CA Community
January 2011 - Posts

Will the Cloud Cause the Reemergence of Security Silos?

Published: January 24 2011, 09:44 AM | 1 Comment(s)
by Matthew Gardiner

Infosecurity.com recently posted a blog from me, Will the Cloud Cause the Reemergence of Security Silos?  Take a look and let us know what you think here. In short, my view is this:  In the short term the answer is probably yes, but we already have the security architectures, standards, and technologies available to address them. So we should start doing it now.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

CA Technologies Celebrates its Community Managers

Published: January 24 2011, 09:14 AM | no comments
by Leanne Agurkis

CA Technologies today sends a special thank you to the team members who manage our Communities.  CA Communities are online forums where our customers can engage and network with their business peers and solution and product experts from CA Technologies.  This behind-the-scenes job involves everything from advising the customer board members who lead our Communities, to enabling message boards, webcasts and in-person regional meetings.

It takes a lot of attention and dedication to make these communities hum, and we appreciate the team that makes it all happen for the more than 20,000 users.

Check out the various communities here, or the Security Management Community to collaborate with your Security / Identity and Access Management peers.


By: Leanne Agurkis
Leanne Agurkis has spent 20 years in the communications field working in the areas of public relations, internal communications, and publishing. She has worked on the CA business for six years as both a consultant and now a full-time employee supporting CA’s Security & Compliance business which includes...

NSTIC – You Should Applaud it Not Boo it

Published: January 19 2011, 01:34 PM | no comments
by Matthew Gardiner

Like many long time federated identity focused people in the identity community, I have been closely monitoring the early development of the U.S. government's National Strategy for Trusted Identities in Cyberspace (NSTIC) program -- most recently when the Secretary of Commerce and related folks went to Stanford to discuss the program in more depth.  The NSTIC program, and others like it in other countries such as Canada and New Zealand, have the potential to catalyze a true marketplace for trusted identities on the Internet, making life online both safer and easier for everyone.

Maybe I am naïve to politics in Washington, but the quality of the reporting on the NSTIC program has been highly inconsistent at best.  While some reports have been right on the money, such as this one from Fast Company, others have been poorly researched and have shown that they have not understood (and probably not even read) what NSTIC is all about in particular or the value of federated identity in general.

If you are leery of the centralization of personal information and credentials, in particular by governments; don't want a government monopoly on verifying online identities; don't want the excessive sharing of personal information between organizations, including government organizations; and don't want governments creating IT systems that can't interoperate and leverage best practices from the private sector; you should love the NSTIC program, not hate it.

Organizations have been federating their users' relatively high-security sessions for years now, generally in support of tightly coupled business relationships, such as the IT enablement for supply chains or other B-to-B applications.  More recently identity federations have grown in support of low-security applications around social networking (Facebook Connect & Google's OpenID) and university-oriented research collaborations.  But what has been lacking to date is more arms-length federations for trust-requiring applications.  NSTIC is a great example of a large community of potential applications (government ones) coming forward to take advantage of trusted identities that already exist on the Internet from potentially thousands of sources.  Not only could this benefit U.S. citizens by enabling improved, more secure, and less costly access to government applications, but it could also have spillover benefits to the private sector, by helping to establish a new revenue-generating business model that has benefits for all participants, including the user.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

Tragedies, High-Profile Events and Privacy Breaches

Published: January 18 2011, 01:25 PM | no comments
by Sumner Blount

The shootings in Tucson have stunned the nation.  But, almost any high-profile event like this often brings out the curious - folks who want to find out more about the famous or infamous people involved in it.  And, when those folks have access to private information, the results can be bad.

Bill Brenner's recent blog at CSO.com, A Sickening Breach of Privacy, described how several employees of the hospital where the victims were sent had violated privacy policies and viewed their hospital records.  These intrusions were detected, and it appears that all the policy violators were immediately fired, a very suitable punishment for these hideous breaches of patient privacy.  Here's another comment on this situation at HealthcareInfoSecurity.com, Great Work on Records Snoops Crackdown, which supports the swift dealing with the perpetrators.

There are two things that strike me about this particular case.  The first one is that anytime someone can access information that you don't want them to access, there's something wrong with your security controls. It might be that these people had access rights to view the records of any patient, which almost certainly is more than their job requires.  In this case, the problem might lie in insufficient granularity in their access privileges.  An automated role management system, along with periodic access certification, also could help to make sure that each user had only the appropriate access rights at all times.  But, whatever the cause, clearly there is some area of access management that could be improved.

Another thing that struck me was the fact that these people apparently were detected almost immediately, and summarily fired.  This reminds me of a similar case many years ago that only the old-timers will remember.  In the early 70's, President Nixon was going through a PR disaster as the extent of the Watergate scandal was unfolding.  One seminal event that in some ways sealed his fate with the public was when his tax return was breached and it showed that he only paid a little over $700, on an income of several hundred thousand dollars.  To the best of my knowledge, the person who disclosed that tax return was never found nor punished.  The whole saga of the Nixon tax returns can be found here, and it's fascinating reading even for someone too young to remember it all.

Why is this relevant?  Because back in those days, there were not only minimal controls on access to confidential information, but there was essentially no auditing of access nor monitoring to look for suspicious events like this.  We've at least progressed to the point where privacy breaches can often be detected soon after the event (even if the information is not disclosed) and dealt with quickly.

Brenner's blog appropriately states:

"Curiosity makes us do stupid things from time to time. If you work in a hospital and you have some famous patients, the urge to look at their confidential records must be overwhelming. It's still wrong, though."  

The fact that people are human is reason enough to ensure that all private information is protected by rigorous security controls, that users have access to information only if it is essential, and that controls over what they can do with the information once they access it are in place and monitored.



By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

WikiLeaks illustrates overarching goal of security professionals is to ‘build and protect reputation’

Published: January 12 2011, 09:12 AM | no comments
by Sumner Blount

The recent Wikileaks breach continues to generate comment and opinion in both the mainstream press and the IT security-related media.  I came across this blog by Upasana Gupta recently at HealthcareInfoSecurity.com and believe that it made some excellent points about the lessons of Wikileaks, and the challenges that it presents for IT Security professionals and managers.

One key point made here is that controlling access, though critical, is not enough.  You obviously have to ensure that everyone has only the appropriate level of access that they need for their jobs, and that these entitlements are reviewed on a regular basis.  There will always be cases where someone needs access to sensitive information, but there are operations on that information that you need to prevent - such as emailing it, copying it to a private drive, etc.  In the case of Wikileaks (as we have noted in several blog postings), there were non-existent or ineffective controls both in terms of user access (he never should have had access to such a wide variety of sensitive documents) and information use (he never should have been allowed to communicate them externally).

A second important point is that the role of an effective security executive goes beyond establishing policies, creating controls, and monitoring their effectiveness.  This is critically important, but should not be viewed as the overarching goal of the organization.  The true goal of every security executive should be to "build and protect a [company's] reputation."  When all efforts are directed toward this goal, it should become easier to marshal support and adherence to policy from across the organization. 


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...
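The two Sumner Blount posts above make a shared point: entitlements must be granular enough to match the job (a care relationship, not "any patient"), some actions such as exporting need their own entitlement even for users who may view, every attempt should be audited, and the audit trail should be monitored so a snoop or a bulk exporter is caught quickly. The following Python is an added illustration of that pattern and is not code from CA Technologies or from either post. It assumes a constructed hospital-style records system: a treatment-relationship table, role-to-action grants, an audit log that records denied attempts as well as permitted ones, and a detector that reviews the log. All staff names, patient ids, roles and thresholds are invented sample data.

```python
"""Least-privilege record access with an audit trail and snooping/bulk-export detection.

Added example; assumptions: a constructed hospital-style records system with a
treatment-relationship table, role-to-action grants, and an audit log reviewed
by a detector. None of the data below is real.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed policy: which actions each role may perform on a patient record.
ROLE_ACTIONS = {
    "nurse": {"view"},
    "physician": {"view", "export"},
    "billing": {"view_billing"},
}

# Constructed directory of staff and their roles.
STAFF_ROLES = {
    "dr_alice": "physician",
    "nurse_bob": "nurse",
    "nurse_carol": "nurse",
    "clerk_dan": "billing",
}

# Constructed care teams: only staff currently treating a patient have a relationship.
TREATMENT_RELATIONSHIPS = {
    "patient-101": {"dr_alice", "nurse_bob"},
    "patient-102": {"dr_alice"},
}


@dataclass
class AuditEvent:
    user: str
    action: str
    patient: str
    allowed: bool
    reason: str


def coarse_authorize(user: str, action: str, patient: str) -> bool:
    """The overly broad policy the Tucson post warns about: any clinical role may
    view any patient, with no relationship check. Shown only for contrast."""
    role = STAFF_ROLES.get(user)
    return role is not None and action in ROLE_ACTIONS.get(role, set())


class RecordService:
    """Fine-grained policy: role grants the action AND the user must be on the
    patient's care team. Every decision, allowed or denied, is audited."""

    def __init__(self) -> None:
        self.audit_log: list[AuditEvent] = []

    def authorize(self, user: str, action: str, patient: str) -> AuditEvent:
        role = STAFF_ROLES.get(user)
        if role is None or action not in ROLE_ACTIONS.get(role, set()):
            ev = AuditEvent(user, action, patient, False, "action not granted to role")
        elif user not in TREATMENT_RELATIONSHIPS.get(patient, set()):
            ev = AuditEvent(user, action, patient, False, "no treatment relationship")
        else:
            ev = AuditEvent(user, action, patient, True, "ok")
        self.audit_log.append(ev)  # denied attempts are the signal the detector needs
        return ev


def detect_misuse(audit_log: list[AuditEvent], deny_threshold: int = 2,
                  export_threshold: int = 3) -> list[tuple[str, str]]:
    """Review the audit trail: flag users who repeatedly request records outside
    their care relationship (snooping) or who export many records (bulk exfiltration)."""
    denied = Counter(ev.user for ev in audit_log
                     if not ev.allowed and ev.reason == "no treatment relationship")
    exports = Counter(ev.user for ev in audit_log if ev.allowed and ev.action == "export")
    findings = [(u, f"{n} record requests outside care relationship")
                for u, n in denied.items() if n >= deny_threshold]
    findings += [(u, f"{n} record exports") for u, n in exports.items() if n >= export_threshold]
    return sorted(findings)


def run_scenario() -> tuple[int, list[tuple[str, str]]]:
    """Constructed sequence of access attempts; returns (allowed count, detector findings)."""
    svc = RecordService()
    attempts = [
        ("dr_alice", "view", "patient-101"),    # on care team: allowed
        ("nurse_bob", "view", "patient-101"),   # on care team: allowed
        ("nurse_carol", "view", "patient-101"), # curious colleague: denied and logged
        ("nurse_carol", "view", "patient-102"), # second attempt: denied and logged
        ("clerk_dan", "view", "patient-101"),   # billing role cannot view clinical record
        ("dr_alice", "export", "patient-102"),  # physician on care team: allowed
        ("dr_alice", "export", "patient-101"),  # allowed; two exports stay under threshold
    ]
    for user, action, patient in attempts:
        svc.authorize(user, action, patient)
    allowed = sum(1 for ev in svc.audit_log if ev.allowed)
    return allowed, detect_misuse(svc.audit_log)


if __name__ == "__main__":
    print("coarse policy lets nurse_carol view patient-101:",
          coarse_authorize("nurse_carol", "view", "patient-101"))
    print(run_scenario())
```

The contrast between coarse_authorize and RecordService.authorize is the granularity point from the Tucson post; the separate export entitlement and the export counter are the "access is not enough, control what they do with it" point from the WikiLeaks post. Logging denials matters: the snooping finding comes entirely from requests that were refused.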
