What should a CSO look for when selecting an identity and access management solution
Founded in 1996, Courion Corporation is the pioneer of risk-driven identity and access management. Seventeen million users across more than 500 organizations rely on Courion’s access risk management technology to align user access privileges with corporate and regulatory governance policies. Courion’s cloud and on-premise solutions provide a full range of identity and access management functionality that improves security, demonstrates compliance and delivers quick time-to-value. For more information, visit www.courion.com or check out our blog at www.courion.com/blog.
Rake Narang: What is causing breaches to rise and what can companies do about it?
Chris Zannetos: Most organizations today have a highly complex infrastructure made up of many applications, systems and networks, all with the potential to expose the company to information security risks if user access is not properly managed. Add in growing trends, like cloud computing and BYOD, which create open environments and leave an organization more vulnerable to breaches as users access information from outside their walls.
For years, organizations turned to traditional Identity and Access Management (IAM) solutions to secure their access to systems and information. These IAM implementations typically started with user provisioning, a process that put controls in place to ensure users were given only the access rights they needed to do their job. Then, the companies would perform periodic reviews or “certifications” – say, every three, six, nine, 12 months – to validate that those access rights were in line with policy.
But here’s the problem: many things change within an organization between the user provisioning step and the certification reviews that can pose serious access risk (i.e. business changes; infrastructure changes; regulatory changes; new resources coming on line; new roles and policies; not to mention hirings, firings and transfers). This creates an identity and access management security gap, or “IAM Gap” for short. Closing this gap requires an understanding of the constant changes in identities, access, activity and information stores – trillions of access relationships in most organizations – that take place in the months between provisioning and certification.
About Chris Zannetos
Christopher Zannetos is the co-founder, president and CEO of Courion, the leader in risk-driven identity and access management (IAM). Zannetos is on the Board of Directors of the Massachusetts High Technology Council, sitting on the Defense Technology Initiative and Education task forces. Before Courion, Zannetos was co-founder and partner at Onsett International, a strategic IT consulting firm. Zannetos has bachelor of science degrees in economics and political science from MIT and a master of science degree in management from the MIT Sloan School of Management.
Rake Narang: Why are companies failing to recognize the IAM gap and what should they be doing to address it??
Chris Zannetos: User provisioning has enabled customers to integrate access right management with the business processes to ensure the right people have only the access they need. Identity & Access Governance has enabled customers to periodically verify that people only have the access that they need. These solutions have added great value to improve information security, but they are discrete, point-in-time controls. Unfortunately the bad guys work in real-time. As customers’ IAM programs mature, they are recognizing this IAM Gap and the associate risk to their organizations.
They recognize that it can be months from the time someone acquires inappropriate or unnecessary access rights and when the organization discovers it through a periodic certification. They understand that customers are the soft underbelly of their entire system – that their credentials are often compromised and the person accessing their systems is not who they believe it to be.
There is growing realization that IAM needs to evolve from discrete to continuous operations, and provide organizations with a method to deeply analyze potential vulnerabilities. By pulling together data on the five elements of access – Identity, Access Rights, Access Policy, Activity and information about the Resources such as applications – customers can gain a deep understanding of access vulnerabilities and areas of non-compliance in real-time. A new form of IAM technology, Identity & Access Intelligence, has emerged to help organizations achieve this.
Rake Narang: What’s the next radical change in Identity Management and Access Governance solutions?
Chris Zannetos: This next wave of IAM solutions, driven by Identity & Access Intelligence, requires some very different technology. Connecting and evaluating these five elements of access in any sizeable organization results in billions, if not trillions, of “access relationships”. Given the magnitude of the problem, the new generation of IAM systems must leverage the kinds of “Business Intelligence” technologies that other areas of the organization have adopted. Specifically, an industrial-strength data warehouse to organize the data, analytic engine to continuously process the information looking for policy violations and security breaches, visualization to communicate these analytics and a proactive IAM system that not only can send real-time notifications but can automatically take actions. This next generation IAM system provides access intelligence which gives organizations insight into what is actually happening in those billions of constantly changing access relationships.
The data warehouse should embody advanced information security, policy, governance domain expertise – implementing intelligence to assist in organizing the information and delivering predictive analytics to analyze access risk throughout your entire organization in real-time. Properly constructed, an access intelligence system like this can uncover deeply embedded policy violations or improper access. It can generate instant alerts on those violations, or produce graphical “heat maps” spotlighting looming risks and security breaches.
Rake Narang: What should CSOs look for when selecting an identity and access management solution?
Chris Zannetos: To deal with these continuously changing risks to the business there needs to be a new technological approach that can look in real-time at who has access to what and what they are doing with that access, and can react quickly to deal with violations. CSOs should seek a system that helps understand what is actually driving risk so the appropriate people can be alerted and drive immediate remediation. This will enable their business to identify the trending of risk over time and implement more effective policies and preventive measures. This also provides an ability to predict future areas of risk to fix the fundamental business process issue and potential security “gaps” before they become a problem. With this approach, organizations can more effectively mind the gap and avoid the challenges of dealing with security breaches that imperil intellectual property and other assets.
Company: Courion Corporation
1900 West Park Drive, 1st Floor Westborough, MA 01581 U.S.A.
Founded in: 1996 CEO: Chris Zannetos Public or Private: Private Head Office in Country: United States Products: Managing user access to enterprise systems and resources is essential for companies to succeed in today’s ever-changing technology world, especially as access becomes more accessible via on-premise solutions, cloud environments, or through mobile devices. Courion solutions provide you with real-time visibility into what's happening in your organization at all times by closing the gap between the period of time that user access is provisioned and then certified. It's the same period of time when just about anything could happen -- a data breach, theft of intellectual property or sensitive data, financial loss to your business -- the list goes on. Courion provides you with intelligent insight into what's taking place in your organization so you can identify, quantify and manage access risk -- in real time and on a continuous basis -- ensuring that the right people have the right access to the right information and resources and are doing the right things.
JOIN NOW THE CYBER SECURITY WORLDWIDE COMMUNITY ON LINKEDIN