<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>Speaking of Security - The RSA Blog and Podcast &#187; Nirav Mehta</title>
	<atom:link href="http://blogs.rsa.com/author/mehta/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.rsa.com</link>
	<description>The Security Blog for Security Professionals</description>
	<lastBuildDate>Fri, 17 May 2013 12:30:58 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5</generator>
<!-- podcast_generator="Blubrry PowerPress/4.0.7" -->
	<itunes:summary>The Speaking of Security podcast features lively discussion with industry experts on the latest issues and trends in the security industry.</itunes:summary>
	<itunes:author>RSA, The Security Division of EMC</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png" />
	<itunes:owner>
		<itunes:name>RSA, The Security Division of EMC</itunes:name>
		<itunes:email>podcast@rsa.com</itunes:email>
	</itunes:owner>
	<managingEditor>podcast@rsa.com (RSA, The Security Division of EMC)</managingEditor>
	<itunes:subtitle>The Security Blog for Security Professionals</itunes:subtitle>
	<itunes:keywords>Security, Cyber Crime, APTs, Sam Curry, RSA, EMC, Advanced Persistent Threats, Fraud</itunes:keywords>
	<image>
		<title>Speaking of Security - The RSA Blog and Podcast &#187; Nirav Mehta</title>
		<url>http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png</url>
		<link>http://blogs.rsa.com</link>
	</image>
	<itunes:category text="Technology">
		<itunes:category text="Tech News" />
		<itunes:category text="Podcasting" />
	</itunes:category>
		<item>
		<title>Darkness Lies Directly Under the Candle</title>
		<link>http://blogs.rsa.com/darkness-lies-directly-under-the-candle/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=darkness-lies-directly-under-the-candle</link>
		<comments>http://blogs.rsa.com/darkness-lies-directly-under-the-candle/#comments</comments>
		<pubDate>Thu, 01 Nov 2012 13:07:55 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[Passwords]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=7084</guid>
		<description><![CDATA[Far too often, we fail to see the obvious weaknesses in our defenses. Over 50 million consumer passwords have been reported stolen in 2012 alone in highly visible ‘smash and grab’ attacks. Yahoo, LinkedIn, Zappos, eHarmony… the list goes on. This is the equivalent of robbery in broad daylight. How did we as an industry let [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://blogs.rsa.com/wp-content/uploads/candle.jpg"><img class="alignleft size-medium wp-image-7085" title="candle" src="http://blogs.rsa.com/wp-content/uploads/candle-300x200.jpg" alt="" width="300" height="200" /></a></p>
<p>Far too often, we fail to see the obvious weaknesses in our defenses. Over 50 million consumer passwords have been reported stolen in 2012 alone in highly visible ‘smash and grab’ attacks. Yahoo, LinkedIn, Zappos, eHarmony… the list goes on. This is the equivalent of robbery in broad daylight. How did we as an industry let this happen? The answer reminds me a lot of the title of this post, which is also an ancient saying that has rung true for ages.</p>
<p>First, let’s give credit where it is due. Website operators have been proactive in shoring up their defenses, including:</p>
<ul>
<li>Web application firewalls and a variety of network defenses to thwart attacks</li>
<li>Advanced forensic tools to detect and trace malicious activity</li>
<li>Multifactor and risk-based authentication tools to augment the quality of authentication provided by passwords</li>
</ul>
<p>But the simple truth is that good old passwords remain at the foundation of this multi-layered defense. We failed to ask a simple question: ‘Are the passwords properly secured where they are stored?’ We have done the equivalent of installing a digital motion-sensing alarm at the front door while the back door is secured with string. Why? Because the technology used to protect the stored passwords has become outdated. Several websites simply hash passwords while some store salted hashes. The current state of the art in cryptography and the compute power readily available to attackers have made it possible to crack 100,000 passwords in just a matter of hours using <a href="http://arstechnica.com/security/2012/08/passwords-under-assault/">inexpensive hardware</a>. Hashing and salted hashing are no longer adequate protection for stored passwords. Attackers have taken full advantage of these advances to bring down the outdated defenses protecting stored passwords.</p>
<p>Granted, individual passwords are often weak and phishing attacks continue to threaten the security of the individual user.  But, the threat of en masse theft of millions of passwords is even bigger and too grave to be left unaddressed.  The impact of a realized threat is high because users tend to use the same passwords for multiple websites.  Compromise of one website can very quickly lead to multiple other websites falling like dominoes.  The damage done to consumer confidence and brands of consumer-facing businesses is too high to measure.</p>
<p>Passwords are not going away any time soon.  They are convenient and they are everywhere.  Consumer websites will continue to use passwords for a long time to come although we will try as an industry to foster adoption of other stronger authentication methods.  We have to solve the problem of unprotected passwords decisively and immediately.</p>
<p>At RSA, we have a legacy of innovation in authentication including PKI, multi-factor authentication techniques and layered risk-based authentication. We continue to innovate in those fields but we felt it necessary to take a step back and deliver a strong solution for protecting stored passwords. This is why we <a href="http://www.youtube.com/watch?v=C0k_EMf2qqw">announced</a> RSA Distributed Credential Protection last month at RSA Conference in London. This is a product developed at RSA based on patented innovation from cryptographers at RSA Labs. The technology behind the product employs the proven methods of threshold cryptography but applies them in practical ways to essentially split passwords into multiple random pieces stored on secure servers. The <a href="http://www.youtube.com/watch?v=QyGTylPCsjQ">key innovation</a> is that passwords can be authenticated at runtime by the secure servers without any need for passwords to be reassembled.</p>
<p>With this simple solution, websites will be able to split their passwords across multiple locations and security domains.  An attacker would have to compromise and gain access to all servers to gain access to the passwords. With proper separation of security domains and networks, this would be very difficult.  We make it even harder by offering the option to periodically randomize the stored password pieces again to further reduce the window of time in which the attack has to be performed. </p>
<p>This simple but powerful technique would strengthen security where it really matters – at its foundation – where the passwords are stored. Ultimately, the goal is to stay one step ahead of the attackers. With RSA Distributed Credential Protection, we can raise the cost of attack exponentially.</p>
<p>There is no better alternative to a layered defense. We must secure both the ‘front door’ (multi-factor and risk-based authentication, fraud detection, application firewalls) and the ‘back door’ (stored passwords, privileged users/insiders, software security). As an industry, we have spent a disproportionate amount of our time on the front door. With RSA Distributed Credential Protection, we hope to close the back door to the passwords and keep it shut tight!</p>
<p>***This blog was contributed to the <a href="https://blogs.rsa.com/author/idp-beat/">Identity and Data Protection Beat</a> by Nirav Mehta.***</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/darkness-lies-directly-under-the-candle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Laying the foundation for tomorrow’s IAM</title>
		<link>http://blogs.rsa.com/laying-the-foundation-for-tomorrows-iam/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=laying-the-foundation-for-tomorrows-iam</link>
		<comments>http://blogs.rsa.com/laying-the-foundation-for-tomorrows-iam/#comments</comments>
		<pubDate>Wed, 12 Sep 2012 12:59:24 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[IAM]]></category>
		<category><![CDATA[identity and access management]]></category>
		<category><![CDATA[identity federation]]></category>
		<category><![CDATA[Risk-based Authentication]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=6359</guid>
		<description><![CDATA[The last time I witnessed a reboot of identity and access management (IAM) infrastructure was 1996.  Web applications had taken hold and intranets and extranets were buzz words. The security industry responded with web access management (WAM), provisioning, strong authentication and directory services.  The industry has since built on these technologies to deliver identity federation, risk-based authentication and identity and access governance.  All these IAM technologies have served us well but a wave of new developments has revealed the need for a rethink.]]></description>
				<content:encoded><![CDATA[<p>The last time I witnessed a reboot of identity and access management (IAM) infrastructure was 1996.  Web applications had taken hold and intranets and extranets were buzz words. The security industry responded with web access management (WAM), provisioning, strong authentication and directory services.  The industry has since built on these technologies to deliver identity federation, risk-based authentication and identity and access governance.  All these IAM technologies have served us well but a wave of new developments has revealed the need for a rethink:</p>
<ul>
<li>Web Access Management tools are struggling to keep up with exponential growth in the number of users and applications (especially SaaS apps) as well as the mobility of users. Static authentication and access policies are just not suitable for a highly dynamic set of access patterns and ever-changing risk profiles.</li>
<li>Provisioning technologies that operate on the principle of taking user information from one system and replicating it somewhere else are reaching their productivity limit as large numbers of applications are delivered from the cloud. Provisioning systems were built to operate within a corporate network boundary.</li>
<li>Organizations are experiencing the substantial burden of integrating identity federation with dozens of cloud services. Every organization is duplicating the repetitive tasks required to establish identity integration with every cloud service.</li>
</ul>
<p>Our challenge is to leverage and enrich the existing IAM tools to deliver the foundation for tomorrow’s IAM.  We believe this can be done.  We know this can be done.  Today, <a href="http://www.emc.com/about/news/press/2012/20120912-01.htm" target="_blank"><strong><span style="text-decoration: underline;">RSA has announced availability of three solutions</span></strong></a> that demonstrate how RSA is delivering the IAM infrastructure for the next 15 years.</p>
<ul>
<li>RSA has already integrated the <strong><a href="http://www.emc.com/security/rsa-identity-and-access-management/rsa-access-manager.htm">RSA Access Manager</a> (WAM)</strong> technology with <strong><a href="http://www.emc.com/security/rsa-identity-protection-and-verification/rsa-adaptive-authentication.htm">RSA Adaptive Authentication</a></strong> (risk-based authentication). We are pleased to announce that this integration has been deepened to add the ability to authenticate users using one-time passwords sent via out-of-band email. The combination of WAM and risk-based authentication represents a new breed of risk-aware web access management that is enabling organizations to confidently roll out clouds for consumers and partners.</li>
<li>As identities grow in number and richness of context, the ability to provide a single source of truth about the user will become one of the most fundamental building blocks of IAM infrastructure. RSA has entered the identity management market by offering the <strong>RSA Adaptive Directory</strong>. This is a familiar technology – virtual directory – that will be immensely important as the foundation upon which other IAM apps will depend. In the context of the new IT, it will enable organizations to harvest identity information across the enterprise and expose it securely and flexibly to partners and cloud services.</li>
<li>Last year at RSA Conference, we announced the <strong>RSA Cloud Trust Authority</strong> (CTA) that would enable a new efficiency by providing the function of a cloud-based access broker. Today, we have released the first part of the IAM component of CTA – <strong>RSA Adaptive Federation</strong>. This is a federation-as-a-service product that would enable unprecedented ease of use and minimize the effort required for integration with SaaS apps.</li>
</ul>
<p>Seen in isolation, these technologies are very effective but the sum of these solutions is certainly larger than the parts.  We call this sum <a href="http://blogs.rsa.com/?p=6361" target="_blank"><strong>Adaptive IAM</strong></a>.  Adaptive in the face of cloud and mobile.  Adaptive in the face of ever-changing risk profiles. Adaptive in the face of the increasing number and richness of identities.</p>
<p>We at RSA are lucky to have the opportunity to build on a great legacy and deliver the future. These new solutions are only the beginning.</p>
<!-- Start Sociable --><div class="sociable"><ul class='clearfix'><li><a title="Facebook" class="option1_16" style="background-position:-48px 0px" rel="nofollow" target="_blank" href="http://www.facebook.com/share.php?u=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;t=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM"></a></li><li><a title="Twitter" class="option1_16" style="background-position:-144px -16px" rel="nofollow" target="_blank" href="http://twitter.com/intent/tweet?text=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM%20-%20http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F%20  "></a></li><li><a title="LinkedIn" class="option1_16" style="background-position:-144px 0px" rel="nofollow" target="_blank" href="http://www.linkedin.com/shareArticle?mini=true&amp;url=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM&amp;source=Speaking+of+Security+-+The+RSA+Blog+and+Podcast+The+Security+Blog+for+Security+Professionals&amp;summary=The%20last%20time%20I%20witnessed%20a%20reboot%20of%20identity%20and%20access%20management%20%28IAM%29%20infrastructure%20was%201996.%20%20Web%20applications%20had%20taken%20hold%20and%20intranets%20and%20extranets%20were%20buzz%20words.%20The%20security%20industry%20responded%20with%20web%20access%20management%20%28WAM%29%2C%20provisioning%2C%20strong%20authentication%20and%20directory%20services.%20%20The%20industry%20has%20since%20built%20on%20these%20technologies%20to%20deliver%20identity%20federation%2C%20risk-based%20authentication%20and%20identity%20and%20access%20governance.%20%20All%20these%20IAM%20technologies%20have%20served%20us%20well%20but%20a%20wave%20of%20new%20developments%20has%20revealed%20the%20need%20for%20a%20rethink."></a></li><li><a title="email" class="option1_16" style="background-position:-80px 0px" rel="nofollow" target="_blank" 
href="https://mail.google.com/mail/?view=cm&fs=1&to&su=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM&body=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&ui=2&tf=1&shva=1"></a></li></ul><div onMouseout="fixOnMouseOut(this,event,'post-6359')" id="sociable-post-6359" style="display:none;">   

    <div style="top: auto; left: auto; display: block;" id="sociable">



		<div class="popup">

			<div class="content">

				<ul><li style="heigth:16px;width:16px"><a title="Myspace" class="option1_16" style="background-position:0px -16px" rel="nofollow" target="_blank" href="http://www.myspace.com/Modules/PostTo/Pages/?u=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;t=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM"></a></li><li style="heigth:16px;width:16px"><a title="Delicious" class="option1_16" style="background-position:-16px 0px" rel="nofollow" target="_blank" href="http://delicious.com/post?url=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM&amp;notes=The%20last%20time%20I%20witnessed%20a%20reboot%20of%20identity%20and%20access%20management%20%28IAM%29%20infrastructure%20was%201996.%20%20Web%20applications%20had%20taken%20hold%20and%20intranets%20and%20extranets%20were%20buzz%20words.%20The%20security%20industry%20responded%20with%20web%20access%20management%20%28WAM%29%2C%20provisioning%2C%20strong%20authentication%20and%20directory%20services.%20%20The%20industry%20has%20since%20built%20on%20these%20technologies%20to%20deliver%20identity%20federation%2C%20risk-based%20authentication%20and%20identity%20and%20access%20governance.%20%20All%20these%20IAM%20technologies%20have%20served%20us%20well%20but%20a%20wave%20of%20new%20developments%20has%20revealed%20the%20need%20for%20a%20rethink."></a></li><li style="heigth:16px;width:16px"><a title="Digg" class="option1_16" style="background-position:-32px 0px" rel="nofollow" target="_blank" 
href="http://digg.com/submit?phase=2&amp;url=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM&amp;bodytext=The%20last%20time%20I%20witnessed%20a%20reboot%20of%20identity%20and%20access%20management%20%28IAM%29%20infrastructure%20was%201996.%20%20Web%20applications%20had%20taken%20hold%20and%20intranets%20and%20extranets%20were%20buzz%20words.%20The%20security%20industry%20responded%20with%20web%20access%20management%20%28WAM%29%2C%20provisioning%2C%20strong%20authentication%20and%20directory%20services.%20%20The%20industry%20has%20since%20built%20on%20these%20technologies%20to%20deliver%20identity%20federation%2C%20risk-based%20authentication%20and%20identity%20and%20access%20governance.%20%20All%20these%20IAM%20technologies%20have%20served%20us%20well%20but%20a%20wave%20of%20new%20developments%20has%20revealed%20the%20need%20for%20a%20rethink."></a></li><li style="heigth:16px;width:16px"><a title="Reddit" class="option1_16" style="background-position:-64px -16px" rel="nofollow" target="_blank" href="http://reddit.com/submit?url=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM"></a></li><li style="heigth:16px;width:16px"><a title="StumbleUpon" class="option1_16" style="background-position:-112px -16px" rel="nofollow" target="_blank" href="http://www.stumbleupon.com/submit?url=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM"></a></li><li style="heigth:16px;width:16px"><a title="Google Bookmarks" class="option1_16" style="background-position:-96px 0px" rel="nofollow" target="_blank" 
href="http://www.google.com/bookmarks/mark?op=edit&amp;bkmk=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM&amp;annotation=The%20last%20time%20I%20witnessed%20a%20reboot%20of%20identity%20and%20access%20management%20%28IAM%29%20infrastructure%20was%201996.%20%20Web%20applications%20had%20taken%20hold%20and%20intranets%20and%20extranets%20were%20buzz%20words.%20The%20security%20industry%20responded%20with%20web%20access%20management%20%28WAM%29%2C%20provisioning%2C%20strong%20authentication%20and%20directory%20services.%20%20The%20industry%20has%20since%20built%20on%20these%20technologies%20to%20deliver%20identity%20federation%2C%20risk-based%20authentication%20and%20identity%20and%20access%20governance.%20%20All%20these%20IAM%20technologies%20have%20served%20us%20well%20but%20a%20wave%20of%20new%20developments%20has%20revealed%20the%20need%20for%20a%20rethink."></a></li><li style="heigth:16px;width:16px"><a title="HackerNews" class="option1_16" style="background-position:-128px 0px" rel="nofollow" target="_blank" href="http://news.ycombinator.com/submitlink?u=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;t=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM"></a></li><li style="heigth:16px;width:16px"><a title="MSNReporter" class="option1_16" style="background-position:-176px 0px" rel="nofollow" target="_blank" 
href="http://reporter.es.msn.com/?fn=contribute&amp;Title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM&amp;URL=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;cat_id=6&amp;tag_id=31&amp;Remark=The%20last%20time%20I%20witnessed%20a%20reboot%20of%20identity%20and%20access%20management%20%28IAM%29%20infrastructure%20was%201996.%20%20Web%20applications%20had%20taken%20hold%20and%20intranets%20and%20extranets%20were%20buzz%20words.%20The%20security%20industry%20responded%20with%20web%20access%20management%20%28WAM%29%2C%20provisioning%2C%20strong%20authentication%20and%20directory%20services.%20%20The%20industry%20has%20since%20built%20on%20these%20technologies%20to%20deliver%20identity%20federation%2C%20risk-based%20authentication%20and%20identity%20and%20access%20governance.%20%20All%20these%20IAM%20technologies%20have%20served%20us%20well%20but%20a%20wave%20of%20new%20developments%20has%20revealed%20the%20need%20for%20a%20rethink."></a></li><li style="heigth:16px;width:16px"><a title="BlinkList" class="option1_16" style="background-position:0px 0px" rel="nofollow" target="_blank" href="http://www.blinklist.com/index.php?Action=Blink/addblink.php&amp;Url=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;Title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM"></a></li><li style="heigth:16px;width:16px"><a title="Sphinn" class="option1_16" style="background-position:-96px -16px" rel="nofollow" target="_blank" href="http://sphinn.com/index.php?c=post&amp;m=submit&amp;link=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F"></a></li><li style="heigth:16px;width:16px"><a title="Posterous" class="option1_16" style="background-position:-32px -16px" rel="nofollow" target="_blank" 
href="http://posterous.com/share?linkto=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM&amp;selection=The%20last%20time%20I%20witnessed%20a%20reboot%20of%20identity%20and%20access%20management%20%28IAM%29%20infrastructure%20was%201996.%20%20Web%20applications%20had%20taken%20hold%20and%20intranets%20and%20extranets%20were%20buzz%20words.%20The%20security%20industry%20responded%20with%20web%20access%20management%20%28WAM%29%2C%20provisioning%2C%20strong%20authentication%20and%20directory%20services.%20%20The%20industry%20has%20since%20built%20on%20these%20technologies%20to%20deliver%20identity%20federation%2C%20risk-based%20authentication%20and%20identity%20and%20access%20governance.%20%20All%20these%20IAM%20technologies%20have%20served%20us%20well%20but%20a%20wave%20of%20new%20developments%20has%20revealed%20the%20need%20for%20a%20rethink."></a></li><li style="heigth:16px;width:16px"><a title="Tumblr" class="option1_16" style="background-position:-128px -16px" rel="nofollow" target="_blank" 
href="http://www.tumblr.com/share?v=3&amp;u=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;t=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM&amp;s=The%20last%20time%20I%20witnessed%20a%20reboot%20of%20identity%20and%20access%20management%20%28IAM%29%20infrastructure%20was%201996.%20%20Web%20applications%20had%20taken%20hold%20and%20intranets%20and%20extranets%20were%20buzz%20words.%20The%20security%20industry%20responded%20with%20web%20access%20management%20%28WAM%29%2C%20provisioning%2C%20strong%20authentication%20and%20directory%20services.%20%20The%20industry%20has%20since%20built%20on%20these%20technologies%20to%20deliver%20identity%20federation%2C%20risk-based%20authentication%20and%20identity%20and%20access%20governance.%20%20All%20these%20IAM%20technologies%20have%20served%20us%20well%20but%20a%20wave%20of%20new%20developments%20has%20revealed%20the%20need%20for%20a%20rethink."></a></li><li style="heigth:16px;width:16px"><a title="Google Reader" class="option1_16" style="background-position:-112px 0px" rel="nofollow" target="_blank" href="http://www.google.com/reader/link?url=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;title=Laying%20the%20foundation%20for%20tomorrow%E2%80%99s%20IAM&amp;srcURL=http%3A%2F%2Fblogs.rsa.com%2Flaying-the-foundation-for-tomorrows-iam%2F&amp;srcTitle=Speaking+of+Security+-+The+RSA+Blog+and+Podcast+The+Security+Blog+for+Security+Professionals"></a></li><li style="heigth:16px;width:16px"><a class="option1_16" style="cursor:pointer;background-position:-64px 0px" rel="nofollow" title="Add to favorites - doesn't work in Chrome"  onClick="javascript:AddToFavorites();"></a></li><li style="heigth:16px;width:16px"><a style="cursor:poainter" rel="nofollow"   onMouseOver="more(this,'post-6359')"><img  src="http://blogs.rsa.com/wp-content/plugins/sociable/images/option1/16/more.png" title="email" alt="email" /></a></li></ul>			

			</div>        

		  <a style="cursor:pointer" onclick="hide_sociable('post-6359',true)" class="close">

		  <img onclick="hide_sociable('post-6359',true)" title="close" src="http://blogs.rsa.com/wp-content/plugins/sociable/images/closelabel.png">

		  </a>

		</div>

	</div> 

  </div></div><div class='sociable' style='float:none'><ul class='clearfix'><li id="Google_p"><g:plusone annotation="bubble" href="http://blogs.rsa.com/laying-the-foundation-for-tomorrows-iam/" size="medium"></g:plusone></li></ul></div><!-- End Sociable -->]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/laying-the-foundation-for-tomorrows-iam/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Achieving Ubiquitous and Continuous Trust in Identities on the Web</title>
		<link>http://blogs.rsa.com/achieving-ubiquitous-and-continuous-trust-in-identities-on-the-web/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=achieving-ubiquitous-and-continuous-trust-in-identities-on-the-web</link>
		<comments>http://blogs.rsa.com/achieving-ubiquitous-and-continuous-trust-in-identities-on-the-web/#comments</comments>
		<pubDate>Wed, 29 Feb 2012 21:18:49 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[Zscaler]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=4631</guid>
		<description><![CDATA[At RSA, we have a legacy of authentication innovation from multifactor to risk-based, heuristic authentication.   We challenged ourselves with “What’s Next?”  As an industry we continue to conceive more usable yet stronger authentication but we have a bigger mandate to meet a need that has gone unmet for a long time.]]></description>
				<content:encoded><![CDATA[<p>At RSA, we have a legacy of authentication innovation from multifactor to risk-based, heuristic authentication.   We challenged ourselves with “What’s Next?”  As an industry we continue to conceive more usable yet stronger authentication but we have a bigger mandate to meet a need that has gone unmet for a long time.</p>
<p>How do we achieve <strong>ubiquitous</strong> and <strong>continuous</strong> trust in identities on the Internet?  How can we make the Internet pervasively identity-aware?  How can we extend the trust we gain in identities at the time of authentication throughout the user’s interaction with the Internet?  What if we can create a new trust index that is a composite of who the user is and how they interact with the Internet?</p>
<p>The last question led RSA to Zscaler and we found ways to answer these questions which led to the collaboration that we <strong><a href="http://www.emc.com/about/news/press/2012/20120228-02.htm">announced at RSA Conference this week</a></strong>.  RSA’s Cloud Trust Authority (CTA) is a set of security services spanning identity and access, data protection and compliance.    The identity and access capability of the <strong><span style="text-decoration: underline;"><a href="http://www.rsa.com/press_release.aspx?id=11320">RSA Cloud Trust Authority </a></span></strong> (currently in beta) is a cloud-based service that authenticates users dynamically based on a variety of risk-based criteria and uses standards-based identity federation to enable users to get where they want to in the cloud.   Zscaler’s inline security gateway monitors the user’s web session continually and protects the user’s session against infection that can lead to session hijack and loss of trust in the identity.   The marriage of the two will enable something bigger than the sum of the parts – a cloud-based solution for establishing and sustaining trust in identities in the cloud.</p>
<p><span style="text-decoration: underline;"><strong><a href="http://blogs.rsa.com/wp-content/uploads/Integration-of-Zscaler-and-RSA-clouds.pdf">Here’s how we do it</a></strong></span> – both the RSA CTA and Zscaler are cloud-based services.  Zscaler’s global cloud is used as an inline Internet security gateway that is available ubiquitously.  When users attempt to access the Internet, Zscaler transparently redirects them to the RSA CTA.  RSA CTA determines the risk posture of the user based on the location they are coming from (geo IP), the device they are using (whether known or unknown), the time and pattern of access, etc. to compute a risk score.  This score dynamically drives the strength of authentication of the user.   If a user is coming in from their usual office location and computing device and if they are logged into their corporate network (e.g., Microsoft Windows network), they don’t have to provide any additional authentication.</p>
<p>If the user is coming in from an unexpected location or unexpected device at an unexpected time, the RSA Adaptive Authentication risk engine dynamically adjusts the risk level and prompts the user for additional authentication.  The strength of the authentication is commensurate with the level of risk.    Once the user is authenticated, CTA sends the user back to Zscaler with an indication of the trust level of the user based on the facts and circumstances.  Zscaler dynamically alters where the user can go on the Internet based on this trust level.  Zscaler also monitors the user session for risky behavior that might lead to infection.  For example, if Zscaler sees signs of a bot on the user’s device that points to a potential session hijack, it redirects the user back to CTA for verification that the user behind the device is still the one that had authenticated at the CTA.</p>
<p>Further, Zscaler can randomly redirect users back to the CTA for authentication throughout the session.  If the environment in which the user is accessing the Internet has not changed, the user does not even notice anything as they are redirected right back to Zscaler.  If something has changed, the CTA will challenge the user to ensure that the trust in the identity is maintained.  Lastly, Zscaler will feed rich information about the user’s web access behavior to the RSA risk engine so that RSA can factor that into the risk level of the user and authenticate the user appropriately.</p>
<p>This notion of applying concepts of authentication and identity verification throughout the user’s interaction with the Internet and the composite risk posture determined by factoring the user’s environment and the user’s web browsing behavior will enable us to start delivering ubiquitous and continuous trust in identities.</p>
<p>Beyond this, we can imagine what we can achieve if every Internet request carries a dynamic trust index that can be consumed by any Internet destination. ‘It will take an ecosystem’.  Zscaler and RSA have laid the foundation.     Stay tuned for more.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/achieving-ubiquitous-and-continuous-trust-in-identities-on-the-web/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA Cloud Trust Authority: To see things as they might be&#8230;.not as they are</title>
		<link>http://blogs.rsa.com/rsa-cloud-trust-authority-to-see-things-as-they-might-be-not-as-they-are/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=rsa-cloud-trust-authority-to-see-things-as-they-might-be-not-as-they-are</link>
		<comments>http://blogs.rsa.com/rsa-cloud-trust-authority-to-see-things-as-they-might-be-not-as-they-are/#comments</comments>
		<pubDate>Wed, 16 Feb 2011 22:57:50 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Governance, Risk & Compliance (GRC)]]></category>
		<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[Cloud Trust Authority]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=2252</guid>
		<description><![CDATA[In his keynote this week, RSA's Executive Chairman Art Coviello challenged the security industry "...to jump ahead and intercept the future – to see things as they might be – not as they are".]]></description>
				<content:encoded><![CDATA[<p>In his keynote this week, RSA&#8217;s Executive Chairman Art Coviello challenged the security industry <em>&#8220;&#8230;to jump ahead and intercept the future – to see things as they might be – not as they are&#8221;</em>.</p>
<p><strong>The timing of this message is significant!</strong> We are at one of the most crucial points in the history of IT.  In the next five years, we will witness the most dramatic change in how IT is delivered and consumed.  Research from leading analysts and anecdotal evidence all around us is indicating that IT spending on cloud-based services (SaaS, PaaS, IaaS) will grow from 3% of total IT spending to 30-40%. Let&#8217;s pause for a moment &#8211; that is a MASSIVE shift in spending and an *unprecedented* shift in culture and attitude.  Never before have we witnessed such a shift of infrastructure and applications out of the organization&#8217;s hands and into the hands of external cloud service providers.</p>
<p><strong>This move is natural.</strong> Can you find a single organization out there with a mission statement that reads &#8220;We shall strive to own and operate our own IT&#8221;?  IT is a vital but supporting function that most companies would love to consume as a utility delivered by external, expert service providers so that they can focus on whatever their core business might be.   But this state is not easy to achieve.  It will take at least a decade because the cloud has not matured enough to address the complete and diverse range of enterprise IT needs of organizations across different sizes, vertical industries and geographies.  Despite this, it is quite clear that organizations are moving rapidly to the cloud.  The popularity of Salesforce, Google Apps, Amazon Web Services, ADP, Workday, Terremark, Savvis and a whole host of other SaaS/PaaS/IaaS services is proof.  These cloud services have permeated organizations virally through the users and often without the active involvement of the internal IT departments.</p>
<p><strong>The Problem</strong></p>
<p>The early success of cloud services has not yet translated into exponential and unbridled growth.  Two major security-related problems are preventing broad adoption of cloud-based services.</p>
<p>First, there is a general <strong>deficit of trust</strong> in external cloud services.  Trust is a big word but is appropriate here.  Trust comes with control and visibility.  Organizations recognize that they cannot have the same level of control and visibility over cloud services as they have over infrastructure that they own and operate.  But, they cannot achieve even remotely comparable levels today.  This is because service providers offer rudimentary security controls at best and these controls differ by service provider.</p>
<p>The second problem is a new one for the IT industry and is systemic.  Each organization and each service provider would have to establish and maintain large numbers of point-to-point integrations with each other.  Integrating with the complex security infrastructure of one external entity is hard enough.  Doing it with dozens or hundreds of external service providers or tenants is very resource intensive and unsustainable.    No matter how much technology we throw at it, if the security industry does not offer a fundamentally new approach to solve this many-to-many problem, widespread cloud computing will not take firm hold.</p>
<p><strong>RSA&#8217;s Answer</strong></p>
<p><a href="http://blogs.rsa.com/wp-content/uploads/RSA-CTA1.jpg"><img class="alignnone size-full wp-image-2265" title="RSA CTA" src="http://blogs.rsa.com/wp-content/uploads/RSA-CTA1.jpg" alt="" width="430" height="190" /></a></p>
<p>RSA answered the call this week with the <strong>RSA Cloud Trust Authority</strong> (<a href="http://rsa.com/press_release.aspx?id=11320">http://rsa.com/press_release.aspx?id=11320</a>), a set of cloud services spanning identity security, information security, infrastructure security and compliance for secure and compliant cloud computing.   I describe it in some detail in the video below:</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="350" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="src" value="http://www.youtube.com/v/F24Xu9XmPBc" /><embed type="application/x-shockwave-flash" width="425" height="350" src="http://www.youtube.com/v/F24Xu9XmPBc"></embed></object></p>
<p>How does this offering fundamentally address the problem described above?  Why RSA?</p>
<p>1. We will enable a hub and spoke model for security integration and trust relationships.  By offering security services in the cloud and for the cloud, we will all but eliminate the need for point to point security integration between participating service providers and their tenants.  Each organization or service provider will only have to integrate with the Cloud Trust Authority for functions such as identity federation and compliance reporting.   They will not have to be aware of the complexity and diversity of each other&#8217;s security infrastructure freeing them up to focus on what they really set out to do &#8211; offer and consume the cloud service.</p>
<p>2.  RSA will offer a wide set of security capabilities thanks to its rich portfolio of leading technologies spanning identity, information and compliance.   We will leverage partner technologies where appropriate &#8211; for example, the initial beta offering in 2011 will leverage the Tricipher cloud service acquired by VMware.   Most importantly, RSA will link these technologies in meaningful ways just as we do with our on-premise solutions at our customer sites. Several identity federation services are available in the market today but none address data security, infrastructure security and compliance along with it.  The RSA Cloud Trust Authority is the first offering to target a comprehensive set of capabilities.   In fact, our initial offering in 2011 will offer both identity and compliance services.</p>
<p>3. Solving the problem will require an ecosystem approach.  If a dozen offerings like the cloud trust authority emerge, we will create a problem similar to the one we want to solve (limiting the number of entities and technologies with which organizations and service providers have to integrate).  For completeness of the offering and to create the necessary concentration of capabilities in a single cloud-based entity, RSA will leverage its industry partnerships with infrastructure and security vendors.   Also, to ensure the largest possible ecosystem of trust, RSA will recruit the key service providers.  Service providers will benefit by working with the most prominent security solutions provider rather than having to work with several.</p>
<p>4.  Last, RSA is a leader in virtualization and cloud computing.  We have delivered several industry firsts in the area of virtualization and cloud security over the last 2 years (monitoring, GRC, strong authentication, DLP, etc.).   RSA is also a major SaaS provider itself, protecting hundreds of millions of online identities and transactions with its cloud-based offerings.   In other words, RSA is a leader in delivering security solutions &#8216;in the cloud and for the cloud&#8217; already.  We feel strongly that we are well suited to step up to take this challenge and create the necessary strong ecosystem and innovation.</p>
<p>We know there is a long road ahead and we know we cannot do this alone. This is a call to action for the entire IT industry.   Please reach out to us with your views and join us in solving a problem that is bigger than all of us.  The biggest reward if we get this right would be the pride of having paved the way for the biggest IT transformation of our generation.</p>
<p>Let’s grab this opportunity to create a lasting legacy!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/rsa-cloud-trust-authority-to-see-things-as-they-might-be-not-as-they-are/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Computing as a Public Utility: Closer than Ever</title>
		<link>http://blogs.rsa.com/computing-as-a-public-utility-closer-than-ever/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=computing-as-a-public-utility-closer-than-ever</link>
		<comments>http://blogs.rsa.com/computing-as-a-public-utility-closer-than-ever/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 15:35:02 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Governance, Risk & Compliance (GRC)]]></category>

		<guid isPermaLink="false">http://rsablogdev.com/?p=571</guid>
		<description><![CDATA[There is no question cloud/utility computing has arrived and is here to stay. But, something is afoot that deserves special attention. On May 6, the Federal Communications Commission (FCC) of the United States announced a plan to <a href="http://www.nytimes.com/2010/05/07/technology/07broadband.html" target="_blank">reclassify broadband Internet transmission service</a> as a telecommunications service to be regulated as other 'common carriers' in the United States.]]></description>
				<content:encoded><![CDATA[<p>There is no question cloud/utility computing has arrived and is here to stay. But, something is afoot that deserves special attention. On May 6, the Federal Communications Commission (FCC) of the United States announced a plan to <a href="http://www.nytimes.com/2010/05/07/technology/07broadband.html" target="_blank">reclassify broadband Internet transmission service</a> as a telecommunications service to be regulated as other &#8216;common carriers&#8217; in the United States.</p>
<p>Whether or not one believes such regulation is appropriate, this development is very significant because it will bring Internet transmission closer to a public utility like telecommunications and electricity. Although the current move excludes any regulation of the &#8216;computing functionality&#8217; and content provided by the Internet services, it is only a matter of time before we get there. A &#8216;common carrier&#8217; in the United States (roughly equivalent to a public carrier in continental Europe) is a person or company that transports goods or people for any person or company and that is responsible for any possible loss of the goods during transport. Early common carriers were railroads, airlines, bus lines, etc. Telecommunications companies and wireless providers came under this category in the twentieth century and now, broadband Internet. Given the history, it would not be a stretch to say that virtualization-based compute services such as those from Terremark, Amazon and several others are likely to become regulated public utilities in the next 10 years. This is good for the consumer. Coupled with free and fair access to broadband Internet, it will bring affordable and widespread access to computing to the general public.</p>
<p>What does this mean from a security perspective? Any public utility is part of the nervous system of a nation. The importance of securing such computing services should be comparable to the importance of securing our water supplies and electrical grids. Governance of these services will also come under scrutiny. Establishing robust risk management, problem resolution and privacy protection will be minimum requirements. The upshot for service providers building an infrastructure-as-a-service business is to go beyond basic security controls and ensure that they invest in a framework, tools and skills for managing Governance, Risk and Compliance (GRC) right from the beginning. Service providers that act now to build their infrastructure and services with this in mind will have an unquestionable competitive edge when cloud computing gains a foothold. Those who develop this core competency will be able to break out of the pack in a commodity market.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/computing-as-a-public-utility-closer-than-ever/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The New (Virtual) Stack Just Got Taller</title>
		<link>http://blogs.rsa.com/the-new-virtual-stack-just-got-taller/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-new-virtual-stack-just-got-taller</link>
		<comments>http://blogs.rsa.com/the-new-virtual-stack-just-got-taller/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 16:09:27 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://rsablogdev.com/?p=344</guid>
		<description><![CDATA[<p>VMware&#8217;s acquisition of Zimbra is a big step towards delivering IT as a service and signals VMware&#8217;s intention to deliver the benefits of virtualization and cloud computing all the way from the infrastructure to the platform to the application layer.</p>]]></description>
				<content:encoded><![CDATA[<p>VMware&rsquo;s acquisition of Zimbra is a big step towards delivering IT as a service and signals VMware&rsquo;s intention to deliver the benefits of virtualization and cloud computing all the way from the infrastructure to the platform to the application layer. Steve Herrod, VMware CTO, provides good insight into the <a href="http://blogs.vmware.com/console/2010/01/vmware-to-acquire-zimbra.html" target="_blank">VMware rationale for the acquisition</a>.</p>
<p>So what implications does this have for security? RSA believes that virtualization provides a clean slate to &lsquo;<a href="https://www.rsa.com/go/wpt/wpindex.asp?WPID=10393" target="_blank">get security right</a>&rsquo;. Upwards vertical integration of the VMware stack will extend the benefits of innovative security embedded in the virtualization layer to cloud-ready applications that are optimized for the stack. For example, imagine the creation of a new Zimbra e-mail account that in turn triggers the provisioning of virtual machines, security controls, and multitenancy controls in the vSphere and vCloud platforms.</p>
<p>In general, the real promise of the VMware acquisition of Zimbra will be unleashed as VMware systematically integrates its core services that enable availability, security, chargeback and multi-tenancy with the SpringSource and Zimbra assets. These are exciting times at VMware and for those of us lucky enough to witness and shape the new IT.</p>
<!-- Start Sociable --><div class="sociable"><div onMouseout="fixOnMouseOut(this,event,'post-344')" id="sociable-post-344" style="display:none;">
    <div style="top: auto; left: auto; display: block;" id="sociable">
		<div class="popup">
			<div class="content">

			</div>        


		</div>

	</div> 

  </div></div><!-- End Sociable -->]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/the-new-virtual-stack-just-got-taller/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud Security: &#039;Past Performance is Not an Indication of the Future&#039;</title>
		<link>http://blogs.rsa.com/cloud-security-past-performance-is-not-an-indication-of-the-future/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cloud-security-past-performance-is-not-an-indication-of-the-future</link>
		<comments>http://blogs.rsa.com/cloud-security-past-performance-is-not-an-indication-of-the-future/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 16:10:43 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[Cloud Security]]></category>

		<guid isPermaLink="false">http://rsablogdev.com/?p=346</guid>
		<description><![CDATA[A recent article in <a href="http://www.computerworld.com/s/article/9139404/How_data_security_can_vaporize_in_the_cloud_?taxonomyId=19&#038;pageNumber=1" target="_blank">Computer World</a> outlined several security and legal concerns that pertain to the current state of cloud computing and SaaS offerings of public service providers.]]></description>
				<content:encoded><![CDATA[<p>A recent article in <a href="http://www.computerworld.com/s/article/9139404/How_data_security_can_vaporize_in_the_cloud_?taxonomyId=19&#038;pageNumber=1" target="_blank">Computer World</a> outlined several security and legal concerns that pertain to the current state of cloud computing and SaaS offerings of public service providers. The major concerns discussed included:</p>
<ul>
<li>Authentication for cloud services is usually password-based. Organizations that typically require 2-factor authentication for their enterprise applications will have to accept weaker authentication.</li>
<li>Auditing of actions and events occurring within the cloud service provider&rsquo;s infrastructure is difficult because the service providers do not offer their customers such visibility into their infrastructure.</li>
<li>Government authorities may have rights to serve a warrant and seize the information from the service provider without the permission of the customers of the service provider.</li>
<li>Customers of cloud services may not have any visibility or control over the hiring practices of their cloud service providers, leading to concerns related to abuse of privilege.</li>
</ul>
<p>These concerns do reflect the reality of early cloud computing and SaaS offerings, and organizations should consider these factors carefully before using cloud services for enterprise applications. But, to assume that these issues are unavoidable with the use of cloud services would be a mistake. All concerns outlined above can be addressed to ensure that organizations do not have to make a choice between the security and privacy of their information and the cost savings and flexibility made possible by cloud computing.</p>
<p>As the use of the cloud for enterprise applications becomes more prevalent, service providers can and will provide more sophisticated security architecture and models to meet the expectations of their customers. Examples include:</p>
<ul>
<li>Offering 2-factor authentication as an option for access to cloud services</li>
<li>Risk-based authentication to cloud services to ensure that strength of authentication is commensurate with the associated risk</li>
<li>Comprehensive logging in the cloud infrastructure, coupled with web-based reporting capability exposed to the tenants of the cloud</li>
<li>Encryption of data before it is sent to the cloud service provider to address concerns related to loss of confidentiality</li>
<li>Key managers, identity federation servers and certificate authorities offered as trusted third party security services in the cloud to ensure separation of duties between the service provider and the security provider</li>
</ul>
<p>These services are not revolutionary. They are well-established enterprise security technologies extended and optimized to secure the cloud. Security investment and sophistication have always been pegged to the risk associated with the IT infrastructure being secured. So far, cloud computing and SaaS have predominantly been used for consumer or non-production use. As the use of cloud computing extends to enterprise applications and production environments, enterprise-grade security will be offered widely by major cloud service providers. The security industry will rise to provide &lsquo;Trust-as-a-Service&rsquo; or cloud-based security services to check and balance the privilege that cloud service providers can exert over their customers&rsquo; information. Lack of adequate security capabilities in cloud services thus far is not an indication of where the industry is going. Cloud services are poised to enjoy a steep growth curve; we should expect cloud security to also rapidly grow in sophistication.</p>
<p>Organizations should not resist taking advantage of the tremendous business and operational advantages of cloud services, but rather look for service providers who offer enterprise-grade security with their cloud services.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/cloud-security-past-performance-is-not-an-indication-of-the-future/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Getting started with security compliance for virtualization</title>
		<link>http://blogs.rsa.com/getting-started-with-security-compliance-for-virtualization/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=getting-started-with-security-compliance-for-virtualization</link>
		<comments>http://blogs.rsa.com/getting-started-with-security-compliance-for-virtualization/#comments</comments>
		<pubDate>Wed, 02 Sep 2009 16:12:55 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://rsablogdev.com/?p=348</guid>
		<description><![CDATA[<p>VMworld 2009 has been buzzing with an infectious energy since it opened this week. One can see the very visible and strong effect that virtualization is having on the entire IT industry. The emergence of virtualization as a major mainstream paradigm across datacenters has spawned a rich ecosystem of vendors and technologies that secure and manage virtualization.</p>]]></description>
				<content:encoded><![CDATA[<p>VMworld 2009 has been buzzing with an infectious energy since it opened this week. One can see the very visible and strong effect that virtualization is having on the entire IT industry. The emergence of virtualization as a major mainstream paradigm across datacenters has spawned a rich ecosystem of vendors and technologies that secure and manage virtualization.</p>
<p>As IT departments rapidly embrace server and desktop virtualization, security departments of those organizations are faced with the task of ensuring that the IT infrastructure continues to remain compliant with internal and external security policies. Security officers are presented with several products and technologies that extend VMware&#8217;s platform security, replace it with something else or offer some combination in between. Applying these products effectively to address a bewilderingly complex compliance landscape can be a daunting task.</p>
<p>Many organizations have correctly recognized that establishing a solid foundation of security processes and controls is the best place to start. EMC, through its RSA Security and EMC Ionix divisions, has come together with VMware to provide clear and pragmatic guidance to security practitioners who are responsible for maintaining security compliance in virtualized environments. An RSA Security Brief entitled <a href="https://www.rsa.com/go/wpt/wpindex.asp?WPID=10393" title="https://www.rsa.com/go/wpt/wpindex.asp?WPID=10393" target="_blank">Security Compliance in a Virtual World</a> was released this week and it can be downloaded from www.rsa.com. It focuses on five measures that would help organizations jumpstart their security compliance efforts &#8211; platform hardening, configuration and change management, administrative access management, network security and segmentation, and event reporting. The paper provides a framework and context within which organizations can evaluate security technologies rather than simply focusing on point products.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/getting-started-with-security-compliance-for-virtualization/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Birth of the Virtual Datacenter Administrator</title>
		<link>http://blogs.rsa.com/the-birth-of-the-virtual-datacenter-administrator/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-birth-of-the-virtual-datacenter-administrator</link>
		<comments>http://blogs.rsa.com/the-birth-of-the-virtual-datacenter-administrator/#comments</comments>
		<pubDate>Wed, 01 Jul 2009 16:14:15 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://rsablogdev.com/?p=350</guid>
		<description><![CDATA[<p>I recently spoke at a VMware user group conference about securing virtualization. The audience comprised datacenter administrators and managers who are at the center of their organization's virtualization initiatives. I was fortunate to be able to talk with several of them at length about their experiences in virtualizing datacenters. There are several trends to note.</p>]]></description>
				<content:encoded><![CDATA[<p>I recently spoke at a VMware user group conference about securing virtualization. The audience comprised datacenter administrators and managers who are at the center of their organization&#8217;s virtualization initiatives. I was fortunate to be able to talk with several of them at length about their experiences in virtualizing datacenters. There are several trends to note.</p>
<ul>
<li>Almost everyone described some form of friction between the IT and security departments related to virtualization. IT departments are pursuing aggressive plans to virtualize servers and desktops with an eye on cost savings, while the security and risk departments sit on the fence and cautiously examine what additional risks, if any, virtualization introduces. A few mature organizations have gone past this phase and have IT and security departments working together not only to save costs but also to use virtualization to deliver better security. In most organizations, however, a lack of understanding of the security implications of virtualization is making them overly risk averse: they either delay the adoption of virtualization unnecessarily or adopt conservative architectures that dilute the return on investment offered by virtualization. For example, the lack of trust in virtual firewalls and virtual network isolation is causing organizations to leave physical network isolation in place, which in turn adversely affects the server consolidation ratios.
</li>
<li>The biggest concern related to security was inadvertent misconfiguration. With the consolidation of server, network and storage services within the virtual infrastructure, the server administrator is also required to configure virtual networks and switches. With increased consolidation of computers and networks, a single mistake in configuration could lead to a major outage of servers or the failure of several network segments.
</li>
<li>The convergence of server, network and security capabilities within the virtual infrastructure is creating new demands on the traditional datacenter administrators. Most server administrators I talked with were responsible for creating and managing ESX images including the networking, security and storage configuration. Consequently, server teams have to collaborate more closely with network and security teams to properly manage the converged infrastructure. There is strong demand for administrators who have knowledge of computing, networking, storage and security so that they can configure the virtual infrastructure with full understanding of the impact to each domain. The advent of the virtual datacenter is giving rise to a new breed of datacenter administrators who will be capable of using the powerful tools offered by virtual infrastructure vendors to create and manage the entire virtual datacenter. This new breed of administrators will bridge the divide between network and security operations. Administrators who do not possess cross-domain expertise will be prone to expensive misconfiguration. The virtual datacenter administrator is born.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/the-birth-of-the-virtual-datacenter-administrator/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Goby and the Shrimp</title>
		<link>http://blogs.rsa.com/the-goby-and-the-shrimp/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-goby-and-the-shrimp</link>
		<comments>http://blogs.rsa.com/the-goby-and-the-shrimp/#comments</comments>
		<pubDate>Thu, 23 Apr 2009 16:15:16 +0000</pubDate>
		<dc:creator>Nirav Mehta</dc:creator>
				<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://rsablogdev.com/?p=352</guid>
		<description><![CDATA[<p>What if virtualization makes security more effective and efficient?<br />
  What if virtualization actually reduces the cost of security?</p>
<p>The relationship between virtualization and security is indeed symbiotic.  It reminds me of the endearing mutualism between the <a href="http://en.wikipedia.org/wiki/Goby" target="_blank">goby fish</a> and the pistol shrimp.</p>]]></description>
				<content:encoded><![CDATA[<p>What if virtualization makes security more effective and efficient?<br />
  What if virtualization actually reduces the cost of security?</p>
<p>The relationship between virtualization and security is indeed symbiotic.  It reminds me of the endearing mutualism between the <a href="http://en.wikipedia.org/wiki/Goby" target="_blank">goby fish</a> and the pistol shrimp.</p>
<p>Virtualization (of server, desktop, storage or network) improves resource utilization while offering unprecedented flexibility in deploying and managing IT infrastructure. Such flexibility and mobility of IT resources would not be acceptable without security controls that enable organizations to virtualize their infrastructure and yet retain control over their information assets. On the other hand, security applications, like other applications, benefit vastly from the scalability and control offered by virtualization technologies.</p>
<p>Given the state of the global economy, this symbiosis is more relevant than ever. Shrinking IT budgets, reduced workforces and the drive toward energy-efficient computing have compelled organizations to pursue virtualization more aggressively. Security technologies are enabling organizations to embrace virtualization with confidence. Security departments, on the other hand, are under greater pressure to deliver more cost-effective security in an increasingly regulated business environment. The virtualization layer provides an excellent opportunity to build security into the infrastructure cost-effectively (for example, by minimizing the need to integrate with multiple operating systems or to deploy hardware appliances on the network).</p>
<p>I have an example from the past and the present that I&#8217;d like to share. A decade ago, the emergence of virtual LANs and the 802.1Q tagging standard enabled complex corporate networks with hundreds of network devices to be virtualized and collapsed into a few massively scalable switches. Vendors snatched this opportunity to develop firewalls that doubled as layer three switches or vice versa. As a result, IP security became integral to the network backplane and near-wire-speed firewalling became the norm rather than the exception. The cost of security fell just as it became more effective.</p>
<p>Today, server virtualization is creating a similar opportunity. VMware&#8217;s <a href="http://www.vmware.com/technology/security/vmsafe.html" target="_blank">VMsafe technology</a> offers deep inspection of virtual machine CPU, memory, network and storage. Security vendors are taking advantage of this capability not only to secure VMware virtualization but also to virtualize their security applications and deeply embed them into the virtualization platform. As a result, monolithic security appliances are turning into virtual appliances and becoming one with the virtual infrastructure. An example of this is the proof-of-concept integration between RSA Data Loss Prevention (RSA DLP) and VMware vShield Zones that was announced at the RSA Conference 2009 this week. The concept is that RSA DLP would run as a virtual machine on VMware ESX servers and would work in concert with VMsafe technology to inspect virtual network data flow from VMware virtual machines. As a result, data loss would be detected and plugged closer to the source (at the server rather than a network choke point) and the need for deploying and maintaining dedicated network appliances for data loss prevention would be minimized.</p>
<p>Co-deployment of security applications with virtualization infrastructure provides mutual benefits and enables the delivery of a whole greater than the sum of its parts. As with all other things in IT, we should always separate hype from reality, but in this case the writing is on the wall and the evidence from the past and present is clear. Security and virtualization are meant for each other, much like the goby and the shrimp.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/the-goby-and-the-shrimp/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
