Fast Scalable Analytics – The future of Identity Management

The last few years have seen technology platforms proliferate, and with that has come a growing insider access threat. It is becoming obvious that Identity and Access Management (IAM) tools that were fit for purpose a decade ago are now struggling to manage the complexity and scale of access.

Anyone who works in a corporation will be familiar with regular access reviews. An email arrives with a long list of staff, an even longer list of privileges, and a thinly veiled threat to take the review very seriously indeed. What is missing is any contextual information that would allow a good decision to be made. At heart this betrays a misconception about IAM risk. But this is also where analytics can deliver dramatic benefits.

Data Theft, Breaches – IAM

Data theft, breaches and what that has to do with IAM

Mark Ward of the BBC has published an interesting article concerning data theft and breaches. The PwC report it references also has some useful data on insider threats and the part that access control has to play.

Controlling insider staff access is unsexy, but absolutely critical. As with the leak of celebrity images from iCloud (see our article on the Naked Ladies, which is giving us some interesting hits on our analytics!), I would always favour internal theft over an external hack as an explanation.

It never fails to astonish us how big companies struggle with this. Of course, millions of access points need an analytic, big-data approach to Identity and Access Management, because all the evidence suggests that just getting managers to work harder doesn't work. At idax we've been preaching this approach for years now and are building a case history of dramatic governance improvements. The evidence suggests that managers supported by analytics are clearly the way forward for IAM.

What the PwC report seems to suggest is that expecting your managers to spend their time (a scarce and expensive resource at the best of times) regularly reviewing the access rights of their staff may not actually be protecting you.

Our experience is that with the proliferation of technology (mobile, unstructured data, Active Directory) managers are rarely qualified to conduct full reviews and are too busy doing their "real" job; after all, they generally have no incentive, no time and no point of reference to do the job justice.

Yes, a system of regular departmental reviews used to be enough for the auditors, but increasingly they too are questioning the value of a process that seems to deliver more audit points than control.

The answer is one we’ve been promoting at idax for some time now:

  • Use analytics to understand the geography of access: who has access to what.
  • Use those same techniques to identify the access rights that present a low risk to the organisation, and give them lower-priority reviews.
  • Support reviews of high-risk items with contextual risk analysis that gives managers a sporting chance of making a good decision.

If this can also be coupled with decision support in real time, at the point in the process at which access rights are granted, you can make a real contribution to reducing risk across the organisation rather than just ticking boxes.
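To make the three steps above concrete, here is an added example (not code from the original post, and not idax's product) that models the approach in Python on a constructed extract of a dozen grants. Users are grouped into peer groups by department and job title; each grant is scored by how unusual it is among the holder's peers, weighted by a hypothetical sensitivity rating the organisation maintains for each entitlement. Grants that nearly all peers also hold are deprioritised, rare grants to sensitive resources rise to the top of the review queue, and the same scoring is applied to a pending request at the point of grant, with the peer context a manager needs. The sample data, the sensitivity weights, the 50/50 weighting and the tier thresholds are all assumptions for illustration.

```python
"""Peer-group analytics for prioritising access reviews (illustrative example)."""
from collections import defaultdict

# Constructed sample extract, not real data: (user, department, title, entitlement)
GRANTS = [
    ("alice", "Finance", "Analyst", "erp_read"),
    ("alice", "Finance", "Analyst", "expenses_approve"),
    ("bob",   "Finance", "Analyst", "erp_read"),
    ("bob",   "Finance", "Analyst", "expenses_approve"),
    ("carol", "Finance", "Analyst", "erp_read"),
    ("carol", "Finance", "Analyst", "expenses_approve"),
    ("carol", "Finance", "Analyst", "prod_db_admin"),   # the outlier: no peer holds this
    ("dave",  "Engineering", "Developer", "git_write"),
    ("dave",  "Engineering", "Developer", "ci_deploy"),
    ("erin",  "Engineering", "Developer", "git_write"),
    ("erin",  "Engineering", "Developer", "ci_deploy"),
    ("frank", "Engineering", "DBA", "prod_db_admin"),    # only DBA: no peers at all
    ("frank", "Engineering", "DBA", "git_write"),
]

# Hypothetical sensitivity ratings (0..1) maintained by the organisation;
# anything not listed is treated as non-sensitive.
SENSITIVE = {"prod_db_admin": 1.0, "expenses_approve": 0.6}

RARITY_WEIGHT = 0.5        # assumed weighting: how unusual the grant is among peers
SENSITIVITY_WEIGHT = 0.5   # assumed weighting: how dangerous the entitlement is


class AccessModel:
    """The 'geography of access': who holds what, grouped into peer groups."""

    def __init__(self, grants):
        self.holdings = defaultdict(set)      # user -> {entitlement}
        self.peer_key = {}                    # user -> (department, title)
        self.peer_groups = defaultdict(set)   # (department, title) -> {user}
        for user, dept, title, ent in grants:
            self.holdings[user].add(ent)
            self.peer_key[user] = (dept, title)
            self.peer_groups[(dept, title)].add(user)

    def peers(self, user):
        """Everyone with the same department and title, excluding the user."""
        return self.peer_groups[self.peer_key[user]] - {user}

    def prevalence(self, user, entitlement):
        """Fraction of the user's peers who also hold the entitlement.

        Returns (fraction, peers_with, peers_total). With no peers the fraction
        is 0.0: there is no peer evidence supporting the grant, so it is treated
        as rare rather than silently assumed normal.
        """
        peers = self.peers(user)
        if not peers:
            return 0.0, 0, 0
        with_it = sum(1 for p in peers if entitlement in self.holdings[p])
        return with_it / len(peers), with_it, len(peers)

    def score(self, user, entitlement):
        """Risk score in 0..1: rare grants and sensitive entitlements score high."""
        frac, with_it, total = self.prevalence(user, entitlement)
        rarity = 1.0 - frac
        sensitivity = SENSITIVE.get(entitlement, 0.0)
        return RARITY_WEIGHT * rarity + SENSITIVITY_WEIGHT * sensitivity, with_it, total


def tier(score):
    """Assumed thresholds for splitting the review into priority bands."""
    if score >= 0.7:
        return "high"
    if score >= 0.3:
        return "medium"
    return "low"


def review_queue(model):
    """Rank every existing grant for the periodic review, riskiest first."""
    rows = []
    for user, ents in model.holdings.items():
        for ent in sorted(ents):
            s, with_it, total = model.score(user, ent)
            rows.append({"user": user, "entitlement": ent, "score": round(s, 3),
                         "tier": tier(s), "peers_with": with_it, "peers_total": total})
    rows.sort(key=lambda r: (-r["score"], r["user"], r["entitlement"]))
    return rows


def assess_request(model, user, entitlement):
    """Decision support at the point of grant: the same scoring applied to a
    grant that does not exist yet, plus the context a manager needs."""
    if user not in model.peer_key:
        raise ValueError(f"unknown user {user!r}")
    s, with_it, total = model.score(user, entitlement)
    t = tier(s)
    if total == 0:
        context = "no peers to compare against; route to the resource owner"
    else:
        context = f"{with_it} of {total} peers in {model.peer_key[user]} hold this"
    # Illustrative policy, not a recommendation for any particular organisation.
    action = {"high": "escalate to resource owner",
              "medium": "manager approval with context shown",
              "low": "approve and log"}[t]
    return {"score": round(s, 3), "tier": t, "context": context, "action": action}


if __name__ == "__main__":
    model = AccessModel(GRANTS)
    for row in review_queue(model):
        print(row)
    print(assess_request(model, "bob", "prod_db_admin"))
```

Run as-is, the queue puts carol's and frank's `prod_db_admin` at the top (score 1.0), the three Finance analysts' `expenses_approve` in the medium band purely because of sensitivity, and the routine `erp_read`, `git_write` and `ci_deploy` grants at the bottom, where a manager can wave them through. Note the two distinct reasons a grant scores as "rare": no peer holds it (carol), or there are no peers at all (frank); the context string tells the reviewer which case they are looking at.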

Cost and Scale of Data Breaches Increase

Great article here by Tara Seals in Infosecurity Magazine. Number 9 on her list, "Cost and Scale of Data Breaches", is a much underrated risk and is indeed set to increase dramatically:

As cyber-criminals get smarter and the pace of communications accelerates, organizations are being forced to continually adapt and rapidly respond to a shifting threat landscape. The Information Security Forum (ISF) is taking a view to 24 months out, predicting that ever-faster internet speeds, tech rejectionists and even human death will all be hallmarks of the future security reality.

Threat Horizon 2017, the latest in a series of the ISF’s annual Threat Horizon reports, identifies nine specific emergent threats that encapsulate the imminent dangers that the ISF considers the most prominent. They all have the capacity to transmit their impact through cyber-space at break-neck speeds, particularly as the use of the internet spreads beyond the estimated 50 percent of the literate population who are already connected, the organization noted in its report.

The threats are:

  1. Increased Connectivity Speeds Present Issues in Organizational Response Time
  2. Criminal Organizations Become More Structured and Sophisticated
  3. Widespread Social Unrest Breaks Out, Led by ‘Tech Rejectionists’
  4. Dependence on Critical Infrastructure Becomes Dangerous
  5. Malicious Agents Weaponize Systemic Vulnerabilities
  6. Legacy Technology Crumbles
  7. Disruption to Digital Systems Leads to Verifiable Human Deaths
  8. Global Consolidation of Organizations Endangers Competition and Security
  9. Cost and Scale of Data Breaches Increases Dramatically

“The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations,” said Steve Durbin, managing director of the ISF. “Although cyber-space offers opportunities for leading organizations, this environment is uncertain and potentially dangerous.” He added, “We predict that many organizations will struggle to cope as the pace of change intensifies. Consequently, at least until a conscious decision is taken to the contrary, these nine threats should appear on the radar of every organization.”

For instance, regarding the first point, it’s clear that reasonably-priced gigabit connectivity will become widely available to supply the growing demands of devices and users, signifying a dramatic leap forward, increasing both data volume and velocity. In an interview, Durbin laid out some of the risk scenarios for super-charged connectivity.

“As billions of devices are connected, there will be more data that must be managed,” he explained. “Conventional malicious use will increase rapidly, resulting in cascading failures between sectors. This will enable new and previously impracticable avenues for destructive activity online, increasing financial and reputational liabilities and overwhelming traditional defenses. When combined with the steady growth of processing power and storage, this increased connectivity will allow malicious actors to launch new attacks that will be both lucrative and difficult to detect. Businesses will struggle to keep up with these attacks.”

Also, as connectivity gets faster and more mission-critical functions are moved online and to the cloud, ISF predicts that the disruption of digital systems in transport and medical services will lead to verifiable deaths. Organizations should thus assess the exposure to and liabilities of cyber-physical systems, and revise corporate communication and crisis response mechanisms accordingly.

Related to the hyperconnectivity issue, increasing network scale, helped along by global consolidation, presents another emerging threat. As the pending Comcast-Time Warner Cable and AT&T-DirecTV mega-mergers demonstrate, broadband companies are interested in getting larger. Companies of all sizes will have fewer options for connectivity, which could give network operators undue influence (and create a known number of “super-vectors” for criminals to attack).

To address this threat, organizations need to first identify and assess risks related to dependence on the suppliers for which there are few alternatives; engage in dialogue and exchange information with governments to assess the extent to which markets remain either competitive or closed; invest in expanding and diversifying the suppliers of critical services; and, where diversification proves difficult, focus instead on embedding resilience in information security strategies.

“Network operators should be ever-mindful of the challenges that consolidation brings to the industry, and should proactively engage in dialogue with governments and regulators whilst continuing to operate in a transparent fashion with customers,” Durbin said. “This will be challenging and may bring them into conflict with government security agencies, as we have seen with Apple and Google, in terms of providing access to government agencies to core products, but will be essential as they are a provider of core infrastructure service which continues to grow in importance. Maintaining an objective stance will be difficult, but essential, to preserve the trust of the end user.”

Despite lightning-fast broadband, the report predicts that “tech rejectionists” will disrupt local economies in response to record levels of socio-economic inequality, leading to widespread, global, social unrest.

“Discontent will be driven by uncertainty and confusion and inflamed by job losses and displacement due to globalization and automation,” Durbin said. “Rejectionists will dismiss the benefits of technology-enabled globalization, pointing instead at the social and economic costs shouldered by those who are not among the economic elite. The resulting chaos will disrupt businesses and supply chains, and force countries to reconsider the balance between technological progress and long-established social and economic equilibriums.”

Famous film stars, data breaches

Famous film stars, data breaches and why CEOs should be worried

So the latest not-so-surprising story concerning data breaches is that, in addition to containing pictures of ladies in underwear and pictures of famous film stars, the internet also contains pictures of famous film stars in their underwear.

[Image: Jennifer Lawrence]

I don't mean to trivialise the impact of private pictures splashed all over the web. It's clearly unpleasant, morally indefensible and probably illegal, but plenty of others have discussed the breaches themselves at length. At Idax we are more interested in the lessons to be learned about breaches of internal security than in speculating about external threats.

When the story broke, commentators focused on the “how“. The favoured theory was an evil genius who hacked into the main iCloud computer. Presumably someone halfway between Kim Dotcom and Ernst Stavro Blofeld working from an evil lair in a hollowed out volcano. I have little experience of evil hacker geniuses, but if they exist, I suspect they are more motivated to steal credit card details from the many than private pictures from the few.

The second theory was that our protagonists had guessed the passwords (or the answers to the security questions that reset them), or had tricked the account owners into handing over their iCloud email addresses and passwords: a "phishing" attack. Given that a lot of celebrity details are in the public domain and most people are chronically bad at choosing passwords, this is pretty credible. Spoiler alert: when asked for your date of birth, you don't have to use your real date of birth, the one that's also on your Facebook page.

But let's suppose for a moment that there was no evil genius and no phishing attack. How else might the caper have been done? Simple as it may sound, I'd get myself a job as an iCloud database administrator and then wait for the chance to copy the pictures.

Now I have no inside knowledge of what goes on at Apple, and my approach may sound too obvious. Apple may be the exemplar of corporate governance and security, as it is in many other things. But at Idax our experience is that the corporation is nowhere near as secure as your CEO would like to think, and data breaches mostly occur when staff routinely have access to resources that have nothing to do with their job: access that is either historical or just plain wrong. In a corporation of any size, keeping track of access rights is a major headache.

In this context coercion, collusion and avarice are great motivators, especially when a disgruntled developer routinely has uncontrolled access to production data.

So we may never find out how the images got onto the web, and only a cynic would point out that it's in everyone's interest to perpetuate the story of the complex con rather than the corporate cock-up. But clearly protecting your corporate data from both internal and external threats has to be a priority for every organisation.

I'll leave you with a last thought. Under the EU's General Data Protection Regulation a company can be fined up to 4% of its global annual turnover (or €20 million, whichever is higher) for failing to protect personal data. So if it's conceivable that you might lose all your customer files because a laptop was inadvertently left on a train or a DBA sent a file to his home email, maybe you should look into how you manage internal identity management.

Mark Rodbert is CEO of Idax Software, the identity management analytics company.