Tuesday, 14 July 2009

International Course on Computer Security and Cryptography 2009

Last week we had the possibility to attend the 12th edition of the International Cosic Course. This course is biyearly organised by the Cosic research group from KULeuven and the topics handle on Computer Security and Cryptography. The event was sponsored by L-Sec and took place at the Arenberg Castle.

The course itself was very interesting, somewhat mathematical but still educational. You can find the various topics on the Cosic Course site.

The 4-day course began with an introduction into cryptography and PKI. After this introduction the mathematics could start! The second day was a deep dive in various security concepts. The third & fourth day handled on the implementations of these concepts.

The conference dinner at The Faculty Club on Thursday was a nice way to socialise with the presenters.
All in all it was a full-packed week with a lot to learn.

Thursday, 7 May 2009

Microsoft Security and Identity Lifecycle Platform

Yesterday, Wednesday 6th of may, I went to a Microsoft Architects forum about the new IAM products that Microsoft has to offer. Geneva, the codename of the new claims based identity system from Microsoft that allows single sign-on access to systems that are active across several data centres. It consists of the Geneva server, which is to deal with issuing and exchanging claims and controlling user access, a cardspace client and the Geneva Framework, an extension of Microsoft's .Net Framework 3.5. The server itself supports active directory and web service standards like Security Assertion Markup Language 2.0 (SAML), WS-Federation and WS-Trust.
The other product that Microsoft offers, and i'm going to discuss in more detail, is FIM (formerly known as ILM2). FIM stands for ForeFront Identity Manager,and it fits inside the range of other ForeFront-suite products offered by Microsoft. Like most of the Microsoft products it offers perfect integration with other Microsoft products and a familiar look and feel to any Windows user. The interface is made in SharePoint,it must be said that the interface looks like the most intuitive one i've seen in an Identity Manager,something Microsoft is really good at. (although I didn't have a hands on experience yet, i am building a demo system as we speak and will come back to this in another blog item)also worth noting that FIM interacts with Outlook aswell. Let me illustrate the previous statement with an example: when a user is added to a group or role in the identity system and approval is required to obtain that. The approver will recieve a mail in outlook with integrated "approve/reject" option similar to the accept/decline option when you are invited for a meeting in Outlook. What's also intresting is that in FIM you now have a workflow editor (it was missing in the pervious lifecycle manager from Microsoft). it also has a broader range of supported protocols. What does concern me is that, while FIM seems to support alot of possible directories (AD,ADAM,'other LDAP',..) for provisioning; but, for example, it's still unclear to me what will happen if i try to provision to an LDAP installed on a Linux or UNIX device. But as previously stated i will test this out and share my experience on this blog!

In General I was pleasantly surprised about this product. Because of the fact that companies tend to already have a large selection of Microsoft products installed,especially for the ones that have SharePoint and other ForeFront products, will make it easier for the employees to navigate the interface. This is a powerfull asset, especially since this is only the second release (other Identity Managers are at their 8th or even 12th release) i do see alot of potential in this aslong as Microsoft doesnt forget that companies tend to have a more exotic selection of protocols and directories other then their own.
Important to note that this product is expected to be released for the beginning of 2010.

Tuesday, 21 April 2009

Benelux Tivoli User Group - DAY 2

Because the user group rescheduled the agenda a bit, Peter Volckaert started with an introduction of IBM Tivoli Directory Integrator. I missed that presentation, but for the ones interested, following a link to the product site: http://www-01.ibm.com/software/tivoli/products/directory-integrator/.

And, finally, TCIEM development manager Michale Pintus and the product manager (grr … I can’t remember his name right now) gave the best of themselves explaining “Tivoli Security Information and Event Manager” in a nutshell. Until recently, companies were focusing on how to protect themselves against threads from the outside world. Because of a growing number of incidents (fraud, data loss…) initiated from inside the network, the demand for software addressing such issues became an urge.
TCIEM is comprised of two products:

1. TCIM or Tivoli Compliance Insight Manager: TCIM helps managing the billions of log file entries in a fast and efficient matter. Using an easy dashboard, one can easily gain an overview saying the environment is compliant with the security strategy in place. Using the same dashboard, an administrator can easily investigate a users’ activity, tracing security issues…

2. TSOM or Tivoli Security Operations Manager: Where TCIM is focusing on gathering information from log files, TSOM gathers real-time operational events coming from firewalls, ips-systems… TSOM also comes up with a dashboard showing security issues in real-time and serves as a launchpad to grave deeper into security issues.

Both the products are translating the complex log-data to an easily understood language, through the W7-methodology (Who, did What, When, Where, Where from, Where to and What). This data is made available through the dashboard, where further investigation is possible by clicking on the topic.

TCIM and TSOM are very closely tightened to each other; TSOM-data can easily be imported in TCIM where it is made available through the dashboard via the W7-methodology.

For those who know CARS (Common Auditing and Reporting System): on middle-term, this will be replaced by TCIEM.

And finally, we rounded up the second day with a presentation given by Guido Van Nuffelen about “Experiential Communications Management”. What it was all about? Well, Guido started his presentation by showing two short movie fragments: one of the legendary A-team, one of “Sex and the city”. After showing these, he raised a question asking what both the movies had in common: the number four. And, what he meant with that number: it seems that every good team is made up of four participants: an executer, a dreamer, a thinker, a decider. Any other combination will probably end-up in a mess: e.g. a team of 4 dreamers will bring up many ideas, but no one will be able to make it effectively working …

To summarize: the event was pretty informative, it gives the ability to get in touch with other products within the Tivoli-family and not less important … if the event is not planned during a vacation period … you do have the chance to get in contact with potential clients and IBM-people.

Benelux Tivoli User Group - DAY 1

Last week (16th and 17th of april) the 2-day taking spring edition of the “Tivoli User Group Netherlands” (Tivoli User Group Nederland, www.tggn.nl) took place in the Antwerp conference center “Elzenveld”, sponsored by IS4U. Well, because TGGN has expanded to Belgian and Luxembourg since the start of 2009 the half-yearly meeting is now called “Benelux Tivoli User Group” … which was the most significant announcement of Chairman Derk Yntema during the welcome.

Before starting with the usual parallel sessions, as “Director of Strategy for IBM Tivoli Software Brand” Don O’Tool gave a nice presentation about the strategy IBM would follow concerning the Tivoli-branded products. Next to improving and extending the current Tivoli-product basis, “green”-thinking really starts to play a major role.

The next IBM-representative, Steve Anderson, came up with a relatively short presentation about services and support where the following items were the most important ones: the differences between a standard and premium support contract, the different possibilities available for requesting support (ESR, Chat,…). And last but not least, IBM-support people now do have the possibility to log in remotely to the customers site to examine a problem in real life which saves the customer of gathering the bunch of data needed when creating an ESR.

As mentioned earlier, the program was based on three tracks: “Green”, “Employee Life Cycle Management” and “Virtualization”. As an IS4U-employee, mainly involved in TIM/TAM-projects, I decided to attend the second track.

Peter Volckaert, technical Tivoli Security sales specialist, did open with a presentation about the new “Tivoli Security Policy Manager” (http://www-01.ibm.com/software/tivoli/products/security-policy-mgr/) offering “security as a service”. Using Policy Manager, dynamical fine-grained authorization towards applications and web services becomes easy manageable. In fact, the software supports the full policy lifecycle management: author, transform, enforce, monitor. To address the client’s needs, Policy manager comes in two offerings:

1. Security Policy Manager for Application Entitlements: Application owners can externalize authorization and audit from their application code.

2. Security Policy Manager for SOA: Application owners can externalize the security policy protecting their web services. Besides, this solution easily integrates with the WebSphere SOA-appliances (Datapower).
Policy Manager is completely based on open-standards making it easily working with third-party software supporting those standards.

Next, in two successive sessions, the asset management tool “Maximo” (http://www-01.ibm.com/software/tivoli/products/maximo-asset-mgmt/) was explained (the user group played a bit around with the agenda). In the earlier years (read: before the acquisition of IBM) MRO’s Maximo was only focusing on not IT-related operational asset management. As more and more assets are touched by technology MRO and IBM came together to address this issue, finally ending in IBM adding Maximo to the Tivoli portfolio. One session was mainly focusing on how to use Maximo within the scope of “Employee Lifecycle Management”, where the other session was more related on how to use it in “managing IT and non-IT Assets”:

1. Employee Lifecycle Management: e.g. streamline the process to follow when an new employee starts working at a company, make sure he/she gets his company car if appropriate, does the user needs a cell phone and order one if necessary, make sure the user does have the necessary accounts created, … Make sure a retiring user hands over all its assets the moment he/she leaves, …

2. Managing IT and non-IT assets: e.g. streamline the processes at a helpdesk, based on the answers given by a user; a solution is given without the intervention of a helpdesk employee.

One important question was: isn’t there a remarkable overlap with ITIM (Identity Manager); the answer was more are less fuzzy.

As a last topic on this first day, Michael Ravelingien gave a very clarifying demo on Encentuate’s single sign-on solution (also strong authentication) (http://www-01.ibm.com/software/tivoli/products/access-mgr-esso/), acquired by IBM somewhere in March 2008. It was pretty astonishing to see what the possibilities of that package are, remember … once up a time with Passlogix (but it could run as standalone application). According to a Gartner report, the support of the latter will continue for another two years (dated 14th of March 2008) while IBM is preparing a migration to Encentuate-based solutions. The tool has the possibility to work in a shared or private workspace within a Windows environment, where there is a performance profit when choosing the first option. The second option is security-wise a better option because of each user has its proper context. Furthermore, RF-badge authentication is supported out of the box, possibility to close user windows when switching from one user session to another … great tool as soon kiosk pc’s (e.g. hospitals) are appearing into the picture!

We ended up our first day with a dinner in the restaurant, sitting next to Steve Anderson … really a nice guy!

Tuesday, 14 April 2009

WebSEAL and OpenSSO; combining the best of both worlds

WebSEAL enthousiasts will tell you that this reverse-proxy solution is of top quality and offers customers a great deal of flexibility. On the other hand, they would have to admit that it requires development effort to integrate it with other (stronger) authentication modules than the four authentication modules it ships with.

OpenSSO enthousiasts will tell you that the free OpenSSO product is of top quality and offers customers a great deal of flexibility and authentication modules out-of-the-box. On the other hand, they would have to admit that one has to build its own reverse-proxy solution with it.

If only there was a way to create a synergy between these two market leading products ... Enter the WebSEAL External Authentication Interface (EAI). This WebSEAL feature allows customers to delegate the authentication process to a third party component. Using OpenSSO as the External Authentication component is like a perfect match. OpenSSO supports a vast number of authentication modules right out-of-the-box like Active Directory, SAML, SecurID, InfoCard and even biometric systems, to name a few. Furthermore it can be deployed on a WebSphere application server and last but not least; it's free!

At IS4U, we put this into practice and wrote a whitepaper about it. It's freely accessible. Feel free to distribute our whitepaper to whom it may concern and provide us with feedback.

Monday, 9 February 2009

ESSoS 2009

Last week I went to the International Symposium on Engineering Secure Software and System (ESSoS) 2009. I attended the tutorial on Risk Management in Practice – Model Based Security Risk Analysis with the CORAS Method. I must say, it turned out to be an enlightening day.

I think the main conclusion that can be drawn from the audience comments is twofold. On one hand, the CORAS method -with its diagrams- provides in a convenient manner to visualise risk and communicate with the customer about it. On the other hand, it lacks the formality (and to be more specific: the checklists) that other Risk Assessment methodologies offer. The best example of the latter was demonstrated during an interactive workshop in which there was (due to the cumulative security expertise in the room) an ad-hoc explosion of vulnerabilities, threat scenarios and unwanted incidents for a relatively simple scenario.

Doing some google searching on the pointers I got from people in the audience on other Risk Assessment approaches, I found this interesting page on the Europa portal (which does not mention the CORAS method ... yet) that allows you to compare different approaches to Risk Assessement.

If you would like to check out CORAS for yourself, the sourceforge page of the project should be an excellent place to get you started.