<p><b>Matt Flynn: Information Security | Identity & Access Mgmt.</b> Security for the Digital Transformation: Cloud, Data, Identity & Access. By Matt Flynn (http://www.blogger.com/profile/09902381553517250020). Feed last updated 2024-03-06.</p>

<p><b>Introducing OCI IAM Identity Domains</b> (2021-11-30)</p><p style="margin-bottom: 8px;">A little over a year ago, I switched roles at Oracle and joined the Oracle Cloud Infrastructure (OCI) Product Management team working on Identity and Access Management (IAM) services. It's been an incredibly interesting (and challenging) year leading up to our release of <a href="https://www.oracle.com/security/cloud-security/identity-cloud/" target="_blank">OCI IAM identity domains</a>. </p><p style="margin-bottom: 8px;">We merged an enterprise-class Identity-as-a-Service (IDaaS) solution with our OCI-native IAM service to create a cloud platform IAM service unlike any other. We encountered numerous challenges along the way that would have been much easier if we allowed for customer interruption. But we had a key goal to not cause any interruptions or changes in functionality to our thousands of existing IDaaS customers. It's been immeasurably impressive to watch the development organization attack and conquer those challenges.</p><p style="margin-bottom: 8px;">Now, with a few clicks from the OCI admin console, customers can create self-contained IDaaS instances to accommodate a variety of IAM use-cases. And this is just the beginning. The new, upgraded OCI IAM service serves as the foundation for what's to come. 
And I've never been more optimistic about Oracle's future in the IAM space.</p><p style="margin-bottom: 8px;">Here's a short excerpt from our blog post <a href="https://blogs.oracle.com/cloudsecurity/post/introducing-oci-iam-identity-domains" target="_blank">Introducing OCI IAM Identity Domains</a>:</p><blockquote><p style="margin-bottom: 8px;">"Over the past five years, Oracle Identity
Cloud Service (IDCS) has grown to support thousands of customers and
currently manages hundreds of millions of identities. Current IDCS
customers enjoy a broad set of Identity and Access Management (IAM)
features for <strong>authentication</strong> (federated, social, delegated, adaptive, multi-factor authentication (MFA)), <strong>access management</strong>, manual or automated <strong>identity lifecycle and entitlement management</strong>, and <strong>single sign-on</strong> (SSO) (federated, gateways, proxies, password vaulting).</p>
<p>In addition to serving IAM use cases for workforce and consumer
access scenarios, IDCS has frequently been leveraged to enhance IAM
capabilities for <a href="https://www.oracle.com/cloud/" target="_blank"><strong>Oracle Cloud Infrastructure</strong></a> (OCI) workloads. The <strong><a href="https://www.oracle.com/security/cloud-security/identity-cloud/" target="_blank">OCI Identity and Access Management (OCI IAM)</a></strong>
service, a native OCI service that provides the access control plane
for Oracle Cloud resources (networking, compute, storage, analytics,
etc.), has provided the IAM framework for OCI via authentication, access
policies, and integrations with OCI security approaches such as <strong><a href="https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm" target="_blank">compartments and tagging</a></strong>.
OCI customers have adopted IDCS for its broader authentication options,
identity lifecycle management capabilities, and to provide a seamless
sign-on experience for end users that extends beyond the Oracle Cloud.</p>
<p>To better address Oracle customers’ IAM requirements and to simplify
access management across Oracle Cloud, multi-cloud, Oracle enterprise
applications, and third-party applications, Oracle has merged IDCS and
OCI IAM into a single, unified cloud service that brings all of IDCS’
advanced identity and access management features natively into the OCI
IAM service. To align with Oracle Cloud branding, the unified IAM
service will leverage the OCI brand and will be offered as <strong>OCI IAM.</strong> Each instance of the OCI IAM service will be managed as <strong>identity domains</strong> in the OCI console."</p></blockquote><p style="text-align: left;"><a href="https://blogs.oracle.com/cloudsecurity/post/introducing-oci-iam-identity-domains" target="_blank">Learn more about OCI IAM identity domains</a></p>

<p><b>Bell Labs, the Colonial Pipeline and Multi-Factor Authentication (MFA)</b> (2021-06-09)</p><p class="MsoNormal"><i>A simple technology invented by Bell Labs over 20
years ago (and widely used today) could have prevented the Colonial Pipeline attack.</i></p>
<p class="MsoNormal">In 1880, the French government awarded Alexander Graham Bell
roughly the equivalent of $300K as a prize for inventing the telephone. He used
the award to fund the research laboratory that became colloquially known as
Bell Labs. If you’re not familiar with Bell Labs, you should be. In the 140+ years
that followed, researchers at <a href="https://www.bell-labs.com/">Bell Labs</a>
invented radio astronomy, transistors, lasers, solar cells, information theory,
and UNIX, just to name a few of the many accomplishments. Among the many
prestigious <a href="https://www.bell-labs.com/about/awards/">awards</a>
granted to Bell Labs researchers are nine Nobel prizes and twenty-two IEEE
Medals of Honor.</p>
<p class="MsoNormal">In 1998, I joined <a href="https://about.att.com/sites/labs_research">AT&T Labs</a>, which was a
research group that the company retained when they spun out most of Bell Labs
to Lucent Technologies in 1996. I was a Web Application developer; one of the
least technical roles in the Labs. If I ever thought for a moment that I knew technology,
I was quickly humbled when I built an app that tracked the Labs' <i>actually</i> <i>important</i>
projects. The experience of working in the Labs stuck with me in the form of humility
and curiosity. I accepted that I may never be the foremost expert in any given technology
and I assumed the mindset of a forever student. Even today, I constantly question
what I think I know because there are always holes in my knowledge or perspectives
that I haven’t seen.</p>
<p class="MsoNormal">1998 was the same year that researchers at AT&T Labs were issued a patent (filed in 1995) for
what became known in our industry as Multi-Factor Authentication (MFA). As a Product
Manager at a tech firm, I don’t review patents for legal reasons. But I recently saw an excerpt
of the abstract for the AT&T patent and there was one line that I found entertaining:
“<i>A preferred method of alerting the customer and receiving a confirmation to
authorize the transaction back from the customer is illustratively afforded by
conventional two-way pagers.</i>” Not much has changed in 23 years. Pagers have
been largely replaced by SMS but text messaging through the telecom provider’s
network remains one of the most popular delivery mechanisms for MFA (despite some
<a href="https://www.nist.gov/blogs/cybersecurity-insights/questionsand-buzz-surrounding-draft-nist-special-publication-800-63-3">potential
security flaws</a>). </p><p class="MsoNormal">I have no personal insight into AT&T’s
motivations at the time, but I read Kevin Mitnick’s book a few years ago (<a href="https://www.mitnicksecurity.com/ghost-in-the-wires">Ghost in the Wires</a>)
and can’t help but wonder if AT&T was at the forefront of developing
security technologies because they were such a target of hackers for so many years. I also reached out to Steve Greenspan, one of the inventors named in the patent, to get his thoughts on the project. He noted:<br /></p><p class="MsoNormal" style="margin-left: 40px; text-align: left;">"<i>Two-way pagers had just come out (1994-1995), and our cybersecurity
friends were debating whether quantum computing would undermine
password-based security. The goal was to explore business applications for
two-way pagers and to put humans in-the-loop for secure access."</i> <br /></p><p class="MsoNormal">Quantum computing is a pretty interesting business driver for MFA, especially in the mid-1990s. The concern is even more relevant today as we inch closer to quantum computing becoming a practical reality. Today's authentication systems <i>should</i> store password data in non-reversible hashes (theoretically preventing the quantum threat), but it's clear that credentials are being stolen all the time (often via large databases that are just left unprotected) and MFA remains a top solution to mitigate the damage. Steve and team were clearly on the right track when they dreamed up out-of-band authentication and deserve some credit and recognition for the foresight.<br /></p><p class="MsoNormal">You may be wondering how this relates to the pipeline attack
that led to fuel shortages across the U.S. East Coast. Bloomberg <a href="https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password">reported</a>
that the Colonial Pipeline, which is the largest fuel pipeline in the country,
was taken down by a single compromised password. That should never happen given the variety of tools available to limit and control access, starting with MFA – a
relatively simple solution that would likely have prevented the attack. The
entry point to the system was a Virtual Private Network (VPN) account. If you’re using a VPN and expose anything
sensitive inside the VPN, you should implement strong authentication that includes
at least two authentication factors (something you know, something you have, something you are). These are widely available technologies
that are very effective against lost or stolen credentials.</p>
<p class="MsoNormal">Of course, authentication isn’t the end of the story. Today’s
widely distributed and highly dynamic environments require multiple layers of
security. We all know how popular email and phishing attacks have become. It only
takes one person inside a network to open an email, click a link, or logon to a
phishing site to give an adversary a foothold in the network. We have to assume
that will happen and build layers of strong security between any one user and
the potential targets.</p>
<p class="MsoNormal">To illustrate the point, here’s a quick example:</p>
<p class="MsoNormal" style="margin-left: 0.5in;"><i>Grocery stores that sell small, high-value
items have traditionally struggled with theft. (Ask me over a beer sometime about how I helped take down a recurring thief when I worked at a grocery store.) If the only answer was to authenticate
users (check ID) on the way into the store, it wouldn't be enough. Once inside, someone
can still pocket items and walk out without paying. If you walk into a
grocery store today, you’ll see cameras in the healthcare aisle where small, expensive
medications line the shelves. But that’s not enough either. Each item is also
locked in an anti-theft device that’s removed at the register. And some items
are found in a locked cabinet that requires employee assistance. Theft still
happens, but each layer reduces the risk. Our IT environments are much more
complicated in terms of the various pathways to theft and our responses to
reduce risk typically require more than a few layers of security.</i></p>
<p class="MsoNormal">Sensitive data should only be stored in a secure area of the
network with access controls and <i>Least Privilege</i> enforcement. Access
should be limited to specific hosts or networks. Data should be encrypted (inside
the file when possible - so if the file is stolen, the data is still unusable). There
should be strong authentication to get into the network and monitoring of all
activity. There should be alerts on unusual behavior and Data Loss Prevention
(DLP) to evaluate the sensitivity of data moving across the network. The environment
should be scanned regularly for vulnerabilities and misconfigurations. And on
and on. Any one of these security mechanisms alone is not enough. This multi-layered
approach to security is critical in developing a strong security posture that minimizes
risk.</p>
<p class="MsoNormal">We could argue about where to start or which security
controls are most important. But, it seems like a no-brainer to implement MFA
for employees accessing corporate data and applications. Microsoft, which deals
with 300 million fraudulent sign-in attempts daily, <a href="https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/">concluded</a>
that “<i>MFA can block over 99.9 percent of account compromise attacks.”</i>
That sounds about right. While targeted attacks have increased in prevalence, most
attacks are not targeted at specific companies or individuals. Most start with automated
scripting or broad-scale phishing attacks that span across potentially thousands
of companies and/or millions of people at the same time. When a foothold is found
(a script finds a vulnerability or an open port, a user enters credentials into
the phishing site, etc.), the attack begins. Implementing a few simple security technologies
like automated vulnerability scanning and MFA can prevent most attacks before
they begin. Even if a sophisticated phishing attack succeeds despite MFA, the
credentials will not be very useful beyond the initial session (which should be
limited in scope by other controls).</p>
<p class="MsoNormal">No single technology will solve all cybersecurity problems.
But, implementing MFA is low-cost, easy-to-implement, and highly effective. It
may even make life easier for end-users. Password requirements can be loosened because
there’s less risk associated with cracked passwords. And there are numerous implementations
of passwordless authentication that, while they may not always meet the strict
definition of MFA, provide similar (sometimes higher) levels of security as MFA
without requiring a password. Combined with context-aware adaptive security (that
verifies device, network, location, time-of-day, etc.), these passwordless
authentication options may provide the right level of balance between security
and user experience. At this point, this isn’t scare tactics or FUD. Attacks on national infrastructure or other high-profile targets can impact the lives of millions with a single execute
command. MFA is an easy layer to add to improve security and it’s
commonly included with authentication solutions, so there’s really no excuse.
It’s time to get it done.</p>
<p class="selectionShareable" style="text-align: left;"><b>Comprehensive Identity-as-a-Service (IDaaS): Protect all your apps with cloud access management</b> (2021-02-08)</p>
<p class="selectionShareable" style="text-align: left;"><span style="font-weight: normal;">
Over a decade ago, the need for quicker SaaS onboarding led to Siloed IAM for early IDaaS adopters. For many, IDaaS evolved to a Hybrid IAM approach. Today, Oracle’s IDaaS provides comprehensive coverage for enterprise apps. </span></p><p class="selectionShareable" style="text-align: left;"><span style="font-weight: normal;">"IDaaS has matured quite a bit over the last several years and no longer relies as much on SAML or pre-built app templates.
Today, Oracle <a href="https://www.oracle.com/security/cloud-security/identity-cloud/" target="_blank">Identity Cloud Service</a> helps manage access to virtually any enterprise target. To accomplish that, we’ve introduced several technical approaches to bringing more applications into the IDaaS fold with less effort. These approaches, combined, provide the easiest path toward enabling the service to manage access for more systems and applications."</span></p><p class="selectionShareable" style="text-align: left;"><span style="font-weight: normal;">Read more on the <a href="https://blogs.oracle.com/cloudsecurity/">Oracle Cloud Security Blog</a> > </span><span style="font-weight: normal;"><a href="https://blogs.oracle.com/cloudsecurity/comprehensive-identity-as-a-service-idaas-protect-all-your-apps-with-cloud-access-management">Comprehensive Identity-as-a-Service (IDaaS): Protect all your apps with cloud access management</a>.</span></p>

<p><b>Oracle Strengthens Interoperability and User Experience with General Availability of FIDO2 WebAuthn Support for Cloud Identity</b> (2020-12-22)</p><p>"Given the distributed nature of today’s technology environment, zero trust has become the standard for security. Every interaction must be authenticated and validated for every user accessing every system or application every time. To that end, interoperability is more important than ever. 
FIDO2 Web Authentication (WebAuthn) is quickly emerging as an important interoperability standard that enables users to select and manage an authenticator of their own (security keys, or built-in platform authenticators, such as a mobile device) that works with their web browser of choice (Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, etc.) for secure access to any websites or applications that support the WebAuthn standard."</p><p>"Oracle is happy to announce the general availability of FIDO2 WebAuthn for our cloud identity service. This means that websites and applications that are protected by Oracle can enable their audience of users to authenticate with FIDO2 authenticators for multi-factor authentication (MFA) as well as passwordless authentication. This simplifies the user experience and may reduce the number of authenticators that users need to access the variety of web applications they interact with on a regular basis. Ultimately, this gives users more choice, more control, and a frictionless user experience."</p><p><span style="font-weight: normal;">Read more on the <a href="https://blogs.oracle.com/cloudsecurity/">Oracle Cloud Security Blog</a> > </span><span style="font-weight: normal;"><a href="https://blogs.oracle.com/cloudsecurity/oracle-strengthens-interoperability-with-fido2-webauthn-support-for-cloud-identity">Oracle Strengthens Interoperability and User Experience with General Availability of FIDO2 WebAuthn Support for Cloud Identity</a>.</span></p>

<p><b>Modernization of Identity and Access Management</b> (2020-11-24)</p><p>From the <a href="https://blogs.oracle.com/cloudsecurity/modernization-of-identity-and-access-management">Oracle IAM blog</a>:</p><p>"Oracle has been in the IAM business for more than 20 years and we’ve seen it all. 
We’ve addressed numerous IAM use-cases across the world’s largest, most complex organizations for their most critical systems and applications. We’ve travelled with our customers through various highs and lows. And we’ve experienced and helped drive significant technology and business transformations. But as we close out our second decade of IAM, I’m too distracted to be nostalgic. I’m distracted by our IAM team’s enthusiasm for the future and by the impact we’ll have on our customers’ businesses in the decade to come. Central to that is the focus to respect our customer's identity and access journey and meet them with solutions that fit their individual needs."</p>

<p><b>Addressing the Cloud Security Readiness Gap</b> (2020-08-24)</p><p>Cloud security is about much more than security functionality. The top cloud providers all seem to have a capable suite of security features and most surveyed organizations report that they see all the top cloud platforms as generally secure. So, why do 92% of surveyed organizations still <a href="https://www.oracle.com/cloud/cloud-threat-report/" target="_blank">report</a> a cloud security readiness gap? They’re not comfortable with the security implications of moving workloads to cloud even if they believe it’s a secure environment and even if the platform offers a robust set of security features. </p><p>Two contributing factors to that gap include:</p><ul style="text-align: left;"><li>78% reported that cloud requires different security than on-prem. 
With security skills in short supply, the ability to quickly ramp up on a new architecture and a new set of security capabilities can certainly slow progress.</li><li>Only 8% of respondents claimed to fully understand the cloud security shared responsibility model; the rest don’t even know what they’re responsible for, never mind how to implement the right policies and procedures, hire the right people, or find the right security technologies.</li></ul><p>I recently posted about how Oracle is addressing the gap on the <a href="https://blogs.oracle.com/cloudsecurity/dao-research-examines-how-oracle-is-addressing-the-cloud-security-readiness-gap" target="_blank">Oracle Cloud Security blog</a>. There's a link in the post to a new whitepaper from Dao Research that evaluates the cloud security capabilities offered by Amazon AWS, Google Cloud Platform, Microsoft Azure, and Oracle Cloud Infrastructure.</p><p>Oracle took some criticism for arriving late to the game with our cloud infrastructure offering. But, several years of significant investments are paying off. Dao's research concludes that “<i>Oracle has an edge over Amazon, Microsoft, and Google, as it provides a more centralized security configuration and posture management, as well as more automated enforcement of security practices at no additional cost. This allows OCI customers to enhance overall security without requiring additional manual effort, as is the case with AWS, Azure, and GCP.</i>”</p><p>A key take-away for me is that sometimes, the competitive edge in security is delivered through simplicity and ease of use. We've <a href="https://www.schneier.com/news/archives/2012/12/complexity_the_worst.html" target="_blank">heard</a> over and over for several years that complexity is the enemy of security. 
If we can remove human error, bake in security by default, and automate security wherever possible, then the system will be more secure than if we're relying on human effort to properly configure and maintain the system and its security.</p><p><a href="https://blogs.oracle.com/cloudsecurity/dao-research-examines-how-oracle-is-addressing-the-cloud-security-readiness-gap" target="_blank">Click here to check out the post and the Dao Research whitepaper</a>.</p>

<p><b>Improve Security by Thinking Beyond the Security Realm</b> (2018-10-15)</p><p>It used to be that dairy farmers relied on whatever was growing in the area to feed their cattle. They filled the trough with vegetation grown right on the farm. They probably relied heavily on whatever grasses grew naturally and perhaps added some high-value grains like barley and corn. Today, with better technology and knowledge, dairy farmers work with nutritionists to develop a personalized concentrate of carbohydrates, proteins, fats, minerals, and vitamins that gets added to the natural feed. The result is much healthier cattle and more predictable growth.<br />
<br />
We’re going through a similar enlightenment in the security space. To get the best results, we need to fill the trough that our Machine Learning will eat from with high-value data feeds from our existing security products (whatever happens to be growing in the area) but also (and more precisely for this discussion) from beyond what we typically consider security products to be.</p><p>In the post, I make the case that "we shouldn’t limit our security data to what has traditionally been in-scope for security discussions" and how understanding <i>Application Topology</i> (and feeding that knowledge into the security trough) can help reduce risk and improve security.</p><p>
Here's an excerpt:</p><p>We’re all guilty of thinking myopically at times. It’s easy to get
caught up thinking about the objects in our foreground and to lose our
sense of depth. We forget about the environment and the context and we
focus too narrowly on some singular subject. It’s not always a bad
thing. Often, we need to focus very specifically to take on challenges
that would otherwise be too big to address. For example, security
professionals spend a lot of time thinking about specific attack vectors
(or security product categories). And each one perhaps necessarily
requires a deep level of focus and expertise. I’m not arguing against
that. But I’d like to suggest that someone on the team should expand
their focus to think about the broader environment in which cyberattacks
and security breaches take place. When you do, I suspect that you’ll
find that there are data points from outside of the typical security
realm that, if leveraged correctly, will dramatically improve your
ability to respond to threats within that realm.</p>
<p>I posted recently about the importance of <u><strong><a href="https://blogs.oracle.com/cloudsecurity/convergence-security" target="_blank">convergence</a></strong></u>
(of security functionality). I noted that “Security solutions are
evolving toward cloud, toward built-in intelligence via Machine
Learning, and toward unified, integrated-by-design platforms.” I went on
to suggest that forward-looking security platforms are autonomous and
operate with minimal human intervention. I believe that’s where we’re
heading. But to better enable <em>machine learning</em> and <em>autonomous security</em>,
we need to feed as much relevant data as possible into the system. We
need to feed the machine from an expanding trough of data. And with
Internet scale as an enabler, we shouldn’t limit our security data to
what has traditionally been in-scope for security discussions.</p>
<p>As an example, I’m going to talk about how understanding <em>Application Topology</em> (and feeding that knowledge into the security trough) can help reduce risk and improve your security posture.</p>
<p><strong>What is Application Topology?</strong></p>
<p>As you likely know, modern applications are typically architected
into logical layers or tiers. With web and mobile applications, we’ve
traditionally seen a presentation layer, an application or middleware
tier, and a backend data tier. With serverless compute and cloud
microservice architectures, an application’s workload may be even more
widely distributed. It’s even common to see core application functions
being outsourced to third parties via the use of APIs and open
standards. Application Topology understands all the various parts of an
application and how they’re interrelated. Understanding the App Topology
means that you can track and correlate activity across components that
may reside in several different clouds.</p>
<p><strong>How does Application Topology impact security?</strong></p>
<p>Consider an application that serves a package delivery service. It
has web, mobile, and API interfaces that serve business line owners,
delivery drivers, corporate accounts, and consumer customers. Its core
application logic runs on one popular cloud platform while the data
storage backend runs on another. The application leverages an identity
cloud service using several authentication techniques for the different
audiences. It calls out to a third-party service that feeds traffic
& weather information and interacts with other internal applications
and databases that provide data points such as current pricing based on
regional gas prices, capacity planning, and more. Think about what it
means to secure an application like this.</p>
<p>Many popular security tools focus only on one layer or one component.
A tool may scan the web application or the mobile app but probably not
both. An app like this might have a few different security products that
focus on securing APIs and a few others that focus on securing
databases. Even if all components feed their security events into a
common stream, there’s not likely a unified view of the risk posture for
the application as a whole. None of the security tools are likely to
understand the full application topology. If the app owner asked for a
security report for the entire application, would you be able to provide
it? How many different security products would you need to leverage?
Would you be able to quantify the impact of a single security
configuration issue on the application as a whole?</p>
<p>If a security solution fully understands the application topology and
incorporates that knowledge, here are a few of the benefits: You can
generate a holistic report on the application to the app owner that
covers all components whether on-premises, in the cloud, or via
third-parties. You can monitor user activity at one tier and understand
how that impacts your risk posture across other tiers. You can monitor
for security configuration changes at all components via a unified
service and automatically adjust risk scores accordingly. In other
words, a deep understanding of the IT infrastructure underneath the
application yields a more robust understanding of security issues and an
increased ability to respond quickly and automatically.</p>
<p><strong>Summary</strong></p>
<p>Challenge yourself to expand the scope of which data points might be
useful for improving security. Are security appliance event logs and
threat feeds enough? As we enter an era dominated by AI and Machine
Learning, we need to add as much high-value data as possible into the
security trough. ML performs better as it incorporates more information.
And as Larry Ellison famously said, the threats are becoming
increasingly more sophisticated. “It can't be our people versus their
computers. We're going to lose that war. It's got to be our computers
versus their computers.” We must rely on Machine Learning and we have to
feed it with as much intelligence from as many sources as possible.</p>

<p><b>Convergence is the Key to Future-Proofing Security</b> (2018-09-18)</p><p>I published a new article today on the <a href="https://blogs.oracle.com/cloudsecurity/" target="_blank">Oracle Security blog</a> that looks at the benefits of convergence in the security space as the IT landscape grows more disparate and distributed.<br />
<br />
Security professionals have too many overlapping products under management and it's challenging to get quick and complete answers across hybrid, distributed environments. It's challenging to fully automate detection and response. There is too much confusion about where to get answers, not enough talent to cover the skills requirement, and significant hesitation to put the right solutions in place because there's already been so much investment.<br />
<br />
Here's an excerpt:</p><p><em>The whole of your security portfolio should provide significantly more value than the sum of its parts.</em></p>
<p>The challenge facing security professionals seems to grow bigger and
more complex by the hour. New threats and risk factors are constantly
emerging while the IT landscape continuously evolves. At times, it feels
like we’re patching holes on a moving target that’s endlessly
shape-shifting. One of the major contributing factors to those feelings
of chaos and disorder is the sheer quantity of security products that we
rely on to cover our vast IT landscapes.</p>
<p>The <u><strong><a href="https://www.oracle.com/cloud/cloud-threat-report.html" target="_blank">Oracle and KPMG Cloud Threat Report 2018</a></strong></u>
found that cybersecurity professionals manage an average of 46
different security products. 7% of respondents reported being personally
responsible for managing over 100 different products. 100 different
security products! I don’t imagine that those folks can possibly have a
complete understanding of what’s happening across 50 or 100 different
security products or what value each of those products is contributing
to reducing their risk. This quantity of products alone contributes to
the overall challenge in several ways, including:</p>
<ul><li><strong>Product Overlap:</strong> Security products often have
significant functional overlap. In an environment with several security
products, it quickly becomes unclear which product will answer which
questions. The result is wasted time and effort and longer delays
getting critical answers. When addressing an on-going attack or a
breach, the speed of the response effort is critical. The longer it
takes, the broader the damage will be.</li><li><strong>Skills Shortage:</strong> Organizations spend too much time
finding or developing talent across security products. It’s rare for
security professionals to have the exact mix of skills and experience
that an organization needs. And with an on-going skills shortage, it’s
difficult to retain top talent over long periods of time. Again, not
having the right expertise in place means that you’re more likely to
miss the signals of developing attacks or on-going breaches and to
demonstrate longer response times to security events.</li><li><strong>Delays in Addressing Gaps:</strong> Nobody likes wasted money or <em>shelfware</em>.
When a gap is found in an organization’s security posture, security
professionals are less likely to find and deploy the right solution if
they have numerous other security solutions in place that may (or may
not) fix the problem. Of course, without a complete understanding of
where the limits are on each of those products, it could take months to
sort through them and to formulate an approach. It’s the classic human
response of freezing in indecision when there are too many factors to
consider. When it comes to addressing information security issues, the
last thing you want to do is freeze.</li></ul>
<p>So, what can be done and how can we address the issue?</p>
<p>Here’s the good news: Security solutions are evolving toward cloud,
toward built-in intelligence via Machine Learning, and toward unified,
integrated-by-design platforms. This approach eliminates the issues of
product overlap because each component is designed to leverage the
others. It reduces the burden related to maintaining skills because
fewer skills are needed and the system is more autonomous. And, it
promotes immediate and automated response as opposed to indecision.
While there may not be a single platform to replace all 50 or 100 of
your disparate security products today, platforms are emerging that can
address core security functions while simplifying ownership and
providing open integration points to seamlessly share security
intelligence across functions.</p>
<p>For example, you know that you need an identity and access component
for addressing access management needs across numerous SaaS applications
and IaaS services. And you need a <u><strong><a href="https://www.oracle.com/cloud/paas/casb-cloud-service.html" target="_blank">Cloud Access Security Broker (CASB)</a></strong></u>
to scan SaaS applications and Cloud Infrastructures for insecure
configurations and to monitor user activity. But, for the most part,
these functions are siloed today. One doesn’t talk to the other. But
they can. And they should.</p>
<p>Understanding what a user is doing across cloud applications
(visibility often provided by CASB) enables you to create a risk score
for that user that can then be used by the Identity function to make
decisions and take actions such as stepping up authentication,
requesting approvals, initiating an access review, or denying access.
Understanding that a target system’s configuration was modified recently
or that it doesn’t conform to the organization’s security policies also
increases risk. And there are numerous sources of additional risk data:
identity, CASB, security configuration scanning, SIEM, UEBA, external
threat feeds, session context, etc.</p>
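<p>To make that flow concrete, here is an added example (not code from the original post or from any Oracle product) of an identity decision point that consumes signals from the sources listed above and turns them into allow, step-up or deny. The signal names, weights and thresholds are assumptions chosen for the illustration, and the addresses are reserved documentation ranges rather than real hosts.</p>

```python
"""Risk-based access decision fed by several signal sources.

Added illustration, not code from the original post or from any Oracle
product. Signal names, weights, thresholds and addresses are assumptions
chosen for the example; a real deployment tunes them to its own data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed per-signal weights. The sources mirror the ones the post lists:
# CASB activity, configuration scanning, identity and session context.
SIGNAL_WEIGHTS: Dict[str, int] = {
    "casb_mass_download": 35,  # CASB: unusual volume of file downloads
    "casb_new_geo": 20,        # CASB: login from a country absent from baseline
    "config_drift": 15,        # config scanner: target system out of policy
    "new_device": 15,          # identity: device not previously enrolled
    "after_hours": 10,         # session context: outside user's normal hours
}
STEP_UP_THRESHOLD = 30  # assumed: at or above this, require stronger auth
DENY_THRESHOLD = 60     # assumed: at or above this, block and open a review


@dataclass
class SessionContext:
    user: str
    source_ip: str
    signals: List[str] = field(default_factory=list)


def score(ctx: SessionContext) -> Tuple[int, List[str]]:
    """Sum the weights of the signals present. Unknown signal names are
    ignored but reported, so a renamed or broken feed is visible."""
    total, notes = 0, []
    for s in ctx.signals:
        w = SIGNAL_WEIGHTS.get(s)
        if w is None:
            notes.append(f"unknown signal ignored: {s}")
            continue
        total += w
        notes.append(f"{s}:+{w}")
    return total, notes


def decide(ctx: SessionContext, threat_feed_ips: Set[str]) -> Dict[str, object]:
    """Return the action the identity service should take.

    A threat-feed match is a hard rule that denies regardless of score:
    folding a known-bad indicator into a weighted sum would let benign
    context dilute it.
    """
    risk, notes = score(ctx)
    if ctx.source_ip in threat_feed_ips:
        return {"action": "deny", "risk": risk,
                "reasons": notes + ["source_ip on threat feed"]}
    if risk >= DENY_THRESHOLD:
        return {"action": "deny", "risk": risk, "reasons": notes}
    if risk >= STEP_UP_THRESHOLD:
        return {"action": "step_up_mfa", "risk": risk, "reasons": notes}
    return {"action": "allow", "risk": risk, "reasons": notes}


# Constructed sample data: documentation IP ranges, not real hosts.
THREAT_FEED: Set[str] = {"203.0.113.50"}
SAMPLES = [
    SessionContext("alice", "198.51.100.7", ["after_hours"]),
    SessionContext("bob", "198.51.100.8", ["new_device", "casb_new_geo"]),
    SessionContext("carol", "198.51.100.9",
                   ["casb_mass_download", "config_drift", "new_device"]),
    SessionContext("dave", "203.0.113.50", []),
]

if __name__ == "__main__":
    for ctx in SAMPLES:
        print(ctx.user, decide(ctx, THREAT_FEED))
```

<p>Two design points matter more than the arithmetic. A threat-feed match is a hard rule rather than one more weighted term, so benign context can never average a known-bad indicator down to "allow". And unknown signal names are reported instead of silently dropped, so a renamed or broken feed shows up in the decision log rather than quietly lowering every score.</p>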
<p>Forward-looking security platforms will leverage hybrid cloud
architecture to address hybrid cloud environments. They’re autonomous
systems that operate without relying on human maintenance, patching, and
monitoring. They leverage risk intelligence from across the numerous
available sources. And then they rationalize that data and use Machine
Learning to generate better security intelligence and feed that improved
intelligence back to the decision points. And they leverage built-in
integration points and orchestration functionality to automate response
when appropriate.</p>
<p>In other words, your security platform should serve as a central
brain that doesn’t only import the various security data points but also
makes sense of it without relying on human eyes to catch potential
threats. And it adds intelligence, identifies patterns, recognizes
anomalies, and responds appropriately and within seconds. This is much
more advanced than the old SIEM model which simply aggregates data from
numerous sources and tries to raise alerts for humans to evaluate. This
is a system that thinks for you and leverages advanced analytics to make
decisions across those numerous disparate systems. It’s a cloud service
so you don’t need to administer and manage it. You become a user; a
consumer of its benefits rather than a caretaker. And the result is much
more value and further reduced risk than you’d get from the parts
alone.</p>Matt Flynnhttp://www.blogger.com/profile/09902381553517250020noreply@blogger.com0tag:blogger.com,1999:blog-21995415.post-83423223463625347732018-01-30T09:12:00.004-05:002022-03-23T16:24:58.026-04:00New World, New Rules: Securing the Future State<p>I published an article today on the <a href="https://blogs.oracle.com/cloudsecurity" target="_blank">Oracle Cloud Security blog</a> that takes a look at how approaches to information security must adapt to address the needs of the <i>future state</i> (of IT). For some organizations, it's really the current state. But, I like the term <i>future state</i> because it's inclusive of more than just cloud or hybrid cloud. It's the universe of Information Technology the way it will be in 5-10 years. It includes the changes in user behavior, infrastructure, IT buying, regulations, business evolution, consumerization, and many other factors that are all evolving simultaneously.<br />
<br />
As we move toward that new world, our approach to security must adapt. Humans chasing down anomalies by searching through logs is an approach that will not scale and will not suffice. </p><p>Here's an excerpt:<br />
<br /></p><section class="rc84 rc84v1">
<p style="text-align: center;"><b>If you never change tactics, you lose <br />the moment the enemy changes theirs</b><br /></p><p>While chasing down a domestic terrorist, FBI Agent Will Brody found
himself in an unfamiliar and dangerous environment. (Brody is the
protagonist in Marcus Sakey's 2017 novel <em>Afterlife</em>.) To survive
in its perilous conditions, its residents commit to two simple rules:
(1) pull your own weight and (2) only kill in self-defense. These rules
have kept them safe from the obvious imminent threats around them for
decades. But Brody sees a change happening in the environment that
others don't yet see and warns his new community: "If you never change
tactics, you lose the moment the enemy changes theirs." His mantra
becomes <strong>"New World, New Rules."</strong> In other words, you must adapt to changing threats or face the consequences.</p>
<p>As Information Security professionals, we find ourselves in a similar
situation. Our environment is transforming rapidly. The assets we're
protecting today look very different than they did just a few years ago.
In addition to owned data centers, our workloads are being spread
across multiple cloud platforms and services. Users are more mobile than
ever. And we don’t have control over the networks, devices, or
applications where our data is being accessed. It’s a vastly distributed
environment where there’s no single, connected, and controlled network.
Line-of-Business managers purchase compute power and SaaS applications
with minimal initial investment and no oversight. And end-users access
company data via consumer-oriented services from their personal devices.
<strong>It's grown increasingly difficult to tell where company data
resides, who is using it, and ultimately where new risks are emerging.</strong>
This transformation is on-going and the threats we’re facing are
morphing and evolving to take advantage of the inherent lack of
visibility.</p>
<p>Organizations are in varying stages of migration toward this <strong><em>future state</em> of IT</strong>
where we have massive distribution and where visibility is elusive. But
we all seem to be moving in the same direction. So, we simply can't
live by the same old rules. We can’t rely on old security techniques. <em>New World, New Rules.</em></p>
<p style="text-align: center;"><b>The old SIEM approach won't suffice <br />in the future state. </b><br /></p><p>Traditionally, security professionals have relied heavily on SIEM
(Security Information and Event Management) solutions to track activity
in their environments. The SIEMs resided somewhere on the network and
collected logs and event information from other network-connected
systems and devices. SIEMs measured themselves by their ability to
ingest data from anything and everything on the network. <strong>But SIEM users have struggled to translate that event data into <em>actionable intelligence</em>.</strong>
In many cases, because of the enormous quantity of event data and the
inability to parse it quickly and efficiently, SIEM solutions became
forensic tools; used after-the-fact to research what may have happened
after a breach was detected. The old SIEM approach won't suffice in the
future state.</p>
<p>Although many organizations report struggling with the complexity and
cost of SIEM solutions, the SIEM market continues to expand. This is
because the need for visibility has only grown more urgent with
increasing regulations and more aggressive and sophisticated attack
techniques. But you want more. <strong>Traditional SIEM approaches aren't enough.</strong>
There simply aren't enough hands-on-deck to rely on manual processes
for investigating event data or identifying on-going attacks.</p><p style="text-align: center;"><b>The technologies that have exacerbated the <br />problem can also be used to address it </b><br /></p><p>Here's the good news: The technologies that have exacerbated the
problem can also be used to address it. On-premises SIEM solutions based
on appliance technology may not have the reach required to address
today's IT landscape. But, an integrated SIEM+UEBA designed from the
ground up to run as a cloud service and to address the massively
distributed hybrid cloud environment can leverage technologies like
machine learning and threat intelligence to provide the visibility and
intelligence that is so urgently needed.</p>
<p><strong><a href="https://blogs.oracle.com/cloudsecurity/machines-vs-machines-how-adaptive-intelligence-can-save-you-from-a-breach">Machine Learning (ML)</a> mitigates the complexity</strong>
of understanding what's actually happening and of sifting through
massive amounts of activity that may otherwise appear to humans as
normal. Modern attacks leverage distributed compute power and ML-based
intelligence. So, countering those attacks requires a security solution
with equal amounts of intelligence and compute power. As Larry Ellison
recently said, "It can't be our people versus their computers. We're
going to lose that war. It's got to be our computers versus their
computers."</p>
<p>But to effectively secure the future state, you need more than a SIEM
designed for cloud. Here are a few other innovations that we should
demand from our security platform:</p>
<ul><li><strong>Application Topology Awareness:</strong> Detect multi-tier application attacks and lateral movement indicators. Alert application owners not server administrators.</li><li><strong>Threat Stage Awareness:</strong> Map potential and
in-progress threats to well understood attack stages to provide better
contextual data on how to respond. See developing threats before they
happen.</li><li><strong>Data-Deep Visibility:</strong> Detect data access anomalies for any user, database or application.</li><li><strong>Broad Data Capture:</strong> Don't rely solely on security logs. Leverage operational logs, threat feeds, embedded reputation data, and more.</li><li><strong>User Attribution:</strong> Report the identity even if the user context is missing via composite identity awareness and rich user baselines.</li><li><strong>Configuration Change Awareness:</strong> Inject configuration drift context into threat detection.</li><li><strong>Orchestration:</strong> Respond to threats immediately and with precision via REST, scripts, or 3rd party automation frameworks.</li></ul>
<p>Obviously, we're writing about this for a reason. These features are built into Oracle's <strong><a href="https://cloud.oracle.com/en_US/security-analytics">Security Monitoring and Analytics</a></strong>
service (SMA). When we say that our SIEM was designed from the ground
up for cloud, we're not just talking about the product architecture.
We're talking about its features and functionality. It was designed to
address the complexity and peril of distributed cloud environments.<strong> It was designed to secure the future state; to be the new rules for the new world.</strong></p>
<p>SMA is built on Oracle’s unified platform for future-state security that also includes <strong><a href="https://cloud.oracle.com/en_US/identity">Identity</a></strong>, <strong><a href="https://cloud.oracle.com/en_US/casb">CASB</a></strong>, and <strong><a href="https://cloud.oracle.com/en_US/compliance">Configuration Compliance</a></strong>.
It was built 100% in the cloud to address the security needs of hybrid,
multi-cloud environments. Traditional SIEMs lack Identity, CASB, and
Configuration Compliance functions. And they typically only layer UEBA
on top of their legacy SIEM architecture. They lack advanced features
like data-deep visibility, user attribution, <strong><a href="https://cloud.oracle.com/en_US/orchestration">orchestration</a></strong>, and awareness of threat stages and application topology. Leveraging these innovations, <strong>Oracle's approach enables shorter investigations and faster response times</strong> while accommodating all the complexity of the future state.</p><p style="text-align: center;"><b>Oracle simplifies management and <br />security for the future state. </b><br /></p><p>And, to top it off, Oracle's security services are built on <strong><a href="https://cloud.oracle.com/en_US/management">Oracle Management Cloud</a></strong> which,
in addition to security, provides a single pane of glass for IT
monitoring, management, and analytics. Oracle simplifies management and
security for the future state, reducing cost and effort, and providing
richer intelligence across increasingly complex environments.</p>
<p>Learn more about how Oracle is addressing these security concerns and
incorporating machine learning into adaptive intelligence by reading
our whitepaper, <a href="http://www.oracle.com/us/solutions/cloud/future-of-cyber-security-4302684.pdf"><strong>"Machine Learning-Based Adaptive Intelligence: The Future of Cybersecurity."</strong></a></p>
</section>Matt Flynnhttp://www.blogger.com/profile/09902381553517250020noreply@blogger.com0tag:blogger.com,1999:blog-21995415.post-77279367344941986062017-09-25T11:13:00.000-04:002017-09-25T11:13:03.095-04:00Hyperbole in Breach ReportingWhile reading the news this morning about yet another successful data breach, I couldn't help but wonder if the hyperbole used in reporting about data breaches is stifling our ability to educate key stakeholders on what they really need to know.<br />
<br />
Today's example is about a firm that many rely on for security strategy, planning, and execution. The article I read stated that they were "targeted by a sophisticated hack" but later explains that the attacker compromised a privileged account that provided unrestricted "access to all areas". And, according to sources, the account only required a basic password with no two-step or multi-factor authentication. That doesn't sound too sophisticated, does it? Maybe they brute-forced it, or maybe they just guessed the password (or found it written down in an office?)<br />
<br />
It reminded me of an attack on a security vendor back in 2011. As I recall, there was a lot of talk of the sophistication and complexity of the attack. It was called an Advanced Persistent Threat (and maybe some aspects of it were advanced). But, when the facts came out, an employee simply opened an email attachment that introduced malware into the environment - again, not overly sophisticated in terms of what we think a hack to be.<br />
<br />
The quantity, availability, and effectiveness of attack techniques are enough to make anyone uncomfortable with their security posture. I previously <a href="http://360tek.blogspot.com/2017/04/layered-database-security-in-age-of.html">wrote</a> about a German company who, in a breach response, wrote that it is "virtually impossible to provide viable protection against organized, highly professional hacking attacks." CISOs are being told that they should <i>expect</i> to be breached. The only questions are about when and how to respond. It makes you feel like there's no hope; like there's no point in trying. <br />
<br />
However, if you look at the two examples above that were described as <i>highly sophisticated</i>, they may have been avoided with simple techniques such as employee education, malware detection, and multi-factor authentication. I don't mean to over-simplify. I'm not saying it's all easy or that these companies are at-fault or negligent. I'm just calling for less hyperbole in the reporting. Call out the techniques that help companies avoid similar attacks. Don't describe an attack as overly sophisticated if it's not. It makes people feel even more helpless when, perhaps, there are some simple steps that can be taken to reduce the attack surface.<br />
<br />
I'd also advocate for more transparency from those who are attacked. Companies shouldn't feel like they have to make things sound more complicated or sophisticated than they are. There's now a growing history of reputable companies (including in the security industry) who have been breached. If you're breached, you're in good company. Let's talk in simple terms about the attacks that happen in the real world. An "open kimono" approach will be more effective at educating others in prevention. And again, less hyperbole - we don't need to overplay to emotion here. Everyone is scared enough. We know the harsh reality of what we (as security professionals) are facing. So, let's strive to better understand the real attack surface and how to prioritize our efforts to reduce the likelihood of a breach.Matt Flynnhttp://www.blogger.com/profile/09902381553517250020noreply@blogger.com0tag:blogger.com,1999:blog-21995415.post-68172197437423607652017-09-20T19:26:00.000-04:002017-09-20T19:26:14.156-04:00Encryption would NOT have saved EquifaxI read a few articles this week suggesting that the big question for Equifax is whether or not their data was encrypted. The State of Massachusetts, <a href="https://www.cnbc.com/2017/09/19/massachusetts-equifax-hack-exposed-more-than-half-state-to-risk.html">speaking about the lawsuit it filed</a>, said that Equifax "didn't put in safeguards like encryption that would have protected the data." Unfortunately, encryption, as it's most often used in these scenarios, would not have actually prevented the exposure of this data. This breach will have an enormous impact, so we should be careful to get the facts right and provide as much education as possible to law makers and really to anyone else affected.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsyB0OYqndLnG8HDrhvOA0n2-8UmvEhrkiWh6-7VRwkDcTiHZvYg0VgDPdl_7p-aIiJkxHJlOw0LQhJNE6Oc23jlQQoluveWn7C8nw4PVjkUqejBESu96RvzMaExxi1yRYs4Yd/s1600/3tierapp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="628" data-original-width="438" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsyB0OYqndLnG8HDrhvOA0n2-8UmvEhrkiWh6-7VRwkDcTiHZvYg0VgDPdl_7p-aIiJkxHJlOw0LQhJNE6Oc23jlQQoluveWn7C8nw4PVjkUqejBESu96RvzMaExxi1yRYs4Yd/s320/3tierapp.png" style="margin: 10px 10px;" width="223" /></a></div>
<br />
We <a href="https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832">know</a> that the attack took advantage of a flaw in <a href="https://struts.apache.org/primer.html">Apache Struts</a> (that should have been patched). Struts is a Java framework for building web applications, so it lives at the application tier. The data, obviously, resides at the data tier. Once the application was compromised, it really doesn't matter whether the data was encrypted, because the application is authorized to access (and therefore to decrypt) the data, and an attacker who controls the application inherits that authorization.<br />
<br />
I won't get into all the various encryption techniques that are possible but there are two common types of data encryption for these types of applications. There's encryption of data in motion (TLS) so that nobody can eavesdrop on the conversation as data moves between tiers or travels to the end users. And there's encryption of data at rest that protects data as it's stored on disk so that nobody can pick up the physical disk (or the data file, depending on how the encryption is applied) and access the data. At-rest encryption is applied and removed below the query interface, by the storage layer or by the database engine itself, so the application never handles ciphertext. Once the application is authenticated against the database and runs a query, it receives plaintext and is able to access, view, and act upon the data even though the data was encrypted while at rest.<br />
<br />
Note that there is a commonly-applied technique that applies at-rest encryption at the application tier. I don't want to confuse the conversation with too much detail, but it usually involves inserting some code into the application to encrypt/decrypt, with the key held by the application rather than the database. That helps against someone who obtains the database or its files without the application. I suspect that if the application is compromised then app-tier encryption would have been equally unhelpful: an attacker who can execute code inside the application can call its decrypt routine with its own key.<br />
<br />
The bottom line here is that information security requires a broad, layered defense strategy. There are numerous types of attacks. A strong security program addresses as many potential attack vectors as possible within reason. (My use of "within reason" is a whole other conversation. Security strategies should evaluate risk in terms of likelihood of an attack and the damage that could be caused.) I already wrote about a <a href="http://360tek.blogspot.com/2017/04/layered-database-security-in-age-of.html">layered approach</a> to data protection within the database tier. But that same approach of layering security applies to application security (and information security in general). You have to govern the access controls, ensure strong enough authentication, understand user context, identify anomalous behavior, encrypt data, and, of course, patch your software and maintain your infrastructure. This isn't a scientific analysis. I'm just saying that encryption isn't a panacea and probably wouldn't have helped at all in this case.<br />
<br />
<a href="https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832">Equifax says</a> that their "security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure." Clearly, humans need to rely on technology to help identify what systems exist in the environment, what software is installed, which versions, etc. I have no idea what tools Equifax might have used to scan their environment. Maybe the tool failed to find this install. But their use of "at that time" bothers me too. We can't rely on point-in-time assessments. We need continuous evaluations on a never ending cycle. We need better intelligence around our IT infrastructures. And as more workloads move to cloud, we need a unified approach to IT configuration compliance that works across company data centers and multi-cloud environments.<br /><br />
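An added example (not the original post's code, and not a tool Equifax or Oracle used) of the kind of continuous inventory check this calls for: walk the application servers' library directories, find Apache Struts core jars by name, and flag any whose version is below the fixed version for its release branch. The branch floors in the code are example values; take the real ones from the vendor advisory for the flaw you are tracking. Note that a fix version differs per branch, which is why a single "minimum version" comparison is not enough, and that an unknown branch is reported rather than assumed safe.<br /><br />

```python
"""Continuous inventory check for a vulnerable library version.

Added example, not code from the original post and not a tool Equifax or
Oracle used. It finds Apache Struts core jars by file name and flags any
whose version is below the fixed version for its release branch. The
branch floors are example values chosen for the demonstration; take the
real ones from the vendor advisory for the flaw you are tracking.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Assumed floors: first fixed version per (major, minor) release branch.
FIXED_FLOORS: Dict[Tuple[int, int], Version] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(filename: str) -> Optional[Version]:
    """Numeric version tuple from a struts2-core jar name, else None."""
    m = JAR_RE.search(filename)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess(path: str) -> Optional[Dict[str, str]]:
    """Classify one path; None for files that are not Struts core jars.
    Tuple comparison handles four-part versions: (2,5,10) < (2,5,10,1)."""
    version = parse_version(os.path.basename(path))
    if version is None:
        return None
    floor = FIXED_FLOORS.get(version[:2])
    if floor is None:
        status = "unknown-branch"  # never treat an unknown branch as safe
    elif version < floor:
        status = "vulnerable"
    else:
        status = "fixed"
    return {"path": path, "version": ".".join(map(str, version)), "status": status}


def assess_all(paths: Iterable[str]) -> List[Dict[str, str]]:
    """Assess every path, dropping files that are not Struts core jars."""
    return [r for r in (assess(p) for p in paths) if r is not None]


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Walk a real tree, e.g. an application server's lib directories."""
    return assess_all(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample inventory: not real hosts or deployments.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "/opt/tomcat/webapps/api/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.5.2.jar",
    "/opt/tomcat/webapps/old/WEB-INF/lib/struts2-core-2.1.8.jar",
]

if __name__ == "__main__":
    for r in assess_all(SAMPLE_PATHS):
        print(f"{r['status']:15} {r['version']:10} {r['path']}")
```

File-name matching is only a first pass: a shaded or renamed jar, or a framework bundled inside a fat jar, will not be found this way, so pair it with a manifest or package-manager inventory, and run it on a schedule rather than once.<br /><br />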
100% protection may be impossible. The best we can do is weigh the risks and apply as much security as possible to mitigate those risks. We should also all be moving to a <i>continuous compliance</i> model where we are actively assessing and reassessing security in real time. And again... layer, layer, layer. Matt Flynnhttp://www.blogger.com/profile/09902381553517250020noreply@blogger.com0tag:blogger.com,1999:blog-21995415.post-16606249646372235912017-04-10T16:17:00.000-04:002017-04-10T16:23:35.589-04:00Layered Database Security in the age of Data Breaches<div class="MsoNormal">
We live in a time of daily breach notifications. One recently affected organization in Germany put out a <a href="https://www.thyssenkrupp.com/en/newsroom/dataprotection/" rel="nofollow">statement</a> which said: "The incident is not attributable to security deficiencies." and "Human error can also be ruled out." They went on say that it is "virtually impossible to provide viable protection against organized, highly professional hacking attacks." It's a tough climate we find ourselves in. It just feels too hard or impossible at times. And there's some truth to that. There are way too many potential attack vectors for comfort.
<br />
<br />
Many breaches occur in ways that make it difficult to pinpoint exactly what might have prevented it. Or, the companies involved hide details about what actually happened or how. In some cases, they lie. They might claim there was some Advanced Persistent Threat on the network when in reality, it was a simple phishing attack where credentials were simply handed over.
<br />
<br />
In one recent case, a third party vendor apparently uploaded a database file to an unsecured Amazon AWS server. A media outlet covering the story called out that it was not hacking because the data was made so easily available. Numerous checkpoints come to mind that each could have prevented or lessened the damage in this scenario. I’d like to paint a picture of the numerous layers of defense that should be in place to help prevent this type of exposure.
<br />
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">Layer 1: Removing Production Data</b></div>
<div class="MsoNormal">
<i style="mso-bidi-font-style: normal;"><span style="color: #c00000;">The data should have been long removed from the database.</span></i></div>
<div class="MsoNormal">
Assuming this is a non-production database (<i style="mso-bidi-font-style: normal;">and I sure hope it is</i>), it should have been fully masked before it was even saved as a file. Masking data means completely removing the original sensitive data and replacing it with fake data that looks and acts real. This enables safe use of the database for app development, QA, and testing. Data can be masked as it’s exported from the production database (most secure) or in a secure staging environment after the initial export. Had this step been done, the database could safely be placed on an insecure AWS server with limited security concerns because there’s no real data. An attacker could perhaps use the DB schema or other details to better formulate an attack on the production data, so I’m not recommending posting
masked databases publicly, but the risk of data loss is severely limited once the data is masked.</div>
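<div class="MsoNormal">An added example of static masking applied before a copy leaves production (not code from the original post or from any Oracle masking product). The masking is keyed so that the same real value maps to the same fake value in every table, which keeps foreign keys and joins usable; the key is generated per export and discarded, so the mapping cannot be reversed afterwards. The customer records are constructed sample data.</div>

```python
"""Static data masking for a non-production database copy.

Added example, not code from the original post or from any Oracle
masking product. Sensitive columns are rewritten before the copy leaves
production. Masking is keyed, so one real value maps to one fake value in
every table (foreign keys and joins still work), and the per-export key
is discarded, so the mapping cannot be reversed later. Records are
constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Set

Table = List[Dict[str, str]]

FIRST_NAMES = ["Avery", "Blake", "Casey", "Drew", "Emery", "Finley", "Harper", "Jordan"]
LAST_NAMES = ["Adams", "Baker", "Clark", "Davis", "Evans", "Foster", "Garcia", "Hayes"]


def _prf(key: bytes, column: str, value: str) -> int:
    """Keyed PRF: the same (column, value) under the same key gives the same
    integer; without the key the output reveals nothing about the input."""
    tag = hmac.new(key, f"{column}\x00{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(tag, "big")


def mask_name(key: bytes, full_name: str) -> str:
    n = _prf(key, "full_name", full_name)
    return f"{FIRST_NAMES[n % len(FIRST_NAMES)]} {LAST_NAMES[(n >> 8) % len(LAST_NAMES)]}"


def mask_ssn(key: bytes, ssn: str) -> str:
    """Format-preserving: nine digits in the usual layout, derived from the PRF."""
    digits = f"{_prf(key, 'ssn', ssn) % 10**9:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_email(key: bytes, email: str) -> str:
    return f"user{_prf(key, 'email', email) % 10**6:06d}@example.invalid"  # reserved TLD


SENSITIVE: Dict[str, Callable[[bytes, str], str]] = {
    "full_name": mask_name,
    "ssn": mask_ssn,
    "email": mask_email,
}


def mask_row(key: bytes, row: Dict[str, str]) -> Dict[str, str]:
    """Rewrite the sensitive columns of one row; leave keys and amounts alone."""
    return {col: SENSITIVE[col](key, val) if col in SENSITIVE else val
            for col, val in row.items()}


def mask_tables(tables: Dict[str, Table], key: bytes) -> Dict[str, Table]:
    """Mask every sensitive column in every table under one key."""
    return {name: [mask_row(key, r) for r in rows] for name, rows in tables.items()}


def export_masked(tables: Dict[str, Table]) -> Dict[str, Table]:
    """Production-side entry point: fresh key per export, never persisted."""
    return mask_tables(tables, secrets.token_bytes(32))


def leaks(original: Dict[str, Table], masked: Dict[str, Table]) -> Set[str]:
    """Original sensitive values that still appear verbatim in the masked copy.
    Run this on the export and fail it if the result is non-empty."""
    def values(tables: Dict[str, Table]) -> Set[str]:
        return {r[c] for rows in tables.values() for r in rows for c in SENSITIVE if c in r}
    return values(original).intersection(values(masked))


PROD: Dict[str, Table] = {  # constructed, not real people
    "customers": [
        {"customer_id": "1001", "full_name": "Jane Q. Public",
         "ssn": "123-45-6789", "email": "jane@example.com"},
        {"customer_id": "1002", "full_name": "John R. Doe",
         "ssn": "987-65-4321", "email": "john@example.com"},
    ],
    "loan_applications": [
        {"app_id": "A1", "customer_id": "1001", "ssn": "123-45-6789", "amount": "25000"},
    ],
}

if __name__ == "__main__":
    out = export_masked(PROD)
    print(out)
    print("leaked values:", leaks(PROD, out))
```

<div class="MsoNormal">The check at the end matters as much as the masking: run it against the exported copy and fail the export if any original value survives. Note also that deterministic masking preserves which rows share a value, which is usually what test data needs but is still information; if that linkage is itself sensitive, use a random (non-keyed) replacement instead.</div>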
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">Layer 2: Secure Cloud Server Configuration</b></div>
<div class="MsoNormal">
<i style="mso-bidi-font-style: normal;"><span style="color: #c00000;">The researcher should never have been able to get to the
file.</span></i></div>
<div class="MsoNormal">
A security researcher poking around the web should never have been able to access this database file. Proper server
configuration and access controls should prevent unauthorized access to any files (including databases). In addition to documenting proper security configuration, Cloud Access Security Brokers (CASBs) can be used to continuously monitor AWS instances and storage to ensure that server configurations match the corporate guidelines. Any instances of configuration drift can be auto-remediated with these solutions to ensure that humans don’t accidentally misconfigure servers or miss security settings in the course of daily administration. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">Layer 3: Apply Database Encryption</b></div>
<div class="MsoNormal">
<i style="mso-bidi-font-style: normal;"><span style="color: #c00000;">Even with access to the database file, the researcher should not have been able to access the data.</span></i></div>
<div class="MsoNormal">
At-rest data encryption that is built into the database protects sensitive data against this type of scenario. Even if someone has the database file, if it were encrypted, the file would essentially be useless. Without the key, recovering the plaintext means breaking the cipher itself, which is impractical against modern algorithms and key sizes; the realistic attacks are against key management, so the keys must never be stored alongside the file or exported with it. Encryption is a no-brainer. Some organizations use disk-layer encryption, which is OK in the event of lost or stolen disk. However, if a database file is moved to an unencrypted volume, it is no longer protected. In-database encryption improves security because the security stays with the file regardless of where it’s moved or exported. The data remains encrypted and inaccessible without the proper encryption keys regardless of where the database file is moved.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">Layer 4: Apply Database Administrative Controls</b></div>
<div class="MsoNormal">
<i style="mso-bidi-font-style: normal;"><span style="color: #c00000;">Even with administrative permissions to the database, the researcher should not have been able to access the sensitive data.</span></i></div>
<div class="MsoNormal">
I’m not aware of similar capabilities outside of Oracle database, but Oracle Database Vault would have also prevented this breach by implementing access controls within the database. Database Vault effectively segregates roles (enforces Separation of Duties) so that even an attacker holding DBA permissions cannot run queries against the sensitive application data within the database because their role does not allow it. Note that this control is enforced by the running database engine at query time: it stops misuse of privileged database accounts, and it complements rather than replaces the encryption in Layer 3, which is what protects the file itself when it is read outside the database. This role-based access, enforced within the database, is an extremely effective control to avoid accidental access that may occur throughout the course of daily database administration.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">Layer 5: Protect Data Within the Database</b></div>
<div class="MsoNormal">
<i style="mso-bidi-font-style: normal;"><span style="color: #c00000;">Even with full authorization to application data, highly
sensitive fields should be protected within the database.</span></i></div>
<div class="MsoNormal">
Assuming all of the other layers break down and you have full access to the unencrypted database file and credentials that are authorized to access the sensitive application data, certain highly sensitive fields should still be protected via application-tier encryption. Social Security Numbers and passwords, for example, shouldn’t be stored in plain text. By applying protection for these fields at the app layer, even fully authorized database users wouldn’t have access to them. We all know that passwords should be hashed, so that the stored value is useless to anyone except the user who enters the correct password. But other fields, like SSN, can be encrypted at the app layer to protect against accidental exposure (human error), intentional insider attack, or exposed credentials (perhaps via a phishing attack).</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Maybe the vendor didn’t follow the proper protocols instituted by the organization. Maybe they made a human error; we all make mistakes. But, that’s why a layered approach to database security is critical on any database instances
where sensitive production data resides. Security protocols shouldn’t require humans to make the right decisions. They should apply security best practices by default and without option. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Assuming this was a non-production database, any sensitive data should have been fully masked/replaced before it was even made available. And, if it was a production DB, database encryption and access control protections that stay with the database during export or if the database file is moved away from an encrypted volume should have been applied. The data should have been protected before the vendor's analyst ever got his/her hands on it. Oracle Database Vault would have prevented even a DBA-type user from being able to access the sensitive user data
that was exposed here. These are not new technologies; they’ve been around for many years with plentiful documentation and industry awareness. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Unfortunately, a few of the early comments I read on this particular event were declarations or warnings about how this proves that cloud is less secure than on-premises deployments. I don’t agree. Many cloud services are configured with security by default and offer far more protection than company-owned data centers. Companies should seek cloud services that enable security by default and that offer layered security controls; more security than their own data centers. It’s more than selecting the right Cloud Service Provider. You also need to choose the right service; one that matches the specific needs (including security needs) of your current project. The top CSPs offer multiple IaaS and/or PaaS options that may meet the basic project requirements. While cloud computing grew popular because it’s easy and low cost, ease-of-use and cost are not always the most important factors when choosing the right cloud
service. When sensitive data is involved, security needs to be weighed heavily
when making service decisions.<br />
<br />
I'll leave you with this. Today's computing landscape is extremely complex and constantly changing. But security controls are evolving to address what has been called the <i>extended enterprise</i> (which includes cloud computing
and user mobility among other characteristics). Don't leave security in the hands of humans. And apply security in layers to cover as many potential attack vectors as possible. Enable security by default and apply automated checks to ensure that security configuration guidelines are being followed.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: x-small;"><b>Note: </b><i>Some of the content above is based on my understanding of Oracle security products (encryption, masking, CASB, etc.) Specific techniques or advantages mentioned may not apply to other vendors’ similar solutions.</i></span>
</div>
<b>Next Generation IDaaS: Moving From Tactical to Strategic</b> (Matt Flynn, 2016-02-19)<br />Today, I posted a blog entry to the <a href="https://blogs.oracle.com/OracleIDM/" target="_blank">Oracle Identity Management blog</a> titled <i><a href="https://blogs.oracle.com/OracleIDM/entry/next_generation_idaas_moving_from" target="_blank">Next Generation IDaaS: Moving From Tactical to Strategic</a></i>.
In the post, I examine the evolution of IDaaS and look toward the next generation of Enterprise Identity and Access Management. I believe that the adoption of IDaaS by enterprises has typically been a reactive, tactical response to the quick emergence of SaaS (and the associated loss of control). The next generation of IDaaS will be more strategic and carefully planned to better meet evolving enterprise requirements.<br />
<br />
Note that I'm not talking about the technology. Nor am I talking about consumer use-cases or developer adoption of outsourced authentication. In this post, I'm looking at IDaaS from the perspective of enterprise IAM and the on-going <i>Digital Transformation</i>.<br />
<br />
Here are a few quotes that capture the essence:<br />
<blockquote class="tr_bq">
First generation Identity as a Service (IDaaS) was a fashion statement
that’s on its way out. It was cool while it lasted. And it capitalized
on some really important business needs. But it attempted to apply a
tactical fix to a strategic problem.<br />
<br />
Security functions are coalescing into fewer solutions that cover more
ground with less management overhead. Digital Enterprises want more
functionality from fewer solutions.<br />
<br />
The next generation of IAM is engineered specifically for Digital
Business providing a holistic approach that operates in multiple modes.
It adapts to user demands with full awareness of the value of the
resources being accessed and the context in which the user is operating.
Moving forward, you won’t need different IAM products to address
different user populations (like privileged users or partners) and you
won’t stand up siloed IDaaS solutions to address subsets of target
applications (like SaaS).<br />
<br />
Next generation IDaaS builds on all the promises of cloud computing but
positions itself strategically as a component of a broader, more
holistic IAM strategy. Next-gen IDaaS fully supports the most demanding
Digital Business requirements. It’s not a stop-gap and it’s not a
fashion statement. It’s an approach enabling a new generation of
businesses that will take us all further than we could have imagined.</blockquote>
<a href="https://blogs.oracle.com/OracleIDM/entry/next_generation_idaas_moving_from" target="_blank">Continue Reading</a><br /><br /><b>A Few Thoughts on Privacy in the Age of Social Media</b> (Matt Flynn, 2014-10-30)<br />Everyone already knows there are <a href="https://www.privacyrights.org/social-networking-privacy-how-be-safe-secure-and-social" target="_blank">privacy issues</a> related to social media and new technologies. Non-tech-oriented friends and family members often ask me questions about whether they should avoid Facebook messenger or flashlight apps. Or whether it's OK to use credit cards online in spite of recent breach headlines. The mainstream media writes <a href="http://www.cnn.com/2014/10/02/showbiz/celebrity-news-gossip/nude-celeb-photos-google-hack/" target="_blank">articles</a> about leaked personal photos and <i><a href="http://www.huffingtonpost.com/2014/10/13/snapchat-hacked_n_5977334.html" target="_blank">the Snappening</a></i>. So, it's out there. We all know. We know there are bad people out there who will attempt to hack their way into our personal data. But, that's only a small part of the story. <br />
<br />
For those who haven't quite realized it, there's no such thing as a free service. Businesses exist to generate returns on investment capital. Some have said about Social Media, "if you can't tell what the product is, it's probably you." To be fair, most of us are aware that Facebook and Twitter will monetize via advertising of some kind. And yes, it may be personalized based on what we <i>like</i> or <i>retweet</i>. But, I'm not sure we fully understand the extent to which this personal, potentially sensitive, information is being productized.<br />
<br />
Here are a few examples of what I mean:<br />
<br />
<b>Advanced Profiling</b><br />
<br />
I recently viewed a product marketing <a href="https://www.youtube.com/watch?v=WqzYPnPak1Y" target="_blank">video</a> targeted at communications service providers. It describes the massive adoption of mobile devices and broadband connections, suggesting that by next year there will be 7.7 billion mobile phones in use with 15 billion connections globally, and that "All of these systems produce an amazing amount of customer data" to the tune of 40TB per day, only 3% of which is transformed into revenue. The rest isn't monetized. (Gasp!) The pitch is that by better profiling customers, telcos can improve their ability to monetize that data. The thing that struck me was the extent of the profiling.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL4xkM07iRfpgxQIO0b-VISAtmcWWd-A7cVdL7vlH4PPnSeCjzY6xEe-etfbvQUxRK5qTzLbWcV5Xc6I4QsyLgCgIG4fJzfTtJy5X95F-Z0s_oQdgK0Cv_R5nHry8qBd75NAGQ/s1600/hp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL4xkM07iRfpgxQIO0b-VISAtmcWWd-A7cVdL7vlH4PPnSeCjzY6xEe-etfbvQUxRK5qTzLbWcV5Xc6I4QsyLgCgIG4fJzfTtJy5X95F-Z0s_oQdgK0Cv_R5nHry8qBd75NAGQ/s1600/hp.jpg" height="220" width="400" /></a>
<br />
<br />
As seen in the screen capture, the user profile presented extends beyond the telco services acquired or service usage patterns into the detailed information that flows through the system. The telco builds a very personal profile using information such as favorite sports teams, life events, contacts, location, favorite apps, etc. And we should assume that favorite sports team could easily be religious beliefs, political affiliations, or sexual interests.<br />
<br />
<b>IBM and Twitter</b><br />
<br />
On October 29, IBM and Twitter <a href="https://blog.twitter.com/ibm" target="_blank">announced</a> a new relationship that enables enterprises to "incorporate Twitter data into their decision-making." In the announcement, Twitter describes itself as "an enormous public archive of human thought that captures the ideas,
opinions and debates taking place around the world on almost any topic
at any moment in time." And now all of those thoughts, ideas, and opinions are available for purchase through a partnership with IBM.<br />
<br />
I'm not knocking Twitter or IBM. The technology behind these capabilities is fascinating and impressive. And perhaps Twitter users allow their data to be used in these ways by accepting the Terms of Use. But, it feels a lot more invasive to essentially provide any third party with a siphon into the massive data that is our Twitter accounts than it would be to, for example, insert a sponsored tweet into my feed that may be selected based on which accounts I follow or keywords I've tweeted. <br />
<br />
<b>Instagram Users and Facebook</b><br />
<br />
I recently opened Facebook to see an updated list of <i>People I may know</i>. Most Facebook users are familiar with the feature. It can be an easy way to locate old friends or people who recently joined the network. But something was different. The list consisted largely of people who I sort of recognize but have never known personally.<br />
<br />
I realized that Facebook was trying to connect me with many of the people behind the accounts I follow on Instagram. Many of these people don't use their real names, talk about their work, or discuss personal family matters on Instagram. They're photographers sharing photos. Essentially, they're artists sharing their art with anyone who wants to take a look. And it feels like a safe way to share.<br />
<br />
But now I'm looking at a profile of someone I knew previously only as "Ty_Chi the landscape photographer" and I can now see that he is actually Tyson Kendrick, retail manager from Chicago, father of three girls and a boy. Facebook is telling me more than Mr. Kendrick wanted to share. And I'm looking at Richard Thompson, who's a marketing specialist for one of the brands I follow. I guess Facebook knows the real people behind brand accounts too. It started feeling pretty creepy.<br />
<br />
<b>What does it all mean?</b><br />
<br />
Monetization of social media goes way beyond targeted advertising. Businesses are reaching deep into any available data to make connections or discover insights that produce better returns. Service providers and social media platforms may share customer details with each other or with third parties to improve their own bottom lines. And the more creative they get, the more our sense of privacy erodes.<br />
<br />
What I've outlined here extends only slightly beyond what I think most people expect. But, we should collectively consider how far this will all go. If companies will make major financial decisions based on Twitter user activity, will there be well-funded campaigns to change user behavior on Social Media platforms? Will the free-flow exchange of ideas and opinions become more heavily and intentionally influenced?<br />
<br />
<b><i>The sharing/exchanging of users' personal data is becoming institutionalized. It's not a corner case of hackers breaking in. It's a systemic business practice that will grow, evolve, and expand.</i></b><br />
<br />
I have no recipe to avoid what's coming. I have no suggestions for users looking to hold onto the last threads of their privacy. I just think it's worth thinking critically about how our data may be used and what that may mean for us in years to come.
<br /><br /><b>BMWs and Bicycles: The Value of Complexity</b> (Matt Flynn, 2014-07-28)<br />If your ideas about Oracle Identity & Access solutions start and end with the word <b>complexity</b>, you're missing the big picture. Contrary to what competitors might be telling you, Oracle's current IAM solution looks nothing like a conglomeration of distinct, aging products. If you want to know about today's Oracle IAM solutions, consider concepts like: <i>common data model, consolidated feature set, shared services, unified admin and operational consoles, and a lower TCO than managing multiple point solutions</i>.<br /><br />It didn't happen by accident. Oracle has a large, diverse, and talented team of engineers and developers. I'm consistently impressed by the level of talent roaming the halls at Oracle. And the team knew years ago that continued innovation was important. They intentionally expended significant effort to rationalize the product backend so that it's <b>not simply multiple integrated products</b>. Did you know that Oracle uses a <b>single connector</b> for user provisioning, access governance, and privileged account management? Did you know that Oracle's provisioning product also provides access requests, risk scoring, and entitlement reviews in a <b>single product</b>? (not a license bundle - a single installed product)<br /><br />Can the entire solution be downloaded onto a smartphone and installed in 3-5 minutes? No. But, the solution can meet any <b>current or future</b> Identity & Access requirement with a modular, unified approach to Identity & Access for <b>legacy, enterprise, cloud, mobile, and social</b> use-cases. And there are numerous customer case studies that demonstrate Oracle's IAM technology has already been implemented in mobile, consumer, and IoT scenarios with <b>extreme scale</b>. 
Claiming that Oracle can't handle third platform use-cases is <b>either ignorant or deceitful</b>. Which it is depends on who you're talking to.<br /><br />That's not to say that there aren't IAM solutions on the market that offer less complexity. But let's investigate complexity for a moment. <br /><br /><b>Is complexity good or bad? </b><br /><br />If you already answered, you're missing the point. The reality is that complexity should be commensurate with your needs, and the optimal amount of complexity will depend on the context.<br /><br />A BMW is more complex than a bicycle. If your goal is to take a leisurely ride through a park to enjoy the weather while getting some exercise, then a bicycle may be a great fit. And a BMW will miss the mark entirely. If the goal is to find a vehicle for your daily commute to work, you might still opt for a bicycle, but you'll be balancing the desire for less complexity with the BMW's feature advantages of getting you there quicker, shielding you from the weather, and requiring less effort. If your intended use-cases involve cross-country trips or travel in severe weather, the complexity of BMW engineering becomes a thing of desire. And if you fall in love with the way a BMW handles corners at speed, well... let's just say you may stop thinking about complexity altogether.<br /><br />Getting back to IAM, here are some <b>IAM features</b> to consider:<br />
<ul>
<li>Enterprise Access Mgt - Context-Aware Adaptive Access and Fraud Detection</li>
<li>Enterprise Access Mgt - API Security and Protocol Translation</li>
<li>Enterprise Access Mgt - Social Logon and Identity Validation</li>
<li>Enterprise Access Mgt - Mobile App for Strong Authentication</li>
<li>Enterprise Access Mgt - Enterprise Single Sign On</li>
<li>Mobile Security - Secure App Management and Endpoint Data Protection</li>
<li>Mobile Security - True SSO to backend applications from the mobile device</li>
<li>Mobile Security - Apps integrated with Enterprise Access Mgt</li>
<li>Identity Governance - Integrated Access Requests and Provisioning</li>
<li>Identity Governance - Entitlement Certifications</li>
<li>Identity Governance - Single point of audit across cloud, mobile, and enterprise</li>
<li>Privileged Account Management - Proxied Access, Session Management</li>
<li>Privileged Account Management - Session Recording</li>
<li>Privileged Account Management - Emergency Access</li>
</ul>
When you begin to think about how these capabilities can be used to enable <b>new business opportunities</b>, it starts to feel like a BMW approaching a corner. And you'll be glad you're not on a bicycle.<br /><br /><b>The Evolution of Mobile Security</b> (Matt Flynn, 2014-04-02)<br />Today, I posted a blog entry to the <a href="https://blogs.oracle.com/OracleIDM/" target="_blank">Oracle Identity Management</a> blog titled <a href="https://blogs.oracle.com/OracleIDM/entry/when_mdm_and_mam_are" target="_blank">Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements</a>. In the post, I walk through a quick history of mobile security starting with MDM, evolving into MAM, and providing a glimpse into the next generation of mobile security where access is managed and governed along with everything else in the enterprise. It should be no surprise that's where we're heading but as always I welcome your feedback if you disagree.<br />
<br />
Here's a brief excerpt: <br />
<blockquote class="tr_bq">
Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models. </blockquote>
<blockquote class="tr_bq">
Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.</blockquote>
<a href="https://blogs.oracle.com/OracleIDM/entry/when_mdm_and_mam_are" target="_blank">Continue Reading</a><br /><br /><b>Deep Data Governance</b> (Matt Flynn, 2014-02-24)<br />One of the first things to catch my eye this week at RSA was a <a href="http://www.stealthbits.com/press/item/107-stealthbits-puts-sensitive-information-into-the-data-access-governance-mix-with-stealthaudit-6-3" target="_blank">press release by STEALTHbits</a> on their latest Data Governance release. They're a long time player in DG and as a former employee, I know them fairly well. And where they're taking DG is pretty interesting.<br />
<br />
The company has recently merged its enterprise Data (files/folders) Access Governance technology with its DLP-like ability to locate sensitive information. The combined solution enables you to locate servers, identify file shares, assess share and folder permissions, lock down access, review file content to identify sensitive information, monitor activity to look for suspicious activity, and provide an audit trail of access to high-risk content.<br />
<br />
The STEALTHbits solution is pragmatic because you can tune where it looks, how deep it crawls, where you want content scanning, where you want monitoring, etc. I believe the solution is unique in the market, and a number of IAM vendors agree, having chosen STEALTHbits as a partner of choice for gathering Data Governance information into their Enterprise Access Governance solutions.<br />
<br />
Learn more at the <a href="http://www.stealthbits.com/index.php" target="_blank">STEALTHbits website</a>.<br /><br /><b>RSA Conference 2014</b> (Matt Flynn, 2014-02-24)<br />I'm at the RSA Conference this week. I considered the point of view that perhaps there's something to be said for abstaining this year but ultimately my decision to maintain course was based on two premises: (1) RSA didn't know the NSA had a backdoor when they made the arrangement and (2) The conference division doesn't have much to do with RSA's software group.<br />
<br />
Anyway, my plan is to take notes and blog or <a href="https://twitter.com/matthewflynn" target="_blank">tweet</a> about what I see. Of course, I'll primarily be looking at Identity and Access technologies, which is only a subset of Information Security. And I'll be looking for two things: <b>Innovation</b> and <b>Uniqueness</b>. If your company has a claim on either of those in IAM solutions, please try to catch my attention.<br /><br /><b>IAM for the Third Platform</b> (Matt Flynn, 2014-02-06)<br />As more people are using the phrase "<b>third platform</b>", I'll assume it needs no introduction or explanation. The
mobile workforce has been mobile for a few years now. And most organizations have moved critical services to cloud-based offerings. <b>It's not a prediction, it's here.</b><br />
<br />
The two big components of the third platform are <b>mobile and cloud</b>. I'll talk about both.<br />
<br />
<b>Mobile</b><br />
<br />
A few months back, I posed the question "<a href="http://360tek.blogspot.com/2013/11/is-mam-identity-and-access-managements.html" target="_blank">Is MAM Identity and Access Management's next big thing?</a>" and since I did, it's become clear to me that the answer is a resounding YES!<br />
<br />
Today, I came across a blog entry explaining why <a href="https://www.foursys.co.uk/Pages/Article/why-android-devices-are-a-security-nightmare-for-compaines" target="_blank">Android devices are a security nightmare for companies</a>. <b>The pain is easy to see.</b> OS Updates and Security Patches are slow to arrive and user behavior is, well... questionable. So organizations should be concerned about how their data and applications are being accessed across this sea of devices and applications. As we know, locking down the data is not an option. In the <b>extended enterprise</b>, people need access to data from wherever they are on whatever device they're using. So, the challenge is to <b>control the flow of information</b> and restrict it to proper use.<br />
<br />
So, here's a question: is MDM the right approach to controlling access for mobile users? Do you really want to <b>stand up a new technology silo</b> that manages end-user devices? Is that even practical? I think certain technologies live a short life because they quickly get passed over by something new and better (think electric typewriters). MDM is one of those. Although it's still fairly new and good at what it does, I would make the claim that <b>MDM is antiquated technology</b>. In a BYOD world, people don't want to turn control of their devices over to their employers. The age of enterprises controlling devices went out the window with Blackberry's market share.<br />
<br />
<b>Containerization is where it's at.</b> With App Containerization, organizations create a secure virtual workspace on mobile devices that enables corporate-approved apps to access, use, edit, and share corporate data while protecting that data from escape to unapproved apps, personal email, OS malware, and other on-device leakage points. For enterprise use-case scenarios, this just makes more sense than MDM. And many of the top MDM vendors have validated the approach by announcing MAM offerings. Still, these solutions maintain a technology silo specific to remote access which doesn't make much sense to me.<br />
<br />
As an alternate approach, let's build MAM capabilities directly into the existing Access Management platform. <b>Access Management for the third platform must accommodate for mobile device use-cases. </b>There's no reason to have to manage mobile device access differently than desktop access. It's the same applications, the same data, and the same business policies. User provisioning workflows should accommodate for provisioning mobile apps and data rights just like they've been extended to provision Privileged Account rights. You don't want or need separate silos.<br />
<br />
<b>Cloud </b><br />
<br />
The same can be said for cloud-hosted apps. <b>Cloud apps are simply part of the extended enterprise</b> and should also be managed via the enterprise Access Management platform.<br />
<br />
There's been a lot of buzz in the IAM industry about managing access (and providing SSO) to cloud services. There have even been a number of niche vendors pop up that provide that as their primary value proposition. But, the core technologies for these stand-alone solutions are nothing new. In most cases, it's basic federation. In some cases, it's ESSO-style form-fill. But <b>there's no magic to delivering SSO to SaaS apps</b>. In fact, it's typically easier than SSO to enterprise apps because SaaS infrastructures are newer and support newer standards and protocols (SAML, REST, etc.)<br />
<br />
<b>My Point</b><br />
<br />
I guess if I had to boil this down, I'm really just trying to <b>dispel the myths about mobile and cloud solutions</b>. When you get past the marketing jargon, we're still talking about <i>Access Management</i> and <i>Identity Governance</i>. Some of the new technologies are pretty cool (containerization solves some interesting, complex problems related to BYOD). But in the end, I'd want to manage enterprise access in one place with one platform. <b>One Identity, One Platform.</b> I wouldn't stand up an IDaaS solution just to have SSO to cloud apps. And I wouldn't want to introduce an MDM vendor to control access from mobile devices.<br />
<br />
<b>The third platform simply extends the enterprise beyond the firewall.</b> The concept isn't new and the technologies are mostly the same. As more and newer services adopt common protocols, it gets even easier to support increasingly complex use-cases. An API Gateway, for example, allows a mobile app to access legacy mainframe data over REST protocols. And modern Web Access Management (WAM) solutions perform device fingerprinting to increase assurance and reduce risk while delivering an SSO experience. Mobile Security SDKs enable organizations to build their own apps with native security that's integrated with the enterprise WAM solution (this is especially valuable for consumer-facing apps).<br />
<br />
And all of this should be delivered on a single platform for Enterprise Access Management. <b>That's third-platform IAM</b>.<br /><br /><b>Is MAM Identity and Access Management's next big thing?</b> (Matt Flynn, 2013-11-21)<br />Mobile Application Management is <a href="http://techcrunch.com/2013/11/18/to-drum-up-byod-business-oracle-quietly-acquires-enterprise-security-startup-bitzer-mobile/" target="_blank">making waves</a>. Recent news from Oracle, IBM, and Salesforce highlights the market interest. It's a natural extension of what you've been hearing at Identity trade shows over the past few years (and this year's Gartner IAM Summit was no exception). The <a href="http://www.idc.com/research/Predictions13/downloadable/238044.pdf" target="_blank">third platform</a> of computing is not a future state. It's here. And Identity and Access solutions are adapting to accommodate the new use case scenarios. ...onward and upward.<br />
<br />
[Update - <a href="https://blogs.oracle.com/OracleIDM/entry/the_technology_stack_of_mobile" target="_blank">interesting discussion</a> of the IAM technology stack for mobile by SIMIEO]<br /><br /><b>Identity Officer</b> (Matt Flynn, 2013-07-02)<br />This morning, Dave Kearns of KuppingerCole <a href="http://blogs.kuppingercole.com/kearns/2013/07/02/do-you-need-an-identity-officer/" target="_blank">revived an old conversation</a> started by <a href="http://idm-thoughtplace.blogspot.com/2006/06/identity-ownership.html" target="_blank">my friend Matt Pollicove</a> of CTI back in 2006 about the potential need for an <i>Identity Officer</i>. I had <a href="http://360tek.blogspot.com/2006/06/chief-identity-officer.html" target="_blank">some comments then</a>, but I wanted to add another thought now that I'm older and a little wiser.<br />
<br />
One of the things I've noticed over recent years is that big, brand name companies who are well-respected for their primary business and their ability to execute on internal IT projects have many little "messes" related to technology that nobody talks about. A mess could be a mistake (bad purchase, wrong implementer) or it could be something that started out OK and grew into a mess over time. One of the common messes out there is related to interconnectivity of various IAM solutions.<br />
<br />
It looks like this: One group within the company bought Oracle or IBM for user account management and built a complex infrastructure around it that they're afraid to touch. Another bought SailPoint or Aveksa - maybe both - and incorporated 40% of the intended applications then the project stalled out. A third group is using Ping for Federation with partners while a fourth runs Microsoft FIM and ADFS to support other partners.<br />
<br />
I recently spoke to the "Lead Architect for IAM" at one of the world's top banks. With a title like that, I figured he'd be in the middle of orchestrating the various interdependencies between IAM systems. When I mentioned an IAM brand name that I knew they had deployed, he said something like, "oh no, that's a different group". He knew it existed but didn't know much more about it.<br />
<br />
In the above scenario, one obvious consideration is that there's time and money spent purchasing and implementing these technologies which have overlapping functionality. It's wasteful and inefficient. But there's a bigger problem with that scenario than cost and maintenance.<br />
<br />
When the business wants to enable some new venture (new partnership, new regulation, M&A, etc.) it's extremely difficult to adapt to new requirements because of all the little messes that would need to be cleaned up. And which group should lead the effort? The access certification system is the newest and its owners have some political pull. But the provisioning system is larger, more established, and now supports the desired certification scenarios. Each of the four or five IAM systems has valuable data. How do you bring it all together to meet the immediate need?<br />
<br />
I probably don't need to spell out where an Identity Officer could have made a positive impact in the above scenario. Reduced cost, reduced overhead, greater flexibility, speed to implement. I think Dave is on to something by reviving this topic. As a doctor of IAM, he's taking a holistic look at the identity needs of organizations. It's not just about technology or workflows. It's also about understanding executive ownership and aligning IAM with business needs. Organizational structure is a big part of that conversation.<br />
<br />
<h2>Virtual Directory as Database Security</h2>
<i>Matt Flynn, 2013-01-29</i><br />
I've written <a href="http://360tek.blogspot.com/search/label/virtual%20directory" target="_blank">plenty of posts</a> about the various use-cases for virtual directory technology over the years. But I came across another today that I thought was pretty interesting.<br />
<br />
Think about enterprise security from the viewpoint of the CISO. There are numerous layers of overlapping security technologies that work together to reduce risk to a point that's comfortable. Network security, endpoint security, identity management, encryption, DLP, SIEM, etc. But even when these solutions are implemented according to plan, I still see two common gaps that need to be taken more seriously.<br />
<br />
One is control over unstructured data (file systems, SharePoint, etc.). The other is back door access to application databases. There is a ton of sensitive information exposed through those two avenues that isn't protected by the likes of SIEM solutions or IAM suites. Even DLP solutions tend to focus on perimeter defense rather than <i>who has access</i>. <a href="http://www.stealthbits.com/" target="_blank">STEALTHbits</a> has solutions to fill the gaps for unstructured data and for Microsoft SQL Server, so I spend a fair amount of time talking to CISOs and their teams about these issues.<br />
<br />
While reading through some IAM industry materials today, I found an interesting write-up on how Oracle is using its virtual directory technology to solve the problem for Oracle database customers. Oracle's IAM suite leverages Oracle Virtual Directory (OVD) as an integration point with an Oracle database feature called Enterprise User Security (EUS). EUS enables database access management through an enterprise LDAP directory (as opposed to managing a spaghetti mapping of users to database accounts and the associated permissions).<br />
<br />
By placing OVD in front of EUS, you get instant LDAP-style management (and IAM integration) without a long, complicated migration process. Pretty compelling use-case. If you can't control direct database permissions, your application-side access controls seem less important. Essentially, you've locked the front door but left the back window wide open. Something to think about.<br />
<br />
<h2>Performing Clean Active Directory Migrations and Consolidations</h2>
<i>Matt Flynn, 2013-01-16</i><br />
<h3>
Active Directory Migration Challenges</h3>
Over the past decade, Active Directory (AD) has grown out of control. It may be due to organizational mergers or disparate Active Directory domains that sprouted up over time, but many AD administrators are now looking at dozens of Active Directory forests and even hundreds of AD domains wondering how it happened and wishing it were easier to manage on a daily basis.<br /><br />One of the top drivers for AD Migrations is enablement of new technologies such as unified communications or identity and access management. Without a shared and clearly articulated security model across Active Directory domains, it’s extremely difficult to leverage AD for authentication to new business applications or to establish the related business rules that may be based on AD attributes or security group memberships.<br /><br />Domain consolidation is not a simple task. Whether you're moving from one platform to another, doing some AD security remodeling, or just consolidating domains for improved management and reduced cost, there are numerous steps, lots of unknowns and an overwhelming feeling that you might be missing something. Sound familiar?<br /><br />One of the biggest fears in Active Directory migration projects is that business users will lose access to their critical resources during the migration. To reduce the likelihood of that occurring, many project leaders choose to enable a <i>dirty</i> migration; they enable <i>historical SIDs</i> which carry old credentials and group memberships from the source domain and apply them to the new domain. Unfortunately, enabling historical SIDs proliferates one of the main challenges that initially drove the migration project. The dirty migration approach maintains the various security models that have been implemented over the years, making AD difficult to manage and nearly impossible to understand in terms of who has what rights across the environment.<br />
<h3>
Clean Active Directory Migrations</h3>
The alternative to a dirty migration is to disallow historical SIDs and thereby enable a <i>clean</i> migration where rights are applied as-needed in an easy-to-manage and well-articulated security model. Security groups are applied to resources according to an intentional model that is defined up-front, and permissions are limited to a least-privilege model where only those who require rights actually get them.<br /><br />Not all consolidation or migration projects are the same. The motivations differ, the technologies differ, and the Active Directory organizational structure and assets differ wildly. Most solutions on the market provide point A to point B migrations of Active Directory assets. This type of migration often contributes to making the problem worse over time. There's nothing wrong with using an Active Directory tool to help you perform an AD forest or domain migration, but knowing which assets to move and how to structure or even restructure them in the target domain is critical.<br /><br />Enabling a clean migration and transforming the Active Directory security model requires a few steps to be followed. It starts with assessment and cleanup of the source Active Directory environments. You should assess what objects are out there, how they’re being used, and how they’re currently organized. Are there dormant user accounts or unused computer objects? Are there groups with overlapping membership? Are there permissions that are unused or inappropriate? Are there toxic or high-risk conditions in the environment? This type of intelligence enables visibility into which objects you need to move, how they're structured, how the current domain compares to the target domain, and where differences exist in GPO policies, schema, and naming conventions. The dormant and unused objects as well as any toxic or high-risk conditions can be remediated so that those conditions aren’t propagated to the target environment.<br /><br />Once the initial assessment and cleanup is complete, a gap-analysis should be performed to understand where the current state differs from the intended model. Where possible, the transformation should be automated. Security groups can be created, for example, based on historical user activity so that group membership is determined by actual need. This is a key requirement for numerous legal regulations.<br /><br />The next step is to perform a deep scan into the Active Directory forests and domains that will be consolidated and look at server-level permissions and infrastructure across Active Directory, File Systems, Security Policies, SharePoint, SQL Server, and more. This enables the creation of business rules that will transform existing effective permissions into the target model while adhering to new naming conventions and group utilization. Much of this transformation should be automated to avoid human error and reduce effort.<br />
<h3>
Maintaining a Clean Active Directory</h3>
Once the migration or consolidation project is complete and adherence to the intended security model has been enforced, it’s vital that a program is in place to maintain Active Directory in its current state. There are a few capabilities that can help achieve this goal. <br /><br />First, a mandatory periodic audit should be enforced. Security Group owners should confirm that groups are being used as-intended. Resource owners should confirm that the right people have the right level of access to their resources. Business managers should confirm that their people have access to the right resources. These reviews should be automated and tracked to ensure that they are completed thoroughly and on-time. <br /><br />Second, tools should be implemented that provide visibility into the environment, answering questions as they come up. When a security administrator needs to see how a user is being granted rights to something they should perhaps not have, they’ll need tools that provide answers in a timely fashion.<br /><br />Third, a system-wide scan should be conducted regularly to identify any toxic or high-risk conditions that occur over time. For example, if a user account becomes dormant, notification should be sent out according to business rules. Or if a group is nested within itself perhaps ten layers deep, you want an automated solution to discover that condition and provide related reporting.<br /><br />Finally, to ensure adherence to Active Directory security policies, a real-time monitoring solution should be put in place to enforce rules, prevent unwanted changes via event blocking, and to maintain an audit trail of critical administrative activity.<br /><br />Complete <a href="http://www.stealthbits.com/stealthaudit-management-platform/directory-services/active-directory-unification" target="_blank">visibility across the entire Active Directory infrastructure</a> enables a clean <a href="http://www.stealthbits.com/by-it-issue/ad-domain-consolidation" target="_blank">AD domain consolidation</a> while making life easier for administrators, improving security, and enabling adoption of new technologies.<br />
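The assessment step above (dormant accounts, empty groups, circular nesting) and the recurring scan described under "Maintaining a Clean Active Directory" share the same checks, so here is one worked example of them. It is an added illustration, not code from the post or from any product it mentions. It is written in Python over a constructed snapshot of users and groups so that it runs offline; in a live environment the same shape of data would come from an AD export (for example via the ActiveDirectory PowerShell module's Get-ADUser and Get-ADGroup). The account names, group names, timestamps and the 90-day dormancy threshold are all constructed for the example.

```python
"""Offline hygiene scan over a constructed Active Directory snapshot.

Flags enabled accounts that are dormant, groups with no members, and groups
that are nested within themselves (membership cycles), and measures the
deepest nesting chain. Added example; not code from the original post."""
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample data (stand-ins for an AD export).
NOW = datetime(2013, 1, 16, tzinfo=timezone.utc)

USERS = {
    "alice":  {"enabled": True,  "lastLogonTimestamp": NOW - timedelta(days=3)},
    "bob":    {"enabled": True,  "lastLogonTimestamp": NOW - timedelta(days=120)},
    "svc-bk": {"enabled": True,  "lastLogonTimestamp": None},   # never logged on
    "carol":  {"enabled": False, "lastLogonTimestamp": NOW - timedelta(days=400)},
}

# Group -> members; a member that is itself a key of GROUPS is a nested group.
GROUPS = {
    "Domain Admins":  ["alice", "Tier0-Ops"],
    "Tier0-Ops":      ["Infra-Ops"],
    "Infra-Ops":      ["Tier0-Ops", "bob"],   # cycle: Tier0-Ops -> Infra-Ops -> Tier0-Ops
    "Legacy-Finance": [],                     # empty group
    "HR-Readers":     ["carol"],
}

DORMANT_AFTER = timedelta(days=90)   # constructed policy threshold


def dormant_accounts(users, now=NOW, threshold=DORMANT_AFTER):
    """Enabled accounts that never logged on or have not within the threshold.
    Disabled accounts are skipped: they are already off the attack surface."""
    out = []
    for name, attrs in users.items():
        if not attrs["enabled"]:
            continue
        last = attrs["lastLogonTimestamp"]
        if last is None or now - last > threshold:
            out.append(name)
    return sorted(out)


def empty_groups(groups):
    """Groups with no members at all; candidates for removal before migration."""
    return sorted(g for g, members in groups.items() if not members)


def nesting_cycles(groups):
    """Walk nested-group membership and return each cycle once, as a tuple
    rotated so that it starts at its alphabetically smallest group name."""
    cycles = set()

    def walk(group, path):
        for member in groups.get(group, []):
            if member not in groups:          # a user, not a nested group
                continue
            if member in path:                # we have been here: a cycle
                cyc = path[path.index(member):]
                start = cyc.index(min(cyc))
                cycles.add(tuple(cyc[start:] + cyc[:start]))
                continue
            walk(member, path + [member])

    for g in groups:
        walk(g, [g])
    return sorted(cycles)


def max_nesting_depth(groups):
    """Length of the longest chain of nested groups (cycles are cut so the
    walk terminates); deep chains are hard to reason about for access reviews."""
    best = 0

    def walk(group, path):
        nonlocal best
        best = max(best, len(path))
        for member in groups.get(group, []):
            if member in groups and member not in path:
                walk(member, path + [member])

    for g in groups:
        walk(g, [g])
    return best


def hygiene_report(users=USERS, groups=GROUPS):
    """Bundle the checks into one report, as a periodic scan would."""
    return {
        "dormant": dormant_accounts(users),
        "empty_groups": empty_groups(groups),
        "cycles": nesting_cycles(groups),
        "max_depth": max_nesting_depth(groups),
    }


if __name__ == "__main__":
    for key, value in hygiene_report().items():
        print(f"{key}: {value}")
```

On the sample data the report lists bob and svc-bk as dormant (carol is dormant but disabled, so it is not an enabled risk), Legacy-Finance as empty, the Infra-Ops/Tier0-Ops cycle, and a maximum nesting depth of three via Domain Admins. The cycle walk keeps the full path rather than a visited set on purpose: a visited set would find that a cycle exists but could not report which groups form it.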
<h4>
About the Author</h4>
<span style="font-size: x-small;"><i>Matt Flynn has been in the Identity & Access Management space for more than a decade. He’s currently a Product Manager at <a href="http://www.stealthbits.com/" target="_blank">STEALTHbits Technologies</a> where he focuses on <a href="http://www.stealthbits.com/stealthaudit-management-platform/data-a-access-governance" target="_blank">Data & Access Governance</a> solutions for many of the world’s largest, most prestigious organizations. Prior to STEALTHbits, Matt held numerous positions at NetVision, RSA, MaXware, and Unisys where he was involved in virtually every aspect of identity-related projects from hands-on technical to strategic planning. In 2011, SYS-CON Media added Matt to their list of the most powerful voices in Information Security.</i></span><br />
<br />
<h2>Reduce Risk by Monitoring Active Directory</h2>
<i>Matt Flynn, 2013-01-16</i><br />
Active Directory (AD) plays a central role in securing networked resources. It typically serves as the front gate, allowing access to the network environment only when presented with valid credentials. But Active Directory credentials also serve to grant access to numerous resources within the environment. For example, AD group memberships are commonly used to manage access to unstructured data resources such as file systems and SharePoint sites. And a growing number of enterprise applications leverage AD credentials to grant access to their resources as well.<br />
<h3>
Active Directory Event Monitoring Challenges</h3>
Monitoring and reporting on Active Directory accounts, security groups, access rights, administrative changes, and user behavior can feel like a monumental task. Event monitoring requires an understanding of which events are critical, where those events occur, what factors might indicate increased risk, and what technologies are available to capture those events.<br />
<br />
Understanding which events to ignore is as important as knowing which are critical to capture. You don't need immediate alerts on every AD User or Group change that takes place, but you want visibility into critical high-risk changes: Who is adding AD user accounts? ...adding a user to an administrative AD group? ...making Group Policy (GPO) changes?<br />
<br />
Active Directory administrators face a complex challenge that requires visibility into events as well as infrastructure to ensure proper system functionality. A complete AD monitoring solution doesn't stop at user and group changes. It also looks at Domain Controller status: which services are running, disk space issues, patch levels, and similar operational and infrastructure needs. There are numerous technical requirements to get that level of detail.<br />
<br />
AD administrators require full access in the environment which presents another set of challenges. How do you enable administrators to do their job while controlling certain high-risk activity such as snooping on sensitive data or accidentally making GPO changes to important security policies? Monitoring Active Directory effectively includes either preventing unintended activities through change blocking or deterring activities through visible monitoring and alerting.<br />
<h3>
Monitoring Active Directory Effectively</h3>
Effective audit and monitoring solutions for Active Directory address the numerous challenges discussed above by providing a flexible platform that covers typical scenarios out-of-the-box without customization but also allows extensibility to accommodate the unique requirements of the environment.<br />
<br />
Data collection is the cornerstone of any Active Directory monitoring and audit solution. Collection must be automated, reliable, and non-intrusive on the target environment. Data that can be collected remotely without agents should be. But, when requirements call for at-the-source monitoring, for example when you want to see WHO did it, what machine they came from, capture before-and-after values, or block certain activities, a real-time agent should be available to accommodate those needs. The data collection also needs to scale to the environment’s size and performance requirements.<br />
<br />
Once data has been collected, both batch and real-time per-event analysis are required to meet common requirements. For example, you may want an alert on changes to administrative groups but you don’t want alerts on all group changes. Or you may want a report that highlights all empty groups or groups with improper nesting conditions. This analysis should provide intelligence out-of-the-box based on industry expertise and commonly requested reporting. But it should also enable unique business questions to be answered. Every organization uses Active Directory in unique ways and custom reporting is an extremely common requirement.<br />
<br />
Finally, once data collection and analysis phases have been completed, AD monitoring solutions should provide a flexible reporting interface that provides access to the intelligence that has been cultivated. As with collection and analysis, the reporting functionality should include commonly requested reports with no customization but should also enable report customization and extensibility. Reporting should include web-accessible reports, search and filtering, access to the raw and post-analysis data, and email or other alerting.<br />
<br />
An effective Active Directory monitoring solution provides deep insight on all things Active Directory. It should enable user, group and GPO change detection as well as reporting on anomalies and high-risk conditions. It should also provide deep analysis on users, groups, OUs, computer objects, and Active Directory infrastructure. Because the types of reports required by different teams (such as security and operations) may differ, it may be prudent to provide slightly different interfaces or report sets for the various intended audiences.<br />
<br />
When real-time monitoring of Active Directory Users, Groups, OUs, and other changes (including activity blocking) is important, the solution should provide advanced filtering and response on nearly all Active Directory events as well as an audit trail of changes and attempts with all relevant information.<br />
<h3>
Benefits of Active Directory Monitoring</h3>
The three most common business drivers for Active Directory monitoring are improved security, improved audit response, and simplified administration. Active Directory audit and monitoring solutions make life easier for administrators while improving security across the network environment. This is especially important as AD becomes increasingly integrated into enterprise applications.<br />
Some common use-cases include:<br />
<ul>
<li><a href="http://www.stealthbits.com/stealthintercept/directory-authority" target="_blank">Monitor Active Directory</a> user accounts for create, modify and delete events. Capture the user account making the change along with the affected account information, changed attributes, time stamp, and more. This monitoring capability acts independently of the Security Event log and is non-repudiable.</li>
<li>Monitor Active Directory group memberships and provide reports and/or alerts in real time when memberships change on important groups such as the Domain Admins group.</li>
<li>Report on failed attempts in addition to successful attempts. Filter on specific types of events and ignore others.</li>
<li><a href="http://www.stealthbits.com/stealthaudit-management-platform/directory-services/active-directory" target="_blank">Report on Active Directory</a> dormant accounts, empty groups, unused groups, large groups, and other high-risk conditions to empower administrators with actionable information.</li>
<li>Automate event response based on policy with email alerts, remediation processes, or recording of the event to a file or database.</li>
</ul>
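The post's requirement of alerting on changes to administrative groups but not on all group changes, recording failed attempts, and running both per-event and batch analysis, shown as one small policy engine. This is an added example, not code from the post or from any product it mentions, and it is written in Python over constructed event records so it runs offline. The Windows Security event IDs used (4720, 4726, 4728, 4732, 4756, 4625, 5136) are the standard ones for those operations; the domain, account and group names, hostnames, the GPO distinguished name (a placeholder) and the three-failure threshold are all constructed for the example, and the field names are an assumed shape for what a collector would parse out of the log.

```python
"""Per-event and batch analysis over constructed Active Directory audit events.

High-risk changes (privileged group membership, GPO edits, repeated failed
logons) alert; routine account and group changes are recorded for the audit
trail; everything else is ignored. Added example; not the post's own code."""

# Standard Windows Security event IDs used by this example.
EVENT_NAMES = {
    4720: "user account created",
    4726: "user account deleted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    4625: "logon failure",
    5136: "directory service object modified",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
ACCOUNT_EVENTS = {4720, 4726}

# Groups whose membership changes always alert in real time (constructed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample events; 'subject' is who made the change, 'target' what was changed.
SAMPLE_EVENTS = [
    {"id": 4728, "subject": "CORP\\jsmith", "target": "Domain Admins", "member": "CORP\\tmp-admin", "host": "DC01"},
    {"id": 4728, "subject": "CORP\\hr-sync", "target": "HR-Readers", "member": "CORP\\newhire", "host": "DC02"},
    {"id": 4720, "subject": "CORP\\helpdesk1", "target": "CORP\\newhire", "host": "DC02"},
    {"id": 5136, "subject": "CORP\\jsmith", "object_class": "groupPolicyContainer",
     "target": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example", "host": "DC01"},
    {"id": 5136, "subject": "CORP\\hr-sync", "object_class": "user",
     "target": "CN=newhire,OU=Staff,DC=corp,DC=example", "host": "DC02"},
    {"id": 4625, "subject": "CORP\\jsmith", "target": "-", "host": "DC01"},
    {"id": 4625, "subject": "CORP\\jsmith", "target": "-", "host": "DC01"},
    {"id": 4625, "subject": "CORP\\jsmith", "target": "-", "host": "DC01"},
]


def classify(event):
    """Real-time, per-event policy. Returns (action, rule_name).
    Rules are ordered most specific first, so a Domain Admins change alerts
    even though group changes in general are only recorded."""
    eid = event["id"]
    if eid in GROUP_ADD_EVENTS and event["target"] in PRIVILEGED_GROUPS:
        return "alert", "privileged-group-membership-change"
    if eid == 5136 and event.get("object_class") == "groupPolicyContainer":
        return "alert", "gpo-modified"
    if eid in GROUP_ADD_EVENTS or eid in ACCOUNT_EVENTS:
        return "record", "routine-account-or-group-change"
    if eid == 4625:
        return "record", "failed-logon"
    return "ignore", "unmatched"


def failed_logon_bursts(events, threshold=3):
    """Batch analysis: subjects with at least `threshold` failed logons in the batch.
    A single 4625 is noise; a run of them from one account is worth a look."""
    counts = {}
    for e in events:
        if e["id"] == 4625:
            counts[e["subject"]] = counts.get(e["subject"], 0) + 1
    return {s: n for s, n in counts.items() if n >= threshold}


def process(events):
    """Run both analyses and return (alerts, recorded) as human-readable lines."""
    alerts, recorded = [], []
    for e in events:
        action, rule = classify(e)
        line = (f"{e['host']} {e['id']} {EVENT_NAMES.get(e['id'], 'unknown')}: "
                f"{e['subject']} -> {e['target']} [{rule}]")
        if action == "alert":
            alerts.append(line)
        elif action == "record":
            recorded.append(line)
    for subject, n in failed_logon_bursts(events).items():
        alerts.append(f"{n} failed logons by {subject} [failed-logon-burst]")
    return alerts, recorded


if __name__ == "__main__":
    found_alerts, found_records = process(SAMPLE_EVENTS)
    print("ALERTS:", *found_alerts, sep="\n  ")
    print("RECORDED:", *found_records, sep="\n  ")
```

On the sample batch this yields three alerts (the Domain Admins addition, the GPO modification, and the burst of failed logons by jsmith) and five recorded lines (the HR-Readers addition, the account creation, and the three individual failures); the routine attribute change on a user object is ignored. Keeping the privileged-group list and the failure threshold as data rather than code is what lets the same engine absorb an organization's own "unique business questions" without a rewrite.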
Active Directory Monitoring and Reporting doesn't need to feel complicated or overwhelming. Solutions are available to simplify the process while providing increased security and reduced risk.<br />
<br />
<h2>Gartner IAM Notes</h2>
<i>Matt Flynn, 2012-12-06</i><br />
In case you missed all the live tweeting <a href="https://twitter.com/matthewflynn" target="_blank">by me</a> and <a href="https://twitter.com/search?q=%23GartnerIAM" target="_blank">others</a>, here are some notes from this week's Gartner IAM Summit:<br />
<ul>
<li>There seemed to be a common theme that the primary driver for IAM projects has shifted from operational (early) to compliance (recent) to business enablement (now).</li>
<li>Communication to the business stakeholders is key. (not new, but as important as ever)</li>
<li>IAM and IAG seem to be converging.</li>
</ul>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">(from Chris Howard’s keynote)</b></div>
<br />
<ul>
<li>The CIO’s business goals are to increase business growth, attract new customers, and reduce cost.</li>
<li>The CIO’s IT goals are to deliver solutions,
manage infrastructure, reduce cost of IT, and expand analytics.</li>
</ul>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">(from Jeff Wheatman’s
session on DG)</b></div>
<br />
<ul>
<li>Despite increasing requirements, less than 10% of orgs will get above maturity level 1 by 2015.</li>
<li>Solutions that help identify ownership and
accountability are very immature.</li>
</ul>
<br />
<div class="MsoNormal">
Customers will look at solutions that can:</div>
<br />
<ul>
<li>3. Prevent situations (most difficult & expensive)</li>
<li>2. Alert & Notify upon a high-risk situation</li>
<li>1. Document & Accept risk (which is OK for many – least costly)</li>
</ul>
<br />
<div class="MsoNormal">
Unstructured data remains a very big problem.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b style="mso-bidi-font-weight: normal;">(from Lori Rowland’s
session on Selling IAM with Perry Carpenter and Tom Scholtz)</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
ROI is impossible to demonstrate. Business cases are based
on:</div>
<br />
<ul>
<li>Efficiency: any perceived time savings</li>
<li>Effectiveness: improved audit, tracking, and regulatory compliance</li>
<li>Enablement: enhance business opportunities, reduce friction, integrate networks, etc.</li>
</ul>
<br />
<div class="MsoNormal">
You must continuously show value to the business by communicating success and
building credibility with regular, honest feedback. You can do this by stating
goals clearly up front and tracking toward them. One great example was to send
stakeholders a survey asking where their pain lies, have them rate that pain on a
1-10 scale, and then track improvements in those pain scores over time to
demonstrate progress and success.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Roughly 45% of attendees reported that IAM was sponsored by the CIO and 45% by
the CISO. Two things everyone has in common as drivers: <b>Time &amp; Money</b>.</div>
Matt Flynn (http://www.blogger.com/profile/09902381553517250020)