Our last nine months of research into identity and access management have yielded quite a few surprises – for me at least. Many of these new perspectives I have shared piecemeal in various blogs, and others not. But it occurred to me today, as we start getting feedback from the dozen or so IAM practitioners we have asked to critique our Cloud IAM research, that some key themes have been lost in the overall complexity of the content. I want to highlight a few points that really hit home with me, and which I think are critical for security professionals in general to understand.
- BYOD. MDM. MAM. That’s all BS. Mobile security is fundamentally an identity problem. Once you appreciate that a smartphone is essentially a multi-tenant smart card, you start to get a very different idea what mobile security will ultimately look like.
- How very little IAM and security people – and their respective cultures – overlap. At the Cloud Identity summit last year, the security side was me, Gunnar, and I think one other person. The other side was 400 other IAM folks who had never been to RSA before. This year at the RSA Conference was the first time I saw so many dedicated identity folks. Sure RSA, CA, Oracle, and IBM have had offerings for years, but IAM is not front and center. These camps are going to merge … I smell a Venn diagram coming.
- Identity is as glamorous as a sidewalk. Security has hackers, stolen bank accounts, ATM skimmers, crypto, scary foreign nationals, Lulz, APT, cyberwar, and stuff that makes it into movies. Identity has … give me a minute … thumbprint scanners? Anyone? Next time security complains about not having a “seat at the management table”, just be thankful you have C-level representation. I’m not aware of a C-level figure or Identity VP in any (consumer) firm.
- Looking back at directory services models to distribute identity and provide central management … what crap. Any good software architect, even in the mid-90s, should have seen this as a myopic model for services. It’s not that LDAP isn’t a beautifully simplistic design – it’s the inflexible monolithic deployment model. And yet we glued on appendages to get SSO working, until cloud and mobile finally crushed it. We should be thankful for this.
- Federation with mobile is disruptive. IT folks complain about the blurring of lines between personal and corporate data on smartphones. Now consider provisioning for customers as well as employees. In the same pool. Across web, mobile and in-house systems. Yeah, it’s like that.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Database Security Restart. Adrian’s DR post.
- Follow The Dumb Security Money. Mike’s DR post.
- Who has responsibility for cloud security? Mike appears in a NetworkWorld roundtable, and doesn’t say anything (too) stupid. Imagine that!
- Adrian’s DR paper: Security Implications Of Big Data.
Favorite Securosis Posts
- Adrian Lane: Developers and Buying Decisions. Yeah, it’s my post, spurred by Matt Asay’s piece on how cost structures are changing tech sales. I should have split it into two posts, to fully discuss how Oracle is acting like IBM in the early 90s, and then the influence of developers on product sales.
- Mike Rothman: Developers and Buying Decisions. Adrian predicts that developers may be more involved in app security buying decisions. What could possibly go wrong with that?
- Rich: Developers and Buying Decisions. Fail to understand the dynamics and economics around you, and you… er… fail.
- David Mortman: Defending Cloud Data: IaaS Encryption.
- Gal Shpantzer: Who’s Responsible for Cloud Security?
Other Securosis Posts
- DDoS Attack Overblown.
- Estimating Breach Impact.
- Superior Security Economics.
- Incite 3/27/2013: Office Space.
- How Cloud Computing (Sometimes) Changes Disclosure.
- Identifying vs. Understanding Your Adversaries.
- Apple Disables Account Resets in Response to Flaw.
- Friday Summary: March 22, 2013, Rogue IT Edition.
Favorite Outside Posts
- Rich: What, no Angry Birds? Brian Katz nails it – security gets the blame for poor management decisions. I remember the time I was deploying some healthcare software in a clinic and they asked me to block one employee from playing EverQuest. I politely declined.
- Gal Shpantzer: Congress Bulls Into China’s Shop
- David Mortman: Top 3 Proxy Issues That No One Ever Told You.
- Mike Rothman: You Won’t Believe How Adorable This Kitty Is! Click for More! Security is about to jump the shark. When social engineering becomes Wall Street Journal fodder we are on the precipice of Armageddon. It doesn’t hurt that some of our buddies are mentioned in the article, either…
- Adrian Lane: Checklist To Prepare Yourself In Advance of a DDoS Attack. A really sweet checklist for DDoS preparedness checklist.
- Dave Lewis: ICS Vulnerabilities Surface as Monitoring Systems Integrate with Digital Backends. Don’t know if it’s real, but it is funny!
Project Quant Posts
- Email-based Threat Intelligence: To Catch a Phish.
- Network-based Threat Intelligence: Searching for the Smoking Gun.
- Understanding and Selecting a Key Management Solution.
- Building an Early Warning System.
- Implementing and Managing Patch and Configuration Management.
- Defending Against Denial of Service (DoS) Attacks.
- Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
- Tokenization vs. Encryption: Options for Compliance.
Top News and Posts
- Spamhaus DDoS Attacks
- Evernote: So useful, even malware loves it. Evernote as botnet C and C.
- Google glasses. Just friggin’ funny!
- Your WiFi-enabled camera might be spying on you
- “Browser Crashers” Hit Japanese Users
- Victim of $440K wire fraud can’t blame bank for loss, judge rules. This is going to be a hot topic for the next several years.
- FBI Pursuing Real-Time Gmail Spying Powers as “Top Priority” for 2013
- Amazing Plaintext Password Blunder
- Chaos Communication Camps. Or should that be Kamps?
- “Lucky Thirteen” Attack
- MI5 undercover spies: People are falsely claiming to be us. This has occurred a few times before.
- GCHQ attempts to downplay amazing plaintext password blunder
- Slow Android Phone Patching Prompts Vulnerability Report
- Lawyer hopeful of success with secure boot complaint
- Cyberbunker’s Sven Kamphuis says he is victim of conspiracy over Spamhaus attack
- One in six Amazon S3 storage buckets are ripe for data-plundering
- That Internet War Apocalypse Is a Lie
Blog Comment of the Week
This week’s best comment goes to Nate, in response to Who’s Responsible for Cloud Security?
I think the second quote here is a biggy. A lot of folks use the “address it in contract” line. I have to admit at first my thinking went along the lines of: “how is all this ‘cloud’ stuff really any different than application service providers?” For SaaS at least, it seemed like a fancy rename for an ASP. Now a cloud head would probably tear me up over how the difference is in the layers of abstraction and elasticity really running underneath, but I’ve seen plenty of things labeled ‘SaaS’ that are still just a couple web servers running some niche app. As a security guy the biggest difference turned out be the purchasing and contracting model. ASPs used to go through something resembling a real purchasing process with real contract negotiations. There was an opportunity to request specific evidence of security controls, and I’ve even done independent auditing and penetration testing of an ASPs wares. The legal folks also had an opportunity to be specific about damages. For many ‘cloud’ applications no such purchasing process exists. Someone is just slapping down a credit card and running. You get whatever documentation of controls and audit proof the provider feels like publicly disclosing and whatever damages are in their take it or leave it SLA. That means you have a lot less opportunity to shluff off responsibility by contract. Which isn’t necessarily a bad thing if the end result is more people being more responsible for their own data. It is very different though, and it means actually having to think about stuff…