Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.
If you haven't already listened to Mike Rothman's podcast, front and center on ebizQ this Friday morning, I implore you to check it out: he talks database security with Rich Mogull of Securosis. It's an enlightening discussion, and Mike introduces a rather interesting podcasting device, where he throws out a word and asks for the first response that comes to Mogull's mind. I have to say, the podcast is actually fun to listen to, and almost qualifies as infotainment (I remember David Letterman using that term a lot).
Mike Rothman also has a feature article coming up next week which will be a must read. So this is a good time for me to remind you to sign-up for the ebizQ Security Newsletter, where you get all the security news you need to know right in your in-box. You can sign-up right here.
November 29, 2007
Biggest Trends in Identity and Access Management
In yesterday's blog, many of the folks I met with at the Gartner IAM show in LA answered what they thought was the biggest challenge for Identity and Access Management in 2008. The next question I asked was what they thought would be the biggest trend for IAM in 2008.
Also, in yesterday's blog, I offered proof that IAM was the hottest thing around. I offer that proof at the very bottom.
So the answers to the biggest trend for IAM in 2008 follow:
Brandon Whichard, Product Line Manager, Identity Management, Sun Microsystems:
The main trend for IAM in 2008 will be the proliferation of Business Role Lifecycle Management, which represents the next evolutionary phase of Identity and Access Management by creating additional efficiencies through compliant provisioning and further reducing IT and help desk costs.
2008 will see serious efforts to introduce rules-based, intelligent systems capable of correlating events and identifying a broad cross-section of potential risks (from access to environmental health and safety) in time to prevent and mitigate dangers.
Martin Ryan, Vice President Worldwide Sales and Marketing of e-DMZ:
We see a strong trend towards strong auditing. Being able to answer the questions, who had access, when they had access, where they had access and most importantly what they did.
IAM products, particularly those that help address password management and network authentication, will cross the CHASM and become a necessity like firewalls, VPN, and SPAM filters. It will be hard to imagine companies not addressing security, compliance and user convenience issues and continuing to live with the cost and pain that can be easily addressed with IAM solutions.
Mark Ford, CISSP, Principal, Leader, National Identity & Access Management of Deloitte & Touche LLP:
We are seeing a significant up-take of IAM technology and services by major corporations currently. This should drive more capital into the IAM market, and provide for more innovative IAM technology to emerge in 2008. We will also see the continued consolidation of IAM technology into the major business application technology companies.
I think for IAM in 2008 we will see growth in role-based identity management projects. We will also continue to see projects around access management like SSO but with the additional use of context information to refine user access.
The main trend in 2008 for IAM will be around authorization and identity-based web services. Companies and vendors will start thinking about how to best solve these two significant problems.
Venkat Raghavan, Director, IBM Tivoli Security Market Management:
Businesses are moving beyond the traditional model of inflexible business processes to a more flexible, more accessible and reusable approach known as Web services. To that end, we'll continue to see the fusion of technologies like Identity & Access Management (IAM) and Security Information and Event Management (SIEM) as clients start to elevate IT security to a broader risk management discipline. Clients will start to deploy layered security controls and automated compliance controls around people and business processes and sensitive data to address various compliance regimes like SOX, PCI, Basel II, etc.
With the pace of acquisitions in the fine-grained entitlement management and roles management spaces, look for the platform vendors to fold this functionality into their next-generation SOA platforms, like Microsoft's "Oslo" initiative.
Also, yesterday I promised proof that IAM is HOT HOT HOT. Well, as the ebizQ team all arrived at the Hyatt in Century City to start our two days of meetings, who was sitting right by us but one of the stars of Grey's Anatomy, Mr. McSteamy.
Is there any more proof needed that Identity and Access Management is the hot sector of security? I've included a picture of McSteamy sitting in the lobby of the IAM Summit LA just for proof. What's next, I ask: information security paparazzi?
November 28, 2007
The Biggest Challenge Facing Identity and Access Management
It was two weeks ago today that I set sail for Gartner's Identity and Access Management summit in L.A. For the two days I was there, I was able to meet with many exciting and excited people, all of whom kept echoing that it really felt like something big was going on with IAM this year.
In my two days of meetings, I asked everyone two questions. The first question was: what do you think will be the biggest challenge for IAM in the coming year? The answers follow:
Venkat Raghavan, Director, IBM Tivoli Security Market Management:
The biggest challenge will be the evolution of IAM from discrete point products to IAM delivered within a service oriented architecture as a set of "reusable services" that can be easily integrated into applications and business processes, middleware and data interactions.
I believe the biggest challenge for IAM in the coming year will be twofold: How companies can obtain a bigger and faster ROI on their identity management initiatives; and, what we can do to further protect the consumer from identity theft and enhance their trust of Internet-based e-commerce.
Human and organizational issues will pose the biggest challenge to the industry in 2008 as businesses realize that teams working on SOA and IAM initiatives need to be fused under a common vision.
Making products easier and simpler to install and maintain. The market opportunity and demand for IAM solutions is no longer just with the Fortune 1000 companies but with the broader market that can't always afford to pay 4x to 6x the license cost to get IAM products up and running. Until IAM solutions can become more productized they will remain solutions that only the few can afford.
I think the biggest challenge for IAM will be for organizations to treat IAM as a strategic initiative instead of just solving a tactical issue.
Mark Ford, CISSP, Principal, Leader, National Identity & Access Management of Deloitte & Touche LLP:
I believe that one of the biggest challenges for the IAM community will be to effectively fit into the broader market leading issues around Governance, Risk and Compliance (GRC).
Martin Ryan, Vice President Worldwide Sales and Marketing of e-DMZ:
The biggest challenge for IAM in the coming year will be delivering, meeting and maintaining compliance requirements. Compliance seems to be a continually moving target with areas of audit focus changing each year.
There is no bigger or more important challenge in the coming year than tackling the convergence of access to logical systems and physical access systems, while integrating ERP data for comprehensive security intelligence.
Brandon Whichard, Product Line Manager, Identity Management, Sun Microsystems:
The biggest IAM challenge companies will face in the coming year centers around how to cost-effectively manage auditing and compliance; in the context of SOX and other regulations, companies have no choice but to implement the appropriate controls and policies that ensure regulatory compliance and can stand the test of an audit.
Well, that's it for today, check back tomorrow to see what all these luminaries think will be the main trend for IAM in the coming year. Also, tomorrow I will show absolutely conclusive proof that IAM is the hottest thing going in the security sector.
November 27, 2007
The Difficulty of Determining Security's ROI
An interesting discussion has broken out on Christopher Hoff's Rational Survivability blog about how hard it is to effectively determine the true ROI of all the various tools needed to maintain an organization's security.
This inquiry kicked off with Hoff at a meeting in France, where Hoff was asked about the business value of the information security department, or what the other person termed the "No Department."
The simple question was: Why can't you InfoSec folks quite simply come to your constituent customers -- the business -- and tell them that your efforts will make me x% more or less profitable?
As Hoff points out, this is not a question about risk management, which security often encompasses, but a direct question about ROI. And the trouble with discussing profit in terms of security is that security is usually a cost center: firewalls, antivirus and application security products simply don't enter into the profit equation (one exception is identity and access management, which can often improve efficiency).
To answer the question, Hoff went so far as to create a new term for ROI, which he termed RROI, meaning Reduction of Risk on Investment. But the problem of taking a pure risk approach to security is that many business folks are quite used to dealing with risk and will simply opt to accept the risk instead of spending 10,000 dollars to protect only a hundred dollars worth of assets.
Back in my days with Message Partners, which is an email security platform, our product was email middleware, and very often made it much easier for ISPs to introduce new email offerings (at an added price, or to remain competitive), so we were glad to bring up ROI in our discussions.
But still, most security is just cost against loss, and costs not tied to ROI are often the first to go in a downturn (or even in an upturn). Barring stopping all security efforts in order to establish a baseline cost/benefit, a simple way to at least estimate a loss that hasn't happened yet is to assume a bare minimum of $90 per record compromised, a figure that in no way accounts for loss of reputation, which can itself result in loss of business (though I hear people are still shopping quite happily at TJ Maxx).
November 26, 2007
Absolute Necessity of Mobile Encryption
Today's security news is rife with seemingly continuous bad news about one massive data breach after another occurring because of a lost or stolen mobile device. And as mobile devices continue to get smaller and smaller, they only become bigger targets for today's crooks.
According to the 2007 CSI Computer Crime and Security Survey, as reported by Network Computing, half of all respondents indicated they had a laptop or mobile device stolen in the past year. That's why government has stepped in: in 35 states, users must be notified if their customer or personal information has been divulged in one of these breaches.
So what to do? First of all, corporate policy should clearly limit the amount of sensitive data stored on mobile devices and should instead rely on secure remote access. And for data that must be kept on mobile devices, company policy should clearly define what data needs to be protected as well as the different safeguards that need to be applied.
And let's face it, encryption is still difficult and inconvenient, but because of the added exposure of mobile devices, encrypting at least the sensitive data that does end up on them should definitely be considered. As Avi Baumstein writes at Network Computing:
"Building the capability into corporate data systems to exclude sensitive data from export, or even better, make it difficult to output to a portable format, perhaps by requiring managerial approval, is key to compliance. A database extrusion prevention system like those we recently reviewed can help here."
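As an added example of the kind of export control Baumstein describes (illustrative code written for this page, not any of the products the article reviews), the following Python screens rows headed for a portable file for card numbers, using the Luhn check digit to keep false positives down, and either refuses the export pending approval or lets it through with the numbers masked. The sample rows, the column names and the "block"/"mask" policy switch are constructed for the example.

```python
import re

# Candidate card numbers (PANs): 13 to 19 digits, optionally separated by single
# spaces or dashes, and not part of a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: every card number a merchant accepts passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the substrings of text that look like card numbers and pass Luhn."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is what a receipt may show."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def screen_export(rows: list[dict], policy: str = "block") -> tuple[list[dict], list[str]]:
    """Screen rows bound for a portable file (CSV, spreadsheet, USB copy).

    policy="block": refuse the whole export if any card number is present, so a
    manager, not the exporting user, has to approve it.
    policy="mask":  let the export proceed with the numbers masked.
    Returns the (possibly masked) rows and a list of findings for the audit log.
    """
    findings: list[str] = []
    cleaned: list[dict] = []
    for n, row in enumerate(rows):
        new_row = {}
        for col, val in row.items():
            text = str(val)
            for pan in find_pans(text):
                findings.append(f"row {n} column {col}: {mask_pan(pan)}")
                if policy == "mask":
                    text = text.replace(pan, mask_pan(pan))
            new_row[col] = text
        cleaned.append(new_row)
    if findings and policy == "block":
        raise PermissionError("export contains card data, manager approval required: "
                              + "; ".join(findings))
    return cleaned, findings


# Constructed sample export; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_ROWS = [
    {"customer": "A. Example", "payment": "4111 1111 1111 1111", "note": "order 20071126"},
    {"customer": "B. Example", "payment": "cheque", "note": "call 555-867-5309"},
]

if __name__ == "__main__":
    rows, findings = screen_export(SAMPLE_ROWS, policy="mask")
    print(rows[0]["payment"], findings)
```

The Luhn test is what stops an eight-digit order number or a phone number from being flagged; a real deployment would add the other classes of data the policy names (account numbers, national identifiers) and write the findings somewhere the exporting user cannot edit.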
What follows is my podcast with Barak Engel, the Tripwire PCI expert. Barak has over fifteen years of experience in IT and information security and is a member of the advisory board of the Center for Information Security, and in this podcast we discuss the problems and solutions of protecting data at the point-of-sale (POS).
I've heard that as many as eighty percent of data breaches occur at the point of sale. Can you give me an example of one of these point-of-sale data breaches?
Before I do that, the eighty percent number is an interesting one. Depends on who you ask and how you look at it. A lot of the breaches can start there but not necessarily occur at the point-of-sale itself, simply because, in many cases, the point of sale does not actually hold many transactions. Those that do, of course, become very, very attractive targets.
As far as an example of a point-of-sale breach -- I'll give you a recent one. I don't know how well publicized this was, so I won't tell you who the merchant is. But the idea is that the group that was attacking this particular merchant went into a couple of their stores and distracted the gentleman who was working at the cash register and, while he was distracted (they needed only about ten to twelve seconds to do this), swapped out the little swipe machine that is sitting right there, the one you put your credit card into in order to authorize a transaction, with the screen that you sign on, for one of theirs that looked exactly the same. They left it there for a couple of weeks and used it both to recall transactions and to attack a further system inside of that merchant's back office, if you will, using it as an entry point to their back-end systems as well.
In two weeks, they came back, they got what they needed, they put the original back using the exact same tactic and proceeded from there.
How would Tripwire help prevent one of these point-of-sale security breaches?
Well, the main point is that Tripwire gives you highly reliable audit reports of any changes. Any time that a data breach occurs, unless it's a fully, completely passive one where you're only sitting there (you know, a skimming attack is completely passive; nothing can really catch that), the moment you create an attack that opens an attack vector, you have to make some changes to the system that you are attacking. And those changes have to be at a level that will be detected by a tool like Tripwire in particular, which attempts to monitor these kinds of changes to systems.
The good thing about Tripwire is the fact that once you have configured it properly, all you will get are those highly reliable exception reports, and you will get them on a regular basis. And you will be able to detect if a breach is occurring and stop it before it causes a lot of damage.
I guess this next question is more of a scaling question. I'd imagine a large department store would have a lot of these point-of-sale systems. How would Tripwire help oversee a system as large and complex as that?
Well, simply because it's so scalable, you can install Tripwire literally on tens of thousands of machines and go through the process of doing this regular audit report as well as an exception report. The one thing about even large department stores that do this, they tend to have relatively standardized types of point-of-sale systems and they all report to centralized machines that perform initial reconciliation that concentrates data from a region, from a segment of the stores or what-have-you. In many cases, then they send it over to a back office machine or back end machine or merchandising system of some sort that centralizes everything.
You have a lot of points along the way where changes would have to occur as part of an attack vector. Again, as we spoke before, with a tool like Tripwire you get visibility to all of these at all points of the chain. So when something like that happens, it's very easy to detect; usually, if you can configure Tripwire properly, within 24 hours you will know that something unusual has happened. You can start an investigation and you may stop a breach from going beyond a few thousand cards to several tens of millions, as we've seen recently with TJX. You can end up stopping it when only, say, 5000 cards were breached -- a much better result.
How would Tripwire have handled something like TJX, as you brought up, which was picked up via wifi?
Again, it's the same story. The attack vector -- so, yes, wifi was the entry point but then they had to make changes to, essentially to open a doorway for themselves or a pathway for themselves into those centralized systems. It could have detected it all the way up to the networking device that may have been changed, or it could have detected it at any point along the chain. And alerted if something was going on. If somebody was actually monitoring those reports for things that are weird, they would have figured out that something was going on and started an investigation.
That point of alert, that thing that says, "Look, this is kind of funny, go see what it is," is usually the most critical one. And you want to be able to catch it anywhere you can.
What are some of the common mistakes people make when trying to secure point-of-sale systems?
Number one, data retention. Point of sale systems really shouldn't be keeping data. Some of them let data go away daily. That's, I would say, that's probably a good compromise between the needs of the merchant as a business and the end security. Some of them use flash devices or flash memory and they don't actually go through the process of removing transactions from that terminal on a regular basis, meaning that it continues to accumulate it. It could happen as well in that back office PC that centralizes those transactions if the terminals don't have their own memory.
In one case that we were working on, with a merchant we were working with, they had exactly that kind of set-up: the POS terminals were no danger in the sense that they did not have transactions stored on them. But that back office machine never went and removed all their transactions. So they had been stored there for many, many years and it was a very attractive target for any potential hacker who discovered that particular flaw in design.
So that's definitely number one. And there's no reason why those terminals should store that transaction data. There simply is no business reason behind that. The next one is authentication into those terminals, which usually is done in a way that is easy to get around. There are many reasons for that, but sometimes it becomes almost egregious as to how it's implemented. The main reason, of course, is that it has to be usable for the employees who are coming in and out. It's a seasonal industry in many cases; explaining complex security approaches is usually a little bit more difficult.
In addition to that, those transactions have to be stored in a format that is at least an encrypted format on those terminals and in many cases that I've seen, in all the terminals in particular, that is not the case. So once you bypass the very, very easy authentication method, the transactions are completely available to you. You don't have to make any effort in getting them out of the device at that point. There are a few others, but these are the most common, if you will.
What do you think will be the future for POS in terms of vulnerability and security?
Well, what I think is one thing; what I hope is that the data retention issue that I mentioned previously becomes much more critical in terms of design. Again, if you reduce the exposure at that point, it means that the risk of any breach, in terms of what damage it may do, gets reduced significantly. It is certainly true that a lot of security vendors will try to capitalize on the POS as a major attack point and, as a result, at least in some cases, will increase security for folks who go ahead and utilize a more secure version of the POS system.
I'm not entirely certain as to whether this will become extremely widespread. Our experience is that retail is a very conservative industry. There needs to be a very clear understanding of the ROI on investment on something like, say, going out and spending a lot of money on each POS terminal. Again, if you reduce the risk from exposure, then the cost of exposure goes down. So I really do hope that the notion of really implementing strong data retention rules at the POS would become very popular.
Or the next thing I think will happen is that we'll see much more control on those points along the chain where POS terminals are reporting their transactions, or where they get consolidated. Those areas usually hold transactions from multiple POS terminals and therefore become more attractive in and of themselves. They also become an entry point and an attack vector into the main systems, those merchandising systems sitting at the back end, and thus they become very important when trying to discover a potential breach.
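For readers who want to see what the change detection Engel describes amounts to in practice, here is an added example written for this page (it is not Tripwire's code): a baseline of file hashes, sizes and permission bits is taken over a tree, the tree is then tampered with in the ways he mentions (a binary replaced with one of the same size, an upload target changed, a helper dropped, a file deleted), and a second snapshot is diffed into the exception report. The directory layout and file names are constructed for the example; a real deployment would keep the baseline off the monitored host and sign it.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record hash, size and permission bits of every regular file under root,
    keyed by path relative to root (so a baseline is portable between hosts)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full),
                             "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into added / removed / modified (with which attributes changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def exception_report(diff: dict) -> list[str]:
    """The lines an operator would actually read; an empty list means nothing changed."""
    lines = [f"ADDED    {rel}" for rel in diff["added"]]
    lines += [f"REMOVED  {rel}" for rel in diff["removed"]]
    lines += [f"MODIFIED {rel} ({', '.join(attrs)})" for rel, attrs in diff["modified"].items()]
    return lines


def run_demo() -> dict:
    """Build a constructed POS-like tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "pos", "bin"))
        os.makedirs(os.path.join(root, "pos", "etc"))
        with open(os.path.join(root, "pos", "bin", "register"), "wb") as f:
            f.write(b"\x7fELF register v1")                  # stand-in for the terminal binary
        with open(os.path.join(root, "pos", "etc", "upload.conf"), "w") as f:
            f.write("server=settle.internal\n")              # where batches are sent
        with open(os.path.join(root, "pos", "etc", "terminal.id"), "w") as f:
            f.write("T-0042\n")
        baseline = snapshot(root)

        # Tampering of the kind described above. The binary swap keeps the same
        # size, so only the hash catches it; size-only monitoring would miss it.
        with open(os.path.join(root, "pos", "bin", "register"), "wb") as f:
            f.write(b"\x7fELF register v2")
        with open(os.path.join(root, "pos", "etc", "upload.conf"), "w") as f:
            f.write("server=203.0.113.7\n")                  # batches redirected (documentation address)
        with open(os.path.join(root, "pos", "bin", "helper.sh"), "w") as f:
            f.write("#!/bin/sh\n")                           # dropped tool
        os.remove(os.path.join(root, "pos", "etc", "terminal.id"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for line in exception_report(run_demo()):
        print(line)
```

The report is only useful if someone reads it and if the baseline is re-taken deliberately after approved changes; an unexplained MODIFIED on a settlement upload target is exactly the "this is kind of funny, go see what it is" alert the transcript talks about.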
An interesting discussion has popped up on Jackson Shaw's blog about superuser accounts, which are essentially the admin accounts that must have universal access. And while a company's identity and access management might be top notch, and the entire system hardened against outsider attacks, if the superuser or privileged accounts aren't taken care of, that company is ripe for an insider attack.
The discussion on Jackson's blog is primarily about why many large IAM (Identity and Access Management) solutions don't also include a solution for superuser accounts. Some say because it's not a big enough market, or they believe that it should be a separate and distinct product, and even the ones that are building a solution (FYI, Apple has done a good job with Mac OS X) are building kernel-intrusive tools to manage the problem. As Jackson Shaw wonders, why don't they simply solve the problem at the very beginning?
At the IAM summit I had the chance to meet with e-DMZ and see their superuser solution, which falls under what Gartner calls Shared Account Password Management (SAPM). The first question I had for them was whether a buy-out was in the works, but while they did give me a quick smile, they offered no comment. Talking about how they had developed the solution, Kris Zupan, the CEO of e-DMZ, said he had worked at a big bank a long time ago and was put in charge of the shared user passwords. He said he would have to get someone to open a big safe, pull out a large pile of shared account passwords, and when he was finished with them, put them right back.
And while that worked all right for awhile, once the system grew -- as all systems do -- it became totally unworkable (unless, of course, the bank had invested in a much bigger safe, at which point he would have been at a convention called 'Bigger Safes and Security Boxes'). So he developed the e-DMZ solution, which you can check out right here.
According to Ant Allan's presentation at the Gartner conference, barring an external solution, the best ways to manage privileged accounts are as follows (this comes from Jackson Shaw's blog; Shaw works for Quest):
* Minimize the number of users with full superuser privileges
* Eliminate shared passwords for shared accounts - Indeed
* Eliminate hard-coded passwords for service accounts - Yes, please! Hearing that someone had one hard-coded for 18 years made my stomach turn.
* Look for tools from your preferred IAM vendors - Don't hold your breath.
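To make the second and third items above concrete, here is an added example written for this page (not e-DMZ's or Quest's product): a toy check-out vault for shared and service accounts. One user holds an account at a time, a ticket or reason is required, the password is rotated on check-in so the released secret is useless afterwards, and every step is logged so an auditor can answer who had access and when. Beside it sits the pattern to eliminate, a service-account password baked into the code. The account name, user names, tickets and the password are all constructed for the example.

```python
import secrets
import string
from datetime import datetime, timezone


class VaultError(Exception):
    """Raised when a check-out or check-in breaks the vault's rules."""


# The pattern to eliminate: a service-account password baked into the code,
# shared by everyone who can read the source, never rotated and never logged.
# (Constructed example, not a real credential.)
LEGACY_SVC_PASSWORD = "backup2007!"


def legacy_connect() -> tuple[str, str]:
    """Every run uses the same secret and leaves no record of who ran it."""
    return "svc_backup", LEGACY_SVC_PASSWORD


class SharedAccountVault:
    """Toy check-out vault for shared and service accounts.

    Exactly one user holds an account at a time, a reason is required, the
    password is rotated on check-in, and every step goes to an audit trail.
    """

    def __init__(self) -> None:
        self._passwords: dict[str, str] = {}   # account -> current password
        self._holder: dict[str, str] = {}      # account -> user who has it checked out
        self.audit: list[dict] = []

    @staticmethod
    def new_password(length: int = 24) -> str:
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def _log(self, event: str, account: str, user: str, **detail) -> None:
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "event": event, "account": account, "user": user, **detail})

    def enroll(self, account: str, admin: str) -> None:
        """Bring an account under management and immediately replace its password."""
        self._passwords[account] = self.new_password()
        self._log("enroll", account, admin)

    def checkout(self, account: str, user: str, reason: str) -> str:
        if account not in self._passwords:
            raise VaultError(f"{account} is not managed by the vault")
        if not reason.strip():
            raise VaultError("a ticket or reason is required")
        if account in self._holder:
            raise VaultError(f"{account} is already checked out to {self._holder[account]}")
        self._holder[account] = user
        self._log("checkout", account, user, reason=reason)
        return self._passwords[account]

    def checkin(self, account: str, user: str) -> None:
        if self._holder.get(account) != user:
            raise VaultError(f"{account} is not checked out to {user}")
        del self._holder[account]
        self._passwords[account] = self.new_password()   # the released secret is now useless
        self._log("checkin", account, user, rotated=True)

    def access_history(self, account: str) -> list[tuple[str, str, str]]:
        """(time, user, event) for every touch of the account, for the auditor."""
        return [(e["time"], e["user"], e["event"]) for e in self.audit if e["account"] == account]


def run_backup_job(vault: SharedAccountVault, operator: str, ticket: str) -> int:
    """Replacement for legacy_connect(): fetch the secret just in time, then release it."""
    password = vault.checkout("svc_backup", operator, ticket)
    try:
        return len(password)          # stand-in for "connect with the password and run the job"
    finally:
        vault.checkin("svc_backup", operator)


if __name__ == "__main__":
    vault = SharedAccountVault()
    vault.enroll("svc_backup", "admin")
    run_backup_job(vault, "alice", "CHG-1001")
    for entry in vault.access_history("svc_backup"):
        print(entry)
```

Rotation on check-in is what turns "who had access" into a question with a finite answer: after Alice checks the account in, the password she saw no longer works, so an 18-year-old hard-coded secret simply cannot exist in this model.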
November 16, 2007
Securing SaaS: A Live Podcast With Michael T. Donaldson of Ping Identity
What follows is my live podcast with Michael T. Donaldson, VP of Marketing of Ping Identity, from Gartner's Identity and Access Management Summit, where Michael and I discuss the objectives of Federated Identity, how it relates to OpenID, and what's coming up for Ping, and just to give you a teaser, SaaS is expected to break big.
Simplifying With Role Management: a Live Podcast with Brandon Whichard from Sun
This is my second (successful) podcast from Gartner's Identity and Access Management Summit, where it seems everywhere I turned news was breaking and breaking fast. In this podcast Brandon Whichard, Product Line Manager, Identity Management, explains Sun's announcement last Tuesday to acquire Vaau, then gives a brief overview of role management, and finally, what we should look for from Sun in 2008.
November 15, 2007
Blogging Live From Gartner's IAM Summit: Jackson Shaw, Quest
Had an exciting meet-and-greet with Jackson Shaw, the Sr. Product Manager from Quest, and I have to say, there is a big difference between sitting in my home office writing about this stuff and going out to the shows and meeting with the movers and shakers of identity and access management.
Jackson Shaw has a history as long as identity and access management itself, even before it was actually called identity and access management. He is currently with Quest Software, and Jackson said that even though many of the IAM solutions are offering automation, that does not mean they are offering simplicity, as in fact automation can often just add more complexity.
I also had to ask Jackson if it really felt like something big and important was under way at this year's summit, or if it just felt like this every year (this being my first year, how could I know?). Nope, he said, something's definitely happening this year, worlds are colliding. That is just like me, to join something just as it's about to hit big.
We had a long and far ranging talk about all things IAM, and on parting, I asked Jackson what we should look for 2008. He replied, "We're really going to start to see market forces collide around identity and access management from the consumer side and from the corporate side, and how that is going to force some of the revolution that Gartner and others are predicting."
Quick Take Podcast with CEO Omar Hussain of Imprivata
Got a chance to sit down with Omar Hussain of Imprivata, whose company is taking the next logical step in identity and access management and is tying together both the logical and physical worlds of access and identity. In this quick podcast, we discuss the fascinating story of Imprivata's creation, the ROI of IAM, and finally, what to expect in 2008 from this booming sector of the security industry.
November 14, 2007
News From Gartner: Cisco Scoops Up Securent
I have to make it quick, as the information is coming fast and furious...I have absorbed so much information at this point, it feels like my brain is about to deny me access.
My first sit-down was with Howard Ting from Securent, who immediately broke the news that Securent has been bought by Cisco. Wow, big news, and talking with Howard I could see Cisco knew what they were doing.
The Securent solution is spot on, with all the bells and whistles you would expect from an IAM solution, but it runs in real-time with precision control and is very dynamic. In fact, the information was so good, I sat down and recorded a podcast with Howard, but the MP3 player I used to record the podcast was new to me, and for the life of me I do not know what the player did with the sound file, so either it'll turn up soon or I'll record another podcast with Howard.
I was glad to hear that Cisco is mostly going to leave Securent alone and independent so as not to slow their momentum. And on leaving, I asked Howard exactly what were the main challenges Securent had to overcome in the past year, and he answered, "Educating the market that there is a better way to manage entitlement."
November 13, 2007
Off to the Identity and Access Management Summit
Tomorrow bright and early I am off to L.A. for the Gartner Identity and Access Management summit. I'm really looking forward to relaying the latest and greatest technology that keeps identity and the data behind each identity safe and secure without creating endless log-in hoops to jump through just to be able to start working.
I'll be blogging live from the event on both Wednesday and Thursday, so keep checking back throughout the day for all the access and identity management updates and highlights.
November 12, 2007
User-Centric Identity Management
A big question coming to the fore in access management is exactly how much control a user should have over their own identity, and over how their data is shared, while inside the company network. With User-Centric Identity Management, the answer is: quite a lot of control. But what is the advantage?
According to Identity Management Success, the thinking is, "In government and enterprises, user-centric Identity Management is considered advantageous for improving authentication, fraud detection, privilege management, and access control."
Pretty much exactly what you would want from an engaged workforce. And you simply do not want to saddle employees with endless authentication. I mean, the entire modus operandi of information technology is better productivity, better information, etc., but a poorly deployed IAM solution can bring IT's advances to a halt. To read the full blog, click right here.
The Digital Identity Forum has an interesting blog on companies pricing out Identity Management. Seems to me, with all the electronic ink spilled over various breaches and data thefts lately, I simply cannot imagine a company not taking Identity and Access Management seriously today, much like the company I used to work for in New York City that got very serious about our building's physical security after 9/11. What was once an anyone-who-walked-in-could-get-access-to-the-elevator policy quickly became a magnetic ID/everyone sign-in/announce all visitors policy -- and the same sea change should be going on with computer access.
For business planning purposes, how much should an Identity and Access Management system cost? One way to calculate it is to look at the price of stolen identities: as of the end of October (I wonder how much these prices fluctuate, and is there some sort of identity trading floor where someone shouts out, "The price of a Jerry just hit $9.50"), an email password cost as little as $1, and the details of a credit card as much as $350.
But businesses aren't exactly going to calculate how many credit cards they might hold and multiply that by anywhere near $350 to come up with their number. A much better method is the cost of a data breach. Gartner puts the price of a data breach at $300 per account, and that number accounts for investigations, fines and lawsuits. On the other side of the equation, good IAM security should cost around $16 an account over the first year, with that number declining over time.
So it is true what Gartner says, that implementing security is always cheaper than a data breach. I'm sure I'll have a lot more to report in terms of price, and apocalyptic warnings about not protecting your data, when I'm at Gartner's Identity and Access Management show next week in L.A. Look for me to blog live from the event!
November 08, 2007
Next Generation of Smart Firewall
Found an interesting article at Dark Reading covering the next generation of firewall, which is essentially a smart firewall. The organization running the firewall, Mercy Medical Center, has to control access for 6,000 different users with a number of different uses and needs (from doctors to nurses to admin), but must also protect sensitive patient records.
Mercy Medical Center runs Palo Alto Networks' PA-4000 Series firewall. While standard, or I guess we can now call them old-school, firewalls simply protect the network perimeter and either allow or disallow traffic by address and port, the next-gen firewalls work at the application layer and grant access based on other variables, such as the application in use, the user, and the type of data involved.
Mark Rein, senior director of IT at Mercy Medical Center said, “We were surprised at some of the information that our partners had access to,” but emphasized that there were no HIPAA violations.
“We were running into some capacity issues with our existing firewall [Cisco’s IPX], and thought it was time to look and see what else was available,” explains Rein. The Palo Alto product beat out security products from a handful of vendors, including Cisco and Juniper, because it offered more granularity than other firewalls, according to Rein.
And once the system was up and running, the security problems stopped. “Before we were guessing about which applications users were working with. Now that we know, we want to make sure that employees have access to information needed to complete their jobs without raising any security concerns,” says Rein.
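To make the difference between the two firewall models concrete, here is a small policy evaluator I added for this post. It is not Mercy Medical Center's configuration and not Palo Alto Networks code; the flows, the role names (doctor, nurse, admin, partner), the application labels and the "phi" data classification are all constructed for the illustration. The port-based policy sees only the destination port, so anything riding on port 443 gets through; the application-aware policy decides on the application, who is using it, and what kind of data it carries, with default-deny when nothing matches.

```python
"""Toy comparison of a port-based firewall ruleset with an application-aware one.

Added illustration for this blog post, not a vendor's or a hospital's real policy.
All flow records, role labels and classification labels below are constructed.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Flow:
    src_role: str    # who initiated the connection (constructed role labels)
    dst_port: int    # destination TCP port, all an old-school firewall looks at
    app: str         # application identity, as an app-aware firewall classifies it
    data_type: str   # payload classification, e.g. "phi" for patient records


def port_based_policy(flow: Flow) -> str:
    """Old-school model: decide on the port alone. Ports 80/443 are 'web', so
    anything tunnelled over them is allowed, whatever application or data it is."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# App-aware rules: (predicate, action), evaluated top to bottom, first match wins.
APP_RULES: list[tuple[Callable[[Flow], bool], str]] = [
    # clinicians may reach the EHR application, on any port, including PHI payloads
    (lambda f: f.app == "ehr" and f.src_role in {"doctor", "nurse"}, "allow"),
    # admin staff may use the EHR app for non-PHI data (scheduling, billing codes)
    (lambda f: f.app == "ehr" and f.src_role == "admin" and f.data_type != "phi", "allow"),
    # external partners never receive PHI, whatever the application
    (lambda f: f.src_role == "partner" and f.data_type == "phi", "deny"),
    # partners may use the approved transfer app for non-PHI data only
    (lambda f: f.src_role == "partner" and f.app == "sftp", "allow"),
    # file sharing and unidentified apps are blocked even when they ride on 443
    (lambda f: f.app in {"p2p", "unknown"}, "deny"),
]


def app_aware_policy(flow: Flow) -> str:
    """Next-gen model: application, user role and data type drive the decision."""
    for predicate, action in APP_RULES:
        if predicate(flow):
            return action
    return "deny"  # default-deny: nothing matched


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("partner", 443, "ehr", "phi"),         # partner pulling patient data over HTTPS
    Flow("doctor", 8443, "ehr", "phi"),         # clinician on a non-standard port
    Flow("admin", 443, "p2p", "generic"),       # file sharing tunnelled over 443
    Flow("admin", 443, "ehr", "scheduling"),    # legitimate admin use of the EHR app
    Flow("partner", 22, "sftp", "generic"),     # approved partner transfer, no PHI
]


def compare(flows: list[Flow]) -> list[tuple[Flow, str, str]]:
    """Return (flow, port-based decision, app-aware decision) for each flow."""
    return [(f, port_based_policy(f), app_aware_policy(f)) for f in flows]


if __name__ == "__main__":
    for flow, old, new in compare(SAMPLE_FLOWS):
        print(f"{flow.src_role:8} port={flow.dst_port:<5} app={flow.app:6} "
              f"data={flow.data_type:10} port-based={old:5} app-aware={new}")
```

The first sample flow is the case Rein describes: a partner connection that an old-school firewall waves through because it looks like ordinary HTTPS, while the application-aware rules deny it because of what it carries and who is asking. The second shows the reverse, a legitimate clinician blocked by a port-only policy simply for using a non-standard port.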
What follows is a transcript of my podcast with Eric McNeil, Manager of IBM's Corporate Security Strategy, where we discuss IBM's announcement of having achieved an end-to-end security solution (which you can read right here), or what IBM terms the 'Holy Grail' of computer security.
Why don't you just give our listeners an overview of your announcement?
Well, IBM really is changing the game of IT security. And it's really a game that needs to be changed. Given today's complex infrastructures, given the more sophisticated attacks our clients are seeing, given the more open, collaborative business models we're trying to secure. The current approach to IT security, that is, trying to secure this technology or that, securing applications, securing the data, securing the servers, is not enough. That's a much more holistic, comprehensive view of security and that's what IBM is announcing today.
So in the announcement, you started by saying security is broken. Can you elaborate on that?
Well, as I said, you know, given all the new threats and new complexities, it's very difficult to approach security from the bottoms up, technology-specific approaches we have today. Today's security is very much siloed. It's very much driven by technology, and what we're really trying to do is provide the capabilities to have the business requirements drive security. That it's less about securing this technology or that, but it's more about securing the business processes that really have a business impact on the client.
Some analysts have said that they believe that IBM is just too big, and all of your security solutions are too distinct and separate for you to really achieve an end-to-end security solution. So how do you respond to that, or how are you able to overcome that?
I'd say that it's going to take a partner of IBM's scale to really pull off all that this problem requires. We really are changing security in two ways: one, is really allowing people to mitigate risks across all five of the IT domains. So we look at the domains as: people, technology, information, applications and physical facilities. If you look at a business process, you can't secure that process just by securing one technology or one domain. It really will require you to look across all of those domains and look at controls on all those domains.
If you look at most of the security industry, they are focused on one domain or the other. So what IBM has done, we've made a significant amount of investments and acquisitions to develop very strong capabilities to mitigate risks across all those domains. And a great example is PCI. The PCI people were very smart. They didn't say "well, we have this data encryption challenge, so let's require some data encryption technology." What they did was look at the business process of what was happening. That is, how this customer information was coming into these firms, how it was moving around the firms, how it was touching different technologies and different people. And what they did was come up with twelve capabilities required to mitigate risk on the entire process.
What we're also now seeing is our PCI solution, which uniquely shows that IBM can cover all twelve of those capabilities.
You say that this will give companies a complete view of their security. Exactly what will this complete view of their security look like?
Well, in addition to managing risk and mitigating risk in each of the IT domains, we need to allow the company to make business decisions across all those domains. Because at the end of the day, security is much more a business decision than it is a bunch of technologies. So what we're really doing is elevating security to really be risk management, allowing firms to align these IT domains and IT security with their business processes, quantifying risk and moving to a continuous process and improvement approach that allows them to optimize their business results over time.
At the end of the day, CIOs and CISOs these days are more business executives than just managers of technology. And they're expected to manage risk in their domain the same way the CFO manages risk in his domain. And that the end result needs to be what optimizes business results.
As we all know, and as IBM has proven today, technology changes faster than any other industry. So how can a true end-to-end solution keep up with all of this change? And, by that, I mean -- how are you going to incorporate technologies like virtualization or service-oriented architecture into this end-to-end solution?
One thing that we're doing here is really separating governance from operations. And you can think of it as sort of like a car. Today, we have this car which is all these security technologies that people deploy but it has no steering wheel. From a risk perspective, it's driving all over the road. Increasingly, what business executives, the new business aligned CIOs and CISOs are trying to do is drive this infrastructure. They're looking for a steering wheel that allows them to align the risks across the infrastructures and make sure they are driving the infrastructures in a way that optimizes business results.
So we have this very strong focus on the governance of all these technical capabilities as well as segmenting them into their various domains so that we can pour in the right technologies, investments and expertise into each domain to maintain currency with technology progress as well as making sure we're providing leading edge capabilities in each domain.
How can this new approach bring business value to security?
First off, there's a lot of new business models people are trying to deploy. Globally integrated enterprises, managed services, service-oriented architectures… The challenge with any of these things is they bring a lot more complexity and risk into the organization. IBM's providing much more advanced capabilities to manage the risk and threats that these new business models bring so people can enjoy the business benefits of them.
We also allow them to take out significant costs out of their infrastructure. Certainly, there are some redundancies that people can minimize. We can also think in terms of business controls. Often, as people try to deploy best practices, say, in security, they also find that there are a lot of redundant controls. They might have thousands of controls they are trying to manage.
What the audit community is saying to companies is that they really want them to take more of a risk perspective to these controls, and drive to a more efficient set that can provide deeper understanding of how these controls align to the business, help them manage them better and be more responsive to effects on those controls.
People can then take out potentially millions of dollars worth of costs of how they're managing the controls today, which is through a lot of manual processes.
You say this is the first wave in this new wave of IBM security products. What can we basically expect in the second and third waves?
I think you will see IBM continue to flesh out these capabilities. Then going deeper and more comprehensively into each of the domains, and to orchestrate capabilities across domains and drive synergies among the domains. And increasingly drive security upward into the organization so that risk management could be done more automatically and more comprehensively.
As more and more companies scramble to comply with PCI, I think a good question to ask right now is, exactly how compliant was TJX before their massive data breach? Or, to put it another way, what's the point of struggling to get PCI compliant if it's simply going to result in another data breach like TJX?
According to Search Security, some recent disclosures from TJX court documents actually show that the retail giant FAILED 9 out of the 12 PCI DSS requirements covering encryption, access controls, and firewalls. Penalties for failing to comply can add up to as much as $500,000 and also include increased auditing requirements along with losing the ability to process credit cards altogether.
So should PCI be weakened in order to make it easier for companies to comply? "Looking at the 12 requirements [of PCI DSS], I have to wonder how could you make them any more lax than they are," said Keith Gosselin, IT officer for Biddeford Savings Bank in Maine. "These are the simplest of best practices. As a CIO, CEO or CFO, why would you not want your company to meet these requirements?"
Some companies have actually started pushing back, saying that PCI is simply too strict. "Companies have gotten over the scare from Enron and WorldCom and are starting to push back on these regulations and say 'hey, this is costing us too much money,'" he said. "You look at PCI DSS and there is nothing illogical about what's required. But if a company can get the rules lessened, that's what they're going to try and do."
The question is, though, once TJX was found to be in violation of 9 of the PCI rules, how come those problems weren't immediately fixed? Very simply because of lax auditing. Apparently, TJX passed a PCI DSS check-up, but some key problems were either missed or totally overlooked. "They had no network monitoring and no logs, and they had unencrypted data," an auditor who asked not to be identified said. "But this wasn't picked up by the auditor. They passed the Level 1 inspection and shouldn't have."
It also bears mentioning that TJX's problems go much deeper than simple PCI compliance, as TJX should also be used as a textbook case study in how not to use wireless networks.
So what's to be learned: Ignoring PCI and accepted best practices for protecting credit card data is like ignoring the dentist for a bad tooth...it only gets worse.
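The auditor's remark about unencrypted data that nobody logged or monitored points at a check any company handling card data can run itself, before the assessor shows up. What follows is an example I added for this post, not code from the article, from TJX or from its auditors: it scans a handful of constructed log lines for cleartext primary account numbers, keeping only digit runs that pass the Luhn check so that timestamps and order numbers do not trigger it, and reports each hit with the number masked. The sample lines and the card numbers in them are constructed (Luhn-valid test patterns, not real cards); the "enc:" prefix marking an encrypted field is an assumption for the illustration.

```python
"""Scan log or export records for cleartext card numbers (PANs).

Added example, not from the article or from any PCI assessor's tooling.
The records below are constructed; the card numbers are Luhn-valid test
patterns, not real cards. The 'enc:' prefix marking an encrypted field is an
assumed convention for this illustration.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued
# to other digits on either side (avoids matching inside longer numeric ids).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (the usual display form), star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(records: list[str]) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid PAN found in cleartext."""
    findings = []
    for line_no, line in enumerate(records, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


# Constructed sample records: one encrypted field, two cleartext PANs, one
# digit run that looks like a card number but fails the Luhn check.
SAMPLE_RECORDS = [
    "2007-11-08 10:15:02 order=48813 pan=4111111111111111 amount=29.99",
    "2007-11-08 10:15:03 order=48814 pan=enc:AES256:8f2a19c0d3e4 amount=12.50",
    "2007-11-08 10:15:04 order=48815 pan=1234567890123456 amount=5.00",
    "2007-11-08 10:15:05 order=48816 pan=3782-822463-10005 amount=99.00",
]


if __name__ == "__main__":
    hits = find_cleartext_pans(SAMPLE_RECORDS)
    for line_no, masked in hits:
        print(f"line {line_no}: cleartext PAN {masked}")
    print(f"{len(hits)} cleartext PAN(s) in {len(SAMPLE_RECORDS)} records")
```

Line 2 is skipped because the field is ciphertext rather than digits, and line 3 is skipped because 1234567890123456 fails Luhn, which is what keeps the scanner from flagging every sixteen-digit identifier in a log. A hit from this check on a production export or log is exactly the "unencrypted data" finding the auditor describes, and it is far cheaper to find internally than in a forensic report.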
Yesterday, IBM issued a press release announcing they have transformed security. If you haven't read the press release, you can do so right here. Quite simply, IBM announced that they have achieved the Holy Grail of computer security, which is a complete, end-to-end, one-stop shop for all of your security needs. As soon as I read the news, I immediately went...AH HAH!
While the announcement took me by surprise, I also have to say I saw it coming, and not only because IBM has been talking about an end-to-end solution all year long (and also buying companies in order to fill out their security portfolio).
But I guess what is missing is my true belief that it can be done. As IBM even said in the announcement, security is broken. But can they, will they, fix it? It reminds me a little of a Monty Python skit, where some loon tells everyone he is going to jump the English Channel. The fellow trains all year long, lifting, running, doing stretches, and even wears his best long underwear on the big day. A crowd gathers, the fellow runs and jumps...and lands about six feet out into the surf. A decent jump, but a jump that wouldn't even clear a large English puddle.
But such doubt is almost too easy. It's almost knee-jerk doubt -- because it's never been done, it never will be done -- and I'm sure that's how most analysts will respond to the announcement.
I think what IBM is attempting absolutely needs to be done, and if it's a little bit of cart-before-the-horse, so be it. Yesterday, I got a chance to speak with Eric McNeil, Manager of IBM's Corporate Security Strategy, and one of the biggest doubts about IBM pulling it off is the sheer size of IBM. But when I asked Eric that question, he replied that, in fact, it would actually take a company of IBM's size to pull such a thing off.
And you know what? I think he's right. Will it succeed? You know, even if IBM gets within 85% of their goal of complete security, the opportunity to end all the growing security redundancies and improve performance and cut cost, is just too great not to risk it.
And isn't IBM the company that transformed itself from a stodgy hardware company to a bit less stodgy software company a decade or so back? Look for my podcast with Eric McNeil either Tuesday or Wednesday of next week.