Wednesday, April 25, 2007

Infosecurity Europe 2007 Day 1

The Infosecurity Europe conference started today here in London and I figured that I may as well take advantage of the free registration (if registered before last Friday 20 April) and attend to catch up with all the things I've missed while I've been making the move from Sydney to London.

I'll try to sum up the day, but keep in mind that it's late so I apologise if some parts don't flow and sound disjointed.

The main things I noticed walking around the exhibition and looking at the types of companies there were:
  1. The big Enterprise Identity Management (IDM) vendors were nowhere to be seen. No IBM (well, ISS were there, but that's hardly IBM Tivoli), no Oracle, no Sun, no CA, no BMC. HP were there, but they only had a mini-demo of their IDM software. Microsoft were there in force, but they were promoting all their desktop security wares (or at least it seemed like they were - I didn't bother visiting them). The only players that were present that can be said to have anywhere near the full IDM capabilities of the big vendors were Courion and RSA.
  2. Quite a few of the smaller niche/fringe IDM point solution vendors were there. Names like Passlogix, Imprivata, ActivIdentity, Centrify, Cyber-Ark, Entrust, Evidian and Gemalto to name a few. The most interesting thing I saw was that even though Cyber-Ark only just announced their partnership with Oracle in joining the "Oracle Extended Identity Ecosystem", their stand was promoting their partnership with IBM Tivoli!
  3. The network is back. Every man and is dog is promoting some sort of product that's hooked into the network somehow. I also saw NAC everywhere! Spam and email filtering were also big as usual. The one thing that everyone tied their solution back to was...
  4. Compliance and audit. All the vendors have caught on to the fact that the biggest business driver for security at the moment is fear. Fear of the auditors and the Governments. Fear of prosecution. Fear of data loss. It all gets tied back into being compliant to whatever standard happens to be floating around today. HSPD-12. Sarbanes-Oxley. HIPAA. COBIT. You name it, someone claimed to solve it. My eyes glazed over because the big IDM vendors have been talking about it for years. Now all of a sudden it's the greatest and latest "hot" thing and the smaller companies trying to make a buck have jumped on the bandwagon. Can't blame them though. It IS a real driver. Problem with this is that it all sort of converges and customers will now find it more difficult to sort the good from the bad and figure out who is telling the truth about their product and who is trying to pull the wool over their eyes in trying to sell them a piece of software/hardware to supposedly solve all their problems. In markets like this, we invariably lose some good solutions because they can't sell their product and the bad ones stay around simply because they can. Then we're all stuck with crappy software/hardware and the computing industry looks evil yet again.
Apart from the exhibitors trying to sell products, there's also the sessions that we attend to hopefully gain some value and insight and to learn something new. Of course, there's always mixed results and some end up being a waste of time while others are really good. Nothing new here. Anyone who's ever been to an industry conference can tell you this. The next question is of course...which sessions did I attend. Before I go on, I should point out that the insulation in the speaker breakout rooms was very poor. We could hear all the noise coming from the main exhibition area even with the doors closed. It must have made it very difficult for the speakers. Anyway, here's the sessions I attended today along with my opinions:

Session: Demonstration of New Techniques Hackers are Using to Beat Your Security
Speaker: Geoff Sweeney, Chief Technology Officer, Tier-3
Audience: Mostly geeks
Geoff listed the typical security issues (compliance, unknown and internal threats etc.) and mentioned that today it is still common place to only have perimeter security (firewalls, IDS). The problem is that hackers use blended threats like social engineering combined with insiders/internal users and proliferate the distribution of malware and trojan downloads this way. He noted that enterprises need to know what's going on at all times and to monitor real time data against a measured behavioural baseline and track anomalies. Internal, unknown application threats are the "sweet spot" for threats. He summarised by saying organisations need a holistic approach, unified security management, real time response and mitigation to know what's happening, compliance focus and to remove the unknowns.

My opinions:
  • Where was the live demo?
  • It's still common place for perimeter security, but many organisations are at least thinking about or know about the other things out there. It's whether they implement it or not that becomes the real question.
  • Very "few years old" type of feel about the presentation. Many people would have heard this all before (I didn't see anyone taking notes). I certainly didn't learn anything new.
  • There was no mention of Identity and Access Management. How can someone talk about insider threats without even mentioning identity, entitlements and policies?

Session: House of Lords Science and Technology Committee Address: Internet Security
Speaker: Lord Broers, Chairman, House of Lord Science and Technology Committee
Audience: Mostly suits constantly fiddling with their Blackberry phones
This was actually quite an interesting presentation. While it didn't give any answers, it gave an insight into what the British Government are actually thinking about and gives us a level of comfort that they are willing to try to solve a few of the issues around Internet Security for the UK in particular. Lord Broers began by giving a bit of background about the House of Lords and what they call Select Committees (of which there are several). He gave examples of some of the other things they have looked into like nuclear waste disposal, allergies and energy efficiency. In this case, it was Internet Security. The reasons given for this selection was the proliferation and expansion of broadband, Internet banking, spam, phising and pedophilia. Select Committees start with a "call for evidence".

They then get feedback and go through a bunch of "evidence sessions" to flesh out the responses. The next steps are to evaluate and analyse the information and come to a conclusion which results in a report that gets submitted to parliament for debate and hopefully appropriate actions. The parliamentary debates and the report are publically available. At this stage, they're at the end of the "call for evidence" step. Examples of the questions asked are as follows:
  • What is the nature of threats to private individuals?
  • What is the scale of the problem?
  • What can and should be done about awareness and attitudes?
  • What role should hardware and software play?
  • Who should be responsible?
  • How effective are IT governance initiatives?
  • Is the regulatory infrastructure adequate?
  • Is law enforcement adequately trained to respond to Internet crime?
  • Is cybercrime new or just traditional crime using a new medium?
  • How can financial institutions be given incentives to keep consumer private data secure? US banks are legally liable for consumer losses above a certain threshold while UK banks only do this out of courtesy to their customers.
  • Should there be formal targets for policing online crime?
  • Should the UK have its own version of the US Government's IC3?
  • Can software be better configured? Mandatory secure partitions perhaps?
There was also mention of a visit to various US government departments and US vendors to have a look at what the potential solutions solutions available were and also what worked and what didn't. Overall, Lord Broers was quite impressed by what the US has in place today.

Also noted was the varying levels of advice received from various UK institutions. For example, banks will tend to downplay risks while security vendors will tend to exaggerate the issues. The hardest part about the information analysis process is going to be trying to account for these varying degrees of interests and trying to standardise the opinions somewhat.

The presentation then veered towards some initial preliminary opinions that have been formed and will be explored further. These include:
  • Too much responsibility is placed on the end users. There needs to be more responsibility taken by institutions and the IT industry in general for the risks out there. Lord Broers used an example he was given during the US visit. The example illustrated the fact that the water supply is sanitised before being supplied for consumers use. Water is not served up poisoned and then have the responsibility of filtering and sanitising the water pushed to the consumer. In this respect, the Internet should be treated like the water supply.
  • Consumers have been made to accept that everything we do online is our fault and very little is reported. But if we get mugged, the first thing we do is go to the police. This type of behaviour needs to be encouraged when it comes to the Internet.
  • Technology is not yet mature enough, but in the long run the consumer should not be held liable for anything that happens to them online through fraud, phishing, security threats etc.
  • Running a bot net in the UK is not illegal (although using one to perpetrate a crime is). This is because grid computing is essentially a bot net and they are required by legitimate sources for things like research. What types of controls can be put in place to help alleviate the risks associated with a computing grid? Should there be a license issued to people that run bot nets for example? Can people be prosecuted for using someone else's resources without consent (e.g using your electricity if they use your computer as part of their grid without your permission)?
  • There needs to be more research centres focusing on this topic at UK Universities like there are in US Colleges.
  • There needs to be better education. e.g. Internet Security should be taught at schools.
  • Part of the problem is the generational gap. Only 30-40% of parents know what their kids do online.
The main point made at the end was that the Internet is a hugely beneficial resource that MUST be protected.

My opinions:
  • There are too many things mentioned to debate. I agree with some things, others I do not.
  • Some views are outdated. It is obvious the UK government are somewhat behind the 8 ball, but you have to give them credit for trying to do something about it.
  • I couldn't quite make sense of some of the concepts he was talking about. "Computer partitioning on computers to make the Internet a safer place"? Huh? I suppose he was just paraphrasing some concept and that was his way of understanding it.
  • It was interesting to at least see the types of questions the UK government are trying to address in this space. There are solutions to quite a few things on the list...others not so much. At least they went to a logical starting point (the US Government) to get a close look at some of the solutions in place. Now the UK just have to get off their butts and do something about it...but as with all bureaucratic processes, that's easier said than done.

Session: Security and the Olympics
Speaker: Derek Wyatt MP, Labour Member for Sittingbourne and Sheppey & Chair of APIG
Audience: Mix of geeks and suits
Not really much content to do with IT security. The focus was very much on physical security. There were no solutions presented, just a bunch of questions and considerations. Here they are:
  • Focus very much on muslim fundamentalists, specifically Al Qaeda.
  • There's political pressure to hire local resources, but invariably there will be a skills shortage which will force hires from other parts of Europe. Many will be from Eastern Europe. Considerations need to be made with regards to how our enemies might try to infiltrate the process via Eastern Europe, how to perform credential and background checks for these workers (as there is no common EU shared security system), what identity scheme to use, how to back this all up and how to cope with the fact there is no common database shared between the border protection, law enforcement and transport authorities.
  • The word "Olympic" cannot be officially used until after the Beijing Olympics. This means it is difficult to get anything started officially until 2009.
  • With an expected 15,000 media, 12,000 coaches and support helpers (physio, doctors etc.), 10,500 athletes and 100,000 spectators in Britain, how does one safely screen all the areas?
  • How do we double security on all the buses and the tube?
  • What security systems should be used?
  • When and where does screening start? 3 miles from venues? 5 miles? More?
  • Can the Oyster Card be used as an ID card? Is there a better system (e.g. like Nokia do in Finland with using mobile phones to identify people)? Of course, these aren't really options because neither is an official Olympic sponsor. Visa are! As a result, Visa are responsible for much of the security around the place too (apparently that's part of the agreement with the IOC).
  • What about the Paralympics? Will there be more of a threat because of a perceived lack of security focus?
  • How are aids (e.g. wheelchairs) screened?
  • Are the streets, walkways and public transport systems designed for that many disabled athletes and security people co-located in a centralised area?
There were more considerations, but you get the idea. Apparently the point was to point out the issues and provide business opportunity for us security professionals to solve.

My opinions:
  • Not much to say really. Most of the things we could probably have figured out ourselves...especially if you know London and its infrastructure (and limitations of).
  • It was a bit of a lazy effort in terms of giving a presentation. No answers. Just a bunch of very high level things that need consideration. Selling it as a "opportunity for business" was a nice excuse on the surface, but how many of us are "approved solution providers" to the IOC anyway?
  • I suppose to a certain extent, they can't give away too much information for fear of exposing weaknesses...but there's not much to give away when there are no solutions yet.

Session: ID Management and Biometrics Implementation Forum
Chair: Stuart Okin, Head of Infrastructure, Accenture
  • Alastair MacWillson, Global Managing Partner Security, Accenture
  • Mark Kacary, Sales Director Enterprise Security, Aladdin
  • Marc Boroditsky, President and CEO, Passlogix
  • Nick Somper, Identity Management Lead UK and Ireland, Sun
Audience: Mostly geeks
The session was sponsored by Accenture, so we were put through a marketing video at the beginning with customer testimonials about how good Accenture are at Identity Management services. Stuart begin by introducing the panel and then had Alastair give the initial presentation about Identity Management. I won't go into the details because he gave a pretty stock standard Identity Management presentation that I've seen just about everyone give. Heck, I've given variations of it to customers before (only ones who are new to the problem space). If enough people ask, I'll post my notes in a future post. He did make the distinction between user centric identity and enterprise identity (which he said was where Accenture's expertise lay) so you've got to give him credit for that. He also talked about the drivers and challenges (again, stock standard stuff) and said he thought that biometrics and identity management technologies would converge because as we move forward, the identity infrastructures will be in place and be more mature. The main industries that have an interest in biometrics and identity are (unsurprisingly) government and law enforcement. Accenture ar also starting to see interest in biometrics from healthcare and transportation. Alastair sees the biggest challenges to government and industry being more robust identity systems and having identity governance principles on how to deploy identity systems. Also, there needs to be consensus on social, legal, privacy and policy considerations as well as more collaboration within the biometric and identity communities to work on common challenges.

Then came the teaser/sales pitch to get people to come back for the next session where Accenture was going to show how they implemented the miSense system at Heathrow terminal 3. I didn't find it compelling enough to turn up for that session.

Once Accenture were done with their miSense sales pitch, the panel discussion session began with the differences between "small im" and "big IM". "im" being the point solutions like SSO and "IM" meaning Enterprise Identity Management and managing organisational user account lifecycles and entitlements. Mark from Aladdin suggested starting small to address the immediate needs and then moving on to the whole enterprise solution. Nick from Sun mentioned what he calls the "extraprise" meaning business partners, contractor access and mobile employees and how this proliferates the need for the biometric, multi-factor authentication solutions. Marc from Passlogix went a little off topic and suggested that people really should be approaching things through the analysis of use cases. He used a Passlogix customer as an example. A hospital that uses fingerprint access in the general hallways, iris scanners in the operating theatres and username/password from workstations where biometric technologies aren't installed (each providing a different "level of access").

The panel session then moved on to talk about standards and the fact that there are too many of them. Marc from Passlogix took the discussion further by stating that most biometric technologies are proprietary. Implementations have an application layer built on top of the biometrics to help manage this issue and provide integration points, but that means the customer is stuck with having to maintain this. Biometrics need to go the way of PKI where certificates from multiple vendors can be centrally managed by PKI management tools. Nick from Sun chimes in by stating that many customers are now updating their outdated Federated systems to newer, open standards-based technologies and thinks that biometric implementations will follow the same path where the adoption of standards will drive customers to upgrade their implementations to be more open. The question then came from someone else about what standards Aladdin will adopt given that they are not currently in the biometrics market, but have it on the roadmap. The answer was not a particularly convincing one. It was a long winded way of saying "it depends on what standards emerge".

The next question came from an "audience plant" or "Dorothy Dixon" as it's known in some circles. It was basically asking how to combat privacy concerns whenever identity systems are implemented. The answers all came back to it being down to having the right governance processes, policies and controls in place.

The final question asked the panellists to comment on where they saw the identity market going in the next 2-3 years. Alastair's answer was essentially that public pressure will force companies to implement identity management systems. Nick from Sun's pearl of wisdom was that companies would still be on the identity implementation journey and getting their "houses in order". He then went on a bizarre tangent and mentioned stem cells and how leaving your razor behind on holidays might pose a risk in future because people may be able to steal your identity through the DNA you leave on your razon. Hmmm...right. Moving on. Marc from Passlogix went around the question and instead gave some recommendations: Practice good identity hygiene, have a high degree of flexibility through the use of standards and look at fixing the high degree risk use cases first. Mark from Aladdin thinks that everyone will be re-visiting their authentication systems there will be new requirements.

My opinions:
  • Accenture didn't really show any thought leadership.
  • The Sun guy was a little bizarre and spent the whole session trying to sell Sun's technologies (by pushing all the relevant concepts that Sun's software fit well with). Oh, and well done telling everyone indirectly that Identity Management software from Sun takes 2-3 years to implement.
  • What was the Aladdin guy doing on the panel? They admit they don't even have a product! And his last comment was the he thinks people will buy more authentication technologies (obviously from Aladdin...or so he hopes).
  • Marc Boroditsky from Passlogix knew his stuff. He didn't even try to sell SSO (well, not as blatantly as everyone else was trying to sell their stuff). He was the most competent and convincing of the panel.

Session: Identity Management: Picking the right Tools for the Job
Chair: Merlin, Lord Erroll
  • Toby Stevens, Vice Chairman, BCS Security Forum
  • Maury Shenk , Partner, Steptoe and Johnson LLP & Head of European Legal Programme SANS
  • Andy Kellett, Senior Research Analyst, Butler Group
Audience: Mostly suits
The session was split up into 3 separate presentations and a summary from Merlin, Lord Erroll.

Toby Stevens - Identity Mismanagement?

Toby began by talking about pseudonyms and how this concept protects our anonymity. This essentially takes us back to the early days of the Internet where no one really knew who anyone else online was and we all had multiple usernames and "identites" online. He defines identity management as being all about entitlement (what you can do), transactions (e.g. online services) and liability. When we talk about identity, we really mean something else. We don't really want to know who anyone is, just the bits of data that are required to provide assurance. For example, a customs officer wants to know our photo on our passport matches our appearance. It's not really about our name. It's actually all about identity assurance, not identity management. He likes the concept of federated identity and thinks there should be many disparate sub-systems all holding different bits of data populated by government, consumers and industry and kept accurate by the industry and consumers.

Maury Shank - Identity Management, a lawyer's perspective

Maury begin much the same way as Toby and had similar themes. He touched on legal implications of identity such as data protection law, human rights law, communications interception law, employment law, fraud and contractual obligations. Like Toby, he despises the term "identity theft" because in the context of the online world, it is really just our credentials that are stolen. Not our identities. Legal issues here are less significant and this is essentially traditional fraud using new techniques. He doesn't think there is a single "one size fits all" solution for identity. There should be many disparate identity sources and forms of identification for use with different purposes and in different contexts.

Andy Kellet - Realising real value from Identity and Access Management

There's not much to say about Andy's presentation. He gave yet another stock standard presentation, which was quite disappointing for an analyst. He even seemed to realise his slides were a waste of time because he skipped most of them by saying "yes we've covered that". He basically gave a few summary slides and ended with detailed slides of the summary points. Nothing thought provoking or new. His main point was that Identity projects are too complex as are the service delivery models.

Merlin, Lord Erroll summarised as follows:
  • There needs to be a good, secure way of providing electronic identity.
  • There needs to be a balance between centralised and de-centralised systems for identity.
  • There needs to be a level of anonymity in certain cases. For example, if you're calling up a government department to ask about a certain process, they begin by asking for an identification number. When they have that, they also have an indication that you're probably not doing something correctly (even if it's unintentional). This means they could potentially come after you for the unintentional offence. So what happens? People don't call to ask for help.
  • Do we really need to be identified everytime? We really just need to know that someone is authorised to do something.
  • The national ID card is not a bad idea. It is the national identity register that is the problem. It centralises all information relating to a person's interactions with the government. This means it can be tracked and opens people up to things like blackmail and so on.
  • There needs to be proper mutual authentication between consumers and institutions. Too often, institutions don't provide consumers with any authentication and expect us to trust they are who they say they are (Ian's note: I've mentioned this many times before, most recently in this post).
  • Having a centralised identity register still forces the government to provide "back doors". Active field agents (spies) will either need their details obscured or they may need multiple credentials/records. People on the witness protection program need to have their details changed and have to assume a new identity that is untraceable to their original one. Gender re-assignment operations also force a change to the system for that particular person's identity (although it's a little easier because it's just a name and gender attribute modification and should still be traceable to their original record).
  • Main point: One centralised database is not the answer. Smaller, distributed systems is the better way to go and federation plays a key part in all this.
My opinions:
  • All raise interesting and valid points and are good conversation starting points.
  • Did the Butler group guy lose his slides and was forced to pull out his slides from a few years ago?

Phew! That was a lot to write. Possibly my longest blog post ever.

That was my day in summary. Should be plenty here to digest and discuss. Feel free to post as many comments as you like.

No comments: