CA Community
June 2011 - Posts

Livin’ in a Mobile Software World

Published: June 16 2011, 03:03 PM | no comments
by Merritt Maxim

So how does this play on the title of a great 1989 Neil Young song have relevance to computer software and IT security?

The continuing news about the attack against RSA Security is still generating interest and articles.  The continuing discourse on what may or may not have happened, and on how to mitigate that threat vector, is all good, since it raises awareness that helps prevent future attacks.  But this discourse is also missing something.

Even if RSA had not been attacked, the reality in 2011 is that a single-function proprietary hardware authentication token is an anachronism in today's modern distributed mobile IT environment.

The two-factor authentication market emerged in the days of remote dial-up access. It is hard to believe now that this is how we accessed networks, but in the 1990s dial-up was the norm, not the exception.  In the dial-up model, hardware tokens were an excellent choice: the one-time code is read off the device and typed in, so it consumes none of the scarce bandwidth and adds no round trips to an already slow link.  This was before smart phones and iPods, so users did not mind carrying a separate hardware token.

Fast forward to today's mobile, distributed world and hardware tokens are just not practical - who wants to carry a token around with them alongside their smart phone, iPad and laptop?

This brings me back to my blog title.  If you look at how the IT industry has evolved over the decades, proprietary closed hardware-centric architectures generally lose out over time to open software-centric architectures.  This explains the rise of companies like Microsoft and Google and the demise of others like Digital Equipment.

Irrespective of the recent RSA attack, organizations should start assessing whether single-function hardware tokens still make sense, not just from a security standpoint but in terms of what is more convenient for end users. An open, software-based authentication solution that can run on existing mobile platforms is a compelling alternative to hardware tokens.  And while hardware tokens used to tout their "zero footprint" deployment model, deploying software in distributed environments is something that has improved dramatically in the last decade.

If software-based authentication solutions offer comparable security and are easier to use, why not go the software route vs. staying with the dial-up days of hardware tokens?

By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

Addressing the Identity-Unaware Internet – EEMA’s European Identity Management Conference

Published: June 14 2011, 10:41 AM | no comments
by Matthew Gardiner

I recently attended the EEMA European Identity Management conference that took place in Tallinn, Estonia.  A key topic that carried on throughout the two-day conference was the continued penetration and evolution of government operated eID systems for citizens.  While these systems for the most part are focused on easing access to government applications, they also help crystallize what the future of Internet identity could look like.  The discussions stretched into the possibility of how these programs could be extended to address how identity is managed and controlled on the Internet as a whole.  

We also heard presentations from our Estonian hosts on their widely adopted card-based eID program (more than one million cards for approximately 1.4 million Estonians) as well as on the new German card-based eID program, which is in its first year of operation.  One impressive statistic for the Estonian program is that it enabled nearly 25 percent of votes to be cast online in the most recent parliamentary elections. 

In addition, there were sessions on two more futuristic government programs, NSTIC from the United States and SSEDIC from Europe, that are looking to deliver on the bigger mission of improving how identity is created and consumed on the Internet, at Internet scale, for much more than just government applications. In my session I compared and contrasted government eID initiatives in general, and then analyzed three in particular, namely Germany, New Zealand, and the US.  You can see my conclusions near the end of that deck.

It is clear the industry is on the threshold of restructuring how identities are managed and consumed on the Internet and that this will significantly address the usability and security problems that seem so intertwined with the current identity-unaware Internet.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

Obey me for I am root

Published: June 01 2011, 05:59 AM | no comments
by Tim Dunn

I admit to being a bit of a geek. I tick almost all the boxes: I like to know about the latest gadgets, and I enjoy superhero films and "cool" t-shirts with witty one-liners on them.

It was as I walked my daughter around a trendy market in London last summer that I saw a T-shirt with the rather esoteric slogan, "Obey me for I am Root!"

As I'm in the IT industry, it made me smile. While returning home on the train, I started reflecting on the implications of that slogan, and the following points occurred to me:

  •  Root access to systems, or administrator account privileges, really can be that powerful.
  •  Some people with those privileges may well share the attitude of the t-shirt's slogan, and the issue is recognised enough to have filtered into mainstream consciousness.
  •  Interestingly, while the public (albeit a niche community) may have visibility of the problem, many top companies don't take privileged user management seriously enough, or even acknowledge the threat.

It is ironic that one of the biggest areas for IT security vulnerabilities in a company is often where the worst security practices are employed. For example:

  •  Access privileges that are seldom reviewed or revoked
  •  Frequent and inappropriate use of "break glass" accounts
  •  No monitoring or enforcement of system access
  •  Poorly defined administrator roles, their required privileges, and segregation of duties
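As an added example, not from the original post and not a CA product, here is the minimum check a team could run against the four weaknesses just listed: an entitlement review that flags privileged grants nobody has re-approved recently, and a pass over authentication logs that surfaces direct root logins, any use of a break-glass account, and sudo escalations straight into an interactive root shell. The log lines, the grant records, the 90-day review threshold and the account name `breakglass` are all constructed for the example.

```python
import re
from datetime import date

# Constructed sample of sshd and sudo syslog lines (not real data).
SAMPLE_LOG = """\
Jun  1 05:59:01 host1 sshd[1201]: Accepted publickey for root from 10.0.0.5 port 51122 ssh2
Jun  1 06:02:14 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jun  1 06:10:40 host1 sshd[1310]: Accepted password for breakglass from 10.0.0.9 port 50022 ssh2
Jun  1 06:11:02 host1 sudo: breakglass : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Jun  1 06:30:15 host1 sshd[1402]: Accepted publickey for carol from 10.0.0.7 port 50123 ssh2
"""

# Constructed privilege register: who holds what, and when it was last re-approved.
SAMPLE_GRANTS = [
    {"user": "alice", "privilege": "sudo:ALL", "last_reviewed": date(2011, 5, 10)},
    {"user": "bob", "privilege": "sudo:ALL", "last_reviewed": date(2010, 9, 1)},
    {"user": "breakglass", "privilege": "root-equivalent", "last_reviewed": date(2010, 1, 15)},
]

BREAK_GLASS_ACCOUNTS = {"breakglass"}          # assumed naming convention
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash"}

SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")


def review_log(log_text: str) -> dict:
    """Return the log lines that should be looked at by a human, grouped by why."""
    findings = {"direct_root_login": [], "break_glass_activity": [],
                "interactive_root_shell": []}
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            _method, user, _src = m.groups()
            if user == "root":                       # nobody should log in as root directly
                findings["direct_root_login"].append(line)
            if user in BREAK_GLASS_ACCOUNTS:         # every break-glass use needs a ticket
                findings["break_glass_activity"].append(line)
            continue
        m = SUDO_RE.search(line)
        if m:
            invoker, target, command = m.groups()
            if invoker in BREAK_GLASS_ACCOUNTS:
                findings["break_glass_activity"].append(line)
            # An unrestricted root shell defeats per-command sudo logging.
            if target == "root" and command.split()[0] in SHELLS:
                findings["interactive_root_shell"].append(line)
    return findings


def stale_grants(grants: list, as_of: date, max_age_days: int = 90) -> list:
    """Grants whose last review is older than the policy allows; candidates for revocation."""
    return [g for g in grants if (as_of - g["last_reviewed"]).days > max_age_days]


if __name__ == "__main__":
    for reason, lines in review_log(SAMPLE_LOG).items():
        print(f"{reason}: {len(lines)} event(s)")
    for g in stale_grants(SAMPLE_GRANTS, date(2011, 6, 1)):
        print(f"stale grant: {g['user']} {g['privilege']} last reviewed {g['last_reviewed']}")
```

On the constructed data this flags the root SSH login, both break-glass events, the `sudo /bin/bash` shell, and two grants nobody has re-approved in over 90 days. In a real environment the same logic would read from the central log collector and the identity system rather than from inline strings.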

The reason this topic is racing back up the priority list of many CIOs is twofold:

1) Using cloud providers for key business applications is highlighting the lack of transparency on how data and system access is controlled.

2) Many business regulations and standards do not explicitly cover this area, and auditors will often target it as a typical area of weakness.

The problem isn't due to a lack of technology solutions, or defined best practices. The issue is complacency or ignorance of the threat. Luckily those two stumbling blocks are the easiest to address.



By: Tim Dunn
Tim Dunn has spent 13 of his 23-year career in Enterprise software focused on the security market in EMEA. Tim is currently responsible for the strategy and go to market approach for CA Technologies security solutions, ensuring that CA continually evolves technologies which meet customer requirements...