November 2010 - Posts

As Cyber Monday kicks off the online holiday shopping season, better think security

Published: November 29 2010, 06:17 PM | 1 Comment(s)
by Leanne Agurkis

During the last several years, many of us have opted out of the Black Friday crowds and embraced the Cyber Monday experience to kick off our holiday shopping marathon.  However, as retailers enhance online shopping for added consumer convenience, there are increased opportunities for crooks to sour the online shopping experience.  

This presents a security challenge from both the consumer angle and the IT department angle.  According to an ISACA survey on holiday shopping and workplace Internet safety, more consumers will be doing online shopping from their work computer or device. 

"47% of employees shopping online will use their company-issued mobile devices: notebook computers, tablets or smart phones. 'Digital natives' (ages 18-34, the generation that has grown up with the Internet) are even more likely to shop using mobile devices, and are the least likely to use secure browsing technology. As mobile devices are increasingly used in the workplace, the need for network security policies to protect sensitive data on these devices is also increasing."

Rob Stroud (ISACA International Vice President and CA Technologies employee), today's guest blogger at CNBC, shares his thoughts on "digital natives" and their shopping habits: http://www.cnbc.com/id/40380113

And consumers have a lot to be concerned about, too. They need to have the confidence that they are engaged in secure transactions and there is no risk of fraud around identities and credit card information.

The increase in card-not-present transactions during the holiday season calls for more security verification than just the CVV number; these transactions need identity verification as well. If you have ever been prompted by Verified by Visa, MasterCard® SecureCode™ or JCB J/Secure™ during a credit card transaction, you were engaged in a more secure transaction thanks to the additional identity verification those systems offer.

Arcot, a company recently acquired by CA Technologies, helped patent the technology behind Verified by Visa and other systems like it. The Arcot technology has verified more than 120 million identities protecting them from fraud. To further assist in more safe online shopping, CA Technologies offers just a few security tips as you shop online:

  • Shop at sites that show they support an extra layer of protection to help prevent you from becoming a victim of fraud. Look for online merchants that display the Verified by Visa, MasterCard® SecureCode™ and JCB J/Secure™ logos.
  • Look for secure payment processing. When a website processes your payment information, be sure the URL address changes from HTTP to SHTTP or HTTPS. This indicates that the purchase is encrypted or secured.
  • Secure, then shop. The bad guys constantly update their techniques, so consumers need to update their protection. Make sure your firewall, antivirus, anti-spyware and operating system software are up to date.
  • Be alert and be suspicious. Identity thieves count on the holiday rush to catch consumers off guard with bogus e-mails that seem to be coming from a legitimate organization such as the bank, the IRS or UPS. These "phishing" scams can lure shoppers into divulging personal information. Be suspicious of anyone asking for additional personal information or asking you to click on links in an e-mail.

By: Leanne Agurkis
Leanne Agurkis has spent 20 years in the communications field working in the areas of public relations, internal communications, and publishing. She has worked on the CA business for six years as both a consultant and now a full-time employee supporting CA’s Security & Compliance business which includes...

Thoughts from Gartner IAM Summit 2010

Published: November 19 2010, 01:32 PM | 1 Comment(s)
by Gijo Mathew

This week I attended the Gartner IAM Summit in San Diego.  The event covers a broad range of identity-related topics, with particular emphasis on the identity challenges and issues that organizations face.

One of the most important topics this year was identity intelligence.   For example, I spoke at a session with Bernie Cowens (CISO from AAA) on Business Centric IAM. We presented our ideas, and Bernie's experience, in gaining intelligence from security solutions and tying it to business goals. 

In other sessions, there was discussion around users and access, and how it is important to also include data in an IAM strategy.  Another common topic was the importance of strong authentication, which was particularly timely for us because of our recent acquisition of Arcot.   Authentication has taken on new life recently and the debate between strong and easy authentication rolls on (why can't we have both?). While the expert sessions outlined the future and direction of IAM, the customer use case presentations were much more practical.  For example, in a customer session, American Century Investments spoke on why they used Arcot early on for multi-factor authentication.

Finally, it wouldn't be an industry conference without much discussion about cloud. There was more talk about identity in the cloud, but very few real-world use cases were actually presented. One session, though, included Andrew Nash from PayPal presenting on how consumer identity is evolving in the cloud, including identity federation, user-centric identity, and identity proofing.

Overall it was a good, well attended event and I always enjoy catching up with my industry friends.


By: Gijo Mathew
Gijo Mathew is Vice President of Security Product Marketing at CA. He leverages more than ten years of software development and security experience to interpret customer needs, drive security awareness and implement risk centric strategies within enterprise organizations. Throughout his career, he has...

Protect data, not just access to it, with CA Technologies Content-Aware IAM

Published: November 10 2010, 09:44 AM | no comments
by Sumner Blount

If you are a regular reader of this blog, you may be aware of our ongoing vision and strategy relating to Content-Aware IAM.  The core tenet of this vision is to provide not only control over user identities and their access, but also over their information use.  And, further, we will be integrating our IAM components such that knowledge of information content will be used by the other components (e.g., CA SiteMinder) to make better and more granular access management decisions. The goal is to more effectively enforce information use policies, improve security, and simplify compliance across the entire IAM suite.

This is our strategy and roadmap.  We have heard very positive responses from both analysts and customers, and we are excited about the potential this provides for our existing and future customers as they embark on their next-generation IAM initiatives.

Today we announced several products that support Content-Aware IAM:

  • CA Identity Manager - can now directly provision, de-provision, and modify users in the CA DLP user hierarchy. As users' roles change, those changes are passed into DLP, which then automatically changes each user's data usage entitlements. For example, a user in the Finance organization accesses and sends sensitive financial information via email on a regular basis. When the user changes roles from Finance to Marketing, their entitlements are changed as well, so they can no longer access financial information. In addition, CA Identity Manager makes this change within DLP, modifying the user's data usage privileges. Now, if this user attempts to email financial information already in his/her possession, the email will be blocked.
  • CA DLP - in addition to the integration with CA Identity Manager described above, this release includes:
    • Content registration detection technique - Scans files and creates a digital "fingerprint" to identify sensitive content as it travels within or exits an organization.
    • Policy driven data encryption for data in use - Initiates the encryption of emails, including attachments and files sent to removable devices, via integration with native and third-party encryption technologies.
    • Role-based event review - Delivers policy and role-based delegation that helps control visibility to events and enable segregation of duties in environments where CA DLP is deployed for multiple disciplines. For example, IT Security, Legal, Compliance, or HR could all deploy their own data policies and review infractions in isolation, protecting confidentiality and privacy.
  • CA Top Secret r15 and CA ACF2 r15 - support Content-Aware IAM in the mainframe environment with new data classification capabilities that help satisfy regulatory needs to control data use.  The new releases of CA ACF2 and CA Top Secret for z/OS can be used to help classify data and ownership according to legal and government regulations. This allows the assignment of specific data classifications to critical resources for purposes of access policy refinement and reporting. Other security and administrative enhancements in these mainframe products include: reporting, certificate management, role-based security, operating system support, and protection of assets.
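To make the two mechanisms in the list concrete, here is an added toy model (not CA's code and not how CA DLP or CA Identity Manager are implemented): a content registry that fingerprints a registered document with hashed word-shingles, a directory whose role change immediately recomputes a user's data-usage entitlements, and an outbound-email decision that blocks registered content the sender is no longer entitled to use. The document, users, roles, shingle size, match threshold and policy table are all constructed for the example.

```python
"""Added example, not CA's code: a toy model of two Content-Aware IAM pieces
described above, content-registration fingerprints for sensitive documents and
role-driven data-usage entitlements that change when a user's role changes.
Users, roles, documents, thresholds and the policy logic are all constructed."""
import hashlib
import re

SHINGLE = 8             # words per fingerprint shingle (assumption)
MATCH_THRESHOLD = 0.30  # share of a message's shingles that must be registered (assumption)

# Constructed sample document that Finance registers as sensitive.
Q3_FORECAST = ("Confidential Q3 forecast: revenue is expected to reach 42 million with "
               "margin improving to 18 percent after restructuring costs are absorbed "
               "in the fourth quarter.")


def fingerprint(text: str) -> set[str]:
    """Hash overlapping word-shingles of normalised text, so a copied paragraph
    still matches after reformatting or when embedded in a larger message."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if not words:
        return set()
    if len(words) < SHINGLE:
        return {hashlib.sha256(" ".join(words).encode()).hexdigest()}
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
            for i in range(len(words) - SHINGLE + 1)}


class ContentRegistry:
    """Content registration: remembers shingle hashes of registered documents."""
    def __init__(self) -> None:
        self._shingles: dict[str, str] = {}   # shingle hash -> classification

    def register(self, text: str, classification: str) -> None:
        for h in fingerprint(text):
            self._shingles[h] = classification

    def classify(self, text: str) -> dict[str, float]:
        """Return {classification: fraction of the message's shingles registered under it}."""
        shingles = fingerprint(text)
        hits: dict[str, int] = {}
        for h in shingles:
            c = self._shingles.get(h)
            if c is not None:
                hits[c] = hits.get(c, 0) + 1
        return {c: n / len(shingles) for c, n in hits.items()}


# Role -> data-usage entitlements (constructed policy table).
ROLE_ENTITLEMENTS = {"Finance": {"financial"}, "Marketing": {"marketing"}}


class Directory:
    """Stand-in for the identity store that the provisioning system updates."""
    def __init__(self) -> None:
        self.roles: dict[str, str] = {}

    def set_role(self, user: str, role: str) -> None:
        self.roles[user] = role        # a role change is pushed straight into the DLP view

    def entitlements(self, user: str) -> set[str]:
        return ROLE_ENTITLEMENTS.get(self.roles.get(user, ""), set())


def email_decision(directory: Directory, registry: ContentRegistry,
                   sender: str, body: str) -> tuple[str, list[str]]:
    """Block an outbound email if it carries registered content the sender is
    not entitled to use; otherwise allow it."""
    allowed = directory.entitlements(sender)
    offending = sorted(c for c, frac in registry.classify(body).items()
                       if frac >= MATCH_THRESHOLD and c not in allowed)
    return ("block", offending) if offending else ("allow", [])


def demo() -> tuple[tuple[str, list[str]], ...]:
    """Same email before and after the sender's role change, plus a benign one."""
    registry = ContentRegistry()
    registry.register(Q3_FORECAST, "financial")
    directory = Directory()
    directory.set_role("alice", "Finance")
    as_finance = email_decision(directory, registry, "alice", "FYI " + Q3_FORECAST)
    directory.set_role("alice", "Marketing")            # role change: entitlement revoked
    as_marketing = email_decision(directory, registry, "alice", "FYI " + Q3_FORECAST)
    benign = email_decision(directory, registry, "alice",
                            "Lunch at noon? The new campaign deck needs a final review before Friday.")
    return as_finance, as_marketing, benign


if __name__ == "__main__":
    for label, verdict in zip(("finance", "marketing", "benign"), demo()):
        print(label, verdict)
```

The shingle approach is what makes "registration" different from a whole-file hash: forwarding the forecast inside a longer email still matches 18 of the message's 19 shingles, while an unrelated message matches none. The role change takes effect on the next decision because the entitlement is derived from the directory at evaluation time rather than copied into the user's profile.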

There are very aggressive development and integration plans in place to continue our rollout of this Content-Aware IAM vision.  We will keep you up to date on new releases and progress on this important and innovative approach to information security.

For more info on Content-Aware IAM, please check out our Content-Aware IAM Technology Brief.


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

iPhones in the Enterprise - A New IAM Challenge

Published: November 04 2010, 04:01 PM | no comments
by Merritt Maxim

Many organizations have tried to resist end-user demands to allow iPhone usage and other smartphones for business use (as opposed to sticking to a corporate device standard like Blackberry).  By and large, these efforts have been futile as the demand from end users has been too high to resist.  So the reality is that smartphones are in the enterprise to stay.  While this is very positive news for end-users, allowing these devices into the enterprise environment has created some negative side effects for the IT department.

We were recently meeting with a Fortune 100 customer who has had most of the CA IAM solutions in production for many years.  They have been experiencing escalating password reset costs in the last year.  Given that every IAM vendor on the planet (ourselves included) routinely extols the benefit of IAM in reducing the cost of resetting passwords (through features like self-service), and that this customer had previously seen a reduction in password costs following the initial deployment of our IAM solution, this was a curious development.

The customer revealed that the culprit was increasing internal deployment of iPhones and iPads.  This is what was happening.  These mobile devices allow users to cache authentication credentials on the mobile device.  The problem occurs when the main domain login credential changes (e.g. every 90 days per corporate security policy).  The end user updates his credential for accessing email, but often neglects to update the credential for other third-party apps.  In the meantime, the devices try to connect to other applications using the old cached credential.  Since the old credential is expired, the application times out after multiple failed authentication attempts and locks out the account.  When the user goes to access that application, they receive an "access denied" message which prompts a help desk ticket.

This issue is proof of the unintended consequences that can result from deploying new technologies.  There is also the added dimension that in many large organizations, the initial iPad users tend to be higher in the organization and more likely to mention their frustration to the CIO.  So consider yourself warned that this issue might crop up in your organization shortly!
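The lockout pattern described above is recognisable in an authentication log, which lets a help desk or SOC separate "a device is replaying an old password" from lockouts that deserve a closer look. The following is an added example (not CA's code, and the log format, user names, addresses and the one-day window are all constructed): it correlates each lockout with the most recent password change for that account and with the clients and source addresses behind the failures that preceded it.

```python
"""Added example, not CA's code: triage of account lockouts against an
authentication log to spot the failure mode described above, a device still
replaying a cached credential after the user's password was changed.
The log format, users, addresses, client strings and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (syslog-like; the format is an assumption, not a real product's).
SAMPLE_LOG = """\
2010-11-02T08:00:12 PWCHANGE user=jdoe src=10.1.5.20
2010-11-02T08:03:01 AUTHFAIL user=jdoe src=198.51.100.7 client="ActiveSync/iPhone"
2010-11-02T08:04:33 AUTHFAIL user=jdoe src=198.51.100.7 client="ActiveSync/iPhone"
2010-11-02T08:06:02 AUTHFAIL user=jdoe src=198.51.100.7 client="ActiveSync/iPhone"
2010-11-02T08:07:40 AUTHFAIL user=jdoe src=198.51.100.7 client="ActiveSync/iPhone"
2010-11-02T08:09:15 AUTHFAIL user=jdoe src=198.51.100.7 client="ActiveSync/iPhone"
2010-11-02T08:09:16 LOCKOUT user=jdoe
2010-11-02T11:20:00 AUTHFAIL user=asmith src=203.0.113.9 client="Mozilla/5.0"
2010-11-02T11:20:02 AUTHFAIL user=asmith src=203.0.113.10 client="Mozilla/5.0"
2010-11-02T11:20:04 AUTHFAIL user=asmith src=203.0.113.11 client="python-requests"
2010-11-02T11:20:06 AUTHFAIL user=asmith src=203.0.113.12 client="python-requests"
2010-11-02T11:20:08 AUTHFAIL user=asmith src=203.0.113.13 client="python-requests"
2010-11-02T11:20:09 LOCKOUT user=asmith
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>PWCHANGE|AUTHFAIL|LOCKOUT) user=(?P<user>\S+)'
    r'(?: src=(?P<src>\S+))?(?: client="(?P<client>[^"]*)")?$')
# How long after a password change failures are still attributed to it (assumption).
STALE_WINDOW = timedelta(days=1)


def parse_log(text):
    """Parse the constructed format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                                   # lines in another format are skipped
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def triage_lockouts(text):
    """Return {user: (verdict, detail)} for every LOCKOUT in the log.

    'stale_cached_credential': the password was changed within STALE_WINDOW and
    every failure since then came from one client and one source address, which
    is what a device replaying the old credential looks like; unlock and tell
    the user which device to update.
    'investigate': anything else (no recent change, or failures spread across
    several clients or sources), which may be password guessing."""
    last_change = {}
    fails = defaultdict(list)
    verdicts = {}
    for e in parse_log(text):
        user = e["user"]
        if e["event"] == "PWCHANGE":
            last_change[user] = e["ts"]
            fails[user] = []                    # only failures after the change matter
        elif e["event"] == "AUTHFAIL":
            fails[user].append(e)
        elif e["event"] == "LOCKOUT":
            changed = last_change.get(user)
            recent = fails[user]
            clients = {f["client"] for f in recent}
            sources = {f["src"] for f in recent}
            if (changed is not None and e["ts"] - changed <= STALE_WINDOW
                    and recent and len(clients) == 1 and len(sources) == 1):
                verdicts[user] = ("stale_cached_credential",
                                  f"{len(recent)} failures from {sources.pop()} via {clients.pop()}")
            else:
                verdicts[user] = ("investigate",
                                  f"{len(recent)} failures from {len(sources)} sources, {len(clients)} clients")
            fails[user] = []                    # start fresh for any later lockout
    return verdicts


if __name__ == "__main__":
    for user, (verdict, detail) in triage_lockouts(SAMPLE_LOG).items():
        print(f"{user}: {verdict} ({detail})")
```

In the sample, jdoe's lockout follows a password change by minutes and every failure comes from one iPhone client at one address, so the ticket can be closed with "update the password on your phone"; asmith's lockout has no preceding change and the failures arrive from five addresses and two client strings, so it is routed for investigation instead. The same correlation can also be run proactively, alerting the user after the first post-change failure from a mobile client rather than waiting for the lockout.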


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

PCI-DSS 2.0 Is Out - New Emphasis on Securing Virtual Environments

Published: November 03 2010, 09:21 AM | no comments
by Merritt Maxim

Following meetings held earlier this fall, the PCI Security Standards Council has released updates to the PCI Data Security Standard (PCI-DSS).  The new version, PCI-DSS 2.0, will take effect on January 1, 2011, and represents the first significant update to the standard in over a year.  You can read a summary of the changes here.

As anyone who has been involved in standards work can attest, the process to create useful and meaningful standards can be laborious and time-consuming.  One can tell how much a standard is maturing based on the level of complexity in new versions of the standards.  Judging from the PCI-DSS 2.0, the standard is maturing very well as these new changes are incremental and further enhance what was in previous versions of standards.

Perhaps the most significant change in PCI-DSS 2.0 is that virtualization and its security implications are significantly discussed.  This is reflective of the importance of virtualization as a platform within the PCI community, but also that virtualization brings with it a host (no pun intended) of security challenges that need to be addressed.

In PCI-DSS 2.0, virtualization is discussed in a special section in the introduction (the only topic to receive this special treatment).   I encourage you to read the entire piece here, but these are some highlights:

  • Virtualization platforms must have the ability to enforce separation of duties and least privilege, to separate virtual network management from virtual server management.
  • Special care is also needed when implementing authentication controls to ensure that users authenticate to the proper virtual system components, and distinguish between the guest VMs (virtual machines) and the hypervisor.

Readers of this blog should know about the importance of managing privileged users in physical and virtual environments and how products like CA Access Control can help address these issues.  The good news is that awareness of privileged users and the challenges associated with securing virtual platforms is rapidly increasing.  I am pleased to see PCI-DSS 2.0 discussing these challenges and hope that even organizations not involved with PCI can follow the best practices identified in PCI-DSS 2.0 to secure their virtual environments.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...