Thursday, December 6, 2012

To encrypt or not to encrypt, that is the question

In my last post I wrote about the South Carolina breach, and this attack has now made its way to even venerable publications like the Economist.

The interesting question here is when does encryption of PII or PHI at rest go from "advanced technology that really goes above and beyond" to "industry standard"?

If you look at PII or PHI on laptops or other physical devices, encryption has been standard for close to ten years now. Very few organizations allow their employees to have sensitive data in clear text today. The main reason for that is simple economics. It is much cheaper to pay for encryption software licenses plus some extra juice in the laptops than to shell out for identity theft protection. In any organization of significant size, theft or misplacement of laptops is simply something that occurs on a monthly or even weekly basis. The other reason is that it is embarrassing and potentially career limiting for a CIO to have to explain why they lost the data when protection was easily and cheaply available.

Are we getting to the point where corporate networks are simply considered breachable, just like laptops are "stealable"? Will encryption continue to be perceived as the silver bullet that automatically provides safe harbor for the information?

I am the first to admit that I really don't have any strong answers to these questions.

Wednesday, November 21, 2012

HIPAA and reverse incentives

Last week I visited ISA New England's November member meeting and one of the talks was by Karen Borton about HIPAA. Really good walk through of a complex subject.

Major HIPAA breaches (500+ affected individuals) are published by HHS on their website. If you look at the list you can see that most breaches are still of the "forgot laptop on the bus" kind. Is this because that is the most common attack vector or just because that issue is easy to discover?

Most companies that are covered entities do encrypt all laptops in order to ensure that a lost laptop does not result in a potential breach and notification, but it is still quite uncommon that all PII and PHI is encrypted at rest. In contrast, it is quite common that the same companies encrypt credit card data, as PCI more or less requires encryption.

In the recent breach at the state of South Carolina, PII was stolen as well as credit card data. The end result is that PII will now be encrypted within the organization.

Given the current state of regulation, perhaps it takes an attack on that specific organization to raise executive awareness enough to actually start moving on this issue? On the other hand, the laptop encryption issue clearly did somehow get noticed and acted on throughout the industry, so perhaps there is still hope.

Saturday, November 3, 2012

Compliance and security in different verticals

I attended a very interesting healthcare round table last week organized by RSA. One of the things that we discussed was how different verticals handle their respective compliance legislation.

There was a lot of consensus around the fact that finance has a very mature security stance. This is probably partly due to the fact that the compliance legislation (SOX) is rather mature and well defined. The consequences of non-compliance can be very painful for very important people in the company, which usually results in a lot of attention. There have also been a number of very big events in finance where insiders have gained elevated privileges in order to hide trading losses.

If you move on to retail you have PCI, which is very detailed and specifies exactly what you need to do and what happens if you don't. Again, there have also been a number of cases of insiders stealing credit card data where improved security systems clearly could have led to at least earlier detection and smaller losses.

In healthcare on the other hand we have HIPAA and HITECH. HIPAA is very high level and doesn't have any real teeth. There was some talk about HITECH fixing this, but so far there have been very few cases where HITECH has really been brought to bear against healthcare provider or payer organizations.

Another aspect is that the information handled by healthcare organizations is harder to fence. Financial organizations tend to handle cash, which certainly is very easy to fence. Credit card data isn't pure cash, but thanks to organized crime there are essentially underground exchanges where credit card data can be sold in wholesale quantities.

Healthcare and healthcare insurance information is harder to capitalize on, as it is much easier to pose as a person with a credit card to a merchant than to pose as a healthcare provider to a healthcare payer. On the other hand the potential payouts could be very substantial, so I wouldn't be surprised if we see a "TJ Maxx"-like case very soon in the healthcare sector. The PII aspect of the PHI is another potentially interesting attack target, as it is often possible to perform identity theft using the data in the insurance information.

The consensus in the meeting was that healthcare in general is relatively immature but that there are a lot of things that point to a change in culture over the next few years. One clear possibility is that the enforcement of HITECH may be stepped up, and there may also be enough embarrassment generated by a couple of big data loss cases that actual change will happen in the industry.

BCBS Tennessee is one very famous example of what can be done if an organization decides to tackle a specific aspect of security (data at rest in this case). It should be noted that the cost of just providing data-at-rest encryption for a mid-size payer organization is $6 million, so lifting the overall security posture of the industry clearly won't be cheap.

Monday, October 8, 2012

IDM in the cloud

Recently there was a very interesting discussion around cloud based IDM vendors at Wisegate. The question that was posed was: what are the current cloud based IDM alternatives? There are a number of vendors out there, but my three favorites for a US based corporation would be:

Lighthouse security
A quite mature solution based on the IBM security stack (formerly Tivoli Identity Manager and friends) with a quite nice custom GUI.

Sena systems
My old employer Sena offers a hosted turnkey IDM solution based on the Oracle stack. This solution is built on top of a very mature service offering that Sena started working on way back in 2006.

Very interesting solution architected by Nishant Kaushik (ex Thor, ex Oracle).

A couple of years ago cloud based offerings were a quite new thing and most vendors did not offer them. Today you can get this offering for most of the major products, and most of the bigger implementation players will have a cloud offering in their portfolio.

The main draw for most customers of cloud based implementations is that you avoid having to install and maintain an often complex, temperamental and finicky IAM installation. There is a significant economy of scale in running a number of very similar IAM installations in a data center compared to running just one, so this makes a lot of sense.

The second advantage a cloud based implementation offers is that it usually supports a standardized set of requirements instead of the basically unlimited configurability that most major IAM stacks offer. This means that the implementation time is much shorter, and the implementation cost as well as the maintenance cost is much smaller. The downside is of course that you have to accept the use cases and requirements that are already in place. Sometimes you have the ability to do some limited configuration, but you definitely aren't able to write custom code.

As a general rule it is easy to burn three times the license cost on professional services in an IAM engagement, so there is a huge financial incentive to go with a standard cloud implementation rather than a custom local installation.

IAM as a service is clearly taking a bigger and bigger mind share, and as corporations become more and more comfortable with running things in the cloud it is likely that the mindshare will result in a bigger and bigger market share as well.

Wednesday, March 7, 2012

Datapower - a blast from the past

Back in 2005 I was living in London and working for Sena Systems. Sales were slow in Europe and I was subcontracted out to a partner for a three month engagement in the US. The partner was called Datapower and was headquartered in Boston. Little did I know that this project would turn out to be one of the big turning points in my life.

While working for Datapower I not only met my now wife but also got some experience with the product, and got to experience what happens when IBM buys your employer. One result of that buy was that Datapower cut its relationships with non-IBM partners, so I had to leave the DP area and moved over to the provisioning practice.

During the next five years I didn't do any Datapower work so when I got the chance to take part in a hands on DP lab day I took the chance.

The most striking part of the experience was how little DP had changed. Most of the user interface was almost identical. DP has a wizard-oriented user interface that basically guides you through a setup process. The end product of the process is a functional unit such as a multi-protocol gateway or a web proxy.

The advantage of this setup is that you can build quite complex entities without any programming or in-depth training. The disadvantage is that you are sometimes a bit limited: if the option you need isn't available as an option you are usually toast. The supporting entities, such as certificate objects or SSL protection of connections, can also be a bit hard to figure out, as they can either be predefined and reused or be defined as part of the workflow.

One really nice function in the new OS is the addition of an XACML interpreter, which makes it possible to run the DP device as a PDP (policy decision point). You can also link the DP box to a TSPM (Tivoli Security Policy Manager) server and use the DP box as a PEP (policy enforcement point). The PDP functionality seems a bit shallow, and there is no support for policy authoring or distribution, so it is really not a fully fledged XACML solution. Despite this it is good to see XACML support in yet another well established security appliance.
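To make the PDP/PEP split concrete, here is an added example (my own illustration, not DataPower, TSPM or any XACML library code): a minimal XACML-style decision point that evaluates attribute-based rules under two of the standard rule-combining algorithms, and an enforcement point that fails closed on anything but Permit. The claims-system policy, the rule names and the request attributes are constructed for this example.

```python
"""Minimal XACML-style PDP and PEP (added illustration, not vendor code).

Models the split in the post: the PDP evaluates a policy against a request
made of subject/resource/action attributes and returns Permit, Deny or
NotApplicable; the PEP turns that into allow/block. The policy, rule ids
and requests below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, str]   # e.g. {"role": "adjuster", "action": "read", ...}
Decision = str             # "Permit" | "Deny" | "NotApplicable"


@dataclass
class Rule:
    rule_id: str
    effect: Decision                       # "Permit" or "Deny"
    target: Callable[[Request], bool]      # True when the rule applies


@dataclass
class Policy:
    policy_id: str
    combining: str                         # "deny-overrides" | "first-applicable"
    rules: List[Rule]


def evaluate_rule(rule: Rule, req: Request) -> Decision:
    """A rule yields its effect only when its target matches the request."""
    return rule.effect if rule.target(req) else "NotApplicable"


def evaluate_policy(policy: Policy, req: Request) -> Decision:
    """The PDP: combine per-rule results with the policy's combining algorithm."""
    results = [evaluate_rule(r, req) for r in policy.rules]
    if policy.combining == "deny-overrides":
        # Any Deny wins, then any Permit; otherwise nothing applied.
        if "Deny" in results:
            return "Deny"
        if "Permit" in results:
            return "Permit"
        return "NotApplicable"
    if policy.combining == "first-applicable":
        # Rule order decides: the first rule that applies is the answer.
        for decision in results:
            if decision != "NotApplicable":
                return decision
        return "NotApplicable"
    raise ValueError(f"unknown combining algorithm: {policy.combining}")


def pep_enforce(policy: Policy, req: Request) -> bool:
    """The PEP: only an explicit Permit lets the request through.

    Deny, NotApplicable (no rule matched) and Indeterminate all block,
    which is the fail-closed behaviour a gateway in front of a service needs.
    """
    return evaluate_policy(policy, req) == "Permit"


# Constructed sample policy for a claims service.
PERMIT_ADJUSTER_READ = Rule(
    "permit-adjuster-read-claim", "Permit",
    lambda r: r.get("role") == "adjuster"
    and r.get("action") == "read"
    and r.get("resource") == "claim",
)
DENY_TERMINATED = Rule(
    "deny-terminated-subject", "Deny",
    lambda r: r.get("status") == "terminated",
)

CLAIMS_POLICY = Policy("claims-access", "deny-overrides",
                       [PERMIT_ADJUSTER_READ, DENY_TERMINATED])
# Same rules, but order-sensitive: the Permit rule is consulted first.
FIRST_APPLICABLE_POLICY = Policy("claims-access-fa", "first-applicable",
                                 [PERMIT_ADJUSTER_READ, DENY_TERMINATED])

# Constructed sample requests.
ACTIVE_ADJUSTER_READ = {"role": "adjuster", "status": "active",
                        "action": "read", "resource": "claim"}
TERMINATED_ADJUSTER_READ = {"role": "adjuster", "status": "terminated",
                            "action": "read", "resource": "claim"}
ACTIVE_ADJUSTER_WRITE = {"role": "adjuster", "status": "active",
                         "action": "write", "resource": "claim"}


if __name__ == "__main__":
    for name, req in [("active read", ACTIVE_ADJUSTER_READ),
                      ("terminated read", TERMINATED_ADJUSTER_READ),
                      ("active write", ACTIVE_ADJUSTER_WRITE)]:
        print(f"{name:16} deny-overrides={evaluate_policy(CLAIMS_POLICY, req):14}"
              f" first-applicable={evaluate_policy(FIRST_APPLICABLE_POLICY, req):14}"
              f" pep allows={pep_enforce(CLAIMS_POLICY, req)}")
```

The point worth noticing is the last two rows: a write that no rule covers comes back NotApplicable and is still blocked by the PEP, and the terminated adjuster is denied under deny-overrides but permitted under first-applicable, because the Permit rule sits ahead of the Deny rule. Which combining algorithm a policy declares, and in what order its rules are listed, matters as much as the rules themselves, which is exactly the kind of thing a PDP without policy authoring support gives you no help with.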

Thursday, February 2, 2012

Stockholm syndrome and Gartner provisioning quadrant

I will be speaking at the Identity and access management seminar in Stockholm Sweden on May 3 this spring.

My talk will primarily cover how to upgrade IAM systems, including how to integrate "newer" functionality from the IAG space. I think the seminar will be very interesting, so if you happen to be in the area I would recommend attending. Even if you are not in the area you know that you want to visit the land of the socialist nightmare (or statuesque blonds, take your pick).

When you upgrade your IAM system you have to make two major choices:
  1. What software package will I use?
  2. Who will perform the upgrade?
The answer to the first question can be determined in many different ways (i.e. who plays golf with whom), but let's take a look at the new Gartner user provisioning magic quadrant and see if that provides any answers.

This year's magic quadrant is rather boring, which probably reflects the maturity of the market. The big three (IBM, CA and Oracle) are hanging out in the upper right corner with Oracle having a slight edge. Courion pulls off another strong showing, and the cat with at least 99 lives (Novell) seems to be alive and well.

IBM, CA and Oracle are also the only players with a more or less fully featured and more or less integrated IAM stack. The downside is that the packages from the big three tend to have high license costs and are also quite complex to install and configure.

Thanks to the acquisition of the provisioning module from BMC, Sailpoint now has a decent provisioning offering. Not as fully featured as the leaders, but definitely a competitive offering.

The challengers section of the report contains a number of interesting vendors such as Forgerock and Lighthouse.

Overall there were very few surprises in the report, and you can almost read between the lines that the Gartner analysts are much more excited about the new IAG quadrant (courtesy of Sailpoint).

Friday, January 27, 2012

Useful TIM tips and tricks

I ran into a page full of useful TIM tips and tricks that I thought I should share: IBM Tivoli Identity Manager How To

Sunday, January 15, 2012

Challengers: Forgerock

One very interesting trend over the last couple of years is the rise of a number of challengers in the IAM space that have unsettled the oligopoly of IBM/Oracle/CA. Sailpoint, Aveksa and Courion keep scoring very well in the waves and quadrants, but there are also a number of smaller companies that simply don't have the market presence to be noted by Gartner and Forrester, and I thought it could be interesting to take a look at some of the companies that I think have an interesting viewpoint or interesting products.

First up is Forgerock. Forgerock largely consists of ex-Sun employees that left during or just after the Oracle takeover. Forgerock has managed to pick up some of the very brightest Sun talents as well as some of the most interesting concepts and ideas from the now defunct Sun IDM community.

Forgerock's main differentiator is the fact that their products are open source. The company has also been very good at leveraging various open source products as part of their platform, which has resulted in the creation of a quite rich product stack in a short period of time. The open source philosophy plus a very impressive list of implementation partners also means that long term product support is safe, which is one of the major issues with buying an IDM product from a small player.

The stack consists of four major components:
  • OpenAM
  • OpenDJ
  • OpenIDM
  • OpenICF
OpenAM supplies, or will shortly supply, most of the functionality that you would like to see in an SSO product, including federation and risk based authentication. The product currently supports an agent based approach for policy enforcement, with a reverse proxy becoming available during Q1 2012.

OpenDJ gives you a competent Java based LDAP server with a very interesting web service interface.

OpenIDM offers a very flexible provisioning platform with lifecycle events, workflow support (BPMN 2.0 based), password synchronization, a self service interface as well as auditing and reporting support. The main strength is the flexibility and modularity offered by the OSGi based framework.

OpenICF is a framework to create connectors with a quite impressive list of currently available connectors.

If you look at the components, the main strength is that they are Java based, very flexible and service oriented from the ground up, and have integrations with some very interesting open source products. There is no legacy core that consists of tons of magic built on top of a data model with three letter table names, and no huge install footprint (you all know what products I am talking of).

The main issue with Forgerock is the same thing that doomed Sun. It is a technology and engineering driven company that builds excellent products, which is great if you are an end-user company that is mature enough to take a flexible platform and shape it to what you need. Forgerock has managed to cultivate a very impressive list of implementation partners, but most of the partners are small boutique shops. Most of the products still need a bit more depth and lack flashy user interfaces, so if you are looking to implement an IAG solution or a massive cloud provisioning solution against a very tight timetable you should probably look elsewhere.

On the other hand, if you are a technologically mature company or are comfortable with trusting a system integrator to do your technology work for you, Forgerock offers a very competitive IAM platform that can be customized to fit your needs without breaking the core application. In the end it is much easier to build a nice front end for a stable, flexible and strong back end than to do the reverse exercise.

Thursday, January 12, 2012

IAG magic quadrants and no more Tivoli

A new year has started and as all new years 2012 will certainly bring some interesting new changes.

Gartner published their new Magic Quadrants, and this year they invented a new one in the form of "Identity and Access Governance". If you want the report you can get it from Sailpoint. The report really doesn't contain very much information that wasn't made public at the Gartner IAM summit back in November.

Aveksa and Sailpoint continue to lead with Oracle just behind them. It is really fun to see smaller vendors unsettling the larger players. The main surprise is probably that IBM is totally out of the race, with essentially no products at all in this space.

I would say that this is not entirely accurate, as you can achieve the same functionality as in Sailpoint or Aveksa using a combination of ITIM, a custom request and approval front end and the new IBM Security Role and Policy Manager (IBM RaPM). This would of course require a lot of work, so clearly for most new customers the Sailpoint or Aveksa solution looks quite tasty, and it is clear that IBM has some catching up to do.

IBM is also renaming most or all of their Tivoli products and making their latest acquisition, Q1 Labs, the centerpiece of a new security group. Using a SIEM tool as the center of your security suite is a novel idea, and the Q1 user interface is very slick, so this may be just the right move for IBM.

The name change will make googling for TIM and TAM information substantially harder, as IIM and IAM are already kind of occupied. Makes you long for the good old days of 2011....