Risk
10/23/2012
11:24 PM

7 Costly IAM Mistakes

Blunders that lead to costly identity and access management failures

While IAM project failures may not quite rank up there with the biggest ERP blunders on record, they still rank high among some of IT security's most embarrassing wastes of investment. When organizations fail to properly align business processes with technology, don't account for the dynamic demands of users in accessing IT assets, and don't confer with the right stakeholders prior to deployment, IAM initiatives are put at risk. The following are the most expensive IAM mistakes many enterprises make today.

[Will mobile biometrics be an IAM driver? See You're Nobody Without Your Mobile Device.]

1. Underestimating Mobility's Impact On IAM
As enterprise strategies change, so, too, must the way they manage user access to systems and data. One big mistake organizations are making right now is underestimating the impact of mobile devices on the enterprise, says Darren Platt, CTO of Symplified.

"Mobile device adoption by users will result in access to internal corporate resources from managed and unmanaged hardware devices," he says.

According to Lee Cocking, vice president of corporate strategy for Fixmo, today's IAM solutions typically hinge on the identity of the user without accounting for the identity of the device he is using. It's one of the factors of mobility that needs to be folded into IAM strategy.

"Right now mobility is essentially a bolt-on and does not play too well with other incumbent enterprise solutions like IAM. This has to change," Cocking says.

2. Making Provisioning A Revolving Door That Spins Halfway
Many enterprises put a lot of time and effort into making employee on-boarding as smooth as possible through expedient provisioning. But they usually fall short when those same employees give their notice, says Jonathan Sander, director of IAM business development at Quest Software, now a part of Dell.

"When people take on provisioning, they often end up with a revolving door that only spins halfway around," Sander says. "But the real trick to doing provisioning right is doing deprovisioning right."

When enterprises fail to properly address account deprovisioning, they leave potentially serious security holes open, and those holes accumulate over time.

"I can't tell you how many times I've found people sharing accounts of people who have not worked at the organization for years because that account had 'all the right access' and they all knew the password," he says. "You need to make sure your provisioning is a revolving door that spins in a full circle."
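The failure Sander describes, accounts of people who left years ago still enabled and still in use, is straightforward to detect once HR data and directory data are compared side by side. The following is an added example, not code from the article or from any vendor quoted in it; the data classes, the constructed HR roster and account export, and the `reconcile` and `run_check` helpers are all assumptions made for illustration. It flags three things: accounts with no HR record at all (orphans), accounts still enabled after their owner's termination date, and accounts that logged on after that date, which is the signature of the "everyone knew the password" sharing Sander mentions.

```python
"""Deprovisioning reconciliation: compare an HR roster against directory
accounts and flag accounts that should have been closed.

Added example with constructed data; the dataclasses, sample records and the
`reconcile` helper are assumptions for illustration, not any product's API."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class HrRecord:
    employee_id: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date]  # None while the person is active


@dataclass
class Account:
    username: str
    employee_id: Optional[str]  # None for accounts not tied to a person
    enabled: bool
    last_logon: Optional[date]  # None if the account has never logged on


# Constructed sample data: what an HR feed and a directory export might look like.
HR_ROSTER = [
    HrRecord("E1", "active", None),
    HrRecord("E2", "terminated", date(2012, 6, 30)),
    HrRecord("E3", "terminated", date(2010, 3, 15)),
]
ACCOUNTS = [
    Account("alice", "E1", True, date(2012, 10, 20)),       # current employee
    Account("bob", "E2", True, date(2012, 10, 15)),         # left in June, still enabled and in use
    Account("carol", "E3", False, date(2010, 3, 10)),       # properly deprovisioned
    Account("svc_backup", None, True, date(2012, 10, 22)),  # no owner on record
    Account("dave", "E9", True, None),                      # employee id unknown to HR
]
REPORT_DATE = date(2012, 10, 23)  # constructed "today" for the report


def reconcile(hr_roster, accounts, today):
    """Return a list of findings (username, kind, detail) for accounts whose
    state disagrees with HR: orphans, enabled accounts of leavers, and
    accounts used after their owner's termination date."""
    hr = {r.employee_id: r for r in hr_roster}
    findings = []
    for acct in accounts:
        record = hr.get(acct.employee_id) if acct.employee_id else None
        if record is None:
            findings.append((acct.username, "orphan", "no matching HR record"))
            continue
        if record.status != "terminated":
            continue
        # Half-turn of the revolving door: the person left, the account did not.
        if acct.enabled:
            days_open = (today - record.termination_date).days
            findings.append((acct.username, "not_deprovisioned",
                             f"still enabled {days_open} days after termination"))
        # Any logon after termination points at account sharing or misuse.
        if acct.last_logon and acct.last_logon > record.termination_date:
            findings.append((acct.username, "used_after_termination",
                             f"last logon {acct.last_logon.isoformat()} after "
                             f"termination on {record.termination_date.isoformat()}"))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a quick report."""
    summary = {}
    for _, kind, _ in findings:
        summary[kind] = summary.get(kind, 0) + 1
    return summary


def run_check():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_ROSTER, ACCOUNTS, REPORT_DATE)


if __name__ == "__main__":
    for username, kind, detail in run_check():
        print(f"{username:<12} {kind:<24} {detail}")
```

Run against the sample data, the check reports `bob` twice (still enabled 115 days after leaving, and logged on in October), and `svc_backup` and `dave` as orphans; `carol`, whose account was disabled when she left, produces nothing. The same comparison run on a schedule, rather than only before an audit, is what keeps the door turning the full circle.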

3. Automating Bad Processes
Many security vendors will tell you that automation is the magic salve that will cure just about any compliance- or security-related sickness, including those around identity and authentication. But the truth is that if the organization hasn't intelligently addressed the business processes they're planning on automating, a set-and-forget automation technology may make the problem worse.

"In large companies, identity-related processes can be so complex and touch so many people that people don't know how to fix an inefficient or broken process or where to start," says Frank Villavicencio, executive vice president at Identropy. "Unfortunately, what usually ends up happening is that instead of determining a better way to do it, they automate a process that no longer serves the needs of the business."

On top of that, the automation technique itself needs to be thought through. According to Stuart McClure, CEO of security startup Cylance, when he ran the IAM team at Kaiser Permanente, that team built out many Web applications to scale the on-boarding process. That was good for automation, but bad for security, because those applications opened up new holes.

"With an ID, of course you could get email and internal resources," he says. "But it was quite easy to perform a Web attack against the applications that automated the user."

4. Thinking IAM Serves End Users Only
When enterprises buy into IAM products and processes, they'll curse themselves later if they don't look beyond the end users as potential account-holders seeking legitimate access to data.

"One mistake enterprises make is buying IAM only to address the needs of employees," says David Baker, CSO of Okta, "and not thinking about how to make access and usage of customer and partner facing applications better to improve satisfaction and increase revenue."

Successful enterprises tend to take a comprehensive approach to IAM that not only covers all applications and devices, but also all users, whether they're employees, partners, or customers, he says.

"And that can change easily over time as their infrastructure, apps, and people change," he says. "IAM solutions should scale to address not only the needs of internal employees, but of customers and partners as well."

5. Rushing Into Unsupportable Infrastructure
We've all heard the horror stories around costly IAM projects that burn through a lot of cash and eventually fizzle into failure. Organizations must vet IAM platforms for ease of implementation and ease of use to ensure that once the technology has been purchased, it actually gets used.

"Many companies purchase IAM solutions -- only to hold off on implementation because they find they are too complex to integrate with existing applications, too," says Okta's Baker, explaining that security should be but one part of the product evaluation process. "We've found it to be absolutely critical that IAM solutions are easy to use and implement so that you will actually get value out of them."

Additionally, organizations have to really understand what it will take to maintain that IAM infrastructure throughout its life span, particularly in the form of customizations. Villavicencio suggests organizations follow an 80/20 rule.

"Assuming that your IAM solution leverages vendor-supplied technology, 80 percent of the functionality in the infrastructure should be standard functionality of the product, and 20 percent should be customized functionality," he says. "Beyond this balance, the infrastructure quickly becomes unsupportable -- just wait for the first upgrade cycle."

6. Ignoring Politics
While the technology may play a big role in the success or failure of an IAM process, politics may play an even more fundamental part.

"The technical part is the easy part," says Dave Mahdi, senior manager of product marketing for Entrust. "It's getting all of the business stakeholders to agree and to have an executable, realistic action plan. IAM is just as much, if not more, about the people and processes than the technology."

Villavicencio agrees. Provisioning and deprovisioning, for example, are so tightly bound to the overall process of on-boarding or terminating employees that failing to liaise with human resources would be a fatal step, he says.

"[This] project must have the appropriate support from human resources, with active support from stakeholders -- particularly during the requirement analysis and design phases," he says, explaining that failing to involve these stakeholders is one of the most common reasons why IAM initiatives fail.

7. Not Knowing The Difference Between Authentication And Authorization
Plenty of ink has been spilled on authentication -- technological mechanisms such as two-factor authentication, tokens, biometrics, and so on. But what often gets forgotten and taken for granted in the whole IAM picture is the equally important process of authorization, says David Gibson, vice president of strategy for Varonis.

"When it comes to authorization, organizations assume, incorrectly, that their security groups are aligned with their data -- reviewing security groups' memberships, by itself, is enough to manage authorization -- and that they are keeping track of which data sets belong to a business unit or business owner," he says.

Effective authorization is equally important in the IAM ecosystem to keep the rule of least privilege from turning into no rules and all privileges.
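Gibson's point is that looking at group memberships alone tells you who is in which group, not whether the groups line up with the data they unlock or whether anyone owns that data. The following is an added example, not code from the article or from Varonis; the data model (data sets mapped to an owning business unit, groups mapped to the data they grant, users mapped to groups and to a unit) and the `audit_authorization` and `run_audit` helpers are assumptions made for illustration. It reports the three gaps a membership review misses: data sets nobody owns, groups that mix data from several business units, and users whose groups reach data outside their own unit.

```python
"""Authorization alignment audit: check whether security groups actually
line up with the data they grant access to and with its business owners.

Added example with constructed data; the data model and the
`audit_authorization` helper are assumptions for illustration, not any
product's API."""

# Constructed sample data.
# Data set -> business unit that owns it (None = nobody has claimed ownership).
DATA_OWNERS = {
    "finance_reports": "finance",
    "payroll": "hr",
    "eng_designs": None,
}
# Security group -> data sets the group grants access to.
GROUP_GRANTS = {
    "grp_finance": ["finance_reports"],
    "grp_hr": ["payroll"],
    "grp_everyone": ["finance_reports", "payroll", "eng_designs"],
}
# User -> groups the user belongs to (what a membership review looks at).
MEMBERSHIP = {
    "alice": ["grp_finance"],
    "bob": ["grp_hr", "grp_everyone"],
    "carol": ["grp_everyone"],
}
# User -> business unit the user works in.
USER_UNIT = {"alice": "finance", "bob": "hr", "carol": "engineering"}


def effective_access(membership, group_grants):
    """Expand group membership into (data_set, via_group) pairs per user."""
    access = {}
    for user, groups in membership.items():
        pairs = set()
        for group in groups:
            for data_set in group_grants.get(group, []):
                pairs.add((data_set, group))
        access[user] = pairs
    return access


def audit_authorization(data_owners, group_grants, membership, user_unit):
    """Return three kinds of misalignment that a membership review alone misses:
    data with no business owner, groups that mix data from several units,
    and users whose groups reach data outside their own unit."""
    unowned = sorted(d for d, owner in data_owners.items() if owner is None)

    mixed_unit_groups = []
    for group, data_sets in group_grants.items():
        units = {data_owners.get(d) for d in data_sets} - {None}
        if len(units) > 1:
            mixed_unit_groups.append(group)
    mixed_unit_groups.sort()

    cross_unit = {}
    for user, pairs in effective_access(membership, group_grants).items():
        hits = sorted(
            (data_set, group) for data_set, group in pairs
            if data_owners.get(data_set) not in (None, user_unit[user])
        )
        if hits:
            cross_unit[user] = hits

    return {"unowned_data": unowned,
            "mixed_unit_groups": mixed_unit_groups,
            "cross_unit_access": cross_unit}


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit_authorization(DATA_OWNERS, GROUP_GRANTS, MEMBERSHIP, USER_UNIT)


if __name__ == "__main__":
    report = run_audit()
    print("data with no owner:", report["unowned_data"])
    print("groups mixing units:", report["mixed_unit_groups"])
    for user, hits in report["cross_unit_access"].items():
        for data_set, group in hits:
            print(f"{user} reaches {data_set} ({DATA_OWNERS[data_set]}) via {group}")
```

On the sample data a membership review would pass `bob` (he is in the HR group, as expected) and never notice that `grp_everyone` also hands him finance data; the audit reports that, reports `grp_everyone` as a group spanning two business units, and reports `eng_designs` as data nobody has claimed, so nobody can say whether `carol` should see it. Those are the rows a least-privilege review has to act on.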

Comments
RWEEKS000, User Rank: Apprentice
10/24/2012 | 7:19:57 PM
re: 7 Costly IAM Mistakes

Many organizations implement IAM solutions to automate user provisioning -- an administrative step that ensures user access rights align with business processes from the start; then companies perform periodic reviews or certifications -- say, every three, six, nine, 12 months -- to certify that those access rights are in order. Why? Because that is when auditors check on it. This is a big mistake that organizations make, only certifying access when needed for an audit. Many things change between the provisioning step and the certification reviews that can introduce access risk: business changes, infrastructure changes, regulatory changes, new resources coming on line, new roles, policies, rights changes, hirings, firings, transfers - even terrorists and hackers mobilizing.

This creates a huge identity and access management gap that leaves an organization's sensitive company information at risk to internal and external threats. To avoid mistakes, organizations need a system that identifies and evaluates risk in real-time in order to improve security, demonstrate compliance and manage access risk.

Rachel Weeks, Courion