Thursday, December 18

Trust But Verify

Yesterday, I posted on The Value of Security Audit and Bruce Schneier's recent writings on the topic. Today, Richard Stiennon posted on the topic in an expansion of his three security laws.

He writes (abbreviated):

"...the first two rules could be simplified to 1. Don't trust the network. 2. Don't trust end points. But that level of simplicity does not transfer to people. You have to trust your users. So, borrowing from Ronald Reagan's immortal words 'Trust but verify,' you have to apply the following...

1. Strong authentication and granular access controls.
2. A published policy on acceptable use of resources.
3. A monitoring and alerting system that informs the user of policy violations."
He continues and suggests that making security achievable requires all three. The idea that monitoring and alerting is required has finally become mainstream. More and more smart people seem to be listing it as a necessary component of a secure environment.

...our little baby is all grown up (sniff).

Wednesday, December 17

The Value of Security Audit

Bruce Schneier wrote in the Wall St. Journal last week:

Most security against crime comes from audit. Of course we use locks and alarms, but we don't wear bulletproof vests. The police provide for our safety by investigating crimes after the fact and prosecuting the guilty: that's audit.
Wouldn't it be nice if the police got an email alert every time a gun was fired with the name of the person shooting, where it happened, time & date, what they hit, what type of gun, etc.? Schneier was obviously using an analogy to talk about information technology.

And in IT, these types of alerts are actually possible!

Also, earlier in the article, Schneier concisely sums up a related point:
Audit helps ensure that people don't abuse positions of trust.
So, yes – Audit to catch and deter evil doers (to use the term one last time) AND to ensure that system administrators' power is kept in check. And go for the fancy email alerts too.
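An added example, not from the original post, from Schneier's article, or from Stiennon's: the "who, what, when, where" alert described above, applied to directory and file-system change records. It covers both the monitoring-and-alerting requirement in Stiennon's third rule and the point here about keeping administrators' power in check. The log format, the field names, the privileged-group list, the business-hours window, and the "outsourced operator" account are all assumptions constructed for the example; a real deployment would read the platform's own audit events instead.

```python
"""Audit-trail alerting over directory change records (added example, constructed data)."""
import shlex
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Constructed sample records in a hypothetical, simplified format:
#   <ISO timestamp> <recording host> <actor> <action> <target> [member=<account>]
# Quoted targets are allowed so names with spaces survive tokenising.
SAMPLE_LOG = """\
2008-12-17T09:15:02Z dc01 jsmith GROUP_MEMBER_ADDED "Domain Admins" member=svc-backup
2008-12-17T09:20:44Z dc01 jsmith GROUP_MEMBER_ADDED "Sales" member=bjones
2008-12-17T23:41:10Z fs01 msp-ops ACL_CHANGED "Finance Share" member=msp-ops
2008-12-17T10:02:55Z dc01 admin1 GROUP_MEMBER_REMOVED "Domain Admins" member=olduser
2008-12-17T10:05:00Z dc01 jsmith PASSWORD_RESET alice
"""

GROUP_ACTIONS = {"GROUP_MEMBER_ADDED", "GROUP_MEMBER_REMOVED"}


@dataclass(frozen=True)
class Record:
    when: datetime          # time & date of the change
    where: str              # host that recorded it
    who: str                # account that made the change (the "shooter")
    action: str             # what kind of change
    target: str             # group, share, or account acted upon
    member: Optional[str]   # account whose rights changed, if any


@dataclass
class Policy:
    # Assumed policy values; tune for the environment being audited.
    privileged_groups: frozenset = frozenset({"Domain Admins", "Enterprise Admins", "Schema Admins"})
    business_start: time = time(8, 0)
    business_end: time = time(18, 0)
    outsourced_actors: frozenset = frozenset({"msp-ops"})  # hypothetical MSP account


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    record: Record

    def message(self) -> str:
        """Render the alert as the who/what/when/where sentence an admin would receive."""
        r = self.record
        what = f"{r.action} on {r.target!r}" + (f" (member {r.member})" if r.member else "")
        return f"[{self.severity}] {self.rule}: {r.who} did {what} at {r.when.isoformat()} on {r.where}"


def parse_record(line: str) -> Record:
    """Parse one log line of the constructed format into a Record."""
    tokens = shlex.split(line)
    when_s, where, who, action, target = tokens[:5]
    attrs = dict(t.split("=", 1) for t in tokens[5:] if "=" in t)
    when = datetime.strptime(when_s, "%Y-%m-%dT%H:%M:%SZ")
    return Record(when, where, who, action, target, attrs.get("member"))


def evaluate(rec: Record, policy: Policy) -> List[Alert]:
    """Apply the policy rules to a single record; a record may trip several rules."""
    alerts: List[Alert] = []
    # Rule 1: any membership change to a privileged group is reported, always.
    if rec.action in GROUP_ACTIONS and rec.target in policy.privileged_groups:
        alerts.append(Alert("HIGH", "privileged-group-change", rec))
    # Rule 2: an administrator changing rights on their own account (power kept in check).
    if rec.member is not None and rec.member == rec.who:
        alerts.append(Alert("HIGH", "self-service-rights-change", rec))
    # Rule 3: changes outside the assumed business-hours window.
    if not (policy.business_start <= rec.when.time() < policy.business_end):
        alerts.append(Alert("MEDIUM", "after-hours-change", rec))
    # Rule 4: let the customer see every change made by an outsourced operator.
    if rec.who in policy.outsourced_actors:
        alerts.append(Alert("INFO", "outsourced-operator-change", rec))
    return alerts


def run(log_text: str, policy: Optional[Policy] = None) -> List[Alert]:
    """Evaluate every non-empty line of a log and return the alerts in log order."""
    policy = policy or Policy()
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_record(line), policy))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert.message())
```

Running the block on the constructed log produces five alerts: the two "Domain Admins" membership changes, and three for the single after-hours ACL change by the outsourced account, which also granted itself rights. The routine "Sales" change and the password reset produce nothing, which is the point of a policy: the alerts that arrive are the ones worth reading.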

Tuesday, December 16

Dixon on Identity, Context, Preference, and Persona

Yesterday, Mark Dixon offered a very clear and concise explanation of identity, context, preference, and persona. And I agree with his definitions. This would've been useful for my discussion with Marty on the Identity Reference Model. I was pretty much using the same definitions and making the case that in actual implementations, personas (which are more abstract in nature) are usually mapped 1-1 with specific user accounts.

Friday, December 12

Melding Identity Technology into Future Architecture

One of the really fun things about being in technology is thinking about what COULD BE in the future. By now, we've all heard the promises of SOA and Identity Federation technologies. We've seen each of them implemented to some degree. We've discussed policy servers and XACML that enable systems to share authorization information. But I think we'd all agree that we're in the pretty early stages of figuring out how an enterprise could really use all this stuff together in the future.

Last month, Todd Clayton took an ambitious step toward doing just that. He took the concept of what we want to see in the future – systems communicating freely and sharing information – and mapped out how it can be achieved using today's technology.

I don't know if the FOA moniker is the right fit (many smart IT people still don't really understand the first use of federation; we probably shouldn't start using the term elsewhere). But the concept is really interesting.

Now, if only there were a few brave organizations who were willing to take a leap and build out their future architecture a little early... it would be really interesting to see what we'd learn from them.

Thursday, December 11

Small Orgs Hit by Economy - Maximize Your Budget

A new CIO article titled How to Maximize your IT Security Budget discusses how to make the most of your IT Security budget given current economic, regulatory, and threat conditions.

Cybercriminals are finding it easier to move downstream and target small to medium businesses... Regardless of whether you are... [smaller] ...you face the same problems as a global enterprise when a breach occurs: potential fines, bad press, class-action lawsuits and customer attrition.
I have noticed recently that the effects of PCI-DSS are extending out of retail and into Healthcare and other verticals. HIPAA is extending into law firms and other organizations that somehow support healthcare rather than actually being healthcare.

So yes, the NEED to provide security and proof-of-security (audit) seems to be GROWING as BUDGETS to address the needs are SHRINKING.

NEED - GROWING
BUDGET - SHRINKING

...not an ideal scenario. So, what do you do?

Page 2 has the tips on how to maximize the budget. Basically, you need to look at efficiency, automation, and finding the right fit (rather than blowing the budget on something that attempts to cover everything). Think Operationalizing Security.

One thing I took away from SC World Congress was the fact that smart people are still recommending an approach that includes business alignment and risk analysis rather than a shotgun approach. Be a surgeon. Figure out your risks and find the right way to address them while balancing cost, approach, efficiency, etc. Don't just keep boarding up all the windows.

Friday, December 5

SC World Congress - NYC

I'm looking forward to a couple days in the city next week for SC World Congress. It's sort of my home turf, so I look forward to taking some visitors downtown for some food and drink - maybe falafel on MacDougal St? What events are happening after the show hours? Let me know if you'll be there - I always like to meet up in person. Feel free to leave a comment if you have a sponsored event or other happening in association with the event.

BTW - speaking of MacDougal, if you have nothing to do and like good live music, check out Cafe Wha? while you're there. It's a landmark.

Thursday, December 4

Industry's First Managed Service for Identity & Access Audit

Last week, I mentioned NetVision's new Managed Service Offering. Now, it's official. The press release is out.

I know you don't all want to hear me blabbering on about my products, but bear with me on this one for two reasons:

1 - It's what I do all day, so it's hard to NOT talk about it.

2 - This is REALLY interesting stuff. I'm not talking about a new feature or bug fixes. This is a new way of delivering solutions that really makes life easier and is more cost effective for our customers. Nobody else is doing this.

Here's what it boils down to:

Our software has gotten better over the years. It's been around for a decade and we have scars, battle wounds, lessons learned, and the benefit of the collective experience of twelve years' worth of customers. But solution software isn't enough.

You need hardware, platform OS software, database and reporting software, and it all needs to be installed, configured, maintained, and integrated. Assuming all of that is done, to get the answers you need, you'll also need knowledge -- of the systems that you want to audit and of the requirements (what questions should you ask).

So let's say that you spend some consulting dollars to get the system set up, it's producing all the right answers, and you get knowledge transfer on how to use the system. What happens when requirements change? Or when the guy who was trained leaves the company or switches roles?

Systems are complex by nature. Understanding how to tie together directory, file system, database, and reporting takes a fair amount of knowledge -- especially when you think about re-configuring, tweaking settings and performance, troubleshooting issues, etc. And when you're doing it for the first time or it's not your primary job function, it can be inefficient, to say the least.

So, we put our money where our mouth is. We will maintain the investment in expertise. Expertise in the systems we rely on, the systems we audit, our own system, and the requirements & best practices needed to coax out the right answers. We already do this stuff, so we decided to scale it out a bit and pass the economy of scale cost savings on to our customers.

We made improvements to the management interface, nailed down the hardware requirements into an appliance, and put resources in place to deliver the service and the monitoring.

I'd love to know what you think. I'm particularly interested in those of you who are setting up managed identity services businesses. This is something that can help you keep an eye on the effectiveness of the IAM solutions you manage. AND it can help your customers keep an eye on what changes you might be making to their environment. It's also a great solution for organizations that outsource IT and have no in-house directory expertise but want to monitor access rights and other directory or file system rights changes.

Visit our site for more info on Microsoft Active Directory solutions or Novell eDirectory solutions. I look forward to hearing what you think.