Friday, April 30, 2010

Your Mainframe Security Risk: Retirement

Jim Yurek of Vanguard Security gave an interesting talk today about mainframe PCI compliance. One benefit, for any of you mainframe types out there, is that Vanguard has made a Gartner research note written by Ant Allan available on their web site: “Why Your IBM z/OS Mainframe May Not Be as Secure as You Think It Is and What You Can Do About It”. You can get your copy by clicking here. The key findings that Jim discussed were:
  • A real shortage of mature mainframe security skills makes configuration and administration errors more likely than on other enterprise server operating systems (OSs) in the same enterprises — and less likely to be found and remedied.
  • Relatively lax compliance audits fail to identify mainframe control weaknesses, and lack of management attention can allow "worst practices" to continue. The risk of compromise has increased with greater mainframe connectivity.
  • There are fewer z/OS-specific security guidelines than for other enterprise server OSs. Mainframe-specific compliance requirements are rare, but increasing.
  • Full compliance with mainframe-specific security guidelines is difficult, and the incidence of high-risk vulnerabilities is astonishingly high.
Basically, Jim’s theory was that there is a higher probability of a mainframe data breach as fewer and fewer people know the mainframe anymore. I couldn’t agree more. It was a bit of a shocker that there is no material published that explains how to configure z/OS for PCI compliance – or any compliance for that matter. Crazy. With the mainframe population of programmers and analysts all getting older and retiring, I can see how Jim’s predictions may come true.

Wednesday, April 28, 2010

Will ADFS 2.0 Boost Cloud Security?

This is the title of an article by Jeffrey Schwartz over at Redmond Magazine. Jeffrey interviewed me yesterday on this topic and you’ll see my comments on ADFS 2.0 – both positive and less than positive. I am excited about ADFS 2.0 overall. Take a look at his article when you have a moment and if you have comments let him know. He’s also looking to hear from people who are planning on using ADFS 2.0!

CardSpace 2.0 Delayed

As discussed in Conrad’s keynote yesterday, Microsoft will be delaying the release of CardSpace 2.0. Here’s the blog post confirming that:

Blog Post:

We are postponing CardSpace and will communicate a new target ship date at a later time.  We will release a CTP that enables ADFS 2.0 in Windows Server to issue Information Cards.

The power of Information Cards is being greatly enhanced by fast-moving technologies such as U-Prove and OpenID.  In light of this, we are postponing CardSpace to ensure it plays an optimal role in this changing landscape. We last communicated that Windows CardSpace would ship in the first half of 2010 and we will communicate a new target ship date at a later time.

Microsoft continues to invest in the development of digital identity technologies, interoperable identity standards, the claims-based identity model, and Information Cards.  For information about identity solutions we recently released, visit We are also actively participating in industry groups such as the Information Card Foundation, the OpenID Foundation, and standards bodies such as OASIS.


#tec2010 Advanced Workflows in FIM 2010 – One Year Later

Sitting in Jeremy Palenchar’s session on this topic today. He specifically called out his email ( if anyone had questions about this topic or anything FIM related. Thank you, Jeremy!

We all know that FIM’s workflows are built on Windows Workflow Foundation (WF), but they are triggered by Management Policy Rules (MPRs) inside FIM. The example Jeremy showed centered on helpdesk password resets: he extended FIM’s password reset capability to send a new password to an end user’s mobile phone via SMS. It was interesting to hear that the WMI interface to the FIM sync engine has changed, and that this changed how Jeremy’s code had to be built between last year and this year. His tip was to use dependency properties rather than custom code activities.

Jeremy demonstrated automated helpdesk password reset using Microsoft Speech Server. The password was reset and the new password was sent to Jeremy’s cell phone. Jeremy had to interact with FIM’s STS (security token service) to enable this functionality. All of the code is available on CodePlex. Great demo, Jeremy!


Monday, April 26, 2010

The Experts Conference - Microsoft Keynote #tec2010

Day 1 of The Experts Conference here in Los Angeles and I'm sitting in the keynote session being given by Conrad Bayer from Microsoft. Some of the highlights of the keynote are below...

- Good to hear that all of the related directory technologies have been pulled together under Conrad. This includes AD RMS (Rights Management Services), too. This is definitely a step in the right direction from the perspective of actual integration across the product line and hopefully some proper integration with Active Directory. As Conrad said, "We've brought the Active Directory family together." By this Conrad meant pulling Certificate Services, Domain Services, Federation Services, Lightweight Directory Services and Rights Management Services all into one group. "More symmetry and cohesion."

- Lots of discussion about the release of FIM 2010.

- Interesting market stats on Active Directory penetration in small, medium and large businesses: Small 62%, medium 81%, large 73%. I actually thought these numbers would be higher.

- "We need to make PKI easier." - I'll say. It's really important technology that enables so much around security.

- Even in this highly Microsoft-centric audience it was interesting to see the show of hands for people looking at or working with federation and how many hands went down when Conrad asked if they were using ADFS. I believe this will change once ADFS v2 releases later this year - since ADFS is basically "free".

- "FIM will be used to construct claims based on Active Directory groups or attributes." Obviously, this is a good thing but what about customers who have data in different repositories? I don't like the fact this will mean the customer will have to synchronize that system or data to Active Directory to build that claim. This really needs to be "externalized" or loosely coupled, in my opinion.

- "Microsoft must ensure that the path to the Cloud for any customer with Active Directory is a smooth one" - Indeed!

- "The (directory) hierarchy is too rigid" - Does this mean that Kim Cameron's "polyarchy" visualization is coming back? I hope so. Conrad says this is the most exciting thing they are working on. I couldn't agree more. LDAP is terribly deficient when it comes to making directories more relationship-based. Personally, I think this could be the most exciting thing to happen around directory since Netscape’s LDAP directory was first released back in 1996. It will be really cool

- CardSpace was missing from Conrad's presentation and Pam Dingle caught that and asked what was up. Conrad's response was that CardSpace 2.0 is not ready yet. It doesn't go away, but a release isn't imminent either. They want to add OpenID support and are working on that, along with incorporating it into Internet Explorer.

- FIM’s STS may be “reconciled” since it was built before the family meeting was called.

Rumor has it that ADFS V2 is going to RTM this week. It’ll be interesting to see if that happens!

Friday, April 23, 2010

Dr. Forbin a few years later

One of my very first blog posts - Dr. Forbin would be proud! Or would he? – concerned smart grid computing and security. You know, hooking up your electric meters and appliances to the grid so power could be better regulated. As I mentioned in that post I was concerned – and still am – about the security of these projects:

Apparently I am not the only one concerned about this because Homeland Security has a working group that studies our country's infrastructure and the concept of utility disruption by terrorists concerns them. I'm much more concerned about the teenage hacker around the corner or on the other side of the country figuring out how to turn off my home's power at a whim.

Earl Perkins recently also posted about smart grids and security: The Myth of Smart Grid Security- A Response. Earl has similar worries. I don’t think much has changed since my original post on the topic over three years ago unfortunately. It frustrates me that security, in many cases, is an afterthought. Something that is considered only after a disaster, crisis or publicity forces it.
I actually do believe that much of the utility market (I worked for an electric utility for 16 years before becoming an analyst) is in denial about the scope and extent required to secure their efforts in improving the grid, wherever it may be— AMI, SCADA, customer information systems. It is a fundamental and foundational effort that will require education and awareness on a significant scale. Is it possible to do so?  Sure, but that foundation must be laid down now. We’ll crawl before we walk, walk before we run.

Thursday, April 22, 2010

Former employee uses current employees’ credentials for access - amazing

Caught this post on the wire “Data breached? Culprit could be a former employee”:
Griffin Hospital in Derby, Conn., announced in March that it experienced an apparent data breach allegedly caused when a previously-affiliated radiologist gained access to the hospital's picture archiving and communication system.

The hospital said the apparent breach came to its attention when it was contacted by several patients who claimed the radiologist called them to offer services at a competing hospital. Access to the hospital's PACS had been revoked when the radiologist's affiliation with the hospital ended, but the doctor allegedly used the log-in credentials of current Griffin employees to access the records of nearly 1,000 patients.
I guess I am somewhat amazed by the fact that the doctor used the log-in credentials of current employees to log on. Sounds like he learned a lesson from the dude at Societe Generale in France. This is exactly what regulations like HIPAA are supposed to fix...
Passage of the Health Information Technology for Economic and Clinical Health Act in 2009 put more teeth into HIPAA laws.

Not only can health care organizations now be on the hook for fines up to $1.5 million if data are breached, but they also must notify every affected patient, the Dept. of Health and Human Services and, in some cases, the media.
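Revoking the radiologist’s own account did nothing once he was using other people’s log-ins, so the control that would have caught this is on the detection side: look for an account that is plainly being used by more than one person. Here is an added example of that check, written for this post rather than taken from the page, Griffin Hospital or any PACS product. The log format (timestamp, user, workstation, event, patient ID), the user names and the workstation names are all constructed; it flags a login from a second workstation while the first session is still open, and an account pulling far more patient records in ten minutes than someone doing their own work would.

```python
"""
Spot borrowed or shared log-ins in application access logs.

Added example for this post; it is not code from the original page, from
Griffin Hospital, or from any PACS vendor. The log format (CSV:
timestamp,user,workstation,event,patient), user names and workstation
names are all constructed for illustration.

Two signals that somebody other than the account owner is using a credential:
  1. the same account logs in from a second workstation while a session on
     the first is still open;
  2. the account pulls far more patient records in a short window than an
     employee doing their own work would.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _burst_lines(user, ws, start, n):
    """Constructed: n 'view' events 10 s apart, mimicking bulk record pulling."""
    return [
        f"{(start + timedelta(seconds=10 * i)).isoformat()},{user},{ws},view,P{2000 + i}"
        for i in range(n)
    ]


# Constructed sample log. jsmith's second login overlaps an open session;
# mlee's logins are sequential (normal); rjones pulls 30 records in 5 minutes.
SAMPLE_LOG = [
    "2010-03-02T08:01:10,jsmith,RAD-WS-01,login,",
    "2010-03-02T08:05:42,jsmith,RAD-WS-01,view,P1001",
    "2010-03-02T08:40:03,jsmith,RAD-WS-01,logout,",
    "2010-03-02T09:10:00,jsmith,RAD-WS-01,login,",
    "2010-03-02T09:12:00,jsmith,CLINIC-PC-7,login,",
    "2010-03-02T09:12:30,jsmith,CLINIC-PC-7,view,P1002",
    "2010-03-02T10:00:00,mlee,RAD-WS-02,login,",
    "2010-03-02T10:30:00,mlee,RAD-WS-02,logout,",
    "2010-03-02T10:35:00,mlee,RAD-WS-03,login,",
    "2010-03-02T22:00:00,rjones,CLINIC-PC-7,login,",
] + _burst_lines("rjones", "CLINIC-PC-7", datetime(2010, 3, 2, 22, 1, 0), 30)


def parse_log(lines):
    """Parse CSV lines into event dicts sorted by timestamp."""
    events = []
    for line in lines:
        ts, user, ws, event, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "event": event, "patient": patient})
    events.sort(key=lambda e: e["ts"])
    return events


def concurrent_sessions(events):
    """Return (user, open_ws, new_ws, ts) for each login that overlaps an
    open session for the same account on a different workstation."""
    open_sessions = defaultdict(dict)   # user -> {workstation: login time}
    flagged = []
    for e in events:
        sessions = open_sessions[e["user"]]
        if e["event"] == "login":
            for other_ws in sessions:
                if other_ws != e["ws"]:
                    flagged.append((e["user"], other_ws, e["ws"], e["ts"]))
            sessions[e["ws"]] = e["ts"]
        elif e["event"] == "logout":
            sessions.pop(e["ws"], None)
    return flagged


def lookup_bursts(events, window=timedelta(minutes=10), threshold=20):
    """Return (user, ws, ts, count) the first time an account's record views
    within `window` exceed `threshold`."""
    recent = defaultdict(deque)         # user -> timestamps of views in window
    flagged, seen = [], set()
    for e in events:
        if e["event"] != "view":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and e["user"] not in seen:
            seen.add(e["user"])
            flagged.append((e["user"], e["ws"], e["ts"], len(q)))
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, a, b, ts in concurrent_sessions(evts):
        print(f"{ts} {user}: login on {b} while session on {a} still open")
    for user, ws, ts, n in lookup_bursts(evts):
        print(f"{ts} {user}@{ws}: {n} record views in 10 minutes")
```

On the constructed log this flags jsmith’s overlapping sessions and rjones’s bulk pull, and stays quiet for mlee, who simply moved to another workstation after logging out. The threshold and window are the tunable parts; set them from what a legitimate shift looks like in your own logs, and treat a hit as a reason to call the account owner, not as proof on its own.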

Monday, April 19, 2010

You Don’t Have the Proper Privilege Level

I was sitting through our executive business reviews last week and the guys from Scriptlogic were talking about how they’ve had more than 15,000 downloads of their free Privilege Authority product since it was released a few weeks ago. That gave me a bit of incentive to write a bit more about Privilege Authority. It is a very common security – and compliance – best practice to run users with the least privileges possible, and to elevate application and ActiveX control privileges only when absolutely needed. Why do I like this solution so much? Well, besides the fact that it is free, I like that it uses Microsoft Active Directory and Group Policy to distribute Privilege Authority rules to client machines. Pretty much everyone is using Active Directory. Group Policy has been a feature of Windows Server since Windows 2000, but I really don’t believe it is used to the extent that it could be at most companies. Sure, it’s used by nearly everyone to set password policies, but it is sometimes difficult to find a company that is using it more extensively. Privilege Authority leverages Group Policy for more. What could be better than a free tool that leverages included functionality in Windows Server?

Some of the common rules that come with Privilege Authority include:
  • allowing users the ability to install Adobe Flash Player
  • allowing users to change the date and time of their system
  • allowing Java Runtime 6 updater to run as an Administrator
  • allow Adobe Reader updater to run as Administrator
  • allow users to run System Properties
  • allow users to run Internet Explorer with Admin rights
There are three types of custom rules that you can create:
  1. A file rule, where the path of the executable is specified.
  2. A folder path, in which case the rule will be applied to all processes run from the path.
  3. An ActiveX rule where a URL is specified.
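Each of those rule types hands administrative rights to whatever it matches, so the question to ask before a rule goes out via Group Policy is whether an ordinary user can change what it matches. A folder rule covering a user-writable directory elevates anything the user drops there; a file rule for a browser or shell (the “Internet Explorer with Admin rights” common rule above is the obvious case) elevates the biggest attack surface on the desktop rather than one task; an ActiveX rule keyed to a plain http URL trusts a location an on-path attacker can answer for. The following is an added example of that check, written for this post; it is not Privilege Authority’s code and does not use its rule file format. The dict-per-rule representation and the sample rules are constructed stand-ins for the three custom rule types listed above.

```python
"""
Lint a set of elevation rules before distributing them by Group Policy.

Added example for this post; it is not Privilege Authority's code or its
rule file format. The dict-per-rule representation ('kind' is one of
file / folder / activex, 'target' is a path or URL) is a constructed
stand-in for the three custom rule types the post lists, and the sample
rules are constructed too.

Each rule hands administrative rights to whatever it matches, so the check
asks: can an ordinary user change what the rule matches?
"""
import ntpath
from urllib.parse import urlparse

# Prefixes an ordinary user can write to. An elevation rule pointing here lets
# the user (or malware running as the user) replace the elevated program, which
# turns the rule into a privilege-escalation path.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "c:\\documents and settings\\",
    "%userprofile%", "%temp%", "%tmp%", "%appdata%", "%localappdata%",
)

# Programs that give an elevated user a general-purpose shell or a browser-sized
# attack surface; elevating them is the opposite of least privilege.
GENERAL_PURPOSE = {
    "iexplore.exe", "explorer.exe", "cmd.exe", "powershell.exe", "mmc.exe",
    "regedit.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}


def _norm(path):
    """Lower-case and use backslashes so prefix and basename checks are uniform."""
    return path.strip().lower().replace("/", "\\")


def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means no concern found."""
    findings = []
    kind, target = rule["kind"], rule["target"]
    if kind in ("file", "folder"):
        p = _norm(target)
        if p.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"{kind} rule targets a user-writable location: {target}")
        if kind == "folder":
            findings.append(f"folder rule elevates every process started from {target}; "
                            "prefer a file rule for the one program that needs it")
        elif ntpath.basename(p) in GENERAL_PURPOSE:
            findings.append(f"elevating {ntpath.basename(p)} grants broad privileges, "
                            "not a single task")
    elif kind == "activex":
        u = urlparse(target)
        if u.scheme != "https":
            findings.append(f"ActiveX rule trusts a non-https URL ({u.scheme or 'no scheme'}); "
                            "an on-path attacker can answer for it")
        if not u.netloc:
            findings.append(f"ActiveX rule has no host: {target}")
    else:
        findings.append(f"unknown rule kind {kind!r}")
    return findings


def lint_rules(rules):
    """Map each rule's name to its findings."""
    return {rule["name"]: lint_rule(rule) for rule in rules}


# Constructed sample rules modelled on the kinds of rules the post mentions.
SAMPLE_RULES = [
    {"name": "Adobe Reader updater", "kind": "file",
     "target": r"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"},
    {"name": "IE as admin", "kind": "file",
     "target": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"name": "Downloads folder", "kind": "folder",
     "target": r"C:\Users\%username%\Downloads"},
    {"name": "Flash installer (http)", "kind": "activex",
     "target": "http://example.com/flash/install.cab"},
    {"name": "Flash installer (https)", "kind": "activex",
     "target": "https://example.com/flash/install.cab"},
]

if __name__ == "__main__":
    for name, findings in lint_rules(SAMPLE_RULES).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The updater rule under Program Files passes because a standard user cannot replace that executable; the Downloads folder rule, the IE rule and the http ActiveX rule each come back with a finding. The lists of user-writable prefixes and general-purpose programs are deliberately short starting points and should be extended from your own desktop image.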
I also wanted to mention that there is community support for Privilege Authority at Not only can you ask questions, make product suggestions or submit bugs but you can also upload or download policy files (rules). I took a quick look and saw policy files were available to run the Blackberry Desktop Software, UPS Shipping Module and Adobe Updater as administrator.
I’m not sure why anyone would want to pay for a tool that manages local administrative privileges when you can download Privilege Authority for free. Try it out.

Friday, April 16, 2010

Burton Group postpones Catalyst Europe

Looks like there's another casualty to the Iceland volcano...
Dear Catalyst Conference Attendee,

In response to the continuing situation in Europe regarding the eruption of the volcano in Iceland, which has severely disrupted air travel, we are taking the immediate precaution of postponing the Burton Group Catalyst Conference scheduled to be held 19-22 April in Prague, Czech Republic

We are as disappointed as you about this but we believe this could impact our ability to deliver the quality experience which we have always provided to our clients. Therefore we do believe that postponing the conference is the prudent course of action given the current situation.

We wanted to provide you with as much notice as possible so you are able to make any necessary changes to your plans but we will also be following up with you personally via phone shortly so that we can assist you in any way possible.

We will cancel your hotel reservation. Please contact your airline directly with regards to your flight bookings as we are assuming these will all have unique rules associated to them.

We will get back to you as soon as possible with details on the re-scheduling of the conference.

If you have any other questions please don't hesitate to contact us by replying to this email or calling + 1 801 308 8349 (available 24 hours).

Thank you for your understanding.


Jamie Lewis
President, Burton | Gartner Inc.

Tuesday, April 13, 2010

Privilege Authority for Windows

Our friends at Scriptlogic recently released Privilege Authority – a free tool that gives Windows administrators granular control over administration rights for the first time. IT teams can create “elevation rules” specifying the Windows features, applications or ActiveX controls that end users can manipulate, while maintaining restrictions on all other functions. Those rules are transferred to the desktop client using Group Policy, eliminating the need to install any new software.

ScriptLogic has also launched the Privilege Authority Community Forum, where Privilege Authority users can exchange rules that allow for certain end user configuration changes. Some rules are already available providing the ability for end users to access system properties, run iTunes® and BlackBerry® Desktop installers, install an Adobe® Flash® Player after download, and run Adobe® Reader®. More than 5,000 IT administrators downloaded Privilege Authority in the 24 hours following availability.

In addition to elevation rules, which are created by a template wizard, Privilege Authority also features:
  • Common Rules: Privilege Authority ships with several pre-configured common rules that are already designed to handle the most common elevation requirements in organizations today.
  • Automatic update of rules: Privilege Authority regularly checks the Privilege Authority Community Forum for updated common rules and downloads new rules when they are available.
If you’re interested in managing Windows desktop privileges this is a tool that you should check out. And best of all, it’s free!

Monday, April 12, 2010

Sorry Sun, but you’re “terminal”

I was talking with a Quest customer late last week about identity management. I started my questions with “What do you have for identity today” to get a level-set on where the customer was. The first comment they made was that they were a Sun identity management shop but they had just received their notice of the “terminal release” of the Sun IAM provisioning suite. Therefore, they were going to review options across-the-board.

It’s truly unfortunate to see this happen but the road is littered with great software companies that had crappy marketing - Banyan comes to mind as another.

So the official word is getting out. What are you hearing?

Saturday, April 10, 2010

Surge protecting your whole house

We just bought new appliances for our house – refrigerator, oven and dishwasher. I found out – accidentally – that many people had to replace their oven after it was “fried” by an electrical surge. It seems that convection ovens, microwaves, dishwashers and refrigerators are very much chip-controlled devices nowadays. Normally, it’s pretty easy to protect your computer or an appliance by the use of an off-the-shelf surge protector. I’m sure we all have one or more at our office and home office. However, I was most concerned about our new convection oven which is hard-wired into 220V. There’s no way to surge protect it with an off-the-shelf surge protector. So, after a little research, we had an electrician install a whole house surge protector (pictured below). He picked one made by the folks at EATON Corporation (Cutler-Hammer) that comes with a $75,000 insurance policy to cover any damages that might occur. Total cost to me, including labor: $350. Is it worth it? I think so. Time will tell but I feel better knowing that we have protected our whole house and we have an insurance policy thrown in for electrical damage.

If you’re anything like me you probably have lots of equipment at home. Maybe you should spend the few dollars for the insurance and peace of mind too.
The CHSP Ultra™ is the most advanced AC surge suppression product to date. Along with the following accessories:
• SurgeTel™ protects four telephone and modem lines.
• SurgeCable™ protects two cable and/or satellite TV lines.
• SurgeEthernet™ provides innovative protection for high speed Internet service. It can be mounted on the sides, top, or bottom of a load center.

Tuesday, April 06, 2010

Extend your Corporate Active Directory Boundary to your Blackberry! #WES2010

Do you use a Blackberry? Will you or someone from your company be attending Blackberry’s WES2010 conference? If so, please let them know that our own Jason Fehrenbach will be speaking at this event in Orlando, FL at the end of this month (Apr 27-29). Details on Jason’s session – “WA21 – Extending Your Corporate Network Boundaries with Confidence” – are below. Jason will be co-presenting with Chris Johnson from RIM.

Session Title: Extending Your Corporate Network Boundaries with Confidence

Abstract: This session provides an understanding of how single sign on for the BlackBerry® smartphone will enable your enterprise to securely extend your corporate network boundaries. This feature enables users to access corporate applications securely without having to repeatedly enter credentials on their device. We’ll cover integrating the BlackBerry platform with a Single Sign On in the Active Directory, deployment methods and more.

Key Takeaways for Attendees:
· Learn how to connect to the corporate network wirelessly on the BlackBerry smartphone with security and ease
· See features that make this easy to deploy
· Find out how your enterprise can do more, securely

If you’re interested in how to extend Active Directory to your Blackberry and what benefits that will bring you and your company be sure to attend this session.

Monday, April 05, 2010

What organizations are spending on IT security?

This is the title of a Gartner report that was recently released. If you are a Gartner client you might want to take a look at it. It’s written by Vic Wheatman, one of Gartner’s IT security analysts, who has been around forever. Why is the article interesting? In the security priorities section it is interesting to see how important identity management is to these priorities, and hence what organizations are spending their money on. If anyone thinks IAM is dead or dying, you wouldn’t get that from Gartner’s report.

For obvious reasons I can’t quote more from their report but if you are a Gartner client you should check the report out.

Saturday, April 03, 2010

iPad tsunami is now on the way…

So today people started drooling, walking into street lights and generally bumping into people and buildings while looking at their new iPads. There’s lots of news coverage of folks waiting in lines and all the general hub-bub we see for significant new product launches. While I was trolling the news today I came across this article which caused me to drool over my Apple stock. If this could be true:

iPad Sales to Hit 7 Million in 2010 and Triple by 2012 

Then I practically coughed my early morning coffee all over my LCD screen when I read this: “iSuppli regards its iPad sales forecast as conservative.”

With Netflix streaming, ABC and nearly 1,400 apps ready to go today I can see the water receding. It’s not just low tide. The iPad tsunami is on the way!

P.S. Even the White House web site is now iPad-ready:


Friday, April 02, 2010

MITS Altair 8800 inventor dies

I read this article in today's Seattle Times about Dr. Henry Roberts passing away. While I never owned an Altair, I started my "programming" career having to hand-load the binary software program for a punch card reader into a DEC PDP-11. That was probably "advanced" compared to the Altair.

The Altair inspired Bill Gates and Paul Allen. In many ways, the Altair - and Dr. Roberts - were the catalyst for Microsoft and the dynamic duo of Gates and Allen. Up until the end Dr. Roberts was interested in technology:
...he never lost his interest in modern technology, even asking about Apple's highly anticipated iPad from his sick bed.
Dr. Roberts helped to change our world.

Thursday, April 01, 2010

Transparent cloud wanted - apply within

I read “Compliance Under a Cloud” in CIO magazine and loved the ambiguity of how we are going to address security regulations and compliance for the cloud. “It depends” seems to be an answer thrown around a lot. The concluding paragraph is heavy. By “heavy” I mean that there is a lot of work required to properly address the problems. Obviously, if you can’t audit your cloud because it is not transparent then you are in trouble. At the end of the day, the cloud is just another platform “out there” and your requirements for audit and security will still have to apply to that platform.
Using cloud computing services for data and applications subject to compliance regulations requires a high degree of transparency on the part of service providers. If you're considering these services, you need to think through what use cases make sense, closely review contracts and service-level agreements and understand how the cloud service meets compliance requirements. Insist on "right to audit" clauses and general transparency on the controls in use. Perhaps in the future cloud services will emerge that are tailored to meet the compliance requirements of specific industries, but for now—caveat emptor!
Caveat emptor indeed!