Blending Cloud IAM Delivery Flavors: Convergence Of In-House And IAM Suite Offerings

Andras Cser

Today we see two basic flavors of cloud IAM. One archetype is the model offered by Covisint, VMware Horizon, Symplified, Okta, OneLogin, etc.: these vendors provide relatively tight integration, but less capable identity services based on their respective firm's own intellectual property. Because of the above, these offerings clearly have a short implementation time. The other camp of vendors believes in providing hosted services of "legacy" IAM products: CA Technologies coming out with CloudMinder, Lighthouse adding their own IP to IBM TIM/TAM, Simeio Solutions blending OpenAM and Oracle's identity stack with their own secret sauce, and Verizon Business using NetIQ's IDM stack as a basis for their hosted offering solution.

Read more

The Psychology Of Bad News

Andrew Rose


Last night I stumbled across a documentary on BBC2 (content only available to UK residents – sorry!) about the human brain. One section talked about how the brain perceived risk issues – obviously an interesting topic for security folk!

A test subject was placed into a brain scanner and asked to estimate the likelihood of 80 different negative events occurring to him in the future – from developing cancer, to his house being burgled, to breaking a leg etc.  Once he had stated his opinion, the real likelihood was then displayed to him.

At the end of the 80 events, the process resets and the subject is presented with the same events and asked to, once again, state his perceived likelihood, although this time with some knowledge of the actual answers.

The results are surprising. 

Where his initial response had been too pessimistic, the test subject adjusted his perception to align with the actual likelihood. However, where he had initially been too optimistic, his opinion remained largely unchanged by the facts! It was apparent that the brain proactively maintained a ‘rose-tinted’ view of the risks, accommodating a more optimistic view but shunning anything more negative.

The scientists argued that the brain did this for two main reasons:

1 – To minimise stress and anxiety, for the resultant health benefits; and

2 – Because an optimistic outlook helps drive success, support ambition and keep humanity striving for a better future.

Read more

How To Survive And Thrive At #SXSW If You’re Not From Texas

John Kindervag

I’ll be in Austin, TX this weekend to participate in South-by-Southwest Interactive. My panel “Big Data Smackdown on Cybersecurity” will be held Sunday, March 11 from 12:30PM - 1:30PM at the Austin Hilton Downtown. Hope to see you there.

Now, I wasn’t born in Texas, but I got here as soon as I could. I’ve lived in Dallas, TX for 30 years so I consider myself an adopted native-Texan. I’ll be at South-by-Southwest Interactive this weekend, so I thought I’d share some tips for all my current and future friends. For those of you from out-of-state – known as furriners – I hope you’ll find this advice helpful.

You’re coming to a foreign country.

Read more

An Unexpected RSA Encounter

Rick Holland

Last Friday, after a long week of RSA conference events and meetings, I eagerly looked forward to slipping on my headphones and enjoying the relative silence of my flight back to Dallas. As I approached my seat, I saw I was sitting next to a United States Air Force (USAF) officer. I looked at his rank and saw two stars on his uniform, making him a major general. I had a sudden sense of nostalgia and I instinctively wanted to salute him. I resisted the urge, introduced myself, and thanked him for his service.

Over the next two hours I had the most unexpected and fascinating conversation of my RSA week. It turned out that my fellow traveler is the commanding officer of the Air Force Research Laboratory (AFRL). According to the website, the AFRL is “the Air Force’s only organization wholly dedicated to leading the discovery, development, and integration of war fighting technologies for our air, space, and cyberspace forces.” We discussed a variety of open source topics, including electromagnetic pulse weapons, cyberweapons, Stuxnet, unmanned aerial vehicles, USAF renewable energy initiatives, as well as national policy.

Read more

Starving The Golden Goose

Andrew Rose

The new revolution in apps and social media continues at a stunning rate. Nearly every day a colleague tells me of another app or site that is bubbling up and about to hit the big time. Many will not break through, but some will capture the imagination and become the next generation of YouTube and Facebook.

The behaviour of certain apps/sites, however, gives me some cause for concern. As a recent entrant to Pinterest, I was alarmed to note that the site takes a copy of the pinned image and serves that from its own servers. The burden of managing copyright issues seems to sit firmly with the users, most of whom never give such legislation a second thought. There is a method for removing content; however, unsurprisingly, it’s not half as simple as pinning new content. Pinterest’s terms and conditions are also interesting, giving it “irrevocable, perpetual, royalty-free” permission to “exploit” member content.

The Pinterest site is building its value on other people’s content — which is fine as long as those people have consented.  I recently looked at some interesting Infographics pinned on the site, all of which must have taken considerable resources to put together, yet I never once needed to visit the source site, which may have perhaps triggered advertising income vital to enabling them to continue their work. I wonder if they even realize their content is available in this way?  

Read more

Lies, Damn Lies, Security Metrics, And Baseball

John Kindervag

The legendary British Prime Minister Benjamin Disraeli is said to have noted that “There are lies, damn lies, and statistics.” Much of the technology world is focused on statistics and metrics. You’ve often heard it said, “If I can’t measure it, it doesn’t exist.” Known as the McNamara fallacy — named after the business tycoon turned Vietnam-era Secretary of Defense — this famous idea failed miserably as a strategy. While it sounds good to the CEO’s ears, there is a corollary bubbling up below him that implicitly states that “If my boss wants to measure something that doesn’t exist, then I’ll invent it!”

Read more

Security Pros Need To Value Pragmatism Above All Else

Andrew Rose

Last night I attended a vendor presentation about cloud-based risk and the threat from nation state attacks. Unfortunately, due to a busy schedule and a difficult journey, I arrived just as the final presentation moved to its Q&A stage. Listening to a Q&A session when I had no idea what the content of the presentation had been was actually quite an interesting experience, unfortunately not for all the best reasons.  A section of the audience immediately dived into the detail and tried to find fault with the solutions that had evidently been outlined. They poked and prodded the presenter until she admitted that no solution was 100% and, yes, there were ways to mount a successful attack even with her recommendations in place. At that point, the questioners sat back in their seats, triumphant – they had won.  There seemed little interest in continuing the conversation to figure out ways to minimize the remaining risk, and their body language suggested that they had mentally discounted everything that had been said.

I was a little disappointed by this. Some S&R pros seem to treat information security as an academic exercise, a challenge where the best argument wins and security is a mere footnote. These folk are often also the ones who overreact to very complex, and very unlikely, technical threat scenarios while overlooking behaviors and processes that may be fundamentally flawed. They appear unhappy with any security solution that isn’t perfect. I had hoped that we all recognized that good security was not about hitting a home-run; it’s much more about applying the 80/20 rule over and over again, iteratively reducing the risk to the organization.

Read more

WikiLeaks And Stratfor Make The Case For More Data Encryption

John Kindervag

Yesterday, WikiLeaks released emails taken in the highly-publicized Stratfor data breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator, others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies and rarely illumined in real life. For example, one email suggests that Stratfor is working on behalf of Coca-Cola to uncover information to determine if PETA was planning on disrupting the 2010 Vancouver Olympic Games.

While Stratfor’s response suggests that some of the emails may have been tampered with, this is not the point. As the soon-to-be infamous “Lunch Theft” email shows, that might be merely what the email calls Fred's rule # 2: “Admit nothing, deny everything and make counter-accusations.”

Read more

Force Multipliers - What Security & Risk Professionals Can Learn From Special Forces

Rick Holland

Last week I read an article on wired.com’s Danger Room blog about the elite US military Special Forces command, JSOC. The units within the Joint Special Operations Command (Delta Force and Seal Team 6) are responsible for the most clandestine and sensitive US military operations, including the Bin Laden raid into Pakistan last year. JSOC is very similar to elite Special Forces (SF) units across the globe, including the Russian Spetsnaz, British SAS, French Naval Commandos, and the Israeli Shayetet 13. These SF units are capable of addressing asymmetric threats that traditional military units aren’t prepared to handle.

In the article, Spencer Ackerman interviews Marc Ambinder, one of the authors of The Command about JSOC. The article piqued my interest and I just finished reading the eBook. Like almost everything I do, I considered the information security implications as I read it.  Today’s infosec threat landscape is dominated by unconventional threats that are difficult to address. How can we leverage the techniques utilized by SF to deal with the cyber threats we face today?  I realize that we have an international audience, and my point isn’t to focus on US policy, but rather to take a deeper look at the unique capabilities of SF units and what lessons we can apply in our roles as S&R professionals.

Read more


Open & Honest - Should Breach Disclosure Be Mandatory?

Andrew Rose

A few months ago I shared a flight with a very pleasant lady from a European regulatory body.  After shoulder surfing her papers and seeing we were both interested in information security (ironic paradox acknowledged!) we had a long chat about how enterprises could stand a chance against the hacktivist and criminal hordes so intent on stealing their data.

My flight-buddy felt that the future lay in open and honest sharing between organisations – i.e. when one is hacked, it would immediately share details of both the breach and the method with its peers and the wider industry; this would allow the group to look for similar exploits and prepare to deflect similar attacks. Being somewhat cynical, and having worked in industry, I felt that such a concept was idealised and that organisations would refuse to share such information for fear of reputational or brand damage – she acknowledged that it was proving tougher than she had expected to get her organisations to join in with this voluntary disclosure!

Across the US and Europe we are seeing a move toward ‘mandatory’ breach disclosure; however, the two regimes have seemingly disparate intentions. US requirements focus on breaches that may impact an organisation’s financial condition or integrity, whilst EU breach notification is very focussed on cases where there may have been an exposure of personal data. Neither of these seems to be pushing us toward this nirvana of ‘collaborative protection’.

In the UK, I’m aware that certain organizations, within specific sectors, will share information within their small closed communities; unfortunately this is not widespread and certainly does not reflect the concept of ‘open and honest’ as my flight-buddy would have envisaged.

Read more