By integrating security and identity management, firms can both streamline compliance and be more secure.
In 2011, organizations are expected to spend more than $4 billion on identity and access management software, according to IDC. They’re also expected to spend more than $2.5 billion on security and vulnerability management software. While there are many great reasons for the investments, there’s certainly no reason for organizations to overspend. Unfortunately, too many do.
Why? First, most enterprises today must comply with a number of regulations: Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, the Federal Information Security Management Act … and the list goes on. Today’s list of security threats isn’t short, either. With sophisticated attacks such as Operation Aurora and botnets now targeting corporate data, and complex worms such as Stuxnet aimed at industrial control systems, it takes a refined and solid defense to keep these risks at bay.
While it’s always a dangerous game to attempt to predict the future, it’s a fairly certain bet that the two trends of increased regulation and increased security threats will not only continue, but intensify. What is harder to calculate is why some organizations will be not only more prepared than others, in terms of stronger security and compliance postures, but also much more cost-efficient in getting there. Why would this be?
We think it comes down largely to approach. Many enterprises believe that if they are compliant, they are secure; or they believe the flip side: if they are secure, they are compliant. That is a very myopic mindset; yet very few organizations hold the broader perspective and manage security and regulatory compliance in as unified a way as they could. The result is that those organizations have many ill-conceived and redundant compliance and security controls in place. For example, how much security data simply lies dormant in log files? How many security events occur on networks that could be used to mitigate attacks, but go unseen? How much more secure would organizations be if they acted on that information?
Consider the 2010 Data Breach Investigations Report from Verizon Business, which found that while 86% of data breach victims had evidence of the breach in their audit logs, 61% of those victims didn’t uncover the breach themselves – they were notified by a third party. How embarrassing. And, unfortunately, the attacks and the embarrassment were completely avoidable. When it comes to compliance, many organizations don’t fare much better. According to the 2009 Deloitte Annual Global Security Survey, excessive access rights are the most common external and internal audit finding.
Organizations can – and need to – do better.
This can be achieved by coalescing security technologies and compliance efforts wherever it makes sense and is possible. Broadly, two classes of technology play critical roles in both compliance and security. Yet these two technologies are often managed separately. The first is identity and access management. Whether it is security, compliance, or just good IT management, knowing who has access to what is foundational. If an employee stays at a company long enough, he or she will eventually be given access to many, many applications and services. And the more rights an employee is given, the harder those rights are to remove when the employee leaves or his or her responsibilities change. This creates both serious security weaknesses and regulatory compliance gaps. That’s why it’s crucial that every organization understands who has access to what and has a certification process in place to validate that access and to assure that employees have the correct access to applications and resources at all times. But, as important as identity and access management is to a well-run enterprise, it’s certainly not enough by itself to keep an organization secure or in compliance.
That brings us to Security Information and Event Management (SIEM) systems. SIEM tools, through identification and integration of security-related information and events, can identify suspicious activities and events in real time. These events include everything from unusual log-on attempts to malicious network activity. This capability is essential for security and compliance mandates. And in today’s age of rapidly changing threats, reports from a three-month-old compliance audit do not get the job done. That’s why security must come first.
What’s needed is a system that provides a real-time, enterprise-wide view of both security- and identity-related events. What does that mean? It means the system constantly correlates identity, access, and security information against policies in real time, as events happen across the IT infrastructure. If anything anomalous is observed, the proper people can be notified immediately. By treating the real-time security event as the catalyst to fix the security gap, organizations mitigate risk much more rapidly: far faster than, say, waiting for a quarterly identity audit.
Such integration can be powerful. Consider the January 2010 case of financial services company Lincoln National Corp., which disclosed a security and compliance policy violation that had serious consequences. It was discovered in August of 2009, not by Lincoln National but by an anonymous tip to the Financial Industry Regulatory Authority (FINRA), which then notified Lincoln National. Soon after the notification, a forensic security company was hired to do an investigation, which revealed that some employees of Lincoln National and one of its subsidiaries, Lincoln Financial Advisers, were using shared usernames and passwords to access the portfolio information management system. Six shared usernames and passwords, which were created as early as 2002, were found.
The only way to find such situations is to have the security capabilities in place to monitor and correlate user identities with their actions. This is made possible by integrating identity and SIEM capabilities, which is the most straightforward way to uncover sharing of usernames and passwords. In the case of Lincoln National Corp., that could have surfaced the problem eight years earlier.
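A minimal illustration of the identity-to-event correlation described above, added here as an example and not part of the original article or any Novell product: it joins constructed logon records with a constructed identity directory and flags accounts used from more hosts than policy allows within a short window (a shared-credential indicator), logons by accounts whose owner has left, and accounts with no accountable owner. The field names, thresholds and data are assumptions.

```python
"""Correlate SIEM-style logon events with an identity directory.
Added illustration; the directory and the log records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity directory (what IAM/HR knows): account -> owner, status
DIRECTORY = {
    "jsmith":   {"owner": "Jane Smith", "status": "active"},
    "bjones":   {"owner": "Bob Jones",  "status": "terminated"},
    "pm_user1": {"owner": None,         "status": "active"},  # generic shared login
}

# Constructed logon records (what the SIEM sees): (timestamp, account, source host)
EVENTS = [
    ("2010-01-04 09:00:00", "jsmith",   "ws-101"),
    ("2010-01-04 09:05:00", "pm_user1", "ws-202"),
    ("2010-01-04 09:07:00", "pm_user1", "ws-315"),
    ("2010-01-04 09:09:00", "pm_user1", "ws-418"),
    ("2010-01-04 09:30:00", "bjones",   "ws-110"),
    ("2010-01-04 10:00:00", "ghost",    "ws-999"),
]

def correlate(events, directory, window=timedelta(minutes=15), max_hosts=2):
    """Return (account, reason) findings; policy thresholds are assumed values."""
    by_account = defaultdict(list)
    for ts, account, host in events:
        by_account[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))
    findings = []
    for account, seq in by_account.items():
        rec = directory.get(account)
        if rec is None:                       # activity with no identity behind it
            findings.append((account, "not in identity directory"))
        elif rec["status"] != "active":       # access that should have been removed
            findings.append((account, f"owner {rec['owner']} is {rec['status']}"))
        elif rec["owner"] is None:            # nobody accountable for the actions
            findings.append((account, "generic account with no accountable owner"))
        seq.sort()
        for i, (t, _) in enumerate(seq):      # distinct hosts in any sliding window
            hosts = {h for u, h in seq[i:] if u - t <= window}
            if len(hosts) > max_hosts:
                findings.append((account, f"used from {len(hosts)} hosts within {window}"))
                break
    return findings

if __name__ == "__main__":
    for account, reason in correlate(EVENTS, DIRECTORY):
        print(f"{account}: {reason}")
```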
Leveraging identity, system logs, and real-time security information in this way makes it much easier to discover when systems fall out of policy compliance, so they can be set right before breaches occur, or before there’s an audit finding. It also makes it possible to successfully execute on an overall risk governance program. In addition to increasing security and compliance, these efforts will cut costs. By correlating all of this information, duplicate processes can be eliminated and ineffective processes improved.
This also makes it possible to better document adherence to security and compliance policy, which streamlines the audit process and cuts additional costs. In the end, organizations can achieve what they need: fewer people running around with clipboards, and an improved, cost-effective path to security and compliance.
**********
Leo Castro brings over 10 years of cross-industry experience, in functional areas including IT Operations and Strategic Planning.
His industry experience includes stints at Applied Materials, Motorola, and A. T. Kearney.
Leo currently oversees solution marketing for Novell’s compliance management solutions, including the integration of those solutions with SAP’s GRC products.
Learn more about Novell at the company’s website: http://www.novell.com/