CA Community







Cloud IAM Services-Everyone’s New Punching Bag

Published: January 30 2012, 10:36 AM | no comments
by Merritt Maxim

Any new product or technology is invariably accompanied by a certain level of skepticism and cynicism. Whether it is the latest smartphone lacking a certain megapixel camera or a new version of enterprise software not supporting a given operating system or standard, critics will always appear to question the viability of these new products.

As we enter 2012, cloud computing, or more specifically Identity and Access Management as a cloud service, is seeing a healthy level of criticism around its viability and maturity. This is to be expected with any new product or offering, but based on my discussions with customers and partners over the last few months, some of this criticism is unfounded.

Yes, organizations have a certain level of trepidation around IAM in the cloud, but interestingly many of these concerns are business and operational issues, not technology issues. Questions such as:

  • Physical locations of datacenters
  • Disaster recovery/backup procedures
  • Ownership and storage of data in cloud
  • Auditing procedures
  • Background screening on datacenter employees

These are all valid questions and, now that even Virginia is susceptible to seismic activity, surprisingly common. But these questions should not be reason for skepticism, because these issues can be solved and addressed. If customers' questions were focused purely on underlying technology issues, such as lack of standards support or lack of support for certain use cases, it would be cause for concern, as such issues would indicate a mismatch between customer requirements and the actual technology (anyone remember PKI in the late 1990s?).

When concerns focus more on business issues, that is cause for optimism.  Security professionals need to look no farther than the growth of identity federation as a proof point.  Although identity federation had some early hiccups on standards and implementations, many of the obstacles for federation were centered around contractual issues between partners and how to execute/manage such relationships.  The continued maturation of identity federation has proven that these business issues have been resolved and that federation has grown successfully without continued technological obstacles.

There is no doubt that there are still many technology issues that have to be addressed with cloud IAM, but we can look to initiatives like SCIM as proof that the industry is committed to solving these.  When it comes to cloud IAM, in the words of the great 1980s band Timbuk3, "The Future is So Bright, I Gotta Wear Shades."


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

DLP as a process

Published: January 18 2012, 07:38 AM | no comments
by Henk van der Heijden

 

I read with interest recently a paper from Forrester called ‘Rethinking DLP’ by John Kindervag.

John made two observations about DLP strategies today:

1) strategies treat DLP as a product rather than an embedded function or process

2) most strategies focus on financial data such as cardholder information, or personally identifiable information such as social security numbers in the US, and forget IP

Treating DLP as something which can be addressed by a point product solution is doomed to fail, firstly because an organization is limited to focusing on the data itself, or only one potential data loss channel, such as removable media.

Most solutions on the market today are limited because they focus only on an endpoint (not allowing data to travel out through social media, for example) or on a document type. How do you apply this approach to an Excel file? You can prevent financial information in an Excel spreadsheet from being sent via email by a financial clerk. But what about the CFO? Or what if someone simply takes a picture of the data source? This highlights the limitations of treating DLP as a point product solution: it is not a holistic approach and does not take into account other parameters such as the identity of the user, the content and the context.

Secondly, the Data Loss Prevention approach assumes the data is accessible in the first place. A more holistic approach, one that considers data protection combined with policies around identities and their access to data, does not make this access assumption.

Approaching DLP from a data protection perspective means implementing policies around identity and access management, giving the right people access to the right data, and then knowing and understanding what they are doing with it. This approach negates the need for siloed endpoint DLP solutions, which may prevent losses through certain channels but miss others.

By the nature of this approach, an organization becomes more aware of the different types of data it may hold, because the data protection approach asks who has access to what data and what they can do with that data. Read more about Data Protection solutions and CA Technologies' holistic approach here:

Content Aware Identity and Access Management solutions

 

 


 

By: Henk van der Heijden
Henk is responsible for Security Sales in Europe. He is an information security professional with over 24 years’ experience in IT sales and services. Henk has an illustrious history of producing results through new sales and business development both in the Netherlands and across Europe. In his previous...

What I learned at the 12th International Common Criteria Conference (Part 2)

Published: December 20 2011, 08:35 AM | no comments
by Joshua Brickman

In October, I wrote about the issue that the "Common" in Common Criteria is at risk of disintegrating, which was the first of two main themes from the International Common Criteria Conference (ICCC), in Kuala Lumpur, Malaysia. As promised, in this post, I cover the second main theme: supply chain integrity. 

This year I introduced the rather small Common Criteria (CC) community to the Open Trusted Technology Forum (o-TTF). I wrote about this last January and also participated in a podcast this summer. The unwritten theme of the ICCC was supply chain integrity, with formal sessions and many informal discussions on the topic over the course of the event. There were proposals around how to add assurance classes to the CC or to use the "site certification" program created by the smart card community.

As I mentioned, I focused on the o-TTF, which has brought together many of the top ICT thought leaders to address supply chain integrity and to develop best practices that companies should follow to minimize risks in this area. The Common Criteria is about product evaluations providing "assurance." I don't believe that supply chain can be evaluated on a product basis, and there is consensus on this principle within the o-TTF. Supply chain integrity can only be determined with a "process evaluation," not a "product evaluation." When the o-TTF standard is released, its accreditation program will allow companies to evaluate their overall processes and won't force a ‘product-by-product’ evaluation.

Many industry insiders are afraid of adding an accreditation program, but if we limit o-TTF's scope to the process of ‘Source-Make-Deliver’ and all that's in between (including end of life/scrap), there is something very relevant and reasonable that could come of our work.

The o-TTF is already demonstrating how competitors can cooperate to put together something meaningful. The team is working on a snapshot release of the specification with a focus on the risks of tainted and counterfeit products.  That snapshot should be available in the coming weeks, and after that, we'll be focused on conformance criteria and the accreditation program itself. 

One additional thought about adding supply chain to the CC. There have been other groups looking into similar approaches, but these are focused on changes to the Common Criteria. Let's face it, though, expecting anything to happen quickly within the CC is a tall order. Any changes require a vote involving the 26 member nations, and this process takes time. Instead, the o-TTF is well on its way to releasing a real standard with value, and the best way to ensure that it fills the gap is to support this effort. Common Criteria has plenty on its plate. Trying to add new Assurance Classes, methodologies or programs won't help the industry, and certainly won't scale.


 

By: Joshua Brickman
Joshua Brickman, project management professional, runs CA’s Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last four years (in both the U.S. and Canada). Brickman has given talks at the last four International Common...

CoIT part 2: Security of Mobile Users - Does it Differ from Security for non-Mobile?

Published: December 13 2011, 03:35 PM | no comments
by Sumner Blount

A few months ago, I posted a blog on Consumerization of IT (here) where I explored some of the causes and impacts of this important trend (wow....has it really been that long since I last blogged?  What have you been doing all this time, Sumner?).  I mentioned in that blog that there would be a follow-up blog on some of the security implications relating to CoIT.  Well, here is that blog.

It seems to me that the use of mobile devices to access enterprise resources has one important difference from the normal case of access through standard work laptops. Namely, you need some form of controls on the device itself to protect your information and to help prevent fraud. This is driven by two obvious facts relating to mobile users. First, you (the IT organization) can't always dictate the configuration of the device. Second, once your user accesses corporate information, it physically resides on their personal device. There is clearly a similar risk even when a work-issued laptop is used, but at least you have much more control over the configuration and ultimate disposition of that device.

Controls on the device are often hard to enforce simply because the device may have been purchased by the employee for their own personal use. But most consumer devices now come with some reasonably standard controls related to the security of the device and its contents. Common controls include:

  • Encryption of the data on the device
  • User authentication (strong passwords, inactivity time-outs, maximum failed login attempts, etc.)
  • Device wipe
  • Device management to configure device security, and to push policy to the device
  • Application certification - most device vendors require formal testing and certification of applications to minimize the potential for malware
  • Anti-malware products

These controls help to require more than mere physical possession of the device in order to gain access to sensitive data.  This is why attackers generally don't target the individual device because in most cases it won't provide access to information that could be used for financial gain.  They are more likely to attempt to attack central IT systems and information, since this is where the true financial benefit resides. 

In short, security of the device is a tractable problem because today's devices come with some security controls already on the device, and additional security is available from a large number of vendors eager for your business. 

But, the more important and difficult challenge is securing access (by the user of the device) to critical applications and information, as well as the use of information after it has been accessed.  Protection of your information from mobile users requires a layered approach to security, and requires controls on your user identities (and their access rights), enforcement of your access policies, and controls over how information is used once it has been accessed.  The following graphic illustrates conceptually how these controls help protect your resources, regardless of the type of user, or the method they use to access your resources. 

This model says, in effect, that other than controls on the device itself (described above), access from mobile devices requires essentially the same controls as any access method requires.  I believe that some areas of controls are particularly important for mobile users - for example, strong authentication and fraud detection.  But, a strong security infrastructure of controls relating to identities, access, and information use should also be sufficient to help ensure security from your mobile users.
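The layered model in this post (identity and access policy, authentication strength, controls on the device itself, then controls on how information is used once accessed) and the identity-aware point of the earlier "DLP as a process" post on this page (a financial clerk and the CFO are not the same user, so the same spreadsheet should not get the same treatment) can both be shown as one policy decision. The Python below is an added example written for this page; it is not CA code and not any CA product's policy. The roles, resources, device postures, required-control thresholds and the audit record are all constructed assumptions.

```python
"""Layered access decision for a mobile (or any other) user.
Constructed illustration: every role, resource, threshold and device posture
below is invented sample data, not a product policy."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class DevicePosture:
    """Device-level controls as reported by the device or its management agent."""
    encrypted: bool        # storage encryption enabled
    passcode_set: bool     # lock screen with password and inactivity timeout
    managed: bool          # enrolled in device management, policy can be pushed
    wipe_capable: bool     # remote wipe available
    anti_malware: bool     # anti-malware agent present


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    auth_strength: int     # 1 = password only, 2 = password plus a second factor


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity
    allowed_roles: frozenset


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    may_store_offline: bool = False   # information-use control: keep a copy on the device
    may_export: bool = False          # information-use control: email, share, copy out


# Assumed threshold: stronger authentication for more sensitive data.
MIN_AUTH_STRENGTH = {
    Sensitivity.PUBLIC: 1, Sensitivity.INTERNAL: 1,
    Sensitivity.CONFIDENTIAL: 2, Sensitivity.RESTRICTED: 2,
}

AUDIT_LOG = []   # every decision is recorded so use of data can be reviewed later


def device_posture_problems(posture, sensitivity):
    """Device controls (assumed thresholds) required before data of a given
    sensitivity may land on the device."""
    problems = []
    if sensitivity >= Sensitivity.INTERNAL and not posture.passcode_set:
        problems.append("no device passcode")
    if sensitivity >= Sensitivity.CONFIDENTIAL and not posture.encrypted:
        problems.append("device storage not encrypted")
    if sensitivity >= Sensitivity.CONFIDENTIAL and not posture.managed:
        problems.append("device not under management")
    if sensitivity >= Sensitivity.RESTRICTED and not (posture.wipe_capable and posture.anti_malware):
        problems.append("remote wipe and anti-malware required")
    return problems


def evaluate(principal, resource, posture):
    """Apply the layers in order: identity/access policy, authentication strength,
    device posture, then information-use controls on what may happen afterwards."""
    def decide(allow, reason, store=False, export=False):
        AUDIT_LOG.append({"user": principal.user, "resource": resource.name,
                          "allow": allow, "reason": reason})
        return Decision(allow, reason, store, export)

    # Layer 1: access policy on identity and role, identical for every access method.
    if not (principal.roles & resource.allowed_roles):
        return decide(False, "role not permitted for resource")
    # Layer 2: authentication strength scales with sensitivity (step-up for sensitive data).
    if principal.auth_strength < MIN_AUTH_STRENGTH[resource.sensitivity]:
        return decide(False, "step-up authentication required")
    # Layer 3: the only mobile-specific layer, controls on the device itself.
    problems = device_posture_problems(posture, resource.sensitivity)
    if problems:
        return decide(False, "device posture: " + "; ".join(problems))
    # Layer 4: information-use controls, which depend on identity as well as content.
    store = resource.sensitivity <= Sensitivity.INTERNAL or posture.wipe_capable
    export = resource.sensitivity <= Sensitivity.INTERNAL or "exec" in principal.roles
    return decide(True, "allowed", store, export)


# Constructed sample data.
LEDGER = Resource("quarterly-ledger.xlsx", Sensitivity.CONFIDENTIAL, frozenset({"finance"}))
NEWSLETTER = Resource("staff-newsletter", Sensitivity.PUBLIC, frozenset({"staff", "finance"}))
CLERK = Principal("clerk", frozenset({"staff", "finance"}), auth_strength=2)
CFO = Principal("cfo", frozenset({"staff", "finance", "exec"}), auth_strength=2)
MANAGED_PHONE = DevicePosture(True, True, True, True, True)
PERSONAL_PHONE = DevicePosture(encrypted=True, passcode_set=True, managed=False,
                               wipe_capable=False, anti_malware=False)

if __name__ == "__main__":
    for who, res, dev in [(CLERK, LEDGER, MANAGED_PHONE), (CFO, LEDGER, MANAGED_PHONE),
                          (CFO, LEDGER, PERSONAL_PHONE), (CLERK, NEWSLETTER, PERSONAL_PHONE)]:
        print(who.user, res.name, evaluate(who, res, dev))
```

The ordering is the point: the first two layers are the same checks any access method gets, the device layer is the only mobile-specific addition, and the last layer is where the clerk and the CFO diverge even though both are permitted to open the ledger on a managed phone. The audit record is what lets the organization later see who did what with which data, which is the "knowing what they are doing with it" half of the DLP post.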

I will reserve Part 3 of this topic for a short discussion of some issues relating to authentication of mobile users, and hopefully, it won't take as long as Part 2 did.

Do you agree with this model? Would you argue that security of mobile users poses vastly different challenges than security for all users does?

For more information on consumer driven IT, please see www.ca.com/cdit.


 

By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Need to Manage the Identities for an Entire Country or Small City? There’s an App for That!

Published: December 06 2011, 08:55 AM | no comments
by Merritt Maxim

Traditionally, identity management solutions were deployed internally to support employees and other third-party users such as partners. These identity management solutions (from multiple vendors) are currently in use in organizations of all sizes across all vertical markets around the world, generally dealing with user populations in the thousands. But in today's increasingly interconnected IT environment, organizations may now need to manage the identities of millions of users and support those users throughout the entire identity lifecycle.

During CA World, I attended a session that discussed recent testing that the CA IAM team undertook with Accenture to verify the ability of CA Identity Manager to scale to support millions of users for use cases such as:

  • A government agency allows citizens to self-identify and register for access to external facing applications. Potentially millions of citizens may need to register for a specific event, online notification or government-to-citizen account.
  • A company selling goods and services over the internet needs to securely capture and manage their customer information for real-time purchasing, enable faster checkout processing and simplify opportunities for repeat business. Usage may be cyclical and highly dependent on specific events, days and times that can cause a spike in user activity.
  • Consumer products and retail establishments that need to securely capture and track customer responses to a global promotion. New user registrations will cause an increase in normal volume as the promotion is rolled out to different regions.

The test scenarios verified the ability of the CA Identity Manager architecture to withstand the high volume of users and virtual transactions without major failures or degradation of backend processing.

A white paper has been published discussing the tests and the findings. You can find it here. You also can access CA World 2011 sessions and keynotes here.

This work further demonstrates the maturation of identity management technology and indicates that identity management can support these types of high volume B2C use cases, giving organizations confidence that existing employee-centric identity management implementations can support the high scalability requirements of tomorrow's IT infrastructure.


 

