<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Security Squared</title><link>http://www.experteditorial.net/securitysquared/</link><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/SecuritySquared" /><language>en</language><lastBuildDate>Wed, 10 Mar 2010 12:36:23 PST</lastBuildDate><generator>Movable Type Pro 4.25 http://www.sixapart.com/movabletype/</generator><feedburner:info uri="securitysquared" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><description /><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology/Tech News</media:category><itunes:explicit>no</itunes:explicit><itunes:subtitle /><itunes:category text="Technology"><itunes:category text="Tech News" /></itunes:category><item><title>$25M in New Funding Sparks Pivot3 Sales and Product Expansion </title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/7MTIBODWnus/25m-in-new-funding-sparks-pivot3-sales-and-product-expansion.html</link><category>Storage</category><category>integratedsecurity</category><category>storage</category><category>videostorage</category><category>videosurveillance</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Wed, 10 Mar 2010 12:36:23 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.191</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        Pivot3's latest round of $25 million in funding will spearhead its entry into international markets as well as help bolster its line of integrated storage appliances. <br /><br />With the venture capital infusion, <a href="http://www.pivot3.com/">Pivot3</a> will open its first offshore sales office and demonstration lab--in Tokyo--which will support the larger Asian market. Pivot3 sells IP-based storage area network (IP-SAN) appliances that integrate video management software from a menu of partners--delivering surveillance management and terabyte-level storage in one box. The company is coming off its first sales in the Pacific Rim region, having made recent installs in South Korea, said Lee Caswell, co-founder and chief marketing officer. The company also plans to double its U.S. sales force to 20 from its current 10, he said.<br /><br /> 
        The Tokyo office will feature Pivot3 interoperability with cameras from vendors such as <a href="http://www.arecontvision.com/">Arecont Vision</a>, <a href="http://www.axis.com/">Axis Communications</a>, <a href="http://www.iqeye.com/">IQinVision</a> and <a href="http://pro.sony.com/bbsc/ssr/cat-securitycameras/?XID=O:burbanksecurity09_sony%20security">Sony</a>, Caswell said, and with software from partners such as <a href="http://www.milestonesys.com/">Milestone Systems</a>. "Our lab is where users can see the product locally and be supported locally," he said. Similar expansion is planned for Latin America and Europe, Middle East and Africa, Caswell added.<br /><br />Pivot3's backers, led by <a href="http://www.focusventures.com/">Focus Ventures</a>, aim to see both short-term payback and long-term strategic growth from the latest round, Caswell said. InterWest Partners, Lightspeed Venture Partners, Mesirow Financial Capital Partners IX, and Silver Creek Ventures--all existing investors--also participated in the new funding.<br /><br />In line with its product expansion strategy, Pivot3 is also rolling out two storage appliances, MiniBank and HardBank, designed for smaller, decentralized surveillance and storage applications. Information about the products is on the Pivot3 site, although Caswell said additional details will be released next week.<br /><br />In contrast to CloudBank, Pivot3's flagship product designed for large, centralized installations, which supports 12 to 24 TB of storage and which can be configured in arrays that can support up to 144 TB, MiniBank supports 4 to 8 TB in decentralized set-ups and can be arrayed to support up to 48 TB. HardBank is essentially a ruggedized version of MiniBank for harsh environments.<br /><br />Right now, Pivot3 leads the global market for IP SANs used for video surveillance, according to <a href="http://www.imsresearch.com/index.php">IMS Research</a>. 
<a href="http://ipvideomarket.info/updates/550">Analysts such as John Honovich</a> acknowledge that the company has a strong play in the higher-end segment for high-capacity, centralized surveillance storage, but say it may face broader competition where deployments are less than 100 cameras.<br /><br />Nonetheless, MiniBank and HardBank give integrators in the Pivot3 channel a value-added product to sell into large Pivot3 accounts that may have additional decentralized video systems, Caswell said. An example would be a railway system, he added. Large stations require several dozen cameras spread out over platforms, ticket windows, food courts and waiting areas. Outlying stations may only need two or four cameras for platform surveillance. Caswell emphasized, however, that add-on sales were not the sole target for the new products. &nbsp;<br /><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/7MTIBODWnus" height="1" width="1"/>]]></content:encoded><description>Pivot3's latest round of $25 million in funding will spearhead its entry into international markets as well as help expand its line of integrated storage appliances.</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/03/25m-in-new-funding-sparks-pivot3-sales-and-product-expansion.html</feedburner:origLink></item><item><title>Latest Cisco IPICS Integrates Dispatch Console, Mobile Live Video, Physical Security, PSIM  </title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/ZQCVIuGGBvs/latest-cisco-ipics-integrates-dispatch-console-mobile-live-video-physical-security-psim.html</link><category>IP Networking</category><category>PSIM</category><category>Public Safety</category><category>Situation Management</category><category>ipnetworking</category><category>psim</category><category>publicsafety</category><category>situationmanagement</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Wed, 10 Mar 2010 12:48:44 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.190</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b><font style="font-size: 1em;">Cisco adds dispatch console, interoperability for smart phones, other mobile devices to IPICS 4.0; APIs bring in PSIM, other systems<br /><br /></font></b><font style="font-size: 1em;">Cisco today is announcing availability of its <a href="http://www.cisco.com/en/US/prod/collateral/ps6712/ps6718/datasheet_c78-582926.html">IP Interoperability Collaboration System (IPICS) 4.0</a>,<b> </b>styling it as a replacement for old, immobile dispatch consoles</font> because of its ability to create a "collaborative" mobile incident management session among first<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.experteditorial.net/securitysquared/assets_c/2010/03/IPICs-236.html" onclick="window.open('http://www.experteditorial.net/securitysquared/assets_c/2010/03/IPICs-236.html','popup','width=529,height=351,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://www.experteditorial.net/securitysquared/assets_c/2010/03/IPICs-thumb-200x132-236.jpg" alt="" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" width="200" height="132" /></a></span> responders, pushing and pulling live video and other media to an array of devices, including smart phones as well as traditional UHF/VHF radios.<br /><br />Further, IPICS 4.0's policy engine "complements" physical security information management (PSIM) solutions an agency or enterprise might have in place, with the PSIM solution potentially pushing response templates to IPICS and its dispatch console, said Craig Cotton, senior director of product marketing, physical security business unit, at Cisco in a pre-release briefing with Security Squared.<br /><b><font style="font-size: 1em;"><br /></font></b> 
        <b>Mobile Media-Rich Incident Management</b><br />
<br />Broadly, the release will enable entities to manage incidents and
situations from any device with a network connection, with all
responding parties able to share live or archived video, voice and other
data using virtually any network-connected device, from standard
telephones to smart phones. Only one agency needs to deploy IPICS 4.0
to enable the interconnections and data sharing.<br /><br />
Bryant University was offered as a representative case
study: its IPICS pilot installation is enabling collaboration among 13
first responder agencies throughout Rhode Island and two other states.<br />(<a href="http://www.cisco.com/web/strategy/docs/education/vds_edu_byrant2.html">See video case study of Bryant University's IPICS 4.0 pilot here</a>.)<br /><br />The other agencies are not necessarily using IP-based communications devices, explained Cotton; it's IPICS that manages the interoperability of devices. The other groups do not need to deploy any new technology. <br />
<br />
The IPICS Mobile Client provides the multimedia data to the devices. It will debut as an "app" for Apple Inc.'s iPhone and then port to other devices. It can accommodate video from a variety of sources, including live,
archived and Web-based, such as a YouTube video. Each of these sources
can be patched through the dispatch console to the respondents, or from
respondents to the console.<br /><br />The dispatch console itself need not be in a static location, but could be ported to a mobile, networked device, such as a laptop.<br />
&nbsp;<br />IPICS 4.0 is fully integrated with Cisco's "Connected Physical
Security" product portfolio, which includes IP cameras, video
management, and physical access control. Web services application programming
interfaces (APIs) enable users to integrate IPICS with third-party applications, including command and control, physical security information management (PSIM) and computer aided dispatch (CAD). <br /><br />Further, a "pretty rich" scripting engine enables users
to create custom responses to reside in the IPICS policy engine, Cotton
said. The engine can push action templates to responders; via the API, it can also be tied to response policies residing within a PSIM solution, Cotton said. So the IPICS policy engine and a PSIM solution would be complementary, he noted.<br /><br /><span class="content"><div style="margin: 0pt 0pt 7pt; font-style: normal; font-variant: normal; font-weight: normal; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none;" class="pBodyCMT">With the APIs and scripting, enterprises could pull data from a variety of internal systems into IPICS incidents so that the data could be automatically forwarded to the dispatch console and/or mobile devices. <br /><br /><b>Higher Availability, Lower Price<br /></b></div></span><span class="content">

 <a href="editor-content.html?cs=utf-8" name="wp9000088"></a>
<div style="margin: 0pt 0pt 7pt; font-style: normal; font-variant: normal; font-weight: normal; text-align: left; text-decoration: none; text-indent: 0pt; text-transform: none;" class="pBodyCMT"><br />IPICS 4.0 customers may add a secondary hot standby
server that would automatically take over if the primary server failed, Cotton said. The servers can be
geographically separated or located together. <br /><br />Communications among devices are secured via SSL, secure VPNs and secure HTML, said Hiebert.<br /></div><a href="editor-content.html?cs=utf-8" name="wp9000093"></a></span>Cisco is offering IPICS 4.0 in a smaller form
factor, at a lower price point--a $25,000 entry-level price tag vs. $100,000 previously--with a variety of
software bundles, said Cotton. The new pricing "has dramatically increased interest" in IPICS among
universities and local and state agencies, including fire and police, he said.<br /><br />IPICS's lower total cost of ownership, which comes from its use of existing IP networks, together with the cost of an iPhone compared to radios, should make it an attractive solution, Cotton said.<br /><br />"I'm not suggesting every municipality, airport, police and fire department around the world is going to get rid of their radios and go with iPhones," said Cotton, who pointed out the iPhone would not be a suitable radio replacement for customers using many different frequencies. Others, though, who tend to use single channels and basic capabilities may find IPICS 4.0 and its Mobile Client iPhone app especially appealing. <br /><br />"For them, an iPhone may be a suitable replacement for what would be a $2000 radio," he said.<br /><br /><div align="center"># # # <br /></div><font style="font-size: 1em;"><br /></font><b><font style="font-size: 1em;"><br /></font></b>
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/ZQCVIuGGBvs" height="1" width="1"/>]]></content:encoded><description>Cisco today is announcing availability of its IP Interoperability Collaboration System (IPICS) 4.0, styling it as a replacement for old, immobile dispatch consoles because of its ability to create a "collaborative" mobile incident management session among first
responders,</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/03/latest-cisco-ipics-integrates-dispatch-console-mobile-live-video-physical-security-psim.html</feedburner:origLink></item><item><title>The Cloud, Convergence, Consumerization and Common Sense</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/53-gBo2rys8/the-cloud-convergence-consumerization-and-common-sense.html</link><category>Cloud Computing</category><category>Convergence</category><category>Identity and Access Management</category><category>RSA Conference 2010</category><category>cloudcomputing</category><category>convergence</category><category>identityandaccessmanagement</category><category>rsaconference2010</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Fri, 05 Mar 2010 10:20:30 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.189</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <font style="font-size: 0.8em;"><b><font style="font-size: 1.25em;">An RSA Roundup</font></b><br /><br /></font><font style="font-size: 1em;">The Cloud has been everywhere at RSA this week, permeating presentations and vendor discussions and casual discourse almost as much as foreign-originating cyberattacks. <br /><br /></font><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.experteditorial.net/securitysquared/assets_c/2010/03/RSA2010%20logo%20blk+gray-thumb-250x33-231.jpg"><img alt="Thumbnail image for RSA2010 logo blk+gray.jpg" src="http://www.experteditorial.net/securitysquared/assets_c/2010/03/RSA2010%20logo%20blk+gray-thumb-250x33-231-thumb-250x33-233.jpg" class="mt-image-left" style="margin: 0pt 20px 20px 0pt; float: left;" width="250" height="33" /></a></span><font style="font-size: 1em;">What the tone of conversation reminds this writer of is the earliest days of the Web, when it was becoming obvious the Web and the Internet were disruptive, game-changing technologies--but no one truly knew exactly how the game would change or what their new position in it would turn out to be.<br /><br />Worried about being left behind, many companies scrambled to "get on the Web." Some had a vision; others did it just to say they were there, often spending a lot of money for those bragging rights. It wound up taking some years before it became clear how to integrate the Web into business processes and make the Web work as a tool.<br /><br />The breathless cloud discussions at the 2010 RSA Conference in San Francisco have some of this tone of "we've gotta be in the cloud!" 
As we've talked to smart, smart people in security and identity management from <a href="http://www.ca.com/us/">CA</a>, <a href="http://www.hp.com/">Hewlett-Packard</a>, <a href="http://www.ibm.com/">IBM</a>, <a href="http://www.microsoft.com/">Microsoft</a>, <a href="http://www.netiq.com/">NetIQ</a>, <a href="http://www.novell.com/">Novell</a>, <a href="http://www.splunk.com/">Splunk</a> and <a href="http://www.vidsys.com/">VidSys</a>, it's clear that some plain common sense needs to </font><font style="font-size: 1em;">temper some of the cloud conversation--at
least, if companies are to use the cloud with their security policies
and procedures intact.</font><font style="font-size: 1em;"> <br /></font><br />
        <font style="font-size: 1em;">"A lot of [business] departments are buying Software as a Service (SaaS) without going through approval processes," said Nick Nikols, vice president, product management, identity and security for Novell in an interview with Security Squared. <br /><br />Nikols said many CSOs/CISOs don't realize how much SaaS-based computing is going on in their organizations. Yet they and their enterprise are still accountable. "The fact that it's cloud-based doesn't mean security and compliance requirements don't apply," he said.<br /><br />Further, some security experts argue cloud risks aren't fully understood. "That should be alarm enough," said Geoff Webb, senior product manager for NetIQ, a security information and event management solution vendor.<br /><br />What Nikols, Webb and other sources say is that enterprises must extend their internal security access and identity-proofing policies to whatever cloud or SaaS applications they use, whether they own them or buy them from a third party. The more automated this process, the better, so that enterprises can also get employee access to SaaS apps shut off when they leave. Otherwise, as Nikols put it, "there's not much" to stop them from accessing cloud apps and enterprise data whenever and wherever they choose.</font><br /><br /><font style="font-size: 1em;"><b>Consumerization of Identity Management? <br /><br />
</b>
As we've reported, authentication of identities was a big theme all week as well. What struck us was how the notion of identity is likely to become more top-of-mind for increasingly tech-driven consumers in the U.S.&nbsp; <br /><br />First, it's not just within enterprises that identities
need to be authenticated, but on rapidly proliferating mobile devices.
Cisco<a href="http://newsroom.cisco.com/dlls/2010/prod_030210.html?sid=BAC-NewsWire"> announced its solution</a> for tying enterprise mobile devices to
enterprise networks at all times. Cisco has consistently talked about the power of mobile computing and social networking and the need for enterprises to secure them rather than forbid them. <br /><br />
Meanwhile, a raft of big players including Google and CA announced the
formation of the <a href="http://openidentityexchange.org/">Open Identity Exchange</a>.&nbsp; Its goal is to facilitate the
exchange of trusted online credentials among private and public bodies.<br />
<br />
And Microsoft discussed its "End to End Trust" vision for the Internet this week, a
component of which is <a href="http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/eid.aspx">U-Prove</a>. The goal is to securely authenticate identities, yet do so by sharing as little data as possible, to help users feel more in control of
their online persona.<br /><br />What we wonder about these initiatives is if it's possible for consumer-oriented strong identities to trickle into the corporate and public environment. Some of that is occurring in Europe, as explained by Nora Cox, senior manager, product management, for <a href="http://www.entrust.com/">Entrust</a>, in an interview. <br /><br />In brief, the intelligence and investment that's gone or going into national identity cards in places like Germany, Spain and New Zealand is being viewed as a source of identity proofing that other entities could accept for transactions as well. <br /><br />A national ID card in the U.S., in the form of the DHS's RealID initiative, has been beaten down by privacy and security concerns. Still, as cybercrooks try to steal our real and digital identities, such efforts might take on new life and, just as consumers drove instant messaging and are driving social networking into enterprises, it could be they'll push some identity technologies in as well.<br /><br />(Hey, it's RSA: We can blue-sky too.) <br /><br /><b>Convergence: It's the Data, People</b><br /><br />Finally, we come to convergence--which has been present at RSA, if not always obvious. If one talks about physical security systems to IT security professionals, it doesn't track. But talk about matching data like physical access logs, sensor readings, inventory movement, etc., with login data, transaction data, change data--and lights go on.<br /><br />Folks who "get it" include Splunk, which bills itself as an IT search engine. Splunk doesn't search the web, though; rather, it will comb through any and all enterprise systems, looking at logs and pulling out any data requested and running queries, such as "show me who came in door X at hour Y and what they did in system Z and how did sensor V react." 
<br /><br />"Splunk is for when you don't know what you're looking for," said Mark Seward, director, security and compliance solutions marketing for the company. In talking with us, Seward said Splunk is popular with intelligence agencies and the Department of Defense as well as many retail enterprises. While the former are secretive about their uses, the latter turn to Splunk to help them see such forces as how long their customer service calls take and why.<br /><br />"It helps break down silos between operations guys and security," said Seward. "They're siloed until they start sharing data and seeing the implications."<br /><br />That data sharing and correlation is the heart of convergence, not just IP-based systems and integration of physical security on the IT network. <br /><br />"It's all about data, regardless of the system it comes from," said David Fowler, senior vice president, marketing and product development, for VidSys, a physical security information management vendor, in an interview with us. "Not all of it is contained in or generated by security systems." <br /><br />That's common sense--and cutting through all the technical issues and divisions of security labor, it's what convergence is all about. We'll bring you more of the IT perspective on that as our RSA follow up and feature coverage continues next week.</font><font style="font-size: 1.25em;"><br />
<br />
&nbsp;</font><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/53-gBo2rys8" height="1" width="1"/>]]></content:encoded><description>Rounding up thoughts on cloud security, identity and convergence as the RSA Conference 2010 winds down.</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/03/the-cloud-convergence-consumerization-and-common-sense.html</feedburner:origLink></item><item><title>Strong Authentication Flexes Its Muscles at RSA</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/ZEVIC5sm8mU/strong-authentication-rsaconference-trend.html</link><category>Access Control Systems</category><category>Biometrics</category><category>Identity and Access Management</category><category>RSA Conference 2010</category><category>Strong Authentication</category><category>accesscontrol</category><category>identityandaccessmanagement</category><category>rsaconference2010</category><category>strongauthentication</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Thu, 04 Mar 2010 11:59:30 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.188</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <font style="font-size: 1em;"><b>Gemalto, PassLogix, Entrust Talk Strong Authentication</b><br /><br />Authentication, authentication, authentication--at least two factors of it, possibly more--that's a mantra we're hearing a lot at RSA this week, with a range of vendors from well established global giants like Gemalto and HID to Innovation Sandbox players like KikuSema GmbH and RavenWhite presenting solutions for how to ensure the person accessing an application is actually the physical person you think it is.<br /><br /></font><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.experteditorial.net/securitysquared/RSA2010%20logo%20blk%2Bgray.jpg"><img alt="" src="http://www.experteditorial.net/securitysquared/assets_c/2010/03/RSA2010%20logo%20blk+gray-thumb-250x33-231.jpg" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" width="250" height="33" /></a></span><font style="font-size: 1em;">Multifactors of authentication--something you have, plus something you know--seem to be gaining credence as the baseline for secure authentication. "I don't think you can go to the cloud without two-factor authentication," said Ray Wizbowski, director of marketing communications, North America, for <a href="http://www.gemalto.com/">Gemalto</a>, which provides a range of digital identity assurance solutions.<br /><br />Further, using at least two authentication factors helps users break bad security habits and think more about security, he told Security Squared. "By introducing this technology, it makes people more mindful of security," Wizbowski said.</font><br />
        <font style="font-size: 1em;">At RSA, Gemalto, whose .NET smart card technology is embedded in
Microsoft employees' corporate badges worldwide, announced the
integration of its Protiva Strong Authentication Server with
Microsoft's Forefront Identity Manager (FIM) 2010. What this means is
enterprises can use the FIM interface to provision, deploy and manage
smart card-based one-time password (OTP) devices linked to Gemalto's
server. <br /><br />Given FIM's own support for smartcard management, the
combination should mean enterprises can more easily connect logical and
physical access rights based on an employee's role and criteria defined
in FIM. And the smartcard or another physical credential is a natural
place for convergence to occur, Wizbowski said.<br /><br />Gemalto also was
demonstrating its solution for defeating "man in the middle" and SQL
injection attacks, which are rocking the finance world in particular.
In these attacks, the criminals either make users think they are
connecting with their bank when they're actually at a bogus site, or
the criminals hijack an authenticated online session to steal
credentials and/or transfer cash.<br /><br />To thwart these, the Gemalto
solution puts a smartcard and reader, connected with a USB cable, at
the desktop of the financial institution's customer, explained Wizbowski. Instead of connecting to the bank via a Secure Socket Layer
(SSL) connection over the Internet, the smartcard serves up a browser
session to the user--and can only do so if the card is in the reader
and the user enters the right PIN.<br /><br />"The card packages up the
session," Wizbowski told Security Squared. "There's no injection
capability."&nbsp; Before transmitting the completed session to the
financial institution, it's fully encrypted. At no time is the session
live on the Internet.<br /><br />"The ideal customer for this is a business
transacting large sums of money," Wizbowski said. Those could include
mortgage closings, payrolls, wire transfers, etc. Eventually, as more
laptops come equipped with card readers and/or biometric readers, as US
credit cards get smarter and as consumers worry more about online
security risks, such two- and three-factor authentication will become
more widespread, he said. <br /><br />"Consumers are frustrated with payment technology that doesn't protect them," Wizbowski said.<br /><br />
That could be another way "consumerization" influences enterprise
security: if consumers are using more smartcard and two-factor
authentication technology at home--which is already the case in Europe
and Asia--they should be more comfortable using it at work.<br /><br /><b>Using What You Already Have</b><br /><br />Taking something people already have at work, are familiar with and then turning it into a second factor of authentication is at the core of the v-GO Universal Authentication Manager (v-GO UAM)&nbsp; from <a href="http://www.passlogix.com/">Passlogix</a>.<br /><br />With v-GO UAM, a user taps the same proximity or smartcard they used to enter the building against a reader on their PC; that's the first factor of authentication. Then the user enters a second factor--a PIN code. Tapping the badge again will lock the workstation or log the user off.<br /><br />The solution works with cards from any vendor. Further, users self-enroll: if v-GO UAM does not recognize the card the first time it is tapped, it will prompt the user through a simple enrollment screen. <br /><br />"We're card agnostic, we're authentication agnostic," Michele Favaro, vice president of marketing, Passlogix, told Security Squared. "We can't tell customers how they should get into their systems."<br /><br />That said, the solution offers enterprises flexibility in how strong they'd like to be with authentication, she said. For example, v-GO UAM offers self-service password retrieval, and companies can customize how tough the questions will be for a user to answer. One client will not permit any questions or answers that conceivably could be found in its human resources database, Favaro said.<br /><br />Future versions of v-GO UAM will support additional authentication factors, such as USB tokens and biometrics, with enterprises able to choose which groups of employees could use which factors, depending on security needs or work environments. It can also be combined with Passlogix's single sign on solution, which in turn can be configured so that employees never know the password they're using to access applications. 
<br /><br />That scenario, using a building card plus a password generated by the system but unknown to the user, thwarts social engineering criminal schemes, Favaro said. "We're taking the keys out of the front door," she said.<br /><br /><b>More Convergence at the Credential Level?<br /><br /></b>The actual front door of an enterprise has traditionally been the domain of physical access control systems and their vendors. Today, some of these and other physical security vendors are asking more questions about how to extend their offerings into the digital realm, said Nora Cox, senior manager, product management, for <a href="http://www.entrust.com/">Entrust</a>, the Ottawa-based digital identity security solutions provider.<br /><br />"It's market driven," Cox told Security Squared, pointing out that the physical access space is a fairly mature market. "They'd like to take that same credential and use it for more things."<br /><br />Her colleague, Mike Moir, product manager, said compliance is driving enterprises to consider stronger authentication, but that cost remains an issue in what technologies they adopt and how converged the solutions might be.<br /><br />"Most of the regulations are very loose, requiring you to do 'something,' but what is that 'something?'" he said. Most enterprises tend to opt for something less expensive than a smart card. Yet they remain concerned about damage to their brand and reputation from a data breach, Moir said.<br /><br />"It makes more sense to manage one system than two diverged," he said of the usual separation of physical access and logical/network access. 
Doing so would enable enterprises to get more return on investing in the more expensive--and more secure--authentication factors.<br /><br /></font><div align="center"><font style="font-size: 1em;"># # # </font><font style="font-size: 0.8em;"><br /></font></div><font style="font-size: 1.25em;"><font style="font-size: 0.8em;"><b><br /></b></font><br /><br /><br /><br /><br /><br /><br />&nbsp; </font>
<br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/ZEVIC5sm8mU" height="1" width="1"/>]]></content:encoded><description>Multiple factors of authentication help prove the physical identity of who's getting into your applications, earthbound or cloud-based. Here's a quick look at some strong authentication thinking from RSA.</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/03/strong-authentication-rsaconference-trend.html</feedburner:origLink></item><item><title>Microsoft Forefront Identity Manager User Cuts Costs, Improves Compliance, Lays Convergence Foundation</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/Mn4N5Aa1T0E/forefront-identity-manager-case-study-first-american-title.html</link><category>Business Processes</category><category>Identity and Access Management</category><category>RSA Conference 2010</category><category>Strong Authentication</category><category>businessprocesses</category><category>identityandaccessmanagement</category><category>rsaconference2010</category><category>strongauthentication</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Wed, 03 Mar 2010 09:23:40 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.187</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b>First American Title Insurance Company creates audit trails, improves productivity with
role- and criteria-based identity management and user provisioning</b><br />
<br />Microsoft yesterday announced at the 2010 RSA Conference the official release of its
<a href="http://www.microsoft.com/forefront/identitymanager/en/us/default.aspx">Forefront Identity Manager</a>,
an identity and access management tool designed to work across
heterogeneous systems, <span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.experteditorial.net/securitysquared/RSA2010%20logo%20blk%2Bgray.jpg"><img alt="" src="http://www.experteditorial.net/securitysquared/assets_c/2010/03/RSA2010%20logo%20blk+gray-thumb-250x33-231.jpg" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" width="250" height="33" /></a></span>including card management systems.<br />
<br />Brendan Foley, director of product management in the identity and
security business group at Microsoft, briefed <i>Security Squared</i> about
that announcement. We'll have more in coming days about Forefront
Identity Manager (FIM), especially its use of claims-based assertions,
its ability to synchronize identities across disparate sources and how
it integrates with strong authentication methods and their support
systems. <br />
<br />For now, we'll let users tell the FIM story: At the briefing, we also
spoke with First American Title Insurance Company, in the persons of
Cameron Cosgrove, vice president, infrastructure; and Scott Weir, IT
manager, desktop architecture group. They talked about their
experiences with using FIM for role- and criteria-based identity and
access management. <br />
<br />The convergence angle: Cosgrove and Weir discuss associating First
American Title employees with identities rather than IP addresses--and
the identities are built on roles and criteria that conceivably could
include physical access rights. Further, those physical permissions
could be correlated with data access rights, and both might vary with
an employee's location on any given day, with FIM provisioning and
deprovisioning in the background on the fly. As Weir says below,
employees always have access to the resources they need, while First
American has a clear audit trail for compliance.<br />
<br />Also of convergence interest: Cosgrove and Weir are evaluating
multifactor authentication solutions at RSA to complement their logical
access solution. Multifactor or strong authentication schemes are a
natural intersection between the logical and physical identity worlds.<br />
<br />What follows is a transcript of our conversation at the RSA Conference Tuesday, edited for clarity.<br />
*****<br />
<b>Cameron Cosgrove, First American Title: </b>Our industry is real estate,
and our fundamental business is property title insurance, helping
people transact their real estate business. We are a global company,
and we have a footprint of about 13,500 employees in the United States
[and] we have deployed FIM to all 13,500.<br /><br />One of the first challenges we wanted to address is the provisioning of
users and deprovisioning. With 13,000 people all across the U.S., we
are serving markets that are large and small, so we have large offices
and small offices in the U.S. Employees need access to the system
quickly--or when they leave, we need to de-provision quickly. Prior to
FIM, we were doing that manually through HR requests, tickets going
into our help desk. It would probably require a day or two days of
elapsed time to complete by the time we would gather all the pertinent
information about the new employee. <div><br /></div>
        When they got de-provisioned, it was the same process--again, time consuming and sometimes subject to errors. <br /><br />With FIM, we have fundamentally redesigned the way we provisioned people. Before FIM, when we provisioned someone like yourself, we'd say, okay, Sharon Watson has access to that resource, that chair, that drive, that's what you have. What FIM has enabled us to do is put a lot of process and structure around that which we can automate.<br />&nbsp;<br />For example, we can now create roles and groups and criteria, and we can automate the provisioning based on that. We can create a marketing group; within that group, we can create marketing associate vs. marketing manager vs. marketing executive [roles]. We can then provision by role exactly what they need as part of the group they are a member of. In addition to that, we can establish unique things that they need for their role, and then the criteria allows us to know that they are in this state, this county, this office, this is their manager, so we can automate provisioning of anything that is relevant to those criteria. <br /><br />We are synchronizing our HR system using FIM to Active Directory, so any time someone moves in the company, whether they move locations, cost centers, managers or change jobs, FIM will automatically associate that with the new provisioning that they need to have and de-provision what they don't need to have. So what used to take two days--[now takes] two seconds.<br /><br />We think we are probably going to be able to redeploy at least one FTE from what we do now to other things because we are automating this.<br /><br /><b>Defining Roles<br /><br />Sharon J. Watson, Security Squared</b>: How laborious was it to figure out what the policies should be?&nbsp; I'm thinking in terms of [definitions], such as managers need access to what kind of application...<br /><br /><b>Cosgrove</b>: That was a lot of work. 
I think Scott spent a couple of months, not doing any technology, just going through the company culture, trying to build consensus on these rules definitions. That was probably the biggest challenge we faced in the adoption of the technology. Implementing the tool is relatively easy compared to shifting the entire culture around these fundamental definitions, to first of all, do we all agree that these are the right roles? Then, do we agree that these are the accesses they should have?<br /><b><br />Scott Weir, First American Title</b>: That's absolutely right. The biggest challenge we had was getting consensus from the separate groups out there as to what actually should make up the employee profile. That's where we came up with the fact we needed multiple levels to answer the questions of what job do you do, where do you work and who do you do that work for. <br />Each one of those at a branch level provide certain access but maybe everyone in that entire state needs similar access. As Cameron pointed out, you might have a specific job code like a marketing associate who would have real finite access but then maybe something broader in the marketing role definition [says] this resource needs to be shared by all of marketing. Really quantifying that was the pillar of our work.<br /><br /><b>Cosgrove: </b>Another area we used FIM to improve is characterized by moving people away from an IP association...associating someone with an IP address to associating them with an identity...being able to surface a profile to the end user that is an aggregation of all the various silos of where we have information about the employee, surface it in a FIM portal so they can see an allover view of all the different ways they have access and the ways we recognize and define them in the company, to their name, the spelling of their name, the home address, their phone number, their work location, their job title, on and on and on. 
So they can also have input: that's correct, that's not correct. They can self-service update that. Then we have bidirectional updates that can go back to the source system and make that update. Versus today, you have to know that's information that's in [a particular] system, and as a result, most people don't update that. Just keeping phone numbers, cell phone numbers, correct has been a challenge. <br /><br />One of the things we've deployed is Microsoft Office Communicator, and we use Active Directory as our single source of truthful information. It's reading that, so if I bring up Active Directory and hover over someone's name, now I get up-to-date phone numbers, their office location, things like that. It does improve our ability to stay in touch with people and keep up our employee information.<br /><br /><b>Streamlining Audit Trail Creation<br /><br /></b>The other thing it's helped us do: we have compliance requirements, like every company does, and one of the things we've been able to automate is consistent rules for access based on the role and the criteria. Because we have a tool that implements people's access rights against that criteria and that role, we know it's consistent, we know it matches our standard. We didn't have that before. In addition to that, when an auditor wants to review who has access to something....let's say an exception is made. The FIM tool will automate the capture of that approval by pushing a message out to the manager requesting they approve providing access to this resource by this employee. If they say yes, that becomes highly auditable. So it's improved our ability to be audited and streamlined the whole authorization process.<br /><br /><b>SJW: </b>What kind of credentials do you issue to employees? That's one of my areas of interest--the intersection of these logical and physical security issues and particularly in identity management, knowing the person logging into an application is physically who you think it is. 
Are you pushing this all the way down to using a smartcard to gain access to facilities, so you know they're in the building and so now they're allowed to get into the network?<br /><br /><b>Weir: </b>In our industry, given that we're so disparate in how our businesses line up...we've got very small offices that have two or three employees that don't have an office security system. Then we've got campuses in Dallas and Santa Ana that house multiple thousands of employees, [so] what we're really keying around is the classification of the identity itself and using those criteria to make sure they have access to what they need.<br />&nbsp;<br />If there is an exception request, if they do need access to something--we call it the multiple hat syndrome, where we've got a person who works in San Francisco but two days a week they fill the same role and work in San Bernardino. Well, what we can do now is say, HR's provisioned us with the data that says you're in San Francisco, you've matched all the criteria, you have that access, now we'll be able to have an exception level and grant you access in this other office you work in with an approval mechanism. Eventually--and that's one of the things we want to find while we're here--is some of the different ways of multifactor authentication and how it integrates--<br /><br /><b>Cosgrove: </b>And tie it in. That's on our roadmap to look at. What we've done prior to the physical access is more virtual-based access, so we are able to federate our identities to the cloud. So we've implemented that already with our email backbone, which is hosted in the cloud, then we federate our identities to it through FIM, keep it synchronized so mail gets routed to the right exchange.<b><br /><br /></b><b>Greater Productivity<br /></b>&nbsp;<br />The last thing we've done that I would characterize as a pretty big win is group and distribution management. 
Again, everything ties back to people's roles and their criteria--cost center, office location, that type of thing--so now when we link all of those to distribution lists in Exchange, you get on all the right DLs. The key is keeping those current. Prior to FIM, that was a completely manual effort. People would send in tickets: please update this DL, please add this person, please take this person off. Now it's automated. So when somebody moves to a different location or group or role, they're automatically deprovisioned out of the old DL and provisioned into the new DL.<br />&nbsp;<br />FIM is a very easy-to-use tool. That's why our V.1 implementations let us do things like federate to the cloud but also, with respect to distribution list management, to deploy a portal to our corporate communications group...they can use this portal to create ad hoc DLs on the fly to meet whatever unique communication distribution need and with our Exchange environment, we can actually hide that DL so only they have access to it. But because FIM created it, behind the scenes it's automatically updated so they know the correct people are on it, and they can use that DL to send out whatever they need. That's something they can do on a self-service basis. So from that perspective, it's improving our corporate communications, lowering our cost to do that, because prior to that, we'd have to use different tools and use different request cycles to get it all done.<br /><br /><div align="center">###<br /></div><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/Mn4N5Aa1T0E" height="1" width="1"/>]]></content:encoded><description>Microsoft Forefront Identity Manager user First American Title Insurance Company talks about streamlining users' logical access rights and how that improves compliance, productivity...and sets the stage for correlating physical access rights with strong authentication.</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/03/forefront-identity-manager-case-study-first-american-title.html</feedburner:origLink></item><item><title>HP, Cloud Security Alliance Identify Top Cloud Security Risks</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/DzubI7lGfdA/hp-cloud-security-alliance-identify-top-cloud-security-risks.html</link><category>Cloud Computing</category><category>Identity and Access Management</category><category>RSA Conference 2010</category><category>cloudcomputing</category><category>rsaconference2010</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Mon, 01 Mar 2010 05:57:31 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.185</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b><font style="font-size: 1.25em;"><font style="font-size: 0.8em;">Top Six Threats Report Results Released at RSA Conference<br /></font><br /></font></b>How do you know who's doing what in the cloud you've built, bought or rented? The answer for too many early cloud adopters is: They don't. <br /><br />That's one of the results caused by the six key security risks of cloud computing, being presented today in a report commissioned by HP and conducted by the <a href="http://cloudsecurityalliance.org/">Cloud Security Alliance.</a> Three of these risks, categorized as "abuse and nefarious use," "malicious insider risks" and "account service and traffic hijacking" each relate to an enterprise's ability--or inability--to authenticate who is getting to the cloud and authorize and track what they are doing once there.<br /><br />"The cloud is not occupied by your IT person--you really have no idea what's going on in there," said Chris Whitener, chief security strategist, HP, to <i>Security Squared </i>in a pre-release briefing. He suggested some IT departments are too quick to assume the cloud practices the same security measures they do. "Faith-based IT is a real problem."&nbsp; <br /><br />The other three risks are insecure application programming interfaces (APIs); shared technology vulnerabilities; and data loss and leakage.<br /><br />Whitener noted that none of the six threats is unique to the cloud: disgruntled or thoughtless employees can misuse or lose data stored on USB drives, while bad programming is bad programming wherever it occurs. However, cloud architectures tend to amplify the impact of one user's actions, he said. <br /><br />"If you can swipe one account, you have access to a lot more within the cloud," Whitener said. <br /><br />Similarly, even if just a few companies use poor security connecting to or within the cloud, they could be increasing the risk profiles for other cloud users. 
"That's probably the most prevalent right now," he said.<br /><br />From a converged perspective, extending identity management and strong authentication practices out to the cloud seems to be making a lot of sense. The challenge is, as Whitener said, many enterprises seem to think there's not much risk in just giving the cloud a try. <br /><br />"If you're going to do something in the cloud, think about it," he said. Consider the risks, how the application and its data might be used by other departments or users, think through security, Whitener urged. "Don't just slap it up." <br /><br />During RSA, <i>Security Squared</i> will be talking with a variety of identity management vendors, including CA Security Management, HP, IBM, Microsoft and Novell, about their view of extending identity infrastructure out to the cloud and where they are in supporting physical/logical identity convergence and related security policies that seem to us to be key building blocks in making the cloud safe and compliant.<br /><br /> <div align="center"># # # <br /><br /></div>
        
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/DzubI7lGfdA" height="1" width="1"/>]]></content:encoded><description>HP, Cloud Security Alliance kick off RSA Conference with report identifying the top six threats of secure cloud computing. </description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/03/hp-cloud-security-alliance-identify-top-cloud-security-risks.html</feedburner:origLink></item><item><title>PhoneFactor Builds on Strong Authentication Platform with SMS</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/g6XPobW3z1M/phonefactor-builds-on-strong-authentication-platform-with-sms.html</link><category>Cloud Computing</category><category>Cybercrime</category><category>RSA Conference 2010</category><category>Single Sign On</category><category>Strong Authentication</category><category>cloudcomputing</category><category>cybercrime</category><category>singlesignon</category><category>strongauthentication</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Mon, 01 Mar 2010 06:01:30 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.186</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <font style="font-size: 0.8em;"><b><font style="font-size: 1.25em;">Vendor Claims to Be First Offering Text-Based Out-of-Band Authentication <br /><br /></font></b></font><a href="http://www.phonefactor.com/">PhoneFactor</a> today announced it is adding Short Messaging Service (SMS) to its two-factor authentication platform. It's one of several announcements and demonstrations of strong authentication pervasive at this year's RSA Conference.<br /><br />With PhoneFactor's original authentication platform, users enter a user name and password into an application. The PhoneFactor system then places a call to the user's telephone; authentication is achieved when the user answers. A user may also enter a PIN for another layer of security.<br /><br />With its new SMS-based platform, PhoneFactor sends a one-time pass code to the user's mobile phone. The user authenticates in one of several ways, depending on the security requirements: texting back the code; entering the code into the application; entering a PIN plus the code. For very sensitive applications, PhoneFactor also offers voice biometrics. <br /><br />In a pre-RSA briefing with <i>Security Squared</i>, PhoneFactor CTO Steve Dispensa emphasized the authentication in all cases occurs "out of band," that is, on a second channel. "With out-of-band, compromising the computer isn't enough to cause problems," he said. A cybercrook may have obtained a user's id and password--but is unlikely to have the user's telephone or mobile device, which is a different device on a different network.<br /><br />Even if the cell phone is lost, Dispensa pointed out users generally are quick to notice that and take steps to get a new one. 
That's in contrast to the time it might take to notice a rarely used keyfob or other token is missing.<br /><br />The SMS-based platform could help enterprises address the issue of SQL injections and man-in-the-middle attacks, in which bad guys take over a legitimately authenticated Web or VPN session. In those cases, Dispensa said, "The only thing that doesn't look right is the transaction itself."<br /><br />In these situations, a text message could be sent that includes details of the transaction, such as a funds transfer amount and destination, and prompts the user to indicate whether the transaction should be permitted. The application owner can even use a fraud alert code the user can punch in immediately to signal trouble.<br /><br />Dispensa noted the flexibility of PhoneFactor's authentication platforms to integrate with a variety of applications and support various use cases, all without custom programming. The platform integrates with Active Directory or an LDAP-based directory, synchronizing its user accounts with those in the enterprise directory. So it integrates with enterprise Single Sign On solutions and can replace other one-time token devices. <br /><br />PhoneFactor's platforms could also be used as a second authentication device at physical access points, Dispensa said, such as providing a code needed to enter a restricted area.<br /><br />For users turning to smart phones to transact web business, as long as the voice and data channel are separate, the out-of-band security separation holds, he said.<br /><br />Strong authentication is one of the themes at RSA this year, with a number of companies presenting new or enhanced solutions for helping enterprises ensure the physical person signing into an earthbound or cloud-based application is who they think it is. 
Security Squared will especially be looking at how these solutions intersect with and enhance other security systems.<br /><br /><div align="center">### <br /><br /></div><br /> 
        
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/g6XPobW3z1M" height="1" width="1"/>]]></content:encoded><description>PhoneFactor adds SMS to its two-factor authentication platform, using text messages to verify the physical identity of users.</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/02/phonefactor-builds-on-strong-authentication-platform-with-sms.html</feedburner:origLink></item><item><title>Milestone To Train 'Green Beret' Integrator Force</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/-ahZXlhQ4jo/milestone-to-train-green-beret-integrator-force.html</link><category>IP Networking</category><category>IP Video Surveillance</category><category>IT Integration</category><category>Open Standards</category><category>Video Management Software</category><category>Videos</category><category>businessprocesses</category><category>integratedsecurity</category><category>securitystrategy</category><category>training</category><category>videomanagementsoftware</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Mon, 01 Mar 2010 06:04:06 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.184</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        As part of an aggressive attack on the high-end of the video surveillance management system market, <a href="http://www.milestonesys.com/">Milestone Systems</a> is offering integrators an intensive training program for winning business from Fortune 1000 companies.<br /><br />Unveiled at last week's Milestone Integration Platform Symposium in Hollywood, the Milestone Value Selling (MVS) Program aims to create a "Green Beret" level of channel partners, said Lars Thinggaard, president and CEO of the company, in a reference to the U.S. Special Forces, an elite branch of the U.S. Army whose members are specially trained for extremely difficult and hazardous missions.<br /><br />The MVS Program will focus on identifying and communicating the return-on-investment propositions integrated security systems can offer large end-users. Integrators will learn how to identify and understand a large enterprise's strategic business mission and its risk factors, and then design an effective solution that addresses both.<br /><br /><a href="http://www.securityinternational.com.au/">Security Consultants International</a> will provide the two-day training course, Thinggaard said.<br /><br />After addressing the opening session of the MIPS meeting, Thinggaard expanded on the Value Selling Program and its significance for integrators in the video interview below.<br /><br /><br />&nbsp;<br />&nbsp;<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/GXbsFV-uy14&amp;hl=en_US&amp;fs=1&amp;" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/GXbsFV-uy14&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></object>
        
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/-ahZXlhQ4jo" height="1" width="1"/>]]></content:encoded><description>As part of an aggressive attack on the high-end of the video surveillance management system market, Milestone Systems is offering integrators an intensive training program for winning business from Fortune 1000 companies.</description><enclosure url="http://www.youtube.com/v/GXbsFV-uy14&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;" length="1041" type="application/x-shockwave-flash" /><media:content url="http://www.youtube.com/v/GXbsFV-uy14&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;" fileSize="1041" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>As part of an aggressive attack on the high-end of the video surveillance management system market, Milestone Systems is offering integrators an intensive training program for winning business from Fortune 1000 companies.</itunes:subtitle><itunes:summary>As part of an aggressive attack on the high-end of the video surveillance management system market, Milestone Systems is offering integrators an intensive training program for winning business from Fortune 1000 companies.</itunes:summary><itunes:keywords>IP Networking, IP Video Surveillance, IT Integration, Open Standards, Video Management Software, Videos, businessprocesses, integratedsecurity, securitystrategy, training, videomanagementsoftware</itunes:keywords><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/02/milestone-to-train-green-beret-integrator-force.html</feedburner:origLink></item><item><title>Securing Identities in the Cloud with Existing Enterprise Tools </title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/B5tEEEJKkMs/securing-identities-in-the-cloud-with-existing-enterprise-tools.html</link><category>Cloud Computing</category><category>Identity and Access Management</category><category>Single Sign On</category><category>Strong 
Authentication</category><category>Videos</category><category>cloudcomputing</category><category>identityandaccessmanagement</category><category>singlesignon</category><category>strongauthentication</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Mon, 01 Mar 2010 06:05:07 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.183</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b>Ping Identity on Cloud Identity Security Fundamentals</b><br /><br />At SecureWorld Expo in Houston last week, Security Squared's Sharon J. Watson talked with Mike Donaldson, vice president-marketing for Ping Identity, which offers identity solutions for cloud computing and federation of identities among trading partners.&nbsp; She asked Donaldson about the fundamental steps an enterprise should take to ensure it knows who is doing what in its cloud-based applications and data.<br /><br /><br /><br /> 

<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/eANhDQHV4_s&amp;hl=en&amp;fs=1" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/eANhDQHV4_s&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></object>
        
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/B5tEEEJKkMs" height="1" width="1"/>]]></content:encoded><description>In this video conversation with Ping Identity, which counts a good slice of the Fortune 100 among its clients, find out the fundamentals of securing identities in the cloud and why it makes sense to think about strong authentication measures for cloud-based apps.</description><enclosure url="http://www.youtube.com/v/eANhDQHV4_s&amp;amp;hl=en&amp;amp;fs=1" length="1039" type="application/x-shockwave-flash" /><media:content url="http://www.youtube.com/v/eANhDQHV4_s&amp;amp;hl=en&amp;amp;fs=1" fileSize="1039" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>In this video conversation with Ping Identity, which counts a good slice of the Fortune 100 among its clients, find out the fundamentals of securing identities in the cloud and why it makes sense to think about strong authentication measures for cloud-bas</itunes:subtitle><itunes:summary>In this video conversation with Ping Identity, which counts a good slice of the Fortune 100 among its clients, find out the fundamentals of securing identities in the cloud and why it makes sense to think about strong authentication measures for cloud-based apps.</itunes:summary><itunes:keywords>Cloud Computing, Identity and Access Management, Single Sign On, Strong Authentication, Videos, cloudcomputing, identityandaccessmanagement, singlesignon, strongauthentication</itunes:keywords><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/02/securing-identities-in-the-cloud-with-existing-enterprise-tools.html</feedburner:origLink></item><item><title>Milestone Launches Smart Client Upgrade</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/pQDGTYzbec8/milestone-systems-has-issued-a.html</link><category>IP Video Surveillance</category><category>Network security </category><category>Video Management 
Software</category><category>ipvideosurveillance</category><category>networkedsecurity</category><category>videomanagementsoftware</category><category>vms</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Mon, 22 Feb 2010 11:34:57 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.182</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        Milestone Systems has issued a new release of its XProtect Corporate video management software coupled with a substantially upgraded version of its Smart Client graphical user interface that makes VMS control and operation easier for rank-and-file security personnel.<br /><br />Unveiled Thursday during its <a href="http://www.milestonemips2010.com/">2010 Milestone Integration Platform Symposium (MIPS)</a> in Hollywood and carried live worldwide via webcast, Milestone XProtect Corporate 3.1 features support for Microsoft Windows 7 and Server 2008 Release 2, a server failover feature for additional redundancy, and streamlined installation and optimization procedures.<br /><br />But the most significant addition to the package is Smart Client 5.0, the latest version of the XProtect graphical user interface. The upgraded interface increases the space for camera windows while reducing and simplifying menu bars and pull-downs, said Eric Fullerton, Milestone's chief sales and marketing officer, who declared it "the most user-friendly GUI on the market." The new version of the software is available now and can be downloaded from <a href="http://www.milestonesys.com/">the Milestone web site</a>.<br /><br />
        Users can choose to display control buttons they wish to use and hide
others, eliminating clutter and confusion. Users can also overlay
control buttons on specific camera feeds to independently play back
footage while other feeds in other windows continue to stream live. It
also features a wizard-based rules system.<br /><br />One new feature,
dubbed Sequence Explorer, presents a series of video sequences as
thumbnail images, separated by user-defined intervals. Using this
feature, a user can quickly find and jump to a recorded event,
reducing investigative times. Once the event is found, the user can
immediately synchronize all cameras to the same time to view all
surveillance footage of the incident.<br /><br />The Sequence Explorer
caught the attention of Charles Wilde, president of EPS, a Milestone
integrator based in Canal Winchester, Ohio. "It is easy to use for
those who might not be tech-savvy," he said, adding that he looked
forward to "kicking the tires" on the new release.<br /><br />As VMS
software becomes more feature-rich, ease of use is becoming more of a
user demand, Fullerton told Security Squared after the presentation.
"As new features are being added, interfaces are getting complex," he
said. "Users are getting lost."<br /><br />XProtect 3.1 and Smart Client
5.0 are the first of a series of enhanced products and features that
Milestone has in the pipeline. Smart Client 5.0 will be supported on
the upcoming release of XProtect Enterprise 7.0, said Christian Bohn,
head of product management. Releases in 2010 will also emphasize ease
of use and scalability, with an aim to putting integrators in a
position to continue to add value to security systems they sell as
their clients grow.<br /><br />The company is planning to introduce a
federation platform on its XProtect Corporate software by the end of
the year, Bohn said. This platform, in essence a management server,
will sit above isolated "islands" of VMS systems that tend to
proliferate in user networks, yet provide a central management
interface into all of them.<br /><br />Milestone is also planning to
introduce a unified interface that will streamline API integration up
and down the XProtect line. Right now, the same application requires a
different API or plug-in depending on whether the XProtect platform is
Corporate, Enterprise, Professional or Basic+. The uniform interface,
in the form of a shell, will allow one API to work across all platforms.
"It will have all the hooks you need to get the application done and
working across all Milestone platforms and Smart Client," Bohn told Security Squared.<br /><br />
]]></content:encoded><description>Milestone Systems has issued a new release of its XProtect Corporate video management software coupled with a substantially upgraded version of its Smart Client graphical user interface that makes VMS control and operation easier for rank-and-file security personnel.
</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/02/milestone-systems-has-issued-a.html</feedburner:origLink></item><item><title>Extending Enterprise Identity and Security Tools to the Cloud</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/4XyGW4-DmGA/extending-enterprise-identity-and-security-tools-to-the-cloud.html</link><category>Access Control Systems</category><category>Cloud Computing</category><category>Identity and Access Management</category><category>Single Sign On</category><category>Software as a Service</category><category>accesscontrol</category><category>cloudcomputing</category><category>identityandaccessmanagement</category><category>saas</category><category>sso</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Fri, 19 Feb 2010 12:34:19 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.181</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        Cloud-based computing, also known as hosted services and
Software-as-a-Service, may reduce IT infrastructure expense but it
can't shake off the need for enterprises to know which humans are doing
what in the cloud.<br />
<br />
Accomplishing that can draw on more traditional tools: strong
authentication methods physical security professionals can champion to
ensure the human presence matches the digital persona, and IT-based
identity management tools to help define what the digital persona may
do.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.experteditorial.net/securitysquared/Ping.jpg"><img alt="Ping.jpg" src="http://www.experteditorial.net/securitysquared/assets_c/2010/02/Ping-thumb-150x150-227.jpg" class="mt-image-left" style="margin: 0pt 20px 20px 0pt; float: left;" width="150" height="150" /></a></span>At the SecureWorld Expo in Houston February 11, we chatted with
Mike Donaldson, vice president of marketing for <a href="http://www.pingidentity.com/">Ping Identity</a>, and
Darren Platt, CTO and founder of <a href="http://www.symplified.com/">Symplified</a>, <span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.experteditorial.net/securitysquared/symplified.jpg"><img alt="symplified.jpg" src="http://www.experteditorial.net/securitysquared/assets_c/2010/02/symplified-thumb-150x53-229.jpg" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" width="150" height="53" /></a></span>to understand more about
where convergence and the cloud can or should come together. (<a href="http://www.experteditorial.net/securitysquared/2010/02/securing-identities-in-the-cloud-with-existing-enterprise-tools.html">See also our video conversation with Mike.</a>)<br />
<br />
<b>Leveraging Existing Investments</b><br />
<br />
Today's enterprise employees are demanding SaaS applications and their
use is "exploding," said Donaldson. Companies are approaching Ping to
manage employee identities among these applications, in which users may create accounts and passwords that aren't necessarily secure, he said.&nbsp; 
        While the cloud problem may be new, the enterprises Ping works with generally have significant identity and access management systems in place. Ping's federated identity solution draws on these tools to distribute already-validated identity data to a supplier or other trusted business partner using Security Assertion Markup Language, or SAML. "We leverage the security the enterprise already has," said Donaldson.<br /><br />Ping's integration with existing enterprise authentication tools enables hosted applications to look much like enterprise-based applications to a user. For example, when a user who has logged into the enterprise network wants to access a hosted application, he simply clicks on a link. Ping extends the enterprise network's validation of the user's identity to the cloud and/or trading partners via SAML, yet makes the process invisible. "There's a lot of technology under the cover to make it easy for the user," said Donaldson. <br /><br />An alternative approach would be for a user to attempt to log in to a cloud application, whereupon she'd be redirected to authenticate to the enterprise server before being granted access. In this way, Donaldson explained, the user's enterprise ID is re-used, and the service provider doesn't need to duplicate and maintain it, eliminating a potential security issue.<br /><br />Ping generally sells to large and technically sophisticated companies, such as Fortune 100 firms exchanging data with trading partners and identity/federation service providers like Exostar. However, Donaldson noted that Ping can integrate with Active Directory, making that the basis for a cloud identity solution if an enterprise doesn't have comprehensive identity management tools. 
<br /><br /><b>Identity from the Cloud or in a Box </b><br /><br />By contrast, Symplified targets medium and smaller-sized entities that often don't have an extensive identity infrastructure or the ability to manage SAML, said Darren Platt, CTO and founder. Yet these are the very companies extensively adopting cloud-based applications and can experience proliferating user accounts and identities with little oversight.<br /><br />Like Ping, Symplified will work with an enterprise's existing identity management system to extend user access roles and security policies to the cloud. Symplified, though, also styles itself as providing cloud-based traditional identity management services, such as access control, authentication, user management, compliance and auditing. These tools, which can also be used for authentication to internal network-based applications, also are available in the form of an on-premise appliance Symplified calls its Identity Router. <br /><br />Platt explained the Identity Router draws user access policies from Active Directory or a Lightweight Directory Access Protocol-based directory. It can then authenticate user identities, either to internal or intranet applications, or out to the ecosystem of Software-as-a-Service destinations to which Symplified has connections, from Google to ADP to SalesForce.com. <br /><br />The access process is transparent to users, who simply log onto the enterprise network once and then have seamless access to internal and cloud-based applications. In turn, the ease and breadth of such access has companies looking at stronger authentication methods, Platt said.&nbsp; <br /><br /><b>Getting Strong with the Cloud<br /><br /></b>"A lot of people think single sign on (SSO) necessitates [strong authentication] because they've concentrated their risk behind that one credential," said Platt. 
&nbsp;<br /><br />He noted concentration of access to many applications does have its benefits: better security policies governing more applications and elimination of lists of passwords, to name two. Further, two or more factors of authentication also mitigate much of the risk of SSO. Still, Platt said whether and when to use stronger authentication is a risk management decision. "You have to apply the right security controls to the situation," he said. <br /><br />"The place where the user comes in the door to the application is critical," Ping Identity's Donaldson said, noting the process has to be easy, yet secure, and can build on what the enterprise has already invested in. "Do one strong authentication to the [enterprise] directory, then leverage that," Donaldson said. <br /><br />That makes it important to have an authoritative source for identity data that can be used for physical access control solutions as well as access to internal and cloud applications, so that enterprises get more utility out of their investments in stronger credentials and/or authentication methods. &nbsp;<br /><br />"The user store is where convergence has to happen," said Platt, who pointed out how user administration issues grew ever more complex as enterprises created user silos around their individual web applications. For secure cloud identity management, he emphasized that enterprises should try to have as few points of administration for user data as possible, structure access policies based on various attributes about a person, such as their business role, then ensure these are enforced out to the cloud.<br /><br />Given the well-understood weakness of passwords to protect enterprise assets, Donaldson expects to see increasing use of multiple factors of authentication and stronger credentials. "I think you will see the two worlds come together more than in the past," he said. 
<br /><br /><div align="center">* * * <br /></div>Our editorial note: As the use of stronger credentials to extend secure identities to cloud-based (and other) enterprise applications becomes more likely, physical, network and IT security professionals should logically partner on how best to get the most value from these investments. While it might not matter where an application resides, it might be very important to know the location of the user opening it. Credentials that span logical and physical assets, and physical/logical identities linked across these to those credentials, provide such data as well as greater security and are natural convergence points.<br />&nbsp; <br /><div align="center">###<br /></div><br />
]]></content:encoded><description>Take a quick look at where convergence may play in the cloud in this quick primer in authenticating identities in the cloud with experts from Ping Identity and Symplified. </description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/02/extending-enterprise-identity-and-security-tools-to-the-cloud.html</feedburner:origLink></item><item><title>Do You Have a BZPP?</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/48PYZCQnlLE/do-you-have-a-bzpp.html</link><category>Business Continuity</category><category>Business Processes</category><category>Ports/Infrastructure</category><category>Public Safety</category><category>Risk Management</category><category>businessprocesses</category><category>emergencyresponse</category><category>homelandsecurity</category><category>infrastructureprotection</category><category>integratedsecurity</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Wed, 17 Feb 2010 17:29:33 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.180</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        The U.S. Department of Homeland Security has been authorized to fund security studies of selected infrastructure and plant operations in areas it has deemed high-risk. DHS has allocated approximately $48 million--$6.9 million in Texas alone--for the creation of Buffer Zone Protection Plans (BZPPs) that address the security of pre-designated Tier 1 and Tier 2 critical infrastructure and assets, including chemical facilities, financial institutions, nuclear and electric power plants, dams, stadiums, and other high-risk, high-consequence facilities and the communities around them.<br /><br />BZPPs identify security vulnerabilities, recommend ways to fill those gaps, and develop an overall emergency/threat response plan, according to Sgt. Michael Macha (Ret.), of the City of Houston Mayor's Office of Public Safety and Homeland Security. BZPP grants are administered by the Federal Emergency Management Agency through the State Administrative Agencies. The SAAs work with the state homeland security advisor and state and local agencies to disperse funds.<br /><br /> 
        Speaking at the recent <a href="http://www.ifssevent.com/">2010 Industrial Fire, Safety &amp; Security Expo</a> in Houston, Macha said participation is voluntary, although he recommended it. "Eighty-five percent of U.S. critical is owned by the private sector," he said. Coordination between public safety and private security can be much more efficient if information and plans are in place. The Houston-Galveston area, with its port and high concentration of refineries and chemical plants, is among the DHS pre-identified areas deemed eligible for BZPP grants. <br /><br />From a strategic perspective, BZPP can give security executives a method of measuring security costs against the potential risk factors they would mitigate. Basically, BZPPs provide<br /><br />* Knowledge as to the specific critical assets at a facility;<br />* Knowledge of the critical paths to failure;<br />* Knowledge about the presence and nature of hazardous materials and the consequences of their release into the environment;<br />* Access to pre-incident action plans;<br />* A total risk profile.<br /><br />"It tells us, 'this is what we have, this is what we need, and this is how we fill in the gaps,'" said Macha. Once a plan is formulated, it offers options that CSOs can present to management, as well as potential cost benefits. For example, BZPPs can be used in certification processes, which in turn could lead to a reduction in insurance costs, he said. <br /><br />On a technical level, BZPPs show where security equipment, such as video cameras, should be deployed for greatest effectiveness. BZPPs, for example, will identify the perimeter points where a potential target can be best observed. "Where are the best places for people to watch you? 
Then you know where to put cameras to watch those people," Macha said.<br /><br />Once formulated, BZPP plans are classified, accessible only to officials with clearance for Chemical Vulnerability Information (CVI), Protected Critical Infrastructure Information (PCII), Law Enforcement Sensitive (LES) and For Official Use Only (FOUO) documents, Macha said.<br /><br />More information on BZPPs can be found <a href="http://www.fema.gov/government/grant/bzpp/index.shtm">here</a>. Information about SAAs can be found <a href="http://www.fema.gov/government/grant/saa/index.shtm">here</a>.<br /><br />
]]></content:encoded><description>The U.S. Department of Homeland Security has been authorized to fund security studies of selected infrastructure and plant operations in areas it has deemed high-risk. DHS has allocated approximately $48 million--$6.9 million in Texas alone--for the creation of Buffer Zone Protection Plans (BZPPs) that address the security of pre-designated Tier 1 and Tier 2 critical infrastructure and assets and the communities around them.</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/02/do-you-have-a-bzpp.html</feedburner:origLink></item><item><title>TWIC Card Reader Update and Demo</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/HeaMW3HpQMU/twic-card-reader-update-and-demo.html</link><category>Access Control Systems</category><category>Biometrics</category><category>Identity and Access Management</category><category>Ports/Infrastructure</category><category>Public Safety</category><category>Videos</category><category>accesscontrol</category><category>biometrics</category><category>portmaritimesecurity</category><category>twic</category><category>twiccardreaders</category><category>uscoastguard</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Wed, 24 Feb 2010 06:32:59 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.179</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        The U.S. Coast Guard has narrowed its evaluation of Transportation Worker Identity Card (TWIC) readers to two vendors, <a href="http://www.datastrip.com/">Datastrip</a> and <a href="http://www.maxidcorp.com/">MaxID</a>, according to a Coast Guard officer who spoke at last week's Industrial Fire Safety &amp; Security Expo in Houston.<br /><br />Lt. Matt Derian, chief, waterfront facilities and security, said the Coast Guard aims to make a decision this spring.<br /><br />The Maritime Transportation Safety Act requires TWIC cards to be issued to anyone who needs access to secure areas of any U.S. seaport. TWIC cards are issued after a background check and carry a photograph, a bar code, a PIN number and a fingerprint scan.<br /><br />More than 1 million TWIC cards have been issued since the spring of 2009, but the Coast Guard has not completed selection of a portable TWIC card reader that can be updated on a daily basis. TWIC cards are required for entry into secure areas of U.S. ports today, but there is a lag between the time the user is authorized and the time the card becomes usable. Likewise, if authorization is revoked, there can be a delay of several days before readers acquire that information, Derian said. <br /><br />Only four classes of professionals have TWIC card exemptions: law enforcement officers, federal officials on duty, federal contractors on duty, and municipal first responders entering the port in an emergency, Derian said. 
The Coast Guard is currently working to modify that rule to allow first responders access during threat response exercises.<br /><br />In the accompanying video, MST2 Ron Sampert demonstrates the Datastrip and MaxID readers.<br /><br /><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/5cnstLYV3bY&amp;hl=en_US&amp;fs=1&amp;" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/5cnstLYV3bY&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></object><br /><br /><br />&nbsp; &nbsp; <br /><br /> 
        
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/HeaMW3HpQMU" height="1" width="1"/>]]></content:encoded><description>The U.S. Coast Guard has narrowed its evaluation of Transportation Worker Identity Card (TWIC) readers to two vendors, Datastrip and MaxID, according to a Coast Guard officer who spoke at last week's Industrial Fire Safety &amp;amp; Security Expo in Houston.</description><enclosure url="http://www.youtube.com/v/5cnstLYV3bY&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;" length="1047" type="application/x-shockwave-flash" /><media:content url="http://www.youtube.com/v/5cnstLYV3bY&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;" fileSize="1047" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The U.S. Coast Guard has narrowed its evaluation of Transportation Worker Identity Card (TWIC) readers to two vendors, Datastrip and MaxID, according to a Coast Guard officer who spoke at last week's Industrial Fire Safety &amp;amp; Security Expo in Houston.</itunes:subtitle><itunes:summary>The U.S. 
Coast Guard has narrowed its evaluation of Transportation Worker Identity Card (TWIC) readers to two vendors, Datastrip and MaxID, according to a Coast Guard officer who spoke at last week's Industrial Fire Safety &amp;amp; Security Expo in Houston.</itunes:summary><itunes:keywords>Access Control Systems, Biometrics, Identity and Access Management, Ports/Infrastructure, Public Safety, Videos, accesscontrol, biometrics, portmaritimesecurity, twic, twiccardreaders, uscoastguard</itunes:keywords><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/02/twic-card-reader-update-and-demo.html</feedburner:origLink></item><item><title>March Networks Wins Maryland Transit Contract</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/7MgwVBICGZo/march-networks-wins-maryland-transit-contract.html</link><category>Cameras</category><category>Transportation</category><category>Video Management Software</category><category>Wireless Networking</category><category>dvrs</category><category>homelandsecurity</category><category>publicsafety</category><category>surveillance</category><category>transportation</category><category>videosurveillance</category><category>wirelessnetworking</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Wed, 10 Feb 2010 14:12:39 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.178</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        The <a href="http://mta.maryland.gov/">Maryland Transit Administration</a> has awarded a contract to <a href="http://www.marchnetworks.com/">March Networks</a> for a mobile surveillance network that will ultimately provide live, real-time video feeds via a wireless mesh network from the MTA's fleet of 669 vehicles that service the Baltimore area.<br /><br /><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.experteditorial.net/securitysquared/Wilenius%20pic.jpg"><img alt="Wilenius pic.jpg" src="http://www.experteditorial.net/securitysquared/assets_c/2010/02/Wilenius%20pic-thumb-250x383-222.jpg" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" height="383" width="250" /></a></span>The deal, which Peter Wilenius (pictured), March Networks' vice president of global marketing, valued in the "mid-seven figures," is the first step in a new citywide surveillance system that will converge a number of video networks and manage them from a central command-and-control point. In addition to providing greater security for the 250,000 passengers who use MTA buses each day, the video system is part of a larger long-term strategy in line with city anti-crime measures and homeland security objectives, Wilenius said. The company remains in the running for more of this business, he added.<br /><br />"The buses are roving eyes collecting intelligence, and can be used to
identify crime, fraud and theft and capture as much evidence with as
much detail as possible," Wilenius said.<br /><br /> 
        The strategy is in line with the Department of Homeland Security's
emphasis on gathering intelligence and information that can be
correlated with other data from inside and outside the area. <a href="http://www.experteditorial.net/securitysquared/2010/02/regional-fusion-centers-help-connect-dots-on-large-scale-threats.html">As noted
during a conference session during last week's Industrial Fire, Safety
&amp; Security Expo in Houston</a>, DHS is urging police, fire, emergency
responders and other public and private sector workers with jobs in the
field to watch for activity and situations that appear out of the
ordinary.<br />
<br />
Under the agreement, the MTA already has deployed March Networks' Model
5412 mobile DVRs on approximately 130 city buses. The entire fleet is
scheduled to be outfitted by March 2011, Wilenius said. <br />
<br />
Video is recorded as the bus travels its route, and then is
automatically downloaded via wireless link when the bus reaches one of
four outfitted depots. While the city's wireless mesh is under
construction, the DVRs will use commercial 3G cellular networks or WiFi
links, Wilenius said. The DVRs also contain GPS devices, and transit
officials can track each bus as it moves through the city. <br />
<br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.experteditorial.net/securitysquared/MTA_Bus_01.jpg"><img alt="MTA_Bus_01.jpg" src="http://www.experteditorial.net/securitysquared/assets_c/2010/02/MTA_Bus_01-thumb-250x342-224.jpg" class="mt-image-right" style="margin: 0pt 0pt 20px 20px; float: right;" height="342" width="250" /></a></span>Once the mesh network is complete, the transit officials will be able
to view and download video in real time, and, if necessary, push footage out to
police or first responders in the field. Ultimately, video receivers
will be placed in some police cars, which then would be able to view
direct live feeds from up to 100 meters away, according to Wilenius. <br />
<br />
The system relies on analog cameras today, but the MTA plans to upgrade
to IP megapixel and high-definition cameras over the course of the next two years,
Wilenius said. The plan is to have one camera monitoring the bus interior
and the other looking out the front.<br />
<br />
The municipal transportation vertical is a strong suit for March
Networks. The company has deployed mobile surveillance systems in
Miami, Las Vegas, Toronto and Orange County, Calif.<br />

]]></content:encoded><description>The Maryland Transit Administration has awarded a contract to March Networks for a mobile surveillance network that will ultimately provide live, real-time video feeds from the MTA's fleet of 669 vehicles via a wireless mesh network.</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/02/march-networks-wins-maryland-transit-contract.html</feedburner:origLink></item><item><title>Regional Fusion Centers Help 'Connect Dots' On Large-Scale Threats</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/JHifgbq-hro/regional-fusion-centers-help-connect-dots-on-large-scale-threats.html</link><category>Business Processes</category><category>General</category><category>Government</category><category>Ports/Infrastructure</category><category>Public Safety</category><category>businessprocesses</category><category>government</category><category>infrastructureprotection</category><category>infrastructuresecurity</category><category>publicsafety</category><category>securitymanagement</category><category>securitytraining</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Fri, 05 Feb 2010 13:10:12 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.177</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        The U.S. Department of Homeland Security is working with state and local agencies to support a network of state and regional intelligence service centers, or fusion centers, designed to gather and share information and intelligence on potential threats.<br /><br />In a presentation Thursday at the <a href="http://www.ifssevent.com/">2010 Industrial Fire, Safety &amp; Security Expo</a> in Houston, Mike Davis, an officer with the Houston Police Department's Criminal Intelligence Division, and John Hall, DHS intelligence liaison officer at the Houston Regional Intelligence Service Center, said sound information gathering begins with understanding the difference between the way investigators and intelligence-gatherers approach and use information. <br /><br />
        While the fusion centers have a role in threat scenarios (<a href="http://www.experteditorial.net/securitysquared/2010/02/nle-09-exercise-reveals-that-interagency-communications-problems-persist.html">the Houston
Fusion Center got high marks in its participation in the 2009 NLE 09
terrorism-response exercise</a>), day to day, they constitute a single contact point
for reporting, logging and tracking suspicious activity. <br />
<br />
There are 72 fusion centers in the U.S. The Houston center covers 13
counties stretching from Beaumont to Matagorda. Each center has a DHS liaison
officer, like Hall, but the centers are under local jurisdictional
control. Their role is to coordinate, analyze and disseminate
information up, down and across federal, state, tribal and local lines,
Hall said, serving as points where the proverbial dots can be connected
on a potential threat. As such, fusion center personnel work with local
law enforcement and private sector security colleagues in guiding the
collection of information that can be used in target hardening, attack prevention and attack response.<br />
<br />
Assisting and training both private and public security organizations
in creating a culture of intelligence gathering and sharing is a fusion center mission. Since the goal of an investigation is an
arrest and conviction, detectives tend to value information that can be
used to achieve those aims, Davis said. Likewise, they are
trained--correctly--to keep a tight hold on information and evidence
gathered in an investigation because, if leaked, it could compromise
the effort.<br />
<br />
Hall, in fact, drew distinctions between the fusion centers and
agencies such as the Joint Terrorism Task Force and Immigration and
Customs Enforcement, which indeed are investigative agencies.<br />
<br />
Intelligence-gathering is more like scouting, said Davis. The objective
is to observe, record and report back, not necessarily engage. Anything
out of the ordinary or that "doesn't look right" should be reported. As an
example, Davis told of a landlord who, upon inspecting an apartment
property one day, noticed that one of the regular white apartment doors
had been replaced with a heavy black metal slab that was padlocked.
Wisely, he called police, who found the apartment contained explosives and bomb-making equipment. <br />
<br />
Detection of a large-scale terrorist attack, Davis said, often requires
piecing together small bits of information that, when assembled, sound
alarm bells. Private companies should document and report incidents of
trespassing, surveillance and loitering in and around secure areas and
share video data. Already DHS has identified a number of
"gateway" crimes to terrorism--such as thefts of power or phone company
vans, burglary of shops selling professional uniforms, and stolen
IDs, passports, badges and official documents. Even as they investigate
these crimes locally, police departments and private security agencies
are urged to contact fusion centers when these incidents occur because
they may fit into something larger. <br />
<br />
Even fire departments have a role, since they can be the first on the
scene at a suspicious blaze. Lee reminded attendees that it was
Filipino firefighters who uncovered Al Qaeda's Bojinka plot to blow up
12 trans-Pacific airliners in 1995 after responding to an explosion at what had been a secret bomb-making lab.<br />
<br />
In a conversation with me after the presentation, Davis said the
Houston Fusion Center uses a number of technology platforms for
gathering and processing data from surveillance and intrusion detection
systems. Security technology integration has a role, but Davis could not discuss specifics. "There are lots of platforms.
Each one has its advantages and disadvantages, which is why there are
so many of them," he said.<br />
<br />
During NLE 09, the Houston Fusion Center used Google Earth as
its geographical information system, and was able to drill down to
details of specific locations using other geographic software and
building data that was layered on. <br />
<br />
 
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/JHifgbq-hro" height="1" width="1"/>]]></content:encoded><description>The U.S. Department of Homeland Security is working with state and local agencies to support a network of state and regional intelligence service centers, or fusion centers, designed to gather and share information and intelligence on potential threats.</description><feedburner:origLink>http://www.experteditorial.net/securitysquared/2010/02/regional-fusion-centers-help-connect-dots-on-large-scale-threats.html</feedburner:origLink></item><media:rating>nonadult</media:rating></channel></rss>
