CA Community


July 2010 - Posts

Securing Your Road to Virtualization & Cloud: Elasticizing Your Web Access Management Infrastructure

Published: July 29 2010, 07:46 AM | no comments
by Shirief Nosseir

In this blog I'll share how and why some of our customers are leveraging Web Access Management (WAM) to support their virtualization efforts (or is it the other way around?!).

As we know, modern web applications rely on WAM solutions for things like authentication, authorization and single sign-on facilities. This is why WAM solutions are highly transactional. The demand and load on a WAM infrastructure can vary considerably depending upon the pressures of the business and its stakeholders (employees, customers, partners, suppliers, etc.). WAM solutions have already been used for many years in traditional environments and have been proven to be resilient and scalable for securing web applications. But should organizations embarking on virtualization have the infrastructure in place to cater for infrequent peak usage?

Elasticity is one of the primary benefits of virtualization. And as organizations add and remove virtual instances (which in turn run web applications) to meet the peaks and troughs in business transaction demand, WAM infrastructures need to keep up accordingly to ensure a quality customer experience that is balanced with minimum overheads.

For organizations looking to leverage virtualization to optimize their web application service levels, a virtualization-ready WAM solution is a must (don't assume that you can simply virtualize any WAM solution: often the vendor will need to tweak and test their WAM solution before supporting it in virtual environments). So we're not just talking about securing the virtual environment, we're also talking about virtualizing the security infrastructure. The WAM infrastructure needs to be able to make use of virtualization to scale up and down to meet changing business demands. For example, if business transactional demand increases beyond the current capacity of the WAM infrastructure, then it's likely that response time will increase, service level agreements will be negatively impacted, and users will become frustrated. In this case, additional virtualized instances of the policy enforcement points (PEPs) can be started and dynamically added alongside the PEPs that are already running to service the additional demand.

Today, it's clear that organizations need to ensure the quality of their end-to-end user experience.  The service quality of an application is as strong as its weakest link.  So when planning the move of your critical web applications to a virtual environment, you need to consider the implications on your web access management infrastructure from the very start (as well as all the other essential security services of course) and make sure to operationalize it with the rest of your virtual infrastructure stack.


By: Shirief Nosseir
With a degree in computer science and business administration, Shirief brings business and technical know-how to his role on the EMEA Security Management team. As he interacts with many organisations and experts in the field, he is able to understand their experiences and challenges and help devise...

Identity is at the Center of Security Management for the Cloud

Published: July 28 2010, 11:34 AM | no comments
by Matthew Gardiner

The identity industry has come a long way from the days of access control on the mainframe and the arrival more than 10 years ago of LDAP directories.  Identity management is now a multi-billion dollar market in its own right and has grown to be central to how organizations manage their security operations.

Now that the cloud has captured the attention of just about everyone in the computing industry, particularly those in the IT security world, we need to examine the cloud's impact on how identities are managed.

The identity industry is currently going through a very healthy process of reconsideration and re-architecture, along with the larger IT industry.  I like to characterize this re-architecture as a natural form of vertical disintegration.  Any student of business history knows that it is very common for industries, as they mature, to change their supply chains; to source from outside what they used to produce internally.  In many ways the whole cloud movement itself can be characterized as massive vertical disintegration of the IT industry.

The implications of this for the identity industry are powerful. At CA Technologies we like to think about this change using the framework of: To, For, & From. In short, as the IT industry vertically disintegrates into a hybrid and dynamic mix of IT services conducted in-house and via suppliers, the identity operations that secure and enable this environment need to flex as well. Enterprises need to be able to extend their traditionally internal identity processes to incorporate their stable of cloud services - extending these processes to the cloud. Conversely, cloud service providers themselves need to be able to secure and manage their services to earn the trust of cloud consumers - improving the management of identity for their cloud services. And finally, as a direct reaction to the drive for vertical disintegration, enterprises are beginning to outsource multiple identity functions previously done in-house to specialized cloud providers, thus consuming these identity services from the cloud instead of conducting them all internally.

CA Technologies continues to expand our contribution to all aspects of identity and the cloud - to, for, and from.  You can read more about this here.  Identity certainly remains central to how security is managed with the emergence of IT clouds.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

Access certification & attestation: Best practices for avoiding the rubber stamp syndrome

Published: July 28 2010, 02:10 AM | no comments
by Shirief Nosseir

Access certification is an ongoing process where managers and designated approvers review who has access to what to confirm that each user/role has access only to the resources necessary to perform their job function.  In doing so, organizations prevent users from accumulating unnecessary privileges and decrease their risk profile.

Accordingly, the risk mitigation benefits of access certification are only as good as how careful the approvers are in examining access rights.  However, access certification efforts often suffer from the rubber stamp syndrome - this is when a manager/approver bulk-approves all access rights presented in a review by "selecting all" and clicking "approve."  One common reason for rubber stamps is when approvers get constantly swamped with too many access certification requests.  This can be avoided by following these recommendations:

  • Once a year, have a full certification where each manager certifies all the entitlements of all their direct report team members
  • On a quarterly basis, have delta certifications where managers only certify the changes in entitlements for their team in the last quarter
  • To help eliminate toxic combinations (i.e., ensure segregation of duties) which might happen when an employee gets transferred to a new position, there needs to be an event-based certification where all the entitlements for this employee get examined

This might sound like more work, but because the delta certifications are much smaller and quicker to go through, the approver is more likely to give each one proper attention and complete it properly. The drawback of a quarterly certification (and hence the need to complement it with a full yearly certification) is that the approver cannot see the bigger picture and the business implications without seeing the full set of entitlements for each team member. At the same time, an employee who gets promoted or transferred to a new position might create toxic combinations and pose business risk for an organisation, because the existing entitlements together with the newly granted ones might allow him/her to carry out a sequence of tasks that violate segregation of duties policies (e.g., raise a purchase order and approve it); this warrants that the approver immediately look at the full entitlements for that employee. From a workload perspective, managers do not transfer their direct reports to new positions on a regular basis, so such event-based certifications should not occur often enough to bother the certifying manager.
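As an added illustration of the delta and event-based reviews described above (example code written for this post, not code from the original article or from any CA product; the users, entitlement names and the single segregation of duties rule are constructed):

```python
"""Quarterly delta certification and event-based SoD review over entitlement snapshots.

Constructed example. A snapshot maps user -> set of entitlement codes; an SoD rule is a
pair of entitlements one person must never hold together (e.g. raise and approve a PO).
"""
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Set[str]]

# Constructed sample data (hypothetical users and entitlement codes).
LAST_QUARTER: Snapshot = {
    "alice": {"PO_RAISE", "AP_VIEW"},
    "bob": {"PO_APPROVE"},
    "carol": {"HR_READ"},
}
THIS_QUARTER: Snapshot = {
    "alice": {"PO_RAISE", "AP_VIEW", "PO_APPROVE"},  # transferred into approvals, kept old rights
    "bob": {"PO_APPROVE", "PO_RAISE"},
    "carol": {"HR_READ"},                            # unchanged: nothing to certify this quarter
    "dave": {"AP_VIEW"},                             # new joiner: every entitlement is new
}
SOD_RULES: List[Tuple[str, str]] = [("PO_RAISE", "PO_APPROVE")]


def delta_certification(previous: Snapshot, current: Snapshot) -> Dict[str, Dict[str, List[str]]]:
    """Items for a quarterly delta review: only entitlements added or removed since the
    previous snapshot, per user. Users with no change are left out entirely."""
    items: Dict[str, Dict[str, List[str]]] = {}
    for user in sorted(set(previous) | set(current)):
        before, after = previous.get(user, set()), current.get(user, set())
        added, removed = after - before, before - after
        if added or removed:
            items[user] = {"added": sorted(added), "removed": sorted(removed)}
    return items


def toxic_combinations(entitlements: Set[str], rules: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return every SoD rule whose two entitlements are both held by one user."""
    return [(a, b) for a, b in rules if a in entitlements and b in entitlements]


def event_certification(user: str, current: Snapshot, rules: List[Tuple[str, str]]) -> dict:
    """On promotion/transfer: present the user's FULL entitlement set (not just the delta)
    with any toxic combinations flagged, so the approver sees the whole picture."""
    ents = current.get(user, set())
    return {"user": user, "entitlements": sorted(ents), "toxic": toxic_combinations(ents, rules)}


if __name__ == "__main__":
    print(delta_certification(LAST_QUARTER, THIS_QUARTER))
    print(event_certification("alice", THIS_QUARTER, SOD_RULES))
```

Running the delta across a whole organisation and the full check only for transferred employees is what keeps the quarterly workload small while still catching the purchase-order example above.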

There are a few other reasons for the rubber stamp syndrome, including:

  • Approvers don't understand the business context of what they're certifying. This is particularly the case when the certification tool doesn't offer plain-language descriptions clearly explaining the business relevance of the roles, users, access entitlements or resources involved in the process (think SAP and mainframe transaction codes, but Active Directory group names are often guilty too). To create quality descriptions, you'll need to enlist the help of the application and system owners, as they are the ones with an intimate understanding of their resources (i.e., applications and systems) and what the relevant entitlements actually do. To provide business context and descriptions for the users and roles, you'll need to refer to human resources data sources as well as involve line-of-business managers and users. More importantly, you'll need strong sponsorship from management to ensure the collaboration of all necessary stakeholders.
  • Approvers don't appreciate the implications of their approvals ("if it isn't broken, don't fix it" or "It's already been like this for a while, what's the worst that can happen" kind of reasoning). This needs to be alleviated by establishing a compliance-oriented culture and educating approvers on the importance of access certification.
  • Access certifications are complex, manual and time consuming. This can be resolved by using an automated access certification and role management tool. The market in this space is now mature enough, and there are a few good tools available that can be of significant help (including, of course, our very own CA Role and Compliance Manager tool). These tools can automate the discovery of new roles (through pattern-based analysis), identification of risks and anomalies (by highlighting excessive or unnecessary privileges), enforcement of centralized policies (such as segregation of duties), application of workflows, and much more.

This blog post is obviously just touching the surface of such a vast subject, so any additional tips and comments are certainly welcome.



Virtual Entitlements (VE) Sprawl

Published: July 22 2010, 10:22 AM | no comments
by Birendra Gosai

The late 1990s and early 2000s saw a proliferation of applications within the enterprise. This was not limited to applications from vendors like SAP, Oracle, JD Edwards, PeopleSoft, etc., but also included Java and .NET-based custom applications. Around the same time, regulations such as HIPAA, PCI, and Sarbanes-Oxley were introducing various certification and compliance mandates on organizations. The large number of entitlements introduced by ERP, CRM, financial, legacy, and custom applications, coupled with the regulatory mandates, created a pressing need for comprehensive management of application entitlements within IT organizations.

Companies like Virsa Systems (acquired by SAP in 2006 for more than $400 million), Vaau (acquired by Sun), Eurekify (acquired by CA Technologies), Aveksa, and SailPoint, took the initiative to meet these entitlement management needs. They help customers manage application entitlements, ease certification/audit requirements, and enforce fine-grained access controls by providing role-based access control (RBAC), role modeling and role administration capabilities.

IT organizations will soon face challenges managing infrastructure entitlements in the virtual environment, similar to those faced with the management of application entitlements. With the advent of virtualization, a large number of new entitlements are being introduced into the data center. Management applications such as VMware vCenter, Microsoft SCVMM and XenServer Essentials provide their own sets of roles and entitlements for ESX/ESXi, Hyper-V and XenServer administration, respectively. The ability to couple/decouple the management of virtual machines to/from the management applications, access requirements of third-party applications, and the dynamic nature of end-user console access requirements will exacerbate the problem of managing entitlements within the virtual environment. IT organizations that try to manage infrastructure entitlements in silos will face problems similar to those encountered with the management and certification of application entitlements.

Virtualization management products, such as those in the CA Virtual portfolio, provision, configure, assure, secure and optimize heterogeneous virtual environments. Comprehensive role modeling and analytics capabilities, coupled with virtualization management technologies, can provide a strong foundation to expand RBAC for the comprehensive management of entitlements across heterogeneous virtual environments - thus helping contain Virtual Entitlements Sprawl ('VE Sprawl').

Note: This blog was first published on the Virtualization and Automation blog.


By: Birendra Gosai
Birendra Gosai has a Masters degree in Computer Science and over ten years of experience in the enterprise software industry. He has worked extensively on data warehousing, network & systems management, and security management technologies. He currently works in the virtualization management business...

The Data Breach PR Disclosure Recipe: 4 Simple Steps

Published: July 21 2010, 09:02 AM | no comments
by Merritt Maxim

People in Infosec are getting increasingly jaded (myself included) when we hear about yet another data breach.  Given the vast amounts of sensitive electronic data and continued operational lapses on handling sensitive data, the unfortunate reality is that data breaches are with us to stay.

I initially viewed yesterday's reported data breach at the South Shore Hospital in Quincy, MA as the latest breach du jour until I read and heard the local reporting on the story.  You can read the hospital's official press release here.

I soon realized organizations learn from prior breaches and follow a very simple script when announcing a breach.  There are four key components to this script.

  1. Always Refer to the Breach in Hypothetical Terms - Use of terms like "may" or "possibly" is essential here. This means it is important to announce the breach early on. This enables the organization to shift the messaging from a breach to "potentially missing," which is usually deemed less serious. The same rule applies to describing the data itself. Thus, you will see yesterday's press release comment that the data "may" have contained sensitive info like social security numbers and other medical-related data. As someone who has spent time in hospitals, I challenge you to find any piece of documentation that does NOT have your medical record number, SSN or diagnosis on it! Leaving the data description vague enables organizations to avoid directly claiming that anything sensitive was disclosed.
  2. Emphasize That the Data is Old - In addition to noting that the data may or may not have been sensitive, organizations should emphasize that the data is old. The implication is that old data is less risky. This may hold true for credit cards, which are changed at normal intervals, but last time I checked, your social security number or medical record number stays with you for your entire life. So the fact that the data is old should be of no comfort to anyone.
  3. Defer Blame Whenever Possible - While the use of contractors and third parties is a reality in today's business environment, use of third parties does not completely absolve an organization. In the South Shore breach, data was shipped off-site to another provider, which did not provide timely assurance of its destruction. Credit should be given to South Shore for requesting documentation of the destruction, but the four-month lag between sending the data off and finally announcing that the data is missing is still concerning. But the delay and lost data allow the organization to deflect the blame.
  4. State That Cracking the Data Would be Very Difficult - Hence, the release states, "...specialized software, hardware, and technical knowledge and skill would be required to access and decipher information on the files." That may sound good, until you realize that the people with the most to gain from this data (identity thieves) are very talented and likely possess (or have access to) specialized software, hardware and technical skills. That argument is not reassuring, but stating the scale of difficulty can placate the public.

I realize that data breaches now involve regulatory issues, civil lawsuits and other expenses, and organizations are often limited in what they can disclose, so I do not mean to trivialize this process.  I also do not mean to call out the hospital; as I stated up front, this recipe is followed by most organizations when a breach occurs.  But, understanding these steps should help you understand and properly interpret any future data breach announcement.  I think that you'll see that they will follow this recipe.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...