Thursday, December 31, 2009

Security’s Baby New Years for 2010

As the ball drops on the 1st decade of the new millennium…
What will represent the Baby New Year of 2010 for Information Security?
Will our 2010 resolutions mitigate the threats or fall inevitably short?


Wikipedia defines Baby New Year
as a “male baby wearing nothing more than a diaper, a top hat and a sash across his torso that shows the year he is representing. Sometimes he is holding an hourglass or is otherwise associated with one”.

Not too ominous at face value, but this icon represents the anticipation, excitement, and uncertainty everyone feels in facing a new era. On the eve of 2010, the likely evolutions in Information Security (those foreseen and those yet unimagined) are certain to bring out the same feelings in CSOs, CISOs, CIOs, and CEOs across the public and private sector.

Step 1: Learning from the past attacks

“Among all forms of mistake, prophecy is the most gratuitous.” - George Eliot

What was expected?
  • Early predictions this decade anticipated that information security would be much better, more efficient, less complicated, with fewer attacks.
  • Popular thinking was that vulnerabilities would flatten/decline, and so would breaches.
  • Applications were expected to get simplified, smaller, less interdependent and less extensible.
  • Some even suggested that by 2010, a security Martin Luther would lead us through a class-action lawsuit that sparks a full-blown security reformation.
  • In 1991, D. James Bidzos, then president of RSA, created the buzz phrase “digital Pearl Harbor”, referring to a global InfoSec attack compounded by disrupted backup systems and leading to cascading failures and worldwide panic, where the origin is later pinpointed to an avoidable vulnerability.
  • Viruses and data breaches were seen as mischievous acts of disruptive individuals rather than criminal enterprises.
  • PKI was seen as the imminent solution to all authentication problems.
  • Reformers such as SEI’s Watts Humphrey proposed solutions to software vulnerabilities through formalized software engineering best practices and professional licensing, as within the medical field, to minimize threats by heightening quality and consistency.

“Whoops there it is!” - The Fresh Prince of Bel-Air
What wasn't expected?
  • Hoaxes - For example, the Baby New Year Hoax of 2007 claimed a Baby New Year Virus had infected up to 42 million computers worldwide.
  • Complexity - Instead of being simplified, applications became more complicated and architectures more sophisticated through SOA, virtualization, SaaS, etc.
  • Outsourcing - Rather than becoming a highly regulated, licensed profession, software development moved to an outsourcing model where vendors and customers build solutions through composite teams worldwide.
  • Abstraction - Information Security moved to an abstraction model with shared/standard components across applications for authentication, authorization, provisioning, roles management, etc.
  • Protocol flaws - For example, researcher Marsh Ray of PhoneFactor discovered a hole within SSL/TLS that allowed man-in-the-middle attacks.
  • Security as a Facade – For example, Security2010 offering dummy security cameras and solar-powered dummy security cameras.
  • Social Networking – 10 years ago we struggled with AOL IM, Yahoo Webmail, and peer-to-peer networks like Napster and focused on server port 80; but by the end of the decade, the top concerns were Facebook, Twitter, and other Web 2.0 applications.
  • Worms – Unlike Oscar the Grouch’s friend Slimey, the 2005 Samy worm on MySpace and Facebook’s Koobface demonstrated the risks in opening the web to malware contributions from users, innocent or malicious.
  • Get Shorty - Twitter fans’ love of mini-URLs led to vulnerabilities of their own.
  • Mafiaboy to Organized Crime – The Feb 2000 Denial of Service attack from the Canadian teenager known as Mafiaboy temporarily brought down sites including CNN, Dell, eBay, and Yahoo; but by the close of the decade attacks were led by well organized and funded criminals producing data breaches at Dave & Busters, Hannaford Brothers, Heartland Payment Systems, and TJX, and by Iraqi Shia fighters hijacking the cameras in drone airplanes.
  • Gone Phishing – Clever con artists leveraging fast flux to rapidly switch domain locations, and sites that felt like known banking sites, successfully extracted PII from users trying to log in, update, or review their accounts.

Step 2: Anticipating future threats

“Never assume the obvious is true.” - William Safire
What can we foresee now?

  • Jail Bait – Apple’s restrictive policies on “approving” applications and limiting user control of the device have led to a large and growing sub-culture of “jailbroken” phones. While this gives the user more access, it opens the device to vulnerabilities. Conversely, security vendors like Symantec, McAfee, Sophos, etc. cannot develop antivirus applications for the iPhone, as Apple blocks the necessary low-level access to the device.
  • Rock’m Sock’m Androids - Google's Android is a natural attack target for 2010: Google is more open in allowing applications, but this is open to abuse by seemingly desirable applications functioning as malware.
  • Hey! You! Get off of my cloud – Cyber-criminals combining stolen credit cards and hosted cloud services like Amazon’s EC2 have already started to use the new platform for Bots-as-a-Service or Malware-as-a-Service. Not to mention the legal liability facing cloud services around protected data, from PII to pornography, being stored on their servers unbeknownst to them.
  • It’s getting blurry - As public and private organizations extend their use of smartphones, Web 2.0, and social media to interact with clients, employees, and contractors, they blur the perimeters of the network. Organizations will need to shift the focus towards data protection beyond network/infrastructure security as the question shifts from “Who has access to what?” to “What are they doing with it?”
  • MyCloud.gov - Government agencies are increasingly moving data and services of low or moderate risk to cloud services to attain cost savings, such as NASA’s Nebula http://www.cloudbook.net/nebula-gov or the Pentagon http://www.networkworld.com/news/2009/100509-pentagon-cloud-computing.html?page=2
  • Enough is Enough – As with the recent bombing attempt, the continuous evolution towards heightened security at airports and long, uncomfortable security screenings for most passengers will likely lead to biometrics finally making it to prime time. Consumers will be willing to compromise privacy and bear the cost to simplify their lives, with everything from air travel to eliminating the 100+ passwords they have to remember or keep in a file on their computer or sitting on the desk.

“No question is so difficult to answer as that to which the answer is obvious.” - George Bernard Shaw
What can’t we anticipate?

  • Greatest Thing Since Sliced Bread – As we have seen throughout the evolution of enterprise software, there seems to be a never-ending flow of revolutionary architectures changing how we build products, deploy solutions, and conduct business. This includes CORBA, P2P, SOA, SaaS, Virtualization, and Cloud Services, just to name a few. As each new platform emerges there will be new vulnerabilities associated with it.
  • What’s Old is New Again – Appliances keep coming back as vendors like Intel and AMD seek to drive high-use functions into the chip set, and organizations look to reduce the cost and risk associated with major deployments through the use of packaged solutions. However, each new wave of appliances has its own associated risks.
  • The Perfect Storm – Who knows, perhaps the combination of social networking, smart phones, and cloud services will lead to the “digital Pearl Harbor” that was predicted in 1991.

How did we do compared to our predecessors’ projections, and how will we be judged by those who come after us? Only time will tell.

Wednesday, December 16, 2009

The Next Cloud Security Frontier: DLP for the Cloud

While there is a growing consensus that security is the keystone to successfully leveraging Cloud Services and Composite Applications, filtering and securing the data being exchanged is a BIG problem facing us ahead.


Viruses and malware are the STDs of the Internet, and identity theft is the equivalent of virtual counterfeiting; so, as with every other issue/requirement that faces user interactions, SOA interactions face the same challenges.

Existing Cloud Security solutions have focused on authentication and entitlements, which is where Identity & Access Management for users started. However, the next generation will need to address the “STD” and counterfeiting risks as well, as Symantec, McAfee, Sophos, and others have done with DLP and desktop security.

Vordel has recognized this emerging requirement and started addressing it with DLP functionality in their recently announced Cloud Service Broker product, which will allow customers to analyze content and act on it whether it is flowing into or out of their environment.

There are already legal precedents and implications which, if called into play, could have substantially negative financial and reputation effects on Cloud Service providers like SalesForce.com, Google Apps, and Oracle On-Demand, as well as their clients. One example outlined in this article shows how storage as a service introduces legal implications: unchecked content within a packet containing personally identifiable information (PII) or other regulated data creates a liability for the organizations that receive it.

Network World even references this as part of a likely growth trend for Enterprise Security in 2010.


So how do we get ahead of the 8-Ball on this one?

What is the risk?
  • All content sent to Cloud services must be analyzed for leaked data, in order to enable Data Loss Prevention.
  • Content-level threats (viruses, malware, PII, MIIA, etc.) need to be identified and blocked, including application-level attacks at the API and payload level.
  • It is not enough to know “Who has access to what?”; enterprises need to know, and be able to demonstrate, what they are doing with it. Leaking PII or any regulated data creates a substantial risk to the enterprise.
  • Receiving PII, ranging from social security numbers or unencrypted credit card accounts to child pornography, creates just as much liability as leaking that data.
How should we address it?
  • Architecture - Look for flexible SOA Security solutions and XML Gateways that allow for seamless integration with content filtering and protection services.
  • Don't spread STDs, i.e. viruses/malware – Leverage proven tools for content inspection, connected to active research labs, to analyze the content of packets while the packet is open, to minimize risk AND latency.
  • Stop Counterfeiting, i.e. Data Protection – Leverage the content analysis tools found in proven DLP solutions to review, quarantine, delete, protect, or stop information during the same packet inspection.
  • Protect against Internal Threat with IRM – The same risks that exist with users are shared here for services. Lock it down with IRM to seal sensitive or regulated data before it goes out the door, while still allowing business processes and services to function effectively.

As enterprises host and share data via software-as-a-service (SaaS) and Composite Applications with Public/Private Cloud services, they need to consider the use of DLP, AV, and IRM technologies to protect themselves and the information being exchanged.
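To make the "review, quarantine, or stop during the same packet inspection" idea concrete, here is an added example of the content-level check a gateway would run on an API payload before it leaves or enters the enterprise. It is not Vordel's or any vendor's code: the two detectors (US SSN format rules and Luhn-checked card numbers), the sample payload, and the allow/block/quarantine policy are all assumptions constructed for illustration.

```python
"""Content-level inspection of an API payload at a gateway (constructed example).

The detectors and the policy below are assumptions for illustration, not a
product's implementation. Outbound regulated data is blocked (a leak), inbound
regulated data is quarantined with a redacted copy (a liability on receipt).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate patterns: SSN as AAA-GG-SSSS, card numbers as 13-19 digits
# with optional single spaces or dashes between digits.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Finding:
    kind: str    # "SSN" or "PAN"
    start: int   # offset of the match in the payload
    end: int
    value: str   # matched text as it appeared


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect(payload: str) -> list[Finding]:
    """Return every plausible SSN and Luhn-valid card number, in payload order."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(payload):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("SSN", m.start(), m.end(), m.group()))
    for m in PAN_RE.finditer(payload):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(Finding("PAN", m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f.start)


def redact(payload: str, findings: list[Finding]) -> str:
    """Replace each finding with a marker that keeps only the last four digits."""
    out = payload
    for f in reversed(findings):             # right to left so offsets stay valid
        last4 = re.sub(r"\D", "", f.value)[-4:]
        out = out[:f.start] + f"[{f.kind}:****{last4}]" + out[f.end:]
    return out


def gateway_decision(payload: str, direction: str) -> tuple[str, str]:
    """Assumed policy: 'block' regulated data leaving, 'quarantine' regulated data
    arriving (returning a redacted copy for triage), 'allow' clean traffic as-is."""
    findings = inspect(payload)
    if not findings:
        return "allow", payload
    if direction == "outbound":
        return "block", redact(payload, findings)
    return "quarantine", redact(payload, findings)


# Constructed sample message: the phone number must not trigger either detector.
SAMPLE = ('{"customer": "J. Doe", "ssn": "123-45-6789", '
          '"card": "4111 1111 1111 1111", "phone": "555-867-5309"}')

if __name__ == "__main__":
    for direction in ("outbound", "inbound"):
        verdict, body = gateway_decision(SAMPLE, direction)
        print(direction, verdict, body)
```

The Luhn check matters for latency as much as accuracy: most 16-digit strings in real traffic (order numbers, tracking ids) fail it, so the gateway only quarantines or blocks when the payload actually carries a card number.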

Thursday, December 10, 2009

7 Secrets of Fraud & Identity Theft

Between the media attention and ever increasing security & audit requirements, here are some interesting points on what is behind all this.


#1 -- How broad is the impact?
  • 10 million US citizens (1 in 10) were victims of ID theft in 2008 (Javelin Strategy and Research, 2009).
  • U.S. fraud totaled $31 billion in 2008 (Javelin Strategy and Research, 2009).
  • Across the world, businesses lost $221 billion a year due to identity theft (Aberdeen Group).
  • Average victims lost between $851 and $1,378 out-of-pocket trying to resolve identity theft (ITRC Aftermath Study, 2004).


#2 -- How hard is it to fix?
  • Almost 20% of victims don't learn that their identity has been stolen for four or more years (Identity Theft Resource Center Aftermath Study, 2004).
  • 50.2 million Americans were using a credit monitoring service as of September 2008 (Javelin Strategy and Research, 2009).
  • Correcting the damage from ID theft takes up to almost 6,000 hours (average 330), the equivalent of working two full-time jobs for a year (ITRC Aftermath Study, 2004).
  • 25.9 million Americans carry identity theft insurance (as of September 2008, from Javelin Strategy and Research, 2009).
  • After suffering identity theft, 46% of victims installed antivirus, anti-spyware, or a firewall on their computer; 23% switched their primary bank or credit union, and 22% switched credit card companies (Javelin Strategy and Research, 2009).


#3 -- What are the Common Sense ways to avoid it?
  • One of these things doesn't belong – Check your bills, question things that don't make sense, and question charges or bills that are missing.
  • WHY? Thieves may make a charge and reverse it just to test that the number is valid before stealing it. Also, if you did not get the bill, it might be going to someone else who hijacked your account.
  • Don't call us... - Never give out identity data to someone who called or emailed you; if your bank or credit provider needs info, contact them on a known-good phone number or website.
  • WHY? Odds are they wouldn't ask if they knew; many thieves go on phishing trips over the phone, web, or email, often telling you they are from your bank and “here to help”.
  • Pick up the phone – Frequently service providers will request that you write down and mail your credit card information; give it to them by phone instead.
  • WHY? How hard is it for someone in the mail room to copy them?
  • Somebody is watching you – They put those mirrors on ATM machines for a reason; watch out for someone looking over your shoulder in the real world or online.
  • WHY? Ever take a quiz on Facebook like “Which cat would I be?” These can be loaded with questions that are also used as your secret questions to retrieve passwords with banks, credit cards, etc. Take a quiz, get your ID hijacked.


#4 -- How are we getting attacked?
  • Stolen wallets and physical paperwork account for almost half (43%) of all identity theft (Javelin Strategy and Research, 2009).
  • Web/email attacks account for only 11% (Javelin Strategy and Research, 2009).
  • Credit/Debit cards were stolen from 38% of victims (Javelin Strategy and Research, 2009).
  • Social Security numbers were stolen from 37% (Javelin Strategy and Research, 2009).
  • Name and phone for 36% (Javelin Strategy and Research, 2009).
  • Financial account for 24% (Javelin Strategy and Research, 2009).
  • 35 million+ records were compromised in corporate breaches in 2008 (ITRC).
  • Racking up your phone bill with long-distance calls, and not letting you know until it's too late.
  • Getting a replacement for your credit card just by making a phone call.
  • Starting a new life under a dead person's identity.
  • Selling your home, or taking out a mortgage against it, without your knowledge.
  • Using up electricity and leaving you with the bill.


#5 -- Does Ice make it feel better?
Freezing your credit report won't always stop many ways of committing


#6 -- Is there a Conference for this?
  • The 12th annual IIR Fraud World conference starts on the 19th of January 2010.
  • Opening and chairing the event will be Oracle's own Des Powley, Technology Director, Security & Identity for Oracle UK, Ireland, & Israel.
  • Des will also be delivering a session on “The Importance of Delivering Enhanced Identity Management, Fraud Detection & Risk Management”.


#7 -- Can you watch the movie instead?
  • The 2008 documentary "HACKERS ARE PEOPLE TOO" takes an honest look at the subculture, its origins, and the hijacking of the term “hacker”.
  • The more theatrical version directed by Iain Softley from 1995 “Hackers” is also enjoyable.

Tuesday, December 8, 2009

Are Enterprises ready for Identity Management as a Service (IMaaS)?

While solutions are available and the economics of the solution are desirable, it is still early days.


Is the technology available?

So why is it desirable?
  • Pricing/Packaging - Pay-as-you-go or subscription pricing allows organizations to measure the direct ROI on a quarterly basis, plus it delivers lower upfront costs and assured service levels.
  • Deployment - Historically, IAM implementations have been labor-intensive and create organizational headaches with change control and process engineering, which can be costly.
  • Integration - Disjointed products from multiple vendors, suites, or coming into an Enterprise through various acquisitions create incompatibilities and can be challenging to unwire, replace, or merge.
  • Governance - Provides an immediate/direct combination of identity and access management (IAM) with governance, risk and compliance (GRC) capabilities.
  • Hosting - Solutions can be fully hosted and remotely managed, or on premises and managed externally.
  • Administration – Provides centralized/unified management of IAM and GRC capabilities for a streamlined user experience with integrated reporting.

So what is the problem?
  • Multi-tenancy – Existing solutions/architectures require enhanced features for multiple customers to access the same console, and for data partitioning and filtering to prevent unauthorized data access.
  • Converging Suites - As Identity Management becomes increasingly application-centric, the drive is towards suites that weave IAM into the fabric of the application framework, as Oracle and SAP are moving towards.
  • Security Concerns - Heightened compliance and security regulations make identity and access management a critical component of today's enterprise, too sensitive to manage externally.
  • 1-Cloud-to-many-Applications - Enterprise deployments require 20-100 applications to be individually integrated into the IAM suite. Connecting user provisioning, single sign-on, role management and compliance for each application to the single point of the cloud, across the web, creates throttling, latency, and SLA-priority challenges and diminishes the performance of the underlying applications for users.

The march towards dynamic, composite applications architectures is definite but the rate is uncertain and the challenges and risks for the early adopters are high.

Monday, December 7, 2009

Is Novell changing the game with Virtualization Security?

In an intriguing Network World Article today, “Novell grabs for big role in virtualization security”, Ellen Messmer previews Novell's plans to capture a big piece of the Virtualization “hype” by building on their established leadership in Identity Management, Linux, and Network Management.


But can they pull it off? I doubt it and here is why:


Identity and Access Management
  • As arguably the inventor of modern Application User Provisioning with DirXML, a key tenet of Novell's strategy is leveraging their IAM leadership and hardwiring the technology into VM Management and virtual appliance deployment.
  • Having been closely involved in the early adoption of IAM technologies like SiteMinder at Netegrity, Entitlements at BEA, and User Provisioning at Oracle, it is very clear that IAM technologies are highly sticky.
  • Even when customers want to migrate solutions, it is often too expensive, painful, or risky to do so. Therefore, convincing non-Novell customers to move to their IAM suite will be challenging.

Building Virtual Appliances
  • The initial product targeted for release is called “Workshop”, to build/deploy workloads for Linux or Windows environments.
  • However, there has been an industry building these “micro kernels” for several years now, including much more comprehensive solutions for patch updates, live monitoring, etc. from players like rPath.
  • Even within the realm of SUSE Linux there is already “SUSE Studio”, billed as a quick/easy appliance builder.

Change Management
  • Novell's strategy also includes PlateSpin “Bluestar” to address requirements for physical server change and configuration management across platforms, with monitoring.
  • However, between CA, HP, and even BMC, there are well established solutions with large footprints and existing innovation on Virtualization.

Market Share
  • While Xen VM has broad appeal and adoption, VMware continues to enjoy significant market share and tight relationships with Intel & Cisco.
  • Additionally, Microsoft's and Oracle's positions within the Enterprise give them technical and sales advantages in addressing this market against Novell.


I have great respect for Novell, and their role as an innovator across the industry and across decades cannot be overstated; however, they have substantial barriers here.

Friday, December 4, 2009

BeyondTrust Suite for Privileged Password Management

You need to have strong security for privileged accounts too?


While good security practices dictate complex password rules that change frequently to protect the users, their accounts, and systems, we have collectively ignored the issue for our most sensitive accounts. Worse, since these accounts are frequently shared, we have no forensics on who is doing what.

Why was this ignored?

  • Databases, operating systems, ERP applications, etc. all have privileged or administrative accounts for “power users”.
  • But these “Power Users” frequently are a group, sharing the accounts and dealing with changing responsibilities, projects, roles, locations, etc.
  • Also these accounts are frequently needed for applications and they get hard coded into the application or its configuration and change management or industry certification requirements make it nearly impossible to update them.


So how do you address it?
  • BeyondTrust PowerKeeper provides Automatic Password Management (APM) to any operating system, database or device via SSH/Telnet.
  • The solution addresses entitlements of users sharing the account with Automatic Authentication and Authorization (AAA).
  • PowerKeeper is offered as a hardened physical appliance or as a secure virtual appliance.
  • PowerKeeper pulls users and permissions from the enterprise’s LDAP or Active Directory (AD) through group membership.
  • It automatically discovers and brings under management any computers found within Active Directory.
  • The solution prevents any direct access to the operating system and has FIPS 140-2 validated components for all encryption.
  • Includes support for single/two-factor authentication using LDAP, AD, SecurID, and SafeWord.
  • Detailed logging and reporting directly address compliance requirements related to user/approver/requestor activities, password maintenance activities, user and file entitlements (rights), and internal diagnostics.
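The two properties the post keeps coming back to are attribution (who held the shared account, when, and why) and rotation (the secret a person saw is dead once they hand it back). The following is an added illustration of that checkout/check-in pattern; it is not PowerKeeper's code, and the group-based authorization rule, the exclusive-hold rule, the rotate-on-checkin behaviour and the audit record shape are assumptions chosen for the example.

```python
"""Shared privileged account checkout with per-user attribution (constructed example).

Not a vendor's implementation: authorization by directory group, one holder at
a time, rotation on check-in, and the audit record layout are all assumptions.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    name: str                  # e.g. "db01/sys", a shared administrative login
    allowed_group: str         # directory group entitled to check it out
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    held_by: Optional[str] = None   # user currently holding the credential


class PrivilegedVault:
    def __init__(self, group_members: dict[str, set[str]]):
        # Assumed snapshot of directory group membership, e.g. {"dba": {"alice"}}.
        self.group_members = group_members
        self.accounts: dict[str, Account] = {}
        self.audit: list[dict] = []

    def add(self, account: Account) -> None:
        self.accounts[account.name] = account

    def _log(self, event: str, user: str, account: str, **extra) -> None:
        # Every decision is recorded under the individual's name, never the shared login.
        self.audit.append({"event": event, "user": user, "account": account, **extra})

    def checkout(self, user: str, account_name: str, reason: str) -> str:
        """Hand the current secret to an entitled user and record who took it."""
        acct = self.accounts[account_name]
        if user not in self.group_members.get(acct.allowed_group, set()):
            self._log("denied", user, account_name, reason=reason)
            raise PermissionError(f"{user} is not a member of {acct.allowed_group}")
        if acct.held_by is not None:
            self._log("denied", user, account_name, reason=f"held by {acct.held_by}")
            raise RuntimeError(f"{account_name} is already checked out")
        acct.held_by = user
        self._log("checkout", user, account_name, reason=reason)
        return acct.password

    def checkin(self, user: str, account_name: str) -> None:
        """Release the account and rotate the secret so the released copy is useless."""
        acct = self.accounts[account_name]
        if acct.held_by != user:
            raise RuntimeError(f"{user} does not hold {account_name}")
        acct.held_by = None
        acct.password = secrets.token_urlsafe(24)
        self._log("checkin", user, account_name, rotated=True)

    def who_used(self, account_name: str) -> list[str]:
        """The forensic question the post raises: who actually used this shared account?"""
        return [e["user"] for e in self.audit
                if e["account"] == account_name and e["event"] == "checkout"]


if __name__ == "__main__":
    vault = PrivilegedVault({"dba": {"alice"}})
    vault.add(Account("db01/sys", "dba"))
    pw = vault.checkout("alice", "db01/sys", reason="change ticket 1234")
    vault.checkin("alice", "db01/sys")
    print("users of db01/sys:", vault.who_used("db01/sys"))
```

In a real deployment the rotation step would push the new password to the target over SSH (the page mentions SSH/Telnet as the management channel) rather than just updating a field; the point here is that rotation is tied to check-in, so the audit log plus the current secret together answer both "who had it" and "can they still use it".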

Here is a visual to give you the idea:



To learn more check out:
www.beyondtrust.com

Friday, November 13, 2009

Forrester & PwC show where Information Security is going

Compelling reasons for focusing on Enterprise Security from independent analysts Forrester & PricewaterhouseCoopers

As illustrated recently in the CIO magazine article “Why Security Matters Now” by Bill Brenner, PwC's CIO Survey shows that while IT departments, CFOs, and CEOs are looking carefully for any opportunity to cut costs, they are still reluctant to slow spending increases in Information Security.


So why can't they curb spending growth on IT Security?

With the explosive growth in adoption of Social Networking sites/tools and Cloud Computing Services, there is an ever-growing threat of security risk and data leakage.


While these are the most compelling, innovative, and revenue-driving technologies, they cause the biggest heartburn. Twitter, Facebook and LinkedIn drive collaboration and help organizations connect with customers, partners, etc., but they also simplify fraud, data & identity theft, or just make it easier to make mistakes.


While leveraging virtualization & cloud services allows organizations to cut costs and simplify their physical IT infrastructure, it also opens up the Pandora's box of new security and management issues. Driving your infrastructure towards the cloud has left you vulnerable to attacks, and professional hackers have redoubled their endeavors to use these weaknesses against the big names like Google, Yahoo, etc., but also their enterprise customers.


So where is the good news?

Despite arguably the worst economic downturn in decades, organizations are spending more on in-house security solutions. Security budgets are holding steady, and more organizations are employing a chief security officer (CSO) and/or chief information security officer (CISO).

PwC's 7th annual survey included input from nearly 7,300 executives worldwide across industries including financial services, health care, retail, government, and so on. The result was a clear indication that organizations are investing in data protection and authentication, including:

1. Biometrics

2. Web content filters

3. Data leakage prevention

4. Disposable passwords/smart cards/tokens

5. Reduced or single-sign-on software

6. Voice-over-IP security

7. Web 2.0 security

8. Identity management

9. Encryption of removable media


So who are they turning to?

According to Forrester Research and their recently updated Wave Report on IAM, there is a clear preference for Oracle as the leader and innovator in the space.

Their positioning of Oracle was driven by its leadership in product functionality/depth but also the overall depth of the suite. They highlight how Oracle is the only vendor that has adopted an externalized Entitlements Solution and continues to deliver on it through Oracle Entitlements Server (OES), formerly BEA AquaLogic Enterprise Security (ALES). They also cite the commitment to Risk-Based Authentication through Oracle Adaptive Access Manager (OAAM) and the integrated solution for Data Security, Oracle Information Rights Management (OIRM).


To see the CIO article

http://www.cio.com/article/504837/Why_Security_Matters_Now


To get the full PwC survey

http://www.pwc.com/gx/en/information-security-survey/index.jhtml


To read Forrester’s IAM Wave Report

http://www.oracle.com/corporate/analyst/reports/infrastructure/sec/forrester-wave-iam.pdf

What's Up Doc?

Highlights from Oracle's 56th IDM Newsletter "News You Can Use"

Innovation Awards

Awards honor innovative use of Oracle IAM at Cisco and Visa

http://www.oracle.com/us/corporate/press/022542


Oracle Magazine salutes Information Secured

http://www.oracle.com/technology/oramag/oracle/09-sep/o59secure.html


Oracle Identity Federation (OIF) Wins 2009 Iddy Award

Oracle, along with NRI and NTT, has won an IDDY in the POC category for an application that demonstrates the possibility and practicality of achieving policy interoperability between OpenID and SAML. See the press release here for complete details.


Featured Partner

As noted in this blog, the integration of Oracle Information Rights Management and Symantec DLP version 10 was announced, taking data protection to the next level by combining data discovery with policy-based application of Oracle IRM.


Oracle Identity Management 11g

Oracle was pleased to announce the release of the first phase of Oracle Identity Management 11g this past summer, including enhancements to Oracle Identity Federation, Oracle Internet Directory, and Oracle Virtual Directory:

http://www.oracle.com/us/corporate/press/020724


Oracle Identity Federation 11g

OIF 11g introduces the flexibility, performance and manageability enterprises require from federation solutions. Building on the FMW frameworks for audit, logging, monitoring and credential storage, OIF puts Oracle's first-class compliance, diagnostic and security tools at the administrator's fingertips.


Oracle Virtual Directory and Identity Publisher

OVD's Identity Publisher feature for PeopleSoft HR, Siebel and Oracle Customer Hubs makes it possible to access identity information stored in these Oracle applications easily, in real time, without any additional synchronization.


Oracle Enterprise Single Sign-On Anywhere

ESSO Anywhere is the first comprehensive offering from a major vendor that lets enterprises host single tenant ESSO in a private cloud to provide users with secure access to heterogeneous enterprise resources from anywhere, anytime.

http://www.oracle.com/us/corporate/press/035509


F5 BIG-IP access solutions to be integrated with Oracle Access Manager

As noted on this blog, the solution will enable customers to centralize and unify application access control services across diverse network environments.


Qualcomm Discusses The Next-Generation Identity Management Solutions

Oracle Identity Management 11g provides the next level of cohesive management and deployment within a common console by allowing administrators to manage multiple parts of the stack. Watch the video to see more about how Qualcomm is using Oracle Identity Management.

http://www.oracle.com/us/products/middleware/identity-management/index.htm?section=VO&uid=8103894&refid=id_VO_8103894


State Of Delaware Goes "Green" By Implementing Oracle Identity Management

The State of Delaware provides online services to their citizens and employees. They selected Oracle Identity Management based on flexibility, security, and auditing capabilities. Please visit the link below to see the State of Delaware video.

http://www.oracle.com/us/products/middleware/identity-management/index.htm?section=VO&uid=8103899&refid=id_VO_8103899


Marc Chanliau discusses Security as a Service

Director of Product Management, Marc Chanliau, discusses how “Oracle Fusion Middleware is highly predicated on service-oriented architecture (SOA) environments.”


To get the full details of the newsletter


Thursday, November 12, 2009

Provisioning Cloud Services like Google Apps

“You must not blame me if I do talk to the clouds.”

Henry David Thoreau


While SaaS/Cloud/SOA services (pick your buzzword) are great alternatives for small to medium-sized organizations (SMBs), using them requires Provisioning & Federated Security, which are challenges even for large Info Sec departments in Fortune 100 organizations.


In particular Google Apps™ provide small businesses, universities, schools, and other organizations the option to outsource collaboration tools, etc. for low- or no-cost. But the issue of managing user access to those applications is still the responsibility of the organization.


So what is the solution?

  • The Aegis Provisioning Appliance for Google Apps delivers the tools needed to automatically add, modify, and delete accounts by expanding organizations’ existing directory services and provisioning infrastructure.

  • The appliance provides a full set of account management tools through real-time secure interfaces to Google Apps.


How does it work?

  • Automates the creation, update, and deletion of accounts based on actions in an organization’s existing directory service (e.g. Microsoft Active Directory or LDAP)

  • Provides delegated administration for defined users to add, update, and delete accounts

  • Creates predefined web-based workflows including approval chains

  • Supports future expiration dates or renewal approvals

  • Simplifies the use of contractor or guest accounts with access registration/sponsorship forms


What is the compliance impact?

  • The Aegis Appliance ensures that account creation, updates, and deletions are done in line with the organization’s policy.

  • Rules can be easily applied (and demonstrated) so that, for example, a contractor needing access to Gmail for one week has the account automatically disabled afterwards.

  • Allows organizations to start with Google Apps and scale into a full enterprise IAM deployment from Oracle
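The directory-driven account lifecycle described above (create/update/delete driven by directory actions, expiry dates for contractors, and cleanup of accounts with no owner), as an added example that is not AegisUSA's code: a reconciler that treats the organization's directory as the source of truth and emits the actions the SaaS account store needs. The Google Apps side is a constructed in-memory dict with an assumed `suspended` attribute, and all entries and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class DirectoryEntry:
    """One person as seen in the organization's directory (AD/LDAP)."""
    uid: str
    name: str
    enabled: bool                    # account enabled in the directory
    expires: Optional[date] = None   # sponsorship end date for contractors/guests

def should_be_active(entry, today):
    """The directory says this person should hold an active SaaS account."""
    return entry.enabled and (entry.expires is None or today <= entry.expires)

def reconcile(directory, saas, today):
    """Return (verb, uid, detail) actions that bring the SaaS store in line.
    `saas` is a hypothetical stand-in for Google Apps: uid -> {name, suspended}."""
    actions, known = [], set()
    for e in directory:
        known.add(e.uid)
        active = should_be_active(e, today)
        acct = saas.get(e.uid)
        if acct is None:
            if active:
                actions.append(("create", e.uid, e.name))
        elif not active and not acct["suspended"]:
            why = "sponsorship expired" if e.expires and today > e.expires else "disabled in directory"
            actions.append(("suspend", e.uid, why))
        elif active and acct["suspended"]:
            actions.append(("unsuspend", e.uid, ""))
        elif active and acct["name"] != e.name:
            actions.append(("update", e.uid, e.name))
    # Orphans: accounts in the SaaS store with no directory owner at all.
    for uid, acct in saas.items():
        if uid not in known and not acct["suspended"]:
            actions.append(("suspend", uid, "orphan: no directory entry"))
    return actions

def apply_actions(saas, actions):
    """Apply actions to the stubbed store; a real appliance would call the Google API."""
    for verb, uid, detail in actions:
        if verb == "create":
            saas[uid] = {"name": detail, "suspended": False}
        elif verb == "update":
            saas[uid]["name"] = detail
        else:
            saas[uid]["suspended"] = (verb == "suspend")
    return saas

# Constructed sample data: a new hire, a renamed employee, a contractor whose
# one-week sponsorship ended two days ago, a terminated employee, and an orphan.
TODAY = date(2009, 11, 12)
DIRECTORY = [
    DirectoryEntry("jdoe", "Jane Doe", True),
    DirectoryEntry("bsmith", "Bob Smith-Jones", True),
    DirectoryEntry("ctemp", "Con Tractor", True, TODAY - timedelta(days=2)),
    DirectoryEntry("rleft", "Ray Left", False),
]
SAAS = {
    "bsmith": {"name": "Bob Smith", "suspended": False},
    "ctemp": {"name": "Con Tractor", "suspended": False},
    "rleft": {"name": "Ray Left", "suspended": False},
    "ghost": {"name": "Old Intern", "suspended": False},
}
```

Running `reconcile(DIRECTORY, SAAS, TODAY)` yields one create, one update and three suspends (the expired contractor, the terminated employee and the orphan); after `apply_actions` a second reconcile yields nothing.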


So how do I deal with the security issues?

  • The Aegis Provisioning Appliance can be combined with either the Aegis Password Management Appliance or the Aegis SSO Appliance

  • This provides users with a seamless login experience to their new Google accounts through either synchronization of passwords to Google, or web-based SSO.


Why are appliances beneficial to SMBs?

  • AegisUSA Appliances are a revolutionary approach to IAM, providing enterprise-level functionality in an appliance form factor

  • The 80/20 rule – reduces cost through simplicity, removing complexity by focusing on the most common use cases

  • Faster time-to-value for an identity solution through lower implementation costs

  • Provides a fully configured HW/SW environment, leveraging enterprise-class components


This is part of a broader evolution of IAM: SMBs are becoming a growing consumer of IAM technology, which is the driver behind the AegisUSA strategy.


After all, there are only more Cloud-based services to come. As Judy Garland put it, “Behind every cloud is another cloud.”


To learn more visit Aegis USA


Tuesday, November 10, 2009

Bridging Physical and Logical Security

OK, so I secured the applications but who walked into the building???


Why do I care?

  • Same old reasons: Audit & Compliance – difficult to obtain

    • Legal mandates (FDA, DEA, SOX, SAS 70, etc.)

    • Cardholder access rights and global visit records

    • Duplicate records not accepted by auditors – multiple records across multiple Physical Access Control Systems (PACS)

    • Ghost & orphan accounts

  • Managing “PACS & Access Changes” is complex & costly

    • High operational cost – multiple manual processes

    • Card issue, card de-activation, lost or stolen cards

    • Temporary cards, visitor management

    • New hire, termination, changes in role, title, department, location, etc.

    • Time & attendance, asset check-in/check-out, etc.

  • Multiple silos of Physical Access Control Systems (PACS)

    • Configurations in PACS are all different

    • Different door names, access privileges, clearances

    • Concept of global “roles or groups” missing across PACS

    • No self-service console, no global administration

    • Manually driven & error-prone processes increase cost


Not convinced yet? Here are the metrics...

  • ROI Calculator Based on a large multinational organization

    • Current system cost: > $25/yr per person on maintenance

    • Porting cost for acquisitions: > $35/yr per person

  • Result: Over $20MM in savings, ROI in under 1 year!


But that is just on the physical security. Complexity costs, simplicity saves!


To learn more about this solution please check out their site:

http://www.quantumsecure.com/



Infinite Identities

What's with the title, "Infinite Identities"?



OK, so mostly it was selected because it was available and sounded catchy. But today's Network World article, "Drowning in Passwords", really speaks to the origin of the name and to the key challenges we all face as individuals and organizations trying to manage our seemingly infinite number of identities.

While we mostly talk about security and compliance, IAM is truly a management problem. Both in the real world and in the virtual one we all play many roles:
  • Father, husband, brother, son, grandson, friend, son-in-law
  • Litter Box cleaner, leaf raker, toilet plunger, bug-killer
  • Surfing-buddy, lunch-meeting-friend
With matrixed organizations, overlapping projects, evolving priorities, and dynamic timelines we equally have a complex identity in the office:
  • Manager, employee, co-worker, partner, customer
  • Internally as a client of HR, procurement, legal, expenses
  • Externally as a client of the healthcare provider, 401k, gym, etc.
  • Selling to customers, selling with/to partners or partners selling to you
  • The lead on a FY planning project, contributor on a new product strategy, listener on a new marketing program
Each one of these roles has a unique identity, not just by itself but also in all of its interactions. This makes not only the number of accounts and passwords endless, but truly makes our entitlements infinite.

The challenge is only further complicated when you layer in social networking, from blogs to Facebook and Twitter: our 1:1 interactions in one role get mixed with our identities in another. For example, many have learned to keep their work "friends" on LinkedIn, their personal "friends" on Facebook, and their family ... on email.

This increasing web of complexity fuels the continuous need for new innovations, solutions, and ultimately integrations to address it.

With this Blog, Infinite Identities, we will look to highlight and promote the best practices and best solutions being driven by innovative partnerships in IAM.


Thanks for reading!
Brian

Monday, November 9, 2009

Identity Proofing with IDology and Oracle Adaptive Access Manager (OAAM)

Do you know who I am?

You may think so, but what if someone has hijacked my account, my identity, my computer, my web browser, my session, etc.? With high-impact/high-value transactions, this “What if?” can have major consequences.


Richard M. Nixon famously said “I know you believe you understand what you think I said, but I am not sure you realize that what you heard is not what I meant.”


The point being that even when you believe you know the user, you may not. In an era where accounts, machines, and identities are taken hostage, there is a need for technology that can verify that you are who you say you are.


When do I need this?

  • Someone is trying to open a new bank or credit card account – stolen identities can translate into thousands of dollars in lost merchandise, damage to your brand, and higher insurance or credit card rates.

  • Bank transfers – accounts hijacked by malware/viruses can leverage existing legitimate sessions to transfer money out of customer accounts.

  • Car lease/purchase – imagine someone walks off the lot with a car, but under a false identity. The retailer is unlikely to ever see the vehicle again.

  • Cell phone – using stolen identities or credit cards, thieves can rack up thousands in international phone bills.

  • Medical records – employers could leverage inside information on potential employees to make hiring decisions based on the potential health insurance cost of pre-existing conditions.

  • Customer data – a salesperson walks away from their desk and a soon-to-be-leaving employee downloads current pipeline information or customer data to bring to their future employer.


The list of examples is endless and applies across all types of organizations, from public sector to higher education, from Fortune 500 enterprises to financial services and health care.


So how does this work?

  • Based on policy, the type of transaction, or the probability of fraud calculated by OAAM's risk scoring engine in real time, users can be prompted to join an “Authentication Session”.

  • Users will be asked a series of questions such as “Which one of these is a street you grew up on?” or “What is the make/model of your first car?”

  • Unlike traditional Knowledge Based Authentication (KBA), with IDology the questions and answers are generated dynamically from a combination of public and private data sources. This is called Dynamic KBA.

  • Based on the user's answers, IDology creates a fraud score, and OAAM determines, based on the organization's defined policy, whether it will allow the user to continue with the transaction.

  • OAAM can also use other context information such as geolocation data, or require secondary or step-up authentication from something like StrikeForce SMS, ActivIdentity, or VeriSign VIP.


Want to see it in action?

Demo



Oracle / ArcSight – Providing Real Time Oversight of User Behavior

When IT infrastructure generates millions of events/logs daily, how do you know if there is an issue and who is causing it?


Traditionally, SIEM (Security Information & Event Management) products track events by what resources are employed, when, by whom, and with what result. Unfortunately the “who” part changes in real time based on the process being used and for what purpose. But with IdentityView, ArcSight transfers identity and role information from Oracle Identity Manager into its Enterprise Security Manager so that it can correlate all the identity markers and privileges of a specific user.


Armed with this proverbial identity matrix, ArcSight ESM can then associate events with a specific person, independent of the various identities that he or she employs.
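The identity-to-event correlation described above, as an added example that is not ArcSight's or Oracle's code: it builds the account-to-person index a SIEM would load from an identity manager, attributes log lines from several systems (each naming the same person differently) to one person, and flags actions outside that person's role as well as activity from accounts with no identity owner. The identity export, entitlement table and log format are all constructed.

```python
import re
from collections import defaultdict

# Constructed identity export, standing in for what OIM hands the SIEM:
# one person, their role, and every account they hold on each system.
IDENTITY_EXPORT = [
    {"person": "Alice Adams", "role": "accountant",
     "accounts": {"ad": "aadams", "erp": "AADAMS01", "unix": "alice"}},
    {"person": "Bob Brown", "role": "dba",
     "accounts": {"ad": "bbrown", "oracle": "SYS_BBROWN", "unix": "bbrown"}},
]

# Constructed policy: which roles are entitled to which (system, action).
ROLE_ENTITLEMENTS = {
    "accountant": {("ad", "logon"), ("erp", "post_journal")},
    "dba": {("ad", "logon"), ("oracle", "alter_user"), ("unix", "sudo")},
}

# Constructed log lines; each source names the same person differently.
LOG_LINES = [
    "2009-11-10T08:01:02 ad host=dc1 user=aadams action=logon result=success",
    "2009-11-10T08:05:10 erp user=AADAMS01 action=post_journal doc=JE-1001",
    "2009-11-10T08:07:44 unix host=fin01 user=alice action=sudo cmd=/bin/bash",
    "2009-11-10T09:12:00 oracle user=SYS_BBROWN action=alter_user target=APPUSER",
    "2009-11-10T09:15:30 unix host=db01 user=svc_backup action=sudo cmd=/usr/bin/rman",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<system>\S+) (?P<kv>.*)$")

def parse(line):
    """Turn '<ts> <system> k=v k=v ...' into a flat event dict."""
    m = LINE_RE.match(line)
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return {"ts": m.group("ts"), "system": m.group("system"), **fields}

def build_account_index(export):
    """(system, account) -> (person, role): the identity matrix the SIEM needs."""
    index = {}
    for rec in export:
        for system, account in rec["accounts"].items():
            index[(system, account)] = (rec["person"], rec["role"])
    return index

def correlate(lines, export, entitlements):
    """Attribute every event to a person and flag policy violations.

    Returns (findings, events_by_person). Findings are tuples:
      ("role-violation", person, system, action)   - action outside the person's role
      ("unowned-account", system, account, action) - no identity owner for the account
    """
    index = build_account_index(export)
    findings, by_person = [], defaultdict(list)
    for line in lines:
        ev = parse(line)
        owner = index.get((ev["system"], ev["user"]))
        if owner is None:
            findings.append(("unowned-account", ev["system"], ev["user"], ev["action"]))
            continue
        person, role = owner
        by_person[person].append(ev)
        if (ev["system"], ev["action"]) not in entitlements.get(role, set()):
            findings.append(("role-violation", person, ev["system"], ev["action"]))
    return findings, dict(by_person)
```

On the constructed lines the accountant's sudo on the finance host is reported as a role violation attributed to Alice Adams, and the service account with no identity owner is reported as unowned; the three differently named accounts are grouped under one person.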


So why do we need this?

  • To automate the correlation of compliance and policy violations with specific users

  • To understand how your key users (admins to accountants) are using IT infrastructure

  • To increase the accuracy/productivity of your role engineering and provisioning process

  • To respond to security and compliance issues before they damage the organization

  • To provide business owners with information about policy and security violations in terms that they understand and can act on

  • To provide visibility and assurance to C-level executives that policies are being enforced to conform with compliance regulations such as Sarbanes-Oxley, PCI, HIPAA, etc.


What are the benefits?

  • Leverages the investment in OIM by linking users and roles to security problems, compliance violations, etc.

  • Faster identification of security and compliance issues resulting in more rapid response and remediation

  • Controlling/monitoring access rights & IT usage (services, apps, data, etc.) requires correlating millions of real-time alerts and logs with specific user activity

  • Provide auditors with proof that controls are in place and effective

  • Visibility into violations of corporate policies covering customer, employee and business-sensitive data

  • Improved productivity via automation of required reports, summaries and auditor requests for information



So why now?

    You already have this covered

  • Many organizations have invested in home-grown event monitoring solutions, but the challenge is that the problem continues to get bigger with every new system (applications, devices, Cloud/SaaS solutions) added to the environment.

  • ArcSight cleanly replaces those solutions and delivers more functionality at a lower cost.

    You can't face this now, maybe in the future

  • SIEM solutions are now considered standard “due care” for auditors concerned with SOX compliance.

  • PCI DSS Requirement 10 explicitly requires monitoring of the relevant IT infrastructure.

    You don't have the resources

  • Budgeting for security and compliance is difficult but by combining ArcSight with Oracle Identity Manager, organizations can “double up” on their return on investment based on the synergy between the products.

  • SIEM alone provides multiple solutions for the security group, compliance group, risk management, etc.



To learn more:

http://www.arcsight.com/products/products-identity/



Friday, November 6, 2009

Vordel Launches Cloud Service Broker

With the Cloud Service Broker, Vordel pledges to bring trust and reliability to Cloud Computing.


So what does this mean?

  • The solution aggregates multi-domain services across the enterprise, partners and 3rd-party cloud services such as Amazon EC2 and Google Apps

  • Through bringing the services together, the Broker enables organisations to consistently define and manage policy across these services and report on them

  • Through the Broker, composite applications can be built seamlessly while offering full visibility, trust and control.


So why do we need this?

  • Organizations using Cloud services in conjunction with their own on-premises SOA face major issues related to reliability and trustworthiness.

  • It is very difficult to bring together services from across domains (i.e. on-premises, Public and Private Clouds, and B2B) into coherent composite services and to apply policies to them.


Vordel CEO, Vic Morris, said "Many organizations see the value of incorporating Cloud Services into their IT infrastructure, but they also have concerns about the reliability and performance of these services outside their domain of control. The Vordel Cloud Service Broker addresses these issues by providing a trustworthy “


So how does it work?

  • The Broker solves this problem by registering services from all three domains in a single repository, enabling monitoring, management and policy enforcement.

  • In addition, the Vordel Cloud Service Broker offers value-added services like caching, acceleration, and transformation, delivering enterprises savings in time and money.


What is under the covers?

  • Multi-Domain Registry Repository (MDRR) – This is where the Broker registers aggregated services across domains. It is one-stop shopping for compliance with Service Level Agreements and privacy and security mandates.

  • Analytics – Providing visibility through an independent audit trail including raw usage information, service quality, patterns of usage over time, and identity of users.

  • Content Analysis – Content is analyzed to enable Data Loss Prevention (DLP) and to detect content-level threats and application-level attacks at the API and payload level.

  • Caching – Protecting against latency from the Cloud service and saving money by allowing some requests to be serviced by the broker itself.

  • Composition – Allowing developers to link together local apps with Cloud-hosted apps via Web Services interfaces, database, or message schemes like MQ or JMS.

  • Content transformation – Accelerated transformation for mediation between different applications or between REST API interfaces and SOAP, JMS, COBOL, etc.

  • SLA Monitoring - Comprehensive monitoring of response time of Cloud services, and the entire transaction throughput time.

  • Traffic Throttling – Vordel refers to this as the “surge protector”, protecting against apps making a high number of calls to a Cloud service by deflecting a portion to a back-up service newly provisioned for this purpose.

  • Event Alerting – Notification of events like Cloud outages so that remedial measures can be put into place.

  • Extensibility to 3rd-Party Value Added Services – Traditionally very difficult/costly with non-standard APIs from competing solutions, but made easy & pluggable here.


For more information:


View the PDF

Product Page

Company

Press Release



Thursday, November 5, 2009

One More Time! Oracle Tops Gartner's Provisioning List

Oracle announced this morning that they were again named the leader in Gartner's "Magic Quadrant for User Provisioning".

The Gartner Magic Quadrant ranks vendors based on their completeness of vision and their ability to execute on that vision. This is indicative of the dramatic evolution in the Identity & Access Management market over the nearly 5 years since CA announced its acquisition of Netegrity.

The move sparked a shift from focusing on Web Single Sign-On to end-to-end suites for Identity and Access Management, and led to the spending spree at Oracle that put together this leading suite of products and market vision. In total, Oracle brought together technology from 9 IAM innovators to develop this market-leading technology suite:

  • Phaos - Now Oracle Identity Federation (OIF)
  • Oblix - Now Oracle Access Manager (OAM)
  • Confluent - Now Oracle Web Services Manager (OWSM)
  • Thor - Now Oracle Identity Manager (OIM)
  • Bridgestream - Now Oracle Role Manager (ORM)
  • Bharosa - Now Oracle Adaptive Access Manager (OAAM)
  • PassLogix OEM - Now Oracle Enterprise SSO (OESSO)
  • BEA ALES - Now Oracle Entitlements Server (OES)
  • BEA WebLogic Security Services - Now OPSS


One of the pioneers in this evolution had this comment on the announcement:

"With roles, rules and policies continually evolving within the enterprise, organizations need strong user provisioning solutions to streamline security, achieve increasing levels of automation and efficiency and ensure sustainable compliances," said Amit Jasuja, vice president, Oracle Identity Management. "We are pleased to be recognized as a leader in Gartner's Magic Quadrant for User Provisioning, and remain committed to delivering the most secure, comprehensive and scalable solutions to customers."

Looking at the full Magic Quadrant for User Provisioning, it is interesting to note that Sun is in the top 3 as well. It is clear that this market is heading for further evolution and, more importantly, innovation that will directly benefit customers and technology providers leveraging an increasingly mature, standardized IAM suite across each layer of the application stack, regardless of the deployment model.

Here is the link to the press release.

Wednesday, November 4, 2009

Persistent helps organizations say Bye-Bye to CA SiteMinder

Persistent Systems delivers a packaged solution for migrating from CA SiteMinder to Oracle Access Manager (OAM).


So why do we need a solution for this?

  • Accelerated – Save time (i.e. $ on implementation)

  • Lower Risk – Repeatable solution reduces project risk

  • Proven – Well-laid path by existing reference customers

  • Turnkey – OOTB solution



Why do organizations want to migrate?

  • CA SiteMinder has a very large & dissatisfied install base because of:

    • Poor investment in Dev and Support – There are substantially fewer engineers building/supporting SiteMinder than when it was part of Netegrity, while Oracle has increased the dev team on OAM

    • Costly Support – CA's support pricing model creates painfully high pricing (disproportionate to the rest of the market) in the minds of many organizations.

  • Stack Limitations:

    • As a stack, the Oracle IdM suite has dramatically outpaced CA in completing the picture and innovating toward the future.



So who should consider this?

  • SiteMinder users with Oracle products (DB, EBS, Apps, IdM…….) – i.e. those that will benefit from the Oracle IAM Suite and the broader Oracle Suite

  • Customers who use both SiteMinder and OAM for different applications or business units – i.e. those hungry for actual SSO

  • Customers who have SiteMinder environments through acquisitions – i.e. cost savings

  • Anyone with a SiteMinder deployment


So why now? Why was this not done already?

  • Legacy – SSO environments constitute several years of work/investment

  • Perception – Migrations are seen as long, effort-intensive, expensive and risky

  • Time – Typically ROI is too far away, but not in this case


Persistent Systems' SM2OAM solution addresses all these challenges!


Case in point: at a large public technology provider (not ORCL), the migration time from SiteMinder to OAM was brought down from 24 months to 6 months!



OK, so how do we do this?

  • Option 1 – Fully outsourced

    • Turnkey Persistent solution includes ‘acceleration plus services’

    • All phases delivered by Persistent

    • Direct, subcontract and fixed-fee options available

  • Option 2 – Joint solution

    • Persistent provides ‘acceleration’ for the existing services team

    • Phases in blue delivered by partner, rest delivered jointly by Persistent

    • Fixed-fee, markup and shared-revenue options available


So who is Persistent Systems?

  • Over a decade working on the back end doing OAM engineering

  • Over 140 person-years of engineering experience with the Oracle IAM stack

  • Ongoing implementation efforts – 20+ marquee customers

  • Winner of Oracle's partner ‘Challenge’ – OID 2 billion benchmark, ‘last-mile’ solutions

  • 20 years old, profitable, 5K people, hundreds of customers, thousands of product releases

  • Global presence – North America, Europe, UK and Asia


To get started contact:

Muneer Taskar

muneer_taskar@persistentsys.com