Once again 2015 proves to be the year of the data breach. Or maybe 2.4 million Dixons Carphone records going missing is just an example of the new normal. But then again none of this is new, and data breaches and loss of critical data has been with us for as long as data has. So here’s a bit of historical perspective.
When I started as a consultant back in the 1980s one of the first assignments I worked on was for the old Dixons group. They had found out that at least one competitor had been getting hold of their prize data assets – at that time it was a Sales Report that had all their product lines, what was the cost of each item, the retail price, how many they sold and in which shop they sold them. Remember, in the 80’s retailers did not have good customer information and this Sales Report was the crown jewels.
Of course, it was printed on paper and bound before being distributed, but some things never change. In the end the breach turned out to be an insider who was selling monthly Sales Reports on. As a junior consultant my job was to compile a list of everyone who got the report. But the thing that really struck in my mind was that the majority of people who received the report didn’t really use it. It was more an indication of how important they were. So really a chronic lack of least privilege discipline leading to serious data breaches – nothing new under the sun.
A recent report from the Ponemon Institute reports that 71% of staff think they have access to company data they should probably not see. So what’s the answer? Well at idax towers we believe that traditional manager reviews are failing. What we and an increasingly large numbers of clients think is that manager intervention supported by analytic context and insight is the answer. Of course Dixons in the 1980s had an excuse for data breaches. They didn’t have the tools to enforce least privilege. But in the 2010s there’s really no excuse.
The Ashley Madison Data Breach again highlights insider threats:
2015 must surely now be officially designated as the year of the data breach. With the news that client data at Ashley Madison, the dating site, compromised there must be a lot of very worried people wondering where their lost data will turn up.
There are many interesting issues with this data breach story – why was data not encrypted? Why was there only single factor authentication to the site? And most importantly why did subscribers need to pay to have their details removed? Of course, also running through the story is a massive dose of schadenfreude – the pleasure we feel that that the subscribers misfortune is in some senses justifiable given what they were up to; the hack then becomes a real Robin Hood crime. But just imagine for a moment that it was your medical or financial records and the story is a little darker.
As a regular data breach watcher there was one thing that struck me about this that was unusual. The first was that Ashley Madison were owning up to the fact that it was an insider “I’ve got their profile right in front of me“ said their CEO. In the past it’s always more convenient to portray the threat as being external. Companies prefer the idea of the evil genius hacker, to the trusted employee gone rogue. In this case it seems to have been a temporary or contractor who had access. But you have to ask – why did they have access and who was checking it?
Here at Idax we hold the view that managers are capable of managing their staff’s access but they need a little help from analytics to do so. Did the Ashley Madison contractor really have the least privilege required to do their job. If that least privilege enabled them to dump the entire database, there’s a bigger problem. But as we’ve seen over the last couple of years, a lot of companies have poor controls over internal access, don’t do recertification well, and onboard new staff by asking them what they think they need.
Estimates from the Open Source Foundation indicate that the average cost of a data breach is $5.5m per organisation at an average of $194 per compromised record. One suspects that in the case of Ashley Madison the cost may be their whole business model. Against that cost, why wouldn’t you use all the tools at your disposal – analytic and operational – to safeguard your most important asset, your customers’ data?
As a follow up, Read this interesting point of view from another provider, Sailpoint, here
Since this blog was originally posted, Sailpoint Technologies have published an interesting white paper entitled the “7 Tenets of Successful IAM” – read this here
I was talking to someone at InfoSec a few weeks ago about cloud based directory services. We were discussing some of the challenges associated with Identity Access Management and whether those would be more or less prevalent using a cloud-based solution. They said that the great thing about having a cloud-based directory services solution is that it’s a clean environment and hence would not suffer from ‘legacy’ issues such as inappropriate access rights or rights accumulated over time.
So is a cloud based directory services solution a panacea for IAM? Let’s look at some of the challenges:
- Multiple entitlement stores – at idax we think it is important to have a consolidated view of user entitlements and so commend the idea of bringing together federated access rights from modern-day cloud services into a centralised repository. idax supports one or many stores and have helped clients to rationalise their disparate entitlements store into a single view, and so a single store fits well into our vision.
- New joiners & movers – we often find organisations who still grant access to new starters based on the access rights of someone they will be working with rather than based on the role they will be doing. We also find a correlation between the amount of time a person has been at an organisation and the number of access rights they have which suggests they have accumulated rights over time which should have been revoked. This problem will not go away with a cloud based solution, although clearly migrating to a suite of new cloud based services may provide an opportunity to clean up some of the legacy entitlements. idax allows you to identify which access rights a person should have when they join or move within an organisation. Many of these decisions can be automated with no need for manual approval. idax then integrates with your existing provisioning solution, or has built in workflow to track any manual provisioning which may need to take place.
- Role-based access – organisations have long struggled with role-based access rights. As the number of people, applications and access rights increases, the problem gets exponentially more difficult. We think this is likely to continue with cloud-based solutions as the problem of figuring out what access a particular person should have does not get any easier. idax looks at the existing access rights within an organisation and establishes profiles to determine who should have access to what. Furthermore, we do it right out-of-the-box; there is no need for a large analysis exercise to establish profiles and set up rules and typically, once the data is loaded, idax can get answers in hours rather than months.
- Principle of least privilege – due to some of the challenges outlined above, the principle of least privilege has also historically been a difficult thing to achieve in practise. Again, we believe that in a cloud-based environment, the same challenges will not only persist, but the risks of not doing it will be exacerbated. One of the great advantages infrastructure as a service and software as a service brings is that it becomes much easier for organisations to provide access to their systems from different devices and locations. This very flexibility means that organisations should be much more confident that people only have access to the systems they need to have access to in order to do their job.
In summary, we think cloud based directory services are an excellent tool for helping manage entitlements in a cloud based application architecture. However, after a brief respite due largely to moving to new applications and demising old ones, organisations will find the challenges of identity and access management do not get any easier. Further, because of the increase in the number of end-points where a piece of software can be used, the challenges become even more important ones to solve.
At idax we believe identity analytics is the way forward. If you would like to learn more, please get in touch.
So the last minute – “post implementation, I’ll just do one more check” – testing is finished. Our stand is up with all our artwork and we’re all really excited about InfoSec 2015 which starts tomorrow.
To be honest what I most enjoy about trade shows is the client contact. There’s nothing like real-time feedback from clients and potential clients, and hopefully some validation too. That’s the thing about being part of a small company and being passionate about what we do – I just love listening to peoples real life issues and talking to them about how Idax can address them. Corny, but true – that’s why we’re here.
So come and see us on stand K71 if you’re at Olympia this week. I promise you that in addition to some great software we have a few other surprises in store.
We’re all very excited here at Idax towers about the launch of version 2.0 of Idax’s identity analytics engine next month. Codename Version “Euclid” we’ll be launching it at Infosec 2015 and really looking forward to showing friends new and old around it.Read More
Most managers in most big companies will be familiar with periodic access reviews. Once a quarter an email arrives telling you to review all staff access. You have an hour before your next meeting to review 10 team members, each of whom have access to about 50 systems and none of the systems has a name you recognise. Your heart sinks; it’s a time consuming task and you have no evidence that what you’re doing is correct or even useful. Well, based on Idax’s research you’re right – about 15% of all reviewed access rights are removed and the effectiveness is no better than random. So what should you do?Read More