
When access management becomes rocket science

By Bill Brenner, Senior News Writer
27 Jun 2006 | SearchSecurity.com

Security Wire Daily News

NASA's challenges are hardly limited to launching rockets and getting men to Mars. The space agency is racing to overhaul its identity and access management infrastructure, determined to seal off security gaps and protect vital IT assets from floating into dangerous corners of cyberspace.

The situation at one NASA outpost, the Ames Research Center in Mountain View, Calif., shows how difficult a task it is. William Likens, chief of the center's applications development and technology branch, said NASA's IT environment is decentralized and fragmented, without much interfacing or centralization of systems from one division to the next. To make matters worse, there hasn't been a groundswell of support among managers to foster change.

Access (out of) control?

About this special report: You've heard about the need for companies to ensure that network users are who they say they are, and that employees can only access what their jobs require. In this special report, IT professionals surveyed by SearchSecurity.com share the pain points and solutions they've experienced on the way to better and more practical ID and access management.

Special report menu:
Day 1: When access management becomes rocket science
Security can be a hard sell beyond the IT realm, even for security pros at NASA. But nothing motivates people like regulatory pressure and a fear of being the next data breach headline.

Day 2: Looking ahead to life without passwords
Security pros know that passwords are nothing but trouble. For them, single sign-on, two-factor authentication and federated ID represent the path to stronger authentication.

Day 3: Active Directory users finding their way
Many IT shops use Microsoft Active Directory to manage network access. Some say it's difficult, but others are using it as a key tool in successfully managing network access.

Inside the numbers: Access (out of) control?
In April, SearchSecurity.com surveyed 358 IT professionals from a variety of industries regarding their identity and access management programs. Here is a look at some of the questions we asked and the answers they gave.

"Get down to the research lab level and the managers are not supportive of change that may detract from what they see as their real job, which is research," Likens said.

In this environment, Likens said closing the accounts of people who have left is a big challenge.

"We know when someone employed by NASA has left, but when you are dealing with contractors, it's much harder to know when they are gone," he said. It's a considerable security risk, Likens said, because people often retain access to systems, sometimes privileged access, after their work at NASA ends. It means orphaned accounts could be exploited not only to gain network access, but also to leverage sensitive network resources.

In an agency with 19,000 federal employees and about 80,000 contractors and academic affiliates, there's plenty of room for error. Likens noted that 70% of those working at his facility are contractors. Much of the center's research and IT services support 3,000 people on site and some of those services support 100,000 people in the larger NASA community.

Yet NASA is moving toward a more centralized and automated system that will rely on smart cards with PKI credentials. Though some managers may not want to deal with security changes, they are being motivated to do so by the regulatory demands of Homeland Security Presidential Directive (HSPD) 12 and the Federal Information Security Management Act of 2002 (FISMA). Under HSPD 12, government organizations must have Personal Identity Verification (PIV) card systems in place by Oct. 27.

NASA isn't the only organization in which regulatory pressure has forced a move toward stronger identity and access management, if an April SearchSecurity.com survey of 358 IT professionals is any indication.

Nearly half of those surveyed said their top ID/access management priority in 2006 is to strengthen authentication, and 71% said regulatory demands are either an important or very important motivator when it comes to investments that get approved by the top brass.

Fear of data breaches is also a powerful motivator, in light of the growing list of headline-grabbing incidents. Reducing the likelihood of a breach was said to be an important or very important factor in the security plans of 88% of respondents.

Fear of the headlines
ESL Federal Credit Union, a financial institution with 17 branches and numerous ATM locations in the Rochester, N.Y., area, is one company that has been sobered by the many recent high-profile data breaches. The organization hasn't suffered a breach, but managers were spooked after a tape with sensitive data went missing from Citibank last year, said Jessica Lynne Verzi, ESL's information security manager.

It's no secret that banks are transmitting quite a bit of information in an insecure manner via email and other means, she said, and that's why her company is intent on implementing strong email encryption.

"There's not a great handle on email security in the industry right now," she said. "Most of what we do is confidential and all that information must be secured."

One reason email security is so important, she said, is that email is the tool an insider would most likely use to lift financial data from the bank. She's also mindful that data thieves are always on the lookout for flawed applications.

While the credit union doesn't want to become another shameful headline, that's not necessarily the prime motivator behind its revamped ID and access management strategy. Like most survey respondents, Verzi said the spur in the company's side is regulatory compliance. In fact, her department was created as a result of regulatory demands.

Some of those demands come from the National Credit Union Administration (NCUA), which provides ESL's insurance and audits the organization regularly. The NCUA standards demand that credit unions practice strong application security and tightly control who has access to what. Every six months, department heads must check and sign off on the list of users in their group to ensure the lists are up to date and people have only the network access their jobs require.
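The orphaned-account risk Likens describes and the semiannual sign-off the NCUA requires of ESL come down to the same check: reconciling the account inventory against the HR and contractor roster so that accounts whose owner has left, especially privileged ones, surface before a manager signs the list. The following Python is an added example, not code from the article or from NASA or ESL; the record layout, names, departments and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str       # links the account to a person on the roster
    department: str
    privileged: bool    # admin/root rights somewhere, so highest priority

@dataclass(frozen=True)
class Person:
    person_id: str
    employment_type: str        # "employee" or "contractor"
    end_date: Optional[date]    # None means still active

def find_orphaned(accounts: List[Account], roster: List[Person], today: date) -> List[Account]:
    """Accounts whose owner is missing from the roster or whose engagement has ended.
    Privileged accounts are listed first: those are the ones to disable right away."""
    by_id = {p.person_id: p for p in roster}
    orphaned = []
    for acct in accounts:
        person = by_id.get(acct.owner_id)
        if person is None or (person.end_date is not None and person.end_date <= today):
            orphaned.append(acct)
    return sorted(orphaned, key=lambda a: (not a.privileged, a.username))

def review_lists(accounts: List[Account], roster: List[Person],
                 today: date) -> Dict[str, List[Tuple[str, str, bool]]]:
    """Per-department sign-off lists: (username, ORPHANED|ACTIVE, privileged)."""
    orphaned = {a.username for a in find_orphaned(accounts, roster, today)}
    lists: Dict[str, List[Tuple[str, str, bool]]] = {}
    for acct in sorted(accounts, key=lambda a: a.username):
        status = "ORPHANED" if acct.username in orphaned else "ACTIVE"
        lists.setdefault(acct.department, []).append((acct.username, status, acct.privileged))
    return lists

# Constructed sample data (hypothetical people, accounts and departments).
ROSTER = [
    Person("E100", "employee", None),                 # still employed
    Person("C200", "contractor", date(2006, 3, 31)),  # contract ended
    Person("C201", "contractor", date(2006, 12, 31)), # still engaged
]
ACCOUNTS = [
    Account("alice", "E100", "flight-software", False),
    Account("bob-adm", "C200", "flight-software", True),  # ex-contractor, privileged
    Account("carol", "C201", "networks", False),
    Account("svc-legacy", "X999", "networks", True),      # owner not on roster at all
]
TODAY = date(2006, 6, 27)

if __name__ == "__main__":
    for dept, entries in review_lists(ACCOUNTS, ROSTER, TODAY).items():
        print(dept, entries)
```

The same join works against a real directory export and HR feed; the point is that contractor end dates must be in the roster, or the check cannot see them.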

More automation needed
Seventy-one percent of survey respondents said their organizations still use a manual process for provisioning accounts and determining access rights, but that they are striving for more automation.

Sixty-six percent said dealing with slow, manual processes for managing user accounts is a problem or a significant problem, and 52.5% said regulations are prompting them to make changes.

Likens said NASA still uses manual procedures, but that the organization is "definitely moving toward automation" as part of the work now being done to satisfy HSPD 12 and FISMA.

Verzi said her organization still uses manual procedures to some degree, most notably to handle account provisioning. Regulations have encouraged the organization to automate more procedures, but the main driver has been efficiency.

Jeff Bardin, an IT professional working for a New England-based Fortune 1000 financial services firm, said his 5,000-employee company uses a manual process for account provisioning. He said that regulations like the Sarbanes-Oxley Act, Gramm-Leach-Bliley and California's Security Breach Information Act (SB-1386) are pushing the institution toward more automation. But improving the user experience is another goal.

As a result, one of the company's main goals this year is to complete deployment of an automated identity management system for its customers. "Automating this process simplifies the collection of secure data," Bardin said, "and provides the customer with an easy-to-use interface that provides them with near-immediate secure access to information." The firm is also increasing its automation so user accounts for new employees can be created more quickly.

Changing the culture
While top brass have been motivated to take identity and access management seriously, respondents said lower-level managers and human resources staff have been slower to identify its importance. More than half of respondents said upper-level management strongly supports such improvements, but more than half also said business unit managers and human resources personnel don't see themselves as key stakeholders in identity and access management projects.

This is a problem, Verzi said, because employees outside of IT need a certain level of security expertise for a company to have 100% identity and access management.

"We have such a [hard] time getting managers to fill out an online form to request certain user privileges for new or transferred employees," she said. "People like using paper because it's comfortable. Getting them to do it electronically is like pulling teeth. If they had more IT security awareness, they'd do it electronically."

Verzi said another implementation barrier is that different departments want to control their own basic information, and so they're reluctant to share it as part of a central repository, where it could be better secured.

Bardin said it's a constant battle to change the culture in favor of improved ID and access management, but that it is happening in his company. He added, "Periodic communications from the security team and from the CIO reinforce the need to execute the program."
