Thursday, December 30, 2010

CSA Updates Cloud Security Framework




The question isn't whether cloud computing will become the future of IT, but when. According to MarketsandMarkets (M&M), the global cloud computing market will reach $121.1 billion by 2015 ("Global cloud computing market: global forecast, 2010-2015"). Although it represents just a portion of the overall IT cloud market, public cloud providers' revenues will reach $45 billion by 2013, according to IDC. This represents a compound annual growth rate of 26 percent, more than six times the forecast growth rate for traditional IT spending. But IDC also says that businesses are more concerned about the risks involved, including security, availability and performance, than about the benefits of flexibility, scalability and lower costs.

That's where the Cloud Security Alliance (CSA), a not-for-profit organization promoting best practices for security assurance within cloud computing, comes in. Created last year by a coalition of industry practitioners, corporations, associations and other stakeholders, CSA has announced version 1.1 of its Cloud Controls Matrix (CCM), part of the CSA GRC (governance, risk management and compliance) Stack.

Designed to provide a security framework for cloud vendors and customers, version 1.0 of the CCM, a catalog of cloud security controls aligned with key information security regulations, standards and frameworks, was introduced in April 2010. One of the key objectives was to bridge the hodgepodge of national (e.g., NIST), international (e.g., ISO 27001/27002) and industry (e.g., PCI) security regulations, standards and frameworks. Version 1.1 updates the first release to accommodate recent changes in many of those frameworks.

Marlin Pohlman, one of the CCM co-chairs and chief governance officer at EMC, says that a number of changes came out between versions 1.0 and 1.1, including HIPAA (Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry) support. "We did remapping, so that's why it's an incremental as opposed to a version release." He says the CCM should help companies better position themselves if they are in the cloud services space.

Cloud security is a massive undertaking, but Pohlman says there has been significant advancement since CSA was formed less than two years ago. A number of standards groups, industry associations and governments, especially in the United States, the United Kingdom, Japan and Europe, have been adopting various elements, and the CCM is being seen as seminal work around cloud standards for ISO. CSA has a unique change control philosophy that will be reflected in version 2.0, which Pohlman is responsible for steering. It will redefine the controls for the supply chain, for the multi-tenant, multi-tier business model and for multi-jurisdictional aspects. "In 2.0 we have refocused on the tenant as the primary owner of risk," says Pohlman. Existing controls that address those specific pain points will be revised in the next version.

Open Source Identity Management Software

The following table lists representative open source identity management products; some of them work in cloud environments. Readers are encouraged to do more research to see which product fits their cloud identity needs.

Open Source IAM Project: Description

WBSAgnitio: provides network services, directory services, certificate services and identity management. WBSAgnitio integrates all of these features and components in a single physical or virtual box and comes with a browser-based web interface for administration. It also exposes RESTful web services for easy integration of applications for remote management.

OpenAM: ForgeRock's project to host and continue development of Sun Microsystems' OpenSSO product since Oracle's takeover of Sun.

OpenDJ: ForgeRock's project to host and continue development of Sun Microsystems' OpenDS product since Oracle's takeover of Sun.

OpenIDM: created from scratch, it borrows many ideas from Sun IDM, supports Sun IDM features and functionality, and is based on OpenESB.

WSO2 Identity Server: an open source identity and entitlement management server with the following features:
·          Entitlement engine with XACML 2.0 support.
·          Claim-based security token service.
·          Information Cards provider supporting managed Information Cards backed by user name/password and self-issued cards.
·          Information Cards support for SAML 1.1/2.0.
·          OpenID provider.
·          Multi-factor authentication with Information Cards.
·          Extension points for SAML assertion handling.

WSO2 offers Identity as a Service and other cloud services via its WSO2 Stratos brand.

OpenIAM: provides three open source IAM products:
·          Identity Manager for user life cycle management.
·          Access Manager for multi-factor authentication, coarse- and fine-grained authorization, XACML 2 support, single sign-on, identity federation, and integration with development frameworks such as Spring Security.
·          Entitlement Server for RBAC and ABAC using XACML.

SourceID: an open source multi-protocol project for enabling identity federation and cross-boundary security; it enables cross-boundary single sign-on, dynamic user provisioning and identity attribute sharing.

Shibboleth: develops architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. Key concepts within Shibboleth include federated administration, attribute-based access control and active management of privacy; it is built on OpenSAML.

OpenSAML: a set of open source Java and C++ libraries that are fully consistent with the SAML 1.0 and 1.1 CR specifications.

Jasig CAS: the Central Authentication Service (CAS) is a single sign-on authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. CAS became a Jasig project in December 2004.

OpenSPML: the toolkit offers an easy-to-use interface for configuring, issuing and interpreting standards-compliant provisioning requests across diverse identity infrastructures.

OpenPrivacy: a reference implementation of the Reputation Management Framework (RMF). OpenPrivacy's core project is designed to ease the creation of communities of reputation-enhanced pseudonymous entities. The RMF is primarily a set of four interfaces: Nym Manager, Communications Manager, Storage Manager and Reputation Calculation Engine (RCE).

NMI-EDIT: the primary goal of the NMI-EDIT Consortium, part of the NSF Middleware Initiative (NMI), is to improve the productivity of the research and education community through development, testing, and dissemination of architectures, software, and practices in the areas of identity and access management. NMI-EDIT's efforts comprise a coordinated set of core middleware tools covering identity and access management architectures, standards for deployments, related directory schemas, and tools. Current major projects include the collaboration management platform, the groups management toolkit, and the Shibboleth single sign-on and federating software.

Spring Security: provides your applications with comprehensive authentication, authorization, instance-based access control, channel security and human user detection capabilities. Spring Security offers support for SAML, Kerberos and OAuth.

JOSSO (Java Open Single Sign-On): an open source J2EE-based SSO infrastructure aimed at providing centralized, platform-neutral user authentication. JOSSO supports SAML and can be integrated with Spring Security for fine-grained access control.

JPAM: a Java-PAM bridge. PAM, or Pluggable Authentication Modules, is a standard security architecture used on Unix, Linux and Mac OS X systems. JPAM permits the use of PAM authentication facilities by Java applications running on those platforms.

Open Web SSO (OpenSSO): provides core identity services to facilitate the implementation of transparent single sign-on as an infrastructure security component. The goal of the project is to provide an extensible implementation of identity services infrastructure that facilitates single sign-on for web applications hosted on web and application servers. The project is based on the code base of the Sun Java(tm) System Access Manager product.

Higgins: an extensible, platform-independent, identity-protocol-independent software framework to support existing and new applications that give users more convenience, privacy and control over their identity information. In addition, Higgins aims to provide a social relationship data integration framework that enables these relationships to be persistent and reusable across application boundaries. It organizes relationships into a set of distinct social contexts within which a person expresses different personas and roles.

OpenID library for Java: a library that allows you to OpenID-enable your Java web application.

Fortress: based on OpenLDAP, Fortress is a suite of IAM products for authentication, authorization and auditing, consisting of:
·          Fortress (Core) – free download
·          Commander (Fortress admin GUI)
·          Sentry (OpenLDAP admin GUI)
·          En Masse (policy server)
·          Perimeter (SSO server)
·          Patroller (audit viewer)

Jasig incubator project (Rutgers/SFU): the project was initiated by Rutgers University in March 2008, became a Jasig Incubator project in January 2009, and was joined by SFU in late 2009. The project has a solid data model and its major focus is on user provisioning and de-provisioning workflow.


Sunday, December 19, 2010

Secure Multi-Tenancy for Cloud Architecture with NetApp, Cisco, and VMware

The following text is from cloud.com

A Secure, Enterprise Cloud Architecture
NetApp, Cisco, and VMware have partnered to create a unique enterprise cloud architecture that includes all server, storage, and networking hardware and software to facilitate sharing, reuse, and dynamic resource allocation. Our architecture takes the risk out of transitioning to a cloud infrastructure while delivering the advanced capabilities you need to succeed.

Key features include an efficient, always-on infrastructure with elastic scalability; integrated data protection; advanced automation; and the ability to transparently migrate both applications and data across the infrastructure. We've brought together years of combined experience to create a multi-tenant environment in which separate applications or customers can share the same server, storage, and networking infrastructure with complete isolation so sensitive information is never compromised.

The individual technologies are — by themselves — the best the industry has to offer. Together, these technologies offer unique synergies that greatly simplify the deployment and management of IT infrastructure and applications with:

  • Unmatched end-to-end security and isolation in virtualized environments
  • Simplified, unified architecture
  • Lower cost
  • Greater business agility
  • Less risk
For more details, please see:

Thursday, December 16, 2010

$13B Gov’t Cyber Security Spending by 2015

According to Input's report "Federal Information Security Market, 2010-2015", demand for vendor-furnished information security products and services by the U.S. federal government will increase from $8.6 billion in 2010 to $13.3 billion in 2015, a compound annual growth rate (CAGR) of 9.1%.

Monday, December 13, 2010

RSA SecurID SDK for Android



BEDFORD, Mass., Dec. 13, 2010 /PRNewswire/ -- RSA, The Security Division of EMC (NYSE: EMC) announced the availability of the RSA SecurID® Software Token for Android(TM) that is engineered to enable an Android powered device to be used as an RSA SecurID authenticator, providing convenient and cost-effective two-factor authentication to enterprise applications and resources.
Additionally, RSA is releasing a new Software Development Kit (SDK) for the Android platform that is designed to allow developers to embed RSA SecurID two-factor authentication directly into Android applications and gain competitive advantage by offering this additional layer of security. Mobile applications that directly integrate RSA SecurID technology provide organizations with the assurance that their resources are engineered to be protected from unauthorized access without any usability impact to the end user. The SDK is available free of charge for all RSA Secured® partners.
"Being able to offer the RSA SecurID tokens to our users on many of the most popular mobile platforms such as Android is a convenient and cost-effective way to deploy strong authentication in our enterprise," said Tim Prendergast, Network Architect at Ingenuity Systems, Inc. "Deployment on smart phone platforms is done electronically so it's simple and fast for our IT organization to provision, eliminating any lag time if an end-user needs to get a new token. Our employees love it because the tokens are easily accessed on the mobile devices they already own and carry."
The new RSA SecurID Software Token for Android is engineered to generate a one-time password that changes every 60 seconds, enabling secure access to corporate resources. The solution complements the broad range of authentication methods offered by RSA, giving customers a choice in authentication methods based on risk, cost and convenience.
The RSA SecurID Software Token for Android is designed for enterprise users whose organizations have implemented the RSA SecurID system. The token can be installed directly onto Android enabled devices at no cost via a simple download from Android Market(TM). With minimal help from their IT department, users can enable the application with a unique software token seed, creating a convenient, secure and cost-effective RSA SecurID authenticator.
"The smart phone is revolutionizing the way consumers and commercial organizations are doing business," noted Mark Diodati, Research Director at Gartner. "The smart phone will become the default strong authenticator for users in the near-term; it means one less device that the user must carry. It's important that strong authentication methods like one-time password devices are supported on smart phones, and that developers have an easy way to embed this high-quality authentication method into mobile applications."
The use of RSA SecurID software tokens helps decrease total cost of ownership for organizations: they don't require any physical shipping, and they can be revoked and automatically redeployed if an employee leaves the company with their Android enabled device, eliminating the need for replacement tokens. Additionally, having the software authenticator on business-critical smart phones reduces the number of costly technical support calls for misplaced tokens.
"It's no secret that mobile computing has exploded recently and we do not expect that trend to slow down at all. This enormous growth and proliferation gives us a strong opportunity to leverage these devices as authenticators and enable new forms of authentication to our customers to establish identity," said Tom Corn, Chief Strategy Officer, RSA, The Security Division of EMC. "Leveraging mobile devices running on the Android platform to deploy RSA SecurID technology allows customers a seamless delivery of two-factor authentication across cloud or on-premise applications."
The RSA SecurID software token for the Android mobile platform will be available for free download Dec. 22, 2010 from Android Market. It is enabled for users with a unique software token seed purchased by IT organizations that have deployed RSA® Authentication Manager.
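The announcement describes a token that turns a per-user seed plus the device clock into a short code that changes every 60 seconds, and a server that accepts the code only while it is live. The block below is an added example, not RSA's code: the SecurID token algorithm itself is proprietary, so it uses the open RFC 6238 TOTP construction (HMAC-SHA1 over a time-step counter with RFC 4226 truncation) and a 60-second step to show the same seed-plus-clock behaviour, including the two checks a verifying server needs: a small drift window so a token whose clock runs slightly ahead or behind still works, and replay rejection so a code that was observed in transit cannot be reused within its 60-second life. The seed is the RFC 4226/6238 test secret, a constructed value and not a real token seed.

```python
# Added example, not RSA's code. RFC 6238 TOTP with a 60-second step, plus the
# server-side drift window and replay check a verifier needs.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # code lifetime described in the announcement
DIGITS = 6

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# Constructed for the example; a real token seed is provisioned per user.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter) followed by dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-stepped code: the counter is the number of whole steps since the epoch."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, submitted: str, unix_time: int, window: int = 1,
           used_counters=None, step: int = STEP_SECONDS):
    """Server-side check. Returns (accepted, matched_counter).

    Accepts the code for the current step or up to `window` steps either side,
    tolerating clock drift between token and server. When a `used_counters`
    set is supplied, a code whose step was already consumed is refused, so a
    code sniffed in transit cannot be replayed during its 60-second life.
    """
    now = unix_time // step
    for counter in range(max(now - window, 0), now + window + 1):
        # constant-time comparison: don't leak which digits matched
        if hmac.compare_digest(hotp(seed, counter), submitted):
            if used_counters is not None:
                if counter in used_counters:
                    return False, counter      # replay of an already-used code
                used_counters.add(counter)
            return True, counter
    return False, None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SEED, now)
    print("current code:", code,
          "valid for", STEP_SECONDS - now % STEP_SECONDS, "more seconds")
    used = set()
    print("first use accepted:", verify(SEED, code, now, used_counters=used))
    print("replay accepted:   ", verify(SEED, code, now, used_counters=used))
```

The `used_counters` set stands in for the per-user state a real authentication server keeps; without it, a 60-second code is an open door for anyone who saw it on the wire during that minute, which is why the replay check matters as much as the HMAC itself.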


Thursday, December 9, 2010

Introducing the Skylab Community Project



CLOUD SECURITY | MARCH 24, 2010
http://pulsene.ws/tDlr


Tuesday, December 7, 2010

Creative ideas for new startup

If you are thinking of starting a new company, here are some ideas; I hope you will give me the initial credit if you happen to read my blog, start the company and make it successful.

1: A search box that can search both public information (like Google) and protected, secured content (like SharePoint, Outlook e-mail, shared file servers, etc.). The basic idea would be to have user identity seamlessly integrated into your search box, and for secured content, the identity can be federated using SAML, OAuth or OpenID. I have some very elaborate ideas of how to make it work. If you are interested in this space and would like to work with me, please send me an e-mail. I am doing this in my spare time, so any support would be very beneficial.

2: An educational app in Facebook. As you all know, the majority of kids over 13 years old in the US are on Facebook now. How to make their time useful, educational and fun is the biggest real-world problem. If we can solve this problem, it would be our biggest contribution to the next generation and to our world. I welcome comments and suggestions on this and will be happy to talk with anyone who is interested in this idea.

I will post more ideas in new blog post.

Thanks

Ken Huang

Sunday, December 5, 2010

HP to expand Cloud and Security Business in the Asia Pacific region

According to CMS Wire:

At a media event in Barcelona, Spain, Robin Purohit, vice president and general manager for HP's Business Technology Optimization, said the company plans to expand its market share in Asia Pacific by 2011. While he did not disclose the details of this target, he identified two areas where HP plans to achieve this growth: security and cloud computing.

Security and Datacenter Management
"Many companies are looking to improve their core security capabilities but do not have the necessary skilled manpower to do so, which is why we see a clear opportunity for us to play in this space," Purohit says. HP has highlighted its recent acquisitions of security providers ArcSight and Fortify Software to boost the company's capability to provide managed security services to clients.

Meanwhile, cloud computing is another area where HP plans to ramp up activities in the Asia Pacific region. More particularly, HP cites its capabilities in managing disparate, virtualized datacenter systems, which are a foundation of cloud computing services. Purohit says HP is in a position to help businesses manage their data systems through a networked infrastructure, given its experience in datacenter and cloud technologies.

Application Lifecycle Management
Additionally, HP has identified application testing as another opportunity in the region. Outsourced BPO industries in India, China and the Philippines are seen as potential growth areas for HP's Application Lifecycle Management (ALM) 11 platform, which was launched at the HP Universe 2010 conference, likewise in Barcelona.

Michael Sher, HP Asia Pacific & Japan director for application quality sales, says that the company sees "huge opportunities" for ALM 11 in the region. He cited rising labor costs and scalability as advantages of automated application quality and performance testing.

Gartner predicts that Asia Pacific will see aggressive growth in enterprise IT spending in 2011, with expenditures expected to top US$312 billion. This includes projected growth of 11.3% in software and 9.3% in IT services, fueled by the booming BPO industry in the region, among others.

Friday, December 3, 2010

$1 Billion Market for User Provisioning

A recent Gartner report (revised on 11/5/2010) indicates that the user provisioning market reached $1 billion in 2010, with Oracle, IBM and CA still the market leaders.

More information on:

http://www.gartner.com/technology/media-products/reprints/oracle/article157/article157.html

Wednesday, December 1, 2010

Finally I decided to turn off "Conversation Feature" with my Gmail

I believe I think chronologically, and for this reason I never got used to the Gmail feature that shows you threads of e-mails with the same subject line. I find it very hard to locate an e-mail and reply to it if it is buried inside a big, long thread, especially if the thread is very long. I really dislike this feature. Luckily, I was able to turn it off, and if you need to know how, here is how it works.

1) Sign in to your Gmail account.

2) Click on Settings.

3) Click on the General tab, find the "Conversation view" setting (on or off), and select off.

This is how it worked for me.

Ken Huang

WikiLeaks fallout: it is about Identity and Access Management and Encryption

The recent WikiLeaks disclosures, involving the Department of State and some big financial institutions and technology companies, have made big headlines in the news.

I believe that two key measures to prevent this kind of leak are Identity and Access Management (IAM) and encryption of data at rest and in transit. IAM is not just technology; it is about process, procedures and policies. Agencies need to evaluate current IAM practices with existing technologies and see if there are any holes in SoD, least privilege, user provisioning and de-provisioning, fine-grained access control, etc. A department- and agency-wide IAM strategy is crucial to prevent such leaks in the future. As for data encryption and key management, this can be combined with the IAM strategy to protect data in transit and at rest.

Financial institutions and big technology companies are not exempt from data leaks such as WikiLeaks, and it is very important to have a consistent, enterprise-wide IAM strategy.

I welcome any comments.