I've been pretty focused recently on Access Governance and specifically how large organizations can get their arms around the problem of access as it relates to unstructured data (mostly file systems and SharePoint). Most of the people I speak to who have responsibility for answering the related tough questions are simply overwhelmed by the sheer size and complexity of the challenge.
It led me to consider that there are a different set of tasks I'd recommend to those people than I might to someone who has a somewhat more mature access governance program. So, I started documenting an Access Governance Continuum; a maturity model of sorts that discusses how to tell where you stand and what the ideal next steps might be. A whitepaper is in the works, but essentially it looks something like this:
Confused > Planning > Cleaning > Maintaining
To illustrate a few examples:
In the Confused stage, you might want to run scans to identify open file shares. In the Planning stage, you'd be identifying data owners / custodians for those shares. In the Cleaning phase, you'd be working to clean up trouble spots and diving deeper based on what you've found. And in the Maintenance stage, you'd be automating some of the cleanup based on business rules.
This is all based on real-world projects, what has worked for the world's largest organizations, and how that knowledge translates to a mid-market need for pragmatic solutions.
...more to come.
Security for the Digital Transformation: Cloud, Data, Identity & Access.
Sunday, January 22
Friday, November 11
Identity Solutions and Unstructured Data
Being in the space for so long, I'm always looking for ways to provide new, interesting functionality. To date, identity (IAM) solutions have no insight into the usage of unstructured data. And it would be really cool if they did.
IAM vendors have only recently begun thinking about unstructured data at all. Some have the ability to look across file system permissions and perhaps include rights information in reports along with basic user and group data. I don't think any do a great job of including a view across file system, Sharepoint, SQL Server, and Exchange Public Folders. But regardless of platform, the capability seems to stop at reporting on rights as they exist at some point in time.
The next logical step would be to watch user activity and be able to provide recommendations and reporting on usage along with permissions. Then, you could make better decisions. Think about this: IAM gives department managers the ability to manage security groups. Maybe they know what the group should access. And maybe they have some idea of what users should be in the group. But, there's no easy way to see which members of the group have exercised those rights and actually accessed the resources in question. Or even whether those resources are actually still relevant. (Have they been accessed? By who? How does that affect the concept of 'least privilege'?)
I'd love to hear your thoughts.
BTW, this isn't purely rhetorical. But, you'll have to be patient if you want more details. ;)
IAM vendors have only recently begun thinking about unstructured data at all. Some have the ability to look across file system permissions and perhaps include rights information in reports along with basic user and group data. I don't think any do a great job of including a view across file system, Sharepoint, SQL Server, and Exchange Public Folders. But regardless of platform, the capability seems to stop at reporting on rights as they exist at some point in time.
The next logical step would be to watch user activity and be able to provide recommendations and reporting on usage along with permissions. Then, you could make better decisions. Think about this: IAM gives department managers the ability to manage security groups. Maybe they know what the group should access. And maybe they have some idea of what users should be in the group. But, there's no easy way to see which members of the group have exercised those rights and actually accessed the resources in question. Or even whether those resources are actually still relevant. (Have they been accessed? By who? How does that affect the concept of 'least privilege'?)
I'd love to hear your thoughts.
BTW, this isn't purely rhetorical. But, you'll have to be patient if you want more details. ;)
Wednesday, September 14
The Most Powerful Voices in Security
It's been almost a week since SYS-CON Media's Jim Kaskade included me in their list of the 100 Most Powerful Voices in Security. Since then, as you might imagine, it's been an absolute media circus for me. People are calling and emailing to ask my advice and there are young security analysts camped outside my home. But, I'd like to take this opportunity to point out that it's not a list of the most knowledgeable practitioners of security. This is essentially acknowledgement of having a "powerful voice". Growing up, people phrased it differently as "you've got a big mouth".
Levity aside, I think the list is a great idea. It's always good to consolidate disparate information. But the formula for MPV, as Kaskade writes, is based on reach and not knowledge, usefulness of analysis, or trustworthiness. I'd like to dream that I might end up on one of those lists some day.
Kaskade's use of the word 'influencers' brought me right back to Gladwell's book The Tipping Point and made me wonder if this is really a list written for marketers rather than for security decision makers. Even if that is the case, then it's probably a good idea to follow the people on the list as they might identify emerging trends - perhaps by analysis, but as Gladwell points out, perhaps by causation (whether intentional or not).
Being a first attempt, Kaskade has already identified a few omissions and I'm sure everyone has opinions on others that should be included. For example, Art Coviello of RSA gives the opening keynote address at the biggest conference in the security industry every year and runs the security division of one of the world's biggest data storage and management companies. That's reach. And I can call almost anyone I know in the Identity space and they'll know what topic was covered in Dave Kearns' last NetworkWorld newsletter. A niche, perhaps, but certainly reach.
Having said all that, I'm still honored that anyone would consider me in such a list. Being included in any list with that group of individuals is humbling to say the least. It makes me feel like I need to work harder to earn the spot.
What's your take?
Levity aside, I think the list is a great idea. It's always good to consolidate disparate information. But the formula for MPV, as Kaskade writes, is based on reach and not knowledge, usefulness of analysis, or trustworthiness. I'd like to dream that I might end up on one of those lists some day.
Kaskade's use of the word 'influencers' brought me right back to Gladwell's book The Tipping Point and made me wonder if this is really a list written for marketers rather than for security decision makers. Even if that is the case, then it's probably a good idea to follow the people on the list as they might identify emerging trends - perhaps by analysis, but as Gladwell points out, perhaps by causation (whether intentional or not).
Being a first attempt, Kaskade has already identified a few omissions and I'm sure everyone has opinions on others that should be included. For example, Art Coviello of RSA gives the opening keynote address at the biggest conference in the security industry every year and runs the security division of one of the world's biggest data storage and management companies. That's reach. And I can call almost anyone I know in the Identity space and they'll know what topic was covered in Dave Kearns' last NetworkWorld newsletter. A niche, perhaps, but certainly reach.
Having said all that, I'm still honored that anyone would consider me in such a list. Being included in any list with that group of individuals is humbling to say the least. It makes me feel like I need to work harder to earn the spot.
What's your take?
Friday, August 19
Mobile Apps for Health
Jennifer Flynn (same family) who is a health field professional has a bog called Health & Productivity Thinker where she posted yesterday on Mobile Apps for Health. She asks "what type of app would you want to use for your health?"
As a security professional, I'm very interested in the answer. As an industry, we spend a lot of time focused on information privacy and health information is among the most talked about types.
Health organizations spend a fortune on personal health information protection (perhaps primarily in an effort to comply with HIPAA). Johns Hopkins and similar organizations have reported spending $4-5 Million in their early HIPAA compliance efforts. Earlier this year, the HHS fined one provider in MD $4.3M for a privacy violation. CVS paid over $2M in 2009 and Rite Aid $1M in 2010. Walgreens is currently being investigated. Early on, Gartner estimated that the industry would spend near $4B per year on HIPAA and the HHS estimated it would cost the industry $18B in the first decade. (I couldn't find current/actual numbers)
So, protection of consumer health information is a big deal. A lot of time, money, and energy is expended in the process. But do people really care? If someone gave you an app for your phone that enabled you to carry around your complete medical history for easy distribution to doctors and health providers -- and it meant you'd never have to fill out another form in a doctor's office waiting room -- would you use it? My guess is that most people would. If it makes life easier, it will get used regardless of the privacy risk.
We all know that our phones and computers are susceptible to privacy breaches, eavesdropping, and other data leakage, but would that stop you from using an app that improved your health? Made life easier? I'd love to know, so if 2000 of you would please go answer Jennifer's question, I'd appreciate the info.
As a security professional, I'm very interested in the answer. As an industry, we spend a lot of time focused on information privacy and health information is among the most talked about types.
Health organizations spend a fortune on personal health information protection (perhaps primarily in an effort to comply with HIPAA). Johns Hopkins and similar organizations have reported spending $4-5 Million in their early HIPAA compliance efforts. Earlier this year, the HHS fined one provider in MD $4.3M for a privacy violation. CVS paid over $2M in 2009 and Rite Aid $1M in 2010. Walgreens is currently being investigated. Early on, Gartner estimated that the industry would spend near $4B per year on HIPAA and the HHS estimated it would cost the industry $18B in the first decade. (I couldn't find current/actual numbers)
So, protection of consumer health information is a big deal. A lot of time, money, and energy is expended in the process. But do people really care? If someone gave you an app for your phone that enabled you to carry around your complete medical history for easy distribution to doctors and health providers -- and it meant you'd never have to fill out another form in a doctor's office waiting room -- would you use it? My guess is that most people would. If it makes life easier, it will get used regardless of the privacy risk.
We all know that our phones and computers are susceptible to privacy breaches, eavesdropping, and other data leakage, but would that stop you from using an app that improved your health? Made life easier? I'd love to know, so if 2000 of you would please go answer Jennifer's question, I'd appreciate the info.
Friday, July 29
FireFox Sync: Ease of Use and Security Implications
Although, I most often cover business-related identity issues, this post is going to focus on an issue for home users (that also applies to business). In the past, I wrote about the differences between Web SSO and ESSO. And I recently wrote about Mozilla's BrowserID which is focused on home users but is more closely aligned to Web SSO than today's topic.
I've used a variety of browsers over the years from Netscape 2 and IE 3 through today's versions of Chrome and FireFox. Although it was considered uncool by many, I primarily used IE for a number of years. But today, I almost exclusively use FireFox 5. It's fast, intuitive, good security features, control over privacy, extensible via plugins, etc. But one of the killer features for me is FireFox Sync.
I have all my bookmarks and preferences synced across multiple computers and my smart phone. It's extremely convenient and even encouraged me to finally organize my bookmarks - something I hadn't really done in the 15 years I've been online. But, there's an aspect to Sync that's incredibly dangerous.
It's dangerous because it makes life so darned easy. It's a fantastic feature from a user perspective. Sync includes browser-stored passwords. So, sign in at home and get automatic logon from work and mobile without needing to remember or re-type passwords. I can't count the number of times I was mobile and couldn't access a site from my phone because I didn't have the password. With Firefox Sync, my passwords can be automatically sync'ed across all my devices saving time and making life easy. My typical blog audience should already know where I'm going with this.
When you organize your sites in bookmarks and auto-save passwords, you make it very easy for anyone who accesses your workspace to get quick access to ALL of your favorite sites. How likely is it that someone could get a hold of your smart phone or laptop? Well, it's not unlikely. Here are some stats. Losing a phone used to mean shelling out a few bucks for a new one. Today, it means someone could get immediate access to every site you use with your own credentials. You've made it way too easy. You even have a folder for your banking sites so they know where to quickly find all your account information.
The above scenario (which makes the user experience seamless and easy) is the security equivalent of leaving cash on your dashboard with the car unlocked, the windows rolled down, while you walk around the mall handing out maps that show how to find your car.
Firefox Sync raises your risk profile and should only be used in combination with locked down devices, smart selection of which sites you'll include in your bookmarks, discipline to not store sensitive passwords, and you should set a master password so everything isn't left wide open. The tech security industry is getting better with each new release, but we're still in the infancy. We need to stay alert.
Happy surfing.
I've used a variety of browsers over the years from Netscape 2 and IE 3 through today's versions of Chrome and FireFox. Although it was considered uncool by many, I primarily used IE for a number of years. But today, I almost exclusively use FireFox 5. It's fast, intuitive, good security features, control over privacy, extensible via plugins, etc. But one of the killer features for me is FireFox Sync.
I have all my bookmarks and preferences synced across multiple computers and my smart phone. It's extremely convenient and even encouraged me to finally organize my bookmarks - something I hadn't really done in the 15 years I've been online. But, there's an aspect to Sync that's incredibly dangerous.
It's dangerous because it makes life so darned easy. It's a fantastic feature from a user perspective. Sync includes browser-stored passwords. So, sign in at home and get automatic logon from work and mobile without needing to remember or re-type passwords. I can't count the number of times I was mobile and couldn't access a site from my phone because I didn't have the password. With Firefox Sync, my passwords can be automatically sync'ed across all my devices saving time and making life easy. My typical blog audience should already know where I'm going with this.
When you organize your sites in bookmarks and auto-save passwords, you make it very easy for anyone who accesses your workspace to get quick access to ALL of your favorite sites. How likely is it that someone could get a hold of your smart phone or laptop? Well, it's not unlikely. Here are some stats. Losing a phone used to mean shelling out a few bucks for a new one. Today, it means someone could get immediate access to every site you use with your own credentials. You've made it way too easy. You even have a folder for your banking sites so they know where to quickly find all your account information.
The above scenario (which makes the user experience seamless and easy) is the security equivalent of leaving cash on your dashboard with the car unlocked, the windows rolled down, while you walk around the mall handing out maps that show how to find your car.
Firefox Sync raises your risk profile and should only be used in combination with locked down devices, smart selection of which sites you'll include in your bookmarks, discipline to not store sensitive passwords, and you should set a master password so everything isn't left wide open. The tech security industry is getting better with each new release, but we're still in the infancy. We need to stay alert.
Happy surfing.
Friday, July 22
Introducing FishEye Group
Two weeks ago, I updated and re-announced my Identity Management list and since then I've added a dozen or so more entries. Among the new ones, I had the pleasure to add a newcomer to the Identity Management space. My good friend and long time colleague Kishan Malineni has finally incorporated on his own and will bring his talents to the identity industry as FishEye Group. Full disclosure: He asked if I would assist with business strategy and I accepted an unpaid position on the board. And I'm excited to help.
If you don't know Kishan, it's because he hasn't spent much time blogging, tweeting, or hitting the conference circuit. He has spent 50+ hours a week for the past decade hands-on actually building identity management solutions (and winning the hearts of CIOs and project sponsors). Everybody that has worked with him has positive things to say about his technical skills, integrity, work ethic, and positive attitude. Most recently, he has earned an excellent reputation as one of the industry's leading integrators of Oracle's OIM 11g. In a previous role, he developed the first real-world implementation in the higher education vertical (possibly globally) of Oracle Identity Manager 11g. He also developed the industry's first set of cloud connectors for OIM.
FishEye Group has hit the ground running with it's first project already underway and is in the process of putting partnerships in place and placing a number of additional projects on the calendar.
If you're looking for assistance with OIM 11g, product evaluations, identity management strategy, or other identity-related services, please give Kishan a shout and hear what he has to say. His pragmatic approach and enthusiasm for the technology will no doubt win you over.
If you don't know Kishan, it's because he hasn't spent much time blogging, tweeting, or hitting the conference circuit. He has spent 50+ hours a week for the past decade hands-on actually building identity management solutions (and winning the hearts of CIOs and project sponsors). Everybody that has worked with him has positive things to say about his technical skills, integrity, work ethic, and positive attitude. Most recently, he has earned an excellent reputation as one of the industry's leading integrators of Oracle's OIM 11g. In a previous role, he developed the first real-world implementation in the higher education vertical (possibly globally) of Oracle Identity Manager 11g. He also developed the industry's first set of cloud connectors for OIM.
FishEye Group has hit the ground running with it's first project already underway and is in the process of putting partnerships in place and placing a number of additional projects on the calendar.
If you're looking for assistance with OIM 11g, product evaluations, identity management strategy, or other identity-related services, please give Kishan a shout and hear what he has to say. His pragmatic approach and enthusiasm for the technology will no doubt win you over.
Monday, July 18
BrowserID a Threat to Individual Freedom?
The folks at Mozilla recently introduced BrowserID. You can compare it to OpenID, but there are some key differences. The basic idea - a single set of authentication credentials across multiple sites and simplified logon to each as facilitated by the browser. Ian Yip took an interesting look at BrowserID from the an Identity Management industry perspective and how it relates to what we call identity federation. For more details on how it works, check Lloyd Hilaiel's post.
But that's not what I wanted to write about. I'm more interested in SC Magazine's article headlined Mozilla BrowserID "seriously flawed" and Roger Clarke's Reaction to Mozilla's BrowserID Proposal, which was the subject of the SC Mag article. My first point is simply: go read it. It gives you a lot to think about. My second point, though, is a little more complex.
Clarke makes some interesting and compelling arguments about Internet privacy and individual freedom. I can't say that his logic is incorrect or that his points are invalid, because they're not. But his anger (characterized by phrases like "seriously flawed 'identity management' schemes" and "its design is seriously threatening to individual freedoms") may be a bit misplaced.
I agree with Richard that BrowserID is not THE solution to solve the Internet's authentication and privacy problem. But that's not the challenge that Mozilla has sought to solve. Not every site that requires a logon is a major privacy risk. I have probably 50 or more web site accounts to manage and I welcome solutions to my credential management problem. I'm a security guy but I will gladly introduce some level of risk to make life easier when browsing a large number of those sites. We all do to a degree. e.g.) It's less risky to go to a library anonymously to look something up in a book but the Internet at home is just so much more convenient that we risk being eavesdropped or introducing malware to our systems every time we use it.
It reminds me of the old argument that two-factor authentication is useless because it's susceptible to MITM attacks. BrowserID won't be a silver bullet for all authentication scenarios and maybe not even for ANY scenarios that require high security or strong assertions about the user, but it could still be a useful way for end-users who want to simplify the logon process. Claiming that BrowserID is seriously flawed because it doesn't address issues outside of its own scope just seems wrong and even somewhat irresponsible. The IT industry's version of media sensationalism maybe?
I don't mean to pick on SC Mag - the title got me to read Richard's article, which is the purpose of a strong title, but I'm pulling for one of these solutions (OpenID, CardSpace, BrowserID) to make it into the mainstream so that my life will be a little easier. And creating hysteria and FUD around them doesn't help with user adoption.
But that's not what I wanted to write about. I'm more interested in SC Magazine's article headlined Mozilla BrowserID "seriously flawed" and Roger Clarke's Reaction to Mozilla's BrowserID Proposal, which was the subject of the SC Mag article. My first point is simply: go read it. It gives you a lot to think about. My second point, though, is a little more complex.
Clarke makes some interesting and compelling arguments about Internet privacy and individual freedom. I can't say that his logic is incorrect or that his points are invalid, because they're not. But his anger (characterized by phrases like "seriously flawed 'identity management' schemes" and "its design is seriously threatening to individual freedoms") may be a bit misplaced.
I agree with Richard that BrowserID is not THE solution to solve the Internet's authentication and privacy problem. But that's not the challenge that Mozilla has sought to solve. Not every site that requires a logon is a major privacy risk. I have probably 50 or more web site accounts to manage and I welcome solutions to my credential management problem. I'm a security guy but I will gladly introduce some level of risk to make life easier when browsing a large number of those sites. We all do to a degree. e.g.) It's less risky to go to a library anonymously to look something up in a book but the Internet at home is just so much more convenient that we risk being eavesdropped or introducing malware to our systems every time we use it.
It reminds me of the old argument that two-factor authentication is useless because it's susceptible to MITM attacks. BrowserID won't be a silver bullet for all authentication scenarios and maybe not even for ANY scenarios that require high security or strong assertions about the user, but it could still be a useful way for end-users who want to simplify the logon process. Claiming that BrowserID is seriously flawed because it doesn't address issues outside of its own scope just seems wrong and even somewhat irresponsible. The IT industry's version of media sensationalism maybe?
I don't mean to pick on SC Mag - the title got me to read Richard's article, which is the purpose of a strong title, but I'm pulling for one of these solutions (OpenID, CardSpace, BrowserID) to make it into the mainstream so that my life will be a little easier. And creating hysteria and FUD around them doesn't help with user adoption.
Wednesday, July 13
Security Policy vs. Operational Needs
I've written a number of times about human behavior and end users. My point has been that security needs to be: (1) easier or cheaper (2) built-in and transparent and (3) continuous / not periodic. Yesterday, I heard the problem described in an interesting way.
I had the opportunity to sit in on a webinar provided by LogicTrends and CA. The topic was privileged accounts and compliance. I believe it was LogicTrends' CTO Phil Lentz who described part of the problem as this (paraphrased):
What I believe he meant is that system administrators ignore security policies for tactical reasons. They are almost forced to breach policy in an effort to get their jobs done more efficiently. I don't think that's anything new, but I've traditionally chalked it up to human behavior. Lentz's description lead me to think the problem was more systemic.
It wouldn't matter how disciplined the person sitting behind the keyboard is. There is an inherent disconnect between the person's operational duties and the organization's security policies. It's an interesting perspective and may indicate that there's hope. By creating more synergy between policy and operational procedure, the human-nature problem can be at least muted if not eliminated. Again, not a new concept, but a new angle by which to see it.
I had the opportunity to sit in on a webinar provided by LogicTrends and CA. The topic was privileged accounts and compliance. I believe it was LogicTrends' CTO Phil Lentz who described part of the problem as this (paraphrased):
Security Policy doesn't always match operational needs or expectations.
What I believe he meant is that system administrators ignore security policies for tactical reasons. They are almost forced to breach policy in an effort to get their jobs done more efficiently. I don't think that's anything new, but I've traditionally chalked it up to human behavior. Lentz's description lead me to think the problem was more systemic.
It wouldn't matter how disciplined the person sitting behind the keyboard is. There is an inherent disconnect between the person's operational duties and the organization's security policies. It's an interesting perspective and may indicate that there's hope. By creating more synergy between policy and operational procedure, the human-nature problem can be at least muted if not eliminated. Again, not a new concept, but a new angle by which to see it.
Subscribe to:
Posts (Atom)