Tuesday, June 8, 2010

Don't Forget the Forest

I'm frustrated. But it may not be why you think.

I haven't made too many posts on the blog over the last few months, mainly because I've shifted out of the Identity Management space and slid more into a security investigator role. I have always wanted to be a security investigator, and while I'm starting out with a focus on privacy disclosures, I do hope to someday parlay this opportunity into something larger.

As a result of this new set of responsibilities, I'm currently at SANS Baltimore attending Ed Skoudis' SEC-504 -- Hacker Techniques, Exploits, and Incident Handling. (The course is being taught by John Strand, who is an amazing instructor doing a bang-up job). This new opportunity is not why I am frustrated. Quite the contrary; I'm ecstatic at the chance to prove I have the chops for this type of work. However, there's a...vibe, perhaps, that I am first noticing now after almost seven years in Information Security. It's really highlighted at this conference by people at every level - the instructors, the presenters and vendors, and the students themselves.

This vibe is, essentially: we (security professionals) are losing the battle against cyber-criminals. Staying ahead of black-hat hackers is a deeply technical game of cat and mouse that requires constant vigilance, and you are never really ahead, because once you update an antivirus signature, the virus mutates. Once you patch a piece of software, another vulnerability is found (or, worse yet, a vulnerability in the patch). It's a daunting, no-win scenario that each security professional has to come to terms with. We, as a community, seem to have accepted the fact that we will not win; that we are just "treading water," as one presenter put it. Collectively, perhaps we just feel that someone has to do this job: it's fun and it pays well, so why not?

So sitting in class today, I had an epiphany. I think we are taking the wrong approach to Information Security. I think instead of focusing so strongly on defensive measures and vulnerability management, we should focus on standards (laws) and enforcement of those laws. Let me illustrate with an analogy since my writing kung-fu is not as strong as I would like:

Let's say that we all live in California. California has a problem with earthquakes. When there's an earthquake, buildings fall down, bridges collapse, chaos ensues. Well, let's say the quality of the building construction is pretty weak: there are no shortages of shoddy builders and no standards in construction to make buildings more earthquake-resistant. Instead, we have small, disjointed teams of people who go from building to building and try to reinforce buildings in key areas to make them more earthquake-resistant. Our goal is to try to keep the buildings standing without loss of life and property during the earthquake.

How could we do this more effectively?

1. We could develop strong standards for building structures in California -- i.e. buildings need to be built with ductility; use base isolation devices to detach the building from the ground so that shaking from the quake does not shake the building, etc.

2. We can also try to prevent the quakes from happening at all.

So let me reel this analogy back in. Think of a hacker as a California earthquake. We go around defending (patching buildings), but when the earthquake comes, the buildings still fall. The only way we are going to get ahead of the earthquakes is to make our buildings resistant to failure, --or-- to try to avoid the earthquake (hack) altogether by eliminating the cause. I am saying we need to spend more time and energy on arresting and prosecuting cyber-criminals.

Now, you may read that and chuckle; "but they're all in Russia and China!", you may think. Those aren't the only places they are. The information being stolen from companies around the globe is funding organized crime and international terrorism. Doesn't stopping organized crime and international terrorism sound like a virtuous goal? There are a few things to consider as you let the scope of that sink in:

1. We can't do it alone. We, as security professionals, are like the first responders to the collapsed buildings after an earthquake. We stop the bleeding, rescue the folks that are trapped and sometimes we even locate and help remove those that didn't survive the quake. But it's hard for us to influence policy to protect people from earthquakes. It's our job to bring this problem up to our congresspeople, our senators and our appointed civil leaders.
2. Our standards bodies (ICANN, W3C, etc.) need to take a more aggressive focus toward information security, through the representative organizations that make up those groups.
3. We need stronger anti-hacking laws that will allow prosecution across international borders...an international agency, perhaps, similar to INTERPOL, that is recognized by an international body (say, the United Nations) to identify, locate, and apprehend cyber criminals. We put the fear into these criminals that they will be caught for these crimes. Deterrence. If you pull a skilled cyber criminal off of the "streets" you remove that talent from being misused.

There are other initiatives you can throw in there (like education in hacker hotbeds, creating legitimate wealth opportunities for that talent, etc.), but we won't go into that. Right now, let's focus on the bigger picture: stronger architectural/technical standards, tougher laws, and a much larger hacker deterrence program (again, through apprehension and prosecution) are going to be the beginning of the only way we'll ever get in front of the curve. It's the only way we'll ever see the forest instead of focusing on the trees.

Tuesday, January 26, 2010

Security Models

I had an interesting conversation this week with an architect at the organization I work for. We were discussing the security model of an existing app that his group was looking at modifying. He was having a difficult time understanding why our organization uses an RBAC (Role Based Access Control) model.

The architect came from a military background before starting at our organization. In the military, information is secured by the level of privacy it requires: data can be unclassified, restricted, confidential, secret, and top-secret.

As our conversation progressed, it became clear to me the architect was trying to apply this classification model to how our organization conceptually separated data. Since we work at a large insurance company, anything with private health information could be one category, and anything with sensitive data (like a date of birth or social security number) could be another classification, and then people could be "cleared" for both classifications, right?

One of the significant differences that he hadn't yet realized was that, unlike a military outfit, our organization pays insurance claims. So, we adopted a role model to help enforce a separation of duty between the claim-creators and the claim-payers, because if you can create a claim and then pay it, you have all the ingredients you need to bake a fraud-filled cake. While we do use a military-esque data classification model for certain types of business (for example, employee health data is sequestered away from the general population, as is data related to federal/government employees), the role model we use is where it really shines.

Using conceptual roles, we assign different types of employees different categories: claim processors (the folks that pay claims) are all placed in one conceptual role that gives them all of the access they need on the various applications they use that only permit paying of claims. Our underwriters are given a separate, conceptual role that only permits them to submit claims. Since there is a hard rule that associates can only have one role at a time, a separation between submitting and paying claims exists.

This implementation of Role-Based Access Control (RBAC) has several benefits, especially in a larger organization such as ours; separation of duty is simply one of them. I will get a bit more detailed into how it works in upcoming posts. For today, I just wanted to briefly share these two differing perspectives.
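To make the separation-of-duty rule concrete, here is an added example (not the insurer's own code; role and permission names are hypothetical) that models one role per associate, checks permissions against that role, and audits the role definitions so that no single role ever grants both submitting and paying a claim.

```python
"""RBAC with a static separation-of-duty (SoD) constraint, modelled on the
claims workflow in the post: underwriters submit claims, claim processors pay
them, and no associate may hold both capabilities.

Added illustration, not the insurer's actual code; the role and permission
names below are hypothetical."""
from dataclasses import dataclass, field

# Role -> set of permissions. Each role permits only one side of the workflow.
ROLE_PERMISSIONS = {
    "underwriter":     {"claim:submit", "claim:read"},
    "claim_processor": {"claim:pay", "claim:read"},
    "auditor":         {"claim:read"},
}

# Permission pairs that must never be held together by one associate.
SOD_CONFLICTS = [("claim:submit", "claim:pay")]


class RbacError(Exception):
    pass


@dataclass
class Directory:
    assignments: dict = field(default_factory=dict)  # associate -> single role

    def assign(self, associate: str, role: str) -> None:
        """Hard rule from the post: one role per associate at a time.
        Re-assigning replaces the old role rather than accumulating roles."""
        if role not in ROLE_PERMISSIONS:
            raise RbacError(f"unknown role {role!r}")
        self.assignments[associate] = role

    def permissions(self, associate: str) -> set:
        role = self.assignments.get(associate)
        return set(ROLE_PERMISSIONS.get(role, ()))

    def is_permitted(self, associate: str, permission: str) -> bool:
        return permission in self.permissions(associate)


def sod_violations(role_permissions=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Static SoD check on the role definitions themselves: the one-role rule
    only separates duties if no single role grants both conflicting permissions.
    Returns a list of (role, (perm_a, perm_b)) for every offending role."""
    found = []
    for role, perms in role_permissions.items():
        for a, b in conflicts:
            if a in perms and b in perms:
                found.append((role, (a, b)))
    return found


def process_claim(directory: Directory, submitter: str, payer: str, claim_id: str) -> str:
    """Enforce the split at the workflow level as well: the payer must hold
    claim:pay, the submitter claim:submit, and they must be different people."""
    if not directory.is_permitted(submitter, "claim:submit"):
        raise RbacError(f"{submitter} may not submit claims")
    if not directory.is_permitted(payer, "claim:pay"):
        raise RbacError(f"{payer} may not pay claims")
    if submitter == payer:
        raise RbacError("submitter and payer must differ")
    return f"claim {claim_id} submitted by {submitter}, paid by {payer}"


if __name__ == "__main__":
    d = Directory()
    d.assign("alice", "underwriter")
    d.assign("bob", "claim_processor")
    print(process_claim(d, "alice", "bob", "C-1001"))
    print(sod_violations())  # [] with the roles above
    # A careless new role collapses the separation and is caught by the audit:
    bad_roles = dict(ROLE_PERMISSIONS, supervisor={"claim:submit", "claim:pay"})
    print(sod_violations(bad_roles))
```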

How does your organization classify data?


Monday, July 13, 2009

Thoughts around Voting

This post may be a bit more scattered than some of my other posts. Thoughts around the issue are still materializing, so we'll use this platform to help work them out. :-)

The wife and I just returned from taking our kids on a summer vacation to the beach. Because we're midwesterners, the beach, a real beach, is a serious 10+ hour drive. During the road trip, we discussed the current turmoil in Iran. For those not following the news, Iran held public elections for a new president on June 12th. The (then) current President, Mahmoud Ahmadinejad, was declared the winner by the clerical leadership of Iran, raising questions about the validity of the election results. There have been public protests, riots, killings and media censorship: pretty much the worst possible outcome for an election.

This got me thinking about the election fraud that Iranians are claiming happened, and how someone might go about trying to avoid it. An event such as an election depends on one thing and one thing only: trust. That trust breaks down because of another fundamental concept around elections that people hold dear: secrecy. Some people are uncomfortable with publicly sharing who they vote for. So, thinking about trust and secrecy, how might the principles of Information Security/Identity Management have helped to control Iran's elections?

It's hard to focus on just trust or just secrecy; the two are really interrelated. Specifically, trusting that the election process is on the level, that there is no corruption, is nearly impossible with secrecy. Even in the U.S., the 2000 election of George W. Bush over Al Gore was rife with scandalous talk about election-rigging and ballot-stuffing. Transparency would solidify trust. Let me explain.

Let's say we wanted to set up a re-election in Iran. We're going for a do-over to help stop the protests and uncover the true nature of the people of Iran. Here are the things we could focus on to ensure an appropriate vote:
  • Every eligible citizen is uniquely identified.
  • Every eligible citizen has a specific attribute applied to their unique identity: Ahmadinejad, Moussavi (the challenger), or Abstain.
  • The votes are cast publicly.
  • The attributes are assigned publicly.

Let's look at each one in turn. The U.S. Government uses social security numbers to uniquely identify eligible voters. Does Iran use a similar identity system? Sure, using SSNs for voter eligibility brings its own unique challenges, such as ensuring deceased voters aren't having votes counted, but by and large, uniquely accounting for every eligible citizen voter is a strong starting point.

Having your vote associated with your name is a somewhat riskier proposition, especially where there might be potentially harmful repercussions around voting against the leader in power. Information Security might be able to help; using the SSN as a base, key exchange technology could protect the identity of the voter, yet still permit them to publicly track their vote for Ahmadinejad or Moussavi. So, if my SSN is 123-45-6789, and I voted for Moussavi, my SSN gets hashed to a unique ID (say 677-5AJ27-119#29), and I am given that value, and I am the only holder of said value. My unique ID can be placed on an "election board" for my district, and we can see that 677-5AJ27-119#29 voted for Moussavi. This would ensure anonymity and transparency at the same time. If my vote were incorrectly counted, I could contact an election official to have it corrected. You might run into some individuals flip-flopping, but by and large this is as transparent as you can get while still retaining privacy.
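The election board sketched above, as an added example that is not part of the original post. One detail is swapped in and labelled as such: a plain hash of a nine-digit SSN can be matched back to the SSN by trying all 10^9 values, so the receipt here is an HMAC keyed with a secret held by the election authority; the SSNs, key and candidate list are constructed for the demo.

```python
"""Public 'election board': each voter's identifier is reduced to a receipt,
and the board lists (receipt, candidate) so anyone can check the tally while
no names appear.

Added illustration, not from the post. Departure from the post's sketch: the
receipt is an HMAC keyed with an election-authority secret, because an unkeyed
hash of a 9-digit SSN is reversible by enumeration (see the last function).
The SSNs and key used here are constructed sample values."""
import hashlib
import hmac
from collections import Counter

CANDIDATES = ("Ahmadinejad", "Moussavi", "Abstain")


def make_receipt(ssn: str, election_key: bytes) -> str:
    """Keyed hash of the SSN; the voter keeps this value, the board shows it."""
    digest = hmac.new(election_key, ssn.encode(), hashlib.sha256).hexdigest()
    return digest[:20].upper()  # shortened so it fits on a paper receipt


class ElectionBoard:
    def __init__(self, election_key: bytes):
        self._key = election_key
        self._votes = {}  # receipt -> candidate; no names are stored

    def cast(self, ssn: str, candidate: str) -> str:
        if candidate not in CANDIDATES:
            raise ValueError(f"unknown candidate {candidate!r}")
        receipt = make_receipt(ssn, self._key)
        if receipt in self._votes:
            raise ValueError("this voter has already cast a ballot")
        self._votes[receipt] = candidate
        return receipt

    def correct(self, receipt: str, candidate: str) -> None:
        """The post's remedy for a miscounted vote: the receipt holder asks an
        official to fix the entry. Only receipts already on the board change."""
        if receipt not in self._votes:
            raise KeyError("no such receipt on the board")
        if candidate not in CANDIDATES:
            raise ValueError(f"unknown candidate {candidate!r}")
        self._votes[receipt] = candidate

    def lookup(self, receipt: str):
        """What a voter does with the receipt: check how their vote was recorded."""
        return self._votes.get(receipt)

    def tally(self) -> dict:
        return dict(Counter(self._votes.values()))

    def publish(self) -> list:
        """The district board as posted: (receipt, candidate) pairs, sorted."""
        return sorted(self._votes.items())


def unkeyed_receipt_is_reversible(ssn: str) -> bool:
    """Why the key matters: with plain SHA-256 the receipt is matched back to
    an SSN by enumeration. Only the last four digits are searched here to keep
    the demo fast; the full 10^9 space is equally tractable offline."""
    target = hashlib.sha256(ssn.encode()).hexdigest()
    prefix = ssn[:-4]
    for n in range(10_000):
        if hashlib.sha256(f"{prefix}{n:04d}".encode()).hexdigest() == target:
            return True
    return False


if __name__ == "__main__":
    board = ElectionBoard(b"constructed-election-key")
    mine = board.cast("123-45-6789", "Moussavi")  # constructed SSN from the post
    board.cast("987-65-4321", "Ahmadinejad")      # constructed SSN
    print(mine, board.lookup(mine))
    print(board.tally())
    print("unkeyed hash reversible:", unkeyed_receipt_is_reversible("123-45-6789"))
```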

Technology aside, another thought we had while driving was that most fledgling democracies seem to run into the same difficulties Iran is running into; mainly, they have an election, the winner has doubt cast upon them due to lack of trust in the government, and they are thrown into civil war. Again, trust is at the root of the issue. What if a third party were given the power to steward/operate the election? What if the United Nations ran the election, or created a separate, independent arm to run it? Would that help to solidify trust in the election results if it were run by a politically unbiased party? Could there ever be political neutrality in something as political as an election for the head of a country?

Wednesday, June 10, 2009

Identity Management and Airport Security

I just returned from speaking at the Financial Information Security Decisions conference (held by Techtarget.com - check it out) in New York with colleague Kelly Manthey from Solstice Consulting; the conference was great, and our presentation seemed to be well-received.

As we were waiting at the airport for our horribly-delayed flight out of Newark, our conversation turned to airport security. Now, there are a few very good blogs out there, written by very smart people, discussing airport security, so I won't get into the Transportation Security Administration here. However, Kelly and I ran into an interesting subset that I thought might make for good discussion here.

Kelly was expressing how she found it somewhat frustrating that all airports apply security to protect the aircraft and its passengers, but they all implement it in a very different manner. The screening process at Chicago's O'Hare airport, for example, is slightly different than at Newark. At O'Hare, you can use TSA-approved bags for your laptop so you don't have to take it out and display it while going through screening. O'Hare even has signs posted that explain how it's acceptable for you to use one of these laptop bags. The TSA even posts their policy on their website.

Yet at Newark, Kelly was asked to pull her laptop out of this TSA-approved bag and display it, "to ensure it wasn't tampered with."

When we thought of it in the context of an IT problem, rather than a physical security problem, our viewpoints shifted slightly. Perhaps it's a problem of not having architectural standards. Perhaps the scanning equipment is different at each airport. The TSA doesn't regulate that all airports use the same scanning/xray equipment, right?

That had us thinking...and this is where the identity management part of this comes in. Think of an airport as a corporation, and the airplane as the highly-sensitive...database, I suppose. You need to be able to move people in and out of this highly-sensitive database, but there is a risk that a small percentage of this audience has malicious intent.

How do you determine which sources (in this case, people) are to be trusted and which are not? There are two answers: authentication, and authorization.

Travelers are authenticated through their driver's licenses or passports. However, all those documents do is tell you that the person knows how to drive or can follow a process for international travel. They don't give you any of their history so you can determine intent or credibility. This is where some principles of identity management directly clash with privacy: IdM says to have one source of truth, and privacy says people should be able to choose what you know about them. If we applied an Identity Management concept to this scenario, the driver's license you present to the check-in steward at the airport would contain a record of your employment, credit, incarceration history, aliases, previous addresses, clubs, organizations and affiliations, financials, and health records. That's pretty scary, yes? However, wouldn't it be helpful to have all of that information in one place to begin to determine the intent of an airline passenger?

Ok, so maybe that's a bit too infringing to simply ensure airline safety. I can agree with that. I'm not quite ready to abandon the IdM mindset for this problem though. There is another concept that can be applied here: certification.

Depending on your industry, regulatory laws are starting to request companies perform regular audits of employee access. Asking a manager to review and authorize the access their team has is called "certification"; specifically, the manager "certifies" that the team has appropriate access.

How does that apply to people? When the U.S. Government is working on a top-secret project, they have to be very selective with who they trust to work on it. They have established a process to help determine that trust - security clearance. I won't go into the details in this post, but there's some digging into your history that occurs, some character references might be used, and you are given a clearance level.

The airport works in a very similar manner; pilots and co-pilots have certain clearance levels to permit them access to places that baggage-handling and custodial staff don't. Why not certify passengers?

You can bet that frequent flyers would be interested in skipping the often multiple-hour wait at security checkpoints, and I'm certain the TSA would appreciate the smaller number of (uncertified) passengers they would have to screen.

Now, there are certainly some issues to address, such as cost. Could the savings from not having to keep ramping up scanning equipment, hiring/maintaining TSA employees, and managing people, plus the gain in customer satisfaction, outweigh the cost of the certification process? One would think that if we can certify people to handle our national secrets, we can certify people to ride on a plane.

Tuesday, April 28, 2009

Google profiles

It looks like my first true post is coming sooner than expected.

In attempting to solidify an online presence (so people can look me up when they say "who the hell is that?!" when looking through the speakers' profiles for the Financial Information Security Decisions conference), I did the unthinkable: I googled myself.

Everyone should try it. Go ahead. Put your name into Google and see what comes up. Evidently, I'm a sheriff in Minnesota, an Orthodontist in St. Louis, and a techie. Someone's been withholding those additional paychecks.

Anyway, while running this self-search, Google placed a link across the top of the search results: "Are you Brian Schlueter? Register, with Google Profiles!" Google Profiles?

Google has released a new feature as part of their iGoogle suite - profiles. The tagline: "control how you appear in Google by creating a personal profile."

I use a Gmail account. As such, I do play around with some of the features that Google integrates with their suite of apps - I'm a Google Docs user, I'm registered with iGoogle (though I don't really use it all that often), and I even use Google Latitude, because it's neat and it goes against the grain of tinfoil hats and bomb shelters that most security professionals seem to find comfort in.

Back to self-googling. I was logged into iGoogle at the time of the self-google search, so when I clicked the link for Google Profile, it automatically pulled in information from my gmail account - my name, blogs I might follow in Blogger, my Picasa account, and YouTube videos I may have uploaded.

This is a splendid example of extremely solid identity management practices. Google has purchased these companies and integrated their products all under one set of credentials - namely, my email address. Being able to associate my Gmail account used for Blogger registration, and then showing that in my account profile has a very polished, together, and easy-to-use feeling to it. Large companies should take note - Google has recognized that having one account to manage is cheaper for them. It's only one password to remember. It's only stored once. Preferences can apply across all sites. It's slick, and a focus on end-user experience that doesn't often show at an Enterprise level.

Now, though, it can. Sun (and thereby, Oracle) recently announced it was adding support for Google Apps Premier (linked by fellow Blogger Google Operating System), which is the professional, business-focused version of Google's popular apps suite. This includes APIs that permit you to use your organization's existing credential store (Active Directory, SunONE LDAP, etc.) in conjunction with Gmail, Google Docs, Google Talk, Google Calendar, and the Google Page Creator. That's a nice small business solution.

How come the suite of Google products can all use the same set of credentials, AND integrate into your small business or Enterprise? How can Google take my Gmail account, tie it to my Blogger.com and Youtube accounts, and wrap it all together to have me represented in a single identity?

Strong architecture. In this case, in the form of The Google Apps API. We'll make a deep-dive into the Google API in a future post.

Welcome to Multiple Identities!

Here we are; the first blog post. I've thought about starting a blog for a while now. Recently, I committed to writing a book about two topics I really enjoy: Identity Management and Security Architecture. After finally saying "ok, it's time to do this!" and building the outline of the book, I thought it would make sense to start to flesh out all these thoughts rolling around upstairs by testing them out in a Blog.

So, let's talk about this blog. The focus will be on information security, specializing in the two topics mentioned above - Identity Management and Security Architecture. For credibility (hah!), it might help to know a little about me and my experience (or lack thereof). Therefore, this first blog post will be all about me. :-)

I've been in Information Technology for a little over a decade; I started as a PC tech at a small construction company while going to school at a local community college, and ended up landing a well-paying full-time job in desktop support in Chicago, IL working at a large law firm. After a few short months on the phones, I was promoted to the hardware support group, fixing laser printers and taking apart laptops to replace LCDs and whatnot.

This experience carried me away from my home city and downstate to a very large insurance company, working with a team that supported their people in the field who did estimates on car accidents, and ensured the hardware/software they used was reliable and played nicely together. I did that for a few years, specializing in wireless WAN communications (those folks needed to be able to communicate back 'home' from the middle of nowhere) before it became cool and commonplace like it is today. After a while, I was up for a change. The application security team was a growing field in a growing area at that company and had plenty of smart, young talent to corrupt, so off I went.

What a difference. I quickly found myself. Information Security ignited a passion in me that I didn't realize was there. I consumed it. Quickly, I became SANS GSEC certified and started working on large efforts that were re-designing home-grown software and changing platforms (from VB/COM to Java/J2EE) to be more flexible and integrate more cleanly. Eventually I was offered and accepted a spot on a future-facing team that was looking at bringing some of the first web services into the organization. This team was building a new framework, developing software iteratively, and I was on the team to help secure it. Awesome!

It was during my tenure over these few years in Application Security that I learned the most about web services, XML, WS-Security and ID Federation. I was introduced to Role Engineering and the concept of RBAC. I learned about Kerberos, security tokens, and security as a service. I was hooked.

Around this time, my wife and I decided to try to move back home, so I accepted a position at another large insurance company on their Identity Strategy team. The team has its fingers in a lot of pies, but ultimately it's responsible for ensuring the products at the company all integrate nice and neatly with the home-grown Identity Management (IDM) solution. I've been able to touch various parts of the organization, get involved with all sorts of interesting projects and speak with all sorts of interesting people in my quest to ensure new products integrate with the company's application framework.

Not too long ago, a partner with Solstice Consulting, Kelly Manthey, gave me my first public speaking opportunity at the Illinois Institute of Technology's NetSecure '09, which I enjoyed a great deal. Recently, Kelly has asked to collaborate on a presentation for TechTarget's Financial Information Security Decisions '09 conference in New York City, which is even more exciting! We're going to talk about how Identity Management can save your company money! So, in addition to helping organize thoughts for the book, this blog will serve to organize thoughts about our presentation.

That's me in just under 700 words. Don't worry; the next few posts will be much more exciting.

Enjoy your day!