Tuesday, March 22, 2011

BAA replaces their legacy OTP solution with Quest Defender

Good case study just published about BAA’s replacement of their legacy OTP solution in favor of Quest Defender. BAA is one of the world’s leading transport companies, owning six airports in the UK, including the largest, London Heathrow. One of Defender’s main advantages is being able to co-exist with other systems so a customer can do an “as they please” migration – no forklift required. Defender’s ability to co-exist with BAA’s previous solution also ensured that continuity of service was maintained during the roll-out.
“BAA will save money because Defender tokens last at least 67 percent longer than our previous solution, and last for the life of the battery rather than having a defined life of three years,” said Fiona Hayward, IT Programme Manager. “We can renew users’ tokens when they expire, as a help desk business-as-usual process, instead of issuing 7,500 tokens in one go and incurring the costs associated with running such a project.”
Thanks to BAA for participating in our case study. I always appreciate customers who are willing to talk publicly about our products and their success.

Friday, March 18, 2011

RSA Hacked! Were they using 2-factor authentication themselves?

This has really made headlines. It’s also resulted in a number of e-mails from Quest customers happy they chose Quest Defender over RSA SecurID!

Hacker Spies Hit Security Firm RSA

Top security firm RSA Security revealed on Thursday that it’s been the victim of an “extremely sophisticated” hack.
The company said in a note posted on its website that the intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” RSA wrote on its blog, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

As of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software. Its customers include government agencies.

RSA CEO Art Coviello wrote in the blog post that the company was “confident that no other … products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

The company also provided the information in a document filed with the Securities and Exchange Commission on Thursday, which includes a list of recommendations for customers who might be affected. See below for a list of the recommendations.

A company spokesman would not provide any details about when the hack occurred, how long it lasted or when the company had discovered it.
If you read what RSA’s Chairman said in his note he doesn’t detail if the hackers by-passed RSA’s security or how they by-passed it. I wonder if they (RSA) were using their own SecurID product to protect access to their internal networks? Gee, that’d be embarrassing if they were. Heck, it’s even more embarrassing if they weren’t! I wonder if we’ll ever be told?

Of course, if you’d prefer an alternative, there’s always Quest Defender.

Friday, March 04, 2011

Gartner on UNIX Security and the New sudo

This is the title of Mark Diodati’s (Gartner/Burton) latest blog post on Unix security and sudo. I wanted to highlight a few things from his concluding paragraph:
It’s a smart move for Quest, and it is good for enterprises that leverage sudo. It opens up sales opportunities for Quest and other UNIX security vendors (e.g., Novell, CA, Centrifly, Cyber-Ark, BeyondTrust [previously Symark], and Fox Technologies) to sell into sudo-centric environments. Quest obviously gets “first mover” advantage. Enterprises will acquire practical centralized policy management without changing the user’s experience. When the time is right, the enterprise can leverage the UNIX security product for its other capabilities.
  1. “Enterprises will acquire practical centralized policy management without changing the user’s experience”This is really important. Sudo 1.8 is completely backwards compatible with previous versions of sudo. Preserving the user’s experience was job #1.
  2. Like I said in my last post, I wonder how quickly “other” UNIX security vendors will jump on board the sudo 1.8 plugin architecture. That would certainly validate our efforts wouldn’t it? (And our leadership and vision if I may be so bold to say that)
  3. “It’s a smart move for Quest”. Yes, we agree. Let’s not forget that it’s also a smart move for UNIX/Linux customers to begin looking, and we hope eventually using, the sudo 1.8 plugin architecture.
These architecture changes in sudo 1.8 really set up sudo “for the task for large scale UNIX security deployments”.

What is the killer feature in Sudo 1.8?

Here's a link to an interview that Todd Miller did while he was at SCALE. I like Todd's response to this question:

What would you say is the killer feature of this new release?

Todd Miller:  The "killer feature" in sudo 1.8 is dynamically loaded modules.  This makes it possible for third parties to write sudo plugins that implement custom security policies and logging of command input and output.  There are a number of root access control packages out there, both Open Source and commercial.  The plugin support makes it possible for users accustomed to using sudo to continue using it even if they want/need to use different security policy for root access.  All that is required is a plugin that can assess the security policy and determine whether the user is allowed to run the command.

Personally, I am going to be very interested to see how long it takes companies and Quest competitors to jump on this band wagon and offer plugins...

Wednesday, March 02, 2011

Sudo 1.8 Brings Pluggable Policies to Root Access Control

This is the title to an article by Joe Brockmeier that just appeared in ServerWatch. Joe “gets” what both Todd Miller is trying to achieve with the 1.8 version of sudo:
We're all familiar with the venerable utility Sudo, but its feature set hasn't kept up with what many companies want for root access control. Specifically, Sudo has lacked support for policy plugins and advanced logging features. There have been a number of proprietary tools that either replace or enhance Sudo for root access control (RAC). But who wants to have to buy an add-on if you can get the features you need as part of the native toolset that comes with your *nix?
There are many, many, many companies that leverage sudo in their day-to-day operations. Most of these companies – certainly the ones that have more than 10 or 20 *nix servers to maintain – struggle with consistent management of their sudo policy files and how to do effective logging. That’s exactly why Todd has implemented “pluggability” in sudo 1.8. I can’t but help agree with Joe with respect to one of his other observations:
Previously, those features (policy management and session logging) were the domain of proprietary RAC  (root access control) tools. And Sudo 1.8 doesn't mean that companies have no opportunity to offer services on top of Sudo, but it does mean that they don't need to replace it entirely -- and shops have the option of writing their own plugin or using open source plugins. During his talk, Miller said several open source plugins are in development. No doubt quite a few open source plugins will be contributed that fit the needs of many companies, and if not you could turn to vendors like Quest, which offer add-ons for Active Directory and other proprietary features.
Joe plans on writing more about how to take advantage of these plugins. I’m looking forward to it!

Technorati Tags: ,,,,,,,