Tuesday, August 21, 2012

Is seven USC’s lucky number or will they crap out?

USC just had their sixth data breach since 2006 according to this report. This one exposed confidential information of 34,000 people in the College of Education.

No evidence has been found that the hackers have accessed or used any information on the server, but USC has sent notifications to everyone in the database to place fraud alerts on their credit files, school officials said.

One would have thought that after perhaps the second or third breach at USC they’d figure out they needed some serious help and serious introspection. Will their be a seventh? If there’s a seventh and heads don’t roll you can be assured that someone came up lucky.

There’s not enough detail to even guess at what the security issue or problem may have been. During the same month there was another security breach related to credit card data at USC cafeterias and dining halls. I’m not sure why both weren’t reported at the same time since they both happened the same month.

This kind of reminds me of all the scams that people fall for and they’d say that they’d get calls from all kinds of scammers after they fell for one or two scams. I wonder if USC has become a target of Internet scammers because they aren’t doing enough to secure their systems and now appear like an easy target?

Let’s hope there isn’t a seventh report in the making. Remember, seven is only lucky on your first roll in craps – every other roll and a seven craps you out…

Monday, August 20, 2012

Quest One & Data Governance

Today we released Quest One Identity Manager – Data Governance Edition. I’m particularly excited about this release because it is built on Quest One Identity Manager and is based on a very scalable and capable identity infrastructure.

By being based on Q1IM we get to leverage all of the capabilities of our underlying identity management platform like data synchronization, provisioning, workflow, segregation of duties, reporting and, most importantly, a common user interface for users of either product.

Some of the other key features include:

  • Restricted Access – Define access policies for your organization to ensure that sensitive unstructured data is only accessible to approved users. Quest One locks down sensitive data such as files, folders and shares across NTFS, NAS devices and SharePoint.
  • Data Owner Assignment – Determine and assign the appropriate owner of data for all future access requests by evaluating usage patterns and read and write access.
  • Simplified Auditing – Identify user access to enterprise resources such as files, folders and shares across NTFS, NAS devices and SharePoint to provide key information during audit preparations. 
  • Automated Access Requests – Use built-in workflows to automatically direct access requests from the request portal to the appropriate data owner. Approved requests are automatically and correctly fulfilled, with no burden on IT.
  • Access Verification – Ensure that only approved users have access to specific resources, including those who have left the organization or department or whose roles have changed. Quest One enables you to monitor user and resource activity, and configure and schedule a recertification process for data owners to verify and attest to employee access.
  • Personalized Dashboard – View trends, historic and current data access activity, and attestation status on a personalized dashboard with reports that can be used to prove compliance to auditors.

More information about Quest One Identity Manager – Data Governance Edition can be found here.

Wednesday, August 15, 2012

The Answer to Verification and Authentication?

I tweeted a very interesting article by Dan Raywood titled “A question of verification and authentication.” It’s a good article and I certainly recommend reading it. There’s a comment in the article from Richard Law, CEO of GB Group that reminded me of something. His firm’s verification technology is used as a third-party solution to verify users by retailers, banks and gambling websites.

The system it built in 2004 verifies 13 million people a year and its vision is to verify anyone anywhere in the world at any time and to be a true enabler of online business.

Law said that if an instance were to arise where GB Group became the trusted issuer, it would have to convince everyone to give them their data and it would issue a token that would be verifiable to them.

For some reason my memory bank spit out that what we might need has already been predicted in the movie “The Forbin Project.” A supercomputer that controls our identity data and can positively verify us. But, I’m positive that would never come to happen. Would it?

Law’s technology would take 536 years to verify the world’s population at 13M per year. It just goes to show you that we have a Colossus of a project on our hands and we haven’t really even started to or tried to verify identities that our outside of the developed world.

This problem will never go away. Just because we have fire insurance doesn’t mean there will never be a fire. The same goes for identity verification. We have to accept the fact that no matter how much insurance we put around identity we’ll never prevent 100% of identity theft or misuse of identity.

In the United States most banks still issue credit cards without chips. Why don’t they move to a more verifiable, more secure platform for transactions? The cost of doing nothing hasn’t exceeded the cost of the fraudulent transactions. Who needs fire insurance if you have enough money to re-build and you don’t care about the damage you incur due to the fire?

Monday, August 13, 2012

Cloud complications sinking security?

Any solution that claims security, but moves identities and credentials off premise is a security risk.

A wise statement from SecureAuth co-founder Garret Grajek in his blog commentary on the Mat Honan affair. It rang a bell with me based on some research I’ve been doing since last year on this topic:

Why aren’t customers deploying federation for access to cloud services that support federation?


  1. Federation is complicated and we don’t have the expertise (or want to get the expertise) to manage it.
  2. We want “one throat to choke” if there’s a problem. “I don’t want to call the cloud provider to have him tell me it is Microsoft’s ADFS and call Microsoft to have them tell me it is the cloud provider or some other piece of my infrastructure.”
  3. Password synchronization is something we already do and are comfortable with. (A variation of #1)

I think Garret’s blog post gives a good overview of why #3 above is an issue. I’ll say it can be especially concerning if it is your Active Directory password that is being synced to multiple cloud properties.

Another bid of good advice:

An enterprise needs to retain the “keys to the kingdom” by (1) Retaining the identities (2) Conducting the authentication (3) Federating the identity and (4) Logging the Access for secure cloud usage.

Couldn’t agree more about giving away the keys to the kingdom! And I know many companies are behind here – especially when it comes to logging & auditing.

Wednesday, August 01, 2012

Will third time be the charm for DropBox?

So it’s the second time that DropBox has been hacked. Lots of coverage about the hack which came to my attention here. I hope everyone remembers the previous hack from last year.

Now DropBox is adding two-factor authentication after the horse has bolted from the barn – twice. Will there be a third hack?

After last year's embarrassing data breaches, Dropbox promised to implement additional safeguards "to prevent this from happening again." Whoops, it just happened again.

DropBox is an excellent product. I use it. I really like it for probably the same reasons you guys do but I continue to be amazed that cloud-based apps don’t come out of the box with two-factor as an included – preferably for free – feature. I mean even supporting something like Symantec’s VIP token would be a plus and not hard to add. (I know, we’ve added it to our Webthority product)

This simply re-enforces two things:

  1. Despite all of the surveys that say people are concerned about cloud security the vendors (aka YOU the product managers at these companies) aren’t listening.
  2. Simplicity, coolness and ease-of-use will continue to trump security. (i.e., People like me who know better are using the product without enhanced security)

Oh, I wonder if the users who were hacked have mentioned to their employers that perhaps some of their data was compromised? Yah, right.

The company also said that one of those stolen passwords was used to access a Dropbox employee’s account, which contained a project document with user email addresses.

Where’s my cloud compliance solution…? Is it possible to prevent this from happening again? What’ll happen if (when?) this happens a third time to DropBox? Does your company have a written policy about the use of cloud-based file sharing solutions? What is the air speed velocity of an unladen swallow? (This last question is to see if: a) you have read this all the way thru; b) you know Monty Python; and, c) you get the fact that cloud security is verging on being a great Monty Python skit)