Frank Vukovits, Fastpath: “many companies would rather not publicly acknowledge their risk exposure”
As companies adopt more cloud-based systems, controlling the access and security of those systems becomes increasingly important. However, transitioning to a modern security system might be challenging.
Solutions like Fastpath help businesses monitor the activity of users with elevated privileges. It allows companies to model security changes, simulate edits, and view currently existing conflicts. While many rely on tools like Virtual Private Networks (VPN) for security, they might not always be enough for businesses.
To learn more, Cybernews invited Frank Vukovits, the Director of Fastpath – a cloud-based audit platform, to discuss the implementation of access management solutions, rising security issues, and the story of Fastpath.
Tell us about your story. What did the development of Fastpath look like?
Fastpath was formed to address Sarbanes-Oxley (or SOX) requirements that were lacking or required manual intervention in the old Microsoft Great Plains product, even before it became Microsoft Dynamics GP as it's known today.
Back then, Separation of Duties reviews didn’t exist. Fastpath was built on adding the controls that companies need around their business applications to address security that will come up during audits and allow them to go down the path to compliance.
Since then, we've expanded Fastpath's solutions to provide access control solutions for most major ERP and CRM software manufacturers, including all the Microsoft Dynamics products, Oracle, Workday, SAP, NetSuite, and Salesforce, to access control solutions, to name a few.
If the company does get audited, Fastpath gives them a solid internal control system that allows them to look at areas of user access: who has access to their business applications, how are roles defined in the application, and what Separation of Duties conflicts exist in those roles. Fastpath allows companies to manage user access, periodically perform access reviews and certifications, and check any changes to critical data in each business application.
The genesis of Fastpath was to develop solutions that give companies the proper automated internal controls to identify where they are at risk or exposed to fraud both inside and outside the company. Even if a company isn't regularly audited, the controls Fastpath provides are critical to a strong internal control system that helps mitigate fraud risks in any organization, big or small.
Can you introduce us to your access control solutions? What are their key features?
Fastpath has three core solutions around access control management.
The Access Risk Monitor (ARM) lets your company review who has access to your applications, what they are doing with that access, and which areas are at risk. This helps automate access certifications and user access reviews to see which users have been assigned to each application, what access they were granted, and what they did with that access. You can also look at specific roles and the assignment of those roles to make sure you don't have Separation of Duties risk, for example, individuals who can create a vendor and process payments to that vendor.
The Audit Trail module lets you track changes to critical data, such as configuration settings or financial information. Audit Trail enables you to report on who is making changes, before and after values.
Our Identity Manager module provides compliant user provisioning functionality that lets us establish a process for accepting user access requests, automating the approval and sign-off of those requests. Managers can check potential Separation of Duties violations before granting access. Identity Manager also helps manage elevated privilege (also known as superuser or firefighter privilege), ensuring these elevated privileges are activated and deactivated at the appropriate times and reporting this access change to the proper administrator or manager.
In your opinion, which industries should be especially concerned about implementing quality identity and access management solutions?
I always like to say that controls are important, whether you're a publicly traded or privately held company and whether you're a big or small company.
At Fastpath, we have found specific industries where our customers are more concerned about control, security, user access, and identity. Those industries are generally heavily regulated, such as healthcare, life sciences, pharmaceuticals, and so on.
The companies in those industries tend to look at controls a little bit differently. They realize an investment in access control and security is good internal control hygiene. They also know they're going to be audited at some point, so they need to ensure they have the proper controls around their identity access management and controls that Fastpath provides to their business software, whether it's their accounting or ERP, CRM, or HCM application.
When some people use the term "company security," they are focused mainly on physical security controls. And that's important too. But user access security is important as well to safeguard your critical information, such as financial information, personnel records, and intellectual property. That's why, at Fastpath, we would argue that our solutions are essential regardless of the industry or the size of the company.
How did the recent global events affect your field of work? Have you noticed any new security issues arise as a result?
Over the last two years, we've talked about the impact on security due to the shift to having employees work from home during the pandemic times.
And we talk about "threat actors.” When people hear about threat actors, they usually hear about actors from the outside: external threats trying to get into your systems from outside of your business software or business network.
Unfortunately, there are plenty of threat actors on the inside who are employees of your own company. The Report to the Nations from the Association of Certified Fraud Examiners found that 65% of fraud is internal fraud, that is, inside actors committing occupational fraud.
In the past two years, we have seen families and employees who have had to make tough decisions, resorting to fraud to make ends meet. They knew that their security was overprovisioned so they could, for example, create a fictitious vendor and then release payments to that vendor.
For many businesses, their employees were committing fraud through the company's business applications because the access granted to the employee wasn't appropriate, and this went undetected for months because nobody was looking at the separation of duties conflicts, and no one was conducting regular user and role access reviews.
What are the most common ways threat actors use in an attempt to bypass various access control measures?
Certainly, businesses should stop threat actors from outside of the organization, taking over someone's account, and accessing sensitive information in your applications.
The same holds internally as well. When we look at business applications and access controls, one area requiring scrutiny is monitoring the actions of individuals or users with elevated access, sometimes called administrator or superuser access. From a detective control perspective, companies should be reviewing the activities these individuals are performing and the day and time when they are in the system. For example, it could be a red flag if the system administrator logs in from a foreign country after midnight and starts moving money between accounts.
So companies must know when users with elevated access perform critical actions, such as changing configuration settings, accessing financial information, or conducting monetary transactions, the date and time those transactions occur, and how the system was accessed.
Solutions like Fastpath help businesses monitor the activity of users with elevated privileges. Fastpath can record any changes made to critical data, letting companies identify suspicious activity early and immediately take corrective action, such as disabling the offending accounts.
Why do you think some companies fail to acknowledge the risks they are exposed to?
There's a famous quote – "All companies have been hacked. It's just that some don't know it yet."
Most companies don't want the news to get out in the marketplace that they had risk exposure to a data breach. That exposure will hurt their brand and scare investors. So I think many companies would rather not publicly acknowledge their risk exposure.
I also think many companies don't acknowledge risk because they simply don't realize that their employees represent their most significant potential fraud exposure.
And yet, if companies don't face up to their exposure to risk, they can't figure out how to prevent it in the future.
Companies should be using identity and access management solutions like Fastpath to help lower the risk of fraudulent events in the future. You can never eliminate risk because the risks aren’t going away. In fact, they are becoming more widespread. But by having the right controls in place to prevent or detect those types of situations from an identity and access management perspective, you can reduce risk to a level acceptable to management.
What kind of threats do you think are going to become a prominent problem in the near future?
I think we’ll see more attempts to gain control of user accounts, whether the attack originates from an employee inside the company or someone who has hacked in from outside the company. You might identify the account responsible for fraudulent activity but not necessarily whether that individual was the employee or a hacker.
The best way to address this type of threat is to focus less on the individual tied to a specific user account and more on what that user account can do with their access. Most companies have over-provisioned access to their users and hence, risks are elevated. The result is that these companies don't even realize if one of these user accounts executes an erroneous or fraudulent transaction.
Most businesses do a great job keeping the bad actors out. But unless we address the access security risks to your business applications from within the organization, you still have risk. And that's what solutions like Fastpath focus on – access management control and identity solutions. I think shortly businesses will realize that to have true enterprise security they will have to address the threats that exist both inside and outside the company.
What are some of the security tools you believe everyone should use to combat these threats?
If you look at enterprise security like a donut, you have to have a robust set of tools to protect yourself from external threats – people trying to gain access from outside your systems and infrastructure. There are lots of great tools that do that.
But the security hole in the donut is if someone can gain access to one of the user accounts inside the system. So, in addition to tools that combat external risks, like hackers, the tools I would recommend would allow you to track and manage the user accounts and permissions inside your infrastructure and business applications.
Remember, 65% of fraud comes from inside the organization. And the risk can be spread across multiple business applications: your accounting system, CRM system, procure-to-pay system, HR system, and the list goes on. Each of those business applications has user accounts that perform different functions. You need to manage the user identity in each application and provision each account with the appropriate access permissions. It would help if you also had both preventive and detective controls in place to provision their access, including managing elevated privileges.
Share with us, what's next for Fastpath?
At Fastpath, we've long been a company developing excellent identity and access control management solutions that are detective and preventive. Our products are focused on compliant user provisioning and checking for items like separation of duty conflicts before you provision a user.
We are looking at technologies like machine learning and AI that allow us to be proactive and stop unwanted activities from occurring before they happen.
In the past, our detective controls would identify that segregation of duties conflict was compromised. We want to get to the point where we can stop the transaction before it's executed and immediately investigate whether it represents fraudulent activity.
As our products evolve, we’ll add additional functionality that helps companies identify various activities proactively and stop the high-risk activities before they are performed.