So, I’ve enjoyed putting on my analyst hat for the last few months to survey the identity management market and catch up with some companies that I hadn’t talked to for some time.

Last week I got the chance to take a look at what Courion was up to, especially after the news of their breakout third quarter results. It’s been a while and in my memory, they were a company that had successfully built a solution for identity provisioning (not a small problem). Looking at their website it was clear they’ve grown past those roots and moved to a more comprehensive solution around access governance. Talking with Courion gave me the opportunity to see the solution in action in the form of their Access Risk Management Suite.

Data analytics has been a part of the IT world for some time, providing insight into data that enable businesses to be more agile and proactive with information about their business and customers. When it comes to identity, however, the solutions have been focused around automating policies around access to data and applications, but not in understanding the risk associated with that automation.

It’s good to see companies such as Courion recognizing this risk and building a robust solution to address the problem. Actually, with their roots in building connectors into identity stores of all shapes and sizes they’re well suited to provide a solution since they already have the ability to look directly at identities as they relate to authorization.

Analytics is the new frontier in security. It’s evident in many of the conversations I’ve had with companies as they look at the complex threat landscape and the enormous amount of data that is created from security event logs. Courion can a part of the solution for assessing risk with identities within corporate enterprises; not a bad position to be in.

Continuing the security management momentum, Colorado-based LogRhythm announced version 6.0 of its SIEM platform this week. The news may not seem as big as two major acquisitions, but LogRhythm’s new release really exemplifies what’s needed for next-generation SIEM platforms, such as:

1. Deep situational awareness: Old-school SIEM kept track of log events generated by perimeter security devices or across the network. This is no longer. In its new release, LogRhythm expands its view to monitor traffic, events, and anomalies across networks, hosts, and user behavior. You can then use this information for analysis, forensic investigations, or IT operations planning. Given the scaling needs associated with collecting and analyzing massive amounts of data, LogRhythm also bolstered performance in its new release.
2. Canned rule sets. Even large well-funded organizations are struggling to recruit and retain security professionals with advanced skills. In fact, ESG Research indicates that 22% of midmarket (i.e., 100-999 employees) and enterprise (i.e., 1,000 employees or more) organizations have a problematic shortage of information security skills. LogRhythm 6.0 addresses the skills gap with technology by embedding “knowledge modules” tailored to different use cases or specific user functions.
3. Automated response. Soon-to-be published ESG Research indicates that large organizations are actively automating more and more security remediation activities–especially in light of increasingly sophisticated attacks. LogRhythm demonstrates that it gets this requirement by adding “SmartRemediation” automation to its 6.0 offering.

I’ve heard that LogRhythm has really grown revenue over the past few years and I now understand why–the company’s 6.0 revision is in the sweet spot of a big and lucrative market transition.

You can read Jon’s other blog entries at Insecure About Security.

There’s no doubt of the ex-admin’s culpability in this case, but the company also has some responsibility in this mess.  Users with administrative privileges are still users.  They are entrusted to act with integrity in dealing with company assets, but we know too often that this isn’t always the case.  And, I’m not saying that IT administrators can’t be trusted, but we all know the adage “trust but verify.”  That’s most relevant in dealing with administrators.  Even without malicious intent, admins can cause damage to systems and data when proper controls are not in place.

The first control missing was the fact the admin was able to create a dormant account with admin rights that he could enable later.  The creation of that account should’ve been discovered immediately with proper monitoring software, ones that are focused specifically on managing privileged users.  Many companies, such as Hitachi ID, have products focused on recording the activities performed by administrators–every program run, every keystroke, every account change.

Additionally, IT needs to be more diligent in providing adequate separation of duties for administrative tasks.  With the exception of small IT departments there shouldn’t be one person that performs all the administrative functions on servers, applications, and databases.  Companies like Centrify provide a unified platform that allow fine grained access across varying servers, applications, and databases.  A periodic audit to certify each privileged account’s access rights can help raise alerts to suspicious activity, including creating back door accounts.

Finally, change control requiring a second or third witness to any changes to administrative accounts would’ve prevented the ex-admin from convincing one employee to activate an account that allowed access to administrative privileges.  We all make innocent mistakes from time to time, but another pair of eyes, or better yet, a formal approval process for changes to administrative accounts, prevents this type of incident from occurring after the fact.

It’s time to put an end to these incidences.  There are a limited number of administrators, a number easy to manage and monitor.  It’s not really a matter of whether we can solve this problem, but whether we have the will to solve it.  It’s always uncomfortable to put controls in place that imply that a company doesn’t trust those that are stewards of company digital assets.  But, I think we have enough headlines to show that “trust but verify” and monitor is well placed.

The fact is, breaches happen. In this case, it happened to RSA. And I’m sure they’re dealing with the ramifications that that entails. But, this could’ve happened to many other vendors–it has, and it will again.

The lesson the customer takes away, or the lesson that is reinforced because we all know this as security folks, is that every organization needs to follow a defense in depth strategy for mitigating threats and the damage that can occur:

• Effective IPS systems to detect intrusions coming from both outside and inside the network
• DLP implementations to detect sensitive and/or protected data that’s leaving the network
• Effective access control policies from the application layer all the way to the network layer
• Strong authentication for a higher level of assurance when identifying users
• Strong policies for principles of least privilege and separation of duties

Also, keep in mind that the breach occurred with the SecureID token that is used for two-factor authentication. Since it’s two factor, that means there is still another factor that has to be paired with that token to successfully authenticate. And while username/password is not the best assurance, it still slows down the attack if users are diligent about not sharing their credentials. As always, this is where education comes in. Users have always been the weakest security link and constant education on security policy and practice can not be overdone. As a matter of fact, when looking at the message sent by RSA identifying an Advanced Persistent Threat (APT) as the nature of the attack, the actions to take that RSA outlined to its customers had a heavy social engineering focus to it.  Not surprising.

This type of APT seems impossible to combat, and in many ways it is. Users will always fall prey to these types of social engineering schemes. And introducing social networks into the equation makes the problem even large and makes the requirements around strong authentication and authorization even more critical. Authenticating users to critical data should entail more than just a two-factor challenge. The authentication must contain context around the access request.  Where is the user located?  Is the authentication request coming from Russia when the user has already authenticated at the local office?  How many times has the user logged in? And if it’s from different locations, then we’re not talking about the same person. When are they accessing the information?  Is it likely that Ethan, from accounting, would be working on the accounts receivable data at 2 in the morning?  These are just some of the obvious alerts that could aid IT departments in catching unauthorized access into corporate resources.  Vendors who can provide IT departments more visibility to what’s happening with their data and the events happening with their corporate directory in a comprehensive way will provide a valuable service toward a more thorough defense against attacks and data theft.

In the end, these attacks will continue.  And don’t expect users to become more savvy as they start to use more social networking and other sites to conduct more business on the internet.  Expect them to become more vulnerable and, in turn, expose your organization to more risk.

As a security gal, what was really impressive was witnessing the renewed commitment IBM has made to making security an integral part of each of its solution deliverables. Just a few examples of the enhanced visibility I saw at the conference:

1. A multi-threaded security track was added to the conference focusing on compliance, cloud, endpoint security (a la Big Fix), identity management, and emerging threats. The sessions I went to were well attended and it was clear that security is a growing segment of this conference.
2. IBM has elevated security within the company, with resources devoted to supporting security initiatives across all the IBM brands. This approach shows IBM’s seriousness about building security into the design and development of each of its products.
3. Speaking to Teresa Cook, Director of World Wide Security Marketing, it’s clear that IBM is focused on a strategy to assist customers with their security initiatives by emphasizing the ways that security can foster innovation rather than inhibit business.

These are all encouraging signs, and I hope the security tracks continue to grow at next year’s conference. The sessions this year were full of success stories from customers who provided blueprints for attendees in providing these solutions.

On another note, if you ever get the chance to hear Dean Kamen from Deka Research speak, it would be time well spent. Not only is he one of the great inventors of his time, but his passion for fostering and inspiring enthusiasm for technology in our youth through his FIRST organization is truly impressive. In attendence at the keynote were youngsters from the local chapter of FIRST who received a rousing ovation from the conference attendees when they were introduced. This ovation fit in perfectly with the message Dr. Kamen wants to promote in celebrating technology in our country like we celebrate sports and entertainment. I would strongly encourage anyone that wants to get involved in sharing his/her enthusiasm for our industry and developing a passion for technolgy in our youth to look at the work FIRST is doing and volunteer. It would certinaly be a fantastic journey.

RSA Authentication Manager Express: Although the Cloud Trust Authority was the big announcement from RSA, they also introduced an authentication platform for small to medium-sized businesses.  The solution provides strong authentication to SSL VPNs, web applications, and Citrix XenApp virtual desktops, allowing companies with up to 2500 employees, partners, and clients access to resources using multi-factor authentication.  Using risk-based authentication, users can access applications with just a simple username and password or can be stepped-up with an on-demand authentication based on a one time code sent to a mobile phone.  The solution integrates with the customer’s existing identity store making it easy for users to self register for the service based on a username and password they already know.

SecureAuth Identity Enforcement Platform:  This offering from SecureAuth provides multi-factor authentication and single sign on all in one appliance.  It uses the existing IT organization’s identity store to authenticate users, and employs a PKI infrastructure with a built in CA to provide a secure session to resources without the need for client software.  Using SAML, IEP provides SSO to cloud applications such as Amazon hosted apps and Google apps.  It also has built in support for VPN solutions from Juniper and Cisco. With all these features included in the appliance, SecureAuth is delivering a drop-in solution without the need for special integration or development expertise.

ActivIdentity:  There are a couple appliances from ActivIdentity that provide everything from credential management to CA services to support for multiple authentication methods with its 4TRESS appliance.  These solutions have been available for some time from ActivIdentity as software modules for integration into enterprise and government environments.  They’ve taken those same features and packed them into appliance solutions that can be dropped into small to medium IT infrastructures that don’t have the same specialized identity skill sets as larger organizations, but still need the strong authentication solutions for employees and customers.

These are just a few examples of the appliance-based solutions available for small to medium enterprises.  It’s a good thing, too.  Smaller companies have been underserved by this market for some time, since most of the solutions provided by vendors have come with steep integration and consulting services costs that customers can’t afford.  Providing solutions that are designed to drop in seamlessly (of course, that’s always the claim) into existing IT identity environments is a step in the right direction.

While we were waiting for a former president this week, a security conference broke out.  I already touched upon the heavy cloud theme at RSA which I understand is required marketing these days.  But, there were some other themes too.  Mobile security was probably the other hot topic.  Makes sense since that’s the latest consumer product to seep into corporate networks.  Remember when PCs, also a consumer product, started to seep into the corporate network?  Talk about disruptive.  Mobile devices promise to be just as disruptive, and the security vendors are all over it.  Case in point, I’m sitting at a bar last night with a colleague of mine that now works at Juniper.  He pulls out his cell phone and showed me the Junos Pulse client for his iPhone which included the following pieces:

• Antivirus
• Personal firewall
• Anti-spam
• Loss and theft prevention
• Monitoring and control

And this wasn’t just demo stuff.  He wasn’t even at the show.  I just wanted to have a beer with a good friend.   This is the normal mobile phone security software that is available today.

Looking at this client from Juniper and also the announcements from Cisco and Check Point it’s becoming clear that the other emerging sub-theme this year was identity aware networking. Sure, we’ve had networking solutions for some time that require authentication to access the network, but once the user is authenticated, the identity is lost.  That makes it hard to manage access to resources.  These vendors are starting to understand this void better and know that there’s great value to be able to manage access at the network layer by building policies that incorporate a more complete context about the resources coming on the network.  These include:

• Who wants access to the network
• What resource do they want access to
• When are they accessing the network
• Where are they coming from (inside the corporate network, home office, coffee shop)
• How are they accessing the network (corporate issued PC or laptop, home computer, mobile device)

But, the most important piece is maintaining that context throughout the session.  As the workforce becomes more mobile, it’s no longer a convenience to have this context.  The best way to stop critical data from leaking out of the network is to make sure there is a policy that doesn’t even allow access to begin with if users are coming from possibly compromised locations or devices.

More on the identity solutions at RSA in Part II.  But, for now, I’ll settle for a beer at the Chieftain with the former president.

1. President Obama was in town last night, meeting with a bunch of industry mucky mucks in Palo Alto.  The president is promoting a program to emphasize science and technology to prepare the US economy for the future.  I hope the President’s dinner banter included a plan to fund cybersecurity training and education programs since there is a growing skills shortage.  I also hope that the President leaned on industry fat cats to bolster internal cyber supply chain security processes as well.
2. It was nice to see federal integrators like CSC, Northrop, and SAIC at the RSA Conference.  These firms do big cyber supply chain projects with the US government and critical infrastructure.  We need more of their brainpower in the industry at large.
3. While I wouldn’t characterize identity management as a major RSA theme, everyone was talking about it.  User identity, device identity, VM identity, and brokering identity to the cloud.  I expect a “behind-the-scenes” boom for PKI to support all of these initiatives, but the geekiness of PKI makes it taboo for general discussions.
4. I spent a memorable hour with Raimund Genes, CTO of Trend Micro, discussing the current threat landscape.  He took me through some data about the threat landscape and the cyber underground.  I was surprised to find out that fake AV software continues to be the leading on-line scam.  There is a funny twist here.  The scammers charge people around $50 bucks to buy their phony software.  They tend to keep this money and then sell the identity information (i.e., credit card numbers, names, addresses, etc.) to others.  Talk about kicking your victims when they are down!
5. I keep thinking that the full-disk encryption market is fully saturated but it is not.  Vendors say they continue to grow share and prices remain relatively stable.  Encryption isn’t the hook anymore, now it is all about managing an army of encryption clients.
6. I can’t tell you how many security vendors referred to attacks emanating from Facebook.  In my view, Facebook views security as a business/public relations problem and really doesn’t care about the safety of its users.  Facebook really has to step up.
7. I agree with my friend Chris Christensen from IDC, the RSA Conference is composed of too many suits and not enough security professionals and researchers.  Thank goodness for Black Hat.

Hopefully, some of the success of this year’s RSA Conference was driven by the recognition that we really need to do more–like train more security professionals, improve security and risk management processes, and invest in effective safeguards.  I’m cautiously optimistic that this is the case.

You can read Jon’s other blog entries at Insecure About Security.

It’s not surprising to see this theme.  According to the recent ESG 2011 IT Spending Intentions Survey, cloud computing has emerged this year as a growing priority in IT as a cost containment strategy. And as we all know, security stands as one of the primary impediments to moving services and data to the cloud.  But, with all the cloud solutions that are widespread at this year’s conference, I’m not sure that customers feel they understand the roadmap that will get them from the infrastructure they have today to the new technologies and services of tomorrow’s cloud.

The Cloud Security Alliance hosted a four hour summit on Monday to provide “the most timely and relevant education for securing cloud computing.”  It was a packed session with around 1,100 people in attendance.  But what I saw when I looked around was a lot of confused faces.  I think most came to the summit for that education, but after a four hour parade of stars it seemed that most of the folks in the room left feeling more baffled about how they take their organization to the cloud or why.  I think the goals of CSA are noble and the security guidance they have issued with the contribution of numerous vendors is a good place to start.  But the summit didn’t seem to take that next step to help customers take that next step.  It seems to be cloudy, alright, or more like foggy.  Kind of fitting for San Francisco.

Many customers know that a move to the cloud is going to be a slow, step-by-step transition.  But, they have real security issues today with their current IT infrastructure. Products will provide the obvious tools, but what customers need most is a concrete security strategy–one that helps them address and mitigate the real risks they face today.

I would love to know what customers that were in attendance thought of the CSA summit and the cloud solutions that are at RSA this year. Are the cloud messages hitting a chord and providing a strategy that resonates?  Or, is it just cloudy?

The service is rolling out to subscribers so it will take a couple days for the option to show up on all accounts (already checked mine this morning–no joy).  Essentially, the service will work as I outlined before: users will put in their usual password for e-mail and then be sent a onetime passcode on their mobile phone.  There are actually a few options on how users can receive the code:

1. Google will call the phone with the code
2. Google will send an SMS text to the phone
3. You can generate the code yourself using a mobile app, called Google Authenticator, on your Android, iPhone or Blackberry.  Doesn’t look like the app is available for Windows 7 Mobile or HP’s Pre3.

E-mail is often an overlooked application when it comes to protecting data. We often think of our bank accounts, credit cards, health benefits, etc. as sites that contain sensitive data–and they are.  But e-mail can potentially contain data from ALL those sites all in one place.  This is a good first step and Google, with its incredibly far reach, is wise to take the lead in this.  It would be great to see others start to follow suit soon.