Welcome!

Industrial IoT Authors: Liz McMillan, JP Morgenthal, Elizabeth White, Pat Romanski, Scott Allen

Related Topics: Agile Computing, Java IoT, Industrial IoT, Microservices Expo, IoT User Interface, Recurring Revenue, Cloud Security

Agile Computing: Article

Five Steps Toward Achieving Better Compliance with Identity Analytics

Automation is the key to increasing the effectiveness and reducing the cost of compliance

Identity management just isn't what it used to be. Gone are the days when knowing who had access to what was simply enough. In today's world of increasing government and industry regulation; networked communications and collaboration; and pervasive mobility, the requirements have fundamentally changed. Effective identity management and access governance requires insight into not only what employees are doing with their access to systems and applications, but also how well an organization is managing and securing that access.

Such a comprehensive understanding of an organization's access matrix is essential to reducing the risks that employees, partners, customers, and even malicious third parties can introduce. It is also critical to efforts to comply with regulations that mandate access controls. In fact, without it companies have no way to provide meaningful evidence to auditors explaining how and why they assign access.

The need to perform the numerous complex tasks that comprise identity management - such as certifying access, enforcing security policy, and remediating policy violations - is compounded by the reliance on slow, error-prone manual processes to handle them. These issues, coupled with the lack of a comprehensive, cohesive approach to compliance and auditing, make it nearly impossible to address the challenge in an effective and cost-efficient manner.

As a result, enterprises are in the unenviable position of committing significant resources to compliance efforts with little assurance that they will prove successful. Most struggle with satisfying stringent compliance mandates to perform access reviews of users with access rights to thousands of business applications and target platforms, and making it a sustainable and repeatable exercise. Adding to the challenge is the fact that organizations are faced with implementing identity compliance policies within short windows and often with limited resources.

To keep pace in an increasingly competitive business landscape, obtaining quick compliance results and establishing reliable and sustainable control processes through automated compliance has become critical. However, establishing robust, organization-wide automated compliance is by no means a flip-of-the-switch endeavor, and businesses oftentimes implement inadequate and disparate policy procedures that leave key areas of the organization exposed to security threats. In order to implement identity compliance that meets today's rigorous standards while maintaining company productivity, identity analytics solutions can help improve all of the elements of an effective compliance program.

Security Compliance
Organizations that are looking to implement automated, analytics-powered compliance programs need to recognize certain truisms when it comes to ensuring secure access to systems and applications. Security compliance is a substantive and procedural undertaking that is only as effective as the processes that track and automate it. Factors such as the latency of audit and remediation efforts and the rate of change within an organization go a long way toward determining the effectiveness of a compliance effort.

That said, compliance programs must also be flexible. The general guidelines for achieving secure access to applications and systems may seem firm on the surface, but the processes that underlie compliance efforts vary greatly from one organization to the next. What's more, every security control must be designed to accommodate loopholes and exceptions necessary to accommodate business efficiency and productivity. For instance, compliance programs must allow for variation to access controls during emergencies such as severe weather, natural disasters, or even economic turmoil.

Additionally, certification of access controls cannot be an IT-only decision. It needs to be a collaborative process that involves business stakeholders and is embedded in an organization's culture. In exchange for the visibility into applications and systems they receive, those business stakeholders need to understand and accept the inherent risks. But ultimately, IT has to be responsible for providing and mitigating the necessary controls and for remediating any negative audit findings.

Unfortunately, because the collaboration that occurs around access control today is largely email-driven, most organizations have only been able to successfully audit a handful of applications or systems. In fact, according to Verizon's 2012 data breach report, 96 percent of the companies subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS) - which governs any company that processes, stores or transmits credit card data - that were breached during 2011 were not compliant with PCI DSS guidelines.

Growing Complexity
One of the reasons enterprises are so challenged by identity management is the unprecedented complexity they face today. With applications and data residing in so many locales - on premise, in the cloud, at a hosting provider's site, etc. - and users relying upon ever-growing sets of tools, IT security teams struggle to keep up with the need to apply access control across systems and geographies. It was difficult enough to track several pages of segregation of duties controls for a single application; tracking controls across the increasingly heterogeneous landscape of systems today is geometrically more complicated.

Cloud-based apps, in particular, introduce a layer of complexity that can result in the business finding itself disconnected if it loses visibility into the related access control data. Along those lines, one of the most common audit issues organizations encounter is a failure to maintain the same level of security controls over their virtual environments as they have over their physical ones.

Dovetailing with the challenges cloud computing introduces is the explosive growth of mobile apps for use in the workplace, a phenomenon that has further fragmented access control processes. As organizations develop their authorizations for mobile apps, they largely are doing so separately from their existing app-authorization systems, which compounds the challenges. According to an August 2011 survey by enterprise mobility vendor Partnerpedia, 58 percent of organizations are creating mobile apps stores, leading to much more complex implementations of certification reviews and controls.

What's more, it's not just the systems that have grown in complexity. Employees have become a much more dynamic enterprise asset, causing organizations to adjust their access controls to reflect the matrices of roles that have resulted from the challenges of trying to classify access. A perfect instance of this is in the health care sector, with drug companies featuring multiple teams across the globe conducting trials and contributing research. Maintaining the privacy and confidentiality of data in this dynamic workgroup setting is a prime example of how the problem of access has evolved.

Five Steps for Leveraging Identity Analytics
Despite these numerous challenges, which collectively can prevent an organization from achieving its identity management objectives, there are ways to ensure that access control efforts can keep up with today's complex business landscape. Specifically, organizations can turn to fast-maturing identity analytics solutions to help them get a handle on this daunting business problem.

Following are five key steps organizations can take by leveraging identity analytics technology that will assist them in achieving robust identity compliance and remaining in compliance moving forward:

1. Become risk aware
While large chunks of IT budgets in recent years have been spent on regulatory compliance, many people still don't feel any safer. The ultimate cautionary tale can be found in the stories of two global financial firms. Despite the focus both companies no doubt had on complying with regulations like Sarbanes-Oxley, auditors at both firms failed to remediate excessive access violations by trusted trading employees, resulting in more than $9 billion in unexpected - and potentially crippling - losses combined.

By adopting an automated system that would enable weighted risk to be tied directly to systems access, organizations can significantly reduce their potential exposure to such embarrassing fiascos.

2. Control privileged access
Access to privileged accounts, such as root, system administration and those with elevated privileges, poses a huge threat to enterprises. These are the most powerful system accounts that, naturally, bring the greatest potential for fraud. Because they don't actually belong to users and are instead often shared by multiple administrators, they're notoriously difficult to secure. In an economy like the one we've experienced the past few years, there are more disgruntled workers, meaning an even greater emphasis should be placed on having an automated system to control privileged access.

As if that's not enough, control of privileged accounts is key to efforts to comply with everything from Sarbanes-Oxley to the PCI DSS to the Health Insurance Portability and Accountability Act (HIPAA), which typically translates to it being at the top of lists of auditors' findings. Moreover, most business partners today want to know that there are sufficient controls placed on privileged accounts as part of their SAS 70 reviews.

Given the clear sensitivity and importance of privileged access, it's imperative that organizations adopt a circumspect approach that enables passwords to be issued for limited periods of use in order to reduce potential exposure.

3. Automate remediation
Today's largest enterprises must contend with tens of thousands of employees accessing hundreds of systems, resulting in a cacophony of controls that audit groups can't possibly hope to manage. It's simply too big of a job for humans to address in a limited number of hours per day. That's where an automated identity analytics solution can help.

By setting up a workflow-based system that can automate the simpler remediation, auditors can instead focus their efforts on the findings that pose the greatest risk. Even then, however, exceptions must be accommodated; for instance, in those moments when emergency privileged access must be granted, it's critical that the system be able to automatically undo that privileged access once the emergency has abated.

4. Reduce the potential for audit violations
As much as it may sound like advice from Yogi Berra, the best way to prevent audit violations is to stop them from happening. The easiest way to do that is to perform the proper due diligence when access is being requested. That's the time when an enterprise needs to check for any common audit problems so that they can be addressed prior to a violation occurring.

When a user requests access that could be considered excessive, if the organization has adopted a system that flags that access, it can automatically collaborate with a business owner to approve or deny the request. Similarly, if a request for access results in a violation of either the segregation of duties or the rule of least privilege, then the system can flag this and provide visibility into the potential risk introduced by the request.

5. Take a platform approach to identity management
Merely having identity analytics technology in place doesn't guarantee that an organization will meet its compliance objectives. But for those enterprises wanting to increase their compliance success rate, having an identity analytics module that's part of a larger identity management platform greatly improves the odds. Like many other categories of software, identity analytics - and compliance in general - benefits from the tight integration of a platform approach.

This truism was further validated by a recent Aberdeen Group study in which companies that adopted fragmented identity and access systems were compared with those that acquired integrated systems from a single vendor. The findings? The companies that adopted pre-integrated systems experienced 35 percent fewer audit violations and reduced their identity analytics costs by 48 percent. They also reported improved end-user productivity, reduced risk and enhanced agility.

Conclusion
It's clear that the growing complexity organizations face has upped the ante when it comes to compliance with identity access controls. That increasingly complex landscape calls for better tools that enable enterprises not only to effectively administer access to applications and systems, but also to understand how they're managing that access.

Automation is the key to increasing the effectiveness and reducing the cost of compliance. Automation streamlines compliance-related processes, reducing the need for resources while at the same time lowering the risk of manual error that can lead to audit failure. More important, automation makes it possible to create sustainable, repeatable audit processes that enable the enterprise to address compliance in an ongoing manner without starting from scratch to address every new regulation or prepare for every audit.

A software solution, such as identity analytics, that automates access control can play a critical role in achieving effective compliance and lowering the related costs. In these turbulent economic times, organizations can't afford to ignore this increasingly important - and complex - part of their security paradigm.

More Stories By Vadim Lander

Vadim Lander is Oracle's Chief Identity Strategist responsible for direction and architecture of Oracle's Identity Management portfolio. He has more than 20 years of experience in the IT industry. Previous to Oracle, he served as Senior Vice President and Chief Security Architect at CA, where he advised the company on key technology trends and helped guide its strategic direction in security management. Vadim joined CA in 2004 with its acquisition of Netegrity, where he was CTO and was instrumental in the definition and development of the company’s identity and access management products.

Vadim holds a BS in computer science from Northeastern University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
SYS-CON Events announced today that MangoApps will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. MangoApps provides modern company intranets and team collaboration software, allowing workers to stay connected and productive from anywhere in the world and from any device. For more information, please visit https://www.mangoapps.com/.
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, wh...
The IoT is changing the way enterprises conduct business. In his session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, discuss how businesses can gain an edge over competitors by empowering consumers to take control through IoT. We'll cite examples such as a Washington, D.C.-based sports club that leveraged IoT and the cloud to develop a comprehensive booking system. He'll also highlight how IoT can revitalize and restore outdated business models, making them profitable...
SYS-CON Events announced today that ContentMX, the marketing technology and services company with a singular mission to increase engagement and drive more conversations for enterprise, channel and SMB technology marketers, has been named “Sponsor & Exhibitor Lounge Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York City, New York. “CloudExpo is a great opportunity to start a conversation with new prospects, but what happens after the...
The essence of data analysis involves setting up data pipelines that consist of several operations that are chained together – starting from data collection, data quality checks, data integration, data analysis and data visualization (including the setting up of interaction paths in that visualization). In our opinion, the challenges stem from the technology diversity at each stage of the data pipeline as well as the lack of process around the analysis.
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit y...
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 19th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo New York Call for Papers is now open.
Designing IoT applications is complex, but deploying them in a scalable fashion is even more complex. A scalable, API first IaaS cloud is a good start, but in order to understand the various components specific to deploying IoT applications, one needs to understand the architecture of these applications and figure out how to scale these components independently. In his session at @ThingsExpo, Nara Rajagopalan is CEO of Accelerite, will discuss the fundamental architecture of IoT applications, ...
In his session at 18th Cloud Expo, Bruce Swann, Senior Product Marketing Manager at Adobe, will discuss how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects). Bruce Swann has more than 15 years of experience working with digital marketing disciplines like web analytics, social med...
SYS-CON Events announced today that Enzu, a leading provider of cloud hosting solutions, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive advantage. By offering a suite of proven hosting and management services, Enzu wants companies to foc...
Customer experience has become a competitive differentiator for companies, and it’s imperative that brands seamlessly connect the customer journey across all platforms. With the continued explosion of IoT, join us for a look at how to build a winning digital foundation in the connected era – today and in the future. In his session at @ThingsExpo, Chris Nguyen, Group Product Marketing Manager at Adobe, will discuss how to successfully leverage mobile, rapidly deploy content, capture real-time d...
IoT generates lots of temporal data. But how do you unlock its value? How do you coordinate the diverse moving parts that must come together when developing your IoT product? What are the key challenges addressed by Data as a Service? How does cloud computing underlie and connect the notions of Digital and DevOps What is the impact of the API economy? What is the business imperative for Cognitive Computing? Get all these questions and hundreds more like them answered at the 18th Cloud Expo...
As cloud and storage projections continue to rise, the number of organizations moving to the cloud is escalating and it is clear cloud storage is here to stay. However, is it secure? Data is the lifeblood for government entities, countries, cloud service providers and enterprises alike and losing or exposing that data can have disastrous results. There are new concepts for data storage on the horizon that will deliver secure solutions for storing and moving sensitive data around the world. ...
What a difference a year makes. Organizations aren’t just talking about IoT possibilities, it is now baked into their core business strategy. With IoT, billions of devices generating data from different companies on different networks around the globe need to interact. From efficiency to better customer insights to completely new business models, IoT will turn traditional business models upside down. In the new customer-centric age, the key to success is delivering critical services and apps wit...
SYS-CON Events announced today that 24Notion has been named “Bronze Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. 24Notion is full-service global creative digital marketing, technology and lifestyle agency that combines strategic ideas with customized tactical execution. With a broad understand of the art of traditional marketing, new media, communications and social influence, 24Notion uniquely understands how to con...
WebRTC is bringing significant change to the communications landscape that will bridge the worlds of web and telephony, making the Internet the new standard for communications. Cloud9 took the road less traveled and used WebRTC to create a downloadable enterprise-grade communications platform that is changing the communication dynamic in the financial sector. In his session at @ThingsExpo, Leo Papadopoulos, CTO of Cloud9, will discuss the importance of WebRTC and how it enables companies to fo...
SYS-CON Events announced today TechTarget has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. TechTarget is the Web’s leading destination for serious technology buyers researching and making enterprise technology decisions. Its extensive global networ...
Korean Broadcasting System (KBS) will feature the upcoming 18th Cloud Expo | @ThingsExpo in a New York news documentary about the "New IT for the Future." The documentary will cover how big companies are transmitting or adopting the new IT for the future and will be filmed on the expo floor between June 7-June 9, 2016, at the Javits Center in New York City, New York. KBS has long been a leader in the development of the broadcasting culture of Korea. As the key public service broadcaster of Korea...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty ...
There are several IoTs: the Industrial Internet, Consumer Wearables, Wearables and Healthcare, Supply Chains, and the movement toward Smart Grids, Cities, Regions, and Nations. There are competing communications standards every step of the way, a bewildering array of sensors and devices, and an entire world of competing data analytics platforms. To some this appears to be chaos. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will discuss the vast to...