Posts Tagged ‘Risk’

PII & NIST, two great tastes that go great together!

Thursday, August 4th, 2011

Protecting Personally Identifiable Information (PII) is an issue that continues to grow in importance for individuals, companies big and small, multi-national corporations and governments. PII is defined as ‘information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc’.

It is in the news often (and it seems daily lately), as you can see from a few headlines I pulled through a quick search of breaches that occurred this week:

  • Massive Data Breach in South Korean Portal Affects 35 Million Users
  • EMC Foots a $66 Million Bill for RSA Attack
  • UNLV Admits a Possible 2008 Security Breach

The National Institute of Standards & Technology’s (NIST) take on it

In regard to these seemingly daily breaches, there is a newly proposed NIST set of standards for Security and Privacy which is due to be published as Appendix J: Security and Privacy Controls for Federal Information Systems and Organizations in the NIST Special Publication 800-5 document in December, 2011. It is interesting to see how the government is tackling this sticky problem. Since the Appendix has its own review cycle, separate from the review of the entire document, one can surmise that the government is taking it very seriously.

So what is covered in this Appendix and can we apply it to the issues facing the Private Sector as well as the Public Sector?

The NIST approach is risk based. Identifying and managing the risk factors in PII is crucial. First, examining the existing data against the PII criteria is suggested, all the way down to the data fields themselves. This is data that is directly under an organization’s control; it may also be used by contractors or be stored and available in a virtual environment. Two types of data are defined, ‘Linked Data’ and ‘Linkable Data.’

Linked Data is data already associated with other PII, whereas Linkable Data (currently “unlinked”) can conceivably be linked together to form information that identifies a specific individual. Not all PII is equal either, and as such it should be rated on a defined ‘PII confidentiality impact level.’ This level is determined by the amount of harm that could result from a breach of the information. The suggested rating levels are low (limited adverse effect), medium (serious adverse effect) and high (severe or catastrophic adverse effect). The issue the document raises is that a combination (‘linked data’) of lower rated pieces of information can cause a serious, high-impact breach, such as ‘mother’s maiden name, place of birth and birth-date.’ In most states these three pieces of information will get you a birth certificate. Thus information marked as low, if combined in the right way, can be a much higher risk and may warrant a higher rating. When determining the PII impact level, this is of critical importance to keep in mind.
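An added example, not from the post or from NIST, of the rating logic just described: each field is rated on its own, but a complete ‘linked’ combination of low fields (the birth-certificate trio) drives the data set to a higher level, and a combination that is one field short is reported as linkable exposure. The per-field ratings and the second escalation rule are assumed for illustration.

```python
# Impact levels as the post lists them: low, medium, high.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Baseline rating of each field taken alone. Assumed values for illustration;
# the post does not give a field-by-field table.
FIELD_LEVEL = {
    "name": "low", "email": "low", "birth_date": "low",
    "place_of_birth": "low", "mothers_maiden_name": "low",
    "ssn": "high", "biometric_record": "high",
}

# Combinations of individually low fields that, once linked, carry a higher
# impact. The first is the birth-certificate example from the post; the
# second is an assumed extra rule.
ESCALATIONS = [
    (frozenset({"mothers_maiden_name", "place_of_birth", "birth_date"}), "high"),
    (frozenset({"name", "birth_date"}), "medium"),
]

def impact_level(fields):
    """Rate a data set by its worst single field or its worst linked combination.
    Returns (level, reasons) so the rating can be justified in a review."""
    present = frozenset(fields)
    candidates = []
    for f in sorted(present):
        lvl = FIELD_LEVEL.get(f, "low")            # unrated fields default to low
        candidates.append((LEVELS[lvl], f"{f} is {lvl} on its own"))
    for combo, lvl in ESCALATIONS:
        if combo <= present:                       # every field of the combo is held
            candidates.append((LEVELS[lvl],
                               "linked " + " + ".join(sorted(combo)) + f" is {lvl}"))
    if not candidates:
        return "low", ["no PII fields present"]
    top = max(score for score, _ in candidates)
    return NAMES[top], [reason for score, reason in candidates if score == top]

def linkable_exposure(fields):
    """Escalating combinations that are one field short of complete: the
    'linkable' data the post warns about, worth tracking before it gets linked."""
    present = frozenset(fields)
    gaps = []
    for combo, lvl in ESCALATIONS:
        missing = combo - present
        if len(missing) == 1:
            gaps.append((next(iter(missing)), lvl))
    return sorted(gaps)
```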

The NIST document also provides recommendations on how much PII should be collected by an organization or agency. Carefully making sure that redundant and non-essential information is not collected and stored also reduces the amount of risk being taken on. For example, if you have already collected the email address, can it be verified and referred to instead of being collected again?

How long PII is retained also carries risk, so it is highly recommended to regularly determine what can be purged from the system. Literally, put this on your schedule and make it a repeated activity!

Also extremely important is Access Control: Who has access? Do they need it, and for how long? In most cases the math is simple: the fewer people with access to PII, the less risk there is. If employees need access only to certain data for a project, give them limited access with an end date instead of the ‘keys to the kingdom.’ This is a good time to mention governance and training. Comprehensive policies for handling PII, used to train employees to handle the data correctly with as little risk of exposure as possible, also lessen the chance that a ‘mistake’ or other incident will happen.

These follow the common areas:

  • Access Control
  • Separation of Duties (SOD)
  • Least Privilege
  • Remote Access
  • Auditable Events, Monitoring and Reporting

Basically: how do we minimize risk to our customers, organizations, etc. and still get the job done well?

The Appendix also discusses minimizing PII in another way that is important in organizations large and small. Instead of using complete data for environments other than ‘Production,’ strip the data or ‘sanitize’ it for use. Remove, as far as possible, any fields that identify the person the record refers to. This means removing PII while still being able to develop and test with valid, ‘production-like’ data sets.
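An added example of the sanitization step above (my code, not the post’s or NIST’s): direct identifiers are dropped, identifiers that tests still need for joins are replaced with keyed, deterministic pseudonyms, and dates are generalized to the year. The field policy, the key handling and the sample rows are assumed for illustration; the leak check and join check show how to verify the result before it leaves production.

```python
import hashlib
import hmac

# Key for deriving pseudonyms. Assumed to live only in the sanitization job,
# never in the non-production environment, so tokens cannot be reversed there.
PSEUDONYM_KEY = b"constructed-example-key"

DROP = {"ssn", "mothers_maiden_name"}              # not needed outside production
PSEUDONYMIZE = {"customer_id", "name", "email"}    # needed for joins, so fake them stably
GENERALIZE = {                                     # keep the shape, lose the precision
    "birth_date": lambda v: v[:4] + "-01-01",      # year only
    "place_of_birth": lambda v: "REDACTED",
}

def pseudonym(field, value):
    """Keyed hash so equal inputs map to equal tokens across every table."""
    mac = hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    token = mac.hexdigest()[:12]
    return f"user-{token}@example.invalid" if field == "email" else f"{field}-{token}"

def sanitize(record):
    out = {}
    for key, value in record.items():
        if key in DROP:
            continue
        if key in PSEUDONYMIZE:
            out[key] = pseudonym(key, value)
        elif key in GENERALIZE:
            out[key] = GENERALIZE[key](value)
        else:
            out[key] = value                       # non-identifying business data
    return out

def sanitize_table(rows):
    return [sanitize(r) for r in rows]

def leaked_values(original, sanitized):
    """Identifying values from the source row that still appear in the output."""
    blob = " ".join(str(v) for v in sanitized.values())
    return sorted(k for k in DROP | PSEUDONYMIZE | set(GENERALIZE)
                  if k in original and str(original[k]) in blob)

def joins_still_work(customers, orders):
    """Referential integrity check: every order must still find its customer."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)

# Constructed sample production rows spanning two tables that share customer_id.
CUSTOMERS = [{"customer_id": "C1001", "name": "Jane Doe", "email": "jane@example.com",
              "ssn": "123-45-6789", "birth_date": "1978-05-14", "place_of_birth": "Reno",
              "mothers_maiden_name": "Smith", "plan": "gold"}]
ORDERS = [{"order_id": "O1", "customer_id": "C1001", "amount": 42.0}]
```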

Lastly, the document recommends having a plan for when a breach happens, not if it happens. The plan should include initial notification of responsible and concerned parties, assessing the possible impact to the company and individuals, and how to handle the different scenarios that might occur. The time to plan is in advance, not in the moment. Things that seem basic can get overlooked during a crisis unless they are documented in a checklist and exercised in advance.

In summation, the NIST document is for use as a guideline outside of the Government and at times inside. Your mileage may vary depending upon the regulatory laws that govern your business or organization and even your country.

Looking for additional insight into how PII affects your organization?  Feel free to reach out to us at IDMWorks.

Identity Management & the Art of Removing Cloud Security Obstacles

Thursday, February 17th, 2011

First the fun, why Cloud?  Well, we seem to define this a lot here at IDMWorks.

The quick and dirty:

1. Pay As You Go Approach to IT
There is no upfront cost and this helps keep the cost down for the service consumers. Cloud computing is a pay-as-you-go approach, in which a low initial investment is required to get started, and additional investment is incurred as system usage increases.

2. Highly Available Infrastructure
Many cloud providers sell their service as highly available. This gives Cloud services the aura of a utility which is always on and can be leveraged anytime and from anywhere.

3. Strong Time to Value Ratio
With Cloud computing, organizations realize benefits more rapidly than with the traditional packaged software use model. In the traditional IT model, a large investment is made early in the project prior to system build out, and well before tangible business benefits are realized. This model has several risks associated with it, since a large percentage of IT projects are cancelled due to poor ROI or user acceptance. Cloud provides IT a way to outsource non-critical functions to an organization better equipped to run those services.

4. Flexible Computing Model
Cloud computing offers much more flexibility than traditional computing models. Your employees can access information wherever they are rather than being tethered to their desktop.

5. It’s Simple
One of the advantages of cloud computing is that businesses of all sizes can instantly obtain the benefits of the enormous infrastructure without having to implement and administer it directly.

Enough of the pitch, now on to Identity Management in the Cloud

Cloud Identity Challenges:

1. User Lifecycle Management:
New Cloud applications bring new complications of management, more costs and administrative hassles. You may have invested hundreds of thousands or even millions in enterprise provisioning software only to find out that it does nothing to address your identities in the Cloud. There could be windows of time where your terminated contractors have not been de-provisioned from critical applications. As such, organizations will quickly find out they need a centralized infrastructure to manage user identity information effectively. Further, explosive growth in the use of web applications increases the complexity and administrative overhead of deciding which users should be entitled to access across applications. So it is critical in the cloud framework to be able to facilitate self-service registration whenever possible. This can lead to better agility, reduced help desk costs and higher convenience for end users.

2. Compliance:
As more services and applications are being provided by 3rd parties, organizations have new compliance issues to worry about. The more sensitive data we have via these 3rd party applications the more we need to be able to enforce the types of controls that allow us to be compliant.

3. Federated Authentication:
The ability to collaborate seamlessly with your partners, vendors, and customers. An organization may already have all of its internal user identities stored in Active Directory and its external users, such as partners and vendors, in an LDAP directory, and it may want all of those users to leverage an external cloud application without replicating all of that identity information in a third party product. Many organizations also want the convenience of having their users sign on once to access not only internal applications but also SaaS applications in the cloud.

Cloud Identity Solutions:

1. User Lifecycle Management:
Identity Administration helps solve the user lifecycle management challenge and many other common issues such as self service registration and compliance reporting. Automating the provisioning and de-provisioning of users and the administration of user identities for both on premise and cloud applications will bridge the security gap regardless of the size of the network. The addition of Role Based Access Control (RBAC) means that when a user changes role they are automatically de-provisioned from systems no longer needed and added to the new ones relevant to their new role. Additionally, automated Identity Administration allows us to identify and remediate orphaned accounts (those accounts with long-gone owners).

Throw in user self-service access requests and self-service password reset capabilities and the User Lifecycle Process can be fully automated across the Cloud.

Need this to be standards driven?  Let’s implement SPML connectors.
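An added example (my own illustration, not IDMWorks’ or any product’s code) of the two automations described in this item: reconciling a user’s accounts against what their new roles entitle them to, and flagging application accounts whose owner is no longer active in the authoritative directory. The role map and sample data are constructed.

```python
from dataclasses import dataclass

# Role -> application accounts the role entitles a user to. Constructed mapping.
ROLE_ENTITLEMENTS = {
    "contractor-dev": {"git", "jira", "vpn"},
    "finance-analyst": {"erp", "jira", "expense-saas"},
}

@dataclass(frozen=True)
class Action:
    user: str
    app: str
    op: str          # "revoke" or "grant"

def reconcile(user, current_accounts, new_roles):
    """Actions that move a user from the accounts they hold to exactly the set
    their new roles entitle them to. An empty role list (e.g. termination)
    revokes everything; revokes are emitted before grants."""
    target = set()
    for role in new_roles:
        target |= ROLE_ENTITLEMENTS[role]
    held = set(current_accounts)
    revokes = [Action(user, app, "revoke") for app in sorted(held - target)]
    grants = [Action(user, app, "grant") for app in sorted(target - held)]
    return revokes + grants

def orphaned_accounts(app_accounts, directory):
    """(app, owner) pairs whose owner is missing from the directory or not
    'active' in it: candidates for removal or review."""
    active = {user for user, status in directory.items() if status == "active"}
    return sorted((app, owner) for app, owners in app_accounts.items()
                  for owner in owners if owner not in active)
```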

2. Compliance:
Simply put, utilize Identity Management tools to log and report Who has access to What, When, Why, and How and fulfill those pesky regulatory requirements, such as Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley, HIPAA, and HSPD-12.

3. Federated Authentication:
Need to collaborate seamlessly and yet securely across complex heterogeneous environments?  Make sure your Single Sign-On solution can support SAML, Windows CardSpace, WS-Fed and/or OpenID.

In summation, contact IDMWorks and let us help you plan your Cloud based Identity & Access Management (IAM) security solutions around the core tenets:

1. Identity Management

a. Roles based User Provisioning

b. Self-Service Request & Approval

c. Password Management

2. Access Management

a. Authentication & Fraud Prevention

b. Single Sign-On & Federation

c. Authorization & Entitlements

d. Web Services Security

e. Information Rights Management

3. Governance, Risk and Compliance (GRC)

a. Analytics

b. Fraud Prevention

c. Privacy Controls

Zen and the Art of Identity Management

Monday, November 15th, 2010

Interestingly enough I have been asked many times as to what exactly IDMWorks is and what it is that we do (and I don’t just mean the wife and kids).  As such it seems time to do the quasi-annual blog sales pitch.  I think most of our readers have an idea what we do and have perused the site to better inform themselves but there are some that don’t tread any farther than this here blog.  So in keeping with the simplicity of blogvertising I present you IDMWorks.

Subject:  Enterprise Identity & Access Management and Governance, Risk & Compliance

You may be aware of many of the issues organizations are facing today around the various challenges and aspects of Identity Management and Information Security.

At IDMWORKS we understand the problems that many of you are facing and are positioned to help. IDMWORKS is a vendor agnostic Identity Management, Access Management, and Governance, Risk and Compliance Management Consultancy. We have consultants and engineers across the United States and North America that specialize in helping clients with most aspects of Identity, Access Management, and GRC issues, including the following:

  • Identity and Access Management technology evaluations and POCs
  • Identity Management strategy creation, Integration and Deployment
  • Identity Management / IT Security Technologies Assessment, Evaluation, and Planning
  • Identity Management / IT Security Education
  • Pre & Post Identity Management project Support Services
  • Identity Federation
  • PCI Compliance
  • Governance, Risk and Compliance Management, Provisioning
  • Single Sign-on and Web Access management
  • Data Loss Prevention

IDMWORKS has been built upon the skills and experience of dedicated IDM professionals and specialists, with a customer base that includes Government, Healthcare, Education, Financial Services, Energy, Manufacturing and Retail clients.

IDMWORKS has experience with the integration and implementation of the market-leading Identity & Access Management and GRC solutions and technologies – CA, Oracle/Sun, Novell, IBM, Aveksa, Citrix, Passlogix, and Sailpoint, to name a few – and would welcome the opportunity to discuss your IT Security needs to determine how we can help.

We would like to offer you the opportunity to take advantage of an initial Identity Management, and Compliance Assessment. The results of the assessment will include recommendations on potential solutions to address your current Identity management and GRC related issues.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

PCI yai yai!

Wednesday, August 18th, 2010

If your business accepts or processes payment cards, it must comply with the PCI DSS (Payment Card Industry Data Security Standard). All businesses and merchants that store, process and/or transmit card holder information are now required to be PCI compliant.

PCI DSS is a set of requirements for enhancing data security. This originally began as individual programs from Visa, MasterCard, American Express, Discover, and JCB. To facilitate the broad adoption of consistent data security measures Visa, MasterCard, American Express, Discover, and JCB aligned their individual policies to release the Payment Card Industry Data Security Standards.

In today’s economy, with merchants and business owners required to thoroughly evaluate operating costs, merchant processing fees are an area frequently overlooked. Evaluating and comparing merchant processing solutions including fees for services, such as PCI compliance for your business, can be well worth the time it takes and may result in considerable savings for your company.

Many companies are struggling with some of the same issues repeatedly around PCI DSS compliance and Governance. First and foremost, companies need to know whom to pay and how to pay for PCI Compliance, and where the ROI is. Second, how do companies free up the system administrators to do what they pay them to do (administer systems, that is)? Whether they be network engineers, UNIX administrators, or Windows administrators (to name a few), too often organizations have turned our technical assets into grumpy compliance administrators and/or control owners. I think we all know how much system administrators just love to get involved in compliance and governance (can someone get Johnny from under his desk and let him know I’m not here for PCI, SOX and Audit). Third, spreadsheets, spreadsheets, spreadsheets. Did I mention spreadsheets? I’m not sure how much I need to elaborate here, but multiple spreadsheets housing your control environment assures that everyone is working off a different set of controls.

Too often we task our administrators to be owners of controls that are poorly written (often by other system administrators). Most times these controls are written very broadly and are not housed in a central repository (which, by the way, external auditors love to flag). With broad controls the external auditor can test whatever they believe the control defines, often leading to the entire control failing and thus having to be retested. Additionally, we do not supply our system administrators with the correct tool set (“what tools?” says Johnny). We spend a lot of time manually going through IOS code, system logs, Active Directory logs, and of course spreadsheets to try to test controls and assure governance.

This is where IDMWorks can come in. IDMWorks QSAs can build a framework based on Risk Drivers, write general controls that can be applied to most standards, build automation into the process, reduce your external audit time by 50% (ROI), and assist you with writing solid test plans to execute. Look at IDMWORKS as your tax preparer, but for Compliance and Governance. Creating a new framework along with solid test plans assures a very efficient process and reduces the amount of time wasted by your external auditor during the testing of poorly defined controls. Additionally, poorly written test plans are part of this spiral of non-compliance. IDMworks takes a practical approach that will assure your PCI certification and reduce your audit cycle and costs.