Thursday, December 30, 2010

CSA Updates Cloud Security Framework




The question isn't whether cloud computing will become the future of IT, but when. According to MarketsandMarkets (M&M), the global cloud computing market will reach $121.1 billion by 2015 ("Global cloud computing market: global forecast, 2010-2015"). Although it represents just a portion of the overall IT cloud market, public cloud providers' revenues will reach $45 billion by 2013, according to IDC. This represents a compound annual growth rate of 26 percent, more than six times the forecast growth rate for traditional IT spending. But IDC also says that businesses are more concerned about the risks involved, including security, availability and performance, than about the benefits of flexibility, scalability and lower costs.

That's where the Cloud Security Alliance (CSA), a not-for-profit organization addressing best practices for providing security assurance within cloud computing, comes in. Created last year by a coalition of industry practitioners, corporations, associations and other stakeholders, CSA has announced version 1.1 of its Cloud Controls Matrix (CCM), part of the CSA GRC (governance, risk management and compliance) Stack.

Designed to provide a security framework for cloud vendors and customers, version 1.0 of the CCM, a catalog of cloud security controls aligned with key information security regulations, standards and frameworks, was introduced in April 2010. One of the key objectives was to bridge this hodgepodge of national (e.g., NIST), international (e.g., ISO 27001/27002) and industry (e.g., PCI) security regulations, standards and frameworks. Version 1.1 updates the first release to accommodate recent changes in many of the frameworks' elements.

Marlin Pohlman, one of the CCM co-chairs and chief governance officer at EMC, says that there were a number of changes between versions 1.0 and 1.1, including HIPAA (Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry) support. "We did remapping, so that's why it's an incremental as opposed to a version release." He says CCM should help companies better position themselves if they are in the cloud services space.

Cloud security is a massive undertaking, but Pohlman says there has been significant advancement since CSA was formed less than two years ago. A number of standards groups, industry associations and governments, especially in the United States, United Kingdom, Japan and Europe, have been adopting various elements, and CCM is being seen as seminal work around cloud standards for ISO. CSA has a unique change control philosophy that will be reflected in version 2.0, which Pohlman is responsible for steering. It will redefine the controls for the supply chain, for the multitenant, multitier business model and for multijurisdictional aspects. "In 2.0 we have refocused on the tenant as the primary owner of risk," says Pohlman. Existing controls that address those specific pain points will be revised in the next version.

Open Source Identity Management Software

The following list presents representative open source identity management products; some of them work in cloud environments. Readers are encouraged to do more research to see which product fits their cloud identity needs.

WBSAgnitio provides network services, directory services, certificate services and identity management. WBSAgnitio integrates all of these features and components in a single physical or virtual box and comes with a browser-based web interface for administrative purposes. It also offers RESTful web services for easy integration with applications for remote management.

OpenAM is ForgeRock's solution to host and continue development of Sun Microsystems' OpenSSO product since Oracle's takeover of Sun.

OpenDJ is ForgeRock's solution to host and continue development of Sun Microsystems' OpenDS product since Oracle's takeover of Sun.

OpenIDM was created from scratch; it borrows many ideas from Sun IDM, supports Sun IDM features and functionality, and is based on OpenESB.

WSO2 Identity Server is an open source identity and entitlement management server with the following features:
  • Entitlement engine with XACML 2.0 support.
  • Claim-based security token service.
  • Information Cards provider supporting managed Information Cards backed by user name/password and self-issued cards.
  • Information Cards support for SAML 1.1/2.0.
  • OpenID provider.
  • Multi-factor authentication with Information Cards.
  • Extension points for SAML assertion handling.
WSO2 offers Identity as a Service and other cloud services via its WSO2 Stratos brand.

OpenIAM provides three open source IAM products:
  • Identity Manager for user life cycle management.
  • Access Manager for multifactor authentication, coarse- and fine-grained authorization, XACML 2 support, single sign-on, identity federation, and integration with development frameworks such as Spring Security.
  • Entitlement Server for RBAC and ABAC using XACML.

SourceID is an open source multi-protocol project for enabling identity federation and cross-boundary security; it enables cross-boundary single sign-on, dynamic user provisioning and identity attribute sharing.

Shibboleth is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. Key concepts within Shibboleth include federated administration, access control based on attributes and active management of privacy; it uses OpenSAML.

OpenSAML is a set of open source Java and C++ libraries that are fully consistent with the SAML 1.0 and 1.1 CR specifications.

Jasig Yale CAS: the Central Authentication Server (CAS) is a single sign-on authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. CAS became a Jasig project in December 2004.

OpenSPML: the toolkit offers an easy-to-use interface for configuring, issuing and interpreting standards-compliant provisioning requests across diverse identity infrastructures.

OpenPrivacy is a reference implementation of the Reputation Management Framework (RMF). OpenPrivacy's core project is designed to ease the process of creating communities with reputation-enhanced pseudonymous entities. The RMF is primarily a set of four interfaces: Nym Manager, Communications Manager, Storage Manager and Reputation Calculation Engine (RCE).

NMI-EDIT: the primary goal of the NMI-EDIT Consortium, part of the NSF Middleware Initiative (NMI), is to improve the productivity of the research and education community through development, testing, and dissemination of architectures, software, and practices in the areas of identity and access management. NMI-EDIT's efforts comprise a coordinated set of core middleware tools in the areas of identity and access management architectures, standards for deployments, related directory schemas, and tools. Current major projects include the collaboration management platform, the groups management toolkit, and the Shibboleth single sign-on and federating software.

Spring Security provides your applications with comprehensive authentication, authorization, instance-based access control, channel security and human user detection capabilities. Spring Security offers support for SAML, Kerberos, and OAuth.

JOSSO, or Java Open Single Sign-On, is an open source J2EE-based SSO infrastructure that aims to provide a solution for centralized, platform-neutral user authentication. JOSSO supports SAML and can be integrated with Spring Security for fine-grained access control.

JPAM is a Java-PAM bridge. PAM, or Pluggable Authentication Modules, is a standard security architecture used on Unix, Linux and Mac OS X systems. JPAM permits the use of PAM authentication facilities by Java applications running on those platforms.

The Open Web SSO project provides core identity services to facilitate the implementation of transparent single sign-on as an infrastructure security component. The goal of the Open Web SSO project is to provide an extensible implementation of identity services infrastructure that will facilitate single sign-on for web applications hosted on web and application servers. This project is based on the code base of the Sun Java(tm) System Access Manager product.

Higgins is developing an extensible, platform-independent, identity-protocol-independent software framework to support existing and new applications that give users more convenience, privacy and control over their identity information. In addition, Higgins aims to provide a social relationship data integration framework that enables these relationships to be persistent and reusable across application boundaries. It organizes relationships into a set of distinct social contexts within which a person expresses different personas and roles.

A library that allows you to OpenID-enable your Java web application.

Fortress, based on OpenLDAP, is a suite of IAM products for authentication, authorization and auditing. The products are:
  • Fortress (Core), free download
  • Commander (Fortress Admin GUI)
  • Sentry (OpenLDAP Admin GUI)
  • En Masse (Policy Server)
  • Perimeter (SSO Server)
  • Patroller (Audit Viewer)

A project initiated by Rutgers University in March 2008, which later became a Jasig Incubator project in January 2009; in late 2009, SFU joined the project. The project has a solid data model and its major focus is on user provisioning and de-provisioning workflow.


Sunday, December 19, 2010

Secure Multi-Tenancy for Cloud Architecture with NetApp, Cisco, and VMware

The following text is from cloud.com

A Secure, Enterprise Cloud Architecture
NetApp, Cisco, and VMware have partnered to create a unique enterprise cloud architecture that includes all server, storage, and networking hardware and software to facilitate sharing, reuse, and dynamic resource allocation. Our architecture takes the risk out of transitioning to a cloud infrastructure while delivering the advanced capabilities you need to succeed.

Key features include an efficient, always-on infrastructure with elastic scalability; integrated data protection; advanced automation; and the ability to transparently migrate both applications and data across the infrastructure. We've brought together years of combined experience to create a multi-tenant environment in which separate applications or customers can share the same server, storage, and networking infrastructure with complete isolation so sensitive information is never compromised.

The individual technologies are — by themselves — the best the industry has to offer. Together, these technologies offer unique synergies that greatly simplify the deployment and management of IT infrastructure and applications with:

  • Unmatched end-to-end security and isolation in virtualized environments
  • Simplified, unified architecture
  • Lower cost
  • Greater business agility
  • Less risk
For more details, please see:

Thursday, December 16, 2010

$13B Gov’t Cyber Security Spending by 2015

According to Input's report "Federal Information Security Market, 2010-2015", demand for vendor-furnished information security products and services by the U.S. federal government will increase from $8.6 billion in 2010 to $13.3 billion in 2015, a compound annual growth rate (CAGR) of 9.1%.

Monday, December 13, 2010

RSA SecurID SDK for Android



BEDFORD, Mass., Dec. 13, 2010 /PRNewswire/ -- RSA, The Security Division of EMC (NYSE: EMC) announced the availability of the RSA SecurID® Software Token for Android(TM) that is engineered to enable an Android powered device to be used as an RSA SecurID authenticator, providing convenient and cost-effective two-factor authentication to enterprise applications and resources.
Additionally, RSA is releasing a new Software Development Kit (SDK) for the Android platform that is designed to allow developers to embed RSA SecurID two-factor authentication directly into Android applications and gain competitive advantage by offering this additional layer of security. Mobile applications that directly integrate RSA SecurID technology provide organizations with the assurance that their resources are engineered to be protected from unauthorized access without any usability impact to the end user. The SDK is available free of charge for all RSA Secured® partners.
"Being able to offer the RSA SecurID tokens to our users on many of the most popular mobile platforms such as Android is a convenient and cost-effective way to deploy strong authentication in our enterprise," said Tim Prendergast, Network Architect at Ingenuity Systems, Inc. "Deployment on smart phone platforms is done electronically so it's simple and fast for our IT organization to provision, eliminating any lag time if an end-user needs to get a new token. Our employees love it because the tokens are easily accessed on the mobile devices they already own and carry."
The new RSA SecurID Software Token for Android is engineered to generate a one-time password that changes every 60 seconds, enabling secure access to corporate resources. The solution complements the broad range of authentication methods offered by RSA, giving customers a choice in authentication methods based on risk, cost and convenience.
The RSA SecurID Software Token for Android is designed for enterprise users whose organizations have implemented the RSA SecurID system. The token can be installed directly onto Android enabled devices at no cost via a simple download from Android Market(TM). With minimal help from their IT department, users can enable the application with a unique software token seed, creating a convenient, secure and cost-effective RSA SecurID authenticator.
"The smart phone is revolutionizing the way consumers and commercial organizations are doing business," noted Mark Diodati, Research Director at Gartner. "The smart phone will become the default strong authenticator for users in the near-term; it means one less device that the user must carry. It's important that strong authentication methods like one-time password devices are supported on smart phones, and that developers have an easy way to embed this high-quality authentication method into mobile applications."
The use of RSA SecurID software tokens helps decrease total cost of ownership for organizations as they don't require any physical shipping, can be revoked and automatically redeployed if an employee leaves the company with their Android enabled device eliminating the need for replacement tokens. Additionally, having the software authenticator on business-critical smart phones reduces the number of costly technical support calls for misplaced tokens.
"It's no secret that mobile computing has exploded recently and we do not expect that trend to slow down at all. This enormous growth and proliferation gives us a strong opportunity to leverage these devices as authenticators and enable new forms of authentication to our customers to establish identity," said Tom Corn, Chief Strategy Officer, RSA, The Security Division of EMC. "Leveraging mobile devices running on the Android platform to deploy RSA SecurID technology allows customers a seamless delivery of two-factor authentication across cloud or on-premise applications."
The RSA SecurID software token for the Android mobile platform will be available for free download Dec. 22, 2010 from Android Market. It is enabled for users with a unique software token seed purchased by IT organizations that have deployed RSA® Authentication Manager.


Thursday, December 9, 2010

Introducing the Skylab Community Project

Introducing the Skylab Community Project
CLOUD SECURITY | MARCH 24, 2010
http://pulsene.ws/tDlr

Tuesday, December 7, 2010

Creative ideas for new startup

If you are thinking of starting a new company, here are some ideas; I hope you can give me the initial credit if you happen to read my blog, start the company and make it successful.

1: A search box which could search both public information (like Google) and protected and secured content (like SharePoint, Outlook e-mail, shared file servers, etc.). The basic idea would be to have user identity seamlessly integrated into your search box, and for secured content the identity can be federated using SAML, OAuth or OpenID. I have some very elaborate ideas of how to make it work. If you are interested in this space and would like to work with me, please send me an e-mail. I am doing this in my spare time, so any support would be very beneficial.

2: Educational apps in Facebook. As you all know, the majority of kids over 13 years old in the US are on Facebook now. How to make their time useful, educational and fun is the biggest real-world problem. If we can solve this problem, this would be our biggest contribution to our next generation and to our world. I welcome comments and suggestions on this and will be happy to talk with anyone who is interested in this idea.

I will post more ideas in new blog posts.

Thanks

Ken Huang

Sunday, December 5, 2010

HP to expand Cloud and Security Business in the Asia Pacific area

According to CMS Wire:

At a media event in Barcelona, Spain, vice president and general
manager for HP's Business Technology Optimization, Robin Purohit, said
the company plans to expand its market share in Asia Pacific by 2011.
While he did not disclose the details of this target, he identified
two areas where HP plans to achieve this growth: security and cloud
computing.

Security and Datacenter Management
"Many companies are looking to improve their core security
capabilities but do not have the necessary skilled manpower to do so,
which is why we see a clear opportunity for us to play in this space,"
Purohit says. HP has highlighted its recent acquisition of security
providers Arcsight and Fortify Software to boost the company's
capability in providing managed security services to clients.


Meanwhile, cloud computing is another area where HP plans to ramp up
activities in the Asia Pacific region. More particularly, HP cites its
capabilities in managing disparate, virtualized datacenter systems,
which are a foundation of cloud computing services. Purohit says HP is
in a position to help businesses manage their data systems through a
networked infrastructure, with their experience in datacenter and
cloud technologies.

Application Lifecycle Management
Additionally, HP has identified application testing to be another
opportunity in the region. Outsourced BPO industries in India, China
and the Philippines are seen as potential growth areas for HP's
Application Lifecycle Management (ALM) 11 platform, which was launched
at the HP Universe 2010 conference, likewise in Barcelona.

Michael Sher, HP Asia Pacific & Japan director for application quality
sales, says that the company sees "huge opportunities" for ALM 11 in
the region. He cited rising labor costs and scalability as being
advantages of automated application quality and performance testing.

Gartner predicts that Asia Pacific sees an aggressive growth in
enterprise IT spending in 2011, expenditures expected to top US$ 312
billion. This includes a projected 11.3% growth in software and 9.3%
in IT services, fueled by the booming BPO industry in the region,
among others.

Friday, December 3, 2010

$1 Billion Market for User Provisioning

A recent Gartner report (revised on 11/5/2010) indicates that in 2010 the user provisioning market reached $1 billion. Oracle, IBM and CA are still the market leaders.

More information on:

http://www.gartner.com/technology/media-products/reprints/oracle/article157/article157.html

Wednesday, December 1, 2010

Finally I decided to turn off "Conversation Feature" with my Gmail

I believe I think chronologically, and for this reason I never got used to the Gmail feature that shows you threads of e-mails with the same subject line. I find it very hard to locate an e-mail and reply to it if the e-mail I need to find is inside a big, long thread of e-mails, especially if the thread is very long. I really dislike this feature. Luckily, I was able to turn this off, and if you need to know how, here is how it works.

1) Sign into your Gmail account.

2) Click on Settings.

3) Click on the General tab and you will see the Conversation on or off setting. Click off.

This is how it worked for me.

Ken Huang

WikiLeaks fallout: it is about Identity and Access Management and Encryption

The recent WikiLeaks disclosures, which involve the Department of State and
some big financial institutions and technology companies, have made big
headlines in the news.

I believe that the two key measures to prevent this kind of leak are
Identity and Access Management (IAM) and encryption of data at rest and
in transit. IAM is not just technology; it is about processes,
procedures and policies. Agencies need to evaluate current IAM
practices with existing technologies and see if there are any holes in
SoD, least privilege, user provisioning and de-provisioning, fine-grained
access control, etc. A department- and agency-wide IAM strategy
is crucial to prevent leaks in the future. As for data encryption and
key management, this can be combined with the IAM strategy to protect data
in transit and at rest.

Financial institutions and big technology companies are not
exempt from data leaks such as WikiLeaks, and it is very
important to have a consistent, enterprise-wide IAM strategy.

I welcome any comments.

Tuesday, November 30, 2010

Is Hybrid 2.0 a game changer in security testing?

HP has recently released Hybrid 2.0, which combines black box testing with source code and binary code analysis. In my professional experience, I have done both black box testing and manual and automated review of source code. I personally found that manual, targeted source code review and ethical manual hacking outperform any tool use. I would be interested in any insights and comments on Hybrid 2.0.

Monday, November 29, 2010

According to eWeek: "Security Lacking in Most Virtualized IT Environments"

The following is from eWeek
(http://www.eweek.com/c/a/Virtualization/Security-Lacking-in-Most-Virtualized-IT-Environments-Survey-Says-408929/),
and I quote:


".... Hypervisor privileges pose other concerns. The administrator
accounts on hypervisors generally have extensive access privileges
with very few limitations and security controls. The study found that
73 percent of surveyed organizations are concerned about the
privileges granted to hypervisors and the potential for abuse by users
with administrative control. However, 49 percent of those concerned
companies have not implemented any privileged user management or
security log management systems to mitigate the risk, the survey
found.

Even though the majority of the business and IT leaders said
virtualization would help improve IT operational efficiency, security
remains a concern, with 39 percent saying virtual environments are
more difficult to secure than physical environments.

Almost 85 percent of the organizations said "cloud privacy and
compliance issues" and "cloud security issues" inhibit plans to move
from virtual environments to a private cloud, the report said.

About a fifth of the companies in the survey said their IT staff does
not have the skills or funds to implement security in a virtual
environment, researchers found. About half, or 55 percent, of those
organizations cited budgetary restraints and the "upfront cost" of
implementation, and 53 percent named the "complexity of managing
security across virtual environments and platforms."

While over 84 percent of the surveyed managers prefer integrated
products that seamlessly secure physical and virtual environments,
just over half, or 56 percent, actually have implemented, or are in
the process of implementing, such systems, the researchers found.

While automation is considered important to secure virtual
environments, integrating security management with infrastructure
management or with incident and problem management do not appear
highly important for most respondents, according to the report.

Organizations will "struggle to automate their processes and reap the
real rewards of virtualization," said Nosseir.

Despite all the interest around virtualization, it is not yet the
standard for production environments. Only 34 percent of the
participating companies have deployed server virtualization for more
than 50 percent of their systems, the researchers found. The companies
have rolled out even less for other types of virtualization, such as
storage, application and desktop, the researchers said. For example,
only 8 percent of the organizations in the report has desktop
virtualization for more than 50 percent of the enterprise, according
to the report.

"Despite the rapid growth in server virtualization, many organizations
still have quite a way to go before they reach the level of maturity
and automation required to reap the true benefits of virtualization,"
said Nosseir.

Only 65 percent of the business managers enforced a separation of
duties for administrative tasks across virtual platforms, the report
said. More than 40 percent of the surveyed executives claimed to not
use automation tools for access certification, privileged user
management or log management, according to the study. In fact, only 42
percent perform regular access certifications for privileged users or
are able to adequately monitor and log privileged access, researchers
found.

Automation technologies that can mitigate risks from privileged access
in virtualized environments are "not yet widely deployed," said
Nosseir.

The virtualization security report, "Security—An Essential
Prerequisite for Success in Virtualization," surveyed 335 senior
business and IT executives in Europe and the United States, CA said.
The countries included Belgium, Denmark, Finland, France, Germany,
Italy, Luxemburg, Netherlands, Norway, Portugal, Spain, Sweden,
Switzerland, the United Kingdom and the United States.

Most organizations have at least two different virtualization
technologies in their environment. VMware remains the most prevalent,
deployed by 83 percent of the respondents, followed by Citrix at 52
percent. About 41 percent run Microsoft's hypervisors, namely Hyper-V,
according to the report."

I personally recommend the NIST publication "Guide to Security for
Full Virtualization Technologies" (Draft).

Thursday, November 25, 2010

Information and Comments on OASIS Identity in the Cloud (IDCloud) TC

The OASIS Identity in the Cloud (IDCloud) TC is composed of leading IAM experts in the industry, and is now working on defining various use cases for identity and access management in the cloud.

At the time of this writing, in late 2010, sample use cases have been proposed, including identities for managing virtual machines and middleware, and identities used in IaaS, PaaS and SaaS. There are also use cases for federated single sign-on using Kerberos and SAML 2.0.

The use cases are still under development, and in my view we need to define at least some common terms to formalize each use case. For example, the user community should include the following categories, similar to the approach of Ping Identity's CEO and Symplified's CTO, but elaborated further.


Cloud Administrator:

A person who is responsible for managing other types of users in the cloud computing environment. The duties of a Cloud Administrator are wide-ranging and vary widely from one organization to another. Cloud Administrators are usually charged with manually creating other types of users if this is part of the IAM process and procedures, resetting passwords for other users, unlocking users who have failed a certain number of login attempts and have been locked out by the Cloud Provider, running auditing and compliance reports, assisting in criminal investigations if there are security breaches and access violations in the use of the cloud service, creating virtual machines, allocating virtual CPU time and network bandwidth, configuring virtual firewalls, etc. Other duties may include scripting or light programming using the Cloud Provider's web service API, monitoring cloud service usage, and bringing down or starting certain cloud services. The Cloud Administrator can come from the Cloud Provider or from within the Cloud Consumer's organization. It is important to follow the separation of duties principle: the Cloud Administrator should not be able to see or change sensitive information such as salary information, date of birth or medical information of other users. A Cloud Administrator should have basic cloud computing skills and should understand cloud computing concepts and key supporting technologies. Organizations recruiting a Cloud Administrator should do a background investigation and carefully interview and examine the candidate before making an offer of hire.


Help Desk Users:

If there are many users (for example, millions of users using the cloud service), the users must be supported by multi-tier help desk staff. This includes level-one help desk staff, level-two system support staff, and level-three cloud administrators. Authorized users have the ability to change system parameters, select regular user security settings, and other configuration details through standard cloud user management administration tools.


Regular Users:

Depending on the type of cloud service delivered by the Cloud Provider, the regular user can be an internal user within the Cloud Consumer's organization (if it is an internal application such as an HR application) or an end user from the general public (if this is a B2C environment such as internet shopping).


Contractors:

The Cloud Consumer can hire a contractor to use the cloud service to conduct outsourced business activities. In this case, the Cloud Consumer needs to make sure that the contractor's identity is established to use the cloud service. The Cloud Provider can also use contractors to run part of its business, and should make sure the identities of such contractors are separate from regular users because of data privacy, privilege management and access control issues.


Partners:

Both the Cloud Consumer and the Cloud Provider can have business partners, and their identities in the cloud must be established before they can use the cloud service.


After use case formalization, the next step for IDCloud is to do a deep gap analysis of existing IAM standards such as SAML, SPML, WS-Federation, etc. against the use cases needed for IAM in the cloud. The final step for IDCloud is to create profiles of use cases which can then be used as recommended profiles by cloud identity providers.

Overall, this will be a gradual process and may take a few years to get to the finishing line.