Category: News

Okta Named a Leader in the Gartner Magic Quadrant for Access Management

This week, Gartner released its second Magic Quadrant for Access Management, Worldwide, and Okta was once again named a Leader. Okta placed highest in “ability to execute” in the report, a recognition it also held last year.

Gartner’s recognition follows continued momentum for Okta, including its recent customer conference, Oktane18, where the company launched Sign In with Okta, Project Onramp, API Products for One App and ThreatInsight. At Oktane18, Okta also unveiled new partnerships with VMware’s Workspace ONE and Workplace by Facebook. Okta also continues to expand globally, recently announcing that it will be doubling the size of its San Jose office and opening new offices in Washington, D.C., Paris and Stockholm.

According to Gartner, “Access management applies to technologies that use access control engines to provide centralized authentication, single sign-on (SSO), session management and authorization enforcement for target applications in multiple use cases (e.g., B2E, B2B and B2C). Target applications may have traditional web application architectures, native mobile architectures or hybrid architectures. Increasingly, target systems include APIs. Smart or constrained devices with or without human operators may be incorporated as well. Applications may run on the customers’ premises or in the cloud.”

You can read the details and download the full report here.

Gartner Magic Quadrant Access Management 2018


Privileged Account Management is #1 Security Project in 2018 for CISOs, says Gartner

At the beginning of this month Gartner had their annual Security & Risk Management Summit. The event is always a valuable opportunity to learn from top CISOs and security and risk management professionals, to explore leading-edge research and to discuss emerging cyber security trends.

Although there were a number of excellent presentations throughout the week, one in particular stood out for its pragmatic guidance and actionable takeaways. Organizations have long-term strategic security programs, but they also need to demonstrate quick wins along the way.

In his talk, “Top 10 Security Projects for Security and Risk Management Organizations,” Gartner VP and Distinguished Analyst Neil MacDonald outlined the top 10 security projects for 2018, based upon a number of criteria: the emerging technologies that support the project are not yet mainstream; the project helps deliver against the CARTA (continuous adaptive risk and trust assessment) approach; and the project has high risk reduction versus resources required as compared to alternatives.** MacDonald identified privileged account management (PAM) as the #1 focus for organizations.

In our opinion, strategic privileged account management projects should be expanded into a longer term program. Comprehensive privileged account management that extends protections to other users and applications across the enterprise, in the cloud, at the endpoint and throughout the DevOps pipeline, will take an integral project to the next level.

Ready to get started? Start by prioritizing the implementation of controls for protecting privileged credentials to drive tangible results quickly. A CyberArk report, “Rapid Risk Reduction: A 30-Day Sprint to Protect Privileged Credentials,” outlines a proven framework for an intensive sprint of approximately 30 days to help reduce risk and achieve quick wins.

Don’t stop there. After demonstrating the value of protecting privilege across high-risk areas to key stakeholders, it’s time to take a phased approach to expand coverage to new areas, evolving these projects into long-term, business-critical cyber security programs. For guidance, we encourage you to download the CyberArk Privileged Access Security Hygiene whitepaper.

*Gartner, Smarter with Gartner, Gartner Top 10 Security Projects for 2018, June 6, 2018

**Gartner, Gartner Security & Risk Management Summit 2018 agenda, https://www.gartner.com/en/conferences/na/security-risk-management/agenda/track

Source: https://www.cyberark.com/blog/privileged-account-management-1-security-project-2018-cisos-says-gartner/


SecurIT’s participation at Heliview IAM congress 2018

We look back at a successful day at the Heliview IAM congress 2018, a combination of inspiring sessions about what’s hot in the IAM landscape. The day was divided into three themes: getting the basics right and getting in control; IAM scalability and flexibility across different IAM infrastructures (hybrid, cloud and on-premises); and future-ready IAM. Our presentation focused on the second theme.

Peter Giervield, Security Architect at SecurIT, was one of the speakers. Our presentation was about “Getting the Cloud under control” and SecurIT’s Best Practices. SecurIT’s best practices (SBP) is a method we use to help our clients through the whole IAM project. It is essentially a baseline installation built from all our previous expertise, in which 90% is preset and 10% can be customized. It speeds up the path to the first actual production deployment. It is optional: custom projects will always be possible, they just require more time.

He also talked about the cloud, and how “the cloud” does not exist as one single cloud. There are many different cloud solutions such as private, public or hybrid clouds, as well as IaaS/PaaS/SaaS/FaaS/MSaaS and XaaS, with all kinds of different deployment models. Currently we notice that clients mostly look at the following vendors: Amazon (AWS), Google (Google Cloud), Microsoft (Azure), IBM (IBM Cloud), Digital Ocean, etc.

On the exhibition floor there were many different IAM solution providers pitching their solutions. We were able to tell people about our company as an implementation partner for different IAM solutions, and how we differentiate ourselves from other implementation partners: mainly by having permanent staff in a business where knowledge sharing is key, and by the 18 years of experience we bring with us.

We hope to see you at our next events. Got any questions? Give us a call.


We look back at a successful Round Table on IAM by SecurIT and IBM

Yesterday, on May 3rd, we invited some IAM professionals to discuss different IAM issues and current trends in the Identity & Access Management landscape. This gave us the opportunity to learn from each other and to share some customer stories as knowledge partner at the table. For this round table we selected Kasteel Woerden as the location. We look back at a successful day where everyone received plenty of food for thought. Below is a short summary of some of the topics we discussed.

The first topic we discussed was how we currently deal with automated life cycle management: the whole onboarding/off-boarding process and giving people the right access from start to finish. It became clear that for most it is currently only partly automated and a lot is still done by hand, which means there is a lot of time to be won, and this gets more important every day given the lack of good security resources.

Another topic was the scalability of the IAM services within an organization and how people thought about moving from on-premises solutions to the cloud. Many pros and cons regarding the cloud came up. The most important concern was trust. How can you be sure the cloud supplier has the same high security requirements as you do, or where the data is stored? One way to check this is by looking at their certifications; not just anyone can walk into their datacenters. Most agreed that for the time being there will be many hybrid solutions, part cloud and part on-premises.

We also talked about Identity Management and how you can use context to gain trust, and when to force a second authentication when trust is low. For example, if the same person logs on from a new location, two-factor authentication might be required. But it goes even further than that, for example how quickly you type in your password. These can all be triggers to ask for extra verification.
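The context-based step-up decision discussed above, as an added example that is not code from SecurIT, IBM or any round-table participant: a login from a location the user has never used, or a password typed at a cadence far from the user’s usual one, lowers trust and triggers a second factor. The signal weights, thresholds and profile format are assumptions made for this illustration.

```python
"""Context-aware step-up authentication decision (illustrative, assumed thresholds)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

STEP_UP_THRESHOLD = 40   # assumed: at or above this, require a second factor
DENY_THRESHOLD = 80      # assumed: at or above this, refuse the login outright


@dataclass
class UserProfile:
    """What we know about a user from earlier successful logins (constructed format)."""
    known_locations: set = field(default_factory=set)    # e.g. country codes seen before
    typing_times_ms: list = field(default_factory=list)  # past password-entry durations


@dataclass
class LoginAttempt:
    location: str
    typing_time_ms: float
    failed_attempts_last_hour: int = 0


def risk_score(profile: UserProfile, attempt: LoginAttempt):
    """Return (score, reasons). Higher score means less trust in this attempt."""
    score, reasons = 0, []

    # New location: strongest single signal in the discussion above.
    if not profile.known_locations or attempt.location not in profile.known_locations:
        score += 40
        reasons.append("new location")

    # Typing cadence: only meaningful once we have a baseline of a few samples.
    if len(profile.typing_times_ms) >= 5:
        mu = mean(profile.typing_times_ms)
        sigma = pstdev(profile.typing_times_ms) or 1.0  # avoid division by zero
        if abs(attempt.typing_time_ms - mu) / sigma > 3:
            score += 30
            reasons.append("typing cadence deviates from baseline")
    else:
        # Edge case: too little history to trust the cadence signal at all.
        score += 10
        reasons.append("insufficient cadence history")

    # Brute-force indicator from the same account.
    if attempt.failed_attempts_last_hour >= 5:
        score += 30
        reasons.append("repeated failed attempts")
    return score, reasons


def decide(profile: UserProfile, attempt: LoginAttempt):
    """Map the risk score to ALLOW, STEP_UP (ask for 2FA) or DENY."""
    score, reasons = risk_score(profile, attempt)
    if score >= DENY_THRESHOLD:
        return "DENY", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "STEP_UP", score, reasons
    return "ALLOW", score, reasons


if __name__ == "__main__":
    # Constructed sample profile: always logged in from NL, types the password in ~1 s.
    user = UserProfile(known_locations={"NL"}, typing_times_ms=[900, 950, 1000, 1050, 1100])
    for attempt in (LoginAttempt("NL", 980),
                    LoginAttempt("US", 980),
                    LoginAttempt("US", 3000, failed_attempts_last_hour=5)):
        print(attempt, "->", decide(user, attempt))
```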

Resources, especially how to use them productively, came up in many topics, but most specifically in the cloud discussion. If you move your IAM functions to the cloud, would you still need all these security resources on-premises? How much of the responsibility are you willing to give away? It became clear that you will always need your own security resources to manage these new cloud solutions. Knowledge is power, and it can be too risky to depend only on third parties for this.

The last topic we discussed was how to handle privileged accounts and how to make sure they are secured. Many different solutions can help with this, but it became clear that most of the professionals prefer to store the credentials in a vault. From there you can secure the way the organization works with its most sensitive credentials. If a change has to be made, it can be requested by sending a change request. This way you will always know who is inside your system and why. You can even shield some of the privileged functions and only grant access to the ones that are required, and only for a limited period.

We are looking forward to the next one. Didn’t get invited, or were you unable to attend this one? Let us know and we will keep you updated on when the next one takes place. Got urgent questions? Give us a call.


Less than 30% can prevent ransomware attacks

Less than 30 percent of IT security executives who responded to a recent survey reported that they would be able to prevent large-scale ransomware attacks.

Despite this, SolarWinds MSP’s new report, “The 2017 Cyberattack Storm Aftermath,” found that IT security executives have a high level of knowledge of crypto-malware. More than two-thirds (69 percent) of respondents said they were deeply familiar with ransomware attacks such as WannaCry, which infected hundreds of thousands of endpoints within 48 hours earlier in May 2017, and Petya, which affected systems in dozens of countries in June 2017.

This familiarity led approximately three-quarters of survey participants to rate the risk of both WannaCry and Petya as very high, but it didn’t translate to better protection against this type of incident. While most respondents indicated that they would be able to detect WannaCry (72 percent) and Petya (67 percent), only 28 percent and 29 percent, respectively, said they would be able to prevent these attacks.

For the full article please visit the following link.

Source: Less Than 30 Percent of IT Security Executives Can Prevent Ransomware Attacks, Survey Reveals


CyberArk acquires Vaultive

CyberArk (NASDAQ: CYBR), the global leader in privileged account security, today announced the acquisition of certain assets of privately-held Vaultive, Inc., a cloud security provider. The deal closed today.

The CyberArk Privileged Account Security Solution is the industry’s most comprehensive solution for protecting against privileged account exploitation anywhere – on-premises, in hybrid cloud environments and across DevOps workflows. Building upon the Vaultive technology, CyberArk will deliver greater visibility and control over privileged business users, and Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) administrators. By delivering a cloud-native and mobile experience, Vaultive will extend the CyberArk solution to these highly privileged users, which are frequent targets for cyber attacks.

“The Vaultive team brings innovative technology and advanced cloud industry experience to CyberArk. We look forward to incorporating the technology to add additional depth and proactive protection for enterprises facing an expanding attack surface in the cloud,” said Udi Mokady, chairman and CEO, CyberArk. “Vaultive provides a strong building block to accelerate CyberArk’s cloud security strategy, making CyberArk the only vendor able to extend privileged account security to administrators and privileged business users in cloud environments with this level of granularity and control.”

For the full article please visit the following link.

Source: CyberArk Press release


CyberArk DNA™

CyberArk Discovery & Audit (DNA) is a powerful tool (available at no charge) that scans systems on your network to uncover accounts, credentials and misconfigurations that can create risk. Following a scan, CyberArk DNA generates a detailed report that IT auditors and decision makers can use to evaluate the status of privileged accounts in the organization and identify areas of risk. The tool is an agentless, lightweight executable designed to expose the magnitude of the privileged account security challenge in on-premises and cloud-based environments. CyberArk DNA helps organizations uncover:

  • Windows accounts and account statuses. Identify privileged and non-privileged Windows accounts, including local administrator, domain administrator, standard user and service accounts. View the password strength, password age and last login date.
  • Unix accounts, credentials and permissions. Centrally view the status of root and individual user accounts on Unix systems, identify SSH key pairs and trusts, and uncover misconfigured sudoers files that can increase the risk of unauthorized privilege escalation.
  • Privileged domain accounts. Discover dormant or unprotected privileged domain service accounts that have access to critical assets or services.
  • Pass-the-Hash vulnerabilities. Locate password hashes vulnerable to theft, and gain a visual map of Pass-the-Hash vulnerabilities and potential pathways to sensitive data and critical assets.
  • Hard-coded application credentials. Identify systems that have embedded, hard-coded or exposed credentials in plain text, which can be captured by malicious attackers inside the network.

Download the CyberArk DNA whitepaper.

Or fill out the form to receive your free assessment.


GDPR and PSD2

For professionals in security, identity management and access management (IAM), 2018 will be a very important year. As of May 25th all companies and other organizations must comply with the new GDPR regulations, and as of Saturday January 13th PSD2 will be a fact of life for the entire EU. When thinking of customer privacy and processing consumer data, obligations pile up. The question is: are these opportunities or barriers for business development?

In co-operation with partner IBM, SecurIT invited professionals to a ‘round table event’ at the end of last year in the Boardroom of the Rembrandt Tower in Amsterdam. Those attending discussed the impact of the new legislation on IAM.

The event was kicked off by Angélique van Oortmarssen (KPMG) and Sonny Duijn (ABN AMRO). Ms. Van Oortmarssen spoke on GDPR and Mr. Duijn shared his views on how PSD2 will impact retail business.

After these two short briefings the conversation concentrated on how companies need to adapt their own IT infrastructure and open-access digital platforms to benefit from the new opportunities GDPR and PSD2 will offer. The impact on the financial services sector and retail was discussed in particular.

An article by Sonny Duijn on the impact of PSD2 on retail is available here. A publication by Angélique van Oortmarssen can be downloaded here.

Download the full Round Table article


The Staggering Numbers Behind Breaches of PII and PHI

September 19, 2016|Michael Janeiro

Experts in the field of cybersecurity insist the world is in the midst of a cybercrime era. Nobody knows when or even if this era will diminish to the point where it’s not a challenge to the day-to-day operations of every business, government agency, nonprofit organization, and institution.

What is generally agreed upon is that trying to prevent and ultimately dealing with the aftermath of data breaches are now standard costs of doing business.

No matter whose study you review on the risks to your organization’s Personally Identifiable Information (PII) and Protected Health Information (PHI), the results show an increased risk of breaches related to hacking and an increased cost to remedy the consequences of data breaches.

A $4 million problem

The recently released 2016 Cost of Data Breach study found that the average consolidated total cost of a data breach is $4 million. The 11th annual edition of the study sponsored by IBM Security and conducted by Ponemon Institute also found that the average cost incurred on each lost or stolen record containing sensitive and confidential information is $158.

In addition, there is a 26 percent likelihood of a company or organization experiencing a data breach involving at least 10,000 records in the next 24 months.

In healthcare, a $6 million problem

The statistics are even more alarming when it comes to healthcare-specific data.

According to Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, about 90 percent of healthcare organizations represented in the study experienced a data breach in the past two years. About 45 percent suffered more than five breaches in the same period.

The study also estimated that the healthcare industry is shelling out $6.2 billion a year to pay the various costs related to data breaches. On average, covered entities are paying $2.2 million as the result of breaches, while their business associates and third parties have to pay $1 million on average for their role in healthcare-related breaches.

Those costs include lost business, fines from regulators, investigating the cause of the breach, and restitution to affected consumers.

Criminal attacks — most notably ransomware, malware, and denial-of-service (DOS) attacks — account for about half of healthcare data breaches.

It’s not just large regional hospital organizations and health insurance companies that are falling victim.

Go to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) so-called “Wall of Shame” website, and you’ll find plenty of local dentist practices, chiropractic centers, and independently owned pharmacies that suffered data breaches potentially affecting a few hundred or few thousand patient records.

The HHS’s Breach Notification Rule requires healthcare providers to promptly notify the agency, affected individuals, and in some cases the media if there is loss, theft, or breach of PHI of at least 500 individuals. All such reports are then listed on the OCR’s Breach Portal.

One analysis of the OCR website found 253 such breaches in 2015 that compromised a total of 112 million records. In addition, about one in five of last year’s healthcare breaches fell into the category of “hacking/IT incident,” including 9 of the top 10 breaches reported.

Why is healthcare data so sought after by hackers? According to some reports, each individual healthcare record is worth $10 in the criminal market, or up to 20 times more than a stolen credit card number. Other estimates place the value between $20 and $70.

While that may not seem like much to commit a crime for, consider how much 5,000 healthcare records are worth at say, $15 a record: $75,000. Target an easy-to-breach entity and that’s $75,000 with minimal effort.

How to minimize risk and cost of breaches

Among the lessons the Ponemon Institute shared in its recent report were ways companies can both minimize the risk and cost of suffering a data breach.

Data loss prevention controls and activities cited in the study include encryption, endpoint security solutions, and participating in a threat intelligence sharing platform to research security threats, aggregate intelligence and collaborate with peers.

Data governance initiatives that can potentially reduce the cost of data breach include incident response plans, employment of a Chief Information Security Officer, employee training and awareness programs, and a business continuity management strategy.


Why Enterprise, Automated Governance is Critical for Growing Retailers

August 25, 2016 | Michael Janeiro

How many retail locations and how stretched is your geographic footprint? A half dozen locations in a metropolitan area? Thirty stores in a specific region of the U.S.? Hundreds of outlets across the country?

Do you also, like most retail companies, enable customers to shop online? Do you have mobile apps that enhance the customer experience?

Consider the totality of your physical and digital presence. With each location, website, computer terminal, server, data center, cash register, etc., you have increased your company’s exposure to:

•    City, county, and state regulations on building codes, employment laws, and consumer protection.

•    Multiple entry points for hackers and potential data thieves.

•    A more complex supply chain that at any point can be the catalyst for business disruption, product liability, and non-compliance with standards and guidelines such as conflict mineral sourcing.

•    An employee base that causes any number of incidents, disruptions, and legal issues.

•    A network of third parties that extend your infrastructure beyond much of your control and increases the chances of disruption, IT security risks and non-compliance with increasing regulations.

The role of corporate governance

Creating, administering and enforcing policies throughout your company, as well as managing the relationships among your various stakeholders, is the role of corporate governance.

Whether you realize it or not, you have a corporate governance program. How effective and how visible it is across your expanding retail organization may be an entirely different matter.

One of the challenges faced in most retail organizations is the need to expand geographically and/or digitally to increase sales in an ever-competitive environment.

At the same time, any expansion increases the aforementioned risks and regulations, necessitating greater governance. Without it, your retail enterprise, regardless of its size, lacks consistent processes, policies, procedures, and technology requirements.

Consider the common governance challenges facing expanding retailers:

•    Increasing compliance with regulations and standards ranging from Payment Card Industry Data Security Standards to conflict minerals reporting.

•    Collecting and correlating data for regulatory compliance.

•    Developing policies in timely response to changes in laws or to specific incidents that occur.

•    Timely review and update of policies, communicating new and changing policies across the organization and ensuring all stakeholders understand and acknowledge governance policies.

•    Maintaining visibility into corporate governance objectives and results, especially to key stakeholders such as shareholders, directors, and executives.

•    Identifying, prioritizing, and addressing multiple risks throughout the enterprise, including compliance risk, IT security risk, operational risk, vendor risk, business continuity risk, and audit risk.

•    Maintaining an IT asset list so you know which assets are potentially impacted when certain threats and vulnerabilities arise.

•    Communicating incidents that occur at a single location up to the corporate parent and then across the enterprise. Otherwise, smaller issues can become much larger ones over time.

•    Prioritizing incidents among billions of data points received. How do you know which ones to address and which ones are irrelevant to your organization before spending the resources to investigate?

•    The onslaught of data breaches that have hit retailers large and small. Although many consumers have accepted the risk of security breaches as a trade-off for convenience, one recent survey found that 39 percent of shoppers spend less at retailers that have experienced a security breach than they did before the breach occurred. Another 34 percent of shoppers don’t shop online due to fear of security breaches.

An enterprise, automated approach

The increasing risk and governance challenges posed by physical and digital expansion necessitate an enterprise approach to corporate governance. Introducing other types of activities into their business model can create new complexities and risks, which call for a broader approach to governance.

Managing corporate governance on an enterprise level, however, can be an arduous task, often requiring multiple employees dedicating long hours at extensive cost.

Therefore, retailers need an efficient, effective and automated solution to help their business processes and their security requirements work together to deliver improved efficiencies while strengthening their overall governance program.

The right automated solution can enable retailers to enforce policies and procedures, establish best practices, mitigate and manage risks, and comply with regulatory standards and requirements.