What do you need Access to?
Some weeks ago, I was discussing identity management analytics with a friend. He doesn’t work in IT, but he’s really bright and has held some pretty senior positions along the way. “Why don’t you just ask people what they need to have access to?” he said. Spluttering over my curry, I trotted out the usual: it’s more complicated than that; you can do that in small companies, but not in big ones; what if people lie? But in reality, current processes and controls don’t really work that well, tools are woefully inadequate and I’m sure many managers just ask their staff “so what do you need to have access to?” On the basis that this isn’t a great solution, what is the radical, game-changing answer?
In the last two years the reporting of data loss, regulatory breaches and rogue trader activity has grown significantly. As a result, firms are stepping up their efforts to protect data and resources. But as boards and risk committees sign off ever-increasing budgets, what they may not realise is that they are sanctioning over-reliance on manual processes, external auditors and consultants, and embedding the shortcomings of those manual processes into the organisation. Staff at the coal face are overrun trying to interpret the information they already have whilst new data arrives daily. And the one thing that’s certain is that working harder is not going to solve anything.
Though organisations are at different points along the journey, most fall into three categories. Reactors respond to immediate threats but don’t manage risk at a strategic level. Guardians improve processes and have more pervasive control systems, but the costs outweigh any perceived risk benefit, and real risks go unaddressed. Only Leaders have the deep analysis coupled with the right tools to manage risk in a cost-effective way. Ensuring that firms avoid this cycle of audit, remediation and control failure is critical if they are to gain real confidence that assets are protected.
So what should firms do if they want to be leaders? The first thing is to really understand what assets staff have access to and identify control failures and potential regulatory failures before they happen. To do this you need to have tools that analyse:
- Identity and role: which systems users have access to, and how that compares with their peers.
- Control and process: where the control gaps are, and where efficiency gains can reduce cost and risk.
- Usage: the context in which staff access systems, and how that changes the risk.
- Location: how usage of systems and data aligns with regulation and legislation.
When a firm can do that in a repeatable, sustainable, automated and predictive way, it is on the way to having real confidence that it controls the access it hands out and the risks that access poses.
As we continue to bask in the post-Olympic glow of national achievement and the “2012 effect”, it seems strange to remember the dim, dark days at the start of the Games when Team GB went a whole three days without winning a gold medal. As the press shrieked that we were heading for disaster, unable to meet our target of 20 golds despite massive investment, I asked myself what parallels there were with risk management, and what really were Mo Farah’s chances?
Well, as we all now know, actually pretty good. Of course only an idiot would assume that winning 29 medals over 16 days should equate to two every day with Sundays off, but even so, how likely should a medal-less day be? Well, if you assume a Poisson distribution – commonly used for estimating event frequency – and take an average of 1.8 golds a day, the chance of a day with no medals is 16%. The chance of a Super Saturday was actually 7%.
The bad news is that, as you can see from the chart, the Poisson doesn’t quite fit what actually happened. The good news is that a day without any golds was actually more likely, at 38% of all Olympic days. The least likely (below 5) was a single-gold day, which happened only once. The last day of the boxing, since you ask.
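As an added illustration, not part of the original post, the Poisson comparison described above written so it can be run over any daily event tally a security team keeps (access-policy exceptions per day, for instance). The sample series is constructed to mirror the post’s figures (29 events over 16 days, six zero days, one single-event day); it is not the actual Team GB results.

```python
import math

# Constructed sample: 29 events over 16 days, six zero days and one single-event day.
# This is NOT the real Team GB tally; only its shape mirrors the post's figures.
DAILY_COUNTS = [0, 0, 0, 1, 2, 2, 0, 6, 2, 3, 2, 0, 0, 3, 4, 4]


def poisson_pmf(k: int, lam: float) -> float:
    """P(X = k) for a Poisson variable with mean lam."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def poisson_tail(k: int, lam: float) -> float:
    """P(X >= k): the 'very infrequent but quite awful' end of the distribution."""
    return 1.0 - sum(poisson_pmf(i, lam) for i in range(k))


def observed_vs_poisson(counts: list[int]) -> dict[int, tuple[float, float]]:
    """For each daily count k, return (observed share of days, Poisson share),
    fitting the Poisson rate to the sample mean, as the post does."""
    lam = sum(counts) / len(counts)
    table = {}
    for k in range(max(counts) + 1):
        observed = counts.count(k) / len(counts)
        table[k] = (observed, poisson_pmf(k, lam))
    return table


if __name__ == "__main__":
    # With a mean of 1.8 a day, a zero day comes out at 16.5%, the post's "16%".
    print(f"P(0 | mean 1.8)  = {poisson_pmf(0, 1.8):.1%}")
    print(f"P(>=6 | mean 1.8) = {poisson_tail(6, 1.8):.1%}")
    # Where the observed share is more than double the model's, intuition built
    # on the "evenly spread" assumption would badly under-predict that outcome.
    for k, (obs, exp) in observed_vs_poisson(DAILY_COUNTS).items():
        flag = "  <-- model under-predicts" if obs > 2 * exp else ""
        print(f"{k} events/day: observed {obs:5.1%}  Poisson {exp:5.1%}{flag}")
```

Swap DAILY_COUNTS for a real per-day count of control exceptions and the flagged rows show where a rate-based baseline alone would lull you.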
So why does any of this matter? Because it shows we are very bad at estimating how frequently things happen, even when it’s quite straightforward. We assume that events are evenly distributed and get confused when they’re not. Not much of a problem with gold medals, but quite a big problem when you’re trying to understand access rights, detect fraud and regulate access to our highly valuable systems and data. And that goes double for those trying to write the regulation.
We assume that because failures are relatively unlikely they are also uniformly infrequent. Having spent the best part of a decade working on access control, risk and regulation, it’s clear to me that an approach that defines controls by exception management – otherwise known as “the boss checks my work” – will perform splendidly against the “frequent but not disastrous” but does nothing to stop the “very infrequent but quite awful”.
So a strange lesson from the Olympics is that risk management and regulation are going to fail consistently until we stop managing by intuition, educate ourselves about big data and start really using automated analysis to predict and analyse.
So next time you ask yourself how you can protect yourself from those with inappropriate access to systems and data, think automation and analysis. That way, maybe the Olympic legacy can be more robust access security as well as more kids playing sport.
Famous film stars, data breaches and why CEOs should be worried
So the latest not-so-surprising story concerning data breaches is that, in addition to containing pictures of ladies in underwear and pictures of famous film stars, the internet also contains pictures of famous film stars in their underwear.
I don’t mean to trivialise the impact of private pictures splashed all over the web. It’s clearly unpleasant, morally indefensible and probably illegal, but plenty of others have discussed the data breaches themselves at length. At Idax we are more interested in the lessons to be learned about the breaches of internal security rather than speculating on external threats.
When the story broke, commentators focused on the “how”. The favoured theory was an evil genius who hacked into the main iCloud computer. Presumably someone halfway between Kim Dotcom and Ernst Stavro Blofeld, working from an evil lair in a hollowed-out volcano. I have little experience of evil hacker geniuses, but if they exist, I suspect they are more motivated to steal credit card details from the many than private pictures from the few.
The second theory was that our protagonists had guessed or otherwise obtained the email addresses and passwords for iCloud accounts – a “phishing” attack. Given that a lot of celebrity details are in the public domain and most people are chronically bad at setting passwords, this is pretty credible. Spoiler alert: when asked for your date of birth, you don’t have to use your real date of birth, the one that’s also on your Facebook page.
But let’s suppose for a moment that there was no evil genius and no phishing attack. How else might the caper have been done? Simple as it may sound, I’d get myself a job as an iCloud database administrator and then wait until I could steal the pictures.
Now I have no inside knowledge of what goes on at Apple, and my approach may sound too obvious. Apple may be the exemplar of corporate governance and security, as they are in many other things. But at Idax our experience is that the corporation is nowhere near as secure as your CEO would like to think, and data breaches mostly occur when staff routinely have access to resources that have nothing to do with their job: access that is either historical or just plain wrong. In a corporation of any size, keeping track of access rights is a major headache.
In this context coercion, collusion and avarice are great motivators, especially when the disgruntled developer routinely has uncontrolled access to production data.
So, we may never find out how the images got onto the web, and only a cynic would point out that it’s in everyone’s interest to perpetuate the story of the complex con rather than the corporate cock-up. But clearly protecting your corporate data from both internal and external threats has to be a priority for all organisations.
I’ll leave you with a last thought. Under EU data protection legislation a company can be fined up to 10% of global revenue for losing personal data. So if it’s conceivable that you might lose all your customer files because a laptop was inadvertently left on a train or a DBA sent a file to his home email, maybe you should look into how you manage identities internally.
Mark Rodbert is CEO of Idax Software, the identity management analytics company.