Insider Threats - Safeguarding Financial Enterprise Information Assets
This is a transcript of a recent webinar, Insider Threats - Safeguarding Enterprise Information Assets, sponsored by Imprivata. This session discusses the need and importance for convergence of physical and logical access control. To highlight the significance, Imprivata showcases their revolutionary product, OneSign.TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. Welcome to today's webinar entitled Insider Threats - Safeguarding Financial Enterprise Information Assets. Your presenter today is Geoff Hogan, Senior Vice-President Product Management and Business Development.
Before I turn this over to Geoff, let me tell you a little bit about Information Security Media Group. We publish two web sites: BankInfoSecurity.com and CUInfoSecurity.com, both of them dedicated to providing education and news regarding information security, specifically tailored to the finance community. With over 60,000 members registered to our web sites, we've created a true information source tackling the key issues of interest to our unique audience. I also want to point out our career center and job board, which highlight opportunities in information security, audit and compliance at financial institutions throughout the U.S. You can visit our career center and job board by following the URL indicated on your screen.
Let me introduce our sponsor today, Imprivata. Based in Lexington, Massachusetts, this privately-held company develops enterprise authentication and access management solutions. Its award winning and innovative product, Imprivata OneSign is an appliance-based authentication and access management solution that is changing the way organizations secure their networks, applications and integrated IT building access. With over 600-plus customers around the globe, Imprivata works in the vertical industries of financial services certainly, but also healthcare, government, retail and energy utilities. Common bond to each of these industries is the need for information security solutions.
Now before we begin, let me just start with a little bit of housekeeping. If you have any questions for our presenter during the course of this session, please submit them by the chat window on your screen. If anybody should experience any technical issues while viewing today's webinar, please dial the number on your screen. Dial extension 111 or 115; we do have technical support staff standing by. In addition, I need to emphasize that the content being presented in today's webinar is copyrighted material and is meant for today's session and individual study purposes only. If you or your institution would like to use the information presented in today's session or are looking for customized training education, please contact us.
Let me tell you a little bit about Geoff Hogan. He has over 20 years of business development, marketing, sales and general management experience in the storage, data management, and software infrastructure market segments. This includes both large organizations and start-ups. With that, it's my pleasure to turn you over to Geoff Hogan. Geoff, the floor is yours.
GEOFF HOGAN: Thanks for the introduction. So, in today's presentation we're really going to cut it into three sections. We want to lead off by reviewing the security challenges and business needs, then transition into how the Imprivata OneSign platform can really address those needs, and finally, we're going to save time for your Q&A's at the end of the presentation.
So, over the last 10 to 12 years, the most important security initiative has been to protect and to defend the network perimeter from the threat of anonymous hackers determined to break in from the outside and compromise data, and in fact, to wreak havoc with your systems. Billions of dollars have been spent for the deployment of firewalls, intrusion detection, anti-virus, malware, and spyware systems to keep networks safe from the outside, and for the most part this threat has been largely sorted out. However, today the biggest threat is not from the outside; it is from within. And we need to look no further than the recent events at Société Générale to highlight the severity of this threat and the implications from the last security and poor password management gaps were exposed.
In the case of Société Générale, the second-largest bank in France, you have a trusted employee of six years who combined the theft of his coworkers' passwords with the knowledge of his bank systems to perpetrate $7 billion worth of fraud. From what has been reported about the incident to date, he basically used his knowledge of the bank security systems, along with the computer login and passwords of colleagues from both his trading unit and the bank's IT department where he had formerly worked to eliminate controls that would have exposed his fraudulent market positions - positions that have created massive financial crisis for the bank.
But Société Générale is not alone. There are countless examples of this happening in every industry in every country, and it's costing companies billions of dollars. And these are the cases made known to the public. In fact, over the last six months we've become aware of these types of scenarios in multiple vertical markets, including not only banking but healthcare, universities and manufacturing. The recent studies found that 75% of all data fraud theft happens from within.
As evidenced at Société Générale, the implications of such threats are severe, and I'm sure you all agree with Damian Atkinson, CIO of ING Banking of UK and Imprivata OneSign customer when he states "Information is the life blood of the company, and it must be protected. Forcing access policy control is critical to protect against insider-based threat." And for many on today's call, it's also a legal requirement. Yesterday there were no regulations or mandates governing how organizations managed access and protection of information, but today compliance is like Y2K, but without an end date. And I'm sure many of you are challenged to demonstrate compliance with multiple sets of regulations or industry mandates.
In general, when you distill the bulk of these regulations and mandates, you find there are three key security objectives:
Imprivata has over 550 customers that we help address critical data access concerns, and I'd like for a moment to quickly review the following challenges that you are likely to share in common, to help us frame our OneSign discussion.
So some of the key questions that we constantly review with prospects and customers are some of the following:
Do you have more employees than you have accessed accounts? Let me give you an example. We have one customer who has 8,000 employees, yet has over 12,000 individual accounts. So why is this the case? They're not really sure, and they have an inability - they had inability to tie those incremental accounts back to departments and back to employees. Suffice to say, this was driving their auditors crazy.
Do you know who's accessing your applications? So, there are a lot of aspects of identity management that allow the establishment of certain roles and rules about what individuals should be doing by identity. But that really does not address the fact in measurement of who actually is accessing these applications. So, the ability to know this is a critical part of your security profile. And when you do that, do you know all your user's application log-ons, how many different ones they have, when they're being used, and hopefully by whom?
Can you enforce password policy across all your users -- this is a control point that's available to organizations today - or are there no controls here? Do you know your password management costs? Study after study has shown that the ability to manage passwords is critical, and that for every password reset the cost is at a minimum $30. Given the amount of password resets most organizations go through on a regular basis, multiplied by 30, this starts to get into some very serious dollars very quickly. And that's not even beginning to impact or include your IT help desk costs that may need to be used incremental to that.
Do you have visibility to all of these access activities across the disparate systems?
And finally, can you lock down all of your users' network and application access points?
All critical questions that must be addressed.
Just to give one other example, you may have recently read about Lending Tree. That's a situation where former employees, who still had network access after they were no longer with the organization, ended up going back in and obtaining proprietary information, which they then proceeded to sell to their competitors. All because Lending Tree had an inability to lock down all of those network access points for former employees. So all critical questions, all key things that every organization needs to ask themselves. Can they answer these questions? Do they have solutions for these questions? And in the vast amount of cases we found, the answer is no, they do not.
So, why are these questions so difficult to answer? For many, those are difficult questions to answer because the problem begins with the chaos of identity proliferation. For each of your employees, contractors, temporary hires, how many related but independent identities do they have? So, most will have a physical security identity that allows them to get into a building; they'll have a network access identity that allows them to logon to the network; they'll also have a remote access identity log-in. And most definitely they're going to have various identities that correlate to different applications they need to access in their daily course of business. Regardless of whether those applications are resident on a particular computer or laptop they may be utilizing or hosted externally by some third-party provider. Then the management of those identities comes even more complex when you start to bring multi-factor authentication into the equation. Organizations increasingly have been deploying multi-factor authentication for security purposes, but the difficulty is that authentication tends to vary by the point of access. So when organizations will use a building card or a physical access, they use different things for network access. It could be a one-time password for remote access or maybe a fingerprint biometric or SmartCard network access, but within the firewall. There are many different points of access, many different types of authentication. And then lastly, they're difficult to access - to address because of different access silo reporting. All these access points have different depositories capturing access events.
So what happens when the auditors show up? It's monumentally expensive and time consuming to dig up and aggregate or access activity across a pair of systems. Some of which may have access to physical entry logs, but maybe not. You may not have log data to application by some line of business department; you certainly will have difficulty getting access data from third-party software service centers, such as Salesforce.com.
So organizations are experiencing lots of issues dealing with this proliferation of identity and how to manage them. So, what if you could? What if you could merge and unify all of your authentication access into one place? One place to map and validate all of your users' different identities, one place to secure all points to your network access, one place to manage application passwords and single sign-on to applications, and one place to tie your users' network access to their physical location. And finally, one place to essentially track - trace all employee access events across disparate systems in real-time.
Well now you can with Imprivata OneSign, an easy, smart and affordable solution for enabling secure and compliant employee access to enterprise information needs. Imprivata One Sign early authenticates starting point to the network using broad range of strong authenticate devices. Two-factor authentication has rapidly emerged as a critical need for organizations of all sizes. And what those organizations would like to do is replace network passwords with some type of two-factor authentication device, regardless of whether that user is coming in remotely through corporate VPN or logging onto Windows from within their office within the facility inside their firewall. But the challenge most organizations have is that their user population varies, and they need to mix and match multi-factor authentication devices to successfully manage that various and diverse user population.
Historically, in order to do that, they would have to purchase, stand up, and maintain a multiple set of independent solutions that could support each of these independent modalities. But with Imprivata OneSign, that's no longer the case. Imprivata seamlessly integrates support for all these authentication choices into one solution; it allows through simple policy settings an IT administrator to mix and match any of these modalities to any part of the user population through a simple user scenario. So, users and organizations get flexible authentication policy and very easy-to-implement solution.
And once authenticated to the network, One Sign manages all your users' application passwords and extends seamless, convenient single sign-on to all your enterprise applications. For users, single sign-on cures the headaches of password management application access. For IT, single sign-on reduces the cost and resource burden for the help desk for password resets.
In order to make single sign-on successful, it obviously must support any type of application and enterprise they utilize employ. This includes Legacy green-screen applications, client server applications, Web Apps, JAVA Apps, those posted by third parties from emulators, those served up through Citrix. It really doesn't matter. All applications of this type are found in enterprise regardless of what the size of that company is. Imprivata OneSign can do this by its unique application profile generator technology. You point and click application able to paradigm; it allows the IT administrator to SSO enable any application usually in a matter of minutes.
The third aspect of One Sign is its physiological convergence. You may want to lock down access to a network computer based on the user's physical presence within a specific work place. For example, only allow a user access to the network if they are physically within the hospital pharmacy or within the bank's trading floor, or to allow a user access to SAP only if they've badged into the department. Providing network access with the user's physical location would have effectively prevented the fraud that occurred at Société Générale. Further, the single act of disabling the user's building access badge allows you instantly to lockdown the network access.
Along the way, OneSign will track, trace, monitor, report who accessed what and how - from where, providing visibility to all the access activities across a pair of systems.
So, simplifying access management, that is what OneSign is all about. What makes Imprivata is the unique way that we deliver our solution in a secure appliance form factor. So, what does that mean for you? It means no impact to existing IT or physical security infrastructure, no changes to directory or applications; the appliance can be installed in a matter of minutes and be up and operational shortly thereafter. There is simply no installation complexity. We've taken all that complexity, masked it and managed it on your behalf and provided you it in a very secure environment. It also means no disruption to your end user's existing workflows, which is a critical success factor. We're not asking them to do anything different than how they do today - how they've come in their facility, how they access the network, how they access applications and data. The Imprivata solution can provide all the benefits of security and password management without impacting that end user workflow whatsoever.
So let's look at a customer example. Probably someone has a similar background to many of you. This is of a regional bank customer. Just to put him in context, they had a little less than four billion assets under management, regionally focused, based in the US southeast. They had over 70 community banking, insurance, mortgage and financial services offices. So their problem was the time spent learning, resetting and managing passwords. And then that time was directly impacting their ability to do customer service calls. So, their initial objective was to provide a secure, unique password to each individual lending application to improve their productivity. And in looking for that solution, the requirements were to have something that was very affordable with fast deployment, but that was also easily extensible as they added incremental branch offices and that could be managed by their in-house visiting IT staff.
So let's look at the results they achieved when they implemented Imprivata OneSign. First of all, it only took 30 minutes to do the initial setup with a redundant pair of appliances. They're able to quickly roll out SSO to over 1,000 users and to provide password management to over 20 different applications. And the results were pretty dramatic pretty quickly. In the first year of use, password resets fell by over 82%. In addition, they got near zero ongoing maintenance in management by their existing IT staff. But not only that, they achieved some unexpected benefits as well. They found that they could much better utilize all their other licensed software, and that this resulted in an overall IT budget reduction of 5%. And because of this, OneSign is now the litmus test for any new IT solution that the bank brings in-house.
So what are some of the lessons learned? Well, some of these are relatively straightforward, but they're very important. So, obviously user adaptation -- this will make or break an installation. So, taking the friendly approach in getting all the people appropriate involved up front is critical. You also need to choose an IT savvy champion within the user community, someone who's a champion of the solution and can really drive it, communicate, and foster it with all - throughout all the other end users. You also want to design to streamline user work flow. As discussed earlier on, the ability to have minimal impact to the end user, how they go about their daily course of business is critical for success. Throwing something new and unknown and unusual in front of them will obviously cause delay and really drive down user adoption. So providing a choice of authentication modalities is critical. You have different users with different access needs and requirements, and the ability to provide them this choice and interaction provides for much greater success. You can, of course, never have too much communication, education as you're driving out these types of solutions, so, constantly providing communication along the way results in much easier deployments. Educating everyone once is simply not enough. You need to keep in close contact with users and appreciate and incorporate all their feedback into the process as the solution is being deployed throughout their organizations. So, holding their hands takes time, but it's absolutely worth it in the long run, resulting in a very successful deployment and much lower ongoing support costs as the organization moves forward.
Okay. So let's move on to some questions. It looks like we've had some come in, so let me try to pick out a few that maybe we can kick this off with and then we can open up the lines and take some more.
So, let's see, first question. How is OneSign priced? OneSign is priced on a per user basis. This means organizations can buy licenses specific to named enabled users. And the great thing is that they can buy licenses as they need them. So, an example, an organization may want to start out with a OneSign license that's just a subset of their user population, primarily because they like to get the service out and deployed with some departments first before they start rolling it out to incremental departments or users. So, someone could start let's say with a thousand licenses and get those up and deployed and then through just a simple license key they can enable more licenses to be deployed and rolled out for their organization. In addition, once all of OneSign's capabilities, whether it's the authentication management, single sign-on, or the physiologic convergence, are all natively packaged and delivered as part of the appliance form factor. So that means any of those capabilities can be licensed either at time of initial sale or at a later point, depending on what the primary objectives and priorities are of their organization and what the timeframe it is for them to roll out those capabilities to their end users.
Let's see, we have a second question. What brands of one-time password tokens does OneSign support? OneSign supports generically, virtually any OTP token that exists on the market today. That includes Secure ID from RSA and Digipass from VASCO, as well as those from Secure Computing, Aladdin, etc. OneSign can make use of any existing OTP platform that an organization may have and use that information for network authentication and then single sign-on as well. But in addition to that, with the VASCO Digipass, OneSign has actually integrated the complete infrastructure for Digipass within the OneSign appliance, which means no third-party external software or management is needed. The complete life cycle of that token is handled directly by OneSign, and all that policy can be set simply through the OneSign administrative UI. So, nothing else to buy, all that capability contained within OneSign, which makes that integrated solution, in fact, very attractive in the market.
Let's see, let me take one more question here before we open it up to all out there. Let's see, so how are applications enabled for SSO? So OneSign has a very unique capability called the application profile generator, which is a Web-based drag and drop paradigm that allows all applications of any type to be SSO enabled, in most cases in a matter of minutes. It has the ability to learn all the states of an application, such as its logon state, its change password state, its logon failure state, just to name maybe the most top three ones. And by learning the states of the application and recognizing those screens every time they present themselves, OneSign can recognize an application, it can capture and then manage an end user's credential, its password to access that application, and submit that password on behalf of the end user every time that application and hence, that screen, is presented to it. So this makes SSO enabling of applications of any type very easy, very straightforward, very simple, and then the ongoing management and ability to use that SSO by any end user in a very seamless way, very non-intrusive.
So, with that note, I'm going to go ahead and now turn this over to the people from BankInfoSecurity and they can start to take more of your questions as well. Thank you very much.
TOM FIELD: Geoff, thank you so much for a great presentation. I also want to thank each of our attendees for taking time out of their busy days to attend this webinar. I trust that today's discussion and the pints that Geoff raised provide valuable data points to enable your institution to be better prepared to tackle your security challenges. We hope to see you again at one of our upcoming events.