, SLAs are just a means of trust between the user and the service provider. The fact is that SLAs can never repay losses. It is up to the Architect and the CIO to build systems that tolerate such risks (Cloud system failures, connectivity failures, SLAs, etc.).

With Cloud infrastructure, we end up building traditional systems that are tightly coupled and hosted without taking advantage of the availability features. These shortcomings may be part and parcel of the software world, where functionality takes precedence over all other aspects, but such tolerance cannot be expected in the Cloud paradigm. A failure on the part of the Cloud service provider will bring down the business, and getting the data back becomes a nightmare when all the affected businesses are trying to do the same.

Accommodating and managing these factors are business risks which need to be identified. Businesses that do not envision these risks are sure to suffer large-scale losses. The truth is that building such resilient systems is not a very complex task. The basic software principles have remained the same whether systems are built for the Cloud or for enterprise-owned hardware. Mitigating as many risks as possible requires that several basic design and business decisions be made – while considering the software provider – such as:

  • Loosely couple the application
  • Make sure the application follows “Separation of Concerns”
  • Distribute the applications
  • Backup application & user data
  • Setup DR sites with a different Cloud service provider

These decisions require software that follows these basic designs and business managers who identify various service providers to mitigate such risks. The Cloud will force business managers to realize that availability should not and cannot be taken for granted.

These failures will not stop the adoption of the Cloud but will make customers aware of the potential risks and mitigation plans. A Cloud failure will have a serious impact on the CTO/CIO and the operations head. In a non-Cloud model, a CIO’s role has been noted as very limited, and the CIO’s interaction with the CTO in everyday business is much less. These two executives need to work more closely to protect the business and reduce risk.

The best practices for the Cloud application builders are:

  • Build Cloud applications, not applications in the Cloud
  • Design fault tolerant systems, wherein nothing fails
  • Design for scalability
  • Loosely couple application stacks (IOC)
  • Design for dynamism
  • Design distributed
  • Build security into every component

These best practices are necessary for all architects who build Cloud applications. Do not simply port a traditional application to the Cloud: the two are architecturally different, and a ported application will not take advantage of the underlying services and, most often, will result in failure.

Remember “Everything fails, all the time.” It is time to think and manage risks and not let the SLA stare at you when you are losing business. Be proactive; build Cloud-friendly applications.

The new world on Cloud looks more promising than ever. However, failures can make us realize that functionality without proper foundation and thought process can have serious repercussions. It is essential for every business to review their risks and redefine their new perimeter in the Cloud.

Phishers Target Social Media, Are you the Victim?

Social Media has been the buzz word recently. While I am writing this post, there are more than 500 million active users accessing Facebook, and 50% of active users log on to Facebook at least once a day from their office, home, coffee shop, school, or while on the move. Today most organizations have an active presence on LinkedIn, Facebook or Twitter. Social Media has emerged as an effective marketing tool to engage with a mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research Inc, said, “Social media isn’t a choice anymore – it’s a business transformation tool”.

The advent of new means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using Social Media as a prominent way to extract vital information from users. They also make use of social-networking-specific malware for financial gain. Messages or web links coming from immediate connections on Facebook or Twitter make users believe that they are genuine and that there is nothing wrong with clicking them. Scammers leverage this fact and exploit human traits like greed, trust, fear and curiosity to conduct a wide variety of phishing attacks. As per the latest Anti-Phishing Q2 2010 Report, there is a definite rise in social networking phishing attacks. As the statistics illustrate, these attacks accounted for nearly 3 percent of reported attacks in Q2, up from almost negligible in Q1 of 2010.

Any currently hyped political situation, news story, video or mishap is good enough to make the user click on the link and be redirected to the desired (malicious) website. The message is crafted to pull at your curiosity, or it is made strong enough to create sympathy towards people affected by a tragedy. It is very unlikely that you have not seen these kinds of messages on your wall or Twitter box:

“Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD”

“They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation”

“Hey, I am your old college mate! Just joined your company, Why not reconnect? – http://biz.ty/23424”

“I bumped into some of your old friends the other day; they wanted me to send you this – http://facebooklink”

The above websites could be asking for your net-banking credentials for a donation to affected people, sensitive information about your organization or any other personal information which is valuable to scammers. By clicking on such a link, malware / a virus gets downloaded onto your system and the system is compromised. Many times, scammers target one social networking user account, compromise it using a script, and the same script then propagates to his / her friends’ accounts. These are better known as self-replicating malware, which makes use of application vulnerabilities like unvalidated redirects, clickjacking and cross-site request forgery to spread across multiple user accounts. For mobile users it is even worse, as it is not easy to verify the authenticity of URLs.

I am sure you will agree that it is not easy to stop the usage of social media completely, even though there are definite risks involved. Organizations need to look beyond traditional technology controls, as continuous education and awareness are the only real defence against phishing attacks.

An organization can take the following steps to fight phishing attacks:

  1. Establish a social media strategy. Clearly document and enforce what is and is not allowed to be discussed and disclosed on social networking sites.
  2. Conduct social media awareness programs which cover the rewards and risks of social media. They should also cover how to identify phishing websites and differentiate between an original and a fraudulent website.

As an employee, following best practices can be adopted to evade becoming prey of phishing attacks

  1. Never click on a link or a bookmark that is associated with financial transactions or that asks for any sensitive information; instead, make it a practice to always type the URL manually into the address bar.
  2. Do not click on links that ask you to download ActiveX components or other software onto your system, as they could be Trojans / malware that later become the control center for remotely controlling your system and other systems inside the network.
  3. Ensure that the site is authentic and uses a secure layer (https) before providing any sensitive information about yourself or your organization.
  4. Report suspected links to the internal security team as well as to the particular social networking site, so that they can work with the hosting provider to bring down the phishing website.
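As an added example that is not part of the original post, the following Python script applies the checks from the list above to the links found in a message, from the defender's side: it flags links that are not https, hostnames that embed a trusted name inside some other domain, punycode or raw-IP hosts, and otherwise trusted links that carry a redirect parameter pointing elsewhere. The sample message, the trusted-domain list and the redirect parameter names are constructed assumptions for the demo.

```python
"""Added example (not from the original post): triage the links in a social
media message the way the employee best-practice list suggests.
The message, trusted domains and redirect parameter names are constructed."""
import re
from urllib.parse import urlparse, parse_qs

# Constructed: the domains the organization actually uses (assumption).
TRUSTED_DOMAINS = {"bank.example", "intranet.example"}

# Constructed: query parameters commonly used to forward a visitor elsewhere;
# a link to a trusted site that carries one still deserves a second look.
REDIRECT_PARAMS = {"url", "redirect", "next", "return", "goto"}

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL that appears in a message body."""
    return URL_RE.findall(text)


def triage_url(url, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link deserves suspicion (empty list = none found).

    This is heuristic triage, not proof of legitimacy: a link with no findings
    should still be typed manually rather than clicked, as item 1 above says.
    """
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if parsed.scheme.lower() != "https":
        reasons.append("not https")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode hostname (possible look-alike)")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a name")

    # A trusted name buried inside a longer, untrusted hostname
    # (bank.example.something.test) is a classic look-alike trick.
    in_trusted = host in trusted or any(host.endswith("." + t) for t in trusted)
    if not in_trusted and any(t in host for t in trusted):
        reasons.append("trusted name used as a subdomain of another host")
    elif not in_trusted:
        reasons.append("host not on the trusted list")

    # Redirect parameters that point at a full URL forward the visitor away
    # from the site that the link appears to belong to.
    query = parse_qs(parsed.query)
    for param in sorted(REDIRECT_PARAMS & set(query)):
        for target in query[param]:
            if target.lower().startswith(("http://", "https://")):
                reasons.append(f"redirect parameter '{param}' points to {target}")
    return reasons


def triage_message(text):
    """Map each URL in a message to its list of suspicion reasons."""
    return {u: triage_url(u) for u in extract_urls(text)}


# Constructed sample message, the kind of post the text above describes.
SAMPLE_MESSAGE = (
    "Help flood victims! Donate at http://bank.example.donate-now.test/login "
    "or log in via https://xn--bnk-2ra.example/ . Official page: "
    "https://bank.example/campaign?next=http://collector.test/donate"
)

if __name__ == "__main__":
    for url, reasons in triage_message(SAMPLE_MESSAGE).items():
        print(url, "->", reasons or ["no findings"])
```

Run as a script it prints one line per link with its findings; in a mail or chat gateway the same `triage_message` result would feed a warning banner or the report in item 4 rather than a print.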

Both the organization and its employees have to play their part in fighting phishing risks over social media.

Curbing Access Risk: Role Based Access Governance

Access risk has until now been viewed as an intrinsic risk that organizations could do little to prevent, but my recent findings made me realize that there is more to it than meets the eye. Access risk is defined as "risks related to unauthorized or inappropriate access". The Verizon Business 2010 research report reveals the importance of curbing insider access risks and highlights that the percentage of breaches that involved insiders increased 26% over the previous year (48%).

While access risk continues to be a challenge, organizations can curb it by taking a few preventive measures, as suggested by many industry experts.

  • Policy Enforcement: Can a person deliberately perform a dreadful act if she/he has just the right access? Excerpt from Wikipedia: "With the concept of Segregation of Duties, business critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function". This gives me confidence that the chances of a single person being a threat go down drastically if the access policy is defined and enforced properly.

  • Certification: Let us assume that, at one point in time, every person in the organization has just the right access to the resources needed to perform their work; can this status be maintained in the current business scenario, where delegation of tasks is a day-to-day phenomenon? Probably not, because managing changes in user access across the organization, such as granting entitlements, revoking access and setting permissions for a new role, is complicated for many organizations. Periodic review of entitlements not only provides insight into who has what access, but also helps fine-tune the access policy. The policy is tuned so that fewer exceptions occur in the system in future.

  • Role Lifecycle Management: In large organizations entitlements can run into tens of thousands, and quarterly or biannual certification of entitlements could give managers nightmares. The number of roles in an organization is much smaller than the number of entitlements, so defining roles and clubbing entitlements into business roles makes more sense. Certifying roles rather than entitlements is less time-consuming.

  • Violation Report: Having a dashboard with application-specific reports, such as orphan accounts in a system and roles violating separation of duties, will empower application owners to view and remediate policy violations.
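The Policy Enforcement and Violation Report bullets above, as an added Python example that is not from the original post: the four duty types named in the Wikipedia excerpt are mapped onto entitlements, and the checks report users (and badly designed roles) that combine more than one duty type, plus application accounts with no owner in the directory. The users, roles, entitlements and account lists are all constructed.

```python
"""Added example (not from the original post): segregation-of-duties and
orphan-account checks over entitlement data. The four duty types follow the
Wikipedia excerpt quoted above; all users, roles and accounts are constructed."""

# Constructed: which of the four duty types each entitlement belongs to.
# "In a perfect system, no one person should handle more than one type."
ENTITLEMENT_FUNCTION = {
    "erp.approve_payment": "authorization",
    "erp.release_payment": "custody",
    "erp.post_journal": "record keeping",
    "erp.reconcile_bank": "reconciliation",
    "erp.view_reports": None,  # read-only, belongs to no duty type
}

# Constructed: roles bundle entitlements; users are assigned roles.
ROLES = {
    "ap_clerk": {"erp.post_journal", "erp.view_reports"},
    "ap_approver": {"erp.approve_payment", "erp.view_reports"},
    "treasury": {"erp.release_payment"},
    "controller": {"erp.reconcile_bank", "erp.view_reports"},
    # Badly designed role: two duty types in one bundle (held by nobody here).
    "finance_all": {"erp.approve_payment", "erp.reconcile_bank"},
}

USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver", "treasury"},  # approves and releases payments
    "carol": {"controller"},
}

# Constructed: accounts as pulled from the ERP application itself.
ERP_ACCOUNTS = {"alice", "bob", "carol", "svc_batch", "dave"}
# Constructed: the central directory says who is currently employed.
DIRECTORY_USERS = {"alice", "bob", "carol"}
# Constructed: service accounts that are known and owned, so not orphans.
KNOWN_SERVICE_ACCOUNTS = {"svc_batch"}


def effective_entitlements(user):
    """Union of the entitlements granted through all of a user's roles."""
    ents = set()
    for role in USER_ROLES.get(user, ()):
        ents |= ROLES[role]
    return ents


def duty_types(entitlements):
    """Duty types touched by a set of entitlements (read-only items ignored)."""
    return {t for t in (ENTITLEMENT_FUNCTION.get(e) for e in entitlements) if t}


def sod_violations():
    """Users whose combined roles span more than one duty type."""
    out = {}
    for user in USER_ROLES:
        types = duty_types(effective_entitlements(user))
        if len(types) > 1:
            out[user] = sorted(types)
    return out


def role_violations():
    """Roles that by themselves combine duty types: every holder of such a
    role is automatically in violation, so the role definition is the fix."""
    return {r: sorted(duty_types(e)) for r, e in ROLES.items()
            if len(duty_types(e)) > 1}


def orphan_accounts():
    """Application accounts with no owner in the directory that are not a
    registered service account: the 'orphan account' line of the dashboard."""
    return sorted(ERP_ACCOUNTS - DIRECTORY_USERS - KNOWN_SERVICE_ACCOUNTS)


def violation_report():
    """Content of the application-owner dashboard, as a plain dict."""
    return {
        "sod_users": sod_violations(),
        "sod_roles": role_violations(),
        "orphan_accounts": orphan_accounts(),
    }


if __name__ == "__main__":
    for section, findings in violation_report().items():
        print(section, "->", findings)
```

The user-level check works on effective entitlements, not on role names, so a violation that only appears when two individually clean roles are combined (bob) is caught; the role-level check catches the opposite case, a single role that is wrong by design.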


To counter access risk, organizations need to reassess their processes for assigning system resources and privileges to users, and adopt a complementary solution that addresses the end-to-end access certification process across the organization.

An Access Governance Platform has emerged as a solution that covers the above-mentioned preventive measures. With an Access Governance Platform, organizations can tackle access risk more efficiently through a process that automates manual tasks and enforces responsibility. The platform provides auditable evidence of compliance and creates an effective process for access delivery across the organization.

An access governance platform collects data from various sources, such as a central directory server, the identity and access management system, applications, files and folders, etc. The collected raw data is transformed through aggregation and correlation to make it concise.

The diagram below shows the data and processes in an access governance platform.

An access governance platform provides dashboards for various categories of users (user, supervisor, admin, auditor, etc.) and an interface to perform certification, send reminders, change the certification plan, define policy, raise requests for access/resources, and take action on policy violations. In a nutshell, an access governance platform:

  • Automates the validation of user entitlements and roles, certification, monitoring, reporting and remediation

  • Gives enterprise-wide insight into user access and determines if the access is appropriate and compliant with policies

  • Facilitates complete lifecycle management for roles: creation (using bottom-up role mining), validation and enhancement.

  • Allows automation of managing access requests and changes
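As an added example that is not part of the original post, here is the collect, aggregate and correlate step together with the bottom-up role mining mentioned in the list above, in Python: two constructed application extracts are tied back to people through directory attributes, people with identical entitlement sets and entitlements common to a whole department become candidate roles, and whatever remains per person is the exception list a certification campaign would concentrate on. The directory attributes, the account naming conventions and the `min_users` threshold are assumptions.

```python
"""Added example (not from the original post): aggregate and correlate raw
entitlement extracts, then mine candidate roles bottom-up. The directory,
the two application extracts and the thresholds are constructed."""
from collections import defaultdict

# Constructed directory extract: person id -> attributes, including the
# per-application account names that let raw rows be correlated to a person.
DIRECTORY = {
    "p001": {"name": "Alice", "dept": "finance", "erp_login": "alice", "crm_mail": "alice@corp.test"},
    "p002": {"name": "Bob", "dept": "finance", "erp_login": "bob", "crm_mail": "bob@corp.test"},
    "p003": {"name": "Carol", "dept": "finance", "erp_login": "carol", "crm_mail": "carol@corp.test"},
    "p004": {"name": "Dave", "dept": "sales", "erp_login": "dave", "crm_mail": "dave@corp.test"},
    "p005": {"name": "Erin", "dept": "sales", "erp_login": "erin", "crm_mail": "erin@corp.test"},
}

# Constructed raw extracts, each in its application's own account format.
ERP_EXTRACT = [  # (login, entitlement)
    ("alice", "erp.post_journal"), ("alice", "erp.view_reports"),
    ("bob", "erp.post_journal"), ("bob", "erp.view_reports"),
    ("carol", "erp.post_journal"), ("carol", "erp.view_reports"),
    ("carol", "erp.approve_payment"),
    ("dave", "erp.view_reports"),
    ("ghost", "erp.view_reports"),  # no directory owner: cannot be correlated
]
CRM_EXTRACT = [  # (mail address, entitlement)
    ("dave@corp.test", "crm.edit_leads"), ("dave@corp.test", "crm.view_pipeline"),
    ("erin@corp.test", "crm.edit_leads"), ("erin@corp.test", "crm.view_pipeline"),
    ("carol@corp.test", "crm.view_pipeline"),
]


def correlate():
    """Aggregate raw rows from every source into one entitlement set per person.

    Returns (entitlements_by_person, uncorrelated); uncorrelated lists the
    (source, account) pairs that matched nobody in the directory.
    """
    erp_index = {a["erp_login"]: pid for pid, a in DIRECTORY.items()}
    crm_index = {a["crm_mail"]: pid for pid, a in DIRECTORY.items()}
    by_person = defaultdict(set)
    uncorrelated = []
    for source, rows, index in (("erp", ERP_EXTRACT, erp_index),
                                ("crm", CRM_EXTRACT, crm_index)):
        for account, ent in rows:
            pid = index.get(account)
            if pid is None:
                uncorrelated.append((source, account))
            else:
                by_person[pid].add(ent)
    return dict(by_person), uncorrelated


def mine_roles(by_person, min_users=2):
    """Bottom-up role mining in two passes.

    1. Exact clusters: people with identical entitlement sets form a candidate
       role when at least min_users share the set.
    2. Department baselines: entitlements held by every member of a department
       become a candidate base role for that department.
    Returns candidate_name -> (frozenset of entitlements, sorted member ids).
    """
    candidates = {}
    clusters = defaultdict(list)
    for pid, ents in by_person.items():
        clusters[frozenset(ents)].append(pid)
    n = 0
    for ents, members in clusters.items():
        if len(members) >= min_users:
            n += 1
            candidates[f"cluster_{n}"] = (ents, sorted(members))
    depts = defaultdict(list)
    for pid in by_person:
        depts[DIRECTORY[pid]["dept"]].append(pid)
    for dept, members in depts.items():
        common = frozenset.intersection(*(frozenset(by_person[p]) for p in members))
        if common:
            candidates[f"{dept}_base"] = (common, sorted(members))
    return candidates


def exceptions(by_person, candidates):
    """Per person, the entitlements not explained by the department base role:
    the items a certification campaign should concentrate on."""
    out = {}
    for pid, ents in by_person.items():
        base = candidates.get(f"{DIRECTORY[pid]['dept']}_base", (frozenset(), []))[0]
        extra = ents - base
        if extra:
            out[pid] = sorted(extra)
    return out


if __name__ == "__main__":
    people, unmatched = correlate()
    roles = mine_roles(people)
    print("uncorrelated:", unmatched)
    for name, (ents, members) in roles.items():
        print(name, sorted(ents), members)
    print("exceptions:", exceptions(people, roles))
```

Uncorrelated accounts are reported rather than silently dropped, because an account that no directory entry explains is exactly the orphan account the violation dashboard is meant to surface.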

However, with a large volume of access change requests on a daily basis, can an access governance platform keep pace with the needs of the business and compliance? Current products in the market provide the flexibility to adopt a centralized yet local deployment architecture. An organization may not be mature enough to leverage the entire functionality at one go. For example, to start with, organizations may choose to deploy only the compliance part for some applications; later the deployment can be extended to cover other applications and role management aspects. The deployment approach and the participation of users define the success of an access governance solution deployment.

I would like to hear your thoughts!