|By Vadim Lander||
|February 21, 2013 06:00 AM EST||
Identity management just isn't what it used to be. Gone are the days when knowing who had access to what was simply enough. In today's world of increasing government and industry regulation; networked communications and collaboration; and pervasive mobility, the requirements have fundamentally changed. Effective identity management and access governance requires insight into not only what employees are doing with their access to systems and applications, but also how well an organization is managing and securing that access.
Such a comprehensive understanding of an organization's access matrix is essential to reducing the risks that employees, partners, customers, and even malicious third parties can introduce. It is also critical to efforts to comply with regulations that mandate access controls. In fact, without it companies have no way to provide meaningful evidence to auditors explaining how and why they assign access.
The need to perform the numerous complex tasks that comprise identity management - such as certifying access, enforcing security policy, and remediating policy violations - is compounded by the reliance on slow, error-prone manual processes to handle them. These issues, coupled with the lack of a comprehensive, cohesive approach to compliance and auditing, make it nearly impossible to address the challenge in an effective and cost-efficient manner.
As a result, enterprises are in the unenviable position of committing significant resources to compliance efforts with little assurance that they will prove successful. Most struggle with satisfying stringent compliance mandates to perform access reviews of users with access rights to thousands of business applications and target platforms, and making it a sustainable and repeatable exercise. Adding to the challenge is the fact that organizations are faced with implementing identity compliance policies within short windows and often with limited resources.
To keep pace in an increasingly competitive business landscape, obtaining quick compliance results and establishing reliable and sustainable control processes through automated compliance has become critical. However, establishing robust, organization-wide automated compliance is by no means a flip-of-the-switch endeavor, and businesses oftentimes implement inadequate and disparate policy procedures that leave key areas of the organization exposed to security threats. In order to implement identity compliance that meets today's rigorous standards while maintaining company productivity, identity analytics solutions can help improve all of the elements of an effective compliance program.
Organizations that are looking to implement automated, analytics-powered compliance programs need to recognize certain truisms when it comes to ensuring secure access to systems and applications. Security compliance is a substantive and procedural undertaking that is only as effective as the processes that track and automate it. Factors such as the latency of audit and remediation efforts and the rate of change within an organization go a long way toward determining the effectiveness of a compliance effort.
That said, compliance programs must also be flexible. The general guidelines for achieving secure access to applications and systems may seem firm on the surface, but the processes that underlie compliance efforts vary greatly from one organization to the next. What's more, every security control must be designed to accommodate loopholes and exceptions necessary to accommodate business efficiency and productivity. For instance, compliance programs must allow for variation to access controls during emergencies such as severe weather, natural disasters, or even economic turmoil.
Additionally, certification of access controls cannot be an IT-only decision. It needs to be a collaborative process that involves business stakeholders and is embedded in an organization's culture. In exchange for the visibility into applications and systems they receive, those business stakeholders need to understand and accept the inherent risks. But ultimately, IT has to be responsible for providing and mitigating the necessary controls and for remediating any negative audit findings.
Unfortunately, because the collaboration that occurs around access control today is largely email-driven, most organizations have only been able to successfully audit a handful of applications or systems. In fact, according to Verizon's 2012 data breach report, 96 percent of the companies subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS) - which governs any company that processes, stores or transmits credit card data - that were breached during 2011 were not compliant with PCI DSS guidelines.
One of the reasons enterprises are so challenged by identity management is the unprecedented complexity they face today. With applications and data residing in so many locales - on premise, in the cloud, at a hosting provider's site, etc. - and users relying upon ever-growing sets of tools, IT security teams struggle to keep up with the need to apply access control across systems and geographies. It was difficult enough to track several pages of segregation of duties controls for a single application; tracking controls across the increasingly heterogeneous landscape of systems today is geometrically more complicated.
Cloud-based apps, in particular, introduce a layer of complexity that can result in the business finding itself disconnected if it loses visibility into the related access control data. Along those lines, one of the most common audit issues organizations encounter is a failure to maintain the same level of security controls over their virtual environments as they have over their physical ones.
Dovetailing with the challenges cloud computing introduces is the explosive growth of mobile apps for use in the workplace, a phenomenon that has further fragmented access control processes. As organizations develop their authorizations for mobile apps, they largely are doing so separately from their existing app-authorization systems, which compounds the challenges. According to an August 2011 survey by enterprise mobility vendor Partnerpedia, 58 percent of organizations are creating mobile apps stores, leading to much more complex implementations of certification reviews and controls.
What's more, it's not just the systems that have grown in complexity. Employees have become a much more dynamic enterprise asset, causing organizations to adjust their access controls to reflect the matrices of roles that have resulted from the challenges of trying to classify access. A perfect instance of this is in the health care sector, with drug companies featuring multiple teams across the globe conducting trials and contributing research. Maintaining the privacy and confidentiality of data in this dynamic workgroup setting is a prime example of how the problem of access has evolved.
Five Steps for Leveraging Identity Analytics
Despite these numerous challenges, which collectively can prevent an organization from achieving its identity management objectives, there are ways to ensure that access control efforts can keep up with today's complex business landscape. Specifically, organizations can turn to fast-maturing identity analytics solutions to help them get a handle on this daunting business problem.
Following are five key steps organizations can take by leveraging identity analytics technology that will assist them in achieving robust identity compliance and remaining in compliance moving forward:
1. Become risk aware
While large chunks of IT budgets in recent years have been spent on regulatory compliance, many people still don't feel any safer. The ultimate cautionary tale can be found in the stories of two global financial firms. Despite the focus both companies no doubt had on complying with regulations like Sarbanes-Oxley, auditors at both firms failed to remediate excessive access violations by trusted trading employees, resulting in more than $9 billion in unexpected - and potentially crippling - losses combined.
By adopting an automated system that would enable weighted risk to be tied directly to systems access, organizations can significantly reduce their potential exposure to such embarrassing fiascos.
2. Control privileged access
Access to privileged accounts, such as root, system administration and those with elevated privileges, poses a huge threat to enterprises. These are the most powerful system accounts that, naturally, bring the greatest potential for fraud. Because they don't actually belong to users and are instead often shared by multiple administrators, they're notoriously difficult to secure. In an economy like the one we've experienced the past few years, there are more disgruntled workers, meaning an even greater emphasis should be placed on having an automated system to control privileged access.
As if that's not enough, control of privileged accounts is key to efforts to comply with everything from Sarbanes-Oxley to the PCI DSS to the Health Insurance Portability and Accountability Act (HIPAA), which typically translates to it being at the top of lists of auditors' findings. Moreover, most business partners today want to know that there are sufficient controls placed on privileged accounts as part of their SAS 70 reviews.
Given the clear sensitivity and importance of privileged access, it's imperative that organizations adopt a circumspect approach that enables passwords to be issued for limited periods of use in order to reduce potential exposure.
3. Automate remediation
Today's largest enterprises must contend with tens of thousands of employees accessing hundreds of systems, resulting in a cacophony of controls that audit groups can't possibly hope to manage. It's simply too big of a job for humans to address in a limited number of hours per day. That's where an automated identity analytics solution can help.
By setting up a workflow-based system that can automate the simpler remediation, auditors can instead focus their efforts on the findings that pose the greatest risk. Even then, however, exceptions must be accommodated; for instance, in those moments when emergency privileged access must be granted, it's critical that the system be able to automatically undo that privileged access once the emergency has abated.
4. Reduce the potential for audit violations
As much as it may sound like advice from Yogi Berra, the best way to prevent audit violations is to stop them from happening. The easiest way to do that is to perform the proper due diligence when access is being requested. That's the time when an enterprise needs to check for any common audit problems so that they can be addressed prior to a violation occurring.
When a user requests access that could be considered excessive, if the organization has adopted a system that flags that access, it can automatically collaborate with a business owner to approve or deny the request. Similarly, if a request for access results in a violation of either the segregation of duties or the rule of least privilege, then the system can flag this and provide visibility into the potential risk introduced by the request.
5. Take a platform approach to identity management
Merely having identity analytics technology in place doesn't guarantee that an organization will meet its compliance objectives. But for those enterprises wanting to increase their compliance success rate, having an identity analytics module that's part of a larger identity management platform greatly improves the odds. Like many other categories of software, identity analytics - and compliance in general - benefits from the tight integration of a platform approach.
This truism was further validated by a recent Aberdeen Group study in which companies that adopted fragmented identity and access systems were compared with those that acquired integrated systems from a single vendor. The findings? The companies that adopted pre-integrated systems experienced 35 percent fewer audit violations and reduced their identity analytics costs by 48 percent. They also reported improved end-user productivity, reduced risk and enhanced agility.
It's clear that the growing complexity organizations face has upped the ante when it comes to compliance with identity access controls. That increasingly complex landscape calls for better tools that enable enterprises not only to effectively administer access to applications and systems, but also to understand how they're managing that access.
Automation is the key to increasing the effectiveness and reducing the cost of compliance. Automation streamlines compliance-related processes, reducing the need for resources while at the same time lowering the risk of manual error that can lead to audit failure. More important, automation makes it possible to create sustainable, repeatable audit processes that enable the enterprise to address compliance in an ongoing manner without starting from scratch to address every new regulation or prepare for every audit.
A software solution, such as identity analytics, that automates access control can play a critical role in achieving effective compliance and lowering the related costs. In these turbulent economic times, organizations can't afford to ignore this increasingly important - and complex - part of their security paradigm.
Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner's company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.
Jan. 21, 2017 07:30 AM EST Reads: 1,290
In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology. In his session at 20th Cloud Expo, John Jelinek IV, a web developer at Linux Academy, will discuss why major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform are all trying to sidestep VMs and containers...
Jan. 21, 2017 07:15 AM EST Reads: 928
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex softw...
Jan. 21, 2017 06:45 AM EST Reads: 1,946
Smart Cities are here to stay, but for their promise to be delivered, the data they produce must not be put in new siloes. In his session at @ThingsExpo, Mathias Herberts, Co-founder and CTO of Cityzen Data, discussed the best practices that will ensure a successful smart city journey.
Jan. 21, 2017 06:00 AM EST Reads: 2,071
Technology vendors and analysts are eager to paint a rosy picture of how wonderful IoT is and why your deployment will be great with the use of their products and services. While it is easy to showcase successful IoT solutions, identifying IoT systems that missed the mark or failed can often provide more in the way of key lessons learned. In his session at @ThingsExpo, Peter Vanderminden, Principal Industry Analyst for IoT & Digital Supply Chain to Flatiron Strategies, will focus on how IoT depl...
Jan. 21, 2017 03:45 AM EST Reads: 1,988
Big Data, cloud, analytics, contextual information, wearable tech, sensors, mobility, and WebRTC: together, these advances have created a perfect storm of technologies that are disrupting and transforming classic communications models and ecosystems. In his session at @ThingsExpo, Erik Perotti, Senior Manager of New Ventures on Plantronics’ Innovation team, provided an overview of this technological shift, including associated business and consumer communications impacts, and opportunities it m...
Jan. 21, 2017 02:00 AM EST Reads: 5,819
Manufacturers are embracing the Industrial Internet the same way consumers are leveraging Fitbits – to improve overall health and wellness. Both can provide consistent measurement, visibility, and suggest performance improvements customized to help reach goals. Fitbit users can view real-time data and make adjustments to increase their activity. In his session at @ThingsExpo, Mark Bernardo Professional Services Leader, Americas, at GE Digital, discussed how leveraging the Industrial Internet and...
Jan. 21, 2017 01:30 AM EST Reads: 6,566
There will be new vendors providing applications, middleware, and connected devices to support the thriving IoT ecosystem. This essentially means that electronic device manufacturers will also be in the software business. Many will be new to building embedded software or robust software. This creates an increased importance on software quality, particularly within the Industrial Internet of Things where business-critical applications are becoming dependent on products controlled by software. Qua...
Jan. 21, 2017 01:15 AM EST Reads: 5,056
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
Jan. 21, 2017 01:15 AM EST Reads: 2,889
"Tintri was started in 2008 with the express purpose of building a storage appliance that is ideal for virtualized environments. We support a lot of different hypervisor platforms from VMware to OpenStack to Hyper-V," explained Dan Florea, Director of Product Management at Tintri, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jan. 21, 2017 01:15 AM EST Reads: 4,910
A critical component of any IoT project is what to do with all the data being generated. This data needs to be captured, processed, structured, and stored in a way to facilitate different kinds of queries. Traditional data warehouse and analytical systems are mature technologies that can be used to handle certain kinds of queries, but they are not always well suited to many problems, particularly when there is a need for real-time insights.
Jan. 21, 2017 12:15 AM EST Reads: 6,379
In his General Session at 16th Cloud Expo, David Shacochis, host of The Hybrid IT Files podcast and Vice President at CenturyLink, investigated three key trends of the “gigabit economy" though the story of a Fortune 500 communications company in transformation. Narrating how multi-modal hybrid IT, service automation, and agile delivery all intersect, he will cover the role of storytelling and empathy in achieving strategic alignment between the enterprise and its information technology.
Jan. 21, 2017 12:00 AM EST Reads: 4,715
IoT is at the core or many Digital Transformation initiatives with the goal of re-inventing a company's business model. We all agree that collecting relevant IoT data will result in massive amounts of data needing to be stored. However, with the rapid development of IoT devices and ongoing business model transformation, we are not able to predict the volume and growth of IoT data. And with the lack of IoT history, traditional methods of IT and infrastructure planning based on the past do not app...
Jan. 20, 2017 10:45 PM EST Reads: 935
WebRTC is bringing significant change to the communications landscape that will bridge the worlds of web and telephony, making the Internet the new standard for communications. Cloud9 took the road less traveled and used WebRTC to create a downloadable enterprise-grade communications platform that is changing the communication dynamic in the financial sector. In his session at @ThingsExpo, Leo Papadopoulos, CTO of Cloud9, discussed the importance of WebRTC and how it enables companies to focus o...
Jan. 20, 2017 08:45 PM EST Reads: 4,397
The Internet of Things can drive efficiency for airlines and airports. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Sudip Majumder, senior director of development at Oracle, discussed the technical details of the connected airline baggage and related social media solutions. These IoT applications will enhance travelers' journey experience and drive efficiency for the airlines and the airports.
Jan. 20, 2017 05:45 PM EST Reads: 2,106
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
Jan. 20, 2017 05:15 PM EST Reads: 3,830
"LinearHub provides smart video conferencing, which is the Roundee service, and we archive all the video conferences and we also provide the transcript," stated Sunghyuk Kim, CEO of LinearHub, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Jan. 20, 2017 03:00 PM EST Reads: 1,667
Things are changing so quickly in IoT that it would take a wizard to predict which ecosystem will gain the most traction. In order for IoT to reach its potential, smart devices must be able to work together. Today, there are a slew of interoperability standards being promoted by big names to make this happen: HomeKit, Brillo and Alljoyn. In his session at @ThingsExpo, Adam Justice, vice president and general manager of Grid Connect, will review what happens when smart devices don’t work togethe...
Jan. 20, 2017 02:15 PM EST Reads: 655
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...
Jan. 20, 2017 01:30 PM EST Reads: 5,752
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
Jan. 20, 2017 01:30 PM EST Reads: 5,261