CA Community

December 2011 - Posts

What I learned at the 12th International Common Criteria Conference (Part 2)

Published: December 20 2011, 08:35 AM | no comments
by Joshua Brickman

In October, I wrote about the issue that the "Common" in Common Criteria is at risk of disintegrating, which was the first of two main themes from the International Common Criteria Conference (ICCC), in Kuala Lumpur, Malaysia. As promised, in this post, I cover the second main theme: supply chain integrity. 

This year I introduced the rather small Common Criteria (CC) community to the Open Trusted Technology Forum (o-TTF).  I wrote about this last January and also participated in a podcast this summer. The unwritten theme of the ICCC was supply chain integrity, with formal sessions and many informal discussions on the topic over the course of the event. There were proposals around how to add assurance classes to the CC or use the "site certification" program created by the Smart card community.

As I mentioned, I focused on the o-TTF, which has brought together many of the top ICT thought leaders to address supply chain integrity and to develop best practices that companies should follow to minimize risks in this area. The Common Criteria is about product evaluations providing "assurance." I don't believe that supply chain can be evaluated on a product basis and there is consensus on this principle within the o-TTF. Supply chain integrity can only be determined with a "process evaluation," not a "product evaluation." When the o-TTF is released, the accreditation program will allow companies to evaluate overall processes and won't force a "product-by-product" evaluation.

Many industry insiders are afraid of adding an accreditation program, but if we limit o-TTF's scope to the process of "Source-Make-Deliver" and all that's in between (including end of life/scrap), there is something very relevant and reasonable that could come of our work.

The o-TTF is already demonstrating how competitors can cooperate to put together something meaningful. The team is working on a snapshot release of the specification with a focus on the risks of tainted and counterfeit products.  That snapshot should be available in the coming weeks, and after that, we'll be focused on conformance criteria and the accreditation program itself. 

One additional thought about adding supply chain to the CC. There have been other groups looking into similar approaches, but these are focused on changes to the Common Criteria. Let's face it, though, expecting anything to happen quickly within the CC is a tall order. Any changes require a vote involving the 26 member nations, and this process takes time. Instead, the o-TTF is well on its way to releasing a real standard with value, and the best way to ensure that it fills the gap is to support this effort. Common Criteria has plenty on its plate. Trying to add new Assurance Classes, methodologies or programs won't help the industry, and certainly won't scale.


By: Joshua Brickman
Joshua Brickman, project management professional, runs CA’s Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last five years (in both the U.S. and Canada). Brickman has given talks at the last four International...

CoIT part 2: Security of Mobile Users - Does it Differ from Security for non-Mobile?

Published: December 13 2011, 03:35 PM | no comments
by Sumner Blount

A few months ago, I posted a blog on Consumerization of IT (here) where I explored some of the causes and impacts of this important trend (wow....has it really been that long since I last blogged?  What have you been doing all this time, Sumner?).  I mentioned in that blog that there would be a follow-up blog on some of the security implications relating to CoIT.  Well, here is that blog.

It seems to me that the use of mobile devices to access enterprise resources has one important difference from the normal case of access through standard work laptop devices.  Namely, you need some form of controls on the device itself to protect your information and to help prevent fraud.  This is driven by two obvious facts relating to mobile users.  First, you (the IT organization) can't always dictate the configuration of the device.  Second, once your user accesses corporate information, it physically resides on their personal device.  There is clearly a similar risk even when a work-issued laptop is used, but at least you have much more control over the configuration and ultimate disposition of that device.

Controls on the device are often hard to enforce simply because these may have been purchased by the employee for their own personal use. But, most consumer devices now come with some reasonably standard controls related to the security of the device and its contents.  Common controls include:

  • Encryption of the data on the device
  • User authentication (strong passwords, inactivity time-outs, maximum failed login attempts, etc.)
  • Device wipe
  • Device management to configure device security, and to push policy to the device
  • Application certification - most device vendors require formalized testing and certification of applications to minimize malware potential
  • Anti-malware products

These controls help to require more than mere physical possession of the device in order to gain access to sensitive data.  This is why attackers generally don't target the individual device because in most cases it won't provide access to information that could be used for financial gain.  They are more likely to attempt to attack central IT systems and information, since this is where the true financial benefit resides. 

In short, security of the device is a tractable problem because today's devices come with some security controls already on the device, and additional security is available from a large number of vendors eager for your business. 

But, the more important and difficult challenge is securing access (by the user of the device) to critical applications and information, as well as the use of information after it has been accessed.  Protection of your information from mobile users requires a layered approach to security, and requires controls on your user identities (and their access rights), enforcement of your access policies, and controls over how information is used once it has been accessed.  The following graphic illustrates conceptually how these controls help protect your resources, regardless of the type of user, or the method they use to access your resources. 

This model says, in effect, that other than controls on the device itself (described above), access from mobile devices requires essentially the same controls as any access method requires.  I believe that some areas of controls are particularly important for mobile users - for example, strong authentication and fraud detection.  But, a strong security infrastructure of controls relating to identities, access, and information use should also be sufficient to help ensure security from your mobile users.

I will reserve Part 3 of this topic for a short discussion of some issues relating to authentication of mobile users, and hopefully, it won't take as long as Part 2 did.

Do you agree with this model?  Would you argue that security of mobile users poses vastly different challenges than does security for all users?

For more information on consumer driven IT, please see www.ca.com/cdit.


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Need to Manage the Identities for an Entire Country or Small City? There’s an App for That!

Published: December 06 2011, 08:55 AM | no comments
by Merritt Maxim

Traditionally, identity management solutions were deployed internally to support employees and other third party users like partners.  These identity management solutions (from multiple vendors) are currently in use in organizations of all sizes across all vertical markets around the world, generally dealing with user populations in the thousands.  But in today's increasingly interconnected IT environment, organizations may now need to manage identities of millions of users and support those users throughout the entire identity lifecycle.

During CA World, I attended a session that discussed recent testing that the CA IAM team undertook with Accenture to verify the ability of CA Identity Manager to scale to support millions of users for use cases such as:

  • A government agency allows citizens to self-identify and register for access to external facing applications. Potentially millions of citizens may need to register for a specific event, online notification or government-to-citizen account.
  • A company selling goods and services over the internet needs to securely capture and manage their customer information for real-time purchasing, enable faster checkout processing and simplify opportunities for repeat business. Usage may be cyclical and highly dependent on specific events, days and times that can cause a spike in user activity.
  • Consumer products and retail establishments that need to securely capture and track customer responses to a global promotion. New user registrations will cause an increase in normal volume as the promotion is rolled out to different regions.

The test scenarios verified the ability of the CA Identity Manager architecture to withstand the high volume of users and virtual transactions without major failures or degradation of backend processing.

A white paper has been published discussing the tests and the findings. You can find it here. You also can access CA World 2011 sessions and keynotes here.

This work further demonstrates the maturation of identity management technology and indicates that identity management can support these types of high volume B2C use cases, giving organizations confidence that existing employee-centric identity management implementations can support the high scalability requirements of tomorrow's IT infrastructure.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

CA World 2011: What Happens in Vegas at CA World Shows Up on this Blog

Published: December 05 2011, 11:39 AM | no comments
by Merritt Maxim

This blog would not be complete without a recap of our recently concluded CA World.  And even though several weeks and the Thanksgiving holiday have passed since we wound down CA World, several impressions are still fresh in my mind.  I spent most of my time at CA World in customer meetings or on the show floor and found the dialogue and interest in our current Content-Aware IAM solutions as well as our newly announced CA CloudMinder suite of Cloud IAM services to be significant.

So in keeping with our internal slogan, "What happens in Vegas at CA World is Shared with the World," here are my thoughts on key customer feedback I received at CA World.

  • Do more with what we have - This was a very consistent theme among customers I talked to and probably a reflection of the ongoing budgetary pressures facing IT organizations. Many of my CA World conversations focused on how our customers could either: Further optimize their existing CA IAM deployments OR extend the existing IAM deployments to cover new use cases, constituencies or business initiatives. These comments reflected today's budgetary realities but also demonstrated that organizations still see IAM as a critical enabler and foundation for helping organizations grow. This was a very refreshing viewpoint and indicates that predictions about certain IAM technologies becoming obsolete may be misguided.
  • Scale matters - Scalability is one of those "abilities" (like manageability, serviceability, reliability) that is so widely used that it is often ignored. But the release of our 100 million test project for CA Identity Manager and the CA World session that discussed the results indicated that scalability does matter when it comes to IAM, especially as organizations look more and more to the web for interfacing with customers and suddenly have to contend with increasingly larger numbers of users. More on this in tomorrow's blog.
  • Cloud is real - The announcement of our IdentityMinder as-a-Service and FedMinder as-a-Service cloud solutions (as well as other CA cloud-related announcements) generated a lot of enthusiasm among all CA World attendees. And unlike some previous technology trends that I have been involved with, customers were not immediately dismissive of cloud, but rather were very interested in seeing how the cloud could help their business now or in the immediate future. This was just another positive affirmation on the importance of cloud, our strategy and the CA CloudMinder portfolio.

All in all, it was a very productive show and great to interact with so many CA customers and partners and gain perspective on where the IAM industry is headed.  And now that CA World has been put to bed, it is time to start prepping for the next conference - the RSA Conference that starts at the end of February 2012!


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...
