Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.
April 30, 2008
The Business Benefits of Event Processing: A Talk With WebSphere's Paul MacKay
Listen to or download the 3:01 minute podcast below:
What follows is a transcript of my podcast with Paul MacKay, worldwide sales leader of IBM’s WebSphere, where we discuss event processing: what it is, how it can benefit your business, and finally, the role event processing plays in SOA.
First of all, why don’t you give me a quick overview of what Business Event Processing is.
Well, Peter, Business Event Processing is really a software technology that provides the ability to sense when electronic signals indicating that actionable business situations have occurred and to coordinate the right response at the right time.
Now, exactly what is the benefit of Business Event Processing?
Well, Business Event Processing provides tremendous benefit in that it enables real-time patterns of events coming from disparate sources throughout a corporate infrastructure to be detected and to be evaluated and acted upon. But in addition to that, what Business Event Processing does is it abstracts the level at which the specification of these patterns is formed, making it possible for business personnel themselves to take responsibility for designing, deploying and maintaining their own Business Event Processing patterns. That's the real benefit.
The real benefit results in much more rapid time to market, much more rapid response to change, and empowering the business user to be able to take responsibility for the implementation of its own Business Event Processing needs.
I can certainly see how companies would be interested in something like that. Now, what exact role does Business Event Processing play in SOA?
Well, SOA focuses on the user’s view of a system at a conceptual level. SOA is really an extension of Object-Oriented Programming ideas, the principle of modularity, the design of an organization of the related services into a single service server module. So it relates services into groups of server modules. And event processing is a completely different ability.
Event processing is at the level of business events now entering the picture with a conceptual paradigm for remote access. A user no longer needs to access a service. Instead, a user can access services by sending and receiving events asynchronously. So they're really complementary, completely complementary paradigms doing completely different things. And together event processing and Service Oriented Architecture cover the entire waterfront of a business's needs.
April 29, 2008
What's All the Buzz About Event Processing? A Talk With BEA's Ruma Sanyal
Listen to or download the 6:27 minute podcast below:
What follows is a transcript of my podcast with Ruma Sanyal, Director of Worldwide Product Marketing for BEA's WebLogic Time and Event Driven Products, where Ruma explains all the buzz about Event Processing, how Event Processing works with SOA, BPM, and other implementations, and finally, how someone can get started with Event Processing.
Can you give me a quick overview of what Complex Event Processing is?
Sure. The straightforward definition of Complex Event Processing is as follows: Complex Event Processing correlates events into patterns that may present a threat or opportunity, typically processing vast amounts of data in real time. So although this is a great starting definition, I do want to add some color to that.
We prefer using the term “Event Processing” at least at BEA and when we speak with customers to refer to this area. We have found that in our discussions with customers and prospects that the term “Complex Event Processing” often conjures up images that it is a complex technology or the events involved have to be complex, etc.
So event processing, we have found, is the term that is becoming popular as the umbrella term to describe simple event processing, which is events at a time with or without mediation, event driven architecture, event processing in the context of SOA, Service Oriented Architecture, and Business Process Management, BPM, as well as high performance, often mission critical event processing, which is called "Complex Event Processing", which is also perhaps the most interesting type of event processing and almost always the ultimate goal of any type of event processing.
So let's focus on this type of event processing for a minute. Typically, this includes high volumes of continuously or 'burstily' streaming events that are of consequence to the business, emanating from within and from outside the business. These events from various sources have to be filtered, aggregated, correlated in real-time into a pattern that may represent a threat or opportunity to the business.
After that, a business process management system, or a custom application, or a human being might take an action to respond appropriately. Complex Event Processing systems need very special capabilities: the ability to handle an order of magnitude higher performance in throughput and processing, and an ability to respond in real-time.
So CEP, typically, is the upstream capability that is sensing events coming in. And once filtered and aggregated, these get funneled to other systems. So the performance has to be of a higher order.
And it seems like everywhere you look nowadays, you see something about Complex Event Processing. Why all this buzz?
Sure. The volume of data bombarding an enterprise is increasing exponentially. So Gartner estimates that today a large enterprise is being hit with 10,000 to ten million events per second. Network bandwidths are not constrained any more, transaction volumes have increased tremendously, new types of transactions and interactions are emerging, so you need to be able to handle tremendous amounts of data.
Now, if you look at it from a slightly different angle from a technology evolution perspective, about 50% of the enterprises are well underway in their SOA implementation, another 40% have specific plans. Once all these services get invoked at the various layers of the enterprise, there will be tremendous amounts of data flowing through the enterprise backplane and event processing is the only technology, reasonable technology and cost effective technology that can take advantage of that.
So that's sort of from the supply side of data. And then from the demand side, couple that with the fact that customers and markets are becoming increasingly impatient in terms of standard of service and how service needs to continuously improve. A very simple example of that is expectations around overnight delivery.
The SLA for that has increased tremendously. Also, the final kicker is cost containment. Feeling the heat of globalization, enterprises are increasingly focused on cost and CEP is the only technology that can address the data volume and the response time issues that I just referred to without putting in place really costly homegrown solutions.
Now, does this mean customers implementing SOA, or BPM, or BAM, or integration, do they have to start all over again?
Oh no, they don't, not at all. We have conducted a primary market research survey in fall of 2007 with, in fact, ebizQ, you guys, asking people about their event processing implementation goals. And of the 450 respondents, 70% said that they have implementation plans with their SOA, BPM, or BAM projects for event processing. This is absolutely the right approach.
Event processing is not a rip and replace technology but complementary to SOA and BPM. And as far as BAM is concerned, it is one of the first and foremost applications, you know, that uses applications as leveraging event processing. If you talk to Gartner's Roy Schulte, he will concur. Also, BAM is very complementary and almost required for a BPM implementation.
So you can see how these are all sort of tied together and they should all be thought of as complementary technologies coexisting with each other and interfacing with each other.
Excellent. So how does someone get started with event processing?
So I sort of have a three-pronged advice. Here's sort of my advice based on what I've seen that works well with customers. Number one, think about your business with an event lens: think about events, their sources, their consumers, and things of that nature. Then number two, if you are implementing a SOA or a BPM project, think about which part of it lends well to event processing.
Are parts of some of your business process going to benefit from real-time information and real-time action? I think absolutely. Your challenge is to identify those. Can your services be represented as events and do they need to be? The answer in certain cases is absolutely. And then number three, identify a small project.
Typically, I have seen what really works well is a BAM implementation. Say for a particular business function like your sales order, implement event processing for such a project and prove success to the rest of the organization; it's that easy.
What follows is a transcript of my podcast with Jack Danahy, Founder and Chief Technology Officer of Ounce Labs and one of the industry's most prominent advocates for software security assurance. In this podcast we discuss the security perils of outsourcing application development, whose responsibility it is to assure that applications are secure, how to actually make sure they are secure, and what Jack thinks the future of application outsourcing is both in terms of risk and reward.
What are some of the main security problems that arise when a company outsources their application development?
I would probably characterize them in two buckets and the first is communication. And we learned this early on as outsourcing was taking off in terms of functionality that organizations had to be pretty specific about what they wanted, if they wanted to get the most value out of the outsourcing. So it’s sort of – say to the first one is communication and the second one is enforcement where functionality is something again, which can be designed for.
It can also be fairly easily tested for and people know how to do that well. In security, the combination of these two things takes a slightly different form. A lot of organizations haven't really stopped themselves internally to think about what security means for an application, or business purpose to which they're going to an outsourcer, nor have they thought hard about how they're going to check to make sure that those things have been done.
So sometimes, what we're seeing most is a lack of communication of what exactly an application is going to do and what it's going to require in terms of security. And then on the back end, there is oftentimes a lack of sufficient enforcement technique and technology to be certain that the application as delivered satisfies those security requirements.
Great. Isn’t it the responsibility of the company developing the application to make sure it is secure?
Yeah, I think that’s exactly the right point. And the problem is that security is not a word that means the same thing for every application or to every organization. So I’ll give you an example. If I’m simply hosting up a website, and all its going to be doing is soliciting market feedback for something, and is fairly straightforward, and is not taking in private information, or exposing private information, then its level of security is by its nature going to naturally be lower than will be an application which is being developed perhaps to do payment, or transaction processing, or point-of-sale.
So as a result, the outsourcing group that’s responsible for developing the application, may very well develop a perfectly secure application for some definition of security, but it may not fully understand the business purpose of the application is going to be put to. And as a result, it may not be secure enough for that purpose. So the answer is, yes, they should design a secure application, but back to my earlier point on communication, it’s the responsibility of the organization asking them to build it to define what that means.
How common is it to have security vulnerabilities in an outsourced application?
I think, first off, it's very, very common to have security vulnerabilities in a lot of different kinds of applications. One of the reasons why Ounce Labs is having the success we are is because a lot of organizations recognize that great applications meant to do a certain job whether it was perhaps not intended to be networks automatically, or that was intended to take in less secure data, and either the landscape, or the information needed has changed, aren't necessarily designed to be as secure as they should be.
So this is not simply within the purview of outsourced applications but it’s pretty general. Outsourced applications are even more problematic, mainly, because of the fact that the organization developing it sometimes misses on the requirements for security for the groups that are actually asking them to build it.
And a good example of this would be any number of the outsourced applications that have resulted in some of the private information leakage. And many times, it's a well-built application that simply didn't understand that the information was going to be a private style of information.
How can a company make sure their applications then are free of vulnerabilities when they’re outsourcing?
I think one of the things we want to talk about in terms of an outsourced application when we talk about vulnerabilities is the first version, or the first flavor of vulnerabilities we care about, are those which sort of omitted problems, right. So I forgot to tell the provider that this information is going to be private and they should make sure that they never store it, or they only store it encrypted, or something like that.
And so the great way to do that is just tell them up front. The information that's coming in this particular part of the application is going to be private, it's confidential for me, or it's going to be private from the user, so please be sure when you build your application that only authorized people can touch it, and only the people who are sending it in really know what it looks like, and if you have to store it, it's stored in a safe manner. Right.
So that is one of the big places where adding this kind of value can help by giving them that information upfront. Once the software arrives, best efforts being what they are, it’s still the responsibility of the organization who’s going to be running the software to ensure that the software as delivered is going to meet those security requirements.
So we definitely recommend using software analysis technology such as Ounce Labs to go through that application and be able to very conclusively say every time this data comes in, it's encrypted, or it's always destroyed and never stored, or that the authorization model is sufficient to make sure that the wrong people don't have access to it.
So it’s this combination of being upfront, and taking the time, and sort of having sort of the internal rigor to define clearly for the outsourcer what it should look like, and then having both within your contract language as you define those requirements, this capacity to do enforcement, and then actually doing the enforcement on the back end so when it lands you can check to make sure it’s what you thought it was.
What are some of the warning signs that you might not want a company to develop your applications?
Well, a lot of what we see is some really substantial, favorable traction among the outsourcing community for taking on this style of requirement gathering this additional rigor in the development process.
But if you run into a company that says that they do not want to be held to this, that they don't want the contract language to say that you're going to reserve the right to check the code to make sure that it's secure, or that you're going to be asking them to do a specific set of things that you will later enforce within the contract with language and sometimes with cost recovery. If they're unwilling to accept that, that should really raise a massive warning flag because either number one, their expectation is that they're likely to make a mistake and not deliver it.
Or number two, that their existing processes are pretty rigidly defined and so it's difficult for them to move off of those to support your needs from a security perspective. Or number three, that they have a lot of turnover perhaps in terms of their personnel and so they don't have a sense of confidence that the actual people who will be doing the development are capable of manufacturing an application to the standards that you've given them.
So the main warning sign we look for is organizations which are reticent to support what, I think, are very, very straightforward security requirements, which look a lot like functional requirements that most organizations are happy to take on.
Now, what do you see as the future for both outsourcing in terms of both the risk and the rewards?
Well, I think that there continues to be a great deal of motion not just from the cost-saving perspective, which clearly is one of the early drivers of outsourcing, but the capacity of outsourcing to allow organizations to focus more directly on their core businesses. So financial services institutions can focus on great financial attractions with their partners, or healthcare agencies can focus on healthcare and not on application development.
So I think that the ongoing rewards will remain largely the same as they have been, with this capacity to focus folks on your core business and achieve these cost savings. And I think the risks, as more organizations begin to treat security as a fundamental almost functional requirement, I think, what you'll find happening is that the risks will actually go down.
I don't think the risks are going to increase because I think the biggest risks existed when organizations didn't feel comfortable asking for more secure applications, didn't feel comfortable in their definition, or didn't feel comfortable, sort of, demanding that they be allowed to reserve the right to audit these things after they get delivered.
So I think what you're actually going to see is that the rewards will continue to maintain their value and that the risks will actually decline as organizations take advantage of the knowledge that they can ask for specific security characteristics which will protect them from liability, and that they will actually be able to enforce those when they come over the wall so that they will be more in keeping with their own internal and external compliance guidelines.
April 02, 2008
The Rapidly Changing World of Security: A Talk With Sophos
Listen to or download the 11:06 minute podcast below:
What follows is a transcript of my discussion with John Shaw, the Director of Endpoint Security and Control at Sophos. John drives the inception, development, and launch of new products at Sophos, and together we discuss the current vulnerabilities, what's wrong with most security products today, what John thinks about Microsoft Vista, along with his take on Bruce Schneier's comment that standalone security will one day cease to exist, and much, much more.
What security threats do companies need to be most concerned with today?
So there's obviously a whole range of threats out there. I think that whenever we talk to businesses and hear what they're most concerned about, the traditional issues of viruses, and worms, and so on are still very much front of mind. Increasingly, of course, there are issues such as data leakage, and more generally, just control over the kind of use that's being made of corporate assets and where data is going are clearly very hot topics as well.
When it comes to the kind of the nature of the threat, we're seeing sort of a couple of key changes going on. One, is that the Web has a big part to play in a huge proportion of the threats we're seeing these days in terms of spyware, in particular, both the way that people get infected, also the way that information gets stolen back out of an organization.
And the other factor that we're really seeing is that because threats are being very commercially driven these days that they're much harder to detect, they're much more under the radar, they're much more targeted. And what this means is that the kind of traditional methods of using signature-based antivirus are no longer enough to protect against those kind of threats. It's no longer enough to wait until one company has been infected and produce a signature to protect everyone else.
What is Sophos doing exactly to address these threats?
So something we've been doing for the last couple of years now around the nature of these sort of targeted, rapidly changing threats is to do much more in terms of proactive protection. So we've moved beyond signature-based protection. Signature-based is still very much at the heart of what we do, but we've been doing much more in terms of behavioral-based detection so you're able to detect and stop new threats before they've been seen by anyone, before a signature has been produced, and we're stopping around 80% of the new pieces of adware, spyware, viruses and so on that we see coming out. Around 80% are being stopped by our proactive technology, if you like, today.
And then the recent announcement is really around us going even further than that. Where we see the biggest hole now in people's defenses is actually around being confident that that kind of proactive software, antivirus software, is actually running on each of your computers and that the computers are properly patched and so on. So these days what we're offering customers -- what we've just announced is the ability to do what we're calling "preventive protection".
So this is about, rather like preventive health, this is about making sure that computers on a company's network are properly protected, are running up-to-date software, are running the right patches, are running the right service packs and so on, so that when a threat targets them, a business can be confident that the computer's actually going to be protected.
Gotcha. Now, what do you think is wrong with most companies' security solutions today?
Well, I think that -- really, that last issue I was talking about is probably the biggest concern, you know. When we look at why it is that businesses continue to have an issue with being infected with malware, with having data stolen from their networks, it's often because it's very hard for an IT manager these days to be confident that the computers on the network are running the right software and are up-to-date; so that's about two things.
One, it's about that pesky problem of the end-user and the end-user changing stuff. So, you know, it's hard for an IT admin to keep control of the way that their computers are set up and configured, so end-users inevitably want to fiddle with things and change things. And the other challenge that's there is really around the management solution for security solutions and the visibility they provide. It's very hard actually to have a tool that is simple to use and simple to show you the state of protection on your computers; how compliant your computers are. So those are probably the big challenges that we see businesses facing today in terms of their current security solutions.
Now, I saw with your announcement -- tell me what exactly is the advantage of integrating NAC with Endpoint Security Protection?
So, yeah, as you say, what we've done is integrated NAC or network access control type technologies. And the advantage of doing that as well as now doing the job of protecting each computer, we're looking at the kind of network as a whole and ensuring that every computer on the network is healthy and protected.
Now, why does it need to be done, you know, by the same solution? It really comes to a couple of things. One is the issue of agent pollution. What we find is that IT managers really don't want to keep on putting yet more and more bits of software onto their computers; it creates a headache in terms of management, and it slows computers down, and it can be very invasive. So agent pollution is one issue so they really don't want to go to yet another vendor and put yet another agent on every computer in order to ensure that computers are healthy.
And the other piece is around management. Again, as you know, particularly in the current economic climate, IT teams' budgets are not getting any bigger, they're probably being asked to do more stuff but with a budget that isn't rising. And there's such demand on IT managers' time that they really don't want to be learning new complex management tools. So the approach we've taken is to say it's a single deployment.
We don't ask you to do any sort of separate agent deployment onto the computer, it's part of the job of doing antivirus we're already doing, and we're letting you manage this stuff through the same management toolset that our customers are already using to manage antivirus and endpoint security.
Awhile ago, there was some disagreement between security companies over Microsoft Vista. What's your opinion on Vista today?
Well, you know, I view Vista as definitely an advance from Microsoft in terms of the security of the operating system, so it is a more secure operating system than Windows XP and that is absolutely a positive development. I think there has been some debate around some of our competitors around Microsoft shutting security vendors out of Vista in some way. Because they -- part of the locking down that Microsoft has done has made it hard for some security software to run.
We actually felt even at the time that actually Microsoft had done the right thing, that was, you know, a better net benefit to the customer that the operating system is more secure and that it really was up to security vendors to make their software work in the right way. We've also seen from Microsoft with Vista Service Pack 1 some good developments in terms of opening up in a properly secure way more interfaces for third-party security vendors. So, basically, what we think is that Vista is going from a security perspective at least much [0:06:51] the right things with Vista.
Gotcha. Now, security guru Bruce Schneier believes that at some point security will no longer be a separate solution but will be coupled with whatever application or service you're using. What's your take on that?
Well, again, I think, as always, the truth is always somewhere in between. It's certainly the case that there is a trend towards, for example, vendors such as Microsoft putting more emphasis on security and putting more security features into their products and that can only be a good thing. So, you know, taking Vista as an example, yes, Vista is more secure but is it the case that you no longer need to run security software on it? Of course not.
So there's still clearly a job to be done for a vendor that's coming in with expertise around the threat space; the kind of threats that are out there to give you the extra sort of confidence that you're protected against malware, viruses, worms, Trojans, viruses etc. etc. etc. in case of airspace. And, I think, it's unlikely that in most cases customers are ever going to get to a point where they're going to rely purely on the original vendor for security and not look at any security solution on top of that; particularly, when you look at that actively, you know, these days a security solution needs to look right across the network not just on one particular vendor's piece.
So the reality is that very few of our customers are just running the latest Windows operating system, for example, they're running older Windows, they're running Macs, they're running UNIX, they're running Linux, they're running OpenVMS even. So there's a whole range of operating systems out there. So there's clearly a role to be played for someone who's looking at things from a security perspective and providing a complete security solution on top of the security that's in each product.
That makes a lot of sense to me, actually. So now what do you see for the future of security both in terms of threats and where the industry is going?
That's a great question. In terms of threats, unfortunately, we see that the number and type of threats out there is just continuing to expand. So the reality is these days that threats are largely very commercially motivated, there's money to be made out of stealing information, there's money to be made out of blasting information such as, you know, spam that's then got to kind of sale attached to it, so that there's a lot of money to be made out of the kind of threats that are out there.
And where there's money to be made, there will be innovation. There will continue to be innovation. So as I mentioned at the beginning, the Web is playing a large part in threats these days. We're beginning to see things, for example, using things like USB keys, we're beginning to see occasionally things now targeting Macs whereas originally it had been always entirely targeted at Windows.
So as technology adapts, as new technologies come in, the malware authors will continue to find innovative ways of using those new technologies and they will continue to find ways of bypassing the defenses that are in place. So I'm afraid it's bad news from that point of view, I think. How does the industry need to handle that? Well, we think it's absolutely crucial that the vendors in this space take a holistic view of the threats rather than trying to pick, you know, viruses as an area of specialty or spam as an area of specialty.
So it's absolutely vital to look at the range of threats as a whole so that you're not blindsided as malware authors start to use new techniques. And I think the other piece is that really what we owe to our customers is to give them solutions that are simple and don't start reintroducing these problems of agent pollution. So we can't keep coming up with new point solutions and trying to extract more money out of customers for solving the new types of threats that come out there; that's not a reasonable thing to ask of IT managers.
So the industry needs to get its act together and that's certainly what we're doing in terms of providing a simple to use solution that doesn't pollute computers with lots of different agents and that does provide complete protection against all the different kinds of unwanted stuff that's out there.
What follows is a transcript of my discussion with Bruce Schneier, Founder and Chief Technology Officer of BT Counterpane and the well-known Schneier on Security blogger. In this podcast we discuss current vulnerabilities, what the future of the security industry will look like, security industry consolidation, encryption, and finally, the time frame for changes in the industry to come about.
First, what threats do you see that companies need to be most concerned with at this point?
The biggest threat right now is crime. About five years ago, criminals discovered the internet in a big way, and whether it's identity theft (which is fraud), denial-of-service extortion, or other attempts to make money, crime is the primary threat on the net, and when we're worried about internet threats, we're worried about crime.
I've read some of your general comments about, essentially, in a perfect world, the security industry would be unneeded. Can you comment on that?
Well, not that it would be unneeded. I mean, security is extremely important and we need the industry to provide the technologies, tools and techniques to make us safer. What we don't need is to have that being sold to the end-user. So, for example, when you buy a car, it contains all sorts of safety features but you don't buy those safety features separately – they're embedded in your car. The reason you're buying a firewall is because your network's hardware and software isn't secure and that functionality should be embedded in your network. So, the future of security doesn't have it disappear, but it becomes embedded into the products you buy – into your operating system, into your networking, and as you buy larger things, security stops being a separate thing you buy and instead becomes a component of everything you buy.
What about the human element of security on both the security side and the hacker side. Won't that always leave sort of a margin of error where somebody, a third party essentially, is going to have to step in and regulate that or protect it?
Well, of course, right, you know, humans are always the weakest link in security. But, you know, it's only in the computer world that people expect absolute security. I mean, no one has ever provided absolute security against murder or burglary and the weak links are always human. So, yes, there will be residual threats, there will be the need for regulation, for law enforcement, for all the things that deal with security in the human world. That doesn't magically go away because you're using computers. And that is, right now, the biggest problem and will always be. The human element is what we have to deal with, whether it's honest users making mistakes or getting fooled, whether it's hackers who are deliberately manipulating things, whether it's the malicious insiders who have access and knowledge and ability – these are problems that are as old as civilization, they're not new.
Now, in this vision do you see consolidation as the answer to gathering all the security resources together?
It's not consolidation as we're used to. In the security industry, there are waves of consolidation, you know, big companies scoop up little companies and then there's lots of consolidation. You've got Symantec and Network Associates that way. And then you have "best of breed" where a lot of little companies spring up doing one thing well and then you cobble together a suite yourself. What we're going to see is consolidation of non-security companies buying security companies. So, remember, if security is going to no longer be an end-user component, companies that do things that are actually useful are going to need to provide security. So, we're seeing Microsoft buying security companies, we're seeing IBM Global Services buy security companies, my company was purchased by BT, another massive global outsourcer. So, that sort of consolidation we are seeing, it's not consolidation of security; it's really the absorption of security into more general IT products and services.
That makes a lot of sense. Now in this vision, do you see still a role for a small security upstart?
Oh, of course. And there always will be just like, again, using the automotive example, there are small companies that build safety equipment. But the thing is they're not going to sell to the end-user. If you're going to be a security start-up five years from now, you're going to sell your products or services to the operating system vendors, the networking vendors, to the large IT outsourcers. Your goal is going to be to get your idea, your product, your service, your patent, whatever your technology is, embedded in these larger product offerings.
Gotcha. Now to switch gears a little bit. I know you're quite an expert on encryption. Do you think the data on laptops and handheld devices – will that ever just be secure?
Again, I mean, we're talking about absolutes again. Will you ever be secure from murder? Of course, the answer is 'No', there will always be some risk. My laptop is encrypted, I use PGP disks, I'm very happy with it. It's a full disk encryption and my data is secure. Is it absolutely, 100% secure? Of course not. Is it good enough for every purpose I can think of? Well, pretty much, yes. So, sure, I mean, these are not hard problems. But yet, we have to get out of the absolute thinking. And that's very much computer thinking. No one would ever imagine saying "But you're still at risk for murder" even if you wear a bullet-proof vest – when are we going to fix that problem. We realize that problem never gets fixed. You know, laptop encryption is no different.
Now what do you see the timeframe on this? I mean, obviously, it's happening right now. Do you think five years in the future or?
I'm sorry, timeframe for what?
This encapsulation of security into the end product.
You know, I'm really bad at timelines. I figured it would happen already. We're seeing the signs of it. How fast it goes really depends on the appetite of organizations for buying larger IT products and services, for buying big contracts, like the kind that IBM Global Services, BT Global Services, AT&T Global Services provide. As those become more ubiquitous, the technology starts becoming embedded and then gets sort of encapsulated away.
What follows is a transcript of my podcast with two people from Packet Analytics, Andy Alsop, President and CEO, and Ben Uphoff, the Vice President of Research, where we discuss Packet Analytics' Network Forensic Search Engine, how the tool was developed at Los Alamos National Laboratory, what the Network Forensic Search Engine does, how it would have helped with an access breach like Societe Generale, and, finally, what they see for the future of security.
Packet Analytics recently announced the launch of a Network Forensics Search Engine, give me a brief overview of both your company and what the announcement entails.
So essentially, what we’ve done is we have developed technology that has been licensed exclusively out of Los Alamos National Laboratory and we have commercialized the software that was developed by Ben and developed it and are selling it as a product called 'Net/FSE' or the Network Forensics Search Engine.
It allows security analysts to do deep dives into network alerts using all that voluminous network data (IP-based data) that exists on the network, allowing them to dig down deep into those alerts and put context around those alerts far beyond any of the other solutions that exist in the marketplace today.
As you mentioned, it was with an agreement with Los Alamos National Laboratory. I find that fascinating so tell me a little bit more about that.
Well, the technology was developed at Los Alamos based on the needs of the network engineering group there, specifically, the network security team. And what we were faced with was millions and millions of events being generated by the network every day that all had really interesting information in them, but we didn’t really have the technology to quickly search and efficiently store that data, so we set out to solve that problem by developing Net/FSE, and that technology allows the security analyst at Los Alamos to, in a single web interface, access all the network log data that’s important in their day-to-day operations to get down to the bottom of security incidents, intrusion detection system alerts, or just, kind of, you know, user troubleshooting questions.
So now tell me a little bit more about how the search engine works and exactly what does it tell you.
The search engine is designed and optimized to quickly search through IP-based network information. One 'sweet spot' of the search engine is NetFlow data and that was a real driver of the technology. At Los Alamos they were generating over a hundred million NetFlow events from routers alone off the network, and that’s not even including firewall data or IDS data. We’re looking at potentially hundreds of millions of network events, and the search engine was designed to be optimized for that situation and to quickly put the data at the fingertips of security analysts and work as a tool for them to do their analysis and incident response.
How would a tool like this have stopped what happened to the bank in France, Societe Generale, where the rogue trader essentially traded away $7 billion?
Well, what I would say is that essentially it’s not going to stop an event from happening but what it allows the security analyst to do is to be able to recover much more quickly. Currently, what ends up happening is that there is no way to have visibility -- significant visibility into all of that network data as it exists today and many organizations aren’t even collecting it.
But if the bank were to have been collecting this type of data, what it would allow them to do is to look into the activity of that trader to put more context around his activity and what he was doing. So as soon as the alert or something triggered on his behavior that something had been going on, and they needed to do the forensic investigation beyond just what he was doing in his trading system, it would allow the analyst within the organization to determine maybe what his motivation was or what websites he was visiting, looking at his email traffic, looking at his network traffic to be able to put context around all this trade activity.
And as you’re seeing in the, you know, in a lot of the news reports, that’s one of the -- one of the pieces they’re still digging down into is what was all the motivation behind this and all the trades that he did.
Now, what do you see for the future of both security and your company?
Well, what we’re seeing is there are trends in the industry and they’re already starting. There’s a -- if you consider the whole security -- the IT security piece as being a pie, a large segment, maybe 90 percent of the pie right now, if not more, is being focused on the -- what we call the “protection and detection” side and that is securing perimeters and looking at what intrusions might be coming in and trying to block those intrusions.
We expect that companies have to and will continue to invest in those technologies. But there’s a piece that’s missing and that’s the piece we’re bringing to the table as well, and that is the incident response side -- the ability to respond when something happens. Because you can just see that 2007 was really an awful year and there were a lot of companies that found themselves with situations they weren’t expecting and didn’t have the opportunity to quickly recover and respond.
I mean TJX is probably the bellwether example of having to take months to figure out what happened. There really has to be an incident response plan that is proactively put in place. And that -- I see that as being a growing piece of the pie for IT security spending.
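The workflow described in this interview (an alert on one host, then a search through NetFlow records to put context around it) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not Net/FSE or any Packet Analytics code, and the flow export, the alert host 10.1.4.23 and the alert time are all constructed for the demonstration. It builds an inverted index from IP address to flow records, pulls every flow touching the alerted host within a time window around the alert, and summarizes the peers it talked to by byte count, which is the kind of context an analyst wants before deciding what happened.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NetFlow-style export (ts,src,sport,dst,dport,proto,packets,bytes). Not real data.
FLOW_EXPORT = """\
2008-01-21T09:50:00,10.1.4.23,51000,192.0.2.10,80,TCP,10,2000
2008-01-21T09:58:10,10.1.4.23,52100,198.51.100.7,443,TCP,18,4120
2008-01-21T09:59:45,10.1.4.23,52101,198.51.100.7,443,TCP,250,910000
2008-01-21T10:00:30,10.1.4.23,52102,10.1.0.5,25,TCP,12,3300
2008-01-21T10:01:02,10.1.7.90,40000,10.1.4.23,445,TCP,6,800
2008-01-21T10:03:15,10.1.9.2,33000,192.0.2.10,80,TCP,5,700
2008-01-21T10:20:00,10.1.4.23,52110,198.51.100.7,443,TCP,3,500
"""

FIELDS = ("ts", "src", "sport", "dst", "dport", "proto", "packets", "bytes")


def parse_flows(text):
    """Parse the CSV export into dicts with typed timestamp and integer counters."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        for key in ("sport", "dport", "packets", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def build_index(flows):
    """Inverted index: IP address -> positions of every flow it appears in, as source or destination."""
    index = defaultdict(list)
    for i, f in enumerate(flows):
        index[f["src"]].append(i)
        if f["dst"] != f["src"]:
            index[f["dst"]].append(i)
    return index


def search(flows, index, ip, center, window):
    """All flows touching `ip` within +/- `window` of `center` (the alert time), in time order."""
    lo, hi = center - window, center + window
    hits = [flows[i] for i in index.get(ip, []) if lo <= flows[i]["ts"] <= hi]
    return sorted(hits, key=lambda f: f["ts"])


def peers_by_bytes(hits, ip):
    """Context for the analyst: who did the host talk to, and how much data moved."""
    totals = defaultdict(int)
    for f in hits:
        peer = f["dst"] if f["src"] == ip else f["src"]
        totals[peer] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def investigate(alert_ip, alert_time_iso, minutes=5):
    """Given an alert (host + ISO timestamp), return matching flows and the peer summary."""
    flows = parse_flows(FLOW_EXPORT)
    index = build_index(flows)
    center = datetime.fromisoformat(alert_time_iso)
    hits = search(flows, index, alert_ip, center, timedelta(minutes=minutes))
    return hits, peers_by_bytes(hits, alert_ip)


if __name__ == "__main__":
    # Constructed IDS alert: host 10.1.4.23 at 10:00 on 2008-01-21.
    hits, peers = investigate("10.1.4.23", "2008-01-21T10:00:00")
    for f in hits:
        print(f["ts"].isoformat(), f["src"], f["sport"], "->", f["dst"], f["dport"], f["bytes"], "bytes")
    print("peers by bytes:", peers)
```

With the constructed data the five-minute window around the alert returns four flows, and the peer summary immediately surfaces the 443 connection that moved roughly 900 KB, which is exactly the lead an analyst would chase first. At the scale the interview mentions (hundreds of millions of events a day) the in-memory list would be replaced by on-disk, time-partitioned storage, but the index-then-filter shape of the query is the same.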
February 20, 2008
SOA Security Beyond the Perimeter: A Talk With Anne Thomas Manes
Make sure you sign up for what's certain to be an exciting and illuminating ebizQ SOA security roundtable happening next week Wednesday, February 27th. Sign up right here!
Listen to or download the 6:58 minute podcast below:
What follows is a transcript of my podcast with Anne Thomas Manes, Vice President and Research Director of the Burton Group, where we discuss SOA security -- how traditional security methods are insufficient for protecting SOA, why layered defenses are best, whether or not security will slow down an SOA deployment, and finally, what's coming in the future for SOA security.
What are top security concerns associated with SOA?
I would say that the biggest concern is the fact that with services, you’re exposing business processes within your organization and if you don’t properly secure those interfaces to those business processes, you’re now letting anybody in the world come in and access them.
And, you know, a lot of people think that well as long as I keep it only inside my firewall it’s reasonably well protected. But, you know, if there is a URL that provides access to a service, chances are somebody’s going to be able to connect into it. And the -- the idea that your perimeter is actually going to protect your internal systems is pretty dangerous at this point.
So you mention perimeters, which sounds a lot to me like a traditional security system. How come traditional security like perimeters and intrusion detection systems, how come they’re not sufficient to protect SOA?
They’re really good for protecting a single URL, so as long as there are no links, or there are no hops in the process, as long as you’re having a client talk directly to the service and you’re protecting that one URL that’s providing access, then that might work okay. But the thing is that when we’re dealing with service-oriented systems, you typically have many different services involved in a process.
And as you go from one service, to the next service, to the next service, to the next service, you wind up losing all of the authentication information and you lose any opportunity to truly audit the process. And so you need some kind of mechanism to actually carry along the original user’s ID and to capture the path and all the different services that get touched in the process in order to capture the appropriate amount of information to support your requirements for, you know, all the regulations that are going on, or for e-discovery type of requirements and things like that.
So the traditional mechanisms that are out there typically are based on point-to-point security, so they will protect a communication between one endpoint and another endpoint. And they will enable authentication between those two endpoints, but they won’t provide the kind of security required to protect information when it’s sitting in an intermediary or propagate that authentication information on to the next hop in the process.
So is what I’m hearing, is it a layered defense would be best for SOA security?
Well, I certainly like layered defenses. So you got the idea. You’ve got your periphery on the outside, so you’re using traditional firewalls, using traditional virus and intrusion detection and those kinds of things because there’s an awful lot of things that can filter out. But then, you also want to make sure that the individual endpoint does proper authentication, and you may actually want to put in multiple levels in between, which are giving additional levels of authentication, and capturing the audit trail, and other different areas.
So yes, I recommend that you use a combination of security protections when you’re dealing with a service-oriented system. You use the traditional periphery type of security measures, you also use identity-based security measures at the endpoints, and then potentially you use additional intermediaries to perform additional security capabilities like auditing, or cross domain, credential mapping and things like that.
Is it essentially a given that security concerns will slow down a SOA deployment?
Well, that actually depends on how well managed your security strategy is. If you have to devise a security system for every single service, then obviously, that’s going to delay the deployment of a particular service. But if you’ve got security that’s automated and mechanized within your system, you could actually get it so that you simply deploy the service and then you configure your security requirements at the service and it’s taken care of automatically.
That’s actually part of your governance program. You want to make sure that it’s part of your governance program, you have a standard security strategy and you just make sure that whenever a service gets deployed it automatically gets instrumented and secured according to your policies.
Right, that’s good to know. Now, what do you see as the future of SOA security?
At this point, I think it’s actually really easy to secure your environment. You just have to use different practices than what you would probably do just for your websites. There are some great technologies that are out there that will enable the kind of security that I’m talking about. Any platform that supports Web services has the ability to support WS-Security.
So that gives you the ability to actually capture security information and pass it with the message, and that’s one of the things that’s required to do the multiple-layer defense approach. And then there are some really good technologies out there from XML gateway vendors or from Web services management vendors who provide the kind of automated infrastructure that I was just talking about, which will automatically protect your services for you, and automatically configure the kind of management and security protections that you want, such that you don’t have to do a whole bunch of effort every single time you deploy a service.
So the basic security systems are in place right now, and that’s a wonderful thing, and I strongly recommend that people use these technologies to secure their systems. Now there are some additional things that are coming along so, for example, there’s a specification that was finalized last year at OASIS called “WS-Secure Conversation” and that actually gives you an additional layer of security by enabling two communicating service endpoints to establish a secure connection, and that actually is going to be more -- a more efficient way of establishing a secure conversation so that you don’t have to authenticate on each interaction.
You set up the connection once and then you use that connection for a series of exchanges and stuff, and so therefore, you amortize the cost of that initial connection over time. Two additional specifications: WS-Trust was also standardized last year and then WS-Federation just began. These are systems that allow you to establish security token servers, a place where you can go get a security token, and it’s actually a component of WS-Secure Conversation to get these tokens to create the sessions.
WS-Federation, now, allows you to actually create a mechanism to cross domains, which is something that’s inherent in business-to-business type communications and also even within a given organization. If you’ve got a large organization with a lot of different business units, you probably have different security domains. And so being able to cross those security domains is a challenge today, and right now you have to do a credential mapping, you have to put an intermediary in between and have it actually map credentials one to the other. But if you can have that more automated, that is probably going to be a nice feature. It’ll probably be two or three years I think before that’s really implemented in products, but that’ll definitely make life a little bit easier.
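The contrast Anne Thomas Manes draws between point-to-point security and carrying the original user's identity with the message across several hops can be made concrete with a small simulation. The code below is an added example for this page, not code from the interview, the Burton Group or any WS-* implementation: an HMAC over a base64 body stands in for the XML signature a WS-Security header would carry, a constructed key stands in for what a security token service would hold, and the service names and order payload are made up. It shows three things the transcript describes: under point-to-point authentication the last service in a chain only ever sees the service that called it; with a signed token travelling alongside the message every hop can verify the original user and record the path for audit; and because the token binds a digest of the message body, an intermediary that rewrites the body is caught at the next hop.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed key standing in for what a security token service (STS) would hold.
# HMAC over a base64 body stands in for the XML signature WS-Security carries in the SOAP header.
STS_KEY = b"constructed-demo-key-not-for-real-use"


def _sign(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def issue_token(user, message):
    """STS role: bind the original user's identity to a digest of the message body."""
    digest = hashlib.sha256(message.encode()).hexdigest()
    return _sign({"sub": user, "body_sha256": digest})


def verify_token(token, message):
    """Return the original user if the signature and the body digest both check out, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (binascii.Error, ValueError):
        return None
    if claims.get("body_sha256") != hashlib.sha256(message.encode()).hexdigest():
        return None
    return claims.get("sub")


def chain_point_to_point(user, services):
    """Point-to-point model: each hop authenticates only its immediate caller."""
    trail = []
    caller = user
    for svc in services:
        trail.append({"service": svc, "authenticated_caller": caller})
        caller = svc  # the next hop will see this service, not the original user
    last_seen = trail[-1]["authenticated_caller"] if trail else user
    return {"last_hop_sees": last_seen, "trail": trail}


def chain_with_token(token, message, services):
    """Message-level model: the signed token travels with the message, so every hop verifies
    the original user and the audit trail records the full path of services touched."""
    audit = []
    user = None
    for svc in services:
        user = verify_token(token, message)
        if user is None:
            audit.append({"service": svc, "status": "rejected"})
            return {"user": None, "audit": audit}
        audit.append({"service": svc, "user": user, "status": "ok"})
    return {"user": user, "audit": audit}


def demo():
    services = ["order-service", "inventory-service", "billing-service"]
    message = "<order><sku>constructed-123</sku><qty>2</qty></order>"  # constructed payload
    token = issue_token("alice", message)
    p2p = chain_point_to_point("alice", services)
    good = chain_with_token(token, message, services)
    # An intermediary that rewrites the body breaks the digest, so the next hop rejects it.
    tampered = chain_with_token(token, message.replace("<qty>2", "<qty>200"), services)
    return p2p, good, tampered


if __name__ == "__main__":
    for result in demo():
        print(json.dumps(result, indent=1))
```

The point-to-point run ends with billing-service knowing only that inventory-service called it; the token run ends with every hop having seen "alice" and an audit list naming all three services, which is the material the interview says regulations and e-discovery ask for. A production deployment would use the WS-Security signature and a WS-Trust token service in place of the HMAC and the in-process issuer, but the property being checked at each hop is the same.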
What follows is a transcript of my podcast with Sanjay Beri, Vice President of Access Solutions for Juniper Networks. Sanjay has ten years' experience in the high-tech industry having played key roles at companies such as Microsoft, Newbridge Networks and McAfee, and in this podcast we discuss today's attack vectors, Juniper's solution, and the future of security attacks.
What type of attacks do companies need to be most concerned with in 2008?
Sure, there's really two types of categories of attacks that I would say come to the forefront. The first are associated with insiders, or your own employees, or end-users. And the first thing that most folks are realizing is that the threat of inside folks, employees, contractors and even partners often outweighs the attack vector that, for example, an outsider who wants to penetrate your network and steal data could weigh in on.
So that's the first threat. The first threat is employees, they're not experts in security, they do open email attachments, they do browse to websites, which are consumer-based websites full of malware and so on. They do what many would call normal things but in the security world, frankly, opening themselves to many threats.
And as a result, I think the first thing that folks need to realize when they look at threats is valid employees trying to do the right thing, doing things that are authorized at work will do things that open themselves up to attack and it doesn't need to be -- an attack doesn't need to be instigated by an outsider. An employee can actually instigate it by simply going to a website. For example, going to Facebook, downloading a widget, doing whatever many employees do with either for business or consumer purposes at work and that's -- that's the first thing.
And then the second, of course, is the traditional one, which is attackers, right, hackers. Many times these used to be script kiddies and folks doing this for fame. Nowadays, these are in many cases criminals, people actually trying to penetrate your network, not leave any, you know, leftovers that tell you that they did it, and often end-pointed attacks steal a lot of data. Those are the two big categories of threats that are out there.
So those are the attacks. Give me a quick overview of Juniper's solution?
So Juniper's solution is really broken up into both of those different vectors. And -- and the first is the recognition, I think, that-- and this sort of drives Juniper's development of its solutions -- the recognition that employees, partners, contractors, you know what, the philosophy that not to trust anyone is actually a good one.
And it's not to say that your employees aren't trustworthy or your partners aren't, it's just that, you know what, they don't know often what's on their systems. They don't know, for example, that there's a bot or a piece of spyware, or a malicious code on their system that will propagate to other users or servers.
So Juniper's solution on that side is to ensure that, for example, before a user gets onto the network, you not only validate who they are, user name, password, token, and so on but, frankly, that's not good enough anymore. You go in, for example, look at where they're coming from. Are they coming from my LAN? Are they coming from a kiosk? Are they a partner coming in from an external site, which I do not control? Are they coming in from the wireless network?
So that's one other factor. And then the other factor is what does their, you know, end-point that they're connecting from look like? Is it a company-issued laptop, which has AV, personal firewall and so on, on that system, i.e., is it a secure system, you know? Is it, wow, that system is locked, or is that a pretty open system? Take all of that data, all of those parameters and use our product, whether it's the SSL VPN, which is our market-leading remote access product, or the Unified Access Control product, which is built off the SSL VPN but is more for campus and wireless networks versus remote access.
Those two products which basically have the same platform, same underlying policies, they take all of the data I just mentioned and they then allow a user access to the network in the right way, to the right resources, with the right security privileges, and they do that, basically, by dynamically assessing all three parameters, user, location, end-point state.
Then they provision the network. We do that in the UAC case, provision your firewalls; provision your switches via 802.1 access and so on. They provision them so the end-user gets access only to the right things. For an SSL VPN, where all traffic goes through the product, it is a proxy and as a result can do it immediately for you on the product itself and provision only the right resources to the right users at layer seven.
That's the first step, access. Ensure that the right users get access to the right resources with the right security policies and do it in a way that's easy, manageable and as well open so that whatever vendor they have in the end-point. And frankly, in the UAC or NAC's case, whatever they have in their network, Juniper's switches or someone else's, it works, so open is key.
The second piece is -- let's say me, Sanjay. I have a valid computer, locked down, I authenticate it properly, I'm on the LAN. Does that mean that I just stop there and all of a sudden, I get access to everything and they, you know, I don't check that the person is doing something malicious? No. The second thing you need to make sure you have is inline control of these systems. You need to make sure that you have firewalls and IPSs looking at the traffic and seeing if there is something malicious that is being passed on the network from the user to the user and so on.
And that's where intrusion prevention comes in and we have products that integrate firewalls and IPSs together. And those products as well by the way do, for example, take that data that they get and pass it back to our SSL and net -- and UAC products so that if I'm on the network, and these products detect something malicious on the network, they notify a remote access and UAC NAC products and they can then de-provision or re-provision the user's access based on what dynamically was going on in the network.
How is Juniper's solution different from simply bundling a bunch of applications together in a single appliance?
Sure. I think the first thing to remember about Juniper's solution is it's open. We are not forcing people and we never will to just buy our products. And it is a key characteristic of Juniper in general and a key characteristic of our solutions to combat these threats. We promote open standards like TCG and TNC, and we drive those standards in the industry, and collaborate with partners, competitors and others to make sure that, for example, if you have our UAC or NAC product, you can have whatever you want on the end-point.
If you want to use our 802.1X supplicant you can, if you don't, you don't have to. If you want to use Vendor A's antivirus, you can, or Vendor B's, sure. Whatever it is on the end-point, we're driving open standards so that data can be fed in an open-standard way to a NAC product and then provision the network. We're also driving things in the industry that allow networking devices to feed the results of what they see on the network to a product like UAC, Unified Access Control, which is our NAC offering, in an open way, so if you have our firewalls, our IPSs or someone else's, you can feed that data out.
So that's one big thing, it's open. The other key characteristic is that we focus on what I would say is “closed loop” systems. Systems that don't just, for example, you stick our SSL VPN in or you stick our UAC in and you're done, that's it, you know. It doesn't work with any of your other products. From a management point of view, you can't get reporting through that same management system that you manage your UAC or SSL with for your other product that we have.
So generally, trying to solve that management framework while remaining open and realizing that single box integration is definitely valuable, for example, in the branch where you can't afford multiple devices. But people will want multiple devices in many cases. And they may not want them from the same vendor. When integration makes sense, we make and we offer those products, firewall IPS integrated, done.
You know we have that best-of-breed. Firewall IPS routing, same thing. However, in many cases, for vendors or customers who don't want that, we'll also make sure we work in that other mode so that's one big difference. Open, you want integrated, you want stand-alone. Making sure, that works. Closed loop systems, i.e., don't just let one product operate by itself.
It'd be great if your UAC and SSL product could interoperate with the firewalls, and switches, and IPSs out there and they made one plus one equal three instead of operating as silos; we make that happen. And then, the last point I'd tell you is this. One of the keys that we focus on is developing best-of-breed systems. We focus on the quality of what we deliver because we're focusing on customers who view their networks as strategic, right.
Customers who view security and networking as a driver for their business in terms of, hey, this is a differentiator, right. This can differentiate me. Not someone who just views it as, hey, let me just buy the cheapest appliance, that's not who we sell to. We sell to folks who view their networks as strategic and that drives our development and the quality of products we put out.
Since some of the solution is automated, can't that create problems if a hacker manages to change some of the automatic settings?
Sure, that's a good question. The automation, if you remember, the first thing that when folks, for example, configure a product. Say you go to our UAC product or SSL VPN product and you configure a policy, the first thing is everything I describe to you about end-users, it should apply to that administrator too. Who are they? Where are they coming from? What does their end-point state look like?
Access all that, then let them configure the product and set the policy. So first of all, on a control channel side, you need to make sure that you have the right level of authorization, authentication, access of that user before you even let them change any policies, and that is the first step to making sure that an unauthorized user doesn't get onto your equipment and set policies.
So that high level of security it needs to apply not just to your employees, and remote access employees, and your contractors, but to your administrators as well, and that's one of the big reasons you can avoid this. In terms of automation, after those automation policies are set, what we find is customers often start sort of in a non-automated way, they setup policies, they see how things often go, for example, you remember the IDS IPS transition.
Many folks adopted sort of IDS first and then moved inline prevention. On the remote access and NAC market, some have more closed looped systems than others. Some choose to automatically, you know, re-provision switches and firewalls across their campus. Some wait and get comfortable with it and then do it. So it's also a process, right. We don't expect folks to do everything immediately.
They'll go through pilots, they'll go through larger deployments and then they'll get eventually to fully or partially automated. So, you know, our system allows folks to cross all that chain, right. They can do whatever they want from the most automated to partially, whatever they're comfortable with. So that's -- that's one of the big things, to make sure that folks have a plan and a phased plan to move along and roll these things out.
Now, what do you see as the future for security threats?
Sure. So the future is, you know, I categorize in two things. As I said, you know, there are these hackers, which are often criminals now, and then there's protecting a corporation from its own people, and its partners, and contractors. Those two vectors are still the same. I think some of the big changes that you'll see is nowadays an employee often does a lot more than work at work.
You know, it's not just surfing traditional websites and, you know, news sites and so on. It's frankly going to Facebook looking at widgets which one day could have malware on them, or going to Google's, you know, initiatives when they, for example, launch lots of their, you know, whether it's video, OpenSocial, whatever it is. Lots of these things, which take up a lot of bandwidth, which folks will be looking at, at work. These are just new vectors of attacks, new vectors of threats.
And as social networking and P2P and so on take off even more, it will enter the corporate world, whether that is through employees doing things that have nothing to do with work or it's corporations using these applications for the betterment of themselves. So having a device and a system which does what I said: access first. Who gets access to what, with what security privileges, dynamic assessment of user, location, end-point?
Those paradigms will remain the same. What will change is all the different vectors in which attacks can come into the network. The other big thing, I think, you will see as well pretty soon, and you've already seen, is just this notion that folks who are attacking you -- malicious folks -- they're not out for fame, they're still criminals, so more pointed attacks, whether it's credit cards from large corporations or it's personal data; that will continue and that will get more and more sophisticated.
And as a result, systems on your network need to get more sophisticated. They need to understand applications. Ports and IPs, you know, that's a thing of the past, right. It's users, applications, understanding them, protocol decoding and so on. So more of that is absolutely critical to combat sort of the complexity of what attackers out there will be throwing at us.
What follows is a transcript of my podcast with Adam Vincent, the Federal Technical Director of Layer 7 Technologies. Adam has extensive experience building secure service oriented architecture as well as sharing information across security boundaries, and in this podcast we discuss the challenges of SOA security, the similarity between SOA and Web 2.0, Layer 7's solution, SOA governance, and finally, the SOA security challenges of the upcoming U.S. Presidential election.
Also, don't forget next month's ebizQ roundtable on SOA security. Sign up right here!
Could you give me a quick overview of SOA security?
Sure. So SOA security is very similar to what we've seen in typical application security. The big difference in SOA vs. 'what we're used to' is that SOA is somewhat of a concept vs. a technology, so the concept itself allows for more interoperable information sharing, and it's often seen as being an enabler of more business-to-business communications. And so with that comes the complexity of crossing organizational, departmental and community boundaries, so not only do you have to deal with integrity, confidentiality, and non-repudiation like you do with any other application, but now you have the challenge of trying to federate and govern those security policies between different organizational partners.
That pretty much leads to my next question. Why is SOA security considered such a challenge?
I would say, based on my experience, especially around working within the government, that any time you want to try to define security policy that crosses multiple organizations, there's a challenge just politically in making sure that the policy defined actually allows all of the participants of the information sharing system to actually possess the capabilities that they desire. So an example would be that if you're sharing information that might be Privacy Act and FISMA control oriented, there might be policies that govern how you do that from an enterprise perspective, so, you know, from organization to organization, but there may be different policies that each of those organizations also adds to that, and specifically you end up with a hierarchy of policy as related to a particular information sharing opportunity.
Interesting. Now are there a lot of similarities between securing SOA and Web 2.0?
I see Web 2.0 as being an extension of SOA. It's basically taking what SOA has created as an opportunity for more advanced information sharing, quicker time to market, you know, all of the overloaded terms that are used to say that SOA is great. I see Web 2.0 as being an extension of that and allowing those same kinds of premises to now be pushed out to the user. So SOA on its own is generally seen as an application-to-application distributed model that allows those applications to be more interoperable and more reusable across a single enterprise but also multiple enterprises, where Web 2.0 has been seen as a very quick-to-market technology, or set of technologies and concepts, that allows now that SOA paradigm to be fully realized in a user-oriented capacity.
Tell me about Layer 7's solution for SOA security.
So, Layer 7 is basically founded on the concept of SOA security, so we specialize in web services, AJAX and REST based application security. We have come to be focused on the policy that I mentioned earlier. So, you know, I don't want to go too far down in the weeds here, but the hierarchical policy and governance relating to those policies is, in my opinion, the challenge in information sharing, and it is the challenge that SOA has in front of it. And so Layer 7 is based on a technical approach of using something called Web Services Policy as an underlying policy configuration, which allows us, in a technology form, to collapse all of those organizational and departmental and enterprise policies into a single policy engine that then can enforce and rapidly adjust based on those policies.
One of my readers wanted me to ask about SOA governance and also the level of automation provided by your solution.
That's, again, a very complicated topic. What I can say, you know, quickly about SOA governance is that there are two different forms of SOA governance that are required to fully realize what we see as being the vision of SOA enablement, and I typically refer to them as "design time" and "run time" governance. A lot of people have differing definitions, but that's mine. Design time governance is the process that you would go through to collaborate, in the human sense, with all of the participants of an information sharing approach, and design time is what we're used to today and generally takes quite a bit of time. Now run time is the expectation of making sure that all of the requirements that we came to, when we discussed what we were going to use our SOA for, are actually happening; run time would be where the actual processing logic would exist to make sure that those things are actually happening. So, security is by far, in my opinion, the biggest run time governance challenge that's faced by the enterprise that's adopting SOA.
Interesting. Now with the upcoming US election, presidential candidates are using their websites for donations and to increase voter participation. Last year, there was a breach in security of several campaign websites. What advice do you have for people who are looking to make donations or to submit their information online?
There's basically a list, and the list is growing, unfortunately, of issues that relate to consumer security, and with the political election approaching, the biggest thing that we need to look at is the sheer number of users that will be using these websites. So most of these websites will leverage some kind of registration so that they can track user information, so all of that user information is going to be captured somewhere. Generally this is one level removed from what the user interacts with, so an example would be a user interacts with their browser, which is, in fact, interacting with the web application, but that web application is actually communicating with a database, and that database has all of the information about all of the users that have gone to that website. It may include credit card information; in some very limited cases, and this is not seen much anymore, it may even include their Social Security number. This information is paramount for that website owner for doing their business process and doing the things they need to do. What is not paramount for them is that it is a single place of attack, and so hackers will look to high interest and high use websites, especially as we get closer to the presidential election and the number of users of those websites grows.
Now what do you see as the other challenges for security, especially in the area of SOA?
So, in regard to the presidential election, I think that there are multiple challenges that exist for the service provider. So, a second ago I talked a little bit about the consumer of a website, and there are certain things that they care about, and so basically you can put it in the form of different buckets. They care about the information they're looking at: is it correct, that they're looking at the right website, and that their information is kept private and that there's no risk of identity theft in their information being, you know, let out into any public forums. But there's another risk that we haven't talked about, and there's a lot of threat, and that's with the provider of that website, and so, you know, as the provider threat is realized, that's also going to impact the customer, the user of that website. So, in that, I would say that, you know, the provider has to worry about things like the ability for their information to be correct on that website. So more and more people are hacking websites, logging in as, you know, administrative users and then actually changing content on a page to actually harm the reputation of the website owner, in this case it would be a presidential campaign member, or in some cases, it's basically to get their name out. In either case, that's detrimental to the political party. Another risk would be denial of service. Denial of service is probably the easiest exploit for an attacker to use and specifically allows the attacker to bring down a website through some kind of overflow of traffic or, you know, some kind of crafty message that they send to the web application. That harms the political party again, because now the website is unavailable for anyone to use.
Another one that's probably not as prevalent but is still a threat is that these websites are used, there's hundreds of thousands of hits per day, and one form of attack that we need to be aware of is the ability to upload malicious code to that website and then use that as a distribution point. So, you know, that would be something that impacts the service provider, in this case the political party, because they would then be used as an attack vector on all of the browsers that are interacting with that website.
November 16, 2007
Securing SaaS: A Live Podcast With Michael T. Donaldson of Ping Identity
What follows is my live podcast with Michael T. Donaldson, VP of Marketing of Ping Identity, from Gartner's Identity and Access Management Summit, where Michael and I discuss the objectives of Federated Identity, how it relates to OpenID, and what's coming up for Ping, and just to give you a teaser, SaaS is expected to break big.
Simplifying With Role Management: a Live Podcast with Brandon Whichard from Sun
This is my second (successful) podcast from Gartner's Identity and Access Management Summit where it seems everywhere I turned news was breaking and breaking fast. In this podcast Brandon Whichard, Product Line Manager Identity Management, explains Sun's announcement last Tuesday to acquire Vaau, then gives a brief overview of role management, and finally, what we should look for from Sun in 2008.
What follows is a transcript of my podcast with Eric McNeil, Manager of IBM's Corporate Security Strategy, where we discuss IBM's announcement of having achieved an end-to-end security solution (which you can read right here), or what IBM terms the 'Holy Grail' of computer security.
Why don't you just give our listeners an overview of your announcement?
Well, IBM really is changing the game of IT security. And it's really a game that needs to be changed, given today's complex infrastructures, given the more sophisticated attacks our clients are seeing, given the more open, collaborative business models we're trying to secure. The current approach to IT security, that is, trying to secure this technology or that, securing applications, securing the data, securing the servers, is not enough. What's needed is a much more holistic, comprehensive view of security, and that's what IBM is announcing today.
So in the announcement, you started by saying security is broken. Can you elaborate on that?
Well, as I said, you know, given all the new threats and new complexities, it's very difficult to approach security from the bottom-up, technology-specific approaches we have today. Today's security is very much siloed. It's very much driven by technology, and what we're really trying to do is provide the capabilities to have the business requirements drive security. It's less about securing this technology or that, and more about securing the business processes that really have a business impact on the client.
Some analysts have said that they believe that IBM is just too big, and all of your security solutions are too distinct and separate for you to really achieve an end-to-end security solution. So how do you respond to that, or how are you able to overcome that?
I'd say that it's going to take a partner of IBM's scale to really pull off all that this problem requires. We really are changing security in two ways: one is really allowing people to mitigate risks across all five of the IT domains. So we look at the domains as: people, technology, information, applications and physical facilities. If you look at a business process, you can't secure that process just by securing one technology or one domain. It really will require you to look across all of those domains and look at controls on all those domains.
If you look at most of the security industry, they are focused on one domain or the other. So what IBM has done, we've made a significant amount of investments and acquisitions to develop very strong capabilities to mitigate risks across all those domains. And a great example is PCI. The PCI people were very smart. They didn't say "well, we have this data encryption challenge, so let's require some data encryption technology." What they did was look at the business process of what was happening. That is, how this customer information was coming into these firms, how it was moving around the firms, how it was touching different technologies and different people. And what they did was come up with twelve capabilities required to mitigate risk on the entire process.
What we're also now seeing is our PCI solution, which uniquely shows that IBM can cover all twelve of those capabilities.
You say that this will give companies a complete view of their security. Exactly what will this complete view of their security look like?
Well, in addition to managing risk and mitigating risk in each of the IT domains, we need to allow the company to make business decisions across all those domains. Because at the end of the day, security is as much a business decision as it is a bunch of technologies. So what we're really doing is elevating security to really be risk management, allowing firms to align these IT domains and IT security with their business processes, quantifying risk and moving to a continuous process and improvement approach that allows them to optimize their business results over time.
At the end of the day, CIOs and CISOs these days are more business executives than just managers of technology. And they're expected to manage risk in their domain the same way the CFO manages risk in his domain. And that the end result needs to be what optimizes business results.
As we all know, and as IBM has proven today, technology changes faster than any other industry. So how can a true end-to-end solution keep up with all of this change? And, by that, I mean -- how are you going to incorporate technologies like virtualization or service-oriented architecture into this end-to-end solution?
One thing that we're doing here is really separating governance from operations. And you can think of it as sort of like a car. Today, we have this car which is all these security technologies that people deploy but it has no steering wheel. From a risk perspective, it's driving all over the road. Increasingly, what business executives, the new business aligned CIOs and CISOs are trying to do is drive this infrastructure. They're looking for a steering wheel that allows them to align the risks across the infrastructures and make sure they are driving the infrastructures in a way that optimizes business results.
So we have this very strong focus on the governance of all these technical capabilities as well as segmenting them into their various domains so that we can pour in the right technologies, investments and expertise into each domain to maintain currency with technology progress as well as making sure we're providing leading edge capabilities in each domain.
How can this new approach bring business value to security?
First off, there's a lot of new business models people are trying to deploy. Globally integrated enterprises, managed services, service-oriented architectures… The challenge with any of these things is they bring a lot more complexity and risk into the organization. IBM's providing much more advanced capabilities to manage the risk and threats that these new business models bring so people can enjoy the business benefits of them.
We also allow them to take significant costs out of their infrastructure. Certainly, there are some redundancies that people can minimize. We can also think in terms of business controls. Often, as people try to deploy best practices, say, in security, they also find that there are a lot of redundant controls. They might have thousands of controls they are trying to manage.
What the audit community is saying to companies is that they really want them to take more of a risk perspective to these controls, and drive to a more efficient set that can provide deeper understanding of how these controls align to the business, help them manage them better and be more responsive to effects on those controls.
People can then take out potentially millions of dollars worth of costs of how they're managing the controls today, which is through a lot of manual processes.
You say this is the first wave in this new wave of IBM security products. What can we basically expect in the second and third waves?
I think you will see IBM continue to flesh out these capabilities. Then going deeper and more comprehensively into each of the domains, and to orchestrate capabilities across domains and drive synergies among the domains. And increasingly drive security upward into the organization so that risk management could be done more automatically and more comprehensively.
What follows is the transcript of my podcast with Mike Paquette, Chief Strategy Officer of Top Layer Networks. Mike has over 23 years in computer networking and security experience, and in this podcast we discuss how companies must be more proactive with their security.
First -- can you just tell me what type of attacks companies need to be most concerned with today?
Yes. One of the major concerns is the compromised computer. The compromised computer meaning a computer that's been infected with some software other than what the user or the administrators intended it to run. This is at the root of many of today's cyberthreats. So I think that organizations should be taking steps to protect against the malware, which is this undesired software, by keeping the systems patched. By using technology like intrusion prevention systems. And by educating users to protect against the targeted attacks which are prevalent today in 2007, and I expect these targeted attacks to be prevalent going into 2008, as well.
How can companies become more proactive in solving their security problems?
Well, I guess the simplest way to say this is by investing in IT security infrastructure and policies before a significant security incident takes place.
In saying this, are we saying that most companies now are typically reactive when it comes to security?
Well, somewhat. There are actually a couple of ways to look at this. Today, many organizations are investing in IT infrastructure but they are motivated by regulatory compliance. And I always wonder, "is that proactive or reactive?" It's proactive because it's actually ahead of an incident taking place, but they are being pushed a little bit by an audit or some other regulatory pressure. So -- I think proactive means that IT security infrastructure is improved on a regular basis and for the purposes of enabling business, first of all. But also, to ensure that a reasonable level of care is used in protecting the systems and the data on which the business operates. So, I would have to summarize that by saying that I think there are indeed some organizations that are being proactive, but there are still quite a few organizations that are being reactive.
So much of security is what we don’t know with the unknown threats, and things that haven't been discovered yet. So, how is it possible to be proactive against basically the unknown?
That's a good question. It is true that the actual vulnerabilities that enable some of these new attacks are not known yet. That's a fact. However, the general vectors or the methods over which these attacks will occur are known. Compromised computers, you know, will continue to be at the heart of the cyberthreat risk. Stolen laptops. Lost USB memory sticks. These types of methods or avenues through which these threats and attacks can take place are known today.
So organizations that take proactive steps today to secure these items, they can actually get real risk reduction both in the reduced likelihood of physical loss and the reduced liability because they've at least taken reasonable care using existing technology to reduce those risks. So to summarize my answer to that question: yes, indeed, some of the actual attacks are not known yet, but the general categories in which they will take place are known and we can make proactive investments in those categories today, to reduce risk.
Are there any mistakes a company might make in trying to almost be too proactive?
Yes, there are some mistakes that can be made. And a typical one gets back to the comment I made just a little bit earlier about if compliance, regulatory compliance, is the driver and an organization thinks, "yes, I'm being proactive because I'm going off and meeting this regulation," -- you've maybe heard the term "compliance for compliance's sake"? Well, I think this is a mistake that some companies are making. They're implementing the bare minimum, the letter of the law, to meet some regulatory compliance.
For example, the Payment Card Industry Data Security Standard. There are ways you can meet that specification by implementing bare bones techniques and technologies that just barely meet the specification. Organizations that do that are missing a huge opportunity because most of those regulatory compliance guidelines are done for good common sense reasons to help reduce risk. So one mistake is compliance for compliance's sake. I suppose there are some organizations that make another mistake, which is implementing so much IT security, so much process and technology, that they actually impede their organization's ability to do what they need to get done. So, I don't see that too often, but sometimes you see the security team going overboard and implementing password policies that are so complex that they actually backfire, and everyone writes down their passwords on a little sticky and puts it next to the monitor.
What do you see for the future of security threats in this proactive approach?
I think we're in an era where the lure of easy money is going to be a primary motivator for, you know, as far out as I can see with regard to the threat landscape. Whether it's in the physical realm of stealing laptops, whether it's in a little more intelligent realm of stealing data to be used for subsequent exploit, like identity theft. I think that's going to be the primary motivator.
And, so what that means -- when I try to answer this question, I like to look at what IT trends are taking place, and how those IT trends layer on top of them; there's the greed factor and the lure of easy money for people who are so inclined to take illegal steps to get there. And I can see a few things. I think compromised computers, and again, those are computers operating software that was not intended to be put on there by the user or by the administrator -- that would remain a primary vehicle for these threats.
And by computers, I think we're going to expand our scope beyond the desktops and the laptops, but certainly into our PDAs and our smartphones. I think we'll continue to see phishing attacks where email messages and IMs that go to end users are luring them, you know, I call it the tempt-to-click email and the tempt-to-click IM because once the user is lured into clicking on one of these links, then it's actually quit