CA Community

June 2010 - Posts

Catalyst 2010 in Prague

Published: June 30 2010, 08:42 AM | no comments
by Matthew Gardiner

I recently returned from Burton Catalyst 2010 in Prague where I did what you are supposed to do at such conferences - present, listen, and socialize.   As part of the first full day of the conference, where identity was the central theme of one of the three tracks, I sat on a panel on Identity Assurance Frameworks (IAFs) with Bob Blakely of Burton and Tony Nadalin of Microsoft.  I was there representing Kantara Initiative's IAF.  The takeaway for me is that assurance frameworks are necessary for identity federations to be set up and operated amongst more loosely coupled organizations and inevitable with the rise of cloud computing and its inherently hyper-distributed approach to computing.  The next six to nine months will be critical to see if the IAF snowball continues to pick up speed.

I listened to a lot of sessions both within and outside the identity track.  I was thoroughly informed and entertained as usual by Kim Cameron of Microsoft and Bob Blakely and Ian Glazer of Burton and somewhat befuddled by content in the SOA track.  SOA seems to continue to suffer from too much theory and not enough practice.  Hasn't that been part of the problem for the last 10 years?  Finally on the socialize front, CA put together a great (I had nothing to do with it) hospitality suite on the theme of Avatar.  The décor, food, and ambiance were really well done and the room was packed all night.  I plan to be at Catalyst 2010 in San Diego doing another round of presenting, listening, and socializing.  Please join me if you can.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

Sarbanes-Oxley Dodges a Bullet

Published: June 28 2010, 02:00 PM | no comments
by Sumner Blount

The US Supreme Court today (June 28) issued a ruling that has been eagerly anticipated (details at http://www.nytimes.com/2010/06/29/business/29accounting.html?hp).  The case is related to the constitutionality of the PCAOB (Public Company Accounting Oversight Board), which was created as part of the 2002 Sarbanes-Oxley Act (SOX) to help fight future corporate accounting scandals after the Enron and WorldCom downfalls.  The challenge to this element of SOX left the entire law at risk because in the wording of the law, the invalidation of any part of it potentially invalidated the entire law.   This section of SOX was being challenged on the basis of separation of powers, in that it was claimed that the powers of this board were too broad, and that it was too difficult for the President to actually remove members of the board.

The Court agreed with this claim of those who filed the suit originally.   However, they also ruled that the charter and operation of the board could be separated from the rest of the SOX law itself.  Therefore, the mere existence of the board was not unconstitutional.  And, most importantly, Justice Roberts stated that Sarbanes-Oxley "remains fully operative as a law."

It seems likely to me that political reality entered somewhat into this decision.  If the Court had invalidated the existence of the PCAOB, and therefore essentially thrown out the entire SOX law, the impact could have been significant.   Entire careers and market niches have been built around SOX compliance, not to mention all the products that have been built to address this market.  And, possibly even worse, the whole movement towards regulation might have suffered a setback.  However you might think of SOX, there are clearly some important benefits of mandates such as HIPAA, GLBA, PCI, and many others.  I for one would hate to see those benefits disappear due to a headlong rush to combat regulations on philosophical grounds.

In comparison to how they might have ruled, this Court ruling is very good news.


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Security is irrelevant. Resistance is futile.

Published: June 25 2010, 05:34 AM | 2 Comment(s)
by Shirief Nosseir

There are many analogies that can be used to highlight the effects of cloud computing, but on a lighter note, any followers of Star Trek would be aware of the Borg.  The Borg represents a major threat to the Federation. They are a race of cybernetic humanoids, organized as an interconnected collective (somehow just like a cloud!).  The Borg used a phrase that became quite popular -- actually considered one of the 100 Greatest TV Catchphrases:

"Strength is irrelevant.  Resistance is futile. Your culture will adapt to service ours."

Today, businesses that are considering cloud computing can say the same thing about security:

"Security is irrelevant.  Resistance is futile. Your culture will adapt to service ours."

Cloud computing offers a compelling business case, whether for enterprises or IT vendors alike.  And I don't want to add more fuel to the cloud hype, but the irresistible value proposition here is not just about improving costs and quality of service.  More importantly I think, it's about the orders of magnitude in agility to deliver and consume IT services in support of evolving business environments.  Enterprises are able to change more rapidly, while being truly enabled by IT, to capture business opportunities and avoid risks.  And it becomes a lot easier and quicker for vendors to deliver new innovative and competitive IT solutions that meet market needs.  In today's constantly changing and ever competitive economy, the words of Charles Darwin are more relevant to businesses than ever: "It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change."

The point I'm trying to get to here is that business executives will often not stop consuming cloud services that they need just because those services were not vetted enough for security, a statement that should raise a few eyebrows among risk, security and compliance professionals. However, this is a trend that many of us already see happening in organizations. For instance, CA Technologies recently announced the results of a cloud security survey that it sponsored and that was conducted by the Ponemon Institute. Over 900 IT practitioners from large enterprises in Europe and the USA, all of them already cloud computing users, were interviewed. Some of the key findings show:

  • 49% of respondents said their organization uses cloud computing applications without thoroughly vetting them for security risks.
  • Also, 68% of respondents said that their security leaders are not the most responsible for securing the cloud computing resources in their organisations.

Business supporters of cloud computing often highlight the business's ability to buy IT services itself, bypassing the IT organization altogether. IT organizations that resist the move to the cloud will ultimately be made irrelevant. Resistance is not an option.

In security, we are often the people who historically have been saying no to things. We are the people who are seen as being a bit of a brake on the system. Whereas in fact, in this case, there's an opportunity for us to be a real differentiator and enabler of the business. We can educate the stakeholders on the value we can add, we can show that the risk can be managed, we can implement policies and controls that secure the cloud as part of our overall enterprise architecture and not as a silo, and we can make sure that all the organization's critical assets are controlled and protected (it's much easier said than done, I know... but maybe the 'how' is a topic for another post... or feel free to leave comments to start a discussion).

You can download a copy of the Ponemon Institute study entitled "Security of Cloud Computing Users." If you're interested in cloud security (if you're still reading this post then I assume you are!), it's surely worth a browse.


By: Shirief Nosseir
With a degree in computer science and business administration, Shirief brings business and technical know-how to his role on the EMEA Security Management team. As he interacts with many organisations and experts in the field, he is able to understand their experiences and challenges and help devise...

How to Get Cloud Providers More Involved in Industry Security Initiatives? Ask Them!

Published: June 16 2010, 02:02 PM | no comments
by Matthew Gardiner

With a few notable exceptions, such as Microsoft and Google, I remain concerned with the lack of engagement in the identity and security communities by cloud providers.  Over the last 5 years or more the Web security standards community has been addressing the issues and necessary standards around cross-domain security, which directly affect cloud (what is cloud security, after all, but an issue of cross-domain security?). The community has produced standards such as SAML, SPML, and WS-Security, to name just a few.  But if you look at the security-related implementations at the cloud providers - again with some notable exceptions, such as SAML adoption by Google, Salesforce.com, and WebEx, for example - most cloud providers have not implemented Web security standards in their solutions, and, for that matter, are not even involved in the related security industry conferences or standards committees.  For example, OASIS recently put together a new technical committee that was specifically formed to address issues of identity in the cloud.  But where are the cloud providers?

I recently moderated a panel at the EEMA/OASIS identity management conference in London on cloud security and related standards.  I brought up this lack of adoption issue there as well.  The Web security industry has been working for years on the issue of how to ensure secure interoperability across domains.  As a result the majority of the technology questions have already been answered, but it seems that the cloud provider community is not yet aware of this fact.

So what to do about it?  It reminds me of the advertising push by the Red Cross to increase blood donations where the spokesman closes out the TV ad with, "...consider yourself asked."  Cloud providers, "consider yourself asked."  It is in your best interest to make secure interoperability with your cloud service as easy as possible.  While it might take a bit more work to make your interfaces compliant with the various relevant security standards you will reap the benefit through standardized implementations with a large portion of your enterprise customers.  If the standards don't work for you for some reason, then please join the community and propose changes. 

Enterprise cloud consumers, you are the linchpin here.  It is imperative that through your dollars you also "ask" cloud providers to support the appropriate security standards and become more involved.  Everyone seems to agree that security is one of the biggest inhibitors of cloud adoption, so let's do something about it.  We have to avoid a world where every cloud provider has their own proprietary approach to secure interoperability.  We have the knowledge, we have the standards, and we know the consequences of poor security systems. Now we just need to ask this largely new class of vendors to leverage our already well-vetted best practices and standards.


Compliance Myopia Redux - Don’t Assume Anything!

Published: June 15 2010, 01:06 PM | 1 Comment(s)
by Merritt Maxim

Almost every IT security vendor presentation references rogue Société Générale trader Jerome Kerviel as a poster child for what happens when organizations deploy inadequate security controls and do not enforce segregation of duties.  And while Kerviel's story certainly demonstrates the risks of such inadequate security controls, the other aspect of the story is what kind of supervision Société Générale had over Kerviel.  A large multinational firm such as Société Générale has compliance officers and others tasked to verify and prevent such activity, correct?  Why didn't they notice such activity?

This very point is central to Kerviel's defense in his criminal trial which has commenced in Paris.  I encourage everyone to keep abreast of this trial as it offers some great insights into compliance and communication in large organizations. 

The central issue in the Kerviel case is whether Kerviel's superiors were aware of his activities.  Kerviel's defense is that yes, they did know, and they allowed the activity as long as it was profitable.  Kerviel's superiors argue that Kerviel deliberately bypassed controls to evade identification.

The Financial Times report (registration required) on yesterday's testimony caught my eye and is worth quoting here.

"A former SocGen compliance officer also told the court yesterday that several databases would have been available to Mr. Kerviel's superiors where all trading operations could be tracked.

Valérie Rolland said his superiors would also have been able to track down changes made in the data entry system to mask positions."

If databases were available, then surely this trading activity would have been stopped?  First, as my favorite movie actor Leslie Nielsen uttered, "stop calling me Shirley" and secondly, don't ever assume for a minute that just because your organization has tons of databases and BI that anyone is going to use them regularly. 

While the databases could (and should) have been configured to generate alerts when certain trading thresholds were reached, the testimony reflects a myopic view that merely having the data means that compliance needs will be met.  Unfortunately, we know too well that hectic work schedules make it very difficult to expect senior executives to utilize such tools on their own.  Such compliance data needs to be delivered to them directly for analysis.

In the end, successful compliance requires a vigilant, proactive mindset.  I am withholding judgment on this specific case as testimony is ongoing, but this excerpt should make every organization evaluate its compliance processes (even if you are not in financial services).  Are you expecting your end users to do a lot of the investigation?  If so, you might want to re-evaluate this approach.
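To make the two controls discussed above concrete, here is an added example, not part of the original post and not CA Technologies' code: a small Python script that models a trade ledger and its edit audit trail, alerts when a trader's booked net exposure crosses a limit, applies a segregation-of-duties check to edits (the trader who booked a trade must not resize it), detects breaches that the edited ledger no longer shows, and bundles everything into a report that can be pushed to a supervisor rather than waiting for someone to query a database. The traders, trades, edits and the exposure limit are all constructed sample values.

```python
"""Proactive compliance alerting over a constructed trade ledger (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    trade_id: str
    trader: str
    notional: float  # signed: positive = long, negative = short


@dataclass(frozen=True)
class Edit:
    """An after-the-fact change to a recorded trade's notional, as logged by the data-entry system."""
    trade_id: str
    editor: str
    old_notional: float
    new_notional: float


M = 1_000_000.0
EXPOSURE_LIMIT = 50 * M  # constructed per-trader net exposure limit (assumption)

# Constructed sample ledger and audit trail; none of this is real data.
TRADES = [
    Trade("T1", "alice", 20 * M),
    Trade("T2", "alice", 35 * M),   # takes alice to 55M, over the limit
    Trade("T3", "bob", -10 * M),
    Trade("T4", "bob", 15 * M),
    Trade("T5", "carol", 30 * M),
    Trade("T6", "carol", 40 * M),   # carol at 70M, over the limit
]
EDITS = [
    Edit("T2", "alice", 35 * M, 5 * M),   # trader shrinks her own trade after booking it
    Edit("T6", "dave", 40 * M, 45 * M),   # back-office correction made by someone else
    Edit("T9", "bob", 1 * M, 2 * M),      # edit referencing a trade that was never booked
]


def net_exposure(trades):
    """Net signed notional per trader."""
    exposure = defaultdict(float)
    for t in trades:
        exposure[t.trader] += t.notional
    return dict(exposure)


def apply_edits(trades, edits):
    """The ledger as it currently reads, after applying the edits in order."""
    current = {t.trade_id: t for t in trades}
    for e in edits:
        t = current.get(e.trade_id)
        if t is not None:
            current[e.trade_id] = Trade(t.trade_id, t.trader, e.new_notional)
    return list(current.values())


def exposure_alerts(trades, limit=EXPOSURE_LIMIT):
    """Alert on every trader whose booked net exposure exceeds the limit."""
    return [
        {"type": "EXPOSURE_LIMIT", "trader": trader, "exposure": exp, "limit": limit}
        for trader, exp in sorted(net_exposure(trades).items())
        if abs(exp) > limit
    ]


def segregation_alerts(trades, edits):
    """Segregation-of-duties check on the audit trail: the trader who booked a
    trade must not edit its recorded size, and an edit that references a trade
    absent from the ledger is reported as well."""
    by_id = {t.trade_id: t for t in trades}
    alerts = []
    for e in edits:
        t = by_id.get(e.trade_id)
        if t is None:
            alerts.append({"type": "EDIT_UNKNOWN_TRADE", "editor": e.editor, "trade_id": e.trade_id})
        elif e.editor == t.trader:
            alerts.append({"type": "SELF_EDIT", "trader": t.trader, "trade_id": e.trade_id,
                           "delta": e.new_notional - e.old_notional})
    return alerts


def masked_breach_alerts(trades, edits, limit=EXPOSURE_LIMIT):
    """Compare exposure as booked with exposure as the edited ledger now shows it.
    A trader over the limit on booked trades but under it on the edited view has
    had a breach masked by data-entry changes."""
    booked = net_exposure(trades)
    shown = net_exposure(apply_edits(trades, edits))
    return [
        {"type": "MASKED_BREACH", "trader": tr, "booked": booked[tr], "shown": shown.get(tr, 0.0)}
        for tr in sorted(booked)
        if abs(booked[tr]) > limit and abs(shown.get(tr, 0.0)) <= limit
    ]


def compliance_report(trades, edits, limit=EXPOSURE_LIMIT):
    """Everything a supervisor should receive without having to run a query."""
    return (exposure_alerts(trades, limit)
            + segregation_alerts(trades, edits)
            + masked_breach_alerts(trades, edits, limit))


if __name__ == "__main__":
    for alert in compliance_report(TRADES, EDITS):
        print(alert)
```

The point of `masked_breach_alerts` is that the check runs against the trades as originally booked, not only against the ledger's current values; a control that reads only the edited view is exactly the one that a data-entry change can defeat. In practice `compliance_report` would be scheduled and its output delivered (e-mail, ticket, dashboard push) so that no executive has to remember to look.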


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...
