By Kurt Johnson, Courion Corporation
Ever since the cloud sprang to the top of every IT discussion, the issue of cloud security has been right alongside it. Let’s face it, enterprise security has never been easy, and the rapidly expanding use of software in the cloud has added layers of complexity – and risk – to the job. More valuable intellectual property, personally identifiable information, medical records and customer data now sit in the cloud. Risk should not prevent this, but it is a risk that needs to be managed.
With more data spread across multiple environments, accessed not only by employees but by contractors, partners and customers alike, and accessed via more devices such as tablets and mobile phones, identity and access becomes an increasing concern. Who has access? Do they need this access? What are they doing with that access? All of these questions are critical for an effective security strategy. The cloud doesn’t change Identity and Access Management needs. We still need to ensure that the right people are getting the right level of access to cloud resources, and that they are doing the right things with that access. However, many cloud applications are purchased by the business units without IT’s knowledge. Identity and access administration become more ad hoc. Security is losing control, but not losing responsibility.
The IAM Gap
The cloud only puts a fine point on overall access risk as a growing concern. We’re confronting an expanding identity and access management gap (“IAM Gap”) that’s threatening the integrity of many organizations today.
Many organizations use provisioning systems to automate the setup, modification and disablement of accounts according to policy. Access certification provides a periodic, point-in-time look at who has access. Managers must attest that subordinates have the right access according to their responsibilities. But, what happens in between? New applications, new accounts, new policies and other changes are a daily event. The ad hoc nature of the cloud means new users and access could be happening without any visibility to IT. Identity and access should not be a once-a-year checkpoint.
The gap between provisioning and certification represents trillions of ever-changing relationships among identities, access rights and resources. It’s a danger zone that exposes the soft underbelly of your organization’s security. One wouldn’t expect to do a virus scan or intrusion detection analysis once every six months, so why should your organization stall on monitoring identities and access?
So, what should your organization do? Take a hard look at IAM programs and expand that to include the cloud. Update IAM guidelines and controls. Go beyond mere provisioning and certification to include intelligence and analytics. Define the policies of who should have what type of access, define appropriate use and get the line of businesses involved in the process.
Then, make sure cloud as well as on-premise applications are included. There should not be stove-piped strategies – one for cloud, one for on-premise. It should be an enterprise IAM strategy that incorporates both.
To incorporate the cloud in this strategy, start with an inventory of your cloud applications. Once the cloud applications have been identified, they should be categorized by risk, much like any enterprise application. Match the identity and access controls to the risk level. Low-risk applications, like TripIt, should have acceptable use agreements and password policies. Too many end-users use the same passwords for personal applications as they do for enterprise applications. What happens when password breaches occur, such as those that happened with Evernote or LinkedIn? Medium-risk applications, such as Box or ShareFile, should add automated provisioning and de-provisioning, access certification reviews, access policy reviews and exception monitoring. For high-risk applications, such as Salesforce.com, higher-level controls should be added, including user activity monitoring, privileged account monitoring, multi-factor authentication and identity and access intelligence, so as to provide more real-time analysis and monitoring of access risk.
The strategy needs to address the gap not just on day one and through periodic point-in-time reviews, but with intelligence that provides a measure of real-time monitoring and which tracks user activity.
As the openness imperative and cloud movement raise the access risk management stakes, organizations need to:
- Identify where risk is and understand it
- Drive security controls to settle the risk
- Dynamically strengthen security controls based on risk status
- Spotlight risk in real-time
The solution is harnessing the Big Data in the trillions of access relationships – on the ground or in the cloud – to better understand what is really going on. Security staff are essentially looking for a needle in the haystack of data. Unfortunately, they don’t know what the needle looks like, so they have to look at all the hay and find something that looks different. What they really need to see are meaningful patterns. This is where predictive analytics come in – the same technology that an online retailer might use to better target product offers to you based on your recent buying behavior, for example.
Closing the IAM Gap with Real-Time Risk Aware Identity & Access Intelligence
You need to apply predictive analytics specifically to the big data around identity, rights, policies, activities and resources to reveal anomalous patterns of activity. From this, you gain access intelligence, and you can compare the patterns representing good behavior with anomalies. Consider a person with legitimate rights to a resource accessing a cloud-based CRM system and downloading the entire customer database from his home office at 2 a.m. on a Saturday night. This event might bear looking into, but you’d never even know it occurred with traditional controls because the person had legitimate access to the system. By identifying patterns or anomalies from “normal” – and displaying them in graphical heat maps – you have a view you haven’t seen before.
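The scenario above, scored against a per-user baseline of "normal" activity, as an added example; this is not Courion's product code, and the CRM access events, the user name, the network labels and the volume threshold are all constructed assumptions:

```python
from datetime import datetime
from statistics import median

# Constructed CRM access events (not real data): (user, ISO timestamp, records exported, source network)
HISTORY = [
    ("alice", "2013-03-04T09:15:00", 120, "corp"),
    ("alice", "2013-03-05T14:02:00", 80, "corp"),
    ("alice", "2013-03-06T11:40:00", 150, "corp"),
    ("alice", "2013-03-07T16:20:00", 95, "corp"),
    ("alice", "2013-03-08T10:05:00", 110, "vpn"),
]

def build_baseline(events, user):
    """Learn what 'normal' looks like for one user from past events:
    usual hours of day, weekday use, export volume and source networks."""
    own = [e for e in events if e[0] == user]
    hours = [datetime.fromisoformat(e[1]).hour for e in own]
    return {
        "hour_min": min(hours),
        "hour_max": max(hours),
        "weekend_seen": any(datetime.fromisoformat(e[1]).weekday() >= 5 for e in own),
        "median_records": median(e[2] for e in own),
        "networks": {e[3] for e in own},
    }

def score_event(baseline, event, volume_factor=10):
    """Return (score, reasons). Each deviation from the baseline adds one point.
    Access rights are assumed legitimate, so only behaviour is scored."""
    _, ts, records, network = event
    when = datetime.fromisoformat(ts)
    reasons = []
    if not (baseline["hour_min"] <= when.hour <= baseline["hour_max"]):
        reasons.append("outside usual hours")
    if when.weekday() >= 5 and not baseline["weekend_seen"]:
        reasons.append("weekend activity never seen before")
    if records > volume_factor * baseline["median_records"]:
        reasons.append("export volume far above median")
    if network not in baseline["networks"]:
        reasons.append("unfamiliar source network")
    return len(reasons), reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY, "alice")
    # The article's scenario: full customer database pulled from home at 2 a.m. on a Saturday
    suspicious = ("alice", "2013-03-09T02:00:00", 250000, "home")
    print(score_event(base, suspicious))
```

A score of several points on an event the provisioning system would approve is exactly the kind of pattern that never surfaces through entitlement checks alone.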
This kind of analysis closes the IAM Gap and provides a risk-driven approach to IAM. You understand and manage risk in real time, not every three to 12 months. You automate information security and identify patterns not discernible to the naked eye. With anomalies and patterns revealed, you prioritize your next security steps, strengthen controls in times of highest risk and continuously update threat definitions.
Here’s the key point: In this new approach, you assess risk from live data, not scenarios you’ve anticipated and coded into the system. Many security tools alert you to actions you’ve already defined as “bad.” But how do you see things you didn’t know were bad before? You need analytics to uncover patterns, serve them up to you and let you weigh whether they warrant further investigation. Real-time, predictive analytics put you ahead of the risk curve, harnessing existing company data to sound alarms before a loss – when the risk around an individual or resource spikes. In other words, you don’t know what you don’t know.
This kind of operational intelligence identifies, quantifies and settles access risks in time to avoid audit issues and real damage to your business. It’s interactive, real-time, scalable and self-learning. You have actionable, risk-prioritized insight.
Whether the applications you monitor are partly or solely in the cloud does not matter; you’re securing all your enterprise systems and resources wherever they reside. You are making sure risks are reduced before they become bona fide breaches. Bottom line, we need a new “perimeter”: one that truly understands who someone is, what they should access, what they are doing with that access and what patterns of behavior might represent threats to the organization. This way, you’re taking advantage of all the benefits of the cloud while opening your business to employees, customers and partners – all while getting ahead of risk.
Kurt Johnson is vice president of strategy and corporate development at Courion Corporation (www.courion.com).