BLOG

New EU regulations on cyber and access

http://www.europarl.europa.eu/news/en/news-room/content/20151207IPR06449/html/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity

The EU is clearly to be applauded for this new piece of regulation, which not only recognises key vulnerabilities but also the interconnectedness of the many elements that all use the web. Apart from the obvious – it’s a good thing – for security professionals I think there are three key takeaways:

  1. Clearly TalkTalk has convinced anyone in Government who still needed convincing that something needs to be done about cyber and access risk. We had the Chancellor announcing £1.9bn of new funding for cyber in the Autumn Statement. We’ve also had new “viability statements” coming into force, asking for the Board’s view on the management of risk to be formally reported to shareholders. And from the EU, what looks like the start of a fair bit of new regulation. I know some of these things have been in the works for a while, but it’s clear that Government is getting involved, and all companies will face increasing workloads on security and access control to meet the new standards.
  2. By linking Amazon and eBay in with critical infrastructure, the EU are showing they recognise that breaches form a continuum: access to banking details and access to essential services are not completely separate things. Losing personal information is distressing, but losing control of a train would be tragic. Of course critical infrastructure doesn’t have to use the internet, but when contractors are being pushed on price and their components need to talk to each other, the internet is the only viable choice. Remember that in the world of modern automation a train isn’t necessarily a single entity; it could be a collection of components (engine, wheels, brakes) that all communicate with each other over the net.
  3. There’s also a recognition that all the security in the world won’t protect you if your employees are giving away the crown jewels. It’s often not malicious, but staff don’t take as much care with data as they should. Which is why measuring and enforcing “least privilege” is one of the most effective and cost-effective steps a company can take. In case anyone is in any doubt, Intermedia’s 2015 Insider Risk Report found that 32% of IT professionals had given out their login and password to other employees, with 31% saying they would take data from their company if it could positively benefit them.

At Idax, we’re noticing changes already. Senior management want to understand their vulnerability, and a quick review of access rights has immediate benefits, so that is something we’ve been doing quite a bit of. Using our analytics, we can tell within a few hours who the staff with unusual access are, which is an easy first step on the route to obtaining least privilege and staying there. What’s clear is that any company embarking on a programme to address access risk will not only be one step ahead of the hackers, but will get an early start on the new legislation too.


Carphone data breach: 2.4m records hacked.

Once again 2015 proves to be the year of the data breach. Or maybe 2.4 million Dixons Carphone records going missing is just an example of the new normal. But then again none of this is new: data breaches and the loss of critical data have been with us for as long as data has. So here’s a bit of historical perspective.

When I started as a consultant back in the 1980s, one of the first assignments I worked on was for the old Dixons group. They had found out that at least one competitor had been getting hold of their prize data asset. At that time it was a Sales Report that listed all their product lines, the cost of each item, the retail price, how many they sold and in which shop they sold them. Remember, in the 80s retailers did not have good customer information, and this Sales Report was the crown jewels.

Of course, it was printed on paper and bound before being distributed, but some things never change. In the end the breach turned out to be an insider who was selling the monthly Sales Reports on. As a junior consultant my job was to compile a list of everyone who got the report. But the thing that really stuck in my mind was that the majority of people who received the report didn’t really use it. It was more an indication of how important they were. So really a chronic lack of least privilege discipline leading to serious data breaches – nothing new under the sun.

A recent report from the Ponemon Institute reports that 71% of staff think they have access to company data they should probably not see. So what’s the answer? Well, at idax towers we believe that traditional manager reviews are failing. What we and an increasingly large number of clients think is that manager intervention, supported by analytic context and insight, is the answer. Of course Dixons in the 1980s had an excuse for data breaches: they didn’t have the tools to enforce least privilege. In the 2010s there’s really no excuse.

Ashley Madison Data Breach

The Ashley Madison Data Breach again highlights insider threats:

2015 must surely now be officially designated the year of the data breach. With the news that client data at Ashley Madison, the dating site, has been compromised, there must be a lot of very worried people wondering where their lost data will turn up.

http://www.theguardian.com/technology/2015/jul/21/hacked-infidelity-site-ashley-madison-free-profile-deletion

There are many interesting issues with this data breach story: why was the data not encrypted? Why was there only single-factor authentication to the site? And most importantly, why did subscribers need to pay to have their details removed? Of course, also running through the story is a massive dose of schadenfreude, the pleasure we feel that the subscribers’ misfortune is in some sense justified given what they were up to; the hack then becomes a real Robin Hood crime. But just imagine for a moment that it was your medical or financial records, and the story is a little darker.

As a regular data breach watcher, there was one thing about this story that struck me as unusual: Ashley Madison were owning up to the fact that it was an insider. “I’ve got their profile right in front of me,” said their CEO. In the past it has always been more convenient to portray the threat as external. Companies prefer the idea of the evil genius hacker to the trusted employee gone rogue. In this case it seems to have been a temporary worker or contractor who had access. But you have to ask: why did they have that access, and who was checking it?

Here at Idax we hold the view that managers are capable of managing their staff’s access, but they need a little help from analytics to do so. Did the Ashley Madison contractor really have only the least privilege required to do their job? If that least privilege enabled them to dump the entire database, there’s a bigger problem. But as we’ve seen over the last couple of years, a lot of companies have poor controls over internal access, don’t do recertification well, and onboard new staff by asking them what they think they need.

Estimates from the Open Source Foundation indicate that the average cost of a data breach is $5.5m per organisation at an average of $194 per compromised record. One suspects that in the case of Ashley Madison the cost may be their whole business model. Against that cost, why wouldn’t you use all the tools at your disposal – analytic and operational – to safeguard your most important asset, your customers’ data?

As a follow-up, read this interesting point of view from another provider, Sailpoint, here.

Since this blog was originally posted, Sailpoint Technologies have published an interesting white paper entitled the “7 Tenets of Successful IAM” – read this here.


Cloud based directory services – a panacea?

I was talking to someone at InfoSec a few weeks ago about cloud based directory services.  We were discussing some of the challenges associated with Identity and Access Management and whether those would be more or less prevalent using a cloud-based solution.  They said that the great thing about having a cloud-based directory services solution is that it’s a clean environment and hence would not suffer from ‘legacy’ issues such as inappropriate access rights or rights accumulated over time.

So is a cloud based directory services solution a panacea for IAM?  Let’s look at some of the challenges:

  • Multiple entitlement stores – at idax we think it is important to have a consolidated view of user entitlements and so commend the idea of bringing together federated access rights from modern-day cloud services into a centralised repository.  idax supports one or many stores and have helped clients to rationalise their disparate entitlements store into a single view, and so a single store fits well into our vision.
  • New joiners & movers – we often find organisations who still grant access to new starters based on the access rights of someone they will be working with rather than based on the role they will be doing.  We also find a correlation between the amount of time a person has been at an organisation and the number of access rights they have, which suggests they have accumulated rights over time that should have been revoked.  This problem will not go away with a cloud based solution, although clearly migrating to a suite of new cloud based services may provide an opportunity to clean up some of the legacy entitlements.  idax allows you to identify which access rights a person should have when they join or move within an organisation.  Many of these decisions can be automated with no need for manual approval.  idax then integrates with your existing provisioning solution, or has built-in workflow to track any manual provisioning which may need to take place.
  • Role-based access – organisations have long struggled with role-based access rights.  As the number of people, applications and access rights increases, the problem gets combinatorially more difficult.  We think this is likely to continue with cloud-based solutions, as the problem of figuring out what access a particular person should have does not get any easier.  idax looks at the existing access rights within an organisation and establishes profiles to determine who should have access to what.  Furthermore, we do it right out of the box; there is no need for a large analysis exercise to establish profiles and set up rules, and typically, once the data is loaded, idax can get answers in hours rather than months.
  • Principle of least privilege – due to some of the challenges outlined above, the principle of least privilege has also historically been a difficult thing to achieve in practice.  Again, we believe that in a cloud-based environment the same challenges will not only persist, but the risks of not doing it will be exacerbated.  One of the great advantages infrastructure as a service and software as a service bring is that it becomes much easier for organisations to provide access to their systems from different devices and locations.  This very flexibility means that organisations need to be much more certain that people only have access to the systems they need in order to do their job.

In summary, we think cloud based directory services are an excellent tool for helping manage entitlements in a cloud based application architecture.  However, after a brief respite due largely to moving to new applications and decommissioning old ones, organisations will find the challenges of identity and access management do not get any easier.  Further, because of the increase in the number of end-points from which a piece of software can be used, the challenges become even more important ones to solve.

At idax we believe identity analytics is the way forward.  If you would like to learn more, please get in touch.

Idax Software v2.0 launch at Infosec 2015

So the last-minute – “post implementation, I’ll just do one more check” – testing is finished. Our stand is up with all our artwork and we’re all really excited about InfoSec 2015, which starts tomorrow.

To be honest, what I most enjoy about trade shows is the client contact. There’s nothing like real-time feedback from clients and potential clients, and hopefully some validation too. That’s the thing about being part of a small company and being passionate about what we do – I just love listening to people’s real-life issues and talking to them about how Idax can address them. Corny, but true – that’s why we’re here.

So come and see us on stand K71 if you’re at Olympia this week. I promise you that in addition to some great software we have a few other surprises in store.

http://www.infosecurityeurope.com/Olympia

Improving Access Reviews – 5 things you should consider when you sit down to do your quarterly reviews

Most managers in most big companies will be familiar with periodic access reviews. Once a quarter an email arrives telling you to review all staff access. You have an hour before your next meeting to review 10 team members, each of whom has access to about 50 systems, and none of the systems has a name you recognise. Your heart sinks; it’s a time-consuming task and you have no evidence that what you’re doing is correct or even useful. Well, based on Idax’s research, you’re right – about 15% of all reviewed access rights are removed, and the effectiveness is no better than random. So what should you do?

Fast Scalable Analytics – The future of Identity Management

The last few years have seen technology platforms proliferate, and with that has come an increasing insider access threat. It’s becoming obvious that Identity and Access Management (IAM) tools that were fit for purpose a decade ago are now struggling to manage the complexity and scale of access.

Those in a corporation will be familiar with regular access reviews. An email arrives with a long list of staff, an even longer list of privileges, and a thinly veiled threat to take the review very seriously indeed. What is missing is any contextual information that might allow for a good decision. At heart this betrays a misconception about IAM risk. But this is also where analytics can deliver dramatic benefits.

Machine Learning – is Amazon the answer?


A really great insight from Travis Greene on the launch of AWS Machine Learning cloud service and the impact it may have on IT Security.

I agree wholeheartedly with his commentary, but here are a few additional insights from work with our clients in the identity and access management space and the world of analytics. @idaxsoftware.


Data Theft, Breaches – IAM

Data theft, breaches and what that has to do with IAM

Mark Ward from the BBC has published an interesting article concerning data theft and breaches; the PWC report it references also has some useful data on insider threats and the part that access control has to play.

Controlling insider staff access is unsexy, but absolutely critical. As with the leak of celebrity images from iCloud (see our article on the Naked Ladies, which is giving us some interesting hits on our analytics!), I would always favour internal theft over an external hack as an explanation.

It never fails to astonish us how big companies struggle with this. Of course, millions of access points need an analytic, big-data Identity and Access Management approach, because all the evidence suggests that just getting managers to work harder doesn’t work. At idax we’ve been preaching this approach for years now and are building a case history of dramatic governance improvements. The evidence suggests that managers supported by analytics are clearly the way forward for IAM.

What the PWC report seems to suggest is that expecting your managers to spend their time – a scarce and expensive resource at the best of times – regularly reviewing the access rights of their staff may not actually be protecting you.

Our experience is that, with the proliferation of technology – mobile, unstructured data, Active Directory – managers are rarely qualified to conduct full reviews and are too busy doing their “real” job; after all, they will generally have no incentive, time or point of reference to do the job justice.

Yes, a system of regular departmental reviews used to be enough for the Auditors, but increasingly they are also questioning the value of a process that seems to deliver more audit points than control.

The answer is one we’ve been promoting at idax for some time now:

  • Use analytics to understand the geography of access – who has access to what.
  • Use those same techniques to identify the access rights that present a low risk to the organisation, for lower-priority reviews.
  • Support reviews of high risk items with contextual risk analysis that gives managers a sporting chance of making a good decision.

If this can also be coupled with decision support in real time, at the point in the process at which access rights are granted, you can make a real contribution to reducing risk across the organisation rather than just ticking boxes.
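As an added illustration of the three bullets above, and of the “who has unusual access” first step described in the EU regulation post, here is one simple form that peer-group entitlement analytics can take. This is example code written for this edit, not idax’s product or method: it scores every access right a person holds by how many of their peers also hold it, routes near-universal rights to a light-touch queue, and sends rare rights to the manager with the context (how many peers hold it, and who) needed to make a decision. The department as the peer group, the user and entitlement names in the constructed extract, and the 0.8/0.34 thresholds are all assumptions.

```python
"""Peer-group entitlement outlier scoring (added illustration, not idax's code)."""
from collections import Counter, defaultdict

# Constructed sample extract: user -> department and set of entitlements.
# Hypothetical users and entitlement names, not real data.
USERS = {
    "alice": {"dept": "finance",     "rights": {"ERP_GL_VIEW", "ERP_AP_POST", "HR_PAYROLL_ADMIN"}},
    "bob":   {"dept": "finance",     "rights": {"ERP_GL_VIEW", "ERP_AP_POST"}},
    "carol": {"dept": "finance",     "rights": {"ERP_GL_VIEW", "ERP_AP_POST"}},
    "dave":  {"dept": "finance",     "rights": {"ERP_GL_VIEW"}},
    "erin":  {"dept": "engineering", "rights": {"GIT_PUSH", "CI_DEPLOY"}},
    "frank": {"dept": "engineering", "rights": {"GIT_PUSH", "CI_DEPLOY", "PROD_DB_DUMP"}},
    "grace": {"dept": "engineering", "rights": {"GIT_PUSH", "ERP_GL_VIEW"}},
}


def _peer_groups(users, peer_key):
    """Group user names by the attribute used as the peer group (assumed: department)."""
    groups = defaultdict(list)
    for name, u in users.items():
        groups[u[peer_key]].append(name)
    return groups


def peer_share(users, peer_key="dept"):
    """Map (user, right) -> fraction of that user's peer group holding the right.

    This is the 'geography of access': for every right a person holds, how
    common is it among people doing a similar job?
    """
    share = {}
    for members in _peer_groups(users, peer_key).values():
        counts = Counter(r for m in members for r in users[m]["rights"])
        n = len(members)
        for m in members:
            for r in users[m]["rights"]:
                share[(m, r)] = counts[r] / n
    return share


def triage(users, low_risk=0.8, high_risk=0.34, peer_key="dept"):
    """Split every (user, right) pair into review queues, rarest first.

    'auto'   : held by >= low_risk of peers; candidate for a light-touch review.
    'review' : held by <= high_risk of peers; goes to the manager with context.
    'normal' : everything else, reviewed on the usual cycle.
    Thresholds are assumptions for the illustration, not calibrated values.
    """
    groups = _peer_groups(users, peer_key)
    queues = {"auto": [], "normal": [], "review": []}
    for (user, right), frac in sorted(peer_share(users, peer_key).items(),
                                      key=lambda kv: kv[1]):
        dept = users[user][peer_key]
        others = sorted(m for m in groups[dept]
                        if m != user and right in users[m]["rights"])
        ctx = (f"{frac:.0%} of {dept} hold {right}; "
               f"other holders: {', '.join(others) or 'none'}")
        if frac >= low_risk:
            queues["auto"].append((user, right, ctx))
        elif frac <= high_risk:
            queues["review"].append((user, right, ctx))
        else:
            queues["normal"].append((user, right, ctx))
    return queues


def unusual_users(users, high_risk=0.34, peer_key="dept"):
    """Users holding at least one right that is rare in their peer group, most unusual first."""
    flagged = Counter(user for user, _, _ in
                      triage(users, high_risk=high_risk, peer_key=peer_key)["review"])
    return [user for user, _ in flagged.most_common()]


if __name__ == "__main__":
    for queue, items in triage(USERS).items():
        print(f"== {queue} ({len(items)} rights)")
        for user, right, ctx in items:
            print(f"  {user:6} {right:18} {ctx}")
    print("unusual:", unusual_users(USERS))
```

On the sample extract this sends three rights to the manager queue: alice’s HR_PAYROLL_ADMIN (nobody else in finance has it), frank’s PROD_DB_DUMP and grace’s ERP_GL_VIEW (a finance right held by one engineer), while the rights everyone in a department holds drop into the light-touch queue. In a real estate the peer group would be richer than a department (job title, cost centre, manager) and the thresholds would be tuned against what reviewers actually revoke, but the shape is the same: the manager sees a short list with a reason attached, not 500 opaque system names.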