December 8, 2007

The future of security

I was just reading an article on Dark Reading, "Ranum's Wild Security Ride", that got me thinking. The article is about Marcus Ranum, who helped create one of the first firewalls. The article quotes him: "Computer security is going to disappear after a while," he says. I couldn't agree more. That's the point of this blog.

Computer security today is all about companies making products to compensate for the poor security design of other companies' products. Further, enterprise system software, like ERPs, doesn't provide end-to-end security either.

About seven or eight years ago I saw that one day ERP vendors would "own" the security space for large enterprises. Their software would set business risk in a module and then using the risk, set the security policies around the identities, business and web processes automatically. They would control the enterprise firewall's security policies as well as integrate with physical security systems. The business risk module would also then determine the physical security authentication risk for specific physical locations.

Further, I also saw that independent application vendors would be forced, over time, to build good security into their products. I believed then that lawsuits and regulatory pressure would, over time, force developers to change their coding practices from getting something out the door quickly, to getting something out the door that also has good security built into it.

Is this a dream or not? I don't think so.

Today, the ERP vendors are being led by Oracle, who is quickly buying up middleware companies to build an end-to-end, security-driven product suite. Their recent acquisition of Bharosa is but one example of integrating authentication security into their architecture. They are also actively partnering with companies like QuantumSecure. This is the early beginning of integrating physical security into ERP architectures.

Is all of this going to happen overnight? No. Not even for the next ten years. However, at the large enterprise level, you can see the winds of change gently blowing towards integrating security into the core product development.

On the flip side of my vision, many people will say that having all your eggs in one ERP basket is also dangerous. I agree. There will be many twists and turns on a bumpy road from where we are today to one where the ERP product suite is robust. Many enterprises may believe the ERP sales rep's security spiels when they shouldn't.

My take is that the large enterprise market for security products will dwindle over the next ten years. I believe that the ERP vendors will own this section of the market. I also see that vendors like Google and others will slowly take over portions of the current Microsoft market. I think that since they are starting off without having to maintain backward compatibility with the poorly secured code that Microsoft has to support, they will begin to introduce better security standards into the marketplace.

I don't want to put Google on a pedestal, since their own products have security holes as well. However, in the long run, I believe that, as we move towards a digital world where servers run and store most of the code and the desktop becomes a thin client, better security will slowly evolve.

That's why I agree with Marcus Ranum. Over time, the security product market will slowly dwindle from what it is today. Security vendors will become specialty firms addressing new attack vectors, rather than focusing on general protection as they do today.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

September 17, 2007

How safe is your encryption scheme?

This past week, Tim Wilson published a very interesting article in Dark Reading, "Quantum Research Could Threaten Encryption Schemes". In it he documents recent research in Australia and China on photonic computers able to run something called "Shor's Algorithm".

According to Tim's article he says "Using an experimental computer based on photonics, the researchers in Australia and China have independently been able to do a full-scale implementation of something called Shor's Algorithm, a non-linear method of factoring composite numbers. Shor's Algorithm breaks many of the rules of linear computing and therefore has no trouble finding the prime factors in any number, no matter how large.

The research shakes the foundation of all types of currently available encryption methods. If the quantum computer can factor any number of any size with equal ease, then, theoretically, no algorithm based on linear computing is safe."

All of this should give CSOs and CIOs pause for consideration. It means that over the next ten or so years, as quantum computing comes into being, most of their precious secrets and defense mechanisms relying upon encryption can be broken.
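To make the article's claim concrete, here is an added Python example (not code from the article or from this blog) of the classical skeleton of Shor's algorithm: factoring N is reduced to finding the period r of a^x mod N, and that period yields factors through a gcd. The period-finding step is written as a brute-force loop, which is exactly the part a quantum computer replaces, so the example shows the reduction and not the speedup. The RSA part uses the textbook toy parameters p=53, q=61, e=17, which are an assumption chosen for illustration and not something the article discusses.

```python
from math import gcd


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1, found by brute-force stepping.
    This period-finding step is the only part a quantum computer speeds up;
    here it costs up to n iterations, which is why classical factoring is slow."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int):
    """Classical skeleton of Shor's algorithm: reduce factoring to order finding.
    Returns a sorted pair (p, q) with p * q == n, or None for a prime input."""
    if n % 2 == 0:
        return (2, n // 2)
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:                       # lucky base that already shares a factor
            return tuple(sorted((g, n // g)))
        r = multiplicative_order(a, n)   # quantum period finding replaces this call
        if r % 2 == 1:
            continue                     # odd period: pick another base
        y = pow(a, r // 2, n)            # a square root of 1 mod n ...
        if y == n - 1:
            continue                     # ... unless it is the trivial one, -1
        p = gcd(y - 1, n)                # (y-1)(y+1) = 0 mod n, so the gcd splits n
        if 1 < p < n:
            return tuple(sorted((p, n // p)))
    return None


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """Why factoring breaks RSA: once p and q are known, the private exponent
    d = e^-1 mod (p-1)(q-1) follows immediately (pow with -1 needs Python 3.8+)."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    for n in (15, 21, 3233):               # 3233 = 53 * 61, the textbook toy RSA modulus
        print(n, "=", shor_factor(n))
    p, q = shor_factor(3233)
    print("toy RSA private exponent for e=17:", rsa_private_exponent(p, q, 17))
```

The loop over bases mirrors the random choice of a in the real algorithm; on 3233 the base 2 gives the trivial root and is skipped, and base 3 splits the modulus. Everything after the period is ordinary arithmetic, which is why the quantum period finder alone is enough to turn an RSA public key into its private exponent.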

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

The Threat Continues: ISP Denial of Service Attacks

There's a must-read on Dark Reading, "Report: Attacks on ISP Nets Intensifying". It refers to a report from Arbor Networks that outlines the increasing threat of denial of service attacks on ISPs.

As I have blogged about before, denial of service attacks are an increasing threat to enterprises large and small. As Dark Reading documents, the Arbor report showed that "While most large ISPs have upgraded their backbones to 10-Gbit/s speeds over the past two years, three respondents said they have experienced sustained attacks from 20- to 22 Gbit/s, and one hosting services provider in the survey reported a 24-Gbit/s DNS-targeted attack. The most powerful sustained attack previously was 17 Gbit/s, which was reported in last year's survey by Arbor."

Further, Dark Reading's article said "Not surprisingly, ISPs say botnets are the number one threat to their networks, and that these malicious networks are growing in size and sophistication. Botnets are used for DOS attacks (71 percent), sending spam (64 percent), as open proxies (34 percent), for storing ID theft information (16 percent), and as part of phishing systems (37 percent), according to respondents."

Most worrisome to me was the ending to the Dark Reading article: "There are a couple of vulnerable hotspots on service provider backbones: More than half said they had no way to detect or mitigate DNS attacks, and nearly 90 percent don't have the ability to protect VOIP."

As enterprises move to VOIP they are incurring a significant risk of which they are probably unaware. A successful denial of service attack would not just bring down their internet web site BUT WOULD ALSO CURTAIL ALL PHONE ACTIVITY!
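As an added example (not from the Dark Reading article, the Arbor report or this blog), the following Python detector addresses the "no way to detect DNS attacks" finding at a small scale: it runs a per-source queries-per-second check over a constructed resolver query log and separates a sustained flood from a one-second spike. The addresses, timestamps, query names and thresholds are all constructed values; production thresholds would come from a baseline of the resolver's own normal traffic.

```python
from collections import defaultdict
import random

BASE_EPOCH = 1190023200      # constructed timestamp base for the sample log (epoch seconds)
FLOOD_SRC = "203.0.113.9"    # constructed addresses from the RFC 5737 documentation range
SPIKE_SRC = "203.0.113.42"


def make_sample_log(seed: int = 1) -> list:
    """Constructed resolver query log, one '<epoch> <source-ip> <qname> <qtype>' per line.
    Background traffic is 5 queries/s from a small pool; one source sends a three-second
    flood, another a single one-second burst."""
    rng = random.Random(seed)
    lines = []
    for sec in range(10):
        for _ in range(5):
            src = f"198.51.100.{rng.randint(1, 20)}"
            lines.append(f"{BASE_EPOCH + sec} {src} www.example.net A")
    for sec in (4, 5, 6):
        lines += [f"{BASE_EPOCH + sec} {FLOOD_SRC} ns1.example.net ANY"] * 120
    lines += [f"{BASE_EPOCH + 8} {SPIKE_SRC} www.example.net A"] * 80
    rng.shuffle(lines)           # real logs are not grouped by source
    return lines


def parse_line(line: str):
    ts, src, qname, qtype = line.split()
    return int(ts), src, qname, qtype


def _runs(seconds, min_len):
    """Group sorted seconds into consecutive runs and keep runs of at least min_len."""
    runs, start, prev = [], None, None
    for s in seconds:
        if start is None:
            start = prev = s
        elif s == prev + 1:
            prev = s
        else:
            if prev - start + 1 >= min_len:
                runs.append((start, prev))
            start = prev = s
    if start is not None and prev - start + 1 >= min_len:
        runs.append((start, prev))
    return runs


def detect_floods(lines, per_source_qps=50, min_seconds=2):
    """Count queries per source per second. A source above the threshold for at least
    min_seconds consecutive seconds is 'sustained'; a shorter excursion is a 'spike'."""
    counts = defaultdict(lambda: defaultdict(int))   # src -> second -> queries
    for line in lines:
        sec, src, _qname, _qtype = parse_line(line)
        counts[src][sec] += 1
    sustained, spikes = [], []
    for src, per_sec in counts.items():
        hot = sorted(s for s, n in per_sec.items() if n > per_source_qps)
        for start, end in _runs(hot, min_seconds):
            peak = max(per_sec[s] for s in range(start, end + 1))
            sustained.append((src, start, end, peak))
        for start, end in _runs(hot, 1):
            if end - start + 1 < min_seconds:
                spikes.append((src, start, per_sec[start]))
    return {"sustained": sorted(sustained), "spikes": sorted(spikes)}


if __name__ == "__main__":
    for kind, hits in detect_floods(make_sample_log()).items():
        print(kind, hits)
```

Per-source counting catches the case shown; a distributed flood from many addresses would need the same check on the aggregate rate per second and per queried zone, which is a straightforward extension of the same counting table.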

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


September 14, 2007

Enterprise 3.0

I was talking to Phil Hunt from Oracle last week and he began to talk about "Enterprise 3.0". According to Phil:
"Identity 2.0 and Web 2.0 have often been defined by "social" or person-to-person relationship systems. The social-networking phenomena. In Enterprise 3.0, consider what happens when businesses start building the kinds of dynamic relationships that individuals do. Example: in LinkedIn we see a ceremony where individuals can choose to be "linked" enabling a set of features and communication between individuals. But what are the possibilities if businesses chose to be linked? What we are talking about is a derivative of social networking being applied to business services networking."

I liked his idea, and in this blog and others I will lay out my thoughts on Enterprise 3.0. So, first, let's begin with what Enterprise 3.0 will offer enterprises that doesn't currently exist:

* Use of mashups with appropriate security automatically applied, and automatic billing for content providers based on contracts (as opposed to today's world where mashups occur without security being applied automatically for content providers)

* Easy use of videoconferencing to enterprise desktops and cellphones where enterprise authentication and authorization rules are automatically enforced, and also easily enforced in enterprise-to-enterprise interactions (as opposed to today's world where authentication and authorization need to be manually applied in many instances, are approximated by opening certain IP ports, or are not applied at all)

* Ability to move around and direct existing user sessions to be passed from one device to another, e.g. from a laptop to a cellphone to a desktop. Compare this to today's world where workers and management are tied to a device and unable to keep the existing user session, application and information going without logging off and logging on to the new device

* Passing of digital content within the enterprise and between enterprises with automatic enforcement of enterprise content management security policies for each piece of content (as opposed to today's world where content management policies are not usually enforced once they leave the enterprise content management silo)

* Increasing control of business processes by ERPs where security policies are automatically enforced on the content flowing within the business process (as opposed to today's world where ERP business process controls don't normally cover all aspects of the business process. Further, they don't normally enforce enterprise security standards from risk management all the way to database security, especially when the business process is enterprise to enterprise)

* Integration of user-centric social interaction models into the enterprise where the interactions are automatically enforced with enterprise business, social and security policies (as opposed to today's world where the use of things like Facebook and MySpace is done in enterprise silos with little or no enforcement of enterprise social, business and security policies)

* More B-to-C interactions leveraging mashups, social interactions and the provision of rich digital content with automatic billing and business process and security enforcement of the enterprise's content (as opposed to today's world where the interactions don't leverage the integration of the enterprise's digital content, the bringing in of other enterprises' digital content, the user's content, and the appropriate security, business and identity enforcement along with automatic billing where appropriate)

* Ability for enterprises to quickly pass security policies, digital content and files to different levels of trust between parties. I liken this to social interactions between individuals where levels of trust are established. However, this needs to be modeled on levels of trust between enterprises where different contractual models exist. Compare this to today's world where the establishment of levels of trust is very time-, labor- and lawyer-intensive and is not quickly doable beyond tightly defined borders.

So is Enterprise 3.0 a revolution? No. It's an evolution where portability, security, interchangeable content with security policies, and worker and enterprise interaction are enriched. It's also a world where enterprise intellectual content is protected and automatically billable revenue streams are made possible where enterprise content is reused. In separate blogs, I will dive into the details of the challenges of creating, as well as the potential of, each of these Enterprise 3.0 features.

Thanks for the idea Phil!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

August 22, 2007

Update on Blue Pill

Earlier this month, Joanna Rutkowska published a blog updating the Blue Pill attack and the recent comments made at the last Black Hat conference. It's definitely worth a read.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Vista kernel tampering

Ryan Naraine yesterday published a great blog, "Can Microsoft ever stop kernel tampering in Vista?". He refers to the recent Black Hat conference and the presentation by Joanna Rutkowska, and documents the almost impossible task of preventing kernel attacks on Microsoft's Vista. Add to this the development of Blue Pill attacks and the future looks scary from a defense perspective.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


Google Proxy Hacking

Dan Thies has a very interesting blog he published on August 16, "Google Proxy Hacking: How A Third Party Can Remove Your Site From Google SERPs". The blog documents his frustration in dealing with Google over the last year to fix the hacking of Google page ranks by the use of proxies. The challenge is that as page ranking becomes extremely valuable to businesses that do business online, criminals or hackers get involved to remove competitors from the Google search results.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

August 20, 2007

OAuth approaches

The last several weeks have seen very busy activity in the authentication community developing an API for authentication. For clients, this means that there will be a simple way to publish and interact with protected data and also a simpler way to allow people to give you access to their data. On the server side, it means users don't have to spread their passwords around the net to get access to their data. OAuth allows users to get access to their data while protecting their account credentials.

Stay tuned for more on this as the spec is released. It is built using much of OpenID.
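As an added illustration (not code from this blog, and not from the OAuth spec, which had not been released when this was written), the following Python simulation walks through the three-legged delegation flow and HMAC-SHA1 request signing that the OAuth 1.0 specification later standardised: the consumer obtains a request token, the user approves it at the provider, the consumer exchanges it for an access token, and every request is then signed with the consumer secret plus the token secret. The point of the exchange is that the user's password is typed only at the provider and never appears in any message to or from the consumer. The consumer name, endpoint, user and file names are constructed; the request-token secret is not used to sign the token exchange here, which real OAuth does, so treat that simplification as an assumption.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def pct(value) -> str:
    """OAuth percent-encoding: only RFC 3986 unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded URL & encoded, sorted 'k=v&k=v' parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key = consumer secret '&' token secret. The user's password is never part of it."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class Provider:
    """The site holding the user's data: registers consumers, issues tokens, checks signatures."""

    def __init__(self):
        self.consumers = {"photo-printer": "printer-secret"}   # constructed consumer registration
        self.request_tokens = {}    # token -> {secret, consumer, user, verifier}
        self.access_tokens = {}     # token -> {secret, consumer, user}
        self.user_data = {"alice": ["vacation.jpg", "dog.jpg"]}   # constructed protected data

    def issue_request_token(self, consumer_key):
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": consumer_key, "user": None, "verifier": None}
        return tok, sec

    def user_authorizes(self, request_token, user):
        """The user logs in here, at the provider (login itself omitted), and approves the consumer."""
        entry = self.request_tokens[request_token]
        entry["user"], entry["verifier"] = user, secrets.token_hex(4)
        return entry["verifier"]            # returned to the consumer through the user's browser

    def exchange_for_access_token(self, request_token, verifier):
        entry = self.request_tokens.pop(request_token)    # request tokens are single-use
        if entry["user"] is None or not hmac.compare_digest(entry["verifier"], verifier):
            raise PermissionError("request token was not authorized")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer": entry["consumer"], "user": entry["user"]}
        return tok, sec

    def protected_resource(self, method, url, params, signature):
        entry = self.access_tokens.get(params.get("oauth_token"))
        if entry is None or entry["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("unknown token or consumer")
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       self.consumers[entry["consumer"]], entry["secret"])
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature")
        return self.user_data[entry["user"]]


def consumer_fetch(provider, consumer_key, consumer_secret, access_token, token_secret):
    """Consumer side: sign a request with its own secret plus the token secret."""
    url = "https://photos.example/api/list"            # constructed endpoint
    params = {"oauth_consumer_key": consumer_key, "oauth_token": access_token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1190000000",
              "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0", "size": "original"}
    sig = hmac_sha1_signature(signature_base_string("GET", url, params), consumer_secret, token_secret)
    return provider.protected_resource("GET", url, params, sig)


def run_flow():
    """Full three-legged exchange; returns what the consumer obtained."""
    provider = Provider()
    key, secret = "photo-printer", "printer-secret"
    req_tok, _req_sec = provider.issue_request_token(key)                  # leg 1
    verifier = provider.user_authorizes(req_tok, "alice")                 # leg 2: user at provider
    acc_tok, acc_sec = provider.exchange_for_access_token(req_tok, verifier)   # leg 3
    return consumer_fetch(provider, key, secret, acc_tok, acc_sec)


def wrong_token_secret_is_rejected() -> bool:
    """A consumer holding the token but not its secret cannot produce a valid signature."""
    provider = Provider()
    req_tok, _ = provider.issue_request_token("photo-printer")
    verifier = provider.user_authorizes(req_tok, "alice")
    acc_tok, _ = provider.exchange_for_access_token(req_tok, verifier)
    try:
        consumer_fetch(provider, "photo-printer", "printer-secret", acc_tok, "guessed")
    except PermissionError:
        return True
    return False
```

Because the provider recomputes the signature from the same base string, any change to the method, URL or parameters after signing is rejected, and because access is tied to a token rather than a password, the user can revoke the consumer at the provider without changing the password.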

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

August 15, 2007

Identity, Security and Business Risk

Several years ago I had a vision for enterprise security management. In my vision I saw that security risk would be assigned by ERP modules. The risk would be assigned based on value of business processes, enterprise information capital, physical assets and identities. Once the risk was assessed, the ERP would then automatically create security policies. These policies would then be automatically enforced throughout the enterprise by the enterprise security/identity/physical access systems.

Further, I saw the problems that large enterprises were going to have understanding the security policies. In my vision, I saw that the ERP security module would display the enterprise graphically. A senior manager or Board member would be able to slice and dice security visually. For example, enterprise assets could be displayed by levels of risk. This could then be displayed on a building by building basis. Then role access could be displayed overlaying this. The same thing could be done to display business processes by risk. All of this could then be displayed in real time.

At the time, I thought that this vision was not possible. The ERP vendors weren't players in the identity security space. There weren't any standards for identity access and authorization.

Today, the stage is becoming set to begin creating this vision into reality for several reasons:

1. There are the beginnings of an emergent identity data governance protocol in Liberty Alliance that would allow for intercommunication and enforcement of data security across disparate identity silos and identity protocols.
2. BPM and BPEL allow for protocols to manage business processes and tie this to security.
3. ERP vendors like Oracle and SAP are now players in the identity/security space.
4. Many physical access devices are now LDAP compliant allowing them to talk to the enterprise LDAP systems.
5. There are virtual directories allowing for rapid integration of enterprise databases into enterprise directories.

What's missing to complete the vision?

* No document management protocols allowing for interchange of document management security policies tied to identity management authentication and authorization protocols
* Lack of strong security modules in ERP that talk to the risk modules and the identity governance modules

I am quite optimistic that over the next three to four years, my vision will become reality.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

August 9, 2007

Hacking a biometric authentication system

eWeek has a very interesting slide show, "The Security of Biometrics: Two Screws and a Plastic Cover", which I strongly recommend viewing. The slide show shows, step by step, how to hack a biometric system.

One of the weak spots in many biometric systems is the use of Wiegand protocol. As the slide show says "The Wiegand protocol is, Franken said, a) in plain text, b) easily intercepted, c) easily replayed, d) includes output from biometric readers, and e) includes output from even strong crypto contactless smart card readers. This means the output, including all data pertaining to a card holder, can be captured on a hacked system."

Security is only as strong as the weakest link.
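To show what "in plain text" means for the reader-to-controller link, here is an added Python example (not from the eWeek slide show or this blog) that encodes and decodes the common 26-bit Wiegand card format, which is assumed here as the representative layout: one even-parity bit over the first 12 data bits, an 8-bit facility code, a 16-bit card number, and one odd-parity bit over the last 12 data bits. The controller model at the end is everything the format lets a controller verify. The facility code and card number are constructed values.

```python
def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit frame: [even parity][8-bit facility][16-bit card][odd parity].
    The frame is a pure function of the card data, so every read of one card is
    bit-identical: there is no key, nonce or MAC anywhere in the format."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility code must fit in 8 bits and card number in 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)           # even parity covers the first 12 data bits
    odd = str((data[12:].count("1") + 1) % 2)      # odd parity covers the last 12 data bits
    return even + data + odd


def decode_wiegand26(frame: str) -> dict:
    """Decode a frame. Parity is the only integrity check the format offers."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 bits as a string of 0/1")
    data = frame[1:25]
    even_ok = int(frame[0]) == data[:12].count("1") % 2
    odd_ok = int(frame[25]) == (data[12:].count("1") + 1) % 2
    return {"facility": int(data[:8], 2), "card": int(data[8:], 2), "parity_ok": even_ok and odd_ok}


def flip_bit(frame: str, index: int) -> str:
    """Corrupt one bit, modelling line noise on the reader-to-controller wiring."""
    return frame[:index] + ("1" if frame[index] == "0" else "0") + frame[index + 1:]


def controller_decision(frame: str, allowed: set) -> str:
    """Everything a Wiegand controller can check: parity, then a lookup of the plaintext
    identifier. Any frame that passes both is granted, whatever put it on the wire."""
    info = decode_wiegand26(frame)
    if not info["parity_ok"]:
        return "reject: parity"
    return "grant" if (info["facility"], info["card"]) in allowed else "reject: unknown card"


if __name__ == "__main__":
    frame = encode_wiegand26(123, 45678)       # constructed card
    print(frame, decode_wiegand26(frame))
    print(controller_decision(frame, {(123, 45678)}))
    print(controller_decision(flip_bit(frame, 5), {(123, 45678)}))
```

Since parity is the only check and the frame for a given card never changes, the controller has no way to distinguish a live read from a recorded one, which is the slide show's point about interception and replay. The defensive answer is an authenticated and encrypted reader-to-controller channel (OSDP Secure Channel is the industry's later standard for this) and treating the wiring behind the reader as a protected asset rather than trusting the wall it sits in.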

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com