How we have transformed every manager’s least favourite task

Reviewing their team’s computer access is one of those tasks all managers dread. The traditional approach is important in locking down internal threats. However, doing the job properly requires managers to spend long hours trawling through files, looking at systems their staff access, and deciding whether to approve or revoke access. Not the most exciting chore, and one that most managers have neither the knowledge nor the tools to complete effectively.

It’s understandable that since it is such a thankless task, line managers often don’t give it the importance it deserves. Many fail to understand the importance of access reviews and the potential consequences should they make a mistake. After all, why should it matter if employees have access to things, especially if they’ve had it for a while?

This is the issue that idax addresses: how can you provide information that managers need to make quick and informed decisions, and what systems do you need to make sure those managers stay engaged through the process? Coupled with that, how do you use modern analytics to identify where intervention is needed, and make effective use of everyone’s time?

Internal security is often not taken seriously and there is a widespread lack of understanding from the boardroom down on where the risks lie. An estimated 90% of tech crimes are committed by employees; and most data breaches are simply about access and opportunity. 75% of employees say that they have access to data they shouldn’t, and 25% of employees would be willing to sell company data to a competitor for less than $8,000.

With insider threat posing such a significant risk, it is clear that reviewing access rights is crucial for a company’s security, but not only is the typical process tedious and time-consuming, it’s also largely ineffective.

Firstly, the manager is faced with a complicated spreadsheet full of data about access rights for their staff. The names are opaque, the process lacks context, and this makes it difficult for the manager to understand what to do. And if there is anything that seems unusual, there has typically been no way to simply question the access without taking it away completely.

12% of all entitlements that are taken away in a review are re-requested soon afterwards – something that can make managers question whether the exercise is an efficient use of their time. Furthermore, when it costs a company an average of $18 per access transaction, this can quickly become not only a time-consuming and dull task, but also a very expensive one.

Here at idax, we have created a solution that gives the manager relevant information about the people whose access risks they need to address. Idax instantly analyses access rights, highlighting which employees have unusual rights compared to their peers. These are the employees that are in the position to cause the most damage to the business – whether maliciously or accidentally. Critically, our solution gives managers the option to take charge of the process and question access rights, potentially avoiding the risk of cyber breaches.

By improving the user interface and user experience, we have made managers more likely to engage proactively with the process. Idax Version 3 encourages managers to take an active role in the security of the company’s data. This is why idax prioritises an engaging user interface (UI) in the version 3 update. With an intuitive, state-of-the-art UI, idax motivates managers to really engage with the software, empowering their journey towards a more secure and wholly trusted environment.

Why the UI is such a critical part of any security product

There are countless reasons why a cyber breach might take place and break through a company’s existing defences. A weak firewall, poor passwords, and phishing scams are usually pinned as the reason. However, there is one area that is equally as critical and yet often overlooked: insider threat.

Insider threat is now looking worse than ever before, with an estimated 90% of tech crimes being committed by employees. Most data breaches are simply about access and opportunity. 75% of employees say that they have access to data they shouldn’t, and 25% of employees are willing to sell data to a competitor for less than $8,000.

So it is clear that a strong solution is needed and that we need it now. A large-scale culture shift may be the only way to truly combat insider threats. Everyone in the organisation needs to be made to feel that cyber security is their own responsibility – from the CEO to the worker on the shop floor. But without the right tools and information, there’s no clear path for companies to choose.

Implementing a solution to analyse the employees that are most likely to become threats in terms of access rights is a step in the right direction. For example, idax looks at what your staff have access to and tells you which of those access rights are unusual compared to the rest of the organisation and their peers.

However, you can throw as much analytics as you want at a solution like this, but if people aren’t engaging and using the results to make good, informed decisions, there’s really no point at all.

This is one of the reasons why the user experience (UX) and the user interface (UI) are among the most important factors to consider when encouraging people to engage with the solution. A strong UI is not there just to look nice and be aesthetically pleasing. The UI of your identity analytics platform is a critical component for getting people engaged with security.

Traditionally, anything security-related has been taken care of by a specialist team – whether that is an IT team or a security team. In these cases, it doesn’t matter what the UI looks like, or whether anyone other than the security team could understand and use it, as they would be the only people within the whole organisation engaging with it.

More and more organisations now are moving away from having just the security team deal with all things security, and are instead putting line managers in charge of access rights. This often involves the line manager having to deal with a highly complicated, confusing spreadsheet of access details, with no context or explanation about what in the list refers to what data, and what files are required for a role.

Idax looks at battling just this with the launch of our new version 3 update. By prioritising the user experience with an intuitive, state-of-the-art UI, we are encouraging companies to put the user experience at the forefront of cyber security and start their journey towards a safer and wholly trusted environment.

Ultimately, organisations will move towards a fundamentally different culture of security. Each and every employee will be given the responsibility of self-certifying their own access rights, using an engaging UI that everyone can use.

In the long run, idax is helping companies become part of the security revolution that will soon be upon us. Getting everyone in a company to self-certificate their own access rights – with oversight and ultimate approval from line managers – will ultimately eliminate any internal threat whatsoever. However, this will take time. Creating a UI that line managers already intuitively know how to use, just from the way it looks, is the first step in kick-starting the culture change towards internal security.

New EU regulations on cyber and access

http://www.europarl.europa.eu/news/en/news-room/content/20151207IPR06449/html/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity

The EU is clearly to be applauded for this new piece of regulation that not only recognises key vulnerabilities, but also the interconnectedness of elements that all use the web. Apart from the obvious – it’s a good thing – for security professionals I think there are 3 key takeaways:

  1. Clearly TalkTalk has convinced anyone in Government that still needed convincing that something needs to be done on cyber and access risk. We had the Chancellor announcing £1.9bn of new funding for cyber in the autumn statement. We’ve also had new “viability statements” coming into force, asking for the Board’s views on the management of risk to be formally reported to shareholders. And from the EU, what looks like the start of a fair bit of new regulation. I know some of these things have been in the works for a while, but it’s clear – Government is getting involved, and all companies will face increasing workloads on security and access control to meet the new standards.
  2. By linking Amazon and eBay in with critical infrastructure the EU are showing they recognise that breaches form a continuum and that access to banking details and essential services are not completely separate things. Losing personal information is distressing, but losing control of a train would be tragic. Of course critical infrastructure doesn’t have to use the internet, but when contractors are being pushed on price and their components need to talk to each other, the internet is the only viable choice. Remember that in the world of modern automation, a train isn’t necessarily a single entity; it could be a collection of components (engine, wheels, brakes) that all communicate with each other via the net.
  3. There’s also a recognition that all the security in the world won’t protect you if your employees are giving away the crown jewels. It’s often not malicious, but staff don’t take as much care with data as they should. Which is why measuring and enforcing “least privilege” is one of the most effective and cost-effective steps a company can take. In case anyone is in any doubt, Intermedia’s 2015 Insider Risk Report found that 32% of IT professionals have given out their login and password to other employees, with 31% saying they would take data from their company if it could positively benefit them.

At Idax, we’re noticing changes already. Senior management want to understand their vulnerability, and a quick access rights review has immediate benefits. One thing that we’ve done quite a bit is quick reviews of access rights. Using our analytics, we can tell within a few hours who the staff with unusual access are, which is an easy first step on the route to obtaining least privilege and staying there. What’s clear is that any company embarking on a programme to address access risk will not only be one step ahead of the hackers, but get an early start on new legislation too.


Carphone data breach: 2.4m records hacked.

Once again 2015 proves to be the year of the data breach. Or maybe 2.4 million Dixons Carphone records going missing is just an example of the new normal. But then again none of this is new, and data breaches and loss of critical data have been with us for as long as data has. So here’s a bit of historical perspective.

When I started as a consultant back in the 1980s one of the first assignments I worked on was for the old Dixons group. They had found out that at least one competitor had been getting hold of their prize data assets – at that time it was a Sales Report that had all their product lines, what the cost of each item was, the retail price, how many they sold and in which shop they sold them. Remember, in the 80s retailers did not have good customer information and this Sales Report was the crown jewels.

Of course, it was printed on paper and bound before being distributed, but some things never change. In the end the breach turned out to be an insider who was selling monthly Sales Reports on. As a junior consultant my job was to compile a list of everyone who got the report. But the thing that really stuck in my mind was that the majority of people who received the report didn’t really use it. It was more an indication of how important they were. So really a chronic lack of least privilege discipline leading to serious data breaches – nothing new under the sun.

A recent report from the Ponemon Institute reports that 71% of staff think they have access to company data they should probably not see. So what’s the answer? Well, at idax towers we believe that traditional manager reviews are failing. What we and an increasingly large number of clients think is that manager intervention supported by analytic context and insight is the answer. Of course Dixons in the 1980s had an excuse for data breaches. They didn’t have the tools to enforce least privilege. But in the 2010s there’s really no excuse.

Ashley Madison Data Breach

The Ashley Madison Data Breach again highlights insider threats:

2015 must surely now be officially designated as the year of the data breach. With the news that client data at Ashley Madison, the dating site, has been compromised, there must be a lot of very worried people wondering where their lost data will turn up.

http://www.theguardian.com/technology/2015/jul/21/hacked-infidelity-site-ashley-madison-free-profile-deletion

There are many interesting issues with this data breach story – why was data not encrypted? Why was there only single-factor authentication to the site? And most importantly, why did subscribers need to pay to have their details removed? Of course, also running through the story is a massive dose of schadenfreude – the pleasure we feel that the subscribers’ misfortune is in some senses justifiable given what they were up to; the hack then becomes a real Robin Hood crime. But just imagine for a moment that it was your medical or financial records and the story is a little darker.

As a regular data breach watcher there was one thing that struck me about this as unusual: Ashley Madison were owning up to the fact that it was an insider. “I’ve got their profile right in front of me,” said their CEO. In the past it’s always been more convenient to portray the threat as being external. Companies prefer the idea of the evil genius hacker to the trusted employee gone rogue. In this case it seems to have been a temporary worker or contractor who had access. But you have to ask – why did they have access and who was checking it?

Here at Idax we hold the view that managers are capable of managing their staff’s access, but they need a little help from analytics to do so. Did the Ashley Madison contractor really have the least privilege required to do their job? If that least privilege enabled them to dump the entire database, there’s a bigger problem. But as we’ve seen over the last couple of years, a lot of companies have poor controls over internal access, don’t do recertification well, and onboard new staff by asking them what they think they need.

Estimates from the Open Source Foundation indicate that the average cost of a data breach is $5.5m per organisation at an average of $194 per compromised record. One suspects that in the case of Ashley Madison the cost may be their whole business model. Against that cost, why wouldn’t you use all the tools at your disposal – analytic and operational – to safeguard your most important asset, your customers’ data?

As a follow-up, read this interesting point of view from another provider, Sailpoint, here

Since this blog was originally posted, Sailpoint Technologies have published an interesting white paper entitled the “7 Tenets of Successful IAM” – read this here


Cloud based directory services – a panacea?

I was talking to someone at InfoSec a few weeks ago about cloud based directory services.  We were discussing some of the challenges associated with Identity Access Management and whether those would be more or less prevalent using a cloud-based solution.  They said that the great thing about having a cloud-based directory services solution is that it’s a clean environment and hence would not suffer from ‘legacy’ issues such as inappropriate access rights or rights accumulated over time.

So is a cloud based directory services solution a panacea for IAM?  Let’s look at some of the challenges:

  • Multiple entitlement stores – at idax we think it is important to have a consolidated view of user entitlements and so commend the idea of bringing together federated access rights from modern-day cloud services into a centralised repository.  idax supports one or many stores and have helped clients to rationalise their disparate entitlements store into a single view, and so a single store fits well into our vision.
  • New joiners & movers – we often find organisations who still grant access to new starters based on the access rights of someone they will be working with rather than based on the role they will be doing.  We also find a correlation between the amount of time a person has been at an organisation and the number of access rights they have, which suggests they have accumulated rights over time which should have been revoked.  This problem will not go away with a cloud based solution, although clearly migrating to a suite of new cloud based services may provide an opportunity to clean up some of the legacy entitlements. idax allows you to identify which access rights a person should have when they join or move within an organisation.  Many of these decisions can be automated with no need for manual approval.  idax then integrates with your existing provisioning solution, or has built in workflow to track any manual provisioning which may need to take place.
  • Role-based access – organisations have long struggled with role-based access rights.  As the number of people, applications and access rights increases, the problem gets exponentially more difficult.  We think this is likely to continue with cloud-based solutions as the problem of figuring out what access a particular person should have does not get any easier.  idax looks at the existing access rights within an organisation and establishes profiles to determine who should have access to what.  Furthermore, we do it right out-of-the-box; there is no need for a large analysis exercise to establish profiles and set up rules and typically, once the data is loaded, idax can get answers in hours rather than months.
  • Principle of least privilege – due to some of the challenges outlined above, the principle of least privilege has also historically been a difficult thing to achieve in practice.  Again, we believe that in a cloud-based environment, the same challenges will not only persist, but the risks of not addressing them will be exacerbated.  One of the great advantages infrastructure as a service and software as a service brings is that it becomes much easier for organisations to provide access to their systems from different devices and locations.  This very flexibility means that organisations should be much more confident that people only have access to the systems they need to have access to in order to do their job.
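The peer comparison described above (flagging rights that are unusual compared to a person’s peers, and spotting rights that accumulate with tenure) can be sketched in a few dozen lines. This is an added illustration, not idax’s own code; the departments, users and entitlement names are constructed, and treating the department as the peer group is an assumption made for the example.

```python
"""Peer-group entitlement analysis: flag access rights that are unusual
relative to a user's peers, and check whether rights grow with tenure.
All data below is constructed for illustration."""
import math
from collections import defaultdict

# Constructed sample: (user, department, years_of_service, entitlements)
USERS = [
    ("alice", "finance", 2, {"ledger-read", "ledger-post", "payroll-view"}),
    ("bob",   "finance", 3, {"ledger-read", "ledger-post", "payroll-view"}),
    ("carol", "finance", 9, {"ledger-read", "ledger-post", "payroll-view",
                             "payroll-admin", "hr-db-admin"}),
    ("dave",  "finance", 1, {"ledger-read", "payroll-view"}),
    ("erin",  "hr",      4, {"hr-db-read", "hr-db-admin", "payroll-view"}),
    ("frank", "hr",      6, {"hr-db-read", "hr-db-admin", "payroll-view"}),
    ("grace", "hr",      2, {"hr-db-read", "payroll-view"}),
]


def peer_prevalence(users):
    """For each department, the fraction of its members holding each right."""
    by_dept = defaultdict(list)
    for _name, dept, _years, ents in users:
        by_dept[dept].append(ents)
    prevalence = {}
    for dept, members in by_dept.items():
        counts = defaultdict(int)
        for ents in members:
            for e in ents:
                counts[e] += 1
        prevalence[dept] = {e: c / len(members) for e, c in counts.items()}
    return prevalence


def unusual_entitlements(users, threshold=0.34):
    """Return {user: [right, ...]} for rights held by fewer than `threshold`
    of the user's department peers. The same right can be normal in one
    department and an outlier in another, which is why peer context matters."""
    prevalence = peer_prevalence(users)
    flagged = {}
    for name, dept, _years, ents in users:
        odd = sorted(e for e in ents if prevalence[dept][e] < threshold)
        if odd:
            flagged[name] = odd
    return flagged


def tenure_correlation(users):
    """Pearson correlation between years of service and number of rights.
    A strongly positive value suggests rights accumulate and are not revoked."""
    years = [u[2] for u in users]
    counts = [len(u[3]) for u in users]
    n = len(users)
    my, mc = sum(years) / n, sum(counts) / n
    cov = sum((y - my) * (c - mc) for y, c in zip(years, counts))
    var_y = sum((y - my) ** 2 for y in years)
    var_c = sum((c - mc) ** 2 for c in counts)
    return cov / math.sqrt(var_y * var_c)


if __name__ == "__main__":
    for user, rights in unusual_entitlements(USERS).items():
        print(f"review {user}: unusual vs peers -> {rights}")
    print(f"tenure/rights correlation: {tenure_correlation(USERS):.2f}")
```

Only carol is surfaced for review here: hr-db-admin is ordinary in HR but an outlier in finance, so a department-wide spreadsheet of rights would not have made that visible.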

In summary, we think cloud based directory services are an excellent tool for helping manage entitlements in a cloud based application architecture.  However, after a brief respite due largely to moving to new applications and demising old ones, organisations will find the challenges of identity and access management do not get any easier.  Further, because of the increase in the number of end-points where a piece of software can be used, the challenges become even more important ones to solve.

At idax we believe identity analytics is the way forward.  If you would like to learn more, please get in touch.

Idax Software v2.0 launch at Infosec 2015

So the last minute – “post implementation, I’ll just do one more check” – testing is finished. Our stand is up with all our artwork and we’re all really excited about InfoSec 2015 which starts tomorrow.

To be honest what I most enjoy about trade shows is the client contact. There’s nothing like real-time feedback from clients and potential clients, and hopefully some validation too. That’s the thing about being part of a small company and being passionate about what we do – I just love listening to people’s real-life issues and talking to them about how Idax can address them. Corny, but true – that’s why we’re here.

So come and see us on stand K71 if you’re at Olympia this week. I promise you that in addition to some great software we have a few other surprises in store.

http://www.infosecurityeurope.com/Olympia

Idax launch identity analytics version 2.0

We’re all very excited here at Idax towers about the launch of version 2.0 of Idax’s identity analytics engine next month. Codenamed “Euclid”, we’ll be launching it at Infosec 2015 and are really looking forward to showing friends new and old around it.

Improving Access Reviews – 5 things you should consider when you sit down to do your quarterly reviews

Most managers in most big companies will be familiar with periodic access reviews. Once a quarter an email arrives telling you to review all staff access. You have an hour before your next meeting to review 10 team members, each of whom has access to about 50 systems, and none of the systems has a name you recognise. Your heart sinks; it’s a time-consuming task and you have no evidence that what you’re doing is correct or even useful. Well, based on Idax’s research you’re right – about 15% of all reviewed access rights are removed and the effectiveness is no better than random. So what should you do?

Fast Scalable Analytics – The future of Identity Management

The last few years have seen technology platforms proliferate and with that has come increasing insider access threats. It’s becoming obvious that Identity Management (IAM) tools that were fit for purpose a decade ago are now struggling to manage the complexity and scale of access.

Those in a corporation will be familiar with regular access reviews. An email arrives with a long list of staff, an even longer list of privileges, and a thinly veiled threat to take the review very seriously indeed. What is missing is any contextual information that might allow for a good decision. At heart this betrays a misconception about IAM risk. But this is also where analytics can deliver dramatic benefits.