Aujas US

An IDG Ventures Company

More than Password Resets – Identity and Access Management’s Real Value

Security with single sign-onYou’ve probably heard enough about the benefits that an Identity and Access Management (IAM) program can bring to you. Most of the benefits pitched to customers from various vendors revolve around specific features of the products, and are generalizations at best.

For example, password reset is available as a feature, and the obvious benefit is reduced helpdesk costs. Plain and simple!  There is, however, much more to the story.

When you go ahead with an IAM program, this is what you are really setting out to do:

Streamline processes

Setting up an IAM solution forces one to optimize and define processes that carry no ambiguity, because automation cannot be achieved when there is ambiguity. Don’t count on the partner who is on keen to migrate your existing processes into the IAM system without questioning the need or sense behind that process.

Example: Quite a few customers insist on having the employee’s manager approve the request first, and then send it to a secondary owner for a final approval. When questioned, the response often is, “We don’t trust our managers. They may approve just about anything that someone requests, so we need someone else take a look at it.” The question we then pose is, “Why have the manager approve something when you don’t trust his judgement?” Or “Have the manager approve requests, but educate the users about the responsibility they carry when they approve something.” You get the idea.

Streamline data across systems

This is an opportunity to bring consistency to how data values are treated by applications across the organization.

Example: The location for a person maybe “SFO” in one application, “California” in another, and “Calif.” in yet another application.

Traditionally, each application owner is used to operating in a silo, and comes up with a naming convention designed to suit the needs of the hour and the application. Standardizing the values across applications lets the organization take charge by bringing in the ability to centrally manage various aspects of user properties, rights, etc.

This change often sees the greatest amount of inertia, but is the one that truly lets organizations leverage their IAM investment. The solution isn’t to avoid standardization. The solution (and opportunity) is to strengthen change management.

Build a platform for future application development

Traditional application development models cater to embedding the authentication and authorization into the core of the application itself. With an IAM program- in place, you have the luxury and comfort of asking application developers to develop just the business logic in their application. All authentication and authorization related decisions can then be delegated to the IAM platform, resulting in

a)      Application developers focused on core business functionality

b)      Having a secure, and proven mechanism for authentication and authorization decisions

c)       Achieving a complete view of who can do what in which application

In a nut shell, most IAM programs are about implementing a vision. It is an opportunity to question what has been done for years, to optimize, streamline and strengthen the way the organization functions, and to discard the legacy that has ceased to provide value.

To quote Sara Gates, former VP of Identity Management for Sun Microsystems, “Identity Management is like putting brakes on your car. Why do cars have brakes?” Everyone says, ‘So they can stop.’ But the real reason cars have brakes is so they can go faster.”

When you are looking for the partner to steer you in the right direction when it comes to such an important topic, Aujas can help.  Call me and learn more about how we have delivered IAM projects to clients globally.

Advertisements

December 20, 2010 Posted by | identity and access management, Risk management | , , | Leave a comment

Wikileaks Fallout: DLP Helps But Doesn’t Solve, Analysts Say

by George V. Hulme, Contributing Writer
WikiLeaks and DLPData leak prevention technologies have a limited but important role in protecting enterprise data, analysts say. But can the technology prevent another WikiLeaks-like fiasco?

In the aftermath of the Wikileaks fiasco, enterprises are wondering what the breach of so many sensitive documents means, and if such an event could ever happen to them. One of the technologies vendors and solution providers are feverishly pushing as the answer is Data Leak Prevention (DLP) technology.

According to IDC, while sensitive information leaks were seen as the second greatest threat to enterprise security, only 31.4 percent of organizations had adopted DLP. At the time of the study, which was December 2009, only 14.5 percent of organizations had plans to purchase DLP. It’s probably a good hunch, considering what has become public on the Operation Aurora attacks and the more recent Wikileaks phenomenon, that many enterprises are giving DLP a much closer look today.

DLP is widely marketed as the way to stop confidential information from sliding out the door on notebooks, smartphones, iPods, portable storage, and many other devices. Or, as US Army intelligence analyst Private First Class Bradley Manning is alleged to have done: copy and walk away with reportedly 250,000 files designated (at the least) as classified — on a writable CD labeled as Lady Gaga music — from the Secret Internet Protocol Router Network (SIPRNet). SIPRNet is run by the US Department of Defense and the U.S. Department of State.

Would having DLP in place had prevented that leak? Analysts are doubtful. DLP technology is very good at protecting specific types of information, but not protecting all of the information generated and managed by an organization. “In this case, the content taken appears to have been a mass amount of information that Manning had legitimate access to,” says Rich Mogull, founder and analyst at the research firm Securosis. “DLP is not good at stopping this sort of incident, where a broad amount of data is taken.”

Experts also agreed that while DLP has its place in the enterprise, it would provide no definitive protection against similar attacks from trusted insiders. “There is no 100 percent solution to stop a motivated insider from stealing information,” says Mike Rothman, president and analyst at Securosis.

It’s useful to pause and define what we mean by DLP. According to Mogull, DLP, at a minimum, identifies, monitors and protects data in motion, at rest and in use through deep content analysis. The tools identify the content, monitor its usage and builds defenses around it. “There’s also an emerging class of DLP that I call DLP Lite. These are single channel solutions that only look at either the end point, or the network,” he says.

For the most part, experts agree, whether considering full-blown DLP or DLP Lite, the technology excels at stopping specific kinds of data from leaking when it shouldn’t — credit card data, engineering plans and details, health care forms. “For enterprises, compared to a government situation like Manning’s case, you can certainly do more to protect more data,” says Mogull.

But, experts caution, DLP can’t prevent many types of attacks on data from being successful. “There is a rumor that WikiLeaks has a trove of information on one of the major US banks. While we’re not sure what type of information it is, or how it is stored, if that information is reams of e-mails with free flowing conversations, DLP is not necessarily going to pick up on and stop that kind of breach,” Mogull explains.

That’s why it remains important that enterprises, in their own efforts to protect data leaks, not place too large an emphasis on DLP technology, and that DLP be used as an additional layer of defense to supplement other important defenses such as access control, encryption, segmentation, security event monitoring, among others. Most importantly, enterprises need to understand what information it is they want to most protect, and how that information normally flows throughout their organization.

“They need to understand the context of the data they use and want to protect – the why and how it traverses their network – as part of the normal course of using that data,” says Nick Selby managing director at security consultancy Trident Risk Management. “For DLP to work in the limited way it’s intended, organizations must know what normal looks like before they have any hope at stopping abnormal activity.”

Read more about data protection and governance by clicking on this site for the Aujas whitepaper http://www.aujas.com/whitepapers.html

December 20, 2010 Posted by | Data Leak Prevention, Enterprise Security | , , , | Leave a comment