Webinar: Applying Strong Authentication and Data Loss Prevention to Collaborative File Sharing (April 26)

Join us for what will be a very informative webinar on Applying Strong Authentication and Data Loss Prevention to Collaborative File Sharing

April 26th 2012 – Time: 10:00 AM PDT, 1:00 PM EDT

> Register Now

Employees love the convenience and utility of collaborative file sharing applications like Box. Sharing contracts, graphics/video files, or other corporate content using a cloud-based service empowers users to share information directly with external partners-outside traditional enterprise security controls.

While you want to encourage productivity, you also need a strategy that addresses how you’re going to control access to file sharing applications and inspect data before it leaves the enterprise.

In this webinar Intel, McAfee and Box join forces to discuss how your sensitive content can be protected throughout the collaboration life cycle—from access and upload to download and distribution.

You will learn:

• Overview of typical file sharing use cases and workflows
• Streamlining access for users
• Tying federated authentication to corporate ID stores
• Adding 2nd factor strong authentication for sensitive document security
• Blocking sensitive files from upload
• On-prem, 100% in the cloud, and hybrid SaaS access options

As a bonus, all attendees will be eligible to receive a free enterprise trial account from Box.

 

 

 

 

 

For additional information, please visit www.intel.com/go/identity

 

 

RSA 2012 Interview with Andy Thurai, Chief Architect of Intel’s Application Security & Identity Products Group

Watch this interview between Tom Field and Intel Application Security & Identity Products Group, Chief Architect Andy Thurai.  Andy talks about API management and the attendant issues including security, management, auditing, metering, monitoring and monetization.

You’ll hear Andy talk about Social APIs vs other APIs, as well as how Intel is providing mobile enablement. Andy talks about a platform that is technology, security, and identity agnostic, so that when messages are sent to a hosted app or a partners app, one has the appropriate mechanism to consume those messages coming in from mobile devices. Listen to Andy talk about Intel’s latest announcement made at RSA, about Cloud SSO  — visit www.intelcloudsso.com for more information.

RSA 2012 Interview with Andy Thurai

Intel® And Box® Join Forces For Increased User Convenience And Security

Cloud-based solutions empower organizations to exploit leading-edge technology, reduce costs, and improve productivity. A prime example is using secure file sharing solutions like Box® (www.box.com) to enhance collaboration, both within the organization and between enterprises.

Today, we are pleased to announce that Intel® has entered into a relationship with Box, a leader in the on-line file sharing and collaboration market. Now, Box customers can accelerate access to, and better protect, files stored on the Box cloud platform with end-to-end user account lifecycle management, consistent with enterprise security policies.

Box customers can use Intel® Expressway Cloud Access 360 (Intel® ECA 360) to provision and manage accounts on the Box platform, provide single sign-on (SSO) to their customers, and improve security with strong, multi-factor authentication, when needed. The combination of Intel ECA 360 and Box will help drive usage, improve productivity and address regulatory compliance directives. For more, visit the  Secure File Sharing resource page.

Cloud Access 360 2.0 version released

We’re happy to announce general availability of Intel Expressway Cloud Access 360 (ECA 360) 2.0 release. This new release adds a range of exciting new features designed to simplify and improve our customers ability to manage user’s access to popular cloud applications. Key new features and benefits include:

Built-in SSO portal	An out-of-box SSO portal is available with the product that can run standalone or embedded inside existing portals such as Sharepoint. Users authenticate once to the portal and enjoy convenient, seamless SSO access to any authorized cloud app. As SSO portals expose keys to the kingdom, login to it can be protected with 2-factor authentication using mobile based One Time Password (OTP) offered through the bundled OTP module.
More connectors	New out-of-the-box connectors are  available for popular cloud apps such as Microsoft Office365, Cisco WebEx, Box.Net, Service-Now, SugarCRM, Zoho, EchoSign, Schoology, and Joomla.
Transparent HTTP form-based SSO	Not every SaaS application support SAML based federation today. This feature allows customers to bring non-SAML apps into the SSO portal providing convenient, seamless access to users and enabling IT to achieve better control and visibility on SaaS application usage. This is achieved by enabling users to register user ID and password once on a web site and capturing the data for transparent SSO the next time the user accesses the app. The process is transparent to the user as they don’t even see the log-on screen.
Salesforce as an Identity Provider	Instead of authenticating the user against Active Directory, ECA 360 allows the user to be authenticated using Facebook, Google, Yahoo, and any OpenID provider. With this release, Salesforce as an Identity Provider has been added to this list. This enables our customers to let its contractor, partner and affiliate users to login into ECA 360 SSO portal using Salesforce credentials and further access cloud applications they are authorized to access.
Enterprise-class scalability	ECA 360′s ability to support more than 10,000 concurrent user authentications has been tested and verified.
Higher performance and availability	ECA 360 administrators can now run multiple instances in a clustered environment.
Other improvements	These include: support for short URL entry in a mobile browser, new compliance reports, and various bug fixes.

To learn more about the new and improved ECA 360 v2, please visit our web site at www.intel.com/go/identity.

Security Expert, Gunnar Peterson, on Understanding Cloud Security Standards, Part 2

For any technology, it’s important to understand what problems it’s meant to address. In the last post we looked at Cloud Security Anti-Patterns. An Anti-Pattern represents an ineffective or counterproductive practice. In moving to the Cloud several Anti-Patterns have emerged that enterprises should be on the look out for and Identity architecture goals to address these issues for Cloud applications. Enterprises moving to the Cloud should identify if they have Anti-Patterns summarized in the following table and seek to mitigate:

Enterprises moving to the Cloud must avoid the Cloud Security Anti-Patterns. Luckily there are a set of open standards to use in this endeavor. Unfortunately, for enterprises there are many standards to choose from and it can be difficult at first to decipher what standards are addressing which problem set.

SAML, OAUTH, OpenId, and XACML are widely regarded by Cloud Security Alliance, Cloud providers, and the tech community as a whole as key building blocks to the Cloud. In each case, these standards have a unique value proposition towards addressing the Cloud Security Anti-Patterns.

Low/no access control – “we’ll see if it works and then turn on security later” This mindset is not limited to Cloud applications, its been around since the dawn of IT, but its at the root of many of thorniest issues in security. When security is not factored into the design at the beginning stages its very, very complicated to add it in later.

Home builders will often run wires and pipes inside walls of the homes they are building, leaving stubs where sinks, appliances and electric outlets can be added later. After all, who wants to rip up their walls just to add a new electric outlet?

Enterprises moving to the Cloud must look for strong access control protocols that enable:

• Tamper proof credentials
• Encrypting sensitive data
• Secure attribute exchange
• End to end authentication

Cloud security standards like SAML, OAUTH, OpenId, and XACML enable enterprises to move their applications and data to the Cloud while still implementing an access control regime that meets policy goals around enterprise control as described above.

Like deciding where the sinks should go while building out your houses’ foundation – with all the choices in identity standard, it can be difficult to know which one enterprises should implement. What’s important is to choose a Identity standards for you applications that are designed for newer Cloud applications because low and now access control leaves too many holes.

Replicating user accounts – copying in full or an extract your Enterprise directory to the Cloud provider. There are several security and compliance nightmares at work here. The Enterprise directory’s purpose in life is for the Enterprise to manage its user accounts, provision, deprovision, and assign group and role membership so that the business runs efficiently. Adding points of administration is a proven way to make this process less efficient and more error prone.

Of course, the problem with Replicating user accounts to the Cloud is immediately clear for most security architects, but the solutions can seem more elusive. The solution in this case requires that the Enterprise Directory stays under Enterprise control and management while still allowing for fine grained access control decisions on the Cloud Provider side. The challenge then is to facilitate the movement of identity information from the Enterprise-controlled User directory and give the Cloud provider applications the attributes they need to make authorization decisions. Oh, and your users would probably like Single Sign On (SSO) as well.

This is where standards like SAML provide a lot of value. Enterprises using SAML designate their Enterprise Directory as the Identity provider and the Cloud Service Provider consumes identity information as needed from the enterprise directory. The key distinction here is that the Cloud provider doesn’t manage the identity information. SAML profiles provide the standard protocols that enable applications to provide Single Sign On user experience and securely exchange attributes. This means the Cloud provider can make access control decisions based on identity information in the Enterprise directory without owning the management (and risk) of that directory.

Copying credentials – sometimes Enterprise copy credentials to Cloud based services; and thereby create a new pool of identity risk to manage. Related to the previous Replicating User Account Anti-Pattern, sometimes Enterprises will seek a temporary work around for Cloud Applications by copying credentials like system accounts and passwords that enable a magical, back door access to certain apps or data. Like all magic, its fun for a kids’ party trick, but not for running a business on.

Enterprises using Cloud application should focus on getting the benefits of the Cloud – scale, distribution, cost savings – but not confuse those benefits with a system that should be trusted with enterprise secrets. Credentials should remain under direct enterprise governance. Copying credentials like passwords to the Cloud Provider simply introduces too much risk where the credentials can be used to effect changes to enterprise accounts and systems.

As with the Replicating User Accounts Anti-Patterns, Enterprises should seek to enforce a separation with Identity Management (owned on the Enterprise side) versus Identity Consumption (owned on the Cloud Provider side) through standards like SAML, OpenID and oauth.

“Trusted” proxy – where trust is in name only As we discussed in Part 1, the first step to dealing with Cloud Security Anti-Patterns is deploying a Policy Enforcement Point to give the Information Security team a place to implement controls that avoid the Anti-Patterns and enable more robust security architecture. There is not a magic “pizza box” that you can simply route your Cloud traffic through to get the kind of security Cloud applications need.

The Proxy or Gateway that you select for mediating the communications to your Cloud provider(s) should be selected based on its support for identity and access standards, monitoring visibility, and ease of integration. The Cloud Security Alliance (https://cloudsecurityalliance.org/) guidelines provide a robust starting point for planning for these capabilities; these should be factored in from the very first Cloud deployment for your enterprise.

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and federal/Gov systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He blogs at http://1raindrop.typepad.com.

Forrester Cloud Jam Session DAY 1: Adaptive Strong Auth & Federated SSO – The New Power Couple

Join us this Wednesday, July 27, 2011 at 10am Pacific (replay will be available after initial broadcast) as Eve Maler, Principal analyst at Forrester and Vikas Jain, Director of Product Management for Intel Cloud Identity and Security shed light on how strong authentication should be added to deliver an enterprise class secure cloud access implementation.

Register here:

Enterprises are adopting federated SSO to cloud SaaS apps such as Google Apps and Salesforce to reduce helpdesk costs associated with password resets. But there’s another good reason to centralize authentication in the enterprise: it lets you you perform two-factor strong authentication to enable secure access to these cloud applications. Strong authentication via hardware tokens has been used to secure internal app access for some time, but recent events have shown this method to have serious downsides. As the cloud, partners, and a remote workforce drive demand for access to sensitive applications outside the traditional firewall, clearly a more convenient, adaptive, and portable strong authentication model is required. The emergence of federated internet SSO and mobile-based software tokens provide a more powerful, flexible approach.

Security Expert, Gunnar Peterson, on Leveraging Enterprise Credentials to Connect with Cloud applications

Many pundits say that you must pick a Cloud Provider and trust them. I beg to differ. First off why should we trust the Cloud Provider? A Cloud Consumer wants to leverage the Cloud Provider’s capabilities for functionality and scale where it makes but why should this equate to blind naïve trust? And anyway, what specifically is the Cloud Consumer trusting the Cloud Provider? As the old country music song says, “In God, we trust, all others pay cash.”

Instead of blindly trusting the Cloud provider to do the right thing (and a glance at any recent news will show how hard this is in practice) it makes more sense for the Cloud Consumer, e.g. you, to limit how much control you choose to pass to the Cloud Provider. One technique for accomplishing this is to retain control of User Account Management at the Cloud Consumer site.

When the Cloud Consumer retains the responsibility for User Account Management, the security architecture gains in several ways:

• Choice of authentication techniques
• Freshest, most accurate data, and the ability to leverage enterprise provisioning
• Visibility into account usage
• Auditability of user account stores
• Verification of account ownership

To realize these benefits the Cloud Consumer company must ensure that their local user account information and sessions can be integrated with the Cloud Provider. A starting point for most of these efforts relies on using SAML as a strong, standard based method to integrating Cloud Consumers with Cloud Providers. The Cloud Consumer plays the role of the SAML Identity Provider and the Cloud Provider plays the roles of the SAML Relying Party. This style enables the Cloud Consumer to retain control of the User Accounts and issue standards-based assertions for the Cloud Provider to make run time decisions based on authentication, authorization and attribute sharing scenarios.

Enterprises have demonstrated the desire to explore a wide variety of authentication techniques, driven in some cases by authentication strength and other times by constraints. Below is a list of authentication methods supported in the SAML standard:

• IP
• IP Password
• Kerberos
• Mobile One Factor Unregistered
• Mobile Two Factor Registered
• Mobile One Factor Contract
• Mobile Two Factor Contract
• Password
• Password Protected transport
• Previous Session
• Public Key X.509
• Public Key PGP
• Public Key SPKI
• Public Key XML Digital Signature
• Smartcard
• Smartcard PKI
• Software PKI
• Telephony
• Telephony Nomadic
• Telephony Personalized
• Telephony Authenticated
• Secure remote password
• SSL/TLS Client Authentication
• Time Sync Token
• Unspecified

First off, holy protocol soup, Batman! What this clearly shows is that authentication remains a moving target. Recent troubles at RSA (http://online.wsj.com/article/SB10001424052702304906004576369990616694366.html) show there is not an end in sight to this trend. Authentication is clearly something that enterprises will continue to iterate on and attempt to improve upon.

As security architects, we should expect authentication technologies to continue to evolve and support a wide variety of techniques. The architecture should insulate the consuming applications like Cloud Providers from this change, and the standard SAML tokens and protocols give us a way to do this.

 

The enterprise user’s credential, whether 2 Factor, Password, PKI or one of the myriad of other choices is insulated from the integration between the Cloud Consumer and Service provider. This separation of concerns means that changes in authentication technology or in Cloud application should not ripple through the architecture. The separation of authentication concerns from the Cloud creates a pragmatic way to address the enterprise authentication and credential choice locally at the Cloud Consumer.

To enable this separation, the security architect should work on design patterns along the following integration points:

• User
  • Identify enterprise user credential types in use for Cloud Applications
• Cloud Consumer
  • For the Credential types in play identify where and how they can be integrated with Access software such as SAML Identity Providers
  • Identify what use cases and level of support is required from the Identity Provider – authentication, authorization, and attribute sharing
• Cloud Provider
  • Agree upon protocol and formats and what authentication context is required to propagate to the Cloud provider.
  • Ensure that the Cloud Provider targets can consume the selected identity use cases – authentication, authorization and attribute sharing
  • Ensure that session management implements a consistent policy

The role of the SAML provider providing access in this case play a dual role crossing the chasm from byzantine enterprise authentication to more open Cloud Providers while not losing the fidelity of the original session.

For further research on how this may apply to your planned Cloud application scenarios, the Dynamic Perimeter site shows a number of real world Use cases and integration examples

http://www.dynamicperimeter.com/products/cloudaccess360

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and federal/Gov systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He blogs at http://1raindrop.typepad.com.

McAfee’s new Cloud Security Platform includes Intel’s Cloud Access 360

McAfee (Intel subsidiary) announced the McAfee Cloud Security Platform that includes 2 modules from Intel – Intel Expressway Cloud Access 360 (ECA360) and Intel Expressway Service Gateway.

Follow the data

The platform helps build secure bridge to the cloud by securing all content and data traffic – including web, identity and email traffic – moving between an organization and the cloud. “By securing the data and traffic before it travels to or through the cloud, we help businesses extend their security practices and policies into the cloud.”, said Marc Olesen, senior vice president and general manager, Content and Cloud Security, McAfee.

Forrester’s Jonathan Penn noted that as data and applications are moving to the cloud, customers are faced with 2 issues • How do I secure the data? • How do I control access to the applications consuming data?

While McAfee Web Protection and McAfee Email Protection stops threats to web and email data, Intel ECA360 secures access to cloud applications and Services Gateway secures access and stops threats to cloud services.

ECA360 Benefits:

1. Get access control to cloud applications
2. Reduce risk through multi-factor authentication and automated de-provisioning
3. Increase compliance through centralized audit store logging access to all cloud applications

ECA360 Features:

1. Federated Single Sign-On (SSO) – into SaaS applications such as Salesforce, Google, and custom applications deployed on PaaS.
2. 2-factor strong authentication – provided through convenient mobile tokens or SMS and email.
3. Provisioning and De-Provisioning of users – policy based automation of this task

Deployment:

ECA360 co-exists with McAfee Web Protection (on-prem or SaaS) through the following deployment architecture.

Force10 cloud-in-a-rack includes Intel’s Cloud Access 360

Force10 Networks, the leader in high-performance data center networks has entered into an agreement with Intel to incorporate Intel Expressway Cloud Access 360 (ECA360) software into its top-of-rack (ToR) switching solutions to extend the functionality of its Open Automation Framework delivering secure cloud-in-a-rack solution. “We expect the combined solution will help move the Enterprise beyond tightly controlled private clouds to more scalable, open public cloud deployments.”, said Girish Juneja, director, application security and identity products at Intel. The initial integration is being done with Force10 S-Series S7000 Open Cloud Switch and virtual appliance modules.

Benefits:

Customers receive following benefits from this integration. 1. With ECA360 deployed in ToR switch of a cloud-in-a-rack solution, latency associated with additional network hop is greatly reduced given Force10’s 40Gbe network connectivity. 2. ECA360 secures access to both applications deployed on Force10’s cloud-in-a-rack and applications accessed in public cloud. Built-in multi-factor authentication reduces risk and provides enhanced security. 3. Applications deployed on Force10’s cloud-in-a-rack become federation enabled accepting SAML and OAUTH tokens, and can single sign-on (SSO) with public cloud applications such as Salesforce and Google Apps.

For a complete feature list visit the ECA360 product page.