Security for the Digital Transformation: Cloud, Data, Identity & Access.
Friday, July 24
Contest for AD Admins
NetVision is running a contest for AD administrators. There's a relatively good chance to win $1000 if you can come up with a good caption for the cartoon provided. The idea here is simple. We're looking for some feedback and perspective from administrators. In exchange, we're giving away some cash. No tricks. Instead of paying for advertising that reaches the wrong audience half the time, we're paying the audience directly. Please pass it along to your AD admin friends.
Thursday, July 23
Identity in the Cloud
Over the past year, there have been a number of identity management solutions popping up that aim to help companies deal with identities in Software-as-a-Service (SaaS) / Cloud applications. Here's a list of the solutions that I've encountered:
Cloud Identity - SaaS Identity and Access Management solution. Provides provisioning, workflow, audit reporting, and SSO. Leverages existing enterprise credentials. [more info]
Conformity - SaaS Identity and Access Management solution. Provides provisioning, workflow, and audit reporting for select cloud applications. Leverages Active Directory (or other on-premise repository) accounts as the source. [more info]
Identropy IC2 - Identity Management solution for SaaS applications. Leverages existing Identity infrastructure and work flow to provision accounts to cloud applications via the IC2 SPML gateway. [more info]
MyOneLogin - SaaS Identity and Access Management solution. Provides SSO and Secure Logon to cloud applications and web sites. Enables Account Management for select SaaS applications. Tracks SaaS application usage across apps from a single location. [more info]
Nordic Edge Opacus - SaaS Identity and Access Management solution. Provides Secure Logon to cloud applications. Synchronizes accounts from on-premise repository to cloud systems. Enables delegated user administration for cloud applications. [more info]
PingConnect - SaaS SSO solution for Salesforce CRM, Google Apps, and 60+ other SaaS applications. Leverages existing enterprise credentials, Google Apps Logon ID, or Salesforce credentials. [more info]
SecurAct - SaaS Identity and Access Management solution. Provides provisioning, work flow, SSO, and audit reporting for both local and cloud applications. Leverages Active Directory accounts as the source. [more info]
Symplified - SaaS Identity and Access Management solution. Provides provisioning, audit reporting, authentication, and SSO across local and cloud apps. Leverages existing enterprise credentials. Can also prevent side-door access. [more info]
NOTE TO VENDORS - please feel free to reach out if my description above is incorrect. I'm happy to make corrections where appropriate or provide additional differentiators. I also encourage comments that help identify how products stand apart from the others by end-users or vendors.
[Updated Aug 04, 2009]
[Updated Jul 29, 2009]
Cloud Identity - SaaS Identity and Access Management solution. Provides provisioning, workflow, audit reporting, and SSO. Leverages existing enterprise credentials. [more info]
Conformity - SaaS Identity and Access Management solution. Provides provisioning, workflow, and audit reporting for select cloud applications. Leverages Active Directory (or other on-premise repository) accounts as the source. [more info]
Identropy IC2 - Identity Management solution for SaaS applications. Leverages existing Identity infrastructure and work flow to provision accounts to cloud applications via the IC2 SPML gateway. [more info]
MyOneLogin - SaaS Identity and Access Management solution. Provides SSO and Secure Logon to cloud applications and web sites. Enables Account Management for select SaaS applications. Tracks SaaS application usage across apps from a single location. [more info]
Nordic Edge Opacus - SaaS Identity and Access Management solution. Provides Secure Logon to cloud applications. Synchronizes accounts from on-premise repository to cloud systems. Enables delegated user administration for cloud applications. [more info]
PingConnect - SaaS SSO solution for Salesforce CRM, Google Apps, and 60+ other SaaS applications. Leverages existing enterprise credentials, Google Apps Logon ID, or Salesforce credentials. [more info]
SecurAct - SaaS Identity and Access Management solution. Provides provisioning, work flow, SSO, and audit reporting for both local and cloud applications. Leverages Active Directory accounts as the source. [more info]
Symplified - SaaS Identity and Access Management solution. Provides provisioning, audit reporting, authentication, and SSO across local and cloud apps. Leverages existing enterprise credentials. Can also prevent side-door access. [more info]
NOTE TO VENDORS - please feel free to reach out if my description above is incorrect. I'm happy to make corrections where appropriate or provide additional differentiators. I also encourage comments that help identify how products stand apart from the others by end-users or vendors.
[Updated Aug 04, 2009]
[Updated Jul 29, 2009]
Labels:
authentication,
Cloud,
federation,
identity,
identity management,
Provisioning,
SSO
Tuesday, June 30
Nobody gets fired for buying IBM
I liked this article about how some corporate IT departments are reacting to the economic downturn. "We're using smaller, lighter and cheaper technologies..." says one CIO.
Being that my employer is a small, nimble, innovative software company, I especially liked this quote from CPS Energy CIO Christopher Barron:
Don't get me wrong - I know that many large businesses are run on big name solutions from IBM, SAP, Oracle and the like, but I think we need to be clear that the adage is not an axiom. That is, it's not self-evident. In fact, to some, it might even be nonsensical. Why would it make sense to spend 4x the amount of money to decrease your risk of over-expenditure?
What do you think? Does the adage hold up in today's economy? Will it hold up when we recover? Is it simply a question of finding the right solution for the job, or should it be part of a CIO's objective to put cost out in front of the decision?
Being that my employer is a small, nimble, innovative software company, I especially liked this quote from CPS Energy CIO Christopher Barron:
"With software from smaller vendors, it can take 20% to 40% less time to implement, and if it works, it could save you between three and eight times as much. The catch, of course, is that it doesn't always work. But even failing seems to be cheaper than going with the big guys."I've always heard the adage that 'Nobody gets fired for buying IBM', meaning that even if you spend a little more, you're playing it safe by going with a trusted, well-known name. But the only projects I've ever heard becoming a colossal failure involve solutions from big name vendors with multi-million dollar price tags. And the really cool success stories you hear involve someone accomplishing something great with minimal budget.
Don't get me wrong - I know that many large businesses are run on big name solutions from IBM, SAP, Oracle and the like, but I think we need to be clear that the adage is not an axiom. That is, it's not self-evident. In fact, to some, it might even be nonsensical. Why would it make sense to spend 4x the amount of money to decrease your risk of over-expenditure?
What do you think? Does the adage hold up in today's economy? Will it hold up when we recover? Is it simply a question of finding the right solution for the job, or should it be part of a CIO's objective to put cost out in front of the decision?
Wednesday, June 24
Online Identity Privacy - Users Don't Take Precautions
One of my tenets for online privacy is:
I was looking through the form submissions to my company's web site. There is consistently some percentage of submissions that are auto-submitted SPAM. Sometimes, it's obvious and sometimes not.
Today, I was researching one submission and googled her name and email. The search brought me to a page that listed a spreadsheet of form submissions to another site - complete with names, email, phone numbers, and comments. Some obvious spam, but others obviously real.
They're showing up because of a technical glitch or security issue on the site. The google search brought me directly to the site's administrative page with no logon.
What makes this story interesting is that the site is a Las Vegas escort service and some of the form submissions read as follows:
Two lessons:
btw - Who thinks this privacy breach will be reported?
Don't do anything online that you absolutely want to keep private.Case in point:
I was looking through the form submissions to my company's web site. There is consistently some percentage of submissions that are auto-submitted SPAM. Sometimes, it's obvious and sometimes not.
Today, I was researching one submission and googled her name and email. The search brought me to a page that listed a spreadsheet of form submissions to another site - complete with names, email, phone numbers, and comments. Some obvious spam, but others obviously real.
They're showing up because of a technical glitch or security issue on the site. The google search brought me directly to the site's administrative page with no logon.
What makes this story interesting is that the site is a Las Vegas escort service and some of the form submissions read as follows:
- From a student (@uwec.edu) - "very interested"
- From a student (@wvu.edu) - "I need a price on ____"
- From someone claiming to work at Microsoft - "Hi, I'm planning a trip to Vegas with my fiance but I wanna get away from her for one night. What is the limit to your services and who would you recommend? I need a girl with _____. Thank you for your time." (how polite) ...he may not have put his real company, but another quick search found his email address with a profile telling me that he lives in Seattle(!)
- From a Web Developer in MN - "I am interested in an escort to accompany me to dinner" - (I found his LinkedIn profile because he provided his real company name)
Two lessons:
- First, the obvious one - don't trust web sites to keep your information private.
- Second, (to the security practitioners who read this blog) - don't underestimate how willing people are to give up their personal information to even the most suspect organizations.
btw - Who thinks this privacy breach will be reported?
Monday, June 15
Quick Reference Guides for Windows and AD admins
Active Directory UserAccountControl – Common values related to access rights.
Windows File System Permissions – As labelled in the Windows Security dialog with descriptions for both folders and files.
Windows File System Permissions – As labelled in the Windows Security dialog with descriptions for both folders and files.
Labels:
Active Directory,
AD,
audit,
compliance,
insider threat,
IT security
Wednesday, June 10
Obama Stimulates Compliance Spend
from HIPAA.com:
A new requirement (one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009) will have business associates of covered entities required to comply with the Security Rule safeguard standards, beginning February 17, 2010.
from the article:
Interesting. I need to track down the source docs to see what's real and what is interpretation.
A new requirement (one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009) will have business associates of covered entities required to comply with the Security Rule safeguard standards, beginning February 17, 2010.
from the article:
Covered entities are required to have in place audit controls to(emphasis added)
monitor activity on their electronic systems that contain or use electronic protected health information. In addition, they have to have a policy in place for regularly monitoring and reviewing of audit records to ensure that activity on those electronic systems is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits, and any security incidents.
Monitoring and review of audit trails must be as close to real time as possible to be useful. There is no benefit in discovering a problem days or weeks after it has occurred. How a covered entity sets its policies and procedures will be based on outcomes of the covered entity’s risk analysis. If a security incident occurs, failure to exercise this audit control standard may be proof in an inquiry that a covered entity had the capability of knowing what was occurring, but failed to exercise timely corrective action.
Interesting. I need to track down the source docs to see what's real and what is interpretation.
Wednesday, May 13
The SOFT Insider Threat
I've written a lot about the insider threat and what it means to me. A while back, I spoke to IT Business Edge about my opinion that non-malicious insiders pose a greater risk of causing a breach than malicious insiders. Many in the industry still claim that insiders should not be a major cause for concern and that external threats should get the lion's share of attention.
It's fairly easy to see that malicious attacks cause immediate and expansive financial harm. But, the unintentional or at least non-malicious insider breaches, which I'll call the Soft Insider Threat, occurs far more often – perhaps hundreds of times every day.
Today, I read a story in NetworkWorld titled Inside a Data Leak Audit that illustrates my story.
The IT Director at a pharmaceutical firm facilitated a data leakage audit for his company. Before the audit, the firm believed they "were in good shape". They "had done internal and external audits" and "extensive penetration testing". They had intrusion detection and prevention solutions, laptop encryption, and employee training. What they found out is that "you can do all that and it's just not enough."
The audit, conducted by Networks Unlimited, revealed gaping holes, including:
I call them soft breaches because they're not intended to be harmful and may not ever cause harm or get noticed. But if they happen 10,000 times over the course of two weeks, that's 260,000 security violations each year. And those are real breaches that may violate HIPAA or PCI-DSS, expose employee and customer information, violate business contracts, and otherwise cause potential for harm. It should be pretty apparent that if this happens 260,000 times each year, that's a pretty big attack surface.
As the author and auditor say in the article, don't leave security in the hands of end-users. Automate the important stuff and track activity on a regular basis to ensure that your attack-surface is in-line with your risk tolerance. Don't ignore the soft insider threat just because it gets overlooked. That's the exact reason why you need to address it.
It's fairly easy to see that malicious attacks cause immediate and expansive financial harm. But, the unintentional or at least non-malicious insider breaches, which I'll call the Soft Insider Threat, occurs far more often – perhaps hundreds of times every day.
Today, I read a story in NetworkWorld titled Inside a Data Leak Audit that illustrates my story.
The IT Director at a pharmaceutical firm facilitated a data leakage audit for his company. Before the audit, the firm believed they "were in good shape". They "had done internal and external audits" and "extensive penetration testing". They had intrusion detection and prevention solutions, laptop encryption, and employee training. What they found out is that "you can do all that and it's just not enough."
The audit, conducted by Networks Unlimited, revealed gaping holes, including:
- 700 leaks of critical information, such as Social Security numbers, pricing, financial information and other sensitive data in violation of the PCI-DSS standards.
- Over 4,000 incidents that ran counter to HIPAA and Defense Department Information Assurance Certification rules.
- More than 1,000 cases of unencrypted password dissemination, such as to access personal, Web-based e-mail accounts.
- Employees sent ZIP files and attachments of confidential documents in unencrypted emails.
- An employee attached a clinical study report in an unencrypted email to an outside vendor.
- An employee sent sensitive employee compensation data to an outside survey company inc. salary, bonuses, sales quota, stock options, granted share price and more.
I call them soft breaches because they're not intended to be harmful and may not ever cause harm or get noticed. But if they happen 10,000 times over the course of two weeks, that's 260,000 security violations each year. And those are real breaches that may violate HIPAA or PCI-DSS, expose employee and customer information, violate business contracts, and otherwise cause potential for harm. It should be pretty apparent that if this happens 260,000 times each year, that's a pretty big attack surface.
As the author and auditor say in the article, don't leave security in the hands of end-users. Automate the important stuff and track activity on a regular basis to ensure that your attack-surface is in-line with your risk tolerance. Don't ignore the soft insider threat just because it gets overlooked. That's the exact reason why you need to address it.
Monday, May 11
Defining the Cloud
I just read another definition of Cloud Computing. It was a pretty good one, similar to what I submitted to the non-geek definition conversation. To save you the suspense and extra clicks, Andre Yee defined Cloud Computing as:
In thinking further, I think we should remove applications from the definition. Applications are delivered As a Service or On Demand. But it is infrastructure that is provided 'in the Cloud'. When we talk about Cloud Computing, we're talking about shared infrastructure (hardware, OS, security mechanisms, backup, etc.). I personally wouldn't use cloud terminology to describe what salesforce.com has made famous.
Salesforce isn't sharing infrastructure with other software providers. They're just including the infrastructure as part of the value they provide to customers. Their delivery mechanism internally looks a lot like what cloud computing providers offer, but they're offering it to their own customers.
Cloud Computing is a service for software or solution developers that can reduce cost by leveraging a shared infrastructure that is billed based on use. Those developers then offer their solution As A Service. But, they can also offer their solution As A Service without utilizing a Cloud infrastructure. They can, as Salesforce did, build their own infrastructure.
What do you think? Worthwhile distinction? Clear?
An on-demand delivery model for IT services or applications with the characteristics of multi-tenant hosting, elasticity (variable capacity) and utility based billing.My version was:
Shared computing infrastructure over the web that distributes cost across participants and lowers the cost for each.I actually like Yee's better than mine. I was focused more on the business purpose than actually describing what it is.
In thinking further, I think we should remove applications from the definition. Applications are delivered As a Service or On Demand. But it is infrastructure that is provided 'in the Cloud'. When we talk about Cloud Computing, we're talking about shared infrastructure (hardware, OS, security mechanisms, backup, etc.). I personally wouldn't use cloud terminology to describe what salesforce.com has made famous.
Salesforce isn't sharing infrastructure with other software providers. They're just including the infrastructure as part of the value they provide to customers. Their delivery mechanism internally looks a lot like what cloud computing providers offer, but they're offering it to their own customers.
Cloud Computing is a service for software or solution developers that can reduce cost by leveraging a shared infrastructure that is billed based on use. Those developers then offer their solution As A Service. But, they can also offer their solution As A Service without utilizing a Cloud infrastructure. They can, as Salesforce did, build their own infrastructure.
What do you think? Worthwhile distinction? Clear?
Subscribe to:
Posts (Atom)