Finding Your Lost Keys

Large enterprises have a surprising number of access credentials unaccounted for. Finding, matching, and deleting excess credentials is a hard problem, solved by True_Identity Enterprise Identity Matching.

Published in: Business, Technology

  1. Finding Your 'Lost Keys'
     - Ensuring the integrity and security of your enterprise data
  2. A login credential is a key to your sensitive and valuable data and systems.
  3. If you are a large enterprise (>30K employees)...
  4. You likely have over 100,000 active login credentials that you cannot match to a person.
  5. And many of them are accessible on the net.
  6. Whoa! ... How did that happen?
  7. Legacy systems built for old business requirements
     - Legacy systems were not designed with the Internet in mind.
     - Credentials were not designed to be used across system silos.
     - Much of the security came from the fact that you had to be in a controlled building, on a controlled computer, to use your credential.
  8. Business imperatives are breaking down the original legacy access security.
  9. Business Imperative #1: Anywhere, Anytime
     - Legacy systems have been connected to the web and extranet access is enabled (often over the objection of the security department).
     - This removes the legacy security of having to be in the building to get at the data.
     - More and more systems are vulnerable on the net.
 10. Business Imperative #2: Integrating Processes
     - Legacy systems are being integrated together on the net.
     - The result is a multitude of legacy login systems and credentials for each person (many not employees), with no easy way of matching them together and to a person.
 11. Business Imperative #3: Instant Productivity
     - Managers of new employees can't wait for all the old business processes to provision access.
     - People hound IT to get provisioned.
     - Business processes are often circumvented because "they take too long".
 12. Nobody Champions De-provisioning
     - When you leave an organization, who hounds IT to take out your old credentials?
     - How many times has your email or login worked after you left?
     - Do this for 10+ years and you get a large pile of old accounts, many of which are unmatchable to people.
 13. What is the implication of having 100,000+ lost keys to your organization?
 14. In the news: WestJet
 15. This incident was mischaracterized as 'hacking'; they simply used an ex-employee credential. (Source: Maclean's article)
 16. There are many, many more examples; most don't make the news.
 17. What risks do these lost credentials create?
 18. Business Risk
     - Theft of business-critical information
       - Sales data, business plans, competitive strategies, R&D, customer lists
     - Susceptibility to malicious acts
       - Identity theft, publishing of private data, extortion, illegal transactions, destroying/changing data
 19. Reputational Risk
     - Unauthorized access to your confidential client and employee information
       - Privacy violations: personally identifiable information
     - Loss of customer trust in system integrity
 20. Financial Risk
     - Lawsuits arising from events such as broad-based customer identity theft
     - Illegal transactions not discovered
 21. Regulatory Risk
     - The #1 source of access-control failings, prevalent and persistent in audit findings
     - Observed as a root cause and a barrier to SOX compliance
     - No comfort from the access-control verification process, due to bad data
 22. Alternative #1: Maintain Status Quo. CASE FOR
     - These 100,000 have built up over many years. What's another year or so?
     - Everyone is in the same boat. We can fix it in the future when there is a forcing condition.
     - No need to carve out budget.
 23. Alternative #1: Maintain Status Quo. CASE AGAINST
     - This must be done soon anyway, for compliance or security reasons.
     - What is the value of the operational and other risk being carried?
     - Already spending on hidden costs to other projects.
     - Current access reports are flawed, due to 20% bad data.
 24. Alternative #2: Delete Unmatched Credentials. CASE FOR
     - Low cost
     - Easy
     - Quick
     - Right?
     - (OK, this was a bit of a strawman argument.)
 25. Alternative #2: Delete Unmatched Credentials. CASE AGAINST
     - Could result in severe business interruption.
     - The hard-to-match credentials contain active, business-critical credentials.
     - Likely would generate a flood of calls to the help desk.
     - Would destroy evidence of any past improper use.
     - You still have to do a matching exercise to determine the 'hard to match' entries.
 26. Alternative #3: Ad Hoc Solution. CASE FOR
     - Can start using internal resources and budgets.
     - Get started quickly.
     - Get early success with 'easy' matches (50%+).
     - OK for 'best efforts' matching.
 27. Alternative #3: Ad Hoc Solution. CASE AGAINST
     - Reinventing the wheel.
     - Cost and time escalation, ending in an incomplete job.
     - No ability to deal with the unmatchable, resulting in a huge manual effort (5 man-years).
     - Weak auditability.
 28. Alternative #4: Work with Your Identity/Audit Vendor's Tools. CASE FOR
     - Existing vendor relationship with related requirements.
     - They have matching and audit tools too.
     - No need to carve out incremental budget.
 29. Alternative #4: Work with Your Identity/Audit Vendor's Tools. CASE AGAINST
     - Identity vendor tools don't deal with 'unmatchable' credentials.
     - They assume you will clean up manually (5 man-years).
     - What about the risk while you wait for that project to touch all the systems?
     - Some systems are too old to connect to modern tools.
 30. "Data cleansing takes a long time... implementing the (identity management) product seems to be the easy part... we thought that would be the hard part. This (data cleansing) has got to be the same problem for everybody else." Frank Ma, Petro-Canada, Digital ID World 2005, Provisioning Customer Deployment Panel. Reference: podcast link @ 22 minutes.
 31. Alternative #5
     - Leverages best-in-class data quality and matching tools developed over two decades.
     - Provides unique 'adjudication' and 'forensic matching' tools specifically designed to address your 'unmatchable' records.
     - Provides the clean data necessary for reports you can trust.
     - Deloitte managed service engagement, easily customized to your specific needs, significantly reducing cost and timeframe.
 32. Business Benefits
     - Significantly reduce many risks now.
     - Reduce a significant source of audit deficiencies.
     - You will complete a mandatory step for upcoming identity and audit projects.
     - 'Bad data' is a great source of forensic information:
       - Possibly catch improper activity
       - Discover flawed business processes
 33. Links
     - TRUE_IDENTITY Blog
     - Product Solution Page
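The matching exercise that alternatives 2 through 5 keep coming back to, as an added example that is not True_Identity's or Deloitte's tooling: it reconciles constructed account exports from two legacy systems against a constructed HR roster, classifies each credential as matched, orphaned (owner has left but the login still works) or unmatched (needs adjudication), and recommends disabling rather than deleting so the login history survives as evidence. Field names, system names and the HR status values are assumptions.

```python
from collections import Counter
# Constructed HR roster: employee_id -> (email, status); field names assumed.
HR = {
    "E100": ("a.ng@corp.example", "active"),
    "E101": ("b.ross@corp.example", "terminated"),
    "E102": ("c.diaz@corp.example", "active"),
}

# Constructed account exports from two legacy systems:
# (system, username, employee_id or None, email or None, last_login)
ACCOUNTS = [
    ("mainframe", "ANG01", "E100", None, "2008-03-01"),
    ("mainframe", "BROSS", "E101", None, "2008-02-20"),  # ex-employee, still in use
    ("crm", "cdiaz", None, "C.Diaz@CORP.example ", "2008-03-02"),  # messy e-mail
    ("crm", "svc_batch", None, None, "2008-03-02"),  # no owner data at all
    ("crm", "jsmith", None, "j.smith@corp.example", "2004-11-11"),  # not in HR
]

# Handling per class. Nothing is deleted, so login history survives as evidence.
ACTION = {
    "matched": "none",
    "orphaned": "disable and review login history",
    "unmatched": "adjudicate before any action",
}

def normalize_email(email):
    # Case and whitespace differences are the commonest "bad data".
    return email.strip().lower() if email else None

def classify(accounts, hr):
    """Return (system, username, class, owner_id, action) per account.
    Match on employee ID first, then on normalized e-mail; whatever is
    left is 'unmatched' and goes to the adjudication queue."""
    by_email = {normalize_email(e): eid for eid, (e, _) in hr.items()}
    out = []
    for system, user, eid, email, _last_login in accounts:
        owner = eid if eid in hr else by_email.get(normalize_email(email))
        if owner is None:
            cls = "unmatched"
        elif hr[owner][1] == "terminated":
            cls = "orphaned"
        else:
            cls = "matched"
        out.append((system, user, cls, owner, ACTION[cls]))
    return out

def summarize(results):
    # Counts per class, to track the 'bad data' share over time.
    return Counter(r[2] for r in results)
```

On the constructed data two of five accounts are unmatched and one is an orphaned ex-employee login; the unmatched share is what the deck's "20% bad data" figure measures.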