Gartner Security and Risk Summit 2011 - Day 4

I am currently attending the Gartner Security and Risk Management Summit 2011. As the final day drew to a close, the sessions didn’t carry significant new material, and the ones I was interested in tended to be a bit vendor-sponsorship heavy. I blogged about day 1 here, day 2 here and day 3 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the fourth and final day.

The most noteworthy event that occurred on the final day was a conversation over coffee between myself, a senior security manager at Microsoft and a security manager at SC Johnson who was new to his role. They both shared that their security teams are getting an increase in funding and FTEs. But what I found most interesting was that each was adding security-focused developers and engineers to their teams in reaction to shifting from pure security governance to security governance plus technical delivery. They each mentioned that they were now starting to build more security solutions rather than just recommending or auditing security for external teams.

This struck me as potentially an interesting trend. I’ve loosely observed the following trend in the banking industry related to security teams and technology (excludes other stuff like vendor management, disaster recovery, etc.):

90s = Security teams mostly handling granting/revoking access, password resets, operational security stuff.

late 90s/early 00s = Security teams adding more technical people to deliver specific security technology back to the IT teams (authentication, encryption, provisioning, some firewall/VPN, etc.) among other governance stuff like patching schedules, anti-virus, access control, web related security, etc.

Mid/late 00s = Security teams unable to add staff at the rate needed to function like a mini-IT shop within the larger IT organization, thus starting to “outsource” security technology back to IT and step up the audit, governance, compliance focus. They also start adding heavy technology assessment to their mix.

Early 10s to the present = Security teams pretty much 100% audit, governance, compliance, assessment focused. Little to no technology ownership/delivery maintained.

Thus, I described this trend to both individuals and went so far as to suggest that we in banking may be approaching another pendulum swing back to security teams looking to re-insource specific security-related technologies that have been difficult to manage externally. They weren’t able to add a significant perspective since they were just absorbing technical delivery after being previously governance focused. Thus, I wonder if security technology delivery and ownership will oscillate between IT and security teams over time? I whipped up a crude graph to show, over time, the potential for such an in-sourcing and out-sourcing shift of security ownership and delivery:

Thus, will bank security departments that have returned all security technology to IT find it challenging to audit and assess certain technology domains and thus re-absorb them over time? Will non-bank firms that are just now in-sourcing security technology delivery find that they, like banks did, can’t scale, and follow the recent banking IT trend and out-source? Is there ultimately a balance between governance and delivery of security technology? Clearly this isn’t Gartner-level detailed analysis, thus I would greatly appreciate others’ perspectives on my observation and trend suggestion.

Gartner Security and Risk Summit - Day 3

I am currently attending the Gartner Security and Risk Management Summit 2011. As the third day is drawing to a close, the amount of new insight is being overshadowed by overlap from previous sessions. I blogged about day 1 here and day 2 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the sessions I attended on the third day.

The typical pattern at conferences is that as you approach the end, the sessions tend to have ever-increasing overlap with content from previous sessions. One can only talk about going ‘in the cloud’ so much before starting to sound a bit redundant. I’ll avoid covering what I’ve covered before and only add new tidbits from today’s sessions. And to make things interesting, the session topics I was most interested in were, of course, all happening concurrently, hence I had to make some hard choices and missed out on some very interesting sessions due to the overlap in scheduling.

Presentation:

Disaster ‘in the Cloud’ by Jay Heiser

Right off the bat I had to give Mr. Heiser credit (and tweeted as such during his session introduction) in that he was extremely pragmatic about the hype/branding aspect of ‘the cloud’ versus what is genuinely new from a security and risk perspective. Although he spends his analyst role invested in this topic, he wasn’t overly zealous about his specialty in his presentation. So, all in all, he was an excellent speaker and kept everyone’s attention through what most would find utterly boring: vendor disaster and contingency planning.

Gartner projection: by 2015, a major cloud failure costing millions of dollars and involving significant loss of data will occur.

He put up an interesting slide that listed recent, major ‘cloud’ related failures:

Aug. 2008, Linkup business fails after losing customer data

Feb. 2009, Onsite3 files for bankruptcy, all customers lose their hosted data

Mar. 2009, 7,000 Carbonite customers lose their backup data

Jun. 2009, LxLabs HyperVM is hacked

  • 100,000 web sites experience data loss
  • 1 month for Oracle and Sun to reconstruct the database

Dec. 2009, Palm Pre online backup fails

Jul. 2010, 6,327 Evernote customers lose four days worth of data

Dec. 2010, 17,000 Microsoft Hotmail accounts lose mail for four days

Feb. 2011, 35,000 Gmail users lose all data

  • Four days to restore those users’ data; 0.2% of Gmail users affected

2011, Zodiac Island TV: all episodes deleted by disgruntled admin

  • Show’s creators sue Cyberlink over faulty backups

Apr. 2011, Amazon EC2’s multi-day outage, some data loss

All complex systems fail, both in expected and unexpected ways

  • All digital storage systems experience failures that require restoration and sometimes reconstruction
  • Large networks periodically experience feedback loops resulting in cascading failures
  • Clouds are vulnerable to single points of failure and may not be quickly restorable

Session theme = the complexity of the cloud makes it a higher risk of failure (brittleness)

Presentation:

BiTKOO

I stopped by the BiTKOO vendor booth to get the low-down on their product prior to this presentation. They were advertising very heavily that they had an XACML-based externalized entitlement engine for a variety of platforms. Just as enterprise single sign-on and identity federation were the distributed application security externalization challenge brought to maturity in the previous decade, XACML and externalized authorization are the application security externalization challenge of this decade (confirmed by Gartner in a later session covered in this post). BiTKOO has a product called KeyStone that provides all the plug-ins to development platforms and the associated UI administration of XACML policies, so that no one really needs to know anything about the underlying XACML or XML-based details to externalize authorization.

In speaking with the CEO (you know you are dealing with a startup when the ‘CEO’ is manning the vendor booth), the history is that the CEO and others worked for Disney and developed this authorization externalization framework for Disney’s applications. Disney allowed the tech team to spin off and form their own company. I assume Disney forever gets free licenses and free yttrium-level support out of the deal. Thus, it is a great deal for both sides. Disney gets to turn a fixed cost into a variable cost on their balance sheet, and these tech guys get to form their own company with a guaranteed big-name customer and revenue stream to get started. I asked the CEO about VC funding and exit strategy, and the claim was they have been profitable since their first quarter of being in business, have plenty of customers and no plans for VC funding nor acquisition. If he is a real CEO, he is trying to find the optimum time to grow via IPO or acquisition. With ‘the cloud’, they have the potential to command an even higher price if XACML becomes the standard for managing entitlements in ‘the cloud’. But I digress.

They had a small 30-minute session where they demonstrated their product, and it was quite impressive. Of course, the CEO was doing the demo. BiTKOO is a company to watch. If XACML indeed becomes a standard in ‘the cloud’ for enterprise entitlement management, look for this company to either IPO or get acquired by CA, IBM, Oracle or some other security company for an undisclosed sum that has this techie CEO driving an F40 brand new off the lot.

Presentation:

I attended “The Mobile Security Brothers Traveling Roadshow” almost purely based on the name of the session. Some analysts took a humorous look at the challenges facing companies adopting secure mobile platforms. Nothing really new was covered, but at one point they showed video interviews of conference attendees who had upwards of four mobile devices with them. Some were company purchased, some were personal but linked to company email, etc. This session further confirmed there is no clear approach to a technically secure mobile solution.

Presentation:

Managing Identity ‘in the Cloud’ by Gregg Kreizman

I was hoping to hear of some standards adoption among cloud providers or some trends suggesting everyone is moving in a particular direction. Unfortunately, it was more of the same theme surrounding ‘the cloud’: vendors rushing to deliver functionality and gain market share, and not investing in standards around things like user provisioning.

The good news is SAML 2.0 is being adopted by 20% of current cloud providers and growing rapidly. But OpenID and OAuth (the way you let applications interact with your Facebook, Twitter and Foursquare accounts) are gaining momentum. The challenge I see is similar to the Blu-ray versus HD-DVD battle. While the battle is going on, people invest in one or the other or both or none until one finally wins. The problem is it takes time to eventually figure out who will be the clear leader.

I was very disappointed to hear that SPML and XACML were not being aggressively adopted. This leaves all kinds of inefficient, one-off ways of integration. One-offs drive up costs and require unique security solutions that aren’t reusable.

Below are some raw notes I took during the session:

Authenticating users to cloud systems:

Default way = manually set up users

Batch upload of new accounts, still fairly manual

50% of SaaS providers have a provisioning API

Another option is directory sync

Federation, “just in time” provisioning (found rarely in the wild but it exists)

IAMaaS vendors sell you on the value of having done it already

Federation is now the most prevalent way to get SSO to SaaS applications; Gartner recommended

Auditing users in the cloud:

The weakest place for standards is the audit/intelligence integration with SIEM; lack of standards

IAMaaS market is very volatile in general

Gartner: by 2015, one out of three IAM solution providers will be new to the IAM market, predominantly in managed, cloud-based offerings.

Gartner: IAMaaS solutions will account for 20% of all new IAM sales by the end of 2012, compared with less than 5% in 2011.

Federation = SAML 2.0

SPML not really appearing in the cloud

OpenID established by government at Level 1 (no assurance of identity)

OAuth 2.0 has password auth built in, might replace OpenID

UMA: lets users grant access to photos ahead of time

AD Federation Services 2.0 supports some SAML

CardSpace 2.0 cancelled by Microsoft, but they are now investing in U-Prove (interest in the EU)

Trends:

Hybrid cloud-enterprise models will rule for a long time

SCIM is a potential new SaaS provisioning standard (more confusion/distraction)

OpenID/OAuth stack has momentum, but is a work in progress

Including security requirements in cloud service procurements is an immature practice but maturing

Recommendations:

Partner with business to include security/IAM assessments as part of procurement process.

Judge enterprise readiness with IAMaaS based on corporate risk goals.

Understand your costs for providing internal IAM compared to cloud.

Plan for 3 years before any standard IAM security assessment standards emerge.

20% of SaaS providers support SAML, and that will grow rapidly. The concern is that OpenID/OAuth will impact/distract/confuse.

Not seeing Microsoft implementing FIM for IaaS access.

All in all, another good day of interesting perspectives on the security landscape. Look for a summary of the final day 4 tomorrow.

Gartner Security and Risk Summit - Day 2

I am currently attending the Gartner Security and Risk Management Summit 2011. After only the second day, I can honestly say this has been one of the better Gartner conferences I’ve attended. I blogged about day 1 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the sessions I attended on the second day.

Well, let’s get the less interesting stuff out of the way … I sat in on some “the cloud” related presentations on risks and vendor selection and found the material not particularly useful. As you can imagine, “the cloud” has the predictable security and vendor selection challenges that have been around for years when working with vendors. Thus, the marketing/branding hype around “the cloud” is more helpful in giving vendors a new way to position products and service offerings to customers than in creating significantly new challenges for security professionals. I’ve written recently about “the cloud” in more detail here.

Presentation:

New Trends in Fraud Detection: Grappling with the Enemies Within and Without, Gartner Analyst Avivah Litan

Long title. Great presentation.

Instead of the usual fear/scare commentary on fraud, Ms. Litan described recent specific fraud patterns that represent the more complex scenarios of today. A new pattern she described is bulleted below:

  1. Hacker sets up/rents technology infrastructure for the attack (“the cloud”)
  2. Prepare to target the victim with email, such as using LinkedIn to determine who is in accounts payable at a particular company
  3. Prepare by stealing “Knowledge Based Authentication” (KBA) or “Challenge Questions” via collecting from aggregators (compromising the companies offering KBA services) and/or phishing emails to get people to spill information. Go so far as to get the phone company to forward the small business’s phone to the hacker’s phone.
  4. Send a spear phishing email to the victim that includes a specific malware program to get installed on their PC.
  5. Hacker waits for the malware to see a login to their bank. The malware gets the “One Time Password” (OTP), such as from a physical token (RSA, Vasco, etc.), with either a browser redirect to the hacker’s site to collect the OTP, or by allowing the victim to perform some transactions but capturing the session information, forwarding it to the hacker and denying the logout. The user thinks they logged out but the hacker now has the user’s session and keeps accessing the bank as the user.
  6. Hacker executes a fraudulent transaction. The bank confirms the odd payment via phone, but since the hacker re-routed the phone to himself and has the KBA information, he can confirm the odd payment and thus the bank allows it to process.

She indicated this pattern was used on the Catholic Diocese of Des Moines, Iowa (more details on that attack here).

Her claim is that current bank on-line “strong” authentication is not enough to handle these new and sophisticated attack patterns. I’ve commented similarly below here based on her blog post earlier here.

In support of the recent increase in attacks against non-banking institutions such as Sega, Sony, FBI, CIA, RSA, US Congress, etc. reported by the media recently, she indicated that enterprises that aren’t banks don’t have the security measures in place compared to banks, which get attacked regularly. The typical company is monitoring activity but has no existing real-time blocking capability for attacks.

She then shared some statistics indicating that 86% of surveyed companies were attacked by malware, but that those same companies are investing in other areas of security where attacks were admittedly less prevalent. I took a picture of the slide of stats but it came out so blurry I can’t share further details. The gist is companies are being attacked by malware but are investing in identifying/blocking other attacks that are actually happening less frequently.

She concluded with recommended “best practices”:

Strategy and Policy + Operations + Technology = Solving fraud and misuse problems

She presented five layers of protection to implement after authenticating a user on-line and granting them access to a web site:

Level 1 = end point centric (secure browsing, out of band auth, transaction auth)

Level 2 = navigation centric: analyze and profile user activity within the session, comparing against expected behavior

Level 3 = user and account centric by channel: user business patterns, what the credit card folks do

Level 4 = Level 3 but across all channels, online then call center, etc.

Level 5 = entity link analysis: end-of-day dump of details to see cross-customer, cross-account transaction details

She quoted a Gartner statistic that by 2014, 15% of enterprises will adopt layered fraud detection to compensate for weak authentication of on-line users. Virtualized, on-demand secure browsers will be available by 2014, reducing the need for such layers. The current risk is that companies won’t invest in the anti-fraud layers.

No authentication method alone will stop fraud; additional layers are needed. Enterprises consider malware the #1 threat.

Technical approaches to address each level:

Level 1 = “Secure” browser can block malware. Existing vendors include Crealogix, Ironkey, TrustDefender and Trusteer, OR protection through browser plugins (block APIs into that session with the bank)

Level 1 = Client device identification, traditional profiling stuff, all of which can be beaten (per Gartner). Browser mining (JavaScript) is best for grabbing all kinds of data including clock time down to the millisecond (looking at time differentials helps determine session takeovers).

Level 1 = Also, mobile location services, linking activity to location (browser location vs. mobile phone location): GPS or mobile proximity to the MSC code in towers, lat/long of the device via cell tower. The best approach is using aggregators of the mobile providers’ device location data. If I logged in from a PC in Cleveland but my mobile phone is in Florida, the bank should take extra steps to confirm things are a-ok.

Level 2 = The biggest investment is the ability to check page-to-page rates to compare human versus malware (a human takes a random number of seconds between pages, whereas a program takes a predictable number of milliseconds)

Level 3 = Invest in profiling users, accounts, devices, transactions.

Level 4 = Do what you are doing in Level 3 but do it across all channels.

Level 5 = Invest in entity link analysis. Example = HIV tests in a demographic that normally has none. A doctor that does one procedure starts billing Medicare for new procedures. 10-to-1 return on investment (per Gartner) if implemented comprehensively. Medical billing fraud seems to benefit immediately from this approach.
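The Level 2 check described above (page-to-page timing as a human-versus-malware signal) is simple enough to show in code. The following is an added example, not code from the post or from any Gartner or vendor product: it parses a constructed navigation log (timestamp, session id, page), computes the gaps between successive page views per session, and flags a session as machine-like when the gaps are sub-second on average or too regular to be human. The thresholds (`min_human_gap`, `max_machine_cv`) are assumptions chosen for illustration, not figures from the session; a real deployment would tune them against observed traffic and use the verdict as one risk score input, not a hard block.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample navigation log (not from the post):
#   ISO timestamp with milliseconds, session id, page requested.
# sess-A: human-like, irregular multi-second gaps
# sess-B: malware-like, ~250 ms gaps
# sess-C: scripted with a fixed delay, exactly 2 s gaps
SAMPLE_LOG = """\
2011-06-22T10:15:01.120 sess-A /login
2011-06-22T10:15:07.890 sess-A /accounts
2011-06-22T10:15:19.402 sess-A /payees
2011-06-22T10:15:31.015 sess-A /transfer
2011-06-22T10:15:52.644 sess-A /confirm
2011-06-22T10:20:00.000 sess-B /login
2011-06-22T10:20:00.250 sess-B /accounts
2011-06-22T10:20:00.498 sess-B /payees
2011-06-22T10:20:00.751 sess-B /transfer
2011-06-22T10:20:01.002 sess-B /confirm
2011-06-22T10:30:00.000 sess-C /login
2011-06-22T10:30:02.000 sess-C /accounts
2011-06-22T10:30:04.000 sess-C /payees
2011-06-22T10:30:06.000 sess-C /transfer
"""


def parse_log(text):
    """Group (timestamp, page) events by session id."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, page = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), page))
    return sessions


def page_gaps(events):
    """Seconds between successive page views, in time order."""
    events = sorted(events)  # tuples sort on the datetime first
    return [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]


def score_session(gaps, min_human_gap=1.0, max_machine_cv=0.15):
    """Classify a session from its inter-page gaps.

    Two signals, both assumptions for illustration:
      - mean gap below min_human_gap seconds: faster than a person reads a page
      - coefficient of variation (stdev / mean) below max_machine_cv: too regular
    Fewer than two gaps is not enough to judge either way.
    """
    if len(gaps) < 2:
        return {"verdict": "insufficient", "mean_gap": None, "cv": None, "reasons": []}
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else 0.0
    reasons = []
    if avg < min_human_gap:
        reasons.append("sub-second page rate")
    if cv < max_machine_cv:
        reasons.append("near-constant inter-page timing")
    verdict = "machine-like" if reasons else "human-like"
    return {"verdict": verdict, "mean_gap": round(avg, 3), "cv": round(cv, 3), "reasons": reasons}


def classify_sessions(text):
    """Run the timing check over every session in a log."""
    return {sid: score_session(page_gaps(events)) for sid, events in parse_log(text).items()}


if __name__ == "__main__":
    for sid, result in classify_sessions(SAMPLE_LOG).items():
        print(sid, result)
```

The two signals are deliberately separate: sess-B trips the rate check (about 250 ms per page), while sess-C keeps a human-plausible 2 s pace but trips the regularity check because its gaps never vary. Either one is a reason to step up to the Level 1 out-of-band or transaction confirmation the session recommends rather than to reject the session outright.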

All in all, a very data-based session (rather than hype-based, as most anti-fraud presentations can be).

I asked her the question: does Gartner have any data to suggest the most effective place within a bank payment application to implement transaction verification, at new payee add or when a payment transaction is being requested but before confirming/processing? I must not have been clear because she didn’t understand the question. I approached her afterwards and tried to re-explain. She didn’t seem to have that detailed a perspective on where to implement such out-of-band confirmation for maximum effect. Thus, I’ll continue to dig on that topic.

All in all, an excellent, detailed presentation based on data rather than the typical anti-fraud stuff you come across.

Presentation:

Secure Web Gateways: Intelligently Defending Against the Web 2.0 Threat

First, I congratulate them on working Web 2.0 into the title when so many others prefer “the cloud”. This session was on the traditional security applied to company web surfing, or why you can’t seem to access Facebook or Twitter from your work PC.

Since the demand is for malware protection, the presentation indicated the ways secure web gateway (SWG) vendors can approach this, with Gartner’s levels of success:

Low – Signature based filtering (ClamAV/Snort)

Med – Multi-feed signatures + vendor enhancements, more sophisticated: botnet command-and-control lists, vendor signatures, reputation feeds, sending the request to the cloud for analysis

High – Real-time in-path signature-less detection: active code analysis, exploit signature detection, sandboxing, traffic pattern analysis

The market today, per Gartner, is at the medium level.

Future = cloud-based secure web gateway as a service, signature-less malware protection, fine-grained app and social media control (for example, control Facebook by only allowing certain simple/safe features)

Cloud-based SWG is projected to grow faster than in-house hosted solutions (14% to 15% in-house growth rate). By 2015, 25% will have migrated to SWG as a service, which is currently only 10% of the market.

Cloud-based SWG has the typical challenges: authenticating users, directory integration (SAML?), geographic coverage as well as location of origin, and reporting that might be an overnight job rather than instant data.

Gartner claim: next-generation firewalls will not replace SWG before 2015.

Gartner claim: blocking web sites alone does not materially reduce malware exposure, as some might think.

Vendors:

Additionally, I spent some time with IBM product managers to understand what their latest security products will be offering in the near future.

I’ll conclude with an interesting discussion I had with some people from Ecert. They represent a very interesting service offering. Their customers are both the major email service providers (think Gmail, Yahoo, Comcast, Time Warner, etc.) and companies that get phished regularly (think banks, PayPal, eBay, American Greetings, etc.). They are trying to combine email authentication to allow phished companies to notice when unknown sources are sending out email in their name (likely spam/phishing), along with giving major email providers a way to ignore phishing emails and provide an indication to their users that an email from a phished company is actually legitimate. They are endorsed by BITS, which is a non-profit financial services round table of the top 100 US banks. They appear to offer a unique service that becomes more successful the more banks and the more email providers join. They offer take-down services as well as other fraudulent-email-related services that have the potential to really add value in the authentication of email messaging.

All in all, another good day of interesting perspectives on the security landscape. Look for a summary of day 3 tomorrow.

Hey kids, get off my lawn!

It seems no IT-related blog can exist without providing some commentary on cloud computing. Hence, I just had to post something on “the cloud”. Is “the cloud” really a full-blown IT revolution? I am not convinced. Thus, I considered making the title “hey kids, get off my lawn”, but I didn’t want to turn away potential “cloud is superior” readers so soon in my article without offering some evidence to support my claim.

Seriously, there has been a veritable ton of material recently suggesting a total IT revolution is underway with the advent of cloud computing. Even Microsoft and Apple are making direct marketing pitches involving “the cloud” to non-technical consumers in the mainstream media rather than burying the message in niche technology blogs. I was reading Eric D. Brown’s recent article on cloud computing and felt compelled to respond in more depth than can usually be afforded in a blog comment. Hence the real impetus for this article.

Mr. Brown claims that “Cloud computing is both evolutionary and revolutionary.” He also references a post by Christian Verstraete, HP’s Chief Technologist for the Cloud. Both Mr. Brown and Mr. Verstraete offer credible evidence for suggesting that “the cloud” is an evolution of pre-cloud IT constructs. The applications that are available via the cloud today are the next evolutionary step from the ASPs, or Application Service Providers, of the recent past. By re-branding existing hosted application service offerings, companies can ride the marketing wave of “the cloud” to further tout how the latest version of their software is more cutting edge and more buzz-worthy. If “the cloud” label didn’t exist, those application service offerings would still offer ever-increasing levels of additional functionality based on customer feedback and market demand. The same applies to “the cloud” for more platform/infrastructure-based service offerings. Without “the cloud”, would we have the alternative: I moved my commodity servers out of my data center to “the grid”? It seems “the cloud” is even more hip, cool and expansive than “the grid” from a marketing/branding perspective. Thus, “the cloud” is evolutionary. I buy it because of the linear progression of ever-increasing functionality being delivered by “cloud” offerings.

“Hey kids, get off my lawn”

I am struggling with saying “the cloud” is truly revolutionary. Mr. Brown makes these statements in support of his position: “Revolutionary in the sense that there’s no longer a need to spend thousands or hundreds of thousands of dollars on hardware to get a website and/or product running.” and “There’s cost savings there that haven’t been available in years past to the small to medium sized business.” In years past, ISPs were offering small business packages that included registering domain names, hosted collaboration solutions (email, calendaring, shared contact management/address books) as well as uniquely branded web sites with graphic design, on-line ordering/shopping carts and tiered data storage options. Yahoo Business has provided similar packages for over a decade if one didn’t find that their ISP’s offering met their needs. Thus, I believe businesses had pre-cloud options to drive down costs by outsourcing their IT needs to pre-cloud, cloud-like options relative to the functional demands of the time. The farther you go back in time, the more immature (relative to today) those offerings were. Or, stated another way, at any given time, the level of integration and sophistication of outsource-ability reflected the market demand and the evolution of the provider’s technical offering. In the late 90s, businesses were scrambling to come up with an “Internet Strategy” to figure out how to use this new, cool thing called the “World Wide Web”. The businesses of the late 90s, small, medium or large, weren’t in a position to create immediate demand for the level of auto-provisioned, virtual capacity on demand that is available today. Hence, where Mr. Brown says “revolution”, I’m not compelled to go that far and thus stick with “evolution”.

Mr. Verstraete concludes that the move from ASP/grid computing to “the cloud” has been an evolution, but he suggests Web 2.0 is what makes “the cloud” revolutionary. Sure, the gigantic surge in Internet usage across all generations in all countries has created significant demand on service providers. If you were offering an application to the business community in the late 90s, you could initially have your data model reflect a co-mingling of all your individual customers’ data. SOX, HIPAA and the increase in on-line security breaches had customers demanding secure data management at the start of the previous decade. Thus, providers implemented separate application and supporting data instances for customers. Virtualized environments allowed this trend to continue without the provider having to purchase millions of physical servers as their customer list grew. Managing all those virtual servers and copies of application code became labor intensive, thus adjusting data models to leverage “multi-tenancy”, coupled with advancements in database engine data partitioning capabilities, became the next wave of opportunity for providers to service more customers with secure and operationally efficient offerings. Those providers that didn’t advance their architectures found their costs increasing exponentially, while the competition that did advance was easily able to offer similar services at a much lower price point. This sounds like evolution to me.

So, is “the cloud” a totally revolutionary way to offer computing services? I am just not convinced that we have a revolution, but rather the next evolution coupled with a branding label, “the cloud”, that increases the appeal and the hype. Providers and vendors can easily jump on the labeling bandwagon to get more time and attention from their prospective customers. Customers get the next version or upgrade of their favorite on-line products and services with even more functional integration and ease of use. Plus, they can set up meetings and engage consultants to help formulate a “cloud strategy”. And who doesn’t want to talk about new and emerging technology trends rather than having the same cost reduction problem-solving discussions that have been talked to death?

Oh yeah, and kids, get off my lawn.
