Skip to main content

Hitachi ID Systems Blogs

Posts Tagged ‘Access Governance’

Is security suffering from analysis paralysis?

Monday, October 8th, 2012

It’s deja vu all over again.

Back in 2001 industry was hot about network monitoring and finding data. I
remember working on a project to aggregate data across different systems.
Here we are in 2012 it doesn’t seem like things have moved that much
ahead.

After speaking to attendees at Interop 2012, one of the main themes
was that we all have too much data generated by different logs, events and
systems. Finding a needle in a haystack seemed to be the problem. There is
no one denying the possibility of finding some value with a large
quantity of data, but is anyone questioning the reliability of this data?

Even my niece in high school science class would know the basics of solid
scientific research would require a consistent approach and repeatable
process. The integrity of the data is only as reliable as the integrity of
the process. Within identity and access management, there is ample
opportunity to create event and system data. What some vendors are
pitching today as the business intelligence of identity management is
nothing more than data aggregation based on fallible business process.

Having so much data analysis would require an employee with analytic
knowledge and background in the business process. How do we justify the
resource cost added on already overburdened IT resource to analyze data
that may not yield a valid result?

Uncovering the truth about risk

Thursday, February 16th, 2012

Recently I’ve been thinking about methods of identifying business risk. Why? Mainly it was a recent discussion I had about visibility been the reason for Identity and Access Governance.  The visibility we are talking about is the identification of risk. A problem facing organizations today is the difficulty to visualizing the risk we are facing. So in order to uncover the truth, I embark on a process of finding a more effective risk identification method.

Circling back to access governance and risk management, what would be a good approach to risk management. Perhaps taking the best practices from people (e.g. DoD) who might have a good understanding about risk management methodology (e.g. like identify, assess, plan, detect, and respond). The question is, what are we still missing in existing approach to risk identification. Many well publicized data security incidents occurred after regulations surrounding privacy and financial control had been put in place (e.g. Enron, TJX, Sony, Braclay, etc). By now shouldn’t we have already learned our lesson?

What are the challenges of risk management? How do we identify risk today? What is the missing approach that we seem to be failing at repetitively?

To answer that, I will use my personal experience as a reference. A while ago, I took few years to understand the business of manufacturing. Manufacturing business depends very much on the continuous operation while managing various physical limitations of critical resources. Critical resources like contract, time, space, machine, operator, material, skill, temperature, cash flow, etc. The lack of any one of critical resources can mean disruptions to normal business operations which ultimately shows up on the balance sheet.

It was critical for the manager to ensure timely acquisition of critical resources and minimize disruption during operating hours. Once it was understood that the business value was created based on continuous operation, then any disruptions to the business operation had significant impacts to the organization’s ability to create value. So based on what I’ve learned:

a. Find out what information/resource/operation is critical to business value

b. Determine the significance when the critical information/resource/operation was disrupted, deteriorated, destroyed, damaged, delayed, or disclosed.

c. Determine the impact based on recovery cost, mitigation cost, overhead cost, opportunity cost, and time to resume operation.

d. Minimize the impact by reduce cost of recovery, likelihood of impact, significance of impact, and time to resume operation.

Now we have some concept of what we trying to find, how do we identify access risk within organization. To find a criminal sometime you have to think like a criminal. Assuming the information is hidden, how would one approach the challenge with locating a hidden object. So instead of finding ways to uncover the truth through a series of data aggregation, correlation, and definition, let’s figure out how the truth can be hidden in the first place. What are the best ways to hide something and how would you do it without anyone knows about it?

1. Disguise : like a chameleon it is best to disguise oneself as part of the surrounding.

2. Disconnect : to uncover the truth one has to go through a process of establishing evidence, and what if part of the evidence trail is missing?

3. Distract : When you have a sea of evidence, how do you go about finding the truth hidden within layers of data.

4. Denial : the worst enemy of truth is denial. Believe in something is impossible can hinder acceptance of the truth.

5. Distort : When the information you looked for has been obfuscated.

These 5D’s can be considered as evidence of absence. The mere fact when something should be there but is not observable can be defined as evidence of risk.  The reason why I’ve approach the access risk problem this way is to provide an alternate approach to risk identification. Employees need information to do their work. Lack of access does equate to incapacity to perform their work. The action of providing necessary information to any employee would be an accepted operational risk. If all authorized access is an acceptable risk, then are we claiming that there is no risk remaining? Based on the past incidents, malicious acts are not part of what people do on a daily basis within the confines of what they are allowed to do.

Most of the approach we see today about risk identification seemed to be stating the fact that a room has four walls but not by determine the abnormality inferred by the absence of furniture in an empty room. The abundant and absence of behavior can both be construed as anomaly or unexpected behaviors.

If the approach still seemed puzzling, perhaps the following examples would help illustrate the point

1. The procurement manager suppose to find a set of vendors to negotiate for optimal price and quality. But when a procurement bid comes along, all we have is few vendors on the list with price way off from the best market price. So the lack of competitive bid failed to provide the company with optimal procurement value.

2. A trader on wall street who has a margin limit at 3million dollars. The managing director, who needed to keep an eye on the margin requirement of each trader, ignores the warning message when a trader’s position went over the limit of 3million dollars. The lack of director’s response to warning signals ultimately created a significant risk for the financial organization.

In summary, I would point out that instead of looking at security access control as a point in the process, perhaps try to look at it as a process. Instead of saying, user has been provisioned access permission with certain entitlement. Verify the user access, and make sure the access control has not been compromised. Furthermore, how about the presence of awareness, and timely response. To ensure adequate risk management framework, be certain that all parts of the risk management process is at work.

page top page top