What I found is that the two providers were using entirely different means to format the events! The email provider calls ToString(bool, bool) on the event to ask it to format itself. But the EventLogWebEventProvider does its own formatting of individual fields of the event. Indeed, its ProcessEvent method has a big list of checks:

if (eventRaised is WebBaseErrorEvent)
    AddErrorStuff();
if (eventRaised is WebAuthenticationSuccessAuditEvent)
    AddLogonStuff();

So it seemed like a better approach would be to write my own provider. I left the event log provider alone, and I wrote a custom email provider to display errors in a more useful way. This also allowed me to drop some fields from the event report that aren't useful for us. And I was able to construct a much more concise and useful subject line (the subject line that SimpleMailWebEventProvider uses is rather clunky since it assumes it might be spitting out a whole bunch of buffered events in one go).

Not only does my provider include the stack traces for all of the exceptions in the chain, but in the subject line, I display the type of error that is at the root of the problem. So if I am formatting a TargetInvocationException, I drill into its InnerException chain until I find a different exception type, and display that exception type instead.

Oh, one other benefit of building the custom provider instead of using a custom WebEvent was that I was then able to remove the Error handler from global.asax. All I had to do was replace the SimpleMailWebEventProvider with my own provider, and I got the behavior I wanted. Now my email notifications include detailed stack traces.

I'll post the code for this provider once it's run for a little while in production and I'm satisfied that it works reasonably well.

ScienceLogic: What is “BSM Lite” and how is it different from “heavy” BSM?

Doug McClure: I think the concepts that Peter Sevcik from Net Forecast initially outlined in his blog post sum up what “BSM Lite” is all about: a simpler, less expensive, more responsive way of achieving the goals and objectives of Business Service Management (BSM).  He’s contrasted this nicely against what he termed “BSM Heavy” being the larger investments in time and resources to deploy domain specific tools and solutions each providing a view into the business service delivery with some aggregation and consolidation to tie up all of the disparate tool’s information into a concise end-to-end business service management story.

I’m pleased that he leveraged some of my thinking around a better working definition of what BSM really is from the BSM Defined page on my blog. Of course, these definitions are going to vary depending on whom you talk with and how they see the overall BSM Maturity Model.  I’ve created a BSM Maturity Model that aligns with the famous Gartner IT maturity model.  I’d like to think that a “BSM Lite” solution is one attacking the low hanging fruit, enabling one to achieve value quicker, and in a more tactical manner.  The “BSM Heavy” solutions are capable of the same, but span all along the BSM Maturity Model by adding additional point solutions, products and technologies from their broader portfolio. 

ScienceLogic: Does “BSM Lite” just refer to the tools, or can it refer to the process and methodology as well?

Doug McClure: I think that BSM is as much a philosophy as it is technology, process, people and methodology.  If we can get people to think, operate and respond differently than they do today with a focus on the business, customers, quality, revenue, or whatever else is most important to their business goals and objectives, than that is Business Service Management and could be “BSM Lite” if you will. 

Being that I work for IBM Tivoli, one of my personal objectives is to identify ways to use our key BSM enabling products in a more efficient, effective and BSM centric way. This was a huge driver for trying to hold DevCampTivoli focused on “Collaborative Development of End-to-End BSM Solutions”. 

In my opinion, we don’t make things very easy for our clients and the answer can’t be to “buy this product, module or widget” to fill in the gaps.  In my opinion, we must establish a BSM overlay within IBM Tivoli’s development and product management organization that ensures that we have clearly thought about how to enable BSM with the hundreds or products that we sell.  In my opinion, every product release must incorporate the fundamentals of enabling BSM in addition to the core domain specific functionality intended. I hope to keep this spirit alive and get our smartest IBMers and clients thinking about the best way to take a “BSM Heavy” solution and make it “lighter”. I hope to share more about my plans here and guidance for the industry in general soon.

That said, I am always interested in consulting with clients and collaborate with peers in the industry to figure out how to get the focus on the people, process and technology as key components of their BSM strategies.  I am absolutely convinced that without a documented BSM strategy, roadmap and top level sponsorship within the business and IT, the chances of BSM success greatly diminish.

ScienceLogic: Given the complexities involved in implementing a BSM strategy and dealing with the people and processes components of any business, how does “BSM Lite” really work? Should the expectations and outcomes be “lite” as well?

Doug McClure: Time will tell if “BSM Lite” will work.  I’m seeing emerging companies that are already breaking down some of the barriers to BSM success.  I do not expect that those choosing to begin with a “BSM Lite” approach should expect “lite” outcomes. 

The outcomes are the same regardless of the approach IF you’ve got a documented BSM strategy, roadmap and top level sponsorship in place before you begin. New features, capabilities and technologies will be needed as the needs of the business change and companies mature in BSM and fundamental IT management. This will likely force companies to move in more “BSM Heavy” directions to fill those gaps. 

In my opinion, this is the ideal scenario now as it gives “BSM Lite” vendors opportunities to grow their products and solutions. It also GREATLY improves the chances for success with a “BSM Heavy” solution because the organization would have already had matured enough to approach a “BSM Heavy” solution than if they hadn’t done a “BSM Lite” solution in the past.

ScienceLogic: Is “BSM Lite” more appropriate for a small or midsized organization, or does it apply equally to large companies? Is there an ideal profile for a company that can successfully implement a BSM strategy? Is there a different profile for “BSM Lite”?

Doug McClure: From an economic perspective, the concepts of “BSM Lite” are appropriate for all companies.  Remember, with “BSM Lite” we’re focused on identifying ways to make the goals and objectives of BSM easier to implement and in a more cost effective way.  Any company concerned about their IT cost overhead should care about this, especially when the risks of starting out with a “BSM Heavy” type deployment are much greater and the time to value generally much longer.

The “ideal” profile for any company is one where the BSM initiative begins by establishing top level buy in through creation of a formal BSM strategy for the company. This BSM strategy personalizes how the company defines what BSM is, what value the company expects from it, and how it will use BSM as a competitive differentiator for delivery of its business and IT services, products, etc.

The organizational “profile” I’ve seen most successful is when implementing a BSM strategy originates from within or actively includes a group that many companies have now that serves as a liaison or relationship management role between the various lines of business and IT. Sometimes this group is often seen as the gatekeeper to filter (and hinder) business driven requirements into the IT organization. In the ideal scenario, this group works very closely with the business and IT (usually staffed by business people and not IT people) to understand both the business side and IT side of complex business services and applications. 

Apart from the traditional IT components, what this group can do is help IT really understand the business perspective.  Analysis of the impact on the business in business terms is only possible by collaborating with a group such as this.  True value oriented BSM becomes attainable when we get to this level of IT and business alignment, cooperation, collaboration and communication.

If BSM is an IT only initiative, this will likely result in an IT centric perspective severely lacking in the necessary business perspective.  In these cases where IT doesn’t invest their BSM efforts with the business as an equal partner, the implementation ultimately becomes a “CYA” tool for IT and not achieve the desired value oriented expected.

To some degree “BSM Lite” may have an entirely different profile. If we see the price points, complexity and time to value change significantly we may see these types of deployments originate exclusively within the Line of Business. The possibility may exist where large enterprises operating in a shared IT services or IT outsourcing type model that the Line of Business brings in a “BSM Lite” solution to gain the visibility, checks and balances needed to ensure that the LoB’s needs are being met from the internal/external provider. I’d envision that “BSM Lite” may even be capable of operating within a “SaaS” model or other managed service type offering where the price points are below the signing levels triggering broader IT involvement and review.

To Be Continued…

ShareThis

"I wonder how much of the inability to secure sufficient funding and management buy-in is due to the approach of the security professionals themselves"

asks Andrew (through Rob)

One thing that could help is to improve the delivery method. Seth Godin and Guy Kawasaki (to name a few) are proponents of the visual delivery style, making great use of images to amplify delivered messages. Could this style improve the chances of communicating effectively security to business?

I am sure most will agree on which of the following presentation slides is most likely to bore the audience to death?

So, why not make your presentation a bit more colourful? A bit more visual? More concise? As Antoine de Saint-Exupéry said:

“Perfection is achieved not when you have nothing more to add, but when you have nothing left to take away”.

So, is it possible or indeed necessary to communicate all those complex security issues in a very simple form? Or would it be too simplistic?

Here is a couple of examples. Dragos Lungu used a very visual "emotional" style to present on E-Banking Web Application Security and so did we in Introducing Cronto Authentication Platform.

What do you think? What style do you use? Can you share your presentation? Could we build together a slide deck that could help everyone?

If you would like to share your presentation, I have setup a "securityDeck" group on Slideshare. If you upload your presentation there and join "securityDeck" group, you will be able to share your presentation with the group, hence making it easy to identify our slides collection from general presentations on security-related topics.

To share the presentation with the group, once you are a member, choose "Send this to group" from the list of options on the right side of the presentation (when viewing it).

GTAG’s

The Institute of Internal Auditors has been releasing a white paper series on issues related to IT Risk Management and Information Security. The paper’s are titled as GTAGs, which is an acronym for Global Technology Audit Guidance. The project is very ambitious, trying to break down major technical topics, the IT risks associated with them, and the controls that are available in a concise format accessible to senior risk executives.

Of the nine that have been released to date, several caught my eye. Here are the ones I would like to highlight:

• Auditing Application Controls
• Change and Patch Management Controls
• Identity and Access Management
• Information Technology Outsourcing
• Managing and Auditing Privacy Risks
• Managing and Auditing IT Vulnerabilities

You can find the library of papers at The IIA’s GTAG portal. New materials are released regularly.

In Other News…

Earlier this month I participated in a Webinar titled “Getting More Encryption for Less”. At the end of the call there were a few interesting questions during the Q and A session, one of which I wanted to recap here…

Question: Will Federal Privacy Regulations include Cryptography Standards for “Safe Harbors” ?

• Discuss what a Safe Harbor is, using California Security Breach Information Act (SB-1386) as an example
• Introduce NIST, FIPS, and FIPS 140-2

Cheers, Erik

Art of Information Security would love your feedback !

Art of Information Security Episode 002: GTAGs and Safe Harbors

These are a rather concise set notes that I've taken while looking over his code more closely. I created a wiki page to quickly hack up this list. Here's what it looks like now:

• Fx helps you implement a custom STS
  • STS can issue managed cards (see below)
  • Fx provides a base class for your STS, (it's currently called SecurityTokenService)
  • You derive from this base class and supply a "ScopeProvider" implementation which answers (at least) two questions:
    • What type of claims your STS can issue (you have to generate a list of claim URIs that you will be issuing)
      • This is helpful for issuing managed cards, which need to specify which claims an IdP supplies
    • What claims should be issued for a given user request, which consists of:
      • Information about the target relying party (AppliesTo), which is not always known (an auditing STS will know this, for example)
      • The AuthorizationContext for the user requesting the token (this gives you the incoming set of claims from the user)
      • The actual RST if you want to look at it (this is a WS-Trust thing)
      • The issuer's credentials (you need this to generate the claim set)
  • User authentication methods (an STS needs to authenticate the user before issuing a token)
    • Kerberos
    • X509 Certificates
    • SAML from personal cards
    • Username/Password
• Fx helps you expose your STS using WCF
  • Fx supplies a custom ServiceHostFactory (currently called WindowsInformationCardServiceHostFactory)
  • This allows you to create a .SVC file for a WCF endpoint to expose your STS
• Fx supplies an HttpModule for the traditional ASP.NET authentiation pipeline
  • According to Vittorio, this "automates a lot of the validation work in the framework". It's called FederatedAuthenticationModule, which gives a hint as to its function. It probably sets up HttpContext.User like a traditional authn module would. It's probably not specific to building an STS (remember the Fx is also used to build relying parties)
  • There's a custom config section that configures this module. Vittorio uses it to say, "use my SSL cert as my relying party cert". This is probably required in case the client wants to authenticate using a card.
• Issuing managed cards
  • Fx provides a function to generate a managed card, as well as a class that represents it (it's currently called InformationCard)
    • You can specify the default name and image for the card you issue, controlling what the client sees when she installs your card
    • Fx provides an information card serializer: InformationCard<-->XML (this is what the user installs into her identity selector - an XML representation of the card)
• Fx provides a utility to generate a PPID, which is a pretty complicated task!
  • Currently takes three inputs to gen a PPID for the relying party to use:
    • Client's AuthorizationContext
    • The relying party (AppliesTo)
    • Issuer's credentials
• Fx provides some helpers for reading claims from an AuthorizationContext
  • I notice a ClaimsContext class that allows you to write code like I show below, although I'm not sure how it figures out how it deals with multiple ClaimSets.

string email = myClaimsContext[ClaimTypes.Email]

• Fx provides a set of ASP.NET login controls (three right now):
  • FederatedPassiveSignIn (I'm guessing this is for doing traditional ADFS v1 style logons)
  • InformationCard (login control that accepts information cards)
  • SignInStatus (probably similar features to ASP.NET's LoginStatus)
• Fx helps you build relying parties
  • InformationCard login control
    • You can specify whether you want to accept personal or managed cards
    • If you accept managed cards, a wizard will take a card file as input to automatically configure the control (great idea, guys!)
    • Wizard shows claims supported by the managed card, and you can select which ones you want (either optionally or required)
    • There appears to be a SignInMode that you can use to establish a session. I'm guessing that this issues an ASP.NET Forms logon cookie or something equivalent. This is probably one of the things that the HttpModule deals with (reading that cookie and using it to configure HttpContext.User).
    • Here are the control's identity-related events:
      • SecurityTokenReceived
      • SecurityTokenValidated
      • SignedIn
      • SignInError
    • Here's a picture Vittorio shows that shows a number of the properties of the control if you want to try to guess more about what it's going to do: