Webinar Recording

Understand Your Access Risks - Gain Insight Now


KuppingerCole Webinar recording

So good afternoon, ladies and gentlemen, welcome to our webinar: Understand Your Access Risks, Gain Insight Now. Access intelligence, enabling insight at any time, not one year later when re-certifying again. This webinar is supported by Courion. The speakers today: my name is Matthias Reinwarth, I am Senior Analyst at KuppingerCole, and in the second part Kurt Johnson, Vice President of Strategy and Corporate Development at Courion, will join us. Before we start, some housekeeping and of course some general information about KuppingerCole. As an analyst company, we are providing enterprise IT research, advisory services, decision support, and networking for IT professionals. We do this through our research services, where we provide several types of documents, including our Leadership Compass documents comparing market segments, advisory notes looking at various topics, vendor reports, executive views, et cetera; through our advisory services, where we provide advisory to end-user organizations and vendors; and through our events like webinars or seminars, with the main event being the EIC, the European Identity and Cloud Conference. The next EIC will be held in Munich from the 5th to the 8th of May.
And we think it is a must-attend event. You shouldn't miss the EIC 2015 with its large number of speakers and sessions in the areas of digital identity, cloud, management and GRC. Please consider having a look at our agenda for this upcoming event using the given URL. The guidelines for this webinar: the participants are muted centrally, so you don't have to take care of this. We are recording the webinar, and the recording and the slides will go online on our website tomorrow. There will be a Q&A session at the end of the webinar, but you can enter your questions during the presentations at any time using the questions panel on the right side of the GoToWebinar software. And please do so, so that we can start the Q&A session right away with a good set of your questions.
The agenda consists of three parts. The first part will be my analyst view and introduction into the area of access intelligence in the context of access governance and real-time security intelligence. Then Kurt Johnson from Courion will take over and talk about going beyond standard access governance, from Courion's experience and expertise. And the third part will be the Q&A session, as already mentioned. So now let's start with our first part, and let's start with access governance as it is usually deployed within organizations. It is not a surprise: access governance has already arrived in corporate IT. It has been around for some 10 years now, and all the major companies, especially those with special regulatory requirements, use it. They complement identity management and access management with access governance, and they do it for the main reasons of providing governance to achieve compliance with the regulatory requirements, and of mitigating the access-related risks.
The drivers and stakeholders for access governance are more than just IT. They are almost anybody within the company and everybody who is connected to the company. This includes the employees, be they internal or external, or vendors and partners communicating with the organization. Of course the customers, who want to make sure that their data is protected when it is stored within a company. Of course the management: actually, they pay for that and they want to earn money with that. And especially also in the EU, the workers' councils are strong stakeholders within an organization and the way it handles data. The drivers for access governance are the usual requirements as they are imposed on organizations: for example the data protection laws, which make sure that the data is only handled in the way that it should be; audit, both internal and external; the corporate policies, which are important because the companies decide themselves what they want to have, what kind of rules they want to impose on their data usage; of course the regulatory requirements, especially for financial institutions or for institutions handling medical data; and more and more also best practice is coming into view at that point, for making sure that access governance is done in a way that makes sense.
Why do we do it? It's actually something that all of us already know, but it has to be made sure that we know what we're doing this for. It's of course to prevent access-related threats. So if somebody has legitimate access, he is able to execute actions which are not wanted, or are even criminal, or actually do harm to a company or an organization. This includes illegal transactions and fraud, which is the criminal part of illegal transactions, and information leakage: everybody has heard the news in recent weeks about what can happen to a company, and this also includes reputational damage. In the case that I'm talking about, of course, it was an external attack which made this information leakage possible and public. At that point, we want to prevent loss, and we want to make sure that the data we store is unchanged. So we want to prevent changes to the data.
Usually companies for that reason create an access governance system, which collects information from various systems. They include information about roles and entitlements; they include the identities from the several identity management systems, or, if they're lucky, just from one if there's only one; the policies; and the systems and applications. All this information comes into a system, the so-called access data warehouse, where we collect all assigned access information from many systems in one place. We add some role management, which makes sure that we have one overall role model which is used for assigning access and entitlements to users. We add an access request management system, which defines the processes to request and approve access. Once it is approved, it has to be made sure that the access is also recertified, and this is usually done on a scheduled plan. So once a year or twice a year is the usual recertification schedule that is in place in many companies.
Once this information is available in the access warehouse, then of course we also can make sure that we check whether there are violations of the segregation of duties requirements. So we have SoD management and enforcement. And one important part is: once we detect that there are violations, we have to make sure that this is also directly changed in the system again. So we need integrated provisioning for removing unwanted access, be it from access not being re-certified or from violations against the SoD rules. Some questions at that point, since maybe we can improve these processes, this classic access governance system. First of all: is it enough to be compliant once a year for every single access? Is this the way that we want to go, every single access, even if it is not that important, and the important ones also just once a year? Why not always be compliant?
Why don't we want to make sure that audit can come at any time and check? So wouldn't it be great to be permanently prepared for audit? So I'm now focusing on two main aspects. First of all, the risk aspect: why not treat high-risk access differently from low-risk access? And the second part will be: why not apply continuous analysis to access data and real-time activity data? Because we usually have access to this data; we just have to make sure that it's fed into the right system, that the right mechanisms are used to make sure we understand what is happening in our systems. First, the risk aspect. As mentioned, access risk is not an IT thing. This is most important, because inappropriate access is directly connected to business risk, and business risk is the classic threefold thing called strategic risks, operational risks, and reputational risks.
Of course IT has to make sure that policies are followed and changes are executed as defined in the underlying processes, but it's not only an IT thing. Business risks require business expertise. And this includes also their expertise for approval, re-certification and termination: to allow people to have a right, to again allow them to have a right, and to revoke the right if it is not necessary anymore, or if it is in violation of SoDs. So what I want to look at just shortly, because I know that Kurt will look into this in more detail, is how to assess risks. At that point, we want to make sure that there are risk categories. We understand that a risk can be high risk or low risk, or access can be high risk or low risk. And we want to identify the risk probabilities: how probable is it for a risk to actually happen as a threat to an organization?
So on this graphic to the right, we have on the X axis the probability of occurrence and on the Y axis the risk level. So we understand that the things we have to look at first would be the ones in the right upper corner, the red ones, because they are of high risk and they are highly probable. So these are the ones to prevent first. Not that we don't prevent the others, but this is the main focus. And on the high-risk access there should be some actions already taken. For example, we have to make sure that these access rights are re-certified more often and that there are stronger approval processes, maybe a four-eyes or six-eyes principle in place, to make sure that this access is applied only to people who really need it. And in general, if we make these changes to the risk assessment, we will get to an increase in the overall governance quality, because we focus on what's really important.
The second part is the real-time analysis. So what we are trying to focus on is adding real-time analysis to access governance. So we want to have access to near real-time data (it's 2014, that should be possible) and apply rules and patterns for the access analytics. So we have to define the rules, and we actually have to apply them to understand what is actually happening. So it's a mixture of access data, of what is happening right now, and the real-time access. We want to make sure that we can do ad hoc analysis, that we understand what is happening just right now. If management comes and says: hey, what is happening in this system? We should be able to tell them. And dynamically triggered recertification is what I mentioned before, on the last slide: we have to understand that if a right changes and it changes the risk, or if there is in general a movement within the associated risk, we want to make sure that there is immediately a recertification in place, not when it is scheduled.
Because it's important to re-certify it now. So we have immediate, actionable and targeted results. Immediate means now, actionable means we know what to do, and targeted means we know where to check. So we add two more boxes to our access governance picture. Here we add access analytics and access intelligence, so we want to make sure that we have these mechanisms in place. We add access risk management, and both together, with the added information about real-time activities, lead to the possibility that we have notifications, for example for IT, but also for business, to make sure that it's understood that there's something happening at the moment which should not be the case. We can give an overview of the overall access through dashboards for management, for people being in charge, for understanding what's happening on the systems. We have actionable results, and we have the focus on the high-risk access at first. So access intelligence is what we added in red. So we have a new quality of information within the access governance system.
So to sum it up: we have continuous analytics and automation. We have permanent monitoring of access and activities, which makes sure that we have a continuous analysis instead of the scheduled reports. Scheduled reports are fine; they should not be omitted through that, but continuous analysis adds another quality to that. So we get proactive instead of reactive. We have automated risk scoring, which makes sure that we have a rule-based risk assessment on the fly. And we understand what is to be recertified immediately. And we can understand which person, which login ID, has accumulated access, for example, which would be a result of a well-defined analysis rule. And the third part is something that sometimes has a bad connotation, but is required for organizations handling important data, financial data, medical data. We have to make sure that there's user activity monitoring, that there is a constant scan, at least on an overview level, for deviations from expected user behavior.
If there's one person, one login, in a team which does something completely different or more often than others, this should be something at least to have a look at. It might be okay, but it has to be checked. So we have to apply policies and controls continuously, and once something is at least suspicious, make sure that immediate notification is taking place, and if necessary, remediation is done as well. Of course the question is where we should place access intelligence in the organization. And actually I mentioned it before: it's a thing that has to happen both in the business, because they know what is going on from the business side of things, they know how to re-certify business access, and they know and understand if there is an outlier with a substantial access deviation, whether it is fine or whether it's not, and they can check and remediate SoD violations because they understand business.
And we have to have the IT team on board as well: the application owners, the service owners, who have instant controls for detecting breaches, for example in the provisioning processes, IT accounts coming into existence without being provisioned through the usual process, because they do it directly in the end system. This is something that should be prevented, detected and avoided. So revocation of abandoned or generic accounts is something that is very important. So, oops, this was too fast, sorry for that. So we have to make sure that abandoned accounts, accounts which are no longer used or have no business owner associated with them, are removed, and we have to make sure that no generic accounts are in place, accounts which have no owner at all.
As a short look at a rather new development that we have observed: it is something quite similar to what we see in access governance and access intelligence at the moment, because there is a service coming up from several vendors; they're moving towards integrated methods for real-time security intelligence. And this is achieved by combining various technologies and services. The main part is big data analytics. This is the reason why it's in the middle and it's red. This is software which is able to handle lots of information, and we are talking about access information for a security system, for an overall information security system for a big organization. And we feed into these systems the necessary data, which includes real-time activity data and, in comparison to that, historical data, which makes sure that we can compare whether the access which is happening right now is legitimate or not.
And we add existing data sources, for example from existing SIEM systems. The interesting part is that we add services as well, and services include real-time security information services that provide up-to-date information about, for example, newly detected security challenges, the zero-day things that we read in the news every day, so that this information is fed into our big data system as well and we understand that we are actually subject to this threat at the moment. We add real-time rules and patterns for analytics, and this is something that could be a service provided by a vendor, on a subscription basis for the end-user company. And as the last service, it could be people doing this analysis or the configuration of this big data analytics system. So we have also people on site who make sure that the rules and policies applied are accurate and current.
So the last part is the IT GRC solution, which actually is the front end for the team which is checking the information coming from this real-time security intelligence system, so that we make sure that information gets to the right places again, through visualization and dashboards and notifications. So real-time security intelligence is quite similar to what we see in access intelligence as well. Or, to put it the other way around, access intelligence can be looked at as a subset of the generic real-time security intelligence concepts. And with this short look at the bigger picture of real-time security intelligence, I want to hand over to Kurt of Courion, who will tell us in more detail how these real-time analytics and the risk-based approach are applied to access data and activities. And I'm looking forward to that.
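The risk quadrant, the dynamically triggered recertification and the accumulated-access rule from this first part, as an added example in Python (not code from the webinar, KuppingerCole or Courion); the recertification intervals, approval counts, peer threshold and sample identities are assumptions:

```python
"""Risk-quadrant recertification and accumulated-access analytics.
Added example, not code from the webinar, KuppingerCole or Courion. Intervals,
approval counts, the peer threshold and the sample data are assumptions.
"""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from statistics import median

HIGH, LOW = "high", "low"
RANK = {LOW: 0, HIGH: 1}
# Recertification interval per (risk level, probability) quadrant; the red
# upper-right quadrant is reviewed most often. Approvals: 3 = six-eyes,
# 2 = four-eyes, 1 = line manager only.
RECERT_INTERVAL = {(HIGH, HIGH): timedelta(days=30), (HIGH, LOW): timedelta(days=90),
                   (LOW, HIGH): timedelta(days=180), (LOW, LOW): timedelta(days=365)}
APPROVALS_REQUIRED = {(HIGH, HIGH): 3, (HIGH, LOW): 2, (LOW, HIGH): 2, (LOW, LOW): 1}

@dataclass(frozen=True)
class Entitlement:
    name: str
    risk_level: str                          # HIGH or LOW, set by the business owner
    conflicts_with: frozenset = frozenset()  # SoD: entitlements that must not be co-held

@dataclass
class Identity:
    login: str
    role: str
    external: bool
    entitlements: dict = field(default_factory=dict)    # name -> Entitlement
    last_certified: dict = field(default_factory=dict)  # name -> date

def quadrant(identity, ent):
    """(risk level, probability): probability is high for external identities and
    for an entitlement in SoD conflict with another one the same identity holds."""
    conflict = ent.conflicts_with & set(identity.entitlements)
    return (ent.risk_level, HIGH if identity.external or conflict else LOW)

def scheduled_recertifications(identities, today):
    """Assignments whose quadrant interval has elapsed since the last certification."""
    due = []
    for idn in identities:
        for name, ent in idn.entitlements.items():
            q = quadrant(idn, ent)
            if today - idn.last_certified[name] >= RECERT_INTERVAL[q]:
                due.append((idn.login, name, q, APPROVALS_REQUIRED[q]))
    return due

def triggered_recertifications(before, after):
    """Dynamic trigger: an existing assignment whose risk or probability moved up
    (job change, new SoD conflict) is re-certified now, not at the next run."""
    out = []
    for name, ent in after.entitlements.items():
        if name not in before.entitlements:
            continue  # brand-new access goes through request approval instead
        old, new = quadrant(before, ent), quadrant(after, ent)
        if RANK[new[0]] > RANK[old[0]] or RANK[new[1]] > RANK[old[1]]:
            out.append((after.login, name, old, new))
    return out

def accumulated_access(identities, factor=2.0):
    """Logins holding more than `factor` times the median entitlement count of
    their role peers (and at least two more): the accumulated-access rule."""
    by_role = {}
    for idn in identities:
        by_role.setdefault(idn.role, []).append(idn)
    flagged = []
    for role, members in by_role.items():
        med = median(len(m.entitlements) for m in members)
        for m in members:
            n = len(m.entitlements)
            if n > factor * med and n >= med + 2:
                flagged.append((m.login, role, n, med))
    return flagged

def run_demo(today=date(2014, 10, 1)):
    """Constructed access-warehouse content (an assumption, not real data)."""
    pay_create = Entitlement("payments.create", HIGH, frozenset({"payments.approve"}))
    pay_approve = Entitlement("payments.approve", HIGH, frozenset({"payments.create"}))
    reports, wiki = Entitlement("reports.read", LOW), Entitlement("wiki.edit", LOW)
    hr_read = Entitlement("hr.read", HIGH)
    def ident(login, role, external, ents, certified):
        return Identity(login, role, external, {e.name: e for e in ents},
                        {e.name: certified for e in ents})
    people = [
        ident("alice", "clerk", False, [pay_create, reports], date(2014, 1, 10)),
        ident("bob", "clerk", False, [pay_create, pay_approve, reports, wiki, hr_read],
              date(2014, 1, 10)),
        ident("carol", "clerk", False, [reports, wiki], date(2014, 1, 10)),
        ident("dave", "clerk", True, [reports], date(2014, 9, 1)),
        ident("erin", "clerk", False, [reports], date(2014, 1, 10)),
    ]
    # Alice is converted to an external contractor: her probability moves up.
    alice_after = replace(people[0], external=True)
    return {
        "scheduled": scheduled_recertifications(people, today),
        "triggered": triggered_recertifications(people[0], alice_after),
        "accumulated": accumulated_access(people),
    }
```

Bob's two payment entitlements form an SoD conflict, so they land in the red quadrant with a 30-day cycle and six-eyes approval, and his five entitlements against a peer median of two trip the accumulated-access rule.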
Okay, so thanks. As Matthias kind of pointed out, you know, the need and the gap in traditional governance, I really want to explore that further and dive into more detail about how organizations can extend their existing identity and access management and governance capabilities by adding many of the things that Matthias had talked through. Before I get started, I just wanted to give you a quick overview on who Courion is. Our mission is about helping customers succeed in this world of open access and increasing threats. And really what I mean by that is that there's a business requirement today for organizations to provide access to a broader and richer set of data, more than ever before, and the business requirement to get this data in the hands of their employees, of their contractors, but also potentially even their customers, through a widening variety of devices, and the significant business benefits that this offers. At the same time, we recognize that providing this access comes with associated risk, and how can we balance that need of providing this access with, at the same time, protecting our organizations?
And so it really is the business need today to ensure that we're providing the right people with the right access to the right variety of resources, information, and data, and that they're doing the right things with it. Courion has been around for a number of years. We provide identity and access management software solutions, traditionally around automating user provisioning, also automating the identity governance and the policies and the access certification process. But recently we've added to our suite a continuous monitoring and identity analytics capability, as we saw it as necessary to provide our customers with this kind of capability. And if you look at it, providing the right people with the right access to the right resources and doing the right things with that access sounds fairly straightforward and simple, but we know in reality it's a very complex thing, because there are so many stresses and strains of dealing with access on a day-to-day basis.
You know, we have those routine changes, the hiring, the transfers, the promotions, the terminations that require us to turn access on, to modify access and to turn access off. That takes on a multiplicative effect where we've got significant volume of this when we have things such as business changes, including mergers and acquisitions or divestitures or layoffs, when at any given moment we might have to turn on thousands of accounts or turn off thousands of accounts; geographic expansion into new countries; signing on a new partner that we need to provide access to. Volumes, and significant volumes of access, have been a significant administrative burden to many organizations. And then on top of that, we've also got infrastructure changes. We're rolling out more mobile devices that need to provide access to this data. We might be moving from a legacy on-premise application to a new cloud-based application, and we need to provide end users access to that.
And again, turning on thousands of accounts on one system, turning off thousands of accounts on another system: all of these types of changes just demonstrate how complex it is, and that access is an ever-changing thing within our organizations. The first foray and venture into identity and access management was aimed heavily at making lives easier for the administrators, because this was such a manual process, such an inefficient process; it took days or weeks to get people the access, and it may never have actually been turned off. That automation was a significant benefit to ease that efficiency. And so as we started down the road of identity and access management, dealing with these problems, all of a sudden we were introduced to the new stresses and strains that came as a result of audit. And I challenge anybody to see any duplication of any regulation on this slide.
And it's just a snapshot of the wide variety of different regulations our organizations are being forced to deal with, whether they be very specific country privacy laws, whether they be associated with things such as Sarbanes-Oxley, or HIPAA and healthcare in the States, dealing with things like PCI for cardholder information. One of the common threads and consistencies across these regulations is the need for organizations to demonstrate controls, what they have in place to ensure that the right access is in the hands of the right people. So what controls do they have in place to make sure that that access is appropriate? And it really introduced the whole concept of access certification reviews. And as Matthias pointed out, there was this need to check these things on a periodic basis and make sure the business managers, because it's not an IT thing, that of owning access, that the business managers could formally sign off and certify that the access they were providing in their organizations was appropriate to the users who had access to that.
And really, if we look at these pieces, the provisioning and the governance, they really were the controls we had in place for making sure that the right people had the right access. And as I mentioned before, provisioning was all about turning on access, changing access, and turning access off, and automating that could ensure that these processes and policies were being followed. But if you look behind the scenes, the primary control in place is really an approval. And as long as some manager signed off and approved the fact that that user should get access, then we were pretty comfortable in setting that access up. But as audit came in looking at these controls, this wasn't enough, and they really wanted to see what governance and reviews were in place. And as I mentioned, the periodic certification review was introduced. And at the same time, that as well relied on an approval or a certification.
And again, as long as the manager signed off saying, yes, Kurt's access is appropriate for his job function, then audit was relatively happy and said, okay, that's fine, if there's a manager assertion that that is close. But if we really think about it, what this relies upon is the fact that managers are carefully looking through everything and approving only the access requests that are appropriate. And most of the time we're making them approve everything, so their inbox can be just loaded with numerous different approval requests. And at the same time, when we're doing an access certification review, the concept is to look through all those users' access and see if that access is appropriate. And I'm sure we're all a hundred percent confident that our managers are taking the time and diligence and effort of carefully reviewing each and every one of those line items and ensuring the fact that we don't have just rubber stamping going on.
I mean, we're all confident in that, right? Well, in reality, we know darn well that managers may very well not be doing that. And we've seen cases where we had one customer of ours where they looked and saw that a manager went through their access certification review of over a hundred people in under three minutes. And at Courion, once we introduced our access certification product, the first request we got from end users and our customers was: can you add a check-all box to approve everything? Because we know managers are just going through this. And if these are the controls we have in place, what is the risk to our organization? And the risk is increasing. This data is from the 2014 Verizon Data Breach report, when they peeled the onion back and looked at the actual ways that hackers breached this data.
The number one form of hacking was the use of stolen credentials. Over 50% of the hacking breaches leveraged stolen credentials as the source to gain access to that data, significantly higher than number two, which was backdoors or command and control. And not only is there a significant gap between one and two, but the use of stolen credentials has been rising significantly and faster every year. The other concerning detail from the Verizon data breach report happened to look at how long it actually takes for a hack to occur. And this red line is the percent of the total breaches where the time to compromise by a hacker was days or less. And as you can see, in almost 95% of the cases, hackers were able to get in and steal the data in days, minutes or less. Yet the blue line there, the time for our organization to actually discover that the breach occurred: in less than a quarter of the cases was that able to be done in days or less.
And in over 60% of the cases, it was months or even years before that was detected. And in over 90% of the cases, it was not even detected by the organization itself; it was detected by law enforcement, the customers themselves, or some other outside force. So this gap is widening. And if we have more and more breaches taking place quicker and quicker, we've got more breaches in total, yet this gap is widening; it's a serious concern to our organizations. And if the number one cause of breaches is coming from the use of stolen credentials, do we really feel confident, comfortable in the fact that reviewing access once or twice a year is going to be appropriate? This is the Lockheed Martin threat kill chain here, and it looks at the life cycle of the typical breaches. And many of them follow this type of pattern, where it starts off with some phishing attempt and some malware being introduced into the organization.
And from that malware, it launches the ability of taking control of the system and command of the system to actually infiltrate the organization. And then where the P in APT comes in, the persistence of advanced persistent threats, is the lateral movement. The hackers take their time to look through the organization to identify prime targets and data, to then access those targets, and then, once doing so, elevating privileges to give them the ability of packaging up that information, exfiltrating that data and stealing it. And we've got controls and systems and tools in place to look at those early stages. Can we look for malware? Can we try to detect when somebody's trying to enter our systems? And we've also spent a good deal of time and technology on things looking at identifying if something's being packaged up and being sent out of our organization, such as DLP, data loss prevention, and security incident and event management.
Yet we've spent very little time and attention focused on this core area where the lateral movement and the accessing of targets occurs. And this again is where we might see somebody's access that is inappropriate, or them doing different things in activity that looks malicious in the organization. Yet we're not looking at these things on a continuous basis. So understanding this really puts the spotlight on risk. We have vulnerabilities and threats to the organization coming from stolen credentials, coming from people misusing, elevating privileges. Yet we've been content to look at this once or twice a year in response to audit. Clearly we have to change our mindset and thinking and evolve our identity and access management programs to do this. We're not there yet. Courion sponsored a survey where we looked out and asked over a thousand organizations about their identity and access management processes.
And one question we asked is: does your organization have the ability to detect if access credentials are misused? And as you can see, in less than 30% of the cases, only 29% of the respondents, agreed with that statement. In addition to that, you also can see that 42% actually disagreed with that statement, and another 30%, or 29%, didn't know. So we don't have a lot of visibility into what's going on. And the other interesting part from the data was we asked what are the things that are of most concern to you, and some of the highest levels of risk in the organization, and what jumped out significantly were those privileged accounts, accounts with increased levels of permissions that provided elevated access to these systems and data; unnecessary entitlements, where people had access that was outside of the scope of appropriateness or violated some policies such as segregation of duties; abandoned accounts, people that had accounts that were just left out and inactive for long periods of time; and also orphan accounts, accounts that existed for people who didn't even exist.
These were some of the key areas of concern for them. And yet again, how can we stay on top of this when we're relying on once- or twice-a-year access certification reviews? But we also need to understand that the systems themselves need to evolve above and beyond to truly address this. And it really is a big data issue. If you look at the traditional definition of big data, it's the three Vs: volume, lots of data; variety, lots of different types of that data; and velocity, that is changing rapidly and quickly across the organization. And I think that absolutely applies to the world of identity and access, where we've got identities, employees, contractors, business partners, and even customers, that might mean hundreds of thousands or even millions of potential identities, who they are, what they do, what role they play in the organization; hundreds of policies governing what people should or should not have access to in the organization; the resources, the applications, the data, the portals, the systems that people are accessing, what their access rights are and what they're entitled to do and what their entitlements are within those systems.
And then the activity itself: what are they doing, and does that activity follow patterns of normal behavior, or does it look like abnormal behavior or potentially malicious behavior? Pulling all of these different types of relationships of data together can potentially represent trillions of various relationships, clearly something that cannot be viewed with the human eye, clearly something that just can't be relied upon for two-dimensional reviews of people and their access. We need to be looking at this continuously to identify normal trends of behavior and quickly spot when activity or access is above and beyond what that normal is. This relies on and requires a sense of continuous monitoring with rich analytics in order to provide this information. CIO magazine recently had an article about how to present cybersecurity issues to the board, and their advice was to use stories and visual aids and simple language.
So in many ways they're telling us that, you know, presenting and communicating cybersecurity issues to our board is very much like talking to your five-year-old: lots of pictures, lots of good stories, and put it in language they understand. And so, understanding that we've got these trillions of potential relationships, when Courion introduced our Access Insight product, which was the continuous monitoring, analytic identity intelligence extension to our suite, we thought of just that: how do we put those in? And Matthias mentioned it before, you know, that risk is the risk level versus the probability of change. We use that same type of approach, where we look at that vertical axis being kind of the degree of risk and the horizontal axis being the potential of that, and again, spotting those things quickly and easily in the upper right-hand corner that present risk, and then giving them the ability of drilling down to see exactly what the sources of that risk are.
Be it elevated credentials or unnecessary access or orphaned accounts or privileged accounts. And from that, being able to drill down deeper to see, you know, for example, with abandoned accounts, how many days have these accounts been unused? How many of these accounts are out there? How many of these fit into various categories, such as privileged accounts that are not being used and abandoned in the organization? And also to provide instantly and easily a view into an individual's access, so you can see exactly what kind of access that individual has and where those privileges are coming from, even if they're from nested group levels three levels deep, so quickly spot these things and the sources of where this access is. And this screenshot here is actually an interactive ability to not only click on the users, but click on some of those groups and permissions to see everyone who has access to a potential privileged group, or why it's nested three levels deep.
And if we removed it, do we really remove that privileged access? Or is it also being associated through some other connection? Easy visualization, easy ability to see what's at fault, but also the notion that this is being looked at on a continuous basis in the organization. And some of the things that we're looking at are all about associating that risk. And we package this solution with content that our developers are working on to spot risks, such as weak credentials. And at the lowest level, you know, we find a system that has the default password in place; it's an aged password, it hasn't been changed in a long time. But when we find that that's occurring on a privileged system, well, that's a higher degree of risk. And if it's associated with a user that's no longer with the organization and is still having activity associated with it,
we can put this on the spectrum of what the risk and vulnerability to the organization truly is. Similarly for this privileged access: classifying and identifying, discovering the privileged accounts out there, being able to infer if accounts are privileged or people are having privileged access. And we see all these people that we infer have privileged access; they all have the role of IT administrator. Yet we see one person who's a sales manager with this privileged access. Why is that? Why does he not look like that peer group? We can start to monitor this assignment and make sure that privileged accounts are associated with active individuals, and even monitor the activity on those accounts to identify and spot threats as they occur. Similarly for policy violations, such as segregation of duty: understanding what the toxic combinations of access are, being able to spot this as soon as those accounts are created, but also monitor when they're happening outside of the provisioning system and review these types of things immediately when they're occurring, not later on in the year during a certification review. All of these are just examples of some of the things that are critical and correspond back to those survey results. Privileged users, the over-credentialing of users, the abandoned accounts and orphan accounts that exist in the organization are just a handful of some of that content that we can monitor and analyze on a continuous basis.
And a great case study that demonstrates this came from one of our customers that had been using Courion's provisioning and access certification products for years. And they went through their most recent audit for certification, and across 87 key risk applications and tens of thousands of accounts on each of those systems, found just five orphan accounts, accounts that didn't belong to people anymore. And they were deliriously happy: no audit findings, passed their audit, and literally had cause for celebration to see, of hundreds of thousands of accounts, so few not associated with individuals. They cleaned these accounts up and again, the auditors gave them glowing reports. When we went in with the risk analytics capability, it was somewhat telling in the fact that we identified that, you know, the systems that these orphan accounts existed on happened to be some of the highest risk applications to the organization: money transfer systems, wealth management systems, very sensitive data, very sensitive accounts to the organization. In scanning all those different accounts,
we identified all those accounts that had privileged, high-level, superuser type of access that essentially gave a user the rights to do almost anything in those accounts. And coincidentally, those five orphan accounts all had these highest levels of privileges associated with them. We also saw that the individuals that these accounts were created for were names that never existed in their human resources database. All of these accounts were created within a couple of hours of one another. They were created natively in the applications themselves and never went through the provisioning system, never had any approvals associated with them. And all of those accounts had a significant amount of user activity associated with them. So what turned out to be cause for celebration in their certification review process and audit was actually a major vulnerability: a former administrator, upon leaving the organization, went into the systems, created these accounts with high-level privileges,
and then, once leaving the organization, went back into these systems to do some very awful things. And so again, what looked like passing of the audit was indeed a significant vulnerability and threat to the organization, and put a whole new spotlight on exactly what this data was showing. Imagine, however, had they been using a continuous monitoring capability looking at this, and this is the concept of what we call intelligent governance, that all of a sudden a threat pops up, and looking at that threat, we see, hey, a new account was created outside of the provisioning system. Well, that in and of itself is a high-risk activity. But when we see it's associated with a high-risk application, it raises that threat level even higher. When we see that the account in question actually has a significant amount of entitlements and privileges associated with it, it's even higher risk.
And, oh, by the way, it's for an employee that we can't find anywhere in our HR system; that represents high risk and immediately pops up. All of a sudden another one occurs, and another. This can immediately trigger what we call a micro-certification, a real-time certification that goes to the business manager with this context associated with it, to say, hey Kurt, do you know who this employee is or what this account is? And here's the information behind it, which made us sense that this looked like a vulnerability or a risk, and have them take immediate action upon that as soon as it was identified. And obviously for a high-risk event like this, but also for things like segregation of duty conflicts or access that looks different than the peer group, all of these can provide a micro, immediate certification as opposed to waiting for the end-of-year certification review.
That's what we call intelligent governance. We can also bring this earlier in the process, into provisioning as well. Today the usual process is you get a request, and that request is routed to a manager for them to evaluate whether that request looks within policy or not. And they go off and can approve that and have that kick off the fulfillment of those accounts, or, if they reject it, prevent those accounts. But as we know, the most traditional process today is we send everything off for approval. And again, with this high volume of activities and requests going to a manager, it lends itself to the potential of rubber-stamping and not looking at this very carefully. But imagine if instead we get that request and the system itself evaluates the risk of that request. And, you know, we can put a risk score on it to say, hey, this looks like a low-risk event.
This activity or request is the same request that everybody in that peer group is requesting; why even send that off for approval? Just fulfill it, send it up, and notify the manager that it took place. But when we find a request that has a higher level of risk, higher-level privileges, higher-level application risk, then let's send that off for approval with context: hey, we're asking for your approval because Kurt is requesting something that looks different than the rest of the people in that job function. And then have the manager approve or reject that accordingly. But when we see something that tips the scale on risk, high-level privileges, a high level of risk associated with it, then we'll send that off to multiple approvers, again with that context, so they can know whether to fulfill this request or reject this request. And again, by giving them fewer things to review with more context, we have better assurance that what they're actually looking at, they're taking the time to do that appropriately.
And then we can bring this even to role mining, where traditional role mining is looking at all accounts and all users and trying to build roles based on that access. With intelligence and real-time monitoring, we can look at the activity associated with that. Are people really using those accounts, or are we just over-provisioning them? We can infer roles based on commonality of access and peer groups, and use all of these principles of the access they have, the entitlements they have and their job functions to infer and create virtual roles to make it easier for the organization. And this is what we mean by intelligence. And by providing this continuous monitoring and analytics, we can take all of these attacks that have deliberate intentions, or even inadvertent intentions, and, providing the provisioning controls, which are still important, setting it up, modifying it, disabling it, can reduce the amount of risk to our organization. Providing detective controls to do the governance certification reviews is still important to try to reduce that risk even further, provide information back and deprovision access that looks out of sync.
But when we can add the notion of continuous and deep analytics to this, we can reduce that threat vector even more so. And by immediately providing that information back to do micro-certifications to determine if that access is appropriate, even doing that at the point of the provisioning request, we can shrink the number of vulnerabilities and threats to our organization even more. And this is what we mean by having intelligent identity and access management: by adding continuous monitoring and analytics, to not only identify threats and risks to the organization, but as a feedback mechanism back to provisioning and back to governance to do that better. And by doing so, we can take ourselves to the next level. What started with provisioning led the first phase of identity and access management, based on hire, fire and relocation transactions, automating the passwords and the user provisioning. We could enforce policies and have a consistent process, but we were forced into a governance-led approach, with Courion adding certification reviews, making it a business-friendly experience that enabled us to better pass our audits and again, having the consistency of the process. But with the increase in threats and data online and number of users, we are moving into this intelligence-led generation, which is evolutionary in the sense that it provides better decision making in real time to know what is the request being made,
what is the event we've identified, and providing additional context to it that gives us the ability of being revolutionary, to see things that were impossible to see before through all of the data that we have available to us, to make better decisions and identify anomalies, you know, from normal, and even detecting what normal is. This is the area we need to move to. This is where we can get to, and really kind of, you know, playing off of what Matthias had mentioned before, we need to look at a lot of the rules and patterns for these things and move to a sense that we provide continuous monitoring, automating the analysis of the risk and adding the dimension of user activity to our analysis. So with that, I'll turn it back to Matthias to wrap up and to deal with some of the questions and answers that are coming in. Matthias.
Thank you very much, Kurt. That was very interesting, a great insight into your current experiences, and yes, we are now at the question and answers part. Once again, I would like to ask the participants: we have a few minutes left to go into some questions, so you might want to type the questions into the questions panel of the GoToWebinar software. And while the questions are coming in, I want to start with one. From your experience, Kurt, what is currently the main driver for actually adding this access intelligence to an existing IAM for your customers? What is actually making a company executive do this thing? Because the scheduled re-certification might be enough for audits. What is the initial event that makes the company realize, I need this additional level of access intelligence within my company?
Yeah, so, you know, we've really just started to see, since introducing this product and launching it late last year, a pretty significant increase in demand and the initial wave of customers implementing it. And the driver has come from primarily three areas. One is there are those advanced organizations that are really looking at this from the risk and threat level. You know, when we hear stories like Target being compromised because a contractor of theirs, a heating, ventilation and air conditioning partner, had access that was compromised to get access to their organization, there are some that just recognize they need more monitoring and more continuous analysis of this. And they say, you know what, the provisioning and certification are fine, but we've got no way of looking at this between certification reviews and understanding more of this, so they really are looking at it from that threat level.
In addition to that, the other driver is those who are really trying to figure out where to prioritize their identity and access management implementations. You know, the traditional way was, well, let's start with the accounts that we've got the most of. So let's automate the provisioning of Active Directory and email and maybe one core business application. But by looking and doing some of these scans first, we can quickly go in and scan to see where in the organization those vulnerabilities might be. For example, we did a scan for one organization and it identified the fact that there was a significant number of contractors that still had access, even though those people were no longer working within the organization. And this one organization had a process that every 90 days they would produce a report of contractors, send that off to the managers and say, who among these are no longer working with you? But clearly people were rubber-stamping and not doing it.
And it showed a bunch of contractor accounts that were still active with a significant amount of privileges. So what they started with, as opposed to just setting up AD for new hires, they started with contractors, to put an automatic expiration date into the provisioning process, to automatically notify managers when those accounts were being turned off, so they could either extend them or understand that they would be automatically turned off. So it was all about recognizing where in the organization they wanted to concentrate. And then the other driver that we hear a lot is: I just want to be better prepared for the audit. I've got so much data in my identity system on users and their access and their entitlements; I'm scared to death of the auditors finding something before us. And so really what they're doing is running these analytics to be much more prepared, to show exceptions from normal, to look at things like: here are people that have certified access for years, but those people haven't even logged into those accounts.
So why do you continue to certify accounts that your users haven't even been using? And providing that data back to them, saying, you know, this person hasn't logged onto this in over 300 days; do you really need them to have that access? As well as just digging deeper into it. We found one customer where we identified that help desk employees were getting a high level of privileged access. And it was because of a nested group three layers deep; the certification review was at that high-level group level and it showed the help desk group. And so of course all the managers were approving it, unknowing that it was providing deep privileged access that needed to be cleaned up. So it really is those types of things: give them more ability to be prepared, give them the ability of prioritizing their identity rollout, and then understanding the threats and vulnerabilities.
Great. Thank you. One other question has come in from the participants, more or less a technical question: what kind of infrastructure should be used for big data analytics of IAM data? Which probably also includes how many accounts and how many access rights are actually analyzed at that moment. But can you give a rough figure of what is needed to do such an analysis on a continuous basis?
Sure. Yeah. So, you know, when we introduced this new solution, we actually had to make some modifications to the architecture. And one of those is to have a data warehouse underneath that had the ability of pulling in and tracking large amounts of data. And then in addition to that, we actually licensed a business intelligence solution on top of it to provide the level of visualization necessary to categorize and identify and report on some of those risky events. And then in between that, what Courion has done is produce the content that we offer, you know, on a subscription basis that's continuously providing more and more packaged content to look for these things. But it really did require that ability of being able to pull and analyze and correlate significant amounts of data, with this packaged content that was looking for very specific things, building the trends, identifying patterns of normalcy, and then providing the rich visualization to make it easy for people to spot risk, and then give them the ability to drill down deeper. So, you know, a lot of identity and access management vendors are talking about intelligence and analytics as the popularity's increasing. But in many cases, that's nothing more than just richer reporting capability or doing advanced query searches. To really provide proactive trends and variances from normal requires true business intelligence with a data warehouse underneath it that has the content to understand what to look for and how to spot those vulnerabilities.
Okay, great. Thank you. Probably one last question, as we're getting close to the one hour limit. Yes. As an analyst, I think IAM and access governance is a constantly improving process within an organization, and it's moving towards a sustainable overall concept, getting more and more mature and all this kind of stuff. But can you see this in reality in your projects, that organizations really understand the core reasons behind the problems that you find within the organization and improve their processes? Is it something that is happening?
Yeah, absolutely. We're seeing it happen. And, you know, what's been interesting is that initially we thought this would just be at kind of those traditional industries that were at the cutting edge of new technology, you know, financial services, for example, where so much of the threats and the pieces have been part of their day-to-day security. But we're seeing this across a broad array of customers: a lot in retail, especially with a lot of the payment card breaches we've been seeing; manufacturing; healthcare, with more patient data. And, you know, one of the things that Courion's done is we've introduced into our sales process the notion of a quick scan, where we can come in in just a couple of hours and scan the environment and give people visibility into this.
And we've concentrated on things like the privileged accounts, the orphan accounts, the abandoned accounts and the over-credentialed accounts. And inevitably we give them real information to show what exactly is taking place and where that access is. And it helps them to put that business case together to then go and run this up and sell it to the board and higher levels of the organization. And, you know, I think it really does need to be that simple: that within a couple of hours we can give a good spotlight, and then understanding that this continuous look is important, it has been necessary. And then we can really point out things I mentioned before, like the contractor accounts, which are often very much over-privileged in their access, and just how many systems are still using those default passwords, which, you know, just demonstrates the potential and the vulnerability in the organization.
And then when we can start to look at the activity and see what people are doing, it's very eye-opening. So I think all of these things have really just brought, you know, people, especially a lot of the senior security people, to understand that. Yeah, we know there are some risks, but you know, we're trying to tackle all these different things. Giving some real view into that data has given people the ammunition they need to sell this in areas of the organization that might be skeptical and say, yeah, well, our managers are reviewing the access, we're fine; just to point out how much that's not the case. And, you know, we've even seen some that tell us, whatever you do, don't show our auditors this data; it's all about us being more prepared. In other cases, where we're talking to the audit side of the organization, they just can't wait to show this to the IT organization to kind of do the "told you so". So, you know, ideally that's not the relationship we want. It's really being better prepared and providing this insight. And we're seeing the initial stages of adoption and interest across a broad variety of industries.
Great. Thank you very much. So I think that's it for now. We are close to the one hour, or at least over it. Thank you very much, Kurt, for this talk and for the information. I really want to thank the participants of this webinar, and I would be happy to have you here again for another webinar in the future. Please switch on again, and maybe we can see you at the EIC or for a seminar, and that's it for today. Thank you very much. And goodbye.