CA Community

February 2011 - Posts

Risk-based Authentication – A process whose time is NOW

Published: February 25 2011, 02:52 PM | 3 Comment(s)
by Sumner Blount

Many times we tend to view authentication as a black and white issue.  You either are or are not the person you claim to be, and therefore authentication is either a success or a failure.  For example, if you know the password, then you are (in the eyes of the system) the person that you claim to be.  Stronger or advanced methods of authentication represent a "higher hurdle" that one must clear in order to prove who one is.  But, once you pass that hurdle (or jump over it, as the metaphor may require), your identity is deemed to be known, and you are now authenticated.

But, as contextual factors have started to be used in the authentication process, the decision becomes more complicated.  For example, what if the person successfully authenticates, but the request originates from an Eastern European country at 3 AM local time?  Or, what if it originates from Italy, whereas the previous login originated from New York three hours ago?  In those cases, it wouldn't be prudent to let these login attempts succeed, even in the face of correct credentials presented to the authentication service.

Both of these situations illustrate the importance of a risk-based approach to authentication that can help identify potential identity theft and attempted fraud.  By creating policies for how "serious" certain aspects of an authentication context might be, you can develop a risk score that helps determine whether the authentication will succeed or not.  Developing these criteria is not always simple, but once you have a general notion of how you rank the authentication context parameters, it will be much easier for the system to recognize possibly fraudulent authentication attempts.

This is, in a nutshell, the purpose of the integration between CA SiteMinder and Arcot RiskFort that was announced last week at RSA.  By introducing a risk analysis and score into each authentication, CA SiteMinder can make a much more informed decision (based on the policies the security group has defined) about whether to allow the authentication or not.  Or, if the risk score exceeds a certain threshold, SiteMinder could force a stronger, advanced level of authentication on the user, thereby increasing the level of assurance that this person is who they claim to be.
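An added illustration, not part of the original post and not the SiteMinder/RiskFort implementation, of how such policies turn the two scenarios above (a 3 AM login from a flagged country, and Italy three hours after New York) into a score and a decision.  The weights, thresholds, the placeholder country code "ZZ" and the 900 km/h travel limit are assumptions chosen for the example:

```python
import math
from dataclasses import dataclass

# Policy table, constructed for this example; a security group would tune it from its own fraud data.
HIGH_RISK_COUNTRIES = {"ZZ"}          # "ZZ" is a placeholder country code
WEIGHTS = {"high_risk_country": 40, "off_hours": 20,
           "impossible_travel": 60, "unknown_device": 15}
STEP_UP_THRESHOLD = 40   # at or above: demand a stronger second factor
DENY_THRESHOLD = 80      # at or above: reject even with correct credentials
MAX_SPEED_KMH = 900.0    # faster than an airliner means the user cannot be there

@dataclass
class LoginContext:
    country: str
    lat: float
    lon: float
    when: float           # Unix time in seconds (UTC)
    local_hour: int       # hour of day in the user's local time zone
    known_device: bool

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def risk_score(current, previous=None):
    """Score a login whose credentials have ALREADY been verified; returns (score, reasons)."""
    score, reasons = 0, []
    if current.country in HIGH_RISK_COUNTRIES:
        score += WEIGHTS["high_risk_country"]; reasons.append("high_risk_country")
    if not 6 <= current.local_hour < 22:
        score += WEIGHTS["off_hours"]; reasons.append("off_hours")
    if not current.known_device:
        score += WEIGHTS["unknown_device"]; reasons.append("unknown_device")
    if previous is not None:
        hours = (current.when - previous.when) / 3600.0
        km = distance_km(previous.lat, previous.lon, current.lat, current.lon)
        # Impossible travel: the distance could not have been covered in the elapsed time.
        if km > 0 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
            score += WEIGHTS["impossible_travel"]; reasons.append("impossible_travel")
    return score, reasons

def decide(score):
    """Map a score onto the policy outcome: allow, step_up or deny."""
    if score >= DENY_THRESHOLD:
        return "deny"
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"
```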

In my discussions with customers here at RSA and in the feedback that I've heard about this announcement, it appears that a risk-based approach to authentication is gaining significant traction as its benefits for fraud prevention become clearer.


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

WikiLeaks – more experts weigh in: Beware the copycat

Published: February 24 2011, 08:27 AM | 2 Comment(s)
by Sumner Blount

I attended a very interesting session while at the RSA Conference.  The session was called "WikiLeaks - The Aftermath," and consisted of a panel of journalists, security experts, and a legal advisor on cyber crime.   They made some very interesting points and opinions about the WikiLeaks situation.

Not surprisingly, there was some disagreement about what should be done about WikiLeaks.  One panel member argued that the breach put U.S. soldiers in direct harm's way, and therefore aggressive cyber attacks were justified.  In fact, this panel member knew The Jester, an anonymous person who has attacked radical Islamic websites, as well as WikiLeaks, based on the same principle of protecting our troops.  Another panel member leaned more towards the openness of the Internet, and felt that such a response was not justified.

Panel members felt that WikiLeaks was a serious problem, but the real problem was the imitators - small websites that have nothing to lose, and need to make a name for themselves by generating publicity at all costs.  Ever since WikiLeaks made leaking sensitive information "sexy," it has spawned a small but potentially very dangerous collection of sites that want to jump on the bandwagon and bask in the publicity that WikiLeaks has created.

WikiLeaks has brought a key ethical dilemma to the forefront.  If a whistleblower at Enron had arranged to have documents posted online that would have highlighted the financial crimes that were ongoing, would you have felt that this was a justified breach of privacy?  What about the breach by WikiLeaks - was that justified?  Where do you draw the line?  Who draws it?  Is it possible to allow some breaches (Enron) but punish others (WikiLeaks)?

A good way to avoid this ethical conundrum is for both companies and governmental agencies to clearly develop better information protection policies and enforcement mechanisms so that they can better protect their confidential information. This will help prevent this debate as each new breach and disclosure occurs.


Compliance in the Cloud – The Discussion Continues

Published: February 22 2011, 04:40 PM | no comments
by Sumner Blount

At the RSA Conference last week I, like others, attended sessions and scouted what the established and new vendors offered on the trade show floor.  As with all RSA conferences, there was good content and fun all week.

I attended a session called "Cloud computing privacy and security - legal, ethical, and regulatory framework."  The panel was comprised of three distinguished lawyers who were specialists in legal issues related to cloud computing.  Judging from the fact that the room was packed, one can conclude that there is a tremendous amount of interest in this area.  It also validates the many surveys that have reported that security and compliance are the primary inhibitors of cloud adoption.

There was much discussion about the privacy of the client's data, especially considering the fact that not only is it often co-located with other clients' data, but in many cases it might be located at data centers in distant locations.  And, the fact that it might reside in a country that is subject to European data privacy laws raises very significant compliance challenges.

All panel members emphasized that despite the complexity of data privacy challenges when using the cloud, ultimate responsibility to maintain customer privacy resides with the owner of that data, not the cloud provider.  This forces the client to ensure that the security controls of the provider meet the requirements for security and compliance of the client, whatever they may be.  This is a very complex problem because transparency of the provider's controls is not always what you would need it to be in order to reach an educated judgment as to their effectiveness.  Cloud systems need to have the same level of governance as on-premises systems do, but the lack of control that is inherent in using the cloud makes this very difficult.

A few other key points that the panel raised, particularly in relation to contractual issues, included:

  • Auditability - the contract must allow the client to force the provider to have an independent audit of their security and compliance controls.  In some cases, the client themselves might want to do the audit.
  • Secure destruction of data - make sure that it is clearly specified in the case of a contract termination.
  • Avoid limited liability provisions (even though the provider will likely push back hard) - if the provider negligently exposes your private information, the reputational damage can be much greater than the actual expenses incurred.  Indemnification often includes a year or so of refunded fees, but in the case of a privacy breach, this is small potatoes.
  • Automate continuous monitoring of processes and controls - essential for ensuring the ongoing effectiveness of security controls at the provider.  "Your controls are only as good as the last time you checked them." 

These are just some of the challenges in developing a contract for cloud services that will help you meet your compliance and governance requirements.  I covered a number of these issues in this mini-book:  http://www.itgovernanceusa.com/product/2125.aspx.


Mobile Advanced Authentication - a Word from RSA Conference

Published: February 16 2011, 11:46 AM | 3 Comment(s)
by Jim Reno

I'm attending the RSA conference in San Francisco this week, a yearly event for me for the past ten years or so.  Walking from my hotel to the conference I always feel self-conscious, because hanging on a lanyard around my neck is this badge holder the size of a paperback, festooned with advertising and ribbons, indicating I'm a Blue Delegate and in the Member's Circle and five other things.  I feel like a kid whose mittens are tied together with a string through his coat, and who has his name stenciled on them in large letters.  Or perhaps like I have the word GEEK tattooed on my forehead.  This isn't good because I became a geek years ago in the pre-internet days before Geek became Chic, and it wasn't pretty.

It occurred to me that the badge holder is essentially a form of authentication.  It's supposed to be the actual badge inside the holder, but it turns out most of the door guards - and at the conference they enforce pretty viciously - are trained to look at the holder, not the badge.  It has to have the right shape and the right word and color stripe across the bottom to get into certain sessions or the show floor.  But in a conference dealing with the latest advances in security, it's a form of authentication that was probably exactly the same as that used at conferences in the 1950s, maybe even long before that.  Plus it's one more thing I have to carry and feel embarrassed about when I'm ordering my latte at the Starbucks on 4th.

Why can't I simply use my mobile phone to generate an authentication token for access to, well, anything?  Especially since that device is always in my pocket - or more likely in my hand - which causes me to walk in front of traffic and trip on carpets.  The fact is - I can use my mobile device for authentication with our mobile authentication application featuring CA ArcotOTP.  CA ArcotOTP is an app for your mobile phone - pretty much any phone, smart or "differently abled" - that you use to generate single-use passcodes.  These passcodes are generated using standard algorithms like OATH or EMV/CAP, and can be validated using the CA Arcot WebFort server, or any standards-compliant OTP (one-time passcode) server.

We think of things like passwords and OTPs as useful for online authentication, like logging into a portal/VPN, or authorizing an online transaction like a purchase or a money transfer.  They go well beyond that, because a lot of things in the world use a simple PIN or password to control access.  Part of the reason these PINs/passwords are a problem is because they don't change.  You've probably been using the same ATM PIN for years.  That gives an attacker a long time to discover it, and once discovered, a long time to use it.  Even if you changed your PIN every month, he'd still have (on average) fifteen days to use it before it changed.  A single-use code avoids this problem because it's only good that one time.  The bad guy can be looking over your shoulder, or reading your mind, or you can just tell him: "Hey, I'm using code 554642 for this transaction", and it doesn't do him any good, because 554642 is never, ever going to be valid again.

So CA ArcotOTP gives me a two-factor authentication token that's flexible, easy to use and best of all is based on something I already have in my pocket - my mobile device.  Ah, you say:  I'll just steal your phone and break into the app.  Sorry, but the underlying keys CA ArcotOTP uses to generate the passcodes are protected with our Cryptographic Camouflage technology: getting them does the attacker no good.

I think about all the places in my life - both virtual and physical worlds - where I use some kind of authentication technology to access something, and I wonder how something like the CA ArcotOTP technology could make them easier, or help me carry around less stuff.  Why do I still have house and car keys? My phone and car already talk to each other using Bluetooth; I should be able to generate a single-use code on my phone and open the car.  Or open a door.  Or log onto a VPN.  Or buy that latte.


By: Jim Reno
Jim Reno is Chief Security Architect at CA Technologies. He joined the company with the Arcot acquisition which was completed in October 2010. Jim is one of the inventors of the 3-D Secure protocol used in the Verified by Visa and MasterCard SecureCode programs and he holds multiple patents in the area...

CA SiteMinder Now an SAP Endorsed Business Solution

Published: February 16 2011, 09:27 AM | no comments
by Sumner Blount

RSA is in full swing this week, with lots of great sessions, free T-shirts and other goodies, and some good parties.  But, among all the excitement and chaos, there are occasionally some company announcements.

CA Technologies today announced that our flagship Web access management product, CA SiteMinder, has been chosen by SAP to be an Endorsed Business Solution (EBS).  SAP selects a very limited number of endorsed solutions as part of its EBS initiative, and this selection is based on extensive functionality and integration testing, as well as SAP customer feedback. 

CA SiteMinder can centrally manage access management policies as well as provide single sign-on across all Web applications and portals, including SAP.

This endorsement is an exciting step in furthering the partnership that CA Technologies and SAP have established around certain product areas.  We are very excited to align with a leader in business applications.

