Tuesday, July 31, 2012

Compliance In The Cloud Era–New Pressures

Interesting article in Information Week covering the results of a survey of 422 business technology professionals about compliance. Not surprisingly, one of the top technologies identified as an aid to compliance was identity management.

[Image: survey chart from the Information Week article]

The image above – from the article – is interesting. A whole 6% of businesses will use the cloud regardless of compliance concerns. The other 94% of the businesses – according to the graphic – either won’t put data in the cloud that is subject to compliance or need to assure themselves that they’d remain compliant. I hate to be the glass “half-empty” guy, but one could read that as 94% of respondents won’t risk the cloud for data subject to compliance.

With all of the hype around privileged account management it is interesting to see that there are nearly no vendors that support PAM for cloud service providers. Also, the same goes for both discovery of data in the cloud that might be subject to compliance regulations (e.g. an Excel spreadsheet with social security numbers in an Office 365 document) and data loss protection (DLP) solutions.

So either a lot of companies (i.e., more than the 6% noted in the graphic) are just doing it or they are leveraging private clouds. But, if they are leveraging private clouds, they still have issues managing privileged accounts and discovery/DLP.

Yes, the cloud is generating new pressures.

Monday, July 16, 2012

Yahoo’s Unbelievable Lapse

Well, the title in this article says it all and if you’re like me you probably still can’t believe it.

The error that led to the breach of nearly half a million user passwords from Yahoo was so basic, that the security expert who first spotted it didn’t believe it. “When I first looked at it, I thought it was fake because there’s no way Yahoo would store 450,000 passwords in the clear.”

That being said, I’ll remind everyone that Google had a similar faux pas in 2008. For a quick refresher on that incident check out my blog entry from then: http://jacksonshaw.blogspot.com/2008/09/google-age-and-single-sign-on.html. And, as I wrote then:

As an industry we shouldn’t be making the kinds of mistakes we made 15 or 20 years ago.

Well, it seems we’re still making those kinds of mistakes. What Yahoo allowed to happen is not only unbelievable but unconscionable. There’s a good article on creating strong passwords, but does having a strong password really matter if the password is stored in clear text on a back-end server somewhere? If this doesn’t push us to better use and better integrate two-factor authentication into our lives, I am not sure what will.

In the meantime, I’ll go and change my Yahoo password…


Tuesday, July 03, 2012

There’s a lot of 10 year Active Directory anniversaries happening

I spend a lot of time talking to customers. I wish I could spend more because you really do get a view into their world, their problems and their priorities. My uber-goal is to try to amalgamate those customer visits and see trends that provide me insight into the overall market.

One trend that I have started to see is the number of customers that have been telling me that their Active Directory design and architecture is more than 10 years old and they’ve decided it’s time for an overhaul.

Do you remember what we were all first told by Microsoft about Active Directory security architecture? Here it is: “A domain is the security boundary in AD.” Then, we were told: “Ooops, a domain isn’t the security boundary in AD. A forest is the security boundary.” So what ended up happening is that a lot of companies – especially banks and multi-nationals – architected and deployed their Active Directory with multiple forests. Now the “ooops” has come back to haunt them.

Many companies have found that managing multiple forests is a pain in the butt. What’s worse is that with the advent of the cloud and things like federation and Office 365 there are scenarios where having multiple forests really, really complicates things. So many customers are working at reducing the number of forests in their environment and also reducing the number of domains while they are at it. In fact, I met one multi-forest, multi-national bank that simply decided to start over from scratch: They set up a brand new single forest and are migrating over to it. (Aside: that same customer already had 5, yes 5, IAM platforms in use. Amazing!)

Is it time for your 100,000 mile/10 year engine overhaul? If so, we have a great tool to help you called Quest Migration Manager for Active Directory. It has 10 years of experience helping customers through these exact scenarios.

The Sad World of Passwords: Is X.500 the answer?

Martin Kuppinger commented on both John’s and my posts on this topic. Martin, as usual, added some pretty good meat to the discussion. There are a couple of points I wanted to emphasize that I thought were particularly important:

  • We also know that user acceptance is key to success

This is possibly the #1 issue in security in general. It has to be easy for the user. Ever forget your car keys somewhere? Have to go downstairs to get your wallet so you can get your credit card number to complete an order on a machine upstairs? That type of inconvenience is difficult to overcome when it comes to security. I am not convinced that NFC is the panacea here either. I’m sure it’ll be awesome if you happen to have your NFC device at hand, charged and ready to go.

  • Trust frameworks will be dealing with the complexity of having many IdPs

Hmmm, communication between multiple IdPs? Maybe we’ll need to have a master IdP in each country responsible for “chaining” these transactions to lower-level IdPs and communicating between country-level IdPs? Might we need referrals between these IdPs? What about caching? Shades of X.500!

Yes, I remember how successful X.500 was: At the Interop conference in Atlanta in 1995 an attendee came up to me at the Zoomit booth and said: “How do you speed up things 500 times?” That’s when I knew it was time to move on.

Yes, this will be complicated…