Modernizing Authentication — What It Takes to Transform Secure Access
At last week's Gartner Security and Risk Management Summit, threats were booming, budgets were lean, and businesses were challenged to do more with less. Security professionals now scramble to safeguard new IT initiatives like cloud computing, social networking, mobility, and Windows 7, while meeting escalating regulatory, compliance, and e-discovery demands. CISOs have little choice but to focus finite security resources on those risks that most impact business success.
As Gartner analyst Eric Ouellet said about Data Loss Prevention: "Don't try to boil the ocean follow the priorities of your organization to attempt only what makes sense for you right now."
Organizations are buying too much DLP, said Ouellet. Most fail to deploy all of the components they have purchased within three years. Worse, many underestimate the need to involve non-IT stake holders, right from the start. Too often, the result is an expensive disappointment. "Start with one big business issue and focus on solving it first," he said.
Similar recommendations were made about other technologies throughout this summit. Cyber-crime continues to grow, as do vectors through which we expose business assets. As the attack surface expands, it becomes impractical to lock down everything. Instead, speakers told attendees to enable key business processes with targeted security controls.
Learn to sharesmartly
In his summit kick-off, former US Attorney General John Ashcroft said that organizations must learn to protect sensitive information while balancing privacy vs. usability. "The important breaches those that are the most costly come from inside," Ashcroft warned. As in the infamous case of FBI-agent-turned-spy Robert Hanssen, Ashcroft said, "There can be just too many people with too much access."
However, ignoring situational awareness can be just as damaging. Whether the result of policy or lack of consolidation, "Siloing of information inside IT can be as dangerous [to enterprises] as siloing inside intelligence agencies was to the US before 9/11," said Ashcroft. "Don't let this happen to you."
Ashcroft cited recent "shoe bomber" and "Times Square" terrorist attacks that were defeated through the participation of individuals, not just law enforcement. When it comes to effective enterprise security, IT cannot go it alone. "We need to enlist the broad public in securing information," argued Ashcroft. Privacy should be about enabling access, by the right people, to the right datanot preventing access by everyone.
Gartner analyst John Pescatore took attendees on a tour of cyber-threats, past, present, and future. "In mainframe days, all we had to worry about was insider threats," said Pescatore. "But then the Internet changed the way that we did business."
Soon thereafter, worms began to prey upon e-mail as a common business communication medium. "Today, social network and virtualization are reshaping cyber-threats once again. We're seeing the rise of non-traditional application ecosystems, where everything occurs outside the good old data center," he said.
From Twitter and Facebook worms to DNS cache poisoning, it's tempting to think of next generation threats as requiring new controls. However, "more than ninety percent of these attacks are exploiting vulnerabilities we already knew about, or should have known about. Very few attacks less than 1% are zero-day attacks," said Pescatore.
As a result, Pescatore advised attendees to focus on a few big-impact areas:
- Scouring inbound messages at security gateways (or inside cloud services);
- Supporting IT consumerization securely using NAC, desktop virtualization, and application whitelists; and
- Improving Web security through software vulnerability assessment and SaaS.
Supply chain pollution, hypervisor/VM threats, Trojans downloaded from app stores, compromised clouds, and LTE/4G attacks are likely to emerge over time. But those sexy new threats should not be permitted to siphon attention away from today's top-priority defenses.
"Don't count raindrops," said Pescatore. "Focus on leaks in the roof."
Look before you leap
Ouellet observed that turnout for his Data Loss Prevention session was bigger than ever. Despite early-adopter burn-out, the DLP market continues to grow. [Editors note: For advice on how to choose the right DLP for your company, read How to Choose a DLP Provider.]
DLP products now are widely available for deployment at the network perimeter or on endpoints, policing data delivered through a single channel (e.g., e-mail, DRM) or enterprise-wide. Acquisition costs can be hard to plan because components are often sold a la carte for example, separately-licensed discovery, prevention, and encryption modules. The good news, said Ouellet, is that per-endpoint prices have fallen to the point where the incremental cost of single-channel DLP may now be considered negligible.
Of course, bigger operational costs are incurred as DLP is rolled out.
"Most deployments end up in monitor-only mode because the cost and impact of blocking can be too much," said Ouellet. One example: It is rarely appropriate for first line IT to examine leaked data to decide how to remediate an incident. "The person who should probably look at content is the data owner finance, legal, HR, compliance." Thus Oeullet's imperative to get non-IT stakeholders involved at project start.
Ouellet described one trial that compared monitor vs. prevention modes. "Remediation was actually lower in the blocking trial. It turned out to be more effective to monitor, warn, and educate than to block," he said. Organizational resistance, false positives, and national privacy laws may all pose concerns, but DLP rollouts are most successful when focused on one big business problem. "Start with single channel or skip prevent for now," Ouellet recommended. "Work closely with user awareness programs to get the most value from DLP and measure success by reduction in events. If rates don't drop, educate."
Pursue quick returns
In his session on Windows 7 security planning, Gartner fellow Neil MacDonald noted that most enterprises skipped Vista. He predicts that half will deploy Windows 7 this year, and that making this transition will have real security impact. However, the most promising security features in Windows 7 are only available in Enterprise or Ultimate versions, which require additional on-going fees.
However, MacDonald said that many enterprises could greatly improve their security posture even without Windows 7. "The two most significant things you can do today are get off Internet Explorer 6 and get rid of administrative rights for end users," he said. "Neither requires moving to Windows 7, although you can use Windows 7 migration as a catalyst to make them happen."
Some IE6 applications will not run on IE8 (included in Windows 7). Companies stuck on IE6 for this reason should consider using Windows 7 XP Mode or terminal services to (virtual) XP desktops to preserve legacy access. Moving all other Web activities to IE8 without further delay can tap improvements like DEP and ASLR protection while browsing, smartscreen filters, and Type 1 cross-site scripting defenses.
"You will need to test all of your applications, especially if you're running as a standard user, but you should start using IE8 as soon as possible," counseled MacDonald.
Windows 7 User Account Control (UAC) does not require running as a standard user, but it can discourage users from making unauthorized changes. MacDonald acknowledged that the politics of eliminating administrative rights can be daunting. "Our users are like ponies running around free on the prairie. Now we're putting up barbed wire fences and they're getting spooked," he said.
Nonetheless, MacDonald argues that companies should start running all applications as standard user prior to deploying Windows 7, clearing this hurdle before UAC prompting begins. Organizations grappling with tough cases should consider solutions like BeyondTrust or Avecto that can permit privilege elevation on exception while running as standard user most of the time.
More intriguing security features like AppLocker, BitLocker, and DirectAccess may come with full-blown Windows 7 deployment, but executing a migration plan can easily take a year. In the meantime, get these two big-payoff steps out of the way, advised MacDonald. And don't forget to survey your security tools for Windows 7 (32 and 64 bit) support and involve your security team in deciding which Windows 7 features to use.
Leverage unmanaged devices
Many enterprises are now working to enable secure access from employee-liable smartphones especially iPhones. But in his session on trusted portable personalities, Gartner analyst John Girard noted that many business activities require a larger screen and better data entry to edit documents. To support such activities in a secure, but cost effective manner, IT must provide a trusted environment (safe, private, and auditable) that is portable (available when and where needed, from a wide range of hardware) and embodies each employee's personality (files, applications, settings).
Portable personality approaches to enable corporate data access from unmanaged desktops and laptops fall into two broad categories: device-based and portal-based. Device-based offerings include workstation-on-a-stick (e.g., vDesk, IronKey) and virtual machines (e.g., Citrix, VMware). Portal-based approaches include virtualized desktops (e.g., terminal services, Citrix), SSL VPN with quarantine (e.g., Juniper, F5), and cloud application services (e.g., Google, Nivio).
Each approach has distinct benefits, but can be stymied by limitations, such as trusted agents that lack permission to run or enforce policy, hosts that cannot boot from USB, and cloud services that cannot support offline use.
"No single solution satisfies every dimension," said Girard. "You may need more than one." He then described nearly a dozen case studies in which large security-sensitive organizations had successfully used one or more portable personality solutions to support a wide range of business activities, including the US Navy and FEMA.
Girard recommended that each company establish a decision framework with which to evaluate manageability, compatibility, and supportability for each portable use case. To maximize local defense, consider portable personality devices; to maximize versatility, consider portable personality portals. When deploying solutions, bear in mind that each will be used in a potentially hostile environment.
"The equipment they're using could be lost; the data they're working with could be placed at risk. You'll need to know what the user was carrying when they lost it, what they were doing when compromised, and that means audit capability," cautioned Girard.
Avoid audit fatigue
Each Gartner summit includes solution provider sessions during which vendors and their customers describe challenges and how they were addressed. During one, Tripwire CTO Gene Kim shared his research on audit performance and recommended nine practical steps to overcome the audit blame cycle.
Kim and colleague Jennifer Bayuk benchmarked audit performance for over 1500 organizations, examining prep practices and measuring associated costs. "We wanted to codify how [high-performing] organizations were different. One way they were different was in how they played the audit blame game," said Kim. Audit readiness is usually over-stated until immediately before the audit, at which time there is a mad scramble to right all the wrongs. With security accounting for 15 percent of total IT spend, compliance and audits are starving other projects.
This occurs when organizations focus on the wrong goal passing the audit, rather than ensuring that business assets and processes were properly secured all along.
"When all of your time is spent getting ready for audits, businesses start implementing controls as part of one-time audit prep," explained Kim.
Kim found that organizations that performed well in audits shared several characteristics. In addition to spending one-third the time prepping for audits and having fewer repeat failure findings, they were five times more likely to detect a breach by automated controls, fives times less likely to have breaches resulting in loss, and experienced half as many change implementation failures. In short, whatever these organizations were doing to pass audits more easily also had real business value.
"It turns out that three controls predicted 60 percent of performance," said Kim: the extent to which an organization defines, monitors, and enforces (1) a standard configuration strategy, (2) process discipline, and (3) controlled access to production systems.
Based on these findings, Kim outlined steps that attendees could take to emulate these top-performers, starting with aligning tone at the top and creating a merged set of infosec and compliance goals.
"Put goals into business context, identify controls to meet those goals, and define what business process owners must do to support them," said Kim.
Next, map goals onto indicators that demonstrate success and apply them to business processes. Using inputs, outputs, and systems identified during process analysis, establish control ownership roles and responsibilities and define tests that demonstrate whether compliance goals are being met. Conduct tests frequently enough to rely on results, independent of audit timing or scope. Track metrics and remediation reports, and maintain situational awareness to determine business change impact on defined goals.
"If you take these steps, you'll have a culture that doesn't tolerate [unplanned] change, that makes decisions based on data, and that tracks data so that fixes can be made quickly, before problems have business impact," said Kim. Oh and you'll be more likely to pass your next audit with less waste, lost sleep, and finger pointing.
Seek innovative solutions
Nearly 100 companies exhibited in this event's "solutions showcase," including premier sponsors Google (Postini), RSA (Archer), Qualys, Symantec, Websense, and Verizon Business. Products on display ranged from DLP, endpoint protection, data encryption, patch management, Web security, and IT security controls to e-discovery, fraud detection, SEIM, GRC, audit management, risk assessment, and IT disaster recovery management.
Gartner showcases are not loud glitzy extravaganzas. This is not an event where dozens of companies stage major product announcements. Instead, booths are modest, providing attendees quiet opportunities to chat with existing suppliers and learn about new solutions. Here is just a small sampling of what we found there.
- IronKey CMO Dave Tripier demonstrated Trusted Access for Banking, which builds on IronKey's ruggedized, encrypted USB storage. According to Tripier, 20-30 percent of users have experienced online fraud; Zeus is a major threat. To mitigate this risk, some banks are giving select business customers an IronKey Trusted Access for Banking stick. During the demo, the stick's virtual keyboard defeated an implanted keylogger, while its trusted DNS resolver bypassed /etc/hosts redirection to a phishing site.
- CORE Security, known for its IMPACT Pro penetration test tools, chose the summit to announce INSIGHT Enterprise, an appliance that continuously verifies a network's security posture and defenses.
"INSIGHT does not replace human intuition; there is still a need for pentest tools and experienced testers," explained senior director Michael Yaffe. "INSIGHT automates common tests, focusing on the data exposed (rather than exploits and vulnerabilities that cause exposure). It is designed to better inform the business."
Application owners can use INSIGHT to run their own first-line and regression tests on systems for which they have credentials and access. Security staff can use INSIGHT to trend test results and evaluate the effectiveness of controls.
- We chatted with Proofpoint CMO Peter Galvin about e-mail archival in the cloud. Proofpoint has a long history of delivering anti-spam and anti-malware, initially using software, then an appliance, and now SaaS. Over time, Proofpoint added e-mail encryption, data loss prevention, and archival, administered through a common policy engine.
"Compliance and retention drove our recent move into archival," explained Galvin. "We leveraged cloud delivery to provide capabilities similar to what large enterprises can achieve, but at a low cost per user. Using grid computing and commodity storage, we can journal a copy of every message for archival, retrieving those messages in under 20 second search time."
A cloud service like this can implement a 7-10-year retention policy far more economically than a forensic e-mail search ever could, said Galvin.
- Many companies focus on e-mail and messaging security, but Indorse CEO Rob Marano says this leaves a hidden crisis electronic files.
"Like a foundation that's solid, but has a few cracks, what we do is to complement Sharepoint, WebDav, DRM, and other network file sharing systems by applying file format and processing expertise to catch whatever slips through," said Marano.
Indorse manipulates files to track their movement, even beyond a secure IT environment. For example, video game manufacturers use Indorse to track pre-release screenshots shared with authorized reviewers.
"The file leaves the administrative domain, but the domain doesn't leave the file," said Marano. "We protect files in a way that doesn't require licensing software to all of the parties that need access."
- Senior Security VP Tom Gillis spoke to us about Cisco's Secure Borderless Networking initiative. At the summit, Cisco announced new Cisco ASA and Cisco Security Manager releases. Gillis said there will be always be a place for "heavy" endpoint security, but that smartphones need lighter-weight solutions that dovetail with network defenses.
"We put a small software NIC on each device iPhone/iPad, Palm Pre, Windows Mobile, Nokia/Symbian to make policy-based routing decisions," explained Gillis.
E-mail might be sent to a ScanSafe cloud, Web traffic might be redirected to the nearest proxy, SIP traffic could be routed to a VoIP call manager, and all other traffic tunneled to an ASA. However, when the smartphone is inside the firewall, different rules could be applied transparently to the end-user.
"We want to provide secure, seamless access for wired, wireless, and mobile Internet," said Gillis. "A BlackBerry-like experience, but for all traffic types and devices."
"Our virtualized secure environment provides a secure browser session that launches to a bank-defined portal page," explained Tripier. "The secure session prevents snooping at transactions, which are proxied through IronKey's cloud."
So many sessions, so many sponsors, so little time. Like cyber-threats themselves, we could not come close to exhaustively covering everything of interest at Gartner's Security and Risk Management Summit 2010.
In the end, we left with a sense that security staff simply cannot learn about, much less defend against, every possible risk. Given finite resources, security planning has become a matter of triage identify areas that require the most immediate attention and pose the greatest potential, focusing your resources without losing sight of the bigger picture.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.