Is This Your Security Solution?

And then there was the notice we got from our building management asking us to tape up our windows. It had very specific instructions on the  pattern in which to lay down the tape. And of course they had tape for sale in case we didn’t have our own. Looking around, we could see a number of other windows where tape had been put up. So, following instructions and the trend, I started the exercise. After one window, I stood back and questioned the wisdom of doing this. It really didn’t seem like this tape was going to do much against any force strong enough to shatter the double-paned glass we had. A quick check on the web turned up enough “myth-shattering” articles (especially from official sources) to make me and my wife realize that the exercise was pointless. It was patently obvious that the tape was not going to prevent the glass from shattering, or keep the shattered pieces from flying around the room.

Yet all around us, people were spending precious time putting up tape. Why? Because they felt like they were doing something – something that would keep them safe, something they could point to and say “well, at least I tried”.

The analogy with how security and risk management goes in IT is laughably obvious. It’s classic security theater – getting a false sense of security for having done something that is of no benefit whatsoever, but which (literally) helps you sleep better at night. The real issue here is not the waste of good tape, but the fact that doing something like this actually increases your risks. Believing you’ve actually reinforced the windows could lead you to make the mistake of actually sleeping close to a window and putting yourself in harms way. And feeling that this option exists keeps you from actually analyzing the situation properly and taking the steps you really should take, like putting up hurricane shutters or installing hurricane proof glass. Keep in mind that you need to assess your risk accurately instead of going overboard, because while installing hurricane shutters may be a tad too much in an area like ours where hurricanes are (gratefully) a rare occurrence, it really should be top of mind if you’re down in Florida.

It’s also important to understand the psychology underlying these wasted efforts. All too often, “tape jobs” are last minute efforts that stem from a lack of planning. If you analyze your threats proactively, you have time to properly measure your windows and install hurricane shutters. But if you push things out and end up reacting to the news that a hurricane is coming – well, then you’ve run out of time to do a good job, the store is probably out of shutters and even plywood, and there’s little you can do at that point except retreat. How many times have we come across organizations that are under the gun to evaluate software, deploy and get a recertification process done in a completely unmanageable timeline because they failed an audit?

So if you’ve been pushing out that risk assessment, get on it now. Or you might just end up standing in a long line at the neighbourhood hardware store buying a roll of tape that will do absolutely nothing for your reality.

[Cross-posted from the Identropy blog]

Tags: Best Practices, Risk Management, Security, Security Theater

1. the need for financial institutions to perform risk assessments against an ever-evolving threat landscape,
2. the need to implement and constantly adjust a layered security strategy to mitigate the identified risks, and
3. the requirement to raise customer awareness of potential risks through education programs.

The most telling aspect of the enhanced guidance seems to be its recognition of the fact that the threat landscape is not just different from what existed in 2005, but constantly evolving. Without actually stating this explicitly, the guidance attempts to make the point that this constant evolution means that any guidance put forth will become defunct pretty quickly, and places responsibility on financial institutions to make the effort in understanding the risks they face (through periodic risk assessments) and continuously improving their security posture in response. Personally, I would have liked to have seen them be much more explicit and take a much harder line on this, because multiple case studies and anecdotal evidence suggests that far too many banks put in the minimal effort necessary to simply comply with the letter of the 2005 guidance without attempting to be true to its intent.

An Emphasis on Risk-Based Authentication

The guidance brings out the need for financial institutions to create a more accurate and granular model of their risks based on a much wider variety of factors than previously described – the evolving threat landscape, the changes in the nature of their customer base and the kinds of transactions being done online. A more accurate calculation of the transactions risk must then be mapped to appropriate security controls, both at the time of the initial authentication (logon) and at the time of the transaction itself. The supplement (smartly) brings out the need to factor in contextual information – from environment variables like device identification and time of day to detection of anomalies in behavior patterns – in any risk calculation. Interestingly, both anomaly detection and privileged account management are emphasized in the security architecture.

Calling Out Outdated Techniques

Both device identification (through cookies) and challenge questions are called out as having to be enhanced from their previous “simple” models to more sophisticated, or “complex” models. While the enhancements recommended in both cases are improvements, I don’t believe they go far enough. In the case of challenge questions, for instance, it recommends

1. increasing the number of challenge questions asked (without actually giving a number, so in theory just increasing from 1 to 2 is good enough),
2. avoiding challenge questions that can be answered by mining the users information through online searches and social networks,
3. including a “red herring” question that a fraudster would attempt to answer but a legitimate user would not (huh?), and
4. using only a random subset of the challenge questions that the user has provided answers for in a single session.

This guidance fails to take into account that this is actually hard to implement without neutering its effectiveness. Forcing users to set up more challenge questions usually leads to selection of easily guessable answers, and more helpdesk calls. The 2nd item above is very subjective, and the harder you make the questions, the more likely the legitimate user will mess them up too. And I don’t even know how the 3rd item is supposed to work.

Also of note, the guidance does point out the decreased effectiveness of multi-factor authentication (even though it was probably drafted before the RSA breach compromised SecurID tokens). It does however advocate it’s use as one of the many controls in a layered model. Out-of-band authentication mechanisms (like those delivering One Time Passwords over SMS) get a fair amount of time in this paper as a practical solution.

Whats Missing

I was disappointed that the guidance didn’t talk more clearly about passwords, and the need to really educate consumers about both better policies and their inherent ineffectiveness. And I think the fact that there was not a single mention of federated identity, especially in the context of “Business/Commercial Banking”, was a real missed opportunity for the FFIEC to move the discussion towards a better security architecture. I’m sure Stephen Wilson is not surprised by that, though.

Looking Forward

The guidance will go into effect starting January 2012, so there will probably be some banks scrambling to understand what the implications are for the controls they have already deployed. Smarter institutions that have been paying attention to the security landscape all along will probably find that they are in good shape, but a lot who did the bare minimum and want to meet these guidelines will face some serious work. I predict an uptick in the interest that risk-based security products like Oracle Adaptive Access Manager will garner in the market. The emphasis on staying up to date with the ever evolving threat landscape will create a requirement for more dynamic security products that aid not just in enforcing stronger controls, but in assisting with the periodic risk assessments (Identity Intelligence, anyone?).

But the fact that this is guidance and not regulatory mandates means that a lot of institutions will continue to pay lip service to it. Which is why the real emphasis needs to be on changing the fundamental security architecture underlying (and infiltrating) enterprise IT. The consumerization of IT will probably play a far bigger role in driving this change than the FFIEC guidance will. Time will tell.

Tags: Federated Identity, FFIEC, Identity Context, Multi-Factor Authentication, Online Banking, Oracle Adaptive Access Manager, Passwords Must Die, Risk Management, Security Architecture

As the article described, part of the banks security infrastructure included risk-based security based on RSA’s Cyota product, which “rates the riskiness of transactions by using several factors, such as the location of a user’s Internet address, when and how often the user logs in, and how the customer navigates the site”. This actually provides a much better layer of protection than simply authenticating the user based on passwords. Context-based security is a key element in the multi-layered security architecture that is the future of enterprise security, as I laid out in my recent talk.

But the bank actually made a big mistake in it’s implementation. As the article describes, the bank reduced the threshold for kicking in the 2nd factor (challenge questions) to $1, effectively eliminating that component from their security architecture. They might as well have not had it, because they were completely ignoring any kind of risk calculation that was being done.

In other words, all they had was “password+challenge questions”!

And as we have talked about ad nauseam, in this day and age this is simply not enough. Passwords and challenge questions are nowhere near what I would call adequate security for an environment that would include high risk transactions (like bank transfers). And while there will be great resistance to any (strong authentication) solution that would appear to increase friction for the user in executing their transactions (witness the continued lack of pins for credit cards in the US), I think the tides are changing with respect to users understanding the risks and wanting more from their online security.

Risk based security models also need to involve monitoring and alerts, even denial of access, for exception conditions (like a new device ID being used). And the 2nd (or 3rd, or…) factors employed must be commensurate with the nature of the online transactions. Challenge questions may be fine when we’re talking about a low risk consumer site like a gaming site (though even they have gone beyond these). Higher risk sites should employ more sophisticated factors like out of band challenges (the occasional SMS based challenge, or voice-based identification, for instance), so long as it is used with the correct risk scoring to trigger it. And despite the naysayers, I do believe externalized identity providers could help serve this market.

Crucially to all this, the FFIEC seems to recognize that security threats have evolved dramatically since their guidance was issued in 2005, and are preparing an update. From all indications, it would seem to put much more responsibility on the shoulders of financial institutions, asking them to put in place greater measures based on layered security to address fraud and attack vectors like Man-in-the-X attacks, and much more. Unfortunately, it will be too late to help Patco Construction. Let’s just hope other businesses are paying attention and getting ahead of the curve.

Tags: FFIEC, Identity Context, Multi-Factor Authentication, Online Banking, Passwords Must Die, Risk Management, Security Architecture

BT (Robert McCausland & Peter Boyle) and Oracle (the ever dapper Christian Patrascu) accepting the European Identity Award from Martin Kuppinger & Tim Cole

The Solution

BT MFR brings together a comprehensive suite of fraud reduction capabilities under a single service. Device recognition, location recognition, behavior recognition and comprehensive policy enforcement through a customizable ruleset (powered by Oracle Adaptive Access Manager) provide granular risk assessments, returned in real-time so that even digital services requiring instantaneous delivery can be risk assessed for suspected fraud.

This functionality is all strung together and orchestrated by an Oracle Service Bus and accessed via web service calls. The routing and transformation layer that OSB provides allows for the augmentation of all the transaction data presented which can subsequently be used in a much richer risk assessment. The sources of such checks could be external URU or internal to the enterprise based on intelligence they’ve built up over years.

Risk assessments from multiple services can thus be aggregated to provide a single response to the protected application, containing all the information required to determine whether any transaction should continue forward.

Thanks to this unique design the service is also able to evolve, with new services integrated into the overall risk assessment procedure as they become required or available, without impacting the single web service call that the customer needs to access this battery of anti-fraud protection.

The Benefits

BTs Managed Fraud Reduction service has brought together a unique set of capabilities that address online fraud in ways that adapt to the organizations specific needs:

• Most online retailers cannot afford to issue password generating tokens to a fickle and ever-changing user-base. so a risk assessment based on transaction parameters such as device recognition and location provides a different way to achieve greater security.
• Online retailers providing digital goods or services cannot wait until shipping to review transactions (as delivery is immediate) so a system based on real-time assessment is greatly beneficial.
• Financial service providers need to assure funds transfers and payments within increasingly short windows (due to regulations such as ‘Faster Payments’) so real-time responses are essential.
• Gaming and leisure services are reliant on age-verification, so require identity verification score aggregated with the normal risk assessment. MFR allows the integration of such additional web services and will launch with BT’s URU identity verification available as an option.
• With the BT MFR service in place, customers can demonstrate to auditors that fraud prevention strategies are in operation and as a cloud service allows them to demonstrate this at a fraction of the cost compared to a self build strategy.
• With a robust fraud solution in place, customers can demonstrate to merchant acquiring banks that liability has been reduced.
• The architecture removes the need for the customer to contract separately with multiple vendors providing identity and fraud related services.

Addressing all market sectors and territories, fully customizable and simple to use, BT Managed Fraud Reduction service is an evolving one-stop solution to the ever-changing challenge of online fraud. And Oracle is proud to be a part of the solution.

Tags: BT, EIC11, European Identity Award, European Identity Conference, Fraud Prevention, Identity Proofing, Managed Fraud Reduction, OAAM, Oracle Adaptive Access Manager, Oracle Identity Management, Oracle Service Bus, Oracle_IDM, Risk Management

Their solution was built around SmartSoft’s SRM (Smart Risk Manager) Fraud Management System and Oracle Adaptive Access Manager, our solution in the area of strong authentication and proactive, real-time fraud prevention. SmartSofts’ expertise in EMV and payment card systems means that they understand credit card fraud at a deep level. This understanding is the basis for the fraud controls that SRM introduces at the merchant and issuer sides, detecting fraud in real-time and taking just-in-time precautions and actions. The bank has been using SRM for over 2 years to secure their credit and debit card operations.

The Challenge

The bank wanted to bring the same level of fraud management that they had achieved with their credit and debit card operations to their internet banking channel. This would require understanding the mechanisms of internet banking fraud, enable comprehensive and automated tracking of online transactions, and use this to identify instances of frauds in real time. The bank also wanted to make sure that they fully complied with international and domestic regulations for internet banking.

The Solution

In order to do this, the bank worked with SmartSoft and Oracle to add OAAM Adaptive Risk Manager (ARM) into their fraud controls system. ARM is OAAM’s back-end, proactive real-time fraud detection product, providing a behind-the-scenes comprehensive anti-fraud software solution. ARM provides a strong second and third factor of security by verifying a host of factors used to confirm identity – from device characteristics (the computer and mobile device used to login) to a user’s location and online behavioral profiles. Adaptive Risk Manager can also trigger numerous actions based on its analysis, such as challenging or blocking the user.

For the deployment, the project team conducted a broad analysis of requirements in terms of internet banking fraud rules, and configured more than 50 OOTB rules in OAAM’s rule engine. They also developed an advanced scoring mechanism for real-time analysis of each transaction’s fraud probability, aimed at achieving a detection rate of nearly 99% of all fraud attempts.

An information channel was defined between OAAM and SRM, whereby the two systems can enrich each others decision-making data. For interactions originating in the internet banking channel, OAAM can calculate risk levels and notify SRM about high risk transactions. Conversely, SRM can send fraud data for risky transactions it encounters to OAAM for use in its behavioral analysis. This integration between the two systems makes the fraud analysis richer and more reliable.

On top of this, the bank’s fraud analysts are using existing reporting capabilities and Oracle BI Publisher for deep down reporting and trend analysis to identify zero-day fraud patterns. Case management also enabled the organization to take care of risky activities and provide flexible service to end-users in real time.

The Results

The bank deployed OAAM in just three months, providing the bank’s fraud analysts with comprehensive visibility and monitoring capabilities for internet banking transactions. With the deployment in production, the bank was able to achieve a previously unmatched level of security for internet banking and fully ensure Şekerbank’s compliance with international and domestic regulations. They were also able to realize a decrease in operational costs for surveying internet banking transactions of ~70%, as now only 2% of all transactions require manual control following a system alert.

It’s always good when you come across a success story like this one, and when especially when the project teams get the recognition they so richly deserve (but seldom get). Kudos to them on the success of the project and the award.

Tags: Adaptive Risk Manager, EIC10, EIC2010, European Identity Conference, Fraud Prevention, OAAM, Oracle Adaptive Access Manager, Oracle Identity Management, Risk Management

Kurt Johnson at Courion blogged about a ruling in a case (LVRC Holdings v. Brekka) regarding wrongful use of enterprise accounts by an employee after being terminated. Read his post for a more detailed description of the case and the ruling, but it basically boils down to this: It is the employer’s responsibility to terminate access, and therefore the (terminated) employee did no wrong by using it since their access was not taken away.

I’ll stay out of the moral/ethical implications here, but what this means to a business is that making sure you take away access from your employees/contractors when they shouldn’t have it any more has suddenly become a much higher priority. Because if that person uses their accounts to do anything when you no longer want them to, it is not their fault, it’s yours. Ensuring prompt revocation of access was always good business practice, but now it becomes a business imperative because your legal protections (employee contract be damned) are greatly weakened.

When compliance became a bigger driver for IAM than IT efficiency, the approach to rolling out identity management projects did evolve to reflect this kind of thinking. But this case is as good a reason as any to reiterate what we have been preaching for years now – that your IAM deployment must have both proactive and detective controls in place to ensure compliance. The proactive control in this instance is Deprovisioning, while the detective control is Attestation.

A common best practice staged approach (thought not the only one) to IAM projects that incorporates this idea is:

• Start by building up your Who-Has-What database (either in your provisioning product or in your identity governance product)
• Put in place a periodic attestation process to force review and sign-off of user access by those in the know (managers, application owners)
• Create a deprovisioning project. Start off with manual processes that are triggered off your HR and Contractor management systems. Evolve to an automated process over time, which should include linking your attestation process to your deprovisioning process for handling rogue accounts
• Start rolling out request-based provisioning for application access. Start with manual processes and evolve to automated processes in a phased manner
• Start working on a role management project as a way to implement role-based provisioning. Again, follow a phased approach.

The stakes in the IAM game just got a little bit harder. Make sure your project has these goals in its sights.

Tags: Attestation, Audit & Compliance, Compliance, Deprovisioning, Risk Management, Rogue Accounts

I’ll be taking part in two of their panel discussions, one on the topic of Separation of Duties (SoD), and the other on the topic of Attestation (or re-certification). Both are on Wednesday, December 9th:

• How to Efficiently Implement SoD Controls: Which Level Works?
  • 11am EST| 8am PST | 5pm CET
• How to Start: Recertification or Active Access Controls First?
  • 12pm EST | 9am PST | 6pm CET

Both panels will be focused on determining the right approach to rolling out these solutions, and where they should fit into your overall IdM program. This sometimes become a vendor driven conversation, so the opportunity for fireworks is always there.

Check out the conference if you have time. It’s virtual, so you can do it from the comfort of your home/office (which is always good in the winter). And it’s free (you can’t beat that)! Should be an interesting discussion.

Tags: Access Governance, Attestation, Conference, Identity Governance, Risk Management, Separation of Duties, SoD

The session had a nice flow to it, starting with a vendor presentation (Oracle, of course), followed by an analyst presentation (Bob Blakley and Lori Rowland from the Burton Group) and concluding with a customer presentation (our old friend Ramin Safai from Barclays Capital). Getting to discuss identity management from all points of view was quite a valuable exercise, and I gleaned lots of useful nuggets.

Security Inside Out

Amit Jasuja (who heads up the Identity Management team at Oracle) kicked off the day by talking about “Security Inside Out“, Oracle’s new message on putting together a complete security practice by bringing together Database Security, Identity Management and Information Rights Management. Weaving all of these elements together allows an enterprise to get a complete handle on the nature of their security risk across all tiers – database, middleware and application – and in all contexts – data at rest or in motion, internal users vs. external users, and so on. This led to a lot of discussion on moving towards risk-based identity management, which can be more adaptive to an enterprise’s needs and allow identity management to be a business enabler, not a hindrance.

One of the concepts I particularly liked was using identity management to enable “Break The Glass” scenarios that allow for contextual security decisions. In such a scenario, a user who ordinarily does not have access is allowed to get access but with added controls (like heightened audit, approval and attestation) to address the unique, emergency-like situation that presents itself. Being able to adapt to sensitive contextual situations without sacrificing on security and compliance is a powerful message that resonates in the enterprise world. Another topic that proved fertile for conversation was for risk-based IdM to leverage One-Time Passwords delivered via SMS or over land-line phones in order to implement higher levels of identity assurance (LOA). As two-factor authentication goes, enterprises increasingly view this as an attractive way to increase levels of assurance without having to invest in tokens and biometrics.

Complete Security

The Burton Group team talked about the state of identity management in the market today, especially emerging trends and hot-button topics. Lori validated my observation that cloud computing is going to have a huge impact on the future of identity management, and gave a nice shout out to my OpenWorld session on the topic. One of the interesting takeaways from their talk was this point that Bob made about achieving complete security: An enterprise needs to have preventive controls that allow business to be conducted as usual but flush the bad guys into the open, where detective controls can identify them and their activities, which would then allow responsive controls (aka the cops) to take action.

Down In The Trenches

Ramin then gave a customers perspective on implementing identity management – from “down in the trenches”, as he called it. There were a lot of good lessons in his talk – about scoping the project correctly and dividing it into small, achievable mini projects that demonstrate ROI, about the processes and architecture they put in place to ensure success of the project, and some of the achievements they had with their IdM implementation, especially when Barclays acquired Lehman Brothers. One of the major points made in the room during discussion was that security within the enterprise needs to be driven top down by an “Executive Governance Board” in order to achieve  consistency and completeness. It cannot be done piecemeal at the IT level.

I love taking part in sessions like these, as it is great to be able to hear so many different perspectives. And thanks to Greg Belanger from the Apollo Group for giving me a shout out during the analyst discussion on Oracle’s differentiators in the identity management area. The point he was making about Oracle demonstrating vision in IdM is an important one that we are very serious about here, and I am glad to be a small part of that.

Tags: Identity Assurance, Identity Controls, OOW09, Oracle OpenWorld, Risk Management