I spent a week in Boston recently, attending Courion’s Converge conference. This was the 10th annual customer (existing and future customers) meeting the now venerable Identity Management company has produced and as always it provided a great way to see what the implementers - the enterprise IT and security folks - were doing, thinking and planning.
The first thing I noticed was the company’s new catchphrase, “See risk in a whole new way,” which alluded to their newest product, Access Insight which they dub as an “Access Intelligence Engine.” There were also two major takeaways (among many) for me from the conference – one from Courion CEO Chris Zannetos and one from the company’s clients.
Zannetos called the theft of credentialing data from RSA a “transforming event.” Here was the company which was supposedly known for its access control devices yielding to a low-level phishing attack! But that wasn’t the only one, as he also alluded to the exposure of thousands of user email addresses when Verizon’s marketing management company was hacked. Verizon, you may be aware, publishes the annual “Data Breach Investigations Report”!
But the takeaway, for me, from his keynote was one phrase: it’s about “managing risk, not preventing loss,” because it echoes what I said just weeks before the event: “The reality is that you need a three-pronged approach to protect your data, determine if it’s been leaked and react promptly, efficiently and appropriately when the leak occurs.”
I’m thrilled that vendors realize that simply trying to prevent information leakage is a no-win situation. Sooner or later, thru accident or mischievousness, information will leak so you’d best get started now on managing the risk and lessening the impact.
The second takeaway, and it’s related to breaches and risk management, came from questions from the audience after my panel appearance (“Managing access to the Cloud and in the Cloud”) and during a workshop on what drives security change in the enterprise. Almost all of the high level IT and Information Security (IS) people present said that they weren’t interested in discussing “best practices” because they didn’t have time to study, plan or implement them. Instead, their time was fully taken up with reacting to the auditors. The only priority that their management had was to pass the audit – security audit, compliance audit, what have you.
As Courion’s blogger put it in their wrap up of the conference: “Meanwhile, attacks on enterprise data stores are becoming more numerous, varied and sophisticated. You’re being pulled in different directions by business users demanding access; board members expecting perfect defenses; auditors scrutinizing policy compliance; and CFOs weighing the return on your technology investments.”
That’s no way to run a business.
On the other hand, it’s no way to run an audit agency, either.
I was told that the auditors have to find problems in order to justify their fees – and to minimize their loss when an untoward event occurs. Business managers need to have a “signed off” audit so that when the untoward event occurs they can say they’d covered all the relevant bases. So, who is stuck in the middle? That’s right, it’s IT.
My colleague, Martin Kuppinger, exposed this problem without getting to the underlying cause when he wrote:
“Identity & Access Management is a perfect example of what happens when IT departments approach a basic problem with a too narrow focus. In the end, they wind up having to broaden both their scope and their financial commitment. And often, they find themselves operating multiple parallel solutions that are hard or impossible to integrate.”The “narrow focus” of which he speaks is, too often, a bullet point from an audit report. Multiple bullet points mean “multiple parallel solutions” because business’ priority is to remove those bullets ASAP, or sooner.
One example I overheard was of a company that scheduled quarterly audits. To overcome one of the auditor’s findings – with the proper planning, testing and staged rollout – would take six months. The CIO told the auditor this. Yet three months later, the same “problem” was flagged again, along with others of course. The CIO reiterated that there was a plan in place. So the auditor flagged THAT as a problem (i.e., taking too long to implement!).
So our commitment to audits to find problems is driving the IT agenda, and not for the good. It many ways this is akin to the practice (often found in the US) of “teaching to the test” in our public schools. This means that teachers, rather than exposing their students to logical processes and rational thought about their subjects, spent much time drilling the student on specifics that will be asked on national standardized tests. It’s considered that while this might raise scores slightly on the tests, it does little to educate the students.
In the same way, what I’ll call “securing to the audit” might get you closer to passing the next audit (remember, the auditor will find something new so you can rarely pass completely) but it doesn’t necessarily make you more secure.
This confirms what I said about Data Loss Prevention (DLP) apps (“Preventing, or surviving, data leaks”) a few weeks ago: “So with so much DLP software available, why is there still a problem with data loss/leakage – and why are organizations seemingly so surprised when it occurs?” One reason is that the auditors (as was said about the French Generals in the 20th century) are always fighting the last war – closing the gaps that were most recently discovered and exploited. There’s no attempt on their part to find future problems – and they leave you no time to do this on your own.
We, and the entities we work for, need to take a different approach. We must switch from reactive mode to proactive mode in securing the organization and implementing good Identity and Access Management practices. We need to, as Courion says, “see risk in a whole new way” and implement apps that allow us to manage those risks, known and unknown, for the betterment of the enterprise.
KuppingerCole has done a number of reports that could be helpful in this area:
We will continue to fine tune advisory notes about risk management, governance and security through IAM, and I’ll let you know about them as they become available.