Tuesday, June 26

Good-Enough Compliance?

In this article from CIO magazine a few months ago, Allan Holmes discusses the challenge of surviving a regulatory audit. This excerpt sums it up:
“The dirty little secret here is that everybody tries to figure out how much risk they can assume without being embarrassed or caught,” says David Taylor, a former Gartner security analyst and now vice president for data security strategies for Protegrity, a security and privacy consultancy. “The people I regularly talk to are trying to figure out if [their security] fails, what’s the smallest amount they need to do to stay out of trouble and how they can blame someone else.”
To make matters worse, different auditors interpret the regulations differently, and enforcement metrics are open to interpretation. Holmes points to another article on the ROI of noncompliance in the mid market, in which he quotes a PwC advisory partner as stating that “You can get 80 to 90 percent of what you need to find ... and that does a lot to comply.” In a related article back in September, CIO pointed out that executives across all industries are making slow but incremental improvements in deploying information security policies and technologies.

Looking at all of this information together, it seems that an extremely functional tool set that maximizes value on the dollar and gets an organization 80% down the road toward full compliance may be more compelling to many organizations than an all-encompassing solution that consumes a huge portion of the security budget (and effort) and gets them closer to 90% or 95% down that road.

I believe compliance is more shades-of-grey than all-or-none. But, how much so? Holmes seems to be suggesting that it's extremely open to interpretation and that executives are constantly looking to deploy a minimalist solution that will win the CYA game while exerting as few man-hours and dollars as possible. It's an interesting discussion to be sure. Thoughts?

See the Statue

An old friend has migrated to a new blog titled Marcus Lasance's Identity Management and Privacy blog and posted today about the relationship between identity and philosophy. It's a topic that immediately caught my attention because I was a philosopher before I was a techie. I did my undergraduate work in Philosophy at a small mountainside university and I often took long hikes up the mountain to reflect on life's big questions. That was back when I was a user - you know, one of those people who just log in and use a computer without thinking about what's happening under the hood. It's been a long time. Do you remember when you were a user? Enough digression.

For me, the take-away from Marcus' comments is that we should remind ourselves to remove our blinders as we envision a new system design or architecture. We all have blinders of one kind or another - whether it's prejudice against data redundancy or preconceived notions of identity. We ought always to start with the essence of what we're trying to build and work outward from there - like Michelangelo, who saw the statue within the block of marble. The question you should be asking is: What are the business requirements that we want to solve? If they're unclear, start over and try again. If they are clear, make sure that your design decisions support meeting those requirements, and don't get caught up in pre-existing ideas about Microsoft or databases or enterprise architecture. Thanks for the reminder, Marcus!

Wednesday, June 13

More on LDAP and the Novell-Microsoft Bridge

While at Tech-Ed, I picked up some literature on the efforts of Novell and Microsoft to build bridges with each other toward interoperability. I found that they also have a web site on this topic where you can still read the original press releases and FAQs from November 2006. Conspiracy theories aside, interoperability is probably a good thing.

While I was looking for more info on their planned directory & identity interoperability, I came across an article titled Novell eDirectory vs. Microsoft Active Directory. I can assure you that it's not part of the interoperability literature. In fact, I wouldn't be surprised if it's soon taken offline to preserve the recently positive flow of energy between these two companies. While it's clearly and unapologetically written to sway would-be buyers toward Novell's directory product, it's quite an interesting read for those evaluating LDAP options. If you read my introduction to LDAP directories and are ready for a more thorough drill-down that doesn't require you to read the LDAP RFCs, it's a good next step. Novell provides a thorough business-level view of what to look for in a directory server.

Incidentally, I didn't find much on their plans for directory interoperability. From what I could find, it sounds like any identity interoperability will initially be at the user access layer and not at the data storage layer. If you have any more details, please comment!

Monday, June 11


I mentioned previously that 70% of electronic attacks originate inside the firewall. And 90% of attacks are perpetrated by technical employees with privileged access. These are FBI/Computer Security Institute stats. I don't have a link to the original source, but I've seen it quoted in numerous places across the web and by numerous organizations. I believe the original data should be at gocsi.com, but I didn't have luck getting that site to load.

This isn't just stats from a survey. This is real world. Even from our common experience, we know that Joe from Accounting and Sally from Marketing aren't cracking the DBA password and writing the database contents out to a private FTP server for sale on the black market. It's the DBA who already has access, realizes how easy it would be and figures, what the heck. While at RSA, I talked to customers about the shift from perimeter-centric security to information-centric security. I primarily focused on authentication of users, access control to information and data protection via encryption technologies. My next move focuses on the same threat, but from a different angle.

NetVision is a company that's been around 12 years and has a strong legacy position in the Novell NetWare solutions arena, providing audit, reporting and monitoring of NetWare environments. In 2003, when Novell purchased SUSE, the writing was on the wall: NetWare might not be the operating system of the future. NetVision made the natural move and began to support eDirectory and SUSE Linux. Now, NetVision supports Active Directory environments as well.

So we now have the ability to provide audit, reporting and monitoring of Windows, NetWare and SUSE Linux environments to ensure that organizational security objectives are being met. How does that relate back to the threat mentioned above? Well, in the identity management arena, your privileged users are the domain admins, enterprise admins and super users. If you're one of those privileged users and you want to hide your tracks, you can just create a new user, grant it elevated rights, log on as that user to perform some actions, then remove the user from the system. In many environments, there's no way to prevent that or even know it's happening.

NetVision can enforce security policies even amongst the system administrators. We can intercept an attempt to skirt the security policy, reverse the changes and send alerts to appropriate parties. And we can provide a nice audit trail of what changes were made, when and by whom. NetVision is solely focused on the identity space. Primarily, we're looking at data in AD or eDirectory, but also file systems, event logs and more. What we're not looking at is firewall or IDS logs -- we're not trying to be a solution that would consume logs from every device on the network. And that gives us a leg up when it comes to drilling down on identity information.
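To make the "create, elevate, use, delete" pattern concrete, here is an added example of the correlation a directory monitor has to do to catch it after the fact. This is illustration code written for this post, not NetVision's product and not any vendor's API. It assumes a constructed tab-separated export of Windows Security log events using the Vista/Server 2008-era event IDs (4720 account created, 4728/4732 member added to a global/local security group, 4726 account deleted); the actor names, group names and timestamps in the sample are made up. Prevention, as opposed to detection, would require hooking the directory write itself, which a log reader cannot do.

```python
"""Flag short-lived accounts that were granted privileged group membership and
then deleted: the "create a user, elevate it, act as it, delete it" trick.

Added example for this post. Not NetVision code. The event IDs are the
Windows Vista / Server 2008 Security log IDs; on Windows Server 2003 the
same events carry IDs 4096 lower (624 created, 632 added to group, 630 deleted).
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}
ACCOUNT_CREATED = 4720
MEMBER_ADDED = {4728, 4732}     # global and local security group membership
ACCOUNT_DELETED = 4726

# Constructed sample export: time, event id, subject (who did it), target, group.
# svc_tmp is the abuse case; newhire01 is a normal provisioning event.
SAMPLE_LOG = """\
2007-06-11T01:02:03\t4720\tjsmith\tsvc_tmp\t-
2007-06-11T01:02:40\t4728\tjsmith\tsvc_tmp\tDomain Admins
2007-06-11T01:03:10\t4624\tsvc_tmp\tsvc_tmp\t-
2007-06-11T01:03:55\t5136\tsvc_tmp\tCN=Finance,OU=Groups,DC=corp\t-
2007-06-11T01:25:00\t4726\tjsmith\tsvc_tmp\t-
2007-06-11T09:00:00\t4720\thelpdesk\tnewhire01\t-
2007-06-11T09:01:00\t4728\thelpdesk\tnewhire01\tSales
"""


def parse_events(text):
    """Parse the constructed export into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, subject, target, group = line.split("\t")
        events.append({
            "time": datetime.fromisoformat(when),
            "id": int(event_id),
            "subject": subject,
            "target": target,
            "group": None if group == "-" else group,
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_transient_admins(events, max_lifetime=timedelta(hours=24)):
    """Return one finding per account that was created, added to a privileged
    group and deleted within max_lifetime, with what it did in between."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)

    findings = []
    for account, evs in by_target.items():
        for i, e in enumerate(evs):
            if e["id"] != ACCOUNT_CREATED:
                continue
            created, creator = e["time"], e["subject"]
            elevated_to, deleted_at = None, None
            for later in evs[i + 1:]:
                if later["id"] in MEMBER_ADDED and later["group"] in PRIVILEGED_GROUPS:
                    elevated_to = later["group"]
                elif later["id"] == ACCOUNT_DELETED:
                    deleted_at = later["time"]
                    break
            if elevated_to is None or deleted_at is None:
                continue
            if deleted_at - created > max_lifetime:
                continue
            # Everything the throwaway account did while it existed: this is
            # the audit trail the admin was trying to leave no name on.
            actions = [x for x in events
                       if x["subject"] == account and created <= x["time"] <= deleted_at]
            findings.append({
                "account": account,
                "creator": creator,
                "group": elevated_to,
                "lifetime": deleted_at - created,
                "actions": actions,
            })
    return findings


if __name__ == "__main__":
    for f in find_transient_admins(parse_events(SAMPLE_LOG)):
        print(f"{f['creator']} created {f['account']}, added it to {f['group']}, "
              f"deleted it after {f['lifetime']}; {len(f['actions'])} event(s) performed as it")
```

The correlation key is the target account across the three membership events, with the subject of the 4720 and 4726 events as the human actor; that is what links the anonymous actions back to the administrator. The `helpdesk`/`newhire01` lines do not fire because Sales is not a privileged group and the account is never deleted.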

I think we're in a very important space and we're presented with a unique opportunity to bring identity management to the next level with regard to integrated policy enforcement. I know that sounds a bit theatrical, but I'm excited to be ahead of the curve on this one. I don't know the stats, but most companies are running Windows/AD or Novell. And some have started to implement IdM to the extent that user account creation and/or modifications are automated -- maybe they even keep an audit trail, but there's still a big need out there for the ability to provide reports on whether or not we're in compliance with our intended policies. And it's even better if we can prevent or reverse an attempt to purposely subvert policy. And we can. Ask for it wherever quality identity solutions are sold.

Tuesday, June 5

At Tech-Ed?

If you're in Orlando at Microsoft Tech-Ed, please stop by the NetVision booth tomorrow and say hello.