Identity

IBM Security Privileged Identity Manager CVE-2016-0353 Information Disclosure Vulnerability

Bugtraq ID: 94543
Class: Design Error
CVE: CVE-2016-0353
Remote: Yes
Local: No
Published: Nov 24 2016 12:00AM
Updated: Nov 25 2016 09:04PM
Credit: The vendor reported the issue.
Vulnerable: IBM Security Privileged Identity Manager 2.0
Not Vulnerable:


SecurityFocus Vulnerabilities

Are Too Many Companies Putting Identity and Access at Unnecessary Risk in Their Move to the Cloud?

I was chatting with the CSO of a Fortune 500 company a couple of weeks ago and the topic came around to cloud services. Her company is famously cloud-averse.

“I know you guys don’t do cloud,” I began, “but are you moving to Office 365?”

“Probably. Eventually. I think we’re going to get dragged there whether we want to go or not,” she replied.

Microsoft Office has long been the most popular business productivity software suite. Now the Redmond-based giant is aggressively promoting its cloud-based version, Office 365, to organizations of all sizes. The promise of Office 365 is better collaboration (do we really need to email 12 MB Word docs around all the time?), which should increase user productivity. In theory, creative employees can use it to collaborate anytime, anywhere, from any device.

For small businesses particularly, the lure of a few dollars each month for the cloud version instead of hundreds of dollars per employee for the desktop suite is a huge temptation and given the choice, they’ll just go with it. I would, skinflint that I am.

But larger organizations, such as the one run by the CSO I was chatting with, want to be more proactive about their cloud security. And she’s right to think that way; most Office 365 deployments result in user credentials (including C-level usernames and passwords) going to the cloud whether they mean to or not.

Don’t believe me? Let’s look at the three identity and access management models used by Office 365.

Cloud Identity Model – All your passwords belong to Microsoft.

The simplest Office 365 identity model is the Cloud Identity Model, where user names and passwords are managed solely in the cloud, with Office 365 creating the user identity. The user identity is stored in and verified by Azure Active Directory.

Synchronized Identity Model – Passwords hashed on-premises and in the cloud.

In the Synchronized Identity Model, an organization’s on-premises server manages user identity, while the user account and password hashes are synchronized to Azure AD. Users enter the same password on premises as they would in the cloud, with their password hashes verified by Azure Active Directory.

Federated Identity Model – The most secure, but still sees mobile user passwords.

The Federated Identity Model is the most secure method to access Office 365. It is similar to the Synchronized Identity Model but uses an on-premises identity provider to verify the user password hash. That means the password hash does not need to be synchronized to Azure Active Directory.

The Federated Identity model suffers from a mobile client password gap. Nearly all mobile email clients use the ActiveSync protocol. ActiveSync doesn’t support federation and transmits the user password to Azure AD. Azure AD sends the password back to the on-premises identity manager for verification over an encrypted tunnel, but is that good enough?

What’s the Threat Model Here, Anyway?

Here’s a short list of possible threat vectors you’d consider if you were doing a threat model assessment for any of the cloud password management models (including the three above):

  • Cloud breach
  • Man-in-the-middle attack
  • Rogue cloud employee
  • Nation-state (subpoena)
  • Accidental credential logging
  • Phishing attack

Where possible, Microsoft has clearly done what it can to avoid seeing user passwords, but they still do. And there are plenty of examples of all of the above threats being realized. Whether or not these threat vectors fall into your assessment model is up to your organization.

Closing the Gap

Many organizations have decided that they are comfortable with this gap. No model is 100 percent secure, right? But a few CSOs want to close the gap before they make the switch. Right now, the way to do it is to intercept and proxy ActiveSync connections from the client to an on-premises proxy which then encrypts the passwords before they transit to Azure AD.

The final step is to implement adaptive multi-factor authentication (MFA). Adaptive MFA is risk-based authentication and can include certificate checks and context-aware, one-time passwords (OTP) via email.

Most organizations say they support MFA but when you drill down, they’re only providing it to select users (C-levels, hopefully, and IT, and a few others). MFA that covers only some users isn’t ideal, but it’s better than no MFA at all.
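Before closing the ActiveSync gap with a proxy or MFA, it helps to measure it. The following is an added example, not code from the column or from F5: it parses Azure AD sign-in records (the field names userPrincipalName, clientAppUsed and authenticationRequirement are real export fields; the sample records themselves are constructed) and reports which users still authenticate through password-bearing legacy clients, and how many of those sign-ins had no MFA.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real log data). Field names follow
# the Azure AD sign-in log JSON export; users, addresses and values are invented.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.8"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.8"},
    {"userPrincipalName": "carol@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "203.0.113.11"},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.9"},
])

# Client types that present the user's password directly to Azure AD instead
# of being redirected to the federated identity provider. ActiveSync is the
# case the column discusses; the other basic-auth mail protocols share the gap.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Other clients"}


def load_signins(raw_json):
    """Parse an exported sign-in log (a JSON array of records)."""
    return json.loads(raw_json)


def legacy_auth_report(records):
    """Per user: how many sign-ins came through a legacy client, how many of
    those were single-factor, and which client types were involved."""
    report = defaultdict(lambda: {"legacy": 0, "single_factor": 0, "clients": set()})
    for rec in records:
        client = rec.get("clientAppUsed", "")
        if client not in LEGACY_CLIENTS:
            continue
        entry = report[rec["userPrincipalName"]]
        entry["legacy"] += 1
        entry["clients"].add(client)
        if rec.get("authenticationRequirement") == "singleFactorAuthentication":
            entry["single_factor"] += 1
    return dict(report)


def gap_summary(records):
    """Tenant-wide view of the gap: how many users and sign-ins still rely on
    password-bearing legacy clients, and how many of those had no MFA."""
    per_user = legacy_auth_report(records)
    return {
        "users_total": len({rec["userPrincipalName"] for rec in records}),
        "users_with_legacy_auth": len(per_user),
        "legacy_signins": sum(u["legacy"] for u in per_user.values()),
        "legacy_signins_without_mfa": sum(u["single_factor"] for u in per_user.values()),
    }


if __name__ == "__main__":
    signins = load_signins(SAMPLE_SIGNINS)
    for user, entry in sorted(legacy_auth_report(signins).items()):
        print(f"{user}: {entry['legacy']} legacy sign-ins, "
              f"{entry['single_factor']} without MFA, via {sorted(entry['clients'])}")
    print(gap_summary(signins))
```

The users the report lists are the ones whose passwords still transit Azure AD under the federated model and who are therefore the first candidates for the proxy and adaptive MFA described above.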

Cloud Should Be More Than Someone Else’s Computer

Getting back to the conversation with that CSO. Even though her organization is famously cloud-averse, she knows they’re going to end up editing Word documents and PowerPoint files in the cloud. When they do, there will be no turning back. Her staff’s real challenge will be managing the risk before – and when – that happens.


David Holmes is an evangelist for F5 Networks' security solutions, with an emphasis on distributed denial of service attacks, cryptography and firewall technology. He has spoken at conferences such as RSA, InfoSec and Gartner Data Center. Holmes has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. Since joining F5 in 2001, Holmes has helped design system and core security features of F5's Traffic Management Operating System (TMOS). Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. With more than 20 years of experience in security and product engineering, Holmes has contributed to security-related open source software projects such as OpenSSL. Follow David Holmes on twitter @Dholmesf5.



SecurityWeek RSS Feed

Symantec made its first major acquisition of the Blue Coat Systems era with a $2.3 billion acquisition of identity protection firm LifeLock.

The Symantec-LifeLock deal is expected to close in the first quarter of 2017; the antivirus software maker paid $24 a share for LifeLock, which is approximately 16 percent higher than LifeLock's closing stock price of $20.75. Rumors of the acquisition emerged last week with Bloomberg News reporting that Symantec, along with investment firms Permira and TPG Capital, were interested in bidding on LifeLock.

The LifeLock purchase comes just a few months after a major shakeup at Symantec. The security software giant purchased web and cloud security firm Blue Coat Systems for $4.65 billion in June; Blue Coat CEO Greg Clark was named as Symantec's chief executive, filling the void left by former CEO Michael Brown, who resigned from Symantec in April.

However, the acquisition of LifeLock is a departure from Symantec's recent efforts to chart a new course beyond its legacy antivirus and consumer-focused businesses and focus on new opportunities in cloud security. Following the Blue Coat acquisition, Symantec outlined its "cloud generation" vision, which was carried over from Blue Coat's own strategy to increase its cloud security offerings and combine them with existing web and networking technology.

But in Symantec's second quarter 2017 earnings call earlier this month, Clark stated that although the consumer security business had been in decline, he felt there was still room to grow.

"We believe the market opportunity for protecting consumers is larger than what our current consumer products address today," Clark said. "As we move to further penetrate these opportunities, we expect the Consumer Security business to improve its growth trajectory as we move beyond the PC."

In a conference call Monday, Clark said LifeLock's technology will complement Symantec's Norton consumer products and expand the scope of consumer security offerings.

"Consumers pay between 2x and 3x more for identity protection than they pay for endpoint malware protection," he said. "With this acquisition Symantec accelerates its Consumer Business' return to growth by offering a digital safety platform to protect information, devices, networks and identities of consumers."

LifeLock, which was founded in 2005, has established itself as one of the leading companies in the consumer identity protection market, but the company ran afoul of the U.S. Federal Trade Commission over the years. In 2010, the company paid $12 million to settle claims that it used false claims to promote its identity theft protection services. Under the 2010 settlement, LifeLock agreed to refrain from making deceptive marketing claims and promised to "take more stringent measures to safeguard the personal information they collect from customers," according to the FTC.

However, in 2015 LifeLock was forced to pay an additional $100 million to settle FTC contempt charges after the agency found that LifeLock had violated aspects of the 2010 settlement. Specifically, the FTC said LifeLock "failed to establish and maintain a comprehensive information security program to protect users' sensitive personal information including their social security, credit card and bank account numbers." In addition, the FTC found that LifeLock continued to engage in false advertising claims and failed to abide by the 2010 settlement's recordkeeping requirements.



SearchSecurity: Security Wire Daily News

The holiday season is a time to reflect on what is really important in life and what brings us all together. That, of course, is identity governance.

IBM Security’s Identity Governance and Intelligence solution will be celebrated at three major upcoming events: the 2016 Gartner IAM Summit, a webinar focused on health care and an analyst webinar in which IBM will host Forrester. At each of these events, IBM will showcase its identity and access management (IAM) portfolio, including real-world use cases, product demonstrations, interactions with the experts and more.

Identity Governance and Intelligence Stars at Gartner IAM Summit

From Nov. 29 to Dec. 1, Gartner will host IAM vendors, business partners and customers in Las Vegas for its annual IAM Summit, arguably the largest IAM event of the year. As a major sponsor of the event, IBM will have a booth and is set to host two speaking sessions by Jason Keenaghan, program director of IAM Offering Management, and Eric Maass, director of IAM Cloud Services Strategy.

The theme of the IBM booth is “Security Starts with People.” It will feature ongoing demonstrations of IBM Security’s IAM solutions, including IBM Security Identity Governance and Intelligence, as well as experts in each area to answer any questions attendees may have. Please stop by one of IBM’s sessions or visit us at booth No. 301. We look forward to seeing you there.

IBM Takes On Health Care

On Dec. 5, IBM will host a webinar focused on governance and health care titled “Safeguard Healthcare Identities and Data With Identity Governance and Intelligence.” Believe it or not, health care is one of the hardest hit industries from an information security perspective due to the difficulty of managing and governing identities with so many complex systems in place.

Join this webinar to learn about IBM’s success in the health care industry with IBM Security Identity Governance and Intelligence, including integration with Epic and other complex electronic medical record (EMR) systems.

Register for the Dec. 5 webinar on Safeguarding Healthcare Identities and Data

Dig Into IAM Trends

On Dec. 8, 2016, IBM is very proud to be hosting Andras Cser, vice president and principal analyst serving security and risk professionals at Forrester, for a webinar titled “Identity and Access Management: What Are the Trends? How Do You Solve Them?”

As the title suggests, Andras and IBM’s Jason Keenaghan will dig into the current trends in IAM and discuss how we can solve new issues as they arise. With a particular focus on identity governance and access management, and what promises to be a lively Q&A session at the end, this is one webinar you won’t want to miss.

Register for the Dec. 8 Webinar on trends in identity and access management


Security Intelligence

Remember when sushi was exotic? Has it been a while since you thought of it as cold dead fish? That was probably before it became popular enough to cause endangerment of species. Today, sushi might be a treat, but as Americans we no longer look at it as alien – we’ve come to appreciate the colors, textures and flavors shared by our Asian friends.

Over the last 26 days, I’ve had the privilege of traveling to 11 different cities in Australia and Asia, and I’ve had my share of exotic food (by American standards). But, aside from cultural experiences, Asian perspectives helped me learn to look at identity governance in a new light.

The conventional wisdom on identity governance

Identity Governance Isn’t Just for Compliance Anymore

In my travels throughout North America and Europe, I’ve noticed that identity governance has dominated the Identity and Access Management landscape. Heavier regulations in North America and Europe have been the biggest driver of a compliance-driven approach to identity.

The analyst firm Gartner merged the topics in its Magic Quadrant for Identity Governance and Administration (IGA), first released in late 2013. And Forrester released a Wave report for Identity Management and Governance (IMG) earlier this year, providing some consensus on the state of the biggest markets for governance.

Why Asia is different

Asia is still in the early days of considering identity governance – there is a shared sense of trust in employees to do the right thing even without strict guidelines. Asian multi-national companies, of course, have to demonstrate compliance with regulations such as Sarbanes-Oxley when they operate in other jurisdictions. But for many companies, there is a real sense of insulation from regulations, and far less of a sense of urgency, as much of the focus remains on the provisioning part of IGA/IMG.

What is changing

That sense of trust without strong enforcement, however, is being tested by recent events. I happened to be in Manila when the news broke that Rizal Commercial Banking Corporation (RCBC) paid a 500 million peso (~$10.7M USD) fine to Philippine regulators, which was only half of the penalty for the role that the bank played in the 2016 Bangladesh Bank heist. In addition to the fines, the attack has cost the jobs of high-ranking members of the banks.

The FBI believes that insiders had a role to play in obtaining the credentials for payment transfers that were used to perpetrate the crime. And that has led to the realization that better management of credentials – minimizing rights through identity governance – is an important control in the fight against fraud.

In Japan, there was still a sense of shock that two Japanese men participated in an ATM heist that resulted in a loss of 1.4B yen ($13M USD) in May 2016. It is events like these that are changing the sense of isolation in Asia and introducing a realization that global interconnectedness means global vulnerabilities.

What we can learn

As the demand for identity governance in Asian companies grows, the key differentiator is that it’s going to come from a need to reduce risk. For North American and European companies, identity governance will still function primarily as a means to satisfy auditors and regulators for the foreseeable future, creating a false sense of security.

The challenge is that identity governance typically relies on business managers to certify access to sensitive systems. Those business managers neither understand, nor care much about risk, and while they rubber-stamp their attestations to satisfy auditors, there is little risk reduction occurring as a result. 

The Asian companies that I met with have little interest in a compliance charade, because that isn’t the challenge that they need to solve. They are interested in how identity governance can be used to enforce separation of duties, and discover and eliminate excessive entitlements. 

Like learning to appreciate different Asian perspectives in food, we could learn to shift the focus of identity governance from compliance to risk management.


Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.



SecurityWeek RSS Feed


Promo: Need to know more about the role of biometrics, such as fingerprint, DNA, facial and iris recognition, in identity management? Sign up now for Biometrics 2016, three days of expert insight and discussion in the heart of London from 18 to 20 October 2016.

You can get more information and sign up at Biometrics 2016 but here is a summary of what to expect.

Attending as a delegate will give you unique access to an amazing group of more than 65 exceptional speakers from many different industries who will share insight, stimulate innovative thinking and provide practical solutions for identity management in the following areas:

  • Customer authentication
  • Mobility and payments
  • Information security and fraud
  • Law enforcement, forensics and military applications
  • Border control and travel
  • Privacy and data protection

In addition to large-scale government projects and its use in border control and law enforcement, the use of biometrics in mainstream customer-facing applications such as mobile payments comes under the spotlight in dedicated session tracks including speakers from Santander and Mastercard.

An interactive format combines expert talks with panel discussions and Q&A sessions and plenty of time for additional networking during the refreshment breaks.

You can download the full programme here.

Free Exhibition and Seminar Programme

A free exhibition where you can meet with international suppliers and integrators of biometric solutions for identity management, authentication and security is co-located with the conference and open to visitors on 19 and 20 October. There is also a varied programme of free seminars at the exhibition, available on a first-come, first-served basis. Entry to the Exhibition is free but you need to sign up online for tickets.

More about Biometrics 2016

Privacy and data protection and the need to build consumer trust in why their biometric information is being collected and how it is handled, stored and potentially deleted continues to play a big role in the adoption of biometrics. This is particularly true in future growth areas that put biometrics at the heart of the consumer experience, for example travel, mobile payments and consumer electronics.

In a dedicated session, leading experts, including Pam Dixon, Executive Director of the World Privacy Forum, look at current thinking and highlight how the law needs to change to keep pace with technology.

Additional breakout sessions over the three days look at developments in the key vertical markets for biometrics, with a strong focus on financial services and mobile payments.

Isabelle Moeller, programme chair and CEO of the Biometrics Institute, says she is excited about the quality of this year’s programme: “We are once again delighted with the high calibre of speakers coming to London for Biometrics 2016. This event will give delegates a unique opportunity to learn from representatives of major international biometric implementations and projects and provides an outstanding opportunity to share, understand and discuss how biometrics can offer security and authentication solutions for their own projects.”

Sign up today here.



The Register - Security

Seagate is trying to fight off a suit filed by employees whose personal information was lost when the storage giant was hit with a phishing attack.

The company is currently in the midst of a hearing over whether the aggrieved workers have grounds to sue their employer for negligence after someone in human resources was duped into handing over copies of employee W‑2 tax forms.

The suit [PDF], originally filed in July through the Northern California District Court, accuses the hard drive maker of negligence and unfair business practices stemming from the March 1, 2016 incident, when a phishing attack led to the exposure of the W‑2 information of all Seagate employees, as well as of family members and beneficiaries named in employee W‑2 forms.

The suit claims that the attackers have already begun using the information lifted in the breach. It asks that Seagate be required to pay out damages and fees to a nationwide class of Seagate employees and others named in the pilfered W‑2s.

"No one can know what else the cybercriminals will do with the employees' and third-party victims' personally identifiable information. However, the employees and third-party victims are now, and for the rest of their lives will be, at a heightened risk of identity theft," the suit alleges.

"Many employees and third-party victims have already suffered out-of-pocket costs attempting to rectify fraudulent tax returns and engaging services to monitor and protect their identity and credit."

The storage giant, however, disputes the claims and is trying to have the case thrown out of court.

This week, Seagate has entered into hearings on a motion that the case be dismissed on the grounds that it should not be held responsible for the actions of the criminals who carried out the phishing attacks.

"Plaintiffs seek to hold Seagate responsible for harm allegedly caused by third-party criminals," Seagate claims.

"But Plaintiffs cannot state a claim based solely on the allegation that an unfortunate, unforeseen event occurred. They must actually allege facts that show they are entitled to relief from Seagate."

Should Seagate's motion to have the suit thrown out fail, the case will continue toward a jury trial later this year. ®



The Register - Security


Laurène Hummer

Global Portfolio Marketing for IAM Security Services, IBM Security

Laurène Hummer leads the global portfolio marketing efforts for Identity and Access Management (IAM) Services at IBM. She enjoys speaking to industry trends, technology...


With the increase of insider threats, unauthorized access and mounting regulatory pressures, many security professionals are turning their focus to identity governance and intelligence. To learn more about this topic, we turned to one of IBM’s identity and access management specialists, Andy Taylor.

Taylor has more than 14 years of identity and access management experience, with a particular focus on access governance and privileged account management processes. Over the years, he has performed a variety of consulting roles with specialist IAM boutique firms as well as with the Big Four consulting groups.

Having consulted for, been a solution architect for and led some of the largest client programs, Taylor is currently a senior managing consultant and governance expert for IBM Security.

Question: What are organizations that are investing in identity governance today hoping to achieve?

Taylor: Identity governance initially sought to simplify and automate processes for IT and audit’s benefit. It was about implementing a basic and often rudimentary access request portal or paper-based recertification process to address an audit point, for example.

Processes are now becoming highly complex, state-of-the-art in their design, required to be very tightly governed and, importantly, cost effective. This is due to today’s compliance, regulatory-driven and often mandated requirements.

There is new emphasis on demonstrable control, being able to evidence it in a sustainable manner, while addressing the needs of the ever-changing business landscape. These needs are generally supported by a plethora of vendor companies who provide out-of-the-box, relatively ready-to-run processes for whatever process or control you are seeking to address in any given market.

Do these goals change depending on the maturity of the organization?

Some smaller organizations are still taking initial steps toward setting the right foundations or are now starting to mature their governance program from previous initiatives. Their efforts are often born from migrating from paper- and email-based process or in-house legacy tool sets that are generally time consuming, costly to manage or provide insufficient evidence for audit purposes.

On the other end of the spectrum, there are global, industry-leading companies who are taking innovative approaches to performing certifications, detecting or actually wanting to prevent segregation of duties breaches on vast user populations or data sets in an almost real-time manner.

Why are access governance solution deployments getting increasingly more complex?

Organizations today are seeking to integrate a far wider set of capabilities within their IAM portfolio compared to yesteryear, such as analytical, contextual and behavioral processes. But these on their own still require foundational activities to be complete and to add any significant value.

These organizations are looking to extend the boundaries of traditional vendor IAM technologies, which generally require a lot of time and resource investment to set up. We are seeing requirements now for tool sets to be integrated with external data sources that already have robust custodian processes that are dynamically referenced by the IAM product workflow or process, thus allowing the owner or custodian to manage the content in their own applications or data source, rather than loading data into and training users on the new IAM tool set.

This data could be lists of different identities, such as licensed traders, or users technically or professionally qualified to use a specific application or service. This content could also be more diverse or very specific, such as lists of cost centers or departments permitted to use an application if contained within a SAP system, for example.

Where does this new complexity come from?

As an organization’s application estate grows ever wider to cover increasingly complex business processes and functions, the IAM tool set needs to be able to handle increasing use cases, processes and reporting requirements to demonstrate control.

Also, the traditional boundaries of access governance processes — employees, contractors or temporary workers — are now expanding to include users such as suppliers, business partners and other third parties, all of which can be found in disparate locations across the business or federated source.

But each of these user repositories still requires an organization to ensure the foundations are set in place, and that the data is clean, has integrity and has defined use cases for downstream processing. But above all, they require an owner who understands both the business and identity access governance uses.

Here’s an example of what can happen if these criteria aren’t met: The HR function changes a department name, say “product marketing” to “portfolio marketing.” The old name was used in a role-based access control (RBAC) model and now has disappeared. So the system revokes swathes of user access that had been based upon the department name!

What’s the most in-demand governance feature clients are asking you about at the moment?

Perhaps the governance process receiving the most focus at present is segregation of duties (SOD). An increasing number of companies are now seeing the value of how SOD augments and forms part of robust access request and certification processes.

The traditional examples of segregation of duties are found in the requirement to separate users who have the ability to raise an invoice from those who release payment on an invoice, or segregating front and middle office trading functions.

Without segregating these duties, you leave the door open to abuses, theft or breaches due to the inappropriate actions of insiders. This is becoming more and more relevant: The IBM Cyber Security Intelligence Index found that in 2015, 60 percent of attacks were carried out by insiders. This insider threat is now leading clients to take an organization-wide view for all business processes, covering hundreds or thousands of applications in the estate, rather than the historical single application-centric approach to address specific issues.

The granularity of control you can achieve with SOD is allowing clients to achieve a far tighter degree of control, which is especially important for organizations required to comply with financial regulations. Product tool sets are able to assist with the detective aspect of a SOD rule, some even at the preventative stage during an access request.

A growing trend is to attempt to prevent a breach in the first instance — after all, why let something happen, assuming a detective control will pick it up? Generally, the SOD rule is applied at its lowest level: the entitlement level. But for organizations with hundreds of thousands, if not millions, of entitlements, it’s possible to also do this at the role level. In that case, you must detect and manage entitlement conflicts inside roles, or else you’ll expose a huge gap!

It is possible to be innovative in this space. Rather than try to onboard hundreds of rules in the tool set, you can use a handful of rules to manage very large application and entitlement numbers that perform the traditional financial segregation, process separation and data segregation checks.

Some clients are using the IAM tool set to reference external data where permitted users are defined, managed and referenced by the SOD workflow. In every case, a well-thought-out strategy of checking at all levels will lead to better results and more control.
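The entitlement-level versus role-level SOD checking described above, as an added example that is not part of the original interview: it evaluates a user's effective entitlements (roles expanded plus direct grants), flags roles that carry both sides of a rule inside themselves (the gap the answer warns about), and runs the same rule as a preventive check at access-request time. Rule names, roles, entitlements and users are constructed for illustration and do not come from any real IAM product.

```python
"""Added example (not from the original article): segregation-of-duties (SOD)
checks at the entitlement level, inside roles, and at access-request time.
All rules, roles, entitlements and users below are constructed sample data."""

# Each SOD rule names two sets of entitlements one person must not hold together.
SOD_RULES = {
    "invoice_vs_payment": ({"raise_invoice"}, {"release_payment"}),
    "front_vs_middle_office": ({"book_trade"}, {"confirm_trade"}),
}

# Roles bundle entitlements; the RBAC model grants them to users as a unit.
ROLES = {
    "ap_clerk": {"raise_invoice", "view_ledger"},
    "treasury": {"release_payment", "view_ledger"},
    # Constructed toxic role: both sides of an SOD rule live inside one role.
    "trading_desk": {"book_trade", "confirm_trade"},
}

# Users hold role memberships plus direct (out-of-role) entitlements.
USERS = {
    "alice": {"roles": {"ap_clerk"}, "direct": set()},
    "bob": {"roles": {"ap_clerk"}, "direct": {"release_payment"}},
    "carol": {"roles": {"trading_desk"}, "direct": set()},
}


def effective_entitlements(user):
    """Expand role memberships and add direct grants (the lowest level)."""
    ents = set(USERS[user]["direct"])
    for role in USERS[user]["roles"]:
        ents |= ROLES[role]
    return ents


def violations(entitlements):
    """Return the names of rules whose both sides appear in the entitlement set."""
    return sorted(name for name, (left, right) in SOD_RULES.items()
                  if entitlements & left and entitlements & right)


def user_violations(user):
    """Detective check on a user's effective (role-expanded) entitlements."""
    return violations(effective_entitlements(user))


def role_violations():
    """Conflicts hidden inside single roles; a role-only check would miss these."""
    found = {}
    for role, ents in ROLES.items():
        conflicts = violations(ents)
        if conflicts:
            found[role] = conflicts
    return found


def preventive_check(user, requested):
    """Access-request check: conflicts that granting `requested` would create."""
    return violations(effective_entitlements(user) | {requested})
```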

What about governance is in need of the most change? What’s currently not working?

Certification is where the biggest mind-shift changes are required. Historically, this process was about reviewing all users on all applications every 90 days or so via the presentation of entitlement data in its rawest form, the entitlement in IT terminology. We’d like to say those days are long gone, but this is still one of the most common approaches. In a busy workplace, spare a thought for the amount of time — and cost — reviewers are required to allocate to this task, making it more difficult to perform their own daily jobs.

There must be a smarter way to perform certifications?

There are some points to consider to improve certifications. The first is simply defining a risk-based framework to be used for recertification that can limit the scale of the effort but still address compliance concerns.

Yes, you can still review all users over time, but consider this approach to review only those applications that need to be reviewed in alignment with this rating, or better still, those users who may have sensitive or privileged access, perhaps the payments clerk, the user administrator or the trader in the front office with high trading limits. These types of roles warrant closer attention at a frequency aligned to the assets’ risk rating. This does not necessarily apply to the user who has read-only access to the corporate intranet site.

Another consideration is to include additional metadata in the recertification to assist the reviewer in narrowing down which entitlements to review. For example, last logon information allows the reviewer to clearly see the access hasn’t been used in a long period and base the decision upon that rather than each entitlement under review. Or you could leverage this information to define a policy rule in the tool set to manage inactive users. This keeps the application estate clean so inactive user accounts rarely appear in the certification. An RBAC recertification approach where you align the review to a role owner to review entitlements and membership can also help greatly, but it is worth noting that what effort you reduce on the line manager is now picked up by role owners.

So unless organizations look to change their approach, the poor old line manager performing the review, trying to understand unclear entitlement descriptions, may continue the historical rubber-stamped “retain all access” decision-based approach, which adds no value at all and doesn’t control your identities or protect your data.

So, where does that leave the business user who is just trying to get access to the tools they need to do the job?

Robust ownership and process oversight in both the IAM delivery program and the business-as-usual operational structure must address user concerns during the program. This includes being clear on communications for the business objectives, outcomes and timelines, and the planning of extensive end user education and awareness campaigns.

If you involve end users in the program, particularly during testing phases, this should create an ecosystem suitable to deliver the best user experience — one that offers flexibility for the demands of the business and, even more importantly, demonstrates control.


Topics: Access Management, IBM, identity, Identity and Access Management (IAM), Identity Governance, Insider Threat


Security Intelligence


Nick Oropall

WW Market Segment Manager, IBM Security Identity Governance and Administration

Nick Oropall is the worldwide marketing manager for IBM Identity Governance and Intelligence. He frequently comments on IAM's impact on emerging security requirements, such as...


“Internal auditors are being asked by audit committees and senior managers to step outside their comfort zones. How are you addressing the fast-paced changes in technology, information security, risk management, governance and compliance?”

The lines above serve as MISTI’s introduction to the SuperStrategies conference, but they’re also an introduction to the direction of IT audit and information security. Once upon a time, these two areas were separate islands. That is no longer the case.

What Is Identity Governance?

Identity governance helps to answer the questions:

  • How can we verify who has access to what?
  • How can we understand if this is access that they actually need?

But there’s more to identity governance and intelligence. It has become a security control, a safeguard against insider threats and a means of effective communications between the business, IT and audit.

Worlds Colliding: Identity Governance and IT Security

It is critical to select the right identity governance and intelligence solution. It can help to identify who has access to what and whether they should have that access. Analytics can help optimize roles and user access while simultaneously helping to prioritize high-risk access or users.

Gone are the days when identity and access management could be separate from IT security. The two are intertwined, and that makes communication critical. Identity governance and intelligence needs to be the solution that fosters communication between the audit and IT teams, as well as the solution that enables business managers to make the right access decisions.

Discover More at SuperStrategies 2016

The 2016 SuperStrategies agenda is designed to help internal audit executives better understand the challenges they are facing every day. Featured keynotes include Thierry Dessange, the VP of Technology Audit at Visa, and Robert King, CVP and chief audit executive at FedEx.

If you are interested in hearing more about how identity governance and intelligence brings security and compliance together, please come to MISTI SuperStrategies, which is taking place Sept. 27 to 29 in Las Vegas. Be sure to stop by IBM’s booth. We look forward to seeing you there!

For additional information on this topic, check out the on-demand webinar “How Identity Governance Can Help Protect Your Organization,” presented in July by MISTI and IBM.

Topics: Identity and Access Governance (IAG), Identity and Access Management (IAM), Identity Governance, Security Conferences

