Changing the Landscape - IBM's $1.5 Billion Security Initiative

On November 1^st, the world’s largest IT company  set forth a major security initiative - developed over the past 18 months, IBM announced strategies to help its customers achieve  “an enterprise free of fear” (their term). Big Blue is allocating $1.5 Billion and 200 security researchers to turn that vision into reality.

What does this mean to all of us?

Because IBM views compliance with regulations as one of the main drivers behind this initiative, their proposed new approach is based on a comprehensive and automated security risk management process. The goal is to provide CIOs and CISOs with tools and methodologies to automate the measurement and assessment of business processes and risks, as well as the costs of managing their information more effectively.

IBM's risk management framework is fleshed out with a family of security products that help address external threats - these include ISS, Watchfire, Fidelis Security Systems, PGP and Verdasys.

In future blogs we will take a closer look at what we already know about the IBM Security Framework , what we see on the horizon, and the Web Application Security and Network Vulnerability Assessment products that make it all work.

I, for one, welcome IBM's commitment to this space, and look forward to monitoring their progress with you!

Key Benefits of Build and Release Delivery Automation

When building an effective enterprise architecture framework, the following five primary architectural components need to be defined and addressed:

1. Enterprise Services: Shared enterprise  services business architecture
2. Information Systems Services: use of a service oriented approach to deliver application integration and information services
3. Infrastructure: - description of the approach for establishing and operating data centers, networks and platform hardware and or software
4. Security Services: processes, governance and associated technologies required to achieve and maintain information security for enterprise services
5. Service Management: Support and Delivery processes to enable effective management of Enterprise Services

The Service Management component, which is becoming increasingly important to executives and IT architects, comprises Incident Management, Services Level Management, Configuration Management, Change Management, Release Management, as well as other related processes.

In this blog, we will focus on the Release Management process and evaluate the benefits to organizations of automating their Build and Release Delivery Process and consequently achieve business improvements.

Build and Release Delivery Automation delivers value to organizations by reducing the cost of software delivery. This increased development efficiency is achieved by reducing manual steps and leveraging quality processes across multiple projects.

Decreasing overall time to market is another benefit of Build and Release Delivery Automation. Accelerated development cycles by enabling server pools, parallel processing and performance queues enables of a given project into independent tasks, which can execute in parallel on one or several servers.

This process automation could translate into increased quality of products delivered by accommodating more frequent code builds, providing developers with immediate feedback on the success or failure of their coding efforts to keep them on the right track and providing QA teams key information about builds so they know what changed and what tests should be run.

To better understand the benefits associated with Build and Release Delivery Automation, we need to look at reduction of the cost and the overall time to market of software delivery and gains in quality of products delivered.

Last but not least, having a complete history and audit trails for every build, test and deploy activity helps with compliance and improve collaboration of distributed teams.

What Components need to be included in a strong HSPD12 Program?

In the previous blog we addressed the main dynamics driving the HSPD-12 implementation. In this blog we will look at core components of a successful HSPD-12 Program.

The HSPD-12 Mandate provides a Common Identification Standard for Managing Access to Information and Services across Federal Agencies. In short, it mandates a common, interoperable identification standard for managing access to information and systems for, within, or among Federal agencies and departments. It also addresses interagency interoperability and compels Federal agencies to adopt stronger security standards and procedures. In addition, it provides consistency for issuing identity credentials to employees and contractors and addresses both access to physical facilities and logical assets.

Key Components

A Strong HSPD-12 Program includes the following components:

• Identify the “As Is” environment
• Provide an understanding of where process change is needed
• Determine which specific implementation model is best for the environment
• Build a communication plan for the organization
• Maintain the communication
• Develop/coordinate policy and guidance
• Evaluate plans
• Track implementation
• Provide training and awareness
• Assess compliance (C&A)
• Monitor compliance and identify change

Agencies implementing FIPS 201 must assign an individual to the role of PIV Senior Agency Official for Privacy and conduct Privacy Impact Assessment (PIA) on systems containing information in identifiable form (IIF). They shall consult with personnel responsible for privacy issues at the implementing agency/department while developing the PIV system and write, publish, and maintain a comprehensive “system of records” document for the PIV system. This also means maintaining appeals procedures for those who are denied a credential or whose credentials are revoked and establish consequences for violating privacy policies of the PIV system. Finally agencies need to assure that the technologies used in the department or agency’s implementation of the PIV system allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use, and distribution of information in the operation of the program.

The OMB underscored the need for privacy measures in PIV implementations. In April, the Office of Management and Budget released draft PIV implementation guidance that re-emphasized the necessity of adhering to the privacy goals of HSPD-12. Specifically, the guidance re-emphasized the following activities for implementing agencies:

• Develop, implement and post in appropriate locations (e.g., agency intranet site, human resource Ensure that personal information collected for employee identification purposes is handled consistent with the Privacy Act of 1974 (5 U.S.C. §552a).
• Prepare and submit to OMB a comprehensive Privacy Impact Assessment of the HSPD-12 program, including analysis of the information technology systems used to implement the Directive.  The PIA must be reviewed and updated periodically.
• Update pertinent employee-identification systems of records (SOR) notice(s) to reflect any changes in the disclosure of information to other Federal agencies (i.e. routine uses), consistent with Privacy Act of 1974 and OMB Circular A-130, Appendix 1
• Adhere to control objectives in section 2.1 of the Standard

In order to meet Federal compliance requirement, a well-documented Certification and Accrediation (C&A) process has been identified as a core compoent of an HSPD-12 Program. The C&A is usually based on NIST 800-53 standards with emphasis on Access Control and Identification and Authenction Requiremenet.

Key security implications of opening up your LAN to wireless traffic

Wireless technology is taking its place in today’s society, thus increasing the demand for wireless LAN.  Risks once associated with WLAN can be easily mitigated due to the advancement in WLAN security.

With the increase in and popularization of various mobile computing devices such as laptops, and PDAs, more people need to access the network to perform a variety of data transference functions at any time in any place. WLANs offer a new dimension in productivity for users.  A Gartner study suggested that enterprises could expect a 22 percent productivity improvement by introducing WLANs.

To evaluate the main implications of using WLAN form the security perspective, we need to look at both the benefits and the potential risks of introducing such technology into the LAN landscape.

WLAN benefits can be expressed as follows:

• Connection is near and instantaneous for mobile workers
• Staff can remain online even when in meetings or working away from desks
• Online information is always available
• Integration of new devices and applications into the IT environment improve significantly
• The cost of provisioning network access to new buildings is substantially lowered
• Network can be easily scaled to respond to different levels of demand
• Increases organizational adaptability to internal growth through improvised seating configuration and lower marginal cost for relocation per user

Potential Risks introduced by WLAN are the following:

4      Rogue access points

4      Traffic analysis and eavesdropping

4      MAC spoofing/session hijacking

4      Denial of Service (DOS)

4      Masquerading

4      Modification of data

4      Increased system complexity from switch locations in various  areas due to limited rack space

4      Effectively planning and configuring wireless backbone 

4      Greater network management costs associated with wireless specific activities (managing coverage, network activity)

4      Procurement of user’s wireless hardware (wireless card, laptop or other required equipment) incurred in addition to the expense of established hardware refresh cycle

Each organization needs to look at the benefits and the potential risks introduced with using WLAN technology and judge its overall impact on its business goals and strategic objectives. Judging from the latest trend in the corporate world, as the security concerns raised form the use of WLAN are being addressed by technologies such as 802.11i, more and more companies are willing to assume the risks that come with opening up their network to wireless traffic and benefit from the flexibility of WLAN technology.

In the next blog we will look at the major areas that need to be addressed in order to successfully secure a wireless environment.

How to implement network level security using IPv6?

Introduction

IPv4-based networks form most of today's networks due to its relative resilience in spite of its age. Cracks have however been apearing on a new version of the protocol has been in the work.

All new techniques introduced to overcome some of the IPv4’s most-known security deficiencies (SSL, IPSec, etc.) have been judedged useful but insufficient. In other words, despite all recent improvements, the supporting Internet infrastructure continues to lack the appropriate security framework.

IPv4 security issues

Security was not a primary concern when designing IPv4. Basically, the idea was to establish an end-to-end pipe with no regards for security. The end-nodes where assumed address security requirements such as encryption and digital signing (e-mail applications would perform own encryption).

The following resilience requirement are needed to deal with security threats:

• Denial of service attacks (DOS): Certain services are flooded with a large amount of illegitimate requests that render the targeted system unreachable by legitimate users
• Malicious code distribution: Worms and viruses use infected hosts to infect remote systems
• Man-in-the-middle attacks: IPv4’s lack of proper authentication mechanisms may facilitate men-in the-middle attacks
• Fragmentation attacks: This is achieved by exploiting large IPv4 packets at he O/S level (e.g. ping of death attack)
• Port scanning and other reconnaissance attacks: Network is scanned to find potential targets with running services
• ARP poisoning and ICMP redirect: This occurs when forged ARP responses are broadcasted with incorrect mapping information that could force packets to be sent to the wrong destination. ICMP redirect attacks use similar approach.

IPv4 short term remedies

To deal with IPv4 security limitations, certain techniques such as Network Address Translation (NAT) and Network Address Port Translation (NAPT) have been developed . They can offer certain level of protection against some of the security threats addressed above. Also, the introduction of IPSec facilitated the use of encryption communication, although its implementation is optional and continues to be the sole responsibility of the end nodes.

The Network Working Group of the Internet Engineering Task Force (IETF) proposed in 1998 a new suite of protocols called the Internet Protocol version 6 (IPv6) to deal with the limitations of the current Internet infrastructure . This new suite of protocols aims to deal with a number of the issues that affect IPv4-based networks, including its lack of network level security.

Podcast/Blog: 8 Deciding Factors in Selecting Disk and Folder Encryption Products

Background

Listen to the podcast (.mp3).

A new report filed by federal security auditors finds that that the Internal Revenue Service (IRS) has had almost 500 laptop computers lost or stolen over the last three years, many of which were loaded with sensitive taxpayer information. The report contends that between 2003 and 2006 the IRS had some 490 laptops lost or stolen in 387 individual incidents.

Perhaps the most notorious loss of a laptop in the federal sector came in May 2006 when a contractor working with the Department of Veterans Affairs had a computer stolen from his that carried the personal data of an estimated 26.5 million people. The laptop was eventually recovered by law enforcement officials.

In addition to failing to properly secure their devices in and out of the office, the auditors said that some of the IRS' 100,000 employees were not properly encrypting data on their machines or utilizing adequate password protections.

In their final recommendations, the auditors recommend that IRS leaders refine their incident response procedures to ensure for better understanding of any potential data exposure and more frequently remind employees to use proper device security measures. The report also contends that the agency should consider implementing a "systemic disk encryption solution" on its laptops that does not rely on employee interaction to protect sensitive information.

Systemic Disk Encryption Solution

Security mechanisms to consider when evaluating the right disk encryption solution could be expressed as follows:

Policy: Which policies and certifications are required by the organization

Information architecture: Where sensitive information is stored

Application architecture: How the application uses information

Communication: How the devices communicates

Device Management: How the device is managed

Primary use of the device: An office automation tool, industrial purposes, or mobile communication

Selection Criteria

Given the recent high profile announcements with regards to the loss of laptops and the associated liabilities to organizations that fail to take the appropriate steps with regards to addressing mobile devices vulnerabilities, I decided to take a look at Full Disk and Folder Encryption products that are commercially available today that help mitigate mobile device vulnerabilities.

The factors contained in the following table should help you in going through the process of selecting disk and folder encryption products:

Area of Comparison	Full Disk Encryption	Folder Encryption
Encrypts the entire disk	The entire disk is encrypted	Only selected files and folders are encrypted
Impact on the computer system	MBR is modified	Operating system files are excluded
Platform support	Generally limited to single desktops and mobile computer systems	May not be used on most systems
Authentication options	Limited to drivers available at pre-boot.  Vendors are expanding the capabilities to include network connectivity	Generally, any authentication mechanism supported by the operating system
Multiple user authentications	Authentication required at pre-boot Authentication maybe be synchronized or linked to network authentication	May require authentication on file access can be linked to the operating system or network authentication
System maintenance	Reboots during patching may be a problem	No issues during maintenance
Backups	Information is generally not encrypted if the backup runs within the operating system	Information may be encrypted or not depending on how backups perform
User control	User makes no determination as to whether to encrypt a file or not	User may have control over which files are encrypted.  New policy-based products transfer encryption decisions to administrator

Smart Card Blog - Multiple Profiles Part II

As a number of readers have pointed out, supporting concurrent access to multiple cards would be another way to avoid requiring customers to swap cards in order to sign in using a different profile.

As much as I wish this approach could be pursued, I think it would be problematic.

Concurrent access is not common industry practice and (perhaps most troublesome of all) changes in the application software code may be required to concurrently access multiple cards from a given process. This is b/c such access would have to be segregated into different threads, and application software is currently single–threaded.

Smart Card Blog - Multiple Profiles Coming!

What might be next - an upcoming change in Smart Card technology and/or configuration:

At present, Smart Cards do not support the storage and concurrent use of multiple PKI profiles. Because today's Cards lack the ability to store multiple profiles on a card, and because only one card/token is typically supported per client, customers will need to physically swap cards to use different signing profiles. I believe that the inconvenience of this will force a change (and in the near future), and am interested in discussing the implications of this.

The Top PKI-Specific Criteria When Selecting HSM Solutions.

The selection criteria for the HSM within the context of PKI implementations, can be broadly grouped into the following categories: Operational Quality, Scalability, Functionality and Vendor Health.  A description of the selection criteria follows:

Operational Quality: 

Resiliency & reliability: The large capacity HSM customers will expect months of continuous operations and the ability to deploy resilient configurations of HSM(s) where a single HSM failure does not result in an application failure. 

Product lifecycle: Selected HSM(s) should have a product lifecycle compatible with your organization’ needs with the actual lifecycle dependent on the cost of acquiring, distributing and upgrading the customer premises technology.

Durability: Customers should be able to subject HSM to continuous duty cycle for extended periods each day.

Operational support: Vendors should be able to provide service level agreements in line with your 24x7 support model. The large capacity HSM(s) should provide the necessary audit and trace information to enable effective helpdesk & operational support procedures.

Scalability:

Performance: A small capacity HSM supporting 0.25 TPS and a large capacity HSM supporting 40+ TPS. 

Capacity: The large capacity HSM needs to support storage of multiple PKI identities.

Scalable footprint: The large capacity HSM(s) should be able to scale both vertically and horizontally

Functionality:

PKI support: HSM must offer the following security features - 2048-bit (the expected key length size necessary for proper security of PKI) key pair generation, private key storage, and private cryptographic operations. The HSM must be compatible with the Public-Key Cryptography Standards #11 (PKCS#11) standard and certified for usage with Entrust PKI software.

Security level: Vendors that verify their security implementations by subjecting them to government and industry driven security validation programs are preferred. Compatibility with FIPS level-2 or higher is required.

OS certification: Vendors should be capable of certifying their products on your supported Operating Systems. 

Connectivity: Large capacity HSM(s) should be LAN connected and multi-server shareable. The small capacity HSM(s) should allow for USB connectivity.   

Vendor Health & Focus:

Vendor size: Large publicly held vendors are preferred as they would have substantial resources to support our needs and it is easier to monitor their financial health. 

Existing relationship: Vendors with existing relationship are preferred as the organization already has worked out commercial and legal contract terms and conditions with them and has experience working with them.

Mission-critical deployments: Vendors with mission critical customer deployments are preferred.

Status as a ‘top account’: Any new commercial technology needs to be supported by a strong vendor relationship.  Being a top account gives us sufficient leverage to ensure timely resolution of problems.

What are the PKI specific benefits of using Hardware Security Modules (HSM)?

A hardware security module (HSM) is a device that provides a secure and dedicated environment for performing cryptographic operations thus reducing the likelihood of secret key material being compromised as well as improving cryptographic processing performance. Here we try to address the secret key protection aspect of using HSMs.

Confidential electronic keys, such as those used by the PKI private key are critical to application security.  If their confidentiality is compromised, a fraudulent message purporting to be from a legitimate user can be sent to another user.  The receiver of such a message may not be able to detect this fraud, because the signature appended to the message would appear to be valid.  Accordingly, it is critical that confidential keys be adequately protected.

The first step to protecting confidential keys is to have good controls on access to environments where the keys are created and where they reside.  For additional protection, one approach is to employ various software techniques to secure the keys on the host computer where the keys reside, and where they are used for cryptographic operations.  Typically, the keys are encrypted on disk, and memory protection measures are employed to protect the key during cryptographic operations.  Additionally, encryption and other measures can be used to protect keys when they need to be transported to another host computer.

Although software-based approaches can offer significant additional protection, an even greater level of security is possible by employing hardware devices, such as HSMs, that are specifically designed to protect confidential electronic keys.  Typically, these devices are used to safe-store keys.  The keys are created in these devices and cryptographic operations performed with these keys can be carried out within these devices, thus making sure that the keys never need to leave the hardware.  Various physical and logical security features of these devices further minimize the risk of key compromise. 

If a user’s private key were only protected by a software-based approach, a successful attack could occur if there were co-ordinated security breaches at two customer institutions or two branches of an institution.  Such an attack would be relatively difficult but not impossible. Use of an HSM instead of software-based protection would likely make this attack more difficult since it is harder to steal HSM private key information without being detected.