Deloitte warns of dangers of unmanaged login accounts – need to clean them up

April 4, 2007

In a recently released article on their website titled Unmanaged corporate login accounts are a significant source of risk, Andreas Faruki, Partner and Identity Management Lead for Deloitte Canada states:

“Most companies report that scrubbing old accounts requires a massive, long-term, manual effort, while still leaving 10% to 20% of the problem”

I urge you to read the details here.

Deloitte has done some significant fundamental research and analysis of real world enterprise identity data to verify the scope and nature of this problem. They are way ahead of the game in understanding the real issues and how to deal with them.

The main conclusions are:

  • The risks of unmanaged login accounts are real
  • These identity management risks affect all industry sectors
  • Removing old login accounts is essential to robust identity management

Most importantly, Deloitte has built a service offering to solve this problem for large enterprises. I urge you to get in touch with them to explore it further.

(disclosure: The Deloitte solution uses components that I have had a hand in developing)


If you can’t trust your identity data foundation, you can’t trust your identity systems

April 3, 2007

Phil Becker, Editor of Digital ID World and a deep thinker on network identity, offers some keen insights in his series The Coming Third Wave of Identity (Parts 1, 2, 3, 4). In the conclusion Phil points out the distinction between the management and the use of identity data:

One of the more difficult things for people to gain clarity about in their understanding of identity management is the separation of the management of identity data itself, and the actual leveraging and use of that data to accomplish various network application and data focused missions such as access control, provisioning, data protection, policy enforcement, etc.

He highlights the importance of the identity data foundation and the difficulty of getting a set of well managed data (emphasis mine):

…today the emerging identity third wave is producing more and more products that seek to leverage identity for a wide variety of purposes. But to be successful, they must rely on a well-managed network of identity data, and obtaining that is a major task in itself.

It turns out that this first step is the hardest one, as it brings to light all of a company’s processes around on-boarding and off-boarding both employees and contract personnel, along with processes around promotion, internal job changes, transfers within the organization, management changes, acquisition integration, outsourcing, etc.

He then points out that we have deluded ourselves in the past about how the problem will be solved by this or that technology:

It is this part of identity management that has long been thought to be “solved by a good directory”, but which has been seen to be a far more networked problem than that. (Although the rise of Active Directory in many companies promises a reprise of this difficult learning curve for many companies.)

So far, so good, but I have a problem with the following statement:

… resulting product evolution has been finding ways to create a well managed identity data set without radically disrupting and altering existing company processes. It is here that technologies such as identity virtualization, synchronization, delegation of management via workflow, etc. come into play.

Initially, the well managed identity data was used to feed such things (as) web access control…

I have two major challenges to this statement. Let me explain.



One rogue user leads to $400Million Data Leakage

February 26, 2007

The IT security focused publication SC Magazine reports a $400 million corporate espionage incident at DuPont. This is a further example of the risk posed by only one person’s improper access to an enterprise. In this case, data leakage was the issue. It even went beyond the business dollar value and started to take on national security overtones. These are not trivial matters.

There are a number of strategies that a company needs to employ to mitigate this type of event. One of them certainly should be to gain control of the huge number of legacy login accounts floating around in your organization that are currently unmanaged.

There is no excuse for not attending to this, as straightforward solutions are available.


What to do when you lose your keys? – change the locks!

February 7, 2007

If you have ever lost your keys, you know it is a real pain. Most people think it is prudent to change the locks rather than take the risk that someone might have found them and take advantage of you. Most likely the keys are in the cushions of a couch or were found by some harmless, trusting soul. However, why take a chance? Change the locks and sleep better.

Organizations have been losing track of keys (login credentials or login accounts) to their most important computer systems for decades and, as I showed in my last post, for larger organizations this amounts to about 100K keys for which they cannot answer the simple question: who controls this key? Mostly these misplaced keys are in safe hands, but in many cases they are controlled by an ex-employee, consultant, partner, or current employee who has moved into another area and should no longer have that access. Some may use them against you.

Of course each one of these unaccounted-for keys is a potential negative compliance finding, but they also represent a ticking time bomb for a business reputation disaster – or worse. For example:



Some hard numbers on how bad ID data is out there

February 5, 2007

Up to now I have thrown out the round number that 20%+ of your login records are likely ‘unmatchable’ to a person using normal techniques. Here is some more detailed data behind that number.

This particular table is a composite and simplification of detailed real-world findings. It is representative of an organization with about 30,000 active employees and considers data for 7 common applications/directories.

This is not a guess or speculation, but resembles what we have found when we do detailed analysis within organizations. Obviously the specifics are confidential.

It is my hypothesis that this represents the situation in almost all large organizations. Every organization that we have investigated so far has a problem of this magnitude. You may be the exception, but I would not count on it.

Over the next few days I will dig into some of the details, but for now, here is the chart. Do you find this as shocking as I do?

[Chart: Credentials By Source]


100,000 Lost Keys

December 12, 2006

Our investigations have shown that large organizations have in excess of 100,000 active access credentials which cannot be easily matched to a person. This represents a large risk for any organization.

Solving this problem is not as easy as some first might think. Here is a presentation to take you through some of our thinking on the matter.

[Presentation: Lost Keys]
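The “unmatchable” analysis behind the chart above and the 100,000 lost keys comes down to reconciling account exports from each system against the HR roster and counting what no normal matching rule can tie to a current person. The script below is an added example of that reconciliation, not the blog’s or Deloitte’s code; the roster, the account exports and the matching rules (employee id, email, email local part, full name, first initial plus surname) are constructed assumptions.

```python
# Added example (not the blog's or Deloitte's code): roster and exports are constructed.
import re
# Constructed HR roster: employee id -> (full name, email, status).
HR_ROSTER = {
    "E1001": ("Alice Martin", "alice.martin@example.com", "active"),
    "E1002": ("Bob O'Neil", "bob.oneil@example.com", "active"),
    "E1003": ("Carol Diaz", "carol.diaz@example.com", "terminated"),
}

# Constructed account exports: (system, login, owner field as recorded in that system).
ACCOUNTS = [
    ("ad", "amartin", "E1001"),
    ("ad", "boneil", "Bob ONeil"),
    ("ad", "cdiaz", "carol.diaz@example.com"),
    ("ad", "svc_backup", ""),
    ("erp", "tmp_newhire3", "new hire"),
    ("mail", "bob.oneil", ""),
    ("mail", "jsmith", "John Smith"),
]

def _norm(value):
    """Lower-case and drop punctuation so "O'Neil" and "ONeil" compare equal."""
    return re.sub(r"[^a-z0-9@.]", "", value.lower())

def build_index(roster):
    """Index each person by id, email, email local part, full name and first initial + surname."""
    idx = {}
    for emp_id, (name, email, _status) in roster.items():
        first, _, last = name.partition(" ")
        for key in (emp_id, email, email.split("@")[0], name, first[0] + last):
            idx[_norm(key)] = emp_id
    return idx

def reconcile(roster, accounts):
    """Sort accounts into: tied to an active person, tied to a terminated person, or unmatchable."""
    idx = build_index(roster)
    result = {"active": [], "terminated": [], "unmatched": []}
    for system, login, owner in accounts:
        # Try the recorded owner field first, then fall back to the login itself.
        emp = idx.get(_norm(owner)) or idx.get(_norm(login))
        if emp is None:
            result["unmatched"].append((system, login))
        elif roster[emp][2] == "active":
            result["active"].append((system, login, emp))
        else:
            result["terminated"].append((system, login, emp))
    return result

def unmatched_ratio(result):
    total = sum(len(v) for v in result.values())
    return len(result["unmatched"]) / total if total else 0.0
```

Accounts in the “terminated” bucket are the clear de-provisioning cases; the “unmatched” bucket is the residue that only a manual investigation can resolve, which is the 10% to 20% the Deloitte article refers to.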


Who is the champion for de-provisioning?

November 27, 2006

When someone joins an organization and needs access to tools and information on the network, there are many champions for provisioning them ASAP.

The person, their boss, their admin, and enlightened IT departments are all eager to get this person productive, and if someone is the bottleneck, they are hounded till they are not.

In fact, if the business process in place does not work fast enough, work-arounds are created. It is common that ‘faux’ records are created so that someone can be provisioned with an email or network login before the official HR record is created.

But, if the faux record stays in the system, who hounds IT till it is out?

How many organizations have you left where your email or access has remained operational for a while or perhaps forever? This is almost the norm rather than the exception. Does anyone hound them to remove this access? Of course not.

No wonder most organizations have thousands of lost or forgotten credentials in their systems.