Protecting Your Data with Novell Compliance Management Platform

Integration of IAM and SIEM Crucial to Regulation Compliance

Written by Eric Harper

Most organizations today are governed by one or more of the regulations directing the protection of personal information. These regulations, such as HIPAA or PCI DSS for example, were written to control the collection, storage, maintenance, distribution and disposal of private data. Most of these guidelines include somewhat vague mandates to “protect” or “restrict access to” customer, patient or member data. Consequently, many vendors have come forward to help organizations comply. And most modern identity and access management (IAM) products do a fine job of validating identity, provisioning resources and enforcing access roles.

However, IAM covers only part of the rules. Another important aspect of these regulations involves data access auditing. Auditors want you to track what happened, when it happened and who did it. Again, a large number of security information and event management (SIEM) vendors are able to satisfy the audit-log requirements of these various rules, laws and regulations. And again, most SIEM products do a good job aggregating security data from throughout the organization.

Without Novell: Two Silos, No Communication

The result is two distinct sets of data: one set controls who has access to the organization's resources (through the IAM access policies) and another set shows who is accessing the organization's data (via the SIEM system). Unfortunately, they're usually not very good at talking to each other, causing all sorts of problems. Here's one example:

In January 2010, Lincoln National Corp., a financial services company based in Radnor, PA disclosed a security vulnerability that may have leaked the personal data of 1.2 million customers. An investigation revealed that some employees of Lincoln National and another one of its subsidiaries, Lincoln Financial Advisors, were using shared user names and passwords to access the portfolio information management system. Six shared user names and passwords, which were created as early as 2002, were found.

Obviously, sharing user names and passwords was a violation of Lincoln National's security policy. But they lacked a system that would have noticed whenever two different people logged in with the same username at the same time. If they had such a system, security personnel could have been notified, those users sharing credentials could have been identified, and the policy violation could have been rectified. Because there was no integration between the IAM and SIEM systems, the policy violation went on for eight years.

And here's the really scary part. The vulnerability was discovered in August of 2009 (five months before Lincoln National disclosed it), but not by Lincoln National! Someone sent an anonymous tip to the Financial Industry Regulatory Authority (FINRA), which notified Lincoln National. A forensic security company was hired to investigate, and they're the ones who found the violation. Unfortunately, it's fairly common for an outside party to discover security problems like this.

According to the “2010 Data Breach Investigations Report” from Verizon Business, while 86 percent of data breach victims had evidence of the breach in their audit logs, 61 percent of victims didn't uncover the breach themselves—they were notified by a third party! As the report states, “Verizon's past research consistently finds that breaches are not found by the victim organization but by an outside party.” How'd you like to be the one who got that call?

Not only do organizations regularly fail to discover evidence of breaches in their own audit logs, but the length of time needed for a third party to discover the breach is inordinately long. The Verizon Data Breach report notes that fully 70 percent of breaches go undetected for months or more. In fact, “Over the last two years, the amount of time between the compromise of data and discovery of the breach has been one of the more talked about aspects of this report. It is not without reason; this is where the real damage is done in most breaches. That a breach occurred is bad enough but when attackers are allowed to capture and exfiltrate data for months without the victim’s knowledge, bad gets much worse.”

If only Lincoln National had had a solution that integrated their IAM and SIEM systems in real time—a system that constantly correlated identity, access and policy information, as the events happened, across the entire enterprise. With such a system in place, whenever anomalous activity occurred, the proper people could have been notified immediately—not months after the damage had been done, and not by a third party. If Lincoln National had had a system like the Novell Compliance Management Platform, they could have avoided the embarrassing public disclosure and regulatory admonishments.

If Lincoln National had the Novell Compliance Management Platform, it could have uncovered the sharing of user names and passwords when that activity first occurred—eight years before the bank became aware of it.

The Novell Compliance Management Platform can tell you which users have been provisioned for a particular application, which employees are actually using the application, when they use it and what they do within the application. Only the Novell Compliance Management Platform can monitor those activities, not just for audit purposes, but to intervene—with remedies—at the time the activity is occurring.
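The two checks described above, shared-credential detection and provisioned-versus-actual usage, as an added Python example that is not Novell's code and not from the article; the provisioning records, usernames and hosts are constructed here for illustration:

```python
# Constructed sample data (not from the article): the IAM side's provisioning
# records and the SIEM side's logon/logoff events for one application.
PROVISIONED = {"portfolio-app": {"jsmith", "ahuang", "rkumar"}}

EVENTS = [
    # (ISO timestamp, application, username, source host, event type)
    ("2010-01-04T09:00:00", "portfolio-app", "jsmith", "ws-101", "logon"),
    ("2010-01-04T09:20:00", "portfolio-app", "jsmith", "ws-227", "logon"),
    ("2010-01-04T09:45:00", "portfolio-app", "jsmith", "ws-101", "logoff"),
    ("2010-01-04T10:00:00", "portfolio-app", "jsmith", "ws-227", "logoff"),
    ("2010-01-04T10:05:00", "portfolio-app", "ahuang", "ws-310", "logon"),
    ("2010-01-04T10:30:00", "portfolio-app", "ahuang", "ws-310", "logoff"),
    ("2010-01-04T11:00:00", "portfolio-app", "svc_old", "ws-999", "logon"),
]


def find_violations(events, provisioned):
    """Correlate SIEM logon events against IAM provisioning data.

    Alerts on (a) a logon by an account IAM never provisioned for the
    application and (b) the same username becoming active from a second
    host while a session from another host is still open (a shared credential).
    """
    alerts = []
    active = {}  # (app, user) -> set of hosts with an open session
    # ISO 8601 timestamps sort chronologically as plain strings.
    for ts, app, user, host, kind in sorted(events):
        key = (app, user)
        if kind == "logon":
            if user not in provisioned.get(app, set()):
                alerts.append(("unprovisioned-account", app, user, host, ts))
            for other in active.get(key, set()):
                if other != host:
                    alerts.append(("concurrent-shared-login", app, user,
                                   other + "+" + host, ts))
            active.setdefault(key, set()).add(host)
        elif kind == "logoff":
            active.get(key, set()).discard(host)
    return alerts


def never_used(events, provisioned):
    """Provisioned accounts with no logon at all: candidates for revocation."""
    used = {(app, user) for _, app, user, _, kind in events if kind == "logon"}
    return {app: sorted(u for u in users if (app, u) not in used)
            for app, users in provisioned.items()}
```

Run against the sample data, the first alert fires at the 09:20 logon, the moment the second person started using jsmith's credential, rather than years later during an outside investigation.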

You may have also heard about the case of France's second-largest bank, Société Générale. In 2008, they reported that "rogue" trader Jerome Kerviel had misappropriated over US$7 billion—the single largest fraudulent act ever in the securities industry. Apparently, Kerviel built up entitlements as he moved from one position to another, and from one department to another. Société Générale had policies in place prohibiting this accretion of entitlements. These policies specifically forbade someone with one authorization (such as invoice approval) from having other authorizations deemed to conflict (such as check signing). But Kerviel didn't simply acquire authorizations for his own account; he also tapped into accounts shared among traders (and others) in violation of the bank's policies.
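The entitlement accretion and separation-of-duties conflict just described, as an added Python example that is neither Novell's code nor anything from the article; the job-move history and the trading-desk entitlement pairs are constructed here, and only the invoice-approval/check-signing conflict comes from the text:

```python
# Constructed sample data (not from the article). Each job move records the
# entitlements the new role grants; the invoice-approval / check-signing
# conflict is the one the text cites, the trading pairs are made up here.
MOVES = [
    # (username, date of move, new role, entitlements granted by that role)
    ("jdoe", "2005-03-01", "middle-office", {"trade-confirmation", "position-reconciliation"}),
    ("jdoe", "2007-06-15", "trader", {"trade-entry", "trade-amend"}),
    ("mlee", "2006-01-10", "accounts-payable", {"invoice-approval"}),
    ("mlee", "2008-09-01", "treasury", {"check-signing"}),
]

# Separation-of-duties matrix: pairs of entitlements one person must not hold.
SOD_CONFLICTS = {
    frozenset({"invoice-approval", "check-signing"}),
    frozenset({"trade-entry", "trade-confirmation"}),
    frozenset({"trade-amend", "position-reconciliation"}),
}


def _by_user_then_date(move):
    return move[0], move[1]


def accumulate_without_revocation(moves):
    """Provisioning that grants on every move but never revokes (accretion)."""
    held = {}
    for user, _date, _role, grants in sorted(moves, key=_by_user_then_date):
        held.setdefault(user, set()).update(grants)
    return held


def reprovision_on_move(moves):
    """Provisioning that replaces the old role's entitlements on each move."""
    held = {}
    for user, _date, _role, grants in sorted(moves, key=_by_user_then_date):
        held[user] = set(grants)
    return held


def sod_violations(held, conflicts):
    """Map each user to the sorted list of toxic entitlement pairs they hold."""
    report = {}
    for user, entitlements in held.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= entitlements]
        if hits:
            report[user] = sorted(hits)
    return report
```

Running sod_violations over both provisioning models shows the point of the passage: the accreting model leaves both users holding a forbidden combination, while re-provisioning on each move leaves none.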

Industry-leading Technologies

Novell has been in the identity and security business for over a decade. In that time, they've built a host of technologies—such as Novell Identity Manager, Novell Access Manager and Novell Sentinel—that are considered industry-leading technologies. Novell is positioned in the Leader's Quadrant of Gartner Inc.'s Magic Quadrant for User Provisioning, Magic Quadrant for Web Access Management and, most recently, its Magic Quadrant for Security Information and Event Management.[1]

Conclusion

Examples such as the data breach at Lincoln National and the fraud at Société Générale show how companies continue to struggle with issues of policy compliance. Novell delivers a platform that provides a real-time view across the entire enterprise to mitigate the risk posed by internal and external threats and, ultimately, to ensure an organization's image, brand and reputation are safe.

The Novell Compliance Management Platform combines powerful technology with documented best practices to provide the only real comprehensive approach to policy compliance.

To learn more about the Novell Compliance Management Platform and how it can help organizations bolster security, go to:
http://www.novell.com/promo/home/.

[1] The Magic Quadrants are copyrighted 2009 and 2010 by Gartner, Inc. and are reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Novell Connection Magazine

© 2011 Novell, Inc. All Rights Reserved.