Security during layoffs: Inside out
When Pioneer Electronics delivered pink slips to its North American contractors in January, the company had to ensure that any cost savings generated by the layoffs – not to mention years of corporate research and development – wouldn't be wiped out by a single disgruntled employee.
Pioneer gave its third-party workers about two weeks' notice of the impending firings, prime time for anyone seeking revenge to maliciously exploit their privileges before their access was cut for good.
But the IT department was not going to stand by and let, say, a nefarious contractor plunder its systems of sensitive data, namely the highly coveted intellectual property used to build Pioneer's pre-eminent plasma televisions.
With the help of a role-based identity solution that manages who can access the company's local area network (LAN), Pioneer was able to document activity in real time, assuring nobody crossed the line separating routine work and criminal act.
“We went through our logs and made sure nothing out of the ordinary jumped out at us,” says Max Reissmueller, 40, the company's senior manager of IT operations and infrastructure.
“We concentrated primarily [on] the IT contractors, but did perform a less thorough check on some of the others. We focused on people with higher levels of system and application access.”
Pioneer's decision to play Big Brother is not as paranoid as it may seem. Seventy-five percent of U.S. breaches are now caused by insiders, concluded an October study commissioned by and conducted by the Ponemon Institute.
Through the years, companies have done a much better job of protecting against the external attacker, but still remain quite vulnerable to the so-called trusted insider, experts say.
And with the economy in tatters and layoffs happening so regularly that internet applications are being created solely to chronicle the firings (on the day of this writing, more than 71,000 U.S. workers were canned in what CNN aptly dubbed “Bloody Monday”), the insider threat is rising.
“People underestimate the potential and the risk of something to happen internally,” Reissmueller says. “It's like, ‘We worked with these people our whole lives – they would never do anything like that.' But they will, and there are cases like it in the news all the time.”
Time for a checkup
Given the global financial crisis, now is an ideal time for companies to review access processes, according to security analysts. What many will find, though, is that they still rely on simple and manual controls, which do a poor job of governing risk across heterogeneous platforms, systems and applications.
In January, McAfee CEO Dave DeWalt presented a comprehensive report – based on interviews with 1,000 IT decision-makers – at the World Economic Forum's annual meeting in Switzerland. Among the findings: Companies lost an average of $4.6 million last year in intellectual property, and 68 percent of respondents said they view insiders as the top threat to vital data.
The report says that “financially strapped and laid-off employees” increasingly will become tempted to rip off their employer, if for no other reason than the ease with which it could be done. After all, insiders have much more knowledge about a given organization than an external attacker would – and sometimes more motivation to act maliciously.
“Normal behavior patterns change when you're under stress,” says Paul Dorey, a private security consultant who formerly served as the CISO at BP. “People could start to be careless or have harassing behavior – either lash out against companies or lash out against people.”
The disgruntled employee may best be personified by the spate of U.S. Postal Service shootings in the early 1990s. But in today's technologically advanced landscape – where not just official employees have access to sensitive information, but so do contractors, consultants and other vendors – an insider bent on revenge can crush a company without having to resort to an Uzi.
In just the past year or so, there have been numerous examples of how much a seemingly trusted person can get away with. Arguably the most stunning instance came early last year when a 31-year-old trader from Société Générale exceeded his system privileges to disguise $7 billion in fraudulent trades. The French bank was forced to raise the lost capital from shareholders.
Société Générale apparently fell short in a number of security areas, but most observers pointed to its inability to control unauthorized access as the chief reason for the event. And, Dorey says, that is one place in the security stance where businesses cannot overlook.
“Anytime someone leaves the company or feels dissatisfied with their employer, there is a threat of data leakage,” he says. “It's not surprising that everyone is talking about information and data leakage. But other controls to protect data are pointless if you don't have proper identity and access controls in place.”
While the insider threat is certainly a driver, most organizations embark on identity and access management (IAM) projects for two other, more cost-oriented reasons: compliance (to avoid fines) and business enablement (to improve ROI).
Mandates, such as Sarbanes-Oxley, HIPAA and the Payment Card Industry Data Security Standard, require the implementation of strong access controls, while the upcoming Massachusetts data security law, considered by many to be the strictest in the country, also will impose access restrictions.
Meanwhile, a robust IAM framework has a cost benefit for businesses by, for example, freeing up servers and software licenses and decreasing expensive development cycles for individual authentication and authorization mechanisms, says Perry Carpenter, a research director with Stamford, Conn.-based analyst firm Gartner.
“IAM does have some ancillary benefits that folks will tout as cost-savings mechanisms,” he says. “Whether they are ever realized in a company is unknown due to deployment challenges.”
For years, companies have been trying to implement centralized IAM, but the process is often slowed or stymied altogether because of the sheer size of such projects, which must connect every piece of the business.
“With access management, either it works or it doesn't,” says Brian Holyfield, co-founder of New York-based Gotham Digital Science, a risk consultancy. “Everyone notices pretty quickly. If you don't get it right, the help desk gets flooded with calls. If I can't get in, I can't do my job.”
Still, while an IAM implementation may prove too costly and confusing for small businesses to even bother with, it is a must-do within medium and large companies, end-users say.
The basic concept of IAM is to ensure employees only have access to what they absolutely need access to. Microsoft Active Directory does a good enough job of authenticating users, but does little for assigning privileges across applications, and cannot deal with systems external to the enterprise, experts say.
Technology, however, is maturing, allowing for simpler automation to both accomplish these tasks and meet compliance demands, industry observers say.
Carpenter says advancements have been made in user provisioning (and de-provisioning) and role/entitlement management. The latter, he says, allows businesses to analyze workers to determine what attributes describe them.
“The old way that things worked was that John Doe transfers or gets promoted,” Carpenter explains. “He asks for additional access, but his old access never goes away – and it may be totally inappropriate for him to have that. Properly done role management would make sure that as the attributes change that describe the user, the appropriate role gets assigned to him, which results in appropriate access.”
Sachin Nayyar, chief identity strategist for Santa Clara, Calif.-based Sun Microsystems, says role-based access also can improve organizational efficiency by eliminating the need to manually determine what rights someone should have.
“Most companies will create access by copying another person,” he says. “But when you don't have role-based control, you [will give] extra access.”
Bilhar Mann, senior vice president of security product strategy at Islandia, N.Y.-based CA, which recently acquired role management firm Eurekify, says the capability is especially important for firms specializing in IT and biotech, where intellectual property is a core asset.
“They are finding that finer-grain access was needed,” he says. “It wasn't sufficient to have a broad stroke approach.”
While role-management may be the IAM technology de rigueur from the perspective of vendors, many end-users – even larger firms – are not quite ready for it.
“Most companies falter in trying to create pre-defined roles,” Pioneer's Reissmueller says. “There are just so many combinations of what a user needs, and trying to automate that becomes near impossible. Most people doing automated user provisioning are creating a few generic roles and then tweaking. You just create generic definitions that hit most of your population and then tweak it from there.”
At Atlanta-based Equifax, the 7,000-employee credit reporting agency with some 40 locations across 14 countries, the act of automatically classifying individuals by role would require a lot of coordination across many environments.
“It's a destination that we'll not necessarily ever get to,” admits David Galas, VP of technology. “It's very complicated.”
Instead, Equifax leverages Sun's IAM suite to automate user provisioning and de-provisioning, which means either creating an account and assigning authorities to it, or deactivating it once someone departs, he says.
On their first day of work, all Equifax employees start with the same clean slate. They sit down at their PCs and only have access to email, Galas says. Using their Windows NT login, though, they are able to request additional access through the company's intranet. Each request is manually vetted.
“We have a baseline of as minimal access as possible,” Galas says. “Everyone gets an email account. However, if you need access to any system, including even basic things such as Windows file shares, you need to go through this process.”
The IAM system is connected with human relations, so on their last day, users' privileges automatically are cut, he says.
So-called orphan accounts, though, remain commonplace. A survey conducted last year by Symark International, an IAM solutions provider, showed that 27 percent of 850 respondents reported more than 20 orphaned accounts exist in their organizations. Another 30 percent said it takes more than three days to cut access, and 38 percent admit to having no way of knowing if a former employee used their account to access data.
“It becomes more important now that the economy has turned down,” Holyfield says. “There needs to be no guesswork and no fire drill involved. There needs to be a checklist that says that when this person gets laid off, we need to do these things and make sure their access has been cut off.”
Beyond pure IAM
Of course, to combat insider theft, whether it is intentional or accidental, IAM alone will not stop all malfeasance, experts say.
An individual's rights may be strictly controlled, but if they are legitimately allowed access to confidential company data, other controls must be put in place. A survey from information management firm Cyber-Ark Software revealed that 47 percent of privileged users working in IT admitted to poking around in areas they should not have – but to which they were permitted.
That is why experts recommend a defense-in-depth strategy that relies on useful complementary measures, such as encryption, monitoring, network access control and data leak prevention (DLP).
Vendors, such as U.K.-based Lanxoma, are offering innovative ways to keep an eye on employees. The firm offers a solution that records a user's screen, keyboard and mouse when they are accessing, for example, the database.
“We're providing a DVR recording of what a worker did while they had privileged access,” says CEO Manoj Patel. “It's allowing the folks to carry on and do their jobs without hindering and slowing them down, but providing management with a means to know what the folks did while they had access. And if you know you're being monitored, it acts as a massive deterrent.”
DLP, meanwhile, is often hyped as a capable method for stopping insider unscrupulousness. CA has taken note and in January acquired Orchestria, making it the first IAM provider to combine its offerings with DLP.
The integrated solution essentially allows an enterprise to update its DLP policies to reflect a user's access rights, says CA's Mann. “ID management now extends out to the points in the network that it currently didn't reach out to,” he says.
At Pioneer Electronics, controlling access is a LAN-wide commitment, says Reissmueller. That is why the company not only deploys an IAM-specific product to deter people from accessing certain applications, but also runs a separate solution from ConSentry Networks that stops these people from even seeing the login page in the first place and, thus, not having the opportunity to guess or hack into the program.
“IT needs a broad way to control who can access which resources on the LAN,” says Jeff Prince, co-founder and CTO of ConSentry. “IT needs the ability to tie a user to his or her role and then control which servers, applications and even individual files that user can reach. That level of identity-based access control is essential to protecting assets on the network.”
The additional visibility is just one more way Pioneer can protect its data and maintain its brand, says Reissmueller, who also serves as the company's regional chairman of security for North and South America.
“IP is a big concern to us,” he says. “Being able to ensure that information is only getting into the hands it's supposed to is obviously very important. We're one of the most innovative companies in the marketplace. That's why we've done so well.”
Case study: Citizens Bank
Open up any newspaper, and you'll undoubtedly read about another company falling victim to a security breach. Details are sometimes hard to come by, but it appears that many of these breaches are linked to workers inside the company. These “insider attacks” are a real business risk that must be managed by every organization. The nature of business today requires that employees and contractors have access to strategic applications and data. The challenge for IT departments and their line of business counterparts is to limit, monitor and control user access and to proactively address the business risk of insiders.
Citizens Bank is one of the 10 largest commercial banking companies in the United States ranked by assets and deposits, and has more than 24,000 employees across 1,600 branches. As part of the bank's strategy for meeting compliance guidelines and better managing the “insider” risk, last year we transitioned from a manual process for managing user access to a fully automated one, allowing us to centrally manage and monitor access privileges across applications and business units.
Our previous process for access management gave us good visibility into who had access to what systems, but it was difficult to map employees to fine-grained privileges (exactly what they could do on those systems). A lot of our process was done by what I call “Excel over Outlook.” We'd email spreadsheets to managers asking them to review and approve user access, but the spreadsheets were not easy to understand, we had several version control issues, and they didn't provide a holistic view into our identity data.
To automate and streamline the access request and certification process, Citizens implemented a software solution from SailPoint that enabled us to consolidate all of our identity and access data into a single repository. SailPoint replaced our “Excel over Outlook” access certification process with a fully automated one that captured the data in compliant-ready audit reports and used workflow to distribute the reports to the appropriate reviewers. Using SailPoint, we immediately identified and removed about 10 percent of user access privileges as inappropriate.
SailPoint enabled Citizens to strengthen our controls over user access by:
- Building a central repository of identity data across our critical, regulated applications;
- Automating the periodic certification of access by both application owners and business managers;
- Providing better understanding of the linkage between users, access privileges and job duties;
- Improving visibility to excess privileges accrued over time (“entitlement creep”).
With SailPoint, our access certification process enables application owners to manage their risk appropriately in collaboration with their business counterparts. In the past, we didn't have that level of control because the business managers didn't have an overarching view of what systems people had access to. Now, we can go to the application owners and show them the business lines within the organization that have access to their data. They can certify whether that access is appropriate, and identify whether any entitlement creep had occurred that requires access to be removed. To complete the access review lifecycle, we then go to the business managers that are using those applications and ask them to certify each user.
By implementing SailPoint IdentityIQ, Citizens Bank has benefited from enterprise-wide visibility into and control over our identity data. We've been able to proactively mitigate business risk associated with weak user access controls, map employee access to the risk ranking of our applications based on Sarbanes-Oxley and other regulations, and work closely with business managers to ensure user privileges follow our corporate policies.
David Griffeth is the vice president of enterprise identity management at RBS Citizens Bank.