Friday, April 23, 2010

Beethoven

I've been reading a biography of Beethoven, and came across a remarkable passage that I thought was worth sharing. The year is 1810; a prominent music critic, E. T. A. Hoffmann, has reviewed Beethoven's Fifth Symphony in the Allgemeine Musikalische Zeitung where he calls it "one of the most important works of the time". Hoffmann then attempts to set Beethoven in context:
In Haydn's compositions the expression of a youthful, light-hearted spirit is dominant. His symphonies lead us into an infinite green grove, in a cheerful, gaily colored throng of merry people. Mozart leads us into the depths of the spiritual world. Fear grips us, but without torment; it is more a foreboding of the eternal... Beethoven's instrumental music also opens up to us the world of the immense and infinite. Glowing rays of light blaze through the dark night of this world and we are made conscious of gigantic shadows which surge up and down, gradually closing in on us more and more, annihilating everything within us, except the torment of endless longing... Beethoven bears deep within his nature the romantic spirit of music, which he proclaims in his works with great genius and presence of mind. Your reviewer has never felt this so clearly as in this particular symphony which, more than any other of his works, unfolds Beethoven's romantic spirit in a climax rising straight to the end and carries the listener away irresistibly into the wondrous spirit world of the infinite.
Beethoven himself said of his muse:
You will ask me where I get my ideas. That I cannot tell you with certainty; they come unsummoned, directly, indirectly -- I could seize them with my hands -- out in the open air, in the woods, while walking, in the silence of the night, early in the morning, incited by moods, which are translated by the poet into words, by me into tones that sound, and roar and storm about me until I have set them down into notes.

The Problem with Entitlements and Access Controls


Ronald Reagan famously said "Trust, but verify". He could very well have been talking about entitlement management systems, which manage authorization to critical applications and other IT resources. Such systems are trusted to maintain control over entitlements (also called privileges or access rights). However, the systems themselves rarely have verification or assessment capabilities. This may be adequate for smaller organizations or enterprises where roles change infrequently. But the dynamic nature of most enterprises -- with layoffs, restructurings, aggressive use of contractors and other service providers -- makes assessment not only prudent, but necessary to ensure effective access controls and audit compliance.

Entitlements
Deloitte, in The 6th Annual Global Security Survey, reports that excessive entitlements, also known as excessive access rights, were the top audit finding over the past year -- for the second year in a row! In other words, the failure of a fundamental access control, one that represents both a compliance exposure and a security vulnerability, was the top audit finding in 2007 and, despite all the attention that garnered, was again the top audit finding in 2008 (the latest year for which survey data exist).

Since all major regulatory frameworks, including SOX, PCI DSS, GLBA, NERC and HIPAA, require access controls, many thousands of companies are obligated to prevent excessive access rights and yet, according to the Deloitte survey, have failed to effectively do so.

Not only are excessive access rights the top audit finding, but IDC states that such vulnerabilities result in major financial exposure -- and that up to 60% of rights on most systems are expired and therefore dormant. The problem is that IT and security staff at most companies don't know that these dormant rights (and the dormant accounts that hold them) exist -- or more precisely, they suspect they exist but don't know how to find or remediate them.

Why is this a hard problem to solve?

Access Controls in the Real World
A paper written by a team at Dartmouth describes observations from field-study research at both retail and investment banks. The study was more in-depth than most surveys we hear about; for example, the study team was embedded for three weeks in the security group of an investment bank. The report focuses primarily on internal access controls and the risks of over-entitlement, and it directly addresses the challenge of effectively managing access controls.

What they found was that the frequent shifting of staff from one department or role to another often results in users accumulating entitlements over time. Part of the problem is this: entitlement management systems assume that an employee's direct supervisor can make informed decisions about which entitlements the employee needs to do the job. But as the Dartmouth team points out:
"As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access."
This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1:
Figure 1: Privileging in traditional hierarchical corporate structures (left) vs. in dynamic, "matrixed" organizations (right). An arrow represents a supervising relationship (a directed graph). Note that on the left each person has exactly one direct supervisor, whereas on the right each may have two or more.

And even if the corporate structure and reporting relationships are clear in all cases, the sheer scale and complexity make entitlement management a big problem, as shown in Figure 2:
Figure 2: Complexity and dynamism in entitlement systems. The number of applications, entitlements and users makes it a large-scale problem, and the number of daily modifications makes it a fast-moving target.

The biggest challenge isn't the massive number of entitlements and users, however, but the highly dynamic nature of employees and organizational structure within the firm.

Conventional wisdom holds that role-based access control (RBAC) systems are the answer. By grouping entitlements into roles that correspond to work groups or job functions, rather than granting entitlements to employees one at a time, RBAC systems make the entitlement management process more tractable. But the size, complexity and dynamic nature of many large enterprises make role-based access control challenging, to say the least. Quoting from the Dartmouth study:
"At one very large retail bank that we interviewed, the CISO had recently completed an RBAC project creating 11,000 roles across the firm to control access to nearly 22,000 applications. Developing the roles took a team two years and the ongoing review process was expected to be significant."
In the real world, access rights are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometimes undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business (LOB) staff, and IT exacerbate the problem.

Managing Entitlements
Andrew Jaquith, an analyst at Forrester, in his book Security Metrics states:
"Today's information security battleground is all about entitlements -- who's got them, whether they were granted properly, and how to enforce them."
Companies large and small employ different approaches to entitlement management, with equal lack of success. Mostly, they do manual reviews of entitlements prior to audits by going through HR records, reviewing application logs, and interviewing LOB managers -- a process inevitably referred to as a fire drill. Other approaches to entitlement management include development of custom reports for SIEM and log management systems, network-based user activity monitoring, and RBAC systems.

The management challenge is to determine what's a reasonable target level of excessive access rights in terms of percentage of overall rights granted, and then ensure that solutions are in place to consistently keep actual excessive access rights on or below the target. It's more expensive to establish an excessive access rights target of 2% than of 4%, for example. Therefore, management must determine what level constitutes "enough" security, doesn't break the budget or put an undue burden on IT or line-of-business staff, and yet meets the compliance requirements as measured by auditors. What auditors are looking for is a sustainable, measurable process that demonstrates visibility (can the company detect when and where it has excessive access rights?) and the ability to remediate problems when they occur (can the company eliminate excessive access rights within a reasonable amount of time from their detection?).

Tuesday, April 13, 2010

Top IT Audit Findings

In a prior post I referred to the 2008 Deloitte survey which reported that excessive access rights have been the top audit finding for each of the past two years. Of all the security-related issues that IT auditors investigate, excessive access rights -- also known as over-entitlements, or failure to maintain least privilege -- was the most common vulnerability uncovered. Here's a chart showing the top 8 internal/external audit findings for 2007 and 2008, ranked by percentage of respondents citing findings in each category, with a brief explanation how my prior company, Cloud Compliance, would have addressed each issue:
Deloitte Top IT Audit Findings
Excessive access rights. Note that despite the improvement from 2007, excessive access rights remained the top audit finding in 2008 as reported in an earlier post. Part of the reason that excessive access rights has been the top finding for the past two years is that auditors have raised the standard, from evidence of the existence of a process to evidence that the process is effective.  Due to the urgency of this issue, and the lack of effective solutions available, this was an initial focus of Cloud Compliance.
Segregation of duties. Segregation of duties, also referred to as separation of duties and abbreviated SoD, is one of the most fundamental concepts of security and control, and also one of the most difficult to achieve. Cloud Compliance's innovative 3-layer rights model enabled definition of benchmark rights, where SoD concepts are embodied. Our analytics could report on inconsistencies between benchmark rights, provisioned rights and actual rights as detected by access activity, in order to assure continued compliance with key segregation of duty principles.
Access control compliance with procedures. This audit issue is closely related to excessive access rights; access control is required to prevent users without appropriate rights from accessing audited resources. Cloud Compliance's Identity and Access Assessment (IdAA) solution was able to determine if access controls were effective. 
Lack of audit trails/logging, lack of documentation of controls, and lack of review of audit trails. I'm grouping these three top findings together because they represent the facet of access audit where technology and process come together. Application logs, which represent the most effective way to determine user access activity, are an essential tool for ensuring that access controls are compliant. And reports that list who has access to what, along with who should have access to what, become critical components of how access controls are documented. 
Excessive developers' access to production systems and data. This audit finding is challenging to address, because it's unrealistic in most operating environments to completely block developers from accessing production systems for troubleshooting and critical maintenance operations. The objective, then, is not to prevent such access but to note when it's risen to an "excessive" level. Cloud Compliance addressed this by allowing a policy to be defined where a reasonable max level of developer access to production systems could be specified, along with a lower threshold for an early warning system. Access levels could then be compared to historical equivalents for trend analysis as well. 
Lack of clean-up of access rules following a transfer or termination. There's a clever vendor that claims to "take the SH out of IT". One of the reasons that there's an SH in IT in the first place is the typical IT department's need to manage rights and access rules in a real-world environment with re-orgs, restructurings, layoffs, role re-definitions and transfers. Especially transfers. Because transfers are not a discrete event so much as a process where an employee has overlapping responsibilities between new job and old job -- and therefore must maintain access rights for both jobs. And the duration of the overlap can't be determined in advance. Cloud Compliance's advanced analytics examined user activity to determine when a user's rights to resources required for a previous role could be de-provisioned -- which ideally would be before an auditor happened to discover excessive access rights.
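The findings above (segregation of duties, excessive developer access to production, and clean-up after transfers), together with the target-percentage discussion under Managing Entitlements, all reduce to the same assessment: compare benchmark rights (what a role should carry), provisioned rights (what the systems grant) and actual rights (what the logs show being exercised). The script below is an added example written for this post; it is not code from the post or from Cloud Compliance's product. The roles, entitlement names, users, SoD rules, log-line format, the 90-day dormancy window and the 4% target are all constructed assumptions chosen to exercise each finding, including a transferred user who kept an old-role right that now conflicts with her new one.

```python
from datetime import datetime, timedelta

# All data below is constructed for illustration; nothing here is real or from the post.
AS_OF = datetime(2010, 4, 23)  # assessment date (assumed)

# Layer 1: benchmark rights, the entitlements each role is supposed to carry.
ROLE_BENCHMARK = {
    "ap_clerk":   {"ap.create_vendor", "ap.enter_invoice"},
    "ap_manager": {"ap.approve_payment", "ap.view_reports"},
    "developer":  {"git.push", "ci.deploy_staging"},
}

# Segregation-of-duties rules: pairs one person must never hold together.
SOD_CONFLICTS = [
    {"ap.create_vendor", "ap.approve_payment"},
    {"ap.enter_invoice", "ap.approve_payment"},
]

# HR view: current role and status for each user (assumed).
USERS = {
    "alice": {"role": "ap_manager", "status": "active"},      # transferred from ap_clerk
    "bob":   {"role": "ap_clerk",   "status": "active"},
    "carol": {"role": "developer",  "status": "active"},
    "dave":  {"role": "developer",  "status": "terminated"},  # left, never de-provisioned
}

# Layer 2: provisioned rights, what the systems actually grant today.
PROVISIONED = {
    ("alice", "ap.create_vendor"),   # leftover from her old role; conflicts with approve
    ("alice", "ap.approve_payment"),
    ("alice", "ap.view_reports"),
    ("bob",   "ap.create_vendor"),
    ("bob",   "ap.enter_invoice"),
    ("carol", "git.push"),
    ("carol", "ci.deploy_staging"),
    ("carol", "prod.db_admin"),      # developer access to production, outside benchmark
    ("dave",  "git.push"),
}

# Layer 3: actual rights, reconstructed from application log lines (constructed format).
ACCESS_LOG = """\
2010-04-20T09:12:03Z user=alice app=ap action=approve_payment result=ok
2010-04-21T10:40:11Z user=alice app=ap action=view_reports result=ok
2010-01-05T08:00:00Z user=alice app=ap action=create_vendor result=ok
2010-04-22T11:02:45Z user=bob app=ap action=enter_invoice result=ok
2010-04-22T14:30:09Z user=carol app=git action=push result=ok
2010-04-19T16:15:00Z user=carol app=prod action=db_admin result=ok
"""


def parse_access_log(text):
    """Return {(user, 'app.action'): last time that entitlement was exercised}."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        key = (kv["user"], f"{kv['app']}.{kv['action']}")
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when
    return last_seen


def assess(as_of=AS_OF, window_days=90, target_pct=4.0):
    """Compare the three layers and return the findings plus the excessive-rights rate.

    A provisioned right counts as excessive if its holder is terminated, if it lies
    outside the benchmark for the holder's current role, or if it has not been
    exercised within the window (dormant). SoD violations are reported separately
    because they are a policy breach regardless of usage.
    """
    actual = parse_access_log(ACCESS_LOG)
    cutoff = as_of - timedelta(days=window_days)
    findings = {"terminated": set(), "beyond_benchmark": set(), "dormant": set(), "sod": set()}
    held = {}
    for user, ent in PROVISIONED:
        held.setdefault(user, set()).add(ent)
        info = USERS[user]
        if info["status"] != "active":
            findings["terminated"].add((user, ent))
            continue
        if ent not in ROLE_BENCHMARK[info["role"]]:
            findings["beyond_benchmark"].add((user, ent))
        seen = actual.get((user, ent))
        if seen is None or seen < cutoff:
            findings["dormant"].add((user, ent))
    for user, ents in held.items():
        for pair in SOD_CONFLICTS:
            if pair <= ents:
                findings["sod"].add((user, frozenset(pair)))
    excessive = findings["terminated"] | findings["beyond_benchmark"] | findings["dormant"]
    pct = 100.0 * len(excessive) / len(PROVISIONED)
    findings["excessive_pct"] = round(pct, 1)
    findings["within_target"] = pct <= target_pct
    return findings


if __name__ == "__main__":
    report = assess()
    for kind in ("terminated", "beyond_benchmark", "dormant", "sod"):
        for item in sorted(report[kind], key=str):
            print(f"{kind:17} {item}")
    print(f"excessive rights: {report['excessive_pct']}% "
          f"(within {4.0}% target: {report['within_target']})")
```

On this constructed data five of the nine provisioned rights are excessive (about 56%, in the range IDC cites), and alice's retained ap.create_vendor shows up three ways at once: beyond her current benchmark, dormant since January, and an SoD conflict with her new approval right. That triple hit is the normal signature of an unfinished transfer, and the dormant flag is what tells you the overlap period is over and the old right can go.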
My prior company, Cloud Compliance, developed an Identity and Access Assessment (IdAA) solution to address the top IT audit findings as reported by Deloitte. As noted above, our initial solution helped organizations eliminate excess entitlements (also called dormant accounts, or zombie accounts). We identified users with excess entitlements, and provided tools for isolating high levels of over-entitlement by group, business unit or by application. Unfortunately, although we validated customer demand and the lack of competing solutions, we were unable to raise venture capital to scale the company.

Monday, April 5, 2010

Excessive Access Rights


Deloitte, in The 6th Annual Global Security Survey, reports that excessive access rights was the top "internal/external audit finding over the past 12 months" -- for the second year in a row.

What is meant by "excessive access rights", why is it important, and why did it remain the top audit finding in 2008 after all the attention it drew by being the top audit finding in 2007? In other words, why is this a hard problem to solve?

A cornerstone of security best practices -- and therefore of compliance requirements -- is to limit access to critical resources to only those employees and users who have a legitimate business need to access those resources. As a result, most companies adopt a policy of "least privilege" which is intended to restrict users to access only those applications that are required to do their job. See the table below for the relevant least privilege text in each of the major regulatory frameworks:
Least Privilege text
Whereas least privilege is the best practice, excessive access rights result from failing to achieve an idealized implementation of least privilege. And in the real world, completely eliminating excessive access rights is practically impossible.

The management challenge is to determine what's a reasonable target level of excessive access rights in terms of percentage of overall rights granted, and then ensure that solutions are in place to consistently keep actual excessive access rights on or below the target. And the tradeoff in establishing a "reasonable" target is -- you guessed it -- cost. It's more expensive to establish an excessive access rights target of 2% than of 4%, for example. Therefore, management must determine what level constitutes "enough" security, doesn't break the budget or put an undue burden on IT or line-of-business staff, and yet meets the compliance requirements as measured by auditors. What auditors are looking for is a sustainable, measurable process that demonstrates visibility (can the company detect when it has excessive access rights?) and the ability to remediate problems when they occur (can the company eliminate excessive access rights within a reasonable amount of time from their detection?).

Why is this so hard?

In the real world, access rights are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometimes undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business (LOB) staff, and IT exacerbate the problem.

Companies large and small that we have talked to employ different approaches to this issue, with equal lack of success. Mostly, they do manual reviews prior to audits, going through HR records, reviewing application logs, and interviewing LOB managers -- a process consistently referred to as a fire drill. Other approaches include development of custom reports for SIEM and log management systems, and network-based user activity monitoring.

As the Deloitte survey reports -- and customers confirm -- current approaches have failed to achieve the desired and necessary level of compliance. My prior company, Cloud Compliance, was founded to address this specific problem. Unfortunately, we were unable to raise venture funding. And so, as far as I know, there are no available solutions to comprehensively address this issue.