Category Archives: Identity and Access

Identity and Access Management: Before and After Scenario

Scenario 1: Reduction in Access Management Related Helpdesk Calls

Introduction:

While Identity and Access management (IAM) projects can solve multiple problems, they can also become complex and time consuming. Most organizations struggle with the question, “To deploy or not to deploy”. Is there an ROI? Are there real benefits at the end of the tunnel? These are typical questions most CIOs ask.

Aujas has implemented large IAM projects for clients across industry verticals. In a series of articles, we plan to discuss what benefits a client can expect realistically. We will provide the “Before and After” view by discussing scenarios prior to IAM implementation and scenarios post implementation.

In this first article of the series, we are going to cover the aspect of Helpdesk calls related to access management.

Client Background:

The client is a country arm of a global financial services company with a large user base of over 10,000 and growing. The user base includes internal users, external users and contractors. Additionally, the organization works with more than 50,000 agents. The business operations are supported by over 30 business critical applications that are built on diverse and heterogeneous technology platforms, and managed by different business teams.

Before IAM:

One key problem the client had was managing user identities across enterprise applications. While there were support teams for each application, there was no universal, common procedure for users to request application access.

With this approach, although the process for requesting access was defined, the implementation lacked, among other things, user ID standardization, strong password policies, an escalation matrix, and audit and compliance reports.

Users had to remember multiple sets of user IDs and passwords to log in to applications. Because of this, there was a huge backlog of helpdesk calls for password resets, account unlocks and similar requests.

The Solution:

Aujas successfully implemented a leading IAM suite to address the client requirements. The solution included:

  • User Provisioning System: To streamline the business processes by defining a centralized control to manage identity records. The processes to provision access to business applications were refined to leverage the automated system. Access provisioning was aligned with roles and a self-service interface was setup to allow users to request application access and their approvers to grant or reject the request.
  • Access Management System: A comprehensive access management system comprising web access management and enterprise Single Sign-on (SSO) was set up. The access management system provided a unified and dynamic portal where users could see and access their currently approved applications. It allowed users to reach web, thick-client and terminal-based applications securely without the hassle of remembering different passwords and policies, thereby drastically enhancing the user experience.

After IAM:

Even though the client saw many positive improvements, the biggest benefits were seen in the following two categories:

  • Productivity Increase: The key factor in productivity increase stemmed from the reduction in turn-around time for Access Provisioning. The turn-around time reduced from an average of 4 days to less than 15 minutes – a 99% decline.

    This led to an enormous productivity improvement for the client. With an average growth of user base at 30% (3000 employees), the 4 days saved per employee in access provisioning led to tremendous increase in productivity as the client saved over 12,000 man-days of effort annually.

  • Cost savings: Reduction in user account management related helpdesk calls from 5500 per month to 500 per month (90% reduction). On average, a helpdesk call costs $10. Hence, the solution provided savings of $50,000 per month ($600,000 per annum).

    Additionally, the solution recovered lost productivity. Earlier the helpdesk received 100 account lockout tickets per day with an average turnaround time of 4 hours. The new solution allowed the client to eliminate almost all account lockout situations (90% reduction). In total, around 13,000 man-days were saved that would otherwise have been wasted.

Parameter | Before IAM | After IAM | Time saved per annum
--- | --- | --- | ---
Turnaround time for access provisioning | 4 days | < 15 minutes | 12,000 man-days
Account lockouts and password resets | 4 to 5 hours; 100+ account lockouts per day; heavy involvement of a helpdesk team | A couple of minutes; almost zero account lockouts per month; users can reset and reclaim their access using self-service | 13,000 man-days

Conclusion:

There are definite benefits in terms of automating your access provisioning system. The primary benefits are around productivity increase and cost savings and these are only a few of them. We will cover other benefits like security, risk management and other productivity improvements as we go along in this series.

Author(s):

Mohit Vaish
Practice Head – IAM
Aujas Risk Management Services

Ms. Amitha Raju
Consultant – IAM Practice

Managing Risk of Privileged Access and Activity Management

The Problem
As organizations continue to leverage IT systems to support their businesses, the requirement of managing privileged users is rapidly emerging. Privileged IDs are the in-built system accounts within applications, operating systems, and databases. Additionally, user accounts that are created for administration of systems are also privileged IDs.
These IDs have higher and generally unrestricted authority associated with them to allow efficient system maintenance. As a side effect, these IDs can also be used to make widespread changes to the business systems.

The Risk
Usually, these IDs, especially the in-built ones, are shared among groups of administrators. Sharing such highly powerful access causes accountability problems and non-compliance with regulatory requirements, thereby significantly increasing the access risk.

Data can be stolen undetected or IT systems can be sabotaged by misusing the privileged access, since these IDs have access to systems from the backend and can bypass the control deployed for business users.

The rapidly emerging trends of cloud computing, consolidation of data centers, virtualization and hosted application services providers imply growing numbers of IT systems and privileged IDs. Any organization using significant number of IT systems like servers, network devices, desktops, or applications faces the requirement of managing privileged IDs.

Regulatory and government requirements for telecom, banking and IT verticals create an even greater need to address this requirement. Recent prominent and high profile security breaches in these verticals across the globe highlight the degree of access risk caused by inadequate privileged ID management.

What Not to Do
Limiting the privileges granted to these IDs will not mitigate the risk, as it renders the IDs useless for performing their functions. Alternatively, some organizations try to bring in accountability by assigning individual IDs to their administrators in order to eliminate sharing. This approach is helpful only for a small number of administrators managing a few systems.

In-built IDs will still need to be shared even if administrators use their own individual IDs. To add to the complexity, some IT systems enforce a limit on the number of individual accounts that can be created to manage them. Moreover, the number of individual IDs grows multiplicatively with the increase in both the number of administrators and managed systems.

For example, an admin team of twenty managing a thousand systems can easily be dealing with more than 20,000 IDs. The cost and complexity of managing the lifecycle, enforcing password policies and access controls on so many individual IDs makes this approach suboptimal.

Mitigating the Risk
What is needed is a comprehensive and modular approach to privileged access and activity management. Privileged access and activity management is an identity management domain comprising the same traditional building blocks of User Provisioning, Single Sign-on and Access Management, Role Management, Password Vault and SIEM, tied together by a robust solution design based on well-thought-out policies and procedures.

A good solution approach uses an iterative model that focuses on each of these areas and improves them incrementally, understanding how each integrates with the other building blocks. This allows for a modular solution that not only solves immediate problems with the least disruption and change to existing practices, but also scales to meet evolving requirements as the business and its expectations grow.
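To make the accountability point concrete, the following Python sketch is an added example of the Password Vault building block named above; it is not Aujas's solution or any vendor's product. The in-built accounts stay shared, but each use is checked out by a named administrator against a change ticket (the ticket numbers and account names are constructed), only one holder is allowed at a time, the password is rotated on check-in or after a lapsed session, and every decision is appended to an audit list standing in for the event stream a SIEM would ingest.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Checkout:
    account: str
    admin: str
    ticket: str
    expires: datetime


class PrivilegedVault:
    """Constructed check-out / check-in vault for shared built-in accounts."""

    def __init__(self, entitlements, ttl_minutes=60):
        self._entitlements = entitlements  # admin -> set of accounts they may check out
        self._secrets = {}                 # account -> current password (encrypted at rest in a real vault)
        self._checkouts = {}               # account -> active Checkout
        self._audit = []                   # accountability trail, one dict per decision
        self.ttl = timedelta(minutes=ttl_minutes)

    def register(self, account):
        """Bring a shared built-in account under vault control with a fresh random secret."""
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log("register", account, "vault", "-")

    def checkout(self, admin, account, ticket, now=None):
        """Release the secret to one entitled admin; denied if not entitled or already held."""
        now = now or datetime.now(timezone.utc)
        if account not in self._entitlements.get(admin, set()):
            self._log("denied_entitlement", account, admin, ticket)
            raise PermissionError(f"{admin} is not entitled to {account}")
        active = self._checkouts.get(account)
        if active is not None and active.expires > now:
            self._log("denied_in_use", account, admin, ticket)
            raise RuntimeError(f"{account} is checked out by {active.admin} until {active.expires}")
        if active is not None:
            # Previous session lapsed without a check-in: rotate before handing the secret out again.
            self._secrets[account] = secrets.token_urlsafe(24)
            self._log("expired_rotate", account, active.admin, active.ticket)
        self._checkouts[account] = Checkout(account, admin, ticket, now + self.ttl)
        self._log("checkout", account, admin, ticket)
        return self._secrets[account]

    def checkin(self, admin, account):
        """End the session and rotate the secret so the password just used is now useless."""
        active = self._checkouts.get(account)
        if active is None or active.admin != admin:
            raise RuntimeError(f"{admin} holds no checkout for {account}")
        del self._checkouts[account]
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log("checkin_rotate", account, admin, active.ticket)

    def holder(self, account, now=None):
        """Who is accountable for the shared account right now (None if nobody)."""
        now = now or datetime.now(timezone.utc)
        active = self._checkouts.get(account)
        return active.admin if active is not None and active.expires > now else None

    def audit_trail(self):
        return list(self._audit)

    def _log(self, event, account, admin, ticket):
        self._audit.append({"event": event, "account": account, "admin": admin, "ticket": ticket})


if __name__ == "__main__":
    vault = PrivilegedVault({"alice": {"root@db01"}, "bob": {"root@db01"}})
    vault.register("root@db01")
    vault.checkout("alice", "root@db01", "CHG-1001")
    print("held by:", vault.holder("root@db01"))
    vault.checkin("alice", "root@db01")
    for event in vault.audit_trail():
        print(event)
```

The point of the audit trail is that every event names an individual, not the shared account alone: a SIEM correlating "root@db01 logged in" with the vault's "checkout by alice, ticket CHG-1001" record gives the accountability that plain sharing of the in-built ID cannot.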

Windows Azure: Build Secure Applications by Design

Introduction to Azure

The Windows Azure Platform is a Microsoft cloud platform offering that enables customers to deploy applications and data into the cloud. Windows Azure Platform is classified as ‘platform-as-a-service’ and is part of Microsoft’s cloud computing strategy. It provides developers with on-demand computing and storage space to host, scale and manage web applications on the Internet through Microsoft datacenters. The platform provides a cloud operating system called Windows Azure that serves as a runtime for the applications and provides a set of services that allows development, management and hosting of applications off-premises.

Windows Azure has three core components: Compute, Storage and Fabric. As the names suggest, Compute provides a computation environment with Web role and Worker role, while Storage focuses on providing scalable storage (Blobs, Tables, Queue, and Drives) for large-scale needs. Fabric makes up the physical underpinnings of the Windows Azure platform similar to the network of interconnected nodes of servers, high-speed connections, and switches.

Conceptually, the repetitive pattern of nodes and connections suggests a woven or fabric-like nature. Compute and Storage components are part of the Fabric. It also provides high-level application models for intelligently managing the complete application lifecycle, including deployment, health monitoring, upgrades, and de-activation.

Microsoft Azure Security

Figure: Microsoft Azure cloud security responsibility matrix. Consumers are responsible for application and data security with Microsoft Azure, which falls under the PAAS model.

Cloud security is an evolving world with new threats and challenges. A smart customer would look at all the necessary security risks and would handle all data in cloud with clear risk mitigation plans. Security in the Azure platform is of paramount importance and Microsoft has built security controls into the platform.

Cloud computing models and the security responsibility matrix are defined in the table at right.

Microsoft’s Azure Platform falls under the PAAS model. Microsoft has implemented and provided various security features such as:

  • Identity and Access Management at all levels
  • Isolation of data through separate physical containers
  • On-demand encryption of data in the fabric
  • Runtime security: full trust versus partial trust
  • Security libraries

Though Microsoft has built security into its architecture with AppFabric and SMAPI (Service Management API), companies that move to this platform must ensure the security of their own applications. Application developers have to use the right tools and APIs to secure and deploy the application.

There is no “Magic Wand for Security”

Azure builds security into several layers of its architecture, at the VM level and in its Fabric engine, which assures customers that their data does not leak outside their VM. Although Azure offers security innovations to aid application development and deployment, the responsibility for securing applications is left to the customer.

This means that building applications that are secure by design and secure by default lies in the hands of the end-customer’s Azure application developers and architects. Security is not static; threats are constant and have to be mitigated at every level of the application and the platform. Azure provides many security APIs that can be used to protect data and access, but it is up to the end-customer to decide what is appropriate for the kind of data that needs protection.

As the chart above explains, the PAAS model requires security SMEs with core knowledge of platform-related security, an understanding of the Windows Azure runtime trust models, and of the security protections and responsibilities of each cloud layer. Companies need to build a complex “Gatekeeper” based design with the help of design patterns such as control access context, advisor, interceptor and web role patterns.

The latest addition to the foundational technologies in the .NET Framework is Windows Identity Foundation (WIF). It lets Azure developers offload identity and authentication logic, providing a solid development model based on the separation-of-concerns pattern. Anything from simple, traditional role-based access to advanced and sophisticated access control policies can be implemented with the help of WIF.

When it comes to cloud-based solutions, it is more important for software designers and developers to anticipate threats at design time than is the case with traditional boxed-product software deployed on servers in a corporate datacenter. Designing secure applications in Azure is about choosing the right building blocks and understanding the responsibilities. A traditional model of application development will produce the same vulnerable application as before. With better knowledge of the Azure platform, however, it is possible to build more secure applications in less time and with less effort.

Developers and designers also need to understand the basics of building applications on cloud:

  • Build cloud apps, not apps in the cloud
  • Design for failure, so that nothing fails
  • Design for scalability
  • Loosely couple application stacks (IoC)
  • Design for dynamism
  • Design distributed
  • Build security into every component
  • Back up application and user data
  • Distribute applications

Conclusion

Computing solutions that use Windows Azure are very compelling to companies wishing to trim capital expenditures. However, security remains an important consideration. Security architects and developers need to understand the threats to the software developed for “the cloud” and use appropriate secure design and implementation practices to counter threats in the cloud environment.

The progression from classic client-server computing, to web-enabled applications, to applications hosted in the cloud, has shifted the boundaries of applications, and a pressing need for compliance drives security. These boundary shifts and compliance requirements make understanding the threats to Windows Azure-based software all the more important.

Phishers Target Social Media, Are You the Victim?

Phishers are targeting social media. Your company and employees have to play their part to fight them.

Social media has been all the buzz recently. While I am writing this post, there are more than 500 million active users on Facebook, with 50% of them logging on at least once a day from their office, home, coffee-shop, school, or while mobile. Today many organizations have an active presence across LinkedIn, Facebook or Twitter. Social media has emerged as an effective marketing tool to engage with a mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research, Inc., said, “Social media isn’t a choice anymore – it is a business transformation tool”.

This new and growing means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using social media in a big way to extract vital information from users. They also use social networking malware for financial gain. Messages or web links coming from immediate connections on Facebook or Twitter lead users to believe that they are genuine and that there is nothing wrong with clicking them. Scammers leverage this fact and exploit human emotions such as greed, trust, fear and curiosity to conduct phishing attacks. According to the latest Anti-Phishing Q2 2010 Report, there is a definite increase in social networking phishing attacks. While such attacks were almost negligible in Q1 of 2010, they accounted for nearly 3 percent of reported attacks in Q2.

Any currently hyped political situation, news story, video or mishap is enough to make a user click on a link that redirects to the desired (malicious) website. The message is crafted to pull on your curiosity, or it is made strong enough to create sympathy for people affected by a tragedy. It is very unlikely that you have not seen messages like these on your wall or in your Twitter feed:

“Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD”

“They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation”

“Hey, I am your old college friend! Just joined your company; why not reconnect? - http://biz.ty/23424”

“I bumped into some of your old friends the other day; they wanted me to send you this - http://facebooklink”

The websites behind these links could be asking for your Internet-banking credentials under the guise of a donation, for sensitive information about your organization, or for any other personal information that is valuable to scammers. Alternatively, clicking the link downloads malware or a virus and your system is compromised.

Often scammers target one social networking user account, compromise it using a script, and that script then propagates to the accounts of the user’s friends. This is called self-replicating malware; it uses application vulnerabilities such as unvalidated redirects, clickjacking and cross-site request forgery to spread across multiple user accounts. For mobile users it is even worse, because it is not easy to verify the authenticity of URLs on a small screen.

I am sure you will agree that it is not easy to stop usage of social media completely even though there are definite risks involved. Organizations need to look beyond traditional technology controls, and look to continuous education and awareness to fight phishing attacks.

Organizations can take following steps to fight against phishing attacks:

  1. Establish a social media strategy. Clearly document and enforce what is and is not allowed to be discussed and disclosed on social networking sites.
  2. Conduct social media awareness programs that cover both the rewards and the risks of social media. They should also cover how to identify phishing websites and differentiate between original and fraudulent websites.

As an employee, these best practices can help you avoid becoming prey of phishing attacks:

  1. Never click on a link or a bookmark that is associated with financial transactions or asks for any sensitive information; instead, make it a practice to type the URL manually in the address bar.
  2. Do not click on links that ask you to download ActiveX controls or other software onto your system, as they could be Trojans or malware that later give an attacker remote control of your system and of other systems inside the network.
  3. Ensure that the site is authentic and uses a secure connection (https) before providing any sensitive information about yourself or your organization.
  4. Report suspected links to your internal security team and to the social networking site, so that they can work with the hosting provider to take down the phishing website.
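Part of the checking described in the list above can be automated on the security team’s side before a reported link is acted on. The following Python example is added here and is not code from the post or from Aujas: it scans constructed messages modelled on the ones quoted earlier, and the shortener and brand lists it uses are constructed sample data rather than a complete or authoritative list. It flags links that are not https, shortened links that hide the real destination, hostnames that are not resolvable public domains or that borrow a brand name without being that brand’s domain, and paths or hosts that mention money or credentials.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages, modelled on the ones quoted in the post, plus one
# benign control line so the triage shows a clean result as well.
SAMPLE_MESSAGES = [
    "Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD",
    "They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation",
    "Hey, I am your old college friend! Just joined your company; why not reconnect? - http://biz.ty/23424",
    "I bumped into some of your old friends the other day; they wanted me to send you this - http://facebooklink",
    "Quarterly results are up at https://www.example.com/reports",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed lists (sample data, not authoritative): shortener hosts that hide the
# destination, brands phishers imitate mapped to the domain the brand actually uses,
# and words that suggest the page wants money or credentials.
SHORTENERS = {"bit.ly", "lnkd.it", "biz.ty", "t.co", "tinyurl.com"}
BRANDS = {"facebook": "facebook.com", "linkedin": "linkedin.com",
          "twitter": "twitter.com", "paypal": "paypal.com"}
SENSITIVE_WORDS = {"donation", "donate", "banking", "login", "signin", "verify"}


def registered_domain(host):
    """Last two labels of a hostname (good enough for this demo; real code uses the public suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_url(url):
    """Return the list of reasons a URL deserves caution; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        reasons.append("not https")
    if "." not in host:
        reasons.append("hostname is not a resolvable public domain")
    if registered_domain(host) in SHORTENERS:
        reasons.append("shortened link hides the real destination")
    for brand, legit in BRANDS.items():
        if brand in host and registered_domain(host) != legit:
            reasons.append(f"looks like {brand} but is not {legit}")
    if any(word in (host + parsed.path).lower() for word in SENSITIVE_WORDS):
        reasons.append("asks for money or credentials")
    return reasons


def triage(messages):
    """Map every URL found in the messages to its warning reasons."""
    findings = {}
    for message in messages:
        for url in URL_RE.findall(message):
            findings[url] = analyse_url(url)
    return findings


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_MESSAGES).items():
        print(url, "->", "; ".join(reasons) if reasons else "no findings")
```

Heuristics like these produce leads, not verdicts: a shortened link or a missing https is a reason to expand the link in a sandbox and compare the final hostname against the brand it claims, which is exactly the check the third best practice above asks a user to do by hand.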

Both the organization and its employees have to play their part to fight against phishing risks over social media.

Aujas can help your company manage risk from phishing threats with its industry-leading Phishing Diagnostic Solution. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

Security Breaches Continue to Grow

What do Tulane University, South Carolina State Employee Insurance Program, National Guard Headquarters – Santa Fe NM, BlueCross/BlueShield – Michigan, Seacoast Radiology, and University of Connecticut – HuskyDirect.com have in common? They were just a few of the companies that reported security breaches in January 2011.

Information management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In prior issues of Risky Business, I posted this brief article and supporting statistics about security breaches.  I was curious to see how the data changed.  You can see for yourself below in the last line.

The following data was collected from Identity Theft Resource Center® website idtheftcenter.org and refers to the number of total data breaches that were reported with an estimate of how many records were exposed:

2005 Breach List: Breaches: 157 Exposed: 66,853,201
2006 Breach List: Breaches: 321 Exposed: 19,137,844
2007 Breach List: Breaches: 446 Exposed: 127,717,024
2008 Breach List: Breaches: 656 Exposed: 35,691,255
2009 Breach List: Breaches: 498 Exposed: 222,477,043

2010 Breach List: Breaches: 662 Exposed: 16,167,542

You must understand that the majority of the reported breaches do not reveal the actual number of exposed records, so the true number is MUCH larger than what is listed here.

Your call to action is to ensure your Information Risk Management Program is as secure as you think it is, and as secure as your stakeholders, customers and Board of Directors believe it to be. Aujas is helping organizations manage risk and enhance information value with practical, innovative solutions!

More than Password Resets – Identity and Access Management’s Real Value

You’ve probably heard enough about the benefits that an Identity and Access Management (IAM) program can bring to you. Most of the benefits pitched to customers from various vendors revolve around specific features of the products, and are generalizations at best.

For example, password reset is available as a feature, and the obvious benefit is reduced helpdesk costs. Plain and simple!  There is, however, much more to the story.

When you go ahead with an IAM program, this is what you are really setting out to do:

Streamline processes

Setting up an IAM solution forces one to optimize and define processes that carry no ambiguity, because automation cannot be achieved where there is ambiguity. Don’t count on a partner who is keen to migrate your existing processes into the IAM system without questioning the need or sense behind each process.

Example: Quite a few customers insist on having the employee’s manager approve the request first, and then send it to a secondary owner for final approval. When questioned, the response often is, “We don’t trust our managers. They may approve just about anything that someone requests, so we need someone else to take a look at it.” The question we then pose is, “Why have the manager approve something when you don’t trust his judgement?” Or, “Have the manager approve requests, but educate the users about the responsibility they carry when they approve something.” You get the idea.

Streamline data across systems

This is an opportunity to bring consistency to how data values are treated by applications across the organization.

Example: The location for a person may be “SFO” in one application, “California” in another, and “Calif.” in yet another.

Traditionally, each application owner is used to operating in a silo, and comes up with a naming convention designed to suit the needs of the hour and the application. Standardizing the values across applications lets the organization take charge by bringing in the ability to centrally manage various aspects of user properties, rights, etc.

This change often sees the greatest amount of inertia, but is the one that truly lets organizations leverage their IAM investment. The solution isn’t to avoid standardization. The solution (and opportunity) is to strengthen change management.

Build a platform for future application development

Traditional application development models embed authentication and authorization into the core of the application itself. With an IAM program in place, you have the luxury of asking application developers to develop just the business logic of their application. All authentication and authorization decisions can then be delegated to the IAM platform, resulting in:

  a) Application developers focused on core business functionality

  b) A secure and proven mechanism for authentication and authorization decisions

  c) A complete view of who can do what in which application

In a nutshell, most IAM programs are about implementing a vision. It is an opportunity to question what has been done for years, to optimize, streamline and strengthen the way the organization functions, and to discard the legacy that has ceased to provide value.

To quote Sara Gates, former VP of Identity Management for Sun Microsystems: “Identity Management is like putting brakes on your car. Why do cars have brakes? Everyone says, ‘So they can stop.’ But the real reason cars have brakes is so they can go faster.”

When you are looking for the partner to steer you in the right direction when it comes to such an important topic, Aujas can help.  Call me and learn more about how we have delivered IAM projects to clients globally.

Single Sign-On – Choosing Practical over Paranoid Security

As various business processes are automated in enterprises, a complex IT landscape is created. Multiple applications and platforms require different authentication checks before granting user access. Users need to sign on to multiple systems, each involving a different set of credentials. As a result, accessing systems gets increasingly complicated and frustrating for users and hampers their daily tasks.

Implementing a single sign-on (SSO) security functionality can significantly simplify systems access. SSO provides a unified mechanism to manage user authentication and implement business rules determining user access. As only one set of credentials are needed to access multiple systems, SSO improves usability, increases productivity and reduces helpdesk expenses, without compromising system security.

SSO also reduces human error, a major component of system failures, because the user logs in once and gains access to all systems without being prompted to log in again for each one.

Why is SSO relevant?

The need for SSO is accentuated by several issues enterprises face including:

  • Enforcing strong security and password policies at a central level
  • Multiple helpdesks
  • Need for helpdesks to engage in more value-adding tasks rather than be consumed by resetting passwords for users
  • Management of multiple platforms and application models
  • Risk of unsecured, unauthorized administrative and user accounts

SSO types you need to know

Two of the most important types of SSO are:

Enterprise SSO

Enterprise single sign-on (ESSO) systems are designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. The ESSO automatically logs users in, and acts as a password filler where automatic login is not possible. Each desktop/laptop is given a token that handles the authentication.

Web SSO

Single sign-on for web-based applications and a few supported proprietary, closed-source web applications. It is a browser-based mechanism, providing single sign-on to applications deployed on web servers within a domain.

The main differences between ESSO and Web SSO approaches are given in the table below.

Table: SSO comparison (ESSO versus Web SSO)

ESSO can provide tangible benefits to an enterprise through:

  • Enhanced user productivity - users are no longer bogged down by multiple logins and they are not required to remember multiple IDs and passwords
  • Improved developer productivity - developers get a common authentication framework – developers don’t have to worry about authentication at all
  • Simplified IT administration – the administrative burden of managing user accounts is simplified. The degree of simplification depends on the applications since SSO only deals with authentication
  • Reduced password fatigue from different user name and password combinations
  • Reduced IT costs due to fewer help desk calls about passwords
  • Improved security through reduced need for a user to handle and remember multiple sets of authentication information
  • Reduced time spent re-entering passwords for the same identity.
  • Integration with conventional authentication such as Windows username/password.
  • Centralized reporting for compliance adherence like ISO 27001, etc.

Clearly, SSO functionality is a practical approach to security management in an enterprise. Its detractors point out that once the single password is breached, the other systems behind SSO become highly vulnerable. However, when weighing the pros and cons of the SSO approach, its benefits in the form of less maintenance and increased usability far outweigh the disadvantages. It can even ensure better protection of the single password, with stronger policies in place, which may not be practical when there are multiple passwords to remember. SSO can be a suitable choice for most enterprises struggling with the burden of managing access to multiple systems.
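The Web SSO flow described in this post (one login, a browser-carried token accepted by every application) and the delegation argued for in the “Build a platform for future application development” section of the earlier post (application code keeps only business logic; authentication and authorization decisions come from the IAM platform, the same idea the Azure post attributes to WIF) are shown together in the following added example. It is not code from Aujas or from any product the page mentions: the identity provider, the HMAC-signed token format, the shared signing key, the user directory and the two sample applications are all constructed for illustration. In a real deployment the token would travel as a domain cookie or a SAML/OIDC assertion signed with a key held only by the issuer, and only the identity provider would ever see a password.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by the IdP and the applications; a real deployment uses a
# per-issuer key, typically an asymmetric pair so applications hold only the public half.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_user(password, roles):
    """Constructed directory entry: (salt, PBKDF2 hash, roles). Only the IdP ever sees the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return (salt, digest, roles)


class IdentityProvider:
    """Authenticates once and issues a signed, time-limited token carrying the user's claims."""

    def __init__(self, users, key=SIGNING_KEY, ttl_seconds=900):
        self._users = users
        self._key = key
        self.ttl = ttl_seconds

    def login(self, username, password, now=None):
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest, roles = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, candidate):
            return None  # wrong password: no token, so no session anywhere
        now = int(now if now is not None else time.time())
        claims = {"sub": username, "roles": roles, "iat": now, "exp": now + self.ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        signature = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{signature}"


def verify_token(token, key=SIGNING_KEY, now=None):
    """Return the claims if the signature is valid and the token has not expired, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, signature = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(signature, expected):
        return None  # tampered or forged
    claims = json.loads(_unb64(body))
    if int(now if now is not None else time.time()) >= claims["exp"]:
        return None  # expired: the user has to sign on again
    return claims


def requires_role(role):
    """Application-side guard: a business function declares the role it needs and nothing else."""
    def decorator(fn):
        def wrapper(token, *args, **kwargs):
            claims = verify_token(token)
            if claims is None:
                return "login required"
            if role not in claims["roles"]:
                return "forbidden"
            return fn(claims["sub"], *args, **kwargs)
        return wrapper
    return decorator


# Two constructed applications sharing the single login through the token.
@requires_role("payroll")
def payroll_report(user):
    return f"payroll report for {user}"


@requires_role("hr")
def hr_record(user, employee_id):
    return f"{user} viewed record {employee_id}"


if __name__ == "__main__":
    idp = IdentityProvider({"alice": make_user("correct horse battery", ["payroll"])})
    token = idp.login("alice", "correct horse battery")
    print(payroll_report(token))   # allowed: alice holds the payroll role
    print(hr_record(token, "E42"))  # forbidden: same token, role not present
```

Note what the application code does not contain: no password handling, no user directory, and no authorization table. That is the separation the IAM-platform argument is about. The expiry check also answers the “one password breached” objection in part: a stolen token is worth only its remaining lifetime, and a stolen password is useless without the IdP’s login step, which is the single place to enforce the strong policies the post mentions.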

HIMSS Survey of Security Pros Is Food for Thought

The Healthcare Information and Management Systems Society (HIMSS) in November published results of a survey that focused on key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations. Though your company may not be in the healthcare industry, read the results discussed below, and think about how they might compare to your organization.

The 2010 HIMSS Security Survey included feedback from information technology and security professionals from healthcare provider organizations across the U.S. Here’s an overview of respondents’ input:

Maturity of Environment: Respondents characterized their environment at a middle rate of maturity.

Security Budget: Approximately half of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security.

Formal Security Position: Slightly more than half (53%) of respondents reported they have either a CSO/CISO or full-time staff in place to handle their organizations’ security functions.

Risk Analysis: Slightly more than half of respondents (59%) who said that their organization conducts a formal risk analysis reported that this analysis is conducted annually.

Patient Data Access: Surveyed organizations most widely employ user-based and role-based controls to secure electronic patient information.

Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. Two thirds reported having a plan in place for responding to threats or incidents related to a security breach.

Security in a Networked Environment: Approximately 85% of respondents reported that their organization shares patient data in an electronic format.

Future Use of Security Technologies: Mobile device encryption, e-mail encryption and single sign-on were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

Patient Identity: Half of respondents indicated that they validate patient identity by both requiring a government/facility-issued ID and checking the ID against information in the master patient index.

Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft.

Identity and Access Management – This must be your project, not your partners’!

Lessons Learned

Having been through numerous Identity and Access Management (IAM) implementations, we see two common denominators in terms of customer expectations that rear their ugly heads rather frequently:

  1. Let’s integrate everything that we have, and
  2. Let’s do it all at once

One can understand the excitement we all go through when we contemplate having a solution that allows us to link so many applications, streamline processes with workflow automation and synchronize attributes across the board. While that excitement is infectious and contagious, the sound voice of reason must be heard and listened to.

It is natural for you to want to do as much as you can with a product, and it is human to want all of it done yesterday. Hence, the onus lies on the domain experts to work closely with customers (as partners, not vendors) and plan out a deployment that gives the customers the most results as early as possible, with additional benefits delivered over subsequent phases.

The “good” partner helps the customer prioritize their needs and requirements, and establishes plans to achieve those objectives over phases. Strong project management and planning are the keys to a successful IAM program. The products from various vendors are unlike those of 5 years ago: they are now mature, stable and scale exceptionally well, unless hacked to death to fulfil a few exotic requirements.

We cannot lose sight of the top benefits of having a robust IAM program to a company:

  1. IT systems and applications are constantly compliant with a variety of regulations, and there are few gaps in access recertification
  2. Processes and access governance have been streamlined – business demands, business approves, and business gets – with minimal or no IT intervention
  3. Password reset is automated and secure, and helpdesk costs are under control
  4. Peace of mind

So next time you want to know whose side the “partner” is on, throw a plan too ambitious at them. While most will try to give you what you demand, you will know during the course of their approach whose interests they have in mind, yours or their own. After all, it is your project and responsibility.

Information Risk Management Concerns in Merger & Acquisition – A Point of View

Integrating Risk, Compliance and Security Components into the Post-Merger Integration Process

Over the last few years, the Merger and Acquisition space has witnessed high growth. However, as experience shows, getting a deal executed is only half the job done. Capturing the actual value in M&A comes from appropriate and timely post-merger integration of people, operations, processes, information systems, and culture.

Historical data indicates that most M&A deals failed to realize value due to ineffective post-merger integration. This has forced companies to look at post-M&A integration activity as a program with set milestones. Companies today create separate integration teams with a Project Management Office and a clear reporting structure. While companies look at retaining customers and key employees, integrating finance and IT functions, and addressing tax and other operational issues, they often fail to identify and address the risk and control environment. This can affect a company’s security and internal control environment. Appropriately addressing security, risk and control issues can save time and compliance cost while minimizing business and legal risk for the combined entity.

Key Security, Risk and Control Challenges

1. How to address compliance requirements and create an effective risk and control environment

When two companies merge, their separate compliance requirements need to be integrated. With different structures, processes, geographies and separate applicability, it becomes difficult to remain compliant, especially during post-merger integration. Further, the risk profile of the merged entity might be different from that of the pre-merger entities, as there are significant changes in materiality, processes, supporting technology, and control owners.

Implications: Non-compliance, ineffective and inefficient internal audit functions, lack of key risk and control owners, and a higher cost of compliance are some of the common implications.

2. How to manage access rights for employees, customers, affiliates and third parties in an integrated environment

Mergers bring new users, applications and legacy systems that must be integrated for simple, faster and secure access to data. Therefore, managing appropriate access to data is critical from both risk and compliance perspectives. Inappropriate access to confidential data can lead to information leakage and loss of competitiveness, along with non-compliance penalties.

Implications: Failure to manage access rights to business critical applications and data can lead to a) unauthorized access to critical business data; b) no access for authorized users; c) excess privileges for some/all users; d) fewer privileges than needed for authorized users; e) operational ineffectiveness due to inappropriate access management.

3. How to address privacy requirements of the combined entity

The Personally Identifiable Information (PII) that each of the two companies stores for employees, business partners and customers is managed through separate privacy programs, processes and systems.

Implications: Disclosure of private information to unauthorized users can lead to regulatory and legal implications.

4. How to manage business continuity during the transition phase while integrating different IT systems, operations and people

Consolidating ERP, CRM and other business applications, combining the complex infrastructures of two organizations, and changing how people access organization data and critical business applications all warrant a robust and updated business continuity plan for recovery and continuity in the event of any disaster or malfunction of IT systems or access infrastructure.

Implications: Unavailability of business critical applications, preventing access to business data.

Next Week – Part 2 – Approach