Perfection Series: “Data Loss Prevention – Taking it to the Next Level with McAfee DLP Integration in Stopping Data Leakage” by Andy Thurai

Intel recently announced that by combining the strength of Intel® accelerated processing and McAfee® enterprise-level security we are taking our solutions to the next level and helping our customers extend their applications far beyond the traditional perimeter in a very secure manner.

I had the privilege of previewing our integration between the Enterprise Service Gateway (ESG) and McAfee DLP (Data Loss Prevention), and it was amazing. I am excited to share some of those features and what you can expect in coming releases.

McAfee DLP is a data leakage prevention solution that safeguards business-critical information by scanning the network for sensitive data and ensuring that it doesn’t leak outside the corporate network. It also offers pre-configured policies for HIPAA, PCI, etc.

ESG is a Swiss army knife, which can be used as a secure gateway, XML Firewall, application level gateway, identity mediator, Web Service proxy, edge security device, etc.

Obviously this applies only to data in motion, not to data at rest. What is more interesting is that it is policy driven and can be identity-based or role-based. Now, that is powerful.

The ESG sits in the line of traffic and sends messages to DLP to find out whether any part of a message is considered sensitive. If the message is considered sensitive, it can be terminated. Keep in mind that it can also be applied as a reverse proxy to incoming messages if, for compliance or auditing reasons, you want to inspect messages containing certain sensitive information as they enter your enterprise.


As you can see, integrating with DLP is as simple as dragging the DLP action item and dropping it onto the palette. Once you’ve done this, enter the host/port and any other relevant information and your workflow is DLP-enabled. Essentially this means all of your edge devices can be connected to one central place that scans outgoing traffic for sensitive information to stop data leaks. Now imagine the power of that. All of your edge devices, whether Application Firewalls, Web Gateways or XML Firewalls, can be connected to a central place which scans your outgoing (and, if necessary, incoming) messages for sensitive information based on corporate policies and compliance requirements.
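
The flow described above, an in-line gateway that hands each message to a DLP classifier and terminates or forwards it according to a policy keyed on direction and caller role, as an added example in Python. This is illustrative code written for this page, not the ESG or McAfee DLP product code: `dlp_classify` stands in for the network call to the DLP server, the PCI and HIPAA detectors are deliberately simple (a Luhn-validated card number and a constructed medical-record-number format), and the policy table, roles and sample messages are all constructed.

```python
"""In-line gateway consulting a DLP classifier (added example, not Intel or McAfee code)."""
import re


def luhn_valid(digits):
    """Luhn checksum; filters random digit runs (tracking numbers etc.) out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digit card number, optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed medical-record-number format used by the HIPAA rule
MRN_RE = re.compile(r"\bMRN[- ]?\d{6,8}\b")


def dlp_classify(payload):
    """Stand-in for the DLP service call: returns the set of policy labels found."""
    labels = set()
    for m in PAN_RE.finditer(payload):
        if luhn_valid(re.sub(r"\D", "", m.group(0))):
            labels.add("PCI")
    if MRN_RE.search(payload):
        labels.add("HIPAA")
    return labels


# Constructed policy: which labels a role may carry through in each direction.
# A role not listed falls back to the direction's "default" entry.
POLICY = {
    "outbound": {"default": set(), "billing": {"PCI"}},
    "inbound": {"default": {"PCI", "HIPAA"}, "anonymous": set()},
}

AUDIT = []  # every decision is recorded, whether forwarded or terminated


def gateway_handle(direction, role, payload):
    """PEP-style decision: classify, compare with the role's allowance, act."""
    labels = dlp_classify(payload)
    allowed = POLICY[direction].get(role, POLICY[direction]["default"])
    violations = labels - allowed
    action = "terminate" if violations else "forward"
    AUDIT.append((direction, role, action, sorted(labels)))
    return {"action": action, "labels": sorted(labels), "violations": sorted(violations)}


def run_demo():
    """Constructed messages through the gateway; returns the action taken for each."""
    samples = [
        ("outbound", "sales", "Customer paid with 4111 1111 1111 1111, ship today"),
        ("outbound", "billing", "settle 4111111111111111 amount 42.00"),
        ("outbound", "sales", "tracking number 1234567890123456"),
        ("inbound", "partner", "lab result for MRN-1234567 attached"),
        ("inbound", "anonymous", "lab result for MRN-1234567 attached"),
    ]
    return [gateway_handle(*s)["action"] for s in samples]


if __name__ == "__main__":
    for entry, action in zip(AUDIT, run_demo()):
        print(entry, "->", action)
```

The third sample shows why the Luhn check matters: a sixteen-digit tracking number matches the card-number pattern but fails the checksum, so it is forwarded rather than terminated. A real deployment would replace `dlp_classify` with the call to the DLP server and feed `AUDIT` to the compliance log.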

The great thing is that you can build policies as needed. McAfee DLP has functionality known as capture. Using McAfee capture technology you can not only look for data, but also capture all the data that is going out. The captured data lets you see real-world patterns of data usage and replay this history to adjust and refine your scans. This provides the comfort and confidence that you are aware of planned and new threats as they evolve.

We integrated with McAfee DLP not just to show off that we are part of a bigger security organization, but also because it is a top-notch solution in the market. As you can see in the Gartner and Forrester analyst ratings below, the analysts agree.


I hope you will be as excited as I am when you see this solution in action and see how easy it is to configure and use (and re-use).  If you need more information on this or on our solutions in general please check out www.intel.com/go/identity or reach out to me.


Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel

Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role he is responsible for helping Intel/McAfee field sales, technical teams and customer executives. Prior to this role he has held technology architecture leadership and executive positions with L-1 Identity Solutions, IBM (Datapower), BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20 years of IT experience.

He blogs regularly at www.thurai.net/securityblog on Security, SOA, Identity, Governance and Cloud topics. You can find him on LinkedIn at http://www.linkedin.com/in/andythuraiandythurai.

What You Need to Know about API Security

Since the growth of APIs “hockey-sticked” around 2005, the proliferation of web-based APIs has spanned every industry and vertical from e-commerce to map services to enterprise. APIs like those of Twitter, Amazon, and Netflix garner billions of API calls every day, and these represent just a few of the more visible ones. With this rapid growth, on the order of 300-400 new APIs arriving each month, security is an ever-increasing concern. Enterprise-focused, SaaS-based APIs are among the fastest growing segments, and in light of this, securing company assets and Data Loss Prevention are paramount. The perimeter of enterprise networks has become amorphous as workflows increasingly leverage platforms and applications beyond the firewall. So what does that mean for your organization’s security?

Attend our May 10th webinar featuring Intel, McAfee, and tech analyst & CTO, Dan Woods for an advanced perspective on what you should do to ensure API Security, specifically as related to Authentication, DLP, and Validation Controls.

For more information about Intel Expressway Service Gateway — with free webinars, tutorials and expert blogs on securely exposing Web Services in the Cloud, please visit us at: www.intel.com/go/identity

Intel Expressway Outpaces IBM DataPower by 6x to 10x in a Direct “Apples to Apples” Comparison

Prior to the release of Intel’s XEON processor E5-2600, Intel Expressway Service Gateway (also available as McAfee Services Gateway under the McAfee Cloud Security Platform Suite) was already providing superior performance and value. However, with the record-breaking E5-2600 – delivering leadership performance, best data center performance per watt and breakthrough I/O innovation – the distance between front-runner Intel and IBM WebSphere DataPower XI50 has increased dramatically.

Our customers can take advantage of continuous chip improvements with the easily upgradeable software appliance form factor. Intel Expressway Service Gateway outpaces IBM DataPower by 6x to 10x in a direct “apples to apples” comparison at a fraction of the total cost.

Read this performance comparison report to learn all about it:

For more information about Intel Expressway Service Gateway — with free webinars, tutorials and expert blogs on securely exposing Web Services in the Cloud, please visit us at: www.intel.com/go/identity

Webinar: Applying Strong Authentication and Data Loss Prevention to Collaborative File Sharing (April 26)

Join us for what will be a very informative webinar on Applying Strong Authentication and Data Loss Prevention to Collaborative File Sharing

April 26th 2012 – Time: 10:00 AM PDT, 1:00 PM EDT

> Register Now

Employees love the convenience and utility of collaborative file sharing applications like Box. Sharing contracts, graphics/video files, or other corporate content using a cloud-based service empowers users to share information directly with external partners, outside traditional enterprise security controls.

While you want to encourage productivity, you also need a strategy that addresses how you’re going to control access to file sharing applications and inspect data before it leaves the enterprise.

In this webinar Intel, McAfee and Box join forces to discuss how your sensitive content can be protected throughout the collaboration life cycle—from access and upload to download and distribution.

You will learn:

  • Overview of typical file sharing use cases and workflows
  • Streamlining access for users
  • Tying federated authentication to corporate ID stores
  • Adding 2nd factor strong authentication for sensitive document security
  • Blocking sensitive files from upload
  • On-prem, 100% in the cloud, and hybrid SaaS access options

As a bonus, all attendees will be eligible to receive a free enterprise trial account from Box.


For additional information, please visit www.intel.com/go/identity


Andy Thurai, on Defining and Measuring “Perfection”

A few weeks ago I had a conversation with a customer of mine and we discussed this very topic. How do you measure perfection? It’s a good question worthy of inquiry. I was really surprised at the different answers suggested in the conversations that ensued.

Perfection is, as stated by the Merriam-Webster dictionary, “broadly, a state of completeness and flawlessness, an unsurpassable degree of accuracy or excellence”. Some would also say perfection is the absence of judgment. :)

If you operate within a Math or Science context, the term perfection is actually used to designate a range of diverse concepts. These concepts have historically been addressed in a number of discrete disciplines, notably mathematics, physics, chemistry, ethics, aesthetics, ontology and theology.

To an extent, “perfection” is a state of mind. Why am I telling you all of this? I was asked the question “Is your solution perfect for our situation?” So instead of pursuing a quest for the meaning of perfection (and the meaning of life), I thought I would take this opportunity to write a series of blogs in which I highlight our solution capabilities and recent enhancements that may make our solution perfect for you! (You knew that plug was coming, right?)

A few years back (I worked for a competitor at the time), I was visiting a customer of ours to discuss a complex architectural issue they were having. I sat down with the Security Architect, Enterprise Architect, and the CISO of a big insurance company (who shall remain unnamed) to discuss an issue. To show me the issue at hand, they pulled up a specific transaction to analyze. There it was, the admin password for the system (the holy grail), for their important backbone component, baring its nakedness to us in clear text. In all fairness, the ‘most verbose log feature’ was turned on to debug a specific issue in that situation. After we joked about the fact that I now knew the admin password for their backbone and for their entire enterprise, I was told I was going to spend most of my life in a corner of their data center sleeping on a rug!

The conversation got very serious when we talked about how admin passwords should NEVER be displayed, in clear text, on any log for any reason.  I took this noted and avoidable vulnerability back to my Product Management/Engineering teams. To my surprise, the concern was brushed aside as a non-issue.

A risk of this magnitude could easily be considered a major compliance issue if your organization deals with HIPAA and/or PCI compliance. Regardless of whether the most verbose mode is turned on, if you leave PCI or PII (personally identifiable information) data visible in logs in clear text, you are creating potential breaches. As is sometimes the case, log data gets lost and, at the most inopportune time, could be unearthed during an audit. Aside from exposing oneself to the risk of not properly safeguarding data, those risks multiply when failed audits lead to very expensive fines.

The California Supreme Court recently ruled, in Pineda v. Williams-Sonoma, that zip codes are “personally identifiable information” (PII) under California’s Song-Beverly Credit Card Act (California Civil Code section 1747.08), reversing the Court of Appeal’s decision. Penalties of up to $250 for the first violation and $1,000 for each subsequent violation can accrue, without there even being any allegation of harm to the consumer.

Section 1747.08 of this law states that a retailer cannot ask customers for PII (including zip codes), or record it, during credit card transactions. (I have distilled the legalese for you; those so inclined may read the statute in its entirety at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1747-1748.95.) Though this currently applies only to PCI compliance, there are laws pending in California (and in other states) around the essence of PII. This may end up being germane to medical records, EHR (Electronic Health Records), prescription information, etc.

Initially it could be limited to SS#, PAN (credit card info), date of birth, zip codes, address, age, gender, password (in the corporate world), etc. However, safeguarding data could potentially expand into several other domains. All organizations need to be cognizant of how laws and regulations continue to change at the state and national level and how they vary from one country to another. Imagine if you are using a cloud provider which is hosting your data in a country not of your choice, where you have virtually no control.
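
The admin-password-in-the-debug-log story above, and the list of data classes that follows it, come down to one engineering control: scrub sensitive values before a log line is written, no matter how verbose the logging level. The following is an added example in Python of such a control, written for this page; it is not Intel’s Log Redact or Data Redact feature. It redacts by field name (password, ssn, zip, dob, token and similar constructed keys) and by pattern (a dashed SSN and a 13 to 19 digit card number), and it hooks into the standard `logging` module as a handler filter so that it applies after `%`-style arguments have been formatted, which is where leaks usually hide. The sample log calls are constructed.

```python
"""Redacting log filter (added example; not Intel's Log Redact or Data Redact features)."""
import io
import logging
import re

# Field names whose values must never reach a log line (constructed list).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "ssn", "dob", "zipcode", "zip")

# key=value / key: value pairs; the value may be quoted or a bare token
KV_RE = re.compile(
    r"(?i)\b(%s)(\s*[=:]\s*)(\"[^\"]*\"|'[^']*'|\S+)" % "|".join(SENSITIVE_KEYS)
)
# US SSN written with dashes
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digit card number, optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_text(text):
    """Mask sensitive values in already-formatted text.
    Card numbers keep their last four digits, which support staff usually need."""
    text = KV_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)
    text = SSN_RE.sub("[REDACTED-SSN]", text)
    text = PAN_RE.sub(
        lambda m: "[REDACTED-PAN-%s]" % re.sub(r"\D", "", m.group(0))[-4:], text
    )
    return text


class RedactingFilter(logging.Filter):
    """Rewrite the fully formatted message so %-style arguments are covered too.
    Attached to the handler, it runs before anything is written."""

    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


# Constructed log calls of the kind a "most verbose" debug mode produces
SAMPLE_MESSAGES = [
    ("login attempt user=%s password=%s", ("alice", "S3cret!")),
    ("charging card %s for order %s", ("4111 1111 1111 1111", "A-17")),
    ("new customer ssn=%s zip=%s dob=%s", ("123-45-6789", "94105", "1980-01-02")),
    ("debug trace token: %s", ("eyJhbGciOi.example",)),
]


def render_with_redaction(messages):
    """Log each (format, args) pair through the filter and return the rendered lines."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("redact-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    for fmt, args in messages:
        logger.debug(fmt, *args)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in render_with_redaction(SAMPLE_MESSAGES):
        print(line)
```

The filter sits on the handler rather than the logger so that it also covers records that propagate in from child loggers. The card-number pattern here is deliberately permissive and will also mask other long digit runs; if that is a problem for troubleshooting, add a Luhn check before masking, as a DLP classifier would.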

In the next few blogs I am going to talk about our Log Redact, Data Redact, Data privacy, Compliance, Encryption and Tokenization capabilities, which will help address some of the aforementioned issues. They not only help you address today’s needs but will also enable you to “change direction” as necessary as incipient changes come to fruition.

You may already know that Intel acquired McAfee, the leader in the security software business, over a year ago. We are quickly seeing the successful integration of both entities. As part of this perfection series, I’m going to share with you in greater detail our integration efforts with McAfee security components. At the end of this series, you’ll get a sense of the palpable energy and the synergies that are helping us bring even better solutions together for our customers.

As for that company that gave me a rug to sleep on in the datacenter corner for sharing their family secrets? I wish I had had this solution set handy at that meeting! Oh well, comfortable sleep is often overrated anyway.

If you would like a sneak preview of some of the solutions that I’m going to address in this blog series, please visit:

http://www.intel.com/go/identity

http://software.intel.com/en-us/articles/Expressway-Tokenization-Broker-Reduce-PCI-Scope/

Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel. Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role he is responsible for helping Intel/McAfee field and technical teams and customer executives. Prior to this role he has held technology and architecture leadership and executive positions with L-1 Identity Solutions, IBM Datapower, BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20 years of IT experience.


Our SaaS CloudSSO – par excellence

Essentially, that is what it is. Recently we announced our Force.com-based Cloud SSO solution. What is unique about this is that we are the first (and as of now the ONLY) solution that allows Force.com user identities to be federated not only across Force.com applications but also across other cloud providers.

We provide Identity for the cloud in the cloud – now that is different, isn’t it?

I know, I know… there are about half a dozen vendors that claim to provide a Cloud SSO solution. So why are we different from, or better than, the others?

We provide a fusion bringing together the best of McAfee and Intel. We bring years of advanced security research and our multi-tenant cloud security suite from McAfee, coupled with Intel’s Identity offering that includes SSO, hardened provisioning/de-provisioning and an escalated authentication (OTP) solution.

Everyone knows that salesforce.com is all about the cloud and SaaS, right? But once you set up your users/identities in the Force.com platform, they can only be used there. If you need to set up another SaaS application, your administrator needs to set up the user base all over again. Even though there are tools available to make this process easier, it is still a chore. Imagine if you could set up the identities and policies once and run forever. If your users have to remember only ONE password, you can enforce very strong passwords. This would not only reduce security risk (imagine a SaaS application with a weak password… what can be more dangerous than that) but could also eliminate many help desk password reset calls from frustrated users.

One pivotal and often unspoken benefit is the increase in productivity when a user can seamlessly navigate between applications.

Our solution also includes hardened, proven provisioning/de-provisioning which takes care of syncing identities across applications and across multiple cloud providers. There is also built-in escalated authentication using a second factor, which comes in handy when someone tries to use sensitive applications. Our OTP (One Time Password) solution allows users to provide the second factor (something you have, in addition to something you know).

If you missed our recent announcement about the beta release at RSA check it out here.

http://www.networkworld.com/news/2012/022712-intel-cloud-sso-256621.html

http://software.intel.com/en-us/blogs/2012/02/27/introducing-cloud-idaas-intel-cloud-sso/

For more details, check us out at IntelCloudSSO.com

Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel.


451 Group Report on Intel Cloud SSO

When we introduced Intel Cloud SSO Beta last week at the RSA conference, Steve Coplan, Senior Analyst with the 451 Group Enterprise Security Practice, wrote a report on Intel’s solution.

A few highlights from the report:

  • Intel’s cloud access broker strategy, predicated on the convergence of authentication and federation with API governance, as well as roadmap integration of McAfee security functionality, makes for a compelling vision.
  • Intel is looking to make a splash by providing bundled pricing for application connectors, federated single sign-on (SSO) and authentication.
  • As we outlined some three years ago, by introducing a new network topology, cloud computing establishes the need for a new network device that we refer to as a cloud access gateway. As the API revolution takes hold, security and access management for the cloud is a stepping stone to solidifying Intel’s ambitions to addressing the opportunity.

You can read the complete 451 Group research report here.

Intel introduces IAM as-a-service for cloud apps

At the RSA conference 2012 this week, we’re excited to introduce a new cloud service, “Intel Cloud SSO”, for enterprises to provide Identity and Access Management (IAM) for cloud applications from the cloud. The service runs on Salesforce’s Force.com platform-as-a-service (PaaS) and offers secure, seamless single sign-on access to 100+ SaaS applications through pre-built connectors. End users have to remember just one password to log in to the service’s SSO portal, from where they can launch all the applications they are allowed to access. This single sign-on experience eliminates password sprawl, improving security and user productivity. To help enterprise IT deal with on-boarding/off-boarding of users, the service includes role-based automated provisioning/de-provisioning of user accounts into cloud apps.

Intel Cloud SSO service is the cloud version of the Intel Expressway Cloud Access 360 (Intel ECA 360) on-premise software which was released during last year’s RSA conference 2011. We’ve implemented “Freedom Licensing” for both products that allows customers to use either Intel Cloud SSO or Intel ECA 360, or both, for the same license fee, providing ultimate flexibility to our customers.

The service provides enhanced security and improved IT controls by:

  • Including One-time Password based step-up authentication when accessing secure cloud apps. The built-in One-time Password technology supports mobile soft-tokens through a downloadable mobile app.
  • Customers using Intel Ultrabook client devices to access cloud applications can leverage the service’s seamless trusted device authentication by integrating with Intel Identity Protection Technology.
  • Including policies that IT can use to restrict access to cloud apps based on various contextual elements such as: which mobile device the user is accessing from, accessing from corporate network or not, etc.
  • Customers can use their corporate identity store (such as Active Directory) and Kerberos to authenticate into the service’s SSO Portal, thereby eliminating even the password required to sign in to the service’s SSO portal.

Do I need to be an IAM expert to use it?

No. When we were building Intel Cloud SSO, we laid out a basic tenet for the service: keep it simple. Anybody should be able to configure and use it without special skills. Having worked with other IAM systems in the past, this wasn’t an easy goal to achieve …

How can I get access to the service?

Currently, the service is in a Beta phase. You can apply for Beta by visiting www.intelcloudsso.com.

Is it available through McAfee?

McAfee (an Intel company) already sells Intel ECA 360 software as McAfee Cloud Identity Manager under the McAfee Cloud Security Platform (read post), and plans to include this service in its portfolio later this year.

Vikas Jain is Director of Product Management at Intel Corporation responsible for Cloud Identity and Security Products. You can follow him on Twitter @VikasJainTweet

Gunnar Peterson on Understanding Cloud Security Standards, part 3

Moving applications to the Cloud puts many enterprises in an unaccustomed position: the technology and processes that their business depends on aren’t under their sole control, but are rather a mix of responsibilities. The move to the Cloud is not a simple “forklift” migration where bits are copied to a Cloud Provider; instead, the architecture and assumptions must be reviewed and refreshed to meet the needs and constraints of Cloud systems.

Implementing authorization services with standards like XACML empowers the security architect to enforce policy via a Gateway and answer the authorization queries from the source with the freshest and most specific data. Often the information needed to resolve authorization requests is stored beyond the directory and only available in a database or other repository.

The Cloud presents real integration challenges to the enterprise; what Gartner calls Cloudstreams and Cloud Service Brokerages focus on “integration, governance, and security impact points.”

In Part 1, we examined four Anti-Patterns that enterprises should avoid as they move to the Cloud. These four Anti-Patterns are at the heart of dealing with the “Complexity Kills” problem that Gartner’s research shows as a recurring theme in Cloud migrations.

The four Anti-Patterns, each with its description and mitigation:

  • Low/No Access Control: “we’ll see if it works and then turn on security later”. Mitigation: strong access control protocols for authentication and authorization.
  • Replicating User Accounts: copying your Enterprise directory, in full or as an extract, to the Cloud Provider. Mitigation: retain enterprise provisioning on the Cloud Consumer side.
  • Copying Credentials: copying Enterprise access credentials to Cloud-based services. Mitigation: implement Federated Identity.
  • “Trusted” Proxy: the Gateway lacks support for security services and standards. Mitigation: implement improved access control, audit logging and monitoring on the Gateway.

In Part 2, we looked at how open standards like SAML, OAuth, and OpenID can be used to mitigate the Anti-Patterns. When it comes to the fine-grained authorization and Attribute Based Access Control that many Cloud applications require, standards like these are necessary but not sufficient for the overall identity architecture.

The old enterprise perimeter was based on network firewalls, but today applications are integrated, distributed via Cloud and consumed via Mobile apps. The network firewall is severely limited in this context. Fine grained authorization and Attribute Based Access Control help close out the gaps in Cloud Security by providing a Dynamic Perimeter that manages access control across these contexts.

Today’s reality is that users, systems and data are distributed. The genie is not going to be put back in the box, but access control policy enforcement can and should be centralized.

Centralizing access control policy enforcement is essential:

  • For Security architects, to understand the boundaries in the system
  • For developers, to know what and where to code for authorization operations
  • For auditors, to be able to review
  • For testers, to be able to identify vulnerabilities

Gateways are ideal for providing the Policy Enforcement Point function, to intercept requests before they reach the resource and ensure the request is authorized.

The trend line in access control points to more fine-grained access control and to authorization decisions being policy based (rather than hard coded).


The four Anti-Patterns that we discussed show why trends continue in the direction of increased granularity and policy based access control.

Low/no access control – “we’ll see if it works and then turn on security later”

Access control is too important to be left up to developer discretion. Authorization and access control should be configured in policy, not hard coded. Externalizing the application’s authorization gives the enterprise several important advantages, including flexibility to route authorization requests to the system that has the most specific and freshest information.

Replicating user accounts – copying your Enterprise directory, in full or as an extract, to the Cloud provider

XACML separates the Policy Enforcement Point (PEP: which protects the app) from the Policy Decision Point (PDP: which has the information to grant or deny the authorization request). This logical separation enables the enterprise to deploy its PEP on the Cloud Provider side to enforce authorization while routing requests to PDPs with the freshest and most specific attributes to answer the authorization request.

Separating the PEP and PDP means that the Gateway can intercept the request to the resource, route the request to the system with the freshest and most specific information, and enforce the policy. This pattern allows for a flexible, best-of-breed authorization architecture with the PEP and PDP tuned to control the authorization workflow. The PEP is responsible for enforcing the chain of responsibilities in authorization, and the PDP carries out that responsibility by querying data sources to grant or deny access. Note that the information needed to make the grant or deny decision may cross from the Cloud Provider to the enterprise Cloud.

Copying credentials – sometimes Enterprises copy credentials to Cloud-based services, and thereby create a new pool of identity risk to manage.

Separating the PEP and PDP eliminates the need to hard code individual credentials to resolve access control challenges. This is because the PEP queries the PDP on behalf of the user to verify the user’s attributes against the authorization target, including the Resource and Action requested.
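
The PEP/PDP split described in the preceding three paragraphs, as an added example in Python written for this page (not Arctec Group, Intel, or XACML reference code). XACML itself expresses policy in XML; here the same structure is shown with plain predicates so that the separation of concerns is visible: the gateway (`GatewayPEP`) only intercepts, asks and enforces, while the `PolicyDecisionPoint` pulls fresh subject and resource attributes from two constructed stores standing in for the enterprise directory and an application database, and evaluates them against a first-applicable, deny-by-default rule set. No user credential is ever copied to the resource side; the PEP passes only the authenticated subject identifier. User names, claims, roles and the approval limit are all constructed.

```python
"""Gateway as XACML-style PEP with a separate PDP (added example, not project code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str   # authenticated user id, e.g. taken from a SAML assertion
    resource: str  # e.g. "claim-1001"
    action: str    # e.g. "read", "approve"


# Constructed attribute sources (Policy Information Points). The PDP reads them
# on every decision, so the answer reflects the freshest data, not a copy.
DIRECTORY = {
    "alice": {"role": "claims_adjuster", "department": "claims"},
    "bob": {"role": "claims_adjuster", "department": "underwriting"},
    "carol": {"role": "claims_supervisor", "department": "claims"},
}
CLAIMS_DB = {
    "claim-1001": {"owner_department": "claims", "amount": 5000},
    "claim-1002": {"owner_department": "claims", "amount": 50000},
}
APPROVAL_LIMIT = 10000  # constructed business limit


def collect_attributes(req):
    """Merge subject, resource and action attributes into one bag.
    Returns None when either side is unknown, which the PDP turns into a Deny."""
    subject = DIRECTORY.get(req.subject)
    resource = CLAIMS_DB.get(req.resource)
    if subject is None or resource is None:
        return None
    return {"action": req.action, **subject, **resource}


# Rules as (name, condition, effect); first-applicable combining, deny by default.
POLICY = [
    ("adjusters-read-own-department-claims",
     lambda a: a["action"] == "read"
     and a["role"] in ("claims_adjuster", "claims_supervisor")
     and a["department"] == a["owner_department"],
     "Permit"),
    ("supervisors-approve-within-limit",
     lambda a: a["action"] == "approve"
     and a["role"] == "claims_supervisor"
     and a["department"] == a["owner_department"]
     and a["amount"] <= APPROVAL_LIMIT,
     "Permit"),
]


class PolicyDecisionPoint:
    """Owns the attribute lookups and the policy; returns (effect, rule name)."""

    def decide(self, req):
        attrs = collect_attributes(req)
        if attrs is None:
            return "Deny", "unknown-subject-or-resource"
        for name, condition, effect in POLICY:
            if condition(attrs):
                return effect, name
        return "Deny", "default-deny"


class GatewayPEP:
    """Intercepts the request, asks the PDP, enforces, and records an audit entry."""

    def __init__(self, pdp, backend):
        self.pdp = pdp
        self.backend = backend
        self.audit_log = []

    def handle(self, req):
        effect, rule = self.pdp.decide(req)
        self.audit_log.append((req.subject, req.action, req.resource, effect, rule))
        if effect != "Permit":
            return 403, "denied by " + rule
        return 200, self.backend(req)


def claims_backend(req):
    """The protected resource; it never sees a credential, only the decision."""
    return "%s %s ok" % (req.action, req.resource)


def run_demo():
    """Constructed requests through the gateway; returns (status codes, audit log)."""
    pep = GatewayPEP(PolicyDecisionPoint(), claims_backend)
    requests = [
        AccessRequest("alice", "claim-1001", "read"),      # own department: permit
        AccessRequest("bob", "claim-1001", "read"),        # other department: deny
        AccessRequest("carol", "claim-1001", "approve"),   # supervisor, under limit
        AccessRequest("carol", "claim-1002", "approve"),   # over limit: deny
        AccessRequest("mallory", "claim-1001", "read"),    # not in directory
    ]
    return [pep.handle(r)[0] for r in requests], pep.audit_log


if __name__ == "__main__":
    statuses, audit = run_demo()
    for entry, status in zip(audit, statuses):
        print(status, entry)
```

Because every rule is data in `POLICY` rather than a branch inside `claims_backend`, an auditor can read the complete authorization logic in one place, which is the point made under the “Trusted” proxy heading that follows.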

“Trusted” proxy – where trust is in name only

“Trust, but verify” means auditability. When authorization logic is strewn across millions of lines of code, auditing is impossible. Auditable systems must have authorization rules and logic that are clear and straightforward to review. Pulling key authorization policies out of the code and into XACML policies allows the Auditor to assess the target and ensure it meets the system owners’ goals.

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and federal/Gov systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He blogs at http://1raindrop.typepad.com.

What the Analysts are Saying…

Read what the analysts are saying about Intel & McAfee’s cloud access broker strategy.

Here’s a “birds-eye-view” on our new Analyst Consensus page

-Jeff
