06 Dec 2013
Deep dives into technology & architectures: The Identity & Access Management Experts Day is the place where you meet Identity & Access Management experts for in-depth discussion of the future of Identity Management, Cloud Computing and Information Security.
06 Dec 2013 3:30pm GMT
Kuppinger Cole: 06.02.2014: Managing Identities and Access to Information for Cloud, Mobile and Social Computing
Cloud Computing, Mobile Computing and Social Computing - each of these trends has been around for some time. But what we see now is the convergence of those forces, creating strong new business opportunities and changing the way we use information technology to interact with our customers and to run our enterprises. It is all about the shift of control into the hands of users, far beyond what we used to call consumerization. Identity and access is the key element in this paradigm shift...
06 Dec 2013 3:16pm GMT
Kuppinger Cole: 23.01.2014: Moving from Prohibition to Trust: Identity Management in the On Premises and Cloud Era
Managing and governing access to systems and information, both on-premises and in the cloud, needs to be well architected to embrace and extend existing building blocks and help organizations move forward towards a more flexible, future-proof IT infrastructure. Join KuppingerCole APAC in this Breakfast Debate to find out how to best move from old-school, prohibition-based security to trust in access control.
06 Dec 2013 2:10pm GMT
According to IBM, a consistent way to manage all types of risk is the key to success for financial services organizations. To support this, IBM will be rolling out its Smarter Risk offering during Q1 2014. Failure to properly manage risk has been alleged to be the cause of the financial crisis and, to force financial services organizations to better manage risk, regulators around the world are introducing tougher rules.
The underlying causes of the damaging financial crisis can be traced back to the management of risk. Financial services organizations need to hold capital to protect against the various forms of risk. The more capital they have to hold to cover existing risks the less the opportunity to use that capital in other ways. So fully understanding the risks faced is a key factor to organizational success.
According to Gillian Tett in her book Fool's Gold, the roots of the financial crisis can be traced back to the Exxon Valdez disaster in 1993. To cover the billions of dollars needed for the clean-up, Exxon requested a credit line from its bankers J.P. Morgan and Barclays. Covering this enormous credit line required the banks to set aside large amounts of capital. In order to release this capital, J.P. Morgan found a way to sell the credit risk to the European Bank for Reconstruction and Development. This was one of the earliest credit default swaps and, while this particular one was perfectly understood by all parties, these types of derivatives evolved into things like synthetic collateralized debt obligations (CDOs), which were not properly understood and were to prove the undoing.
IBM believes that, in order to better manage risk, financial services organizations need to manage all forms of risk in a consistent way since they all contribute to the ultimate outcome for the business. These include financial risk, operational risk, fraud and financial crimes, as well as IT security. The approach they advise is to build trust through better and more timely intelligence, then to create value by taking a holistic view across all the different forms of risk. The measurement of risks is a complex process and involves many steps based on many sources of data. Often a problem that is detected at a lower level is not properly understood at a higher level or is lost in the noise. Incorrect priorities may be assigned to different kinds of risk or the relative value of different kinds of intelligence may be misjudged.
So how does this relate to IT security? Well, security is about ensuring the confidentiality, integrity and availability of information. This last week the UK bank RBS suffered a serious outage which led to its customers' payment cards being declined over a period of several hours. The reasons for this have not been published, but the reputational damage must be great since this is the latest in a series of externally visible IT problems suffered by the bank. IBM provided an example of how they had used a prototype Predictive Outage Analytics tool on a banking application. This banking application suffered 10 outages, each requiring over 40 minutes recovery time, over a period of 4 weeks. Analysing the system monitoring and performance data, the IBM team were able to show that these outages could have been predicted well in advance and that the costs and reputational damage could have been avoided if appropriate action had been taken sooner.
So in conclusion this is an interesting initiative from IBM. It is not the first time that IT companies have told their customers that they need to take a holistic view to manage risk and that IT risk is important to the business. However, as a consequence of the financial crisis, the financial services industry is now subject to a tightening screw of regulation around the management of risk. Under these circumstances, tools that can help these organizations to understand, explain and justify their treatment of risks are likely to be welcomed. This holistic approach to the management of risk is not limited to financial organizations and many other kinds of organization could also benefit. In particular, with the increasing dependence upon cloud computing and the impact of social and mobile on the business, the impact of IT risk has become a very real business issue and needs to be treated as such.
06 Dec 2013 1:14pm GMT
05 Dec 2013
I have been working on a solution for a healthcare SaaS provider for a "reverse proxy" to help them migrate from a home-grown web access management solution. The driver for the integration was supporting an important customer who required SAML authentication. However, SAML was not enough. The SaaS provider used the proxy as the … Read more >>
05 Dec 2013 9:00pm GMT
Access Risk Management Blog | Courion
On Tuesday December 10th at 11:00 a.m. Eastern, Nick Taylor, Senior Manager for Enterprise Risk Services at Deloitte will be joining us for a webinar titled, "Does Regulatory and Compliance Activity Actually Reduce Identity and Access Risk, or Is It a Rubber Stamp Exercise?" It's sure to be an interesting conversation, and is a convenient way to earn Continuing Professional Education credits (CPEs) towards your CISSP certification.
The top audit issues from years ago are still today's top audit issues - excessive access rights, removal of access after termination and lack of sufficient segregation of duties. Kind of makes you wonder why we bother preparing for and (hopefully) passing audits, given that breaches are becoming increasingly commonplace.
So does regulatory and compliance activity actually reduce risk? Join our panel to discuss:
- Providing least-privileged user access in an ever-changing environment
- Maintaining continuous compliance to get ahead of the audit
- Leveraging big identity and access data to uncover threats
If you register now and log in on December 10th at 11:00, you'll be eligible to receive CPE credit towards your Certified Information Systems Security Professional (CISSP) certification.
05 Dec 2013 7:41pm GMT
Yesterday, I participated in an interesting discussion about the tension between a desire to keep data around for an extended period of time versus purging it quickly. On one hand, some people wanted to keep old email accounts active for an extended period of time, just in case an old email message might be needed. [...]
05 Dec 2013 9:16am GMT
04 Dec 2013
Many organizations have started their journey into the world of IAM several years ago.
04 Dec 2013 5:07pm GMT
In various discussions over the past month, mainly in the context of Privilege Management, I raised the (somewhat provocative) claim that shared accounts are a bad thing per se and that we must avoid these accounts. The counterargument I got, though, was that sometimes it is just impossible to do so.
There were various examples. One is that users in production environments need a functional account to quickly access PCs and perform some tasks. Another is that such technical user accounts are required when building n-tier applications to, for instance, access databases. Administrators commonly tend to groan when approaches for avoiding the use of shared accounts such as root are considered.
There are many more examples, but when you look at reality there are plenty of examples and reasons showing how it is possible to avoid shared accounts (or at least their use). In many healthcare environments, fast user switching has been used for years now. The strict regulations in this sector have frequently led to implementing Enterprise Single Sign-On tools that allow for rapid authentication and access to applications with an individual account. These solutions have frequently replaced previously used shared functional accounts. So why shouldn't they work in other environments as well?
When looking at n-tier applications, it is worth diving somewhat deeper into end-to-end security. There are many ways to implement end-to-end security. Standards such as OAuth 2.0 make it far easier to implement such concepts. Provisioning tools have supported database systems and other systems for a number of years. Oracle has just "re-invented" database security in its Oracle Database 12c, with tight integration into IAM (Identity and Access Management). Aside from the argument that end-to-end security just does not work (which is wrong), I sometimes hear the argument that this is too complex to do. I don't think so. It is different to do. It requires a well-thought-out Application Security Infrastructure, something I was writing about years ago. It requires changing the way software architecture and software development are done. But in many, many cases technical accounts are primarily used for convenience reasons - architects and developers just do not want to consider alternative solutions. And then there is always the "killer argument" of time to market, which is not necessarily valid.
When I look at administrators, I know about many scenarios where root or Windows Administrator accounts are rarely used, except for firefighting operations. The administrators and operators instead rely on functionally restricted, personal accounts, alongside the other personal accounts they use for standard operations such as email access. That works well and it does not hinder them from doing a good job in administration and operations. But it requires thoroughly thinking through the concept for these accounts.
So there are many good reasons to get rid of shared accounts, but few, if any, valid ones to continue using them. Given that these accounts are amongst the single biggest security risks, it is worth starting to rethink their use and openly consider alternative solutions. Privilege Management tools are just helping with the symptoms. It is time to start addressing the cause of this security risk.
Have a look at our KuppingerCole reports. We will publish a new Leadership Compass on Privilege Management soon. Given that shared accounts are a reality and will not disappear quickly, you might need a tool to better secure them. Have a look at the new report, which will help you select the right vendor for your challenges.
04 Dec 2013 10:18am GMT
Welcome to the Executive Director's Corner. We verify Trusted ID systems actors, build markets, enable communities, influence stakeholders, and give our members competitive industry visibility. We share one common goal: to collaborate to develop and operate services that build markets that enable use of high-value trusted identity credentials. As Executive Director (ED) of Kantara Initiative, more...
04 Dec 2013 2:02am GMT
03 Dec 2013
We are currently evaluating the idea of incorporating the Asimba SAML platform on the Gluu Server (in addition to Shibboleth). SAML can be confusing, even to the experts. I worked on the diagram below as a simple overview of why a SAML proxy might be useful, and where it would fit in the Gluu open … Read more >>
03 Dec 2013 8:27pm GMT
KuppingerCole's Identity, Cloud Risk & Information Security Summit is a highly interactive event offering you, as an IT professional, the opportunity to discuss your most challenging topics and questions with your peers and with KuppingerCole Analysts in a discreet environment, moderated by teams of practitioners and analysts. IRS is a dialog-based event, not a speaker-delegate event. It consists of a series of dialogs around the key topics for a holistic view on your enterprise...
03 Dec 2013 5:37pm GMT
Information security in general and identity management in particular have become a critical, more and more sophisticated, and costly component for almost every online service. Developers must either invest a lot of effort to implement and maintain it or integrate a third party solution. Currently, the market for such solutions is very large and mature, but solutions from traditional vendors like Oracle, Microsoft or IBM are usually prohibitively expensive for smaller businesses and...
03 Dec 2013 4:49pm GMT
Radiant Logic joins Kantara Initiative Board of Trustees to drive contextual Identity Management as a business enabler. December 3rd, 2013, Piscataway, NJ - Kantara Initiative, a global identity initiative community, announced today that Radiant Logic has joined the Kantara Initiative Board of Trustees. Radiant Logic joins industry innovators on the Kantara Board Members from CA, more...
03 Dec 2013 4:10pm GMT
In my last post ("Dogged Determination") I briefly mentioned the FIDO alliance (Fast Identity Online) with the promise to take a closer look at the emerging internet password-replacing-authentication system this time. So I will.
But first, an aside. It's quite possible that the alliance chose the acronym "FIDO" first, then found words to fit the letters. Fido, at least in the US, is a generic name for a dog which came into general use in the mid 19th century when President Abraham Lincoln named his favorite dog Fido. Choosing a word associated with dogs harkens back to the internet meme "On the internet nobody knows you're a dog". With the FIDO system, no one except those you intended would know who you are. That's my theory and I'm sticking to it.
FIDO was in the news last week when it was announced that Fingerprint Cards (FPC) and Nok Nok Labs had announced an infrastructure solution for strong and simple online authentication using fingerprint sensors on smartphones and tablets. The two companies have initially implemented the joint solution utilizing Nok Nok Labs' client and server technology and commercially available Android smartphones using the FPC1080 fingerprint sensor in order to demonstrate readiness to support the emerging FIDO-based ecosystem.
That should give you an idea of the thrust of the Alliance.
The FIDO system doesn't require a biometric component, but it appears to be highly recommended. From the Alliance's literature:
"The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user's client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client's private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user's device."
FIDO is, first and foremost, about strong authentication. Two-factor authentication is a requirement. A biometric component (fingerprint, voiceprint, etc.) is highly recommended.
President of the Alliance is Michael Barrett, formerly CISO for PayPal, formerly president of the Liberty Alliance and before that VP, Security & Privacy Strategy for American Express. Interestingly, the VP of FIDO is Brett McDowell, currently Head of Ecosystem Security at PayPal, who was previously Executive Director of the Liberty Alliance and its successor, the Kantara Initiative. He also served as Management Council chair of the USA's NSTIC (National Strategy for Trusted Identities in Cyberspace) Identity Ecosystem Steering Group. These are two guys who know identity systems inside out.
PayPal (which is always looking for stronger authentication methods) and Nok Nok Labs (which is always looking for better ways to use biometrics as well as strong authentication) were two of the founders of the alliance which has now grown to over 50 members including such big names as Google, Blackberry, Lenovo, MasterCard and Yubico as well as just about everyone in the biometric device space.
It's a good cast of characters, but is that enough?
The impact of so many biometric friendly members means that the Alliance has to first answer (again) all the questions about the "problems" with biometric authentication. Now, if you know me at all you know that "I ♥ Biometrics" but getting others to like them is an uphill battle. In fact, the continuous (I've been involved in it for 15 years!) argument about the security of passwords is really a side issue for the FIDO Alliance. More important, I think, is its reliance on the Online Secure Transaction Protocol (OSTP).
OSTP is a protocol designed and issued by FIDO (they say they will turn it over to a public standards body once it is fully "baked"). It's explained in a white paper ("The Evolution of Authentication," this is a PDF file) where it's generally referred to as the "FIDO protocol". The heart of the system is the FIDO authenticator which the white paper explains:
"The FIDO Authenticator is a concept. It might be implemented as a software component running on the FIDO User Device, it might be implemented as a dedicated hardware token (e.g. smart card or USB crypto device), it might be implemented as software leveraging cryptographic capabilities of TPMs or Secure Elements or it might even be implemented as software running inside a Trusted Execution Environment.
The User Authentication method could leverage any hardware support available on the FIDO User Device, e.g. Microphones (Speaker Recognition), Cameras (Face Recognition), Fingerprint Sensors, or behavioral biometrics, see (M. S. Obaidat) (BehavioSec, 2009)."
As I said, biometrics strongly recommended.
Read the paper for more details of how it works.
Can the FIDO proposal succeed? Yes, it's a well thought-out system that does provide strong authentication with a high degree of confidence that the user is who they claim to be.
Will the FIDO proposal succeed? That's much more problematic. It requires that relying parties and Identity Providers (which can be the same entity) install specific server software and that users install specific client software. The client part could be an easier "sell" if it comes along with the biometric devices and services that FIDO members provide. Easier, certainly, in a smartphone environment, less so in a desktop/browser environment. History says that anything requiring users to voluntarily install something, or requiring relying parties to buy, install and maintain single-purpose services, is a long shot. And the FIDO solution requires both. Still, if the members of the FIDO alliance provide the software and compel their clients to install it, a tipping point could be reached. If so, I'd applaud it.
I will note that a number of my colleagues believe I'm reading too much into the so-called "biometric requirements" of FIDO, noting that hardware tokens (represented by Yubico and other members) are an even easier implementation since most modern smartphones can handle a microSD card, which could act as a hardware token - or, at least, turn the phone into a hardware token. It would be protected by a PIN, which users are familiar with entering for all sorts of services.
While I do agree with all that, the typical PIN is 4 digits, so there are 10,000 possible combinations (0000 to 9999). That's not strong enough for my taste. Brute force manual entry could try all possibilities within a few minutes, and - since some combinations (1234, 1111, 1379, 1397, etc.) are more popular than others - it could be only a few seconds before the code is broken. Nevertheless, if this would increase the uptake in using the FIDO system, I'd be behind it - at least as a good beginning.
03 Dec 2013 3:46pm GMT
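The registration and challenge-signing flow that the post above quotes from the Alliance's literature, as an added example in Go. This is not code from the post, from the FIDO Alliance, or from Nok Nok Labs: it is a small model with both sides in one file. The authenticator holds one Ed25519 key pair per relying party, refuses to enrol or sign until it has been unlocked locally (a constructed PIN stands in for a fingerprint swipe), and signs the server's challenge; the relying-party side stores only the public key, issues a random challenge, and verifies. The origins, user name and PIN are constructed, and binding the signature to the origin and retiring each challenge after one use are design choices of this example that the quoted text does not spell out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the client side: one key pair per relying party, private keys that never
// leave the device, and signing only after a local unlock (a PIN stands in for a fingerprint).
type Authenticator struct {
	pinHash  [32]byte
	unlocked bool
	keys     map[string]ed25519.PrivateKey // relying-party origin -> private key
}

// Unlock is the local user verification; nothing about it is sent to any server.
func (a *Authenticator) Unlock(pin string) bool {
	a.unlocked = sha256.Sum256([]byte(pin)) == a.pinHash
	return a.unlocked
}

// Register creates a fresh key pair for this origin and returns only the public key;
// a distinct pair per relying party is what prevents cross-service tracking.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	if !a.unlocked {
		return nil, errors.New("authenticator is locked")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return pub, nil
}

// signedPayload binds the challenge to the origin so a relayed challenge cannot verify elsewhere.
func signedPayload(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}

// Sign proves possession of the private key for origin by signing the server's challenge.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !a.unlocked || !ok {
		return nil, errors.New("locked, or no credential for this origin")
	}
	return ed25519.Sign(priv, signedPayload(origin, challenge)), nil
}

// RelyingParty is the server side for one user: the registered key and one pending challenge.
type RelyingParty struct {
	Origin  string
	Pub     ed25519.PublicKey // stored at enrolment
	pending []byte            // challenge issued but not yet verified
}

// NewChallenge issues 32 random bytes; the next Verify call consumes them.
func (rp *RelyingParty) NewChallenge() []byte {
	rp.pending = make([]byte, 32)
	if _, err := rand.Read(rp.pending); err != nil {
		panic(err)
	}
	return rp.pending
}

// Verify retires the challenge first, so a captured signature cannot be replayed, then checks it.
func (rp *RelyingParty) Verify(sig []byte) bool {
	c := rp.pending
	rp.pending = nil
	return c != nil && rp.Pub != nil && ed25519.Verify(rp.Pub, signedPayload(rp.Origin, c), sig)
}

// Demo runs one authenticator against two constructed relying parties and reports whether a locked
// device is refused, keys differ per site, a fresh challenge verifies, and replay/cross-origin fail.
func Demo() (lockedRejected, distinctKeys, authOK, replayRejected, crossOriginRejected bool) {
	auth := &Authenticator{pinHash: sha256.Sum256([]byte("4711")), keys: map[string]ed25519.PrivateKey{}}
	bank := &RelyingParty{Origin: "https://bank.example"} // constructed origins
	shop := &RelyingParty{Origin: "https://shop.example"}
	_, err := auth.Register(bank.Origin)
	lockedRejected = err != nil
	auth.Unlock("4711") // constructed PIN for the demo
	bank.Pub, _ = auth.Register(bank.Origin)
	shop.Pub, _ = auth.Register(shop.Origin)
	distinctKeys = !bank.Pub.Equal(shop.Pub)
	sig, _ := auth.Sign(bank.Origin, bank.NewChallenge())
	authOK = bank.Verify(sig)
	replayRejected = !bank.Verify(sig)
	sig2, _ := auth.Sign(shop.Origin, bank.NewChallenge()) // bank's challenge, shop's key
	crossOriginRejected = !bank.Verify(sig2)
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints five true values. The two properties the quoted text stresses are visible directly: the server only ever holds public keys, so a breach of the relying party yields nothing that authenticates anywhere, and the bank and shop receive unrelated public keys for the same user, so they cannot collude to correlate her across services.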
Last week, the German BSI (Bundesamt für Sicherheit in der Informationstechnik, the Federal Office for IT Security), published a document named "ICS-Security-Kompendium". ICS stands for "Industrial Control Systems". This is the first comprehensive advisory document published by the German BSI on this topic so far. The BSI puts specific emphasis on two facts:
- ICS are widely used in critical infrastructures, e.g. utilities, transport, traffic control, etc.
- ICS are increasingly connected - there is no "air gap" anymore for many of these systems
It is definitely worth having a look at the document, because it provides an in-depth analysis of security risks, best practices for securing such infrastructures, and a methodology for ICS audits. Furthermore it has a chapter on upcoming trends such as the impact of the IoT (Internet of Things) and the so-called "Industry 4.0" and of Cloud architectures in industrial environments. Industry 4.0 stands for the 4th industrial revolution, where factories are organizing themselves - the factory of the future.
As much as I appreciate such a publication, it lacks - from my perspective - an additional view of two major areas that are tightly connected to ICS security:
- Aside from the ICS systems, there is a lot more IT in manufacturing environments that frequently is not in the scope of the corporate IT Security and Information Security departments. Aside from attacks on such systems, for instance in the area of PLM/PDM (Product Lifecycle/Data Management), there are standard PCs that might serve as entry points for attacks.
- This directly leads to the second aspect: It is not only about technical security, but about re-thinking the organizational approach to Information Security in all areas within an organization, i.e. a holistic view on all IT and information. Separating ICS and manufacturing IT from the "business IT" does not make sense.
The latter becomes clear when looking at new business cases such as the connected vehicle, smart metering, or simply remote control of HVAC (heating, ventilation, and air conditioning) and other systems in households (or industry). In all these scenarios, there are new business cases that lead to connecting both sides of IT.
Also have a look at our KuppingerCole research on these issues, such as the KuppingerCole report on critical infrastructures in the finance industry (not about ICS) and the KuppingerCole report on managing risks to critical infrastructure.
03 Dec 2013 2:03pm GMT