Thursday, January 27, 2011

Access Controls, Then and Now


For the past two years I've been telling anyone who will listen that ineffective IT access controls represent an ongoing security vulnerability as well as a compliance liability for many regulated firms. The Ponemon Institute has published a survey that not only confirms what I've been saying, but shows that it's getting worse. What a surprise.

Here's how Ponemon summarizes the problem:

When employees, temporary employees, contractors and partners have inappropriate access to information resources -- that is, access that violates security policies and regulations or that is inappropriate for their current jobs -- companies are subject to serious compliance and business risks.


Fair enough. But many enterprises and security-conscious organizations have a "least privilege" policy to ensure that, as regulations and best practices require, users are provided access to ONLY those resources for which they have a legitimate business need. Doesn't that prevent the inappropriate access referred to above?

Not really. Although least privilege sounds simple enough, in practice it has proven extraordinarily difficult to achieve. This is especially true in dynamic enterprise environments, where activities related to onboarding, offboarding, outsourcing, partnering, and use of contractors threaten to overwhelm whatever business processes exist. These challenges are exacerbated by the coordination required between line-of-business managers, IT staff, HR, security, and compliance staff to manage access controls. In fact, Bruce Schneier, a prominent security guru, states unequivocally that perfect access control just isn't possible.

Schneier must be on to something. The Ponemon survey, sponsored by Aveksa, found that most relevant metrics for access management are trending down. Here are the top two findings:
  • User access rights continue to be poorly managed. Eighty-seven percent of respondents believe that individuals have too much access to information resources that are not pertinent to their job description - up nine percent from the 2008 study.
  • Organizations are not able to keep pace with changes to users' job responsibilities and they face serious noncompliance and business risk as a result. Nearly three out of four organizations (72 percent) said they cannot quickly respond to changes in employee access requirements; and more than half (52 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.
What's at risk when access controls are ineffective? Survey respondents' concern was highest for company applications, intellectual property and general business information. Not to mention audit findings.

So what's the primary cause of poor performance in IT access management? A plurality of respondents say "We cannot keep up with our organization's information resources." This is consistent with Schneier's observation that organizations are simply too chaotic to make it work. So what should be done?

According to the IAM experts, this is where access certification comes in. Here's what Aveksa has to say about access certification:

Good access governance requires the regular review and certification of user entitlements and roles to ensure that access rights to enterprise information assets are appropriate and meet regulatory mandates and guidelines for Sarbanes Oxley, PCI, GLBA, MAR, FERC/NERC, Basel II and HIPAA compliance.


Many IAM solution providers have integrated modules to help you with your access certification. The problem is, this level of certification -- while important -- involves a review of the rather complicated matrix of staff and roles/entitlement assignments that have overwhelmed organizations in the first place.

It's not as if organizations don't know they have probable vulnerabilities: the vast majority say it's "likely" that users are over-entitled.

Here's what we can conclude: Organizations suspect that their users have more access than is required, a clear violation of compliance regulations as well as a security risk. And auditors have proven their worst fears, as excessive access rights have remained the top audit finding for years. So we know that organizations are motivated to solve this problem. But despite the availability of comprehensive role-based access control IAM systems, regulated enterprises apparently still do not have the right tools to manage access controls. What they are missing is feedback that quantifies the effectiveness of their access controls.

Current approaches have obviously failed to achieve the desired and necessary level of security and compliance. That's why Cloud Compliance, my prior company, was formed -- to address this and related access audit issues through an innovative SaaS-based capability called Identity and Access Assessment (IdAA). Cloud Compliance provided visibility into not just who is accessing what, but who should access what. And when excessive access rights inevitably occur, Cloud Compliance analytics would help determine the root cause and effective remediation strategies.
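To make the "who is accessing what versus who should access what" comparison concrete, here is an added example (not code from the original post, Cloud Compliance or Aveksa): provisioned entitlements are reconciled against a least-privilege role model, flagging rights left over from a job change, orphaned access after offboarding, and an aggregate over-entitlement rate of the kind a certification review could track as feedback. All users, roles and entitlement names are constructed.

```python
"""Entitlement reconciliation against a least-privilege role model.

Added example; the role model, users and entitlement names are constructed
sample data, not real systems.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed least-privilege model: the entitlements each job function needs.
ROLE_MODEL: Dict[str, Set[str]] = {
    "accounts_payable": {"erp.invoices.read", "erp.invoices.approve"},
    "sales_rep": {"crm.accounts.read", "crm.quotes.write"},
    "contractor_dev": {"git.read", "ci.build"},
}


@dataclass
class User:
    uid: str
    job: Optional[str]                       # None = no longer in HR (offboarded)
    entitlements: Set[str] = field(default_factory=set)


def assess(users: List[User]) -> Tuple[Dict[str, Tuple[str, List[str]]], float]:
    """Return per-user findings and the share of provisioned rights that exceed need."""
    findings: Dict[str, Tuple[str, List[str]]] = {}
    total = excess = 0
    for u in users:
        needed = ROLE_MODEL.get(u.job, set()) if u.job else set()
        over = u.entitlements - needed        # anything not justified by the job
        if u.job is None and u.entitlements:
            kind = "orphaned"                 # offboarding gap: HR says gone, access remains
        elif over:
            kind = "over_entitled"            # e.g. rights kept after a job change
        else:
            kind = "ok"
        findings[u.uid] = (kind, sorted(over))
        total += len(u.entitlements)
        excess += len(over)
    rate = excess / total if total else 0.0   # the quantified feedback the post calls for
    return findings, rate


# Constructed sample: bob moved from accounts payable to sales and kept an
# approval right; carol is a contractor who left but still has repository access.
SAMPLE_USERS = [
    User("alice", "accounts_payable", {"erp.invoices.read", "erp.invoices.approve"}),
    User("bob", "sales_rep", {"crm.accounts.read", "crm.quotes.write", "erp.invoices.approve"}),
    User("carol", None, {"git.read"}),
]

if __name__ == "__main__":
    report, over_rate = assess(SAMPLE_USERS)
    for uid, (kind, extra) in report.items():
        print(f"{uid}: {kind} {extra}")
    print(f"over-entitlement rate: {over_rate:.0%}")
```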

Saturday, January 1, 2011

Schubert

My favorite Schubert piano sonata is # 14 in A minor, D.784 (played by Mitsuko Uchida, a piano goddess). It starts by gently probing in the far reaches of our soul, asking ineffable questions that are of the sort one might ponder between dreams. Gradually we are drawn into the A minor universe, rising and falling on the swells of Schubert’s growing tempest. Through the first two movements the dialog progresses as a series of rising storms, sublime wind and currents that dance around themes noble and eternal—separated by interludes of sunlight, not just illumination but light that warms our hearts and enlightens our heads. Urgently and inexorably the melody pushes forward, increasing tension until it can increase no more and then, like a crossbow pulled back one more notch—is it possible?—and then another, and yet another! Finally the third and final movement (allegro vivace) resolves all the built-up tension, thunder and crossbow bolts filling the air with color, pulsing in strict accordance with the inexorable rhythm of the universe, and just as we bring ourselves into confident sync there’s the briefest pause—almost imperceptible—where the force behind the tides of the oceans and orbits of the planets gathers itself for the ecstatic finale. Somehow we’ve journeyed to the far reaches in just under 24 minutes, returning cleansed, fulfilled. I love Schubert's music.

I didn’t really know much about Schubert until a few years ago. And I wasn’t really attracted to classical piano music other than the odd concerto. Too boring compared to instruments that appeal to the ear such as a violin, which when expertly played could bring an audience to tears with a single note. The plaintive tone of an oboe, the rich warmth of the cello, the energy and passion of the brass all strike deeply within whereas the piano seemed to just offer notes. But, inspired by Thomas Mann (Doctor Faustus, chapter VIII) I decided to try again to appreciate the piano—the instrument, unlike all others, for beyond the senses, where what is heard is the noble, intellectual content of the music. Soon I had 10 hours of Beethoven and 9 hours of Schubert piano sonatas on my iPod.

How to deal with so much new music? With Beethoven, it was easy. Of his 32 piano sonatas, 8 or 9 of them became popular enough to have been named (Moonlight, Waldstein, Appassionata, etc.). So I focused on listening to and understanding the named Beethoven piano sonatas as a start.

Schubert was more difficult. I didn’t know where to start, and he didn’t have a list of named sonatas to work with. And so, one Saturday while Jo was in PA, as I was working at home all day, I listened to all 9 hours of Schubert piano sonatas. When I heard a theme or phrase I particularly liked I wrote down the sonata that was playing. At the end of the day I had four Schubert piano sonatas to start with.

How do we learn to like pieces of music? For me, the only way is repetition. It takes at least 3 and sometimes 5 or more hearings before I have reached any level of familiarization with any but the simplest tunes. And while we’re at it, what is it about some music that we like and other music that we’re not attracted to? In “This Is Your Brain On Music” the author (Daniel J. Levitin) makes the case that one of the attributes of music sophisticated listeners find pleasing is its complexity (within the constraints that make it music rather than noise, such as timbre, tempo, etc.). While it’s true that such a theory explains why repeated hearings are required to fully embrace a piece of music, on the whole I found that explanation unsatisfying. The opening bars of Beethoven’s Moonlight Sonata are anything but complex, yet we’re attracted to it nonetheless.

It seems to me there are at least two elements of satisfying music: its beauty; and how deeply it touches us, or moves us. And I would think that individuals with different tastes are more likely to agree as to the beauty of a piece of music based on its having a pleasing melody along with well regulated harmony, structure and tempo as per prevailing forms.

But what is it in music that moves us? Personally, for example, I find overwhelming beauty in Bach. I love the St Matthew Passion, the Mass in B minor, Goldberg Variations, Musical Offering, Cello Suites, and others—and listen to them often. But Bach rarely moves me. Same with Mozart; there's beauty, but not much in the way of passion. But Beethoven, Brahms and Schubert do indeed move me with their beautiful music. Why is that? And why is it that someone else might be moved by Bach and Mozart, but not Schubert? Dr. Oliver Sacks researches this very topic from a neurological point of view, and shows various portions of the brain “lighting up” more when listening to that music which moves us (in Dr. Sacks’ case, that’s Bach). But I suspect the neurological view is more of the “what” rather than the “why”. Sacks touches on this when he suggests that music is able to reach the oldest, pre-verbal portions of our brain and thus elicit a primal response.

I started playing the four Schubert piano sonatas that somehow made an impression the first time I heard them—sonata #20 in A, sonata #7 in E-flat, and sonata #142 (which, published posthumously, is actually a collection of four impromptus) along with sonata #14 in A minor referred to above. And after listening to them a few times, I found myself drawn to them more and more strongly. I discovered that Schubert’s piano sonatas had the ability to transport me in a way that other pieces could not. I went back and selected other Schubert sonatas to listen to, and my collection of “moving” Schubert piano sonatas began to grow: I’ve now got about 7 or 8 that I listen to on a regular basis.

The following year I got some Schubert chamber music. Now I have added to my collection of Schubert favorites his “Trout” piano quintet, several string quartets (including “Rosamunde” and “Death and the Maiden”) and the famous Cello Quintet (also published posthumously—he died young—and cited by Wikipedia as deeply sublime, with moments of unique transcendental beauty, and the “high point in the entire chamber repertoire”). In the documentary "Music From the Inside Out", Philadelphia Symphony concertmaster David Kim says the best thing about his career now that he's no longer performing by himself as a traveling violin virtuoso is that he gets to play the Schubert Cello Quintet in a chamber group, which he could never do before.

Schubert’s liturgical music is beautiful, especially his masses; my favorite mass is Schubert’s Mass in E-flat major, although Beethoven's Missa Solemnis, Kodály's Missa Brevis, and of course Bach’s Mass in B minor are favorites as well.

While Schubert in general seems to move me the most, I have found other pieces that do as well: Brahms cello sonata #1, piano quintet in F, string quintet in G, and his sacred choral music; Beethoven’s piano sonata favorites include Moonlight, Waldstein, Appassionata, Tempest and Hammerklavier; I also like his violin sonatas, especially Frühlingsonate and Kreutzer, and his string quartet in F, op. 135. And among the Russians I am especially moved by Tchaikovsky’s Rembrandt Trio and Rachmaninov’s cello sonata and piano concerto #2.

But mostly it's Schubert. He left a fairly large body of work considering the fact he died young (at age 31). He was buried next to Beethoven, whom he greatly admired and who had died the previous year. Many of his manuscripts weren’t found until after he died, and his popularity increased gradually as Robert Schumann and Franz Liszt, among others, transcribed, arranged and promoted his work. On the 100th anniversary of Schubert’s birth in 1897 Vienna celebrated with ten days of Schubert concerts. Imagine that!