CA Community






October 2011 - Posts

School Buses and IAM Cloud Services

Published: October 20 2011, 08:48 AM | no comments
by Merritt Maxim

Faithful readers of my blog posts know my posts generally include at least one of the following three items:

  1. Pop culture reference
  2. Pop music or movie reference
  3. An analogy

Today's post is clearly centered on item #3, even though I am tempted to work something around my issues with the latest Rock n' Roll Hall of Fame nominations (glad to see the artists behind "Paid in Full" being nominated).

As a suburban parent with older children, each September we are faced with deciding whether to pay the additional fee for our children to be able to take the public school bus to/from school every day. With rising fuel costs and declining enrollments, more and more towns are unfortunately having to resort to these fees, especially for middle school aged students and older.

In our household, we determined that we needed bus service for our children, but only for rides home from school on 1-2 days per week. Given our limited use requirements, we naturally asked whether some pro-rated or reduced fee was available to light bus users like us. Unfortunately, the system is structured so that you have to pay the full fee even if your child only plans to use the bus for a limited number of days.

This incident reinforced for me why many of our customers are interested in using IAM as a cloud service. While these organizations are definitely attracted to the technical benefits of cloud (don't have to manage and deploy infrastructure), they are also attracted to the usage pricing aspect. Many organizations have invested millions to deploy full-blown user provisioning, but sometimes are prevented from deploying all aspects of user provisioning, whether in terms of the number of apps involved, the number of users, or more advanced functionality. This is not necessarily a fault of the Identity Management software, but is more a reflection of what happens in many large scale enterprise computing projects that are waylaid by technical, financial or organizational limitations.

With the cloud-per-user-per-month pricing model, organizations can better model their user provisioning requirements. Only want to provision to two or three web apps? No problem. Just want it for user self-service like forgotten password? Done. Only interested in provisioning for your field organization? Sure.

So unlike the every-citizen-pays-the-same-regardless-of-usage model I encountered with school buses, the cloud model actually gives organizations the flexibility to tip-toe into provisioning with a large deployment and then scale that up as time and budget allow. In this way, cloud IAM services offer organizations some real benefits and opportunities.

School bus image used under Creative Commons License courtesy of indegino314.

By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

What I learned at the 12th International Common Criteria Conference (Part 1)

Published: October 18 2011, 02:42 PM | 1 Comment(s)
by Joshua Brickman

I had the pleasure of recently presenting at the International Common Criteria Conference (ICCC) in Kuala Lumpur, Malaysia. This was the fifth ICCC that I have attended and the fourth consecutive one at which I was honored to present a paper. There are two main themes that I took away from the conference:

  • The "Common" in Common Criteria is at risk of disintegrating
  • No one agrees on what Supply Chain integrity means and how it applies (or not) to the Common Criteria. 

In today's blog I will discuss the first item; I'll talk about Supply Chain in Part 2.

When I say that the "Common" in Common Criteria is at risk of disintegrating, what do I mean? Common Criteria currently uses Evaluation Assurance Levels (EALs) to provide a structure that has been adopted worldwide as a way of measuring depth of testing and security assurance. There are seven EALs. The higher the EAL, the greater the depth and breadth of testing and documentation required, adding significant time and cost to the evaluation. EALs generalize assurance activities without recognizing that different technologies may require different methods of validation. At the ICCC, we heard that EALs are a fundamental element in the CC and to remove EALs would require a unanimous vote by all 26 countries in the Common Criteria Recognition Arrangement (CCRA). So the US is pushing to remove Evaluation Assurance Levels (EALs) from the Common Criteria via National policies vs. cracking open the CC and revising it. The US is driving its agenda to put all of the assurance requirements in the protection profiles being written by its technical communities. Many of the other countries believe in the science of EALs and utilize them for important technologies like Smart Cards and Multi-function devices. National policies run the risk of fracturing the CC and potentially requiring vendors to evaluate their products more than once. Without EALs there is no mutual recognition - no "common" in Common Criteria.

I have written previously about the flaws in the CC, including the issue that the CC doesn't really provide assurance that a product is safe or secure. However, this is a case where "The Devil you know is better than the one you don't know" applies. Since the CC does require products to go through a rigorous exercise of documentation and testing, the results of these evaluations are "recognized" in 26 countries. The CCRA allows vendors like CA Technologies to evaluate a product once and sell it globally. This "mutual recognition" treaty is the critical element to what makes the CC so invaluable, but it only works if national policies don't break the fundamentals of the Common Criteria.

So while this balancing act of mutual recognition risks fracture, the Common Criteria Development Board (CCDB), led by David Martin from The National Technical Authority for Information Assurance in the UK (CESG), is pushing its agenda of Collaborative Protection Profiles (CPP). The group even wrote to the Common Criteria Vendors Forum and Common Criteria Forum and asked, among other things, for recommendations on best approaches for "...Collaborating with CCDB members on the production of a 'how to' paper describing the best approaches to the formation and running of a technical community." Having led a Technical Community for the last 2.5 years with the Enterprise Security Management Protection Profile Project (ESM PP), we certainly plan on contributing to that project, but right now it is not even clear that the ESM PP work will be recognized by the CCRA as a legitimate technical community.

What is clear is that the Common Criteria will not be revised anytime soon, and the "ask" that I mentioned above for the CC community has placed the burden of revising or fixing the CC via technical communities on what David Martin called "coopetition" (a play on cooperate and compete).  The CC has it right that industry can and should help to evolve the standard, but the lack of overall "coopetition" cannot be ignored - let's fix this together! 

By: Joshua Brickman
Joshua Brickman, project management professional, runs CA’s Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last five years (in both the U.S. and Canada). Brickman has given talks at the last four International...

Protecting Sensitive Information within Microsoft SharePoint – Take a Lifecycle Approach

Published: October 17 2011, 11:35 AM | no comments
by Tyson Whitten

The recently sold out Microsoft SharePoint Conference 2011 is a reminder of the software's popularity and continued growth. As I speak with customers concerning current and upcoming IT and security projects, it's extremely rare that the topic of SharePoint does not make its way into the conversation. It's an opportunity to discuss the risks SharePoint can introduce to corporate information assets if the proper processes and controls are not implemented.

As collaboration software goes, SharePoint is extremely easy to install and configure. You're just as likely to see Marketing or Engineering managing their instance of SharePoint as you are to see IT. The result - pockets of instances are up and running across the organization with limited oversight or process to control sensitive corporate assets. The ease with which SharePoint is deployed and information is shared also makes it easy for sensitive information to be exposed and potentially compromised. Innovative designs, trade secrets, customer data and executive statements are just examples of sensitive information that could be accessed by unintended employees, contractors or partners.

If businesses wish to mitigate the security challenge that unstructured SharePoint information presents, they should approach it from an information lifecycle angle. Since information naturally follows a lifecycle, organizations often define processes to effectively manage versioning and retention of SharePoint information - from creation through disposal. This lifecycle also can be used as a foundation to protect and control information through its five phases.

Five Lifecycle Phases to Securing SharePoint Information

Creation, storage, revision, distribution and disposal are common information lifecycle phases that can be applied to the protection and control of sensitive corporate information. Here are tips on how to leverage these phases when defining processes and implementing technologies to control sensitive information within SharePoint.

  • Creation - As soon as information is created, whether it is in text or graphical form, it needs to be controlled at its source. Controlling what information is acceptable for SharePoint collaboration is of significant importance and should be actively enforced prior to and during the active posting process to SharePoint. If sensitive intellectual property should not be uploaded to SharePoint, any attempt to do so should be denied.
  • Storage - If sensitive information is within policy to be posted to SharePoint it needs to be reviewed on a recurring basis to ensure it is stored in a location that is appropriate based on its sensitivity. If the location or container doesn't meet the security requirements of the information, it should be quarantined or moved to a safe location.
  • Revision - Information that may not have started out as sensitive quickly can become sensitive following collaborative revisions. For this reason, access rights must be assessed regularly. Access should be granted based on content and role of the individual. If the classification is not appropriate for viewing or editing by a certain individual, access should be restricted to mitigate this insider threat.
  • Distribution - Once a group of users has finished working on a centralized piece of content, the final deliverable is ready for distribution. At this stage of the lifecycle, content still must be adequately controlled. Content should only be distributed to recipients who have appropriate roles and entitlements. In order to adequately control distribution, organizations should actively monitor content, identity and mode of communication to prevent the accidental, negligent or malicious distribution of sensitive information to the wrong parties.
  • Disposal - The final step is disposal. Sensitive information not meant for storage and collaboration within SharePoint should immediately be removed. Organizations should remove content stored within SharePoint environments that could significantly impact the business if the risk of the wrong individuals accessing the content is too high.

Businesses able to properly define processes and implement controls that actively monitor the storage of structured and unstructured data throughout the SharePoint information lifecycle will significantly reduce the risk of information compromise while enabling necessary business collaboration.

Share image used under Creative Commons License courtesy of Niklas Wikstrom.

By: Tyson Whitten
Tyson Whitten is a CISSP with 10+ years of information security experience managing application, network and risk based products and services. In his current role he has product responsibility for CA DLP within CA Technologies Security Customer Solutions Unit. Prior to CA Technologies, Tyson held...

There Ain’t No Such Thing as a Free Abstraction Layer

Published: October 11 2011, 11:28 AM | no comments
by Russell Miller

Abstraction is a great thing. It's what allows us to build on previously-created tools and not start from scratch every time we perform a task on a computer. Most of us do not realize the many layers of abstraction we're sitting on top of when we do something as simple as reading this blog post. A typical presentation of computing abstraction layers looks something like this:

  • Operating System
  • Kernel
  • Assembler
  • Firmware
  • Hardware

Each layer provides an interface that makes things easier for users or the layer above it, along with delivering power and speed. Furthermore, the higher an abstraction layer is, the more important security becomes.

Virtualization is no different. Instead of making a change to many servers one-by-one, a virtual administrator can simply make one sweeping change and apply it to several machines at once. Where installing or deleting operating systems on physical machines used to take time, in a virtual environment, both can be accomplished almost instantly. With this kind of power and flexibility, it is no wonder that virtualization has taken off.

In a famous cartoon it was once said: "With great power comes great responsibility." While this might be true, security best-practices and emerging compliance requirements are not satisfied by trusting administrators to be responsible. Tools are required to protect against the damage, whether malicious or accidental, that can be caused by virtualization administrators. Fortunately, new tools are emerging that make virtualization security simple by bringing best-in-class identity and access management tools to virtual environments.

There are generally two types of companies when it comes to virtualization: those that virtualize critical production systems without thinking thoroughly and critically about security and those that are not yet fully virtualizing due to security concerns. With the tools available today, there is no need to be in either camp.

By: Russell Miller
Russell Miller has spent over five years in network security in various roles from ethical hacking to solutions marketing. He currently manages marketing activities for the CA ControlMinder products. Russell has a B.A. in Computer Science from Middlebury College and an M.B.A. from the MIT Sloan School...