Subhash Tantry, CEO of Fox Technologies, on Fighting the Insider Threat with Identity and Access ManagementThe insider threat is at the forefront of financial institution concerns these days, and a huge part of mitigating that threat is improving identity and access management. Read this interview for insights from Subhash Tantry, CEO of Fox Technologies, on:
- Five principles of an effective access control management program;
- How these principles also help with IT audits and regulatory compliance;
- Future trends in identity and access management.
TOM FIELD: Hi this is Tom Field, Editorial Director of Information Security Media Group. And today I am speaking with Subhash Tantry, President and CEO of Fox Technologies. Our topic today is "Fighting the Insider Threat: Best practices and identity and access management." Subhash, first of all I would like to thank you for joining me today.
SUBHASH TANTRY: You're welcome.
FIELD: Subhash, the insider threat is something that has gotten a lot of press recently. It is one of the financial institution's greatest risks, but being able to effectively and efficiently control access to diverse information systems is a huge challenge. What are the fundamental components of an effective IT program that address the access control challenge?
TANTRY: We at Fox Technologies believe that there are five key underpinnings to an effective enterprise access control management program. In our opinion those are in addition to key organization concentrations like culture, effective security processes and policies, and employ destination to those policies and processes. The five access controlling areas I speak of are authentication, which essentially means you want to identify who is trying to access what within your information technology infrastructure. The second element is authorization. Once you know who is trying to gain access upon the system, you also want to know what are they authorized to access, what services, and what transactions within an application, and so on and so forth. The third element is data security. You want to also be able to understand what kind of security you need to put in place around some sensitive data that you want to protect, and that might involve a process called "Data Classification" where you go and do an entry of all of your information assets and then come back and with an analysis that suggests that certain types of information, resident in certain systems, need to be controlled in terms of access. The fourth element obviously is administration. And I think the administration component is critical to access control management solution. Purely because in a large organization there are tens of thousands of users who access [systems] to set up information technologies as such. You need to be able to identify who they are and what they are authorized to access. This has to be managed centrally, as such an identity administration mechanism should be in place for a good access control management program to be effective. The last element is purely the ability to make sure that when people access, or processes access systems, there is audit log maintenance to who accessed what systems and for what purpose and what specific files or data they tried to access during the session. It is important that such an audit log be maintained for compliance reasons, and a lot of internal and external oracles are very critical about the need to have access to such information.
FIELD: Subhash, this is very interesting -- the five access control areas. Can you tell a little bit more about them and why each one of them is important to reducing the risk of insider threat?
TANTRY: Okay, so let me highlight the key dimensions of each one of those areas. Let's talk about authentication. Why is it important to authenticate somebody who is trying to access a critical system within your organization? It is purely because you want to make sure that the right people are accessing the systems they are authorized to access. Without being able to authenticate who is trying to access, it is impossible to even exercise any kind of control in terms of access to such systems. Now, there are different forms of authentication. The well known form is the simple single factor authentication, which is a classical user name password type of authentication. However, there are certain areas within your IT infrastructure that you want to provide access to only very few people because it consists of certain extraordinary privileges that allow people to either leave sensitive information or to change certain perimeters within a system that might effect the organization at large. As such, it is important that you be able to put a second layer of defense in the form of what they call "a two-factor authentication" which essentially translates to the fact that you might have to provide such users with a smart card, for example, that they could use as the second factor in terms of authentication, besides the user name and password. Sometimes the second factor authentications could also be biometrically driven. It could be a retinal scan that you have to provide. It could be a thumbprint that you have to provide. That is one of element of authentication.
The second element is because there are so many systems within a large enterprise, so many applications that any users have to access, it becomes a huge burden and makes it much more inefficient if users who are asked to access and log on to every single system each day of the week. Instead, people tend to implement what I call, "Single Sign on Solutions" within their enterprise and that basically allows the user to sign on once and all applications are accessible to them through that single sign on. And in order to enable that, you have to have what's called "Credential Store" that needs to be maintained on your desktop, which basically stores all of your passwords and user names for the latest application that you typically access. So that once you log on to the credential store, the credential store then uses that information to basically allow you to log on to other systems, literally transferring to it behind the scenes on your behalf. So, authentication is obviously a critical piece of any access control managing solution.
The second area of focus is obviously authorization. Once you have identified users, it is important that you provide access to systems within the context of what is called a "Road" that a user has within an organization. For example, I am the CEO; my road happens to be that of a CEO. I might be allowed access to certain types of information, and it might be my best interest not to be allowed access to certain types of information. Therefore, it is important that you have an authorization mechanism in place that clearly defines in my road as a CEO what types of systems and information or applications am I allowed to access. That mechanism is critical to a very good access-controlled management program. It is also important that there are certain accounts that are extraordinarily sensitive. For example, in the UNIX world there are certain super-user root account privileges that can be granted to users. These accounts are so sensitive by virtue of the power that they enable the user in terms of what they can do on a server. It is important that only certain people be allowed access to such sensitive account, as it is important to authorize them only to do only some things within their highly privileged account.
The last aspect of authorization is what has been termed as "Segregation of Duties." When you think about an application like an ERP system like SAP, it is critical that you provide access to certain types of transactions that do not create a conflict of interest situation where there is potential for fraud. To give an example, even an SAP system if I'm allowed to create windows as a user, then allowing me also to be able to write checks to that vendor within the SAP system, could create a conflict of interest situation where a fraud could be perpetrated by me creating phantom vendors to whom I write checks, which essentially goes into my own bank account. And these are things that auditors are very sensitive about when it comes to compliance. As such, from an authorization access control mechanism it is important that you provide a segregation of duties [Indiscernible] within this mechanism.
The third aspect is obviously data security. It is very important that when people access file systems and data bases that they be allowed access to only certain files or only certain tables in a database, and this kind of security needs to be in place. And again, this goes back to the road base access control mechanisms that I just mentioned when you authorize people to either run a certain sequel script within a database or be allowed to read or write or execute, or delete or copy a certain file. They need to be authorized to do such things.
The final piece in terms of access-controlled management besides administering the identity, providing an authorized mechanism, is also the ability to audit who accessed what systems and in the context of what drawer. And this is something that auditors look for a lot to make sure that the organization is complying with the policies that they have laid out. And to enable this, you have to have a centralized audit logging mechanism. You have to have the ability monitor file access. You have to be able to provide reporting to and you should be able to do an integrity check of either the applications that are being accessed or the servers that are being accessed.
So those are the five key elements of a good access controlled management program, and I think we have a fairly good understanding of this process and when you look at whom we are, five of the top banks in the country use our product.
FIELD: Now ,Subhash, beyond fighting the insider threat which we have been talking about, how can these best practices help banking institutions succeed in their IT security audits and at regulatory compliance?
TANTRY: Well, when you think about regulatory compliance, what they are effectively demanding is that an enterprise define a policy for access. They have to define not just for access, but for security at large. If you look at some of the new regulations like Sarbanes-Oxley, there is a need for enterprises for those that are publicly held enterprises that comply with section 404 of the Sarbanes-Oxley act. Which essentially translates to saying that you've got to define a policy, then you've got to administer to the policy, and then be able to enforce the policy, and then be able to audit against the policy. And those are some of the key elements that you need to show to an auditor in terms of best practices that will have such institutions succeed in their IT security audits.
FIELD: Well, that makes sense. Now for an institution that is just now trying to get a handle on the access management issues, where is the best place to start?
TANTRY: I think one of the key areas is trying to understand the IT infrastructure and the applications of the user IT infrastructure at large. In terms of what are the key elements of this IT infrastructure and applications that you really need to protect. Once you have a fairly good understanding of that, then it is a matter of figuring out where you want to exercise access control. Think about it like a stack. If you look at a typical IT environment, at the bottom of the stack are devices. There are hundred of devises being the servers, desktops, devices, PDA's, what have. There are hundreds of devices. One of the first things you have to figure out is how hardened do these devices need to be in terms of being able to access the configuration of these systems. So, it is important to exercise control on handling which of the systems in terms of how well you configure it to make sure that no other [openings] exist for an outsider to hack into such systems. So, that is at the lowest level.
The next layer obviously is the operating system layer. Each of these devices has some operating system. A PDA has a mobile operating system. A Router has its own internet operating system. And servers and desktops have their own operating systems like UNIX and Windows and so on and so forth. But then the question comes about, 'How do I make sure that I can have access control mechanisms in place as to who can execute on which of these operating system services?' So, that is the next layer that people have to look at in their organization, saying 'How do I control access to these critical operating systems services that can effectively shut down an IT infrastructure fairly quickly?'
Then, obviously, the third layer is the date layer where you want to say, okay I've got all of this data lying around in all these systems and including people's desk jobs. How do I go about protecting that? Do I have to encrypt it? Do I have to provide a road base access control mechanisms into the data system? Do I know who is trying to copy what data? Is that something I want to be able to audit against? Do I know who has been doing what type of data? So, those are those questions that you need to ask to figure out what is important.
And finally, the last layer is obviously the application layer, where you have different applications that run your billing system, that run your supply chain, that run your sales audit systems. It is very important to understand who has access to those systems and what kind of authorization mechanisms need to be in place, including segregation of duties, which becomes a big deal when it comes to dealing with fraud in an organization.
FIELD: Now we have talked about a lot of possibilities, and the question that banking executives are going to have: Is all of this available in a single solution? Or do the bankers have to buy from multiple software vendors?
TANTRY: You know, many banks do try and piece together multiple-point solutions. For example, they might get password management from one vendor, access control mechanism from another vendor, segregation of duties for business applications from a third vendor. We at Fox Technologies have taken a very unique approach which combines these technologies because like I mentioned, we have this vision of the stack all the way from the hardware layer to the operating system layer to the data layer to the application layer. And we believe we have the expertise and the solutions that can centrally administer access control to each of these layers within the IT infrastructure and the applications that people typically use. And therefore, Fox Technologies is in a unique place to be able to centrally administer an access-controlled management program and be able to enforce those policies from an access control prospective.
FIELD: Well, that's interesting and that's a good differentiator for you. Subhash, I want to thank you for good insight on this topic, but I also want to ask you do you have any final thoughts on future trends in directions in IT identity access and management?
TANTRY: We went through a recent analysis of what the world might look at as it moves forward, and we noticed there are a few macro trends that have micro effects in our world. Just to talk about a couple of these macro trends. One is obviously government regulations. Which essentially means that there is a micro effect by what you have that access controlled management has to be policy- and audit-driven. It is very critical that companies like us come to that realization, and we are providing the solutions to enterprises so that they can centralize the way they define their policies and be able to administer access controlled policies, enforce it, and then be able audit against it. So it is very critical that government regulations' being the key drivers and it is getting more and more complex out there. Every government on the planet has got its own set of regulations, and it is very important for a company that is a global player that they be sensitive to all of these regulations.
Then the second trend obviously is globalization. What that essentially means is that people would want to have access from anywhere on the planet. There is a lot of outsourcing going on out there, which also essentially means that people who are your partners should be able to access information from within the operation, which also leads to putting in access control management policies. So, globalization is another area or trend that I think that we have to become sensitive too.
The third trend, macro trend, that I see that has the micro effects on what we do is energy efficiency. If you look at large data centers that our customers have, it is becoming imperative that they would reduce the carbon footprint of such data centers. So what do they get to do? They look at new technologies. They try to reduce the footprint of servers in their data centers that would consume less energy and they look at technologies at virtualization. So we have to be thinking slightly ahead of the curve here and provide access control solutions to virtualized environments. And that is something we have already done. The other thing that happens when energy becomes a big issue is that people tend to telecommute more, so they want to be able to access critical piece of information from within the enterprise from their home devices. That brings in a whole lot of access control and identity management issues that have yet to be addressed. People are more mobile these days, and they also have to be able to access critical information from their PDA's, from their BlackBerries, and so on and so forth.
So there are some trends that will definitely have a major effect in our space, and it is very critical that companies like ours understand those strengths and be slightly ahead of the curve, so that when customers, our customers, are able to implement some of these access-controlled mechanisms, we are able to provide those solutions.
FIELD: Subhash, I think you have offered some very thoughtful insight today. I want to thank you for your time. I want to thank you for your thoughts today.
TANTRY: You're welcome. I hope this was useful, and if anybody has any questions they are always welcome to contact Fox Technologies.
FIELD: Very good. Thank you, Subhash Tantry, for your thoughts today. For Fox Technologies and Information Security Media Group, I am Tom Field. Thank you very much.