[SecurityRatty] tag: cohesive

Interop NY Keynotes: BlackBerry

Wed, 17 Sep 2008 11:07:39 +0000

David Yach, Chief Technology Officer of Software at Research in Motion rounded out the final keynotes of the morning as part of the Mobile Business Expo (MBX). David focused on how enterprise and mobility are tied together today.

Which of the following initiatives are likely to be a major telecommunications technology related priority for 2007? Mobility is a huge issue.

We’re starting to see traction with mobility.

The evolution of enterprise mobility:
- Voice –> messaging –> e–mail –> web, –> business applications –> instant messaging/presence –> what’s next?
Cell phone to Smartphone:
- 1G –> 2G –> 3G

Converging IT Responsibilities

Collaboration, Web/Internet, Desktop Computer, Deskphone/PBX, Mobile Phone and Applications. All of this is under the umbrella of IT. IT departments are not a single cohesive unit where everyone gets along. They have different motivations, budgets, goals, etc.

BlackBerry manages all of these responsibilities in one, forcing these departments to collaborate and work together. This is key for interoperability between these systems, knowing how they work together.

Desktop capabilities are expected in mobility:

Information
Collaboration
Voice
Transactions
Presence
Application

Mobile devices are fundamentally changing the pace of which we all work. You can reach anybody at anytime. This changes business.

All of this is working with data that is behind a corporate firewall.

The big change in IT is that for almost any industry now, the data that you have and you manage is a core corporate asset. It doesn’t matter whether you’re in manufacturing, logistics, or a bakery. Information is king. This has the benefit of moving IT up to a C-level position. You are a core part of your business success. This has benefits, and also added stress.

Voice is still the “killer app” for mobility. Deskphones and smartphones need to overlap into a mobile voice system.

Another up and coming technology is the mobilization of enterprise applications. This provides the ultimate user experience. For example, Blackberry has mobilized the SAP Business Suite on BlackBerry smartphones. SAP CRM access is as seamless and intuitive as email on BlackBerry and incorporates push, alerting, security, GPS, Wi-Fi and media.

Enterprise grade platforms will extend core competencies of enterprise systems to mobile environments.

Secure
Reliable
Manage
Control
Administration
Standardize

Conclusion:

Putting it together: integrating the wireless capabilities of today into the business tools of tomorrow.

It Was Sposed to Be So Eaaasy

Wed, 10 Sep 2008 03:12:42 +0000

Earlier this year, I gave a talk with on Breaking Web Services with Brian Chess at RSA. We pointed out that adding security into Web services is an exercise left to the implementer, the standards bodies and vendors give you some primitives, but it is still up to you to figure out all of the items on the Web services security checklist should work together in a cohesive system. Needless to say, there are many ways to shoot yourself in the foot.

So during our talk, someone from Oracle stands up and says, "hey, you guys are making this stuff sound hard. Its not hard we support WS-Security..." etc. Again, the whole point of our presentation was *not* that there are not very interesting general purpose security capabilities in Web services, our point was that you need to figure out the architecture yourself, and then bend the tools to your will. Oh, and deliver on time.

So imagine my surprise, when I read this article "Digitally Signing and Verifying Messages in Web Services" which talks about using Oracle's WSM tools to sign Web service messages and verify signatures in Web service messages, but only addresses integrity - absolutely nowt on authenticity! Integrity is important, but there are lots of times when it is not enough. Many times your service needs to be concerned with replay attacks, authentication policies and so on. To deal with those things, we would typically add policies and capabilities for timestamps, nonces and other primitives into the signature block, but the article is silent on those things. (Rad Mark O'Neill's post on this as well)

Its not about _can_ the standards do something or other, I mean given the right resources the standards can put a monkey on the moon, its about what use cases have they engineered in and what is supported in the tools today. I firmly believe SAML has such great adoption across the industry because they have a use case centric view and so gave the vendors something to engineer and optimize for. I think we'll still get there in WS-Security and other areas as well, but the use cases are not built into the spec (as with SAML) and so its taking longer.

One of our points in the talk was - we want you vendors to do your job better and instead of shipping a box Legos, ship a Lego gas station, a Lego airport, and so on. Connect some dots for your customers.

What I see in training on this topic, is sort of the following - 1) Do I need Web service security? 2) Oh ok, well can I get by with SSL? 3) Oh wait that doesn't actually protect my assets, can I just use WS-Security? 4) Oh wait, WS-Security isn't just a checkbox for security, I need to figure out timestamps, nonces, signatures, encryption policies and so on. And finally 5) How do I accomplish this?

Once we get to step 5 then the real work can begin. Its not easy to get a lot of developers through all of this, and again this is before the real work begins. Even once the lead developers and architects figure this out, there is still the little matter of transitioning it to the rest of the team.

I remember I was working with an enterprise architect several years ago, and he bought a Web service XML gateway like Vordel to add WS-Security support into his Web services apps, but he didn't even buy it as a runtime tool, he bought it as Security API, the runtime enforcement in his opinion was a bonus! He said in effect, well I know I need to do this, but I can't expose all these security primitives directly to my developers.

So yeah, I wish it was easier, but in my experience its not right now. Its not about raw capabilities its about use case realization. I think learning from what has worked well is the way to go. SAML's use case centric approach is one that has.

SSO Summit Wrap Up

Fri, 25 Jul 2008 09:41:07 +0000

More notes from SSO Summit - to recap I can't stress enough how a 50-200 person conference comprised of around 50-60% enterprise folk (instead of just vendors and *cough* consultants) is ideal. Real, in depth conversations instead of just "where is the party" a la RSA. Also, this conference has a laser focus on SSO, so all 150 of us are able to look through the prism from lots of angles.

Some additional takeaways

Dave Kearns has serious moderator skillz.

You can tell all the Mac users because they have to have their laptops plugged in at all times (Mr. Jobs paging Mr. Clayton Christensen)

Eve Maler can really sing

One of the prettiest drives through Colorado is here

I did my presentation on Security Token Servers today. Bob Brandt from 3M spoke on Federation at 3M, its quite interesting to think about the mix of all these technologies the same way 3M's products are composed from a grid of technologies. I see STS playing role here, enabling us to get interop across multiple token types. Bob also mentioned that the business doesn't _ask_ for SSO any more; they expect it. He mentioned (and I have seen the same) much greater SAML adoption and awareness by customers and partners. And I quite liked his quote - "If you are a SAAS vendors and you are not supporting SAML you won't be in business very long."

Kent Beck says programs are not things, they are shadows of communities. If you look at a big vendors' IDENTITY AND ACCESS MANAGEMENT SUITE - its not a cohesive product so much as a shadow of the big vendors' Visio org chart. Ping's SSO community is fast, light and Ninja; SSO functionality enabling real pros to get stuff done for real use cases.

Its a lot of fun to be at a 1.0 conference, I am pretty sure this will be 2x-3x next year.

Taming of the Information Security

Wed, 09 Jul 2008 02:33:00 +0000

In many mid-size to large organizations, information security grows up to become an unmanageable complex beast. In some cases, this happens consciously where information security goes out of control, but in other cases this happens unconsciously where there is a slow but incremental increase in the complexity of information security which leads to chaos.

The information security field is not yet fully mature; there is a lack of cohesive interoperable framework. The rapidly evolving landscape adds to the existing problem. There are several examples: Intrusion Detection System (IDS) was quickly overtaken by Intrusion Prevention System (IPS). On the Firewall arena: the focus has moved from perimeter security to end point security. There are some security visionaries who are preaching inside-out security approach i.e. building products with information security in mind from the beginning.

Threats are moving higher up in the OSI stack making it harder to detect. Hackers are becoming more sophisticated – there are powerful free open source hacking tools available at their disposal. Security managers driving security initiatives without co-ordination can result in pieces of puzzle that don't fit well. Agency problem i.e. security managers thinking more about their personal advancement rather than security of the company is bad for the company’s security initiative. Security leaders who do not have a clear vision of

security at the component level, the administration level and the strategy level can only make information security even more convoluted. The CISO and acting CIO of US Dept of Veteran affairs resigned after the breach in May, 2006 where personal data of 26 million veterans and more than 2 million service members was stolen. This clearly demonstrates the accountability and visibility of security leadership.

The attitude of IT security leaders and security team members has a significant impact on security. Reckless buying of information security technology can result in wasteful expenditure and very little gain in efficiency. Not understanding the business perspective of security issues or security perspective of business issues can lead to poor security decisions. Using security as a mechanism to gain control rather than using it as a tool to reduce risk can only diminish the perceived value of security initiative. Implementing security as an afterthought rather than building it into the framework not only result in poor architectural decision. Security investment is more like buying insurance. Thinking security as a vehicle providing an ROI can result in wrong expectation and lead poor decision. The business in which a company operates contributes largely to the perceived importance to security. Financial institutions usually have a higher bar on security because of the very nature of their business and their exposure legal liability. It is a good idea for many technology companies to emulate financial institutions to raise their information security bar.

It could be a pipedream to accomplish complete information security but accomplishing a well managed information security program is an attainable possibility.

Security Function as a Business Enabler

Fri, 27 Jun 2008 16:50:00 +0000

In one of my earlier blog posts I branded Information Security function (as part of IT) as an overhead of an overhead. It is utmost important for security manager to run the security function in a way that it enables the business.

The various components (sub functions) of security organization should align with the business objectives of the IT and the whole organization. There needs to be a cohesive security strategy in order to align the various comoponents. One good way of understanding the business objective is why is the business parting with money for deploying a specific security component. Why is business giving me money for Compliance? Why is business giving me money to implement IDP? Constitutive questions such as these will help you to understand the fundamental concerns for the business and based on these we can come up with a strategy suitably aligned with the business.

One good example is the area of compliance. Attempting to make each every units of your business complaint with certain standards/legal regulations and so on would be a tall order. First define the scope, draw a circle around the units that need to be compliant, then come up with a strategy to make it compliant by formulating your objective - derived from the business objective of why the business gave you money.

Any security implementation effort should have a well defined focus (scope), business objective and strategy to bind the various components cohesively that aligns with the ultimate business objective. By this business will view security organization with dignity else security organization will end up being a spoke in the wheel of business.

In the past, I was involved in discussion about the ROI of information security and security is insurance and so on. After eating the forbidden apple from the tree of paradise, I realize security has neither ROI nor akin to insurance. Information security is way of doing business with due care. Security is way of enhancing the trust of a business among customers and thus enhancing the identity (or brand image of the company). Few years down the line people won't even question why you do security, it will become a part of your background conversation. Nobody questions why we buy hybrid vehicles anymore right?

If components of security function is not cohesively aligned with business objective it is spoke in the wheel of business else it is a brand enhancer of business.

Security Evolution

Mon, 19 May 2008 13:42:16 +0000

We have been in a world of faith based security for far too long. Probably the biggest factor is a lack of innovation and dynamism in the discipline of information security. Consider this rough timeline of software development progress since the dawn of the web.

People pretty quickly realized that plain HTML was not enough, so developers invented CGI/PERL for more dynamic sites. Once they wanted to scale and pool they built out ASP and JSP, then to deliver middle tier components they developed EJB, J2EE, and DCOM. After that there were a lot of heterogeneous systems that needed to talk to each other so SOAP and XML came along to address that. This path diverged into ultra-simple (REST) and more powerful but baroque (SOA), and finally, the user side got some love with Web 2.0 technologies. That's a heck of a lot of engineering and innovation by the software development community for plus or minus 8 years.

Now lets' check in with the developer's brethren over in information security. Well, once the web came along the information security community quickly realized that network address translation was going to be important, and further that encrypting the communication channel between the browser and the web server was also crucial. And then, they addressed all the security issues ASP, JSP, EJB, J2EE, DCOM, SOAP, XML, REST, SOA, and Web 2.0 with....umm...more of the same!

That's a pretty poor showing for innovation considering the enterprise investment into information security. Sure the software developers' have a bigger budget, but come on infosec - show some pride!

Infosec types like to throw developers under the bus for security issues, but its a collective failure. Sure developers need to learn more about secure coding, but as the table above shows - security is not keeping pace, and the gap is getting bigger.

Here is another dimension to the problem - attackers *do* evolve. The new technologies provide far greater attack surface (data, method and channels) for the attacker's to exploit and/or launch attacks from.

Because the defenses have not evolved its a simple evolutionary adaptation for attackers to go around or through the 1995 defenses. Its not about SOAP going through the firewall, its about never bothering to secure the apps and the data. Its like saying to your opponent, remember the how the Detroit Lions played defense in a certain game in 1995, we were just going to do that.

So with the software developer's latest evolution we get Mr. O'Reilly's famous Web 2.0 meme map

but where is the co-evolution in infosec? there is non. There is co-evolution in the attacker space. here is a sample web 2.0 attacker meme map

So the firewall offers great protection if your adversary is using Visio, but otherwise its mostly useless.

So we would want to see two things happen - developers start writing more high assurance code and second - infosec needs to evolve its security services to form fit to that which they are protecting. Hint - it ain't a Visio diagram.

The thing is - we are getting getter tools. Static analysis is a very powerful tool to improve your software security from a bottom up perspective and it can scale. These tools continue to get better. We are are getting better standards - WS-Security, WS-Trust, and company enable fundamentally new security architectures. And we're getting better primitives, especially in the identity space - SAML, Cardspace, and friends will one day let us live in a world where users are not typing username and password into a web browser to do online banking.

So maybe the innovation tide is turning, but there is a lot of ground to catch up, infosec about a decade behind the developers and probably close to that far behind the attackers. Its going to take something special to catch up, but is there any other way? I think a big part of catching up is putting together a realistic pragmatic blueprint to evolve your security architecture - a roadmap that addresses your people, processes, and technology. There are standards, primitives, and tools to leverage, but by themselves they are just pieces, they have to be brought together into a cohesive design. Its not an overnight thing to realize this, but the point is for infosec to *begin* the evolutionary process. Now. For real use cases. Using the security protocols, mechanisms, and skills we have available now.

The Road goes ever on and on,
Down from the door where it began.

Now far ahead the Road has gone,

And I must follow, if I can,

Pursuing it with eager feet,

Until it joins some larger way

Where many paths and errands meet.

And whither then? I cannot say.

-J.R.R. Tolkien,The Hobbit

Evolution of IT Security to Risk; driving IT GRC acceptance?

Thu, 24 Apr 2008 17:32:00 +0000

Great summary by Michael Rasmussen of Corporate Integrity on the 2008 State of the GRC market was posted earlier this month.

I believe the title of one of the sections itself summarizes one of the biggest benefits of GRC, "GRC is About Organization Collaboration." He is 100% correct from my perspective - independent of the people, technology and process - GRC solutions are about using software automation to help enterprises collaborate to reduce their exposure to the big three buzz areas each of those letters in the acronym represent (Governance, Risk, Compliance).

Now, GRC solutions can't and won't solve these problems alone. They are part of an overall ecosystems of technical control products, best practice processes and people communication/expertise. You still need your Vulnerability, SIEM, IDS/IPS, Firewalls and other security products. You still need your COBIT, ISO, ITIL and other best practice processes. And of course, you still need the people who should know the overall business goals and priorities and then apply their expertise on how IT can help achieve those goals. GRC as mentioned before is the organization collaboration construct that can successfully bring all these complex areas together into a tight and cohesive Governance, Risk and Compliance strategy.

Another article I came across starts to highlight how some organizations are starting to elevate beyond operational security to strategic risk centric in culture. Tim Wilson over at Dark Reading just put out this great write-up yesterday titled; Market's Message to Security Pros: Adapt or Die.

-snip-
"...the question now is not how precarious the security manager's job is, but what it may evolve into, Schmidt observed. "As it becomes more about risk, security is not necessarily an IT problem. More and more, you see companies creating positions such as chief risk officer, who may report to a chief operating officer, and in some cases, the CSO might report to the [risk officer]."
-snip-

This trend points directly at GRC solutions that can provide the common construct to help all aspects of the organization collaborate. A decent analogy may be what ERP was to the CFO, GRC is to the CRO.

One last article that also points towards the trend around moving operational security tasks back into IT operations and thus security analysts evolving into internal Risk Consultants to the IT organization would be this blog from Trent Henry over at Burton Group. Once these "Risk Consultants" are created, GRC provides the collaborative platform to conduct their more strategic initiatives mentioned; policy, risk & compliance monitoring, assessment program development, etc.