Trust But Verify

Yesterday, I posted on The Value of Security Audit and Bruce Schneir's recent writings on the topic. Today, Richard Stiennon posted on the topic in an expansion of his three security laws.

He writes (abbreviated):

"...the first two rules could be simplified to 1. Don’t trust the network. 2. Don’t trust end points. But that level of simplicity does not transfer to people. You have to trust your users. So, borrowing from Ronald Reagan’s immortal words Trust but verify, you have to apply the following...

1. Strong authentication and granular access controls.
2. A published policy on acceptable use of resources.
3. A monitoring and alerting system that informs the user of policy violations."

He continues and suggests that making security achievable requires all three. The idea that monitoring and alerting is required has finally become mainstream. More and more smart people seem to be listing it as a necessary component of a secure environment.

..our little baby is all grown up (sniff).

The Value of Security Audit

Bruce Schneir wrote in the Wall St. Journal last week:

Most security against crime comes from audit. Of course we use locks and alarms,but we don't wear bulletproof vests. The police provide for our safety by investigating crimes after the fact and prosecuting the guilty: that's audit.

Wouldn't it be nice if the police got an email alert every time a gun was fired with the name of the person shooting, where it happened, time & date, what they hit, what type of gun, etc.? Schneir was obviously using an analogy to talk about information technology.

And in IT, these types of alerts are actually possible!

Also, earlier in the article, Schneir concisely sums up a related point:

Audit helps ensure that people don't abuse positions of trust.

So, yes – Audit to catch and deter evil doers (to use the term one last time) AND to ensure that system administrators' power is kept in check. And go for the fancy email alerts too.

Dixon on Identity, Context, Preference, and Persona

Yesterday, Mark Dixon offered a very clear and concise explanation of identity, context, preference, and persona. And I agree with his definitions. This would've been useful for my discussion with Marty on the Identity Reference Model. I was pretty much using the same definitions and making the case that in actual implementations, personas (which are more abstract in nature) are usually mapped 1-1 with specific user accounts.

Melding Identity Technology into Future Architecture

One of the really fun things about being in technology is thinking about what COULD BE in the future. By now, we've all heard the promises of SOA and Identity Federation technologies. We've them each implemented to some degree. We've discussed policy servers and XACML that enable systems to share authorization information. But I think we'd all agree that we're in the pretty early stages of figuring out how an enterprise could really use all this stuff together in the future.

Last month, Todd Clayton took an ambitious step toward doing just that. He took the concept of what we want to see in the future – systems communicating freely and sharing information – and mapped out how it can be achieved using today's technology.

I don't know if the FOA moniker is the right fit (many smart IT people still don't really understand the first use of federation – we probably shouldn't start using the term elsewhere.) But, the concept is really interesting.

Now, if only there were a few brave organizations who were willing to take a leap and build out their future architecture a little early... it would be really interesting to see what we'd learn from them.

Small Orgs Hit by Economy - Maximize Your Budget

A new CIO article titled How to Maximize your IT Security Budget discusses how to make the most of your IT Security budget given current economic, regulatory, and threat conditions.

Cybercriminals are finding it easier to move downstream and target small to medium businesses... Regardless of whether you are... [smaller] ...you face the same problems as a global enterprise when a breach occurs: potential fines, bad press, class-action lawsuits and customer attrition.

I have noticed recently that the affects of PCI-DSS are extending out of retail and into Healthcare and other verticals. HIPAA is extending into law firms and other organizations that somehow support healthcare rather than actually being healthcare.

So yes, the NEED to provide security and proof-of-security (audit) seems to be GROWING as BUDGETS to address the needs are SHRINKING.

NEED - GROWING
BUDGET - SHRINKING

...not an ideal scenario. So, what do you do?

Page 2 has the tips on how to maximize the budget. Basically, you need to look at efficiency, automation, and finding the right fit (rather than blowing the budget on something that attempts to cover everything). Think Operationalizing Security.

One thing I took away from SC World Congress was the fact that smart people are still recommending an approach that includes business alignment and risk analysis rather than a shotgun approach. Be a surgeon. Figure out your risks and find the right way to address them while balancing cost, approach, efficiency, etc. Don't just keep boarding up all the windows.

SC World Congress - NYC

I'm looking forward to a couple days in the city next week for SC World Congress. It's sort of my home turf, so I look forward to taking some visitors downtown for some food and drink - maybe falafel on MacDougal St? What events are happening after the show hours? Let me know if you'll be there - I always like to meet up in person. Feel free to leave a comment if you have a sponsored event or other happening in association with the event.

BTW - speaking of MacDougal, if you have nothing to do and like good live music, check out Cafe Wha? while you're there. It's a landmark.

Industry's First Managed Service for Identity & Access Audit

Last week, I mentioned NetVision's new Managed Service Offering. Now, it's official. The press release is out.

I know you don't all want to hear me blabbering on about my products, but bear with me on this one for two reasons:

1 - It's what I do all day, so it's hard to NOT talk about it.

2 - This is REALLY interesting stuff. I'm not talking about a new feature or bug fixes. This is a new way of delivering solutions that really makes life easier and is more cost effective for our customers. Nobody else is doing this.

Here's what it boils down to:

Our software has gotten better over the years. It's been around for a decade and we have scars, battle wounds, lessons-learned, and the benefit of the collective experience of twelve years worth of customers. But, solution software isn't enough.

You need hardware, platform OS software, database and reporting software, and it all needs to be installed, configured, maintained, and integrated. Assuming all of that is done, to get the answers you need, you'll also need knowledge -- of the systems that you want to audit and of the requirements (what questions should you ask).

So let's say that you spend some consulting dollars to get the system setup, it's producing all the right answers, and you get knowledge transfer on how to use the system. What happens when requirements change? Or when the guy who was trained leaves the company or switches roles?

Systems are complex by nature. Understanding how to tie together directory, file system, database, reporting, takes a fair amount of knowledge -- especially when you think about re-configuring, tweaking settings and performance, troubleshooting issues, etc. And when you're doing it for the first time or it's not your primary job function, it can be inefficient to say the least.

So, we put our money where our mouth is. We will maintain the investment in expertise. Expertise in the systems we rely on, the systems we audit, our own system, and the requirements & best practices needed to coax out the right answers. We already do this stuff, so we decided to scale it out a bit and pass the economy of scale cost savings on to our customers.

We made improvements to the management interface, nailed down hardware requirements to an appliance, and put resources in place to provide the service and monitoring delivery.

I'd love to know what you think. I'm particularly interested in those of you who are setting up managed identity services businesses. This is something that can help you keep an eye on the effectiveness of the IAM solutions you manage. AND it can help your customers keep an eye on what changes you might be making to their environment. It's also a great solution for organizations that outsource IT and have no in-house directory expertise but want to monitor access rights and other directory or file system rights changes.

Visit our site for more info on Microsoft Active Directory solutions or Novell eDirectory solutions. I look forward to hearing what you think.

Managed Service for AD Monitoring

The engineers at NetVision were incredible visionaries back in 1995 when they built some of the first identity management tools (for Novell-Microsoft sync) and identity audit tools. (check out their site from 1999) Their directory knowledge is unparalleled and now, that spirit of leadership is alive again.

NetVision recently brought to market the industry's first managed service offering for monitoring and reporting of identity & access information on core network directory platforms (Microsoft Active Directory and Novell eDirectory) and their related file systems.

We have effectively removed all the typical obstacles - software, hardware, configuration, setup, maintenance, etc.. The solution is delivered via an appliance allowing us to handle the heavy lifting (while the data stays close to home):

• WE do the configuration to match your environment
• WE install, configure and lock down the OS
• WE install and configure the supporting software (database, report engine)
• WE install and configure the solution, including setup of policies, reports, and customizations
• WE handle all of the patch management and upgrades
• WE monitor the system for performance
• WE provide policy and report updates when needed

The only thing left for our customers to do is to enjoy the critical data that they wouldn't get anywhere else (and the extra time they now have on their hands).

Please say hello to SIMON.

U of Rochester IdM Journal

I just stumbled across Mike Conklin's new blog. There's not much there yet, but Mike's promise was enough to make me take note. (No pressure Mike!) It seems he is going to help develop an identity management strategy for a university and also help implement all the supporting technology. That's a story that I look forward to hearing. I hope we get all the details - service providers, product selection, architecture, etc.. This type of blank slate scenario is a fantastic learning opportunity for those involved (and those who get to read about it). Again, no pressure Mike -- I've just always wanted to see someone tell the story each step of the way.

[enter Leslie Nielsen]
"I just want to tell you both good luck. We're all counting on you."

Identity Management is Like Watching Paint Dry

This from a Dark Reading article titled Identity Management: Low On Excitement, High On Payback.

On the humorous side, twenty one percent of respondents in an Imanami research report found managing Active Directory to be more boring than filling out expense reports. (It's great that they even included that option in the survey - it could be fodder for OfficeSpace 2?)

On the serious side (from the research):

5.8 person-hours per 1,000 users is spent during a typical week on updating or otherwise managing groups in Active Directory.

81% of respondent organizations manage groups manually, while 55% use scripts and 34% use some sort of automated solution.

And back to the article:

"User provisioning and multifactor authentication are two projects you should keep if you are thinking about cutting back," said Forrester Research's Andras Cser about identity management today. "These are areas where there's a real opportunity to increase efficiency and cost savings."

42% of organizations report that someone has accessed information from Active Directory that they were not authorized to access.

This issue becomes even more acute during difficult financial times, when employees may become disgruntled following layoffs or pay disputes, experts noted. During such times, the ability to quickly provision and deprovision employees may play an important role in the enterprise's overall security, they said.

I've talked about the motivations behind Identity Management projects before, but I wasn't accounting for the current economic climate. There's definitely an argument to be made that the pendulum is swinging back toward cost savings as the prime mover of Identity projects.

Two Kinds of Security Threats

Rich Mogull said it succinctly (a few weeks ago). There are two kinds of threats....

1. Noisy threats that break things people care about.
2. Quiet threats everyone besides security geeks ignore, because it doesn’t screw up their ability to get their job done or browse ESPN during lunch.

I noticed it too, but haven't thought to call it out like this. I feel like the distinction between noisy and quiet will become a common part of my vocabulary. It explains why some people just don't care about very high-risk threats that are fairly likely to occur yet they'll dump their piggy banks to cover up threats that don't seem to carry all that much risk. Apparently, it's all about ESPN.

It also helps call out why some people throw money at compliance in a way that just quiets it down without really providing the best risk mitigation or value.

Log Management

Nov. 10th's Information Week has an article on Log Management comparing LogLogic with LogRythm.

The first paragraph gives a nice summary of the log management dilemma:

IT managers–and system admins, for that matter–hate logs, because they seemingly go on forever and often provide an overabundance of useless information. Administrators get lost looking for one or two important log entries scattered through a log file with tens of thousands of entries.

It goes on to discuss how LogLogic and LogRythym attempt to deal with the problem.

We (NetVision) don't compete with these vendors because we don't take a horizontal approach attempting to cover every system under the sun that can produce a log. We're focused on core network directories (Active Directory and eDirectory) and related file systems. But, we take a different approach to the overabundance problem.

Rather than trying to streamline the search into a huge mountain of useless information, we process events very carefully so that you never even create a mountain. Instead, you create a streamlined set of highly relevant information.

Because of our focus on core platforms, we're able to really excel at depth and provide unparalleled filters and capabilities -- such as capturing lots of information that doesn't even exist in the logs. We get user names, before and after values, any combination of objects or attributes, and even failed attempts.

And if you're enterprise still needs enterprise log management, we can contribute highly relevant event information about arguably the most important security component in the environment - the network directory (Active Directory) and its related file system (Windows). ...which ultimately makes the mountain easier to navigate.

Events we cover? User accounts, access rights, administrative changes, and user activity. In addition to platform focus, we're also focused on what events we care about -- identity and access. We answer Who Has Access to What? and monitor any changes that affect the answer to that question.

Outsourcing Security is NOT Riskier

Network World posted an article yesterday titled Myth or truism? Security experts judge conventional wisdom. I really love the idea of putting a panel of security experts together for a single question - it gives you multiple points of view on an issue. I also like that it wasn't conversational. Without hearing the other expert answers, people were free to wildly disagree with the crowd.

Expert Advice

The first take-away is that there is almost never consensus. So, add your own perspective to whatever security advice you hear. There will usually be someone smart who disagrees and you'll need to find your own middle ground based on your individual needs.

Outsourcing Security

The other really interesting thing I took away is on the topic of Outsourcing Security. Other than one, all of the experts seem to acknowledge the potential for better security in outsourcing. I often hear the argument that outsourcing has benefits in spite of security concerns. But, this panel had good reasons why outsourcing may create better security. Here are a few of the responses:

People are risky, whether they get a paycheck signed by you or one signed by the outsourcer... Often, an outsourcer has more security measures in place than you do.
- Bruce Schneier

If you need 24/7 coverage, choose a solid managed security service provider, and choose the right services to outsource.
- John Pescatore

Outsourcers can hire better people and because they see more real bad things, they are better at reacting.
- Richard Stiennon

As I said above, think about your own needs and make your own analysis, but hopefully we can agree to stop assuming that outsourced security is less secure.

SC World Congress - New York City

Want to get the latest info on Information Security, Compliance/Audit, Risk Management and Policy?

The SC World Congress will happen Dec. 9-10 at the Jacob Javits Center in NYC. New York is a great place to visit in December - let me know if you plan to be there. Maybe we can meet for a drink. Also, NetVision will be there as a sponsor. Stop at the booth - we'd love to talk to you about our latest accomplishments.

I'll also be blogging about the event as part of the Security Bloggers Network. The SBN is pleased to offer our readers a 35% discount on conference rates. It could be just what you need to get approval to attend the event. To take advantage of the discount, just use the promotional code BLOG1 (for one day pass) or BLOG2 (for two day pass).

For more info, go to the SC World Congress site.

FREE Pass: CSI 2008 (DC Area)

The CSI 2008 Security Conference will happen two weeks from now in the D.C. area. It actually starts on Sat., 11/15 and runs through Fri., 11/21, but the main conference runs three days - 11/17 - 11/19. It will be held at the Gaylord National Resort and will cover Identity 2.0, NAC, Anti-Virus, and Virtualization, just to name a few.

I have been authorized to give away a FULL 3-Day Conference Pass FREE (an $1895 value).

I only have one to give, so I'll have a small contest. Here's how to enter:

CONTEST DETAILS

You must enter by Thurs. 11/6. I will contact the winner on Fri. 11/7.

To enter, send me the most creative, interesting, unusual, funny, or exciting thing that you've seen, heard-of, done, or would-like-to-do with Active Directory.

Be sure to include email, phone, company name and title in your response.

If you want to win, but can't think of anything, try something like "use it to store network credentials". - you never know. That might be enough to win ;)

Those of you who don't win, can still take advantage of a 25% Discount!
The 25% Discount code is: BLOG25

You can also go directly to the site for a FREE Exhibition-Only pass.

I look forward to reading your entries!

Productivity was the big motivator

If you clicked the link to this page from the article titled Ease your identity management issues in IT World Canada, I wanted to provide a quick pointer to some of the content I *think* you might be interested in.

The link occurs in the line:

And while user productivity was the "big motivator" behind identity management strategies several years ago...

So, I think the writer may have read one of my previous posts which said:

Provisioning has typically been about increased efficiency and reduced cost. But, it's time to extend the ROI into security and compliance as well.

I expanded on the theme in a later post and then discussed the topic in an article on eBizQ.

You might notice that my ultimate conclusion is a little different than the one in the article. Here's the full paragraph from the IT World Canada article:

And while user productivity was the "big motivator" behind identity management strategies several years ago, it has now assumed a back seat as the rough economy has brought to the fore the need to reduce help desk and security administrative staff by automating previously manual user access processes, said Shohan. “People at least pay lip service to the idea of regulatory compliance and improving security, although I suspect in many cases, they… are really more interested in ROI and access termination,” he said.

So, it sounds like they're saying that the initial drivers for IAM were user-productivity and that has shifted to operational cost savings. In contrast, I would say that the initial driver was operational cost savings, it later included user-productivity, and now the shift is toward greater security and compliance / audit-ability.

In a completely separate post, I also talk about the difference between enabling end-user productivity in some SSO solutions and enabling security in others. ...perhaps that was the motivation for the link?

Either way, thanks to IT World Canada for the link!

More Insider Threat Data

RSA recently released their latest data on Insider security.

Some interesting results:

53% of respondents feel they NEED to work around security policies to get their jobs done.

37% of respondents have stumbled into areas of the network to which they SHOULDN'T have access.

50% of U.S. respondents switched roles and still had access to UNNECESSARY accounts/resources.

And that's with most respondents understanding security policies and having been given training about the importance of following security practices.

The last time I wrote about an RSA survey pointing out that employees feel they NEED to work around security controls to get their jobs done, the number was at 35%. So, it's either gotten worse or it varies from crowd to crowd (likely the latter).

Get the full survey report here

Ian's Managed Identity Services Survey

Ian Yip has posted his Managed Identity Services survey results. Good stuff. Thanks Ian!

I would've identified the top two benefits of a managed solution as:

• Lower Cost
• Fewer Skills/Knowledge Required
  (Hiring, Training, Employee Turnover, etc.)

The respondents confirmed those, but reversed the order. To them, the fact that a managed solution eliminates the need to find and keep people with the right knowledge/skills is more important than the fact that a managed solution costs less. (That's my own analysis of question 13 after combining a few of the answers.)

Another interesting point is from question 12 - biggest barrier to outsourcing IdM. If you take away the top two concerns by leaving infrastructure and data on-site and limiting external access to sensitive data, the top concern is cost - which was also identified as one of the top benefits. So is there confusion about whether outsourcing cost more or less? Or is it listed as a barrier to changing the way things are done today (as in, I need to find budget)?

Check out the results for yourself to do more digging.

Effects of the Economy on InfoSec

Should we start talking about how the economy will affect IT and Info-Security? Spending has slowed for many of the people that I've talked to. I don't think things are dyer quite yet as software companies are still hiring for pre-sales help. But, customer budgets have gotten smaller. And some are predicting that cost-cutting solutions will likely be king.

But how do organizations reconcile the need for security with cost-cutting? Security solutions are not always about cutting obvious costs. There's often a focus on reducing the potential cost of a breach or failed audit. What about operational costs?

Perhaps now is the time for service-based solutions? Identity-as-a-Service or Audit-as-a-Service? There's a pretty clear argument that allowing someone else to manage a complex infrastructure will save cost vs. trying to build expertise and manage it yourself. ...more on this very soon. But, what do you all think? Should we be buying the duct tape and plastic sheets to brace for a coming storm? How has this economy affected IT security buying decisions?

Litmus Test for Metadirectory vs. Virtual Directory

No, I don't want to re-open a debate. Just floating someone else's idea...

I already mentioned some of the things I overheard at DIDW 2008 and the panel titled Lessons From Successful Virtual Directory Deployments. I was looking at my notes today and wanted to float an idea that one of the panelists offered (I think it was Divya Sundaram of Motorola). He said (paraphrased):

If you front-end data (or a data store) that you don't own (or don't have control of), then you need to replicate/sync data (instead of virtualizing the view).

Is that a good general litmus test for the Metadirectory vs. Virtual Directory debate?

As I've said numerous times, I can think of clear use-cases for both scenarios. But this might be a good general rule of thumb. BTW - the panel seemed to unanymously agree that both capabilties are useful and should be part of the toolbox.

Better data from Active Directory for your SIEM

If you Have or are Planning to Have:

• A SIEM solution (ArcSight ESM, RSA enVision, Novell Sentinel, IBM TCIM)
• An enterprise Log Management solution (LogLogic, TriGeo, SenSage)

And your employees log on to:

• Microsoft Active Directory / Windows
• Novell eDirectory / NetWare

And you're unhappy with the solution's ability to:

• Get complete information from the directory or file system
• Filter which information is collected
• Generate highly relevant alerts based on filtered event data and custom policies
• Collect event data directly from the source (independent of system logs)
• Apply decisions or alerts based on WHO is performing the action
• Report on ANY combination of objects and attributes in the directory
• Report on who is opening or modifying files, folders, or file system permissions

THEN ...Please give us a call.

I recently wrote a paper discussing how we (NetVision) extend the ability of SIEM or log management solutions by getting better, more reliable, and more relevant information directly from what is arguably your most critical source (the network directory). The paper isn't publicly available (it's not that kind of paper). So, let us know and we'll pass it along or we can save you the trouble of reading and just explain it.

85% of Security Breaches are Opportunistic

I've talked before about security breaches being crimes of opportunity. I've given presentations and webinars discussing the Insider Threat and talking about security breaches. And I always mention that I don't think the concern should be that people are bad. I don't think that employees are out-to-get their companies.

I didn't want to paint a picture of bad guys huddled in a dark room trying to figure out how to breach the company's security. Sure, that happens too. But, I don't think that's the real Insider Threat. Some of those attacks may have an element of insider advantage, but the big number of security breaches that I attribute to insiders are more opportunistic. It's administrators who have been given explicit access to sensitive information and stumble across it in their daily routine. And it happens all the time.

According to a new Data Breach Report by Verizon Business,

85% of security breaches are opportunistic.

I always thought the percentage of insider breaches that are opportunistic would be high. But, of the breaches covered in this report,

18% were caused by insiders.

I believe that number to be much higher. This report is based on breaches that were not only reported, but brought to Verizon Business for help. Nobody calls a forensics team when an admin opens up an HR doc containing a co-worker's salary. Or when an admin creates a new account and grants full system rights in order to get a new application up and running. I would consider both scenarios to be a security breach, but neither would appear in this report (or other reports). Those breaches are generally not reported and quite often not even noticed.

Does your environment have a mechanism that enables you to even see that kind of activity? Most do not. ...which leads me to the last stat I'll share from the report:

87% of breaches in this study were considered
avoidable through reasonable controls

...and I would argue that the same is true for the unreported, opportunistic, insider-threat type of breaches that are likely unrepresented in this research.

Identity-Based NAC or UTM

While walking the floor at Interop in NYC this week, I stopped to chat with the guys at the Cyberoam booth. Cyberoam provides a security appliance that provides identity-based Unified Threat Management (UTM). Similar to most Network Access Control (NAC) devices, the solution grants and denies access to systems and resources based on the IP+port destination address. Typically, this is done at the network layer by enforcing policies based on the requesting machine's MAC address (laptop X is allowed to access application Y on server Z).

Cyberoam's messaging is that they are identity-based. This means that the appliance (the red box below) doesn't enforce policies strictly based on MAC address (the user's hardware). It is identity-aware in that it knows who is logged onto the desktop, verifies policies and access rights against the network directory (Microsoft's Active Directory, for example) and grants access to the user rather than to the machine. This is a level of protection and intelligence above purely hardware-driven NAC solutions.

I can't vouch for Cyberoam as a solution. I haven't used it and don't know more than was told to me in a five minute conversation. But, I immediately recognized a use-case scenario for NetVision.

If access to systems and assets across the network is based on data held within Active Directory, then you better be able to monitor changes to that data and get immediate alerts if there's a policy breach. If it's true that 88% of IT admins would steal from their employers or snoop around the network, then an environment that puts the keys to the kingdoms in the hands of the Active Directory administrators needs a comprehensive ability to audit and monitor administrative activity.

So, if you are a Cyberoam customer or if you have a similar NAC or UTM solution that relies heavily on the network directory, please let me know. Even if you're not interested in finding a monitoring solution, I'll buy you a cup of coffee and maybe lunch if you're willing to tell me about your environment, the business challenges, how it's going, what risks you see, etc..

Building a Central Identity Store

The folks at SECUDE Consulting, who are SAP ERM specialists, have an identity practice that focuses on (among other things) SAP NetWeaver Identity Management solutions (the former MaXware products). Matt P, part of SECUDE's IAM team, recently authored a white paper titled Strategies for Creating an Authoritative Store.

If you are building a provisioning system, deploying SAP NetWeaver Identity Management, or designing an enterprise identity store, you should review this paper. Matt discusses terminology like source repositories and target systems, discusses data join techniques, and introduces the concept of layering. The paper provides an overall road map for designing an enterprise identity store, which can be a critical component of a provisioning solution.

You can get a copy via the links or contact info in Matt's blog post about the paper.

Situational Awareness in Logs & Events

Anton Chuvakin put together a great list of reading on logs. Are they useful? Are they painful? And more. Included in the list is Michael Baum's brilliantly titled post Life after SIEM. Situational Awareness is next. Baum discusses SIEM technologies and the next evolution. I love his idea of bringing situational awareness into the equation. It's a great way to describe what happens when your monitoring solution does more than compile data. When it is intelligent.

At NetVision, one way that we're working to achieve intelligent monitoring is to limit our scope to the core network platforms. This is where your employees authenticate each morning and their entry point into the network. I see the network authentication as the launchpad into the network. And once you're in, you have potential access to systems and assets.In the real world, this usually means Microsoft Active Directory or Novell eDirectory (and their respective file systems). These core systems are incredibly strategic to overall information systems security. And I posit that they deserve more careful consideration than simple log scraping. Many of our customers agree. They feed our data into their enterprise SIEM or log management solution.

In many smaller organizations (SMEs), full-blown SIEMs and massive log management solutions may not be necessary. For them, full insight into the core network system (often Active Directory and Windows) provides answers to most of their security audit questions. This is especially true if Active Directory is considered strategic and is used by other systems for authentication or authorization (as is often the case with Sharepoint). And also true in environments that rely on Active Directory to feed accounts, attributes, or group memberships into a provisioning system.

To get back to the point, the more an organization leverages Active Directory strategically, the more valuable the concept of situational awareness can be within the monitoring solution. For us, it means having different business rules depending on event variables or policies that update in real time based on environmental changes.

I don't agree that SIEMs are dead. But organizations seem to want more than stockpiles of data. And it's extremely important to use context when processing events from core systems.

Understanding the Identity Reference Model

I mentioned that Marty and others are working on an Identity Reference Model. I came to the conversation late and am trying to understand the progress they've made so far so I might be able to contribute to the discussion. Marty's latest post adds context around what they're trying to do. My original reply to this post was via email, but so that others can read along, I'm providing the email content below (Marty is the "you" I refer to).

--

The context you provided is helpful. It gives me an idea of what you are intending to accomplish, which is a model for identifying identity data, right?

So, this isn't about modeling the authentication process or provisioning process. This is just about identifying the types of information that is used to represent an identity. Correct?

I'm still unclear about the differences between entity, subject, persona, and account. The way I see it, a "persona" is like a mask (or character being played by an actor). So, if I am an "entity", I could have multiple "personas" and would use each based on situational context. In our current-day real-world, personas tend to manifest themselves as "user accounts". With information cards, I see each card as being representative of a persona. So, an entity (me) would have numerous personas. Each persona will likely have its own account, but the account seems to be something that doesn't need to be represented on this model.

I see "account" as a digital representation of a particular persona. But, that's melding "model world" with "implementation world". In the model, I think persona captures the idea that people (entities) will have subsets of information about themselves for various contexts. I know you said there was already a lot of discussion about accounts.

Each persona could have entitlements, roles, etc. I'm not sure why a sponsor would be relevant to this model? If the model is intended to illustrate the universe of information about an identity (an entity, its personas, and its entitlements), sponsor seems erroneous. Sponsor is important in the provisioning process, but is not part of the identity data itself.

I also don't get the difference between an entity and a subject. It seems to me that when you show the model in-line (when an entity is trying to access a resource), the entity is doing so AS A PARTICULAR PERSONA. Otherwise, there's no context for the policy decision point. So, it would be an instantiation of a persona that makes the request and the policy decision point would query the identity store for attributes and roles that relate to a particular persona. It wouldn't even know about the entity's other personas.

What do you think? Am I missing some of the terminology?

DIDW 2008

I saw, heard, and did a lot of interesting things this week at DIDW in Anaheim.

First, thank you Ping Identity for a good mid-week party at the HoB. (We should all publicly thank Ping and give them reason to continue hosting such events.)

We had a bloggers meet-up, though you won't hear too many others talk about that (maybe Ash). I did get to meet a number of folks who I've only previously met online. And I had many good conversations.

I heard more about the consulting (and other) capabilities of companies like Identropy, CoreBlox, and Optimal IdM – all worth a conversation if you need some Identity consulting help. And each has unique strengths. I wonder if you would all benefit from some kind of cooperative network rather than having the perception of competition. I'll have to think about that.

We gave away a lot of sticky eye balls. One became known as the eye in the sky.

I learned about important things like:

• The Identity Assurance Framework
• Marty's Identity Model
  (with which more of us should be helping)

And heard a lot of interesting discussions and tidbits, including:

• The US Treasury Dept transfers more than $1 Billion each day via PKI
• There seems to be consensus that enterprises will be affected by market forces on consumer identity and Web 2.0. ...perhaps TPS reports will be replaced by Twitter.
• Searching on "Identity Management" has declined throughout 2006, 2007, and 2008. My own research reveals that searching on "Microsoft", "Oracle" and "Active Directory" have all declined at a similar rate. So, it may mean nothing.
• One interesting case for synchronization vs. virtualization: If you front-end data that you don't own (and therefore can't control), you should replicate data and sync rather than using a totally virtual approach. It sounded like someone learned that the hard way.
• Not all Virtual Directories are created equal. I heard a panelist ask vendors for a feature that I know exists in at least two Virtual Directory products.
• Virtual Directories might be able to fill a gap in the real-time link between physical and logical security (grant access only when employee is swiped in).

On the flight back, a crazy thing happened. I heard a horrible scream outside the window of the airplane and when I looked outside, I saw something that seemed to be flying past us at a close distance. I quickly grabbed my camera and got a shot of it. (OK - you probably had to be at DIDW to appreciate that.) If you weren't, use this short waste of your time as inspiration to go check out Symplified and see what they're doing with SaaS-based Web Access Management. Pretty cool stuff. Their model removes a lot of the pain that gave Identity Management a bad name in its early days. And no, that's not Che.

I guess that's it for my DIDW update. For now.

Two Cool Security Technologies

Today, I came across this review of two very cool technologies working together. I unfortunately gave away my MXI USB device when I left RSA. I thought someone else at RSA might want to use it to help sell MXI's solution (which is why the folks at MXI gave it to me in the first place). So, I did the right thing. But if anyone at MXI wants to send me another, I'm available to receive it. It's biometric, encrypted, storage, RSA token, private browsing, and portable.

I haven't personally experimented with MojoPac, but I have played around with Moka5, which is similar. I setup the 2GB SanDisk USB device that was included in the participant package at the 2008 RSA Conference with a fully functional Linux desktop environment. Now, I just plug it in wherever I am and I have an office suite, browser, graphics editor, etc. in a secure and portable package.

Good stuff.

Sample A. Sample

I just got an email from my credit card company offering an indulgent golf getaway. It's a cross-marketed card from a hotel chain and financial org with points, rewards, etc.. The email was addressed to:

Sample A. Sample

I realize that was probably human error, but with all of the cross-brand marketing that's happening, it's a shame that they didn't look at my past history to see that:

- I don't golf very often (I've never used this card for anything Golf related)
- I spend most of my rewards points on electronics

We talk a lot about privacy, but there is some value in these two companies looking at the information I have already given them to provide a better product for me. At a minimum, though, get my name right.

Sincerely,
Sample A. Sample

89% of Security Incidents in 2007 Unreported

I've been saying for the past few years that most security breaches go unreported, but I had no hard data to back it up.  I just believed it by instinct and some anecdotal evidence.  Now, we have a survey to point to with supporting data that claims 89% of data leakage incidents in 2007 went unreported.  I've also talked a lot about non-malicious insider breaches which is listed as the #2 security challenge by respondents of this survey.  I haven't seen that question asked very often.  Interesting data points.  Data leakage, lost devices, insider threats continue to be a major concern (along with email attachments, malware and phishing).

Cyber-Ark Study: 88% of IT admins would steal

From the press release:

Of the 88 percent that said they would take valuable information with them, one third of devious IT administrators would take the privilege password list which would give them access to all the other sensitive and valuable documents and information such as financial reports, accounts, and HR records.

Also:

The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people's personal emails, board meeting minutes and other personal information that they were not privy to. They did this by using their privileged rights and administrative passwords to access information that is confidential or sensitive.

I guess if you're hiring an IT admin, you might ask if they participated in the Cyber-Ark study and if so, there's an 88% chance that you shouldn't hire them. I know the criticism about surveys like this, but is it really that hard to believe? Seems like human nature to me.

DIDW 2008 Bloggers Meet & Greet

We're on for a quick bloggers' meet and greet! If you blog on Digital Identity or want to say hello to those that do, please join us for this very informal event. I had a few suggestions to take the party upstairs, but we can play that by ear. This will just be a chance to put names with faces, shake some hands, and say hello.

WHEN
6pm Monday night during the Exhibit Reception

WHERE
Inside of the Exhibit in front of the main exhibit doors (near booth 102 and 103). 103 is one of two big 20x20 booths (Microsoft or Novell).

Thanks for all the responses! See you there!

Digital ID World - Bloggers Unite!

It looks like a number of you Identity bloggers will be at DIDW in Anaheim. Anyone up for a bloggers meet-up? ...maybe just a happy hour somewhere? ...or during one of the exhibit area receptions?

Ash?
Nishant?
Dave Kearns?
Jackson?
Mark Dixon?
Pamela?
Felix?
Ian Glazer?
Who else is going?

Let me know by leaving a comment or contact me directly.

[UPDATED 9/4 - details are here]

A few interesting Identity findings

User-Centric vs. Enterprise Identity

Dave Kearns offers a concise explanation of the core difference between user-centric identity and enterprise identity. His summary:

Enterprise-centric identity management is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form. User-centric identity is about keeping various parts of your online life totally separated so that they aren’t accessible and no report can be drawn.

I like the simplicity of this explanation. I think it really captures the essence of the difference in an understandable way.


Management Profile

In this article from ComputerWorld, the Director of IS, strategy and architecture at Universal Service Administrative Co. is profiled. He talks about his current project:

An IAM framework will allow for customer information of applicants and contributors to remain consistent across IT platforms while spanning new and legacy systems and applications. My goal is to have one authoritative repository for contributors' and applicants' access information that will be used in managing a secure access control infrastructure. I believe that identity and access management will become an underpinning technology that IT leaders need to address.

He goes on to say that Identity Management is the most critical technology of the year. It's nothing earth shattering, but I always give priority to real customer insights.


Interesting Service Offering

I've discussed the idea of outsourcing identity and managed identity services, but CoreBlox, a company founded by ex-Netegrity folks, have this posted in their service offerings:

Dedicated CA SiteMinder Support Professional

It's an interesting twist on managed identity services and one that I think would resonate with customers. I've known a number of companies who would've liked to just outsource the identity support role to someone who knows what they're doing -- without having to hire and without having to pay for a full-time resource who sits around waiting for something to go wrong. One of the things I like about this is that CoreBlox isn't trying to provide a support professional for any identity system. They're focused on the technologies that they know.

So, if you had a provisioning solution from Courion or SAP and Siteminder for Web Access, you might need to go to two different people or companies to get the right support. BUT - that focus on core expertise is a recipe for success (especially in a support role). And likely still more cost effective than hiring, training, and retaining someone to support these complex systems.

Criminal Data Loss

Seems like some people just aren't paying attention. Every time I think we've gotten past a point as an industry, someone proves me wrong. I would think by now we wouldn't be carrying very large highly confidential data sets on unencrypted USB sticks.

Can you imagine how the exposed data on 130,000 criminals will be used? I'm sure someone would find a way to monetize a list like that. I can see a few angles:

----

SUBJECT: WORK FROM HOME!!

Dear _____,

Why break into homes and cars when you can steal from the comfort of home?!? Try our latest web site phishing kit and collect credit card information from unsuspecting shoppers. No black ski masks, no up-front discovery work, and no commute!

----

Or maybe...

----

ATTN Hiring Manager:

Are you having trouble staffing up for your next big heist? Contact CriminalTemps where we can provide full or part time criminals. 100% no-police guarantee!!

Insider Threat: Crime of Opportunity

For the past few years, I've talked to many people about the insider threat. I don't spend too much time focused on the hardcore criminal element that plan an attack against their employer. I have mostly been thinking about the 35% of employees that claim they need to break policies in order to get their jobs done (see my post on Insider Threat - By the Numbers). And the unknown percentage of employees who break policies without being noticed (or in many cases without even knowing it).

A few days ago, security researcher Ira Winkler articulated one aspect of this very plainly.

Why is there a sudden epidemic of violations of sensitive personal information? The answer is, Because it’s there.

The scenario of an employee viewing sensitive information that they shouldn't be viewing is a fairly common example of real-world insider security breaches. While it won't likely lead to a $7 Billion loss, it could mean a failed audit, bad publicity, lost customers, or other lost business opportunities. In today's transparent business environment, it's only a matter of time before juicy information is made public. State Dept. employees were probably snooping on passport information for years before they found the 2008 presidential candidates. Then, it got out and became a news story.

Winkler goes on to note:

Anyone developing or maintaining information just better accept that their fellow workers will look at information and that they need to track and limit access. More importantly, they better look at their audit logs and specifically search for violations.

I agree. One of the scenarios I often run into is where administrators require access to files (in order to manage access) but they don't require access to the information within those files. A good example is the admin who controls access to HR files and has the ability to open offer letters containing salary and other personal information. To Winkler's point, if the capability is there, they will likely open the files to take a peek. After all, they have been explicitly granted access to those files in order to do their jobs. Doesn't that make it OK? No. And to Winkler's final point, the admin would probably exercise additional restraint if they knew that file access was being monitored.

Something Old and Something New

Eric Norlin provides some insight into what to do (related to identity management) in an economic slowdown:

Something Old:

"1. SSO and Password Reset: The facts are on the wall. If you can reduce the number of helpdesk calls for password reset, you're going to save a TON of money. You can do that through self-service modules, E-SSO, web sso, or even federation. Just do it."

Something New:

"2. Automating Compliance: This is a big one, and you probably won't get it done before the recession ends. However, the more you achieve automated compliance controls, the more big bucks you can save on manual audits. Throw everything from RBAC to de-provisioning into this bucket and then get started looking at what really will slice greenbacks soonest."

Password Reset and SSO have long been good entry points into Identity Management and also proven creators of cost reduction and efficiency.

Automated Compliance is a somewhat more recent phenomena that also yields cost reduction and efficiency. You may be wondering though how many companies are able to get to automated compliance without giving an arm and a leg to define requirements and processes that enable automated compliance. Might the initial effort might defeat the purpose of cost reduction?

One thing Eric wrote is probably key to that discussion – "the more you achieve automated compliance controls..." which to me means, let's not get caught up in the grand notion of automated compliance. Implement a few key automated controls that eliminate significant manual effort in the compliance audit process. And that will bring you cost reduction.

SaaS Eases Security Cost and Complexity

I first read an article in InformationWeek titled SaaS Makes A Run At Security and then found this very similar article by the same author online.

I've posted recently about identity as a service (be sure to check the comments and links if you visit that posting). But my day job dictates that I think more about identity reporting as a service. (intelligence around who has what access and what changes are being made).

One of the striking take-aways from the article is the Gartner estimate that by 2018, 85% of security intelligence will be offered as a service. I guess the words "offered as" seem to deflate the energy of the claim. I wonder what the estimates are for how much will be consumed as a service in 10 years.

In any case, I think the writer hits on the right points - cost and complexity. Especially for the mid-market (his target audience). I think (particularly in the mid-market) the simplification of key capabilities will outweigh the emotional hurdles that make SaaS a tough sell for security. Of course, actual security capabilities may remain a harder sell than security capabilities. That is, companies may be more willing to have managed identity reporting than managed provisioning.

I think mid-market security practitioners want their lives to be easier. They're not driven by the same concerns as large enterprises. What do you think?

Ouch

Dave Kearns calls my argument smoke and mirrors and labels it FUD. His argument is that the Global 2000 have more users and are therefore more important? Should their needs drive solutions for the mid-market?

Dave, I don't think the number of users is even relevant. What is relevant is the experience of those customer organizations and how they can meet their requirements. The number of infrastructures is more relevant than the number of end users in this discussion. I don't think a huge amount of them have a need or desire for multiple user directories. They seem to run off of AD and seem to prefer to have apps leverage AD instead of figuring out how to use a virtual directory (or metadirectory for that matter). Where is the FUD in that? Where is the smoke? What would be my motive to raise smoke and mirrors?

The discussion of how should Oracle build a product is very different than whether customers should consider metadirectory as an alternative. I think they should. I think there are still plenty of environments that could benefit from that approach. But I conceded Clayton's point -- if Oracle wants to build a virtual directory into it's suite to enable flexibility for customers, that's great. I just don't think a virtual directory is the answer to everything (and I spent a lot of time discussing the various use-cases that cry for one).

I would just hate to have people shy away from a good technology because some people say it's no good anymore. That doesn't make sense.

Ultimately, we might agree. Dave's conclusion is one that I've echoed over and over:

The need for, and uses of, virtual directories is growing and is still a few years away from peaking.

Let's just not declare something dead because it no longer seems cool to the in-crowd. It's OK to take a pragmatic approach to whatever challenge your organization is facing. That's my point.

Metadirectories: What's left to say?

If you haven't been following the flurry of conversation since my post last week stating that metadirectories aren't dead, well you're in luck. We couldn't have asked for a better recap of the conversation than the one provided by Ian Yip (although I think he gave Nishant a bum rap on this one).

There were so many different angles explored that I'm not really sure where to start or what's left for me to say.

• I'll restate that I see perfect use-cases for both metadirectory and virtual directory. Now and in the near future. In the far future, there will probably be better ways to achieve the same goals.


• Also, it sounded like Clayton took my comments to mean that "everyone needs to be using Active Directory for everything", which was (I think obviously) not the intent. My point is that although the top 500 or 1000 companies may have a number of directories for various strategic uses, there are probably 20x that number of companies that use only Active Directory as the central and primary user store because of it's network and email integration. And those companies might like for their application vendors to offer direct plug-in to AD as an option.
  
  Plugin to LDAP might be another good option and virtual directory technology would be a great enabler to incorporate various vendors, schemas and even relational databases through that single mechanism. But those mid-market companies probably would prefer not to take on the complexity of virtual directory (even if relatively simpler than writing numerous connections) if they could just use AD natively. And I think some percentage of the Fortune 1000 would see AD as strategic enough to ask the same as well.
  
  That's my guess based on a customer perspective as opposed to a software vendor's ideal state of architecture. And I don't think this is limited to companies who are 100% Microsoft shops. AD just has a very far reach and because it holds email in most of those companies it will already have an account for every employee, be available, etc..
  
  I don't think any of this should be seen as threatening to the role that stand-alone directories or meta- or virtual- directories play. The difference in viewpoint between me and Nishant & Clayton (if I can group them together) might be in the types of customers we've been talking to. There are still a ton of companies out there that aren't super-strategic about their Identity Management architecture. Or that just want a point solution because it fits the current business needs.

I think that's it. For now.

[UPDATE] - forgot one:

• Bavo, I wasn't requiring that the HR database is the primary source for account creation and status. I also wasn't telling you that the HR database should be the primary source for Identity information. (However, I think it's more true than you think.) I was stating a requirement (one that I've seen many times). HR has been deemed THE authoritative source for employee existence in a majority of the companies I've worked with. My experience seems to differ from yours. [That's at least interesting! ...and one of the reasons I blog – to engage with people that have different experiences.]
  
  Yes, companies struggle with getting HR updated for the employee's start date. But, I've actually seen more than one customer implement a complicated AD-to-HR-back-to-AD process to accommodate for the issue. One customer integrated the candidate review system into the provisioning system. I think the reason for HR being authoritative is usually for deprovisioning. They want a disabled HR account to ripple downward.
  
  I think what you call the IDM system assumes a provisioning solution with work flow and its own internal store. These are luxuries that are not always available. In my scenario, the cost and complexity of a provisioning solution is probably overkill based on the requirements. And that's my point. There are scenarios where the simplicity of a metadirectory are not only sufficient to meet the requirement but actually a bit more of an elegant way to meet the requirements.

OK, now I'm really done for the night.

What to Monitor in Active Directory

If you manage an Active Directory infrastructure, you probably know that you should be monitoring activity or data or something. But what exactly needs to be monitored? Well, as I say in my latest paper, there is no one-size-fits-all prescription for Active Directory monitoring. But, there are five items that carry particular interest. In this paper, I go into detail on each of the five – what needs to be monitored and why.

For many mid-market organizations, these five may cover 80% of security monitoring needs – especially for organizations that are strategic about their use of Active Directory. As the title says, it's strictly limited to Active Directory, so don't look for firewall logs or changes to virus protection files. There's a short excerpt here if you'd like to take a peek.

If you're a security or Identity Management consultant, feel free to contact me directly and I'll be happy to send you a copy.

...The 5 Most Critical Points for Active Directory Security Monitoring

Metadirectories Aren't Dead (They're Just Aging)

Nishant Kaushik updated his blog and one of his old posts showed up on PlanetIdentity reminding me of the recent discussions on metadirectories and virtual directories between him and others (Dave, Jackson, Kim).

Not that I want to pick a fight with any of these guys, but for anyone who thinks the metadirectory is dead, I have a simple (albeit a bit late) scenario for you.

There are three identity stores:

• An HR app built on a black-boxed Oracle DB
• A custom-built line of business app built on MySQL
• Active Directory

Requirements:

• The HR system needs to be authoritative for account creation and status.
• Active Directory needs to feed email address to the other apps upon creation (and occasional changes).
• Systems should be updated within 4 hours.

That's it. What do you think? Is a virtual directory the best solution to meet these needs?

I love virtual directory technology as much as the next guy (Hi Mark), but claiming that any technology is superior to another without a discussion of the specific requirements being met just doesn't seem to make sense. Companies, departments, and projects within departments have different needs.

I've said it before. They're just tools. So, when James McGovern asks what the role of virtual directory should be, I don't have an answer. There is no should in this discussion. Ian Yip had a similar pragmatic answer. And Nishant echoed with "the mantra should always be to choose the right tool that solves your problems". Exactly.

If the idea is simply to talk about what the future should look like, I think James hit on something. There has been a ground swell of apps that directly support Active Directory as the user store. So, maybe the next versions of the HR and LOB apps in the above scenario would attach directly to AD eliminating the need for any solution here. As prevalent as AD has become, that seems more likely than mass-consumption of virtual directory technologies. And it's probably what Jackson was alluding to (Quest enables *nix systems to leverage AD).

Another possibility is that apps will support SOA-based authentication and authorization, though that hasn't quite spread like wild fire quite yet.

Don't get me wrong – I don't think the need for virtual directory technologies will go away anytime soon, but I wouldn't be surprised if it never becomes a standard in the mid-market. And I don't think it'll ever completely replace metadirectory technologies.

Metadirectory may be aging, but hey, 50 is the new 30. It's not dead yet.

SaaS-ish Identity Management

Matt P wonders about the security and reliability of having identity managed as a service. The more I think about IdM as a service, the more I like it. A company might tell you that they are concerned about the security of having their critical IdM systems hosted by (or managed by) someone other than their own trusted "Active Directory guy". But, that same company probably wouldn't think twice about bringing in consultants to help out (who easily have access to plant code, create back doors, enable bad accounts, etc.).

I think most companies are already outsourcing IdM – they just do it on a project basis and therefore have the associated personnel continuity, troubleshooting, and learning curve issues. Not to mention customized hardware and software combinations that nobody has documented or even understands. Wouldn't it be better if the consultants that designed and implemented the IdM solution did it in a repeatable way that is easily understood, managed, and configurable or extensible to adapt to future requirements? And they just continue to manage it taking the burden off of you?

This model also helps with infrastructure reliability due to economies of scale and the value of having a known environment. Yes, the Internet could go down. But, the internal network could go down too. Or the server. Or the database. With a managed solution, someone else will have the economies of scale to ensure a higher up time probability and a quicker response time (if they do it right).

I don't think security or reliability is a good argument against buying into IdM as a service. Data can be encrypted. Admin activity can be monitored. Redundancy can be built-in.

I agree with Matt that "only firms that specialize in the IdM space will be able to be successful hosts." I'd rather see an IdM service company try to move to the SaaS model rather than a SaaS provider try to create an IdM offering. But the complexity, repeatability, and value of IdM seem to make it ripe for a service-based delivery model. What do you think?

The Bear Story

from this article:

...hikers walking in the back country of British Columbia round a corner and suddenly confront a 1,000-pound grizzly bear standing 8 feet tall in front of them. The hikers drop their packs and take off back down the trail running for their lives. One of the hikers says, “[pant, pant] This is crazy! [pant, pant] We can’t outrun a grizzly bear! [pant, pant] They can run 25 miles per hour and they can climb trees!” The other hiker responds, “[pant, pant] I don’t have to outrun the grizzly bear. [pant, pant] I just have to outrun [pant, pant] YOU.”

The point of the article is to get you thinking about security and why you should avoid being the low-hanging fruit for attackers.

It reinforced something I've been thinking about, which is base lining of security activity for companies. It would be cool to understand how your company matches up against others. I wonder if that could be useful input to compliance audits?

Value Adding Security to the ROI of Identity Management

Two months ago, I posted about the prospect of extending the ROI on provisioning. The post was inspired by conversations with many smart people and led to additional conversations (like this one) that helped formulate the ideas presented in an article that was published today at eBizQ titled Value Adding Security to the ROI of Identity Management.

The initial draft had a number of quotes, but the quotes didn't read well according to the editor who was concerned that a quote by anyone less famous than Gartner could appear biased. I see his point, but apologies to those who I had requested permission to quote and who might have been expecting to be a part of the article.

I hope the article clarifies what I meant by extending the ROI of provisioning. I led a round table discussion at a CSO conference recently on the topic and I'm not sure that the idea resonated immediately. The bottom line is that provisioning solutions can be augmented to become a true (secure) funnel for account management rather than just the preferred avenue.

Know what you're protecting against

You know that advertisement where the CEO (Todd Davis) gives out his social security number and tells you how secure it is because he uses his company's product to protect his identity information? Well, there have been 20 people who used his social security number to get a drivers license. And there was one "guy in Texas who duped an online payday loan operation last year into giving him $500 using Davis' Social Security number".

Today, I read a few articles (including this one and this one) that suggest that LifeLock should be chastised because it doesn't protect you against everything that one might think it should. My first reaction was to agree with the writers. I always knew there was no way for a product to protect your SSN against any or all unwanted uses. And they shouldn't claim it does. And ha ha for Mr. Davis' identity being compromised.

But, then I read Davis' rebuttal, "There's nothing on my actual credit report about uncollected funds, no outstanding tickets or warrants or anything" and I realized that this isn't really a case of a product not doing what it claims to do. It's a case of mis-aligned expectations about what a product can (or should) do.

It reminded me of all the times I've heard that some strong authentication technique isn't effective because it's susceptible to man-in-the-middle techniques. Sure it is, but that's the wrong problem. SSL was developed to solve that problem. There are certainly issues with SSL (mostly around user experience and education about how it works), but strong authentication is not the answer.

In the same way, there are problems with relying on SSN as authentication. And LifeLock won't protect against that. But, if it keeps your credit report clean, then maybe it's doing what it's supposed to. I haven't really followed the ads and I have no idea what the company promises its customers, but I thought I'd use this opportunity to remind you of the old cliche – there is no silver bullet. Analyze your risks and know which types of threats a security solution will be effective at protecting you against.

Correctly aligned expectations yield happy customers.

PCI Compliance and Network Segmentation

I spoke at a CSO Executive Seminar on PCI Compliance in January. During my talk, I put up a slide showing a PCI reference architecture and went through many of the various security components that could help lock down an infrastructure and mapped each to the related PCI requirements. I covered topics like authentication, access control, IDS/IPS, anti-virus, encryption, key management, policy management, change management, rights audit, user monitoring, and a few others.

Before I began with that slide, I gave a disclaimer that there are a few key techniques that I would not include in the reference. One was network segmentation. I hadn't heard others mention it before in reference to PCI, but as I was thinking about my talk and building the reference architecture, it occurred to me that segmentation would be a really useful way to reduce risk in an environment where credit cards are accepted. So, I mentioned it in passing as something that companies should think about in addition to what I had on the screen.

Today, I read this article, by Stephen Cobb, in which he discusses PCI compliance and pays specific attention to the topic of network segmentation. I thought it would be a nice supplement to my talk back in January. In retrospect, I might have spent a bit more time on that topic, but I really tried to cover a ton in a short time. So, if anyone from that audience is reading this... Or if you're looking to improve your security or your PCI compliance posture...

The SecurID Killer

I'm a fan of RSA's SecurID product. It's got a highly secure approach, nearly indestructible hardware form factor, lots of form factor options, tons of partners and coverage for apps, servers and devices, and a flawless track record. But the competition has been creeping up.

Some try a similar approach to RSA with key fobs displaying numbers or other hardware tokens:

ActivIdentity
Aladdin Knowledge Systems
EnTrust
CryptoCard
MyPW
SecureComputing
Vasco

Others have a software only approach:

AdmitOne (formerly BioPassword) - uses keystroke dynamics
Arcot - uses PKI
PassFaces - uses user's ability to remember human faces
PhoneFactor - uses mobile phone as the device

Some are biometric:

DigitalPersona
L-1

And they all have redeeming qualities. But many are susceptible to keystroke logger attacks (which are getting more and more sophisticated). Others are cheaply made hardware. Some just lack partnerships and market penetration.

But there's a new kid on the block. And it seems to be a very cool solution that may quickly become a force to be reckoned with. It's a very small form factor, seemingly very secure, extremely easy to use, requires no client software, inexpensive, and works on any platform.

Welcome YubiKey to the arena.

I'll let you figure out the details for yourself.

It won't allow you to converge a single credential for physical and logical access and it won't work across multiple systems (unless it's used with OpenID or something like that) and it won't serve as a single form factor for multiple uses (like signed email and remote VPN). But, it's a pretty cool new entrant to this arena. And that's a feat in itself.

Let me know if I missed your company and you'd like to be added to the list.

File System Audit

Anton Chuvakin of LogLogic posted today on some of the intricacies of Windows native file system audit. If you have a need for monitoring access or changes to files, beware of the do-it-yourself method. Chuvakin provides insight on some of the challenges.

One of the things that NetVision engineers brought to market long before I joined is a very slick file system monitoring solution. Slick mostly because you have extreme control over which events you want to capture. You can filter on server, folder, file, person acting, event type (read, create, modify, delete, ACL or attribute changes) – you can even specify times of day to activate a particular policy. And you can have different policies for different files or folders. You can also choose what to do when an event occurs. For some events, write it to a database or file. For others, send an email too or kick off another process. None of it relies on system logs and the reports are delivered in a nice web UI running on Crystal Reports. So the business people get relevant results without having to understand the tech stuff.

Some of our customers even use our filtering to narrow down the events that are then fed into an enterprise security event management or log management system (like LogLogic). It's File System audit made easy.

Improved Security on the Identity Infrastructure

I wanted to expand on my earlier post about Extending the ROI of Provisioning. Here's a visual aide to help the discussion:

There's nothing new in this illustration. It simply shows that the provisioning engine connects to multiple identity data stores. As we know, provisioning systems have the potential to do a very good job at providing work flow and business rules around creation and management of user accounts across multiple systems. They may even have some additional capabilities around Separation of Duties enforcement, user attestation, user self-service password management, reporting on rights (based on its view), and more.

The Gap

What it doesn't do, however, is protect the connected data stores against direct access. For example, the DBA still has direct access to the database and the Directory Administrator still has direct access to the directory. They can create new accounts, view information, and change permissions. The system may be able to see when new user accounts are created during its next scheduled run, but that capability isn't always enough. I'll give an example.

One of these LDAPs is not like the other

I purposely shaded the Network Directory so that it stands out from the others. That's because it is different. Since the market for the Network Directory consists almost entirely of just two vendors (Microsoft and Novell) and one has a much larger percentage of the market (Microsoft), I'll just use Microsoft's Active Directory (AD) as the example.

Now, back to the gaps:

• Scheduling: When provisioning systems connect to AD, the connection and sync processes are often scheduled. And AD has a time lag in replication (usually 15 minutes). S0, if the sync is done hourly against a particular DC, the total time that a new account may be in existence on a different DC without being noticed by the provisioning system is a little more than an hour. Can you do damage in an hour? I could create an account, make it a domain admin, log onto servers, change rights, access files, and remove my trail from the logs within an hour.


• Coverage Scope: The connection may be made to a particular portion of the AD tree. So, if you created an account in a portion of the tree that isn't monitored by the provisioning system, it wouldn't get picked up.


• Source: Some provisioning systems use AD as the source. So, in that scenario a new account in AD would potentially create accounts and/or rights across multiple other systems. So, by specifying rights or group memberships, an AD administrator could grant himself rights to other connected systems (perhaps in between attestation cycles).


• Account Type: Provisioning systems generally only look at user accounts based on object type. So, you could create an iNetOrgPerson instead of a User object.


• Activity Scope: Provisioning systems don't even try to monitor failed logon attempts or failed user creates at the local systems. They also don't watch file open activity or file changes. What if the provisioning system pulls a feed from a text file and someone modifies that file? There's no knowledge of activity other than a particular type of account being created.

All of these can be applied to other connected data stores as well. For example, scope is an issue for relational database tables. The provisioning system may only watch specific tables or may completely ignore local accounts in the RDBMS itself. Likewise, if AD is not the source, the HR database is likely the source which yields the same issue for the HR DBA.

Conclusion

My point isn't that provisioning systems are weak. They do what they do very well. But, you can improve the overall security posture of the environment by including localized protection on the connected data stores as well. Encrypt the database. Monitor DBA activity and Directory Administrator activity. Watch directories for failed attempts to create or modify accounts. Watch for failed authentication attempts. In a nutshell, ensure that accounts and permissions are being managed through the provisioning system into which you've built the business rules and work flow to ensure that rights are being managed effectively.

And if you have to respond to auditors for compliance reasons, you can say you're certain that accounts are only being created according to policy; instead of you hope that to be the case.

I've heard the argument that this might be overkill (admittedly an over-simplified characterization of the argument). OK. In some scenarios, maybe you don't need tighter security. You only care about work flow efficiency and cost cutting. Or you're OK with the level of improvement in your security posture that traditional user provisioning systems provide. I'm not saying that anyone should ignore the risk analysis process. But, if compliance is an issue and you want to prove compliance beyond reasonable doubt or just simplify the audit process, solutions that locally monitor the connected systems may provide value.

And if you can demonstrate that 100% of your user and rights management processes are funneled through the provisioning system with appropriate work flows, I think you could justify claiming a much improved ROI on the overall solution with minimal additional investment.

Disclaimer? Yes, NetVision can help with reporting and monitoring on your Network Directories (both major vendors) and related file systems. But that's no reason for me not to talk about it!

SAP Identity Management Consultant

Matt's back! Matt is an Identity Management consultant who had the pleasure of working with me at MaXware. (oops - should I have said that the other way around?) Matt has since went into the consulting world and MaXware has since been sold to SAP. SAP has a short white paper describing their SAP NetWeaver Identity Management capabilities. Matt is now focusing on providing Identity Management services to SAP customers. That sounds like a good place to be. If you're an SAP customer or an SAP consultancy looking for expertise in the old MaXware identity stack, you might want to introduce yourself to Mr. Pollicove and start reading his blog for interesting info on SAP identity issues (no pressure Matt). You can also look back in my archives (most of 2006) for more info and interesting uses of SAP's metadirectory, virtual directory and provisioning technologies.

I've spoken to at least two IdM consultancies who are considering building an SAP practice. I think it makes a lot of sense. If you're in this space or building an SAP identity practice, feel free to leave a comment here and let us know about it.

Digital Forensic Evidence Collector

I want to get me one of these. Microsoft provides law enforcement with a digital forensic evidence collector in the form of a USB thumb drive. And it's free. Maybe I'm out of touch, but I haven't heard of this before. Pretty cool.

Low Tech Breach

Probably could've been avoided with simple old manual deprovisioning. Or, even more likely – maybe they were using a shared account to access the system that held customer data.

Oh where
Oh where
Has my private data gone

And of course, this from a few days ago in Oklahoma.

Sometimes I think we assume that everyone in IT is reading the same books, articles and blogs as us. And they're not. Not even close. Whatever they're reading isn't about work.

Wow, what an endorsement

Thanks Trey. Remind me to put you on the payroll.