Gartner Security and Risk Summit 2011 - Day 4

I am currently attending the Gartner Security and Risk Management Summit 2011. As the final day drew to a close, the sessions didn’t carry significant new material and the ones I was interested in tended to be a bit vendor-sponsorship heavy. I blogged about day 1 here, day 2 here and day 3 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the fourth and final day.

The most noteworthy event that occurred on the final day was a conversation over coffee between myself, a senior security manager at Microsoft and a security manager at SC Johnson who was new to his role. They both shared that their security teams are getting an increase in funding and FTEs. But what I found most interesting was that they each were adding security-focused developers and engineers to their teams in reaction to shifting from pure security governance to security governance plus technical delivery. They each mentioned that they were now starting to build more security solutions rather than just recommending or auditing security for external teams.

This struck me as potentially an interesting trend. I’ve loosely observed the following trend in the banking industry related to security teams and technology (excludes other stuff like vendor management, disaster recovery, etc.):

90s = Security teams mostly handling granting/revoking access, password resets, operational security stuff.

late 90s/early 00s = Security teams adding more technical people to deliver specific security technology back to the IT teams (authentication, encryption, provisioning, some firewall/VPN, etc.) among other governance stuff like patching schedules, anti-virus, access control, web related security, etc.

Mid/late 00s = Security teams unable to add staff at the rate needed to function like a mini-IT shop within the larger IT organization, thus starting to “outsource” security technology back to IT and step up the audit, governance, compliance focus. They also start adding heavy technology assessment to their mix.

Early 10s to the present = Security teams pretty much 100% audit, governance, compliance, assessment focused. Little to no technology ownership/delivery maintained.

Thus, I described this trend to both individuals and went so far as to suggest that we in banking may be approaching another pendulum swing back to security teams looking to re-in-source specific security-related technologies that have been difficult to manage externally. They weren’t able to add a significant perspective since they were just absorbing technical delivery after being previously governance focused. Thus, I wonder if security technology delivery and ownership will oscillate between IT and security teams over time? I whipped up a crude graph to show, over time, the potential for such an in-sourcing and out-sourcing shift of security ownership and delivery:

Thus, will bank security departments that have returned all security technology to IT find it challenging to audit and assess certain technology domains and thus re-absorb them over time? Will non-bank firms that are just now in-sourcing security technology delivery find that they, like banks did, can’t scale, and follow the recent banking IT trend and out-source? Is there ultimately a balance between governance and delivery of security technology? Clearly this isn’t Gartner-level detailed analysis, thus I would greatly appreciate others’ perspectives on my observation and trend suggestion.

Gartner Security and Risk Summit - Day 3

I am currently attending the Gartner Security and Risk Management Summit 2011. As the third day is drawing to a close, the amount of new insight is being overshadowed by overlap with previous sessions. I blogged about day 1 here and day 2 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the sessions I attended on the third day.

The typical pattern at conferences is that as you approach the end, the sessions tend to have ever-increasing overlap with content from previous sessions. One can only talk about going ‘in the cloud’ so much before you start sounding a bit redundant. I’ll avoid covering what I’ve covered prior and only add new tidbits from today’s sessions. And to make things interesting, the session topics I was most interested in were, of course, all happening concurrently, hence I had to make some hard choices and missed out on some very interesting sessions due to the overlap in scheduling.

Presentation:

Disaster ‘in the Cloud’ by Jay Heiser

Right off the bat I had to give Mr. Heiser credit (and tweeted as such during his session introduction) in that he was extremely pragmatic about the hype/branding aspect of ‘the cloud’ versus the real newness from a security and risk perspective. Although he spends his analyst role invested in this topic, he wasn’t overly zealous about his specialty in his presentation. So, all in all, he was an excellent speaker and kept everyone’s attention through what most would find utterly boring: vendor disaster and contingency planning.

Gartner projection: by 2015, a major cloud failure costing millions of dollars and significant loss of data will occur.

He put up an interesting slide that listed recent, major ‘cloud’ related failures:

Aug. 2008, Linkup business fails after losing customer data

Feb. 2009, Onsite3 files for bankruptcy, all customers lose their hosted data

Mar. 2009, 7,000 Carbonite customers lose their backup data

Jun. 2009, LxLabs HyperVM is hacked

  • 100,000 web sites experience data loss
  • 1 month for Oracle and Sun to reconstruct the database

Dec. 2009, Palm Pre online backup fails

Jul. 2010, 6,327 Evernote customers lose four days worth of data

Dec. 2010, 17,000 Microsoft Hotmail accounts lose mail for four days

Feb. 2011, 35,000 Gmail users lose all data

  • Four days to restore those users’ data; 0.2% of Gmail users were affected

2011, Zodiac Island TV: all episodes deleted by disgruntled admin

  • Show’s creators sue Cyberlink over faulty backups

Apr. 2011, Amazon EC2’s multi-day outage, some data loss

All complex systems fail, both in expected and unexpected ways

  • All digital storage systems experience failures that require restoration and sometimes reconstruction
  • Large networks periodically experience feedback loops resulting in cascading failures
  • Clouds are vulnerable to single points of failure and may not be quickly restorable

Session theme = the complexity of the cloud makes it a higher risk of failure (brittleness)

Presentation:

BiTKOO

I stopped by the BiTKOO vendor booth to get the low-down on their product prior to this presentation. They were advertising very heavily that they had an XACML-based externalized entitlement engine for a variety of platforms. Similar to enterprise single sign-on and identity federation being the distributed application security externalization evolution to maturity of the previous decade, XACML and externalized authorization is the application security externalization challenge of this decade (confirmed by Gartner in a later session covered in this post). BiTKOO has a product called KeyStone that provides all the plug-ins to development platforms and the associated UI administration of XACML policies so that no one needs to really know anything about the underlying XACML or XML-based details to externalize authorization.

In speaking with the CEO (you know you are dealing with a startup when the ‘CEO’ is manning the vendor booth), the history is that the CEO and others worked for Disney and developed this authorization externalization framework for Disney’s applications. Disney allowed the tech team to spin off and form their own company. I assume Disney forever gets free licenses and free yttrium-level support out of the deal. Thus, it is a great deal for both sides. Disney gets to turn a fixed cost into a variable cost on their balance sheet and these tech guys get to form their own company with a guaranteed big-name customer and revenue stream to get started. I asked the CEO about VC funding and exit strategy and the claim was they have been profitable since their first quarter of being in business, have plenty of customers and no plans for VC funding nor acquisition. If he is a real CEO, he is trying to find the optimum time to grow via IPO or acquisition. With ‘the cloud’, they have the potential to command an even higher price if XACML becomes the standard for managing entitlements in ‘the cloud’. But I digress.

They had a small 30-minute session where they demonstrated their product and it was quite impressive. Of course, the CEO was doing the demo. BiTKOO is a company to watch. If XACML indeed becomes a standard in ‘the cloud’ for enterprise entitlement management, look for this company to either IPO or get acquired by CA, IBM, Oracle or some other security company for an undisclosed sum that has this techie CEO driving an F40 brand new off the lot.

Presentation:

I attended “The Mobile Security Brothers Traveling Roadshow” almost purely based on the name of the session. Some analysts took a humorous look at the challenges facing companies adopting secure mobile platforms. Nothing really new was covered, but at one point they showed video interviews of conference attendees who had upwards of four mobile devices with them. Some were company-purchased, some were personal but linked to company email, etc. This session further confirmed there is no clear approach to a technically secure mobile solution.

Presentation:

Managing Identity ‘in the Cloud’ by Gregg Kreizman

I was hoping to hear of some standards adoption among cloud providers or some trends suggesting everyone is moving in a particular direction. Unfortunately, it was more of the same theme surrounding ‘the cloud’: vendors rushing to deliver functionality and gain market share and not investing in standards around things like user provisioning.

The good news is SAML 2.0 is being adopted by 20% of current cloud providers and growing rapidly. But OpenID and OAuth (the way you let applications interact with your Facebook, Twitter, Foursquare accounts) are gaining momentum. The challenge I see is similar to the Blu-ray versus HD-DVD battle. While the battle is going on, people invest in one or the other or both or none until one finally wins. The problem is it takes time to eventually figure out who will be the clear leader.

I was very disappointed to hear that SPML and XACML were not being aggressively adopted. This leaves all kinds of inefficient, one-off ways of integration. One-offs drive up costs and require unique security solutions that aren’t reusable.

Below are some raw notes I took during the session:

Authenticating users to cloud systems:

Default way = manually set up users

Batch upload of new accounts, still fairly manual

50% SaaS have provisioning API

Another option is directory sync

Federation, “just in time” provisioning (found rarely in the wild but it exists)

IAMaaS vendors sell you on the value of having done it already

Federation is now the most prevalent way to get SSO to SaaS applications, and is Gartner recommended

Auditing users in the cloud:

Weakest place for standards is the audit/intelligence integration with SIEM; lack of standards

IAMaaS market is very volatile in general

Gartner: by 2015, one out of three IAM solution providers will be new to the IAM market, predominantly in managed, cloud-based offerings.

Gartner: IAMaaS solutions will account for 20% of all new IAM sales by end of 2012, compared with less than 5% in 2011.

Federation = SAML 2.0

SPML not really appearing in the cloud

OpenID established by gov at Level 1 (no assurance of identity)

OAuth 2.0 has password auth built in, might replace OpenID

UMA, give users access to photos ahead of time

AD Federation Services 2.0 supports some SAML

CardSpace 2.0 cancelled by Microsoft, but now investing in U-Prove (interest in EU)

Trends:

Hybrid cloud-enterprise models will rule for a long time

SCIM potential new SaaS provisioning standard (more confusion/distraction)

OpenID/OAuth stack has momentum, but work in progress

Including security requirements in cloud service procurements is an immature practice but maturing

Recommendations:

Partner with business to include security/IAM assessments as part of procurement process.

Judge enterprise readiness with IAMaaS based on corporate risk goals.

Understand your costs for providing internal IAM compared to cloud.

Plan for 3 years before any IAM security assessment standards emerge.

20% of SaaS providers support SAML and that will grow rapidly. Concern is OpenID/OAuth will impact/distract/confuse.

Not seeing Microsoft implementing FIM for IaaS access.

All in all, another good day of interesting perspectives on the security landscape. Look for a summary of the final day 4 tomorrow.

Gartner Security and Risk Summit - Day 2

I am currently attending the Gartner Security and Risk Management Summit 2011. After only the second day, I can honestly say this has been one of the better Gartner conferences I’ve attended. I blogged about day 1 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the sessions I attended on the second day.

Well, let’s get the less interesting stuff out of the way … I sat in on some “the cloud” related presentations on risks and vendor selection and found the material not particularly useful. As you can imagine, “the cloud” has the predictable security and vendor selection challenges that have been around for years when working with vendors. Thus, the marketing/branding hype around “the cloud” is more helpful in giving vendors a new way to position products and service offerings to customers than in creating significantly new challenges for security professionals. I’ve written recently about “the cloud” in more detail here.

Presentation:

New Trends in Fraud Detection: Grappling with the Enemies Within and Without, Gartner Analyst Avivah Litan

Long title. Great presentation.

Instead of the usual fear/scare commentary on fraud, Ms. Litan described recent specific fraud patterns that represent the more complex scenarios of today. A new pattern she described is listed below:

  1. Hacker sets up/rents technology infrastructure for the attack (“the cloud”)
  2. Prepare to target the victim with email, such as using LinkedIn to determine who is in accounts payable at a particular company
  3. Prepare by stealing “Knowledge Based Authentication” or KBA or “Challenge Questions” via collecting from aggregators (compromise the companies offering KBA services) and/or phishing emails to get people to spill information. Go so far as to get the phone company to forward smallbiz phone to the hacker’s phone.
  4. Send spear phishing email to victim that includes specific malware program to get installed on their PC.
  5. Hacker waits for the malware to see a login to their bank. The malware gets the “One Time Password” or OTP, such as from a physical token (RSA, Vasco, etc.), with either a browser redirect to the hacker’s site to collect the OTP, or it allows the victim to perform some transactions but captures the session information, forwards it to the hacker and denies the logout. The user thinks they logged out but the hacker now has the user’s session and keeps accessing the bank as the user.
  6. Hacker executes a fraudulent transaction. The bank confirms the odd payment via phone but since the hacker re-routed the phone to himself plus he has the KBA information, he can confirm the odd payment and thus the bank allows the odd payment to process.

She indicated this pattern was used on the Catholic Diocese of Des Moines, Iowa (more details on that attack here).

Her claim is that current bank on-line “strong” authentication is not enough to handle these new and sophisticated attack patterns. I’ve commented similarly below here based on her blog post earlier here.

In the context of the recent increase in attacks against non-banking institutions such as Sega, Sony, FBI, CIA, RSA, US Congress, etc. reported by the media recently, she indicates that enterprises that aren’t banks don’t have the security measures in place compared to banks, which get attacked regularly. The typical company is monitoring activity but has no existing real-time blocking capabilities for attacks.

She then shared some statistics indicating that 86% of surveyed companies were attacked by malware, but that those same companies are investing in other areas of security where attacks were admittedly less prevalent. I took a picture of the slide of stats but it came out so blurry I can’t share further details. The gist is companies are being attacked by malware but investing in identifying/blocking other attacks that are actually happening less frequently.

She concluded with recommended “best practices”:

Strategy and Policy + Operations + Technology = Solving fraud and misuse problems

She presented five layers of protection to implement after authenticating a user on-line and granting them access to a web site:

Level 1 = end point centric (secure browsing, out of band auth, transaction auth)

Level 2 = navigation centric: analyze and profile user activity for comparison

Level 3 = user and account centric by channel, user business patterns, what credit card folks do

Level 4 = Level 3 but across all channels, online then call center, etc.

Level 5 = Entity link analysis, end of the day dump of details and see cross customer, cross account transaction details

She quoted a Gartner statistic that by 2014, 15% of enterprises will adopt layered fraud detection to compensate for weak authentication of on-line users. Virtualized, on-demand secure browsers will be available by 2014, reducing the need for such layers. The current risk is that companies won’t invest in the anti-fraud layers.

No authentication method alone will stop fraud; additional layers are needed. Enterprises consider malware the #1 threat.

Technical approaches to address each level:

Level 1 = “Secure” browser can block malware. Existing vendors include: Crealogix, Ironkey, TrustDefender, Trusteer; or browser plugins (block APIs into that session with the bank)

Level 1 = Client device identification, traditional profiling stuff, all can be beaten (per Gartner). Browser mining (JavaScript) is best for grabbing all kinds of stuff including clock time down to the milliseconds (looking at time differentials helps determine session takeovers).

Level 1 = Also, mobile location services, linking activity to location (browser location vs. mobile phone location), GPS or mobile proximity to the MSC code in towers, lat/long of device via cell tower; best is using aggregators of the mobile providers’ device locations. I logged in from a PC in Cleveland but my mobile phone is in Florida. The bank should take extra steps to confirm things are a-ok.

Level 2 = Biggest investment is the ability to check page-to-page rates to compare human versus malware (a human takes a random number of seconds between pages whereas programs take predictable milliseconds)

Level 3 = Invest in profiling users, accounts, devices, transactions.

Level 4 = Do what you are doing in Level 3 but do it across all channels.

Level 5 = Invest in entity link analysis. Example = HIV tests in a demographic that normally has none. A doctor who does one procedure starts billing Medicare for new procedures. 10 to 1 return on investment (per Gartner) if implemented comprehensively. Medical billing fraud seems to benefit immediately from this approach.
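To make the Level 1 location check and the Level 2 page-timing check above concrete, here is an added example (not from the session or from this post’s author) of how a bank could score a web session against both signals. The session records, coordinates, thresholds (500 km, a 1-second minimum median gap, a 15% coefficient of variation) and the function names are all constructed assumptions for illustration; a real deployment would tune them against its own traffic.

```python
"""Toy layered fraud-detection checks (added example, constructed data).

Level 1: compare the browser-derived login location with the customer's
         mobile device location; a large distance is a risk signal.
Level 2: inspect inter-page timing; a human pauses a random number of
         seconds between pages, while scripted malware moves in
         predictable intervals.
"""
import math
import statistics
from dataclasses import dataclass


@dataclass
class PageView:
    path: str
    ts: float  # seconds since session start


@dataclass
class Session:
    user: str
    browser_latlon: tuple  # (lat, lon) derived from the browser/IP
    mobile_latlon: tuple   # (lat, lon) reported by the mobile location aggregator
    views: list            # ordered PageView records


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def location_mismatch(session, max_km=500.0):
    """Level 1: browser and phone far apart -> possible session takeover."""
    return haversine_km(session.browser_latlon, session.mobile_latlon) > max_km


def navigation_looks_scripted(session, min_median_gap=1.0, max_cv=0.15):
    """Level 2: sub-second or too-regular page transitions -> likely automation."""
    ts = [v.ts for v in session.views]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return False  # not enough navigation to judge
    if statistics.median(gaps) < min_median_gap:
        return True   # humans do not move between pages in milliseconds
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    return cv < max_cv  # almost identical gaps every time: a paced script


def score_session(session):
    """Return the list of risk flags raised for a session (empty = clean)."""
    flags = []
    if location_mismatch(session):
        flags.append("L1_LOCATION_MISMATCH")
    if navigation_looks_scripted(session):
        flags.append("L2_SCRIPTED_NAVIGATION")
    return flags


# Constructed sample sessions. Cleveland is roughly (41.50, -81.69);
# the "phone in Florida" case from the session uses Miami (25.76, -80.19).
HUMAN = Session("alice", (41.4993, -81.6944), (41.5100, -81.7000),
                [PageView("/login", 0.0), PageView("/accounts", 4.2),
                 PageView("/payees", 12.1), PageView("/pay", 14.7),
                 PageView("/confirm", 26.0)])

FAST_BOT = Session("bob", (41.4993, -81.6944), (25.7617, -80.1918),
                   [PageView("/login", 0.0), PageView("/accounts", 0.21),
                    PageView("/payees", 0.41), PageView("/pay", 0.62),
                    PageView("/confirm", 0.82)])

PACED_BOT = Session("carol", (41.4993, -81.6944), (41.5100, -81.7000),
                    [PageView("/login", 0.0), PageView("/accounts", 3.0),
                     PageView("/payees", 6.0), PageView("/pay", 9.1),
                     PageView("/confirm", 12.1)])

if __name__ == "__main__":
    for s in (HUMAN, FAST_BOT, PACED_BOT):
        print(s.user, score_session(s) or "clean")
```

The paced-bot case is the one worth noting: its median gap is well over a second, so a pure speed threshold passes it, and it is the near-zero variance between page transitions that gives it away. Either flag alone would feed the out-of-band transaction confirmation discussed later in the session rather than block outright.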

All in all, a very data based (rather than hype based as most anti-fraud presentations can be) session.

I asked her the question: Does Gartner have any data to suggest the most effective place within a bank payment application to implement transaction verification: at new payee add, or when a payment transaction is being requested but before confirming/processing? I must not have been clear because she didn’t understand the question. I approached her afterwards and tried to re-explain. She didn’t seem to have that detailed perspective on where to implement such out-of-band confirmation for maximum effect. Thus, I’ll continue to dig on that topic.

All in all, an excellent detailed presentation based on data rather than the typical anti-fraud stuff you come across.

Presentation:

Secure Web Gateways: Intelligently Defending Against the Web 2.0 Threat

First, I congratulate them on working Web 2.0 into the title with so many others preferring “the cloud”. This session was on the traditional security applied to company web surfing, or why you can’t seem to access Facebook or Twitter from your work PC.

Since the demand is for malware protection, the presentation indicated the ways secure web gateway or SWG vendors can approach this with Gartner’s levels of success:

Low – Signature based filtering (ClamAV/Snort)

Med – Multi-feed signatures + vendor enhancements, more sophisticated: botnet command-and-control lists, vendor signatures, reputation feeds, sending the request to the cloud for analysis

High – Real-time in path signature-less detection, active code analysis, exploit signature detection, sand-boxing, traffic pattern analysis

The market today, per Gartner, is at the medium level.

Future = cloud-based secure web gateway as a service, signature-less malware protection, fine-grained app and social media control (example, control Facebook, only allow certain simple/safe features)

Cloud-based SWG is projected to grow faster than in-house hosted solutions (14% to 15% in-house growth rate). By 2015, 25% will have migrated to SWG as a service, up from only 10% of the market currently.

Cloud-based SWG has the typical challenges: authenticating users, directory integration (SAML?), geographic coverage as well as location of origin, and reporting might be an overnight job rather than instant data.

Gartner claim, next generation firewalls will not replace SWG before 2015.

Gartner claim, blocking web sites alone does not materially reduce malware exposure as some might think.

Vendors:

Additionally, I spent some time with IBM product managers to understand what their latest security products will be offering in the near future.

I’ll conclude with an interesting discussion I had with some people from Ecert. They represent a very interesting service offering. Their customers are both the major email service providers (think Gmail, Yahoo, Comcast, Time Warner, etc.) as well as companies that get phished regularly (think banks, PayPal, eBay, American Greetings, etc.). They are trying to combine email authentication to allow phished companies to notice when unknown sources of email are sending out messages (likely spam/phishing) along with giving major email providers a way to ignore phishing emails and provide an indication to their users that an email from a phished company is actually legit. They are endorsed by BITS, which is a non-profit financial services round table of the top 100 US banks. They appear to offer a very unique service that becomes more successful the more banks and email providers join. They offer take-down services as well as other fraudulent-email related services that have the potential to really add value in the authentication of email messaging.

All in all, another good day of interesting perspectives on the security landscape. Look for a summary of day 3 tomorrow.

Gartner Security and Risk Summit - Day 1

I am currently attending the Gartner Security and Risk Management Summit 2011. After the first full day, I can honestly say this has been one of the better first days of a Gartner conference I’ve attended. I blogged about last year’s Gartner Identity and Access Management Summit 2010 here, here and here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. For some reason, the energy and sheer number of different sessions covering the whole gamut of security topics seemed more pervasive than at recent conferences I’ve attended. Maybe it is the 1,800+ people claimed to be in attendance. Maybe it is the recent uptick in media coverage of worldwide security events (such as recent on-line bank fraud, which I covered here). Or maybe it is the tepid increase in corporate spend on security-related initiatives that has given security professionals and vendors a reason to get excited. In any case, below are some of the tidbits of knowledge I captured from the sessions I attended on the first day.

Presentation:

Debora Plunkett, Director of the Information Assurance Directorate, National Security Agency

The demand for security assistance from government agencies is greater than what the NSA can currently supply.

For 60 years, the government has developed its own security technology solutions.

In the last 5 years, there has been a shift of focus to commercially available products.

The government still plans to build security technology solutions, thus it is not a 100% focus on commercial products, but in general a significant switch in focus.

Some additional strategic challenges with focusing on “consumer of the shelf” or COTS solutions:

Assumption is COTS have security holes.

Thus, focus on layering in multiple products.

Additionally, consider “good enough” security, which means that not everything has to be protected at level/tier 1 protection strength.

Major focus: mobile security solution. Seemingly simple use case: allow NSA personnel to have a portable tablet and, when walking through the NSA campus, be able to read/send email and then dock the tablet back at one’s desk to continue working. Additionally, be able to use a mobile device to securely view all levels of confidential material.

In short, the NSA, working with a number of COTS vendors, still hasn’t left the testing phase of the solution-building effort (not PoC, no pilot, still testing). She did share that in order to have a secure solution, the current approach involves creating an MVNO (Mobile Virtual Network Operator) similar to OnStar or what Amazon uses for the Kindle. My understanding is this is similar to having a VPN-ish layer on top of existing carrier technology to secure inter-device/system communications. This is something not available in the wide variety of consumer mobile devices and thus already suggests corporate/enterprise mobile computing is not easily achievable with current consumer platforms. She also shared that the NSA is waiting on requested features to be developed by the COTS vendors involved. This further suggests there isn’t a comprehensive, existing coupling of vendor solutions to produce an enterprise secure mobile computing environment currently or in the near future.

Additionally, she indicated the NSA is working on establishing a “Unified Gold Master” approach to centrally securing a standard image for PC/laptop computing devices. I believe most mid to large companies have been doing this for years (heck, I remember BP creating the “Common Operating Environment” for a worldwide Windows 95 deployment back in 1994). She mentioned the base build is:

  • Windows 7 64bit
  • Internet Explorer 8
  • Office 2007

The Air Force has already adopted it and layered their additional needs on top and called it the “Air Force Standard Desktop”. The Army has done the same and called it the “Army Golden Master”.

A bit unclear on whether Microsoft is the clear vendor choice or if other vendors and platforms will be an option. The speaker indicated there would be support for multiple vendors. Then she said the Microsoft combo was the singular standard, suggesting no other vendor options. Then a question from the audience asked if Microsoft was the only platform and the speaker was emphatic that the NSA is not locked into one vendor. My notes were no help in clarifying further.

There was some light mention of the NSA switch from a previous risk ranking/scoring/monitoring approach to a continuous process that improved risk mitigation by 100-300 times faster than prior, but no explanation of what was prior nor real details about the new approach other than it was developed by the Continuous Monitoring Working Group.

Lastly, the speaker indicated one of the biggest challenges to switching to COTS was the long procurement cycle: on average 25 months from start to finish. By removing redundancy the new process is 50% shorter for some vendor classifications and only 30% shorter for others. They are still working to improve the procurement process to on-board COTS products quicker.

Presentation:

Keynote = Previous Secretary of Homeland Security, Michael Chertoff

Very interesting perspectives on the previous decade’s security challenges from the speaker’s position, but no real noteworthy takeaways. Just the following notes:

Goal = manage not eliminate risk (nothing new)

Top three security recommendations:

  1. Have a plan (described how the federal government didn’t have a plan for being the first responder to a local disaster, hence the response to Hurricane Katrina was so poor)
  2. Need strong communication, real-time, and actively engage the media. Interesting revelation: lack of media engagement with Katrina allowed the media to overblow the city violence. The overblown coverage meant bus companies were pushing back on assisting with transporting people to safety.
  3. Decisive decision making.

Last bit of information I took down during the presentation:

Cyber warfare is real.

A few people via Twitter (#GartnerSecurity) made comments that Mr. Chertoff was really giving just enough information in his speech to convince people to buy his book, for which he was conveniently holding a book signing later in the day.

Presentation:

Emerging Technology for Mobile Security

This session was of interest to me given the rise in demand from employees (think executives) who want to use their consumer mobile device (iPhone, iPad, tablets, netbooks, etc.) to locally and remotely access company information such as email and web applications. In summary: the various device manufacturers are so focused on consumers and delivering fun, flexible solutions to consumers that there is no common framework to use to secure devices for safe, personal and co-mingled corporate use.

Notes from the session:

Thematic Gap = people need versus company need security-wise

“Bring Your Own Device” or BYOD is becoming the norm, even if officially not sanctioned. Message = Need to support BYOD.

3-5 year need to support a range of devices. Gartner predicts no device convergence in the near future.

Security lags business needs by 4 to 10 years, in general, Gartner opinion.

Variety in platforms is a challenge to malware as well. Malware must be developed for a variety of devices; the app store acts as a potential throttle.

Users have higher expectations for mobile convenience (example = token for PC access, ok. Token for mobile access, no way)

By 2014, 80% of professionals will use at least 2 personal devices. Hands in the room confirmed the stat.

More realistic attacks: targeted trojan, device theft with data, config errors, social malware.

Need good encryption and authentication, with the biggest challenge being configuration management.

Authentication challenges = limited device password access, no smart card support, no universal solution due to vendor restrictions (some only offer a four-digit numeric password). RIM is the only one with smartcard support for mobile. Gartner has no great perspective on how to solve this except to separate the device password from the data access password.

Secure Mobile Gateways gaining in popularity. Active web filtering. Zscaler was mentioned.

Gartner authentication options (strength) = improved KBA (low), typing rhythm (medium), no clear solution for high assurance (accept bad UX and use hardware tokens).

AuthenWare is considered closest to complete transparency, but the only case study (a Spanish government use case) implemented it on Windows, iPhones and iPads for data access via a gateway.

Fingerprint authentication is becoming even less attractive; the failure rate is high.

Securing the device options:

  • Platform level: inconsistent across all platforms, multiple vulnerabilities, tamper checking/jailbreaking. Encryption is inconsistent. Example = jailbroken iPhone/iPad = get admin password = get encryption key
  • App sandbox (Good Tech was mentioned)
  • Self-defending apps, re-compiled to take advantage of emerging security features

Protection Framework for Corporate BYOD Use:

Employees must opt into MDM (mobile device management); a secure mobile gateway is recommended.

If not, recommend OWA with attachments blocked, or Citrix.

If no self-defending apps, look at sandboxing and portal access to control access to higher-risk systems.

Consider picking a date and requiring a certificate for access to company resources (gives the ability to know what devices are accessing). [No discussion of cross-device compatibility, a universal approach, etc.]

Presentation:

Network Access Control, Lawrence Orans

Gartner’s analyst covering NAC presented a very high level, 30 minute look at network access control today. Below are my notes:

Theme: NAC = policy

NAC trend:

  • 2003-6 patches/anti-virus confirmation
  • 2006-10 device authentication, are you one of us?
  • 2011+ what is on my network?

Statistical claims:

Botnets have compromised 4 to 8% of corporate-managed PCs

20 to 30% of consumer PCs

Through 2013, 80% of enterprises with BYOD programs will see a 100% increase (twice as bad) in that botnet compromise rate.

Where are companies presently looking at NAC?

  • What is this device (drop device on regular or guest network) 75%
  • Endpoint baselining (patches, antivirus, firewall?) 15%
  • Identity-aware network 5% (policy on user not on the device)
  • Quarantine/Containment, patch mgmt. 5% (people moving away from this)

The claim is that corporate networks will look more like university networks in the near future (multi-device support, but quarantine when devices are not behaving according to policy).

Successful NAC project must:

  • Step 1, prioritize use cases
  • Step 2, develop a roadmap (of course, you want to do everything; break it into phases, etc.)
    • Example: device policy versus user policy (not mutually exclusive), arriving at quarantine/containment
  • Step 3, select technology
  • Step 4, analyze vendors

Presentation:

Fair Game

At the end of the day, they had a fascinating session with Valerie Plame and Joseph Wilson. They were such good speakers that I didn’t notice they were really pitching their book and supporting the movie about their ordeal. Throughout, they made very critical claims about the previous US presidential administration, which goes beyond the intent of this blog; given my lack of political knowledge and experience, I’ll pass on trying to capture any of the commentary from this session. The one-hour session was simply fascinating and I could easily have listened for another hour, even though they were scheduled to end at 6pm. Yes, they were having a book signing after the session.

Look forward to similar coverage on day 2 tomorrow.


Hey kids, get off my lawn!


It seems no IT related blog can exist without providing some commentary on cloud computing. Hence, I just had to post something on “the cloud”. Is “the cloud” really a full blown IT revolution? I am not convinced. Thus, I considered making the title “hey kids, get off my lawn” but I didn’t want to turn away potential “cloud is superior” readers so soon in my article without offering some evidence to support my claim.

Seriously, there has been a veritable ton of material recently suggesting a total IT revolution is underway with the advent of cloud computing. Even Microsoft and Apple are making direct marketing pitches involving “the cloud” to non-technical consumers in the mainstream media rather than burying the message in niche technology blogs. I was reading Eric D. Brown’s recent article on cloud computing and felt compelled to respond in more depth than can usually be afforded in a blog comment. Hence the real impetus for this article.

Mr. Brown claims that “Cloud computing is both evolutionary and revolutionary.” He also references a post by Christian Verstraete, HP’s Chief Technologist for the Cloud. Both Mr. Brown and Mr. Verstraete offer credible evidence for suggesting that “the cloud” is an evolution of pre-cloud IT constructs. The applications that are available via the cloud today are the next evolutionary step from the ASPs, or Application Service Providers, of the recent past. By re-branding existing hosted application service offerings, companies can ride the marketing wave of “the cloud” to further tout how the latest version of their software is more cutting edge and more buzz-worthy. If “the cloud” label didn’t exist, those application service offerings would still offer ever-increasing levels of additional functionality based on customer feedback and market demand. The same applies to “the cloud” for more platform/infrastructure-based service offerings. Without “the cloud”, would we have the alternative: I moved my commodity servers out of my data center to “the grid”? It seems “the cloud” is even more hip, cool and expansive than “the grid” from a marketing/branding perspective. Thus, “the cloud” is evolutionary. I buy it because of the linear progression of ever-increasing functionality being delivered by “cloud” offerings.

“Hey kids, get off my lawn”

I am struggling with saying “the cloud” is truly revolutionary. Mr. Brown makes the following statements in support of his position: “Revolutionary in the sense that there’s no longer a need to spend thousands or hundreds of thousands of dollars on hardware to get a website and/or product running.” and “There’s cost savings there that haven’t been available in years past to the small to medium sized business.” In years past, ISPs were offering small business packages that included registering domain names, hosted collaboration solutions (email, calendaring, shared contact management/address books) as well as uniquely branded web sites with graphic design, on-line ordering/shopping carts and tiered data storage options. Yahoo Business has provided similar packages for over a decade if one didn’t find that their ISP’s offering met their needs. Thus, I believe businesses had pre-cloud options to drive down costs by outsourcing their IT needs to pre-cloud, cloud-like options relative to the functional demands of the time. The farther you go back in time, the more immature (relative to today) those offerings were. Or, stated another way, at any given time, the level of integration and sophistication of outsource-ability reflected the market demand and the evolution of the provider’s technical offering. In the late 90s, businesses were scrambling to come up with an “Internet Strategy” to figure out how to use this new, cool thing called the “World Wide Web”. The businesses of the late 90s, small, medium or large, weren’t in a position to create immediate demand for the level of auto-provisioned, virtual capacity on demand that is available today. Hence, where Mr. Brown says “revolution”, I’m not compelled to go that far and thus stick with “evolution”.

Mr. Verstraete concludes that the move from ASP/grid computing to “the cloud” has been an evolution, but he suggests Web 2.0 is what makes “the cloud” revolutionary. Sure, the gigantic surge in Internet usage across all generations in all countries has created a significant demand on service providers. If you were offering an application to the business community in the late 90s, you could initially have your data model reflect a co-mingling of all your individual customers’ data. SOX, HIPAA and the increase in on-line security breaches had customers demanding secure data management back at the start of the previous decade, so providers implemented separate application and supporting data instances for customers. Virtualized environments allowed this trend to continue without the provider having to purchase millions of physical servers as their customer list grew. Managing all those virtual servers and copies of application code became labor intensive, thus adjusting data models to leverage “multi-tenancy”, coupled with advancements in database engine data partitioning capabilities, became the next wave of opportunity for providers to serve more customers with secure and operationally efficient offerings. Those providers that didn’t advance their architectures found their costs increasing exponentially, while the competition that did advance was easily able to offer similar services at a much lower price point. This sounds like evolution to me.

So, is “the cloud” a totally revolutionary way to offer computing services? I am just not convinced that we have a revolution, but rather the next evolution coupled with a branding label, “the cloud”, that increases the appeal and the hype. Providers and vendors can easily jump on the labeling bandwagon to get more time and attention from their prospective customers. Customers get the next version or upgrade of their favorite on-line products and services with even more functional integration and ease of use. Plus, they can set up meetings and engage consultants to help formulate a “cloud strategy”. And who doesn’t want to talk about new and emerging technology trends over having the same cost reduction problem-solving discussions that have been talked to death?

Oh yeah, and kids, get off my lawn.


Are banks doing enough with on-line security?


It seems lately that no one can escape the media coverage of high-profile security breaches. A day doesn’t pass without some well-known company admitting that it is the victim of a security breach. One constant target has been banks’ on-line systems, ever since banks began offering on-line banking web sites back in the late nineties. With the advent of on-line bill payment and payroll capabilities, as well as account-to-account or person-to-person payments complementing the traditional wire transfer options, fraudsters have an attractive target for monetary gain. It seems that as banks have implemented stronger and stronger on-line authentication systems, fraudsters have developed ever more sophisticated attacks. Amid the recent deluge of media coverage of security breaches across industries, one court recommendation published on May 27th of this year has the potential to jump-start the banking and security industry, similar to what the original FFIEC authentication guidance did back in late 2005.

In the case of Patco Construction Company, Inc. versus People’s United Bank d/b/a Ocean Bank, the court essentially finds that the bank did implement all “commercially reasonable security” measures as outlined by the original FFIEC guidance and as defined by subsequent court rulings. Yet the bank’s security was determined to not be optimal:

“It is apparent, in the light of hindsight, that the Bank’s security procedures in May 2009 were not optimal.”

Thus, in a complete gut-level paraphrase of the recommendation document:

The bank met the minimum requirements, thus the bank is not liable for returning any of the customer’s fraudulently stolen funds. Yet, at the same time, the bank’s security was sub-optimal. So, the bank met its sub-optimal regulatory obligations, yet the customer still lost their money.

What is the big deal? What appears to me to be implied in the recommendation is that the current FFIEC guidance is flat out not up to today’s threats. And banks are legally off the hook to do any more than what is contained in the outdated FFIEC guidelines. As one industry analyst wrote, “Businesses: at your own risk.”

If the lead up to the 2005 FFIEC guidance was that banks weren’t doing enough to address on-line threats, have we reached the next precipice of more regulatory guidance?

In my opinion the answer is: Yes. Even non-banking Internet giants Facebook and Google have added stronger authentication solutions to their offerings, which I’ve covered before here and here.

The FFIEC was planning on updating its original 2005 guidance at the end of last year, but it appears the five regulatory agencies couldn’t all agree on the final documented guidance. I believe the heat has now been turned up on the FFIEC to reach consensus and establish more up-to-date guidelines. Once updated and published, I believe we will experience another infusion of demand for more sophisticated security technology, given the increase in regulatory-backed bank demand. Stronger regulations will tip the on-line product budget priority toward enhancing security over new features and functions.

Which startup will become the next Bharosa, Cyota or PassMark of this next wave of on-line authentication technology investment?
