CA Community

September 2010 - Posts

Google’s New Strong Authentication Service: Adding Bricks to the Federated Identity Foundation

Published: September 29 2010, 02:09 PM | no comments
by Matthew Gardiner

Google's recent announcement of its use of one-time passwords, delivered via SMS messages to mobile phones, to strengthen authentication to Google Applications is an important online security step, but not solely for the reasons you may be thinking. Yes, it is nice to have a highly visible, no-extra-cost example of multi-factor authentication for mass-scale consumer use. Anything that improves upon userid/password-only authentication schemes is very welcome. It is also a great and simple example of using a mass consumer phenomenon (mobile phones and texting) to help solve a security issue (online identity theft) that is a bane to both consumers and enterprises. However, I hope it will prompt more Web site owners to start asking themselves, "Why am I authenticating my online users when Google (or someone else) will do it for me cheaper and better as a cloud service?"

Taking it one step further: if Google (or someone else) is strongly authenticating users and supporting identity federation (which Google does), maybe Web site owners should trust and use the authentication services of these specialized providers instead of doing it themselves. This is exactly what happened with traditional strong authentication in the past. As organizations centralized access control to their purely on-premise applications with Web access management systems, they simultaneously felt the need to strengthen authentication to those applications. Strong authentication and centralized access control are closely related concepts. It is only logical: once access is centralized behind a single authentication, a natural mitigating control is stronger authentication, which better protects the eggs you have placed in that one basket. This concept helped birth the one-time password token and the other authentication technologies of the 1990s. The same thing is now starting to happen on the Web, but of course at Internet scale.

A key economic and security flaw of the Internet today is that every Web site that processes sensitive data and transactions has to be in the user authentication business. That means each of them must conduct some level of identity proofing, credential issuance and credential management, just for access to its single site. This is a direct cost to the site operator and to the user, who often gets a poor Web experience as a result. A far superior system, and the one I expect in the future, is for a person to have a relatively small number of authenticators, perhaps Google being one of them, with those sites vouching for the person at other sites. Of course, all I am talking about is the mass-scale use of federated identity. Those of us in the industry have been preparing the foundations of this new marketplace for many years. Google has just laid down another brick with its deployment of stronger authentication for its massive user base. Important industry initiatives, such as the Kantara IAF, are well underway to help catalyze this fledgling federated authentication marketplace by building on the existing federation foundation.

By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

TSCP Expo-CA SiteMinder and Document Sharing Identity Federation

Published: September 21 2010, 01:35 PM | no comments
by Merritt Maxim

Last week I had the privilege of attending the Transglobal Secure Collaboration Program Expo in the Washington DC area. For those who are not aware, TSCP is a cooperative forum whose members include the world's leading aerospace and defense companies, systems integrators and key government agencies. TSCP members have been collaborating for several years to establish and maintain an open, standards-based framework for secure collaboration and assured information sharing. With large defense projects spanning geographies and including thousands of contractors and sub-contractors, enabling secure information collaboration is essential to program success and to minimizing risk.

CA Technologies is a gold member of TSCP, and last week we provided an in-depth demo showing how CA SiteMinder enables organizations to implement the TSCP DSIF v1 specification. DSIF stands for Document-Sharing Identity Federation, a mechanism that allows users from different organizations to easily and securely access documents hosted in multiple security domains across international boundaries while still meeting regulatory requirements.

Our SiteMinder demo (developed in partnership with fellow TSCP members Raytheon and Northrop Grumman) showed how users could access local and remote content using a variety of authentication methods (username/password, PKI-based smartcards, RSA tokens, biometrics and one-time passwords) and federate out to other sites using multiple protocols (SAML, WS-Fed). The demo also showed how users must provide a higher level of assurance to access more sensitive information, a common use case in these highly distributed supply chains.

Attendee interest in our DSIF demo was very high and we will continue to work with the TSCP to enhance and develop its capabilities to meet TSCP members' needs for secure collaboration.  Stay tuned to this blog for more developments on this theme!

By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

IT Auditors are ready to take a rational approach to cloud adoption - if their organizations let them

Published: September 20 2010, 02:17 PM | no comments
by Matthew Gardiner

I recently returned from the annual North America ISACA conference. ISACA is a professional organization that focuses on IT governance, security and audit. Given how hot the cloud is, it perhaps isn't surprising that nearly a third of the sessions at the conference, including the one I delivered, were focused on it.

Overall, given ISACA members' mandate of keeping IT under control and compliant with regulations, the attendees raised a lot of concerns about the use of the cloud. Who can blame them? Fundamentally, they are concerned about how they can be responsible for something they don't control and have limited visibility into, namely applications and data running within public cloud service providers. But they also recognized the value and inevitability of the cloud, and came forward with questions and comments that showed they are ready to take a rational approach to security and control in the cloud. But will their organizations let them?

As with many compelling new approaches to IT in the past, the adoption of the Web itself being a good example, organizations often rush headlong into using them without fully considering the impact on security, regulatory compliance and the governance processes for data and workloads that will now be housed off premises inside a public service. Given the difficulty IT organizations have traditionally had addressing these issues for applications on their own premises, IT auditors are rightly concerned about how they are going to accomplish them for IT services that are elsewhere.

This conundrum can be resolved, but it will require collaboration between cloud providers and cloud consumers at many levels: policy, legal and technology, to name a few. It will also require that the IT security and audit teams at cloud consumers be key players in defining what, how and when specific IT services are migrated to the cloud. If organizations naively bypass their own IT experts in the move to the cloud, the resulting breaches and compliance weaknesses will not be the fault of the IT security and audit teams.

By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

Shifts in information security threats call for a new IAM model to enter the game

Published: September 15 2010, 03:05 PM | no comments
by Gijo Mathew

Last night I participated in a panel discussion with Bob Blakley, an analyst from Burton Group (recently acquired by Gartner, Inc.); Bernie Cowens from AAA; and John Lu from Deloitte & Touche. The discussion focused on the evolution of IAM as it becomes more content-aware and how that applies to cloud security ... The event was broadcast to more than 500 IT security staff in various cities across the country.

During the discussion, the panel suggested that IT is going through major shifts from a technical, business and threat perspective, and that to address these changes we need a new Identity and Access Management model.

I couldn't agree more: this new model has to be content-aware. The products within this model use information that is not available to standalone products to add intelligence and depth to traditional identity and access management. For example, when we access a file on a SharePoint site, the system should take the sensitivity of the content into consideration before it gives us access, not just check which group or role we are in. Protecting and controlling data, however, is no trivial task, and to do it effectively we need to integrate identity, authorization and data classification from both a technology AND a process perspective.

We are in the middle of a serious IT paradigm shift with cloud, virtualization and mobile computing, and to fully realize the potential of this shift we need to evolve IAM to be more content-aware.
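To make the content-aware model concrete, here is an added example (written for this page; it is not CA SiteMinder, TSCP DSIF, or any product's code) of an access decision that combines the two checks discussed above and in the TSCP DSIF post earlier on this page: the traditional group/role check, and a classification-driven minimum authentication assurance that triggers step-up for more sensitive content. The classification labels, assurance tiers, policy table, document contents and the crude PII pattern in `classify` are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional


class Classification(IntEnum):
    """Data sensitivity labels (constructed for this example)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Assurance(IntEnum):
    """Authentication strength of the current session, weakest to strongest
    (constructed tiers; they mirror the method types the TSCP demo lists)."""
    PASSWORD = 1
    OTP = 2          # one-time password (SMS, hardware token)
    SMARTCARD = 3    # PKI smartcard


# Minimum assurance a session must hold to read each label (constructed policy).
REQUIRED_ASSURANCE = {
    Classification.PUBLIC: Assurance.PASSWORD,
    Classification.INTERNAL: Assurance.PASSWORD,
    Classification.CONFIDENTIAL: Assurance.OTP,
    Classification.RESTRICTED: Assurance.SMARTCARD,
}

# Explicit marking line an author can put in a document (constructed convention).
MARKING_RE = re.compile(
    r"^\s*CLASSIFICATION:\s*(PUBLIC|INTERNAL|CONFIDENTIAL|RESTRICTED)\s*$", re.I | re.M
)
# Crude PII indicator (US SSN shape); a real classifier would use far richer rules.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def classify(text: str) -> Classification:
    """Derive a label from content: trust an explicit marking line, otherwise
    escalate on a PII pattern, otherwise default to INTERNAL (never PUBLIC)."""
    m = MARKING_RE.search(text)
    if m:
        return Classification[m.group(1).upper()]
    if SSN_RE.search(text):
        return Classification.CONFIDENTIAL
    return Classification.INTERNAL


@dataclass(frozen=True)
class Document:
    name: str
    text: str
    readers: FrozenSet[str]   # groups allowed to read the document


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]
    assurance: Assurance


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    required: Optional[Assurance] = None  # set when a step-up would satisfy the policy


def authorize(session: Session, doc: Document) -> Decision:
    """Content-aware access decision: group membership first, then the
    classification-driven assurance requirement."""
    # Traditional role/group check, evaluated first so that a user who could
    # never read the document is not told what assurance level it requires.
    if not (session.groups & doc.readers):
        return Decision(False, "not-a-reader")
    needed = REQUIRED_ASSURANCE[classify(doc.text)]
    if session.assurance < needed:
        # Deny for now, but tell the caller which step-up would be sufficient.
        return Decision(False, "step-up-required", needed)
    return Decision(True, "allowed")


def step_up(session: Session, method: Assurance) -> Session:
    """Return a session whose assurance reflects a completed stronger authentication."""
    return Session(session.user, session.groups, max(session.assurance, method))


# Constructed sample data.
ENGINEERING = frozenset({"engineering"})
DOCS = {
    "readme": Document("readme", "CLASSIFICATION: INTERNAL\nBuild notes.", ENGINEERING),
    "payroll": Document("payroll", "Employee 123-45-6789 salary review", ENGINEERING | {"hr"}),
    "designs": Document("designs", "CLASSIFICATION: RESTRICTED\nAirframe drawings.", ENGINEERING),
}

if __name__ == "__main__":
    alice = Session("alice", ENGINEERING, Assurance.PASSWORD)
    for name, doc in DOCS.items():
        print(name, authorize(alice, doc))
    print("payroll after OTP:", authorize(step_up(alice, Assurance.OTP), DOCS["payroll"]))
```

The ordering of the two checks is the point worth noticing: group membership is decided before the content label is consulted, so the step-up prompt is only ever shown to users who are readers of the document, and the label itself is derived from the content rather than from whichever folder the file happens to sit in.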

By: Gijo Mathew
Gijo Mathew is Vice President of Security Product Marketing at CA. He leverages more than ten years of software development and security experience to interpret customer needs, drive security awareness and implement risk centric strategies within enterprise organizations. Throughout his career, he has...

Enterprise Security Management Protection Profiles: A Progress Report

Published: September 15 2010, 12:03 PM | 1 Comment(s)
by Joshua Brickman

In my last blog I referenced a global threat survey that CA was administering. I plan on presenting the full results of the survey at the International Common Criteria Conference (ICCC) in Antalya, Turkey on Wednesday, September 22, 2010. Today I'd like to provide a sneak preview of those results and also report where we are on the creation of the first Protection Profile (PP) in the Enterprise Security Management (ESM) space.

The survey polled staff in the U.S. Department of Defense as well as other U.S. and foreign government agencies. It measured 12 data points, which can be summarized as: operational mission, Common Criteria knowledge and importance, procurement decisions and the Common Criteria, and the importance of Enterprise Security Management (ESM) products to the customers.

Operational Mission and Procurement

Two-thirds of respondents use ESM tools, but a third are unsatisfied with their current ESM products. Over 50 percent of respondents said that they are planning on replacing one or more ESM tools with new products. There is a tremendous opportunity for companies that make these tools to solve real cyber-security issues in the U.S. Federal government and foreign governments. However, the products clearly need to be integrated: 50 percent believed that integrated products were very important, showing that point solutions are not acceptable to these customers.

Knowledge of the Common Criteria

Interestingly, the respondents overwhelmingly (almost two-thirds) believe that a Common Criteria (CC) evaluated product is a more trustworthy product. I wrote about this perception last December and believe this view shows that some education is needed in the field. The Common Criteria does a reasonable job of validating that companies follow industry best practices for software development. However, its emphasis on documenting the whole product while minimizing configuration, implementation and vulnerability analysis clearly does not provide proof that a product is "safe." Several working groups (industry plus government) are looking at improving the Common Criteria, and NIAP has already declared its strategy with recent policy changes. I expect the international reaction to those policies will be the buzz of the conference. I'll report on the happenings from ICCC as well.

There was no consensus that a product respondents like, but which is not CC evaluated, has to be replaced with a CC evaluated product. Yet most agencies agree that CC evaluated products are a procurement requirement. So essentially, if they are happy with a product, even if it hasn't been CC evaluated, they will not necessarily replace it. If they are buying a new product, then it really should be CC evaluated.

I'll have more detailed results to report after the conference in October, including what respondents think about the usability of Security Targets and their views of Protection Profiles.

The First Protection Profile for ESM

I'll be formally announcing at the conference the first Protection Profile that respondents selected. The team has made tremendous progress and plans on making the first Protection Profile available for public comment this year. And the second Protection Profile, which is a follow-on to this one, is already in the works!

By: Joshua Brickman
Joshua Brickman, project management professional, runs CA’s Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last five years (in both the U.S. and Canada). Brickman has given talks at the last four International...
