Information Security

Defending the digital infrastructure



Emerging Technologies: How to secure new products


On the Horizon
New business initiatives mean new threats. Are you ready?

From January to May of this year, the Identity Theft Resource Center tracked 136 major identity thefts affecting 56 million people. According to the Ponemon Institute, 45 percent of such breaches result from missing laptops. At an average corporate cost of $182 per compromised record, why doesn't every company encrypt laptop data?

"Worldwide, about 20 percent of laptops are encrypted," says Richard Stone, vice president of marketing at mobile security vendor Credant Technologies. "A year ago, one barrier was budget, but most companies have now gotten past that. During the VA incident, envelopes alone to notify those affected cost $11 million. Encrypting that data would certainly have cost less."

Stone believes that many companies do not yet encrypt laptop data because they have not determined exactly what they must do to comply with regulations and make their organization secure. "Measure twice, cut once applies to encryption," he says.

Booting Up
Today, most companies that encrypt laptops start with a mandate. "Ten years ago, our customers made IT-initiated point decisions," says Gerhard Watzinger, CEO of SafeBoot, which also secures mobile devices. "Now, the No. 1 driver is compliance, with corporate-wide rollouts initiated at the board level."

Alexandra Kim, executive director of ISS technology at George Washington University, experienced this firsthand.

"It's an idea we've had for years, but a 2006 board meeting gave us a turbo charge," she says. GWU then created a five-phase plan to encrypt all confidential data with Utimaco SafeGuard. "We segmented the population and did those at the top first. Our first phase covered all users who access confidential data and carry laptops. Our next phase will encrypt all desktops in departments that use confidential data."

Highmark Blue Cross/Blue Shield in Pennsylvania found motivation aplenty to encrypt thousands of laptops and desktops. "We're a DoD (Department of Defense) contractor; we're also bound by HIPAA and SOX," says Chris Kashner, desktop specialist. "We see other companies losing data and didn't want our name in the headlines."

To address those concerns, Highmark deployed GuardianEdge Hard Disk Encryption, first to laptops, then to teleworker desktops. To stop flash drive leakage, Highmark later added Pointsec Media Encryption.

The Right Tool
"Ours is definitely not a one-size-fits-all policy," says Kashner. "We initially chose AES full-disk encryption for laptops because it was bulletproof. We chose [a different platform] for removable media protection because of the vendor's DoD history, centralized control and ability to make use-case exceptions."

San Antonio-based Clarke American Checks combines Computrace LoJack for Laptops with PGP Whole Disk Encryption on about 700 laptops. "Those programs now go out the door with all new laptops," says senior IS auditor Deron Means. Clarke evaluated half a dozen products before settling on PGP. "If all we wanted was disk encryption, any could have done that. But most could not encrypt emailed .zip files or archives--features that were huge for us."

The Hershey Company chose SafeBoot Device Encryption for transparency, ease of use and small footprint.

"Demonstrating audit compliance and integration with our identity management infrastructure was important to me," says Dan Klinger, manager of IS. "Our support center also required delegated roles and central management through one console."

Coverage can also play a big role. "If an employee buys a laptop, we have a standard," says Rob Marti, director of IS at Integris Health in Oklahoma City, "but physicians go out and buy the latest toys; I can't dictate what they'll use. The faster we can support new devices, the better."

Integris chose Credant Mobile Guardian as a common file/folder encryption platform for Windows laptops, Palm PDAs and Windows Mobile 5.

Working Out the Kinks
These companies selected different platforms to meet varied requirements, but all emphasize the importance of pilot programs to work out any kinks.

"My laptop's BIOS had to be flashed before encryption worked," says Means. "Now we have a process of running scandisk and upgrading BIOS before installation."

To avoid problems on older laptops, Means installs software LoJack before encryption. "You may decide to just encrypt newer laptops with chip-based LoJack," he says.

Highmark also started slowly to minimize impact, but found that data could be encrypted reliably without extraordinary measures. "Backups and BIOS updates are fine ideas, but if you're encrypting 4,000 laptops, it's just not feasible," says Kashner. "We didn't do any of those things, and our failure rate was minimal--out of 13,000 desktops, we lost maybe one."

"As long as the laptop itself is well managed, we don't have encryption issues," says Integris' Marti. "But on PDAs, we do a hard reset, install Credant, then reinstall applications, because some Mobile 5 devices have issues with releasing memory."

Laptop Blunders
Stolen or lost laptops have exposed millions of records. Here are some of the most notable listed by the Privacy Rights Clearinghouse.

Nov. 19, 2005 Stolen Boeing laptop with 161,000 records.

Dec. 25, 2005 Stolen Ameriprise Financial laptop with 260,000 customer records.

May 2006 Theft of Veterans Administration laptop and external hard drive containing records of 28.6 million veterans.

June 2006 Stolen Ernst & Young laptop with credit card data of 243,000 customers.

March 2007 Theft of Los Angeles County Child Support laptops including 243,000 SSNs, names and child support case numbers.

Process, Process
During its pilot, GWU emphasized communication. "I personally called the head of each department before we started," says Kim. Just two problems were encountered and both were aborted without data loss, instilling confidence required for a larger rollout. The pilot also produced a process. "We found that encryption can take two to eight hours," says Kim. "Now we work with departments to pick a time that doesn't impact their business."

Indeed, everyone interviewed identified people rather than technology as the most essential ingredient.

"Securing data is one thing; retaining the inherent usability of a device is another," says Credant's Stone. "You can't require users to change the way that they work. Don't require the IT organization to change the way that they work either."

According to Watzinger, about 35 percent of SafeBoot's customers use both full disk and file/folder encryption on the same laptop. "When you have an outsourcer administering the CEO's laptop, you need to give him access but stop him from seeing sensitive data," he says.

"After standardizing devices, the biggest thing is having executive management support on who gets encrypted and why, so that you're not fighting that on a daily basis," recommends Marti.

"We put some weight around our laptop protection by making policies heavier," says Clarke American Checks' Means. "Now, if theft is due to negligence, it could cost you your job. One guy had his laptop stolen twice and he no longer works here. After that, it's amazing how few laptops are stolen."

Take Away
The Real Cost Laptop encryption is expensive. Data breaches are a lot more expensive. Encrypt now, starting with high-risk users.

Follow the Money SOA shifts the security landscape from the infrastructure to business initiatives. Put your security budget where the business is investing its money. You will be a business champion and get management's ear at budget time.

Security is Security Out of sight, out of mind? Virtual servers don't secure themselves, nor is it enough to secure the host. Apply best practices for physical server security with heightened awareness of the dynamic nature of virtualization.

On the Line Prepare now for attacks on your IP-PBX, even if we're not seeing them yet. Don't wait for the bad guys to start DoS-ing your IP telephony infrastructure.

Web Services
Architectural Overhaul

Service-oriented architecture changes the security landscape; are you prepared to change with it? by Gunnar Peterson

Service-oriented architecture (SOA) changes the game for information security. Its strategic goals of interoperability, integration, service virtualization and reusability require a radically new approach to security architecture.

Interoperability and integration mean that the business offers services based on the value they add for service consumers and providers (such as printing boarding passes from the Web) instead of based on the IT silo, such as proprietary CRM or ERP systems. Virtualization in a Web services context means that the location of the service implementation is irrelevant at the time it runs, enabling partners in Tokyo, Bangalore and Chicago to collaborate on a business process. Reusing business logic enables a more reliable and cost-effective platform, removing the need to start from scratch on every project. This applies to reusable security services as well.

The adage that security must be a proactive business enabler applies more than ever with SOA. Overcoming the perception that it inhibits commerce is mandatory.

How will this happen? Security services require design, development and operational support, so they must be targeted at high risk and/or high business value areas. Over the course of time, integration patterns emerge in the enterprise, and security leadership can help determine the most cost-effective security investments, leveraging reusable shared security services. This moves security away from an auditor role and into a business champion as a service builder.

Let's examine the key guidelines security officers need to consider in mapping out this 21st-century architecture.

  • Partner with security stakeholders. This often ignored lesson becomes essential in a world dominated by SOA. IT security's future is in partnership with the business, software development (even if outsourced) and customers. The earlier security gets involved, the more likely the mechanisms that enforce security requirements will be implemented when the system is deployed, not tacked on later.

  • Tie risk to the business. There's inherent technical and business risk in any integration--compound this many times over with SOA, which is all about platform and process interoperability across business, geographic and technical boundaries.

    This works to your advantage; in customer and partner integration, the business benefits and risks are easier to quantify in risk management terms, because they are tied to a business service, rather than the IT infrastructure as a whole.

    Put your security budget to work where the business is investing its dollars.

  • Do it by the numbers. Risk is about numbers. Quantify how you're doing and measure progress over time. Given the distributed, heterogeneous nature of SOA, unifying security concerns with metrics gives the security team a way to "see" the system's security posture objectively and helps stakeholders make business decisions.


  • Bake security into development. Security must function as a design partner not solely as an auditor. Involve security early and often in the SOA software development lifecycle. Since developers have historically viewed security as an impediment, be proactive, presenting cost- and time-savers such as reusable security services.

    For example, browser-based single sign-on using SAML enables better, faster, cheaper authentication services that can span multiple application boundaries.

    Offer expertise through threat-modeling services to help define the security requirements for the project, and provide security and QA testing.

  • Look beyond the center. IT security must embrace decentralized security architectures, as SOA pushes data and decision-making out to the edges of organizations.

    The architectural problem is how to enforce security policy consistently on distributed endpoints and intermediaries you probably don't control and/or can't continually audit.

    These may include adding semi-autonomous remote branch offices, agents working from home, and outsourced development and business processes. Security architecture for services such as authentication, authorization and auditing must embrace this new order.

  • Get the message. SOA is an XML message document-oriented way of organizing systems. In traditional IT security, the server authenticates and authorizes the client based on the request. However, under SOA integration, the message document contains the information the service provider--not a single central server--requires to perform authentication and authorization.

    The security architecture must reflect this; it's the single biggest mind-set shift for many IT security organizations.

    This model requires IT security to be agile in collaborating with business goals, because it relies less on hard physical boundaries and auditing every intermediary endpoint.

    The messages are protected with encryption, digital signatures and content validation whether or not they are in use in Amsterdam, Sydney or Rome.

    Focus enterprise security on design and implementation for reusable message security mechanisms like signing and encryption that enable wide interoperability through open standards, such as WS-Security and SAML (See "SOA: Built on Standards"). Since these are not trivial to develop, specialized tools such as XML security gateways (See "Message Mediators") have emerged.


  • Implement federated identity. Since digital identity is extremely context-specific, SOA's highly distributed approach creates challenges in provisioning and access management. No one system tells you everything about a particular identity; rather, one service makes an assertion about an identity, and the relying services evaluate them.

    In this light, it's critical to understand both the capabilities and limitations of your enterprise's current provisioning, access management and federation systems.

    Fortunately, federated identity uses the basic principles of SOA to deliver identity as a service, extending the governance reach of the enterprise's identity management systems.

    Your challenge is to enable federated identity use cases between service requesters and providers by creating a schema for representing the identity and the services that exchange identity assertions and results for authentication, authorization and auditing. The business benefits from increased integration with customers and partners.

  • Bulletproof service registries. Service registries, which store and manage service interface information and associated policies, have at least two important security considerations. They contain valuable information, such as data schemas, service interface and security policy information that must be protected by access control.

    Ideally, they should have the highest level of protection, like an OS kernel. Additionally, since the service registry is where the security policy and mechanisms' metadata is described at design time, and executed at runtime, the IT security team should look to it as a key enabling technology to publish and enforce security policy.

  • Secure the middleware. Historically, middleware applications were considered to be "inside" the firewall, isolated from the outside world. SOA integration requirements place much greater reliance on middleware, such as enterprise service buses that enable reliable, asynchronous messaging and orchestration engines that manage interactions across multiple services. They function as decentralized hubs, aggregating enterprise services and data, and connecting key systems. This new role dramatically alters their security requirements and requires a review of your security architecture.

    The key point is ensuring that messages have sufficient security rights to be routed in the network, while limiting access to the data itself. Think of an envelope holding a letter (the XML message) that requires the correct addressing and postage, but prevents the postal clerk (middleware) from reading its contents.
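The "Implement federated identity" guideline above says that one service asserts an identity and the relying services evaluate the assertion. What that evaluation looks like in code is shown below as an added example; it is not code from the article or from any product it names. A JSON object stands in for a SAML assertion and an HMAC for its XML Signature, and the issuer registry, audience name, subject, roles and clock value are all constructed for the example. The checks mirror the SAML 2.0 Conditions a relying party must honor (NotBefore/NotOnOrAfter validity window, AudienceRestriction) plus issuer trust and signature verification, in the order a relying service should apply them.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed trust configuration for one relying service: the issuers it
# trusts with their keys, and the audience name it expects assertions to name.
TRUSTED_ISSUERS = {"idp.partner.example": b"example-partner-key-not-for-production"}
MY_AUDIENCE = "claims.tokyo.example"
MAX_CLOCK_SKEW = timedelta(minutes=2)
SAMPLE_NOW = datetime(2007, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def _assertion_mac(key: bytes, claims: dict) -> str:
    # Canonical JSON so issuer and relying party authenticate identical bytes;
    # this stands in for the XML Signature over a real SAML assertion.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_assertion(issuer: str, subject: str, audience: str, roles: list,
                    now: datetime, lifetime: timedelta = timedelta(minutes=5)) -> dict:
    """Identity provider side: assert who the subject is, for whom, and for how long."""
    claims = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,            # SAML AudienceRestriction
        "roles": roles,                  # attribute statement
        "not_before": now.isoformat(),   # SAML Conditions NotBefore
        "not_on_or_after": (now + lifetime).isoformat(),  # NotOnOrAfter
    }
    return {"claims": claims, "mac": _assertion_mac(TRUSTED_ISSUERS[issuer], claims)}


def evaluate_assertion(assertion: dict, now: datetime, required_role: str) -> tuple:
    """Relying service side: return (accepted, reason). Order matters: the
    issuer must be trusted before its key is used, and the signature must
    hold before any claim inside the assertion is believed."""
    claims = assertion.get("claims", {})
    key = TRUSTED_ISSUERS.get(claims.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    if not hmac.compare_digest(assertion.get("mac", ""), _assertion_mac(key, claims)):
        return False, "signature does not match claims"
    if claims.get("audience") != MY_AUDIENCE:
        return False, "assertion was issued for a different audience"
    not_before = datetime.fromisoformat(claims["not_before"])
    not_on_or_after = datetime.fromisoformat(claims["not_on_or_after"])
    if now + MAX_CLOCK_SKEW < not_before or now - MAX_CLOCK_SKEW >= not_on_or_after:
        return False, "outside validity window"
    if required_role not in claims.get("roles", []):
        return False, f"subject lacks role {required_role!r}"
    return True, "accepted"


def demo() -> tuple:
    """Run the evaluator over a valid assertion and the usual failure cases."""
    now = SAMPLE_NOW
    good = issue_assertion("idp.partner.example", "alice", MY_AUDIENCE, ["claims-adjuster"], now)
    wrong_audience = issue_assertion("idp.partner.example", "alice", "billing.dallas.example",
                                     ["claims-adjuster"], now)
    forged = {"claims": dict(good["claims"], roles=["admin"]), "mac": good["mac"]}
    unknown = {"claims": {"issuer": "unknown.example"}, "mac": ""}
    return (
        evaluate_assertion(good, now, "claims-adjuster")[1],
        evaluate_assertion(good, now + timedelta(minutes=10), "claims-adjuster")[1],
        evaluate_assertion(wrong_audience, now, "claims-adjuster")[1],
        evaluate_assertion(forged, now, "admin")[1],
        evaluate_assertion(unknown, now, "claims-adjuster")[1],
        evaluate_assertion(good, now, "admin")[1],
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The audience check is the one most often skipped in practice: without it, an assertion issued for the Dallas billing service can be replayed against the Tokyo claims service, which is exactly the cross-boundary risk the guideline warns about.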

Gunnar Peterson is a managing principal at Arctec Group, which provides IT architectural services. Send your comments on this article to

XML Security Gateways
Message mediators

One of the strategic challenges with applying security in a loosely coupled world is where and how to provide authentication, authorization and auditing services in a conversation between a service requester and provider. XML security gateways have emerged as effective tools to mediate communication between services and apply security policy. They allow the organization to use a message-level security approach using standards such as WS-Security and SAML to represent security tokens in the XML message. (See figure, right). XML security gateways can deliver a number of useful security services in SOA:

Authentication/authorization. Authenticates and authorizes service requests and responses using open standards, such as WS-Security and SAML. Interestingly, many SOA standards allow for the architecture to use different namespaces for different tokens, such as one token for message routing and one for data access. What this means in practice is that the token protecting, say, account data, may originate in Tokyo, while the token protecting routing information may originate in Dallas.

Audit. Provide a convenient point to deploy audit logging services for the services they protect.

Input validation. Services are still vulnerable to injection attacks like SQL or LDAP injection; additionally, services have to deal with attacks on infrastructure, such as those against XML parsers. XML security gateways provide a pipeline to execute whitelist and/or blacklist input validation rules.

XML Denial of Service (XDoS) protection. There are several known ways to execute denial of service against a service using XML. These include sending recursive elements (building the same object over and over again) and jumbo payloads (in a loosely coupled world there's nothing to stop an attacker from sending a 1 GB file). XML security gateways can deploy specialized logic for dealing with XDoS.
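The input validation and XDoS services described in the two paragraphs above can be shown concretely. The following is an added example written for this page, not code from the article or from any gateway product; the size, depth and element limits, the whitelist rules and the sample messages are all constructed. It applies the checks in the order a gateway pipeline would: payload size before any parsing, a refusal of DTD and entity declarations (SOAP messages must not carry a DTD, and entity declarations are the basis of entity-expansion attacks), then a streaming parse that stops at the first nesting or element-count violation, and finally whitelist rules on the fields the protected service accepts, which is what keeps SQL- or LDAP-injection strings from reaching the back end.

```python
import io
import re
import xml.etree.ElementTree as ET

# Gateway policy thresholds: constructed values for this example, not any
# vendor's defaults. A real gateway exposes these per protected service.
MAX_BYTES = 64 * 1024       # jumbo-payload limit, checked before any parsing
MAX_DEPTH = 32              # nesting limit, catches recursive element floods
MAX_ELEMENTS = 10_000       # total element limit
ALLOWED_ROOTS = {"Envelope"}

# Whitelist rules for the fields the protected service actually accepts.
FIELD_RULES = {
    "ClaimId": re.compile(r"C-\d{1,8}"),
    "Amount": re.compile(r"\d{1,9}(\.\d{2})?"),
}


def check_message(raw: bytes) -> tuple:
    """Return (accepted, reason). Streams the document with iterparse so a
    hostile message is rejected as soon as it crosses a limit, without
    first building the whole tree in memory."""
    if len(raw) > MAX_BYTES:
        return False, f"payload of {len(raw)} bytes exceeds {MAX_BYTES}"
    # SOAP forbids DTDs, and entity declarations drive entity-expansion
    # attacks, so refuse them outright rather than hand them to the parser.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return False, "DTD or entity declaration not permitted"

    depth = count = 0
    try:
        for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if depth == 1 and elem.tag not in ALLOWED_ROOTS:
                    return False, f"unexpected root element {elem.tag!r}"
                if depth > MAX_DEPTH:
                    return False, f"nesting deeper than {MAX_DEPTH}"
                if count > MAX_ELEMENTS:
                    return False, f"more than {MAX_ELEMENTS} elements"
            else:
                rule = FIELD_RULES.get(elem.tag)
                if rule is not None:
                    text = (elem.text or "").strip()
                    if not rule.fullmatch(text):
                        return False, f"field {elem.tag} failed whitelist rule"
                depth -= 1
                elem.clear()  # release already-validated content while streaming
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, "accepted"


# Constructed sample messages: one legitimate request and four hostile ones.
GOOD = (b"<Envelope><Header><To>claims.example</To></Header><Body><ProcessClaim>"
        b"<ClaimId>C-1001</ClaimId><Amount>250.00</Amount></ProcessClaim></Body></Envelope>")
INJECTION = GOOD.replace(b"C-1001", b"C-1001' OR '1'='1")
RECURSIVE = b"<Envelope>" + b"<a>" * 40 + b"</a>" * 40 + b"</Envelope>"
JUMBO = b"<Envelope><Body>" + b"A" * (2 * MAX_BYTES) + b"</Body></Envelope>"
DTD = b'<!DOCTYPE x [<!ENTITY a "aaaa">]><Envelope>&a;</Envelope>'

if __name__ == "__main__":
    samples = [("good", GOOD), ("injection", INJECTION), ("recursive", RECURSIVE),
               ("jumbo", JUMBO), ("dtd", DTD)]
    for name, msg in samples:
        print(name, check_message(msg))
```

The size check runs on the raw bytes because by the time a parser reports a problem with a 1 GB document it has already consumed the memory and CPU the attacker wanted it to; the same logic is why the streaming parse returns on the first violation instead of collecting all of them.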

Security token and identity mapping. Since SOAs span multiple technologies, a single request can easily traverse mainframe, Java servers and Windows. Typically, these identity tokens must be mapped to local formats, so the mainframe may require username/password, the Java system uses LDAP, and the Windows system uses Kerberos. XML security gateways provide an enforcement point for token validation and exchange through token mapping.

There are many services that can be deployed in XML security gateways, and each tool has its strengths and weaknesses. The OWASP XML Security Gateway Evaluation Criteria Project ( provides an open standard for evaluation criteria that represents a transparent, level playing field for XML security gateway solutions to define their solution's key value propositions.

--Gunnar Peterson

SOA: Built on Standards
WS-Security, SAML put Web services in the fast lane on the Information Highway.

Because SOA is not predicated on a single technical development platform, the security services the architecture requires, such as authentication and authorization, must be provided not through a single security solution, but rather through interoperable security standards, such as WS-Security and SAML. Since SOA spans business, geographic and technical boundaries, the security services that protect identity, data and applications require interoperable standards, such as XML Encryption and XML Signature, that can make security assertions no matter the development platform used by either the service provider or requester. (See figure, right). The most important of these standards include:

WS-Security 1.1, which describes how to attach security tokens (such as Kerberos tickets and X.509 certificates) to messages.

WS-Trust 1.3, which extends WS-Security, describing how to move security tokens around in integrated systems.

WS-SecureConversation 1.3, which shows how to optimize performance in message security by creating security contexts and a more efficient channel.

WS-SecurityPolicy 1.1, a specification for describing a policy for a server's security requirements.

SAML 2.0, an XML-based security assertions markup language for making and evaluating authentication, authorization and attribute assertions.

All of these standards may be applied at the message level, the XML document, enabling end-to-end security models rather than point-to-point security models. For example, if SSL is terminated at the edge of the corporate network, an unencrypted XML document and the confidential data it describes are then in the clear. But requiring security, such as encryption, on the XML document itself builds assurance into the security infrastructure as a whole, so there's no need to audit every endpoint between Bangalore and Tokyo every day. Likewise, XML Signature allows for authentication and integrity at the message level.
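The end-to-end point made here, and the envelope-and-letter analogy in the "Secure the middleware" guideline of the main article, both come down to one property: a signature over the Body must survive every intermediary that legitimately rewrites the envelope's routing headers, and must fail the moment any hop alters the letter inside. The following is an added example written for this page, not code from the article or any product it mentions. It uses a simplified envelope without SOAP namespaces, and an HMAC over the canonicalized Body stands in for an XML Signature (the canonicalization step is the same idea as XMLDSig's C14N); the key, hostnames and claim contents are constructed. It demonstrates the integrity half of message-level security; the confidentiality half (XML Encryption of the Body) needs a cipher library and is not shown.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the signing key a WS-Security deployment would keep
# in a keystore; an HMAC replaces the XML Signature structure here so the
# example runs with only the standard library.
SIGNING_KEY = b"example-shared-secret-not-for-production"

# Constructed claim message in a simplified envelope (SOAP namespaces omitted).
CLAIM = """<Envelope>
  <Header><To>claims.tokyo.example</To></Header>
  <Body><ProcessClaim><ClaimId>C-1001</ClaimId><Amount>250.00</Amount></ProcessClaim></Body>
</Envelope>"""


def canonical_body(envelope: ET.Element) -> bytes:
    """Serialize the Body in canonical XML (C14N) so the signature does not
    depend on whitespace or attribute order, as XMLDSig's canonicalization
    step does; a router that re-serializes the envelope must not break it."""
    body = envelope.find("Body")
    if body is None:
        raise ValueError("message has no Body")
    return ET.canonicalize(ET.tostring(body, encoding="unicode"), strip_text=True).encode()


def sign_body(envelope_xml: str) -> str:
    """Sender: sign only the letter (Body) and carry the signature in the Header."""
    envelope = ET.fromstring(envelope_xml)
    mac = hmac.new(SIGNING_KEY, canonical_body(envelope), hashlib.sha256).hexdigest()
    ET.SubElement(envelope.find("Header"), "BodySignature").text = mac
    return ET.tostring(envelope, encoding="unicode")


def verify_body(envelope_xml: str) -> bool:
    """Final service provider: accept the Body only if its signature still holds."""
    envelope = ET.fromstring(envelope_xml)
    sig = envelope.find("Header/BodySignature")
    if sig is None or not sig.text:
        return False
    expected = hmac.new(SIGNING_KEY, canonical_body(envelope), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.text, expected)


def reroute(envelope_xml: str, destination: str) -> str:
    """Middleware (the postal clerk): rewrite the address on the envelope
    without touching the letter, e.g. when the Tokyo site is down."""
    envelope = ET.fromstring(envelope_xml)
    envelope.find("Header/To").text = destination
    return ET.tostring(envelope, encoding="unicode")


def tamper_body(envelope_xml: str, amount: str) -> str:
    """A hop that opens the letter and changes the claim amount."""
    envelope = ET.fromstring(envelope_xml)
    envelope.find("Body/ProcessClaim/Amount").text = amount
    return ET.tostring(envelope, encoding="unicode")


def demo() -> tuple:
    """(signed as sent, after legitimate rerouting, after Body tampering)."""
    signed = sign_body(CLAIM)
    return (verify_body(signed),
            verify_body(reroute(signed, "claims.bangalore.example")),
            verify_body(tamper_body(signed, "999999.00")))


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Compare this with transport security alone: once SSL is terminated at the edge, nothing in the message itself lets the Bangalore service tell whether the Body it received is the one the requester sent, which is why the article argues for assurance built into the document rather than audited into every endpoint.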

Additionally, security services can be applied at a more granular level; think of an airport security model, which includes fundamentally different risk and policy concerns for baggage scanning, tower-to-plane communications, physical checkpoints and passport checking. Historically, IT security architectures for Web applications rely on technologies like SSL and username/password, all-or-nothing security implementations that do not scale to distributed endpoints with different security concerns. The SOA goal of reuse means the service provider cannot always predict how the service requester will use the data it provides. The goal of virtualization means that the endpoint address and location may change--the claims processing site in Tokyo goes down, and calls are rerouted to Bangalore.

The standards landscape is rapidly evolving. One of the chief value-adds IT security can bring to the table in SOA is to understand the maturity, role and utility of the key SOA security architecture standards and implementations so the enterprise can take full advantage.

Setting the architectural direction for standards in your organization is key to success. The standards should be published in the service registry, ideally as part of prescriptive security architecture that can be used in the software development lifecycle. The IT security team should collaborate with the software developers to define what level of security is appropriate for a given application. Finally, the IT security strategy should identify key standards it wants to deploy, in a security as a service model, and look to the marketplace for tools that allow for cost-effective, wide-scale deployment of the key enabling standards.

--Gunnar Peterson

Security is a Virtual Reality

The same best practices that apply to a physical infrastructure apply to a virtual one as well. by Neil Roiter

Virtualization is changing the face of corporate IT, reducing the number of physical servers, saving space and cutting energy costs. Its flexibility and ease of deployment enables companies to respond rapidly to new business initiatives and requirements. Gartner predicts more than 4 million virtual machines will be deployed by 2009.

Does this change the security environment? Yes and no.

"The baseline is that virtual infrastructure is quite similar to physical infrastructure in terms of security," says Patrick Lin, VMware's director of product management for data center platform products. "It doesn't absolve you of following good security practices."

Virtualization, in fact, improves security practices in some respects. It's easy to create and deploy "gold" master server images, both for new deployments and for restoring compromised servers to a good state. It's ideal for testing patches on multiple configurations without additional hardware or exposing production systems.

That also means security managers must remember that, as in a physical network, one compromised server can affect others. Each guest server must be protected.

"People sometimes assume that virtual machines are isolated from each other; the user interfaces of these tools seem to imply isolation," says Ed Skoudis, founder of security consultancy Intelguardians.

"From a security perspective, generally, users in virtualized environments are still using the same tools in each guest" that they are for physical servers, says Simon Crosby, CTO of XenSource. "No one has gotten to the point in which the hypervisor offers security to multiple guests. That's still coming."

The shadow factor is the risk--mostly theoretical, at least for now--that the hypervisor itself can be exploited and controlled through some vulnerability and used to subvert the guest VMs.

"We advise people to assume the ability of an attacker to jump from guest to host to guest is a possibility, and to architect virtualization accordingly," Skoudis says.

The biggest risk, perhaps, comes from the adage that complexity breeds insecurity.

IT security staff used to associating security practices with boxes and wired networks have to be alert to changes. Virtual servers are easily and transparently moved to maximize bandwidth and computing resources; dormant high-availability servers need up-to-date patches and configurations.

The danger is acute if business-critical, high-security VMs occupy the same physical box as less secure servers. Best practice requires that enterprises group like servers from a security perspective.


It may be more complex than that. Maintaining--or even knowing--the correct configuration requirements may be problematic.

"There could be conflict when I change configurations and patch, given the complexity of SAN, virtualization software and the OS," says Dennis Moreau, CTO of Configuresoft. "Best practices have focused on each layer in isolation, but what's best for storage may not be for an application."

This means thinking in terms of dynamic situations, in which one gold standard for a given OS or application doesn't necessarily apply.

"IT has to connect dots across the components," says Moreau. "How do virtual components impact each other?"

"Security is not a problem perceived by customers; they're focused on performance and achieving consolidation," says XenSource's Crosby. "The bad guys are not paying attention yet, but this will increase as the number of virtual machines increases."

Neil Roiter is Information Security senior technology editor.

Virtual World Tools

Just a handful of vendors are offering specialized VM-specific security products, anticipating what may be a growing market. They include:

Reflex Security
Reflex Virtual Security Appliance (VSA) profiles virtual network state, assets and communications, providing antivirus/antispyware protection, network discovery and network policy enforcement for VMs on the host machine.

Blue Lane
Blue Lane VirtualShield takes a different approach, protecting unpatched, out-of-date and offline VMs. It discovers VMs, ports, applications and protocols, and applies corrective action against traffic that could exploit vulnerabilities.

StrataGuard Free IDS/IPS is available free of charge as a VMware virtual appliance. Its Cobia Unified Network Platform is an open-source software platform that provides multiple security services across physical and virtual networks. It can be installed on standard servers or as a VMware virtual device.

It's Your Call

IP telephony saves money and resources, but don't ignore security. by Neil Roiter

IP telephony is going mainstream. The cost savings of deploying, expanding and maintaining a converged network rather than separate voice, data and video infrastructure is too good to ignore. Frost & Sullivan recently reported that the North American enterprise IP telephony endpoint market revenues hit $1.02 billion in 2006 and predicts it will reach $2.79 billion in 2011.

As with any emerging technology, there's some confusion over security. It hasn't been much of an issue with traditional phone systems.

"It's been the most mission-critical and reliable application in the environment," says Gartner research analyst Lawrence Orans. Now, "It's just another application on top of the data network. The IP-PBX becomes just another vulnerable server."

But a server that controls the most important business application. Denial-of-service attacks against the IP-PBX or the network could bring business to a crashing halt.

"We haven't seen the kind of high-profile attacks on voice as we saw on the data side," says Orans. "That doesn't mean you shouldn't take precautions." He says targeted attacks will increase as IP telephony deployment grows.

Almost without exception, IP telephony is contained internally, with the IP-PBX connecting to the traditional telephone infrastructure.

"The threat is still relatively low. IP telephony will become a more lucrative target as there are more vectors of attack," says Mark Collier, CTO of telephony security company SecureLogix. "There's little visibility outside of the perimeter."

Gartner advises to protect the IP-PBX the same way as any critical server, including a network firewall that supports VoIP protocols, including SIP, H.323 and the various proprietary protocols, depending on the IP-PBX vendor. Separate VLANs and bandwidth controls help assure quality of service.

"What you need to do is basic network security," says Collier. "We recommend an audit. Most threats can be eliminated by configuring correctly, fixing the dumb stuff. You should still have a traditional firewall; it's too early for a VoIP-specific firewall."

That will probably change over time. There are VoIP-based attack tools, mostly based on SIP. Although IP telephony providers like Cisco, Avaya and Nortel use proprietary protocols, market pressures are bound to push them toward SIP over time.

Sipera Systems' Viper Lab regularly discloses vulnerabilities in SIP systems. Sipera, along with companies like Natural Convergence and BorderWare, offer specialized VoIP security products.

"Many enterprises, primarily financial and health care, know these attacks are possible and are taking measures now rather than wait for an attack," says Krishna Kurapati, Sipera CTO.

Further, financials rely heavily on instant messaging for trading, including SIP-based applications like MS Office Communicator and Lotus Sametime. SIP security products may make sense for these companies, and for SIP-based voice going forward.

"IP telephony can be secured," says Gartner's Orans. "We advise our clients to move ahead if it makes sense to the business, and protect it properly."

Neil Roiter is Information Security senior technology editor.
