Aujas US

An IDG Ventures Company

More than Password Resets – Identity and Access Management’s Real Value

You’ve probably heard enough about the benefits that an Identity and Access Management (IAM) program can bring you. Most of the benefits that vendors pitch to customers revolve around specific product features, and they are generalizations at best.

For example, password reset is available as a feature, and the obvious benefit is reduced helpdesk costs. Plain and simple! There is, however, much more to the story.

When you go ahead with an IAM program, this is what you are really setting out to do:

Streamline processes

Setting up an IAM solution forces one to define and optimize processes that carry no ambiguity, because automation cannot be achieved where there is ambiguity. Don’t count on the partner who is keen to migrate your existing processes into the IAM system without questioning the need for, or the sense behind, each process.

Example: Quite a few customers insist on having the employee’s manager approve the request first, and then send it to a secondary owner for final approval. When questioned, the response often is, “We don’t trust our managers. They may approve just about anything that someone requests, so we need someone else to take a look at it.” The question we then pose is, “Why have the manager approve something when you don’t trust his judgement?” Or, “Have the manager approve requests, but educate the approvers about the responsibility they carry when they approve something.” You get the idea.

Streamline data across systems

This is an opportunity to bring consistency to how data values are treated by applications across the organization.

Example: The location for a person may be “SFO” in one application, “California” in another, and “Calif.” in yet another application.

Traditionally, each application owner is used to operating in a silo, and comes up with a naming convention designed to suit the needs of the hour and the application. Standardizing the values across applications lets the organization take charge by bringing in the ability to centrally manage various aspects of user properties, rights, etc.

This change often sees the greatest amount of inertia, but is the one that truly lets organizations leverage their IAM investment. The solution isn’t to avoid standardization. The solution (and opportunity) is to strengthen change management.

Build a platform for future application development

Traditional application development models embed authentication and authorization in the core of the application itself. With an IAM program in place, you have the luxury of asking application developers to build only the business logic of their application. All authentication and authorization decisions can then be delegated to the IAM platform, resulting in:

a) Application developers focused on core business functionality

b) A secure, proven mechanism for authentication and authorization decisions

c) A complete view of who can do what in which application
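The delegation described above, as an added illustration that is not Aujas code or any particular product: applications keep only their business logic and hand every access decision to one central policy service, and because all grants live in that one place, the same data answers “who can do what in which application” (point c). Application names, roles and users are constructed for the demo.

```python
"""Central authorization service standing in for the IAM platform.

Added example, not from the original post. Applications ask the policy
service "may this user do X?" instead of embedding role checks; the
policy also reports entitlements across applications and revokes access
in one place. All names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Policy:
    # application -> role -> set of permitted actions
    role_actions: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # user -> set of (application, role) assignments
    assignments: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)

    def define_role(self, app: str, role: str, actions: Set[str]) -> None:
        self.role_actions.setdefault(app, {})[role] = set(actions)

    def assign(self, user: str, app: str, role: str) -> None:
        # Refuse unknown roles so the policy never contains dangling grants
        if role not in self.role_actions.get(app, {}):
            raise ValueError(f"unknown role {role!r} for application {app!r}")
        self.assignments.setdefault(user, set()).add((app, role))

    def revoke(self, user: str, app: str, role: str) -> None:
        # Central deprovisioning: one call removes access for that application
        self.assignments.get(user, set()).discard((app, role))

    def is_allowed(self, user: str, app: str, action: str) -> bool:
        """Policy decision: deny unless some assigned role grants the action."""
        for assigned_app, role in self.assignments.get(user, set()):
            if assigned_app == app and action in self.role_actions[app][role]:
                return True
        return False

    def entitlements(self, user: str) -> Dict[str, Set[str]]:
        """'Who can do what in which application' for one user."""
        result: Dict[str, Set[str]] = {}
        for app, role in self.assignments.get(user, set()):
            result.setdefault(app, set()).update(self.role_actions[app][role])
        return result

    def who_can(self, app: str, action: str) -> Set[str]:
        """Every user currently able to perform an action in an application."""
        return {u for u in self.assignments if self.is_allowed(u, app, action)}


class PayrollApp:
    """Business logic only; every access decision is delegated to the policy."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.app = "payroll"

    def view_salary(self, user: str, employee: str) -> str:
        if not self.policy.is_allowed(user, self.app, "view_salary"):
            return "DENIED"
        return f"salary record for {employee}"

    def approve_run(self, user: str) -> str:
        if not self.policy.is_allowed(user, self.app, "approve_run"):
            return "DENIED"
        return "payroll run approved"


def build_demo_policy() -> Policy:
    """Constructed roles and assignments for two hypothetical applications."""
    p = Policy()
    p.define_role("payroll", "hr_clerk", {"view_salary"})
    p.define_role("payroll", "hr_manager", {"view_salary", "approve_run"})
    p.define_role("crm", "sales", {"view_account", "edit_account"})
    p.assign("alice", "payroll", "hr_manager")
    p.assign("bob", "payroll", "hr_clerk")
    p.assign("bob", "crm", "sales")
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    payroll = PayrollApp(policy)
    print(payroll.approve_run("bob"))          # DENIED
    print(payroll.approve_run("alice"))        # payroll run approved
    print(policy.entitlements("bob"))          # cross-application view for one user
    print(policy.who_can("payroll", "approve_run"))
```

The point of the structure is that `PayrollApp` contains no role names at all; adding a second application means registering its roles with the same `Policy`, and an access review is a query over that one object rather than over every application’s own tables.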

In a nutshell, most IAM programs are about implementing a vision. It is an opportunity to question what has been done for years, to optimize, streamline and strengthen the way the organization functions, and to discard the legacy that has ceased to provide value.

To quote Sara Gates, former VP of Identity Management for Sun Microsystems, “Identity Management is like putting brakes on your car. Why do cars have brakes? Everyone says, ‘So they can stop.’ But the real reason cars have brakes is so they can go faster.”

When you are looking for a partner to steer you in the right direction on such an important topic, Aujas can help. Call me and learn more about how we have delivered IAM projects to clients globally.

December 20, 2010 | Posted in identity and access management, Risk management

Wikileaks Fallout: DLP Helps But Doesn’t Solve, Analysts Say

by George V. Hulme, Contributing Writer
Data leak prevention technologies have a limited but important role in protecting enterprise data, analysts say. But can the technology prevent another WikiLeaks-like fiasco?

In the aftermath of the Wikileaks fiasco, enterprises are wondering what the breach of so many sensitive documents means, and if such an event could ever happen to them. One of the technologies vendors and solution providers are feverishly pushing as the answer is Data Leak Prevention (DLP) technology.

According to IDC, while sensitive information leaks were seen as the second greatest threat to enterprise security, only 31.4 percent of organizations had adopted DLP. At the time of the study, which was December 2009, only 14.5 percent of organizations had plans to purchase DLP. It’s probably a good hunch, considering what has become public on the Operation Aurora attacks and the more recent Wikileaks phenomenon, that many enterprises are giving DLP a much closer look today.

DLP is widely marketed as the way to stop confidential information from sliding out the door on notebooks, smartphones, iPods, portable storage, and many other devices. Or, as US Army intelligence analyst Private First Class Bradley Manning is alleged to have done: copy and walk away with reportedly 250,000 files designated (at the least) as classified — on a writable CD labeled as Lady Gaga music — from the Secret Internet Protocol Router Network (SIPRNet). SIPRNet is run by the US Department of Defense and the U.S. Department of State.

Would having DLP in place have prevented that leak? Analysts are doubtful. DLP technology is very good at protecting specific types of information, but not at protecting all of the information generated and managed by an organization. “In this case, the content taken appears to have been a mass amount of information that Manning had legitimate access to,” says Rich Mogull, founder and analyst at the research firm Securosis. “DLP is not good at stopping this sort of incident, where a broad amount of data is taken.”

Experts also agreed that while DLP has its place in the enterprise, it would provide no definitive protection against similar attacks from trusted insiders. “There is no 100 percent solution to stop a motivated insider from stealing information,” says Mike Rothman, president and analyst at Securosis.

It’s useful to pause and define what we mean by DLP. According to Mogull, DLP, at a minimum, identifies, monitors and protects data in motion, at rest and in use through deep content analysis. The tools identify the content, monitor its usage and build defenses around it. “There’s also an emerging class of DLP that I call DLP Lite. These are single channel solutions that only look at either the end point, or the network,” he says.

For the most part, experts agree, whether considering full-blown DLP or DLP Lite, the technology excels at stopping specific kinds of data from leaking when it shouldn’t — credit card data, engineering plans and details, health care forms. “For enterprises, compared to a government situation like Manning’s case, you can certainly do more to protect more data,” says Mogull.

But, experts caution, DLP can’t prevent many types of attacks on data from being successful. “There is a rumor that WikiLeaks has a trove of information on one of the major US banks. While we’re not sure what type of information it is, or how it is stored, if that information is reams of e-mails with free flowing conversations, DLP is not necessarily going to pick up on and stop that kind of breach,” Mogull explains.
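The contrast Mogull draws is visible in a small content-analysis check of the kind a DLP engine runs. The example below is added here and is not from the article or any DLP product: a payment card number is well-defined enough to be recognised by a pattern plus its checksum, while a free-flowing e-mail conversation contains nothing for such a rule to latch onto, so it passes through untouched. The sample messages are constructed.

```python
"""Content analysis for structured data versus free text.

Added example, not from the original article. Card numbers are found by
pattern (13 to 19 digits, optional space or dash separators) and confirmed
with the Luhn checksum, which filters out order numbers and other digit
runs. Sample texts are constructed.
"""
import re
from typing import List

# A candidate is 13 to 19 digits, each optionally followed by a space or dash,
# not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: every second digit from the right is doubled (mod 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return normalised card numbers (digits only) found in the text."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(message: str) -> str:
    """DLP verdict for one outbound message: BLOCK if card data is present."""
    return "BLOCK" if find_card_numbers(message) else "ALLOW"


if __name__ == "__main__":
    # Constructed samples: a structured leak, a look-alike, and a free-text chat
    samples = [
        "Customer paid with 4111 1111 1111 1111, exp 12/14",
        "order id 1234567890123 shipped yesterday",
        "Hi Tom, the merger talks went badly, call me at 555-0134 tomorrow.",
    ]
    for s in samples:
        print(classify(s), "|", s)
```

The third sample is exactly the kind of content Mogull describes: sensitive, but indistinguishable from ordinary mail to a rule-based engine. Real products add fingerprinting and statistical classifiers on top of patterns, but the underlying limitation the analysts describe remains.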

That’s why it remains important that enterprises, in their own efforts to prevent data leaks, not place too large an emphasis on DLP technology, and that DLP be used as an additional layer of defense to supplement other important defenses such as access control, encryption, segmentation and security event monitoring, among others. Most importantly, enterprises need to understand which information they most want to protect, and how that information normally flows through their organization.

“They need to understand the context of the data they use and want to protect – the why and how it traverses their network – as part of the normal course of using that data,” says Nick Selby, managing director at security consultancy Trident Risk Management. “For DLP to work in the limited way it’s intended, organizations must know what normal looks like before they have any hope at stopping abnormal activity.”
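Selby’s point, knowing what normal looks like first, is the kind of check that can notice what content-based DLP misses in the Manning scenario: a user with legitimate access retrieving far more than usual. The example below is added here (not from the article): it learns a per-user baseline of daily document retrievals from constructed access-log lines and flags a day that exceeds that baseline by a chosen factor.

```python
"""Baseline-then-detect over document-access events.

Added example, not from the original article. For each user, the median of
earlier days' retrieval counts is the baseline; a day whose count exceeds
FACTOR times that baseline is flagged for review. Log format and data are
constructed: "<date> <user> <action> <document-id>".
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

FACTOR = 5            # how far above the baseline counts as abnormal
MIN_HISTORY_DAYS = 5  # do not judge a user before enough normal days are seen


def build_sample_log() -> List[str]:
    """Constructed log: ten ordinary days, then one day of bulk retrieval."""
    lines = []
    for day in range(1, 11):
        for k in range(3):   # jdoe normally reads about three documents a day
            lines.append(f"2010-11-{day:02d} jdoe read DOC-{day * 10 + k}")
        for k in range(2):   # asmith normally reads two
            lines.append(f"2010-11-{day:02d} asmith read DOC-{500 + day * 10 + k}")
    for k in range(60):      # day 11: jdoe pulls sixty documents
        lines.append(f"2010-11-11 jdoe read DOC-{2000 + k}")
    lines.append("2010-11-11 asmith read DOC-900")
    lines.append("2010-11-11 asmith write DOC-901")
    return lines


def daily_read_counts(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """user -> date -> number of documents read that day."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        date, user, action, _doc = line.split()
        if action == "read":
            counts[user][date] += 1
    return counts


def flag_anomalies(lines: List[str],
                   factor: int = FACTOR,
                   min_history_days: int = MIN_HISTORY_DAYS
                   ) -> List[Tuple[str, str, int, float]]:
    """Return (user, date, count, baseline) for days far above the user's norm."""
    flagged = []
    for user, days in daily_read_counts(lines).items():
        dates = sorted(days)  # ISO dates sort chronologically as strings
        for i, date in enumerate(dates):
            history = [days[d] for d in dates[:i]]   # only earlier days
            if len(history) < min_history_days:
                continue
            baseline = median(history)
            if days[date] > factor * baseline:
                flagged.append((user, date, days[date], baseline))
    return flagged


if __name__ == "__main__":
    for user, date, count, baseline in flag_anomalies(build_sample_log()):
        print(f"{date} {user}: {count} reads vs baseline {baseline}")
```

A median baseline tolerates the occasional busy day without shifting; the factor and history length are tuning knobs an organization sets once it has, as Selby says, learned its own normal. The flag is a trigger for review, not proof of misuse.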

Read more about data protection and governance in the Aujas whitepaper.

December 20, 2010 | Posted in Data Leak Prevention, Enterprise Security

Single Sign-On – Choosing Practical over Paranoid Security

As various business processes are automated in enterprises, a complex IT landscape is created. Multiple applications and platforms require different authentication checks before granting user access. Users need to sign on to multiple systems, each with a different set of credentials. As a result, accessing systems gets increasingly complicated and frustrating for users and hampers their daily tasks.

Implementing single sign-on (SSO) can significantly simplify systems access. SSO provides a unified mechanism to manage user authentication and to implement the business rules that determine user access. As only one set of credentials is needed to access multiple systems, SSO improves usability, increases productivity and reduces helpdesk expenses, without compromising system security.

SSO also reduces human error, a major component of systems failure, because the user logs in once and gains access to all systems without being prompted to log in again for each.

Why is SSO relevant?

The need for SSO is accentuated by several issues enterprises face including:

  • Enforcing strong security and password policies at a central level
  • Multiple helpdesks
  • Need for helpdesks to engage in more value-adding tasks rather than be consumed by resetting passwords for users
  • Management of multiple platforms and application models
  • Risk of unsecured, unauthorized administrative and user accounts

SSO types you need to know

Two of the most important types of SSO are:

Enterprise SSO

Enterprise single sign-on (ESSO) systems are designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. The ESSO automatically logs users in, and acts as a password filler where automatic login is not possible. Each desktop/laptop is given a token that handles the authentication.


Web SSO

Web SSO provides single sign-on for web-based applications and a few supported proprietary closed-source web applications. It is a browser-based mechanism, providing single sign-on to applications deployed on web servers within a domain.
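The browser-based mechanism described above, as an added example that is not from the original post or any vendor’s product: the browser authenticates once to an identity provider (IdP), receives a signed, time-limited assertion, and each web application in the domain verifies that assertion with a shared key instead of prompting for a password again. Expired or tampered assertions send the user back to the IdP. The user, password and key material are constructed for the demo.

```python
"""Minimal web SSO with an HMAC-signed assertion.

Added example, not from the original post. One login at the identity
provider yields an assertion that several web applications accept after
verifying the signature and expiry. Key, directory and users are
constructed; a real IdP stores password hashes, not plaintext.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"demo-key-do-not-use-in-production"              # constructed
USER_DIRECTORY = {"alice": "correct horse battery staple"}      # constructed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest())


class IdentityProvider:
    """The one place the user types a password."""

    def login(self, user: str, password: str,
              now: Optional[float] = None, ttl: int = 3600) -> Optional[str]:
        now = time.time() if now is None else now
        expected = USER_DIRECTORY.get(user, "")
        if not expected or not hmac.compare_digest(expected, password):
            return None
        claims = {"sub": user, "iat": int(now), "exp": int(now) + ttl}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        return f"{payload}.{_sign(payload)}"


def verify_assertion(token: str, now: Optional[float] = None) -> Optional[str]:
    """Shared by every web application: return the subject, or None."""
    now = time.time() if now is None else now
    try:
        payload, signature = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), signature):   # tampered
        return None
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:                                 # expired
        return None
    return claims["sub"]


class WebApp:
    """A relying application: no password handling, just assertion checks."""

    def __init__(self, name: str):
        self.name = name

    def handle(self, token: str, now: Optional[float] = None) -> str:
        subject = verify_assertion(token, now)
        if subject is None:
            return f"{self.name}: redirect to IdP login"
        return f"{self.name}: welcome {subject}"


if __name__ == "__main__":
    idp = IdentityProvider()
    token = idp.login("alice", "correct horse battery staple", now=1000)
    for app in (WebApp("hr"), WebApp("crm")):
        print(app.handle(token, now=1500))      # both accept the one login
    print(WebApp("hr").handle(token, now=1000 + 3600))   # expired
```

The same assertion opens every application, which is exactly the exposure the post’s detractors raise; the expiry check and the signature check are what keep that exposure bounded, alongside the stronger policy the IdP can enforce on its single password.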

The main differences between the ESSO and Web SSO approaches are summarized in the table below (table image: SSO comparison).

ESSO can provide tangible benefits to an enterprise through:

  • Enhanced user productivity – users are no longer bogged down by multiple logins and need not remember multiple IDs and passwords
  • Improved developer productivity – developers get a common authentication framework and no longer have to build authentication themselves
  • Simplified IT administration – the burden of managing user accounts is reduced; the degree of simplification depends on the applications, since SSO deals only with authentication
  • Reduced password fatigue from different user name and password combinations
  • Reduced IT costs due to fewer help desk calls about passwords
  • Improved security through a reduced need for users to handle and remember multiple sets of authentication information
  • Reduced time spent re-entering passwords for the same identity
  • Integration with conventional authentication such as Windows username/password
  • Centralized reporting for compliance with standards such as ISO 27001

Clearly, SSO is a practical approach to security management in an enterprise. Its detractors point out that once the single password is breached, every system behind the SSO becomes highly vulnerable. Weighing the pros and cons of the SSO approach, however, its benefits in the form of lower maintenance and increased usability far outweigh the disadvantages. It can even ensure better protection of the single password, by enforcing stronger policies on it than would be practical if there were multiple passwords to remember. SSO can be a suitable choice for most enterprises struggling with the burden of managing multiple accesses.

December 7, 2010 | Posted in identity and access management, IT security, Physical Security controls

HIMSS Survey of Security Pros Is Food for Thought

The Healthcare Information and Management Systems Society (HIMSS) in November published results of a survey that focused on key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations. Though your company may not be in the healthcare industry, read the results discussed below and think about how they might compare to your organization.

The 2010 HIMSS Security Survey included feedback from information technology and security professionals from healthcare provider organizations across the U.S. Here’s an overview of respondents’ input:

Maturity of Environment: Respondents characterized their environment at a middle rate of maturity.

Security Budget: Approximately half of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security.

Formal Security Position: Slightly more than half (53%) of respondents reported they have either a CSO/CISO or full-time staff in place to handle their organizations’ security functions.

Risk Analysis: Slightly more than half of respondents (59%) who said that their organization conducts a formal risk analysis reported that this analysis is conducted annually.

Patient Data Access: Surveyed organizations most widely employ user-based and role-based controls to secure electronic patient information.

Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. Two thirds reported having a plan in place for responding to threats or incidents related to a security breach.

Security in a Networked Environment: Approximately 85% of respondents reported that their organization shares patient data in an electronic format.

Future Use of Security Technologies: Mobile device encryption, e-mail encryption and single sign-on were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

Patient Identity: Half of respondents indicated that they validate patient identity by both requiring a government/facility-issued ID and checking the ID against information in the master patient index.

Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft.

December 7, 2010 | Posted in Identity Theft, IT security