Welcome!

Microservices Expo Authors: Derek Weeks, Mehdi Daoudi, Pat Romanski, Liz McMillan, Elizabeth White

Related Topics: Agile Computing, Java IoT, Industrial IoT, Microservices Expo, Machine Learning , Recurring Revenue, Cloud Security

Agile Computing: Article

Five Steps Toward Achieving Better Compliance with Identity Analytics

Automation is the key to increasing the effectiveness and reducing the cost of compliance

Identity management just isn't what it used to be. Gone are the days when knowing who had access to what was simply enough. In today's world of increasing government and industry regulation; networked communications and collaboration; and pervasive mobility, the requirements have fundamentally changed. Effective identity management and access governance requires insight into not only what employees are doing with their access to systems and applications, but also how well an organization is managing and securing that access.

Such a comprehensive understanding of an organization's access matrix is essential to reducing the risks that employees, partners, customers, and even malicious third parties can introduce. It is also critical to efforts to comply with regulations that mandate access controls. In fact, without it companies have no way to provide meaningful evidence to auditors explaining how and why they assign access.

The need to perform the numerous complex tasks that comprise identity management - such as certifying access, enforcing security policy, and remediating policy violations - is compounded by the reliance on slow, error-prone manual processes to handle them. These issues, coupled with the lack of a comprehensive, cohesive approach to compliance and auditing, make it nearly impossible to address the challenge in an effective and cost-efficient manner.

As a result, enterprises are in the unenviable position of committing significant resources to compliance efforts with little assurance that they will prove successful. Most struggle with satisfying stringent compliance mandates to perform access reviews of users with access rights to thousands of business applications and target platforms, and making it a sustainable and repeatable exercise. Adding to the challenge is the fact that organizations are faced with implementing identity compliance policies within short windows and often with limited resources.

To keep pace in an increasingly competitive business landscape, obtaining quick compliance results and establishing reliable and sustainable control processes through automated compliance has become critical. However, establishing robust, organization-wide automated compliance is by no means a flip-of-the-switch endeavor, and businesses oftentimes implement inadequate and disparate policy procedures that leave key areas of the organization exposed to security threats. In order to implement identity compliance that meets today's rigorous standards while maintaining company productivity, identity analytics solutions can help improve all of the elements of an effective compliance program.

Security Compliance
Organizations that are looking to implement automated, analytics-powered compliance programs need to recognize certain truisms when it comes to ensuring secure access to systems and applications. Security compliance is a substantive and procedural undertaking that is only as effective as the processes that track and automate it. Factors such as the latency of audit and remediation efforts and the rate of change within an organization go a long way toward determining the effectiveness of a compliance effort.

That said, compliance programs must also be flexible. The general guidelines for achieving secure access to applications and systems may seem firm on the surface, but the processes that underlie compliance efforts vary greatly from one organization to the next. What's more, every security control must be designed to accommodate loopholes and exceptions necessary to accommodate business efficiency and productivity. For instance, compliance programs must allow for variation to access controls during emergencies such as severe weather, natural disasters, or even economic turmoil.

Additionally, certification of access controls cannot be an IT-only decision. It needs to be a collaborative process that involves business stakeholders and is embedded in an organization's culture. In exchange for the visibility into applications and systems they receive, those business stakeholders need to understand and accept the inherent risks. But ultimately, IT has to be responsible for providing and mitigating the necessary controls and for remediating any negative audit findings.

Unfortunately, because the collaboration that occurs around access control today is largely email-driven, most organizations have only been able to successfully audit a handful of applications or systems. In fact, according to Verizon's 2012 data breach report, 96 percent of the companies subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS) - which governs any company that processes, stores or transmits credit card data - that were breached during 2011 were not compliant with PCI DSS guidelines.

Growing Complexity
One of the reasons enterprises are so challenged by identity management is the unprecedented complexity they face today. With applications and data residing in so many locales - on premise, in the cloud, at a hosting provider's site, etc. - and users relying upon ever-growing sets of tools, IT security teams struggle to keep up with the need to apply access control across systems and geographies. It was difficult enough to track several pages of segregation of duties controls for a single application; tracking controls across the increasingly heterogeneous landscape of systems today is geometrically more complicated.

Cloud-based apps, in particular, introduce a layer of complexity that can result in the business finding itself disconnected if it loses visibility into the related access control data. Along those lines, one of the most common audit issues organizations encounter is a failure to maintain the same level of security controls over their virtual environments as they have over their physical ones.

Dovetailing with the challenges cloud computing introduces is the explosive growth of mobile apps for use in the workplace, a phenomenon that has further fragmented access control processes. As organizations develop their authorizations for mobile apps, they largely are doing so separately from their existing app-authorization systems, which compounds the challenges. According to an August 2011 survey by enterprise mobility vendor Partnerpedia, 58 percent of organizations are creating mobile apps stores, leading to much more complex implementations of certification reviews and controls.

What's more, it's not just the systems that have grown in complexity. Employees have become a much more dynamic enterprise asset, causing organizations to adjust their access controls to reflect the matrices of roles that have resulted from the challenges of trying to classify access. A perfect instance of this is in the health care sector, with drug companies featuring multiple teams across the globe conducting trials and contributing research. Maintaining the privacy and confidentiality of data in this dynamic workgroup setting is a prime example of how the problem of access has evolved.

Five Steps for Leveraging Identity Analytics
Despite these numerous challenges, which collectively can prevent an organization from achieving its identity management objectives, there are ways to ensure that access control efforts can keep up with today's complex business landscape. Specifically, organizations can turn to fast-maturing identity analytics solutions to help them get a handle on this daunting business problem.

Following are five key steps organizations can take by leveraging identity analytics technology that will assist them in achieving robust identity compliance and remaining in compliance moving forward:

1. Become risk aware
While large chunks of IT budgets in recent years have been spent on regulatory compliance, many people still don't feel any safer. The ultimate cautionary tale can be found in the stories of two global financial firms. Despite the focus both companies no doubt had on complying with regulations like Sarbanes-Oxley, auditors at both firms failed to remediate excessive access violations by trusted trading employees, resulting in more than $9 billion in unexpected - and potentially crippling - losses combined.

By adopting an automated system that would enable weighted risk to be tied directly to systems access, organizations can significantly reduce their potential exposure to such embarrassing fiascos.

2. Control privileged access
Access to privileged accounts, such as root, system administration and those with elevated privileges, poses a huge threat to enterprises. These are the most powerful system accounts that, naturally, bring the greatest potential for fraud. Because they don't actually belong to users and are instead often shared by multiple administrators, they're notoriously difficult to secure. In an economy like the one we've experienced the past few years, there are more disgruntled workers, meaning an even greater emphasis should be placed on having an automated system to control privileged access.

As if that's not enough, control of privileged accounts is key to efforts to comply with everything from Sarbanes-Oxley to the PCI DSS to the Health Insurance Portability and Accountability Act (HIPAA), which typically translates to it being at the top of lists of auditors' findings. Moreover, most business partners today want to know that there are sufficient controls placed on privileged accounts as part of their SAS 70 reviews.

Given the clear sensitivity and importance of privileged access, it's imperative that organizations adopt a circumspect approach that enables passwords to be issued for limited periods of use in order to reduce potential exposure.

3. Automate remediation
Today's largest enterprises must contend with tens of thousands of employees accessing hundreds of systems, resulting in a cacophony of controls that audit groups can't possibly hope to manage. It's simply too big of a job for humans to address in a limited number of hours per day. That's where an automated identity analytics solution can help.

By setting up a workflow-based system that can automate the simpler remediation, auditors can instead focus their efforts on the findings that pose the greatest risk. Even then, however, exceptions must be accommodated; for instance, in those moments when emergency privileged access must be granted, it's critical that the system be able to automatically undo that privileged access once the emergency has abated.

4. Reduce the potential for audit violations
As much as it may sound like advice from Yogi Berra, the best way to prevent audit violations is to stop them from happening. The easiest way to do that is to perform the proper due diligence when access is being requested. That's the time when an enterprise needs to check for any common audit problems so that they can be addressed prior to a violation occurring.

When a user requests access that could be considered excessive, if the organization has adopted a system that flags that access, it can automatically collaborate with a business owner to approve or deny the request. Similarly, if a request for access results in a violation of either the segregation of duties or the rule of least privilege, then the system can flag this and provide visibility into the potential risk introduced by the request.

5. Take a platform approach to identity management
Merely having identity analytics technology in place doesn't guarantee that an organization will meet its compliance objectives. But for those enterprises wanting to increase their compliance success rate, having an identity analytics module that's part of a larger identity management platform greatly improves the odds. Like many other categories of software, identity analytics - and compliance in general - benefits from the tight integration of a platform approach.

This truism was further validated by a recent Aberdeen Group study in which companies that adopted fragmented identity and access systems were compared with those that acquired integrated systems from a single vendor. The findings? The companies that adopted pre-integrated systems experienced 35 percent fewer audit violations and reduced their identity analytics costs by 48 percent. They also reported improved end-user productivity, reduced risk and enhanced agility.

Conclusion
It's clear that the growing complexity organizations face has upped the ante when it comes to compliance with identity access controls. That increasingly complex landscape calls for better tools that enable enterprises not only to effectively administer access to applications and systems, but also to understand how they're managing that access.

Automation is the key to increasing the effectiveness and reducing the cost of compliance. Automation streamlines compliance-related processes, reducing the need for resources while at the same time lowering the risk of manual error that can lead to audit failure. More important, automation makes it possible to create sustainable, repeatable audit processes that enable the enterprise to address compliance in an ongoing manner without starting from scratch to address every new regulation or prepare for every audit.

A software solution, such as identity analytics, that automates access control can play a critical role in achieving effective compliance and lowering the related costs. In these turbulent economic times, organizations can't afford to ignore this increasingly important - and complex - part of their security paradigm.

More Stories By Vadim Lander

Vadim Lander is Oracle's Chief Identity Strategist responsible for direction and architecture of Oracle's Identity Management portfolio. He has more than 20 years of experience in the IT industry. Previous to Oracle, he served as Senior Vice President and Chief Security Architect at CA, where he advised the company on key technology trends and helped guide its strategic direction in security management. Vadim joined CA in 2004 with its acquisition of Netegrity, where he was CTO and was instrumental in the definition and development of the company’s identity and access management products.

Vadim holds a BS in computer science from Northeastern University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
We have Continuous Integration and we have Continuous Deployment, but what’s continuous across all of what we do is people. Even when tasks are automated, someone wrote the automation. So, Jayne Groll evangelizes about Continuous Everyone. Jayne is the CEO of the DevOps Institute and the author of Agile Service Management Guide. She talked about Continuous Everyone at the 2016 All Day DevOps conference. She describes it as "about people, culture, and collaboration mapped into your value streams....
In our first installment of this blog series, we went over the different types of applications migrated to the cloud and the benefits IT organizations hope to achieve by moving applications to the cloud. Unfortunately, IT can’t just press a button or even whip up a few lines of code to move applications to the cloud. Like any strategic move by IT, a cloud migration requires advanced planning.
Did you know that you can develop for mainframes in Java? Or that the testing and deployment can be automated across mobile to mainframe? In his session and demo at @DevOpsSummit at 21st Cloud Expo, Dana Boudreau, a Senior Director at CA Technologies, will discuss how increasingly teams are developing with agile methodologies, using modern development environments, and automating testing and deployments, mobile to mainframe.
“Why didn’t testing catch this” must become “How did this make it to testing?” Traditional quality teams are the crutch and excuse keeping organizations from making the necessary investment in people, process, and technology to accelerate test automation. Just like societies that did not build waterways because the labor to keep carrying the water was so cheap, we have created disincentives to automate. In her session at @DevOpsSummit at 20th Cloud Expo, Anne Hungate, President of Daring System...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory?
Most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes a lot of work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reduction in cost ...
Docker is on a roll. In the last few years, this container management service has become immensely popular in development, especially given the great fit with agile-based projects and continuous delivery. In this article, I want to take a brief look at how you can use Docker to accelerate and streamline the software development lifecycle (SDLC) process.
@DevOpsSummit at Cloud Expo taking place Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center, Santa Clara, CA, is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is ...
Cloud adoption is often driven by a desire to increase efficiency, boost agility and save money. All too often, however, the reality involves unpredictable cost spikes and lack of oversight due to resource limitations. In his session at 20th Cloud Expo, Joe Kinsella, CTO and Founder of CloudHealth Technologies, tackled the question: “How do you build a fully optimized cloud?” He will examine: Why TCO is critical to achieving cloud success – and why attendees should be thinking holistically ab...
DevOps is good for organizations. According to the soon to be released State of DevOps Report high-performing IT organizations are 2X more likely to exceed profitability, market share, and productivity goals. But how do they do it? How do they use DevOps to drive value and differentiate their companies? We recently sat down with Nicole Forsgren, CEO and Chief Scientist at DORA (DevOps Research and Assessment) and lead investigator for the State of DevOps Report, to discuss the role of measure...
While some vendors scramble to create and sell you a fancy solution for monitoring your spanking new Amazon Lambdas, hear how you can do it on the cheap using just built-in Java APIs yourself. By exploiting a little-known fact that Lambdas aren’t exactly single-threaded, you can effectively identify hot spots in your serverless code. In his session at @DevOpsSummit at 21st Cloud Expo, Dave Martin, Product owner at CA Technologies, will give a live demonstration and code walkthrough, showing how ...
If you are part of the cloud development community, you certainly know about “serverless computing”, almost a misnomer. Because it implies there are no servers which is untrue. However the servers are hidden from the developers. This model eliminates operational complexity and increases developer productivity. We came from monolithic computing to client-server to services to microservices to serverless model. In other words, our systems have slowly “dissolved” from monolithic to function-by-func...
In his session at 20th Cloud Expo, Scott Davis, CTO of Embotics, discussed how automation can provide the dynamic management required to cost-effectively deliver microservices and container solutions at scale. He also discussed how flexible automation is the key to effectively bridging and seamlessly coordinating both IT and developer needs for component orchestration across disparate clouds – an increasingly important requirement at today’s multi-cloud enterprise.
IT organizations are moving to the cloud in hopes to approve efficiency, increase agility and save money. Migrating workloads might seem like a simple task, but what many businesses don’t realize is that application migration criteria differs across organizations, making it difficult for architects to arrive at an accurate TCO number. In his session at 21st Cloud Expo, Joe Kinsella, CTO of CloudHealth Technologies, will offer a systematic approach to understanding the TCO of a cloud application...
Many organizations are now looking to DevOps maturity models to gauge their DevOps adoption and compare their maturity to their peers. However, as enterprise organizations rush to adopt DevOps, moving past experimentation to embrace it at scale, they are in danger of falling into the trap that they have fallen into time and time again. Unfortunately, we've seen this movie before, and we know how it ends: badly.
API Security has finally entered our security zeitgeist. OWASP Top 10 2017 - RC1 recognized API Security as a first class citizen by adding it as number 10, or A-10 on its list of web application vulnerabilities. We believe this is just the start. The attack surface area offered by API is orders or magnitude larger than any other attack surface area. Consider the fact the APIs expose cloud services, internal databases, application and even legacy mainframes over the internet. What could go wrong...
With Cloud Foundry you can easily deploy and use apps utilizing websocket technology, but not everybody realizes that scaling them out is not that trivial. In his session at 21st Cloud Expo, Roman Swoszowski, CTO and VP, Cloud Foundry Services, at Grape Up, will show you an example of how to deal with this issue. He will demonstrate a cloud-native Spring Boot app running in Cloud Foundry and communicating with clients over websocket protocol that can be easily scaled horizontally and coordinate...
In his session at 20th Cloud Expo, Chris Carter, CEO of Approyo, discussed the basic set up and solution for an SAP solution in the cloud and what it means to the viability of your company. Chris Carter is CEO of Approyo. He works with business around the globe, to assist them in their journey to the usage of Big Data in the forms of Hadoop (Cloudera and Hortonwork's) and SAP HANA. At Approyo, we support firms who are looking for knowledge to grow through current business process, where even 1%...
The goal of Continuous Testing is to shift testing left to find defects earlier and release software faster. This can be achieved by integrating a set of open source functional and performance testing tools in the early stages of your software delivery lifecycle. There is one process that binds all application delivery stages together into one well-orchestrated machine: Continuous Testing. Continuous Testing is the conveyer belt between the Software Factory and production stages. Artifacts are m...
From manual human effort the world is slowly paving its way to a new space where most process are getting replaced with tools and systems to improve efficiency and bring down operational costs. Automation is the next big thing and low code platforms are fueling it in a significant way. The Automation era is here. We are in the fast pace of replacing manual human efforts with machines and processes. In the world of Information Technology too, we are linking disparate systems, softwares and tool...