True Identity Management: Watch the Gamblers

To learn about good IT security management practices for your enterprise, take a lesson from a casino.

by Steve Woo

Have you ever visited a casino’s surveillance room? There are rows of TV screens capturing all activity at the tables and the people passing through. There are fixed cameras over every slot machine and blackjack table, and discrete cameras catching each and every action and event. These cameras can track one visitor as he or she plays at the table, cashes in chips, walks through the casino, hops on the elevator, and enters a hotel room on the twenty-fifth floor. This is a huge leap from the surveillance systems of 30 years ago: just a couple of expert gamblers watching from the two way mirrors in the ceiling.

Now, imagine this scenario: there’s a man at a blackjack table. He’s sitting alone, sipping drinks, upping his bet again and again. He’s won the last few hands without breaking a sweat and his face remains stone cold. He adds yet another chip. The casino management has already identified who this patron is the minute he walked in the door and scanned his “frequent player” card in the lobby.

The surveillance officer now zooms in on the monitor to get a closer look. The officer watches his behavior from the surveillance room and compares it to the previous day’s behavior, while a pit supervisor walks by to check him out in person. Is he cheating? Is he a pro? Is it beginner’s luck? Why take your chances? The casino, for the sake of good business, needs to monitor all gestures, movements, and behaviors to decide what to crack down on and what to let pass.

The ultimate goal of your business’s identity and access management (IAM) initiative is not so different from this casino scenario. Organizations should have the ability to continuously track, change, or terminate each user’s role and his or her complete interaction on the network to ensure essential business data remains protected. For those organizations that are mid-stream in their IAM deployments (and even for those with mature IAM deployments), there are still gaps in discovering “who is doing what and where” and in verifying behavior when someone is on the network.

Blink and You’ll Miss Them

IAM projects, on average, take two to five years to implement, according to leading analyst firms. In the meantime, thousands of users and roles must be defined, tracked, and updated. Originally, many of these users” identities are stored in legacy or non-integrated systems, so a (usually grueling) manual process is required to rectify the approved list. With so much information to sort through, mistakes are inevitable, and inappropriate users are going to make their way onto the system.

There will be duplicate naming schemes, incomplete files, and undeclared fields, all of which create potential security and operational gaps. Companies that have experienced this have sought identity-aware behavior monitoring to accompany and strengthen their IAM processes both during and after implementation.

Identity-based monitoring can help you discover who is doing what and where across the network so you can establish proper roles and rules. This practice also helps keep user access in line with your business rules while the IAM project ramps up. Monitoring helps reduce the workload of network administrators by providing alerts when users try to go through a back-end system to bypass existing controls and access programs for which they have no authorization. This is an especially important capability as you add contractors and outsourcers on the system; after deploying an IAM solution, the same monitoring can be used to verify that users are doing what they should.

Even the Good Ones Can Turn on You

It’s good business to forge close relationships with partners, customers, contractors, and employees. To help your business become more agile and profitable, you need to give these groups access to important systems and data. However, just as most casinos keep an eye on their dealers and employees, so should you. Take the world-renowned casino cheater, Richard Marcus. A once-legitimate dealer at the Four Queens, Marcus cheated the casino from the inside and ended up stealing more than $20 million from several casinos in his 25-year career. You need to approve your insiders” identities, monitor their activity, and confirm the correct transactions occur. Monitoring can be used to compare what employees are doing with what they should be doing.

Even if you do trust everyone on your internal network, the risk remains. Most vulnerabilities result from carelessness rather than intentional misuse. According to a March 2007 study by the University of Washington, there were more reported incidents in 2005 and 2006 than in the previous 25 years combined, and 60 percent of those incidents came from insiders and/or organizational mismanagement (see note 1). Clearly, there must be big improvements un controlling users” activities on the network and in protecting internal assets.

Thus far, the security market has failed to provide enough visibility and control over insiders’ behaviors, and we’ve seen the results in a rash of laptop losses and data thefts. To fix the problem, many organizations have deployed point solutions such as NAC and IDS, which can sometimes leave gaps when verifying certain network activity. Identity and access management, combined with real-time behavior monitoring, verifies who is doing what and where to prevent risks and threats. With this type of monitoring, you can target where the highest risk behavior is occurring—whether it’s by the roulette table or inside the accounting files—and instantly track it back to an individual user so you know what to address first.

The Stakes are High

Your monitoring solution can help IAM provision and revoke the roles of your employees, patrons, and contractors. It will help you decipher if a user should be on the network, and doing what he or she should be doing. Monitoring will help you verify if the business rules and controls you’ve set in the IAM system are working, and any exceptions will be detected immediately, instead of being buried in log files.

To return to our casino analogy, proper monitoring goes far beyond recording “coins in” or “total win.” Just as a casino can track what players are spending and chart what they potentially could be doing in the casino, monitoring enables you to identify patterns of behaviors and prevent the business version of “card counters,” “cheaters,” and “swindlers” from bringing down your business.

To prevent insider misuse and targeted attacks, security professionals are charged with an arduous task: understanding, in real-time, what each user group is doing with critical business systems. An IAM solution is essential, but alone it can present challenges when accounting for behaviors and roles, especially during its long implementation cycle. If you bolt the front door, it means nothing if a window is open. Likewise, a complimentary monitoring tool is just as crucial to your security.

- - -

Note 1: Erickson, Kent and Philip N. Howard; Journal of Computer-Mediated Communication, “A Case of Mistaken Identity? News Accounts of Hacker, Consumer, and Organizational Responsibility for Compromised Digital Records", 1980-2006. University of Washington. March 2007.

- - -

Steve Woo leads the marketing, product management and strategic business development efforts at Securify, Inc., a leading provider of security appliances that help secure networks by enforcing network usage. You can reach the author at swoo@securify.com.