CA Community

October 2010 - Posts

The First Protection Profile for Enterprise Security Management

Published: October 31 2010, 07:01 AM | 1 Comment(s)
by Joshua Brickman

As promised in my previous blog post, I'm proud to announce that the first Enterprise Security Management (ESM) Protection Profile (PP) will be for "Access Control." At the International Common Criteria Conference last month, I walked the attendees through the results of the Global Threat Survey, which showed that Access Control was the No. 1 priority.

  • 86% of respondents said that either Access Control or Policy Management were the highest priority
  • 63% of respondents said that Access Control was in their Top 2 in order of importance
  • The Access Control protection profile could be written to cover at least four product sub-types including User Management and Provisioning, Host Access Management, Web Access Management, and SOA Security

So our strategy is to publish the first PP focused on implementing the policy (the policy enforcement point) received from a Policy Manager. We'll follow that with a second PP for Policy Management itself. The plan is for the Protection Profile to go up on the NIAP website for public comment sometime in November, with a target publication in December 2010. We'll also be seeking international mutual recognition by getting it evaluated by another lab outside the U.S., so that it can ultimately be used by any vendor in any participating country.

Other observations from the International Common Criteria Conference

I was asked to participate at the last minute in a panel discussion before the entire conference. The title of the panel was "Meeting the user needs - the power of protection profiles and technical communities." The ESM initiative is now being seen as the new Gold Standard for how to move the Common Criteria forward. Here is an audio recording of the session.

Here are the other survey results, in particular participants' thoughts on Protection Profiles and Security Targets:

  • Almost 70% said they compare Security Targets when they select products. Considering that STs are written in the obscure jargon of the Common Criteria, it was very surprising that anyone reads them, never mind that they compare products via this method.
  • Also, 73% said that Protection Profiles were important; clearly respondents recognize that without PPs, comparing Security Targets is infinitely more difficult.
  • Finally, half say they plan on replacing existing security tools with new ESM products. The opportunity for ESM vendors is clear.

The main themes (communities, mutual recognition and protection profiles) were completely in sync with CA Technologies' approach to the Common Criteria. We continue to commit to actively participating in the evolution of the standard to make it more useful for all.

When the Access Control PP is available, I'll be sure to let everyone know.

By: Joshua Brickman
Joshua Brickman, project management professional, runs CA’s Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last five years (in both the U.S. and Canada). Brickman has given talks at the last four International...

Taming the wild west of cloud service sprawl

Published: October 29 2010, 06:55 AM | no comments
by Shirief Nosseir

Yesterday, we talked about data sprawl and the need to take an identity-centric approach to information protection (or a content-aware identity and access management one, depending on which way you look at it).  In this post we'll look at service sprawl and why it is a problem for cloud adoption.

In these early days of cloud computing, most cloud-sourcing decisions are decentralized.  It is quite common for a business line to adopt a cloud service without consulting all the relevant teams that should be involved.  A few months ago I wrote a blog post titled "Security is irrelevant.  Resistance is futile."  There, I argued that many business executives will go ahead and consume cloud services whether these services have been vetted enough for security or not.  I also cited a cloud security survey that showed 49% of respondents were actually experiencing this trend in their organization (over 900 IT practitioners, who are already cloud computing users, were interviewed).

And with so many different cloud deployment options being available (including SPI service models [i.e., Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service], internal vs. external hosting, public vs. private deployments), organizations today are increasingly evolving to a hybrid model that blends in-house IT with external services consumed from the cloud.

Service sprawl is not a new phenomenon.  For example, when an organisation first adopts a service-oriented architecture, it commonly ends up with several similar services: different development projects need to use a specific functionality (i.e., a service), and due to a lack of sufficient coordination, consistency and common standards, each project ends up developing its own version of the same service (in this scenario it is usually sub-services we are talking about, e.g., managing a customer address).  Another typical scenario is mergers and acquisitions, where both enterprises already have similar services.

Cloud computing, however, amplifies the service sprawl problem.  The concern here is not with the number of cloud services that are rapidly finding their way into our organization.  The issue is these services lack consistency and standards.  In turn, it becomes exceedingly challenging to establish baseline controls and enforce uniform policies for security, compliance and management across the organization.

Arguably, technology today is mature enough to help us develop a unified management framework that enables us to consume and deliver consistent cloud services.  The clear challenge, however, remains in establishing and adopting industry standards to deliver the required consistency (and if consumers do not demand it, providers will not be obliged to comply).  Equally important for the cloud paradigm shift to succeed is for organizations to make the cultural, operational and architectural changes that are required to wield the technology that is available to us.

Other blog posts in this series:

1. Securing your road to virtualization and cloud: Welcome to the sprawl galore

2. Virtual machine Sprawl: An issue of quantity or quality?

3. Entitlement sprawl: Are you managing privileged users in your virtual environment?

4. Data sprawl?  Content-aware identity and access management to the rescue

By: Shirief Nosseir
With a degree in computer science and business administration, Shirief brings business and technical know-how to his role on the EMEA Security Management team. As he interacts with many organisations and experts in the field, he is able to understand their experiences and challenges and help devise...

Data sprawl? Content-aware identity and access management to the rescue

Published: October 28 2010, 05:54 AM | no comments
by Shirief Nosseir

Yesterday, we looked at entitlement sprawl and the importance of managing privileged users in virtual environments.  Now, let's move on to data sprawl and talk about what's needed to protect our most vital business asset: information.

In the good old days, before the explosion of information technology, most data was held in paper form.  If we needed to control who has access to the information, we controlled the paper.  And if the amount of paper was getting out of control, we trimmed it back to keep it in check.  It was also inherently more difficult to copy or share papers and, in turn, information as a whole (remember how groundbreaking the fax machine was when it first came out?).

Nowadays, as data has transformed into bits and bytes, copying sensitive data or sending it across the globe is just a mouse click away.  As we all know, this brought about new levels of efficiency and fuelled the democratization of information.  On the flip side, however, we ended up with data sprawl: in most cases now, we have little control over how information is being used and shared and by whom it is being consumed.  And with the enormous amounts of information we process and share on a daily basis, we are not able to keep track of where all copies of our sensitive information are located.  Needless to say, data sprawl has introduced all sorts of security problems, since we simply cannot secure what we cannot locate and control.

With virtualization and cloud computing, data sprawl becomes even more of an issue.  Workloads are more mobile, and the nature of these environments is highly dynamic and often extends beyond the typical boundaries of our organization.  Clearly, traditional perimeter security cannot offer enough control over data and its movement.  And although typical data loss prevention (DLP) technologies do a good job at locating, classifying and controlling information, they are simply not enough for what is truly needed.  An identity-centric approach to information protection and control becomes paramount in virtual and cloud environments.  Content awareness (provided by DLP solutions) allows us to understand what information is held in our files and documents, whereas an identity-centric approach adds more intelligence to the data sprawl problem by bringing in the context of who is trying to use the data and how they should be allowed to use it (e.g., email, copy, print).

Consequently, DLP technologies need to become more identity centric and integrated with identity and access management (IAM) technologies.  And conversely, IAM needs to become more content aware to provide the right level of control that fosters information sharing, while mitigating unnecessary risks (and without blowing our own trumpet too much, CA Technologies is still the only single vendor that offers both fully-fledged IAM and DLP solutions in an integrated fashion). 
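To make the "content-aware IAM" idea concrete, here is an added example (not code from the post, and not CA's product logic) of an access decision that first classifies the data like a DLP engine would, then applies identity context. The classification patterns, the user attributes (role, department), the actions (copy, email, print), the destinations and the policy table are all constructed for illustration; the point is the shape of the decision: what the data is, who is acting, what they are doing, and where it is going.

```python
"""Content-aware access decision: classify the data, then apply identity context.

Added example with constructed rules and sample data. Every sensitivity label
found on the data must permit the requested action, and any classified data
with no matching rule is denied (default deny), so the most restrictive label
wins when a document carries several.
"""
import re
from collections import namedtuple

# Identity context: who is asking. Attribute names are an assumption.
User = namedtuple("User", ["name", "role", "department"])

# Toy DLP classifiers (constructed patterns, deliberately simple).
CLASSIFIERS = {
    "pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),              # SSN-shaped number
    "financial": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),   # 16-digit card-shaped number
    "confidential": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}

# Policy table: (label, action) -> predicate over (user, destination).
POLICY = {
    ("confidential", "copy"): lambda u, dest: True,
    ("confidential", "email"): lambda u, dest: dest == "internal",
    ("confidential", "print"): lambda u, dest: u.role == "manager",
    ("pii", "copy"): lambda u, dest: u.department == "hr",
    ("pii", "email"): lambda u, dest: dest == "internal" and u.department == "hr",
    ("financial", "email"): lambda u, dest: dest == "internal" and u.department == "finance",
}


def classify(text):
    """Content awareness: the set of sensitivity labels found in the text."""
    return {label for label, pattern in CLASSIFIERS.items() if pattern.search(text)}


def decide(user, text, action, destination="internal"):
    """Return ('allow' | 'deny', reason). Each label on the data must permit the action."""
    labels = classify(text)
    if not labels:
        return "allow", "unclassified content"
    for label in sorted(labels):
        rule = POLICY.get((label, action))
        if rule is None or not rule(user, destination):
            return "deny", f"{label}: {user.role}/{user.department} may not {action} to {destination}"
    return "allow", f"permitted for labels {sorted(labels)}"


if __name__ == "__main__":
    # Constructed sample users and documents.
    hr_analyst = User("alice", "analyst", "hr")
    sales_rep = User("bob", "analyst", "sales")
    record = "Employee record, SSN 123-45-6789"
    memo = "CONFIDENTIAL: Q4 plan, card on file 4111 1111 1111 1111"
    for user, text, action, dest in [
        (hr_analyst, record, "email", "internal"),  # allowed: HR, internal
        (hr_analyst, record, "email", "external"),  # denied: PII leaving the organization
        (sales_rep, record, "copy", "internal"),    # denied: not HR
        (sales_rep, memo, "print", "internal"),     # denied: confidential, not a manager
        (hr_analyst, memo, "email", "internal"),    # denied: financial label needs finance
    ]:
        print(user.name, action, dest, "->", decide(user, text, action, dest))
```

The same document yields different decisions for different users and actions, which is what DLP alone cannot express, and the same user gets different decisions for differently classified documents, which is what IAM alone cannot express.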

Well, instead of blabbing any further, here's an 11 minute demo that illustrates how a content-aware IAM approach can effectively help control data sprawl.

Tomorrow, the final episode in this series explores cloud service sprawl.

Other blog posts in this series:

1. Securing your road to virtualization and cloud: Welcome to the sprawl galore

2. Virtual machine Sprawl: An issue of quantity or quality?

3. Entitlement sprawl: Are you managing privileged users in your virtual environment?

5. Taming the wild west of cloud service sprawl

 


Entitlement sprawl: Are you managing privileged users in your virtual environment?

Published: October 27 2010, 05:18 AM | no comments
by Shirief Nosseir

In yesterday's blog post I talked about virtual sprawl and the security implications it has.  Today, it's time to touch on entitlement sprawl, which, from an identity and access management perspective, is probably the most critical and challenging issue in virtual environments.

We know how difficult it is to manage and enforce administrative access rights in heterogeneous physical environments.  This issue is exacerbated further in virtual environments, since the hypervisor layer introduces many new far-reaching roles and entitlements.  For example, privileged users are able to power on, power off, copy or move guest machines running on a virtual host server.  If these new hypervisor entitlements are not well managed (e.g., according to the principle of least privilege), our businesses will be unnecessarily exposed to significant risk.  Moreover, hypervisor entitlements should not be managed in isolation: they need to be maintained in concert with the entitlements assigned to privileged accounts on the guest virtual machines, as well as the resources and systems running on these guest machines.

Furthermore, native virtualization management platforms (VMware vCenter, Microsoft Virtual Machine Manager and Citrix Essentials) provide their own implementations of roles and entitlements.  At the same time, some surveys show that 50% of organizations already use more than one virtualization platform in their environment.  And since security is only as strong as its weakest link, we need to ensure the functional consistency of hypervisor entitlements across our various virtualization platforms (e.g., VMware ESX/ESXi, Microsoft Hyper-V or Citrix XenServer).

There are many security considerations that we do not have to worry about in development and test, or even limited production environments.  However, as we accelerate our adoption of virtualization across production environments, it becomes essential to manage entitlement sprawl to ensure accountability, segregation of duties and consistency throughout our entire infrastructure stack.
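The two controls the post asks for, least privilege on hypervisor entitlements and consistency of those entitlements across platforms, can be checked mechanically once each platform's role model is normalized onto a common vocabulary. The script below is an added example (not code from the post or from a CA product): the platform names, role names, accounts and the mapping of roles onto the actions power / clone / migrate / console / manage_roles are constructed assumptions, and a real audit would pull the role definitions and assignments from each platform's API instead of the inline table.

```python
"""Audit hypervisor role assignments for entitlement sprawl.

Added example with constructed sample data. Two checks:
  1. least privilege: accounts holding high-impact guest actions (clone, migrate,
     manage_roles) that are not on the approved privileged-account list;
  2. cross-platform consistency: accounts whose effective actions differ from
     one virtualization platform to another.
"""
from collections import defaultdict

# Hypothetical normalization of vendor-specific role names onto common actions.
ROLE_ACTIONS = {
    "vcenter": {
        "Administrator": {"power", "clone", "migrate", "console", "manage_roles"},
        "VM Power User": {"power", "console"},
        "Read-Only": set(),
    },
    "hyperv": {
        "Administrator": {"power", "clone", "migrate", "console", "manage_roles"},
        "VM Operator": {"power", "console"},
        "Read-Only": set(),
    },
}

# Actions treated as high impact for guest workloads (copying and moving VMs,
# and changing who may do so).
PRIVILEGED_ACTIONS = {"clone", "migrate", "manage_roles"}

# Constructed access policy: the only accounts allowed to hold privileged actions.
APPROVED_PRIVILEGED = {"vmadmin-alice", "svc-backup"}

# Constructed assignments exported from both platforms: (platform, account, role, scope).
ASSIGNMENTS = [
    ("vcenter", "vmadmin-alice", "Administrator", "Datacenter/Prod"),
    ("hyperv", "vmadmin-alice", "Administrator", "Cluster-Prod"),
    ("vcenter", "dev-bob", "VM Power User", "Datacenter/Dev"),
    ("hyperv", "dev-bob", "Administrator", "Cluster-Dev"),       # admin on one platform only
    ("vcenter", "auditor-carol", "Read-Only", "Datacenter/Prod"),
    ("hyperv", "auditor-carol", "Read-Only", "Cluster-Prod"),
    ("vcenter", "svc-backup", "Administrator", "Datacenter/Prod"),  # approved service account
    ("vcenter", "intern-dave", "Administrator", "Datacenter/Dev"),  # unapproved administrator
]


def effective_actions(assignments):
    """Union of actions each (platform, account) pair holds across all its roles."""
    actions = defaultdict(set)
    for platform, account, role, _scope in assignments:
        actions[(platform, account)] |= ROLE_ACTIONS[platform][role]
    return dict(actions)


def find_excess_privilege(assignments, approved):
    """Accounts holding privileged actions without being on the approved list."""
    findings = []
    for (platform, account), acts in sorted(effective_actions(assignments).items()):
        excess = acts & PRIVILEGED_ACTIONS
        if excess and account not in approved:
            findings.append((platform, account, sorted(excess)))
    return findings


def find_cross_platform_inconsistency(assignments):
    """Accounts present on more than one platform with differing effective actions."""
    per_account = defaultdict(dict)
    for (platform, account), acts in effective_actions(assignments).items():
        per_account[account][platform] = acts
    return {
        account: platforms
        for account, platforms in per_account.items()
        if len(platforms) > 1 and len({frozenset(a) for a in platforms.values()}) > 1
    }


def audit(assignments, approved=APPROVED_PRIVILEGED):
    """Run both checks and return the findings as one report."""
    return {
        "excess_privilege": find_excess_privilege(assignments, approved),
        "inconsistent": find_cross_platform_inconsistency(assignments),
    }


if __name__ == "__main__":
    report = audit(ASSIGNMENTS)
    for platform, account, acts in report["excess_privilege"]:
        print(f"EXCESS  {platform:8} {account:14} {', '.join(acts)}")
    for account, platforms in report["inconsistent"].items():
        detail = "; ".join(f"{p}: {sorted(a)}" for p, a in sorted(platforms.items()))
        print(f"DRIFT   {account:14} {detail}")
```

On the sample data the audit flags dev-bob (an administrator on Hyper-V but only a power user on vCenter, which is both an excess-privilege and a consistency finding) and intern-dave (an unapproved administrator), while the approved accounts and the read-only auditor pass.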

And as is common in enterprise settings, where there is a need, there is a market.  Similar to how some vendors provide identity and access management solutions to complement native operating system security, a few vendors (including CA Technologies, of course) are already doing the same for virtual platforms to help avoid entitlement sprawl, combat insider threats and support compliance.

Tomorrow, we'll cover data sprawl.

Other blog posts in this series:

1. Securing your road to virtualization and cloud: Welcome to the sprawl galore

2. Virtual machine Sprawl: An issue of quantity or quality?

4. Data sprawl?  Content-aware identity and access management to the rescue

5. Taming the wild west of cloud service sprawl

 


Virtual machine Sprawl: An issue of quantity or quality?

Published: October 26 2010, 11:33 AM | no comments
by Shirief Nosseir

Yesterday, I mentioned four types of sprawl that organizations commonly face when moving to virtual and cloud environments.  Today let's look at the first type: virtual machine (VM) sprawl. 

VM sprawl is the most commonly cited type of sprawl.  What's important, but often not mentioned, is that we need to distinguish between two primary problems when tackling VM sprawl.

The first, and better known, boils down to concerns over the weed-like growth in the number of VMs that get introduced (in articles it usually goes something like this: "as users realize how easy and quick it is to create virtual machines...").  This issue is compounded by the fact that often these VMs never get decommissioned, even after there is no longer any business reason for them to continue running.  From an IT management perspective, this results in a catch-22 situation: as VM sprawl leads to unnecessary overuse of infrastructure resources (since the VMs use up memory, CPU cycles, energy, etc.), it defies virtualization's promise to maximize resource utilization, lower costs and reduce energy consumption.  Security-wise, as long as all the VMs remain configured according to a standard build, the problem here stays limited to an increase in the attack surface as well as the burden on our resources (human and otherwise) to secure superfluous server workloads.  It's true that from an administrative perspective the appeal of virtualization includes how easy it is to provision, clone and move VMs, and how this can be done at the touch of a button or even automatically (which is a key capability for reaching higher levels of IT agility).  However, if the full lifecycle (e.g., configuring, provisioning, monitoring, cost accounting, deprovisioning) of VMs is not well thought out and managed from the very start, our virtualization efforts will backfire on us.

The real security issue, though, lies in the second problem related to virtual sprawl.  The concern here is more about the proliferation of rogue VMs due to inadequate IT controls.  It's about ensuring that VMs remain consistently configured and hardened, and that they are properly managed and secured across all our various virtualization platforms (since, similar to how we typically rely on more than one operating system, we will also rely on more than just one hypervisor platform, and as far as security is concerned, all platforms need to be equally secure).  This is not exceptionally difficult to achieve, especially in organizations with more mature and automated policies and processes.  However, simply applying the same change and configuration management practices currently in place for our physical servers is not a viable approach.  Many of the processes currently in place are not optimized to address the dynamic nature of virtual and cloud environments, and applying them without revisiting them would severely impact our agility.  Another notable challenge here is around managing and securing our dormant VMs, and ensuring that when they wake up they are compliant with our corporate security policies and configured according to the relevant standard build (somewhat similar to how we apply changes to physical server machines that are switched off).

Embarking on virtualization and cloud computing initiatives without addressing change and configuration management implications is a sure recipe to introduce significant operational problems as our environment grows far more quickly than our ability to control it.  Make no mistake, virtualization and cloud computing are disruptive innovations and require us to revisit how we can deliver business value through IT services.  We need to reconsider our organizational, operational, functional, architectural and technological requirements and capabilities, to name just a few aspects.  What's exciting though is that there's a genuine desire for change and the IT industry is willing to make the leap forward.  Granted, it's not an easy ride, but there is no reason why it cannot actually enable us to reach new levels of automation that power the agility and efficiencies we're desperately striving to reach.
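Both problems described above (VMs that outlive their business justification, and VMs, dormant ones in particular, that drift from the standard build) show up as findings in an inventory audit. The script below is an added example, not code from the post or from a CA product: the inventory records, the "standard build" baseline and the field names (owner, expires, state, last_power_on, config) are constructed assumptions standing in for whatever a platform export would provide after normalization.

```python
"""Flag VM sprawl in a virtual machine inventory.

Added example with constructed data. Three findings are reported:
  orphaned              - no owner, no justification, or justification expired;
  drifted               - config differs from the standard build, whatever the state;
  dormant_noncompliant  - powered off for a long time AND drifted, i.e. a VM that
                          would come back non-compliant when it wakes up.
"""
from datetime import date, timedelta

# Date on which the audit runs (constructed).
AUDIT_DATE = date(2010, 10, 26)

# Constructed standard build every VM is expected to match.
STANDARD_BUILD = {
    "os_build": "2010.10",        # hypothetical build identifier
    "security_agent": True,
    "host_firewall": True,
    "default_admin_disabled": True,
}


def build(**overrides):
    """Return a copy of the standard build with the given settings changed."""
    cfg = dict(STANDARD_BUILD)
    cfg.update(overrides)
    return cfg


# Constructed inventory, as a normalized platform export might look.
INVENTORY = [
    {"name": "web-01", "owner": "app-team", "expires": date(2011, 3, 31), "state": "on",
     "last_power_on": date(2010, 10, 20), "config": build()},
    {"name": "web-02", "owner": "app-team", "expires": date(2011, 3, 31), "state": "on",
     "last_power_on": date(2010, 10, 20), "config": build(host_firewall=False)},
    {"name": "test-clone-7", "owner": None, "expires": None, "state": "off",
     "last_power_on": date(2010, 6, 1),
     "config": build(os_build="2010.04", security_agent=False)},
    {"name": "batch-03", "owner": "finance", "expires": date(2010, 9, 30), "state": "on",
     "last_power_on": date(2010, 10, 1), "config": build()},
    {"name": "dr-standby", "owner": "ops", "expires": date(2011, 12, 31), "state": "off",
     "last_power_on": date(2010, 10, 15), "config": build()},
]


def config_drift(vm, baseline=STANDARD_BUILD):
    """Baseline keys where the VM's configuration differs or is missing."""
    return sorted(k for k, v in baseline.items() if vm["config"].get(k) != v)


def is_orphaned(vm, today):
    """No accountable owner, or the business justification has lapsed."""
    return vm["owner"] is None or vm["expires"] is None or vm["expires"] < today


def is_dormant(vm, today, max_off_days=30):
    """Powered off for longer than the tolerated window."""
    return vm["state"] == "off" and (today - vm["last_power_on"]) > timedelta(days=max_off_days)


def audit_inventory(inventory, today, baseline=STANDARD_BUILD):
    """Run all checks over the inventory and return the findings by category."""
    report = {"orphaned": [], "drifted": [], "dormant_noncompliant": []}
    for vm in inventory:
        drift = config_drift(vm, baseline)
        if is_orphaned(vm, today):
            report["orphaned"].append(vm["name"])
        if drift:
            report["drifted"].append((vm["name"], drift))
        if drift and is_dormant(vm, today):
            report["dormant_noncompliant"].append((vm["name"], drift))
    return report


if __name__ == "__main__":
    for category, items in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

The dormant_noncompliant list is the one to gate power-on decisions on: a VM that has been off since June with an old build and no security agent should be remediated before it is allowed back onto the network, and an orphaned one with no owner is a candidate for decommissioning rather than remediation.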

In tomorrow's blog post, I'll talk about entitlement sprawl.

Other blog posts in this series:

1. Securing your road to virtualization and cloud: Welcome to the sprawl galore

3. Entitlement sprawl: Are you managing privileged users in your virtual environment?

4. Data sprawl?  Content-aware identity and access management to the rescue

5. Taming the wild west of cloud service sprawl
