In this adaptation of the talk I gave at the Gartner Summit, I lay out how identity management, data mining, business processing and analytics come together as Identity Intelligence to address enterprise needs for greater transparency, compliance, risk management and business decision support. Check out the slidecast, which clocks in at a comfortable 20 minutes or so, and learn how we are bridging the divide between IT and the Business, and making security smarter.

Tags: Gartner IAM Summit, Identity Analytics, Identity and Access Intelligence, Identity Intelligence

The 3 case studies presented deal with one issue: Privileged IT Administrators who have complete access to systems, and use it to either systematically abuse your trust or wreak havoc when provoked. In every case, the damage to the organization was substantial, and the steps needed to recover were extreme (I especially liked one companies solution to their potential hostage crisis: put the guy on a cross country flight, and use those 5+ hours to change all the passwords).

It has been well understood for years that insider fraud is a far bigger threat to organizations than anything that could be done from the outside (barring specific domains like national security). Not only do system administrators usually have complete access, but they can move around your network with impunity – no auditing, no oversight, no accountability. In effect, the IT environment that you spend so much time locking down has a wide open backdoor that can be exploited by a small but highly skilled populace to do significant damage. And when you broaden your view a bit, you find that this goes beyond just the system administrators to other “trusted” users as well – employees that use shared, highly privileged accounts to execute transactions that are sensitive and crucial to the business, but could also be abused.

Organizations that take a comprehensive and holistic approach to identity and access management can protect themselves against the possibility of these sort of nightmare scenarios playing out. While the article outlines some basic HR type steps that organizations can take, like better background checks, it doesn’t go into any specifics about how a properly defined identity management program can help in mitigating these risks. So how can IdM address some of the issues brought out by the article? Let’s review.

1) Strengthen Your Core

The core of identity management – SSO, identity administration, provisioning (including de-provisioning) – is obviously essential. Within that, it’s important to realize that one reason shared accounts proliferate is due to its convenience and expediency, because no one wants  the overhead and pain of getting properly privileged accounts. But a well designed access request system, with intuitive self-service, adequate workflow and policy controls and the right level of automation will help organizations avoid slipping into shared account hell – by empowering users without sacrificing security.

2) Avoid Excessive Privilege Accumulation

The article points to classic “privilege escalation” as a culprit, where users are given additional privileges to deal with short term project needs, but then those privileges are never taken away after the need goes away. Over time the user accumulates a large set of privileges that not only allow them to continue to do things long after they should no longer be able to, but can can create a toxic combinations of privileges that gives them the ability to take actions that should never be allowed by policy.

There are a few things you can do to address this problem. First, your identity administration system should support time or context bound privilege escalations. If a user is being given additional privileges because of a specific need, make that grant role-based or time-bound. That way, when the conditions that led to the privilege escalation expire, those privileges get taken away and are not left with the user. Second, make sure to leverage Separation of Duties (SoD) policies, so that you can detect and therefore prevent situations where a privilege grant is going to result in the user having an undesirable combination of entitlements that could be abused. This would be leveraged not only during the initial privilege grant to alert someone with oversight responsibilities (like a manager), but also during an entitlement review, which is the third mitigating control. Periodic entitlement reviews are now essential to combat privilege accumulation and also prove compliance. And entitlement reviews that get triggered when events such as privilege escalation occur not only help in keeping people focused on the problem (instead of it getting buried in the details), but also let your people know that they are being monitored. Getting in-depth and comprehensive insight into your IT environment is key to managing excessive privilege accumulation.

3) Make your Access Context-Aware

This is where we think the future of identity management is headed. Two of the scenarios outlined in the article describe situations where the privileged employee decided that they were going to take drastic action to inflict maximum damage on the company. By profiling the behavior of the user, and comparing the users actions to established patterns, you can detect anomalies that would indicate that some kind of fraudulent activity is underway. The article also talks about “Sally” taking her laptop home and still being able to use high-level privileges. But if your access management system can leverage environmental variables like device IDs, network profiles and IP geo-location as part of its authorization context, then it can limit the use of elevated privileges when the right conditions are not met.

In all these cases, the IdM system, having detected potential fraud, now has the ability to initiate corrective action, like elevating the monitoring of the user activity, up-leveling the assurance of the identity in play by asking additional authentication questions or presenting 3rd party or application data that only the correct user could verify, and even outright denying the user access. By monitoring the full picture of what is actually occurring in real-time, you can detect or prevent fraud. And you can do it without negatively impacting the user experience. In effect, the access adapts dynamically to the user behavior and the risk level of the transactions.

4) Protect Your Keys to the Kingdom

The article points out that “threats from privilege-laden IT employees are especially hard to detect. For one thing, staffers’ nefarious activities can look the same as their regular duties”. And when you have multiple people in the IT staff who know how to utilize these system accounts, it’s hard to pinpoint the exact perpetrator of the actions. That’s why using a Privileged Account Management system is so important. By putting a control system around the most sensitive and powerful accounts that an organization has, you can make sure that you are never going to be in the situation where an employee can hold you hostage. Administrators can no longer go in and change the passwords without the organization knowing, all their activity can be monitored and traced, and their access to the privileged accounts can be cut off in one fell swoop (instead of having to put them on a plane ride to California).

5) Protect Your Data

Sounds obvious, right? But the fact that the current state of affairs means that your DBA can go in and “download 400 customer credit card numbers from your e-commerce server” is all too common. Your database cannot be overlooked in your access management strategy. Organizations need to ensure that their privileged users and DBAs are restricted from accessing sensitive application data, despite having high-level privileges on the database. They need to implement controls to enforce separation of duties and also use solutions like transparent encryption to protect data against unauthorized access by OS level users. And they need to monitor their database configuration on a continuous basis, and audit their users to know who did what and when for accountability.

The Right Tools Make the Plan

The article correctly points out that technology is not enough. “It’s a combination of technical safeguards and human observation that offers the best protection, says CERT’s Cappelli”. On the identity management side of things, however, there are a number of things that organizations should be doing that they don’t. And by putting in place this kind of comprehensive identity management program, with the right controls that constantly optimize and enforce policies that mitigate risk, an organization can help the people in charge be informed, aware, alert and in control. And that sounds like a plan.

Tags: Adaptive Risk Manager, Audit Vault, Database Security, Fraud Prevention, Identity Analytics, Oracle Adaptive Access Manager, Oracle Identity Management, Privileged Account Management

How many times have we heard stories of hospital personnel getting into trouble for accessing patient information for the wrong reasons. Broadly classified under VIP Privacy Protection, we usually hear about it when it involves a celebrity like George Clooney. But having spent some time talking to folks in the IdM and privacy protection practices at healthcare organizations, I have come to understand that it actually covers a much larger set of cases than just entertainers and politicians. For instance, it has to cover cases where people who work at the hospital have to get their own medical treatment there and want to keep it private from co-workers (has been described as an interesting use case for having pseudonymous identities). It must also cover situations where relatives of hospital personnel need medical treatment, but don’t want their family to find out (I heard an extremely interesting, bizarrely tragic, anecdote that I won’t share here, but will tell you over a drink if interested). There are many more such use cases. A side effect of this is that when a major hospital did a review of their records, they found that there were a very high number of cases that were classified as VIP cases. This meant that it couldn’t be handled on an ad-hoc basis.

Now, the prevailing thought has often been that these situations can be handled by putting in strong access controls that prevent privacy violations by restricting access. But in a hospital environment, such preventive controls are anathema, since you do not want a life-and-death situation running up against a case of access denial because the policies are too tight. So, unlike the policies you encounter in financial institutions where you err on the side of being more restrictive, healthcare institutions prefer to err on the side of being more permissive, relying more on trust than security.

This is why Detective Controls take on a far greater role in such environments. The ability to analyze behavior to raise alerts and initiate audit investigations takes on added importance. You can add in additional factors of authentication and notification that not only verify the identity of the individual, but also let them know that what they are doing is being scrutinized more diligently. This can both increase trust in the transactions taking place and also deter folks who may be nosing around in places they shouldn’t be. You also need an analytical system behind the scenes that is intelligent enough to handle “break the glass” situations while also being adaptable enough to be fine tuned and evolve over time – reducing the number of false positives, thereby avoiding the “ignore the fire alarm” mentality that can set in.

There are a few solutions trying to address this challenge, including our own Oracle Security Governor for Healthcare. The best practice is a good blend of both preventive and detective controls, one that has been tuned to fit the operational, regulatory and security needs of your organization. And that is a good lesson no matter which industry you are in.

Tags: Detective Controls, Healthcare IT, Healthcare Security, Identity Analytics, Oracle Security Governor for Healthcare, Privacy

Oracle Security Governor for Healthcare is a governance solution that is aimed specifically at healthcare organizations, where the introductions of various regulations globally and the transformation of healthcare IT has created a number of challenges in the area of patient confidentiality that need to be addressed.

• VIP record snooping
• Medical identity theft and fraud
• Healthcare data theft and fraud
• Coworker, family member and neighbor record snooping

Oracle Security Governor for Healthcare addresses these concerns by providing a solution that helps proactively protect and prevent privacy and security breaches, insider snooping and medical identity theft in an organization. The solution is based on some key features:

• Rapid Incident Detection: Criteria based automated reporting functionality that allows rapid incident detection, case management and investigations.
• Automated Privacy Audits: Allows audits on activities of various entities accessing the applications and reports suspicious activities.
• Accelerated Enterprise-wide Data Retrieval: Allows rapid integration with existing systems.

Architecture

Oracle Security Governor is built on some key products in Oracle’s portfolio, enhanced with some healthcare specific intelligence and artifacts.

Oracle Security Governor for Healthcare Architecture

• Oracle Security Governor for Healthcare leverages the Oracle SOA Suite Adapters (like Database, Log and HL7 adapters) to pull data in from virtually any data source into a central data warehouse.
• In-database data mining and predictive analytics built using Oracle Data Mining is used to detect anomalies and suspicious activity that may have taken place in the past.
• The solution also uses an advanced risk assessment engine (based on Oracle Adaptive Access Manager), which has been pre-loaded with healthcare specific risk and fraud rules to proactively detect incidents.
• Oracle Entitlement Server provides unique risk-aware fine grained authorization on record and data access, cutting down the possibility of unauthorized activity and fraud.
• Finally, Oracle Business Intelligence Publisher is used to provide insight into all of this through risk analytics, reports and alerts.

Benefits

Oracle Security Governor helps deliver significant benefits to a healthcare organization. Some of these benefits include:

• Historical Detection: that can be used as audit trails and for detection of suspicious activities related to access, privacy, fraud and security breaches, that have taken place in the past.
• Real Time Detection: Oracle Security Governor can also be used to detect suspicious and fraudulent activity, in the real time.
• Real Time Prevention: Oracle Security Governor can prevent suspicious activities, in the real time. The activities detected as anomalous or suspicious can either be completely blocked or the end-user can be alerted or required to meet additional security requirements, depending on the deployment needs.

Oracle Security Governor for Healthcare Benefits

Looking Ahead

Oracle Security Governor for Healthcare is just the beginning. In the future, Oracle hopes to use the Oracle Security Governor framework to build more solutions that address challenges faced in other verticals besides healthcare. But that doesn’t mean you have to wait – you can leverage the products mentioned above to build your own security and privacy solutions. Just ask us how.

You can find more information about Oracle Security Governor for Healthcare here on the product page.

Tags: Healthcare IT, Healthcare Security, Identity Analytics, Identity Governance, OOW10, Oracle Identity Management, Oracle OpenWorld, Oracle Security Governor, Oracle Security Governor for Healthcare, Privacy

Directory Services

Sun Directory Server Enterprise Edition (DSEE) and Oracle Internet Directory (OID) will co-exist as strategic products (contrary to some interpretations out there). This is because each product has a unique set of capabilities that address different market segments and use cases. Oracle will innovate both directories, which includes adding some of the administration, reporting and systems management capabilities that have been built for the OID and OVD products to the DSEE product. Sun DSEE will be re-branded as Oracle Directory Server Enterprise Edition.

Meanwhile, Sun OpenDS will continue as an open-source project.

Oracle Virtual Directory will be the strategic product for identity virtualization.

Access Management

Oracle Access Manager will be the strategic product for web single sign-on. Sun OpenSSO will continue on as an open-source project for the community.

Sun’s Fedlet capabilities will be integrated into Oracle Identity Federation, which will be the strategic product for Federated Single Sign-On.

Sun’s Secure Token Service will become part of the Oracle Access Management Suite going forward.

Products that aren’t impacted by the Sun acquisition, and therefore remain strategic for their specific areas are Oracle Entitlement Server (fine-grained authorization), Oracle Adaptive Access Manager (strong authentication and risk-based access management), Oracle Web Services Manager (SOA + Web Services security) and Oracle Enterprise SSO (SSO for Desktop and Mainframes).

Identity Administration

Oracle Identity Manager will be the strategic identity administration and provisioning product moving forward. Sun Identity Manager, re-branded as Oracle Waveset (didn’t think I’d hear that name again outside of reunions), will be maintained for quite some time, and some of its key features like IDE integration and tamper-proof auditing will be integrated into OIM.

Identity Governance

Sun Role Manager will be re-branded as Oracle Identity Analytics and will become the strategic identity governance product in the Oracle Identity Management Suite. It will provide capabilities in the area of role mining, compliance attestation, and identity dashboards and reports, and will be enhanced to leverage some of the best-of-breed capabilities that Oracle has in the area of business intelligence and data mining. Note that role lifecycle management capabilities continue to be offered currently via the Oracle Role Manager product.

General

Throughout this acquisition, Oracle’s focus is on the customer. We want to make sure that customers continue to remain successful in their projects, and get value from the investments they have made. This is reflected in some of the strategic decisions made, and in points made throughout the webcast:

• In most cases, Oracle will be developing migration tools to help customers move to the new strategic products.
• Oracle will be providing support and maintenance for all the Sun products for a very long period of time, including lifetime support in certain cases.

Obviously, there will be a lot more information coming in the next few weeks/months. Stay tuned, and check out oracle.com/identity for more information.

Tags: Identity Analytics, Identity Governance, OpenSSO, Oracle Access Manager, Oracle Identity Management, Oracle Identity Manager, OracleSun, Oracle_IDM, Sun Directory Server, Sun Identity Management, Sun Identity Manager, Sun Role Manager