AWS Makes Coding in the Cloud Easy

With all of the IT punditry talking about how everyone who is anyone is “moving to the cloud”, I thought I would take a serious look at what Amazon’s Amazon Web Services (AWS) has to offer for hosting applications in the cloud. Since I’ve already written about my perspective that “the cloud” is evolutionary rather than revolutionary, I thought I would roll up my sleeves and challenge myself to interact directly with some “cloud” services. What also helped propel me forward was discovering that AWS has a free “getting started” package that includes the ability to provision a server with Internet access, storage and all the AWS development packages and libraries pre-installed.

[Feel free to skip down to the source code if you aren't interested in the next section on business context]

Business Context

Now, if you have read any of my articles on this blog, you know I mostly cover the challenges of working in a large, corporate IT environment, both from a staff and a management perspective. So, this is a bit off the beaten path for me. But the rate at which business groups are pushing corporate IT to implement cloud solutions, especially in the on-line product space, is on a significant uptick. Now, especially in financial services, integrating on-line products with “cloud/SaaS/ASP” hosted applications as product extensions is nothing new. It seems almost as soon as financial firms had an on-line application, they were looking to integrate with existing partners that also were standing up on-line versions of their service offerings: think on-line banking and viewing statements electronically, etc.

The difference I’ve observed between the “ASP” integration of the late 90s and early 00s and the present is the non-traditional “cloud” companies looking to work with banks. Previously, companies that were already working with banks to provide outsourced off-line services progressed to offer on-line services. Thus, the maturity of the pre- and post-sales process was familiar to both parties. The ASP providers knew how to address data protection, regulatory compliance and complex/unique technology integrations. The new “cloud” application service providers are using all of the cloud infrastructure-as-a-service offerings (here is the tie-in with AWS) to produce new, robust products, but they are completely unfamiliar with how to architect a complete product and service solution for financial services. Thus, many are having to retrofit their solutions to meet the needs of regulated, conservative banking institutions, including all of the security assurance overhead that entails (think SAS 70s, penetration tests, security standards and procedures, site visits, lengthy contracts, etc.).

What does all this mean?

In summary, current cloud service providers such as AWS offer a great suite of building blocks to stand up a robust application. But choose your technologies strategically, especially if you are planning to integrate your product in any way with financial services customers. Be prepared to have to transition to company owned and managed application infrastructure, including data storage, for the foreseeable future, until cloud providers such as AWS are universally accepted by the financial services security community as “secure”.

Technical Stuff

Ok, now for the more fun technical stuff. I went ahead and signed up for the free AWS package, which was incredibly easy. Just a few mouse clicks and I was sitting in the AWS web based management console. Without any serious investigation, I was off creating my own “bucket” of storage in their Simple Storage Service (S3). The next step was to provision a server to host my application experiment. The Elastic Compute Cloud (EC2) tab was equally easy: click through a wizard of basic server configuration options. I opted for the Amazon Linux Micro Instance (specifically the Amazon Linux AMI, as I assumed it would be optimized for using AWS services) in order to stay within the “free” parameters. At the conclusion I was provided all the pertinent remote connection details, including a client/user certificate and literally the ssh command syntax to cut/paste and connect.

Since I am clearly taking AWS for a spin years after it first came on the market, I assume I am benefiting from significant end user functional improvements made in that time. It has been over a decade since any server I built or any code I wrote was actually deployed in a corporate production environment, so to say I have been relegated to a tinkerer in my technical career would be an understatement. But the simple wizard based configuration of the server and storage provisioning clearly allows even a novice technician to be exceedingly productive within AWS.

The Goal – Functional Application Running in AWS

Now that I have cloud storage and a cloud server I needed an application development challenge to solve. So after some thought, here is what I came up with:

A Java based application service that will replicate my Dropbox files into my new AWS S3 storage “bucket”.

Note: Yes, Dropbox uses AWS as its back-end storage platform, so I’m really duplicating my data within the same storage cloud. So what am I gaining? Ok, in the real world, not much, but this is a throw away experiment to begin with, so just permit me this architectural short-sightedness.

This experiment involves:

  • Installing the Dropbox GUI-less client on the Linux Micro Instance
  • Connecting all the Java AWS libraries together to access my S3 storage “bucket”
  • Scheduling the application to periodically replicate the Dropbox files to my S3 “bucket”

By using AWS’s example “S3Sample.java” code from their Java SDK, in a matter of a few hours (those hours mostly spent getting all the correct jars linked together in the classpath), I was able to start copying files. Of course, after I had reverse engineered how their sample program worked, I ran across an article on AWS’s blog that hand holds you through everything.

Following the directions provided on Dropbox’s site, I was able to download and install the Dropbox client on my Linux Micro Instance without a single hiccup.

As I mentioned above, it has been quite a long time since I cracked open an editor and started coding, so any comments on the lack-o-elegance of my Java are most likely very accurate. Plus, I didn’t go so far as to add any mechanism to traverse directory trees to copy nested files. Additionally, all I achieved was a one way copy of all files rather than a true sync, with no date/time check to see whether a file even needs to be re-copied if it already exists.
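The copy routine described above, extended with the recursive directory traversal and the change check the post says its version lacks, as an added example: this is not the author’s source nor AWS’s S3Sample.java. It assumes the AWS SDK for Java v1 on the classpath, a placeholder bucket name and the local Dropbox folder path, and that credentials come from the SDK’s default provider chain (environment, ~/.aws/credentials, or the EC2 instance role) rather than being hard-coded.

```java
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.stream.Stream;

/**
 * One-way replication of a local Dropbox folder into an S3 bucket.
 * Added example, not the post author's code. Assumes the AWS SDK for Java v1.
 * Credentials are resolved by the default provider chain, so no access keys
 * live in this file.
 */
public class DropboxToS3 {

    // Placeholder names (assumptions): replace with your own bucket and Dropbox path.
    private static final String BUCKET = "my-replication-bucket";
    private static final Path DROPBOX_ROOT = Paths.get(System.getProperty("user.home"), "Dropbox");
    private static final String KEY_PREFIX = "dropbox/";

    private final AmazonS3 s3;

    public DropboxToS3(AmazonS3 s3) {
        this.s3 = s3;
    }

    public static void main(String[] args) throws IOException {
        AmazonS3 client = AmazonS3ClientBuilder.defaultClient();
        new DropboxToS3(client).replicate(DROPBOX_ROOT, BUCKET, KEY_PREFIX);
    }

    /** Walks the tree recursively and uploads every regular file that is new or changed. */
    public void replicate(Path root, String bucket, String prefix) throws IOException {
        try (Stream<Path> paths = Files.walk(root)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                // Skip directories and symlinks; a symlink could point outside the Dropbox folder.
                if (Files.isSymbolicLink(p) || !Files.isRegularFile(p)) {
                    continue;
                }
                String key = prefix + root.relativize(p).toString().replace('\\', '/');
                if (isUnchanged(p, bucket, key)) {
                    System.out.println("skip   " + key);
                    continue;
                }
                upload(p, bucket, key);
                System.out.println("upload " + key);
            }
        }
    }

    /**
     * True if an object with the same content already exists. For objects written
     * with a single PUT and SSE-S3, the S3 ETag is the hex MD5 of the content;
     * multipart ETags contain a "-" and are not a plain MD5, so those are re-uploaded.
     */
    boolean isUnchanged(Path file, String bucket, String key) throws IOException {
        ObjectMetadata remote;
        try {
            remote = s3.getObjectMetadata(bucket, key);
        } catch (AmazonServiceException e) {
            if (e.getStatusCode() == 404) {
                return false; // object not in the bucket yet
            }
            throw e;
        }
        String etag = remote.getETag();
        if (etag == null || etag.contains("-")) {
            return false;
        }
        return etag.replace("\"", "").equalsIgnoreCase(md5Hex(file));
    }

    /** Uploads one file with server-side encryption (AES-256, SSE-S3) so it is encrypted at rest. */
    void upload(Path file, String bucket, String key) {
        ObjectMetadata meta = new ObjectMetadata();
        meta.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
        s3.putObject(new PutObjectRequest(bucket, key, file.toFile()).withMetadata(meta));
    }

    /** Hex MD5 of a file, streamed so large files are not read into memory at once. */
    static String md5Hex(Path file) throws IOException {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            try (InputStream in = Files.newInputStream(file)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) > 0) {
                    md.update(buf, 0, n);
                }
            }
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }
}
```

Running this from an EC2 instance with an IAM role that is limited to the one bucket means no long-lived access key ever needs to be stored on the instance, which matters for the financial services audience discussed above.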

Goal Achieved!

Here is a link to my (lame, err, not production ready) Java source.

I welcome any comments on readers’ thoughts on cloud application development and AWS specifically.

For any of those in the Cleveland/Akron, Ohio, USA area the week of 1/22, I’ll be speaking at the University of Akron on the topic of Identity Management in “the cloud” and general career opportunities in the Information Security industry. More specifically, the title of the presentation is “Identity and Access Management Reference Architecture for Cloud Computing” and I’ve already published the slides on SlideShare here.

I’m looking forward to good interaction with the students and faculty. If you are in attendance, please stop by and say hello!

As I mentioned in my previous post, I had the opportunity to present at the 9th annual Information Security Summit 2011. The full title of my presentation was “Identity and Access Management Reference Architecture for Cloud Computing” and it just about filled the room with attendees. I was impressed with the turnout given I was in the last speaking slot on the first day, up against three other speakers with very interesting topics.

For those interested, I’ve placed my slides on SlideShare:

All in all, it was a great conference, attracting mostly local security and audit professionals. Given my tenure in the area, I ran into all kinds of familiar faces going back at least 10+ years. It was great to catch up with all those with whom I’ve crossed paths.

How do you survive without SMART goals in today's Corporate IT?

There are plenty of great resources on the Internet that offer excellent perspectives on management and leadership that can be readily applied by those working in corporate IT. And one would think that with the vast amount of excellent free advice, all managers would excel at their jobs. Alas, today the demands on IT management make readily putting that advice into practice exceedingly challenging. Recently I’ve been contemplating how best to articulate what I feel is the dichotomous role a corporate IT professional has in today’s workplace.

Dichotomous Role:

  1. Deliver on what your manager of the moment expects
  2. Deliver on what your role is expected to deliver to the organization

Why “dichotomous”? More often than not, what your manager expects can be incongruent with what the organization expects.

One might think all you have to do is understand your job description and your department/team/personal goals and objectives, and go off every day and do your job. And some may be enjoying this straightforward, obvious job function clarity. But for most, I would feel confident in saying that seeking this expectation clarity can consume a significant number of brain cycles every day, with varying degrees of success. Frequently, your manager’s expectations differ from what the organization expects. What forces are at play creating this dichotomy, and what can you do to stay sane over time?

Biggest Contributors to Role Dichotomy? Lagging Goals + Manager Shuffling

First, Lagging Goals

I know of no study or statistical evidence to support my claim, but I feel rather confident in saying that the rate of change in IT has increased dramatically in recent years compared to prior ones. Step back and take a sample of recent IT management articles. How many are asking the CIO role to change? How many are saying you have to have a mobile work force, outsource development or leverage “the cloud” or risk falling behind? With all that rapid change, in my opinion, pragmatically, gone are the days of SMART goals. Recently, Pawel Brodzinski posted an article similarly calling SMART goals into question here. Sure, MBA academics and management blog pundits will tout the benefits of clearly articulated goals leading to reports having increased delivery success and improved job satisfaction.

Let me be clear up front: I am not contradicting the sound fundamentals of solid goal setting. But unfortunately, with corporate fiscal cycles starting/ending and thus “trickle down” goals trailing six months or more from the cycle start, the average corporate IT employee is lucky to get written goals, if they get any goals at all. In looking back over my last five years, I can probably point to only two situations where I actually was given documented goals for my job role. In both cases, the fiscal year had already been underway for a good five or six months before I got those written goals.

Why the lag in goal delivery when all sound management principles suggest timeliness equals improved organizational success? In a phrase:

The current corporate business climate expects IT change at such a rapid rate that lagging goals can’t easily, if at all, keep up with the organizational change and subsequent overlapping vision changes.

These typical corporate IT scenarios may seem extremely similar to many and they help illustrate my point. Consider how established goals would need to be handled in each case:

  1. The company hires a new “chief marketing officer” who has a new chunk of budget to spend on a “mobile strategy”. Suddenly, new IT projects are kicked off to deliver mobile solutions.
  2. An IT Director of the “something” department retires and a new Director is hired from outside the organization. Managers reporting to the previous Director either start reporting to new areas of the organization or start leaving the company. The new Director starts hiring replacement managers from his prior company.

In the first scenario, assuming managers, teams and individuals had goals that reflected pre-CMO priorities, all now have to wind down a bit on what was previously being worked on and wind up on what the new CMO sponsored projects entail. Sticking to pre-CMO priorities is just not an option. The company clearly has a strategic gap, hence the CMO was hired in the first place. Thus, ignoring the CMO’s “high priority” projects because they don’t fit nicely into previously communicated priorities and goals is effectively ignoring the business needs of the company.

In typical corporate IT fashion, the priority of these new CMO projects has been communicated from the top of the house down, thus the entire IT delivery management structure is trying to figure out how to reshuffle in-flight work in order to accommodate them. The crisis of the moment has shifted from whatever was the previous crisis to the new CMO project delivery crisis. If the company wasn’t strategic enough to see the need for a CMO earlier, as new media outlets were creating new demand, what is to say the organization is strategic in addressing new IT project priorities? Lastly, with IT departments cut staff- and budget-wise due to the recent recession, what management structure is going to stop and revise all previously documented goals? The demand for flexibility, agility and rapid change makes it next to impossible to cleanly re-write goals as priorities shift.

If the goal setting challenge faced a stagnant organizational chart, then there might be some HR efficiencies all could leverage, but on top of priorities changing, org structures rarely stay static for more than a few months. The second part of this article will dive into what compounds the goal problem for corporate IT employees: rapid organization and management reporting structure changes.

Gartner Security and Risk Summit 2011 - Day 4

I am currently attending the Gartner Security and Risk Management Summit 2011. As the final day drew to a close, the sessions didn’t carry significant new material, and the ones I was interested in tended to be a bit vendor sponsorship heavy. I blogged about day 1 here, day 2 here and day 3 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the fourth and final day.

The most noteworthy event of the final day was a conversation over coffee between myself, a senior security manager at Microsoft and a newly appointed security manager at SC Johnson. They both shared that their security teams are getting an increase in funding and FTEs. But what I found most interesting was that each was adding security focused developers and engineers to their teams, in reaction to shifting from pure security governance to security governance plus technical delivery. They each mentioned that they were now starting to build more security solutions rather than just recommending or auditing security for external teams.

This struck me as potentially an interesting trend. I’ve loosely observed the following trend in the banking industry related to security teams and technology (excludes other stuff like vendor management, disaster recovery, etc.):

90s = Security teams mostly handling granting/revoking access, password resets, operational security stuff.

late 90s/early 00s = Security teams adding more technical people to deliver specific security technology back to the IT teams (authentication, encryption, provisioning, some firewall/VPN, etc.) among other governance stuff like patching schedules, anti-virus, access control, web related security, etc.

Mid/late 00s = Security teams unable to add staff at the rate needed to function like a mini-IT shop within the larger IT organization, thus starting to “outsource” security technology back to IT and step up the audit, governance, compliance focus. They also start adding heavy technology assessment to their mix.

Early 10s to the present = Security teams pretty much 100% audit, governance, compliance, assessment focused. Little to no technology ownership/delivery maintained.

Thus, I described this trend to both individuals and went so far as to ask whether we in banking are potentially approaching another pendulous swing back to security teams looking to re-in-source specific security related technologies that have been difficult to manage externally. They weren’t able to add a significant perspective since they were just absorbing technical delivery after being previously governance focused. Thus, I wonder whether security technology delivery and ownership will oscillate between IT and security teams over time. I whipped up a crude graph to show, over time, the potential for such an in-sourcing and out-sourcing shift of security ownership and delivery:

Thus, will bank security departments that have returned all security technology to IT find it challenging to audit and assess certain technology domains, and thus re-absorb them over time? Will non-bank firms that are just in-sourcing security technology delivery find that they, like banks did, can’t scale, and follow the recent banking IT trend and out-source? Is there ultimately a balance between governance and delivery of security technology? Clearly this isn’t Gartner level detailed analysis, thus I would greatly appreciate others’ perspectives on my observation and trend suggestion.

Gartner Security and Risk Summit - Day 3

I am currently attending the Gartner Security and Risk Management Summit 2011. As the third day is drawing to a close, the amount of new insight is being overshadowed by overlap with previous sessions. I blogged about day 1 here and day 2 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the sessions I attended on the third day.

The typical pattern at conferences is that as you approach the end, the sessions tend to have ever increasing overlap with content from previous sessions. One can only talk about going ‘in the cloud’ so much before you start sounding a bit redundant. I’ll avoid covering what I’ve covered before and only add new tidbits from today’s sessions. And to make things interesting, the session topics I was most interested in were, of course, all happening concurrently, hence I had to make some hard choices and missed out on some very interesting sessions due to the overlap in scheduling.

Presentation:

Disaster ‘in the Cloud’ by Jay Heiser

Right off the bat I had to give Mr. Heiser credit (and tweeted as such during his session introduction) in that he was extremely pragmatic about the hype/branding aspect of ‘the cloud’ versus the real newness from a security and risk perspective. Although his analyst role is invested in this topic, he wasn’t overly zealous about his specialty in his presentation. So, all in all, he was an excellent speaker and kept everyone’s attention through what most would find utterly boring: vendor disaster and contingency planning.

Gartner projection: by 2015, a major cloud failure costing millions of dollars and significant loss of data will occur.

He put up an interesting slide that listed recent, major ‘cloud’ related failures:

Aug. 2008, Linkup business fails after losing customer data

Feb. 2009, Onsite3 files for bankruptcy, all customers lose their hosted data

Mar. 2009, 7,000 Carbonite customers lose their backup data

Jun. 2009, LxLabs HyperVM is hacked

  • 100,000 web sites experience data loss
  • 1 month for Oracle and Sun to reconstruct the database

Dec. 2009, Palm Pre online backup fails

Jul. 2010, 6,327 Evernote customers lose four days worth of data

Dec. 2010, 17,000 Microsoft Hotmail accounts lose mail for four days

Feb. 2011, 35,000 Gmail users lose all data

  • Four days to restore those users’ data; 0.2% of Gmail users affected

2011 Zodiac Island TV all episodes deleted by disgruntled admin

  • Show’s creators sue Cyberlink over faulty backups

Apr. 2011, Amazon EC2’s multi-day outage, some data loss

All complex systems fail, both in expected and unexpected ways

  • All digital storage systems experience failure that require restoration and sometimes reconstruction
  • Large networks periodically experience feedback loops resulting in cascading failures
  • Clouds are vulnerable to single points of failure and may not be quickly restorable

Session theme = the complexity of the cloud makes it a higher risk for failure (brittleness)

Presentation:

BiTKOO

I stopped by the BiTKOO vendor booth to get the low down on their product prior to this presentation. They were advertising very heavily that they had an XACML based externalized entitlement engine for a variety of platforms. Just as enterprise single sign-on and identity federation were the distributed application security externalization challenge that matured in the previous decade, XACML and externalized authorization are the application security externalization challenge of this decade (confirmed by Gartner in a later session covered in this post). BiTKOO has a product called KeyStone that provides all the plug-ins to development platforms and the associated UI administration of XACML policies, so that no one really needs to know anything about the underlying XACML or XML based details to externalize authorization.

In speaking with the CEO (you know you are dealing with a startup when the ‘CEO’ is manning the vendor booth), the history is that the CEO and others worked for Disney and developed this authorization externalization framework for Disney’s applications. Disney allowed the tech team to spin off and form their own company. I assume Disney forever gets free licenses and free yttrium level support out of the deal. Thus, it is a great deal for both sides. Disney gets to turn a fixed cost into a variable cost on their balance sheet, and these tech guys get to form their own company with a guaranteed big name customer and revenue stream to get started. I asked the CEO about VC funding and exit strategy, and the claim was they have been profitable since their first quarter of being in business, have plenty of customers and no plans for VC funding nor acquisition. If he is a real CEO, he is trying to find the optimum time to grow via IPO or acquisition. With ‘the cloud’, they have the potential to command an even higher price if XACML becomes the standard for managing entitlements in ‘the cloud’. But I digress.

They had a short 30 minute session where they demonstrated their product, and it was quite impressive. Of course, the CEO was doing the demo. BiTKOO is a company to watch. If XACML indeed becomes a standard in ‘the cloud’ for enterprise entitlement management, look for this company to either IPO or get acquired by CA, IBM, Oracle or some other security company for an undisclosed sum that has this techie CEO driving an F40 brand new off the lot.

Presentation:

I attended “The Mobile Security Brothers Traveling Roadshow” almost purely based on the name of the session. Some analysts took a humorous look at the challenges facing companies adopting secure mobile platforms. Nothing really new was covered, but at one point they showed video interviews of conference attendees who had upwards of four mobile devices with them. Some were company purchased, some were personal but linked to company email, etc. This session further confirmed there is no clear approach to a technically secure mobile solution.

Presentation:

Managing Identity ‘in the Cloud’ by Gregg Kreizman

I was hoping to hear of some standards adoption among cloud providers, or some trends suggesting everyone is moving in a particular direction. Unfortunately, it was more of the same theme surrounding ‘the cloud’: vendors rushing to deliver functionality and gain market share, and not investing in standards around things like user provisioning.

The good news is SAML 2.0 is being adopted by 20% of current cloud providers and growing rapidly. But OpenID and OAuth (the way you let applications interact with your Facebook, Twitter, Foursquare accounts) are gaining momentum. The challenge I see is similar to the Blu-ray versus HD-DVD battle. While the battle is on, people invest in one or the other, or both, or none, until one finally wins. The problem is it takes time to eventually figure out who will be the clear leader.

I was very disappointed to hear that SPML and XACML were not being aggressively adopted. This leaves all kinds of inefficient, one off ways of integrating. One offs drive up costs and require unique security solutions that aren’t reusable.

Below are some raw notes I took during the session:

Authenticating users to cloud systems:

Default ways = manually setup users

Batch upload of new accounts, still fairly manual

50% SaaS have provisioning API

Another option is directory sync

Federation, “just in time” provisioning (found rarely in the wild but it exists)

IAMaaS sell you on the value of having done it already

Federation is now the most prevalent way to get SSO to SaaS applications, Gartner recommended

Auditing users in the cloud:

Weakest place for standards is the audit/intelligence integration with SIEM, lack of standards

IAMaaS market is very volatile in general

Gartner, by 2015, one out of three IAM solution providers will be new to the IAM market, predominantly in managed, cloud based.

Gartner, IAMaaS solutions will account for 20% of all new IAM sales by end of 2012, compared with less than 5% in 2011.

Federation = SAML 2.0

SPML not really appearing in the cloud

OpenID established by gov at Level 1 (no assurance of identity)

OAuth 2.0 has password auth built in, might replace OpenID

UMA, give users access to photos ahead of time

AD Federation Services 2.0 supports some SAML

CardSpace 2.0 cancelled by Microsoft, but now investing in U-Prove (interest in EU)

Trends:

Hybrid cloud-enterprise models will rule for a long time

SCIM potential new SaaS provisioning standard (more confusion/distraction)

OpenID/OAuth stack has momentum, but work in progress

Including security requirements in cloud service procurements is an immature practice but maturing

Recommendations:

Partner with business to include security/IAM assessments as part of procurement process.

Judge enterprise readiness with IAMaaS based on corporate risk goals.

Understand your costs for providing internal IAM compared to cloud.

Plan for 3 years before any standard IAM security assessment standards emerge.

20% SaaS providers support SAML and will grow rapidly. Concern is OpenID/OAuth will impact/distract/confuse.

Not seeing Microsoft implementing FIM for IaaS access.

All in all, another good day of interesting perspectives on the security landscape. Look for a summary of the final day 4 tomorrow.

Gartner Security and Risk Summit - Day 2

I am currently attending the Gartner Security and Risk Management Summit 2011. After only the second day, I can honestly say this has been one of the better Gartner conferences I’ve attended. I blogged about day 1 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the sessions I attended on the second day.

Well, let’s get the less interesting stuff out of the way … I sat in on some “the cloud” related presentations on risks and vendor selection and found the material not particularly useful. As you can imagine, “the cloud” has the predictable security and vendor selection challenges that have been around for years when working with vendors. Thus, the marketing/branding hype around “the cloud” is more helpful in giving vendors a new way to position products and service offerings to customers than in creating significantly new challenges for security professionals. I’ve written recently about “the cloud” in more detail here.

Presentation:

New Trends in Fraud Detection: Grappling with the Enemies Within and Without, Gartner Analyst Avivah Litan

Long title. Great presentation.

Instead of the usual fear/scare commentary on fraud, Ms. Litan described recent specific fraud patterns that represent the more complex scenarios of today. A new pattern she described is bulleted below:

  1. Hacker sets up/rents technology infrastructure for the attack (“the cloud”)
  2. Prepare to target the victim with email, such as using LinkedIn to determine who is in accounts payable at a particular company
  3. Prepare by stealing “Knowledge Based Authentication” or KBA or “Challenge Questions” via collecting from aggregators (compromise the companies offering KBA services) and/or phishing emails to get people to spill information. Go so far as to get the phone company to forward smallbiz phone to the hacker’s phone.
  4. Send spear phishing email to victim that includes specific malware program to get installed on their PC.
  5. Hacker waits for the malware to see a login to their bank. The malware gets the “One Time Password” or OTP such as a physical token (RSA, Vasco, etc.) with either a browser redirect to the hacker’s site to collect the OTP or allow the victim to perform some transactions but capture the session information and forward to the hacker and deny the logout. The user thinks they logged out but the hacker now has the user’s session and keeps accessing the bank as the user.
  6. Hacker executes a fraudulent transaction. The bank confirms the odd payment via phone but since the hacker re-routed the phone to himself plus he has the KBA information, he can confirm the odd payment and thus the bank allows the odd payment to process.

She indicated this pattern was used on the Catholic Diocese of Des Moines, Iowa (more details on that attack here).

Her claim is that current bank on-line “strong” authentication is not enough to handle these new and sophisticated attack patterns. I’ve commented similarly here, based on her earlier blog post here.

In support of the recent increase in attacks against non-banking institutions such as Sega, Sony, FBI, CIA, RSA, US Congress, etc. reported by the media recently, she indicates that enterprises that aren’t banks don’t have the security measures in place that banks, which get attacked regularly, do. The typical company is monitoring activity but has no existing real-time blocking capability for attacks.

She then shared statistics indicating that 86% of surveyed companies were attacked by malware, yet those same companies are investing in other areas of security where attacks are admittedly less prevalent. I took a picture of the slide of stats but it came out so blurry I can’t share further details. The gist is that companies are being attacked by malware but are investing in identifying/blocking other attacks that are actually happening less frequently.

She concluded with recommended “best practices”:

Strategy and Policy + Operations + Technology = Solving fraud and misuse problems

She presented five layers of protection to implement after authenticating a user on-line and granting them access to a web site:

Level 1 = end point centric (secure browsing, out of band auth, transaction auth)

Level 2 = navigation centric: analyze and profile user activity and compare it against the user’s normal behaviour

Level 3 = user and account centric by channel: user business patterns, what the credit card folks do

Level 4 = Level 3 but across all channels: online, then call center, etc.

Level 5 = entity link analysis: an end-of-day dump of details to see cross-customer, cross-account transaction details

She quoted a Gartner statistic that by 2014, 15% of enterprises will adopt layered fraud detection to compensate for weak authentication of on-line users. Virtualized, on-demand secure browsers will be available by 2014, reducing the need for such layers. The current risk is that companies won’t invest in the anti-fraud layers.

No authentication method alone will stop fraud; additional layers are needed. Enterprises consider malware the #1 threat.

Technical approaches to address each level:

Level 1 = A “secure” browser can block malware. Existing vendors include Crealogix, IronKey, TrustDefender and Trusteer; alternatively, browser plugins (blocking API access into that session with the bank).

Level 1 = Client device identification, the traditional profiling stuff, can all be beaten (per Gartner). Browser mining (JavaScript) is best for grabbing all kinds of data, including clock time down to the millisecond (looking at time differentials helps determine session takeovers).

Level 1 = Also, mobile location services: linking activity to location (browser location vs. mobile phone location), GPS or mobile proximity to the MSC code in towers, lat/long of the device via cell tower; best is using aggregators of the mobile providers’ device locations. I logged in from a PC in Cleveland but my mobile phone is in Florida. The bank should take extra steps to confirm things are a-ok.

Level 2 = The biggest investment is the ability to check page-to-page rates to compare human versus malware (a human takes a random number of seconds between pages, whereas programs take predictable milliseconds).
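To make the Level 1 and Level 2 checks concrete, here is an added Python example (not code from the original post, the presenter or Gartner) that runs both over constructed session records: page-to-page pacing for Level 2, using the mean gap and the coefficient of variation of the intervals so that metronomic sub-second navigation stands out from a human’s irregular seconds, and the browser-versus-phone location comparison for Level 1. The record layout, the thresholds and the step-up/block policy are all assumptions made for illustration, not anything the presenter specified.

```python
"""Layered session checks: machine-paced navigation (Level 2) and
browser/phone location mismatch (Level 1).

Added example; record format, thresholds and policy are assumed.
"""
from statistics import mean, pstdev

# Assumed thresholds; tune against real traffic before relying on them.
MIN_PAGES = 4           # need at least this many page views to judge pacing
CV_THRESHOLD = 0.15     # coefficient of variation at or below this => metronomic
MAX_MEAN_SECONDS = 1.0  # humans rarely average under a second between pages


def inter_page_intervals(timestamps):
    """Seconds between consecutive page views, in time order."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def pacing_stats(timestamps):
    """Return (mean_gap, coefficient_of_variation), or None if too few pages."""
    gaps = inter_page_intervals(timestamps)
    if len(gaps) < MIN_PAGES - 1:
        return None
    m = mean(gaps)
    if m == 0:
        return (0.0, 0.0)
    return (m, pstdev(gaps) / m)


def is_machine_paced(timestamps):
    """Level 2: fast AND regular page-to-page timing looks scripted."""
    stats = pacing_stats(timestamps)
    if stats is None:
        return False
    m, cv = stats
    return m <= MAX_MEAN_SECONDS and cv <= CV_THRESHOLD


def location_mismatch(browser_region, phone_region):
    """Level 1: browser geolocation disagrees with the registered phone's."""
    if browser_region is None or phone_region is None:
        return False  # an unknown location is not evidence either way
    return browser_region.strip().lower() != phone_region.strip().lower()


def assess_session(session):
    """Combine the flags into an action (assumed policy: one flag => out-of-band
    step-up confirmation, two flags => block)."""
    flags = []
    if is_machine_paced(session["page_times"]):
        flags.append("machine_paced_navigation")
    if location_mismatch(session.get("browser_region"), session.get("phone_region")):
        flags.append("device_location_mismatch")
    action = "block" if len(flags) >= 2 else ("step_up" if flags else "allow")
    return {"session_id": session["session_id"], "flags": flags, "action": action}


def page_times(start, gaps):
    """Build absolute page-view timestamps from a start time and gap list."""
    times = [start]
    for g in gaps:
        times.append(times[-1] + g)
    return times


# Constructed sample sessions (not real data).
SAMPLE_SESSIONS = [
    {"session_id": "s-human", "page_times": page_times(1000.0, [4.2, 9.7, 3.1, 12.4]),
     "browser_region": "Cleveland, OH", "phone_region": "Cleveland, OH"},
    {"session_id": "s-bot", "page_times": page_times(2000.0, [0.21, 0.20, 0.22, 0.21]),
     "browser_region": "Cleveland, OH", "phone_region": "Cleveland, OH"},
    {"session_id": "s-travel", "page_times": page_times(3000.0, [6.0, 2.5, 11.0, 4.4]),
     "browser_region": "Cleveland, OH", "phone_region": "Tampa, FL"},
    {"session_id": "s-both", "page_times": page_times(4000.0, [0.3, 0.3, 0.31, 0.29]),
     "browser_region": "Cleveland, OH", "phone_region": "Tampa, FL"},
]


def run_all(sessions=SAMPLE_SESSIONS):
    """Assess every sample session; returns {session_id: result}."""
    return {r["session_id"]: r for r in map(assess_session, sessions)}


if __name__ == "__main__":
    for result in run_all().values():
        print(result)
```

The pacing check deliberately requires both a low mean gap and a low coefficient of variation: a slow but regular session (a user reading each page for about the same time) should not be flagged, and a fast but erratic one is at most worth a closer look. In a real deployment the thresholds would come from the bank’s own traffic profile rather than the constants above.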

Level 3 = Invest in profiling users, accounts, devices, transactions.

Level 4 = Do what you are doing in Level 3 but do it across all channels.

Level 5 = Invest in entity link analysis. Example: HIV tests in a demographic that normally has none; a doctor that does one procedure starts billing Medicare for new procedures. 10-to-1 return on investment (per Gartner) if implemented comprehensively. Medical billing fraud seems to benefit immediately from this approach.
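As an added example of the Level 5 idea (not from the original post, the presenter or Gartner), here is a Python script that builds the link graph from a constructed end-of-day transaction dump: customers are linked to the accounts they own, the payees they paid and the devices they used, entities connected to an unusual number of distinct customers are flagged (a payee collecting payments from many unrelated customers in one day, or a single device operating several customers’ accounts), and the graph is walked from each flagged hub to report the whole cross-customer cluster. The record layout, the thresholds and the sample rows are assumptions made for illustration.

```python
"""Level 5 entity link analysis over an end-of-day transaction dump.

Added example; record layout, thresholds and sample data are constructed.
"""
from collections import defaultdict, deque

# Constructed end-of-day dump, one row per outbound payment (not real data):
# (customer, source_account, payee_account, device_id, amount)
EOD_TRANSACTIONS = [
    ("cust-01", "acct-0101", "payee-A",    "dev-aa", 120.00),
    ("cust-02", "acct-0201", "payee-B",    "dev-bb", 45.50),
    ("cust-03", "acct-0301", "payee-MULE", "dev-zz", 4900.00),
    ("cust-04", "acct-0401", "payee-MULE", "dev-zz", 4850.00),
    ("cust-05", "acct-0501", "payee-MULE", "dev-cc", 4975.00),
    ("cust-06", "acct-0601", "payee-C",    "dev-dd", 300.00),
    ("cust-07", "acct-0701", "payee-A",    "dev-ee", 80.00),
]

# Assumed thresholds: how many distinct customers make a payee or device a hub.
PAYEE_FANIN_THRESHOLD = 3
SHARED_DEVICE_THRESHOLD = 2


def build_links(rows):
    """Undirected adjacency over (kind, name) nodes: customers <-> accounts,
    payees and devices."""
    links = defaultdict(set)

    def link(a, b):
        links[a].add(b)
        links[b].add(a)

    for cust, acct, payee, dev, _amt in rows:
        c = ("customer", cust)
        link(c, ("account", acct))
        link(c, ("payee", payee))
        link(c, ("device", dev))
    return links


def suspicious_hubs(links):
    """Payees and devices linked to at least the threshold number of
    distinct customers; returns {node: sorted customer names}."""
    limits = {"payee": PAYEE_FANIN_THRESHOLD, "device": SHARED_DEVICE_THRESHOLD}
    hubs = {}
    for (kind, name), neighbours in links.items():
        if kind not in limits:
            continue
        customers = sorted(n for k, n in neighbours if k == "customer")
        if len(customers) >= limits[kind]:
            hubs[(kind, name)] = customers
    return hubs


def cluster(links, start):
    """Every entity reachable from `start` through any link (breadth-first)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in links[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def amount_through(rows, kind, name):
    """Total value of the day's payments that passed through the hub."""
    col = {"payee": 2, "device": 3}[kind]
    return round(sum(r[4] for r in rows if r[col] == name), 2)


def analyse(rows):
    """Flag hubs and describe the cross-customer cluster around each one."""
    links = build_links(rows)
    report = []
    for (kind, name), customers in sorted(suspicious_hubs(links).items()):
        comp = cluster(links, (kind, name))
        report.append({
            "hub": f"{kind}:{name}",
            "customers": customers,
            "linked_accounts": sorted(n for k, n in comp if k == "account"),
            "amount_through_hub": amount_through(rows, kind, name),
        })
    return report


if __name__ == "__main__":
    for entry in analyse(EOD_TRANSACTIONS):
        print(entry)
```

Note that none of the three flagged customers would look unusual on their own (a Level 3 per-account view); only the cross-customer view shows that they all paid the same new payee on the same day and that two of them were driven from the same device, which is exactly the point the presenter made about entity link analysis.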

All in all, a very data based (rather than hype based as most anti-fraud presentations can be) session.

I asked her the question: does Gartner have any data to suggest the most effective place within a bank payment application to implement transaction verification: at new payee add, or when a payment transaction is being requested but before confirming/processing? I must not have been clear because she didn’t understand the question. I approached her afterwards and tried to re-explain. She didn’t seem to have that detailed perspective on where to implement such out-of-band confirmation for maximum effect. Thus, I’ll continue to dig on that topic.

All in all, an excellent detailed presentation based on data rather than the typical anti-fraud stuff you come across.

Presentation:

Secure Web Gateways: Intelligently Defending Against the Web 2.0 Threat

First, I congratulate them on working Web 2.0 into the title with so many others preferring “the cloud”. This session was on the traditional security applied to company web surfing or why you can’t seem to access Facebook or Twitter from your work PC.

Since the demand is for malware protection, the presentation indicated the ways secure web gateway or SWG vendors can approach this with Gartner’s levels of success:

Low – Signature based filtering (ClamAV/Snort)

Med – Multi-feed signatures + vendor enhancements; more sophisticated: botnet command-and-control lists, vendor signatures, reputation feeds, sending the request to the cloud for analysis

High – Real-time, in-path, signature-less detection: active code analysis, exploit signature detection, sandboxing, traffic pattern analysis

The market today, per Gartner, is at the medium level.

Future = cloud-based secure web gateway as a service, signature-less malware protection, fine-grained application and social media control (for example, controlling Facebook to only allow certain simple/safe features)

Cloud-based SWG is projected to grow faster than in-house hosted solutions (14% to 15% in-house growth rate). By 2015, 25% will have migrated to SWG as a service, which is currently only 10% of the market.

Cloud-based SWG has the typical challenges: authenticating users, directory integration (SAML?), geographic coverage as well as location of origin, and reporting that might be an overnight job rather than instant data.

Gartner claims that next-generation firewalls will not replace SWG before 2015.

Gartner claims that blocking web sites alone does not materially reduce malware exposure, as some might think.

Vendors:

Additionally, I spent some time with IBM product managers to understand what their latest security products will be offering in the near future.

I’ll conclude with an interesting discussion I had with some people from Ecert. They represent a very interesting service offering. Their customers are both the major email service providers (think Gmail, Yahoo, Comcast, Time Warner, etc.) and companies that get phished regularly (think banks, PayPal, eBay, American Greetings, etc.). They are trying to combine email authentication to allow phished companies to notice when unknown sources are sending out messages in their name (likely spam/phishing), along with giving major email providers a way to ignore phishing emails and provide an indication to their users that an email from a phished company is actually legit. They are endorsed by BITS, which is a non-profit financial services round table of the top 100 US banks. They appear to offer a very unique service that becomes more successful the more banks and the more email providers join. They offer takedown services as well as other fraudulent-email related services that have the potential to really add value in the authentication of email messaging.

All in all, another good day of interesting perspectives on the security landscape. Look for a summary of day 3 tomorrow.


Hey kids, get off my lawn!

It seems no IT related blog can exist without providing some commentary on cloud computing. Hence, I just had to post something on “the cloud”. Is “the cloud” really a full blown IT revolution? I am not convinced. Thus, I considered making the title “hey kids, get off my lawn” but I didn’t want to turn away potential “cloud is superior” readers so soon in my article without offering some evidence to support my claim.

Seriously, there has been a veritable ton of material recently suggesting a total IT revolution is underway with the advent of cloud computing. Even Microsoft and Apple are making direct marketing pitches involving “the cloud” to non-technical consumers in the mainstream media rather than burying the message in niche technology blogs. I was reading Eric D. Brown’s recent article on cloud computing and I felt compelled to respond in more depth than can usually be afforded in a blog comment. Hence the real impetus for this article.

Mr. Brown claims that “Cloud computing is both evolutionary and revolutionary.” He also references a post by Christian Verstraete, HP’s Chief Technologist for the Cloud. Both Mr. Brown and Mr. Verstraete offer credible evidence for suggesting that “the cloud” is an evolution of pre-cloud IT constructs. The applications that are available via the cloud today are the next evolutionary step from the ASPs or Application Service Providers of the recent past. By re-branding existing hosted application service offerings, companies can ride the marketing wave of “the cloud” to further tout how the latest version of their software is more cutting edge and more buzz-worthy. If “the cloud” label didn’t exist, those application service offerings would still offer ever increasing levels of additional functionality based on customer feedback and market demand. The same applies to “the cloud” for more platform/infrastructure based service offerings. Without “the cloud”, would we have the alternative: “I moved my commodity servers out of my data center to ‘the grid’”? It seems “the cloud” is even more hip, cool and expansive than “the grid” from a marketing/branding perspective. Thus, “the cloud” is evolutionary. I buy it because of the linear progression of ever increasing functionality being delivered by “cloud” offerings.

“Hey kids, get off my lawn”

I am struggling with saying “the cloud” is truly revolutionary. Mr. Brown makes the statement in support of his position: “Revolutionary in the sense that there’s no longer a need to spend thousands or hundreds of thousands of dollars on hardware to get a website and/or product running.” and “There’s cost savings there that haven’t been available in years past to the small to medium sized business.” In years past, ISPs were offering small business packages that included registering domain names, hosted collaboration solutions (email, calendaring, shared contact management/address books) as well as uniquely branded web sites with graphic design, on-line ordering/shopping carts and tiered data storage options. Yahoo Business has provided similar packages for over a decade if one didn’t find their ISP’s offering met their needs. Thus, I believe businesses had pre-cloud options to drive down costs through outsourcing their IT needs to pre-cloud, cloud-like options relative to the functional demands of the time. The farther you go back in time the more immature (relative to today) those offerings were. Or, stated another way, at any given time, the level of integration and sophistication of outsource-ability was reflective of the market demand and evolution of the provider’s technical offering. In the late 90s, businesses were scrambling to come up with an “Internet Strategy” to figure out how to use this new, cool thing called the “World Wide Web”. The businesses of the late 90s, small, medium or large, weren’t in a position to create immediate demand for the level of auto-provisioned, virtual capacity on demand that is available today. Hence, where Mr. Brown says “revolution”, I’m not compelled to go that far and thus stick with “evolution”.

Mr. Verstraete concludes that the progression from ASP/grid computing to “the cloud” has been an evolution, but he suggests Web 2.0 is what makes “the cloud” revolutionary. Sure, the gigantic surge in Internet usage across all generations in all countries has created a significant demand on service providers. If you were offering an application to the business community in the late 90s, you could initially have your data model reflect a co-mingling of all your individual customers’ data. But SOX, HIPAA and the increase in on-line security breaches had customers demanding secure data management back at the start of the previous decade, so providers implemented separate application and supporting data instances for customers. Virtualized environments allowed this trend to continue without the provider having to purchase millions of physical servers as their customer list grew. Managing all those virtual servers and copies of application code became labor intensive, thus adjusting data models to leverage “multi-tenancy”, coupled with advancements in database engine data partitioning capabilities, became the next wave of opportunity for providers to service more customers with secure and operationally efficient offerings. Those providers that didn’t advance their architectures found their costs exponentially increasing, while the competition that did advance was easily able to offer similar services at a much lower price point. This sounds like evolution to me.

So, is “the cloud” a totally revolutionary way to offer computing services? I am just not convinced that we have a revolution but rather the next evolution coupled with a branding label, “the cloud”, that increases the appeal and the hype. Providers and vendors can easily jump on the labeling bandwagon to get more time and attention from their prospective customers. Customers get the next version or upgrade of their favorite on-line products and services with even more functional integration and ease of use. Plus, they can set up meetings and engage consultants to help formulate a “cloud strategy”. And who doesn’t want to talk about new and emerging technology trends over having the same cost reduction problem solving discussions that have been talked to death?

Oh yeah, and kids, get off my lawn.
