Webinar: Applying Strong Authentication and Data Loss Prevention to Collaborative File Sharing (April 26)

Join us for what will be a very informative webinar on Applying Strong Authentication and Data Loss Prevention to Collaborative File Sharing

April 26th 2012 – Time: 10:00 AM PDT, 1:00 PM EDT

> Register Now

Employees love the convenience and utility of collaborative file sharing applications like Box. Sharing contracts, graphics/video files, or other corporate content using a cloud-based service empowers users to share information directly with external partners-outside traditional enterprise security controls.

While you want to encourage productivity, you also need a strategy that addresses how you’re going to control access to file sharing applications and inspect data before it leaves the enterprise.

In this webinar Intel, McAfee and Box join forces to discuss how your sensitive content can be protected throughout the collaboration life cycle—from access and upload to download and distribution.

You will learn:

• Overview of typical file sharing use cases and workflows
• Streamlining access for users
• Tying federated authentication to corporate ID stores
• Adding 2nd factor strong authentication for sensitive document security
• Blocking sensitive files from upload
• On-prem, 100% in the cloud, and hybrid SaaS access options

As a bonus, all attendees will be eligible to receive a free enterprise trial account from Box.

 

 

 

 

 

For additional information, please visit www.intel.com/go/identity

 

 

Our SaaS CloudSSO – par excellence

Essentially that is what it is. Recently we announced our Force.com based Cloud SSO solution. What is unique about this is that we are the first (and as of now the ONLY) solution that will allow Force.com user identities to be federated not only across Force.com applications, but also across other cloud providers as well.

We provide Identity for the cloud in the cloud – now that is different, isn’t it?

I know, I know… there are about half of a dozen vendors that claim to provide a Cloud SSO solution. So why are we different or better than the others?

We provide a fusion, bringing together the best of McAfee and Intel.   We bring years of advanced security research ,  our multi-tenant offering cloud security suite from McAfee, coupled with Intel’s Identity offering that includes SSO, hardened provisioning/de-provisioning and an escalated authentication (OTP) solution.

Everyone knows that salesforce.com is all about the cloud and SaaS, right? But once you set up your users/ identities in the Force.com platform it can be only used there. If you need to setup another SaaS application then your administrator needs to setup the user base all over again. Even though there are tools available to make this process easier it is still a chore. Imagine if you could have the power to set up the identities and policies once and run forever. If your users have to remember only ONE password then you could enforce the passwords to be very strong. This would not only reduce the security risk (imagine a SaaS application having a weak password… what can be more dangerous than that) but it could also help with eliminating a lot of help desk password reset calls from frustrated users.

One pivotal and unspoken benefit is the  increase in productivity where a user can seamlessly navigate between applications.

Our solution also includes a hardened, proven provisioning/ de-provisioning which takes care of syncing identities across applications and across multiple cloud providers. And there is also a built-in escalated authentication of identity using a second form factor which comes in handy when someone tries to use sensitive applications. Our OTP (One Time Password) solution allows the users to provide the second factor (of what you have in addition to what you know).

If you missed our recent announcement about the beta release at RSA check it out here.

http://www.networkworld.com/news/2012/022712-intel-cloud-sso-256621.html

http://software.intel.com/en-us/blogs/2012/02/27/introducing-cloud-idaas-intel-cloud-sso/

For more details check us out IntelCloudSSO.com

Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel. Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role he is responsible for helping Intel/McAfee field  and technical teams and customer executives. Prior to this role he has held technology and architecture leadership and executive positions with L-1 Identity Solutions, IBM Datapower, BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20+ years of IT experience.

 

 

 

March 29th Analyst Webinar – Identity and Access Management in the Cloud: Real or Mirage?

 

 

 

 

Traditional IAM solutions have not kept pace with cloud innovation and new approaches to identity and access management are gaining ground. Should you move your IAM infrastructure to the cloud? What is the role of related standards? These and more questions will be addressed in a free webinar “Identity & Access Management in the Cloud: Real or Mirage?”, hosted by Intel and industry analyst firm KuppingerCole on March 29, 2012 at 10:00 AM Pacific (1:00 PM Eastern, 7:00 PM CEST).

In this webinar KuppingerCole Sr. Analyst Dave Kearns will discuss the benefits and challenges of moving use identities to the cloud. Vikas Jain, Director of Product Management at Intel, will follow with an overview of Intel Cloud SSO, Intel’s newest identity and security solution for the cloud. Click here to register for this informative event.

Government Solutions Resource Center

If you haven’t already seen it, Intel^® Application Security & Identity Products has released a new Government Solutions Resource Center  that is a must-see. Whether you are looking for information on Identity Credential Access Management, High Assurance, Cross Domain Information Sharing, NIEM, NSTIC or other info about other current Government concerns, I highly recommend you check out this resourceful center. Among other things, it has webinars featuring distinguished NIST leaders, pertinent information on a whole range of relevant topics, and introduces how Intel & McAfee are addressing some of the current IT challenges in the Government.

 

 

Intel® And Box® Join Forces For Increased User Convenience And Security

Cloud-based solutions empower organizations to exploit leading-edge technology, reduce costs, and improve productivity. A prime example is using secure file sharing solutions like Box® (www.box.com) to enhance collaboration, both within the organization and between enterprises.

Today, we are pleased to announce that Intel® has entered into a relationship with Box, a leader in the on-line file sharing and collaboration market. Now, Box customers can accelerate access to, and better protect, files stored on the Box cloud platform with end-to-end user account lifecycle management, consistent with enterprise security policies.

Box customers can use Intel® Expressway Cloud Access 360 (Intel® ECA 360) to provision and manage accounts on the Box platform, provide single sign-on (SSO) to their customers, and improve security with strong, multi-factor authentication, when needed. The combination of Intel ECA 360 and Box will help drive usage, improve productivity and address regulatory compliance directives. For more, visit the  Secure File Sharing resource page.

Cloud Access 360 2.0 version released

We’re happy to announce general availability of Intel Expressway Cloud Access 360 (ECA 360) 2.0 release. This new release adds a range of exciting new features designed to simplify and improve our customers ability to manage user’s access to popular cloud applications. Key new features and benefits include:

Built-in SSO portal	An out-of-box SSO portal is available with the product that can run standalone or embedded inside existing portals such as Sharepoint. Users authenticate once to the portal and enjoy convenient, seamless SSO access to any authorized cloud app. As SSO portals expose keys to the kingdom, login to it can be protected with 2-factor authentication using mobile based One Time Password (OTP) offered through the bundled OTP module.
More connectors	New out-of-the-box connectors are  available for popular cloud apps such as Microsoft Office365, Cisco WebEx, Box.Net, Service-Now, SugarCRM, Zoho, EchoSign, Schoology, and Joomla.
Transparent HTTP form-based SSO	Not every SaaS application support SAML based federation today. This feature allows customers to bring non-SAML apps into the SSO portal providing convenient, seamless access to users and enabling IT to achieve better control and visibility on SaaS application usage. This is achieved by enabling users to register user ID and password once on a web site and capturing the data for transparent SSO the next time the user accesses the app. The process is transparent to the user as they don’t even see the log-on screen.
Salesforce as an Identity Provider	Instead of authenticating the user against Active Directory, ECA 360 allows the user to be authenticated using Facebook, Google, Yahoo, and any OpenID provider. With this release, Salesforce as an Identity Provider has been added to this list. This enables our customers to let its contractor, partner and affiliate users to login into ECA 360 SSO portal using Salesforce credentials and further access cloud applications they are authorized to access.
Enterprise-class scalability	ECA 360′s ability to support more than 10,000 concurrent user authentications has been tested and verified.
Higher performance and availability	ECA 360 administrators can now run multiple instances in a clustered environment.
Other improvements	These include: support for short URL entry in a mobile browser, new compliance reports, and various bug fixes.

To learn more about the new and improved ECA 360 v2, please visit our web site at www.intel.com/go/identity.

Security Expert, Gunnar Peterson, on Understanding Cloud Security Standards, Part 2

For any technology, it’s important to understand what problems it’s meant to address. In the last post we looked at Cloud Security Anti-Patterns. An Anti-Pattern represents an ineffective or counterproductive practice. In moving to the Cloud several Anti-Patterns have emerged that enterprises should be on the look out for and Identity architecture goals to address these issues for Cloud applications. Enterprises moving to the Cloud should identify if they have Anti-Patterns summarized in the following table and seek to mitigate:

Enterprises moving to the Cloud must avoid the Cloud Security Anti-Patterns. Luckily there are a set of open standards to use in this endeavor. Unfortunately, for enterprises there are many standards to choose from and it can be difficult at first to decipher what standards are addressing which problem set.

SAML, OAUTH, OpenId, and XACML are widely regarded by Cloud Security Alliance, Cloud providers, and the tech community as a whole as key building blocks to the Cloud. In each case, these standards have a unique value proposition towards addressing the Cloud Security Anti-Patterns.

Low/no access control – “we’ll see if it works and then turn on security later” This mindset is not limited to Cloud applications, its been around since the dawn of IT, but its at the root of many of thorniest issues in security. When security is not factored into the design at the beginning stages its very, very complicated to add it in later.

Home builders will often run wires and pipes inside walls of the homes they are building, leaving stubs where sinks, appliances and electric outlets can be added later. After all, who wants to rip up their walls just to add a new electric outlet?

Enterprises moving to the Cloud must look for strong access control protocols that enable:

• Tamper proof credentials
• Encrypting sensitive data
• Secure attribute exchange
• End to end authentication

Cloud security standards like SAML, OAUTH, OpenId, and XACML enable enterprises to move their applications and data to the Cloud while still implementing an access control regime that meets policy goals around enterprise control as described above.

Like deciding where the sinks should go while building out your houses’ foundation – with all the choices in identity standard, it can be difficult to know which one enterprises should implement. What’s important is to choose a Identity standards for you applications that are designed for newer Cloud applications because low and now access control leaves too many holes.

Replicating user accounts – copying in full or an extract your Enterprise directory to the Cloud provider. There are several security and compliance nightmares at work here. The Enterprise directory’s purpose in life is for the Enterprise to manage its user accounts, provision, deprovision, and assign group and role membership so that the business runs efficiently. Adding points of administration is a proven way to make this process less efficient and more error prone.

Of course, the problem with Replicating user accounts to the Cloud is immediately clear for most security architects, but the solutions can seem more elusive. The solution in this case requires that the Enterprise Directory stays under Enterprise control and management while still allowing for fine grained access control decisions on the Cloud Provider side. The challenge then is to facilitate the movement of identity information from the Enterprise-controlled User directory and give the Cloud provider applications the attributes they need to make authorization decisions. Oh, and your users would probably like Single Sign On (SSO) as well.

This is where standards like SAML provide a lot of value. Enterprises using SAML designate their Enterprise Directory as the Identity provider and the Cloud Service Provider consumes identity information as needed from the enterprise directory. The key distinction here is that the Cloud provider doesn’t manage the identity information. SAML profiles provide the standard protocols that enable applications to provide Single Sign On user experience and securely exchange attributes. This means the Cloud provider can make access control decisions based on identity information in the Enterprise directory without owning the management (and risk) of that directory.

Copying credentials – sometimes Enterprise copy credentials to Cloud based services; and thereby create a new pool of identity risk to manage. Related to the previous Replicating User Account Anti-Pattern, sometimes Enterprises will seek a temporary work around for Cloud Applications by copying credentials like system accounts and passwords that enable a magical, back door access to certain apps or data. Like all magic, its fun for a kids’ party trick, but not for running a business on.

Enterprises using Cloud application should focus on getting the benefits of the Cloud – scale, distribution, cost savings – but not confuse those benefits with a system that should be trusted with enterprise secrets. Credentials should remain under direct enterprise governance. Copying credentials like passwords to the Cloud Provider simply introduces too much risk where the credentials can be used to effect changes to enterprise accounts and systems.

As with the Replicating User Accounts Anti-Patterns, Enterprises should seek to enforce a separation with Identity Management (owned on the Enterprise side) versus Identity Consumption (owned on the Cloud Provider side) through standards like SAML, OpenID and oauth.

“Trusted” proxy – where trust is in name only As we discussed in Part 1, the first step to dealing with Cloud Security Anti-Patterns is deploying a Policy Enforcement Point to give the Information Security team a place to implement controls that avoid the Anti-Patterns and enable more robust security architecture. There is not a magic “pizza box” that you can simply route your Cloud traffic through to get the kind of security Cloud applications need.

The Proxy or Gateway that you select for mediating the communications to your Cloud provider(s) should be selected based on its support for identity and access standards, monitoring visibility, and ease of integration. The Cloud Security Alliance (https://cloudsecurityalliance.org/) guidelines provide a robust starting point for planning for these capabilities; these should be factored in from the very first Cloud deployment for your enterprise.

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and federal/Gov systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He blogs at http://1raindrop.typepad.com.

Forrester Cloud Jam Session DAY 1: Adaptive Strong Auth & Federated SSO – The New Power Couple

Join us this Wednesday, July 27, 2011 at 10am Pacific (replay will be available after initial broadcast) as Eve Maler, Principal analyst at Forrester and Vikas Jain, Director of Product Management for Intel Cloud Identity and Security shed light on how strong authentication should be added to deliver an enterprise class secure cloud access implementation.

Register here:

Enterprises are adopting federated SSO to cloud SaaS apps such as Google Apps and Salesforce to reduce helpdesk costs associated with password resets. But there’s another good reason to centralize authentication in the enterprise: it lets you you perform two-factor strong authentication to enable secure access to these cloud applications. Strong authentication via hardware tokens has been used to secure internal app access for some time, but recent events have shown this method to have serious downsides. As the cloud, partners, and a remote workforce drive demand for access to sensitive applications outside the traditional firewall, clearly a more convenient, adaptive, and portable strong authentication model is required. The emergence of federated internet SSO and mobile-based software tokens provide a more powerful, flexible approach.

McAfee’s new Cloud Security Platform includes Intel’s Cloud Access 360

McAfee (Intel subsidiary) announced the McAfee Cloud Security Platform that includes 2 modules from Intel – Intel Expressway Cloud Access 360 (ECA360) and Intel Expressway Service Gateway.

Follow the data

The platform helps build secure bridge to the cloud by securing all content and data traffic – including web, identity and email traffic – moving between an organization and the cloud. “By securing the data and traffic before it travels to or through the cloud, we help businesses extend their security practices and policies into the cloud.”, said Marc Olesen, senior vice president and general manager, Content and Cloud Security, McAfee.

Forrester’s Jonathan Penn noted that as data and applications are moving to the cloud, customers are faced with 2 issues • How do I secure the data? • How do I control access to the applications consuming data?

While McAfee Web Protection and McAfee Email Protection stops threats to web and email data, Intel ECA360 secures access to cloud applications and Services Gateway secures access and stops threats to cloud services.

ECA360 Benefits:

1. Get access control to cloud applications
2. Reduce risk through multi-factor authentication and automated de-provisioning
3. Increase compliance through centralized audit store logging access to all cloud applications

ECA360 Features:

1. Federated Single Sign-On (SSO) – into SaaS applications such as Salesforce, Google, and custom applications deployed on PaaS.
2. 2-factor strong authentication – provided through convenient mobile tokens or SMS and email.
3. Provisioning and De-Provisioning of users – policy based automation of this task

Deployment:

ECA360 co-exists with McAfee Web Protection (on-prem or SaaS) through the following deployment architecture.

CloudTweaks.com Discusses Expressway Cloud Access 360

Make sure to read the informative and insightful discussion about Intel Expressway Cloud Access 360 between Intel Director of Product Management for Application Security and Identity Products, Vikas Jain, and Anthony Park, from Cloudtweaks.com. Read the post and understand why Anthony calls Cloud Access 360 a “very impressive and elegant solution”.

Posting can be found here

Intel® Expressway Cloud Access 360 is a software product that enables federated access from the enterprise to the cloud and vice-versa. It bundles provisioning, federated single sign-on(SSO), strong authentication, and client aware access control – all into one packaged solution providing control, visibility and compliance to enterprises adopting cloud SaaS applications.

You can learn more about Expressway Cloud Access 360 and even download an evaluation of the software by visiting www.dynamicperimeter.com