Information Security magazine, November 2010 (INFOSECURITYMAG.COM)

Cover: PROVISIONING 2.0: Re-architect your provisioning system into a first line of defense for access management. Also inside: Staying Compliant in the Cloud | Salary Survey



[Chart: Memory Used During Scan, x-axis in megabytes (0 to 140). VIPRE Enterprise used only 50 MB RAM during a manual scan; compared against TrendMicro, Sophos, Webroot, Symantec and McAfee.]

Until now, antivirus engines have been Frankensteins, bolted together from bits and pieces of different products! They’re generally slow, full of bugs, and hard to manage. VIPRE Enterprise takes a revolutionary new approach to your antivirus and antispyware protection.

» COMPLETE! All-in-one advanced protection from today’s malware
» FAST! High performance and low impact on system resources, no more user complaints
» EASY! Manage everything easily from one command screen
» RELIABLE! Configurable, real-time monitoring technology
» AFFORDABLE! Special competitive upgrade discounts available!

How does your current software compare? VIPRE Enterprise scans at a brisk 13.95 MB/sec and uses just 27% of CPU and 50 MB of RAM. In idle, it uses a mere 13.3 MB RAM with a disk footprint of just 113 MB. You’ll hardly notice it’s running!

[Chart: CPU % Used During Scan, x-axis in CPU percentage (0 to 80). VIPRE Enterprise only uses 27% of CPU resources during a manual scan; compared against McAfee, TrendMicro, Symantec, Sophos and Webroot.]

Kiss your antivirus bloatware goodbye

tel: 1 (888) 688-8457 | fax: 1 (727) 562-5199 | Email: [email protected] | www.sunbeltsoftware.com

Formerly:

TEST DRIVE FREE for 30-DAYS

www.TestDriveVipre.com

All product and company names herein may be trademarks of their respective owners.

INFORMATION SECURITY | November 2010 | page 3

FEATURES

25 Provisioning 2.0 | ACCESS CONTROL: Re-architect your provisioning system into a first line of defense for access management. BY RANDALL GAMBY

33 Meeting Mandates in the Cloud | COMPLIANCE: Moving IT operations to the cloud requires careful due diligence to maintain compliance with HIPAA, GLBA and other regulations. BY JOSEPH GRANNEMAN

43 Down But Not Out | SALARY SURVEY: The economy is dragging down pay for information security professionals but not dampening their dedication. BY MARCIA SAVAGE

ALSO

5 EDITOR’S DESK: Noble, But No Way. To cure the botnet plague, Microsoft wants to quarantine infected consumer PCs until they’re remediated. BY MICHAEL S. MIMOSO

10 PERSPECTIVES: The Application Security Testing Gap. Application security reviews miss a critical vulnerability by not ensuring functional security. BY C. WARREN AXELROD

14 SCAN: Full Plate. Slew of McAfee product initiatives pique interest of customers but analysts say the security giant needs to sharpen its focus. BY ROBERT WESTERVELT

17 SNAPSHOT: Stuxnet Threat

19 FACE-OFF: Is a Software Monoculture Dangerous to Computer Security? Marcus Ranum and Bruce Schneier go head-to-head on the concept of software monocultures as a security threat. BY MARCUS RANUM & BRUCE SCHNEIER

51 Advertising Index

CONTENTS | NOVEMBER 2010 | VOLUME 12 NUMBER 9

www.courion.com

Ensuring the right people have the right access to the right resources... and are doing the right things.

• Define and apply access policy: Support corporate and regulatory requirements
• Detect inconsistencies: Recognize actions or access that contradict compliance policy
• Remediate non-compliance as appropriate: Correct inappropriate access in accordance with policy
• Validate and report on effectiveness: Assure policy controls are delivering desired results

Learn how Courion’s Access Assurance Suite™ solution helps companies be compliant.


TABLE OF CONTENTS: EDITOR’S DESK | PERSPECTIVES | SCAN | SNAPSHOT | FACE-OFF | PROVISIONING | CLOUD COMPLIANCE | SALARY SURVEY | SPONSOR RESOURCES


Noble, But No Way

To cure the botnet plague, Microsoft wants to quarantine infected consumer PCs until they’re remediated.

by MICHAEL S. MIMOSO

IMAGINE ALL THE MONEY we’d have if we indeed did get a dollar every time we heard X? For instance, I wish I had a buck for every time I heard cybersecurity compared to a public health model. Or how about this one: I wish I had a nickel every time I heard someone propose some kind of operator’s license for Internet usage.

Talk about Christmas shopping made easy.

Microsoft is the latest to draw a parallel between cybersecurity and human health. Silly comparison aside, at its core, Microsoft’s proposal to quarantine and deny infected consumer PCs Internet access until their issues are remediated is a noble attempt to quell the botnet problem.

Consumer PCs, I dare say, make up close to 90 percent of all large botnets. Why? Because people, no matter how much you plead with them not to do so, will click on attachments promising naked pictures of Megan Fox. People will fall for scams about their no-longer active PayPal accounts—even if they’ve never signed up for a PayPal account. People, consumers in this case, are not Windows administrators and for the most part, don’t know a bot from their elbow. They just want unfettered access to FarmVille and Foursquare and they don’t care if on the back end, their excruciatingly slow PC is sending Viagra spam.

So that’s argument enough in favor of Microsoft’s initiative: “CollectiveDefense: Applying Public Health Models to the Internet?” Right?

Can’t go there.

Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing Group, first hinted at this during his RSA Conference 2010 keynote. Charney followed that up in early October with a more formal presentation at the ISSE 2010 computer security conference in Berlin, calling for a collective approach between governments, big business and Internet service providers to monitor and quarantine infected machines, and notify owners that they’re offline until their device passes muster. Comcast already has rolled out ConstantGuard to its customers, which in addition to free malware protection and backup services to its subscribers, also includes a bot notification service. The service notifies the customer if an infected computer routing through Comcast might be a bot.

What ConstantGuard won’t do, however, is take you offline. It won’t bar you from unfettered Internet access until remediation is applied. It does point you to another page where you can take steps to get your machine cleaned and to download the free antimalware software it provides.

To go beyond is the slipperiest of slopes. The obvious conflict here is that Microsoft might suggest that its NAP technology be at the heart of any such efforts to clean up the Net. But beyond that, who is the arbiter of secure consumer configurations? Do you really want ISPs, or heaven forbid the government, deeming what passes the sniff test for a safe computer? Rogue antimalware scams are rampant on the Internet now; wouldn’t this proposal kick the door open for a spate of new scams targeting consumers worried their PCs won’t be allowed to connect to Facebook? And targeted attacks backed by a zero-day vulnerability or two won’t abate because of this.

Microsoft has done exceptional work improving the security ecosystem. It was instrumental in shutting down the Waledac botnet family and has taken similar steps with other organized malware efforts. Patch Tuesday has introduced consistency into organizations’ vulnerability management programs, while the Security Development Lifecycle (SDL) has improved the security of Microsoft’s products to the point where they’re not the scourge of the Internet that they once were. Also, many enterprises have cherry-picked bits and pieces of Microsoft’s internal SDL process and adopted it for their respective environments to great results.

Maybe in this case, we’re just shooting the messenger. But Microsoft, despite its advances, is still far from a security hero in many eyes. Any industry-wide or Internet-wide initiative such as this one immediately casts a shadow of suspicion about Microsoft’s true intentions.

Android and Apple may be making inroads as computing platforms, but the truth for the immediate time being is that Microsoft has a stranglehold on personal computing. And the reality is that Microsoft’s products are still feature-rich, feature-first products that make their way to market saddled with security vulnerabilities. Nobody understands market pressures better than Microsoft, but if you’re going to force security onto consumers you risk inhibiting productivity, and that’s exactly what we’ve been pleading with security experts to stop doing for far too many years.

Michael S. Mimoso is editorial director of the Security Media Group at TechTarget. Send comments on this column to [email protected].

RELIABLE, SECURE DELIVERY OF APPLICATIONS ACROSS YOUR NETWORK

> Stop malware and internet threats at the gateway
> Protect your organization from social networking security threats
> Provide web-based threat protection without the need for additional downloads & patches

Learn more at www.bluecoat.com/security

©2010 Blue Coat Systems, Inc. All rights reserved.


MUST READ! COMING IN DEC/JAN

DATA ACCOUNTABILITY AND TRUST ACT
Legislative debate continues over the Data Accountability and Trust Act (DATA). The legislation, which would mandate reasonable security policies and procedures to protect data containing personal information, as well as breach notification, would be the closest thing we have to a national data privacy law. In this article, you’ll learn details about DATA, including how it defines personal information, encryption requirements outlined in the act, reporting requirements, potential penalties and more.

SECURITY’S ROLE IN VENDOR MANAGEMENT
Virtually every business depends to some extent on third parties to provide products and services. Inevitably, some of those third parties will require access to confidential corporate and/or customer information. It is incumbent on the third party to ensure the data entrusted to them remains confidential. This article will discuss some of the key risk management principles relative to infosecurity within vendor management, including information classification, prioritization, quantification and location, and developing effective due diligence processes.

SECURITY CONSIDERATIONS IN DISASTER RECOVERY
In planning for a disaster or outage, companies are intent on ensuring critical business processes remain operational, but they can overlook security, putting sensitive data at risk. This feature will look at critical considerations, including recovery site security, and secure transmission of data to backup sites.

In the war on cybercrime, no one has your back like Kaspersky Lab.

Take Back The Endpoint!

It’s a war out there. And the endpoint is the new battlefront. Together, we can defeat cybercrime.

usa.kaspersky.com/take-back-the-endpoint www.kaspersky.com


The Application Security Testing Gap. Application security reviews miss a critical vulnerability by not ensuring functional security. BY C. WARREN AXELROD

APPLICATION SECURITY has become information security’s “mot du jour,” as it should be since the majority of hacks purportedly occur through the application layer. The rapid increase of interest in application security is evidenced by the explosive growth in membership in groups such as Open Web Application Security Project (OWASP), and the appearance of specific certifications, such as the Certified Secure Software Lifecycle Professional offered by ISC2. And it is apparent from the recent corporate acquisitions of such application security testing players as Ounce Labs and Fortify, by IBM and HP respectively, that the big guys also are recognizing the importance of application security.

I have long been a strong advocate of ensuring that applications reflect user requirements, are engineered with security in mind, designed with security architectures, and built using secure coding practices. Such coverage goes a long way towards improving the overall security state of applications, which are commonly held to be among the most popular vectors used by those with evil intent to gain access to data and perpetrate fraud, among other crimes.

However, functionality testing and security reviews do not cover what is perhaps the greatest vulnerability area of all, namely, ensuring that applications do not authorize functions which specific users are not supposed to perform. There are good reasons for this gap. First of all, application testers are usually only interested in verifying that applications perform their intended functions correctly. Second, application security tests are done against language-specific security vulnerabilities and errors, such as the OWASP Top 10 Web application vulnerabilities and the CWE/SANS Top 25 Most Dangerous Software Errors, without having to understand the intended functionality of applications. Third, the scope of what I call “functional security testing” is orders of magnitude greater than other forms of testing. And fourth, there are very few individuals who understand both the business intent of applications as well as security considerations.

Here’s a personal example to illustrate what I mean. Before Web applications became popular and application security became the serious issue that it is today, client-server systems were all the rage. I was asked to provide “security test scripts,” which I interpreted to mean scripts that gave assurance a particular application did not allow unwanted functionality by users not authorized for those functions. The testers, who were very familiar with the application’s functionality, had already created some 600 functional test scripts. I came up with some 10,000 first-order security test scripts. That is to say, having been given some training in the functionality of the application, I formulated all the potential paths through the application that a user might try. However, I did not include second, third and higher order scripts, such as when a user performs one function followed by another function and then another; that would have resulted in literally millions of potential scripts.

Even so, my proposed scripts were greeted with amusement since running 10,000 test scripts was clearly unrealistic given the cost and the time it would take. We compromised by instituting the statistical approach of sampling and confidence limits commonly used in manufacturing. We ran a certain number of random tests and, depending on the confidence resulting from the tests, decided whether or not to perform further tests. The net result of this approach to software assurance was that the system was extremely stable. After it had been running for about three months, we did see a second-order error resulting from a user performing a sequence of tasks that revealed more information than authorized; the cause was a failure to initialize a particular buffer. This occurrence would likely not have been detected unless a much broader series of tests had been done.

Interestingly, a very similar approach was recently advocated for testing hardware in an article in the August 2010 issue of Scientific American, “The Hacker in Your Hardware.” The author, John Villasenor, writes: “Because … rogue hardware requires a specific trigger to become active, chipmakers will have to test their [threat] models against every possible trigger to ensure that the hardware is clean … Companies [should] test as best they can, even though this necessarily means testing only a very small percentage of possible inputs. If a block [of circuits] behaves as expected, it is [then] assumed to be functioning correctly.”

Environment also plays a critical role in the testing of hardware and software. Often applications are installed on a variety of platforms and infrastructures, so that testing scripts should be created for the many situations in which the software and hardware might be used. This, of course, expands the number of potential test scripts enormously.


While security professionals have promoted testing using misuse and abuse cases and fuzz testing, which involves entering random data, specific guidance as to the form of such analysis and skills needed for such tests is rarely provided in sufficient detail for this type of testing to be effective. This is understandable since security professionals prefer to deal with generic approaches without getting into particular application functionality. This is also to be expected due to the enormity of the task, which several experts in nonfunctional security testing have argued. Nevertheless, I believe that some level of functional security testing needs to be done, if only on a sample basis. It is certainly better than begging off from any such testing.

C. Warren Axelrod, Ph.D., is a senior consultant with Delta Risk and research director for financial services with the U.S. Cyber Consequences Unit. He recently led a software assurance initiative for the Financial Services Technology Consortium, and was formerly business information security officer and privacy officer for the wealth-management division of Bank of America. His publications include Outsourcing Information Security and Enterprise Information Security and Privacy. Send comments on this column to [email protected].

Database protection and compliance made simple. Guardium, an IBM Company, provides the simplest, most robust solution for continuously monitoring access to high-value databases and automating compliance controls for heterogeneous environments – assuring the integrity of trusted information and enabling enterprises to drive smarter business outcomes.

• Gain 100% visibility and control over your entire DBMS infrastructure.

• Reduce complexity with a single set of cross-DBMS auditing and access control policies.

• Enforce separation of duties and eliminate overhead of native DBMS logs.

• Monitor privileged users, detect insider fraud and prevent cyberattacks.

• Automate vulnerability assessment, data discovery, compliance reporting and sign-offs.

For more information, visit www.guardium.com/InformationSecurity

Copyright © 2010 Guardium, an IBM company. All rights reserved. Information is subject to change without notice. IBM, and the IBM logo are trademarks of International Business Machines Corporation in the United States, other countries or both.

SCAN | SECURITY COMMENTARY | ANALYSIS | NEWS

Analysis | MCAFEE

Full Plate. Slew of McAfee product initiatives pique interest of customers but industry analysts say the security giant needs to sharpen its focus. BY ROBERT WESTERVELT

At McAfee’s annual user conference in September, executives at the security vendor set out to assure customers and partners that they have a clear product strategy as the company enters into marriage with Intel. The multi-pronged plan drew customer interest but industry observers say the security giant needs to hone its priorities if it wants to succeed.

While it isn’t likely that innovative hardware-based security products will be released this year, McAfee President and CEO Dave DeWalt hinted just weeks after Intel announced its plan to acquire the company that new technologies are already in the pipeline. Until then, he said the vendor would continue to innovate with its software-based endpoint security initiatives. His message resonated with some McAfee customers who expressed their interest in the prospects of hardware-based security and McAfee’s new virtualization platform, an antivirus software package called MOVE that secures XenDesktop virtual machines and VMware servers.

Tom VanderZwaag, a security solution center manager at Santa Clara, Calif.-based Affymetrix, a maker of microchips for DNA analysis, says his firm is considering virtualization for its testing and administrative functions, a cost-cutting move that had him looking more closely at McAfee’s software at the conference.

“We’re getting into the virtualization space, so we’re trying to understand the impact of these products,” he says. “Obviously with budgetary constraints we’ll probably be moving into a pilot mode soon and we see some potential, especially in the testing area and repeatable customers.”


McAfee has been working with both Citrix Systems and VMware to apply its antivirus software to the network layer of a virtualized environment with minimal performance degradation. The company plans to integrate the MOVE platform into its ePolicy Orchestrator (ePO) central management console.

Along with the broad announcement around virtualization, McAfee’s DeWalt reiterated the promise of improving security by placing it inside silicon rather than part of the operating system. “Instead of running in the application layer, we have to think about technologies at a lower level in the stack,” DeWalt says.

DeWalt also touted McAfee’s “Security Connected” initiative, which brings together its endpoint, network, and mobile products into a complete “ubiquitous” security platform. But some industry analysts and customers say the security giant needs to prioritize its direction. Andrew Braunberg, a research director at Washington, D.C.-based Current Analysis, says Intel has a strong track record of listening to its customers and anticipating what should come next, a benefit that could help McAfee find its way.

“[McAfee] has its fingers in so many different directions that it really sums up what their challenge or opportunity is right now,” Braunberg says. “Their problem is deciding what to jump on first.”

Joshua Corman, a research director at The 451 Group, agrees that more focus would help McAfee.

“I felt that all the messages were on ubiquity: putting McAfee everywhere,” Corman says, adding, “It’s not just about being ubiquitous; it’s also about improving the caliber.”

Still, some customers were excited about the future painted by McAfee. Alexander Leach, a reverse engineer at a defense contractor, says the entire security industry is thinking about hardware-based security products. As malware grows more sophisticated, hardware-based technologies may show promise in defending networks, but the technologies being developed won’t be the smoking gun needed to snuff out cybercriminal activity for good, he says.

“There’s been a lot of talk about moving towards hardware, and there’s probably going to be some pretty cool stuff from [Intel and McAfee], but it’s always going to be a cat-and-mouse game no matter how we approach it,” Leach says. “It’s just like digital rights management or any other type of thing like that; security through obfuscation only works so much.”

The challenge for McAfee will be to continue to develop ePO while it rolls out new hardware-based products, says a global infrastructure security manager in the agriculture industry. There is a need for McAfee to improve data sharing within the centralized management console so security vendor products and even some McAfee products can pull data out of ePO to help security teams conduct analysis.

“One of the challenges I think we’ve had in this space for years is that there’s no one silver bullet, but there’s a whole holster full of them,” he says. “We buy all kinds of different tools, there’s a lot of overlap, and I spend a lot of time and a lot of man-hours having people that are interpreting data from one system and looking at it in the context of another system.”

Robert Westervelt is the news editor of SearchSecurity.com. Send comments on this article to [email protected].


SNAPSHOT | Stuxnet Threat. By Information Security staff

The Stuxnet Trojan quickly grabbed the attention of security researchers when it surfaced this summer. The highly complex malware uses multiple techniques, including zero-day vulnerabilities, to target industrial control systems. Symantec published an analysis of Stuxnet, along with a timeline for the malware, in October. Symantec researchers note that while Stuxnet was discovered in July, it existed at least a year earlier. Here’s a summary of some of the main events from Symantec’s Stuxnet timeline with an October update.

OVERHEARD
“We’re still seeing products come out that are susceptible to vulnerabilities that quite frankly have been in the wild for quite some time.”
—MARK WEATHERFORD, vice president and chief security officer, North American Electric Reliability Corp. (NERC)

June 2009: Earliest Stuxnet sample seen.

June 17, 2010: Virusblokada, a security firm in Belarus, announces that it found a new malware sample using an unpatched vulnerability to spread to removable drives. The vulnerability is later identified as the Windows Shell flaw.

July 16, 2010: Microsoft issues a security advisory for “Vulnerability in Windows Shell Could Allow Remote Code Execution.”

July 19, 2010: Siemens reports that it is investigating reports of malware infecting Siemens WinCC SCADA systems.

Aug. 2, 2010: Microsoft issues a patch for the Windows Shell vulnerability.

Sept. 14, 2010: Microsoft releases a patch to repair the Print Spooler vulnerability targeted by Stuxnet, and reports two other privilege escalation vulnerabilities used by the malware.

Oct. 12, 2010: Microsoft releases a patch for one of the privilege escalation vulnerabilities.

Your One Stop Shop for All Things Security

Nowhere else will you find such a highly targeted combination of resources specifically dedicated to the success of today’s IT-security professional. Free. IT security pros turn to the TechTarget Security Media Group for the information they require to keep their corporate data, systems and assets secure. We’re the only information resource that provides immediate access to breaking industry news, virus alerts, new hacker threats and attacks, security standard compliance, videos, webcasts, white papers, podcasts, a selection of highly focused security newsletters and more — all at no cost.

www.SearchSecurity.com: Feature stories and analysis designed to meet the ever-changing need for information on security technologies and best practices. Breaking news, technical tips, security schools and more for enterprise IT professionals.

www.SearchFinancialSecurity.com: Learning materials geared towards ensuring security in high-risk financial environments.

www.SearchSecurity.co.UK: UK-focused case studies and technical advice on the hottest topics in the UK Security industry.

www.SearchMidmarketSecurity.com: Information Security strategies for the Midmarket IT professional.

www.SearchSecurityChannel.com: Technical guidance AND business advice specialized for VARs, IT resellers and systems integrators.


?POINT by BRUCE SCHNEIER

Is a software monoculture dangerous to computer security?

FACE-OFF: SECURITY EXPERTS MARCUS RANUM & BRUCE SCHNEIER OFFER THEIR OPPOSING POINTS OF VIEW

INFORMATION SECURITY, November 2010 (p. 20)

TABLE OF CONTENTS
EDITOR’S DESK
PERSPECTIVES
SCAN
SNAPSHOT
FACE-OFF
PROVISIONING
CLOUD COMPLIANCE
SALARY SURVEY
SPONSOR RESOURCES

IN 2003, a group of security experts—myself included—published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would be interesting to revisit the debate.

The basic problem with a monoculture is that it’s all vulnerable to the same attack. The Irish Potato Famine of 1845–9 is perhaps the most famous monoculture-related disaster. The Irish planted only one variety of potato, and the genetically identical potatoes succumbed to a rot caused by Phytophthora infestans. Compare that with the diversity of potatoes traditionally grown in South America, each one adapted to the particular soil and climate of its home, and you can see the security value in heterogeneity.

Similar risks exist in networked computer systems. If everyone is using the same operating system or the same applications software or the same networking protocol, and a security vulnerability is discovered in that OS or software or protocol, a single exploit can affect everyone. This is the problem of large-scale Internet worms: many have affected millions of computers on the Internet.

If our networking environment weren’t homogeneous, a single worm couldn’t do so much damage. We’d be more like South America’s potato crop than Ireland’s. Conclusion: monoculture is bad; embrace diversity or die along with everyone else.

This analysis makes sense as far as it goes, but suffers from three basic flaws. The first is the assumption that our IT monoculture is as simple as the potato’s. When the particularly virulent Storm worm hit, it only affected from 1–10 million of its billion-plus possible victims. Why? Because some computers were running updated antivirus software, or were within locked-down networks, or whatever. Two computers might be running the same OS or applications software, but they’ll be inside different networks with different firewalls and IDSs and router policies, they’ll have different antivirus programs and different patch levels and different configurations, and they’ll be in different parts of the Internet connected to different servers running different services. As Marcus pointed out back in 2003, they’ll be a little bit different themselves. That’s one of the reasons large-scale Internet worms don’t infect everyone—as well as the network’s ability to quickly develop and deploy patches, new antivirus signatures, new IPS signatures, and so on.

The second flaw in the monoculture analysis is that it downplays the cost of diversity. Sure, it would be great if a corporate IT department ran half Windows and half Linux, or half Apache and half Microsoft IIS, but doing so would require more expertise and cost more money. It wouldn’t cost twice the expertise and money—there is some overlap—but there are significant economies of scale that result from everyone using the same software and configuration. A single operating system locked down by experts is far more secure than two operating systems configured by sysadmins who aren’t so expert. Sometimes, as Mark Twain said: “Put all your eggs in one basket, and then guard that basket!”

The third flaw is that you can only get a limited amount of diversity by using two operating systems, or routers from three vendors. South American potato diversity comes from hundreds of different varieties. Genetic diversity comes from millions of different genomes. In monoculture terms, two is little better than one. Even worse, since a network’s security is primarily the minimum of the security of its components, a diverse network is less secure because it is vulnerable to attacks against any of its heterogeneous components.

Some monoculture is necessary in computer networks. As long as we have to talk to each other, we’re all going to have to use TCP/IP, HTML, PDF, and all sorts of other standards and protocols that guarantee interoperability. Yes, there will be different implementations of the same protocol—and this is a good thing—but that won’t protect you completely. You can’t be too different from everyone else on the Internet, because if you were, you couldn’t be on the Internet.

Species basically have two options for propagating their genes: the lobster strategy and the avian strategy. Lobsters lay 5,000 to 40,000 eggs at a time, and essentially ignore them. Only a minuscule percentage of the hatchlings live to be four weeks old, but that’s sufficient to ensure gene propagation; from every 50,000 eggs, an average of two lobsters is expected to survive to legal size. Conversely, birds produce only a few eggs at a time, then spend a lot of effort ensuring that most of the hatchlings survive. In ecology, this is known as r/K selection theory. In either case, each of those offspring varies slightly genetically, so if a new threat arises, some of them will be more likely to survive. But even so, extinctions happen regularly on our planet; neither strategy is foolproof.

Our IT infrastructure is a lot more like a bird than a lobster. Yes, monoculture is dangerous and diversity is important. But investing time and effort in ensuring our current infrastructure’s survival is even more important.

Bruce Schneier is chief security technology officer of BT Global Services and the author of Schneier on Security. For more information, visit his website at www.schneier.com.

COUNTERPOINT by MARCUS RANUM

“YAWN! The death of the Net predicted”….

Eight years later, monoculture remains a poor and misleading comparison. Why do we need to analogize about computers as if they were biological systems? We ought to be perfectly capable of assessing them on their own terms. We have a rich vocabulary of security terminology, based on a set of commonly understood principles, so why do we feel it’s important or useful to squint hard and say, “Computers are kind of sort of like biological organisms; therefore, they’re likely to fail in similar ways”? Computers fail like computers, and organisms fail like organisms—any resemblances between the two are largely coincidental.

Let me illustrate how silly these analogies can get with a simple thought experiment. Suppose for a few minutes we’re going to pretend a network plus a bunch of computers is an organism. We can construct one analogy that sounds pretty scary by saying, “Computers, of course, don’t have an immune system.” Or, we can construct another analogy by saying, “The system administration team plus the combined security researchers at all the antivirus/antimalware vendors plus configuration management software is the immune system.” See what I mean? We’re wasting time arguing about which analogy is better, which is pointless. It makes more sense to talk about computer security problems using the language of computer security, which is rich enough, even if you exclude the marketing buzzwords.

In fact, the monoculture concept only seems to carry zing because the biological metaphors obscure the basic silliness of the concept. Talking about it in the language of computer security, what the monoculture fearmongers are saying is something (trying to be fair) like: “Too many computers share a common operating system, and therefore share its common flaws; consequently, at a certain point a shared vulnerability could be used to cause massive, cascading failures of critical infrastructure. Therefore, be very afraid.”

However, in the real world we observe that:

• The first part of that scenario has already happened; in fact, it has happened about once a week for the last 15 years.

• The second part of that scenario hasn’t happened, or even anything close to it.

Why not? Because every computer/network out there is managed differently, patched differently, has different addressing and routing schemes, different firewall rules, different configuration management practices, different diagnostic and analytic capabilities, and different system administrators. If you don’t get blinded by the shiny analogy, you realize pretty quickly why the monumental collapse scenarios haven’t happened since Robert Morris, Jr. took down a small but significant percentage of the nascent Internet for several hours, back in 1988.

There are large numbers of systems that are managed and configured in lock-step—for example, smartphones, certain point-of-sale terminals, and ATMs. Generally they tend to be special-purpose systems, “walled gardens,” or consumer-oriented systems which need zero demand for system administration. In fact, many of those systems run Microsoft Windows—the very stuff that the monoculture paper warned us about. But there haven’t been meltdowns, outside of the occasional entire application-specific load-out (such as one particular bank’s ATM network, or a specific wireless provider’s smart phone) toppling over, briefly. What we see is exactly what we’d expect to see if the monoculture idea were absolutely wrong: Whenever a new vulnerability is discovered, some systems topple, some are immune, some quickly react with workarounds, and home users wonder why their personal computers have suddenly gotten a bit slower.

A more formal explanation why monoculture isn’t a problem can be found in Charles Perrow’s 1999 book “Normal Accidents,” in which he analyzes failures in terms of the complexity and interdependence of systems. In Perrow’s worldview, a system can be said to be “tightly coupled” if the correct function of one component depends subtly on another, and another in turn. The greater the degree to which components are interdependent, the more likely they are to experience complex, unpredictable accidents—accidents that Perrow says are easily enough understood in hindsight but are nearly impossible to model predictively because the interdependencies are not discoverable in advance of the accident.

Now, consider modern networks, systems, and software in that light: some pieces are interdependent and others aren’t. Yes, a lot of systems depend on components such as DNS, but the upper layers “understand” that it’s a piece of the system that fails, and try to fail gracefully along with it. You won’t, however, see one service provider building deliberate interdependencies with a competitor unless it’s angling for a featured spot on FAIL Blog. The systems and networks we depend on are exactly as wobbly and unreliable as they possibly can be, and yet still function; failure is a built-in fact of the environment, and that’s why “belt and suspenders” remains the byword of geek chic.

The monoculture argument was, barely concealed, nothing more than an extended whine about Microsoft’s market dominance—and I happen to know that the main authors were all Mac users. I suspect that security was less the real issue than the frustration Mac users felt a decade ago at being blown off by corporate IT. But look what’s happened: the technology landscape has changed, and now there are two completely different operating system/application stacks—neither of which has yet toppled in a catastrophic failure.

That’s partly because of market dynamics; it seems that when one vendor gains a sufficiently strong lock on a market it over-prices and under-innovates until a cheaper, cooler, and shinier alternative becomes attractive. The entire history of the computer industry is a swirling jumble in which one company dominates enough to become scary and create its competitors—the way IBM’s lock on business computing in the 1970s triggered the departmental computing revolution of the 1980s, and “big IT” and system administration in the 1990s justifies the “cloud computing” backlash.

Monoculture won’t happen because every vendor needs to differentiate its products in the marketplace if there is still room to innovate. The “all the eggs in one basket” scenario you’re worrying about is a natural reaction to the vendor-inspired technology fragmentation of the 1980s; it’s just the normal ebb and flow of the market.

Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his website at www.ranum.com.


ACCESS CONTROL

PROVISIONING 2.0

Re-architect your provisioning system into a first line of defense for access management. BY RANDALL GAMBY

WHEN ORGANIZATIONS THINK of access management, single sign-on, login credentials and smart cards come to mind. But before a single username and password is issued or a hard token is handed to an employee, the resources and privileges that he or she will access have already been set up. This action of provisioning a user’s access is accomplished through a series of request channels, workflows utilized for approvals, and finally the set up of an account or multiple accounts on the organization’s application servers. In the past, this was done through a series of coordinated processes and performed by a pool of local administrators. Today, these same functions are commonly done by an automated user provisioning system. However, despite the use of this technology, access management is still a big problem for many organizations.

One issue is that the focus of many of these systems is to provision, or on-board, an individual. But the services of deprovisioning, or off-boarding, accounts as an individual changes responsibilities within the organization or leaves are still not well defined. Human nature drives personnel to be diligent when application access rights are needed but when they are no longer needed, the request to remove these same rights is often put on the back burner. This causes access creep, which is becoming a key data leakage and compliance concern for security professionals. What’s more, a difficult economy and downsizing only exacerbate the problem and underscore the need for additional automated mechanisms to off-board users and cut off their network access.

Because of this problem, many organizations are going back to the drawing board and rethinking their provisioning—and now deprovisioning—strategies, and beginning to look at other identity management technologies to get access management back under control. Businesses have come to realize that by implementing the optional components that ship with these tools such as reporting, role-based access management and advanced workflow, and integrating them with other security tools such as audit re-certification and security information and event management (SIEM) tools, the provisioning system can be re-architected to become a vital component of an organization’s access control infrastructure.

HOW PROVISIONING WORKS

When provisioning systems were initially implemented to on-board users, four components were deemed mandatory: the request interface; a basic workflow engine; a logging system to troubleshoot and query the actions taken by the system; and the connectors used to join the targeted applications to be controlled by the system. With these components in place, organizations could automate access rights to many of their network and internal business systems. And over time, this configuration has been expanded to include any number of secondary level applications, which extended the sphere of influence of the provisioning system.

Over the years, the evolution of provisioning technology has provided new features and services. Today’s provisioning systems ship with services to provide access management governance. For example, the basic logging mechanisms were recognized to contain the system of record information for user access—who approved the access, when access was granted, and which applications were provisioned. With built-in reporting capabilities, this information has been found to be invaluable to audit and compliance personnel as evidence of authorized access for verifying compliance to regulations such as Sarbanes-Oxley, PCI, GLBA, FERC/NERC, Basel II and HIPAA. But work is still needed as organizations are finding this information is incomplete. With the struggle to deprovision users, many times showing when a user’s access rights were removed is missing from the record.

Also, in the past, provisioning systems managed user access rights on an individual-by-individual basis. Inconsistencies were continuously found due to the customization of individual access and in how users were provisioned. Two users performing the same function were sometimes provisioned with different access rights even if this was done only hours apart. This approach also didn’t provide much business benefit over the manual provisioning process since automation showed very little cost improvement. But several years ago, provisioning systems started shipping with role-based access controls (RBAC). RBAC revolutionized provisioning by allowing user access management to be based on the function the individual performed. RBAC profiles are now in place in many provisioning systems, allowing economies of scale in managing access rights for large populations of workers performing similar tasks—such as software engineer, account manager or surgeon.

With advancements in workflow engine technology, the provisioning workflow engines have also been enhanced to the point where they compete with many commercial standalone workflow engines used by many business functions. This has allowed provisioning systems to develop complex workflows and to take advantage of process options like delegation of authority, identification of separation of duty problems, line of business approvals, and temporary approvals—to compensate for temporary worker changes like vacations and extended travel.

Provisioning systems have also modified their request interfaces to allow easy development of Web-based request forms that can be integrated into internal and external portals. Intelligence has also been added to the forms so self-service requests can be customized based on RBAC roles and a series of rules to provide customized request forms based on who the person is, the role they play and where they’re located: on premise, in a controlled remote facility or a hotel kiosk.

Finally, many provisioning vendors such as IBM, Oracle and Novell have now recognized the need for data normalization. This function ensures that identity data replicated across several identity stores are in synch. In the past, this has been the responsibility of identity management meta-directories. But this feature has been merged into the provisioning product. This has not only eased the internal integration that was required to allow these two technologies to work together; it has provided better data quality for the identity repositories managed by the provisioning system.

MISCONFIGURATION AND MONITORING

Organizations have found that just implementing a standalone provisioning system doesn’t necessarily mean the company has control over its access management struggles. A common flaw of a provisioning system is its configuration. Many provisioning vendors have been asked by their potential customers, “If we buy this system will it work correctly?” And of course the answer is, “Yes, if you configure it right.” Provisioning systems are like a block of wood and a picture of a sailing ship: The ability to carve the block of wood to recreate the sailing ship is directly proportional to the skills of the person wielding the knife. Due to the complexity of access management processes and workflows, poor management of existing stand-alone applications and incomplete business requirements, many provisioning systems have been found to inaccurately provide proper access rights. Some have faltered to the point of being decommissioned—even though in post mortem analysis the system was found to be working correctly but was misconfigured.

This requires a provisioning system’s actions to be checked to ensure the access rights provisioned are correct. Organizations have found that besides using a provisioning system as an access governance tool, a recertification system is also needed to perform these checks. These tools are implemented with connections to the same endpoint systems managed by the provisioning system. By extracting information from these systems and independently analyzing the access permissions based on the same roles and rules used by the provisioning system’s configuration, the recertification tool can independently verify the provisioning system is correctly issuing access rights.

Also, errors in access may not be the fault of the provisioning system but rather that of the requestor. Recertification systems address this problem by providing the ability to assign management roles to the user rights under scrutiny. This service entails notifying responsible managers that a recertification task is required, usually through an email message with a link back to the recertification interface. The manager is then presented with the users under his or her domain and the access rights and services they have access to. The manager is responsible for reviewing the accesses and determining any changes required—add, delete or modify. Once the changes are identified, the recertification system can then execute a series of electronic requests to the provisioning system to make the appropriate changes.
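The recertification pass described in the two paragraphs above, as an added example that is not code from the article or from any provisioning vendor: an extract of what the endpoint systems really grant is compared against the RBAC profiles, each discrepancy is routed to the responsible manager, and confirmed findings become add/delete requests for the provisioning system. The role, user, manager and application names and the endpoint extract are all constructed sample data.

```python
"""Recertification pass: read what the endpoint systems actually grant, compare it
with what the RBAC profiles say each user should hold, and turn every difference
into a review item for the responsible manager plus a change request for the
provisioning system. Added example; not any vendor's code. All role, user,
manager and application names are constructed sample data.
"""
from dataclasses import dataclass

# Constructed RBAC profile: role -> set of (application, entitlement).
ROLE_ENTITLEMENTS = {
    "software_engineer": {("git", "developer"), ("jira", "user"), ("vpn", "standard")},
    "account_manager": {("crm", "sales"), ("jira", "user"), ("vpn", "standard")},
    "finance_analyst": {("erp", "ledger-read"), ("vpn", "standard")},
}

# Constructed HR data: the role(s) each user holds today, and who reviews their access.
USER_ROLES = {"alice": {"software_engineer"}, "bob": {"account_manager"}, "carol": {"finance_analyst"}}
MANAGER_OF = {"alice": "erin", "bob": "erin", "carol": "frank"}

# Constructed extract pulled by the recertification tool's own connectors:
# (application, entitlement, account) exactly as the endpoints have it.
ENDPOINT_EXTRACT = [
    ("git", "developer", "alice"), ("jira", "user", "alice"), ("vpn", "standard", "alice"),
    ("crm", "sales", "bob"), ("vpn", "standard", "bob"),        # bob is missing jira
    ("erp", "ledger-read", "carol"), ("vpn", "standard", "carol"),
    ("erp", "ledger-write", "carol"),   # never granted by any role carol holds: access creep
    ("git", "developer", "carol"),      # left over from a previous role, never removed
    ("crm", "sales", "dave"),           # no HR record at all: orphan account
]


@dataclass(frozen=True)
class Finding:
    user: str
    application: str
    entitlement: str
    action: str    # "delete" for unjustified access, "add" for required-but-missing access
    reason: str


def expected_entitlements(user):
    """Union of the entitlements granted by every role the user currently holds."""
    allowed = set()
    for role in USER_ROLES.get(user, set()):
        allowed |= ROLE_ENTITLEMENTS.get(role, set())
    return allowed


def recertify(extract=ENDPOINT_EXTRACT):
    """Independent check of provisioned access: one Finding per discrepancy, sorted by user."""
    actual = {}
    for app, ent, user in extract:
        actual.setdefault(user, set()).add((app, ent))
    findings = []
    for user in sorted(set(actual) | set(USER_ROLES)):
        have = actual.get(user, set())
        if user not in USER_ROLES:
            # Account with no owner in HR: everything it holds is up for removal.
            findings += [Finding(user, a, e, "delete", "no role record for user") for a, e in sorted(have)]
            continue
        want = expected_entitlements(user)
        findings += [Finding(user, a, e, "delete", "not granted by any current role") for a, e in sorted(have - want)]
        findings += [Finding(user, a, e, "add", "required by role but missing") for a, e in sorted(want - have)]
    return findings


def review_queue(findings):
    """Group findings by the manager who must confirm them (the e-mailed recertification task)."""
    queue = {}
    for f in findings:
        queue.setdefault(MANAGER_OF.get(f.user, "unassigned"), []).append(f)
    return queue


def change_requests(findings):
    """The electronic requests sent back to the provisioning system once a manager confirms."""
    return [{"user": f.user, "app": f.application, "entitlement": f.entitlement, "action": f.action}
            for f in findings]


if __name__ == "__main__":
    for manager, items in review_queue(recertify()).items():
        print(f"recertification task for {manager}:")
        for f in items:
            print(f"  {f.action:6} {f.user:6} {f.application}/{f.entitlement} ({f.reason})")
```

Two design points matter in practice: the extract comes from the endpoints, not from the provisioning system's own log, so a misconfigured provisioning system cannot vouch for itself; and an account with no HR record is treated as a finding rather than skipped, because orphaned accounts are exactly what the off-boarding gap leaves behind.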

Because of the complexity of today’s provisioning environment, even using a reliable recertification tool doesn’t ensure 100 percent access management coverage. But perimeter monitoring tools used to thwart insider attacks, malware and external hacker attacks can help guard against unauthorized or incorrect access. These SIEM tool suites, along with data leakage protection tools, log monitoring, and firewall traffic analysis tools, sit in many large organizations performing constant monitoring of network traffic, looking for sensitive information attempting to leave the perimeter of the organization.

These tools capture both pre-meditated attacks and inadvertent information leakage events. While they don’t proactively modify end user access, they do log, and if configured to do so, block sensitive information from being sent outside the organization’s domain by unauthorized users. Many times the user who initiated this information transfer reached the data through inappropriate access, or access that was not removed as the user’s role changed over time. Information captured by the SIEM tool can be used to determine which system the information originally came from, and many times to identify the user who originated the action. By having security incident response personnel working closely with identity management administrators, errors in access management can be quickly resolved.

PROVISIONING EVOLUTION

Provisioning systems work well in controlling access but the world continues to change and so does the access management environment. To date, terminations, or off-boarding events, are still difficult to manage. With the recognition of this problem, many provisioning architects and administrators are learning to work with their counterparts in human resources, compliance and security administration to understand the complexities of off-boarding individuals. As the processes are better understood, new connections to the provisioning system from the applications used by these groups are feeding the provisioning system’s workflows to enable deprovisioning.
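The HR-fed deprovisioning workflow this section describes, and the missing removal record noted earlier under the governance features, as an added example that is not code from the article or from any vendor: termination and role-change events from a constructed HR feed drive the removal of entitlements, and every removal is written to the system-of-record log with the same who/when/what that grants already carry. The event format, roles, users and approver names are all assumptions made for the example.

```python
"""Event-driven deprovisioning: termination and role-change events from the HR
feed drive the removal of entitlements, and every removal is written to the
system-of-record log with who approved it, when it happened and which application
was touched, so the record no longer stops at the grant. Added example; not any
vendor's code. Event format, roles, users and approver names are constructed.
"""
from datetime import datetime, timezone

# Constructed RBAC profile: role -> set of (application, entitlement).
ROLE_ENTITLEMENTS = {
    "software_engineer": {("git", "developer"), ("jira", "user"), ("vpn", "standard")},
    "account_manager": {("crm", "sales"), ("jira", "user"), ("vpn", "standard")},
    "finance_analyst": {("erp", "ledger-read"), ("vpn", "standard")},
}


def initial_state():
    """Constructed current state: each user's roles, provisioned grants and account status."""
    return {
        "bob": {"roles": {"account_manager"}, "grants": set(ROLE_ENTITLEMENTS["account_manager"]), "active": True},
        "carol": {"roles": {"software_engineer"}, "grants": set(ROLE_ENTITLEMENTS["software_engineer"]), "active": True},
    }


def record(log, ts, user, app, ent, action, source, approver):
    """Append one system-of-record entry; removals carry the same who/when/what as grants."""
    log.append({"ts": ts.isoformat(), "user": user, "app": app, "entitlement": ent,
                "action": action, "source": source, "approved_by": approver})


def handle_event(event, state, log, now=None):
    """Apply one HR event to the provisioning state; return the (action, app, entitlement) list."""
    now = now or datetime.now(timezone.utc)
    user = event["user"]
    if user not in state:
        raise KeyError(f"HR event for unknown user {user!r}")
    rec, source, approver = state[user], f"hr:{event['kind']}", event["approver"]
    actions = []
    if event["kind"] == "termination":
        for app, ent in sorted(rec["grants"]):
            record(log, now, user, app, ent, "remove", source, approver)
            actions.append(("remove", app, ent))
        rec["grants"].clear()
        rec["roles"].clear()
        rec["active"] = False
        record(log, now, user, "*", "account", "disable", source, approver)
        actions.append(("disable", "*", "account"))
    elif event["kind"] == "role_change":
        new_roles = set(event["roles"])
        wanted = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in new_roles))
        for app, ent in sorted(rec["grants"] - wanted):      # the old role's leftovers go away
            record(log, now, user, app, ent, "remove", source, approver)
            actions.append(("remove", app, ent))
        for app, ent in sorted(wanted - rec["grants"]):      # the new role's needs are added
            record(log, now, user, app, ent, "add", source, approver)
            actions.append(("add", app, ent))
        rec["grants"], rec["roles"] = wanted, new_roles
    else:
        raise ValueError(f"unsupported HR event kind {event['kind']!r}")
    return actions


def removal_recorded(log, user, app, ent):
    """Audit question the article says is usually unanswerable: when was this access removed?"""
    return [e["ts"] for e in log
            if (e["user"], e["app"], e["entitlement"], e["action"]) == (user, app, ent, "remove")]


def run_demo():
    """Constructed HR feed: carol moves to finance, then bob leaves the company."""
    state, log = initial_state(), []
    t0 = datetime(2010, 11, 1, 9, 0, tzinfo=timezone.utc)
    events = [
        {"kind": "role_change", "user": "carol", "roles": ["finance_analyst"], "approver": "hr-feed"},
        {"kind": "termination", "user": "bob", "approver": "hr-feed"},
    ]
    results = [handle_event(ev, state, log, t0) for ev in events]
    return state, log, results


if __name__ == "__main__":
    _, log, _ = run_demo()
    for e in log:
        print(e["ts"], e["action"], e["user"], f"{e['app']}/{e['entitlement']}", "via", e["source"])
```

The role change is handled as a set difference rather than a plain re-grant, which is what stops the "former role never removed" form of access creep; an event kind the workflow does not understand is rejected outright rather than silently leaving the old access in place.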

Another area under exploration is the impact on access management of a federated business model using a blended workforce of internal and third-party personnel. Today’s provisioning systems have been configured as “push” systems. This means requests are made to the provisioning system and access rights are pushed to the applications and systems under its control. But provisioning systems will have to be at least partially reconfigured as an access “pull” system. With ongoing work to establish strong external identities through standards like OpenID, SAML, and OAuth, provisioning systems will have to have the ability to consume, or pull, identities from other sources outside the organization’s domain in order to manage a changing workforce.

This movement towards external identities is clearly indicated by the Kantara Initiative. Kantara is developing strong Internet identity service profiles where, much like PayPal provides verified funds services, independent vendors will provide verified Internet identities. The hope is that an individual will sign up to have a service manage their identity, and using the standards listed above, will verify and communicate this identity to all the companies that want to consume an identity for the individual, including his or her workplace. This means that in the near future, enterprise provisioning systems will have to base their access management capabilities on a combination of Internet, asserted identities and local roles in order to accommodate this changing federated business model.

Identity management virtual directories, like RadiantOne Virtual Directory Server, will also have a strong impact on provisioning systems. These technologies abstract identity information from the individual sources of identity within the organization’s infrastructure. By rolling up identity and access information to a single virtual view, provisioning systems will no longer need individual connectors to the systems they manage. One connection to the virtual directory will service many underlying identity stores, minimizing the complexity of end system access.

Finally, just as meta-directory functionality has been melded into the base provisioning platform, recertification services are becoming more closely coupled with provisioning. Soon these two will merge. But the jury is still out on whether recertification will consume provisioning systems or if provisioning systems will consume recertification. There is movement from both sides and the marketplace may have to determine which wins out.

With all these changes, the evolution of the provisioning system is still in a state of rapid change. This requires organizations to closely monitor the state of the market and plan a multi-phase architecture enhancement for this technology. But does that say that those few who haven’t implemented a provisioning system should wait for change to slow? No. Access management can be a business inhibitor if ignored. With federated business models, cloud computing, ever-growing regulatory compliance requirements, and blended workforces, provisioning technologies are needed to provide the necessary controls to keep these factors in check. As previously stated, provisioning isn’t the only answer but it must be positioned at the center of an organization’s access management tool set in order to enable the business to be granted seamless access to its services and resources.

While companies are reluctant to speak about their provisioning experience—many see their provisioning system deployment strategy as a competitive advantage—it’s easy to identify which have done access management well. All that’s necessary is to look at any list of the most innovative and creative companies in the marketplace. No doubt if the covers of the company were lifted up, a hard working provisioning system will be found successfully chugging away.

Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures. Send comments on this article to [email protected].


COMPLIANCE

MEETING MANDATES IN THE CLOUD

Moving IT operations to the cloud requires careful due diligence to maintain compliance with HIPAA, GLBA and other regulations.

BY JOSEPH GRANNEMAN

You have a dilemma. The company you work for has decided it will be moving some of its core IT operations to the cloud. As the information security officer, dread builds as you think about all of the confidential and proprietary data moving out of your control. All of the regulatory requirements governing that data start to run through your head. Does your company realize the risk surrounding what they consider a simple cost reduction?

This is the reality most information security professionals face. The cloud computing revolution is upon us. It is impossible to ignore the talk everywhere about potential uses and cost savings for this new style of computing. This new computing model also forces a shift in thinking about information security and privacy, as well as compliance. The policies and procedures that information security used in a client-server computing model need to be reviewed and overhauled. This is a new frontier for computing that comes with a new set of risks, and organizations need to be prepared.

The fact to keep in mind is that cloud computing is not an entirely new concept (see p. 38). The idea of utilizing shared computing resources through a recurring expense model has been around since the dawn of information technology. Cloud computing adds to this model somewhat by including connectivity over the Internet. And for us in the age of Sarbanes-Oxley, HIPAA, and other regulations and industry standards, it comes with compliance challenges. How do you maintain compliance and help your company achieve the cost savings promised by cloud computing? Let's take a look at some of the major regulatory mandates and how companies can implement a cloud-based solution without jeopardizing compliance.

I N F O R M AT I O N S E C U R I T Y November 2010


HIPAA

The HIPAA security rule went into effect in 2005 with the purpose of safeguarding patient privacy through the use of technology, procedures and policies. It can complicate the adoption of cloud computing in health care, but it is not impossible to adopt cloud solutions while remaining compliant with HIPAA. Cloud computing services must be considered just as any other outsourcing agreement. The key to a successful and compliant implementation of a cloud computing solution begins with a detailed due diligence procedure and risk assessment. This focus on risk assessment and management is the most important factor to consider when evaluating any solution in regards to HIPAA compliance.

The due diligence assessment is critical in determining the risks and mitigation strategies that the cloud computing provider has put in place. This is very important with HIPAA compliance as it contains very strict requirements for the encryption of personal health information. Any exposure of unsecured information requires a breach notification to the patient. Your company will be listed on the U.S. Department of Health & Human Services website if there are 500 or more patients involved and possibly face civil charges of up to $1.5 million. Your state's attorney general also has the right to investigate and enforce HIPAA for these violations if the fine is not enough of a deterrent.

Writing the due diligence requirements for auditing potential cloud service providers can seem daunting. It may not be necessary to reinvent these requirements as a number of them can be satisfied by reviewing a SAS 70 from the cloud provider. A Statement on Auditing Standards No. 70 or SAS 70 is an auditing statement issued by the American Institute of Certified Public Accountants (AICPA) for auditors to review the controls of a third-party service such as a cloud provider. This statement provides an audited, comprehensive list of all of the controls in place at the organization. There are two types of SAS 70: A Type I report includes the auditor's opinion of the design of the controls while a Type II also includes the auditor's opinion of the operating condition of those controls. The SAS 70 Type II report can provide a solid foundation for any cloud service due diligence process.

HIPAA requires that any third party that needs access to an organization's health care information must sign a business associate agreement. This applies to cloud computing vendors as well. These agreements are simple in scope and should not be the only contractual information security language exchanged between the health care customer and the cloud computing vendor. However, this agreement serves a very important function. The business associate agreement now requires the cloud computing vendor to comply with HIPAA just as any other health care provider. This change was rolled out in the HITECH Act as part of the retooling of HIPAA that occurred with the 2009 American Recovery and Reinvestment Act. This relatively new development allows a prospective customer to evaluate a cloud service offering using HIPAA regulations as the standard.

IDENTITY MANAGEMENT

Careful Planning Required

Authentication and managing identities becomes all important in the cloud.

"Who are you?" is not just a classic rock song. Authentication is a requirement to comply with all of the major federal regulations such as HIPAA, GLBA, and Sarbanes-Oxley, but can be easily overlooked when companies design their cloud services strategy. The lack of an identity management system can introduce risks and hidden costs, adversely affecting any cloud services implementation and exposing the company to possible loss or litigation. Complexity grows as a company adopts multiple cloud-based solutions where users are required to use different identities to perform their daily work. Identity management in the cloud requires careful planning of both the technology and processes involved.

Provisioning accounts is an important issue with cloud-based services as proprietary company data is now accessible from anywhere. This creates a need for automated, real-time account management and the ability to rapidly deprovision accounts. How long will an ex-employee have access to company data after he or she has been discharged? The account privileges granted through this process need to be granular and support role-based access. They should also be periodically reviewed to verify appropriate permission levels and uncover any outdated accounts.

Federated authentication must be considered with the adoption of cloud-based services. The increasing number of user accounts and passwords will increase complexity and cost if a company utilizes multiple cloud providers. It will be necessary to deploy federated accounts, allowing account synchronization between the systems and simplification for the end user. Security Assertion Markup Language (SAML) is one of the preferred open standards for cross Web service domain authentication. Not all cloud providers support this form of federation, so it must be considered in the due diligence phase.

There is another authentication issue to consider when utilizing cloud-based services: strong or dual-factor authentication should be an option, depending on the sensitivity of the information or service. The company must consider the ramifications of a compromised account on confidential data stored in the cloud. There have been enough attacks on Gmail accounts, for example, that Google now posts a warning if an account has been accessed from China. Google has responded by offering dual-factor authentication for business accounts. Dual-factor authentication is also an option for the popular online video game World of Warcraft. The confidential data of a company is likely worth more than a video game user account, so the level of authentication required for accessing this data should reflect this value.

—JOSEPH GRANNEMAN
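As an added example that is not part of the article, the periodic access review the sidebar calls for, run over a constructed HR roster and a constructed cloud account export: it flags ex-employees whose accounts are still enabled, entitlements that exceed the user's role, accounts with no HR record, and accounts nobody has used in months. The role model, record shapes and field names are assumptions, not any provider's API.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Constructed role-based access model: which entitlements each role may hold.
ROLE_ENTITLEMENTS = {
    "claims_clerk": {"claims:read", "claims:write"},
    "claims_auditor": {"claims:read", "reports:read"},
    "admin": {"claims:read", "claims:write", "reports:read", "users:manage"},
}


@dataclass
class HrRecord:
    """One row of the HR roster (hypothetical shape)."""
    user: str
    role: str
    terminated_on: Optional[date] = None  # None means still employed


@dataclass
class CloudAccount:
    """One row of a cloud provider's account export (hypothetical shape)."""
    user: str
    enabled: bool
    entitlements: Set[str]
    last_login: Optional[date]  # None means never logged in


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def review_accounts(hr: List[HrRecord], accounts: List[CloudAccount],
                    today: date, stale_after_days: int = 90) -> List[Finding]:
    """Reconcile cloud accounts against the HR roster and the role model."""
    hr_by_user = {rec.user: rec for rec in hr}
    findings: List[Finding] = []
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            # Nobody in HR owns this account: orphaned, review before anything else.
            findings.append(Finding(acct.user, "orphaned", "no HR record for this account"))
            continue
        if rec.terminated_on is not None and acct.enabled:
            # Deprovisioning gap: measure how long the ex-employee kept access.
            lag = (today - rec.terminated_on).days
            findings.append(Finding(acct.user, "not_deprovisioned",
                                    f"terminated {lag} days ago, account still enabled"))
            continue
        # Privileges beyond what the user's role permits.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings.append(Finding(acct.user, "excess_privilege",
                                    f"beyond role {rec.role}: {sorted(excess)}"))
        # Enabled but unused accounts are the "outdated accounts" a review should surface.
        if acct.enabled and (acct.last_login is None
                             or (today - acct.last_login).days > stale_after_days):
            findings.append(Finding(acct.user, "stale",
                                    f"no login in {stale_after_days} days"))
    return findings


# Constructed sample data: one clean clerk, one ex-employee still enabled,
# one clerk with an admin entitlement and no recent login, one admin,
# one account unknown to HR, and one ex-employee correctly disabled.
TODAY = date(2010, 11, 15)
HR = [
    HrRecord("alice", "claims_clerk"),
    HrRecord("bob", "claims_auditor", terminated_on=date(2010, 10, 1)),
    HrRecord("carol", "claims_clerk"),
    HrRecord("dave", "admin"),
    HrRecord("frank", "claims_clerk", terminated_on=date(2010, 8, 15)),
]
ACCOUNTS = [
    CloudAccount("alice", True, {"claims:read", "claims:write"}, date(2010, 11, 12)),
    CloudAccount("bob", True, {"claims:read", "reports:read"}, date(2010, 9, 28)),
    CloudAccount("carol", True, {"claims:read", "claims:write", "users:manage"}, date(2010, 6, 1)),
    CloudAccount("dave", True, set(ROLE_ENTITLEMENTS["admin"]), date(2010, 11, 14)),
    CloudAccount("eve", True, {"claims:read"}, None),
    CloudAccount("frank", False, {"claims:read"}, date(2010, 8, 14)),
]

if __name__ == "__main__":
    for f in review_accounts(HR, ACCOUNTS, TODAY):
        print(f"{f.user:8} {f.issue:18} {f.detail}")
```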


GRAMM-LEACH-BLILEY ACT

The Gramm-Leach-Bliley Act (GLBA) is interesting for its impacts both on the modern economy and information security. The bill was originally authored to give banks the freedom to merge with other non-bank related businesses to form the large conglomerate banks of today. Commercial banks were now allowed to do investment banking as well as commercial banking, which set the stage for the financial catastrophe that followed in 2008. The financial privacy sections of GLBA were not the primary impetus for this legislation but have the most impact on the selection of cloud services in the financial industry.

Financial institutions must take reasonable steps to ensure that the cloud services provider is capable of the appropriate safeguards defined in GLBA. The cloud provider must be under a contract similar to the HIPAA business associate agreement. However, this agreement must contain more detail as there are no requirements for the cloud services provider to be covered under GLBA in the same way that a HIPAA business associate would be covered under HIPAA. This agreement needs to include all of the technical security provisions to comply with GLBA as well as assignment of liability and other damages. It must also support the ability of the cloud services provider to honor your customers' requests to opt out of sharing their financial information.

This contract may sound onerous but any competitive cloud services provider will be able to meet or exceed these specifications. Only cloud services providers running data centers in their garages will object to these contract stipulations.

SARBANES-OXLEY

Sarbanes-Oxley is another law that has implications for information security even though the primary motivations were quite different. Passed in 2002 in the midst of multiple corporate accounting scandals, this law created far-reaching controls and audit requirements for publicly traded companies in order to restore public confidence. Sarbanes-Oxley Act Section 404, "Management Assessment of Internal Controls," contains the information pertinent to any business looking to utilize cloud services while maintaining compliance. This section mandates documented processes and controls for any publicly reported corporate financial information. It also requires that the corporate officers personally sign and approve the final reports and verify if there are any deficiencies in these controls. These controls become less visible when these systems are running in the cloud. This requires serious scrutiny of the cloud provider, just like HIPAA and GLBA.

The due diligence process for selecting a cloud service provider for a company covered under Sarbanes-Oxley is somewhat different than HIPAA and GLBA, which are primarily focused on the privacy of customer or patient data. Sarbanes-Oxley is focused on financial reporting processes and accuracy so the due diligence requirements need to change accordingly and account for data provenance, data lineage and change control. Data lineage is a difficult task when an application has been converted to a cloud service. The data lineage requirement of Sarbanes-Oxley is simply defined as knowing where your data came from. It is outside of the company's control when using a cloud service so it must be defined as part of the initial contract. The cloud service provider should be able to provide a high-level architectural overview of the application it's hosting. The provider should also be required by contract to have this architecture audited periodically and provide appropriate documentation to assist in the customer's annual financial audits.

Data provenance is another consideration that is complicated by utilizing a cloud service. The data provenance requirement of Sarbanes-Oxley is the act of verifying the accuracy of the financial data in the application. This may require that the cloud service provider periodically demonstrate its quality control processes. The customer could also be involved in the verification of these processes either through direct data sampling or third-party audit review; either of these two solutions needs to be included in the contract between the company and the provider.

Change control is another important requirement for Sarbanes-Oxley compliance that must be considered. The cloud vendor needs to be able to produce a detailed log of changes and proposed changes in order to comply with this requirement. This log needs to include the testing plan as well as a fallback plan. This is not just necessary for compliance; the implementation of any untested changes to the cloud environment could cause a failure in the associated business process, which could have serious business ramifications.

HISTORY

Nothing New

The idea of using shared computing resources to save money has been around for years.

WITH ALL THE buzz about cloud computing, you'd think it was something new but some of the first cloud computing systems were created long ago.

One of the first early examples of this model was the service bureaus of the 1970s and 1980s. Businesses recognized the value of information technology at the time but could not afford the capital or operating costs required. Businesses commonly collected data for input during the day and paid for a bureau with a mainframe computer system to process all of that data in a nightly batch. Mainframe and terminal technology lent itself very well to this type of shared computing model, just as the Web does today.

The risks were somewhat different than with modern cloud computing. Mainframe systems in those days utilized punch cards for data input. The cards would have data recorded by punch operators during the day and then get transported to a data center for processing at night. This would get particularly interesting during the winter months when the transportation of the cards would be threatened by weather. There have been many stories about IT workers of the time re-sorting hundreds of thousands of punch cards because the truck the cards were traveling in rolled over after hitting a bad patch of ice.

—JOSEPH GRANNEMAN

A standard approach to Sarbanes-Oxley compliance that can be adapted to cloud services is application of the COSO and COBIT frameworks. Both of these frameworks contain objectives compatible with Sarbanes-Oxley Section 404 compliance. COSO is a complete match of these requirements while COBIT exceeds them. The requirements of either framework can be restated and applied to a cloud services provider. For example, one of the requirements of COBIT is to "acquire and maintain technology infrastructure." A company could require that a cloud provider produce an architectural plan and device refresh strategy; this provides some compliance with the data lineage requirement as well as change control. These requirements need to be addressed in the contract directly or as an attachment.

STATE LAWS

In addition to federal regulations, there are many state laws that must also be considered by companies looking at moving to the cloud. Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted breach notification laws due to the rampant increase in identity theft. The primary focus of all of these laws is the protection of an individual's data privacy, which is similar to GLBA and HIPAA but far less in depth. All of the laws have subtle differences in the types of data that comprise a breach and the methods of notification and restitution. The main takeaway is that a company will have to specify breach notification requirements that correspond to the location of the data in any contract with a cloud service provider. Companies need to understand which state law has jurisdiction in the case of a data breach.

Some states have adopted even more stringent security requirements, including Arkansas, California, Connecticut, Maryland, Massachusetts, Nevada, Oregon, Rhode Island, Texas and Utah. These laws require businesses to implement "reasonable" security measures and risk management programs. The California Financial Information Privacy Act takes GLBA to the next level with civil liability damages of up to $2,500 per violation, for a total of up to $500,000 per occurrence. Massachusetts adopted some of the most stringent information security legislation in the U.S., which also resembles strengthened GLBA requirements. This law requires that a business obtain written certification that a cloud provider has a comprehensive information security program, and take reasonable steps to verify that cloud providers with access to personal information have the capacity to protect that information.

EUROPEAN UNION

Complicating compliance in the cloud are all the various international privacy laws. Almost every country has its own version of these regulations, from Albania to Zimbabwe. One of the advantages of cloud computing is that the cloud service could be located anywhere in the world, but this can be problematic if that cloud service is located in another country. It is vital for companies to realize that data location matters when it comes to legal jurisdiction.

Individual privacy is culturally more important to the countries in the European Union. There are theories that this is a result of World War II and how information was used to persecute individuals of different races, religions and political affiliations. Examples of this cultural importance of privacy can be found in the European Union Data Protection Directive 95/46/EC of 1995. This regulation deserves serious consideration before utilizing cloud services from this part of the world.

There are two standards defined by the directive for the protection of personal data: the quality standard states that data processed about an individual must be accurate and only collected for specific and legitimate purposes, and the legitimacy standard states that data can only be processed if the owner of the data has given their consent. The directive also defines special protections for certain categories of personal information: It is illegal to process information revealing racial or ethnic origin, political opinions, religious beliefs, union membership or sexual preferences under any circumstance. Also, it provides every person with the right to compensation for damages should their information be breached.

Where the EU Directive differs dramatically from U.S. privacy protections is the way it defines companies as either data controllers or data processors. A data controller is responsible for maintaining "appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access." A data processor can only operate with explicit instruction and a legal contract with the data controller, and must maintain the privacy and security of the information while in its custody, but the ultimate responsibility for compliance is on the data controller. Cloud services could fall into either category and customers should utilize a detailed due diligence process to verify the security controls are sufficient for data controllers. Once again, these controls should be stated in the contract with the cloud service provider.


The other issue that organizations in the United States need to account for is that the directive restricts the transfer of personal data to countries that lack equivalent privacy protections. The directive defines the United States as just such a country. This rule can present a challenge when an organization is utilizing a cloud service in one of the EU countries only to find it cannot legally transfer information somewhere else. However, there is a way for an organization to be legally allowed to transfer information outside of the European Union. The U.S. Department of Commerce provides a "Safe Harbor" framework that allows a company to comply with the directive by requiring that an organization self-certify that it has the appropriate privacy protections in place.

ALL ABOUT THE CONTRACT

There is a lot for a company to consider when moving to cloud-based services. It is vitally important that the company design a due diligence process to verify the security controls of the cloud service provider. The due diligence process must match the level of compliance and risk required for the type of service. For example, there should be much more scrutiny of a cloud-based solution that is housing personal medical information than one that's simply hosting the company website.

The SAS 70 can be a good starting point for the due diligence process. The results of the due diligence process and any other required controls must be specified in the contract. This contract is mandated by almost every regulation and is just good common sense. The company should also require periodic audits to verify compliance with the controls stated in the contract. High-risk services that are moved to the cloud may also require onsite audits by the customer.

Cloud computing is just a modern version of the old idea of shared computing resources. There is no reason to fear the cloud with a solid due diligence process and a contract with specified controls. Cloud computing has different risks but not necessarily more serious risks than internally hosted solutions. The final decision to use cloud services or not should be based on business strategy. It's the role of information security to help steer the business through the cloud to make an informed decision.

Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both health care and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member. Send comments on this article to [email protected].


SALARY SURVEY

DOWN BUT NOT OUT

The economy is dragging down pay for information security professionals but not dampening their dedication.

BY MARCIA SAVAGE

INFORMATION SECURITY PROFESSIONALS may not be getting paid many bonuses in this battered economy, but they remain dedicated to their field.

Those were some of the findings of the first-ever Information Security/SearchSecurity.com salary survey, which polled 256 readers on their pay and a variety of career related questions. Readers expressed their views on security certifications, rated the most important factors in choosing a job, and revealed what kind of bonuses they're getting—or not getting, in most cases.

"The economy is affecting pay scales across the board, not just security," says Jay Arya, information security officer at an East Coast-based bank. Yet security pros will weather the storm and don't plan to switch careers, he adds: "They plan to continue because it's a growing field. People are recognizing security isn't an option anymore—it's a requirement. A lot of regulations are driving the fact you need security."

Read on for more details from the survey, thoughts from security and recruiting experts on what employers are looking for, and the current career climate for information security pros.


ECONOMIC DOLDRUMS

Despite some encouraging signs, an economic recovery remains tepid at best, often resulting in stagnant salaries and few bonuses. Of the 256 survey participants, nearly 52 percent estimate their bonus this year at zero and about 50 percent don't expect anything more next year. About eight percent estimate their 2010 bonus at $10,000 and about 5 percent estimate it at $2,000. Among CISOs, CSOs, and information security directors, 48 percent estimate their 2010 bonus at zero and 15 percent estimate a $10,000 bonus.

Salaries vary widely, but about 20 percent of survey respondents reported receiving an annual salary this year of $50,000 to $75,000. Experience pays off, with salaries for CISOs, CSOs, and information security directors trending up: Roughly 26 percent report 2010 annual salaries between $115,000 and $135,000. The CISO respondents to the survey report that their 2010 salaries range from $97,000 to $101,000.

A separate compensation survey of 460 infosecurity professionals conducted this spring by InfoSecLeaders.com, an information security career content website, shows that salaries are trending downward. More than seven percent of respondents took a pay cut, one-third received no pay increase, and nearly 44 percent received less than a five percent raise.

The InfoSecLeaders.com survey also shows that bonuses are a big part of a security pro's compensation package, with nearly half of the respondents reporting that their compensation includes a bonus component. However, 35 percent say they received less of their bonus than expected and nearly 40 percent received less than 10 percent of their bonus. As a result, infosecurity pros are discounting the importance of bonuses in their compensation package, the survey indicated, with only 6.4 percent viewing their bonuses as part of their expected compensation.

"Bonuses aren't getting paid," said Lee Kushner, president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of InfoSecLeaders.com. "They're not a great tool for compensation."

[Chart: What is your 2010 annual salary, excluding bonus, to the nearest thousand? 27 respondents; y-axis is percent of respondents; salary bands shown are $115K, $125K, $130K and $135K.]


Security professionals overall aren't too pleased with their compensation situation, according to the InfoSecLeaders survey: More than 60 percent say they're either slightly or significantly underpaid. At the same time, nearly half believe that being in security entitles them to more compensation than a similarly experienced IT pro.

CERTIFICATION DEBATE

There are a lot of security certifications available on the market, but opinions are divided on whether they add up to more pay or career advancement.

The Information Security/SearchSecurity.com survey showed that 54 percent feel certification has either definitely or somewhat helped advance their career while 44 percent feel certification helped increase their pay. Among CISOs, CSOs, and information security directors, those numbers soar to 89 percent and 77 percent respectively.

For Sheryl Harkleroad, information security official at a large health care provider, there's no question that having the Certified Information Systems Security Professional (CISSP) credential helped advance her career and boost her pay. "Having a CISSP was a key component to my being offered my current job—certification was required," she says. "The CISSP helped qualify me for the job, where I received a 25 percent pay raise."

Arya agrees that certification plays a significant role for information security professionals. "Without certification, one's professional credibility can be questioned," he says.

Most security professionals have a security certification and not having a certification can sometimes exclude someone from an opportunity, but it's not the magic bullet that drives pay, Kushner says.

"Having the CISSP evens the playing field. It gets you a ticket to the dance but it doesn't let you come home with any dates," he says. "The certification might be what gets you in the door, but it doesn't necessarily equate to success."

When companies look for senior-level security executives, they're more concerned about finding someone whose background is similar to their other top business executives, he says. Security professionals can become too focused on building skills that are important within information security and neglect the skills needed to compete with other business leaders.

"In order to get that board-level respect that security pros want, they have to start speaking the language of the people they'll be interacting with—the CFO, the COO," Kushner says. "A lot of security professionals have fallen short. They stop their career development at measuring the bar among security pros instead of measuring themselves against the broader marketplace."

[Chart: What is your estimated 2010 bonus? 256 respondents; percent of respondents by bonus amount: $0 51.56, $10K 8.20, $2K 5.47, $5K 4.69.]

Paul Rohmeyer, a faculty member in the graduate school at Stevens Institute of Technology and a consultant, believes security certifications still are essential for CISOs and ISOs, but he’s noticed that some companies are putting employees from other departments into the security role and then sending them out to obtain certification. For example, a bank promoted a well-regarded employee with no technical security experience into the ISO position, he says.

“It seems that’s a low-cost alternative for some. They’d rather give the security skills to someone who knows their business,” he says. “If you look at the average salaries demanded by anyone with any number of years as a security officer plus a credential—in some ways, they’re priced out.”

SPENDING

Security Budgets
Survey shows security makes up less than 10 percent of IT budget for many

In addition to career-oriented questions, the Information Security/SearchSecurity.com survey polled readers on their organizations’ security budgets. About 42 percent of the 256 survey participants say less than 10 percent of their companies’ IT budget is spent on security.

Earlier this year, Gartner Inc. estimated that efficient and secure enterprises would reduce their security spending to between three and six percent of their overall IT budgets through 2011. The average percentage of the IT budget spent on security in 2010 is five percent, down from six percent last year, according to the research firm, which cited faster growth in other IT areas that were gutted in the recession.

However, depending on the nature of a company’s business, 10 percent would be appropriate, says Hord Tipton, executive director of the nonprofit certification organization (ISC)2. “The more sensitive your data is, the more risk you have and the more you should be spending on security,” he says.

To win funding for information security projects, security managers need to be able to speak budget talk and communicate risk in plain, simple terms, Tipton advises. “You need something beyond just scare tactics,” he says. “You have to show those folks what the cost to the company would be due to a significant breach.”

—MARCIA SAVAGE

JOB CONSIDERATIONS

For information security professionals, work isn’t all about the money. Ninety-two percent of survey respondents rated job satisfaction as either a very important factor or the most important factor in their choice of a job, ahead of salary. Sixty-eight percent rated salary as a very important or the most important factor while 64 percent rated job responsibilities as the top factor or a very important factor.

“It’s a relatively high-stress position,” Rohmeyer says. “It’s tough enough by nature. If you don’t have a good environment and there’s a dysfunctional team, then it’s even tougher.”

Arya says in any job, not just security, a person’s morale suffers if he or she isn’t happy. “The pay scale also matters, but if you’ve got job satisfaction in your career, the pay scale will follow,” he says.

For Harkleroad, the most important factor in choosing a job—in current economic conditions—is job security. “I would not have left my last job without feeling a certain degree of job security,” she says.

The InfoSecLeaders.com compensation survey indicates that information security is a labor of love: Almost 70 percent of respondents report that they haven’t ever changed jobs solely for money. While 93 percent rank money as a factor in a job search, only eight percent say it’s the most important factor.

Interestingly, nearly an equal number of InfoSecLeaders.com survey participants say they’d take a pay cut if it meant keeping their job (49 percent) or receiving additional training or education (47 percent).

Chart: Do you feel certification has helped advance your career? (CISOs, CSOs, information security directors; 27 respondents)
Definitely 48.15%; Somewhat 40.74%; I do not have any certifications 11.11%

Ongoing training is important in information security, says Hord Tipton, executive director of the nonprofit (ISC)2, which issues the CISSP and related credentials: “No one can declare him or herself immune from the need to be better educated about security.”

He adds, “We all get lazy, tied up in our jobs and don’t take the time to do the training and types of things that are necessary to keep abreast of the trends in the changing world of emerging technology.”

PROFESSIONAL DEDICATION

Economic issues aside, information security professionals are a dedicated bunch: 54 percent of Information Security/SearchSecurity.com survey participants plan to continue to pursue a career in security over the next five years. Among survey respondents who identified themselves as CISOs or ISOs, that number soars to 81 percent.

The results speak to a belief in the future of the field, Rohmeyer says: “Security is a long-term operational requirement. It’s not a short-lived problem that’s going to be overcome. It’s part of the landscape.”

(ISC)2’s Tipton says security is a growing field that offers a lot of opportunities. He cites a finding in (ISC)2’s 2008 Global Information Security Workforce Study, which was conducted by Frost & Sullivan. The analyst firm estimated that the number of information security professionals worldwide would grow from approximately 1.66 million in 2008 to almost 2.7 million by 2012.

“Most companies are starting to step up to the plate,” Tipton says. “Management is more responsive; they’re more supportive of security people. The stars seem to be aligning. They’ve got momentum and they should take advantage of that.”

Marcia Savage is Editor of Information Security. Send comments on this article to [email protected].

Chart: Very important or most important factor in choice of job (256 respondents)

Job satisfaction 92%
Salary 68%
Job responsibilities 64%
Location 63%
Benefits 63%
Career advancement 52%


TECHTARGET SECURITY MEDIA GROUP

INFORMATION SECURITY ®

EDITORIAL DIRECTOR Michael S. Mimoso

EDITOR Marcia Savage

ART & DESIGN
CREATIVE DIRECTOR Maureen Joyce

COLUMNISTS
Marcus Ranum, Bruce Schneier, Lee Kushner, Mike Murray

CONTRIBUTING EDITORS
Michael Cobb, Eric Cole, James C. Foster, Shon Harris, Richard Mackey Jr., Lisa Phifer, Ed Skoudis, Joel Snyder

TECHNICAL EDITORS
Greg Balaze, Brad Causey, Mike Chapple, Peter Giannacopoulos, Brent Huston, Phoram Mehta, Sandra Kay Miller, Gary Moser, David Strom, Steve Weil, Harris Weisman

USER ADVISORY BOARD
Edward Amoroso, AT&T; Anish Bhimani, JPMorgan Chase; Larry L. Brock, DuPont; Dave Dittrich; Ernie Hayden; Patrick Heim, Kaiser Permanente; Dan Houser, Cardinal Health; Patricia Myers, Williams-Sonoma; Ron Woerner

SEARCHSECURITY.COM
SENIOR SITE EDITOR Eric Parizo

NEWS DIRECTOR Robert Westervelt

SITE EDITOR Jane Wright

ASSISTANT EDITOR Maggie Sullivan

ASSOCIATE EDITOR Carolyn Gibney

ASSISTANT EDITOR Greg Smith

INFORMATION SECURITY DECISIONS
GENERAL MANAGER OF EVENTS Amy Cleary

VICE PRESIDENT/GROUP PUBLISHER Doug Olender

PUBLISHER Josh Garland

DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver

DIRECTOR OF MARKETING Nick Dowd

SALES DIRECTOR Tom Click

CIRCULATION MANAGER Kate Sullivan

PROJECT MANAGER Elizabeth Lareau

PRODUCT MANAGEMENT & MARKETING
Corey Strader, Andrew McHugh, Karina Rousseau

SALES REPRESENTATIVES
Eric Belcher [email protected]

Patrick Eichmann [email protected]

Leah Paikin [email protected]

Jeff Tonello [email protected]

Nikki Wise [email protected]

TECHTARGET INC.
CHIEF EXECUTIVE OFFICER Greg Strakosch

PRESIDENT Don Hawk

EXECUTIVE VICE PRESIDENT Kevin Beam

CHIEF FINANCIAL OFFICER Jeff Wakely

EUROPEAN DISTRIBUTION
Parkway Gordon, Phone 44-1491-875-386, www.parkway.co.uk

LIST RENTAL SERVICES
Julie Brown, Phone 781-657-1336, Fax 781-657-1100

INFORMATION SECURITY (ISSN 1096-8903) is published monthly with a combined July/Aug., Dec./Jan. issue by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201.

All rights reserved. Entire contents, Copyright © 2010 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.


SPONSOR RESOURCES

GFI Software, formerly Sunbelt Software

See ad page

• Comparing Antivirus Scanning Performance and System Resource Utilization

• When Less is More: Why Small Companies Should Think Outside the Box for Protecting Endpoints

Courion

See ad page

• Learn why Gartner Recognizes Courion as a market leader

• Ensure Your Access Certification Strategy Achieves Your User Access and Compliance Goals

Blue Coat

See ad page

• Ensure your web is secure

• Block Malware & Web Threats in the Cloud

• Protect Your Data across the network

Kaspersky

See ad page

• Take Back the Endpoint

• 10 Ways IT Enables Cybercrime

Guardium

See ad page

RSA Conference 2011

See ad page

• Register early and save

• 20th Anniversary

The Academy Pro

See ad page

• Free infosec videos for the information security community.

SystemExperts

See ad page

Glasshouse Technologies

See ad page

NETGEAR, Inc.

See ad page

• Click Here to Chat LIVE with a NETGEAR Security Expert

• The Role of the Internet in the Propagation of Malware