- A real shortage of mature mainframe security skills makes configuration and administration errors more likely than on other enterprise server operating systems (OSs) in the same enterprises — and less likely to be found and remedied.
- Relatively lax compliance audits fail to identify mainframe control weaknesses, and lack of management attention can allow "worst practices" to continue. The risk of compromise has increased with greater mainframe connectivity.
- There are fewer z/OS-specific security guidelines than for other enterprise server OSs. Mainframe-specific compliance requirements are rare, but increasing.
- Full compliance with mainframe-specific security guidelines is difficult, and the incidence of high-risk vulnerabilities is astonishingly high.
Friday, April 30, 2010
Wednesday, April 28, 2010
As discussed in Conrad’s keynote yesterday, Microsoft will be delaying the release of Cardspace 2.0. Here’s the blog post confirming that:
We are postponing CardSpace and will communicate a new target ship date at a later time. We will release a CTP that enables ADFS 2.0 in Windows Server to issue Information Cards.
The power of Information Cards is being greatly enhanced by fast-moving technologies such as U-Prove and OpenID. In light of this, we are postponing CardSpace to ensure it plays an optimal role in this changing landscape. We last communicated that Windows CardSpace would ship in the first half of 2010 and we will communicate a new target ship date at a later time.
Microsoft continues to invest in the development digital identity technologies, interoperable identity standards, the claims-based identity model, and Information Cards. For information about identity solutions we recently released, visit http://www.microsoft.com/forefront/en/us/default.aspx. We are also actively participating in industry groups such as the Information Card Foundation, the OpenID Foundation, and standards bodies such as OASIS.
Sitting in Jeremy Palenchar’s session on this topic today. He specifically called out his email (email@example.com) if anyone had questions about this topic or anything FIM related. Thank you, Jeremy!
We all know how FIM utilizes Windows Workflow Foundation (WWF) but they are triggered by Management Policy Rules inside FIM. The example that Jeremy showed was centered around helpdesk password resets. Jeremy extended FIM’s password reset capability to send a new password to an end-user’s mobile phone via SMS. It was interesting to hear that the WMI interface to the FIM sync engine has changed and this changed how Jeremy’s code was built from last year to this year. His tip was to use dependency properties versus using custom code activities.
Jeremy demonstrated automated helpdesk password reset by using Microsoft Speech Server. The password was reset and the new password was sent to Jeremy’s cell phone. Jeremy had to interact with FIM’s STS (security token service) to enable this functionality. All of the code is available on Codeplex. Great demo, Jeremy!
Monday, April 26, 2010
- Good to hear that all of the related directory technologies have been pulled together under Conrad. This includes RMS - Rights Management Server, too. This is definitely a step in the right direction from the perspective of actual integration across the product line and hopefully some proper integration with Active Directory. As Conrad said, "We've brought the Active Directory family together." By this Conrad meant pulling Certificate Services, Domain Services, Federation Services, Lightweight Directory Services and Rights Management Services all into one group. "More symmetry and cohesion."
- Lots of discussion about the release of FIM 2010.
- Interesting market stats on Active Directory penetration in small, medium and large businesses: Small 62%, medium 81%, large 73%. I actually thought these numbers would be higher.
- "We need to make PKI easier." - I'll say. It's really important technology that enables so much around security.
- Even in this highly Microsoft-centric audience it was interesting to see the show of hands for people looking at or working with federation and how many hands went down when Conrad asked if they were using ADFS. I believe this will change once ADFS v2 releases later this year - since ADFS is basically "free".
- "FIM will be used to construct claims based on Active Directory groups or attributes." Obviously, this is a good thing but what about customers who have data in different repositories? I don't like the fact this will mean the customer will have to synchronize that system or data to Active Directory to build that claim. This really needs to be "externalized" or loosely coupled, in my opinion.
- "Microsoft must ensure that the path to the Cloud for any customer with Active Directory is a smooth one" - Indeed!
- "The (directory) hierarchy is too rigid" - Does this mean that Kim Cameron's "polyarchy" visualization is coming back? I hope so. Conrad says this is the most exciting thing they are working on. I couldn't agree more. LDAP is terribly deficient when it comes to making directories more relationship-based. Personally, I think this could be the most exciting thing to happen around directory since Netscape’s LDAP directory was first released back in 1996. It will be really cool
- Cardspace was missing from Conrad's presentation and Pam Dingle caught that and asked what was up. Conrad's response was that Cardspace 2.0 was not ready yet. It doesn't go away but it isn't imminent to be released either. They want to add OpenID support and they are working on that along with incorporating it into Internet Explorer.
- FIMs STS may be “reconciled” since it was built before the family meeting was called.
Rumor has it that ADFS V2 is going to RTM this week. It’ll be interesting to see if that happens!
Friday, April 23, 2010
Apparently I am not the only one concerned about this because Homeland Security has a working group that studies our country's infrastructure and the concept of utility disruption by terrorists concerns them. I'm much more concerned about the teenage hacker around the corner or on the other side of the country figuring out how to turn off my home's power at a whim.
Earl Perkins recently also posted about smart grids and security: The Myth of Smart Grid Security- A Response. Earl has similar worries. I don’t think much has changed since my original post on the topic over three years ago unfortunately. It frustrates me that security, in many cases, is an afterthought. Something that is considered only after a disaster, crisis or publicity forces it.
I actually do believe that much of the utility market (I worked for an electric utility for 16 years before becoming an analyst) is in denial about the scope and extent required to secure their efforts in improving the grid, wherever it may be— AMI, SCADA, customer information systems. It is a fundamental and foundational effort that will require education and awareness on a significant scale. Is it possible to do so? Sure, but that foundation must be laid down now. We’ll crawl before we walk, walk before we run.
Thursday, April 22, 2010
Griffin Hospital in Derby, Conn., announced in March that it experienced an apparent data breach allegedly caused when a previously-affiliated radiologist gained access to the hospital's picture archiving and communication system.I guess I am somewhat amazed by the fact the doctor used the log-in credentials of current employees to logon. Sounds like he learned a lesson from the dude at Societe Generale in France. This is exactly what regulations like HIPAA are supposed to fix...
The hospital said the apparent breach came to its attention when it was contacted by several patients who claimed the radiologist called them to offer services at a competing hospital. Access to the hospital's PACS had been revoked when the radiologist's affiliation with the hospital ended, but the doctor allegedly used the log-in credentials of current Griffin employees to access the records of nearly 1,000 patients.
Passage of the Health Information Technology for Economic and Clinical Health Act in 2009 put more teeth into HIPAA laws.
Not only can health care organizations now be on the hook for fines up to $1.5 million if data are breached, but they also must notify every affected patient, the Dept. of Health and Human Services and, in some cases, the media.
Monday, April 19, 2010
Some of the common rules that come with Privilege Authority include:
- allowing users the ability to install Adobe Flash Player
- allowing users to change the date and time of their system
- allowing Java Runtime 6 updater to run as an Administrator
- allow Adobe Reader updater to run as Administrator
- allow users to run System Properties
- allow users to run Internet Explorer with Admin rights
- A file rule, where the path of the executable is specified.
- A folder path, in which case the rule will be applied to all processes run from the path.
- An ActiveX rule where a URL is specified.
I’m not sure why anyone would want to pay for a tool that manages local administrative privileges when you can download Privilege Authority for free. Try it out.
Friday, April 16, 2010
Dear Catalyst Conference Attendee,
In response to the continuing situation in Europe regarding the eruption of the volcano in Iceland, which has severely disrupted air travel, we are taking the immediate precaution of postponing the Burton Group Catalyst Conference scheduled to be held 19-22 April in Prague, Czech Republic.
We are as disappointed as you about this but we believe this could impact our ability to deliver the quality experience which we have always provided to our clients. Therefore we do believe that postponing the conference is the prudent course of action given the current situation.
We wanted to provide you with as much notice as possible so you are able to make any necessary changes to your plans but we will also be following up with you personally via phone shortly so that we can assist you in any way possible.
We will cancel your hotel reservation. Please contact your airline directly with regards to your flight bookings as we are assuming these will all have unique rules associated to them.
We will get back to you as soon as possible with details on the re-scheduling of the conference.
If you have any other questions please don't hesitate to contact us by replying to this email or calling + 1 801 308 8349 (available 24 hours).
Thank you for your understanding.
President, Burton | Gartner Inc.
Tuesday, April 13, 2010
ScriptLogic has also launched the Privilege Authority Community Forum, where Privilege Authority users can exchange rules that allow for certain end user configuration changes. Some rules are already available providing the ability for end users to access system properties, run iTunes® and BlackBerry® Desktop installers, install an Adobe® Flash® Player after download, and run Adobe® Reader®. More than 5,000 IT administrators downloaded Privilege Authority in the 24 hours following availability.
In addition to elevation rules, which are created by a template wizard, Privilege Authority also features:
- Common Rules: Privilege Authority ships with several pre-configured common rules that are already designed to handle the most common elevation requirements in organizations today.
- Automatic update of rules: Privilege Authority regularly checks the Privilege Authority Community Forum for updated common rules and downloads new rules when they are available.
Monday, April 12, 2010
It’s truly unfortunate to see this happen but the road is littered with great software companies that had crappy marketing - Banyan comes to mind as another.
So the official word is getting out. What are you hearing?
Saturday, April 10, 2010
If you’re anything like me you probably have lots of equipment at home. Maybe you should spend the few dollars for the insurance and piece of mind too.
The CHSP Ultra™ is the most advanced AC surge suppression product to date. Along with the following accessories:
• SurgeTel™ protects four telephone and modem lines.
• SurgeCable™ protects two cable and/or satellite TV lines.
• SurgeEthernet™ provides innovative protection for high speed Internet service. It can be mounted on the sides,top, or bottom of a load center.
Tuesday, April 06, 2010
Session Title: Extending Your Corporate Network Boundaries with Confidence
Abstract: This session provides an understanding of how single sign on for the BlackBerry® smartphone will enable your enterprise to securely extend your corporate network boundaries. This feature enables users to access corporate applications securely without having to repeatedly enter credentials on their device. We’ll cover integrating the BlackBerry platform with a Single Sign On in the Active Directory, deployment methods and more.
Key Takeaways for Attendees:
· Learn how to connect to the corporate network wirelessly on the BlackBerry smartphone with security and ease
· See features that make this easy to deploy
· Find out how your enterprise can do more, securely
If you’re interested in how to extend Active Directory to your Blackberry and what benefits that will bring you and your company be sure to attend this session.
Monday, April 05, 2010
For obvious reasons I can’t quote more from their report but if you are a Gartner client you should check the report out.
Saturday, April 03, 2010
Then I practically coughed my early morrning coffee all over my LCD screen when I read this: “iSuppli regards its iPad sales forecast as conservative.”
With Netflix streaming, ABC and nearly 1,400 apps ready to go today I can see the water receding. It’s not just low tide. The iPad tsunami is on the way!
P.S. Even the White House web site is now iPad-ready: http://Mobile.WhiteHouse.gov
Photo credit above
Friday, April 02, 2010
The Altair inspired Bill Gates and Paul Allen. In many ways, the Altair - and Dr. Roberts - were the catalyst for Microsoft and the dynamic duo of Gates and Allen. Up until the end Dr. Roberts was interested in technology:
...he never lost his interest in modern technology, even asking about Apple's highly anticipated iPad from his sick bed.Dr. Roberts helped to change our world.
Thursday, April 01, 2010
Using cloud computing services for data and applications subject to compliance regulations requires a high degree of transparency on the part of service providers. If you're considering these services, you need to think through what use cases make sense, closely review contracts and service-level agreements and understand how the cloud service meets compliance requirements. Insist on "right to audit" clauses and general transparency on the controls in use. Perhaps in the future cloud services will emerge that are tailored to meet the compliance requirements of specific industries, but for now—caveat emptor!Caveat emptor indeed!