
Data Security & Identity Management: Essential 1st Cousins in IT Security

As a senior architect, sales engineer, and consultant out in the field working closely with senior IT security leaders and CISOs, I sometimes run into questions surrounding the Vormetric product line related to Identity Management. Having implemented identity management solutions for Fortune 500 companies around the world for a number of years, I truly appreciate when these questions arise, as it demonstrates some understanding that Data Security and Identity Management are essential first cousins in IT Security.

How are they first cousins within IT Security and why are they both so essential, vital and important, you ask? At some point here, I’ll throw out at least a one-line history statement to show how and why they are related so we can subsequently understand their vitality and importance within enterprises in today’s world.

Data Security & Identity Management Go Hand In Hand

But first, when you think about it, at base and stripped all the way down, digital information is about digitized data on a storage medium of some sort. That’s it. Whether it’s raw data or data that is executed (i.e. a program, a script, etc.), to the storage device and the operating system that manages both, it’s all just “data.” The data itself then is at the heart of what every computing system is about. And data security is all about securing that data wherever it lives for the enterprise.

Digitized data just sitting on a storage device however is meaningless. Access to that data and a frame of reference – “this data is a ‘program,’ this data is ‘system data,’ this data is ‘user data,’” etc. – is what gives data meaning and life. [1] For someone who sells and/or implements in either the Data Security or Identity Management space, it can be very easy to don horse blinders and insist to customers that their solution is the essential piece:

“No! It’s all about protecting the data and having data protect itself!”

“Au contraire! It’s all about identities and governing access to the data!”

Actually, Data Security and Identity Management are symbiotic and synergistically linked – chicken and egg, needle and thread, wall and head (for all us cybersecurity professionals, I had to throw that one in there!), Batman and Robin, Oscar and Felix, Wallace and Gromit. (You get the picture… :-)) Ya gotta have both. Both are right, and neither by itself is the entire answer or solution to the problem of securing data. Data without access is dead. But access governance that doesn’t drive protection and controls all the way down to the data level is insufficient. Both are needed, necessary and essential and must be combined together to provide an effective and efficient solution to data security and identity and access management and governance. They go hand in hand.

In terms of implementation…, [Identity Management and Data Security] should be implemented top down and bottom up, and somewhat simultaneously, designed to meet in the middle.



The (Immediate) Future of Ransomware

April 26th, 2016 | Posted in IT Industry, Security

[Image: ransomware-chart]

In keeping with the fact that individuals and enterprises are seeing and experiencing a lot more occurrences of ransomware, I’m also seeing a lot of articles and comments either discussing it and what to do about it or providing some siloed indicators of where ransomware might go.

A number of comments, in my opinion, are aimed at what ransomware has been up until now and how to combat it.  Very soon, few if any of these suggestions are going to be effective in stemming the tide of ransomware. It’s my opinion that ransomware is already exhibiting some horrifying variations that we aren’t taking into consideration fast enough.

To Really Protect, Think Like a Criminal

It’s not a coincidence that some of the best minds out there when it comes to really understanding IT Security and how to actually address risk and stop these types of well conceived and formed attacks come from those who lived on the dark side and have come to the light – former hackers like Kevin Mitnick, Robert Morris and others. And we have a lot of white hats (too many to name here) who are extremely good precisely because they (a) think the same way as the criminal black hats and (b) have incredibly intimate technical knowledge just as black hats do.

And don’t think your servers are safe. Hackers are already looking to get inside of your data center and maliciously encrypt and hold for ransom as much of your company as they can.

In order to effectively handle some of these malevolent attacks, you can’t be standing still. The whole history of dark-side hacking, breaches and generalized wreaking of havoc paints a storied picture of never standing still. Because once something is proven as technically possible, the very next thought by highly sophisticated hackers is instantly “How can this be extended?!”

Almost all hacks start out as “let’s try something” attempts.  Initially even conceiving of a new vector often takes intimate and expert knowledge of the target (usually operating system, but sometimes a target language flaw or other kind of architecture). But once a potential vector is exposed as having validity, it’s game on. There’s the initial hack, and then all the “mods” (modifications) that go with it come like a flood. (Reference the attached graphic associated with this article.)

Ransomware is no different. Just when you think you’ve got the attack scheme and the attack vector figured out, so many mods are hitting you, it makes your head swim. I’m seeing some articles, well-meaning, that state “if you just do this, this and this, you can stop ransomware.” If you do those things, yes, you can stop the ransomware of today or the ransomware of last week. But you won’t be doing much to stop the ransomware of next week or next month or that’s coming out in three months.

Hackers are always thinking fifteen steps ahead. It’s time we started doing the same. Here are some things to “look forward to” and expect when it comes to ransomware. A lot of these mods are already in the wild! But if they are not, you can be sure, hackers are already working on these:


History Demonstrates Strong Encryption Is Here To Stay

January 15th, 2016 | Posted in Data Security, Security

(Originally published on LinkedIn – January 13th, 2016)

I am a very firm believer that knowing the background and history of things provides a much better forward-looking perspective and present decision making capability. Would that this view were adopted more widely. If it were, the age old George Santayana quote that “those who don’t remember the past are condemned to repeat it” would never have come into existence. The fact mankind never really seems to learn the lessons of history also seems to trap the unfolding of events in a cyclical pattern.

The Encryption Debate and History’s Lesson

Encryption, that technology that for years in the computing world has done its job quietly in the background and without much acclaim, is suddenly a topic that is all the rage due to recent and tragic world events. Lawmakers stipulate and paint a gloomy picture that without the ability to intercept and decipher encrypted communications on the part of criminals and terrorists, national security is at serious risk. Technologists on the other hand, including myself, maintain that the implementation of so-called “backdoor encryption” in effect weakens encryption for all of us with severe consequences and effects to our normal, everyday security, economy and lives. Essentially, to weaken encryption would be to cut off our noses to spite our collective economic and everyday-life faces. Lawmakers and technologists and technology companies are digging the trenches and the staunch faceoff, while mostly civil at the moment, continues.

In a recent interview for The Wall Street Journal, Max Levchin, co-founder of PayPal and a cryptography expert, questions along with other technologists (including yours truly) whether lawmakers really understand how encryption actually works. Levchin goes on to stipulate that if we’re going to continue the national debate, let’s at least make sure lawmakers do in fact understand how encryption works technically. And perhaps few are more qualified to step up and provide such an education than Max and other well known cryptographers in the cryptographic community.

Not only do I question whether lawmakers understand how encryption works, I also question whether they’ve really taken into account how the world works. It would be easy for anyone to say “how the world works today” but history, if we’re willing to learn from it, demonstrates the world has been working a certain way for a very long time when it comes to widespread technological innovation leveraged in conjunction with outside agenda.

Let’s take a quick lesson from history that coincidentally has ties to today’s date – January 13th – and see if history has anything to teach us concerning how the weakening of encryption would very likely play out were lawmakers to insist on their position through mandatory legislation.


Considerations Around Application Encryption

December 22nd, 2015 | Posted in Data Security, IT Industry, Security, Tools

For years, the use of encryption to protect data-at-rest on computers within the enterprise was solely the responsibility of developers who coded the applications that used or generated the data. Early on, developers had little choice but to “roll their own” encryption implementations. Some of these early implementations were mathematically sound and somewhat secure. Other implementations, while perhaps not mathematically sound, were adequate for the risk developers were attempting to mitigate.

As technology progressed, choices for encryption matured and solidified across development stacks. Callable libraries were born. Algorithms were perfected, significantly strengthened and pushed into the public domain. And beyond application encryption, encryption itself began to offer benefits to the enterprise at an operational level – within turnkey, off-the-shelf solutions that could be aimed at specific enterprise use cases such as end-point data loss prevention (DLP), encrypted backups, and full-disk encryption (FDE) among others.

Today however, when CISOs and senior security, software and enterprise architects think of protecting data-at-rest, their conceptions can sometimes hark back to days of old, and they will stipulate that encryption solutions must necessarily be implemented at the application layer.

And while it turns out there is actually no extreme fallacy in this thinking and some benefits at this layer remain, there are some considerations and tradeoffs surrounding application encryption that aren’t overtly obvious. These considerations and tradeoffs can get lost when not weighed against more recent turnkey, transparent solutions that are implemented at a different architectural layer with nearly the same benefit yet with much less risk and cost.

Let’s look at and consider some of the ins and outs of application encryption. Hopefully the following thoughts and considerations will help those who are deep in the throes of needing to make a decision around encryption of data-at-rest.


Two Years Later: Reflections from “The Breach”

November 6th, 2015 | Posted in Data Security, IT Industry, Security

President and CEO of Vormetric, Alan Kessler, blogged earlier this week concerning the far-reaching impacts of the Target breach – reflections from almost two years later. Alan noted in his article that the Target breach was the most visible mile marker in 2014, a year full of breaches and continuing into 2015, and he went on to discuss and reflect on some of the other specific breaches.

In this article, I would like to reflect on some of the industry-wide changes that have taken place since the Target breach.

“The Breach”

The Target breach was so significant that for at least the first year afterward, it was referred to, especially in security circles and even on the news, as simply “The Breach.” And as Alan has already detailed, that breach was merely a harbinger of things to come with major breach after major breach taking place after the Target breach.

But what has been the impact of all these breaches? As one would expect, reactions and responses to “The Breach” by organizations have been all over the map.  Some have, as the saying goes, not “let a good crisis go to waste” and have become better companies as a result. Others have not fared or reacted as well.

While “The Breach” and the major breaches that followed have led most major retailers to reevaluate their data security approach, the retail edition of the Vormetric 2015 Insider Threat Report shows that retailers still have a long way to go. Over 51% of retail respondents reported being very or even extremely vulnerable to insider threats – the highest rate measured in the study. Many of these organizations continue to invest in traditional security approaches that have proven over the last two years to be insufficient.

While the threat obviously still remains high and a number of organizations still admit they have a long way to go, positive changes have taken place since “The Breach” (hereafter referred to simply as the breach) that are moving the retail industry and other industries along in a positive direction.


History Foretells the Raising of the Ante: Securing Your Data Now All but Mandatory

August 31st, 2015 | Posted in Data Security, IT Industry, Security

It’s been said that those who don’t learn from history are doomed to repeat it. In my last article, I wrote metaphorically about the medieval arms race to protect the pot of gold inside the castle from outside intruders. This time I want to draw upon history as the telescopic lens through which we forecast the journey into the future in a world full of advanced technology. Through this lens, we will see that the future is already here and history is beginning to write the same story again.

We’ll aim our history telescope backwards in time to the technological breakthrough of the automobile. As with any new technology, the automobile was initially embraced by only a few. While the first automobile may have been designed and custom-built as early as the late 1600’s, automobiles were not mass produced and available to the general public until the turn of the 20th century. Widespread, generalized use of the automobile came about right after World War I, thanks to the genius of Henry Ford.

Even in the early days of the automobile, there existed enough power in these “new” devices to wreak havoc upon lives whenever there was an automobile accident. Victims of such accidents were often left holding the bag in terms of the costs and consequences, as were the drivers themselves, regardless of who was at fault. At some point the repeat scenario of “cause and victim” attracted the attention of governments and the auto insurance industry was born through mandatory legislation. The ones wielding the wheel of this new technology were made accountable and the ante was raised.

Shift ahead to the 21st century and we behold the power of a world full of automation, driven by the wonders of computer technology. And while computer technology is no longer new either, the global use of computer technology as the business engine fueled by its gasoline of endless data tied to the consumer is starting to have the same effect whenever the “accidents” that we call breaches take place. Governments are beginning to wake up and take notice, and questions concerning liability are starting to be asked. In effect, the future is happening now, history is in the process of repeating itself, and the ante is being raised once again.



Data Is The New Gold: Getting Data Security Right in Retail

August 28th, 2015 | Posted in Data Security, Security


Traditional security has always been metaphorically tied to the medieval castle building of old: building thicker walls and drawbridges, creating multiple perimeters, raising larger armies, you know – the whole nine yards. This paradigm extends into the modern world, which maintains its fascination with sophisticated perimeters. For exhibit A, witness the recent Mission: Impossible Rogue Nation Hollywood blockbuster where sophisticated perimeter security was the primary obstacle to overcome.

A Data-Centric Approach Is Needed

But imagine changing that mindset from traditional perimeter-based security to data-centric. A data-centric approach, cast against the metaphorical medieval art of castle building, would result in thieves penetrating outer defenses, only to find the pot of gold actually filled with worthless tokens or paper notes.

Throughout the movie, traditional approaches didn’t stop Ethan Hunt (the protagonist, manipulated by the antagonist into doing his dirty work) and they won’t stop Ethan Hunt-like hackers from infiltrating retailers’ networks.

Data Is The New Gold

As the world progresses from a mere “information age” into an age of “big data,” it’s simple – the volume, granularity and sensitivity of individual data is growing exponentially. With this growth comes severe risks and consequences of losing valuable data.


@IdMConsultant for IdM Related Tweets

December 2nd, 2012 | Posted in General Idm/IAM, IAM Development, IT Industry, Security

I’ve been wanting for a while to create a dedicated channel on Twitter for tweeting content specific to Identity & Access Management. As of now, I’ll be doing exactly that via a new @IdMConsultant Twitter account. (Totally shocked that that Twitter account was actually available!)

So look for short, I-hope-to-be-handy tweets on the various IdM products we implement, support and provide expert advisory services on through Qubera Solutions. Expect tweets such as “Implementing Full Text Search for #SailPoint #IIQ6? Don’t forget to copy the resulting index files across your server farm!” Qubera Solutions is IdM/IAM vendor agnostic — we advise and implement solutions that fit your specific needs and requirements, so expect tweets that are vendor agnostic as well, but narrowed to just IdM/IAM.

(Traffic on my older and still existing @TechnologEase Twitter account will carry more general content relating to technology in general and what TechnologEase exists for which is Internet Consulting. Done Right.)


Troubles w/Kindle And “Consumer Security”

May 6th, 2012 | Posted in General, IT Industry, Mobile, Networking, Security

I just wanted to provide the results of a two-hour-long trouble-shooting session on a new Kindle brought into my household yesterday. Not only was it a bit frustrating, but in light of a number of things, quite astonishing as well. Astonishing that Amazon, Google and even Apple to some extent view and address the consumer market the way that they do. As a consumer, I have to say it’s frustrating. As a security professional, I have to say it’s disappointing to say the least.

First the problem: You’d think these days it would be a simple thing to go down, buy a wireless device and throw it on your network in no time flat.  That was exactly what I attempted to do yesterday.  I went down to buy a cheap Kindle for one of my children, throw it on the network and be done.  Two hours and an even exchange later, I finally figured out what the problem was.

For most devices, the act of associating with your wireless network and then using your network are two different things. So we always get a device onto the network first, then worry about how it’s going to connect to outside services later. Because, yes, admittedly, I’m not running normal equipment here at home. We don’t allow full blown access to the outside, polluted internet for a number of reasons. We have a combination web-filter/proxy server appliance (in the cloud, actually), a commercial-grade firewall, a caching DNS server and a few other things sitting in between devices on the soft, chewy inside network and the hardened outer shell.

But again, in the past, this was not a problem. We knew, once devices got on the network, some equipment might have to be visited and settings slightly tweaked in order to get a device to work.

Here Is Why Amazon States Kindles Don’t Work In Enterprise Settings

The thing with Kindle that is different however is… when you are attempting to connect to your wireless network, Amazon, in the name of let-me-hold-your-hand-consumerism (which isn’t necessarily a bad thing — Amazon lives and breathes based on the consumer’s point of view, or tries to anyway), does a little bit more.  The Kindle first tries to connect to your wireless network, utilizing the base amount of information you’ve provided it.  Once successfully connected however, the Kindle doesn’t immediately tell you this.  It tries to connect to a backend somewhere at Amazon first.  If you have a firewall blocking that access, the Kindle doesn’t indicate this is the problem, it merely punts and reports back that… it can’t connect to your wireless network. Which isn’t entirely the case, but that is what is reported.

Now again, as I stated parenthetically above, I understand why Amazon goes through the invisible two-step process, but… what is reported back is not the case and is extremely misleading. It took me some time, after digging through numerous forums, to discover that Kindle (Amazon) is going through this transparent, behind-the-scenes two-step process. Once that was known, I was able to work around it, albeit by taking drastic measures I wouldn’t normally expect to take, but, I was able to register the device.

Which brings me to a major frustration as a consumer and disappointment as a security professional.  If Amazon truly lives and breathes from the consumer’s point of view, I hope they as well as Google and Apple — three of the world’s most major internet “impactors” (at present) — take the following into serious consideration:

Amazon, Apple and Google Seem To Be Ignoring The Obvious

I can’t go off on a complete diatribe right now, but… Amazon and Google and to some extent even Apple don’t seem to realize that the internet they have helped develop has, as a result of their efforts, gotten just a tad bit more sophisticated lately.  With that sophistication, some complexity has necessarily had to be driven down to the consumer level.  It’s not just corporations which utilize firewalls and proxies and other security devices and approaches any longer.  You can go down to Best Buy or buy right off the Amazon “shelves” ironically, any number of mainstream wireless access points and routers and nearly all of them come with a feature set that allows a more sophisticated consumer (shall we say) any number of options for securing their home networks.  Not just from people getting in, but controlling somewhat how people on the inside get out.

Yet, I can’t for the life of me understand why Amazon and Google (and again Apple to some extent) “act like” these kinds of features don’t exist and continue to act like we are still in 2005 when most people simply didn’t or didn’t know how to apply simple WEP, WPA or WPA2 security to their wireless devices or utilize any other security approach.  They act like every WiFi network you attach to has completely 100% free unhindered access to the internet and maybe a couple of devices hooked up to it.

Beyond that even, they seem to be pushing for this to be the normative setup in a day and age where security has to be taken into consideration even down to the consumer level. These devices weren’t designed with that in mind and in fact the companies seem to thumb their noses a little at any consumer who has taken security a little bit more seriously than most. And that is disappointing and annoying. (That is, their explanations read between the lines as “Yeah, we know that, but we don’t care; our devices were purposefully designed to only work on wide-open wireless networks — deal with it.”)


Remote Windows (SMB) Sharing over Secure, Encrypted SSH

October 10th, 2011 | Posted in Networking, Security

Here’s a blast from the past. For years I’ve kept an engineering notebook. Simply because after about a decade of playmaking, everything started to blur. Who, what, how and when started to just get hard to track. (And I still haven’t written down everything unfortunately — which really is just a tad irritating when I have to reclimb a mountain once already conquered… :-))

So from time to time, I may reach back and post something of interest, esp. if I’ve had a hard time finding the solution anywhere else. (There’s a million things I’ve done that everyone else has done. You don’t need this blog for that. Click here to find those. :-))

So, once upon a time — I’ll not state the time, place or occasion — I wanted to connect to my Windows shares at home from a remote location inside of a firewall. Now, everyone knows SMB and Windows file sharing in general is notoriously insecure. How to do this without exposing myself and the network I was on? Enter the old trusty companion, SSH. Here’s how we do it, picking up from a post several years ago:

Original Posting

It’s not too hard to run a remote LAN connection over an SSH tunnel on Windows.  Assuming the SSH tunneling aspect of this is already in place (via Cygwin, PuTTY or something else), here’s what we need to do:
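The post's own steps are cut off in this excerpt. As an added example that is not the original post's procedure, here is the same idea done from a Linux or Cygwin client with a plain OpenSSH `-L` forward of TCP 445 and a `mount.cifs` mount on the tunnelled port. The gateway, file server, share, user name and the loopback alias `127.0.0.2` are assumptions (Linux answers on all of `127.0.0.0/8`; other systems may need the alias configured first). The one guard in the script is the mistake that turns this from a private tunnel into a LAN-wide exposure: binding the forwarded port on anything but a loopback address.

```shell
#!/bin/sh
# Added example; not code from the original post. Gateway, file server,
# share, user and the loopback alias are assumptions.

# Build the SSH command that carries SMB (TCP 445) through the gateway.
# -N: no remote shell; -f: background once authenticated;
# ExitOnForwardFailure: die loudly if the local bind is refused, which is
# exactly what happens when the client's own SMB stack already owns 445.
# -L takes [bind_address:]port:host:hostport; the bind address is always a
# loopback address, never 0.0.0.0 or -g, so the share is not re-exposed on
# whatever untrusted LAN the client is sitting on.
smb_tunnel_cmd() {
  gateway="$1"              # e.g. user@gw.example.com (assumed)
  fileserver="$2"           # SMB host on the home LAN, e.g. 192.168.1.10 (assumed)
  bind_addr="${3:-127.0.0.2}"
  local_port="${4:-445}"
  printf 'ssh -N -f -o ExitOnForwardFailure=yes -L %s:%s:%s:445 %s' \
    "$bind_addr" "$local_port" "$fileserver" "$gateway"
}

# Build the mount for a Linux/Cygwin client. mount.cifs accepts port=, so an
# unprivileged local port such as 4445 works; Windows Explorer cannot be told
# a port, which is why a native Windows client instead needs a loopback
# adapter address (with file sharing unbound from it) forwarded on 445.
smb_mount_cmd() {
  bind_addr="$1"; local_port="$2"; share="$3"; mountpoint="$4"; user="$5"
  printf 'mount -t cifs //%s/%s %s -o port=%s,username=%s,vers=3.0,sec=ntlmssp' \
    "$bind_addr" "$share" "$mountpoint" "$local_port" "$user"
}

# Accept only loopback bind addresses for the tunnel end.
is_loopback() {
  case "$1" in
    127.*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Print the two commands to run (tunnel first, then the mount as root).
# Returns 1 without printing anything if the bind address would expose the
# forwarded port to the LAN.
open_share() {
  gw="$1"; fs="$2"; share_name="$3"; mnt="$4"; usr="$5"
  baddr="${6:-127.0.0.2}"; lport="${7:-4445}"
  if ! is_loopback "$baddr"; then
    echo "refusing non-loopback bind address $baddr" >&2
    return 1
  fi
  smb_tunnel_cmd "$gw" "$fs" "$baddr" "$lport"; echo
  smb_mount_cmd "$baddr" "$lport" "$share_name" "$mnt" "$usr"; echo
}

# Example invocation (assumed names):
# open_share user@gw.example.com 192.168.1.10 Documents /mnt/home alice
```

Running `open_share` prints the `ssh` line and the `mount` line rather than executing them, so the forward and the mount can be checked before anything listens. Only the tunnelled port ever touches the untrusted network; SMB itself is never exposed beyond the loopback interface, and `ExitOnForwardFailure` prevents the common silent failure where the tunnel "connects" but the 445 bind was refused by the host's own file sharing service.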
