
Federation 2.0: An identity ecosystem
July 2, 2011

Standards are maturing just in time for identity federations to meet the new demands for cloud and mobile access, reports Deb Radcliff.

For years, the notion of federating identities into a single secure identity ecosystem to work across multiple applications and entities seemed to gain little traction. That is, until recently, when cloud computing and mobility started placing new demands on access that only a federation could solve. The reality is, identity federations of hundreds of thousands to millions of business-to-business (B2B) entities are flourishing in the automotive, aerospace, pharmaceutical, government and other sectors. Now, vendors, service providers and enterprises are adopting standards to support single sign-on (SSO) authentication for cloud and mobile access. Meanwhile, Facebook, Google and other social networking giants are poised to become one-stop identity providers for the masses.

"Federation is alive, well and thriving," says Mark Diodati, research vice president at Gartner. "Most organizations are using federation internally, to connect to partners and to connect disparate security and access systems during mergers and acquisitions. Now, federated identity is about SSO and provisioning to resources in the cloud."

That is not to say that federation is going to be a walk in the park. The standards responsible for the growing adoption of identity federations are numerous and confusing, experts say. Yet, to comprehensively prepare for federation, enterprises and cloud service providers, as well as identity services and access management vendors, will all have to consider multiple standards based on their own and their users' access models.
Another issue is vetting the identities, which brings into question legal issues around privacy, liability and allocation of risk, says Jeremy Grant, program director of the National Strategy for Trusted Identities in Cyberspace (NSTIC), a public-private sector initiative that debuted in April. The agency is charged with creating a trusted online ecosystem that would designate a single credential to users as a one-time digital password (e.g., software for mobile devices, a smart card or a token) to foster secure transactions on the internet.

"There are very large federations out there specific to sectors within the government and in vertical industries," Grant says, pointing to SAFE BioPharma (a standard used by organizations to verify and manage digital identities), CertiPath (which manages a huge identity federation for the aerospace industry), and the InCommon Federation (which supports more than 200 research universities). The issue is getting identity federation to the next level, which requires a new wave of authentication technologies, and rules to govern them, that can work in a highly mobile, portable world where smart cards and tokens may not always be the answer. For example, he cites phone authentication, which can be used as a third factor for one-time tokens delivered via text message. In addition, the phone itself can be used as the additional factor.

Enterprise federations

These, and multiple other SSO and authentication technologies, are enabled by federation, say experts. However, depending on their use, federated networks come in many different flavors, all of which are affected by what analysts call an alphabet soup of standards. Confusion over these standards has, so far, held up widespread adoption of federation, says Eve Maler, principal analyst with Forrester Research. She estimates that large-enterprise adoption of federation for business process outsourcing, such as access to human resources web apps, is higher, although there is no formal data available.
She adds that adoption will really take off now that the Security Assertion Markup Language, or SAML, became a standard once Microsoft adopted it for its Active Directory Federation Services (AD FS) 2.0, released in mid-2010.

"All vendors, services and enterprises need to get on board with SAML if they want to federate identities," says André Gold, senior director of technology operations and IT security at AutoTrader.com, a subsidiary of Cox Enterprises. AutoTrader, which recently completed the acquisition of VinSolutions, a provider of end-to-end solution platforms for auto dealers, has been developing SSO provisioning internally based on SAML and other standards, and is now providing SSO to some of its customers.

"Federation has become a key component of our mergers and acquisitions strategy," Gold says. "It will enable us to on-board new companies and, ultimately, new customers and consumers too, in a quicker and more cost-effective manner. More importantly, we will be able to provide a richer experience to these groups as they interact with different applications and products across the AutoTrader.com portfolio."

While Gold has worked for organizations that have been able to build their own hooks based on SAML APIs, a growing number of organizations are turning to vendor products or identity service providers to federate their whole identity infrastructures, say analysts.

"Managing your identities, your PKI certificates, assertions and authentication is complicated in this ever-changing identity federation landscape," says Dave Miller, CSO of Covisint, which supports nine million users of OnStar, linking vehicle drivers with remote services. This is why analysts see a growing service industry around identities: these services handle the hard work of standardization and identity management for their customers.

The American Hospital Association (AHA), based in Chicago, is one organization which turned to an identity service after federating the first five of 16 widely used software-as-a-service (SaaS) applications for the cloud.
Some of the service applications they are federating include social intranet and collaboration provider Socialtext, document management and collaboration provider Box.net, IT self-service management provider Numara FootPrints, and HR payroll/time entry service UltiPro.

"In one example, we had our own custom SAML adoption for one of our performance management tools, but that tool vendor kept changing the way its login works around the exchanging of public and private encryption keys, and our links kept getting broken," says Karthik Chakkarapani, the AHA's IT director of technology solutions and operations. "We didn't want to do this with 16 applications. And we didn't want to write our own code to enable the single sign-on to all these applications either."

Federating to mobility

Synovus Bank, with 30 banks on the East Coast, didn't want to manage the identities of its approximately 100,000 commercial and 200,000 home-based customers. It also wanted its identity management to occur outside its firewall. So Synovus recently started using Crosscheck Network's Forum Sentry XML Gateway service between these users and their applications.

"Users and their sessions authenticate on the Forum structure, their SAML assertions are signed by Forum, and Forum also issues their secure tokens," says Santosh Kokate, lead technical analyst with Synovus. "The beauty is I have online banking sitting safely behind the identity gateway, and the identities and authentication are established there. I don't have to manage those identities or write a single line of code to make federation happen."

Synovus also supports authentication for mobile users through REST (Representational State Transfer), which supports HTTPS-based assertions, for what Kokate estimates are 8,000 mobile banking customers at this point (with more planned in the future). Because Synovus' intermediary, Crosscheck, supports these and other standards, Synovus can adapt to different types of identity federation requirements as needed.
In Architecting a Cloud-Scale Identity Fabric, a report to IEEE, the world's largest professional association dedicated to advancing technological innovation, Eric Olden, the founder, CEO and chairman of Symplified, discussed two additional standards needed to extend SAML for more granular provisioning (through Service Provisioning Markup Language, or SPML) and user authorization and access management (through Extensible Access Control Markup Language, or XACML).

"Here's a news flash for you: Federated Identity 1.0 is dead," Olden says during a follow-up interview with SC Magazine. "Long live Federated 2.0 to support SSO, multifactor authentication and identity management in an increasingly mobile user base all essentially accessing through the cloud."

There are even more standards supporting federation at the 2.0 level, say experts. One is OAuth (Open Authorization) 2.0, which is flexible, lightweight and can be used when SAML is not available by carrying assertions over HTTPS. As such, OAuth, along with OpenID, another standard, facilitates access by mobile devices through unique forms of authentication, such as using SMS to issue secondary authentication tokens, or using the phone itself as an identifier.

To make access painless for its nearly six million end-users and 60,000 businesses, the cloud content management platform at Box, a Palo Alto, Calif.-based online content management and file storage business, needs to enable sharing and collaboration from anywhere on any device, while also providing the security, visibility and reporting capabilities required by IT departments. The only way to meet those needs is to support all popular federation standards, says Tomas Barreto, engineering manager at Box.

"Our customers are going to need SSO for all of their applications internally, and for all their clouds, not just our Box cloud," Barreto says. "To enable SSO use with multiple clouds, we need to support multiple standards, including legacy SSO standards, current SAML standards and new standards as required."

Federating to the consumer

In consumer-to-business federation networks, such sites as Facebook, Google and other popular social networks are embracing OpenID and other lighter, more open standards so they can become the identity service providers for their own consumers and all their non-sensitive online applications, Forrester's Maler says.
Logging in at Facebook, then, would allow users a single click-through to their other applications, so long as those application providers are participating in the federated network and interoperate with the appropriate standards. While some organizations feel uneasy about using a Facebook or Google account as the primary login for their customers, employees and partners, others are accepting this as the way of the future. For example, the AHA's Chakkarapani says many of his mobile, part-time and younger workforce want to leverage social networking for conducting all forms of business.

"We need to be able to support all types of access in order to achieve the 100 percent adoption of our system that we've achieved," Chakkarapani says. "Many of our young people will only work in these types of collaborative environments."

On the other hand, AutoTrader's Gold says he worries about the risk of using social networks as the primary identification service for employee, partner and, ultimately, consumer access. For example, in May, 100,000 Facebook applications enabled the leakage of millions of access tokens to third parties, and there are myriad examples of social networking consumers being phished of their credentials or letting in malware that gets in the middle of properly authenticated communications.

This is why vetting the identity provider is important for organizations considering outsourcing their identity management, says NSTIC's Grant. "Vendors and service providers are picking up the basics of identity now, doing provisioning and directory services management," says Grant, whose program has been slotted to receive $18 million to support identity pilot programs in 2012. "But the tools for governance and compliance aren't there yet."

At the end of the day, it doesn't matter what the standard is, just as long as the identity ecosystem is working for businesses and consumers, says Patrick Harding, CTO of Ping Identity, an identity security firm.
"A CTO doesn't care what standards are involved or if it is federated or not," he says. "CTOs don't want lots of passwords everywhere, and they want to seamlessly access all of their applications regardless of where they're accessing from or where their applications are hosted."

Sidebar. LEGALITIES: What is required?

The American Bar Association's Identity Management Legal Task Force is trying to sort out legal and privacy issues surrounding identity attributes and trust. In January, after a series of regional and national meetings, the ABA released version two of its Trust Framework for federated identity networks. The framework describes operational and legal requirements for building trust into these systems, including the use of specifications, standards and rules of operation and enforcement.

Perimeter defense
December 2, 2011

Defending the perimeter is increasingly becoming an ambiguous concept. The hard, knife-edge perimeter of the past is dead and gone. Long live the sort-of-fuzzy, kind-of-gray-area, not-quite-a-DMZ perimeter of the future. This notion begs the question: Who cares about the perimeter anyway? After all, it's all about the data, and we are interested in sharing a lot with the world at large, so why not just protect the data and let the rest go?

Well, that's barking up the right tree, but as my grandpappy was fond of saying, "Ya ain't got the coon treed yet." To tree the coon, we really do need to be concerned with both the data and the infrastructure, since it is the poisoning of the infrastructure that puts our data at greater risk.

Being able to address problems at the application layer before they can infect devices and other applications, move about the enterprise collecting sensitive data and phone home to deliver the booty is a key aspect of protecting the ever-fading perimeter in the enterprise of the future. That said, it would be good if such a device could work hand-in-glove with a data leakage product so that interdiction of malware phoning home with a payload could become a defense-in-depth proposition. That is where this year's perimeter defense Innovator comes into the picture.

Should the perimeter defense system also be the data leakage prevention tool? That's an open question in our view. We can make a pretty good case that it should, but then we would lose the defense-in-depth. That, of course, is the primary argument against unified threat management (UTM). The answer has been that the depth becomes what is done at the client level: one layer of protection goes to the perimeter and one to the endpoint. For this year, however, we did include an independent data leakage prevention (DLP) product.

When the perimeter is especially fuzzy, having endpoint, DLP and perimeter protection is a very good idea, indeed. And, making all three of these pieces work together will, for certain, tree that pesky, enterprise-compromising coon.

M86 Secure Web Gateway

A couple of months ago, we recommended the M86 product to some friends in the banking industry. We had the opportunity to give the product a thorough shake-down, and the results were impressive. First, malware defines the M86 product. And the malware engine defines its innovation. M86 focuses on distinct capabilities that are holistic, rather than any one single capability. Regardless of what the organization is, M86 has deployed its anti-malware tools from small enterprises up to the very large. Read the market, respond and move the product fast. Listen closely to customers and anticipate. That is what makes M86 tick. And it shows in its products and support.

M86 has a very long history. The founders created the current company by merging several world-class companies together. Each was an innovator in its field. Together, they looked for a problem to solve in the market. Over a very short time, they developed a vision of applications that will be a problem in the future. Then they attacked the management of those applications.

M86 capabilities are available through the company's appliance, software or software-as-a-service (SaaS) for web and email security.

M86 works with organizations that have a vested interest in keeping their customers safe, so it provides the technology to ensure that safety. These partners become M86's salesforce, taking its products to their customers, keeping the customer safe and not spreading malware around the web.

M86 products use patented, real-time code analysis and behavior-based malware detection technologies, as well as threat intelligence from M86 Security Labs, to protect networks against new and advanced threats, secure confidential information and ensure regulatory compliance. A tall order, but certainly within the realm of M86's capability. The strong merging of premises products and cloud services gives M86 customers access to a lot of power.

AT A GLANCE
Vendor: M86 Security (http://www.m86security.com/)
Flagship product: M86 Secure Web Gateway
Cost: starts at $4,980/$9.38 per user license for 10,000+ users, including one-year standard support.
Innovation: A comprehensive defense gateway with the ability to work with associated products to protect the internal network from the perimeter.
Greatest strength: Technological know-how, experience and creative problem solving.

Trustwave DLP

We've said it before, but here we go again: Trustwave is without a doubt the finest example of a well thought-out cybersecurity product going. It is intuitive, has well-constructed menus and capabilities, and does exactly the job for which it is intended.

Trustwave was the result of a merger in 2005. The predecessor company was founded in the 1990s by ex-NSA employees and was mostly a consulting practice focusing on PCI compliance. The current company still does consulting and assessment, plus it has a portfolio of more than 20 products, which it either built itself or has acquired. Trustwave has built a comprehensive security portfolio by actively integrating everything in its kit into a holistic security management system.

The Trustwave strategy is to build and acquire leading products from multiple sources and integrate the mix into what the customer needs, whether on premises or as a managed security service. The company actively applies both consulting expertise and research. That provides a platform of knowledge and experience. The team also has a unique ability to combine compliance management with compliance enablement by providing all the necessary services and components to allow one-stop shopping. From the beginning, it has established relationships with large banks and consortia to provide products and services in bulk. Using its partners to leverage sales, Trustwave has over time established a base of more than one million clients by selling to the customers' customers and leveraging those relationships.

Recognizing that customers grapple with complexity and compliance, Trustwave set out to simplify this through a comprehensive suite of security products and services. When we asked the visionary what makes the company tick, he answered: "Trustwave is committed to identifying and protecting sensitive data in every form in every environment. Our vision is for a global community in which transactions are safe, and information flows freely and securely."

That global vision has gone a long way toward putting Trustwave in this year's Innovators designation.

AT A GLANCE
Vendor: Trustwave (http://www.trustwave.com/)
Flagship product: Trustwave DLP
Cost: $10,000
Innovation: Data leakage prevention for the rest of us.
Greatest strength: Intuitive organization, strength and depth of technology to support users no matter who they might be.
