June 30, 2009

NERC and Identity and Access Management

Currently, many utilities and critical infrastructure industries are having to comply with the NERC CIP standards. The point of this post is that this feels eerily similar to SarBox (Sarbanes-Oxley) in its early days.

When SarBox requirements came in, there was a mad scramble to figure out who had access to financial systems and to ensure that terminated identities were actually removed. This gave birth to attestation lists. I remember one company where an SVP had an executive assistant working nearly full-time on vetting the lists for the SVP.

Over the next few years, enterprises began to understand the significant effort, time and cost required to produce the regulatory reports. This led to many identity management projects with electronic attestation that significantly reduced the cost, time and effort to comply.

NERC is of course different in that it pertains to critical assets, both physical and logical systems. This past year, many consultants and employees have been scrambling with their spreadsheets, databases and lists to begin compliance. I see the same trend happening here regarding identity and access management as occurred with SarBox.

There are many challenges in NERC. Many large enterprises have many data stores of critical assets, and the same asset is identified differently in each store. (Sound familiar, identity people? It's a great application for virtual directories.)

Then there is the physical and electronic access. Getting these lists put together takes time and money. These too are great applications for identity and access management.

I have written a couple of white papers on this (see the "Papers" section of www.authenticationworld.com).

Over the next four years I predict that many utilities and critical infrastructure enterprises will adopt identity and access management to reduce their recurring costs.

Regards,
Guy

June 29, 2009

Selling identity management in tough economic times

Many people have been telling me that identity budgets have been cut due to the tough economic recession we're in. In fact, when I hear this, I laugh inside. These people don't understand how identity management can help lift sales, reduce inventory and be an essential component in outsourcing to reduce costs.

Derek Small from Nulli Secundus and I wrote a paper this spring "Successfully selling identity management in tough economic times". It's a good read that emphasizes business benefits and doesn't view identity management as a technology.

Regards,
Guy

Security Awareness

This post will outline my thoughts from two years ago that led to the development of "Train in a Flash".

As I was walking by the beach, I was thinking of new things to do. The first thought that popped into my mind was security awareness training. I realized how poorly I as a contractor and the employees of the enterprises I had worked in were trained on security awareness.

Most enterprises I had worked with:
* sent out emails which were not read
* had a boring intranet site buried deep within their intranet
* used canned modular courses that took 6-8 hours to complete (which I thought most workers were not going to sit through)
* used posters (which were a good idea if they were part of a recurring campaign)
* took their workers off their job for a half or full day course (which I thought wouldn't happen at most enterprises and even if they did, many workers would forget their training over a period of time)

I then thought what could I do about this? The solution I was looking for would contain the following:
* 4 minutes or less - we're talking about awareness, not real training on security. My thought was that I wanted to "stitch across a worker's forehead" three or four points that they would likely remember, and then quickly let them get on with their work
* Available on every desktop (Adobe Flash is on 95% of desktops)
* Was branded as if it came from the enterprise (get rid of modular generic courses and brand the enterprise)
* Had local contact information within it (make the information pertinent to the worker)
* Was in the language of the worker
* AND MOST IMPORTANTLY OF ALL...WAS INEXPENSIVE! (I wanted to produce something that was under $1,000 with unlimited user licenses internally)

Two years later I have produced "Train in a Flash", which does all of the above. Together with Munich Re Life in Toronto, we developed 24 security awareness programs. They love them! We currently produce them in 11 languages, brand them as if they come from your enterprise, and insert local contact information within them; they're under 4 minutes to watch, and we also produce them as screen savers.

The price tag is $975 per program (Euros for Europe) and $1100 for screen savers. There are unlimited viewing licenses internally.

We are also producing a quarterly malware worker update service. Every three months we deliver a short update for workers letting them know about recent attacks and keeping malware in the front of their minds.

All the CIOs and CSOs I've shown them to like them as well. They like the price tag, the customization and the branding. They also like the screen savers, since these are a way to keep the awareness in front of the workers' minds.

What didn't they like?
* They wanted to have a management module that would tell them what programs their workers had watched
* Wanted to have measurement capability to indicate how effective the awareness training is
* Wanted to have approximately 50 programs such that every week they could change the screensavers

So, we're working on this now.

Since a picture is worth a thousand words, go to www.traininaflash.com and see for yourself. Then email me with your comments, criticism and suggestions.

Regards,
Guy
guy@hvl.net


June 27, 2009

Physical and Logical Security Integrations

Slowly, physical and logical security integration is creeping onto the radar screens of large enterprises and into vendors' heads as well. While there is the beginning of a buzz around this, not many people have actually done it. I have, twice, at large enterprises.

At one, several years ago, I replaced all the physical access control (PAC) vendors with one that was LDAP compliant. We then wrote scripts from the enterprise directory to provision and deprovision the identities in the PAC. This was expensive to do and time consuming.

At another more recent project, at Toronto Hydro, I convinced and then paid the PAC vendor to implement SPML (Service Provisioning Markup Language) into their code. This is now in test phase. However, this took nearly two years to accomplish and while good, it doesn't exactly fit my model for the future. So what is it?

There are two areas where I think physical and logical security integration is very important:
* Provisioning, role change and deprovisioning of identities
* Integrated logical and physical security ops

Provisioning
In a perfect world, all PAC vendors would code SPML, XACML and LDAP into their products. These would then integrate with the enterprise's IAM systems. However, it is a very imperfect world at the moment.

Most enterprises don't have PAC vendors with this capability. To make matters worse, they often have two, three or several different PACs in their enterprise. Finally, if they do have an IAM implementation with a provisioning system, they almost certainly don't have all the identity types who are issued security badges in their enterprise directories. People like window washers, plant waterers, air conditioning repairmen, cleaners, etc. are not using IT systems.
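The directory-driven provisioning described above, reduced to its core, is a reconciliation: compare the authoritative directory against the PAC's badge-holder list and emit provision, deprovision and role-change actions, while flagging badge holders that the directory has never heard of (the window washers and cleaners) for manual attestation rather than silently ignoring them. The script below is an added example, not code from the original post or from any PAC vendor or IAM product; the record layouts, the assumed "E-" identifier convention the PAC uses, and the sample data are all constructed for illustration.

```python
"""Reconcile an enterprise directory export against a PAC badge-holder list.

Added example (not from the original post). Record formats, the identifier
normalisation rule and the sample data are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class DirectoryEntry:
    employee_id: str            # directory's canonical id, e.g. "00123"
    status: str                 # "active" or "terminated"
    building_groups: FrozenSet[str]  # physical access groups the role entitles


@dataclass(frozen=True)
class BadgeRecord:
    badge_id: str
    person_ref: str             # PAC's own identifier, e.g. "E-00123" or "CONTRACTOR-7"
    groups: FrozenSet[str]      # access groups currently on the badge


def normalise_ref(ref: str) -> Optional[str]:
    """Map the PAC identifier onto the directory's employee_id.

    Assumed convention: the PAC prefixes the numeric directory id with "E-"
    and may drop leading zeros. Anything else is not a directory-managed
    identity (contractors, vendors) and returns None.
    """
    prefix = "E-"
    if ref.startswith(prefix) and ref[len(prefix):].isdigit():
        return ref[len(prefix):].zfill(5)
    return None


def reconcile(directory: List[DirectoryEntry], badges: List[BadgeRecord]) -> Dict[str, list]:
    """Return the actions needed to bring the PAC in line with the directory."""
    dir_by_id = {d.employee_id: d for d in directory}
    actions: Dict[str, list] = {"provision": [], "deprovision": [], "role_change": [], "unmanaged": []}
    seen = set()
    for b in badges:
        emp_id = normalise_ref(b.person_ref)
        if emp_id is None or emp_id not in dir_by_id:
            # No directory record: cannot be attested automatically, so route
            # the badge to manual review instead of leaving it unexamined.
            actions["unmanaged"].append(b.badge_id)
            continue
        seen.add(emp_id)
        entry = dir_by_id[emp_id]
        if entry.status != "active":
            actions["deprovision"].append(b.badge_id)      # leaver still holds a live badge
        elif entry.building_groups != b.groups:
            actions["role_change"].append((b.badge_id, sorted(entry.building_groups)))
    for emp_id, entry in dir_by_id.items():
        if entry.status == "active" and emp_id not in seen:
            actions["provision"].append(emp_id)            # joiner with no badge yet
    return actions


def run_example() -> Dict[str, list]:
    """Constructed sample data exercising every action type."""
    directory = [
        DirectoryEntry("00123", "active", frozenset({"HQ-lobby", "HQ-datacentre"})),
        DirectoryEntry("00456", "terminated", frozenset()),
        DirectoryEntry("00789", "active", frozenset({"HQ-lobby"})),
        DirectoryEntry("00999", "active", frozenset({"HQ-lobby"})),
    ]
    badges = [
        BadgeRecord("B1", "E-00123", frozenset({"HQ-lobby", "HQ-datacentre"})),  # in sync
        BadgeRecord("B2", "E-00456", frozenset({"HQ-lobby"})),                   # terminated
        BadgeRecord("B3", "E-789", frozenset({"HQ-lobby", "HQ-datacentre"})),    # over-entitled
        BadgeRecord("B4", "CONTRACTOR-7", frozenset({"HQ-lobby"})),              # not in directory
    ]
    return reconcile(directory, badges)


if __name__ == "__main__":
    for action, items in run_example().items():
        print(f"{action}: {items}")
```

The "unmanaged" bucket is the part most real projects get wrong: an automated feed that only touches directory-known identities leaves every contractor badge outside the attestation loop, which is exactly the gap described above.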

Security Ops
Then there is the issue of security ops. Almost all the enterprises I know currently have physical security monitored separately from IT and enterprise perimeter defence systems. This is folly in today's age, since smart criminals and foreign enterprises will likely first penetrate the enterprise physically and then commence their attacks internally.

This requires an integrated command console and trained staff who can see physical security overlaid on top of logical security, on top of a map of the planet, showing them where attacks are coming from, doors ajar, network ports, etc.

Getting all the different enterprise PACs integrated together is hard enough. Creating this new interface on top of that is something that doesn't really exist commercially at the moment.
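Before a full console exists, the simplest form of the integrated security ops described above is a correlation rule that joins physical events with logical ones. The example below is added here and is not code from the original post or from any product; it feeds constructed badge, door and network events through two rules: a person who badged into the building and then logs in over VPN from outside within a short window (possible badge cloning or credential sharing), and a forced or ajar door in a zone followed shortly by a network port coming up in that same zone. Window lengths, event field names and the sample events are all assumptions.

```python
"""Correlate physical access control events with logical security events.

Added example (not from the original post). Event schema, correlation
windows and sample events are constructed assumptions.
"""
from typing import Dict, List, Tuple

ONSITE_REMOTE_WINDOW_MIN = 30   # assumed: badge-in then VPN login within 30 min
DOOR_PORT_WINDOW_MIN = 10       # assumed: door event then port link-up within 10 min


def correlate(events: List[Dict]) -> List[Tuple]:
    """Return alerts found by replaying events in timestamp order.

    Each event is a dict with "ts" (minutes since midnight, constructed) and
    "kind"; other keys depend on kind: badge_in/vpn_login carry "who",
    door_forced/door_ajar/port_up carry "zone", port_up also carries "port".
    """
    alerts: List[Tuple] = []
    last_badge_in: Dict[str, int] = {}   # identity -> ts of most recent badge-in
    last_door_event: Dict[str, int] = {}  # zone -> ts of most recent forced/ajar door
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["kind"]
        if kind == "badge_in":
            last_badge_in[e["who"]] = e["ts"]
        elif kind == "vpn_login":
            t = last_badge_in.get(e["who"])
            if t is not None and 0 <= e["ts"] - t <= ONSITE_REMOTE_WINDOW_MIN:
                # Same identity is physically inside and remotely connected.
                alerts.append(("onsite_and_remote", e["who"], e["ts"]))
        elif kind in ("door_forced", "door_ajar"):
            last_door_event[e["zone"]] = e["ts"]
        elif kind == "port_up":
            t = last_door_event.get(e["zone"])
            if t is not None and 0 <= e["ts"] - t <= DOOR_PORT_WINDOW_MIN:
                # New device on the wire right after a door anomaly in that zone.
                alerts.append(("port_after_door_event", e["zone"], e["port"], e["ts"]))
    return alerts


def run_example() -> List[Tuple]:
    """Constructed sample event stream (times are minutes since midnight)."""
    events = [
        {"ts": 480, "kind": "badge_in", "who": "alice", "zone": "HQ-lobby"},
        {"ts": 490, "kind": "vpn_login", "who": "alice"},            # 10 min later: alert
        {"ts": 540, "kind": "badge_in", "who": "bob", "zone": "HQ-lobby"},
        {"ts": 840, "kind": "vpn_login", "who": "bob"},              # 5 h later: no alert
        {"ts": 600, "kind": "port_up", "zone": "HQ-lobby", "port": "sw1/4"},  # no door event
        {"ts": 1325, "kind": "door_forced", "zone": "DC-east"},
        {"ts": 1329, "kind": "port_up", "zone": "DC-east", "port": "sw3/12"},  # alert
    ]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Both rules depend on the thing that is hardest in practice: a shared identity key and a shared zone model across every PAC and the network inventory, which is why the reconciliation work has to come first.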

If you read my papers in the Papers section of www.authenticationworld.com, you'll find a very detailed analysis of all the things that need to be considered when implementing logical and physical security together.

Happy reading!

Regards,
Guy

I'M BACK!

After a two year absence I'm back. The past two years I have been developing "Train in a Flash". These are security awareness training programs that are 4 minutes or less in length, in Adobe Flash, branded as if they come from your enterprise, customized with your local contact information, in 11 languages and...they're very inexpensive! $975 (Euros for Europe) and $1100 for screen savers!

Since seeing is believing, you can learn more at www.traininaflash.com!

The next couple of blogs will focus on physical and logical security integration, ehealth and NERC compliance all as they relate to identity and access management.

Regards,
Guy

December 8, 2007

The future of security

I was just reading an article on Dark Reading, "Ranum's Wild Security Ride", that got me thinking. The article is about Marcus Ranum, who helped create one of the first firewalls. The article quotes him: "Computer security is going to disappear after a while," he says. I couldn't agree more. That's the point of this post.

Computer security today is all about companies making products to compensate for the poor security design of other companies' products. Further, enterprise system software, like ERPs, doesn't provide end to end security either.

About seven or eight years ago I saw that one day ERP vendors would "own" the security space for large enterprises. Their software would set business risk in a module and then using the risk, set the security policies around the identities, business and web processes automatically. They would control the enterprise firewall's security policies as well as integrate with physical security systems. The business risk module would also then determine the physical security authentication risk for specific physical locations.

Further, I also saw that independent application vendors would be forced, over time, to build good security into their products. I believed then that litigation and regulatory pressure would, over time, force developers to change their coding practices from getting something out the door quickly to getting something out the door that also has good security built into it.

Is this a dream or not? I don't think so.

Today, the ERP vendors are being led by Oracle, who is quickly buying up middleware companies to build an end to end security driven product suite. Their recent acquisition of Bharosa is but one example of integrating authentication security into their architecture. They are also actively partnering with companies like QuantumSecure. This is the early beginning of integrating physical security into ERP architectures.

Is all of this going to happen overnight? No. Not even for the next ten years. However, at the large enterprise level, you can see the winds of change gently blowing towards integrating security into the core product development.

On the flip side of my vision, many people will say that having all your eggs in one ERP basket is also dangerous. I agree. There will be many twists and turns on a bumpy road from where we are today to one where the ERP product suite is robust. Many enterprises may believe the ERP sales rep's security spiels when they shouldn't.

My take is that the large enterprise market for security products will dwindle over the next ten years. I believe that the ERP vendors will own this section of the market. I also see that vendors like Google and others will slowly take over portions of the current Microsoft market. Since they are starting off without having to maintain backward compatibility with the poorly secured code that Microsoft has to support, I think they will begin to introduce better security standards into the marketplace.

I don't want to put Google on a pedestal, since their own products have security holes as well. However, in the long run, I believe that, as we move towards a digital world where servers run and store most of the code and the desktop becomes a thin client, better security will slowly evolve.

That's why I too agree with Marcus Ranum. Over time, the security product market will slowly dwindle from the market it is today. Security vendors will become specialty firms addressing new attack vectors, rather than focusing on general protection as they do today.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

September 17, 2007

How safe is your encryption scheme?

This past week, Tim Wilson published a very interesting article in Dark Reading, "Quantum Research Could Threaten Encryption Schemes". In it he documents the recent research in Australia and China on photonic computers that are able to run something called "Shor's Algorithm".

According to Tim's article he says "Using an experimental computer based on photonics, the researchers in Australia and China have independently been able to do a full-scale implementation of something called Shor's Algorithm, a non-linear method of factoring composite numbers. Shor's Algorithm breaks many of the rules of linear computing and therefore has no trouble finding the prime factors in any number, no matter how large.

The research shakes the foundation of all types of currently available encryption methods. If the quantum computer can factor any number of any size with equal ease, then, theoretically, no algorithm based on linear computing is safe. "

All of this should give CSOs and CIOs pause for consideration. It means that over the next ten or so years, as quantum computing comes into being, most of their precious secrets and defense mechanisms relying upon encryption could be broken.
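To see why Shor's algorithm matters for the factoring-based schemes, it helps to separate the two halves of it. The quantum part finds the order r of a base a modulo N (the smallest r with a^r ≡ 1 mod N) efficiently; the rest is ordinary number theory that turns that order into factors. The block below is an added illustration, not code from the article or from any quantum implementation: it does the order finding by brute force (exponential, so it only works for toy moduli) and then applies the same classical reduction that a real quantum run would feed. The sample moduli 15 and 21 and the helper names are constructed for the example.

```python
"""Classical illustration of the reduction at the heart of Shor's algorithm.

Added example (not from the article). find_order() is the step a quantum
computer speeds up; here it is brute force and only feasible for toy N.
Assumes N is an odd composite and a is in the range 2..N-1.
"""
from math import gcd
from typing import Optional, Tuple


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1, by repeated multiplication.

    Requires gcd(a, n) == 1, otherwise the loop never terminates; callers
    check that first. Classically this costs up to n steps, which is why
    the reduction below is instructive rather than a practical attack.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Try to split n using the order of base a; None means pick another a."""
    g = gcd(a, n)
    if g != 1:
        return tuple(sorted((g, n // g)))     # lucky guess: a shares a factor with n
    r = find_order(a, n)
    if r % 2:
        return None                          # odd order gives no square root of 1
    y = pow(a, r // 2, n)                    # y*y == 1 (mod n)
    if y == n - 1:
        return None                          # trivial root -1: no information
    p = gcd(y - 1, n)                        # non-trivial root of 1 splits n
    if 1 < p < n:
        return tuple(sorted((p, n // p)))
    return None


def factor(n: int) -> Optional[Tuple[int, int]]:
    """Sweep bases until the reduction succeeds (most bases work)."""
    for a in range(2, n):
        result = shor_factor(n, a)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    print("order of 7 mod 15 =", find_order(7, 15))
    print("15 =", shor_factor(15, 7))
    print("21 =", factor(21))
```

The practitioner's caveat: this reduction targets the factoring and discrete logarithm problems underlying public-key schemes such as RSA and Diffie-Hellman; symmetric ciphers and hash functions are not broken by it, only weakened, so "all types of currently available encryption" overstates the reach of the result.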

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

The Threat Continues: ISP Denial of Service Attacks

There's a must read on Dark Reading "Report: Attacks on ISP Nets Intensifying". It refers to a report from Arbor Networks that outlines the increasing threat of denial of service attacks on ISPs.

As I have blogged about before, denial of service attacks are an increasing threat to enterprises large and small. As Dark Reading documents, the Arbor report showed that "While most large ISPs have upgraded their backbones to 10-Gbit/s speeds over the past two years, three respondents said they have experienced sustained attacks from 20- to 22 Gbit/s, and one hosting services provider in the survey reported a 24-Gbit/s DNS-targeted attack. The most powerful sustained attack previously was 17 Gbit/s, which was reported in last year's survey by Arbor."

Further, Dark Reading's article said "Not surprisingly, ISPs say botnets are the number one threat to their networks, and that these malicious networks are growing in size and sophistication. Botnets are used for DOS attacks (71 percent), sending spam (64 percent), as open proxies (34 percent), for storing ID theft information (16 percent), and as part of phishing systems (37 percent), according to respondents."

Most worrisome to me was the ending to the Dark Reading article: "There are a couple of vulnerable hotspots on service provider backbones: More than half said they had no way to detect or mitigate DNS attacks, and nearly 90 percent don't have the ability to protect VOIP."

As enterprises move to VOIP they are incurring a significant risk they probably are unaware of. A successful denial of service attack would not just bring down their internet web site BUT WOULD ALSO CURTAIL ALL PHONE ACTIVITY!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com


September 14, 2007

Enterprise 3.0

I was talking to Phil Hunt from Oracle last week and he began to talk about "Enterprise 3.0". According to Phil:
"Identity 2.0 and Web 2.0 have often been defined by "social" or person-to-person relationship systems. The social-networking phenomena. In Enterprise 3.0, consider what happens when businesses start building the kinds of dynamic relationships that individuals do. Example: in LinkedIn we see a ceremony where individuals can choose to be "linked" enabling a set of features and communication between individuals. But what are the possibilities if businesses chose to be linked? What we are talking about is a derivative of social networking being applied to business services networking."

I liked his idea and in this blog and others, I will lay out my thoughts for Enterprise 3.0. So, first let's begin with what Enterprise 3.0 will offer enterprises that currently doesn't exist:

* Use of mashups with appropriate security applied automatically, and with automatic billing for content providers based on contracts (as opposed to today's world where mashups occur without security being applied automatically for content providers)

* Easy use of videoconferencing to enterprise desktops and cellphones where enterprise authentication and authorization rules are automatically enforced and, also easily enforced in enterprise to enterprise interactions (as opposed to today's world where authentication and authorization need to be manually applied in many instances, or sort of created by having certain IP ports applied or, not applied at all)

* Ability to move around and direct existing user sessions to be passed from one device i.e. a laptop to a cellphone to another a desktop. Compare this to today's world where workers and management are tied to a device and unable to keep the existing user session, application and information going without logging off and logging on to the new device

* Passing of digital content within the enterprise and between enterprises with automatic enforcement of enterprise content management security policies for each piece of content (as opposed to today's world where content management policies are not usually enforced once they leave the enterprise content management silo)

* Increasing control of business processes by ERPs, where security policies are automatically enforced on the content flowing within the business process (as opposed to today's world where ERP business process controls don't normally cover all aspects of the business process, and don't normally enforce enterprise security standards from risk management all the way to database security, especially when the business process is enterprise to enterprise)

* Integration of user centric social interaction models into the enterprise, where the interactions are automatically subject to enterprise business, social and security policies (as opposed to today's world where the use of things like Facebook and MySpace happens in enterprise silos with little or no enforcement of enterprise social, business and security policies)

* More B to C interactions leveraging mashups, social interactions and provision of rich digital content with automatic billing and business process and security enforcement of the enterprise's content (as opposed to today's world where the interactions don't leverage the integration of the enterprise's digital content, the bringing in of other enterprise's digital content, the user's content, and the appropriate security, business and identity enforcement along with automatic billing where appropriate)

* Ability for enterprises to quickly pass security policies, digital content and files to different levels of trust between parties. I liken this to social interactions between individuals where levels of trust are established. However, this needs to be modeled on levels of trust between enterprises where different contractual models exist. Compare this to today's world where the establishment of levels of trust is very time, labor and lawyer intensive and is not quickly do-able beyond tightly defined borders.

So is Enterprise 3.0 a revolution? No. It's an evolution where portability, security, interchangeable content with security policies, and worker and enterprise interaction are enriched. It's also a world where enterprise intellectual content is protected and automatically billable revenue streams are made possible where enterprise content is reused. In separate posts, I will dive into the details of the challenges involved in creating each of these Enterprise 3.0 features, as well as the potential of each.

Thanks for the idea Phil!

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

August 22, 2007

Update on Blue Pill

Earlier this month, Joanna Rutkowska published a blog updating the Blue Pill attack and the recent comments made at the last Black Hat conference. It's definitely worth a read.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com