Friday, September 19

Identity-Based NAC or UTM

While walking the floor at Interop in NYC this week, I stopped to chat with the guys at the Cyberoam booth. Cyberoam sells a security appliance that delivers identity-based Unified Threat Management (UTM). Like most Network Access Control (NAC) devices, the solution grants and denies access to systems and resources based on the destination IP address and port. Typically, this is done at the network layer by enforcing policies keyed to the requesting machine's MAC address (laptop X is allowed to access application Y on server Z).

Cyberoam's messaging is that they are identity-based. This means that the appliance (the red box below) doesn't enforce policies strictly based on MAC address (the user's hardware). It is identity-aware in that it knows who is logged onto the desktop, verifies policies and access rights against the network directory (Microsoft's Active Directory, for example) and grants access to the user rather than to the machine. This is a level of protection and intelligence above purely hardware-driven NAC solutions.
I can't vouch for Cyberoam as a solution. I haven't used it and don't know more than was told to me in a five minute conversation. But, I immediately recognized a use-case scenario for NetVision.

If access to systems and assets across the network is based on data held within Active Directory, then you had better be able to monitor changes to that data (group memberships, user attributes, and the ACLs that control who may change them) and get immediate alerts when there's a policy breach. If it's true that 88% of IT admins would steal from their employers or snoop around the network, then an environment that puts the keys to the kingdom in the hands of the Active Directory administrators needs a comprehensive ability to audit and monitor administrative activity.

So, if you are a Cyberoam customer or if you have a similar NAC or UTM solution that relies heavily on the network directory, please let me know. Even if you're not interested in finding a monitoring solution, I'll buy you a cup of coffee and maybe lunch if you're willing to tell me about your environment, the business challenges, how it's going, what risks you see, etc.

Tuesday, September 16

Building a Central Identity Store

The folks at SECUDE Consulting, who are SAP ERM specialists, have an identity practice that focuses on (among other things) SAP NetWeaver Identity Management solutions (the former MaXware products). Matt P, part of SECUDE's IAM team, recently authored a white paper titled Strategies for Creating an Authoritative Store.

If you are building a provisioning system, deploying SAP NetWeaver Identity Management, or designing an enterprise identity store, you should review this paper. Matt discusses terminology like source repositories and target systems, discusses data join techniques, and introduces the concept of layering. The paper provides an overall road map for designing an enterprise identity store, which can be a critical component of a provisioning solution.

You can get a copy via the links or contact info in Matt's blog post about the paper.

Monday, September 15

Situational Awareness in Logs & Events

Anton Chuvakin put together a great list of reading on logs. Are they useful? Are they painful? And more. Included in the list is Michael Baum's brilliantly titled post Life after SIEM. Situational Awareness is next. Baum discusses SIEM technologies and the next evolution. I love his idea of bringing situational awareness into the equation. It's a great way to describe what happens when your monitoring solution does more than compile data. When it is intelligent.

At NetVision, one way we're working to achieve intelligent monitoring is to limit our scope to the core network platforms. This is where your employees authenticate each morning, and it is their entry point into the network. I see network authentication as the launchpad into the network: once you're in, you have potential access to systems and assets. In the real world, this usually means Microsoft Active Directory or Novell eDirectory (and their respective file systems). These core systems are incredibly strategic to overall information systems security, and I posit that they deserve more careful consideration than simple log scraping. Many of our customers agree; they feed our data into their enterprise SIEM or log management solution.

In many smaller organizations (SMEs), full-blown SIEMs and massive log management solutions may not be necessary. For them, full insight into the core network system (often Active Directory and Windows) provides answers to most of their security audit questions. This is especially true if Active Directory is considered strategic and is used by other systems for authentication or authorization (as is often the case with SharePoint). It is also true in environments that rely on Active Directory to feed accounts, attributes, or group memberships into a provisioning system.

To get back to the point, the more an organization leverages Active Directory strategically, the more valuable the concept of situational awareness can be within the monitoring solution. For us, it means having different business rules depending on event variables or policies that update in real time based on environmental changes.

I don't agree that SIEMs are dead. But organizations seem to want more than stockpiles of data. And it's extremely important to use context when processing events from core systems.
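To make the two ideas above concrete (monitoring changes to the directory data that other systems trust, and evaluating events against rules whose inputs change with the environment), here is a small added example. It is my own illustration, not NetVision's product code and not anything from the post. The event records and account, group and window names are constructed for the example; the only real identifiers are the Windows Security event IDs 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group). The "IAM Approvers" group as the source of the approved-admin list is an assumption of the example.

```python
"""Context-aware detection over Active Directory group-membership events.

Added example (not NetVision's code). Event field names, accounts, group
names and the change window are constructed for the example; the Windows
Security event IDs below are the only real identifiers.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

# Real Windows Security event IDs: member added to a security-enabled
# global (4728), local (4732) or universal (4756) group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}


@dataclass
class AdEvent:
    event_id: int
    when: datetime
    actor: str    # account that made the change
    group: str    # group whose membership changed
    member: str   # account that was added


@dataclass
class Policy:
    protected_groups: Set[str]
    approver_group: str                      # assumption: membership here = approved admin
    approved_admins: Set[str] = field(default_factory=set)
    window_start: time = time(22, 0)         # approved change window 22:00-06:00
    window_end: time = time(6, 0)            # (wraps midnight)

    def in_change_window(self, when: datetime) -> bool:
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end

    def observe(self, event: AdEvent) -> None:
        """Update policy state from the directory change itself, so later
        events are judged against the environment as it now is."""
        if event.event_id in GROUP_ADD_EVENTS and event.group == self.approver_group:
            self.approved_admins.add(event.member)


@dataclass
class Alert:
    severity: str
    reason: str
    event: AdEvent


def evaluate(event: AdEvent, policy: Policy) -> Optional[Alert]:
    """Rule set keyed to event variables: which group, who, and when."""
    if event.event_id not in GROUP_ADD_EVENTS:
        return None
    if event.group not in policy.protected_groups:
        return None  # routine membership change: keep the record, no alert
    if event.actor not in policy.approved_admins:
        return Alert("critical", f"{event.actor} is not an approved admin but "
                     f"added {event.member} to {event.group}", event)
    if not policy.in_change_window(event.when):
        return Alert("high", f"approved admin {event.actor} changed {event.group} "
                     f"outside the change window", event)
    return Alert("info", f"approved change by {event.actor}: "
                 f"{event.member} added to {event.group}", event)


def run(events: List[AdEvent], policy: Policy) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.when):
        alert = evaluate(ev, policy)   # judge under the policy as it stood
        if alert:
            alerts.append(alert)
        policy.observe(ev)             # then let the event update the policy
    return alerts


def sample_policy() -> Policy:
    return Policy(
        protected_groups={"Domain Admins", "Enterprise Admins", "Schema Admins",
                          "Administrators", "IAM Approvers"},
        approver_group="IAM Approvers",
        approved_admins={"CORP\\alice.admin"},
    )


def sample_events() -> List[AdEvent]:
    """Constructed events, in time order."""
    return [
        # alice (approved) adds bob to the approver group inside the window
        AdEvent(4728, datetime(2008, 9, 15, 23, 5), "CORP\\alice.admin", "IAM Approvers", "CORP\\bob.admin"),
        # bob, approved as of the previous event, changes Domain Admins at 10:00
        AdEvent(4728, datetime(2008, 9, 16, 10, 0), "CORP\\bob.admin", "Domain Admins", "CORP\\svc.backup"),
        # mallory (never approved) adds herself to Domain Admins
        AdEvent(4728, datetime(2008, 9, 16, 13, 30), "CORP\\mallory", "Domain Admins", "CORP\\mallory"),
        # helpdesk adds a user to a non-protected local group: no alert
        AdEvent(4732, datetime(2008, 9, 16, 14, 0), "CORP\\helpdesk", "Printer Users", "CORP\\carol"),
    ]


if __name__ == "__main__":
    for a in run(sample_events(), sample_policy()):
        print(f"[{a.severity:8}] {a.event.when:%Y-%m-%d %H:%M} {a.reason}")
```

The point of `observe` is the "policies that update in real time" idea: the first event both triggers a rule (a protected group changed) and changes the environment (bob is now an approved admin), so the second event is scored as an out-of-window change by an approved admin rather than as an unauthorized one. A plain log scraper would emit the same three "member added" lines with no difference in severity.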

Understanding the Identity Reference Model

I mentioned that Marty and others are working on an Identity Reference Model. I came to the conversation late and am trying to understand the progress they've made so far so I might be able to contribute to the discussion. Marty's latest post adds context around what they're trying to do. My original reply to this post was via email, but so that others can read along, I'm providing the email content below (Marty is the "you" I refer to).

--

The context you provided is helpful. It gives me an idea of what you are intending to accomplish, which is a model for identifying identity data, right?

So, this isn't about modeling the authentication process or provisioning process. This is just about identifying the types of information that are used to represent an identity. Correct?

I'm still unclear about the differences between entity, subject, persona, and account. The way I see it, a "persona" is like a mask (or character being played by an actor). So, if I am an "entity", I could have multiple "personas" and would use each based on situational context. In our current-day real-world, personas tend to manifest themselves as "user accounts". With information cards, I see each card as being representative of a persona. So, an entity (me) would have numerous personas. Each persona will likely have its own account, but the account seems to be something that doesn't need to be represented on this model.

I see "account" as a digital representation of a particular persona. But, that's melding "model world" with "implementation world". In the model, I think persona captures the idea that people (entities) will have subsets of information about themselves for various contexts. I know you said there was already a lot of discussion about accounts.

Each persona could have entitlements, roles, etc. I'm not sure why a sponsor would be relevant to this model? If the model is intended to illustrate the universe of information about an identity (an entity, its personas, and its entitlements), sponsor seems erroneous. Sponsor is important in the provisioning process, but is not part of the identity data itself.

I also don't get the difference between an entity and a subject. It seems to me that when you show the model in-line (when an entity is trying to access a resource), the entity is doing so AS A PARTICULAR PERSONA. Otherwise, there's no context for the policy decision point. So, it would be an instantiation of a persona that makes the request and the policy decision point would query the identity store for attributes and roles that relate to a particular persona. It wouldn't even know about the entity's other personas.

What do you think? Am I missing some of the terminology?

Friday, September 12

DIDW 2008

I saw, heard, and did a lot of interesting things this week at DIDW in Anaheim.

First, thank you Ping Identity for a good mid-week party at the HoB. (We should all publicly thank Ping and give them reason to continue hosting such events.)

We had a bloggers meet-up, though you won't hear too many others talk about that (maybe Ash). I did get to meet a number of folks who I've only previously met online. And I had many good conversations.

I heard more about the consulting (and other) capabilities of companies like Identropy, CoreBlox, and Optimal IdM – all worth a conversation if you need some Identity consulting help. And each has unique strengths. I wonder if you would all benefit from some kind of cooperative network rather than having the perception of competition. I'll have to think about that.

We gave away a lot of sticky eye balls. One became known as the eye in the sky.

I learned about important things like:
And heard a lot of interesting discussions and tidbits, including:
  • The US Treasury Dept transfers more than $1 Billion each day via PKI
  • There seems to be consensus that enterprises will be affected by market forces on consumer identity and Web 2.0. ...perhaps TPS reports will be replaced by Twitter.
  • Searches for "Identity Management" declined throughout 2006, 2007, and 2008. My own research reveals that searches for "Microsoft", "Oracle" and "Active Directory" have all declined at a similar rate. So, it may mean nothing.
  • One interesting case for synchronization vs. virtualization: If you front-end data that you don't own (and therefore can't control), you should replicate data and sync rather than using a totally virtual approach. It sounded like someone learned that the hard way.
  • Not all Virtual Directories are created equal. I heard a panelist ask vendors for a feature that I know exists in at least two Virtual Directory products.
  • Virtual Directories might be able to fill a gap in the real-time link between physical and logical security (grant access only when employee is swiped in).
On the flight back, a crazy thing happened. I heard a horrible scream outside the window of the airplane and when I looked outside, I saw something that seemed to be flying past us at a close distance. I quickly grabbed my camera and got a shot of it. (OK - you probably had to be at DIDW to appreciate that.) If you weren't, use this short waste of your time as inspiration to go check out Symplified and see what they're doing with SaaS-based Web Access Management. Pretty cool stuff. Their model removes a lot of the pain that gave Identity Management a bad name in its early days. And no, that's not Che.

I guess that's it for my DIDW update. For now.

Two Cool Security Technologies

Today, I came across this review of two very cool technologies working together. I unfortunately gave away my MXI USB device when I left RSA. I thought someone else at RSA might want to use it to help sell MXI's solution (which is why the folks at MXI gave it to me in the first place). So, I did the right thing. But if anyone at MXI wants to send me another, I'm available to receive it. It offers biometric authentication, encrypted storage, an RSA token, private browsing, and portability.

I haven't personally experimented with MojoPac, but I have played around with Moka5, which is similar. I set up the 2GB SanDisk USB device that was included in the participant package at the 2008 RSA Conference with a fully functional Linux desktop environment. Now, I just plug it in wherever I am and I have an office suite, browser, graphics editor, etc. in a secure and portable package.

Good stuff.

Sample A. Sample

I just got an email from my credit card company offering an indulgent golf getaway. It's a cross-marketed card from a hotel chain and financial org with points, rewards, etc. The email was addressed to:

Sample A. Sample

I realize that was probably human error, but with all of the cross-brand marketing that's happening, it's a shame that they didn't look at my past history to see that:

- I don't golf very often (I've never used this card for anything Golf related)
- I spend most of my rewards points on electronics

We talk a lot about privacy, but there is some value in these two companies looking at the information I have already given them to provide a better product for me. At a minimum, though, get my name right.

Sincerely,
Sample A. Sample

Saturday, September 6

89% of Security Incidents in 2007 Unreported

I've been saying for the past few years that most security breaches go unreported, but I had no hard data to back it up. I just believed it by instinct and some anecdotal evidence. Now, we have a survey to point to with supporting data that claims 89% of data leakage incidents in 2007 went unreported. I've also talked a lot about non-malicious insider breaches, which is listed as the #2 security challenge by respondents of this survey. I haven't seen that question asked very often. Interesting data points. Data leakage, lost devices, and insider threats continue to be a major concern (along with email attachments, malware and phishing).

Thursday, September 4

Cyber-Ark Study: 88% of IT admins would steal

From the press release:
Of the 88 percent that said they would take valuable information with them, one third of devious IT administrators would take the privilege password list which would give them access to all the other sensitive and valuable documents and information such as financial reports, accounts, and HR records.
Also:
The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people's personal emails, board meeting minutes and other personal information that they were not privy to. They did this by using their privileged rights and administrative passwords to access information that is confidential or sensitive.
I guess if you're hiring an IT admin, you might ask if they participated in the Cyber-Ark study and if so, there's an 88% chance that you shouldn't hire them. I know the criticism about surveys like this, but is it really that hard to believe? Seems like human nature to me.

DIDW 2008 Bloggers Meet & Greet

We're on for a quick bloggers' meet and greet! If you blog on Digital Identity or want to say hello to those that do, please join us for this very informal event. I had a few suggestions to take the party upstairs, but we can play that by ear. This will just be a chance to put names with faces, shake some hands, and say hello.

WHEN
6pm Monday night during the Exhibit Reception

WHERE
Inside of the Exhibit in front of the main exhibit doors (near booth 102 and 103). 103 is one of two big 20x20 booths (Microsoft or Novell).

Thanks for all the responses! See you there!