From Russia with DLP Love

Ok so I'm not Sean Connery, but the title jumped out at me.

Those of you that know me will know I travel extensively across Europe in my current job. But not until last week did I make it anywhere near Eastern Europe. I started the week in Prague (beautiful city by the way) and then spent 3 days in Moscow meeting with various organisations...most of whom were banks.

Moscow still has remnants of its Soviet past as you would expect and the social divide is still vast. It feels a lot like China in that respect. In fact, I felt like I was in China...but no one was speaking Mandarin (I understand Mandarin so I should know). The main thing I took away from my visit is that Russia matters again. It seemed fitting that Vladimir Putin was named Time Magazine's Man of the Year for 2007 while I was in Moscow. I found out by watching CNN in my extremely expensive hotel room (not that I was staying in an expensive hotel by world standards - it's just how things are in Moscow...expensive for non-locals).

I'm not a social or political commentator so I'll stay clear of those things. But from a business perspective, it's not an easy place to work in. But it IS a place you can do business and it is growing at a fast pace. Here are a few points I took away from my visit:

• Forget about doing business in Russia if you cannot speak the language or if you do not have a local business partner to visit organisations with you. While most professionals in Western Europe can speak and understand English, this is not the case in Russia.
• Russian organisations don't waste time thinking about things and going through vast amounts of process (something the Western world is often guilty of...especially here in the UK). If they want to get something done, they get it done. Unfortunately, sometimes they can be hasty and go at 1000km/h when they should be going at 10km/h. I had to curb the enthusiasm of one of the organisations (they could speak and understand a little English) to help them plan things through properly rather than jumping straight into the deep end. Another organisation said to me "I want this now and where can I get it in Russian".
  
• Russia has somewhere between 100 and 1000 banks. I don't know the exact figure because different people were telling me different things. Most of these are small local banks and the only way to go seems to be consolidation or acquisitions. They cannot compete with the large international retail banks that are moving into Russia in the longer term and they know it.
• The IT landscape in Russia is still very new. But they have a lot of smart and educated people and are advancing very quickly (take Kaspersky for example). However, this means that many of the people you deal with in the IT departments are VERY young by our standards. Most of the so called "managers" I was talking to were only in university 2 years ago. I felt old (and I'm not...well at least I don't feel like I am).
  
• From an IT security perspective, they do care and there is movement. Fortunately for them, they are thinking about security up front instead of waiting until it is too late (like most Western organisations). But being so new to the IT area, this means there are a lot of "green field" opportunities. This can be a positive or negative depending on what solutions you are trying to sell.
• If you have encryption capabilities or technologies in the solution you are selling, forget about selling to state (government) organisations. They cannot put any encryption technology into their environments without first "ripping the solution apart" and looking at the internals. Then it has to go through a lengthy approval process which is almost always unsuccessful. I hear they are a little more lenient with Russian owned vendors and solution providers.
• Moscow's roads are permanently jammed...even more so than China. You cannot go anywhere during the day without getting stuck in a few traffic jams. Journeys that you expect would take 10 minutes always take somewhere between 30 minutes and an hour.
• Things are VERY expensive if you are not a local. My hotel cost 2-3 times the amount it would have cost me had I been in Western Europe or the USA.

Of course, I only spent 3 days there. So this is all just a first impression. I dare say I'll have to visit again so I reserve the right to change my views.

A little bit more about managed identity services

This isn't going to be a long post. I'm just going to refer to a post I made in July about Managed Identity Services being a hard sell.

If you haven't read it, feel free. If you have, someone made a comment in response to it which I've also responded to which extends the discussion a little.

Incidentally, if you want to keep track of the comments people write, here's the feed. Unfortunately, it's only available for those using RSS readers. Those of you subscribing via email will have to do without it for now. Sorry :(

UK government loses 25 million identity records

You've probably already heard about this. It was front page news in the UK all of last week. They haven't stopped talking about it and commentators all over the place are taking pleasure in chastising the UK government for the problem. I've been in Seville (Spain) for work and haven't had time to chime in until now.

I'm referring to the fact that HM Revenue & Customs (HMRC) managed to lose 2 CDs filled with 25 million child benefit records in the process of sending them to the National Audit Office (NAO). In short, if you have children and have tax records in the UK, chances are your personal records and bank details were on those CDs.

Of course, being such a high profile incident, the Internet and news channels are already filled with articles and comments. Also, every software vendor and consulting firm is more than likely trying to call on HMRC with the line "have we got a solution and deal for you"! Despite this, the failure is not primarily because of a lack of technology. It is all about the lack of a security culture, lack of education and awareness and badly defined procedures.

In September, they also managed to lose 15,000 records when sending details to Standard Life and an estimated 400 customer records in a separate incident. Here's a time line that summarises the incidents over the past few months if you want a high level view. HMRC's chairman Paul Gray has resigned over this incident. Someone had to fall on his sword over this and I suppose he was the logical first casualty.

This article at Techworld says that the NAO had actually only asked for National Insurance numbers and explicitly asked for the other information to be stripped out. But some bean counter "business manager" at the HRMC instructed that this not be done because they would have to pay their IT provider EDS to do it. Sound familiar to you? Yet another case of the need to save of dollars winning out over good security and privacy practices. It happens all the time because of uneducated "business individuals" with no sense of the need to protect sensitive information. That's why there have been so many incidents over the past few years and this is just the latest and highest profile one this year.

I'm frankly not surprised that this happened. It's a harsh thing to say, but I know a little something about a very small part of HMRC's systems and how EDS manages it. I should point out that I've never had anything to do with the EDS HMRC account or HMRC itself, but I do know some people who work on the account and it's a shambles. Identity controls are practically non-existent. Access controls are practically non-existent. There are also allegedly people working on those systems without a proper security clearance! This is not to say they don't safeguard some of their data. I'm sure they do, but it says something about the general culture and management mentality in place. I know for a fact that internally, BIG security holes are observed and brought to management attention by a lot of the guys on the ground, but their protests fall on deaf ears. It's almost always because dollars speak louder than the need to have good security controls in place. This is just unacceptable and it's not even totally EDS's fault, although they play a part. It's the fact that HMRC seem to have a culture of penny-pinching when it comes to IT and they've now suffered as a result. If you're unwilling to spend money on adequate security, you deserve to be called out as being incompetent and they've shown themselves to be exactly that. Unfortunately, millions of people have had to suffer as a result.

The main thing that strikes me out of all this is that EVERYONE (including British Prime Minister Gordon Brown) is blaming a "junior official" for the gaffe. This deflects from the actual problem. Even if the official was "junior", it was not their fault that this happened. In fact, being "junior" gives them a valid excuse for being stupid. The problem is just bad process and even worse IT management. This incident is inexcusable, especially if you are the Government and are responsible for the security, privacy and protection of your citizens. You CANNOT be losing information because you want to save a few bucks.

The "junior official" shouldn't even have had to think about what they were doing. They should NOT have had access to this information in the first place. And if an official does come along who should have access and is properly given the access, they should NOT be able to copy all this information onto something like a CD and have it sit there unencrypted and unprotected! Security should be put in place to make access to data "idiot proof" because most users are "idiots" when it comes to data protection. Even those of us who should know better violate security policies all the time because it's just easier. We do it without even thinking about implications because we all have the “it won’t happen to be” mentality. It’s even more rare that an incident occurs where there are such massive implications and on such a high profile and scale. In other words, most of us suffer from “she’ll be right mate” (borrowing a term us Aussies like to use) syndrome.

The chances of something like this occurring would have been far less if HMRC had properly implemented the following (in order of importance):

1. Decent security awareness training and education - User awareness will drastically reduce bad practices. People don't want to do the wrong thing. They just don't know when they are doing the wrong things.
2. More security training and education - Keep it fresh and up-to-date. Things change VERY quickly in the IT security game. It also helps to remind people from time to time that security is important. It NEEDS to be part of corporate culture because otherwise, things just fall in a heap.
3. Properly defined identity and resource/data access policies - Know what systems, applications, resources and data you need to protect and who should have access to them. Without this, all the technology in the world will not help.
4. Properly implemented policies supported by relevant technology solutions - Policies alone will not protect you against the bad guys and the "idiot" (too stupid to understand the security policies) or "lazy" (can't be bothered reading the security policies) user. There are also many of us who fall into the "I know I shouldn't be doing this but I'm not doing this as a bad guy - I just want to make my job easier" category.

In other words security awareness, training and education are paramount. It should be noted that this needs to be pushed from top down. If the business stakeholders do not buy into security being important, no one else will. Bottom-up security awareness and culture change NEVER works. Having some semblance of a security function is the next most important thing. Without it, all the best technology in the world will not help. And finally, put in the proper IT solutions to enforce these policies because you need the "virtual traffic police" to ensure that laws are met.

As a simplistic level, technology alone could have prevented this from happening in the first place, but it does not solve the over-arching lack of security that is apparently there for all to see. In fact, many commentators and so called "security experts" are saying they should have put in encryption technologies and it would have solved all their problems! This is just not true. By this I mean that they could have implemented basic stop-gap encryption technology to enforce that everything that gets written to CDs and DVDs gets encrypted. If that was the case, the loss of the CDs would not have caused this much debate and analysis around what went wrong. It would have simply been "oh, we lost some CDs and these things happen sometimes when you post things, but the data was all encrypted". That would have called into question their processes rather than their lack of focus on security and inadequate IT controls. The implications to the public would have been far less severe. If that had been the case, all it would have done was to delay their major incident. If all you do is put stop-gap measures in place rather than a proper identity, access and information security layer and accompanying controls, it is only a matter of time before the "water leaks from another part of the dam" (apologies for the cliché, but I'm too tired to think of a witty and original analogy).

The only positive from all this is that HMRC have now got a compelling reason to act and spend money on a first step towards an adequate security infrastructure. Keep in mind that being the Government, "adequate" is NOT GOOD ENOUGH. But it's a start. Unfortunately, many Governments do not even have adequate security. I dare say many other Governments in the world have similar issues but just haven't had the high profile incident to catch them out yet. Losing 25 million records is going to be very difficult to top however, so I dare say the UK Government's incompetence will be in the spotlight for some time.

I'm not privy to the processes that have been put in place for the scenario that took place so I'm not about to comment on the specifics. They probably have some sort of security awareness and education. Maybe being a "junior official" pushed the person down the list of people who could attend classes and they hadn't been given the requisite training (in which case they shouldn't have been able to access sensitive information at all - sadly this pre-requisite is often overlooked by security policy makers and even more often left unimplemented in security systems). If they had been given the training, then perhaps it was the "idiot" factor. If we give HMRC the benefit of the doubt and assume their education program is great, their operational and security processes are sound and their security policies are well defined, then this should have been prevented by the security measures and IT systems they have in place.

The whole process should have gone something like this:

1. NAO formally requests the 25 million records via the proper channels using the pre-defined and approved process.
2. Process is executed and approved after which the work assigned to an authorised official.
3. Official (who has undergone proper security education and training AND has this fact marked in their user profile to allow for rudimentary access to systems) picks up the task and is authenticated to the environment at a certain clearance level. If official has not undergone security awareness training, they cannot get access to anything sensitive.
4. Official retrieves information and based on credentials and their entitlements is only given the parts of the data they have approval to view. If this does not include the required information (e.g. names and national insurance numbers), the official should be able to request that the relevant entitlements be given to them and have this request approved by the relevant managers or security personnel. Access should not include the ability to retrieve information that is not required (such as bank details). In other words, there should be fine grained access controls in place for access to sensitive data.
5. Once allowed, official retrieves information and saves it to required media for transport to NAO. If the approved and documented process is to burn the information onto DVD or CD, then this is done. Upon the action of burning to CD or DVD, the information should be transparently encrypted without the official having to intervene or know that it is being encrypted. The decision on what to encrypt should be made by the system.
6. DVD/CD is packaged up and securely transported to the NAO securely and properly tracked.
7. The whole end to end process should be digitally audited and tracked in a central location for forensic purposes. Then there would be no need to pay PWC a truck load of money to “investigate” as they have had to do in this instance.

You may still be able to poke holes in the process I’ve outlined (the best processes do not cover off 100% of the potential risks, they just help mitigate the overall risks), but it would still be better than what HMRC currently have in place…and it took me 5 minutes to come up with it. If nothing else, it would have at least shown that they had been pro-active about protecting their data from a process and procedural standpoint. There is obviously more to information security than this and I’m not blind to the fact that implementing what I’ve outlined is no small task. If it was this simple, there would be no need for information security professionals. They need to start with the easiest bits and work their way up from there. Defining the procedures and policies is the first step. Putting in the encryption is an obvious easy win. The identity and access/entitlements part is a little trickier, but they need to think big to start to get somewhere. At this stage, I doubt they even know how to spell “entitlements”.

All I’ve done here is over off a small part of the big picture…but a part that would have potentially prevented the loss of the 25 million records. And even if they somehow managed to lose the CDs, they would only be useful as coasters or Frisbees to anyone who found them. The 25 million record data loss incident would have been averted and we would be talking about something more interesting this week rather than the UK Government’s incompetence.

Sun joins the role management game

The large vendors have largely ignored the role management aspects of Enterprise Identity Management. I outlined some of my thoughts on this in a previous post in response to Oracle's acquisition of Bridgestream. I also asked an open ended question around what the other large vendors would do in response to this. I just got part of the answer as Sun announced a few days ago their intent to acquire VAAU, another player in the role management game.

I won't repeat myself so read my Oracle and Bridgestream post if you want to know what I think about this whole role management thing. All that's left to add to that post is that Sun's just joined the game. Your move IBM/CA/BMC.

Whatever happens, all this is pointing towards the day when Enterprise Identity and Access Management = commodity. We're not quite there yet. But soon.

Symantec announce Vontu acquisition

As usual, my travel schedule for work is really screwing with my blogging habits and keeping up to date with news. Of course, this means I'm blaming it on the market's need for Data Security solutions...which is not such a bad thing.

Symantec finally announced their acquisition of Vontu early last week. More about it on Symantec's website here.

I spoke about Vontu briefly in a previous post and mentioned the whole Symantec acquisition of Vontu here when it was still a rumour. As it turns out, it was true and a very badly kept secret.

I'll post more about my thoughts on what this means for Symantec later when I have a spare moment. Hopefully that's sooner rather than later.

Cisco wants an identity and entitlement aware network

I've mentioned Securent a couple of times before and have had various opinions about the company and Authorisation/Entitlement Management in general. I've even had a bit of a debate with its CEO Rajiv Gupta both online and offline (via email).

In one of the "what the F*$&" moves of recent times, Cisco just acquired Securent for $100 million. In a side note, Securent curiously also announced guidelines and tools for centralising the management of entitlements. I think this is somehow going to get lost amongst all the talk about the acquisition.

There's plenty of informed commentary about it by Dave Kearns, Jackson Shaw, Ian Glazer, the Burton Group, and Dark Reading so I won't comment too much other than to say I agree with a few things various people have said:

1. Securent will form the basis of Cisco's centralised, network based entitlement/authorisation service. Why? Because Cisco said so.
   
2. Cisco is trying to bridge the gap between Identity on the network and Identity in the application world. They are not the only company doing this, but they are the most influential because they are Cisco. It's still true that in many circles today, the network = Cisco.
   
3. Cisco understand (or at least hopes that organisations understand) that Enterprise Identity and Access Management needs the network to play its part around user identity and context to have a truly coherent enterprise security infrastructure that works. I'm not saying it's easy. I'm just saying it needs to happen.
   
4. Securent will get lost in the big juggernaut that is Cisco, be consumed and eventually forgotten by virtue of being absorbed into a company as big as Cisco. So much for that great marketing team I've complemented before.
   
5. Why the heck did Cisco start its march into the identity space with Securent? It's a little puzzling, but I suppose the other "hot mature vendors" had already been gobbled up by the likes of IBM, Oracle, CA and others. Cisco is behind in this space. The fastest way forward when you are behind is to be disruptive. Maybe that's what they are going for. They need to be relevant in this area if they are to continue being dominant in the networking world.
   

IBM dips its toe into Data Security

IBM made a rather long winded and all encompassing announcement today around a bunch of Risk Management initiatives. In true IBM style, there's too much information for the average person to take in and understand at first glance. They are offering a heck of a lot and very few organisations will need everything they are announcing here. In fact, you probably don't even need half of what they are offering unless you have a HUGE security need and not much of an IT security department. Of course, they'll gladly send out a sales rep to sell it all to you. Don't buy it all. You don't need it all.

Now that I've done my IBM bashing for the day, I want to point out the data security piece:

"To deliver a total data protection solution throughout the information lifecycle, IBM ISS is partnering with leading data security vendors, including Application Security, Inc., Fidelis Security Systems, PGP Corporation, and Verdasys, Inc. By leveraging key technologies from these partners and IBM Tivoli, IBM ISS will offer a comprehensive set of asset-based data security services:

• IBM Data Security Services for Activity Compliance Monitoring and Reporting -new services that help protect companies from insider abuse and enhance audit preparedness by assessing, monitoring, and alerting on malicious and non-compliant database activity and vulnerabilities.
• IBM Data Security Services for Endpoint Data Protection - new services that help clients encrypt and manage data on endpoint devices, such as laptops and PCs.
• IBM Data Security Services for Enterprise Content Protection - new Data Loss Prevention services that monitor and help protect against intentional and inadvertent leakage of critical data."
  

In other words, IBM can offer you a Managed Security Service around data security and leakage prevention (aka DLP). So even though IBM aren't doing anything in terms of acquiring software in the DLP space (yet), they are flexing the might of their services arm in an attempt to service the need. It is worth noting that they need to partner with other vendors because they don't have the software portfolio to do it. Which brings me to my next point.

It would do them a lot of good to have a software solution in this space. The most logical place to slot the acquisition would be in Tivoli, but they could also put it into their Information Management brand. It makes perfect sense to tie data/information monitoring and leakage prevention into Identity Management, Access Controls/Entitlements Management, Compliance Monitoring/Reporting and Security Event Management and Correlation. It's a big hole in their portfolio. Once they get that, they'll need to start looking at the network layer.

I know they got out of that business a long time ago and said they would never go back...but hey, they bought ISS didn't they (incidentally, they could also roll DLP software into ISS). Stranger things have happened.

TrendMicro gets into DLP

I'm a few days late on this as usual. My excuse is that I've been busy working with a huge global organisation on their data security, protection, leakage prevention and PCI requirements.

With the spate of acquisitions in the Data Leakage Prevention space lately, it comes as no surprise that another has just occurred. TrendMicro acquired Provilla earlier this week. This trend will probably continue as all the large vendors try to elbow each other for a position at the front of the pack in this space and attempt to round out their security portfolios. That being said, we're still waiting on the rumoured Symantec acquisition of Vontu.

So you can add TrendMicro to the list of large DLP vendors I mentioned here...with the exception of Symantec (at least for now).

The question remains...what are the REALLY big vendors doing? I'm glad you asked (continued in the next blog entry).

Oracle integrates Bharosa

I spoke about having a to blog list of things back in August. One of the things on that list was some thoughts on the Oracle acquisition of Bharosa. In light of Oracle announcing a few days ago that they had completed the integration, I thought now would be a good time to cross the item off my list.

First of all, the product name. It's now called Oracle Adaptive Access Manager (OAAM). They've kept to the boring naming convention that seems to be the norm in the Enterprise Identity and Access Management (IDM) industry (with an exception which I talked about here).

Oracle also acquired Bridgestream recently (I wrote about that here). As I've said previously, couple that with the Bharosa acquisition and this gives Oracle 2 products in their suite that the other major vendors do not have the capability to match.

I've spoken with many a customer who has commented on the fact that it would be great if web access management solutions provided some protection against fraudulent activity. This used to occur on a monthly basis, so it's something that the market has been asking for (which is exactly why Bharosa filled a need). The large vendor answer used to be "well, just hook the audit logs of the access management product to a security event management product and write in some rules for alerting". To be truthful, this answer was crap. Unfortunately, it was the only answer that could be given without being kicked out of the room.

With the Bharosa acquisition, Oracle filled this need and added much needed and very useful capability into their suite. Sure, OAAM gives Oracle additional features around authentication. But the most important thing is that it monitors and reacts to potentially risky or fraudulent behaviour in real time. For example, a user could have access to perform certain actions or access certain parts of a web application, but if they exhibit risky behaviour leading up to the sensitive transaction, they can either be challenged further or be denied access completely. This is extremely powerful and can be a preventative measure which stops fraud dead in its tracks instead of only allowing for follow up analysis after an incident, assuming someone even noticed in the first place. This is true dynamic authorisation based on behaviour rather than traditional "yes/no" authorisation decisions that are so prevalent in the access management technologies today.

There will of course be times where the technology gets it wrong and prevents legitimate users from doing things. This will no doubt cause some pain on the user's part and subsequently on the service provider's part (e.g. customer satisfaction issues). But this is a lot better than allowing fraudulent activity to occur and then telling the user about it after the fact. In the case of banks, the costs are usually absorbed (although they are not necessarily required to - they just do it to keep their customers happy). In other cases, the user has to wear the loss. Ask someone if they would rather be denied access as opposed to losing their money and 99% of the time, they'll pick the "deny access" option. Of course, there are trade offs. If they get denied too often, then they go somewhere else. It's a balance and this is where getting the rules and policies correct are critical. You want to be able to protect against fraudulent activity without getting in the way of business. This should be the mantra of all security departments. DO NOT get in the way of business while keeping things secure. The best security technologies are business enablers, NOT business inhibitors. It's how one gets the balance correct that will go a long way towards measuring the success of a security department and subsequently the IT department.

What I'm about to say may sound familiar to those that read my Oracle and Bridgestream post.

Having OAAM gives Oracle an additional dimension to the way they can perform access controls and access management in their Identity and Access Management deployments. It also puts them ahead of their competition in terms of feature/function comparisons. So from a technical marketing standpoint, they are ahead and may win some deals this way. I mention this because it's only going to help if someone REALLY wants this type of functionality. It possibly also makes Oracle more favourable when analysts do their quadrants and charts.

But the main thing to keep in mind is that most software sales are not made based on feature/function comparisons. They are only useful in tenders (RFIs, RFTs, RFPs) to allow vendors to answer "yes" to more questions. Having something extra will generally not win a deal. NOT having something that is mandatory however, can lose a deal. That's all Oracle have done. Bought insurance against losing a bid. From a technical and IDM suite perspective however, it's a good move. It's also great to have the capabilities in place if you're implementing it in your environment. Whether it actually works as prescribed however, I don't know. I've never implemented Bharosa. Time will tell.

Symantec going DLP?

I go and talk about Vontu and the next thing I read is that there's a rumour flying around about an acquisition. If InfoWorld is right, it will be announced next week that Symantec is acquiring Vontu.

No I don't have any inside information. I don't work for Vontu. I know some have been wondering (based on some of the search referrals that have been coming through - although no one's actually piped up and asked me directly). I wasn't exactly full of praise about Vontu in my last post was I? I didn't think so.

So assuming this moves ahead, we'll have 3 BIG Vendors in the DLP space. McAfee, EMC (they acquired Tablus earlier this year and rolled it into their RSA division) and Symantec.

Looks like DLP's going mainstream very quickly, which is obviously good for the industry and organisations looking at a DLP solution.

DLP vendor race

I'm still in a data security mood, so those of you in the identity world can tune out this time round if you like...or if you want to broaden your horizons, read on :)

Remember when I said to implement a proper data leakage prevention (DLP) solution you need an agent on the endpoint? If you're new to the blog or if you're one of the lazy ones and don't bother reading my posts that go for longer than 2 paragraphs (you know who you are), go read about what I said here (this post somehow managed to get a mention on the Network Sentry blog at IT Business Edge - I don't know how).

Now that you're back, let's get to the point. Vontu are one of the main vendors that always get a mention when you talk DLP, but they've always only had a network based solution. What that meant was that they could only watch data flowing on the network and prevent it from leaving. Once a laptop leaves the corporate network, data could easily escape and no one would be the wiser. This is the main reason you need an agent. An autonomous one that doesn't need to be connected to the network to enforce security policies for information.

As I said, there have typically been 2 types of DLP vendors. Network centric ones, and endpoint centric ones. It seems Vontu agrees with what I said because they've realised they need to be at the endpoint to really get serious about being a DLP solution. In doing so, they are the first (that I know of) to take a serious stab at doing both.

They announced earlier this month that they now have an endpoint agent. I took a look at the functionality and while useful, is still quite a way behind what some of the other endpoint DLP vendors can do in terms of functionality. In other words, they're playing catch-up. The advantage they have is that if an organisation wants to go with a network centric approach (I don't really know why they would - although these tend to be cheaper) with some coverage on the endpoint (but not a lot) then they can go with Vontu.

Where Vontu may win out in the short term is in the marketing stakes. Organisation that are easily sold based on Powerpoint slides may be convinced that Vontu is the way to go. My money's on Vontu going out and saying "we're the only ones that cover all the bases for DLP because we do the network aspects and we cover the endpoint". It's very difficult to sell on feature function unless a customer really has specific requirements that one vendor can meet better than the other. And even then, the only way to prove it is in a bake-off, because everyone's going to say "yes" to most requirements.

I have no doubt Vontu will continue to add functionality to all their products. This can only be good for competition in the high profile space that's come to be known as DLP. The question is how fast can they run? Will they catch up in the endpoint game (unlikely unless they double the size of their development team because they've now got more products to work on)? What about the other vendors? How fast are they running? Do they care that Vontu are in the endpoint DLP space now (rhetorical question)?

Of course I'm just stating the obvious. In any new area of enterprise software, almost all the major players are small to mid-size companies/start-ups. It's usually the ones that run the fastest that will win out in the end. Not always, but it sure helps.

McAfee acquires SafeBoot

McAfee announced earlier this week that they were acquiring SafeBoot for $350 million USD. It's actually a good move, despite what I'm about to say.

It's almost like the McAfee product strategy people have been going through the PCI-DSS standards and acquiring technology to address gaps in their portfolio so they can sell a portfolio that "solves" all of a customer's PCI issues (or so they say):

1. They've had their Anti-virus and Anti-spyware solutions for a long time.
2. They acquired Onigma at the end of 2006 for its data leakage/loss prevention/protection (DLP) capabilities. They also just updated the DLP product with functionality to catch up with its competitors somewhat (although they're still behind in functionality).
3. They've got network access control software.
4. They've got a so called policy engine.
5. And now they've just shored up their encryption capabilities with the SafeBoot acquisition.

The gaps left are:

1. Firewall - but McAfee will probably say they've got that covered with their intrusion prevention solutions working in conjunction with their network access control solution.
2. System passwords and restricting access to information. In other words, Identity and Access Management.
3. Testing and monitoring all accesses to resources and data. Again, more Identity and Access Management - although McAfee will also claim their DLP product working with their network access control product and their policy engine gives them the tick in the box here.

It all looks very nice on a marketing slide of course. They still have to integrate all this technology. The technical integration of acquired products takes time and they usually don't play nicely with each other until the N+2 or N+3 release post acquisition.

Another thing. Their list of products is growing. If they aren't careful, they'll end up like Tivoli's portfolio from a few years ago, where half the products overlapped in functionality with the other half and very few of them worked nicely together. Tivoli have since fixed that, but it took a few years.

YouTube for documents pose risk to data security

The YouTube problem faced by content producers (e.g. television networks, record companies) has largely been a non-issue for most organisations. It's a big problem for them however. Articles all over the place going on about the billions of dollars in revenue being lost because it's easy for people to post and watch things on YouTube. Some have given up and embraced YouTube as a place to promote their artists. For example, RCA Records has a YouTube channel where you can watch all their latest music videos...and many old ones too.

The thing about YouTube is that it makes things you want to watch really easy to find. Just search for it. That's the real power (that and they were first to market and are now owned by Google, but these facts don't help with what I'm trying to say). It's a lot easier than asking your friends via email, instant messaging or social networking sites if they have certain files. YouTube also doesn't limit your "search network" to just your friends. You can search for videos posted by millions of people you don't know and will likely never meet.

Peer-to-peer networks, although related to the problem at hand are another issue altogether. They expose the same types of issues, but they are not as big of problem as one might think when it comes to corporate networks once you compare it to what I'm about to outline. Allow me to explain.

In a corporate environment, it's relatively easy to control the network traffic and applications that your users are running. With the right tools in place, you can prevent users from installing and running peer-to-peer applications or block the relevant network connections required for these things to function. This is a MUST. Imagine the whole peer-to-peer network workwide potentially being able to search for proprietary and sensitive information that is held on your corporate network. Users aren't trying to be malicious most of the time, but they aren't security people either. So they inadvertently leave great big holes in your organisation.

Imagine KFC's list of 11 secret herbs and spices being hosted on a KFC server somewhere and having that exposed to a peer-to-peer network! They probably wouldn't go out of business, but someone would put a serious dent in their revenue if they got their hands on it. Or if you're a retailer and one of your employees accidentally leaves a file full of customer financial details unencrypted and sitting on a folder that the peer-to-peer software can access. Great, big, giant hole that is going to cost the organisation lots and lots and lots and lots of money, not to mention the intangibles that cannot be measured in dollars (e.g. customer confidence, damage to the corporate brand). I think you get the idea. Peer-to-peer network on corporate network = bad idea. So lock that down.

Back to YouTube. But it doesn't host documents you say. Yep. True. Which is why YouTube is not really a problem for those of us not in the music, television and movie industries. What happens if there was a YouTube for documents? Quasi YouTube-like repositories have always existed. They're called online file servers. But they only store stuff...and most of the time this is not public. It's just there for the user to store their own stuff. And even if they someone allowed documents to be made public, they weren't very easily found. So they're not really YouTube for documents. Even so, you should probably be blocking users from uploading sensitive files to these sites. The risk profile isn't quite as high however, because of the lack of decent search capabilities. You put decent search capabilities and the power of tagging next to a document only type of site, and you get YouTube for documents.

I bring this up because of late, there have been quite a few start-ups doing just this. One of the early ones was Scribd. They actually market themselves as YouTube for documents. Recently I've also come across docstoc. They pretty much do the same thing. And to a lesser extent there are also sites that are essentially an online desktop/bulletin board for you to throw things on there. Photos, notes, music, videos...and documents. These can also be made public. I'm not sure if their search capabilities are decent, but they are there. Recent examples are Stixy and WIXI (as an aside, who the heck comes up with these names! They sound like something my little 5 year old cousin could have come up with).

So now we all have the same problem as the content providers that despise everything that YouTube represents...except corporations have more to lose. Why? Because it can potentially cost billions. That's right. BILLIONS. In fines from losing customer information, for not being PCI compliant, for not passing the many many audits organisations are subjected to nowadays and so on. And there's also the potential billions that could be lost if your "11 secret herbs and spices" gets out there.

Where previously the most convenient way for your data to leave via the network was through email (or even web-mail), it can now be hosted on multiple, searchable, document sharing websites. When you email a sensitive document out to a list of people, the speed that this document can proliferate is only as fast as the recipients can press the forward button. Even then, you're limited to their address books. This spread is exponential by the way, so it's by no means a non-issue. But it's still slower than having the sensitive document immediately available to a whole community of users! It's like aggregating all your contacts, the contacts of your contacts, the contacts of their contacts' contacts and so on (try saying that quickly) and blasting the document to all of them at once.

I've got an account on both Scribd and docstoc. I don't really use them at the moment. I just wanted to check them out. My first few searches on each already produced documents that I'm not so sure the companies they relate to want out there. But hey, they're freely available. You just need to sign up!

So how do you stop this? While you can conceivably and justifiably block most peer-to-peer applications, you can hardly block users from using the Internet! Sure, you can block Scribd, but then docstoc comes along. Then you block docstoc, and another competitor comes along. It may never stop. The same can be said about peer-to-peer clients, but it's a heck of a lot harder to build a new peer-to-peer client than it is to build a new document sharing website. Blocking specific sites or applications is only a temporary fix. There'll always be the next site or application that comes along.

The key is to protect the information and control the many ways it can leave and under what circumstances. There's obviously the whole issue of information identification and classification as the up-front step. But that's for another day :)

Just be aware of the escalated risks YouTube for document-like sites pose to your corporate data. They make the information much more readily accessible and data loss and leakage will happen a heck of a lot more quickly than it has in the past.

It's not about the iPhone - it's about the data

No really, it's not. Just bear with me for a couple of paragraphs (unless you fall asleep before you get past the iPhone bits).

I was walking along Regent Street in London over the weekend with a friend and dropped by the Apple Store. He wanted to buy a case for his laptop...not a Mac incidentally. That's becoming common though. Traditionally non-Apple users wanting to buy Apple branded (or inspired) accessories because they just look better than everything else out there. Some like me even decide they want an actual Mac, which is why I have a MacBook Pro. I'd never previously been a Mac user...such is the power of the Mac brand. The products have become fashion accessories, not pieces of technology.

This trip to the Apple Store over the weekend convinced me that never will this be more true than when the iPhone is released here in the UK on November the 9th (actually this will likely be true regardless of where the iPhone is released - except maybe in China where they'll have fake ones out before the release date). The release in the US has already seen unparalleled enthusiasm with the thing being sold out all over the place. The Blogosphere was noisy to the point of being tedious (including A-list blogger Robert Scoble who was first in line at the store to buy the thing and won't stop talking about it - just go to his blog and search for iPhone and you'll see what I mean). I actually ignored my Google Reader items that had the word "iPhone" in it for about 2 weeks.

The thing that actually prompted me to start thinking about this was the queue at the Apple Store. It was unusually long. I'd been there before and there are ALWAYS queues, but this one went out the door and round the corner! There was also a huddled mass around one particular section of the store. I was curious so I went to take a look. A couple of polite nudges, pushes an "excuse me please" grunts later, I emerged only to find they were huddled around the display/demo showcase for the new iPod touch. I don't know why Apple released this thing, but once again they proved they know their market. The iPod touch is pretty much an iPhone but without the phone. It even looks exactly like an iPhone. I then walked along the long queue to see what everyone was buying. You guessed it. They were buying the iPod touch. I guess they don't want the iPhone. Or maybe they want both...which is entirely possible with Apple fanatics. But if the demand for something like the iPod touch is so huge, you can bet the queues for the iPhone will be even longer. Most people will wait for the iPhone rather than buying the iPhone with no phone (aka iPod touch). So this suggests that the demand for the iPhone will far outweigh the huge queue I saw. I could of course have guessed from the reaction in the US, but this is the UK and things don't always work the same way here :)

Even being tied into the O2 network will not be enough to deter people, as observed in the US with AT&T being the exclusive network provider. So why is this the case? Because it is the best looking thing out there and can potentially replace all the devices you have. Your phone, your iPod (itself already achieving cult status and has a huge market share over its competitors), your PDA and your computer. In fact, as it evolves, it WILL replace your computer. As web-based technologies and applications become the norm (and believe me, Generation Y prefer using a web application to a fat Windows client, unless it's a computer game) there will be little need for laptops, except for poor sods like me who have to because I need to give solution demos to customers - I wish I could demo stuff on the iPhone. And that's exactly my point. Unless you need the processing power or a laptop (or desktop) or a decent sized screen, there is no real need for one. And as the iPhone evolves, it'll get to the point where it can power most applications (AJAX-intensive web ones or clients built for the iPhone) and there'll just be docking stations with keyboards and monitors to plug into your iPhone (or whatever mobile device you have). That's a little way off though.

I should also note that the iPod touch, being an iPhone without the phone, also exhibits these characteristics (it even has Wi-Fi capabilities). Whereas the iPod (and its variants) are just glorified USB disks that play music and video.

Don't get me wrong. We'll never do away with the desktop, servers or laptops. We just won't need to use them nearly as often. I get by most days without using my laptop. I just type away on my BlackBerry (and all the rest of you I see in airports, trains...and meetings do exactly the same thing). I could do so much more on a device like an iPhone though. It's an always-connected computer with the capability to interact with web applications much more seamlessly than the phones, BlackBerry and PDA devices of today. The crucial thing about a device like the iPhone is that I can actually use it for things other than email. My Blackberry is pretty useless for anything other than phone calls, SMS messages and emails. I can't view or edit any documents on it because it's just impractical. There are also a limited number of applications I can install on it...and most web-sites don't work properly.

Which means what exactly? It means you can view and manipulate information on an iPhone! This includes critical corporate data that really should be controlled. I know companies are only just starting to figure out how to control data access, movement and usage within their corporate environments and mitigate the risks of data loss and leakage (I see enough organisations about this to be able to make this statement with some level of authority), but the days of putting blinkers on and ignoring non-desktop environments as "just another fad" are going to kick you in the butt if CIOs, CISOs and Security Managers do nothing about it. Not just organisations, but all of us. Guess where all our personal, private information is held...YES, in the uncontrolled hands of the institutions out there that we deal with. Your bank. Your insurance company. Your local council. Your utility providers. Any retailer you've ever bought anything from. The car rental company. The airlines. The hotels. The list is endless, but I think you get the picture.

Why is this actually a problem? Peripheral devices used to simply be able to store data and allow you to cart it off somewhere else. There are levels of control you can place around these USB storage devices, ranging from draconian (e.g. you CANNOT use USB devices) to more elegant solutions that can determine what approved USB devices are and control data movements to and from these USB devices based on the information being moved (e.g. if the information contains personal information, encrypt the data before writing it onto the USB). Once information is on there however, nothing can be done to it until the USB is plugged back into something that can read it. If it's encrypted, it's safe because only an authorised device or machine can read it. If not, it's all garbage. Like I said, hordes of people have iPods and MP3 players but these are just USB devices. Again with the right tools, you can ensure people only load music and video files onto these devices. Or if not, the policies that govern USB usage will at least also apply to iPods and MP3 players.

Of course, I'm assuming that your organisation actually has a USB policy and enforces it. Having one and not enforcing it is pretty stupid. Being draconian about it is also not the smartest thing to do because you're disabling employees from doing legitimate work, but at least it closes off that risk for data to leave the organisation. The key is to practice a level of fine grained control over USB usage and to enable your employees to work more efficiently but within auditable, controllable security guidelines and policies. USB device control is actually very easy, if you have the right controls in place. What's not so easy is the issue around peripheral devices that are smarter than a USB drive.

Until now, the security guys have practiced the "hear no evil, see no evil, speak no evil" policy when it comes to PDAs, mobile phones, BlackBerry devices and the like. We haven't had as many issues here because as I said earlier, very few of us actually use these things to do useful work (except email - although it's debatable whether that's useful most of the time), let alone try to view and edit documents and work with data because it's impractical. There are of course people that do use these devices exactly for this purpose. Organisations just don't know about it...or pretend to not know about it because it's too difficult to figure out and the benefits gained compared to the perceived risks it presents don't keep the executives up at night. The exposure to data leakage and security this presents however, is relative minuscule compared to the iPhone age that is upon us. Or as some have been known to say, a fly on an elephant's bottom (the iPhone is the elephant).

• Problem number 1: The iPhone (and devices like it - every competitor is going to want a piece of this market) puts a pocket sized, functionally useful computer in the user's pocket.
• Problem number 2: Every executive is going to want one - and we know how difficult it is to enforce security policies on executives - imagine the risk it's going to pose when they insist on using their iPhone for work and connect it to the corporate environment. And I dare you to try telling them they are NOT allowed to use it for work.
• Problem number 3: Apple's products are much more prevalent in the demographic that is going to make up the bulk of the workforce in the not too distant future - Generation Y. And they will all want an iPhone or at the very least, an iPod touch.

What this suggests is a dramatic increase in the usage of pocket sized, mobile, always connected to the Internet devices within the enterprise. What was once devices made up of functionally crippled PDAs, phones and BlackBerry devices is going to become a network full of mobile-mini computers that fit in your pocket.

If you think the network perimeter is non-existent in enterprises today, it's going to be even more non-existent when iPhones start popping up all over the place in you enterprise. And when they do (and going based on the launch in the US, it's going to be a huge spike rather than a gradual curve), don't get caught with your pants down.

Think trying to control data leakage and information access within a corporate environment is tough? Try taking down your firewalls and Intrusion Detection Systems. Because this is what the iPhone is going to do to your corporate network if you're not careful. Let's not forget that someone could also walk away with the equivalent of a laptop or desktop and not be noticed because the thing is in their pocket!

Ignore the iPhone and devices like it at your peril. For organisations, it presents a huge headache. For software vendors and system integrators, it's a business opportunity. Of course, it would help if Apple opened up the iPhone's APIs instead of forcing people to hack at it to write applications for it. Until then, I suggest you take a look at your data control and access policies. If an iPhone is plugged in, it may not be such a good idea to let sensitive information get to it...at least not until someone out there gives you a valid solution.

Data security and leakage prevention is a much bigger issue than just USB device control and locking down iPhone access to the corporate environment. But when given a large problem, what does one do? Tackle the biggest one first. I'm not saying the iPhone problem is going to be everyone's largest issue or exposure, but it's not going to go away either.

Did someone say iPhone security agent? No I'm not selling one. I'm pointing out that I have yet to see one. Who is going to step up to the plate?

Espresso anyone?

I was beginning to think that people in the Enterprise Identity Management industry responsible for product names weren't creative. Look at all the names of the products. Anything that does provisioning is called "Identity Manager". Anything that does web access control is called "Access Manager". Anything that does simplified sign on (aka single sign on) is called SSO. I know the rationale behind it all. It makes things clear. But it's boring.

I just came across Sentillion's new single sign on product called expreSSO. I'm not qualified to comment on how good it is functionally, but for once it's a name that catches your attention. It's smart, creative and conveys the right message. The name immediately implies that it does SSO, is lightweight and easy to deploy. And yes I'm fully aware it' s not spelled the same as that tiny cup of coffee. It just sounds the same.

Of course, if you are not a fan of a good cup of espresso coffee, you'll say it tastes awful, is unsatisfactory and leaves a bitter taste in your mouth (which perfectly describes many Identity Management deployments out there). I for one am a fan of a good cup of espresso. So I like it. The name that is.

Which makes me wonder why IBM Tivoli didn't come up with this for their SSO product? FYI, it's called "IBM Tivoli Access Manager for Enterprise Single Sign-On", or ESSO for short. Then their sales and technical sales people (I used to be one) could roll into customers and offer up TIM TAMs and a cup of expreSSO. In "IBM speak", TIM = Tivoli Identity Manager and TAM = Tivoli Access Manager.

For those that are staring at the screen with a bewildered look, Tim Tams are a popular chocolate biscuit (cookie for the Americans reading this) in Australia made by Arnotts and are a quintessential part of Aussie culture. I used to cart packets (I did a whole carton once) of Tim Tams to the US and hand them out to anyone in Tivoli-land that wanted one. I think some of the TIM development team (hi guys) still have the packets stuck to the side of their work cubicles.

So maybe only Australian customers would have understood the reference and appreciated this. But it would have been a nice ice breaker.

Oracle and Bridgestream

This news is about a month old, but in case you've been in a cave for the past month (like I have, well not a cave but I've been in China so that's close enough) and don't know, Oracle bought Bridgestream. Now that's 2 things they have on the competition. The Bharosa and Bridgestream acquisitions give them 2 things their major competitors (IBM, Sun, CA, BMC, Novell) don't have.

Role management is a bit of an ambiguous term. It means different things to different people. In the software world, this usually refers to some sort role mining, automation and discovery. There are a few vendors out there doing this (Bridgestream was one, Eurekify is another) and they end up calling their offering role management because it helps automate the whole process of figuring out what the heck an organisation's roles should look like and who should be in these roles.

This all sounds good in theory, but role management in the form I've just described has not exactly taken off. It's one of those things that people keep saying they need to do. Except all they end up doing is sticking a bunch of roles they think will work into their provisioning systems and waiting to see what needs changing later on. Of course, by then it's too late and they have to re-do all the roles. As always, they pay an exorbitant amount of money to a consulting firm (I'm looking at you Accenture and Deloitte, and perhaps IBM too) to do the work.

It's also been a victim of priorities and security maturity levels in organisations. Most are not at the stage where they are ready to look at role mining and automation. Provisioning and access controls are usually the first things that get implemented, then some sort of audit, compliance and reporting capabilities are tagged on to feed off phase 1. Role management ends up being the nice to have...and by then there's no money, no time and no resources available. So we get into the near enough is good enough syndrome.

Yes I know proper role management helps with proper segregation of duties and also keeps auditors happy. But role management as a single discipline does not solve the whole issue. It needs to be used in conjunction with all the other Identity Management capabilities that typically get implemented. The role management/mining vendors have also suffered from being too low on the food chain and not being tied into a major vendor to be dragged along as part of the sale. It's also usually too difficult to integrate into whatever Identity Management software solution an organisation is implementing and becomes another moving part that is usually one of the first things to get thrown away...or at best pushed to phase 5. I've yet to see organisations get past phase 2 or 3 in the space of a few years. Phase 5 will show up...eventually.

And this is where Oracle have just placed themselves in the driver's seat. By buying Bridgestream, they've got another selling point over their competitors. And when organisations do indeed get to that phase 5 (or whatever), guess what...Oracle's going to ride in on their white horse and say they have a tightly integrated solution that has been tested and kicked around in production. I'm sure a few of their customers will want to be early adopters. Oracle will throw in a bunch of financial incentives to ensure that happens. It's the smart thing to do.

And when Oracle's doing this, whoever buys Eurikify (SAP, are you listening? You want to get in the Identity game get ahead - also makes perfect sense if you want to link it all nicely into R/3 and NetWeaver) will be left behind (although they'll still be ahead of the others that are just sitting there hoping sales will fall into their laps while their Identity Management technologies lag behind the competition).

And at some stage, someone's going to realise that just sucking in all your roles (and users) in from HR into your provisioning system only does half the job. Operational roles (stuff that is useful for day-to-day use) are not usually representative of what you find in HR. It helps to have an automated way to figure out what the operational roles really are. It's not going to be easy, and putting in a tool won't be a no brainer, but if it's integrated nicely into the provisioning system it certainly helps cut out a lot of the work...and takes business away from consulting firms that roll out whole teams of fresh graduates (who know nothing) to implement your enterprise security infrastructure for you. Scary isn't it. But we know that's what they do.

The Bridgestream acquisition isn't a huge game breaker. It's just Oracle buying insurance for the future. They may get a few deals here and there because a customer happens to think the world of role management/mining. But it's a smart strategic move.

They're fleshing out their capabilities nicely in the game we know as Enterprise Identity Management. I don't know what the other vendors are doing. For their sake, I hope they're not sitting there in blissful ignorance thinking their market share will not get eaten up by Oracle.

Back in London

No I haven't stopped blogging. I'm just knee deep in work and trying to catch up on news.

I got back to London about a week ago and have had nothing but end-to-end customer meetings since. Another weekend is coming up so I'll try to be up to date on the world by then.

Why I've been so quiet

Simple really. I've spent the past few weeks on holidays in China. I had Internet access in most hotels while there, but China's firewalls apparently cut out access to anything that remotely resembles a blog. So I couldn't even get to my own blog...not that I would have done a lot of writing while on holidays.

I'm now back in Sydney for 2-3 weeks so hopefully I'll get a chance to catch up on my emails and all the news I've missed while offline. Then it's back to London.

To blog list

I have a to do list for blog posts, so I guess technically it's a "to blog list". I'm posting the list for 2 reasons:

1. So that I remember.
2. I can no longer use the excuse that no one is going to notice if I don't get around to it.

It's not a long list, but each requires my brain to actually make an effort while writing. So here they are:

• Follow up to my post on Data Security and Leakage Prevention. I said I'd look at issues to consider and how to address them.
• My thoughts on the Oracle acquisition of Bharosa that I first mentioned here.
• James McGovern suggested in a comment on this post (yet another one relating to Securent) that I share my thoughts on "the need for entitlement management in general and the problem space in terms of implementation."
  

I'll get around to these. In what order I'm not sure. But if you would like to read about one over the others let me know via a comment or by filling in the "email me" form on the right column of the blog.

Biometric entry into Australia

I'm still catching up with my news and I came across this story today (yes I know it was written almost a week ago). Apparently by 2010 non-Australian citizens will have to go through the pain of being fingerprinted and iris scanned when they enter the country. I imagine this will be similar to the process the US currently employs.

The most interesting thing from a technological standpoint was this statement:

"This information will be stored in the department’s central Identity Services Repository, which will be complemented with an ID management toolkit, including high-integrity enrolment and registration systems, forensic document examination techniques, a specialist identity investigation capability, advanced name search software, and an online document verification system."

It makes it sound easy doesn't it. Those of us who have had anything to do with identity Management and repositories know it's not, especially when you're talking about something of this scale. The thing that jumps out at me most of all is "central Identity Services Repository". Are they kidding? If that's really the plan, they better do some serious design work.

I'm also a little wary of the sentence: "ID management toolkit, including high-integrity enrolment and registration systems". Do they mean they want to use one of the provisioning solutions out there (I can make a pretty educated guess about what this would be because I know what they bought - I'm just not sure I'm allowed to say)? What's there to provision to besides the actual repository? The users being stored in the system will never have to use the system. I'm not saying that using a provisioning solution is a bad idea, but they don't need all the functionality that comes with it. The benefits you get from using an off-the-shelf product may not pay dividends here because of the performance trade-offs. They just need a scalable data store that performs. In other words, they need a great big relational database (or LDAP if they want something that has an open standard attached to it) with an application in front of it. I'm over-simplifying of course, but that's essentially what they need at the back end with the application being the glue between the biometric devices and the data store.

The DIAC actually have a bunch of off-the-shelf software products they could just pull out and use if they wanted. In fact, if I put my vendor hat on, I'd be able to slot a product into each part of the paragraph above (and not just for the "identity" part). But that would be fitting business processes to a set of products rather than the way it should be - figuring out what needs to be done and using the right solutions that fit.

IBM and Unisys are the service providers helping them put all this together and have their work cut out for them. They won't complain though. There's too much money to be made.

There have been how many data loss cases?!

Came across this list on attrition.org today of reported data loss incidents since 2000.

It's a rather long and scary list. Keep in mind these are ONLY the reported incidents that have been found by attrition.org. Who knows how many have not been reported. I'd also dare say there's a heck of a lot more where companies just don't know that an incident's occurred.

IBM the leader in Identity and Access Management

I didn't say it...not lately anyway (I've previously said it many many many many many times in front of customers). At least now I can prove I wasn't lying :)

IBM are the worldwide Enterprise Identity and Access Management vendor in terms of revenue share according to analyst firm IDC.

They may not be for long however. Oracle just became a very formidable opponent with their acquisition of Bharosa yesterday. Don't get me wrong. I'm not saying Oracle wasn't formidable before the acquisition. But the issue now is that Bharosa does things that IBM's suite does not.

That's right. I said it. An IBM competitor has useful functionality that IBM Tivoli does not provide (here comes all the abuse from my ex-IBM colleagues).

More on this later.

A case for data leakage prevention at IBM

I used to work for IBM. If you know me or have been reading this blog for at least the past few months, you know this.

It should come as no surprise that from time to time, I keep an eye on what IBM does. I also read Robert X Cringely's blog. I've been catching up on my reading (I'm way behind) and came across this post regarding IBM's LEAN program. It generated over 1000 responses on Bob Cringely's blog so it obviously touched a nerve. I was once a cynical IBM employee so I can identify with some of the comments. At the risk of getting flamed by my ex-IBM colleagues, I shall comment no more on this :)

Bob followed that post with another the following week containing an IBM internal email circulated to employees in response to Bob's blog post from the previous week. That IBM management felt the need to respond to a "rumour" as they call it makes one wonder if Bob's on to something. But what I really want to know is this...

How the heck did that email leak outside of IBM walls?!?! Lotus Notes has protection against emails being forwarded, printed and even copying of email contents. Did those check-boxes not get ticked before sending the email? And if they DID get ticked then someone must have found a way around it (a Lotus Notes expert could probably figure it out). If there is no way around it in Lotus Notes (I'm not a Lotus Notes expert) then did someone just take a screen shot and have Bob painstakingly re-type the entire email? Perhaps. But I doubt it was that difficult. My guess is that all Bob had to do was copy from his email inbox straight into his blog post.

Does IBM have a Data Leakage Prevention (DLP) strategy in place? Maybe. Do they have a working solution in place? That was a rhetorical question. They don't. Will they have one soon? I'd put money on the answer being "yes". And yeah. I know something you don't. Don't ask or I'll have to go "James Bond" on you.

New look and name for the blog

This won't affect those of you reading this via an RSS feed. For those that usually get to my posts directly on the site, you'll notice a different look. No reason behind the change in look and feel other than to keep it fresh. It's just a standard template that is available via Blogger so it's not as if I spent any time or money to do it. I also started to notice that lots of people were using the same template (as my old one) so that was yet another reason for the change.

The most observant among you may also have noticed that I've renamed the blog. I hope the new name reflects what this is all about more clearly. The old name was a bit open ended. There's been nothing random about my posts for awhile so that didn't really make sense. This blog is really about IT security with a strong bias around Identity related issues (and probably data security in the months to come).

I'm not sure what that does to my blog's entry in Google's index. Hopefully nothing too painful (like getting thrown into supplemental result oblivion for example).

P.S. Could you please let me know (via comments or the "Email Me" form on the right hand side of the page) if you find any peculiarities with the blog (apart from anything stupid I may say in a blog post...even then write a comment to tell me what you think). Who knows what didn't get migrated over properly.

Data security and leakage prevention landscape

I've been focusing purely on this data security game for 2 months now (hence my lack of blog posts in June) so I thought it would be a good time to take a snapshot of my views. I didn't think it was appropriate to do it after a month because it was still too early for me to have an informed view of the marketplace and what the issues really are. At the 2 month mark, I've seen quite a few customers and am now able to understand what the typical use cases are, the varied approaches and attempts at solving the issue and how much demand there is in the market for solutions.

A few high level views I have of this space are as follows:

• It's the Wild West - Everyone tries to solve the issue in different ways. This includes organisations trying to prevent data leakage and vendors trying to solve the issue with their solutions. The reason is because it's a very new area and everyone's just coming to grips with the enormity of the task at hand. As a result, there's many a vendor who claims to solve the data leakage problem, but most are point solutions and any organisation wanting to make a decent attempt at tackling the issue will either need to come up with a holistic approach and plug the gaps with the point solutions or purchase a product that does most of what is required and decide if they want to spend money on plugging whatever holes remain. This concept and landscape is nothing new of course. Every new type of issue exhibits this early stage characteristic and as maturity of the marketplace sets in, you inevitably see consolidation and more holistic and complete approaches. The most recent example is obviously the Identity and Access Management industry. Just look at how the large vendors built their product suites. Needless to say, I'm in the camp that says the most holistic approach is the way to go. Don't buy point solutions because a year or 2 from now, you'll find that the next version of the 10 different products you just bought will overlap like crazy and upon further analysis, you realise you only needed to spend half as much...and that's not including the integration costs you had to bear by trying to tie all the disparate products together.
• Deja vu - Agents vs Agentless. Sounds frighteningly familiar. Identity and Access Management vendors had many a debate about the 2 approaches and which was actually better. Before that, it was the Systems Management bunch. It's the age old architectural and management simplicity vs visibility on the targets. In this case, it's the argument between having a network appliance watching network traffic between nodes and at the network perimeter and deploying agents at all relevant endpoints. If you monitor the network, you don't need to install anything on the endpoints. Problem is, you lose complete visibility once machines are no longer on the network. You are also blind to anything users do that doesn't involve the network (consider leakage via USB devices or CD burns). In the modern IT environment, there are too many mobile users that aren't on the network most of the time to ignore this as an issue. In trying to gain ease of deployment and management of the IT infrastructure, you lose security at the endpoint. On the other hand, placing agents on the endpoints means that your systems management and software distribution/asset management costs go up. There are more moving parts and it's yet another thing for the operations team to worry about. That is offset by the fact that you have visibility of your users regardless of whether they are on the network and whether they perform network operations. In this scenario, you are almost always protected (I'll explain the "almost" in the next point). I know which approach I'd rather take. In case I need to spell it out, consider that the concept that there is a perimeter around your organisation. It just isn't true anymore. You need to open up the network to do business. So just monitoring the network won't cut it. You need to place a virtual perimeter around your data to prevent it from going where it should not. This means you need agents.
• It is almost impossible to stop someone If they REALLY want to steal something - It's simple. Take a picture. No agent will be able to stop that. Until the day where each monitor has a sensor that can sense when an image capturing device (e.g. a camera) is being used and feed it back to the operating system, this cannot be fully stopped. You can however, slow down the speed at which thieves can get at the data. They may still get what they need, but it'll take them quite a bit longer and by then, you have a good chance of catching them because any solution worth buying will be able to tell that someone is doing a lot of things they shouldn't be doing. For example, for someone to realise that there is a way around the system, they would have had to either have lots of inside information (in which case the problem is not technical, but social) or have tried many things on the system to figure out where the gaps are. All the attempts should be noticed and relevant administrators notified. What this does is buy you time to catch a thief. 1 out of 10 may still get away with it, but you've stopped the other 9.
• It's an educational process - Most employees want to do the right thing. Problem is, most don't have time to read the 1000 page corporate data security policy. Putting measures in place can at least alert managers when employees do things they should not be doing or tell the users themselves. How many times have you emailed something to your home email account because it was the easiest way to get it there to work on it? Most people may think this is ok, but any experiences security professional will tell you that doing such a thing is probably a policy breach of some sort. If you just tell the users that are doing the wrong things that they should not be doing them, they'll usually stop. After all, who wants to get into trouble? Because of the lack of user education, many data leakage incidents are accidental. They don't know any better.
• At the forefront of everyone’s mind – Almost everyone is at least thinking about data leakage and what they can do to address the issue (see my notes from Infosecurity Europe 2007 days 1, 2 and 3). This does not mean organisations have the budgets to implement anything yet. There are still many that are stuck in the 90s and busy playing with firewalls and anti-virus/spyware products and have not moved on to other activities because of budgetary constraints. That being said. even these organisations are thinking about data leakage. The media obviously has a lot to do with this sentiment in the market thanks to constant reports of major incidents in all sorts of institutions (TK Maxx anyone?) and the fines being dished out to the organisations due to their lack of appropriate measures. It’s a real issue. Organisations will inevitably have to address it one way or another. This is also not just limited to large companies anymore. We have the PCI data standards to thank for that. Compound this with the fact that people are also thinking about identity theft (not always caused by data leakage, but data leakage usually leads to identity theft) and everyone has a real compelling reason to act.
• Not just about compliance – Sure this is a driver, but it’s not always the compelling reason. In fact, compliance as a justification for data leakage solutions is less common than most might think. Actually, I worry when a company wants to protect data simply because they have to be compliant (a good security department should not be driven only by compliance). More commonly, it’s about knowing what’s going on and just plain old good security best practice. Of course, there are those that use compliance as the official reason, but often that’s for budgetary reasons rather than any actual real business or technical reason.
• A good leakage prevention solution enables business – Why has security always been so hard to justify when it comes to asking management for a budget? Because it’s not easy to show return on investment (ROI). Security is also seen as annoying. After all, it just stops people from doing work right? That’s exactly what a draconian security environment does. Productivity suffers because things are just difficult to do due to security measures put in place. With data leakage prevention, the ROI is a little easier. I’m not saying it’s easy, but it’s much more effective when you go to management and say “if we don’t protect our data, we get fined millions if a single piece of information gets out.” Also, wouldn’t it be nice if you could let people do slightly risky things to be more productive as long as there’s accountability? Traditional measures take an all or nothing approach. The main reason being the inability to track fined grained activities. Yes, it sounds like authorisation/entitlement management. Why? Because that’s exactly what it is, but using a data centric view instead of an identity centric one. If only you could monitor, control and react (if required) to all user activities when dealing with data. Controls could be loosened slightly.
  

So what issues are there to consider? How can these issues be addressed? How does one go about the journey down this path? That’s material for another day.

SAP would do well to buy Ping

Ping Identity's been doing a lot of good work in the Identity space of late. Their latest is being first to market (at least I think they are) to launch a cross-over solution for Microsoft Windows Cardspace and OpenID in the form of SignOn.com.

They are perhaps the most active startup in the Enterprise Identity Management space (the guys at Securent might beg to differ) and are crossing over into the User Centric Identity arena of late, most notably with their interoperability tests at the RSA Conference earlier this year. They're also frequently mentioned by Kim Cameron on his blog in relation to work they do with Federated Identity and Cardspace, so it's not really surprising that they've launched SignOn.com

I was browsing their site when I came across a press release from mid June which mentions that their PingFederate product is now SAP NetWeaver certified. This jumped out at me because of my recent train of thought relating to SAP.

I wonder if SAP has its eyes on Ping Identity as an acquisition target? It would have fit right in with the NetWeaver story even without having PingFederate certified against it. Add the foray into the User Centric Identity space and it would give SAP a competitive advantage against the other established Enterprise Identity Management vendors. Why? Because very few of them are doing very much about it. Novell and Sun come to mind. The other vendors are too busy trying to acquire more companies to fill out their risk and compliance portfolios.

If I made the decisions at SAP, this is something I'd be pursuing aggressively. Then again, I don't run a multi-billion dollar company so what would I know.

SAP Identity will take time

I gave my 2 cents on the SAP acquisition of MaXware when it happened and noted that it wouldn't be long before they officially announce their entry as an Identity Management vendor.

Well they've now publically stated their intent. It'll take them awhile before they truly understand the space however. It's not surprising given that this is new to them and they've been too busy milking the SAP R/3 cash cow for so long. Oracle's Identity Architect Nishant Kaushik points this out (the "not understanding the space" part, not the cash cow bit) in his latest blog post following his observations from the recent Burton Group Catalyst conference. He's right, although he does have a vested interest in pointing this out given that SAP and Oracle go head to head in almost everything.

What SAP may not yet realise (but will soon enough) is that they have a distinct advantage over many of the other Identity Management (IDM) vendors when it comes to user management and provisioning, especially around anything to do with people and entitlements. In other words, what people should be getting access to within the environment and how they get this access.

Their competitive advantage is actually SAP R/3 itself. Almost every IDM deployment drives their user provisioning, updates and de-provisioning processes through their HR systems. In most cases this is going to be SAP or Oracle (typically Peoplesoft). It makes sense of course. If a person is hired, the first place they appear is in the HR system. When they leave, they get taken out of HR. It is for this reason that Oracle wasted no time in closely integrating their IDM suite with their HR applications and also took the trouble to cross certify them.

If SAP is to become a serious IDM vendor and challenge the likes of IBM, Oracle, Sun, CA and BMC they need to start with their existing R/3 install base. This seems like a no-brainer. Sales 101. Go after the people you already have relationships with and up-sell your products. What they'll need to be able to do however, is convince the install base that SAP IDM is the way to go because of the tight coupling with R/3 right from the underlying technology through to the business processes. SAP will not beat the other vendors on functionality, at least not for now.

They've essentially bought a meta/virtual directory product with synchronisation capabilities and minimal provisioning functionality (MaXware) and another product to tie in compliance (Virsa). There isn't enough functionality to compete from a holistic standpoint. They will need to prove that they hook into the SAP platform better than anyone else out there (and they really should because it's their own software) and they will also need to sell customers on their commitment to an overall IDM strategy and then go out and buy companies to fill the gaps, of which there are many.

In short, SAP need to focus on 2 things before being able to be a serious threat in the IDM game:

1. Integrate the current capabilities seamlessly into their application software stack and do it better than anyone else out there and sell customers on the fact that IDM should be driven by their existing SAP R/3 deployments.
2. Fill out the big gaps in their IDM portfolio. There are many holes.
   

When they do step 1 successfully, they may actually start to sell some of their software to customers that buy into their IDM vision/strategy. If they do step 2 successfully, the other vendors better watch out. Because then only 2 vendors will be able to say "our software can run your entire identity management process end to end, from business through to IT". At the moment, Oracle can probably go into customers saying this. SAP need to get there too. It's their best bet at becoming a legitimate IDM player.