Thursday, December 10

Effective Access Rights on a Single Server

If you're not familiar with the term effective rights, it refers to the calculated rights that result from the combination of different permission settings applied via group memberships, nested groups, hierarchical permissions, object ownership, and other considerations. NetVision's latest product is now available in a Single Server Edition (SSE) to provide effective rights reporting on (you guessed it) a single server for a very reasonable price ($795 per server).

Special Offer for Blog Readers!
Give Access Rights Inspector SSE a free trial on your own server. If you decide to buy, use the promo code "access10" until Dec 31, 2009 to get $300 off the price and pay only $495 to generate an unlimited number of effective rights reports on a single Windows Server. This can save an enormous amount of time during security audits.

Revenue Opportunity for Bloggers
We're looking for affiliates. Post a link from your blog and get 15% for each sale. That's ~$120 at full price. If you're lucky, you'll make that in a year with Google Adwords. Sell a dozen servers and you'll be picking out a brand new flat screen TV (maybe one of those backlit LED displays) ...or maybe making a down payment on a new car? It's easy. And it's a useful product. Give it a try for yourself and let me know if you're interested.

Thursday, December 3

Querying AD from SQL Server

This is a great how-to article on querying Active Directory from within SQL Server. I've written in the past about using Virtual Directory technology to query SQL data via LDAP. This is the reverse and I can envision many use-cases where this would be useful. This isn't exactly new technology, but it's a new write-up on how it's done and very easy to follow.

For example, you could use this approach to extend the information available to an application without doing any data synchronization or introducing new data sources. If the application's logon ID is the user's email address, you could query AD based on that email and get info about the user's group memberships, attributes, manager, location, etc. and have that returned to the application as if the data were stored in the local app's database.

...another useful approach to keep in your development toolbox.

Tuesday, November 24

Windows File System Access Rights

I recently did some research into how Windows networking environments apply access rights across file systems. I've been in the IT business for more than a decade. So, if asked, I probably would've told you that I already know how it all works. But, there are a number of intricacies and things I didn't know -- like how security policy can override local NTFS permissions or how Windows doesn't always enforce the most restrictive policy. It seems that Windows enforces permissions based on what it believes to be the administrator's intent, which is interesting.

I published a whitepaper describing all the details. It describes how the controls work and covers the effect of group memberships, inheritance, deny ACEs, the owner attribute, and more. And of course, it provides some guidance for taking control of all that complexity.

You can register for a copy here:
http://www.netvision.com/offer
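The effective-rights calculation that both the Access Rights Inspector post above and this whitepaper summary describe, as an added example that is neither the product's code nor the whitepaper's: a small Python model of the Windows access check that walks a DACL in order, expands nested group memberships, and applies the owner's implicit rights. The group names, DACLs and owner are constructed for the example; the access-mask constants are the real Windows values.

```python
from dataclasses import dataclass

# Real Windows access-mask bits used in this model (a subset of the file-object rights).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE = 0x0001, 0x0002, 0x0020
DELETE, READ_CONTROL, WRITE_DAC = 0x00010000, 0x00020000, 0x00040000

@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name (a SID in a real DACL)
    mask: int      # access-mask bits this ACE grants or denies

def expand_groups(principal, group_members):
    """Return the principal plus every group it belongs to, following nested groups."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(g for g, members in group_members.items() if p in members)
    return seen

def effective_rights(principal, owner, dacl, group_members):
    """Bits the principal ends up with: for each bit, the first ACE in DACL order that
    names the principal (or one of its groups) and mentions that bit decides allow/deny.
    The owner is implicitly granted READ_CONTROL and WRITE_DAC before the DACL is read."""
    ids = expand_groups(principal, group_members)
    granted = (READ_CONTROL | WRITE_DAC) if principal == owner else 0
    decided = granted
    for ace in dacl:
        if ace.trustee not in ids:
            continue
        if ace.kind == "allow":
            granted |= ace.mask & ~decided   # only bits no earlier ACE has already denied
        decided |= ace.mask                  # a deny settles its bits as denied from here on
    return granted

# Constructed sample: Bob is a Contractor, and Contractors are nested inside Staff.
GROUPS = {"Staff": {"Alice", "Contractors"}, "Contractors": {"Bob"}}
RW = FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE
CANONICAL = [Ace("deny", "Contractors", FILE_WRITE_DATA | DELETE), Ace("allow", "Staff", RW | DELETE)]
# Same two ACEs with the allow placed before the deny (non-canonical DACL order):
# the deny no longer wins, which is the "not always most restrictive" behaviour.
MISORDERED = list(reversed(CANONICAL))

if __name__ == "__main__":
    for name in ("Alice", "Bob"):
        print(name, hex(effective_rights(name, "Alice", CANONICAL, GROUPS)),
              hex(effective_rights(name, "Alice", MISORDERED, GROUPS)))
```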

Thursday, November 12

The End of Internet Security

Remember all that stuff I said about how we already have an end-to-end security solution that ensures that users are connected to the right web site and that there's no eavesdropping going on? Well, you can scratch all that.

I knew there was a User Experience problem with SSL in that most people ignore that it's happening and therefore don't notice when it's not happening. I also knew that there are known potential attacks on SSL, but it seems there's a newly discussed renegotiation problem that makes the whole system seem suspect. This posting from RSA does a good job at providing an explanation.

This is a big deal. SSL really IS web security. So many other security solutions rely upon it -- assuming that communication is safe and secure because it's done over SSL. Even if all the major vendors get a fix out tomorrow, we'll probably see this problem around for years to come.

Monday, November 9

Implication of Cisco MARS decision on SIEMs?

Notice the question mark first. I'm interested in what you think this means. This isn't me trying to make any great claims.

Cisco has acknowledged that it will stop adding support for additional devices on its MARS SIEM platform. While the plan is to continue providing updates for already-supported devices, it's difficult to argue that this isn't a strategic move toward completely dropping support for the product (in its current form).

I, of course, wanted to use a title like "The END of SIEM", but it's hard to make that leap given that one of the biggest SIEM players was ranked among Deloitte's 2009 Technology Fast 500 with over $100 Million in revenue for 2008. And ArcSight has shown 32%, 34%, and 25% year over year growth in its last three quarters respectively.

Still, Cisco is thought to be the most widely deployed SIEM with over 4000 installations. For them to make a strategic move to discontinue addition of future platforms means (and read this with your favorite accent) something doesn't smell right in Denmark.

As I speak to organizations about NetVision (and we are clearly NOT a SIEM player), I hear concerns about SIEM tools and log management applications that are big, complex, difficult to implement, expensive, and not user-friendly. I have nothing against SIEM tools or the role they play. In fact, many of our customers integrate our product with SIEMs. ...which is why the topic comes up. But, I've been wondering if the fire-hose approach to data collection is proving to be too much, i.e., too much data and too much complexity given the problem at hand.

I sense that the SIEM approach is troublesome and that SIEM vendors who can't adapt to changing market expectations for more readily available answers will start making announcements like Cisco's indicating that they won't be around forever continuing to support an ever-growing number of devices. There will likely continue to be a market for large scale event data collection into the foreseeable future. I'm not arguing against that. But a segment of the market seems to be defining itself as a group that wants easy answers in lieu of a data flood.

Am I reading too much into it? What do you think?

Thursday, October 22

Two Factor Authentication is Worth Nothing?

Apparently, Roger Dean, executive director of EEMA, recently declared two-factor authentication “not worth anything anymore.” According to the article, Dean's thinking is that man in the middle (MITM) attacks render strong authentication useless.

Isn't that like claiming that firewalls are worthless because they don't prevent viruses from being installed on desktops? Strong authentication (which includes two-factor) was never intended to prevent MITM attacks. That problem was already (theoretically) solved with SSL.

Perhaps Dean was reading Bruce Schneier's thoughts from back in 2005. I get it. Issuing tokens to users is not a panacea. But, there is no cure-all in the security space. We rely on SSL to establish secure links to sites, which should both identify the site as being who it says and prevent snooping. Theoretically, that end-to-end encryption and use of trusted certificate authorities is what would prevent MITM attacks.

But even when using SSL correctly (and assuming there are no flaws in SSL), there is still an authentication challenge that strong authentication techniques such as two-factor rise to meet. Without it, users may share credentials or use weak passwords exposing numerous other potential attack vectors.

I think Dean's frustration is focused in the wrong direction. Strong authentication techniques are good at what they do and (still) have their place in the security infrastructure. I think the problem he's seeing mainly lies in the user interface of SSL. Like any good security feature should, it does a good job of staying transparent to the end user. But a little too good. So good, in fact, that most users don't even know when it's not there. And that's the problem.

If we could force users to look for and expect the SSL connection and to confirm the domain with which they're connected, phishing and MITM would become immediately unprofitable. I'm surprised browser vendors haven't done that yet (and EV certificates are not the answer). Personally, I'd want to see a white list approach for personal banking and other regular-use sites coupled with a per-use hoop to jump through for occasional other data transfers.

But don't blame strong authentication for SSL's incompetence.

Friday, October 9

Cloud-Based Strong Authentication

Yesterday, RSA and Verisign announced a partnership on cloud-based secure authentication for the consumer market. Pretty interesting stuff. The management of these organizations should be commended for looking past their competitive rivalry to identify a new business opportunity.

The solution isn't new. Verisign has been offering its VeriSign Identity Protection (VIP) authentication services for quite some time. I've had a token that I use with my PayPal account (and my OpenID) for the past couple of years (made in China by ActivIdentity). But adoption of the offering has been less than overwhelming.

We could probably all count on one hand the number of people we know with a non-work-based authentication token. And most of those are likely tokens handed out by banks and other financial companies that are tied to a single account. The VIP solution gives you a token to use across multiple sites. And there are a few other perks as well.

I don't know what they charge to add this strong authentication to your site. But, I expect that it's more competitive than implementing your own solution. And the end-users benefit from a single token that can be used across systems.

RSA hasn't been wildly successful in getting tokens into the hands of consumers. So, partnering with Verisign seems like a good move - leverage an existing solution to sell more product. And Verisign customers benefit from more choice. RSA has a lot of token options and some are impressive. Their manufacturing is done at their headquarters in MA and the quality assurance process is top rate (I've been through the tour).

In addition to overall quality, some provide additional convenience as well such as a token with an integrated smart chip (for access to encrypted laptops and digital signing) or the software tokens for BlackBerry, iPhone, Win Mobile, etc. that don't require an additional piece of hardware. I should note that the release only mentions hardware tokens, but in the consumer market, it would be a bad move to restrict usage to hardware only.

Thursday, September 24

Provisioning to the Cloud

I posted recently about identity in the cloud. Many identity vendors are doing interesting things to get their solutions 'in the cloud' or available 'as a service'. It's a lot of buzz, but there's also some actual cost savings and operational efficiencies at the bottom of these efforts.

Today, Optimal IdM announced their cloud provisioning solution. Similar to what Identropy is doing with IC2, Optimal IdM's solution leverages existing provisioning solutions and acts as a connector to cloud applications.

This use case of acting as a connector for remote, unknown, complex, or varied systems is a perfect fit for virtual directory technology. MaXware released a similar connector for Salesforce in 2006 while I was still an employee. Perhaps they were ahead of their time? The virtual directory solution can be added to virtually (no pun intended) any environment and provide immediate connections up to numerous, complex cloud systems, thus saving cost and effort as compared to developing custom connectors.

Having said all those nice things about the virtual directory approach and once again encouraging IAM integrators to consider virtual directory solutions while whiteboarding on how to meet requirements, I should be fair and point out an alternate viewpoint. If you already have a provisioning solution from the likes of Courion, Novell, Oracle or IBM, and a requirement to provision to cloud applications, you owe it to yourself to take a close look at Identropy's IC2 offering before making any purchase decisions. That's exactly what it's designed to do.

Another interesting note - I spoke to someone from Arcot today (think secure token-less authentication) who informed me that all of their solutions for secure authentication are now available as a service. They already have one of the most widely deployed authentication-as-a-service solutions on the market, so it seems to be a natural migration to offer their other solutions from the cloud as well.

Who recently said there was no more innovation in the IAM space? The latest innovation in this space is in direct response to the market complaints that IAM is too complex. Once simplicity is realized, innovation will no doubt trend elsewhere. I call that a success in meeting customer demand.