Category Archives: Identity and Access

Information Risk Management Concerns in Merger & Acquisition – A Point of View

Integrating Risk, Compliance and Security Components into the Post-Merger Integration Process

Over the last few years, the Merger and Acquisition space has witnessed high growth. However, as experience shows, getting a deal executed is only half the job. Capturing the actual value in M&A comes from appropriate and timely post-merger integration of people, operations, processes, information systems, and culture.

Historic data indicates that most M&A deals failed to realize value due to ineffective post-merger integration. This has forced companies to treat post-M&A integration as a program with set milestones. Companies today create separate integration teams with a Project Management Office and a clear reporting structure. While companies focus on retaining customers and key employees, integrating finance and IT functions, and addressing tax and other operational issues, they often fail to identify and address the risk and control environment. This can weaken a company’s security and internal control environment. Appropriately addressing security, risk and control issues can save time and compliance cost while minimizing business and legal risk for the combined entity.

Key Security, Risk and Control Challenges

1. How to address compliance requirements and create an effective risk and control environment

When two companies merge, their separate compliance requirements need to be integrated. With different structures, processes, geographies and separate applicability, it becomes difficult to remain compliant, especially during post-merger integration. Further, the risk profile of the merged entity might be different from that of the pre-merger entities, as there are significant changes in materiality, processes, supporting technology, and control owners.

Implications: Non-compliance, ineffective and inefficient internal audit functions, lack of key risk and control owners, and a higher cost of compliance are some of the common implications.

2. How to manage access rights for employees, customers, affiliates and third parties in an integrated environment

Mergers bring new users, applications and legacy systems that must be integrated to provide simple, fast and secure access to data. Managing appropriate access to data is therefore critical from both risk and compliance perspectives. Inappropriate access to confidential data can lead to information leakage and loss of competitiveness, along with non-compliance penalties.

Implications: Failure to manage access rights to business-critical applications and data can lead to a) unauthorized access to critical business data; b) no access for authorized users; c) excess privileges for some or all users; d) insufficient privileges for authorized users; e) operational ineffectiveness due to inappropriate access management.

3. How to address privacy requirements of the combined entity

Two merging companies each store Personally Identifiable Information (PII) for employees, business partners and customers, and each manages it through separate privacy programs, processes and systems.

Implications: Disclosure of private information to unauthorized users can lead to regulatory and legal consequences.

4. How to manage business continuity during the transition phase while integrating different IT systems, operations and people

Consolidating ERP, CRM and other business systems, combining the complex infrastructures of two organizations, and changing how people access organization data and critical business applications all warrant a robust and updated business continuity plan for recovery and continuity in the event of any disaster or malfunction of an IT system or access infrastructure.

Implications: Unavailability of business-critical applications, preventing access to business data.

Next Week – Part 2 – Approach

Converged Identity and Access Management – Final

Final in the series “Converged Identity and Access Management”

The IT infrastructure is the backbone of a converged solution, allowing key business data to be shared across systems. For example, a company’s physical security system typically does not hold critical business data such as employee status, whereas the HR department’s IT system does.

Converging physical security with IT security isn’t easy, but the extra effort it requires can be beneficial, especially for financial, healthcare, and defense organizations. Convergence affords organizations the opportunity to align security with overall business goals, streamline business processes such as provisioning and investigations, and centralize security operations and policies.

Developing common protocols for managing access to company assets and data enables more efficient provisioning and management. Different physical and logical security systems should leverage the extensible interfaces of identity management solutions and thus stay in sync. The key benefit is that security personnel continue to use the tools best suited to their jobs and HR personnel continue using HR tools. Converged security systems therefore improve return on investment (ROI).

Key Steps for Convergence

To bridge the organizational gap, the physical security department should work directly with the IT security team to identify:

  1. Authoritative sources of key data used to determine whether a person has permissions to use a resource or access an area.
  2. Compliance or audit needs.
  3. Any business or security concerns that are unique or are especially important to an organization.
  4. Various business processes such as on-boarding, off-boarding and the responsibilities of different systems.
  5. Policies for managing employees who don’t have any logical accounts, e.g., cleaning staff, caterers, etc.
  6. Privacy and security policies that clearly define what personal information is to be collected, how the information will be used, who can access the information, how the information will be protected, and how the individual will control its use and provide updates to the information over time.

Effective Convergence through Events Correlation

With converged access control, organizations can correlate disparate physical and IT security events. For example, an employee using a computer may not seem suspicious on its own. With physical/logical correlation, however, the employee can be allowed to access logical resources only after he has swiped his ID card at the entry door, and some logical resources can be locked for a user as soon as he leaves the premises by using his card at the door.
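The two correlation rules just described, as an added example that is not code from the original post or from any PACS or directory product: one merged stream of badge and logon events is walked in time order, a logon is allowed only while the user has badged in, and live sessions are locked when the user badges out. The event format, user names, hosts and timestamps are constructed for illustration.

```python
"""Physical/logical event correlation for converged access control.

Added example, not code from the original post: it walks one merged stream of
badge (PACS) and logon events and applies the two rules described above:
a logon is allowed only while the user has badged in, and live sessions are
locked when the user badges out. The event format, user names and timestamps
are constructed for illustration and are not from any real product.
"""
from datetime import datetime

# Constructed sample events from a PACS and a logon audit source.
SAMPLE_EVENTS = [
    {"time": "2010-11-02T08:01:00", "source": "pacs", "user": "alice", "action": "badge_in"},
    {"time": "2010-11-02T08:03:00", "source": "logon", "user": "alice", "action": "logon", "host": "ws-17"},
    {"time": "2010-11-02T08:05:00", "source": "logon", "user": "bob", "action": "logon", "host": "ws-22"},
    {"time": "2010-11-02T12:30:00", "source": "pacs", "user": "alice", "action": "badge_out"},
    {"time": "2010-11-02T12:31:00", "source": "logon", "user": "alice", "action": "logon", "host": "ws-17"},
]


def correlate(events):
    """Return (decisions, alerts) for a merged badge/logon event stream.

    decisions: one (time, user, host, "allow" | "deny") tuple per logon event
    alerts:    findings a security operator would act on: a logon with no
               preceding badge-in, or a session to lock after a badge-out
    """
    present = set()   # users who have badged in and not yet badged out
    sessions = {}     # user -> set of hosts with a live session
    decisions, alerts = [], []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        user = ev["user"]
        if ev["source"] == "pacs":
            if ev["action"] == "badge_in":
                present.add(user)
            elif ev["action"] == "badge_out":
                present.discard(user)
                # Rule 2: lock every live session as soon as the user leaves.
                for host in sorted(sessions.pop(user, set())):
                    alerts.append(f"{ev['time']} lock session of {user} on {host} (badged out)")
        elif ev["source"] == "logon":
            # Rule 1: logical access only after a badge-in at the door.
            if user in present:
                decisions.append((ev["time"], user, ev["host"], "allow"))
                sessions.setdefault(user, set()).add(ev["host"])
            else:
                decisions.append((ev["time"], user, ev["host"], "deny"))
                alerts.append(f"{ev['time']} logon by {user} on {ev['host']} with no badge-in")
    return decisions, alerts


if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS)[1]:
        print(line)
```

In the sample stream, bob's logon is denied because no badge-in precedes it, and alice's second logon is denied because she badged out a minute earlier; the badge-out also produces a lock action for her existing session. A real deployment would feed the same logic from the PACS and the directory's logon audit rather than from an in-memory list.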

Conclusion

The convergence of identity and access control systems is helping enterprises better protect their intellectual property, monitor access to restricted areas and comply with regulations. It improves the operational efficiency of existing physical security systems and resources. How organizations choose to implement this should be aligned with their business strategy and their security and compliance requirements.

Number of Breaches Going Up and Up!

Information management is critically important to all of us, as employees and as consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In issue 17 of Risky Business, I posted this brief article and supporting statistics for you to read. I was curious to see in one month how the data changed; I assumed it would go up, but by how much. You can see for yourself below in the last line.

The following data was collected from the Identity Theft Resource Center® website, idtheftcenter.org:

2005 Breach List: Breaches: 157 Exposed: 66,853,201
2006 Breach List: Breaches: 321 Exposed: 19,137,844
2007 Breach List: Breaches: 446 Exposed: 127,717,024
2008 Breach List: Breaches: 656 Exposed: 35,691,255
2009 Breach List: Breaches: 498 Exposed: 222,477,043
2010 Breach List (as of 10-5-10): Breaches: 533 Exposed: 13,517,866

2010 Breach List (as of 11-2-10): Breaches: 571 Exposed: 14,000,609

Understanding the Need for Converged Access Control

According to a study conducted by Carnegie Mellon University, critical system disruptions, loss of customer and partner information, loss of confidential intellectual property, brute-force attacks, fraud, reputation risk, etc. were mostly attributed to actions by insiders.

The grave danger of insider threats, arising from employees retaining their system and/or physical access even after job termination, can be understood from a shocking incident that took place recently. A US-based Water Service Company auditor, who had resigned from his post, sneaked into the company’s building and accessed a former coworker’s computer to transfer $9 million from the company’s funds to his personal account.

Insider threats, in which disgruntled employees or ex-employees gain access to the enterprise’s computer systems or networks, are a direct consequence of improper identity management!

Proliferating Disconnected Identities – Root Cause for Mismanagement of Identities!

In most organizations, logical and physical identities multiply excessively, making it difficult for the organization to track and manage all of them effectively.

On the logical side, an employee may have one identity within the enterprise HR system, such as an SAP system. That identity typically consists of salary, benefits, insurance and other employee-specific details. Then there is a logical identity, for the same employee, within the information technology department’s directory software, such as that from Microsoft, Novell, CA, Sun Microsystems, or Oracle. This directory controls the permissions for network, database and software applications for the logical identity. Within the organization’s intranets, databases and applications, the user may have still more identities, in the form of the different user IDs and passwords or PINs he/she uses to log into each logical resource of the organization. This employee will have at least one more identity: a physical credential of some sort used for access to organization infrastructure – workstations, buildings, floors, parking garages, warehouses, research labs, etc.

Then there are mergers and acquisitions, which often result in more than one brand of Physical Access Control System (PACS) in the organization. In enterprises with more than one brand of PACS and several facilities or areas users must enter, a user may have more than one physical access credential, and therefore more than one physical identity.

Unconverged identity management systems either result in error-prone manual interventions or security issues!

Next: The Need for Converging Identities

Stuxnet Accelerates Exponential Decay!

Often, change within the technology arena is seen through the lens of Moore’s Law: computer power doubles every eighteen months. Many predictions of the Law’s demise have come and gone. As technology approaches the physical limitations inherent in Moore’s Law, innovation has accelerated. Moore’s Law was convenient for expressing technology’s exponential growth.

However, the Law’s converse – exponential decay – has eclipsed the “Law” and is unrestrained.  The broader concept of exponential decay operates unreservedly.  Exponential decay spurs innovation, is unrestrained by the present, and arises from the half-life of earlier developments. 

Information security solutions are following the same construct: exponential decay. The perimeter defense built to address external threats has degraded to also-ran status. Expanding business needs and active circumvention of the perimeter render it less and less effective.

The progression of security threats, similarly, follows an exponential decay model.  Hacking has given way to monetization attacks and espionage; sophistication grows, barriers to entry decrease, and specialization rises.  Exponential decay, also, produces geometric increases in records and funds lost in breaches.

Stuxnet’s introduction to the world represents the next stage of exponential decay.  It epitomizes a militant threat capable of incapacitating industrial production.  However, such a sophisticated cyber capability encourages derivatives. 

Stuxnet’s ability to mutate independently and to communicate between instances has profound implications. An enterprise (military, government, academic, industrial, etc.) should consider itself compromised, regardless, by some form of cyber-malice capable of harvesting or destroying value. Intra-communication is difficult to detect.

One enterprise defense against mutation and intra-communication within the enterprise is layered protection (versus layered defense). While the enterprise perimeter is an anachronism externally, it has value inside the enterprise. Tightly limiting access gives the protection and time needed to address such attacks.

Emerging technologies that allow enterprises to build layered, trusted perimeters, rings within rings, are exponential decay’s response to these new threats. Watch for DLP, SIEM, and GRC applications to add layered perimeter capabilities and tracking of intra-communication. Include intra-communication monitoring within perimeters as a required feature in product selection or expansion.

Authored by Charles King, CISSP – King Information Security, LLC

The Need for Converging Identities

Part 2 in the Converged Identity and Access Management Series

One of the most important reasons for converging identities is that logical and physical identities multiply when they are disconnected, and it is time-consuming, expensive and inefficient to manage them. This applies across all the organization’s domains: IT, physical security, business units and risk managers.

Another equally pressing issue is that security can be more easily compromised when physical and logical identities are separated. A physical identity may appear legitimate to a standalone PACS even though it is no longer trusted by the enterprise network. That is what happens when an employee is terminated in the logical systems and that information isn’t immediately relayed to the PACS. If the enterprise has more than one PACS, and they are not integrated with each other, it may take several more steps to ensure that every PACS blocks the ex-employee’s credentials.

Physical or logical credentials that are kept alive after an employee has left the enterprise can cause a compliance gap and, at worst, can leave the virtual or physical door open to fraudulent attacks. The federal government has acknowledged the importance of converging technologies and has been a significant driver of their development. For example, in 2004 Homeland Security Presidential Directive 12 (HSPD-12) was issued, requiring all federal government employees and agencies to use a converged physical and logical ID badge. Standards were created for how the badge is designed, what identity elements are present inside the card, and how the card is used for physical and logical access. This policy is intended to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.

Converged Identity and Access Management

Part 3 in the Converged Identity and Access Management series

Converged IAM (Identity and Access Management) can be understood as a system that brings together disparate physical and logical access control systems to create a single trusted identity and one credential that carries its rights and access across the enterprise.

Converged IAM can’t exist without network connections – preferably automatic, software driven ones – between these logical and physical identity systems.

The most typical use case right now involves a card reader integrated with an identity management or directory system such as Active Directory or LDAP. Users swipe the access card at the door and use that same access card to log on to network resources.

Logical identity integrations for a user usually begin with links between human resources systems, an IT network component and the enterprise directory. The directory software, such as Microsoft’s Active Directory or similar tools based on the Lightweight Directory Access Protocol (LDAP), ensures that any employee has the network, software and database access — the virtual provisions — they’ll require to do their work.

Many large enterprises already use identity management tools from vendors like IBM, Novell, Oracle and Sun, to provision users from the HR system into the directory. That process is fairly well-automated. The disconnection between logical and physical identity usually appears when it’s time to provision a user’s physical access rights—at the most basic, where and when that person is allowed to be within the enterprise. In many enterprises, this task is typically still manual: A phone call, email or fax from HR alerts the physical security department to put the new employee into the PACS and create an access badge for him.

Integrating the PACS with the enterprise directory enables enterprises to address the issue of disconnected physical and logical identities. Here the value for the organization is that integration allows them to have a better understanding of who has rights to their network and their physical facilities. It allows them to manage access rights and people’s responsibilities within the organization more efficiently.
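The gap described in Part 2 (a termination recorded in HR that never reaches one of several PACS) and the HR-to-directory-to-PACS integration described in this part, as an added example that is not the series' own code or any vendor's API: HR is treated as the authoritative source, a reconciliation lists every directory account or badge that should no longer be live, and a deprovisioning step revokes an employee from every connected system at once. All records, names and field names are constructed for illustration.

```python
"""Reconciling HR status against the directory and several PACS.

Added example, not the series' own code or any vendor's API: it models the
gap described above (a termination recorded in HR that is not relayed to one
or more PACS) as a reconciliation against the authoritative HR source, and
then deprovisions the employee from every connected system. All records,
names and field names are constructed for illustration.
"""

# Authoritative source (HR): employee id -> name and employment status.
HR = {
    "e100": {"name": "alice", "status": "active"},
    "e101": {"name": "bob", "status": "terminated"},
    "e102": {"name": "carol", "status": "active"},
}
# Enterprise directory: account name -> enabled flag.
DIRECTORY = {"alice": True, "bob": True, "carol": True}
# Two PACS brands left over from a merger, each with its own credential store.
PACS = {
    "pacs-hq": {"alice": "active", "bob": "active", "dave": "active"},
    "pacs-plant": {"alice": "active", "bob": "revoked", "carol": "active"},
}


def reconcile(hr, directory, pacs):
    """Return sorted (system, name, finding) tuples for credentials that the
    HR source says should not be live: accounts or badges of terminated staff,
    and badges with no HR record at all (typically a merger leftover)."""
    findings = []
    known = {rec["name"] for rec in hr.values()}
    for rec in hr.values():
        if rec["status"] != "terminated":
            continue
        name = rec["name"]
        if directory.get(name):
            findings.append(("directory", name, "account enabled for terminated employee"))
        for brand, creds in pacs.items():
            if creds.get(name) == "active":
                findings.append((brand, name, "badge active for terminated employee"))
    for brand, creds in pacs.items():
        for name, state in creds.items():
            if state == "active" and name not in known:
                findings.append((brand, name, "badge with no HR record"))
    return sorted(findings)


def deprovision(name, directory, pacs):
    """Disable the directory account and revoke the badge in every PACS.
    Returns the list of systems that were changed, for the audit trail."""
    touched = []
    if directory.get(name):
        directory[name] = False
        touched.append("directory")
    for brand, creds in pacs.items():
        if creds.get(name) == "active":
            creds[name] = "revoked"
            touched.append(brand)
    return touched


if __name__ == "__main__":
    for finding in reconcile(HR, DIRECTORY, PACS):
        print(finding)
```

With the constructed data, bob (terminated) still has an enabled directory account and an active badge at headquarters, while dave holds a badge that no HR record explains; running `deprovision("bob", ...)` clears the first two findings and leaves only the orphan badge for manual follow-up. In practice the same reconciliation would be scheduled against the live HR feed, which is the automation the manual phone-call-or-fax process lacks.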

Next: The Importance of IT in Convergence

Secure File Uploads – Risky?

Recently we have had several inquiries into the risks surrounding uploading files. Here is how you can think about this risk:

File uploads have become a critical feature of today’s applications and a focus of application security. As people and systems continue to depend on them for business operations, file upload usage will keep growing, as will the features that upload components offer. For example, allowing an end user to upload files to websites such as social networking sites, blogs, forums, e-banking sites, video blogs, or corporate support portals lets that user share files efficiently with corporate employees. Users are allowed to upload images, videos, avatars and many other types of files, and each of these openings can also give a malicious user a way to compromise your server.

The more upload capability is handed to the end user, the greater the risk of a vulnerable web application, and the greater the chance that the functionality will be abused by malicious users to gain access to a specific website or to compromise a server.

It is therefore imperative that proper risk management be applied, and that security access controls and policies be implemented, to maximize the benefits while minimizing the risks associated with such features.

The following best practices should be enforced wherever file uploads are allowed on a website or any other application; they will help you secure the file upload forms used in web applications. A few of the recommended practices are:
• Store uploaded files in a directory outside the web server root.
• Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
• Create a list of accepted MIME types and map each to the extension that will be used for the stored file.
• Generate a random file name and append the extension derived in the previous step.
• Don’t rely on client-side validation only, since it is not enough; ideally both server-side and client-side validation are implemented.
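The five practices above carried through in one server-side upload handler, as an added example that is not the post's own code: the upload directory must lie outside the web root, the stored name is random with an extension taken from an allow-listed MIME type rather than from the client, the leading bytes are checked against that type on the server, and the file is created with an exclusive open so nothing existing can be overwritten. The web root, upload directory and sample bytes are constructed, and the `MAX_BYTES` size limit is an assumption added here rather than one of the listed practices.

```python
"""Server-side handling of an uploaded file following the practices above.

Added example, not the post's own code: stores uploads outside the web root,
refuses to overwrite, maps an allow-listed MIME type to the stored extension,
checks the file's leading bytes against that type, and names the file at
random. The web root, upload directory and sample bytes are constructed for
illustration; the MAX_BYTES limit is an assumption, not a stated practice.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Accepted MIME types and the extension *we* assign; the client's file name
# and extension are never used.
ALLOWED = {
    "image/png": "png",
    "image/jpeg": "jpg",
    "image/gif": "gif",
    "application/pdf": "pdf",
}
# Leading bytes expected for each accepted type (server-side content check).
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the reason is the message."""


def store_upload(data: bytes, declared_type: str, upload_dir: Path, web_root: Path) -> Path:
    """Validate `data` and write it under `upload_dir`; return the new path."""
    upload_dir, web_root = Path(upload_dir).resolve(), Path(web_root).resolve()
    # Practice 1: the upload directory must lie outside the served tree.
    if upload_dir == web_root or web_root in upload_dir.parents:
        raise UploadRejected("upload directory is inside the web root")
    # Practices 3 and 5: allow-list the declared type on the server, whatever
    # the browser said, and verify the content actually looks like that type.
    if declared_type not in ALLOWED:
        raise UploadRejected(f"type not accepted: {declared_type}")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not data.startswith(MAGIC[declared_type]):
        raise UploadRejected("content does not match declared type")
    # Practice 4: random name plus the extension derived from the MIME type.
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / f"{secrets.token_hex(16)}.{ALLOWED[declared_type]}"
    # Practice 2: O_EXCL makes the open fail if the name already exists, so an
    # existing file (e.g. .htaccess) can never be overwritten.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo():
    """Run the validator against constructed inputs in a temp dir and return
    what happened, so the behaviour can be checked without a web server."""
    base = Path(tempfile.mkdtemp()).resolve()
    web_root, uploads = base / "www", base / "uploads"
    png = MAGIC["image/png"] + b"\x00" * 16   # constructed, minimal PNG prefix
    results = {}
    stored = store_upload(png, "image/png", uploads, web_root)
    results["stored_suffix"] = stored.suffix
    results["stored_outside_root"] = web_root not in stored.parents
    results["stored_exists"] = stored.is_file()
    for label, args in {
        "html": (b"<html>", "text/html", uploads, web_root),
        "mismatch": (b"not a png", "image/png", uploads, web_root),
        "in_root": (png, "image/png", web_root / "files", web_root),
    }.items():
        try:
            store_upload(*args)
            results[label] = "accepted"
        except UploadRejected as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The declared MIME type is treated only as a claim: it selects which signature to check and which extension to assign, and the bytes must agree with it. Serving the stored files back through a download handler that sets its own `Content-Type`, rather than exposing the upload directory directly, keeps practice 1 meaningful.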

As the list above suggests, there are many ways a malicious user can bypass file upload form security. For this reason, when implementing a file upload form in a web application, make sure to follow sound security guidelines and test them properly. Enterprises that are considering the use of file uploads in their environment should weigh the benefits the technology can offer against the additional risks incurred. Once benefits and risks are understood, businesses should use a governance framework to ensure that process and policy changes are implemented and understood, and that appropriate levels of security are applied to prevent data loss.

If you have additional questions regarding Secure Development Lifecycle contact Karl Kispert at karl.kispert@aujas.com.

Curbing Access Risk: Role Based Access Governance

Access risk until now was viewed as an intrinsic risk about which organizations could do little, but my recent findings made me realize that there is more to it than meets the eye. Access risk is defined as “risks related to unauthorized or inappropriate access”. The Verizon Business 2010 research report reveals the importance of curbing insider access risks and highlights that the percentage of breaches that involved insiders increased 26% over the previous year (48%).

While access risk continues to be a challenge, organizations can curb it by taking a few preventive measures, as many industry experts have noted.

  • Policy Enforcement: Can a person deliberately perform a harmful act if she/he has just the right access? Excerpt from Wikipedia: “With the concept of Segregation of Duties, business critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function”. This gives me confidence that the chances of a single person being a threat go down drastically if the access policy is defined and enforced properly.
  • Certification: Let us assume that, at one point in time, every person in the organization has just the right access to the resources needed to perform their work; can this status be maintained in today’s business environment, where delegation of tasks is a day-to-day phenomenon? Probably not, because managing changes in user access across the organization, such as granting entitlements, revoking access, and setting permissions for a new role, is complicated for many organizations. Periodic review of entitlements not only provides insight into who has what access, but also helps fine-tune the access policy so that fewer exceptions occur in the future.
  • Role Lifecycle Management: In large organizations entitlements can run into the tens of thousands, and quarterly or biannual certification of every entitlement would give managers nightmares. The number of roles in an organization is much smaller than the number of entitlements, so defining roles and grouping entitlements into business roles makes more sense. Certifying roles rather than entitlements is less time-consuming.
  • Violation Report: A dashboard with application-specific reports, such as orphan accounts in a system and roles violating segregation of duties, empowers application owners to view and remediate policy violations.

To counter access risk, organizations need to reassess their processes to assign system resources and privileges to users, and adopt a complementary solution that addresses end-to-end access certification process across the organization.

An Access Governance Platform has emerged as a solution that covers the preventive measures mentioned above. With an Access Governance Platform, organizations can tackle access risk more efficiently through a process that automates manual tasks and enforces accountability. The platform provides auditable evidence of compliance and creates an effective process for access delivery across the organization.

An access governance platform collects data from various sources such as a central directory server, the identity and access system, applications, files and folders, etc. The collected raw data is aggregated and correlated to make it concise.

The diagram below shows data and processes in an access governance platform.

An access governance platform provides dashboards for various categories of users (user, supervisor, admin, auditor, etc.) and an interface to perform certification, send reminders, change the certification plan, define policy, raise requests for access or resources, and take action on policy violations. In a nutshell, an access governance platform:

  • Automates the validation of user entitlements and roles, certification, monitoring, reporting and remediation
  • Gives enterprise-wide insight into user access and determines if the access is appropriate and compliant with policies
  • Facilitates complete lifecycle management for roles: Creation (using bottom up role mining), validation and enhancement.
  • Allows automation of managing access requests and changes
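Three of the measures from the preventive-measures list above (segregation-of-duties enforcement using the four function types quoted from Wikipedia, the orphan-account violation report, and role-based rather than entitlement-based certification) and the corresponding platform functions in the list just above, as one added example that is not code from the post or from any access governance product. Applications, accounts, entitlement names, roles and the HR roster are all constructed for illustration.

```python
"""Violation reporting and role-based certification for access governance.

Added example, not code from the post or from any access governance product:
it implements three of the measures described above over constructed data:
a segregation-of-duties check using the four function types quoted from
Wikipedia, an orphan-account report, and the grouping of entitlements into
business roles so that reviewers certify roles rather than raw entitlements.
Applications, accounts, entitlement names and roles are all constructed.
"""

# Employees still present in the HR system (constructed).
HR_ACTIVE = {"e100", "e101", "e102"}

# (application, account, owning employee id or None, entitlements)
ACCOUNTS = [
    ("erp", "alice", "e100", {"po_approve", "vendor_pay"}),
    ("erp", "bob", "e101", {"po_create"}),
    ("erp", "svc_batch", None, {"gl_post"}),          # no owner on record
    ("ap", "carol", "e102", {"bank_reconcile"}),
    ("ap", "mallory", "e199", {"vendor_pay"}),         # owner left HR
]

# Which of the four SoD function types each entitlement grants.
FUNCTION_OF = {
    "po_approve": "authorization",
    "po_create": "record keeping",
    "gl_post": "record keeping",
    "vendor_pay": "custody",
    "bank_reconcile": "reconciliation",
}

# Business roles as bundles of entitlements (what bottom-up role mining yields).
ROLES = {"buyer": {"po_create"}, "approver": {"po_approve"}}


def sod_violations(accounts, function_of):
    """Employees holding more than one function type across all their
    accounts, as sorted (employee, [function types]) tuples."""
    functions = {}
    for _app, _acct, owner, ents in accounts:
        if owner is None:
            continue
        for ent in ents:
            functions.setdefault(owner, set()).add(function_of[ent])
    return sorted((emp, sorted(f)) for emp, f in functions.items() if len(f) > 1)


def orphan_accounts(accounts, hr_active):
    """Accounts with no owner, or an owner no longer in HR, as sorted (app, account)."""
    return sorted((app, acct) for app, acct, owner, _ in accounts
                  if owner is None or owner not in hr_active)


def certification_items(accounts, roles):
    """For each account, the roles it fully holds and the leftover entitlements
    that must still be certified one by one. Returned as
    {(app, account): (sorted role names, sorted residual entitlements)}."""
    items = {}
    for app, acct, _owner, ents in accounts:
        held = sorted(r for r, bundle in roles.items() if bundle <= ents)
        covered = set().union(*(roles[r] for r in held)) if held else set()
        items[(app, acct)] = (held, sorted(ents - covered))
    return items


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ACCOUNTS, FUNCTION_OF))
    print("Orphan accounts:", orphan_accounts(ACCOUNTS, HR_ACTIVE))
    for key, (held, residual) in certification_items(ACCOUNTS, ROLES).items():
        print(key, "roles:", held, "residual:", residual)
```

On the constructed data alice is flagged because her accounts combine authorization (approving purchase orders) with custody (paying vendors), the batch service account and mallory's account surface as orphans, and the certification view shows a reviewer only the `approver` role plus one residual entitlement for alice instead of every raw entitlement. The SoD check is deliberately done per employee rather than per account, since the conflict only becomes visible once entitlements from all of a person's accounts are correlated.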

However, with a large volume of access change requests every day, can an access governance platform keep pace with the needs of the business and compliance? Current products in the market provide the flexibility to adopt a centralized yet local deployment architecture. An organization may not be mature enough to leverage the entire functionality in one go. For example, to start with, an organization may choose to deploy only the compliance component for some applications; later, the deployment can be extended to cover other applications and role management. The deployment approach and the participation of users determine the success of an access governance solution.

I would like to hear your thoughts!