Where our team of guest writers discuss what they think about the current FST US Issues.

Risk mitigation goals and compliance mandates call for improved monitoring of identity data stores. New techniques make it easy to improve security while simplifying compliance. FST explores further with NetVision’s Matt Flynn.
FST. Identity and access management has emerged as one of the critical focus areas for Information Security Officers within the financial services industry. Why has it become so important?
MF. Financial Services companies have recognized a fundamental shift in the way we need to approach security. Not long ago, the focus was almost entirely on locking down the network perimeter to keep potentially bad people out of the network. Our experience, though, has proven that perimeter protection is not enough. Data regularly moves past the network firewall on USB drives and via email. Employees work from home and need to transfer information between systems. Often, critical business tasks are outsourced to other organizations or delegated to contractors. The speed of business requires perforations in the network’s hard outer shell, and so we can’t rely solely on that layer of protection to secure sensitive assets.
We’ve been relatively successful in deterring unapproved access from the outside. And we’ve seen that insiders, people within the network using approved credentials, have become one of the most prominent threats to security.
Because of that shift, government and industry regulations have moved to require that financial companies keep a strict eye on internal user accounts and permissions in addition to traditional perimeter security.
Identity and Access Management processes are critical to mitigating the insider threat because those are the systems where rights and permissions are managed.
FST. What recent developments have taken place with identity and access management solutions that financial institutions should be thinking about?
MF. Traditional Identity and Access Management solutions have matured. User provisioning solutions, which provide account and rights management, have developed to include complex workflows, business rules, policy enforcement, and user attestation (which enables managers to assess and approve employee rights). They do a great job of managing the synchronization of data between the connected identity stores. But until recently, direct protection of those stores has been largely missing from the picture.
The security industry’s move away from perimeter-centric security has driven increased demand for granular control and audit of rights directly on the various identity systems. Regulators and auditors are no longer satisfied with the logs generated from within the provisioning system. They want to see impartial details on what might have happened outside of the approved process. That’s where real damage can be done. Administrators of identity-driven systems, whether they are powered by relational databases, LDAP directories, or otherwise, require direct access to the user store in order to perform their basic job functions. Auditors need to know that those privileged users are not able to subvert policy – even unintentionally. Direct monitoring of those critical systems simplifies the audit process by providing immediate and comprehensive answers to the critical access questions that auditors ask.
FST. Are there particular areas that financial services companies should be looking at first for improved monitoring?
MF. Yes. In almost every organization, employees authenticate every day to a central network directory which grants access to the network, email, file servers, printers, and more. Increasingly, companies are using this central directory as an authentication point for distributed applications as well – including web portals, content management systems, and remote access or VPN solutions. This enables users to leverage a single credential across multiple systems, which is ideal from a management perspective.
The central network directory is analogous to an airport security checkpoint. Once you’ve shown credentials and been authenticated, you have access to shopping, dining, and flights heading almost anywhere in the world.
Airports have achieved a high level of efficiency by centralizing the checkpoint. We complain about long security lines, but it would be much worse and more expensive if each flight had its own security checkpoint during the boarding process. In the same way, if we implement identity storage and management in every application, administration and user experience both suffer. As companies are centralizing application identity storage on the network directory, it is quickly becoming your most critical access point. The breadth of access granted by the network directory systems suggests that they would be the ideal place to start. They are the entry point to the network and keeping a record of that authentication serves as critical forensic support for an audit on other systems on the network as well.
FST. You mentioned that the central network directory is probably the most critical access point. What types of events need to be watched within those systems?
MF. There are really two sides. You want to monitor the user rights and privileges which grant access to sensitive corporate assets. And you want to monitor user activity, keeping an eye on actual access events on protected systems and sensitive information.
With regard to user rights, that means monitoring account creations, changes to group memberships, Access Control Lists, and other permissions, and finding accounts with inappropriate rights that might represent a threat to organizational policies.
For user activity, you want to keep an account of who is accessing critical information and compare access events to policy in real time. That enables you to send an alert or initiate a task if a policy breach occurs. With real-time monitoring in place, the audit of the environment becomes continuous rather than periodic and scheduled.
System administrators often require full rights on a system but don’t have a business need to access the information within that system. A common example is the administrator who manages access to HR files.
Because they understand file system permissions and how to use technology to grant or deny rights, they are entrusted with full rights to the files and folders that they manage. However, certain files, like Employment Offer Letters, contain employee salaries and other sensitive information. System administrators shouldn’t have access to that information.
Since you can’t revoke access rights or put controls in place to deny access in that scenario, you want to monitor administrative user behavior so that you can identify policy breaches in real time and take appropriate action.
FST. Does all of that event collection lead to information overload? What should security professionals do with all that information?
MF. First, the information needs to be relevant. You want systems in place that will do more than just collect logs and create a mountain of data. You want systems that provide answers to questions that are important to you and your auditors. That eliminates the information overload problem.
As you deploy a monitoring solution, identify specific events and the priorities for those events. You want to map events to company policy. For some actions, you might just want the ability to generate a report at some point in the future. For other events, you may want an immediate email alert or you might want to initiate a remediation process. Ensuring that event handling maps to business policies is a crucial part of the planning process.
The idea is to make the entire process simple – not more difficult. You want an auditor to be able to come in, run a few reports and move on without requiring much time from the IT staff. Sorting through a huge collection of logs to find relevant information would just slow down the audit process.
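As an added example (not NetVision’s code or product logic), the following Python sketches the two points made above: the monitored event types (privileged group changes, account creations, administrators reading HR files) and the mapping of each event to a handling tier (report later, alert now, or start remediation) so that auditors get answers rather than a mountain of logs. The event fields, group names, account names and share paths are constructed for illustration.

```python
# Added example (not NetVision's code): policy-driven triage of constructed
# identity-store audit events into report / alert / remediate tiers.

# Constructed sample events: rights changes on the network directory and
# access events on a protected HR file share.
SAMPLE_EVENTS = [
    {"type": "group_change", "actor": "jdoe", "group": "Domain Admins",
     "member": "svc_backup", "op": "add"},
    {"type": "group_change", "actor": "hr_mgr", "group": "HR-Staff",
     "member": "asmith", "op": "add"},
    {"type": "account_create", "actor": "jdoe", "member": "tmp_admin2"},
    {"type": "file_access", "actor": "fs_admin", "op": "read",
     "path": r"\\hr\offers\asmith_offer_letter.docx"},
    {"type": "file_access", "actor": "hr_mgr", "op": "read",
     "path": r"\\hr\offers\asmith_offer_letter.docx"},
]

# Policy inputs (assumed for the example): groups that confer broad rights,
# administrator accounts with no business need for HR content, and where
# that content lives.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"fs_admin", "jdoe"}
SENSITIVE_PATH_PREFIXES = (r"\\hr\offers",)


def classify(event):
    """Map one event to a handling tier.

    'alert'     -> immediate notification (privileged group membership change)
    'remediate' -> start a remediation task (administrator reading HR content)
    'report'    -> retain for a future audit report (everything else)
    """
    if event["type"] == "group_change" and event["group"] in PRIVILEGED_GROUPS:
        return "alert"
    if event["type"] == "file_access" and event["actor"] in ADMIN_ACCOUNTS:
        path = event["path"].lower()
        if path.startswith(tuple(p.lower() for p in SENSITIVE_PATH_PREFIXES)):
            return "remediate"
    return "report"


def triage(events):
    """Bucket events by tier so an auditor sees answers, not raw logs."""
    tiers = {"alert": [], "remediate": [], "report": []}
    for event in events:
        tiers[classify(event)].append(event)
    return tiers
```

Running `triage(SAMPLE_EVENTS)` on the constructed events yields one alert (the Domain Admins change), one remediation (the administrator reading an offer letter), and three events held for reporting, including the HR manager’s legitimate read of the same file.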
FST. What should a financial services organization look for when choosing a solution to help with identity system reporting and monitoring?
MF. Most important is to make sure that the event information is consumable. A collection of unusable data isn’t worth much more than having no data at all. The system should provide reports that are relevant to the business need. You need to answer specific questions and the system should provide those answers without requiring you to search through logs.
You also want something that is easy to deploy and own. Systems that take months to deploy or integrate may be more trouble than they’re worth. You don’t want to find out at the end of the project that your needs have changed or that the next version of the product will require re-work. Look for a solution that deploys in a few days and doesn’t require constant attention.
You also want intuitive, flexible reporting. You don’t always know every question you want answered in advance. So, look for systems that are flexible in the reports they generate.
Finally, we discussed that Identity and Access Management is a critical component of the security infrastructure. When it comes to identity systems, and especially for the core network directory that serves as the security gateway to the network, you should look at solutions that provide baked-in expertise in answering the right identity-related questions. For that system, even more than others, log collection is probably not enough.
Matt Flynn is Director of Marketing and Strategy at NetVision Inc., responsible for communication and strategic direction. Prior to NetVision, Flynn spent the past decade consulting on identity and access management strategies for many of the world’s leading companies.