Snowden and Panama teach us how lack of control with access rights is a threat to IT security

What do the Snowden files and Panama Papers have to do with identity management and access governance? Everything, actually.


By Christian Stendevad, Executive VP, Omada

Edward Snowden – the ‘All Access’ subcontractor

The Snowden leak is arguably the most spectacular breach ever, because of

  • the drama ensuing from the publication of the leaked data
  • the victim – the National Security Agency
  • the volume of leaked data

The leak was made possible not because of intricate hacks and spectacular exploits, but because Edward Snowden, who worked for a subcontractor to the NSA, accumulated access rights over a long period of time to a wide range of systems and data within the NSA environment.

He did this quite legitimately, by requesting and receiving access rights to data he needed to perform the tasks he was hired to do.

Eventually, he had accumulated enough access rights to enable the systematic download of information.

If the NSA had had full visibility of Snowden’s privileges, alarm bells would have gone off, and rights could have been revoked to ensure that no one – and certainly not a contractor – had access rights and user privileges to the extent that Snowden did.

Panama Papers – who had the wrong rights?

A contender to the “Most Spectacular Leak” title is the recent Panama Papers scandal. The 11 million documents leaked to global media have shamed corporations, politicians and celebrities and fuelled the climate of distrust between ‘the people’ and ‘the establishment’.

While we do not at this point know the details of how the leak happened, I am not afraid to make a few assumptions.

For example: The sensitive information in the documents and the sheer volume of data suggest that an autopsy of the leak will include findings about IT security…

I will go so far as to guess that the findings will fault the IT security efforts of Mossack Fonseca.

Secondly, I think we can assume that whoever was behind the leak had extensive access rights and user privileges. Far more extensive than just about any employee should have. So presumably, the source of the leak is either very high up in the organization – or is an employee or subcontractor who, like Edward Snowden, accumulated these rights over time, and under the radar.

I am also inclined to think that the law firm was aware that IT security is a discipline to be considered, in a business that relies heavily on digital processes and stores large amounts of highly sensitive information for customers.

That Mossack Fonseca did not have their identity management and access governance in place may be a simple matter of risk assessment gone wrong: the cost and resources required to implement the appropriate security measures may have been deemed too high to be worthwhile. I suspect that, in hindsight, the conclusion of said risk assessment would be different.

And if the cost of IT security solutions were the issue, perhaps a few of Mossack Fonseca’s customers would be up for a bit of crowd funding, to help pay the bill…?

And you – who has access to your data?

These two high-profile incidents illustrate why identity management and access governance is an absolutely essential discipline in IT security.

Controlling who has access to corporate data will help you prevent damage from leaks from within the organization, simply by ensuring that no one individual can access too much data.

Controlling user access will also help you limit the damage done by hackers attacking from outside the organization, making it much harder for them to retrieve data once they have made their way into your infrastructure.

While most employees do not go to work with malicious intent, they do make up one big soft spot of entry points for hackers, who worm their way into systems on the back of the employees’ user access rights.

Effectively, they become a risk, simply by doing their jobs.

The bottom line:

You must conduct your everyday business on the assumption that persons with malicious intent are present in your infrastructure at all times. If that assumption is your baseline, and your organization acts accordingly, you are a long way towards healthy, security-conscious policies and procedures.
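As an added example (not from the original article and not Omada’s product code), the kind of privilege-creep check that would have rung the “alarm bells” described in the Snowden section and enforces the “no one individual can access too much data” principle above: it replays a grant/revoke log and flags identities whose live access exceeds a per-type limit, reporting how long they have been accumulating it. The log rows, user names, system names and limits are all constructed for this example.

```python
from datetime import date

# Constructed sample access log for this example: (date, user, user type, action, system).
# Each row is one grant or revoke event as an access-governance tool would collect it.
ACCESS_LOG = [
    ("2012-01-10", "alice", "employee",   "grant",  "hr-db"),
    ("2012-01-10", "alice", "employee",   "grant",  "mail"),
    ("2012-02-01", "bob",   "contractor", "grant",  "mail"),
    ("2012-04-15", "bob",   "contractor", "grant",  "wiki"),
    ("2012-06-30", "alice", "employee",   "revoke", "hr-db"),
    ("2012-09-03", "bob",   "contractor", "grant",  "finance-share"),
    ("2013-01-20", "bob",   "contractor", "grant",  "source-repo"),
    ("2013-03-11", "bob",   "contractor", "grant",  "backup-archive"),
    ("2013-03-11", "carol", "employee",   "grant",  "finance-share"),
]

# Maximum number of distinct systems an identity of each type may hold at once.
# Assumed policy values for the example; unknown types get no allowance at all.
MAX_SYSTEMS = {"employee": 4, "contractor": 2}

def current_entitlements(log):
    """Replay grant/revoke events in date order; return {user: (type, {system: first_grant})}."""
    live = {}
    for day, user, user_type, action, system in sorted(log):
        systems = live.setdefault(user, (user_type, {}))[1]
        if action == "grant":
            systems.setdefault(system, date.fromisoformat(day))  # keep earliest grant date
        elif action == "revoke":
            systems.pop(system, None)
    return live

def flag_privilege_creep(log, as_of):
    """Return users whose live access exceeds their type's limit, most over-privileged first."""
    as_of = date.fromisoformat(as_of)
    findings = []
    for user, (user_type, systems) in current_entitlements(log).items():
        if len(systems) > MAX_SYSTEMS.get(user_type, 0):
            findings.append({
                "user": user, "type": user_type, "systems": sorted(systems),
                # days since the oldest still-active grant: how long the creep has run
                "accumulated_days": (as_of - min(systems.values())).days,
            })
    return sorted(findings, key=lambda f: len(f["systems"]), reverse=True)

if __name__ == "__main__":
    for f in flag_privilege_creep(ACCESS_LOG, "2013-06-01"):
        print(f"{f['user']} ({f['type']}): {len(f['systems'])} systems accumulated over "
              f"{f['accumulated_days']} days -> review and revoke excess")
```

A real review would feed this from the provisioning system’s grant history and route each finding to the identity’s manager for recertification.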


Are You Equipped for Strict EU Compliance Requirements?

With the expected introduction of new data privacy regulations, the EU is reinforcing a comprehensive reform of data protection rules to strengthen data privacy rights. This initiative places protection of personal data high on the agenda and creates demands for efficient processes to support the reinforced regulations and ensure compliance.

Companies will be required to document established standards and policies throughout their business, and must prepare to meet compliance requirements. That means setting up a technical foundation that can establish efficient documentation and implement appropriate security measures.

Get a head start by mapping and documenting the current state of your access rights. Omada’s newly launched Governance as a Service delivers simple and fast insight into IT users’ access to sensitive data. The solution provides you with the necessary insight in an interactive Audit Report that establishes a solid foundation for your compliance effort.

Learn more about how Omada Governance as a Service addresses legislative data privacy requirements such as the EU General Data Privacy Reform.

NEW Release: Omada Identity Suite v11.1


All-in-one solution for identity management and access governance

The latest release of Omada Identity Suite further extends the benefits of an all-in-one solution with a homogeneous architecture that enables easy integration and configuration. Key release highlights include enhanced features and new functionality that provide detailed operations and system monitoring, and a unified role-based GUI with consolidated dashboards for an improved user experience.

As part of the release, Omada introduces the Omada Provisioning Service for quick and easy integration of target systems, with standard connectors to AD, SAP, and cloud applications (supported by SCIM). The updated data warehouse platform utilizes in-memory technology that enables fast reporting and analysis on large amounts of data from different source systems.

User dashboards feature an Operations Dashboard that enables users to monitor and investigate system components and processes. On ‘My Dashboard’, users get an overview of relevant role-based KPIs for improved manageability and usability, including access to self-service password reset functionality. Interactive reporting options with drill-down into additional information give auditors fast access to detailed information about user behaviour, compliance status, and survey responses as standard out-of-the-box report options.


ikb Data GmbH is one of Germany’s leading service providers in the field of IT infrastructure and data security. With a strong customer portfolio in the financial sector, ikb Data has over the past years established itself as a market leader in the outsourcing and consolidation of IT infrastructure. ikb Data not only develops concepts based on the customer’s requirements, it also provides full-service IT. The IT specialist provides the right solutions and ensures their operation across complex platforms and applications, where the ability to manage sensitive data is a top priority in areas such as cloud computing, hosting, IT compliance, IT security/privacy, and eDiscovery.

To increase its efficiency in the management of access authorizations for employees and customers, ikb Data has recently decided to implement the software solution “Omada Identity Suite”. The solution will also support the detection of IT compliance vulnerabilities, in line with compliance requirements such as MaRisk BA, substantially reducing risk and enhancing the security of business-critical data. ikb Data plans to implement Omada Identity Suite in the last quarter of 2014. To learn more about Omada Identity Suite, click here.


Are your digital assets protected? Cyber criminals are becoming increasingly advanced in finding vulnerabilities, but even the most sophisticated perimeter protection will not prevent fraud and theft. Very often vulnerabilities arise from internal procedures, misuse of confidential data, or human errors by employees that inadvertently create a security breach. To determine who has access to your critical business data and detect security vulnerabilities, Omada offers a Risk Check Service powered by Omada Identity Suite to give you complete access control, stronger security, and sustainable compliance. Learn more and download the service details here.

Combined Simple Sign-On and Password-Synchronization Offers an Efficient Alternative to Enterprise Single Sign-On Solutions

To ease the login burden when users access cloud-based applications, an increasing number of organizations are looking towards investing in enterprise single sign-on. These organizations are considering either point solutions or extensions to existing access technologies such as SSL VPN appliances, or software alternatives like Microsoft AD FS. Speaking of Microsoft, standards-based technologies such as SAML, and Microsoft AD FS, which is based on SAML 2.0, have made it straightforward to use single sign-on for browser-based cloud and web apps. Even AD-centric companies can use federated identity solutions, allowing a user to log on to external third-party cloud applications authenticated with their local AD account.

This works fine for web-based applications. But when it comes to desktop or client/server applications, IT departments face challenges, as these typically require a client-based single sign-on solution. In this case, a single sign-on client is installed on the local machine and “caches” the user name and password as the user accesses applications. Such clients require management and installation on each desktop in the company and often fall short when it comes to many of the tablet, mobile and non-Windows technologies in use.

Similarly, when it comes to user self-service password reset, web-based solutions for Active Directory are uncomplicated, but challenges may occur with the many enterprise applications that do not use AD for access, and in addition a client is typically required on the local PC.

The Omada Password management solution for system-wide synchronization and reset is based on the combined experience of implementing self-service password synchronization and reset across complex platforms. This solution is ideally suited to deliver the above experience without using any local single sign-on clients. We call this “simple sign-on”. It enables synchronization of passwords across all connected applications, so the user only has one password to remember. Essentially, when a user changes the password – due to a scheduled Active Directory password expiration process or a forgotten password – the Omada solution synchronizes this password to all connected applications on the “back-end”, enabling the user to log on to all applications using the same password credentials. This back-end synchronization offers a more straightforward approach than implementing traditional enterprise single sign-on.

In addition, it supports the best of both worlds: with the Omada simple sign-on configuration, customers can leverage the benefits of single and federated single sign-on based on SAML 2.0 and augment the solution with Omada’s password synchronization simple sign-on concept.

Our customers are increasingly combining this approach with password reset. In the Omada configuration, once a user’s password has been reset – via a four-eyes principle (an Omada packaged workflow that allows a manager to reset an employee’s password automatically once the employee has been validated), via out-of-band verification, or via challenge questions – the new password will automatically synchronize to all connected systems. A simple approach with no client hassle.

To learn more, contact us here.


KuppingerCole, a leading global analyst firm focused on Information Security, Identity and Access Management (IAM), and Governance, Risk Management and Compliance (GRC), has released its latest Leadership Compass research. We are very excited to have been included and listed among the leaders in Identity Provisioning in the ‘Product, Innovation, and Overall Leader’ categories. The KuppingerCole Leadership Compass Identity Provisioning survey offers a comprehensive overview of the many Identity Provisioning solution providers in the market. You can learn more about the survey here and about KuppingerCole here.