Last week, I attended ArcSight’s Protect 10 User Conference, and just like last year, it was an exciting and informative event. Without a doubt, HP’s acquisition of ArcSight brought more excitement to this event this year.
Throughout the conference, a consistent theme emerged, which seems reflective of the IT security world nowadays: “a new approach is needed”. Not really news.
During the initial keynote at Protect 10, ArcSight’s CEO Tom Reilly was joined by HP’s Bill Veghte. What stuck with me from Bill Veghte’s speech were his statements that this new IT security model needs to be proactive and holistic. He must feel very strongly about this paradigm shift to justify a $1.5B price tag for ArcSight just over five months into his job at HP.
Over the last few days, I have been digesting and internalizing this notion, particularly from an Identity and Access Management (IAM) perspective. Evidently, I concur with this view, but I would like to explain my viewpoint.
Context: Are we Doomed?
If you have been hearing about the impact, focus and sophistication of new attacks, and the term “Cyberwarfare”, then you would be very concerned to see how increasingly real the threats and damages are, and how vulnerable we are. Some good examples are the Aurora attacks, disclosed by Google in January 2010, which severely impacted Google and a number of other companies; and more recently, the Stuxnet malware, whose sophistication level and precise focus on industrial plants as targets have earned it the nickname of “cyber super weapon”. “Malware Exposed” provides a good reference on how modern malware works, and how today’s security tools and mechanisms are quickly becoming obsolete and ineffective.
During Protect 10, I attended a keynote panel on “Global Cybercrime”, featuring Joseph Menn, author of “Fatal System Error”, along with Barrett Lyon, CEO of 3Crowd Technologies, and Andy Crocker, former Investigator, UK National Hi-Tech Crime Unit. This engaging session discussed specific attacks against banks and the ATM network in graphic detail, from a technical perspective and, more interestingly, from a business and jurisdictional standpoint. It was really fascinating to see how cybercrime transcends the technical world into cross-border and national sovereignty matters.
So it should come as no surprise that after this dose of cyber doom, one feels more concerned and worried about the future, and about the risks that a more vulnerable and interconnected society brings with it. With all the great things the Internet has brought us, it seems like we are now awakening to the extent and severity of its undesirable by-products.
So, does this mean that we are all doomed to simply accept these risks? Is it possible we just won’t be able to prevent great losses from happening? Should we accept this as the price of global interconnectivity?
There is Hope: Think Risk Awareness and Convergence
One approach towards a better model is where organizations create a strong baseline, leveraging traditional security controls. This mitigates some risks, but to effectively protect from more sophisticated attacks, the organization must complement this baseline with a more modern solution.
But how much does it cost? And for organizations struggling to answer basic questions such as “who has access to what?” and “is this the level of access that this person should have?” – how can this model be achieved?
I view the shift towards proactive and holistic security as the combination of risk awareness and convergence of security tools.
In the end, information security is about risk mitigation. The effectiveness of the security strategy will be predicated on whether the risks have been properly identified and assessed, and how well their potential impact is being mitigated. This way, the organization can determine the strength of each security control it requires.
Risk awareness helps with the “proactive” part of the new security paradigm shift. While feasible, this is of course easier said than done, since risk tolerance varies widely, and it is difficult to really identify the risks the organization needs to mitigate.
This is where regulation, standards and auditing frameworks come into play – they identify a baseline for the risks and controls that need to be in scope. As an input to scoping risks, data classification is essential such that the various stakeholders define the sensitivity of a particular transaction or information asset. Beyond that, approaches such as continuous auditing can help broaden the inventory of risks over time on a more proactive basis.
From an IAM perspective, identity assurance is a practical concept that can help organizations classify and address identity-related risks and, thanks to available identity assurance frameworks, such as Kantara Initiative’s Identity Assurance Framework, organizations can streamline the adoption of identity-related security controls that mitigate defined risk levels.
Being the Chair of Kantara Initiative’s Identity Assurance Work Group, I am a big proponent of identity assurance as a pragmatic approach to effectively mitigate identity-related risks, as I have stated in prior blog posts.
In fact, I will be presenting via a webcast on this very topic next week on October 7th, 2010 at 12:00 pm ET, hosted by BrightTALK. The title of my session is “Identity Assurance in Everyday Life”. The session is intended to be interactive, allowing for real-time Q&A. Hope you can join me.
As for convergence, in the context of this article I mean the convergence of security tools. The idea is that as security solutions evolve and become more sophisticated, they should intersect and integrate more seamlessly and synergistically, such that by integrating otherwise siloed security tools, an organization can gain greater insight and visibility into potential threats and attacks as they unfold.
Convergence affords organizations the ability to better detect and prevent attacks at a much larger scale and in near real time. Hence, convergence helps with the “holistic” part of the new security paradigm shift. It is a trend that we are seeing at play in IAM. For some years now, we have seen new approaches to information security emerge and become mainstream, such as Data Loss Prevention (DLP) as well as Governance, Risk Management & Compliance (GRC), each of which combines different security technologies that have been integrated over time.
In IAM, here are some examples worth noting:
- The shift from linear to contextual access management – A trend I wrote about in 2007 along with Eric Leach, in the run-up to Oracle’s acquisition of Bharosa. In recent weeks, consolidation and evolution in the strong authentication space have validated predictions I made back in July 2010. Nishant Kaushik published a great blog article this week on the topic of multi-factor authentication. I like Nishant’s reference to the recently announced support for two-factor authentication in Google Apps and his description of contextual access management from the standpoint of Oracle Adaptive Access Manager. Even the Wall Street Journal published an article last week on the topic of biometric authentication’s increased adoption outside of government. This is further evidence that the market is awakening to the benefits and fit of this modern approach to controlling access to applications in real time.
- The advent of identity activity monitoring – a technique that combines Security Information and Event Management (SIEM) and IAM to provide an unprecedented level of visibility and real-time correlation of user activity and behavioral patterns, which allows organizations to gauge risk on individual users or groups of users within the organization. We have written about this topic, and continue to see an increase in adoption in the marketplace. We believe this approach is demonstrating effectiveness in complementing an IAM infrastructure.
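To make the two examples above concrete, here is a small added illustration of how identity activity monitoring and contextual access management fit together. It is example code written for this post, not code from ArcSight, Oracle or any product mentioned here. It correlates SIEM-style login events against an IAM entitlement store to build a per-user risk score (unentitled application access, activity by a terminated account, logins outside the home country, impossible travel), then feeds that score plus the context of a new request (application, location, device) into an adaptive allow / step-up / deny decision. The users, applications, log format, weights and thresholds are all constructed assumptions for the example.

```python
"""Identity activity monitoring feeding a contextual access decision.

Added example (not vendor or author code). The IAM data, log lines,
weights and thresholds below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed IAM store: role, entitled apps and usual work location per user.
IAM_ENTITLEMENTS = {
    "alice": {"role": "payroll-clerk", "apps": {"hr-portal", "payroll"}, "home": "US"},
    "bob":   {"role": "dba",           "apps": {"db-admin", "ticketing"}, "home": "US"},
    "carol": {"role": "terminated",    "apps": set(),                     "home": "UK"},
    "dave":  {"role": "analyst",       "apps": {"ticketing"},             "home": "US"},
}

# Constructed SIEM-style authentication events (assumed key=value syslog format).
SAMPLE_LOGS = """\
2010-10-01T08:02:11Z auth user=alice app=hr-portal src=203.0.113.10 geo=US result=success
2010-10-01T08:40:52Z auth user=alice app=payroll src=203.0.113.10 geo=US result=success
2010-10-01T09:05:03Z auth user=alice app=db-admin src=203.0.113.10 geo=US result=success
2010-10-01T09:10:17Z auth user=bob app=db-admin src=198.51.100.7 geo=US result=success
2010-10-01T09:31:44Z auth user=bob app=db-admin src=192.0.2.55 geo=RU result=success
2010-10-01T10:00:00Z auth user=carol app=ticketing src=192.0.2.9 geo=UK result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) app=(?P<app>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

# Risk weights are assumptions chosen for this example, not product defaults.
WEIGHTS = {
    "unknown_user": 60,       # activity by an account IAM knows nothing about
    "terminated_user": 100,   # activity by an account that should be disabled
    "unentitled_app": 40,     # SIEM shows access that IAM says the user lacks
    "foreign_geo": 20,        # login outside the user's home country
    "impossible_travel": 50,  # two countries within too short an interval
    "unknown_device": 15,     # request context: device not previously seen
}
TRAVEL_WINDOW = timedelta(hours=2)

def score_users(events, entitlements):
    """Correlate each event with IAM data; return {user: (score, [(reason, detail)])}."""
    findings = defaultdict(list)
    last_geo = {}  # user -> (geo, timestamp) of the previous login
    for ev in sorted(events, key=lambda e: e["ts"]):
        u, ent = ev["user"], entitlements.get(ev["user"])
        if ent is None:
            findings[u].append(("unknown_user", ev["app"]))
        elif ent["role"] == "terminated":
            findings[u].append(("terminated_user", ev["app"]))
        elif ev["app"] not in ent["apps"]:
            findings[u].append(("unentitled_app", ev["app"]))
        if ent is not None and ev["geo"] != ent["home"]:
            findings[u].append(("foreign_geo", ev["geo"]))
        prev = last_geo.get(u)
        if prev and prev[0] != ev["geo"] and ev["ts"] - prev[1] < TRAVEL_WINDOW:
            findings[u].append(("impossible_travel", f"{prev[0]}->{ev['geo']}"))
        last_geo[u] = (ev["geo"], ev["ts"])
    return {u: (sum(WEIGHTS[k] for k, _ in f), f) for u, f in findings.items()}

def access_decision(user, context, user_scores, entitlements):
    """Adaptive decision: static entitlement check first, then accumulated
    user risk plus request context. context = {"app", "geo", "known_device"}.
    Returns "allow", "step_up" (e.g. demand a second factor) or "deny"."""
    ent = entitlements.get(user)
    if ent is None or ent["role"] == "terminated" or context["app"] not in ent["apps"]:
        return "deny"
    risk = user_scores.get(user, (0, []))[0]
    if context["geo"] != ent["home"]:
        risk += WEIGHTS["foreign_geo"]
    if not context["known_device"]:
        risk += WEIGHTS["unknown_device"]
    if risk >= 80:
        return "deny"
    if risk >= 30:
        return "step_up"
    return "allow"

if __name__ == "__main__":
    scores = score_users(parse_events(SAMPLE_LOGS), IAM_ENTITLEMENTS)
    for user, (score, reasons) in sorted(scores.items()):
        print(f"{user}: risk={score} {reasons}")
    req = {"app": "db-admin", "geo": "RU", "known_device": True}
    print("bob ->", access_decision("bob", req, scores, IAM_ENTITLEMENTS))
```

The point of the split into `score_users` and `access_decision` is the convergence itself: the first function is what a SIEM correlation rule produces once it can read IAM entitlements, and the second is what an adaptive access manager consumes at login time. Neither signal alone catches Bob's session (his entitlement to db-admin is legitimate, and a single foreign login is merely unusual), but the correlated history pushes his next request from Russia over the deny threshold.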
So, in conclusion, I believe that we are inevitably marching forward towards a proactive and holistic security model. This model will still rely on traditional security solutions, but by leveraging their seamless integration and collaboration it will afford organizations an agile and adaptable approach to mitigating risks as they are continuously identified and assessed.
Your comments to this discussion are most welcome.