Click here to close now.




















Welcome!

Microservices Expo Authors: AppDynamics Blog, Lori MacVittie, Trevor Parsons, Mike Kavis, Liz McMillan

Related Topics: Agile Computing, Java IoT, Industrial IoT, Microservices Expo, IoT User Interface, Recurring Revenue, Cloud Security

Agile Computing: Article

Five Steps Toward Achieving Better Compliance with Identity Analytics

Automation is the key to increasing the effectiveness and reducing the cost of compliance

Identity management just isn't what it used to be. Gone are the days when knowing who had access to what was simply enough. In today's world of increasing government and industry regulation; networked communications and collaboration; and pervasive mobility, the requirements have fundamentally changed. Effective identity management and access governance requires insight into not only what employees are doing with their access to systems and applications, but also how well an organization is managing and securing that access.

Such a comprehensive understanding of an organization's access matrix is essential to reducing the risks that employees, partners, customers, and even malicious third parties can introduce. It is also critical to efforts to comply with regulations that mandate access controls. In fact, without it companies have no way to provide meaningful evidence to auditors explaining how and why they assign access.

The need to perform the numerous complex tasks that comprise identity management - such as certifying access, enforcing security policy, and remediating policy violations - is compounded by the reliance on slow, error-prone manual processes to handle them. These issues, coupled with the lack of a comprehensive, cohesive approach to compliance and auditing, make it nearly impossible to address the challenge in an effective and cost-efficient manner.

As a result, enterprises are in the unenviable position of committing significant resources to compliance efforts with little assurance that they will prove successful. Most struggle with satisfying stringent compliance mandates to perform access reviews of users with access rights to thousands of business applications and target platforms, and making it a sustainable and repeatable exercise. Adding to the challenge is the fact that organizations are faced with implementing identity compliance policies within short windows and often with limited resources.

To keep pace in an increasingly competitive business landscape, obtaining quick compliance results and establishing reliable and sustainable control processes through automated compliance has become critical. However, establishing robust, organization-wide automated compliance is by no means a flip-of-the-switch endeavor, and businesses oftentimes implement inadequate and disparate policy procedures that leave key areas of the organization exposed to security threats. In order to implement identity compliance that meets today's rigorous standards while maintaining company productivity, identity analytics solutions can help improve all of the elements of an effective compliance program.

Security Compliance
Organizations that are looking to implement automated, analytics-powered compliance programs need to recognize certain truisms when it comes to ensuring secure access to systems and applications. Security compliance is a substantive and procedural undertaking that is only as effective as the processes that track and automate it. Factors such as the latency of audit and remediation efforts and the rate of change within an organization go a long way toward determining the effectiveness of a compliance effort.

That said, compliance programs must also be flexible. The general guidelines for achieving secure access to applications and systems may seem firm on the surface, but the processes that underlie compliance efforts vary greatly from one organization to the next. What's more, every security control must be designed to accommodate loopholes and exceptions necessary to accommodate business efficiency and productivity. For instance, compliance programs must allow for variation to access controls during emergencies such as severe weather, natural disasters, or even economic turmoil.

Additionally, certification of access controls cannot be an IT-only decision. It needs to be a collaborative process that involves business stakeholders and is embedded in an organization's culture. In exchange for the visibility into applications and systems they receive, those business stakeholders need to understand and accept the inherent risks. But ultimately, IT has to be responsible for providing and mitigating the necessary controls and for remediating any negative audit findings.

Unfortunately, because the collaboration that occurs around access control today is largely email-driven, most organizations have only been able to successfully audit a handful of applications or systems. In fact, according to Verizon's 2012 data breach report, 96 percent of the companies subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS) - which governs any company that processes, stores or transmits credit card data - that were breached during 2011 were not compliant with PCI DSS guidelines.

Growing Complexity
One of the reasons enterprises are so challenged by identity management is the unprecedented complexity they face today. With applications and data residing in so many locales - on premise, in the cloud, at a hosting provider's site, etc. - and users relying upon ever-growing sets of tools, IT security teams struggle to keep up with the need to apply access control across systems and geographies. It was difficult enough to track several pages of segregation of duties controls for a single application; tracking controls across the increasingly heterogeneous landscape of systems today is geometrically more complicated.

Cloud-based apps, in particular, introduce a layer of complexity that can result in the business finding itself disconnected if it loses visibility into the related access control data. Along those lines, one of the most common audit issues organizations encounter is a failure to maintain the same level of security controls over their virtual environments as they have over their physical ones.

Dovetailing with the challenges cloud computing introduces is the explosive growth of mobile apps for use in the workplace, a phenomenon that has further fragmented access control processes. As organizations develop their authorizations for mobile apps, they largely are doing so separately from their existing app-authorization systems, which compounds the challenges. According to an August 2011 survey by enterprise mobility vendor Partnerpedia, 58 percent of organizations are creating mobile apps stores, leading to much more complex implementations of certification reviews and controls.

What's more, it's not just the systems that have grown in complexity. Employees have become a much more dynamic enterprise asset, causing organizations to adjust their access controls to reflect the matrices of roles that have resulted from the challenges of trying to classify access. A perfect instance of this is in the health care sector, with drug companies featuring multiple teams across the globe conducting trials and contributing research. Maintaining the privacy and confidentiality of data in this dynamic workgroup setting is a prime example of how the problem of access has evolved.

Five Steps for Leveraging Identity Analytics
Despite these numerous challenges, which collectively can prevent an organization from achieving its identity management objectives, there are ways to ensure that access control efforts can keep up with today's complex business landscape. Specifically, organizations can turn to fast-maturing identity analytics solutions to help them get a handle on this daunting business problem.

Following are five key steps organizations can take by leveraging identity analytics technology that will assist them in achieving robust identity compliance and remaining in compliance moving forward:

1. Become risk aware
While large chunks of IT budgets in recent years have been spent on regulatory compliance, many people still don't feel any safer. The ultimate cautionary tale can be found in the stories of two global financial firms. Despite the focus both companies no doubt had on complying with regulations like Sarbanes-Oxley, auditors at both firms failed to remediate excessive access violations by trusted trading employees, resulting in more than $9 billion in unexpected - and potentially crippling - losses combined.

By adopting an automated system that would enable weighted risk to be tied directly to systems access, organizations can significantly reduce their potential exposure to such embarrassing fiascos.

2. Control privileged access
Access to privileged accounts, such as root, system administration and those with elevated privileges, poses a huge threat to enterprises. These are the most powerful system accounts that, naturally, bring the greatest potential for fraud. Because they don't actually belong to users and are instead often shared by multiple administrators, they're notoriously difficult to secure. In an economy like the one we've experienced the past few years, there are more disgruntled workers, meaning an even greater emphasis should be placed on having an automated system to control privileged access.

As if that's not enough, control of privileged accounts is key to efforts to comply with everything from Sarbanes-Oxley to the PCI DSS to the Health Insurance Portability and Accountability Act (HIPAA), which typically translates to it being at the top of lists of auditors' findings. Moreover, most business partners today want to know that there are sufficient controls placed on privileged accounts as part of their SAS 70 reviews.

Given the clear sensitivity and importance of privileged access, it's imperative that organizations adopt a circumspect approach that enables passwords to be issued for limited periods of use in order to reduce potential exposure.

3. Automate remediation
Today's largest enterprises must contend with tens of thousands of employees accessing hundreds of systems, resulting in a cacophony of controls that audit groups can't possibly hope to manage. It's simply too big of a job for humans to address in a limited number of hours per day. That's where an automated identity analytics solution can help.

By setting up a workflow-based system that can automate the simpler remediation, auditors can instead focus their efforts on the findings that pose the greatest risk. Even then, however, exceptions must be accommodated; for instance, in those moments when emergency privileged access must be granted, it's critical that the system be able to automatically undo that privileged access once the emergency has abated.

4. Reduce the potential for audit violations
As much as it may sound like advice from Yogi Berra, the best way to prevent audit violations is to stop them from happening. The easiest way to do that is to perform the proper due diligence when access is being requested. That's the time when an enterprise needs to check for any common audit problems so that they can be addressed prior to a violation occurring.

When a user requests access that could be considered excessive, if the organization has adopted a system that flags that access, it can automatically collaborate with a business owner to approve or deny the request. Similarly, if a request for access results in a violation of either the segregation of duties or the rule of least privilege, then the system can flag this and provide visibility into the potential risk introduced by the request.

5. Take a platform approach to identity management
Merely having identity analytics technology in place doesn't guarantee that an organization will meet its compliance objectives. But for those enterprises wanting to increase their compliance success rate, having an identity analytics module that's part of a larger identity management platform greatly improves the odds. Like many other categories of software, identity analytics - and compliance in general - benefits from the tight integration of a platform approach.

This truism was further validated by a recent Aberdeen Group study in which companies that adopted fragmented identity and access systems were compared with those that acquired integrated systems from a single vendor. The findings? The companies that adopted pre-integrated systems experienced 35 percent fewer audit violations and reduced their identity analytics costs by 48 percent. They also reported improved end-user productivity, reduced risk and enhanced agility.

Conclusion
It's clear that the growing complexity organizations face has upped the ante when it comes to compliance with identity access controls. That increasingly complex landscape calls for better tools that enable enterprises not only to effectively administer access to applications and systems, but also to understand how they're managing that access.

Automation is the key to increasing the effectiveness and reducing the cost of compliance. Automation streamlines compliance-related processes, reducing the need for resources while at the same time lowering the risk of manual error that can lead to audit failure. More important, automation makes it possible to create sustainable, repeatable audit processes that enable the enterprise to address compliance in an ongoing manner without starting from scratch to address every new regulation or prepare for every audit.

A software solution, such as identity analytics, that automates access control can play a critical role in achieving effective compliance and lowering the related costs. In these turbulent economic times, organizations can't afford to ignore this increasingly important - and complex - part of their security paradigm.

More Stories By Vadim Lander

Vadim Lander is Oracle's Chief Identity Strategist responsible for direction and architecture of Oracle's Identity Management portfolio. He has more than 20 years of experience in the IT industry. Previous to Oracle, he served as Senior Vice President and Chief Security Architect at CA, where he advised the company on key technology trends and helped guide its strategic direction in security management. Vadim joined CA in 2004 with its acquisition of Netegrity, where he was CTO and was instrumental in the definition and development of the company’s identity and access management products.

Vadim holds a BS in computer science from Northeastern University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
The Internet of Things. Cloud. Big Data. Real-Time Analytics. To those who do not quite understand what these phrases mean (and let’s be honest, that’s likely to be a large portion of the world), words like “IoT” and “Big Data” are just buzzwords. The truth is, the Internet of Things encompasses much more than jargon and predictions of connected devices. According to Parker Trewin, Senior Director of Content and Communications of Aria Systems, “IoT is big news because it ups the ante: Reach out ...
At DevOps Summit NY there’s been a whole lot of talk about not just DevOps, but containers, IoT, and microservices. Sessions focused not just on the cultural shift needed to grow at scale with a DevOps approach, but also made sure to include the network ”plumbing” needed to ensure success as applications decompose into the microservice architectures enabling rapid growth and support for the Internet of (Every)Things.
Auto-scaling environments, micro-service architectures and globally-distributed teams are just three common examples of why organizations today need automation and interoperability more than ever. But is interoperability something we simply start doing, or does it require a reexamination of our processes? And can we really improve our processes without first making interoperability a requirement for how we choose our tools?
Our guest on the podcast this week is Adrian Cockcroft, Technology Fellow at Battery Ventures. We discuss what makes Docker and Netflix highly successful, especially through their use of well-designed IT architecture and DevOps.
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Arch...
This week, I joined SOASTA as Senior Vice President of Performance Analytics. Given my background in cloud computing and distributed systems operations — you may have read my blogs on CNET or GigaOm — this may surprise you, but I want to explain why this is the perfect time to take on this opportunity with this team. In fact, that’s probably the best way to break this down. To explain why I’d leave the world of infrastructure and code for the world of data and analytics, let’s explore the timing...
Digital Transformation is the ultimate goal of cloud computing and related initiatives. The phrase is certainly not a precise one, and as subject to hand-waving and distortion as any high-falutin' terminology in the world of information technology. Yet it is an excellent choice of words to describe what enterprise IT—and by extension, organizations in general—should be working to achieve. Digital Transformation means: handling all the data types being found and created in the organizat...
Alibaba, the world’s largest ecommerce provider, has pumped over a $1 billion into its subsidiary, Aliya, a cloud services provider. This is perhaps one of the biggest moments in the global Cloud Wars that signals the entry of China into the main arena. Here is why this matters. The cloud industry worldwide is being propelled into fast growth by tremendous demand for cloud computing services. Cloud, which is highly scalable and offers low investment and high computational capabilities to end us...
Public Cloud IaaS started its life in the developer and startup communities and has grown rapidly to a $20B+ industry, but it still pales in comparison to how much is spent worldwide on IT: $3.6 trillion. In fact, there are 8.6 million data centers worldwide, the reality is many small and medium sized business have server closets and colocation footprints filled with servers and storage gear. While on-premise environment virtualization may have peaked at 75%, the Public Cloud has lagged in adop...
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin,...
MuleSoft has announced the findings of its 2015 Connectivity Benchmark Report on the adoption and business impact of APIs. The findings suggest traditional businesses are quickly evolving into "composable enterprises" built out of hundreds of connected software services, applications and devices. Most are embracing the Internet of Things (IoT) and microservices technologies like Docker. A majority are integrating wearables, like smart watches, and more than half plan to generate revenue with ...
JavaScript is primarily a client-based dynamic scripting language most commonly used within web browsers as client-side scripts to interact with the user, browser, and communicate asynchronously to servers. If you have been part of any web-based development, odds are you have worked with JavaScript in one form or another. In this article, I'll focus on the aspects of JavaScript that are relevant within the Node.js environment.
One of the ways to increase scalability of services – and applications – is to go “stateless.” The reasons for this are many, but in general by eliminating the mapping between a single client and a single app or service instance you eliminate the need for resources to manage state in the app (overhead) and improve the distributability (I can make up words if I want) of requests across a pool of instances. The latter occurs because sessions don’t need to hang out and consume resources that could ...
Rapid innovation, changing business landscapes, and new IT demands force businesses to make changes quickly. The DevOps approach is a way to increase business agility through collaboration, communication, and integration across different teams in the IT organization. In his session at DevOps Summit, Chris Van Tuin, Chief Technologist for the Western US at Red Hat, will discuss: The acceleration of application delivery for the business with DevOps
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Opening Keynote at 16th Cloud Expo, S...
Software is eating the world. The more it eats, the bigger the mountain of data and wealth of valuable insights to digest and act on. Forward facing customer-centric IT organizations, leaders and professionals are looking to answer questions like how much revenue was lost today from platinum users not converting because they experienced poor mobile app performance. This requires a single, real-time pane of glass for end-to-end analytics covering business, customer, and IT operational data.
Approved this February by the Internet Engineering Task Force (IETF), HTTP/2 is the first major update to HTTP since 1999, when HTTP/1.1 was standardized. Designed with performance in mind, one of the biggest goals of HTTP/2 implementation is to decrease latency while maintaining a high-level compatibility with HTTP/1.1. Though not all testing activities will be impacted by the new protocol, it's important for testers to be aware of any changes moving forward.
"ProfitBricks was founded in 2010 and we are the painless cloud - and we are also the Infrastructure as a Service 2.0 company," noted Achim Weiss, Chief Executive Officer and Co-Founder of ProfitBricks, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
You often hear the two titles of "DevOps" and "Immutable Infrastructure" used independently. In his session at DevOps Summit, John Willis, Technical Evangelist for Docker, covered the union between the two topics and why this is important. He provided an overview of Immutable Infrastructure then showed how an Immutable Continuous Delivery pipeline can be applied as a best practice for "DevOps." He ended the session with some interesting case study examples.