Friday, August 26, 2011

Is Authenticating to the Cloud different than anything else?

I was reading an interesting article the other day on a new Government Cloud service being offered by Amazon ("Security advances and budgetary pressures draw agencies to cloud" - Nextgov). This raised a number of thoughts for me, including the cost of compliance for Amazon to maintain the system to meet some very broad and detailed government requirements. Now do not get me wrong, I think that Amazon has the capability to do this; the question becomes whether there is the long term desire to maintain the things that the government will require of them. The flip side of this is that it may encourage the government agencies to rethink how they look at maintaining systems, and may in turn help them to reduce some of their costs internally as well.

The other thought I had was one of protecting access to the data. The federal agencies have broadly moved to smart card based authentication systems and are now looking at how to enhance that with attribute based authorization using architectures like BAE (Backend Attribute Exchange). I wonder how Amazon intends to leverage the authentication infrastructures that have been put in place. Does the Amazon offering now allow extension of the user platform beyond the traditional desktop to tablets and smartphones, both of which have become very relevant in the government market? How will Amazon handle the enhanced checking of credentials and interoperation with these systems? How open will they be to the accepted government profiles for SAML, OpenID and Kantara? There are lots of questions here, and depending on which requirements the government has been testing the Amazon service against, these may already be in the forefront or they may start to appear as people use the service.

Of course there is no lack of technology that will enhance the architecture. Systems that support multiple authentication device types (which may be required depending on the resource accessed), combined with the ability to roll out strong authentication credentials to smartphones or tablets (whether PKI, OTP or others), along with a variety of smart card/chip capabilities that can use various communication technologies, certainly open the field of use.

These are all things we are working with today and implementing for a broad audience. The technologies are there, the systems just need to leverage them appropriately.



- Posted using BlogPress from my iPad

Friday, August 12, 2011

Those who cannot remember the past are condemned to repeat it

This quote from George Santayana has been somewhat skewed over time ("Those who do not learn history are apt to repeat it" being one popular variant), but I believe Santayana's words are as true today as ever.

No, this is not a post about politics - it is about security, and it ties into some of the recent thoughts on planning. As I had a coffee today I began to think about security from a network perspective. Not network security, but the perspective of security being established through the interconnection of people, technology and events. As I did this I remembered some of my history, and it then dawned on me how similar things in the past are to what has been happening today. Let me try to explain.

Most of you are familiar with the Comodo attack from earlier this year. The attack was perpetrated by going after the platform used by an administrator. The success of this attack allowed the attacker to create credentials in the name of some very significant companies, which would have enabled very broad attacks on potentially hundreds of thousands of users. Thankfully the latter part of the attack was not executed and the breach was discovered before major widespread damage. The point here is that the attack was against the management plane of the system, and an attack at that level can be hard to discover. A similar management plane attack occurred in 2010 that allowed someone to take control of a private Certificate Authority, which caused major problems for a very large contracting firm in the US. Two examples of management plane attacks that created great havoc.

So where is the history linkage? Well, 25 years ago there was a manager at a firm in California who discovered an accounting error in a system. He asked one of his people, Clifford, to look into this. It took some time, but Cliff was able to discover a sophisticated attack against the burgeoning defense and other networks. He eventually traced the perpetrator to a network connection coming from Germany. For some time he got nowhere working with the Deutsche Bundespost, who ran the networks, and then one day they called with the data he needed. What Cliff did not know at the time was that the perpetrator had used a management plane attack within the Bundespost system. He was able to connect to the DBP network, carry out his attack against networks all throughout the US, and then go back and delete the accounting record on the network switch before it was uploaded to the accounting system. To the DBP the user was never there. A young guy living in Ottawa worked with the DBP and they found the switch coding issue that allowed the intruder to delete the accounting records. The hole was closed and a couple of months later Markus Hess was caught.

Now, closing the accounting hole at the DBP was only one piece of the puzzle (to learn the rest, read The Cuckoo's Egg), but it did show that an attack against the management plane provides a mechanism to hide the real attack.

The lessons learned here are many, but the big ones are: understand system connectivity (the network); plan to protect hierarchically, making sure the high value management systems get attention; and leverage new technologies that provide strong two or three factor authentication on the highest value assets, since a breach there will either bring the entire system down or will create a security gap that is not even known about.


Monday, August 8, 2011

Timely ....

A few weeks back I wrote a piece on planning. The context may have seemed odd to some, unless you are a runner, but the basic idea is that for any challenging undertaking you need to plan not just for completion but for events that may hinder that completion, whether those events occur in the preparation or the execution of your plan.

The timeliness aspect comes in light of a lot of recent articles and commentary around breaches, social engineering attacks and announced vulnerabilities. It should be no surprise that we are seeing an increase in articles on this with DefCon in Vegas this past weekend, and the events that led up to it, but I think we are also seeing the recognition of a true problem even from outside of the technical community.

As I read some of the articles that come out I see a consistent theme: little opportunities that are missed, which either created the gap that was taken advantage of or created a gap that made the initial event so much worse. One of the best pieces I have read that begins to address some of the issues with actionable ideas was a piece written by Jeffrey Carr on Shady Rat. In this piece he identifies a four step process that starts to address the "gap that made the initial event worse". This type of direct action, taken in conjunction with the development or revisiting of a broader plan, is what is needed for organizations big and small. (For those small organizations that think this is a non-issue, take a look at the Anonymous hack at rural sheriff offices, and that is the new stuff - the older stuff would really scare you.)

What is that broader plan? I wrote on some of this a few weeks back, and I still contend that it is bigger than this or any blog is, but there are some basics. I hate simple graphics as they can be so empty, but I think in this case if we go beyond simple we are writing a book - so here goes:


For most organizations, 5 simple areas are what need to be looked at. I was going to do the loop-back diagrams, but being a car guy I like gears better and it gets the point across. The point is that all five elements need to work together. The four outer gears, although smaller, are as important to get right as the overall strategy. All of these working together is what drives the organization's business purpose. Mess with one gear or implement it poorly and the overall plan suffers. As I mentioned a few weeks back, ignoring the surprises, or not being prepared to respond to the unknowns, will also cost dearly.

I think that most companies will say that they have these basic elements in their plans, but based on what is happening in the real world we are seeing that either they are not well implemented or they are not being effectively updated and monitored. A plan is only as good as its execution. So take a look at your plans, update them as needed and have in place a regular review - and that does not mean every 5 years. In today's world it should, at least, be part of your quarterly reviews.



Monday, August 1, 2011

NSTIC Privacy - a better understanding

A few weeks ago I wrote about the NSTIC privacy conference. It was one of those events where a lot of ideas and concerns were discussed, which I always find helpful. Sometimes, however, you need to live some of these things to appreciate them. Here is a case in point .....

Yesterday I took two of my kids to have lunch in Baltimore. We all like the city, and being a short drive away it is nice to swing by to see what is new and what is going on. We decided to grab lunch at a little pizza place just east of the main Inner Harbor area. When we got there I did a quick Yelp check-in and that got posted to my Twitter feed. Three hours later I got a text from the Twitter account of a Baltimore-targeted restaurant deal site. My conclusion is that because of my Twitter post I was marketed directly for this service.

Now I am the first one to admit that Twitter, Yelp, etc. are very open with limited privacy controls. But I had never been targeted so directly before. Because I had dined in a city, I was now a market target. Do I have a right to let my friends know where I dine and whether I enjoyed it without the worry of being bombarded with service offerings? It is a simple case, but I do see why the privacy groups are concerned with the tracking of activities based around our identity.

How do we solve this? Of course there are those out there who will say: do not twitter all you do. But I am not sure that is a sane business model for someone like Yelp or for the businesses that rely on what is effectively word of mouth advertising. I will give kudos to the guys that developed the system to target market me, but that being said, I want control of what I am getting or seeing. I strongly believe that a combination of attribute release capabilities and opt-in/opt-out mechanisms needs to be built into the provider systems so I can turn on or turn off these types of activities.

Hopefully NSTIC will drive the different parties to cooperate on an interoperable way to achieve this, which I believe reduces risks for users and certainly makes them feel more confident about their privacy.

