14 May 09

national critical infrastructures: can we afford to secure them one application at a time?

The US Department of Homeland Security has identified 18 critical infrastructure and key resource sectors that are, in the words of the DHS, “the backbones of the nation’s security, public health, safety, economic vitality and way of life.” These infrastructures include the systems that generate and deliver energy, water, communications and IT, to name just a few. The DHS says that if any of these systems were incapacitated it would have a debilitating effect on the country, potentially leading to catastrophic numbers of casualties and property loss. It’s no wonder the Obama administration is paying so much attention to cyber security: these systems are managed over Internet-connected networks, and those networks are the path by which attackers reach them.
To protect critical infrastructure systems, enterprise owner-operators need strong access management in place to secure information on a need-to-know basis.
The subject of access management places us squarely in the middle of an application security debate. Not the debate over how to develop secure code or how best to issue patches and other fixes, but rather how best to shield data from unauthorized access to the many applications served out over the Internet. Within this debate there is one issue I think all sides could agree upon: the nation can’t afford to protect the systems used to operate its critical infrastructures one application at a time. There are simply too many applications in use that need securing, and a one-at-a-time approach would take years, consume countless resources and put time on the attackers’ side.
At Rohati, we’ve brought to market a revolutionary technology that changes the dynamic of access management from one at a time to “many at one time.” This many at one time approach reduces risk by removing the luxury of time from hackers’ resource kits and by accelerating the speed that access management can be applied across the breadth of applications deployed on corporate networks. Additionally, the speed at which Rohati secures access reduces costs associated with traditional security approaches.
Consider the case of the US electric power grid, a critical infrastructure that is a maze of high-voltage power lines carrying power to every facet of the nation’s public and private sectors. We know from reports in publications like Network World and the Wall Street Journal that hackers have recently penetrated the grid, potentially to gather intelligence on how to shut it down. Can the US afford to secure access to the systems used to manage the grid one application at a time? Wouldn’t the more logical course of action be one that lays down protection in one fell swoop?
Now is the time to adopt a change in conventional access management thinking, and now is the time to invest in solutions that can address these issues much more effectively and much faster. Time is one luxury we do not have.

/shane

29 Apr 09

eWeek – securing sharepoint

Access management is the most troublesome aspect of IT security, not only because of the rapid pace of change and highly collaborative working practices, but also because of the lack of cost-effective solutions available. At Rohati we’ve paid special attention to solving the access problems highlighted by collaboration applications like Microsoft SharePoint. The eWeek team were good enough to allow us to post an opinion piece in their Knowledge Section, where we drew on the expertise of our internal team to present some viable direction on “How to Secure Microsoft SharePoint”. Supporting our position is a recent survey we conducted that revealed a gap between collaboration applications and secure access. You may have read about the findings in Angela Moscaritolo’s SC Magazine article, in Richard Adhikari’s Internetnews.com article, in Erin Bell’s eChannelline article, or in Kelly Jackson Higgins’ Dark Reading piece. All did an excellent job of pointing out where the gaps are and how to address them. I hope you find the eWeek piece informative.

/steven

27 Apr 09

Getting to the Point: Solve Cloud access security issues with the TNS

Earlier, I kicked off my cloud discussion with a look at some of the different cloud definitions in circulation. Since then, a number of additional descriptions have risen to the surface, but it’s safe to say that they’re all very similar. On this same topic, McKinsey released a report, “Clearing the Air on Cloud Computing,” that sparked a tirade in many of the cloud groups about why its authors ‘shouldn’t quit their day jobs’ as management consultants. Either way, I’ve not seen a topic spark such debate in years. This has to be a good thing.

“Security” is the first of five concerns called out in the Open Cloud Manifesto. The “concern” reads:

Security
Many organizations are uncomfortable with the idea of storing their data and applications on systems they do not control. Migrating workloads to a shared infrastructure increases the potential for unauthorized access and exposure. Consistency around authentication, identity management, compliance, and access technologies will become increasingly important. To reassure their customers, cloud providers must offer a high degree of transparency into their operations.

It’s reassuring to continue to see this issue front and center. A high degree of transparency, authentication, identity management, compliance, and attention to issues around access technologies will become increasingly important in the cloud. After all, enabling secure authentication, identity management, compliance, access and transparency is what Rohati provides.

The validation for what Rohati delivers doesn’t stop with the manifesto. The recently formed Cloud Security Alliance has identified 15 areas of concern for cloud security, and Identity and Access Management is among them.

Consistent authentication, ID management, compliance and IAM are very real security concerns. Cloud vendors and enterprises running private clouds need not only to provide all four of these critical security functions but also to prove to their customers and auditors that these needs have been met. Only then can they get on to the more critical business of selling the benefits of their systems or extending them across their organizations.

I know there are times to be “vendor neutral” when postulating ideas and outcomes, this isn’t one of them. Rohati’s TNS is a practical solution that can solve these problems at a fraction of the cost of what you would pay for a more traditional software-based technology.

With Rohati’s TNS appliance, cloud providers and cloud services consumers — public and private — can ensure that their clouds are powered by technology that enables:

· High-performance scalability that meets the authentication and ID management demands of constantly changing enterprise populations
· Creation of secure zones and enforcement of granular access policies
· Authentication and authorization from multiple directories across multiple clouds
· Transparency through accurate audit logs for comprehensive visibility into who is doing what on the network
· Simplified administration from a single network console

There might have been a time in the history of IT when it was prudent to hesitate on a solution purchase until after a problem became obvious and mainstream — this is no longer the case. Rohati’s TNS deploys fast, can be in production within hours and delivers measurable ROI. Solving the cloud services access security issue is no simple task. Rohati has taken an innovative approach that will keep IT teams, auditors, the CFO and application development teams smiling in the face of a very complex and rapidly changing set of deployment challenges.

/shane

14 Apr 09

Security Emerges as Chief Cloud Concern

As early as April 2008, Gartner was actively involved in defining what the “Cloud” is. In a paper titled Tutorial for Understanding the Relationship Between Cloud Computing and SaaS, Robert Desisto, Daryl Plummer and David Smith postulated that Cloud computing is:
…a style of computing where massively scalable IT enabled capabilities are delivered as a service to external customers using Internet technologies…
Since then, additional definitions have been offered; Network World’s Tim Greene has provided one of the most recent. Just last Thursday, Tim simplified the Cloud this way:
…So the cloud is a physical place, perhaps owned and controlled by some other entity, and it contains computing resources that are available pretty much on demand for a price...

I think it also worth mentioning that Chris Hoff has been one of the most prolific definition providers up to this point. His Rational Survivability blog has been as heavily involved as any in identifying the many Cloud varieties in production today.

At Rohati, we are looking at the cloud from a slightly different angle. Being a vendor, we know that definitions will be benefit driven as opposed to technology driven. Decision makers are going to budget for Cloud related expenditures based primarily on what they return rather than how they’re built, and while providers will certainly have to answer questions (and provide proof) about what’s under the hood, the customer will leave that problem to the provider.

So the question becomes: what are the benefits of the Cloud, and how elusive are they? This is still largely a work in progress, but it is clear that expectations are high and that cloud consumers expect their investments to return:

· Increased business response times
· Accelerated creation of new services via rapid prototyping capabilities
· Reduced acquisition complexity via a service oriented approach
· IT resource efficiency via sharing and higher system utilization
· Handling of new and emerging workloads
· Simplified IT management
· A platform for collaboration and innovation
· …amongst other things

A recent IDC survey revealed that 75 percent of those polled named Cloud security as their chief concern among the challenges that need to be addressed. This is good news for both the user and the security industry. For starters, it means that the security market will grow alongside the Cloud market, because Cloud providers will have to take steps to address this concern; second, Cloud users can expect that their continued adoption will drive security innovations that respond to their concerns.

Cloud definitions, what adopters expect and a clear understanding of users’ chief concerns sets the stage for an interesting industry dialogue on cloud security and compliance. To avoid running the risk of rambling from subject to subject, I am going to spread my thoughts on this discussion over a few different posts. The first will be next week.

/shane

02 Apr 09

got sharepoint?

Hardly a day goes by without some commentary on the wide scale adoption of microsoft sharepoint. Saw this post on networkworld on some recent Gartner research highlighting the viral deployment of sharepoint instances and the security issues this introduces. For our part, every, yes every, customer we engage with has this issue. They are without exception all deploying sharepoint at a departmental level and increasingly enterprise wide as a replacement for other content management tools, simple fileshares or other custom intra/extranet sites. The increasingly collaborative and loosely coupled nature of businesses today is contributing to the deployment of tools like sharepoint and forcing a rethink of security architectures to deal with this ‘de-perimeterization’. So the question arises of how to secure the instances you know about and those you don’t – not an easy problem to solve, especially if you are pressured by application deployment times and the availability of budget/resources to implement the appropriate controls to limit the risk of unauthorized access. For our part, we have taken a network centric solution approach to this problem that we think optimizes ease and time to deploy against functionality. Whatever you decide, Microsoft has done an incredible job of propagating Sharepoint to a tipping point of adoption, and this issue will present itself soon if it hasn’t already.
/steven

01 Apr 09

Tech Stimulus?

Tech stimulus? I think it is safe to say that last week the IT industry breathed a cautious sigh of relief when the White House reinstated Vivek Kundra as CIO of the United States. After all, he is in charge of a $71 billion government IT budget and is pushing an agenda that calls for government agencies to turn to the private sector for computing solutions. It is certainly good to know that a piece of a budget this size may find its way into the private technology provider sector.

IT security solutions providers have additional reason to be optimistic about the future. President Obama has announced an ambitious initiative to migrate all — yes all — healthcare records to digital format within 10 years and he plans to invest $20 billion in stimulus money to make this happen. As this transition occurs, information security solutions are going to play a vital role in ensuring that security, privacy, HIPAA and other compliance concerns keep pace.

Some may say that HIPAA-imposed fines are so low and infrequent that this regulation, like many others, doesn’t yet have enough teeth to push IT decision makers to move information security to the top of the budget pile. The stimulus package and the digitization initiative may change this.

We know that organizations that accept government money are subject to extra scrutiny, just look at AIG. Any organization that accepts a piece of the $20 billion to migrate healthcare records from paper to electronic is going to be subject to this same level of scrutiny. If your company accepts a check, would you want to be the CEO, CIO or CISO under the microscope if suddenly millions of records are compromised, especially if you knew that a small technology investment could have prevented such an occurrence?

Currently, only a small percentage of healthcare records are digitized. This is one reason compliance-imposed knuckle raps have been few and far between; nonetheless, the threat is already very real.
Most of us in the access management business have seen the headlines about how the records of Hollywood superstars like George Clooney, Farrah Fawcett and Britney Spears have been breached, but these incidents aren’t limited to opportunists looking to sell information to tabloids. In May 2008, New York Times tech writer Steve Lohr wrote about how medical records are becoming the target of malicious hackers. In The New Hacker Economics, he tells how pilfered healthcare records are gaining value in criminal circles. How mammoth could this nefarious enterprise become when healthcare records in the US reach the point of being 100 percent electronic?

/shane

17 Mar 09

a little late..but my first post…

Oftentimes, the CEO seat is too far removed from listening first hand to customer concerns. We are initiating the Rohati blog as a dialogue tool for a rich discussion with our customers, analysts, media, and partners. The subject matter is, of course, access management, although I’m sure we will digress to other topics, as bloggers are wont to do. Although other members of the team will contribute as well, I will make it a point to post regularly and to respond to inquiries and comments that come in.

I’ve had the good fortune of steering Rohati through some tremendous milestones. In May of 2008 we successfully launched the company, secured a critical round of funding from Matrix Partners and Foundation Capital, delivered our first product — the TNS 100, added luminaries like Thomas Noonan to our Strategic Advisory Board, were honored with industry awards, and continued to develop relationships with partners such as Oracle and customers like JDSU. Despite the uncertain economy, Rohati remains on solid ground.

Successful CEOs owe many of their victories to the contributions of the talented people they surround themselves with — no exception here. One of the exceptionally talented people I have had the good fortune of working with is Gretchen McCoy. A few months back Gretchen joined our strategic advisory board and brought her 20 years of Payment Card Industry IT security experience from Visa with her. Needless to say, she has provided incredible insight.

Gretchen recently penned an opinion piece for SC Magazine where she points out the PCI DSS challenges the retail industry faces and provides an authoritative opinion on how to deal with them.

In her piece, How should you ensure PCI DSS compliance? (http://www.scmagazineus.com/How-should-you-ensure-PCI-DSS-compliance/article/128484/), she points out that the PCI Council has indeed provided a roadmap for achieving compliance, but that card processors are still left on their own to decide what solutions are needed. It’s not often that we get to benefit from the experience of people like Gretchen; this is a great opportunity to do so.

Thanks for your time, please enjoy Gretchen’s SC post and remember to check this blog frequently for the latest on Rohati, the access management market and the IT security and network world in general.

/Shane
CEO, Rohati Systems, Inc.