Welcome!

Microservices Expo Authors: Elizabeth White, Pat Romanski, Carmen Gonzalez, Liz McMillan, Sematext Blog

Related Topics: Agile Computing, Java IoT, Industrial IoT, Microservices Expo, IoT User Interface, Recurring Revenue, Cloud Security

Agile Computing: Article

Five Steps Toward Achieving Better Compliance with Identity Analytics

Automation is the key to increasing the effectiveness and reducing the cost of compliance

Identity management just isn't what it used to be. Gone are the days when knowing who had access to what was simply enough. In today's world of increasing government and industry regulation; networked communications and collaboration; and pervasive mobility, the requirements have fundamentally changed. Effective identity management and access governance requires insight into not only what employees are doing with their access to systems and applications, but also how well an organization is managing and securing that access.

Such a comprehensive understanding of an organization's access matrix is essential to reducing the risks that employees, partners, customers, and even malicious third parties can introduce. It is also critical to efforts to comply with regulations that mandate access controls. In fact, without it companies have no way to provide meaningful evidence to auditors explaining how and why they assign access.

The need to perform the numerous complex tasks that comprise identity management - such as certifying access, enforcing security policy, and remediating policy violations - is compounded by the reliance on slow, error-prone manual processes to handle them. These issues, coupled with the lack of a comprehensive, cohesive approach to compliance and auditing, make it nearly impossible to address the challenge in an effective and cost-efficient manner.

As a result, enterprises are in the unenviable position of committing significant resources to compliance efforts with little assurance that they will prove successful. Most struggle with satisfying stringent compliance mandates to perform access reviews of users with access rights to thousands of business applications and target platforms, and making it a sustainable and repeatable exercise. Adding to the challenge is the fact that organizations are faced with implementing identity compliance policies within short windows and often with limited resources.

To keep pace in an increasingly competitive business landscape, obtaining quick compliance results and establishing reliable and sustainable control processes through automated compliance has become critical. However, establishing robust, organization-wide automated compliance is by no means a flip-of-the-switch endeavor, and businesses oftentimes implement inadequate and disparate policy procedures that leave key areas of the organization exposed to security threats. In order to implement identity compliance that meets today's rigorous standards while maintaining company productivity, identity analytics solutions can help improve all of the elements of an effective compliance program.

Security Compliance
Organizations that are looking to implement automated, analytics-powered compliance programs need to recognize certain truisms when it comes to ensuring secure access to systems and applications. Security compliance is a substantive and procedural undertaking that is only as effective as the processes that track and automate it. Factors such as the latency of audit and remediation efforts and the rate of change within an organization go a long way toward determining the effectiveness of a compliance effort.

That said, compliance programs must also be flexible. The general guidelines for achieving secure access to applications and systems may seem firm on the surface, but the processes that underlie compliance efforts vary greatly from one organization to the next. What's more, every security control must be designed to accommodate loopholes and exceptions necessary to accommodate business efficiency and productivity. For instance, compliance programs must allow for variation to access controls during emergencies such as severe weather, natural disasters, or even economic turmoil.

Additionally, certification of access controls cannot be an IT-only decision. It needs to be a collaborative process that involves business stakeholders and is embedded in an organization's culture. In exchange for the visibility into applications and systems they receive, those business stakeholders need to understand and accept the inherent risks. But ultimately, IT has to be responsible for providing and mitigating the necessary controls and for remediating any negative audit findings.

Unfortunately, because the collaboration that occurs around access control today is largely email-driven, most organizations have only been able to successfully audit a handful of applications or systems. In fact, according to Verizon's 2012 data breach report, 96 percent of the companies subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS) - which governs any company that processes, stores or transmits credit card data - that were breached during 2011 were not compliant with PCI DSS guidelines.

Growing Complexity
One of the reasons enterprises are so challenged by identity management is the unprecedented complexity they face today. With applications and data residing in so many locales - on premise, in the cloud, at a hosting provider's site, etc. - and users relying upon ever-growing sets of tools, IT security teams struggle to keep up with the need to apply access control across systems and geographies. It was difficult enough to track several pages of segregation of duties controls for a single application; tracking controls across the increasingly heterogeneous landscape of systems today is geometrically more complicated.

Cloud-based apps, in particular, introduce a layer of complexity that can result in the business finding itself disconnected if it loses visibility into the related access control data. Along those lines, one of the most common audit issues organizations encounter is a failure to maintain the same level of security controls over their virtual environments as they have over their physical ones.

Dovetailing with the challenges cloud computing introduces is the explosive growth of mobile apps for use in the workplace, a phenomenon that has further fragmented access control processes. As organizations develop their authorizations for mobile apps, they largely are doing so separately from their existing app-authorization systems, which compounds the challenges. According to an August 2011 survey by enterprise mobility vendor Partnerpedia, 58 percent of organizations are creating mobile apps stores, leading to much more complex implementations of certification reviews and controls.

What's more, it's not just the systems that have grown in complexity. Employees have become a much more dynamic enterprise asset, causing organizations to adjust their access controls to reflect the matrices of roles that have resulted from the challenges of trying to classify access. A perfect instance of this is in the health care sector, with drug companies featuring multiple teams across the globe conducting trials and contributing research. Maintaining the privacy and confidentiality of data in this dynamic workgroup setting is a prime example of how the problem of access has evolved.

Five Steps for Leveraging Identity Analytics
Despite these numerous challenges, which collectively can prevent an organization from achieving its identity management objectives, there are ways to ensure that access control efforts can keep up with today's complex business landscape. Specifically, organizations can turn to fast-maturing identity analytics solutions to help them get a handle on this daunting business problem.

Following are five key steps organizations can take by leveraging identity analytics technology that will assist them in achieving robust identity compliance and remaining in compliance moving forward:

1. Become risk aware
While large chunks of IT budgets in recent years have been spent on regulatory compliance, many people still don't feel any safer. The ultimate cautionary tale can be found in the stories of two global financial firms. Despite the focus both companies no doubt had on complying with regulations like Sarbanes-Oxley, auditors at both firms failed to remediate excessive access violations by trusted trading employees, resulting in more than $9 billion in unexpected - and potentially crippling - losses combined.

By adopting an automated system that would enable weighted risk to be tied directly to systems access, organizations can significantly reduce their potential exposure to such embarrassing fiascos.

2. Control privileged access
Access to privileged accounts, such as root, system administration and those with elevated privileges, poses a huge threat to enterprises. These are the most powerful system accounts that, naturally, bring the greatest potential for fraud. Because they don't actually belong to users and are instead often shared by multiple administrators, they're notoriously difficult to secure. In an economy like the one we've experienced the past few years, there are more disgruntled workers, meaning an even greater emphasis should be placed on having an automated system to control privileged access.

As if that's not enough, control of privileged accounts is key to efforts to comply with everything from Sarbanes-Oxley to the PCI DSS to the Health Insurance Portability and Accountability Act (HIPAA), which typically translates to it being at the top of lists of auditors' findings. Moreover, most business partners today want to know that there are sufficient controls placed on privileged accounts as part of their SAS 70 reviews.

Given the clear sensitivity and importance of privileged access, it's imperative that organizations adopt a circumspect approach that enables passwords to be issued for limited periods of use in order to reduce potential exposure.

3. Automate remediation
Today's largest enterprises must contend with tens of thousands of employees accessing hundreds of systems, resulting in a cacophony of controls that audit groups can't possibly hope to manage. It's simply too big of a job for humans to address in a limited number of hours per day. That's where an automated identity analytics solution can help.

By setting up a workflow-based system that can automate the simpler remediation, auditors can instead focus their efforts on the findings that pose the greatest risk. Even then, however, exceptions must be accommodated; for instance, in those moments when emergency privileged access must be granted, it's critical that the system be able to automatically undo that privileged access once the emergency has abated.

4. Reduce the potential for audit violations
As much as it may sound like advice from Yogi Berra, the best way to prevent audit violations is to stop them from happening. The easiest way to do that is to perform the proper due diligence when access is being requested. That's the time when an enterprise needs to check for any common audit problems so that they can be addressed prior to a violation occurring.

When a user requests access that could be considered excessive, if the organization has adopted a system that flags that access, it can automatically collaborate with a business owner to approve or deny the request. Similarly, if a request for access results in a violation of either the segregation of duties or the rule of least privilege, then the system can flag this and provide visibility into the potential risk introduced by the request.

5. Take a platform approach to identity management
Merely having identity analytics technology in place doesn't guarantee that an organization will meet its compliance objectives. But for those enterprises wanting to increase their compliance success rate, having an identity analytics module that's part of a larger identity management platform greatly improves the odds. Like many other categories of software, identity analytics - and compliance in general - benefits from the tight integration of a platform approach.

This truism was further validated by a recent Aberdeen Group study in which companies that adopted fragmented identity and access systems were compared with those that acquired integrated systems from a single vendor. The findings? The companies that adopted pre-integrated systems experienced 35 percent fewer audit violations and reduced their identity analytics costs by 48 percent. They also reported improved end-user productivity, reduced risk and enhanced agility.

Conclusion
It's clear that the growing complexity organizations face has upped the ante when it comes to compliance with identity access controls. That increasingly complex landscape calls for better tools that enable enterprises not only to effectively administer access to applications and systems, but also to understand how they're managing that access.

Automation is the key to increasing the effectiveness and reducing the cost of compliance. Automation streamlines compliance-related processes, reducing the need for resources while at the same time lowering the risk of manual error that can lead to audit failure. More important, automation makes it possible to create sustainable, repeatable audit processes that enable the enterprise to address compliance in an ongoing manner without starting from scratch to address every new regulation or prepare for every audit.

A software solution, such as identity analytics, that automates access control can play a critical role in achieving effective compliance and lowering the related costs. In these turbulent economic times, organizations can't afford to ignore this increasingly important - and complex - part of their security paradigm.

More Stories By Vadim Lander

Vadim Lander is Oracle's Chief Identity Strategist responsible for direction and architecture of Oracle's Identity Management portfolio. He has more than 20 years of experience in the IT industry. Previous to Oracle, he served as Senior Vice President and Chief Security Architect at CA, where he advised the company on key technology trends and helped guide its strategic direction in security management. Vadim joined CA in 2004 with its acquisition of Netegrity, where he was CTO and was instrumental in the definition and development of the company’s identity and access management products.

Vadim holds a BS in computer science from Northeastern University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
More and more companies are looking to microservices as an architectural pattern for breaking apart applications into more manageable pieces so that agile teams can deliver new features quicker and more effectively. What this pattern has done more than anything to date is spark organizational transformations, setting the foundation for future application development. In practice, however, there are a number of considerations to make that go beyond simply “build, ship, and run,” which changes how...
Without lifecycle traceability and visibility across the tool chain, stakeholders from Planning-to-Ops have limited insight and answers to who, what, when, why and how across the DevOps lifecycle. This impacts the ability to deliver high quality software at the needed velocity to drive positive business outcomes. In his general session at @DevOpsSummit at 19th Cloud Expo, Phil Hombledal, Solution Architect at CollabNet, discussed how customers are able to achieve a level of transparency that e...
Between 2005 and 2020, data volumes will grow by a factor of 300 – enough data to stack CDs from the earth to the moon 162 times. This has come to be known as the ‘big data’ phenomenon. Unfortunately, traditional approaches to handling, storing and analyzing data aren’t adequate at this scale: they’re too costly, slow and physically cumbersome to keep up. Fortunately, in response a new breed of technology has emerged that is cheaper, faster and more scalable. Yet, in meeting these new needs they...
@DevOpsSummit taking place June 6-8, 2017 at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @DevOpsSummit at Cloud Expo New York Call for Papers is now open.
In his session at 19th Cloud Expo, Claude Remillard, Principal Program Manager in Developer Division at Microsoft, contrasted how his team used config as code and immutable patterns for continuous delivery of microservices and apps to the cloud. He showed how the immutable patterns helps developers do away with most of the complexity of config as code-enabling scenarios such as rollback, zero downtime upgrades with far greater simplicity. He also demoed building immutable pipelines in the cloud ...
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
In IT, we sometimes coin terms for things before we know exactly what they are and how they’ll be used. The resulting terms may capture a common set of aspirations and goals – as “cloud” did broadly for on-demand, self-service, and flexible computing. But such a term can also lump together diverse and even competing practices, technologies, and priorities to the point where important distinctions are glossed over and lost.
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
Monitoring of Docker environments is challenging. Why? Because each container typically runs a single process, has its own environment, utilizes virtual networks, or has various methods of managing storage. Traditional monitoring solutions take metrics from each server and applications they run. These servers and applications running on them are typically very static, with very long uptimes. Docker deployments are different: a set of containers may run many applications, all sharing the resource...
Join Impiger for their featured webinar: ‘Cloud Computing: A Roadmap to Modern Software Delivery’ on November 10, 2016, at 12:00 pm CST. Very few companies have not experienced some impact to their IT delivery due to the evolution of cloud computing. This webinar is not about deciding whether you should entertain moving some or all of your IT to the cloud, but rather, a detailed look under the hood to help IT professionals understand how cloud adoption has evolved and what trends will impact th...
Without lifecycle traceability and visibility across the tool chain, stakeholders from Planning-to-Ops have limited insight and answers to who, what, when, why and how across the DevOps lifecycle. This impacts the ability to deliver high quality software at the needed velocity to drive positive business outcomes. In his session at @DevOpsSummit 19th Cloud Expo, Eric Robertson, General Manager at CollabNet, showed how customers are able to achieve a level of transparency that enables everyone fro...
Internet of @ThingsExpo, taking place June 6-8, 2017 at the Javits Center in New York City, New York, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo New York Call for Papers is now open.
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
"Dice has been around for the last 20 years. We have been helping tech professionals find new jobs and career opportunities," explained Manish Dixit, VP of Product and Engineering at Dice, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Rapid innovation, changing business landscapes, and new IT demands force businesses to make changes quickly. In the eyes of many, containers are at the brink of becoming a pervasive technology in enterprise IT to accelerate application delivery. In this presentation, attendees learned about the: The transformation of IT to a DevOps, microservices, and container-based architecture What are containers and how DevOps practices can operate in a container-based environment A demonstration of how ...
Application transformation and DevOps practices are two sides of the same coin. Enterprises that want to capture value faster, need to deliver value faster – time value of money principle. To do that enterprises need to build cloud-native apps as microservices by empowering teams to build, ship, and run in production. In his session at @DevOpsSummit at 19th Cloud Expo, Neil Gehani, senior product manager at HPE, discussed what every business should plan for how to structure their teams to delive...
As we enter the final week before the 19th International Cloud Expo | @ThingsExpo in Santa Clara, CA, it's time for me to reflect on six big topics that will be important during the show. Hybrid Cloud This general-purpose term seems to provide a comfort zone for many enterprise IT managers. It sounds reassuring to be able to work with one of the major public-cloud providers like AWS or Microsoft Azure while still maintaining an on-site presence.
Much of the value of DevOps comes from a (renewed) focus on measurement, sharing, and continuous feedback loops. In increasingly complex DevOps workflows and environments, and especially in larger, regulated, or more crystallized organizations, these core concepts become even more critical. In his session at @DevOpsSummit at 18th Cloud Expo, Andi Mann, Chief Technology Advocate at Splunk, showed how, by focusing on 'metrics that matter,' you can provide objective, transparent, and meaningful f...
Logs are continuous digital records of events generated by all components of your software stack – and they’re everywhere – your networks, servers, applications, containers and cloud infrastructure just to name a few. The data logs provide are like an X-ray for your IT infrastructure. Without logs, this lack of visibility creates operational challenges for managing modern applications that drive today’s digital businesses.