On the Horizon
New business initiatives mean new threats. Are you ready?
From January to May of this year, the Identity Theft Resource Center tracked 136 major identity thefts affecting 56 million people. According to the Ponemon Institute, 45 percent of such breaches result from missing laptops. At an average corporate cost of $182 per compromised record, why doesn't every company encrypt laptop data?
"Worldwide, about 20 percent of laptops are encrypted," says Richard Stone, vice president of marketing at mobile security vendor Credant Technologies. "A year ago, one barrier was budget, but most companies have now gotten past that. During the VA incident, envelopes alone to notify those affected cost $11 million. Encrypting that data would certainly have cost less."
Stone believes that many companies do not yet encrypt laptop data because they have not determined exactly what they must do to comply with regulations and make their organization secure. "Measure twice, cut once applies to encryption," he says.
Today, most companies that encrypt laptops start with a mandate. "Ten years ago, our customers made IT-initiated point decisions," says Gerhard Watzinger, CEO of SafeBoot, which also secures mobile devices. "Now, the No. 1 driver is compliance, with corporate-wide rollouts initiated at the board level."
Alexandra Kim, executive director of ISS technology at George Washington University, experienced this firsthand.
"It's an idea we've had for years, but a 2006 board meeting gave us a turbo charge," she says. GWU then created a five-phase plan to encrypt all confidential data with Utimaco SafeGuard. "We segmented the population and did those at the top first. Our first phase covered all users who access confidential data and carry laptops. Our next phase will encrypt all desktops in departments that use confidential data."
Highmark Blue Cross/Blue Shield in Pennsylvania found motivation aplenty to encrypt thousands of laptops and desktops. "We're a DoD (Department of Defense) contractor; we're also bound by HIPAA and SOX," says Chris Kashner, desktop specialist. "We see other companies losing data and didn't want our name in the headlines."
To address those concerns, Highmark deployed GuardianEdge Hard Disk Encryption, first to laptops, then to teleworker desktops. To stop flash drive leakage, Highmark later added Pointsec Media Encryption.
The Right Tool
"Ours is definitely not a one-size-fits-all policy," says Kashner. "We initially chose AES full-disk encryption for laptops because it was bulletproof. We chose [a different platform] for removable media protection because of the vendor's DoD history, centralized control and ability to make use-case exceptions."
San Antonio-based Clarke American Checks combines Computrace LoJack for Laptops with PGP Whole Disk Encryption on about 700 laptops. "Those programs now go out the door with all new laptops," says senior IS auditor Deron Means. Clarke evaluated half a dozen products before settling on PGP. "If all we wanted was disk encryption, any could have done that. But most could not encrypt emailed .zip files or archives--features that were huge for us."
The Hershey Company chose SafeBoot Device Encryp- tion for transparency, ease of use and small footprint.
"Demonstrating audit compliance and integration with our identity management infrastructure was important to me," says Dan Klinger, manager of IS. "Our support center also required delegated roles and central management through one console."
Coverage can also play a big role. "If an employee buys a laptop, we have a standard," says Rob Marti, director of IS at Integris Health in Oklahoma City, "but physicians go out and buy the latest toys; I can't dictate what they'll use. The faster we can support new devices, the better."
Integris chose Credant Mobile Guardian as a common file/folder encryption platform for Windows laptops, Palm PDAs and Windows Mobile 5.
Working Out the Kinks
These companies selected different platforms to meet varied requirements, but all emphasize the importance of pilot programs to work out any kinks.
"My laptop's BIOS had to be flashed before encryption worked," says Means. "Now we have a process of running scandisk and upgrading BIOS before installation."
To avoid problems on older laptops, Means installs software LoJack before encryption. "You may decide to just encrypt newer laptops with chip-based LoJack," he says.
Highmark also started slowly to minimize impact, but found that data could be encrypted reliably without extraordinary measures. "Backups and BIOS updates are fine ideas, but if you're encrypting 4,000 laptops, it's just not feasible," says Kashner. "We didn't do any of those things, and our failure rate was minimal--out of 13,000 desktops, we lost maybe one."
"As long as the laptop itself is well managed, we don't have encryption issues," says Integris' Marti. "But on PDAs, we do a hard reset, install Credant, then reinstall applications, because some Mobile 5 devices have issues with releasing memory."
Stolen or lost laptops have exposed millions of records. Here are some of the most notable listed by the Privacy Rights Clearinghouse.
Nov. 19, 2005 Stolen Boeing laptop with 161,000 records.
Dec. 25, 2005 Stolen Ameriprise Financial laptop with 260,000 customer records.
May 2006 Theft of Veterans Administration laptop and external hard drive containing records of 28.6 million veterans.
June 2006 Stolen Ernst & Young laptop with credit card data of 243,000 hotel.com customers.
March 2007 Theft of Los Angeles County Child Support laptops including 243,000 SSNs, names and child support case numbers.
During its pilot, GWU emphasized communication. "I personally called the head of each department before we started," says Kim. Just two problems were encountered and both were aborted without data loss, instilling confidence required for a larger rollout. The pilot also produced a process. "We found that encryption can take two to eight hours," says Kim. "Now we work with departments to pick a time that doesn't impact their business. "
Indeed, everyone interviewed identified people rather than technology as the most essential ingredient.
"Securing data is one thing; retaining the inherent usability of a device is another," says Credant's Stone. "You can't require users to change the way that they work. Don't require the IT organization to change the way that they work either."
According to Watzinger, about 35 percent of SafeBoot's customers use both full disk and file/folder encryption on the same laptop. "When you have an outsourcer administering the CEO's laptop, you need to give him access but stop him from seeing sensitive data," he says.
"After standardizing devices, the biggest thing is having executive management support on who gets encrypted and why, so that you're not fighting that on a daily basis," recommends Marti.
"We put some weight around our laptop protection by making policies heavier," says Clarke American Checks' Means. "Now, if theft is due to negligence, it could cost you your job. One guy had his laptop stolen twice and he no longer works here. After that, it's amazing how few laptops are stolen."
The Real Cost Laptop encryption is expensive. Data breaches are a lot more expensive. Encrypt now, starting with high-risk users.
Follow the Money SOA shifts the security landscape from the infrastructure to business initiatives. Put your security budget where the business is investing its money. You will be a business champion and get management's ear at budget time.
Security is Security Out of sight, out of mind? Virtual servers don't secure themselves, nor is it enough to secure the host. Apply best practices for physical server security with heightened awareness of the dynamic nature of virtualization.
On the Line Prepare now for attacks on your IP-PBX, even if we're not seeing them yet. Don't wait for the bad guys to start DoS-ing your IP telephony infrastructure.
Service-oriented architecture changes the security landscape; are you prepared to change with it? by Gunnar Peterson
|Web Services (continued)|
|Web Services (continued)|
Gunnar Peterson is a managing principal at Arctec Group, which provides IT architectural services. Send your comments on this article to firstname.lastname@example.org.
|XML Security Gateways|
One of the strategic challenges with applying security in a loosely coupled world is where and how to provide authentication, authorization and auditing services in a conversation between a service requester and provider. XML security gateways have emerged as effective tools to mediate communication between services and apply security policy. They allow the organization to use a message-level security approach using standards such as WS-Security and SAML to represent security tokens in the XML message. (See figure, right). XML security gateways can deliver a number of useful security services in SOA:
Authentication/authorization. Authenticates and authorizes service requests and responses using open standards, such as WS-Security and SAML. Interestingly, many SOA standards allow for the architecture to use different namespaces for different tokens, such as one token for message routing and one for data access. What this means in practice is that the token protecting, say, account data, may originate in Tokyo, while the token protecting routing information may originate in Dallas.
Audit. Provide a convenient point to deploy audit logging services for the services they protect.
Input validation. Services are still vulnerable to injection attacks like SQL or LDAP injection; additionally, services have to deal with attacks on infrastructure, such as those against XML parsers. XML security gateways provide a pipeline to execute whitelist and/or blacklist input validation rules.
XML Denial of Service (XDoS) protection. There are several known ways to execute denial of service against a service using XML. These include sending recursive elements (building the same object over and over again) and jumbo payloads (in a loosely coupled world there's nothing to stop an attacker from sending a 1 GB file). XML security gateways can deploy specialized logic for dealing with XDoS.
Security token and identity mapping. Since SOAs span multiple technologies, a single request can easily traverse mainframe, Java servers and Windows. Typically, these identity tokens must be mapped to local formats, so the mainframe may require username/password, the Java system uses LDAP, and the Windows system uses Kerberos. XML security gateways provide an enforcement point for token validation and exchange through token mapping.
There are many services that can be deployed in XML security gateways, and each tool has its strengths and weaknesses. The OWASP XML Security Gateway Evaluation Criteria Project (https://www.owasp.org/index.php/Category:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project) provides an open standard for evaluation criteria that represents a transparent, level playing field for XML security gateway solutions to define their solution's key value propositions.
|SOA: Built on Standards|
WS-Security, SAML put Web services in the fast lane on the Information Highway.
Because SOA is not predicated on a single technical development platform, the security services the architecture requires, such as authentication and authorization, must be provided not through a single security solution, but rather through interoperable security standards, such as WS-Security and SAML. Since SOA spans business, geographic and technical boundaries, the security services that protect identity, data and applications require interoperable standards, such as XML Encryption and XML Signature, that can make security assertions no matter the development platform used by either the service provider or requester. (See figure, right). The most important of these standards include:
WS-Security 1.1, which describes how to attach security tokens (such as Kerberos tickets and X.509) to messages.
WS-Trust 1.3, which extends WS-Security, describing how to move security tokens around in integrated systems.
WS-SecureConversation 1.3, which shows how to optimize performance in message security by creating security contexts and a more efficient channel.
WS-SecurityPolicy 1.1, a specification for describing a policy for a server's security requirements.
SAML 2.0, an XML-based security assertions markup language for making and evaluating authentication, authorization and attribute assertions.
All of these standards may be applied at the message level, the XML document, enabling end-to-end security models, not point-to-point security models. For example, if SSL is terminated at the edge of the corporate network, an unencrypted XML document and the confidential data it describes is then in the clear. But requiring security, such as encryption, to the XML document builds assurance into the security infrastructure as a whole, so there's no need to audit every endpoint between Bangalore and Tokyo every day. Likewise the XML signature allows for authentication and integrity at the message level.
Additionally, security services can be applied at a more granular level; think of an airport security model, which includes fundamentally different risk and policy concerns for baggage scanning, tower-to-plane communications, physical checkpoints and passport checking. Historically, IT security architectures for Web applications rely on technologies like SSL and username/password, all-or-nothing security implementations that do not scale to distributed endpoints with different security concerns. The SOA goal of reuse means the service provider cannot always predict how the service requester will use the data it provides. The goal of virtualization means that the endpoint address and location may change-- the claims processing site in Tokyo goes down, and calls are rerouted to Bangalore.
The standards landscape is rapidly evolving. One of the chief value-adds IT security can bring to the table in SOA is to understand the maturity, role and utility of the key SOA security architecture standards and implementations so the enterprise can take full advantage.
Setting the architectural direction for standards in your organization is key to success. The standards should be published in the service registry, ideally as part of prescriptive security architecture that can be used in the software development lifecycle. The IT security team should collaborate with the software developers to define what level of security is appropriate for a given application. Finally, the IT security strategy should identify key standards it wants to deploy, in a security as a service model, and look to the marketplace for tools that allow for cost–effective, wide-scale deployment of the key enabling standards.
Security is a Virtual Reality
The same best practices that apply to a physical infrastructure apply to a virtual one as well. by Neil Roiter
Virtualization is changing the face of corporate IT, reducing the number of physical servers, saving space and cutting energy costs. Its flexibility and ease of deployment enables companies to respond rapidly to new business initiatives and requirements. Gartner predicts more than 4 million virtual machines will be deployed by 2009.
Does this change the security environment? Yes and no.
"The baseline is that virtual infrastructure is quite similar to physical infrastructure in terms of security," says Patrick Lin, VMware's director of product management for data center platform products. "It doesn't absolve you of following good security practices."
Virtualization, in fact, improves security practices in some respects. It's easy to create and deploy "gold" master server images, both for new deployments and for restoring compromised servers to a good state. It's ideal for testing patches on multiple configurations without additional hardware or exposing production systems.
That also means security managers must remember that, as in a physical network, one compromised server can affect others. Each guest server must be protected.
"People sometimes assume that virtual machines are isolated from each other; the user interfaces of these tools seem to imply isolation," says Ed Skoudis, founder of security consultancy Intelguardians.
"From a security perspective, generally, users in virtualized environments are still using the same tools in each guest" that they are for physical servers, says Simon Crosby, CTO of XenSource. "No one has gotten to the point in which the hypervisor offers security to multiple guests. That's still coming."
The shadow factor is the risk--mostly theoretical, at least for now--that the hypervisor itself can be exploited and controlled through some vulnerability and used to subvert the guest VMs.
"We advise people to assume the ability of an attacker to jump from guest to host to guest is a possibility, and to architect virtualization accordingly," Skoudis says.
The biggest risk, perhaps, comes from the adage that complexity breeds insecurity.
IT security staff used to associating security practices with boxes and wired networks have to be alert to changes. Virtual servers are easily and transparently moved to maximize bandwidth and computing resources; dormant high-availability servers need up-to-date patches and configurations.
The danger is acute if business-critical, high-security VMs occupy the same physical box as less secure servers. Best practice requires that enterprises group like servers from a security perspective.
It may be more complex than that. Maintaining--or even knowing--the correct configuration requirements may be problematic.
"There could be conflict when I change configurations and patch, given the complexity of SAN, virtualization software and the OS," says Dennis Moreau, CTO of Configuresoft. "Best practices have focused on each layer in isolation, but what's best for storage may not be for an application."
This means thinking in terms of dynamic situations, in which one gold standard for a given OS or application doesn't necessarily apply.
"IT has to connect dots across the components," says Moreau. "How do virtual components impact each other?"
"Security is not a problem perceived by customers; they're focused on performance and achieving consolidation," says XenSource's Crosby. "The bad guys are not paying attention yet, but this will increase as the number of virtual machines increases."
Neil Roiter is Information Security senior technology editor.
It's Your Call
IP telephony saves money and resources, but don't ignore security. by Neil Roiter
IP telephony is going mainstream. The cost savings of deploying, expanding and maintaining a converged network rather than separate voice, data and video infrastructure is too good to ignore. Frost & Sullivan recently reported that the North American enterprise IP telephony endpoint market revenues hit $1.02 billion in 2006 and predicts it will reach $2.79 billion in 2011.
As with any emerging technology, there's some confusion over security. It hasn't been much of an issue with traditional phone systems.
"It's been the most mission-critical and reliable application in the environment," says Gartner research analyst Lawrence Orans. Now, "It's just another application on top of the data network. The IP-PBX becomes just another vulnerable server."
But a server that controls the most important business application. Denial-of-service attacks against the IP-PBX or the network could bring business to a crashing halt.
"We haven't seen the kind of high-profile attacks on voice as we saw on the data side," says Orans. "That doesn't mean you shouldn't take precautions." He says targeted attacks will increase as IP telephony deployment grows.
Almost without exception, IP telephony is contained internally; the IP-PBX connecting to traditional communications infrastructure.
"The threat is still relatively low. IP telephony will become a more lucrative target as there are more vectors of attack," says Mark Collier, CTO of telephony security company SecureLogix. "There's little visibility outside of the perimeter."
Gartner advises to protect the IP-PBX the same way as any critical server, including a network firewall that supports VoIP protocols, including SIP, H.323 and the various proprietary protocols, depending on the IP-PBX vendor. Separate VLANs and bandwidth controls help assure quality of service.
"What you need to do is basic network security," says Collier. "We recommend an audit. Most threats can be eliminated by configuring correctly, fixing the dumb stuff. You should still have a traditional firewall; it's too early for a VoIP-specific firewall."
That will probably change over time. There are VoIP-based attack tools, mostly based on SIP. Although IP telephony providers like Cisco, Avaya and Nortel use proprietary protocols, market pressures are bound to push them toward SIP over time.
Sipera Systems' Viper Lab regularly discloses vulnerabilities in SIP systems. Sipera, along with companies like Natural Convergence and BorderWare, offer specialized VoIP security products.
"Many enterprises, primarily financial and health care, know these attacks are possible and are taking measures now rather than wait for an attack," says Krishna Kurapati, Sipera CTO.
Further, financials rely heavily on instant messaging for trading, including SIP-based applications like MS Office Communicator and Lotus Sametime. SIP security products may make sense for these companies, and for SIP-based voice going forward.
"IP telephony can be secured," says Gartner's Orans. "We advise our clients to move ahead if it makes sense to the business, and protect it properly."
Neil Roiter is Information Security senior technology editor.