Meeting IAM Gaps and Challenges with New Product Offerings

PathMaker Group has been working in the Identity and Access Management space since 2003.  We take pride in delivering quality IAM solutions with the best vendor products available.  As the vendor landscape changed with mergers and acquisitions, we specialized in the products and vendors that led the market with key capabilities, enterprise scale, reliable customer support and strong partner programs.  As the market evolves to address new business problems, regulatory requirements, and emerging technologies, PathMaker Group has continued to expand our vendor relationships to meet these changes.  For many customers, the requirements for traditional on premise IAM hasn’t changed.  We will continue supporting these needs with products from IBM and Oracle.  To meet many of the new challenges, we have added new vendor solutions we believe lead the IAM space in meeting specific requirements.  Here are some highlights:

IoT/Consumer Scalability

UnboundID offers a next-generation IAM platform that can be used across multiple large-scale identity scenarios such as retail, Internet of Things or public sector.  The UnboundID Data Store delivers unprecedented web scale data storage capabilities to handle billions of identities along with the security, application and device data associated with each profile.  The UnboundID Data Broker is designed to manage real-time policy-based decisions according to profile data. The UnboundID Data Sync uses high throughput and low latency to provide real-time data synchronization across organizations, disparate data systems or even on-premise and cloud components.  Finally, the UnboundID Analytics Engine gives you the information you need to optimize performance, improve services and meet auditing and SLA requirements.

Identity and Data Governance

SailPoint provides industry leading IAM governance capabilities for both on-premise and cloud-based scenarios.  IdentityIQ is Sailpoint’s on-premise governance-based identity and access management solution that delivers a unified approach to compliance, password management and provisioning activities. IdentityNow is a full-featured cloud-based IAM solution that delivers single sign-on, password management, provisioning, and access certification services for cloud, mobile, and on-premises applications.  SecurityIQ is Sailpoint’s newest offering that can provide governance for unstructured data as well as assisting with data discovery and classification, permission management and real-time policy monitoring and notifications.

Cloud/SaaS SSO, Privileged Access and EMM

Finally, Centrify provides advanced privileged access management, enterprise mobility management, cloud-based access control for customers across industries and around the world.  The Centrify Identity Service provides a Software as a Service (SaaS) product that includes single sign-on, multi-factor authentication, enterprise mobility management as well as seamless application integration.  The Centrify Privilege Service provides simple cloud-based control of all of your privileged accounts while providing extremely detailed session monitoring, logging and reporting capabilities.  The Centrify Server Suite provides the ability to leverage Active Directory as the source of privilege and access management across your Unix, Linux and Windows server infrastructure.

With the addition of these three vendors, PMG can help address key gaps in a customer’s IAM capability.   To better understand the eight levers of IAM Maturity and where you may have gaps, take a look this blog by our CEO, Keith Squires about the IAM MAP.  Please reach out to see how PathMaker Group, using industry-leading products and our tried and true delivery methodology, can help get your company started on the journey to IAM maturity.

With today’s increasing Mobile Enterprise Security Threats, do you have a strategy to mitigate the risk on your Corporate Network?

Corporations are increasingly utilizing mobile enterprise systems to meet their business objectives, allowing mobile devices such as smart phones and tablets to access critical applications on their corporate network.  These devices provide advanced technologies over traditional desktop clients, such as: information sharing, access from anywhere at any time, data sensors, location, etc. But what makes these mobile devices desirable, by their very nature, also poses a new set of security challenges.  Reports by research agencies in recent years show an alarming trend in mobile security threats listing as top concerns: Android malware attacks, and for the IOS platform issues with enterprise provisioning abuse and older OS versions.

These trends highlight the need for corporations to start taking seriously a mobile security strategy at the same level to which cyber criminals are planning future attacks. A mobile security strategy might involve adopting certain Mobile Security Guidelines as published by standards organizations (NIST) and Mobile OWASP project. See the references at the end of this document:

The following guidelines are a subset of Mobile Security Guidelines I pulled from various published sources with most coming from NIST. It is by no means a comprehensive list, however they can be considered as a starting point or additional considerations for an existing mobile security strategy.

1 – Understand the Mobile Enterprise Architecture

You should start with understanding and diagramming the flow from mobile application to business applications running on the back-end application server. This is a great starting point and should be done at the beginning stages, as most of the security guidelines will depend on what is known about the architecture.

  1. Is the mobile application a native application or mobile web application? Is it a cross-platform mobile application?
  2. Does the mobile application use middleware to get to the back-end API, or does it connect directly to a back-end Restful based Web Service?
  3. Does the mobile application connect to an API gateway?

2 – Diagram the network topology of how the mobile devices connect

Is the mobile device connecting to the business application servers over the cellular network or internally through a private WiFi network, or both? Does it go through a proxy or firewall? This type of information will aid in developing security requirements; help with establishing a QA security test bed and monitoring capability.

3 – Develop Mobile Application Security Requirements

At a high level, a security function must protect against unauthorized access and in many cases protect privacy and sensitive data. In most cases, building security into mobile applications is not at the top of the mind-set in the software development process. As such, these requirements should be gathered as soon as possible in the Software Development Life Cycle (SDLC). It has been my personal experience in many cases that you have to work with application software developers in adopting best security practices. So the sooner you can get that dialogue going the better. Security objectives to consider are:  Confidentiality, integrity, and availability. Can the mobile OS platform provide the security services required? How sensitive is the data you are trying to protect. Should the data be encrypted in transit, and in storage? Do you need to consider data-in-motion protection technologies?  Should an Identity and Access Management (IDAM) solution be architected as part of the mobile enterprise system? Should it include a Single Sign On functionality (SSO)? Should there be multi-factor authentication, role based or fine-grained access control? Is Federation required? Should the code be obfuscated to prevent reverse engineering?

4 – Incorporate a Mobile Device Security Policy

What types of mobile devices should be allowed to access the organization’s critical assets. Should you allow personal mobile devices, Bring Your Own Devices (BYOD’s) or consider only organization-issued or certified mobile devices to access certain resources? Should you enforce tiers of access? Centralized mobile device management technologies are a growing solution for controlling the use of both organization-issued and BYOD’s by enterprise users. These technologies can remotely wipe the data or lock the password from a mobile device that has been lost or stolen. Should Enterprises consider anti malware software and OS upgrades to become certified mobiles on the network? To reduce high risk mobile devices, consider technologies that can detect and ban mobile devices that are jail broken or rooted, as these can pose the greatest risk of being compromised by hackers.

5 – Application Security Testing

According to a study performed by The Ponemon Institute, nearly 40% of 400 companies surveyed were not scanning their applications for security vulnerabilities, leaving the door wide open for cyber-attacks. This highlights the urgency for security teams to put together some sort of security vetting process to identify security vulnerabilities and validate security requirements as part of an ongoing QA security testing function. Scanning application technologies typically conduct two types of scanning methods: Static Application Security Testing (SAST) which analyzes the source code and Dynamic Application Security Testing (DAST), which sends modified HTTP requests to a running web application to exploit the application vulnerabilities. As the QA scanning process develops, it can be automated and injected into the software build process to detect security issues in the early phases of the SDLC.

6 – System Threat Model, Risk Management Process

What will typically come out of the application scanning process will be a list of security vulnerabilities found as either noise, suspect or definitive.  It will then be up to the security engineers knowing the system architecture and network topology working with the application developer to determine whether the vulnerability results in a valid threat and what risk level based on the impact of a possible security breach. Once the risk for each application is determined, it can be managed through an enterprise risk management system where vulnerabilities are tracked, fixed and the risk brought down to a more tolerable level.

7 – Consider implementing a Centralized Mobile Device Management System

Depending on the Mobile Security Policy that is in place, you may want to consider implementing a Centralized Mobile Device Management System especially when Bring Your Own Device (BYOD) mobiles are in the mix that can:

  • For mobile devices, manage certificates, security setting, profiles, etc through a directory service or administration portal.
  • Policy based management system to enforce security settings, restrictions for organization-issued, BYOD mobile devices.
  • Manage credentials for each mobile device through a Directory Service.
  • Self service automation for BYOD and Reducing overall administrative costs.
  • Control which applications are installed on organization-issued applications and check for suspect applications on BYOD mobile devices.
  • A system that can remotely wipe or lock a stolen or loss phone.
  • A system that can detect Jail-broken or rooted mobile devices.

8 – Security Information and Event Management (SIEM)

Monitor mobile device traffic to back-end business applications. Track mobile devices and critical business applications and correlate with events and log information looking for malicious activity based on threat intelligence. On some platforms it may be possible to integrate with a centralized risk management system to specifically be on alert for suspicious mobile events correlated with applications at higher risk.

References:

Leadership Essential in Cybersecurity Dynamics

Are your C-level leaders sending a clear message about Cyber Security?

Despite the high profile security breaches making news headlines and increased attention around cyber risks, executives in the C-suites are still lacking commonality and communication of a clear goal when it comes to a cybersecurity strategy. These individuals need to work together to manage their organizational risks to help prepare, mitigate, and minimize the damage caused by cyber incidents.

Every organization needs a clear strategy and roadmap with supporting tools that protect critical assets. Read more about this topic and the crucial role the C-suite plays in the dynamics surrounding Cybersecurity.

https://securityintelligence.com/c-suite-dynamics-can-impact-the-organizations-cybersecurity/

A Sobering Day for All CEOs

Sadly, the CEO presiding over Target during the recent data breach resigned today.  See USA today article.

This series of unfortunate events for Target begs a key question relating to the risks every company CEO faces today. Did Target leadership ask the right questions about overall IT security and the risk every company faces?

Protecting a company from Cyber bad guys is a never ending battle.  It’s a game of leap frog with some serious consequences if you get behind.  With all the opportunity for full-time, professionally paid, government backed hackers to spend all day every day figuring out new ways to wreck a company, the priority for combating this enemy needs to be pretty high on the list for every CIO and CEO.  But it’s not just about spending all the money you can afford to spend.  It’s about understanding where to spend the money on the right technology.

How do leaders responsible for protecting a company sort out all the noise from the real threats?  This has become a constant exercise in analyzing risk and applying financial priorities accordingly.

As fast as the bad guys are coming up with new ways to exploit a target, new innovative minds are working to counter their moves.  Many of these great technologies are being folded into a portfolio of products and solutions that can be layered across an enterprise to protect and prevent the latest threats from creating the worst kind of headlines.

IBM has been on a major buying spree for the last several years snapping up some of the best and brightest technologies and resources across the globe.  They are quickly assembling an array of tools that are being shaped into the worlds best security risk analysis platform.  By leveraging this risk-based assessment direction, IT leaders can depend on technologies that will not only provide the intelligence about where to address risk, but can be assured that these technologies are probably the best that money can buy.

IBM is currently the third largest security company in the world with the goal of being the largest and the best.  As a Premier IBM Business Partner, we see this investment first hand.  See ComputerWorld’s perspective.

PathMaker Group serves our customers by planning, implementing, and managing these security solutions across the enterprise.  IT Security is a rapidly changing, complex business and our partnership with IBM helps us keep our customers one step ahead of the bad guys.

Target Data Breach

How did they pull it off and how can you safeguard your environment from a similar event?

The Target Stores data breach started by exploiting a vulnerability in an externally facing webserver.  Once inside, hackers took command of an internal server and planted malware on the Point of Sale devices in stores all over the US.  The harvested data was stored internally until the hackers reached back in to grab the millions of credit card account records that were stolen.  More details can be found at http://krebsonsecurity.com/

With the tools available today, how could this event happen?  What can you do to safeguard your environment from a similar incident?

PathMaker Group recommends the following measures:

  1. Assess the overall security posture of your organization.  Our company provides a rapid assessment covering 16 security domains enabling you to understand where you may have major gaps.  We can help you prioritize these gaps to help you to maximize your risk mitigation.
  2. Test your environment (and your website code) for vulnerabilities.  External and internal penetration testing is a necessary starting place, but if you develop your own website code, scanning your application code prior to releasing the system to production is essential as these techniques and tools will surface many more vulnerabilities.  We can help with both of these services.
  3. Leverage security intelligence technologies to correlate and identify suspect events before massive damage can occur.  We can rapidly deploy an industry leading solution for you in a matter of days including setting up a managed service.

For help or more information, please contact PathMaker Group at 817-704-3644

Keith Squires, President and CEO, has been in high demand by the media to add insight to this recent news.  Radio and television news interviews, including CBS National News, are available to view at the following link:

http://www.pathmaker-group.com/home/pathmaker-group-news/

Breach at Target Stores Affect 40 Million Customer Card Accounts

Target suffered a major data breach losing credit, debit and Red card numbers for as many as 40 million customers across 1900 stores in US and Canada. This will go down as one of the largest breaches in recent history and it comes at the worst possible time.  Consumers may have to cancel their cards just they are trying to finish Christmas shopping.  Target says the issue has been resolved. Keep an eye on your accounts and if you see any suspect activity, cancel your card right away.

Are you doing everything you can to prevent a breach like this at your company?

Talk to PathMaker Group about our 16 domain security assessment.

http://www.pathmaker-group.com/services/security/assessments/

Learn more about the Target breach at their corporate website

https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

 

Have you had your Security Wellness Check?…

So you think your organization is secure . . . think again! IBM X-Force 2013 mid-year report says that many of the breaches recently reported were a result of “poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice.” Covering the basics is exactly what we help companies achieve through our “SecurePath” 16 domain rapid security assessment. In one week we can review your security posture, cover all your bases and help you prioritize the big security gaps in your environment.

Ingestible Computers

Today I had the opportunity to be a guest on over a dozen Fox News Radio affiliates around the county to discuss the topic of the “password pill.”

These tiny, ingestible “smart pills” may be making their way to a pharmacy near you as early as next year.  These traveling sensors are in the form of pills which are swallowed and then powered on by stomach acid.  They transmit low frequency signals to a wearable patch and then a smart phone app.  The pill passes through the body in about 24 hours and can then be recycled!  Eeww!  Several companies are making these in various forms including a consumer version that would send information to your cell phone.

The technology is already FDA approved.  In fact, astronauts have been using these for years to help monitor vital health indicators.  We can expect the technology to be main stream for consumers by next year.

For medical applications, this would enable sending real-time data about health conditions and effectiveness of medications directly to your doctor.

For password or authentication applications, the “password pill” can act as a form of strong authentication where YOU become a form of a password.  This provides stronger security than something you know or something you have (and can be stolen or misplaced). Read more

Got Bot?

The world of malware (literally bad software) has some interesting terminology. Botnets and Zombie networks sound like they should be different, but they are basically the same thing. The imagery of masses of robots (ala I Robot) or hordes of Zombies from Night of the Living dead is surprisingly a relatively accurate description. Botnets or Zombie Nets are collections of computers that have been infected with a specific class of malware that is managed by an external ‘Controller’. Ok, Zombie hordes are not easy to manage, but the robot masses are. I’ll use the term botnets to refer to both.

Botnets can be used for many different illegal purposes such as distributed denial of service (DDoS) attacks, mass spam mailings, illegal data collection and more. Like the domestic robots in the movie I Robot, malware bots establish themselves unobtrusively in your network through the same types of mechanisms as a virus, worm, Trojan or other malware. In fact, Trojans, malware that masquerades as legitimate software, are often used to distribute ‘Bot’ malware. That ‘swimware calendar’ program you downloaded may look nice, but underneath there may be some malware silently doing bad things to your computer. Read more

Strengthening the Authentication of Your Users

They say a chain is only as strong as its weakest link.  In the world of IT systems, you don’t want that weak link to be user authentication.  Once a hacker gains access to a system as a valid (potentially high level) user, the amount of damage they can do is unlimited.  There are different ways to validate a user’s identity and they have different levels of security.  Using the three little pigs as an analogy, let’s take a look at the options:

1)      The straw house – This is what we call single factor authentication.  This just involves something you know or have.  An example for physical security is a badge that is tapped on a door reader to gain access.  If someone gets hold of the badge, that’s all they need to walk into the building.  Another in the IT world is the familiar user ID and password.  It’s what a majority of users use to gain access to their computer’s OS and applications. This has the potential to be fairly secure, but often times isn’t due to poor password choice.  Users frequently pick passwords that are easy for them to remember which means they are easy for hackers to crack. Once they know the password they have total access to the system/application.  Read more