Risk
10/23/2012
11:24 PM

7 Costly IAM Mistakes

Blunders that lead to costly identity and access management failures

While IAM project failures may not quite rank up there with the biggest ERP blunders on record, they still rank high among some of IT security's most embarrassing wastes of investment. When organizations fail to properly align business processes with technology, don't account for the dynamic demands of users in accessing IT assets, and don't confer with the right stakeholders prior to deployment, IAM initiatives are put at risk. The following are the most expensive IAM mistakes many enterprises make today.


1. Underestimating Mobility's Impact On IAM
As enterprise strategies change, so, too, must the way they manage user access to systems and data. One big mistake organizations are making right now is underestimating the impact of mobile devices on the enterprise, says Darren Platt, CTO of Symplified.

"Mobile device adoption by users will result in access to internal corporate resources from managed and unmanaged hardware devices," he says.

According to Lee Cocking, vice president of corporate strategy for Fixmo, today's IAM solutions typically hinge on the identity of the user without accounting for the identity of the device he is using. It's one of the factors of mobility that needs to be folded into IAM strategy.

"Right now mobility is essentially a bolt-on and does not play too well with other incumbent enterprise solutions like IAM. This has to change," Cocking says.

2. Making Provisioning A Revolving Door That Spins Halfway
Many enterprises spend a lot of time and hard work in making employee on-boarding as easy as possible through expedient provisioning. But they usually fall short when those same employees give their notice, says Jonathan Sander, director of IAM business development at Quest Software, now a part of Dell.

"When people take on provisioning, they often end up with a revolving door that only spins halfway around," Sander says. "But the real trick to doing provisioning right is doing deprovisioning right."

When enterprises fail to address account deprovisioning, they accumulate orphaned and shared accounts that remain usable long after their owners have left, and that exposure only grows over time.

"I can't tell you how many times I've found people sharing accounts of people who have not worked at the organization for years because that account had 'all the right access' and they all knew the password," he says. "You need to make sure your provisioning is a revolving door that spins in a full circle."
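The check that closes the other half of the revolving door is a reconciliation of the directory against the HR roster: any account whose owner HR says has left, but which is still enabled or still being logged into, is a deprovisioning gap. The script below is an added example, not code from the article or from Quest/Dell; the HR records, account records and dates are constructed for illustration, and the field names are assumptions about what an HR and a directory export would carry. It flags exactly the pattern Sander describes (a departed person's account still in use) as well as accounts with no HR owner at all, which nobody's departure will ever disable.

```python
"""Joiner/mover/leaver reconciliation: flag accounts that deprovisioning missed
by comparing a directory export with the HR roster (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                             # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]              # None: no HR owner on record (service/shared account)
    enabled: bool
    last_logon: Optional[date]


def find_deprovisioning_gaps(hr: List[HrRecord], accounts: List[Account],
                             today: date, grace_days: int = 1) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs. grace_days tolerates the normal lag
    between HR recording a termination and the directory being updated."""
    by_id = {r.employee_id: r for r in hr}
    findings = []
    for acct in accounts:
        if acct.employee_id is None:
            # Nobody in HR owns this account, so no leaver event will ever disable it.
            findings.append((acct.username, "no-hr-owner"))
            continue
        rec = by_id.get(acct.employee_id)
        if rec is None:
            findings.append((acct.username, "employee-id-not-in-hr"))
            continue
        if rec.status != "terminated" or rec.termination_date is None:
            continue
        if acct.enabled and today - rec.termination_date > timedelta(days=grace_days):
            findings.append((acct.username, "enabled-after-termination"))
        if acct.last_logon is not None and acct.last_logon > rec.termination_date:
            # Someone is still using the credentials of a person who has left:
            # the shared-account pattern described in the article.
            findings.append((acct.username, "logon-after-termination"))
    return findings


# Constructed sample data (not from the article).
TODAY = date(2012, 10, 23)
HR = [
    HrRecord("1001", "active"),
    HrRecord("1002", "terminated", date(2010, 3, 31)),
    HrRecord("1003", "terminated", date(2012, 10, 22)),
]
ACCOUNTS = [
    Account("alice", "1001", True, date(2012, 10, 22)),
    Account("bob", "1002", True, date(2012, 10, 20)),        # left in 2010, still enabled and in use
    Account("carol", "1003", True, None),                    # left yesterday, inside the grace window
    Account("svc-backup", None, True, date(2012, 10, 23)),   # no HR owner at all
    Account("dave", "9999", False, None),                    # employee id unknown to HR
]


def sample_findings() -> List[Tuple[str, str]]:
    return find_deprovisioning_gaps(HR, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Run as a scheduled job against nightly exports rather than once a year before the audit: the "logon-after-termination" finding is the one that tells you a password is being shared, and it is invisible to a review that only lists which accounts exist.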

3. Automating Bad Processes
Many security vendors will tell you that automation is the magic salve that will cure just about any compliance- or security-related sickness, including those around identity and authentication. But the truth is that if the organization hasn't intelligently addressed the business processes they're planning on automating, a set-and-forget automation technology may make the problem worse.

"In large companies, identity-related processes can be so complex and touch so many people that people don't know how to fix an inefficient or broken process or where to start," says Frank Villavicencio, executive vice president at Identropy. "Unfortunately, what usually ends up happening is that instead of determining a better way to do it, they automate a process that no longer serves the needs of the business."

On top of that, the automation technique itself needs to be thought through. According to Stuart McClure, CEO of security startup Cylance, when he ran the IAM team at Kaiser Permanente, that team built a lot of Web applications to scale the on-boarding process. That was good for automation but bad for security: every self-service application that could create an identity was also a new attack surface.

"With an ID, of course you could get email and internal resources," he says. "But it was quite easy to perform a Web attack against the applications that automated the user."

4. Thinking IAM Serves End Users Only
When enterprises buy into IAM products and processes, they will curse themselves later if they treat only their own employees as the account-holders seeking legitimate access to data.

"One mistake enterprises make is buying IAM only to address the needs of employees," says David Baker, CSO of Okta, "and not thinking about how to make access and usage of customer and partner facing applications better to improve satisfaction and increase revenue."

Successful enterprises tend to take a comprehensive approach to IAM that not only covers all applications and devices, but also all users, whether they're employees, partners, or customers, he says.

"And that can change easily over time as their infrastructure, apps, and people change," he says. "IAM solutions should scale to address not only the needs of internal employees, but of customers and partners as well."

5. Rushing Into Unsupportable Infrastructure
We've all heard the horror stories around costly IAM projects that burn through a lot of cash and eventually fizzle into failure. Organizations must vet IAM platforms for ease of implementation and ease of use to ensure that once the technology has been purchased, it actually gets used.

"Many companies purchase IAM solutions -- only to hold off on implementation because they find they are too complex to integrate with existing applications, too," says Baker, explaining that security should be only one part of the product evaluation process. "We've found it to be absolutely critical that IAM solutions are easy to use and implement so that you will actually get value out of them."

Additionally, organizations have to understand what maintaining that IAM infrastructure over its life span will take, particularly where customizations are concerned. Villavicencio suggests organizations follow an 80/20 rule.

"Assuming that your IAM solution leverages vendor-supplied technology, 80 percent of the functionality in the infrastructure should be standard functionality of the product, and 20 percent should be customized functionality," he says. "Beyond this balance, the infrastructure quickly becomes unsupportable -- just wait for the first upgrade cycle."

6. Ignoring Politics
While the technology may play a big role in the success or failure of an IAM process, politics may play an even more fundamental part.

"The technical part is the easy part," says Dave Mahdi, senior manager of product marketing for Entrust. "It's getting all of the business stakeholders to agree and to have an executable, realistic action plan. IAM is just as much, if not more, about the people and processes than the technology."

Villavicencio agrees. As an example, the provisioning and deprovisioning of accounts is so tightly bound to the overall process of on-boarding or terminating employees that failing to liaise with human resources would be fatal to the project.

"[This] project must have the appropriate support from human resources, with active support from stakeholders -- particularly during the requirement analysis and design phases," he says, explaining that failing to involve these stakeholders is one of the most common reasons why IAM initiatives fail.

7. Not Knowing The Difference Between Authentication And Authorization
Plenty of ink has been spilled on authentication -- technological mechanisms such as two-factor authentication, tokens, biometrics, and so on. But what often gets forgotten and taken for granted in the whole IAM picture is the equally important process of authorization, says David Gibson, vice president of strategy for Varonis.

"When it comes to authorization, organizations assume, incorrectly, that their security groups are aligned with their data -- reviewing security groups' memberships, by itself, is enough to manage authorization -- and that they are keeping track of which data sets belong to a business unit or business owner," he says.

Effective authorization matters just as much as authentication in the IAM picture: group membership only tells you who is in a group, not which data that group can reach, and without that mapping the rule of least privilege quietly turns into no rules and all privileges.
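Gibson's point is easiest to see by computing effective access rather than reading group membership lists. The example below is added here and is not code from the article or from Varonis; the group nesting, ACL entries and data-set owner table are constructed, and the way they are modelled (plain dicts keyed by principal name) is an assumption rather than any product's format. It expands nested groups into the set of users who can actually reach each data set, lists the users a "review the group's members" pass would never see because they arrive through a nested group, and reports data sets that have no business owner on record.

```python
"""Effective-access review: expand nested groups into the users who can really
reach each data set (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, List, Set


def expand_group(group: str, groups: Dict[str, Set[str]], _seen: Set[str] = None) -> Set[str]:
    """All users reachable from `group`, following nested groups and tolerating cycles."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)
    users: Set[str] = set()
    for member in groups.get(group, set()):
        if member in groups:                       # nested group: recurse
            users |= expand_group(member, groups, _seen)
        else:                                      # leaf principal: a user
            users.add(member)
    return users


def effective_access(acls: Dict[str, Dict[str, Set[str]]],
                     groups: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """acls maps data set -> {principal: rights}. Returns data set -> {user: rights}."""
    result = {}
    for dataset, entries in acls.items():
        per_user: Dict[str, Set[str]] = defaultdict(set)
        for principal, rights in entries.items():
            members = expand_group(principal, groups) if principal in groups else {principal}
            for user in members:
                per_user[user] |= set(rights)
        result[dataset] = dict(per_user)
    return result


def indirect_grantees(acls, groups) -> Dict[str, Set[str]]:
    """Users with access to a data set who are NOT direct members of any principal on its ACL.
    These are the people a membership-only review of the ACL'd groups misses."""
    hidden = {}
    for dataset, entries in acls.items():
        direct: Set[str] = set()
        for principal in entries:
            if principal in groups:
                direct |= {m for m in groups[principal] if m not in groups}
            else:
                direct.add(principal)
        hidden[dataset] = set(effective_access({dataset: entries}, groups)[dataset]) - direct
    return hidden


def unowned_datasets(owners: Dict[str, str], acls) -> List[str]:
    """Data sets that no business unit or owner has claimed."""
    return sorted(ds for ds in acls if ds not in owners)


# Constructed sample data (not from the article).
GROUPS = {
    "Finance-Readers": {"alice", "All-Staff"},          # All-Staff was nested in years ago
    "All-Staff": {"alice", "bob", "carol", "Contractors"},
    "Contractors": {"dave"},
    "Finance-Admins": {"erin"},
}
ACLS = {
    "fs01/finance": {"Finance-Readers": {"read"}, "Finance-Admins": {"read", "write"}},
    "fs01/hr-archive": {"bob": {"read", "write"}},
}
OWNERS = {"fs01/finance": "Finance"}

if __name__ == "__main__":
    for ds, users in effective_access(ACLS, GROUPS).items():
        print(ds, {u: sorted(r) for u, r in sorted(users.items())})
    print("reached only via nesting:", indirect_grantees(ACLS, GROUPS))
    print("no owner on record:", unowned_datasets(OWNERS, ACLS))
```

Reviewing Finance-Readers' membership shows two entries, alice and a group; only the expansion reveals that a contractor can read the finance share, and only the owner table tells you who should be asked whether that is acceptable.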

Comments
RWEEKS000, User Rank: Apprentice
10/24/2012 | 7:19:57 PM
re: 7 Costly IAM Mistakes

Many organizations implement IAM solutions to automate user provisioning -- an administrative step that ensures user access rights align with business processes from the start; then companies perform periodic reviews or certifications -- say, every three, six, nine, 12 months -- to certify that those access rights are in order. Why? Because that is when auditors check on it. This is a big mistake that organizations make, only certifying access when needed for an audit. Many things change between the provisioning step and the certification reviews that can introduce access risk: business changes, infrastructure changes, regulatory changes, new resources coming on line, new roles, policies, rights changes, hirings, firings, transfers -- even terrorists and hackers mobilizing.

This creates a huge identity and access management gap that leaves an organization's sensitive company information at risk to internal and external threats. To avoid mistakes, organizations need a system that identifies and evaluates risk in real-time in order to improve security, demonstrate compliance and manage access risk.

Rachel Weeks, Courion
