Back in 2001 industry was hot about network monitoring and finding data. I
remember working on a project to aggregate data across different systems.
Here we are in 2012 it doesn’t seem like things have moved that much
ahead.

After speaking to attendees at Interop 2012, one of the main themes
was that we all have too much data generated by different logs, events and
systems. Finding a needle in a haystack seemed to be the problem. There is
no one denying the possibility of finding some value with a large
quantity of data, but is anyone questioning the reliability of this data?

Even my niece in high school science class would know the basics of solid
scientific research would require a consistent approach and repeatable
process. The integrity of the data is only as reliable as the integrity of
the process. Within identity and access management, there is ample
opportunity to create event and system data. What some vendors are
pitching today as the business intelligence of identity management is
nothing more than data aggregation based on fallible business process.

Having so much data analysis would require an employee with analytic
knowledge and background in the business process. How do we justify the
resource cost added on already overburdened IT resource to analyze data
that may not yield a valid result?

Based on a recent article in the SC Magazine apparently it does matter to
the head of IT. Whether one is aware of the security posture within the
enterprise or not. As soon as the data security has been compromised and
the news is on the front page, someone in the IT department seems to
always get the axe.

But should the IT department be held responsible for overall
information security?  Business requires reliable information
security to ensure company information is well protected. Lack of will or
means to protect company information assets won’t make business partners
comfortable.  Information security cannot come from the IT department
alone. When was the last time an IT department asked for a new privileged
access management solution and had it denied by the business? This is a
common story from IT managers at conferences.

At a recent event, I was having dinner with a group of seasoned security
professionals. We started to talk about what does IT Security mean for an
organization. Some spoke of security management that focuses on things
like the number of vulnerabilities found and remediated.  Others spoke
about how they kept hitting a plateau in terms of the number of
workstations patched with the latest Antivirus. But those remediations and
vulnerabilities wouldn’t matter to a business person unless they mattered
to the bottom line. One thing we found in common, businesses still have a
tendency to signoff on acknowledged risk until they are required to be
accountable for the security issue.

It is like driving a school bus with no adequate maintenance and
insurance. A school bus full of children (e.g. customers/employees
unaware of risk) who were assured by the bus operator that they’ve
done everything possible to ensure the safety and security of riders.
Meanwhile, the operator is rewarded by operating several bus routes
until one day a bus crashed, and many innocent lives are taken. It’s
not the bus operator’s intention to create any harm. As long as one
can get away making money without incurring cost to beat out the
competition, there will always be someone who is willing to turn a blind
eye.

Information security is similar in many ways. If you don’t update your
information security, sooner or later there will be an intruder roaming
around the network. It would simply be a matter of
time until your business operation faces the truth that many customer
records have been stolen or the intrusion showed up on the news.

Businesses tend to ignore information security when it doesn’t appear
relevant to the core business process. But the reality of the
matter is, many of business critical process today run on information
technology.

- Sending email to confirm order with your customer

- Finding delivery route using online map and GPS

- Receiving payment through wire transfer

- Process payrolls to your workers

- Online payment for your vendors

- Social network marketing

- Process and resource planning

- Research for purchasing supplies

- Processing customer order from ePOS

- VOIP or PBX/IP Telephone system for making sales call

Most likely some of your business operation has dependencies on information
technology. How much would it cost your company if your business operation
is disrupted for hours, days, weeks? Does it cost your company money if
you cannot deliver products to your customers on time? How much would it
cost your company if you couldn’t file your tax return on time? What would
it mean if your business just lost most of its customer records because of
weak application security?

via The Growth Trend in Data Storage – Information Management Online Article.

Storage is clearly an area of growth. As more companies needs to digitize their business operations and regulatory obligations require the electronically stored information to be archived. In general, need for more storage does not diminish.

As more data becomes centralized, you have to wonder what does the storage vendor do to help protect the data. An average consumer has more 16GB on their smart devices, 7GB from Gmail account, and 5 GB from Dropbox. Most important of all, that almost 30 GB of mobile data at the consumer level.

What does 30GB worth of mobile data mean for your company? Would that be an entire record of customer data? Or perhaps an entire collection of the IP properties from your next generation of research?

Assuming a company with employee size of 5,000 that could be equivalent of 150 TB worth of mobile data floating in and out of enterprise perimeter each day.

How much of this data is essential for the business operation. When businesses go out to buy their next generation of storage platform, are they also upgrading their existing security infrastructure to protect the need of business operation?

The topic of deprovisioning is familiar to me because this is part of what we do here at Hitachi-ID. I would phrase the problem with cloud access deprovisioning using two questions:

*  Who has access to the company cloud services?
*  What credential do they need to access the cloud service?

Deprovisioning is something not clearly tackled by “IAM as Service” solutions.  It is, however, important to those concerned about cloud security.

When considering deprovisioning in a cloud environment some of the things you may run into are:

*  Users accessing shared cloud storage service (e.g. amazon s3)
*  Companies building out their application on PaaS or IaaS
*  User accounts required to access these cloud services are administrative account and not something separated individually.
*  Sometimes all you need is a secret key to remotely manage some cloud servers.
*  Administrative account access to your Saleforce (or any SaaS) application.

There is sensitive account/key information that should be kept secured. How do you actually protect privileged access in the cloud? How
would you “deprovision” users from accessing privileged accounts/systems after termination?

I’ve listed some characteristics of identity infrastructure that could help identify risk:

* Integrated with many aspects of business process from request, registration, transfer, suspension, access, termination, and compliance assurance. What is the impact of business operation if the infrastructure you rely on for many aspects of business process should fail? What if your system should fail and no one can request new access or remove terminated employee?

*  Contained sensitive personal information or keys to unlock privileged access to sensitive data systems. How is the information being kept confidential and accessed only by the authorized personnel? What if you found your name on a report of a list of people to be terminated in a week?  How are the administrative account and password to sensitive data systems being kept confidential? What is the impact if the identity infrastructure can be leveraged to gain privileged access or disclose sensitive records?

* Developed many lines of custom code with no one left to manage once the original implementation project has completed. What is the contingency plan to improve the sustainability of your identity infrastructure?

* Depend heavily on AD. The challenge with such a model is enabling users accessing externally hosted applications. The model doesn’t work well because one would have to expose some part of AD.

Does your identity infrastructure today expose you to unnecessary risks? And are you aware of the adequate countermeasures?

Interesting article about student using their personal mobile device to replace traditional keys for physical access. As the article points out…

“The line between corporate-owned and personal devices is blurring, according to a recent survey by Information Systems Audit and Control Association. Two-thirds of employees between the ages of 18 and 34 in the survey said they use a personal device that they also use for work, ISACA found”

The world is quickly gravitating toward consumerization of IT. The traditional IT desktop provisioning process is quickly been replaced by “How do we enable employee access on their smart device?” and “How do we authenticate user on their smart device?”.

The finding does raise an interesting question, “What if the student lost their device?”. Or what if the student dropped their phone? What is the alternate method to regain access. Last thing anyone wants is to have a student to stay outside the dorm in a -30 degree Celsius temperature because he/she forgot the phone at the library.

For many, the term “Password Management” implies password issuance, reset, and synchronization. However, the term “Password Management” is an over simplification for credential life cycle management. And in this case, how do you recover your dorm access   at 12:30am in the morning with -30degree Celsius temperature.

The problem is not new, but seemed to have been overlooked by many. The solution is often fall back to the most accessible mean of communication (although the student may decide to throw a rock at his roommate’s window to have him/her open the door).

Most likely, what many people usually end up doing is calling someone for help. In this case, that someone you’re calling could be a computer that recognizes your voice signature on the other side of the phone to provide you with an access code for the next 30 minute.  And by the caller id or GPS coordinates, the system recognize the proximity location of the caller is located as a second form of authentication. The system could also lookup the student residency database to make sure the student actually staying at that particular dorm. Perhaps the system could also notify the Resident Assistant of the student floor to let the person assist the stranded student.

How would you design your strong authentication solution today?

Circling back to access governance and risk management, what would be a good approach to risk management. Perhaps taking the best practices from people (e.g. DoD) who might have a good understanding about risk management methodology (e.g. like identify, assess, plan, detect, and respond). The question is, what are we still missing in existing approach to risk identification. Many well publicized data security incidents occurred after regulations surrounding privacy and financial control had been put in place (e.g. Enron, TJX, Sony, Braclay, etc). By now shouldn’t we have already learned our lesson?

What are the challenges of risk management? How do we identify risk today? What is the missing approach that we seem to be failing at repetitively?

To answer that, I will use my personal experience as a reference. A while ago, I took few years to understand the business of manufacturing. Manufacturing business depends very much on the continuous operation while managing various physical limitations of critical resources. Critical resources like contract, time, space, machine, operator, material, skill, temperature, cash flow, etc. The lack of any one of critical resources can mean disruptions to normal business operations which ultimately shows up on the balance sheet.

It was critical for the manager to ensure timely acquisition of critical resources and minimize disruption during operating hours. Once it was understood that the business value was created based on continuous operation, then any disruptions to the business operation had significant impacts to the organization’s ability to create value. So based on what I’ve learned:

a. Find out what information/resource/operation is critical to business value

b. Determine the significance when the critical information/resource/operation was disrupted, deteriorated, destroyed, damaged, delayed, or disclosed.

c. Determine the impact based on recovery cost, mitigation cost, overhead cost, opportunity cost, and time to resume operation.

d. Minimize the impact by reduce cost of recovery, likelihood of impact, significance of impact, and time to resume operation.

Now we have some concept of what we trying to find, how do we identify access risk within organization. To find a criminal sometime you have to think like a criminal. Assuming the information is hidden, how would one approach the challenge with locating a hidden object. So instead of finding ways to uncover the truth through a series of data aggregation, correlation, and definition, let’s figure out how the truth can be hidden in the first place. What are the best ways to hide something and how would you do it without anyone knows about it?

1. Disguise : like a chameleon it is best to disguise oneself as part of the surrounding.

2. Disconnect : to uncover the truth one has to go through a process of establishing evidence, and what if part of the evidence trail is missing?

3. Distract : When you have a sea of evidence, how do you go about finding the truth hidden within layers of data.

4. Denial : the worst enemy of truth is denial. Believe in something is impossible can hinder acceptance of the truth.

5. Distort : When the information you looked for has been obfuscated.

These 5D’s can be considered as evidence of absence. The mere fact when something should be there but is not observable can be defined as evidence of risk.  The reason why I’ve approach the access risk problem this way is to provide an alternate approach to risk identification. Employees need information to do their work. Lack of access does equate to incapacity to perform their work. The action of providing necessary information to any employee would be an accepted operational risk. If all authorized access is an acceptable risk, then are we claiming that there is no risk remaining? Based on the past incidents, malicious acts are not part of what people do on a daily basis within the confines of what they are allowed to do.

Most of the approach we see today about risk identification seemed to be stating the fact that a room has four walls but not by determine the abnormality inferred by the absence of furniture in an empty room. The abundant and absence of behavior can both be construed as anomaly or unexpected behaviors.

If the approach still seemed puzzling, perhaps the following examples would help illustrate the point

1. The procurement manager suppose to find a set of vendors to negotiate for optimal price and quality. But when a procurement bid comes along, all we have is few vendors on the list with price way off from the best market price. So the lack of competitive bid failed to provide the company with optimal procurement value.

2. A trader on wall street who has a margin limit at 3million dollars. The managing director, who needed to keep an eye on the margin requirement of each trader, ignores the warning message when a trader’s position went over the limit of 3million dollars. The lack of director’s response to warning signals ultimately created a significant risk for the financial organization.

In summary, I would point out that instead of looking at security access control as a point in the process, perhaps try to look at it as a process. Instead of saying, user has been provisioned access permission with certain entitlement. Verify the user access, and make sure the access control has not been compromised. Furthermore, how about the presence of awareness, and timely response. To ensure adequate risk management framework, be certain that all parts of the risk management process is at work.

Recently, in another security conference, the same message about influencing cultural change been the primary objective of any CISO was re-iterated. So is there a gap between existing employee behavior vs expected secured corporate culture? Lets see if we can point out some difference between governance and culture today.

Governance : Employee should not disclose sensitive data information outside of the corporate network.

Culture : The only way I can handle my work load is if I bring my work home on my own personal device.

Governance : Employee should follow the information security guideline.

Culture : Security guideline can be re-evaluated when it comes to doctors and board room executives.

I once asked a very senior CISO, “what is information security governance?”. In his own words, “…governance is a framework that define plan and strategy to achieve balanced information security objectives.” However, with so many conflicts between security guidance vs organizational culture, what is the right governance  for a business?

Then this article (http://www.tlnt.com/2012/01/16/4-reasons-why-culture-is-more-important-thank-strategy/) pops into my browser. The key points are…

1. Culture is more important than strategy
2. Companies who align culture and strategy are more successful
3. Encouraging individual, cultural attributes are the keys
4. Maintaining a successful culture takes careful attention and hard work

Between what we have to do (compliance) and what we tend to behave (culture), the article left me with two questions :
a. How do we make corporate culture an integral part of security governance?
b. How will security helps transform business to be more successful?

There  is no definitive answer from me at the moment, though I do welcome any comment from anyone who read my blog.

Interesting news bits. Not many people realize what is a root certificate or what does it do on a day to day basis. Think of a root certificate as the master key to unlock all the bank safe in the world. That effectively is what happening when Trustwave a trusted Certificate provider on major browser platform decided to profit off the certificate that enables a company claims to be only using it for the purpose of ear dropping on their own employee.

Wasn’t that long ago when I had to remove the digiNotar from my trusted list of certificate provider from all of my browsers. Not long after that I have to remove the trust from “Trustwave”.

This news was interesting to me because many methods of exchange for authentication token is based on trust of certificate. The lack of trust of secure communication implies a broken exchange of authentication model going from Certificate authentication to SAML assertion exchange. How do service provider today validate against the rogue certificate provider? How would anyone know if any other certificate provider has been compromised either willingly or unwillingly.

It wasn’t that long ago when the world is trying to gravitate toward certificate authentication scheme as a mean to move away from password authentication. Then an incident   like this comes out severely break the chain of trust using certificate authentication. How many enterprise has implemented some type of certificate authentication and what would it cost for them to update the trusted certificate store.

As an observation, while the security industry is pushing towards for more advanced authentication,  each new method of authentication not only creates more identity silos and breaks business process around the use of these advanced authentications. Few years ago I looked at the requirement for advanced credential management platform, where at that time I did not see anyone come out with the capability to manage different forms of authentications in a consistent approach.

How would you update the credential stores? How about reset the password on the certificate store? How about encrypting the hard drive that storing the certificate store? What if you lost the encryption on the hard drive, how would you recover the encryption key? How do you manage the administrator access to the certificate store? Who is tracking the privileged user access to these credential stores?

Having yet another stronger authentication without address these processes first only incurs more problem downstream with more integration scripting, cost to maintain, and audit nightmares.