CA Community

February 2012 - Posts

A Balanced Approach to Business Enablement and Information Protection for SharePoint

Published: February 27 2012, 02:30 PM | no comments
by Tyson Whitten

Businesses are often caught in an unsatisfying trade-off between enabling employees to work more efficiently and protecting sensitive organizational information. It is the constant balancing of broad versus restrictive information access policies. On one hand, business processes run freely but sensitive information is exposed; on the other, information is protected but business is inhibited or simply cannot get done.

This problem is common across all corners of the enterprise, but it is pervasive when it comes to the SharePoint-centric organization. With SharePoint the issue of "balance" is front and center given its wide deployment, high user adoption and constant sharing of sensitive information.

SharePoint business process efficiency often comes with risky tradeoffs, especially as more users collaborate. As more users are granted access to SharePoint, more sensitive information is accessed and exposed, often without the knowledge of information owners and site administrators. Even with good architecture designs, permission schemes and data management processes, sensitive information often finds its way into unintended locations as a byproduct of collaboration. The result: sensitive information exposed to employees, partners and customers. So as business efficiency improves, sensitive data is exposed, increasing the overall risk to the business.

Businesses need a solution that provides the best of both worlds - a balance of enablement and protection. CA Technologies can help meet these objectives through today's announcement of its SharePoint Security Solution. The SharePoint Security Solution from CA Technologies enables the business to:

  • Efficiently and conveniently connect users to SharePoint resources;
  • Protect sensitive information through fine-grained content-aware access management; and
  • Reduce risk by controlling information throughout the entire SharePoint information lifecycle.

The key to delivering this capability is to take identity and access management to the next level and make it content-aware. CA Technologies is continuing to execute its content-aware IAM vision and has applied it to SharePoint through the integration of CA DataMinder with CA SiteMinder. CA DataMinder extends its content classification capabilities to CA SiteMinder policies and access control. As users attempt to access files within SharePoint, access is no longer granted purely at the container level (site, library or folder). Instead, content classification is brought into the decision. So as data changes and becomes sensitive, CA SiteMinder access controls adjust dynamically based on the sensitivity of the content and on the user attempting to access it. No longer are policies too broad or too restrictive.

The result is the right user gaining the right access to the right content enabling businesses to be more productive while also being more secure. This is a balanced approach that supports the business while also supporting the demand for security.
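To make the content-aware idea concrete, here is an added Python example that is not part of the original post and is not CA's code. It pairs a toy content classifier (a document is labelled "restricted" when it contains a Luhn-valid card number) with two access decisions: the classic container-level ACL, where library membership grants every file, and a content-aware decision that classifies the file on each access and requires the user's clearance to meet the label. The file paths, file contents, user attributes and clearance levels are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample "library": two files in one SharePoint document library.
# The contents are made up for this example.
DOCS = {
    "/sites/sales/Shared Documents/forecast.txt":
        "Q3 pipeline: 42 opportunities, weighted value 1.2M",
    "/sites/sales/Shared Documents/call-notes.txt":
        "Customer read out card 4111 1111 1111 1111, exp 09/14, over the phone",
}

# Sensitivity labels in increasing order; a user needs clearance >= label.
LEVEL = {"public": 0, "internal": 1, "restricted": 2}

# Candidate primary account numbers: 13-16 digits, optionally space/dash separated.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Content classifier: 'restricted' if a Luhn-valid card number is present, else 'internal'."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return "restricted"
    return "internal"


@dataclass(frozen=True)
class User:
    name: str
    clearance: str      # "public", "internal" or "restricted"
    site_member: bool   # granted access to the library by the site administrator


def container_level_decision(user: User, path: str) -> bool:
    """Classic container ACL: library membership grants every file in the library."""
    return user.site_member


def content_aware_decision(user: User, path: str, docs=DOCS):
    """Classify the file on each access and require clearance >= content label."""
    label = classify(docs[path])
    allowed = user.site_member and LEVEL[user.clearance] >= LEVEL[label]
    return allowed, label


if __name__ == "__main__":
    alice = User("alice", clearance="internal", site_member=True)
    for path in DOCS:
        print(path, "container:", container_level_decision(alice, path),
              "content-aware:", content_aware_decision(alice, path))
```

Because the label is computed from the content at decision time, appending a card number to forecast.txt flips alice's answer from allowed to denied with no change to the ACL, which is the "as data changes and becomes sensitive" behaviour described above. A production classifier would of course use far richer detectors than one regular expression.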


By: Tyson Whitten
Tyson Whitten is a CISSP with 10+ years of information security experience managing application, network and risk based products and services. In his current role he has product responsibility for CA DLP within CA Technologies Security Customer Solutions Unit. Prior to CA Technologies, Tyson held...

And now a word about Accessibility

Published: February 22 2012, 02:10 PM | 2 Comment(s)
by Joshua Brickman

At the upcoming RSA Conference I'll be presenting an Expert Talk at the CA Technologies Booth #1630 on our Accessibility Program.  Now Accessibility has very little to do with Security, and yet our Security Products are raising the bar in this area.  In today's blog let me explain why Accessibility is important to CA Technologies, and clear up some misconceptions as well.

First let's clear up some definitions:  Accessibility very simply means that people with disabilities can use a given product/ application.  More specifically, accessibility means that people with disabilities can perceive, understand, navigate, and interact with a product, and that they can contribute to it.  Accessibility also benefits others, including older people with changing abilities due to aging, and provides usability benefits for all, such as easy keyboard navigation.

CA Technologies Accessibility Program goal is to go beyond legal requirements and encourage the creation of efficient, easy-to-use solutions for all users.  We want to be a recognized industry leader in advancing the cause of universal access.  Wait a minute...did I say legal requirements?  Yes there are U.S. laws that have impacted our strategy.  Let's discuss them now.

  1. Section 508 of the U.S. Rehabilitation Act, as amended by the Workforce Investment Act of 1998, requires all U.S. government agencies to "ensure that ... people with disabilities ... have access to and use of information and data that is comparable to the access of those without disabilities."  This means that whenever we sell software to the U.S. government they want to know that all Federal employees can use our products.  We prove this access by providing VPATs (Voluntary Product Accessibility Template).  With VPATs vendors "voluntarily" state 508-compliance.  VPATs are actually required despite the "voluntary" title.  We need VPATs for every product released.
  2. The Americans with Disabilities Act (ADA) is often confused with Section 508 but currently addresses more physical issues, like the requirements for wheelchair ramps.  However, the ADA is also undergoing a revision to adopt many of the items in Section 508.  When the ADA came out, the internet was not as widely used.  Now if you want to apply for a job, or buy many products, often the only way to do it is via technology like computers or mobile devices.  When and if the ADA changes being proposed go into effect (and this would require an act of Congress), the impact will be that enforcement will no longer be limited to Federal employees and customers, but will also reach commercial entities that have websites, e-commerce systems, etc.

Accessibility is not only a U.S. issue.  The Web Accessibility Initiative (WAI), established by the World Wide Web Consortium (W3C), has developed standards that are more specific than the current version of Section 508.  It is focused on web accessibility and provides a vast array of resources for technology including guidelines, tools, education and outreach, and research/development.  The WAI developed the Web Content Accessibility Guidelines (WCAG 2.0), and these are now the standard that Europe and Canada require when we sell software not only to governments but to a growing number of commercial entities, including financial services firms.

In the U.S., accessibility is binary; either you are or you are not.  However when a product is 508-compliant the agency MUST give priority to that product.  Demand for vendor-furnished software products by the U.S. government will increase from $6.5B in 2010 to $8.4B in 2015 (according to INPUT's Federal Software Products Market research) at a compound annual growth rate (CAGR) of 5.2 percent.  The software addressable market in Europe is $1.7B.  So it also makes business sense to be accessible.

CA Technologies security products are all aiming for 508-compliance.  With each release, these products have improved their position, but it's a marathon, not a sprint, and we will go the distance.


By: Joshua Brickman
Joshua Brickman, project management professional, runs CA’s Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last five years (in both the U.S. and Canada). Brickman has given talks at the last four International...

Thank you CNN for some Pre-RSA PR

Published: February 16 2012, 11:11 AM | no comments
by Merritt Maxim

CNN published an article yesterday, "Will a standardized system for verifying Web identity ever catch on?"  I highly recommend this article, if only because it describes the web identity challenge in simple terms without resorting to the usual acronym soup and jargon that often dominates these discussions (present company included).

Articles like this appearing in mainstream sites such as CNN are evidence that the internet identity problem is real and not theoretical.  While discussions on internet identity generally focus on the problems it poses for end-users, the identity problem is equally concerning for any web property that provides or consumes identities.  The internet identity problem can lead to:

  • Poor user experience (leading to customer defection/attrition)
  • High management costs (for providers) and
  • Increased risk.

While there seems to be universal agreement that internet identity is a problem, solutions have been slow to develop.  Fortunately, we have seen some progress over the last 18 months with the emergence of trust frameworks.  Simply put, a trust framework is an entire ecosystem for managing identities.  A good analogy is the existing credit card processing networks.  Yes, these networks are closed, but there are clear definitions of roles and responsibilities among all members and, most importantly, of the liability exposure for each involved party.  As a result, most consumers do not even think twice when pulling out the plastic to pay for groceries, gas or anything else.

We need the equivalent for the online world.  The emergence of trust frameworks such as Kantara, OIX and NSTIC are all very positive steps.  While the author of this article correctly points out some of the limitations and issues impeding progress of these initiatives, the existence of these initiatives is proof that there is considerable interest in finding a solution to this problem.  Multiple frameworks can and will co-exist as they offer different capabilities.  Some initial deployments in the US government have identified considerable cost savings from standardizing identity interactions in a trust framework.

And now for the shameless plug:  I will be speaking on this very topic at the RSA Conference in San Francisco on Wednesday February 29, 2012 at 9:30 PST in room 304.  If you are attending RSA, I invite you to join and learn more about trust frameworks, the benefits they provide and what individual organizations can do to best take advantage of these frameworks.  If you will not be attending RSA, please chime in on the comments section and let's take this discussion online.

Flickr ID image used under Creative Commons License courtesy of LarimdaME.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

You can't outsource responsibility

Published: February 15 2012, 04:25 AM | no comments
by Henk van der Heijden

I have recently been traveling in Europe, particularly the Nordics - where I have been meeting with customers. The number one topic of discussion at the moment is legislation and how to ensure compliance to some new regulations. The interesting aspect in this debate is around the use of outsourcers - let me explain.

There is no question that outsourcing parts of your IT estate can bring great value to the business: not only cost savings, but also the ability to hand areas to an expert so that the internal IT department can focus on where it adds the most value to the business, reducing some expense at the same time.

In the last few years the business of outsourcing, like the rest of IT, has become more complex. In the beginning, it was commonplace to outsource the network, the infrastructure, the desktop, etc., to one vendor, with the assumption that the vendor would take on responsibility for security. It soon became clear that this assumption was wrong, and that the client needed to maintain control of, and retain responsibility for, the security of what they were consuming as a service.

But fast forward a few years, and the business of outsourcing is more complex - clients are spoilt for choice with the number of vendors all vying for their business in multiple areas. Today it is commonplace to find a customer who has outsourced their network to one vendor, their infrastructure to another, and then their applications to a separate development company. Globalization and the opportunities around this such as using resources from India or China has made this issue even more complex. If it was difficult to ensure the right security controls were in place for one outsourcing company - how do you begin to approach it with multiple global vendors?

The simple fact is that you can't outsource responsibility. Take for example an outsourcing company who may have highly privileged users who are not based in the EU. How do you ensure that you, as a business, are adhering to the European Data Protection Act? Or how do you ensure that these privileged users are only touching the relevant customer platforms and, how does the outsourcer provide reports to demonstrate this?

The fact is that as a business you will need to enforce solutions that ensure you fulfil all regulatory and compliance duties regardless of your outsourcer.  This means enforcing separation of duties for privileged users and having fully compliant access controls in place. You cannot leave that to your outsourcer; they may not be subject to the same EU legislation that you are. It is your responsibility to ensure that risks are quantified or mitigated as you move your business forward.

All this may only be top of mind for companies in the Nordics right now because of legislation, but it should be common practice for all!


By: Henk van der Heijden
Henk is responsible for Security Sales in Europe. He is an information security professional with over 24 years’ experience in IT sales and services. Henk has an illustrious history of producing results through new sales and business development both in the Netherlands and across Europe. In his previous...

Invisible Hackers Consume Power

Published: February 13 2012, 01:00 PM | no comments
by Luke Forsyth

When I'm out talking to prospective customers, there is usually one topic of discussion that crops up - not just regularly, but ALL the time. Hacking.

This activity is so pervasive - it's almost an international sport. Jokes aside, it is a serious threat to business across the globe, and methods are becoming more and more intelligent by the day.

Spotting an attack as it happens isn't as easy as you think - neither is spotting the fact that you have been hacked - there is often no trace.

The first thing to remember when arming your business against cyber attacks is that it's not always the intrusion detection, firewall and anti-malware software that will help you fight the hackers; those are the obvious controls.

The best time to spot an attack is during its preparatory stages. However, comparing a 'normal' information environment to one that is under attack is a challenge, and having a clear view of what a normal information environment looks like is the best method for detecting an attack.

Attacks may show up as many unrelated anomalies in disparate areas of the environment. This means that recognising a normal operating state requires you to include all the areas of the environment where these anomalies are visible, so that they can be correlated.

The challenge of defining a normal operating state is not just across the network but also in storage and hosts (PCs, laptops and mobile devices), which need to be monitored because they are all a source of information and a potential avenue of threat. Hosts are a rich data source, as they now house significant threat detection technologies. Application performance monitoring (APM) technologies may also be able to correlate software performance as an information source, so APM could be an early indicator of anomalous activity.

One indicator of a hacker attack is the consumption of bandwidth and power. In recent discussions with a prospective customer I highlighted that reports about bandwidth and power consumption don't lie, whereas perhaps it is harder to spot data which has been compromised/copied because it looks the same regardless!

The customer in question found huge bandwidth spikes on weekends, when consumption should really be at its lowest. Taking a closer look, it was obvious that they were the victim of malicious activity.

So eco-governance tools that are able to monitor power (AC/DC) and environmental (HVAC) data are both a useful indicator of an attack and a nod to a business's environmental policy.
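As an added example (not part of the original post, and not a description of any CA product), the following Python builds a per-hour, weekday-versus-weekend baseline from constructed hourly bandwidth readings and flags readings that sit far above the baseline using a median/MAD score, the kind of check that would have surfaced the weekend spikes described above. The readings, the injected 900 Mbit/s Saturday spike, the 5.0 threshold and the floor on the scale at 10% of the bucket median are all assumptions of the example; the same logic applies unchanged to power-draw samples from a PDU or HVAC monitor.

```python
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def bucket(ts: datetime):
    """Baseline key: weekend and weekday traffic have different 'normal' shapes."""
    return (ts.weekday() >= 5, ts.hour)


def build_baseline(samples):
    """samples: iterable of (datetime, value). Returns {bucket: (median, MAD)}."""
    groups = defaultdict(list)
    for ts, value in samples:
        groups[bucket(ts)].append(value)
    baseline = {}
    for key, values in groups.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        baseline[key] = (med, mad)
    return baseline


def robust_z(value, med, mad):
    """Median/MAD z-score; the 10%-of-median floor keeps tiny MADs from flagging noise."""
    scale = max(1.4826 * mad, 0.1 * med, 1e-9)
    return (value - med) / scale


def anomalies(samples, baseline, threshold=5.0):
    """Return (timestamp, value, z) for samples far above their bucket's baseline."""
    flagged = []
    for ts, value in samples:
        med, mad = baseline[bucket(ts)]
        z = robust_z(value, med, mad)
        if z > threshold:
            flagged.append((ts, value, z))
    return flagged


def constructed_traffic(start: datetime, days: int, seed: int = 1):
    """Constructed hourly Mbit/s readings: busy office hours, quiet nights, quieter weekends."""
    rng = random.Random(seed)
    out = []
    for i in range(days * 24):
        ts = start + timedelta(hours=i)
        if ts.weekday() >= 5:
            base = 20.0
        elif 8 <= ts.hour < 18:
            base = 120.0
        else:
            base = 40.0
        out.append((ts, base + rng.uniform(-2, 2)))
    return out


def demo():
    """Four clean weeks train the baseline; a fifth week gets a weekend spike injected."""
    training = constructed_traffic(datetime(2012, 1, 2), days=28)   # Mon 2 Jan 2012
    baseline = build_baseline(training)
    week = constructed_traffic(datetime(2012, 1, 30), days=7, seed=7)
    # Inject exfiltration-like traffic on Saturday 4 Feb 2012, 01:00-04:00.
    week = [(ts, 900.0 if ts.weekday() == 5 and 1 <= ts.hour <= 4 else v)
            for ts, v in week]
    return anomalies(training, baseline), anomalies(week, baseline)


if __name__ == "__main__":
    clean, spiked = demo()
    print("false positives on training data:", len(clean))
    for ts, value, z in spiked:
        print(f"{ts:%a %Y-%m-%d %H:%M}  {value:7.1f} Mbit/s  z={z:6.1f}")
```

The important design point is the bucketing: a Saturday 03:00 reading is compared with other Saturday-night readings, not with the weekday average, so a weekend spike that would still be below a normal office-hours level is caught. Median and MAD are used instead of mean and standard deviation so that a few past incidents in the training window do not inflate the baseline and hide the next one.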

There are multiple infrastructure management solutions which can help you spot and divert hacker attacks, if you are interested in discussing these further contact me at or leave a comment.


By: Luke Forsyth
Luke Forsyth, VP, Security Services EMEA Luke joined CA Technologies in September 2010. Prior to CA Technologies Luke worked at McAfee, Accenture and began his career at Telstra. Luke is a Certified Information Systems Security Professional (CISSP) with more than fifteen years consulting experience,...
