Traditionally within companies the IT security organization has mitigated risk through its set of policies, procedures and technologies, while user access and authorization have been controlled through identity management processes and technologies managed by the IT organization. By bringing these two functions together, organizations increase their effectiveness to a level that is greater than the sum of the parts.
IT security departments have begun deploying security information and event management systems (SIM) within their organizations to monitor and report on information asset vulnerabilities. SIMs focus on remediating risk through scanners placed throughout the organization to gather information on information policy violations and then reporting on overall vulnerability to defined risks using management scorecards. While becoming more and more effective, these technologies act only as an early-warning radar system by recognizing when a large policy violation activity has occurred--which is then followed by a triage process to verify and remediate the problem.
Also, today most SIMs have been configured only to concentrate on identifying incidents where sensitive information is attempting to leave the company's domain over authorized channels. While this reporting is important in any organization, ultimately managers are looking to SIMs to provide more proactive management of asset vulnerabilities and controls, rather than just reporting on incidents, to reduce fraudulent activities. But this functionality will go unrealized until the human component of security can be combined with the information views offered by today's SIM tools.
As security managers look inside their organizations to find where useful user authorization and role information can be found and married with their SIMs' data, they're finding that the most complete information doesn't come from the traditional human resources (HR) systems, whose data is more functional in nature, but from IT's identity and access management (IAM) systems. These systems, unlike the HR tools, are geared toward identifying the role or responsibility a person plays within the organization in order to grant them proper access to the systems and information they need in order to perform their duties.
In the past this access was granted by managing a series of entitlements, coarse-grained access rights. But the current trend is to consolidate multiple entitlements under a single role-based access control (RBAC) definition for consistency and manageability. For example, if all Web-development engineers need the same 20 entitlements to the same 10 systems to do their job, it is easier to consolidate all these entitlements under a single RBAC object, such as "Web engineer," and assign or remove their accounts using this single value in the account request used by their provisioning process than to manage 200 entitlements (20 entitlements x 10 systems). By basing user identity and access on an RBAC model, IT processes for on-boarding, changing and off-boarding user accounts become more timely, greatly simplified, and more effective.
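The consolidation described above, as an added example that is not part of the article: a small role catalogue in Python in which each role bundles entitlements across systems, with a function that turns a role change into the grants and revokes a provisioning process would issue. The role names, systems and entitlement names are constructed. The example goes slightly beyond the article's case by handling an entitlement shared between an old and a new role (here a VPN right), which must not be revoked on transfer; that is the step most often gotten wrong when entitlements are managed one by one.

```python
"""Added example (not from the article): role-based provisioning.

Roles bundle entitlements across systems so that an account request carries
a single role value instead of dozens of individual entitlements.  The role
names, systems and entitlement names below are constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# An entitlement is a (system, right) pair, e.g. ("git", "push").
Entitlement = Tuple[str, str]

# Constructed role catalogue.  In the article's example a single
# "Web engineer" role stands in for 20 entitlements on 10 systems.
ROLE_CATALOGUE: Dict[str, FrozenSet[Entitlement]] = {
    "web-engineer": frozenset({
        ("git", "read"), ("git", "push"),
        ("ci", "trigger-build"), ("ci", "view-logs"),
        ("staging-web", "deploy"), ("staging-web", "shell"),
        ("cdn", "purge-cache"),
        ("vpn", "connect"),
    }),
    "dba": frozenset({
        ("crm-db", "admin"), ("crm-db", "read"),
        ("backup", "restore"),
        ("vpn", "connect"),
    }),
    "crm-user": frozenset({
        ("crm", "read"), ("crm", "export"),
        ("vpn", "connect"),
    }),
}


def effective_entitlements(roles: Set[str]) -> FrozenSet[Entitlement]:
    """Union of the entitlements granted by each assigned role."""
    result: Set[Entitlement] = set()
    for role in roles:
        if role not in ROLE_CATALOGUE:
            raise KeyError(f"unknown role: {role}")
        result |= ROLE_CATALOGUE[role]
    return frozenset(result)


def provisioning_actions(old_roles: Set[str],
                         new_roles: Set[str]) -> Dict[str, List[Entitlement]]:
    """Grants and revokes needed to move an account from one role set to
    another.  On-boarding is old_roles == set(); off-boarding is
    new_roles == set().  An entitlement shared by a removed role and a
    kept (or newly added) role is neither granted nor revoked.
    """
    before = effective_entitlements(old_roles)
    after = effective_entitlements(new_roles)
    return {
        "grant": sorted(after - before),
        "revoke": sorted(before - after),
    }


if __name__ == "__main__":
    # On-board a web engineer: one role value expands to eight entitlements.
    print(provisioning_actions(set(), {"web-engineer"}))
    # Transfer to the DBA team: web rights are revoked, DB rights granted,
    # and the shared VPN right is left untouched.
    print(provisioning_actions({"web-engineer"}, {"dba"}))
    # Off-board: everything is revoked.
    print(provisioning_actions({"dba"}, set()))
```

Because the diff is computed on the union of entitlements rather than on role names, the same function serves on-boarding, transfers and off-boarding, and a role that is later extended with a new entitlement only needs the catalogue entry changed.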
LINKING SIM AND IAM REDUCES RISK
So how can these two disparate technologies work together to reduce risk to the organization? SIM technologies are the central tool used by security managers to recognize when a policy violation activity has occurred. However, in order to fix an identified vulnerability, a triage process must be followed to verify and remediate the problem. This typically requires an IT security person to delve deeper into the information provided and determine the downstream effects of the activity (see Triage, below).
While this process is usually effective, SIM tools deal with information and systems, not people. Many times the IT security person assigned the remediation activity doesn't have the information to know whether a person was involved, when they were involved, and which person initiated or caused the violation to occur. If a person is involved, they have to ask a series of questions. Was it a fraudulent activity perpetrated by a disgruntled insider? Did an unauthorized person from outside the company gain access to an internal system? Was this a case of an authorized person doing an activity that the general user population isn't authorized to do, for example, an HR person sending tax identification numbers to an outside benefits partner? Did a developer have an error in their programming that caused sensitive information to be sent to another application as part of the data feed from one system to the next? Because this information isn't in the native SIM solution, the IT security person must take the time to track it down, causing undue delays in determining whether the incident does indeed pose a serious risk to the organization.
One Bank, 3 SIMs, 100,000 Nodes, 40 Million Events
Scale is a more pressing need than new functionality for one financial services firm
You'd be hard pressed to find a better proving ground for new SIM functionality, such as identity management integration, than the Bank of New York Mellon.
The global financial services company uses three SIM products, including one from ArcSight that monitors more than 100,000 nodes, including endpoints, server infrastructure, NAC, DLP, antimalware and more. VP of global security architecture Daniel Conroy says integration with IAM and other technologies such as fraud monitoring is the way SIMs have to go. But those technologies, identity management in particular, have to get their act together before it can happen.
IAM's challenges aren't limited to integration; there are also implementation issues stemming from the diversity of roles in any large organization and the fluid nature of user permissions and access control.
"Merging with identity management is the way it has to go down," Conroy says. "I'd like to see SIMs ultimately be more interactive with these [other] tools, be more self-aware and for example, go to asset management systems and pull data from there versus manually doing it. More plug and play out of the box."
BONY Mellon is certainly a SIM power user given its massive global infrastructure. Conroy says his company's SIM handles upwards of 40 million daily events, a number he expects to triple soon as they begin monitoring outbound connections as well. For now, Conroy wants to see his SIM chug along; scale and quality correlation, analysis and reporting take precedence over new capabilities.
"You need it to scale to a certain number of events per second. With some products if it comes above a certain number of events per second, it can crush the box and become a problem," Conroy says. "Events per second is what SIM comes down to. If you have analysts looking at data from 16 different products in one console, there's your ROI right there."
--MICHAEL S. MIMOSO
Take, for example, when a data loss prevention (DLP) tool identifies to the SIM system that credit card information was found in an information packet destined for a system that is outside the domain of the organization and was blocked. While the SIM system will identify the date, time, type of violation, destination IP address, source IP address, username and severity of violation, it doesn't tell who the person was that initiated the transaction or whether the person was authorized to send out this type of information. By having access to the organization's IAM information, the SIM system has access to not only which user maps to the IP address/username in the incident report, but it can also determine from their role(s) whether this was an authorized activity or not.
This means that IAM technologies take on a role as a feed to the SIM system. They supply the information the SIM system needs to present a more complete picture, so incidents can be remediated more quickly and with higher confidence. SIM technologies can also benefit IAM technologies by identifying issues which may not be inherently obvious, such as separation of duties (SoD) violations--for example, users who have access to information which they also administer--or by flagging the activities of a system administrator who manually bypasses authorization controls on the system they manage.
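The two directions of the feed just described, as an added example that is not part of the article: the DLP-to-SIM enrichment from the credit card scenario above (who is behind the IP address/username, and does any of their roles authorize sending that class of data outside the domain), and the reverse check in which IAM role data is scanned for the separation-of-duties case the article names, an account that both administers a system and holds business access to its data. The directory, the role-to-data-class policy, the naming convention pairing a "<app>-db" admin right with the "<app>" application, and the sample events are all constructed.

```python
"""Added example (not from the article): enriching a DLP event with IAM data
and checking IAM data for separation-of-duties violations.

The SIM receives an event with IP, username, data class and severity.  An
IAM lookup supplies the person behind the account and their roles; the role
policy says which data classes a role may send to an external party.  All
directory entries, policy and events below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed IAM directory: account -> person, department, roles, entitlements.
IAM_DIRECTORY: Dict[str, dict] = {
    "jsmith": {"person": "Jane Smith", "dept": "HR", "roles": {"hr-benefits"},
               "entitlements": {("hris", "read")}},
    "rlee": {"person": "Rob Lee", "dept": "Web", "roles": {"web-engineer"},
             "entitlements": {("git", "push"), ("staging-web", "deploy")}},
    "dpatel": {"person": "Dev Patel", "dept": "IT", "roles": {"dba", "crm-user"},
               "entitlements": {("crm-db", "admin"), ("crm", "export")}},
}

# Data classes each role may legitimately send to an external party.
ROLE_EXTERNAL_DATA: Dict[str, Set[str]] = {
    "hr-benefits": {"tax-id"},   # HR sends tax IDs to the benefits partner
    "web-engineer": set(),
    "dba": set(),
    "crm-user": set(),
}


@dataclass
class DlpEvent:
    timestamp: str
    src_ip: str
    dst_ip: str
    username: str
    data_class: str
    severity: str
    blocked: bool


@dataclass
class EnrichedEvent:
    event: DlpEvent
    person: str = "unknown"
    roles: Set[str] = field(default_factory=set)
    authorized: bool = False
    notes: List[str] = field(default_factory=list)


def enrich(event: DlpEvent) -> EnrichedEvent:
    """Attach identity and an authorization verdict to a raw DLP event."""
    enriched = EnrichedEvent(event=event)
    record = IAM_DIRECTORY.get(event.username)
    if record is None:
        # No identity behind the account: treat as unauthorized and say why.
        enriched.notes.append("username not in IAM; possible external or orphaned account")
        return enriched
    enriched.person = record["person"]
    enriched.roles = set(record["roles"])
    permitted = set().union(*(ROLE_EXTERNAL_DATA.get(r, set()) for r in enriched.roles))
    enriched.authorized = event.data_class in permitted
    if not enriched.authorized:
        enriched.notes.append(
            f"{record['person']} ({record['dept']}) has no role permitting "
            f"external transfer of {event.data_class}")
    return enriched


def sod_violations(directory: Dict[str, dict]) -> Dict[str, List[str]]:
    """Accounts that administer a system's database and also hold business
    access to the application on it.  The "<app>-db" / "<app>" pairing is a
    constructed naming convention for this example."""
    hits: Dict[str, List[str]] = {}
    for account, record in directory.items():
        admin_of = {sys[:-3] for sys, right in record["entitlements"]
                    if right == "admin" and sys.endswith("-db")}
        uses = {sys for sys, right in record["entitlements"] if right != "admin"}
        for app in sorted(admin_of & uses):
            hits.setdefault(account, []).append(app)
    return hits


if __name__ == "__main__":
    # Constructed events: HR sending a tax ID (authorized by role), a web
    # engineer sending card data (not authorized), and an unknown account.
    for ev in [
        DlpEvent("2011-03-02T09:14:00Z", "10.1.4.22", "203.0.113.8", "jsmith", "tax-id", "high", True),
        DlpEvent("2011-03-02T09:20:00Z", "10.1.7.90", "198.51.100.5", "rlee", "credit-card", "high", True),
        DlpEvent("2011-03-02T09:31:00Z", "10.1.9.3", "198.51.100.5", "svc_legacy", "credit-card", "high", True),
    ]:
        e = enrich(ev)
        print(e.person, sorted(e.roles), "authorized" if e.authorized else "UNAUTHORIZED", e.notes)
    print(sod_violations(IAM_DIRECTORY))
```

The enrichment deliberately fails closed: an account that IAM does not know about is reported as unauthorized with a note, which is exactly the case (an orphaned or external account) that the triage analyst most needs surfaced rather than silently dropped.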
What's more, through their information channel monitoring capabilities, SIM technologies can help organizations monitor what employees are doing, even when applications move into the cloud. They can also give special attention to information and activities being conducted by certain outsiders within the boundary of the organization through these persons' roles established by the IAM systems.
RECONFIGURE IAM TO WORK WITH SIMs
But in order to achieve the benefits explained above, a certain minimum level of functionality must be deployed. As IT security personnel look at using RBAC and IAM technologies to help in providing better controls over user compliance for authorized access to information, they're finding their current IAM deployments aren't configured properly to help address the threats and unauthorized exposure of information that the SIM technologies are looking for. This means there are some basic limiting factors that must be addressed before any work can be done in integrating these two technologies to meet their needs.
- UNIQUENESS: One problem is the fact that no two companies are the same. That means the set of user activities to watch, or information assets that must be protected, monitored, reported on and controlled, will vary greatly, even within like industries. Details around the size of the organization, the corporate culture and management style, physical location of facilities, number/type of applications and services, types of clients and customers, regulatory compliance and reporting requirements, third-party partnerships, etc. can greatly influence how IT security personnel manage asset vulnerability reporting.
- AUTHORIZED ACCESS: While IAM prevents unauthorized users from accessing systems they are not entitled to, it generally has difficulty managing authorized users who use data in an unauthorized way. For instance, an account executive needs full access to a company's customer relationship management (CRM) application to perform their duties. But the fact that this person has decided to leave the company and is copying their client list to an outside source, so they can take the list with them when they leave, is almost impossible to detect within the IAM tools.
- RBAC IS AN ART: RBAC projects are significant activities and companies are still learning how to classify user responsibilities and roles. In many cases, RBAC projects are working to extend this control mechanism across the enterprise. This means there may still be large populations of users within an organization that are not being managed by roles. In addition, knowledge workers, program managers and executives are especially difficult to pigeonhole due to their ever-changing job responsibilities. If a SIM tool wishes to use RBAC objects in understanding user functions and responsibilities, the variability of a person's role must be understood to prevent false positives.
- REDUCED FUNCTIONALITY WHILE INTEGRATING: It has taken years to deploy, configure and tune IAM and SIM tools to perform the complex functions they do today. This means that great care must be taken to ensure the integration work doesn't cause either technology to lose some of its current capabilities while trying to enhance the security of the organization.
- SCOPE OF COVERAGE: While IAM and SIM technologies are becoming an integral part of any organization's security and IT infrastructures, in most organizations they are not deployed across the entire enterprise. Certain lines of business, geographic locations, agencies, third-party partners and others may not have one, or both, of these technologies deployed, or they may be deployed unequally, limiting their use for these domains.
- ROLE VS. ACTIVITY: Even when the SIM technology detects an activity and uses an RBAC role to determine whether the user involved was authorized to perform it, in the case of an unauthorized activity the SIM system will not know how broad the user's access is, and so cannot determine the degree of the vulnerability and the exposure of risk to the organization. This causes IT personnel doing remediation tasks to ask: Does the remediation need to include impeding the user from performing additional activities like the one that caused the incident by shutting off their access? Or was this activity a single occurrence caused by not educating the user on proper usage procedures?
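The ROLE VS. ACTIVITY question above, as an added example that is not part of the article: once an activity has been judged unauthorized, the remediation decision depends on how much the user's roles let them reach and whether this is a repeat. The Python below walks the user's roles to list every system and data class in reach, counts prior confirmed incidents, and applies an illustrative containment rule. The role definitions, sensitivity labels, incident history and the rule itself (contain when regulated data is in reach or the account has prior incidents, otherwise educate and monitor) are constructed for this example and are not a standard or the article's recommendation.

```python
"""Added example (not from the article): sizing the exposure behind an
unauthorized activity.

Once the SIM has decided an activity was unauthorized, the remaining
question is how much the user could reach and whether this was a one-off.
Role definitions, sensitivity labels and the incident history below are
constructed sample data; the decision thresholds are an illustrative
policy, not a standard.
"""
from typing import Dict, Set

# Role -> system -> data classes the role can reach on that system (constructed).
ROLE_REACH: Dict[str, Dict[str, Set[str]]] = {
    "account-exec": {"crm": {"customer-pii", "pipeline"}, "email": {"customer-pii"}},
    "crm-admin": {"crm": {"customer-pii", "pipeline", "audit-log"},
                  "crm-db": {"customer-pii"}},
    "web-engineer": {"git": {"source"}, "staging-web": {"config"}},
}

# Sensitivity tiers (constructed): 3 = regulated, 2 = confidential, 1 = internal.
SENSITIVITY: Dict[str, int] = {
    "customer-pii": 3, "audit-log": 2, "pipeline": 2, "source": 2, "config": 1,
}

# Constructed count of previously confirmed policy violations per account.
INCIDENT_HISTORY: Dict[str, int] = {"awong": 2, "rlee": 0}


def exposure_report(username: str, roles: Set[str]) -> Dict[str, object]:
    """Breadth of access behind an account plus a containment recommendation."""
    systems: Set[str] = set()
    classes: Set[str] = set()
    for role in roles:
        for system, data in ROLE_REACH.get(role, {}).items():
            systems.add(system)
            classes |= data
    regulated = {c for c in classes if SENSITIVITY.get(c, 0) >= 3}
    prior = INCIDENT_HISTORY.get(username, 0)
    # Illustrative policy: repeat offender, or regulated data in reach,
    # means contain first; otherwise treat as a training issue and watch.
    if prior > 0 or regulated:
        action = "suspend-access-and-investigate"
    else:
        action = "educate-and-monitor"
    return {
        "username": username,
        "systems": sorted(systems),
        "data_classes": sorted(classes),
        "regulated_in_reach": sorted(regulated),
        "prior_incidents": prior,
        "recommended_action": action,
    }


if __name__ == "__main__":
    # Account executive with prior incidents and customer PII in reach.
    print(exposure_report("awong", {"account-exec"}))
    # Web engineer, first incident, nothing regulated in reach.
    print(exposure_report("rlee", {"web-engineer"}))
    # Administrator role: regulated data in reach even with no history.
    print(exposure_report("dpatel", {"crm-admin"}))
```

The report is what the triage analyst lacks when the SIM shows only the one event: the same unauthorized transfer looks very different when the account behind it can also reach the CRM database than when it can only reach a staging web server.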
While the list above outlines some of the main limiting factors in integrating SIM and IAM technologies, the reality is as security and IT personnel meet to discuss the merger of their respective domains, many other organization-specific issues are sure to surface. Having good communications between these two groups is essential in order to move forward in integrating these two technologies. Understanding and fully documenting these limiting factors is also crucial as organizations move forward integrating their SIM and IAM technologies.
ESTABLISH CONTROLS, FRAMEWORKS FOR SIM-IAM COMBO
Combining SIM and IAM provides the link needed to tie user access to data use and exposure. While understanding any limiting factors is critical to the success of any deployment, it's not just a case of doing an integration project between the two but of understanding the role each plays in securing the organization and which functions each provides as they begin to work together. This process starts by understanding the level of risk IT security management is willing to take and understanding any potential asset vulnerabilities. No technology can fully eliminate vulnerabilities and attacks. This means management (commonly referred to as Policy Management Authorities -- PMAs) must establish the controls and frameworks around how the technology tools will be used. The two most common standards that are followed are COSO (Committee of Sponsoring Organizations) and COBIT (Control Objectives for Information and Related Technologies) standards for controls and frameworks. It's imperative these controls be defined before any additional work is done.
Once the controls are in place, IT security management and personnel must establish areas of control around any identified risks or asset vulnerabilities (also known as Policy Decision Points -- PDPs). This activity directs any tools to be used to the areas of the organization that are most vulnerable, or which must be monitored due to regulatory and other business requirements. As an organization's monitoring capabilities mature, the scope of monitoring can then be systematically expanded to include other areas of the organization including subsidiaries, partners, suppliers and software as a service (SaaS) cloud environments.
With the definition of the control mechanisms completed, an organization can now execute their enforcement through policies and tools (also known as Policy Enforcement Points -- PEPs). SIM and IAM technologies fall within this realm. By providing an integrated enforcement front, the organization can now monitor, detect, and remediate incidents efficiently and have a more complete view of vulnerabilities and attacks. In addition to integrating IAM information into the SIM systems to combine human interactions with the information being monitored, scorecards and dashboards can be established to identify incidents as they occur as well as let IT security management know how well the organization is protecting its most guarded information. In addition, by bringing these two technologies together, security managers can now take a proactive stance on IT security by verifying not only that information is safely flowing through the right communications channels, but also that users are being properly authorized to access only the information they're entitled to see.
While SIM and IAM integration can provide an organization with a more complete view into their IT security effectiveness, there are many other security mechanisms that will help complete the picture. A few of these include: good policies and procedures, physical security services, HR employee background checks, application rights management, and of course the diligence of the IT security personnel. But just as the U.S. Government is striving to bring together the information collected from their various intelligence organizations to identify risks to the United States, integrating an organization's various control technologies, such as SIM and IAM, will increase the security effectiveness of the organization against inside/outside attacks and shore up previously unknown vulnerabilities.
About the author:
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures. Send comments on this article to firstname.lastname@example.org.