I read several articles about research on the behavior of IT professionals recently. The research was sponsored by security vendor Cyber-Ark. Amazing stuff! A third of all IT professionals surveyed could still access the company's network after they left the job. A third admit to snooping and peeking at information like people's personal emails, salary info and other juicy tidbits. Most shocking: 50% of all IT professionals still keep passwords on Post-It notes. These are administrative passwords!! The really omnipotent accounts!!
The press release from Cyber-Ark has more details. The survey was of 200 IT professionals at April 2008's Infosecurity Exhibition Europe, and it was entitled "Trust, Security and Passwords".
Interestingly, these folks admitted these things in an anonymous survey, but aside from that they might never be detected in their snooping - admin passwords generally give privileged and anonymous access to systems.
One point: there's a difference between snooping and corporate-policy-based monitoring of company IT assets. The survey was pointing out the fact that IT administrators can inappropriately access information and they count on not being caught.
I spent some time recently chatting with Ross Duncan, VP of Channels at Gemalto, due to my role as product manager for Citrix Password Manager. While Citrix remains "strong authentication agnostic", Ross raised some great points:
- Passwords are bad - I don't think anyone will argue this point! There have been many solutions to enforce management of passwords to mitigate the inherent weakness. But those "solutions" that make passwords more complex can cause user convenience problems, plus bad behavior such as passwords written down, using the same password for many applications, and so on. Then the help desk calls are both extensive and expensive.
- eSSO means putting all the keys to the kingdom in one place. This allows IT to use hyper-secure passwords (20+ characters, special characters, etc.) that change rapidly. However, the end user now has only ONE password to know - therefore there is a case to augment it with a strong authentication device like Gemalto smart cards.
- Coupling eSSO and smart cards brings the ultimate in convenience with maximum security - the user inserts their card, enters their PIN, and they can securely access the system. This is much easier than entering user name/password - easier and more secure.
- Vendors like Gemalto are integrated with Citrix Password Manager, smooth roaming/Hot Desktop, XenApp and CAG, which is convenient for customers.
We also discussed the merits of converging logical and physical security. This always looks great on PowerPoints, but it has been a real slow starter in real life. It's been discussed for 8 years that I personally know about, but the actual implementations are lagging. It always struck me this way: the physical security personnel and the IT security personnel are usually in different areas within an organization, and there are numerous political barriers to having the two groups work together and contribute budgets to make a badge/technology/management decision together. I know Gemalto has partnerships to do this, but it seems to me to face obstacles. Would like to hear comments!
I attended the Courion Converge show, with the theme "Demystifying Provisioning and Access Compliance," in Chicago last week. Courion, if you don't know it, is one of our partners and a reseller. Courion provides a suite of Courier products, including AccountCourier, which CPM is tightly integrated with for user provisioning. Converge is their yearly customer event. Citrix was a Platinum sponsor.
Courion AccountCourier is seamlessly integrated with Citrix Password Manager for eSSO. See a flash demo here.
Observations from Converge:
- The main industry vertical customers attending were financial and health care. User provisioning is a key issue and it is very expensive to do manually.
- RoleCourier is gaining traction as customers are using it to avoid complexity, excessive roles, and political situations that arise when doing role-based provisioning.
- ComplianceCourier is getting a lot of interest for its capability to enable business managers to periodically review and verify employee access rights.
- There was a great customer presentation from Goodyear Tire and Rubber Corporation, where they discussed a previous failed attempt at implementing IAM, followed by their project with Courion, which is rolling out very smoothly. One interesting note: a focus on educating and motivating users to appreciate the new system really pays off.
Autonomic security, AKA self-healing, self-defending, situation-aware security, or feedback-based security management, has long been a dream in distributed IT computing. It could be that the reason this dream was not realized is that it is too hard to do in distributed computing.
Enter virtualized computing, with centralization and much greater control over the [wily careless security-ignorant only-cares-about productivity] user. Now does that change the complexion of the problem?
The enemy is the usual: malware, such as worms, viruses and trojans, plus future attacks we don't even know about now. Malware designers unfortunately have the upper hand, with ever stealthier approaches to evil. Most security countermeasures are simply responses to known threats. Thus the bad guys are controlling the game.
With virtualized computing, IT asserts more control. Might it not be possible to realize autonomic security more effectively? One of the problems distributed computing has is relentless complexity and lack of control. With distributed computing, the end user is in the driver's seat! Maybe if all end users were very diligent about security this would be fine. This is sadly not the case.
Autonomic security affords the luxury of not relying on a human to notice things are stealthily going amok. It is possible to monitor what is going on in the network, applications, OS's, processors, and so on. With a virtualized environment, does this not become easier?
To be clear, it is possible autonomic computing actually creates additional security challenges, doing things automatically like changing system configurations, interconnections and so on, creating interesting entrées for malware designers.
I'd very much enjoy a dialog on the following thought: in a centrally controlled virtualized environment, is security innovation possible? Given that we can get better information about what is going on, for example anomalous behavior such as a processor being hit abnormally, or other anomalies such as buffer overflows or abnormal accesses or sensitive data being touched in any way, could we not modify the enterprise security policy on the fly? Could we have software to look at the collective of information now at our fingertips and change security policy appropriately?
The model I have in mind is human behavior. If you are walking down the street and it's daytime, and it's a cheerful sunny day, and nothing suspicious is going on, we behave in a way to maximize productivity and pleasure. In contrast, if you're walking down the street and it's dark and late, and there are strange-looking people about, and they are looking at you with too much interest, your security posture changes and security becomes more important than productivity and pleasure (until you get out of the situation.)
So could we not use that model and have an adaptive security policy that intelligently changes, based on the information available? Not attacks per se, as there is software that does that already. What if we could look at the health of the network and applications and decide that the situation is not normal and a more restrictive security policy is now required? Productivity and pleasure take a back seat when it's "code red".
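As an added illustration of the "code red" model above (example code written for this page, not from the original post or any Citrix product): a toy feedback-based posture engine. The signal names, weights, thresholds, decay rate and the tick sequences are constructed assumptions. It scores observed anomalies, lets the score decay so the system eventually forgets, uses separate enter and exit thresholds so the policy does not flap back to normal after one quiet tick, and caps the score so that an attacker who can cheaply generate anomalies cannot hold the environment in code red indefinitely, which is exactly the kind of self-inflicted problem the earlier caveat about automation warns of.

```python
# Added example: a toy feedback-based security posture engine.  Not from the
# original post or any Citrix product; signal names, weights, thresholds and
# the scenario ticks are illustrative assumptions.
from dataclasses import dataclass
from typing import Dict, List

# Assumed weights: how much one occurrence of each observed signal raises the threat score.
SIGNAL_WEIGHTS: Dict[str, float] = {
    "cpu_spike": 1.0,
    "abnormal_access": 2.0,
    "sensitive_data_touch": 3.0,
    "buffer_overflow": 4.0,
}

POSTURES = ["normal", "elevated", "code_red"]          # lowest first
POLICY = {  # what each posture enforces; productivity yields to security as it rises
    "normal":   {"require_mfa": False, "allow_usb": True,  "session_timeout_min": 480},
    "elevated": {"require_mfa": True,  "allow_usb": False, "session_timeout_min": 60},
    "code_red": {"require_mfa": True,  "allow_usb": False, "session_timeout_min": 10},
}
RAISE_AT = {"elevated": 5.0, "code_red": 10.0}   # score needed to enter a posture
LOWER_AT = {"elevated": 2.0, "code_red": 6.0}    # score must fall below this to leave it
DECAY = 0.7        # fraction of the score carried into the next tick; the system forgets
MAX_SCORE = 20.0   # cap: bounds how long a flood of signals can hold the policy in code_red


@dataclass
class PostureEngine:
    score: float = 0.0
    posture: str = "normal"

    def observe(self, signals: Dict[str, int]) -> str:
        """Consume one tick of signal counts and return the posture now in force."""
        fresh = sum(SIGNAL_WEIGHTS.get(name, 0.0) * n for name, n in signals.items())
        self.score = min(self.score * DECAY + fresh, MAX_SCORE)
        level = POSTURES.index(self.posture)
        # Escalate while the score clears the next posture's entry threshold.
        while level + 1 < len(POSTURES) and self.score >= RAISE_AT[POSTURES[level + 1]]:
            level += 1
        # De-escalate only once the score is below the exit threshold (hysteresis),
        # so one quiet tick does not flap the policy straight back to normal.
        while level > 0 and self.score < LOWER_AT[POSTURES[level]]:
            level -= 1
        self.posture = POSTURES[level]
        return self.posture

    def policy(self) -> Dict[str, object]:
        return POLICY[self.posture]


def run_scenario(ticks: List[Dict[str, int]]) -> List[str]:
    """Feed a sequence of per-tick signal counts through a fresh engine."""
    engine = PostureEngine()
    return [engine.observe(t) for t in ticks]


# Constructed scenario: a few CPU spikes, then odd accesses, then an overflow burst, then quiet.
SCENARIO: List[Dict[str, int]] = [
    {}, {"cpu_spike": 2}, {"abnormal_access": 2}, {},
    {"buffer_overflow": 2, "sensitive_data_touch": 1},
    {}, {}, {}, {}, {}, {},
]
# An attacker who can trigger cheap signals at will: the cap bounds the damage.
FLOOD: List[Dict[str, int]] = [{"cpu_spike": 1000}] + [{}] * 7

if __name__ == "__main__":
    for tick, posture in zip(SCENARIO, run_scenario(SCENARIO)):
        print(f"{str(tick):55} -> {posture}")
    print("flood recovery:", run_scenario(FLOOD))
```

With the constructed scenario the engine stays at normal through the CPU spikes, moves to elevated on the abnormal accesses, holds elevated through a quiet tick because of the hysteresis, goes to code red on the overflow burst, and then steps back down over several quiet ticks. The flood case shows why the cap matters: without it, 1000 weight units of cheap signals would take about 18 quiet ticks to decay below the exit threshold; with the cap it takes 7.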
I'd like to hear from folks with thoughts in this area!
Several striking aspects:
- All presentations about security in a virtualized environment were mobbed. People were pretty angry when turned away at the doors of the presentation rooms, but fire marshal regulations prevented people from standing at the back. It appears this is the "next interesting thing" in security, and there is great curiosity. On the reality side, there were very few products / technology for sale to address the potential issues. I believe there are a great many startup companies currently in stealth mode in this area.
- The days of radical and revolutionary change in security from the late '90's and early '00's are way over. The big vendors seem to be just pulling together "fix it all" suites as best they can through acquisitions.
- Michael Chertoff's presentation was a tad scary: he mentioned that government agency computers are all interconnected, and that security is not consistent across all agencies (some have 24/7 monitoring for security and some don't). This is bad for the obvious reason - just like in the movies, the bad guys can find an innocuous-looking, under-protected entrance and get to the agencies of interest. The other scary part was that Mr. Chertoff seemed to think 24/7 monitoring was the main thing. I'd tend to focus on preventative measures, vulnerability assessment, intrusion detection, user training, Identity and Access Management, strong authentication and other areas as well, but they were not mentioned.
- Bruce Schneier's presentation on security rationalization was provocative. He focused on the separation between reality, feelings and models by "experts" when it comes to assessing security risks. One example was the Tylenol scare, and it was successfully addressed from a commercial standpoint by adding hermetic seals to bottles. It made people feel better. The reality is that a syringe could inject poison pretty easily, but people feel better. He also introduced the notion of "security theatrics", where the media and security vendors exaggerate risks and cause people to feel bad when the reality just doesn't match. Interesting concept.
RSA Conference is growing: attendance was estimated at 17,000
This is a little-known fact that may be very interesting for customers who want SSO, but realize Password Manager does not natively support their language. We have an SDK available for partners to do their own translations of the CPM UI. It is available for free, and has already been requested by partners in Russia, Czechoslovakia, Sweden, Italy and Poland.
This SDK can be used with standalone CPM and XenApp Platinum (Single Sign-on powered by Password Manager.) Both offerings are the same code base.
Our terms are intentionally simple: the local Citrix rep approves the partner to me, partner signs a EULA, I give the partner access to the SDK via FTP, and the partner owns the resultant work effort (of course CPM licenses are still required for the customers purchasing translated versions from the partner.)
The caveats are that the business partner is responsible for keeping up with changes as new releases are provided from Citrix, and the local Citrix account team vouches for the integrity of the partner. We need to be sure the UI delivered is of quality, hence the local team involvement.
If you're interested, please have your Citrix rep contact kate.brew@citrix.com
Would also appreciate comments on this approach - yea or nay!
Most people don't realize the value of the answers to their personal security questions (Citrix Password Manager calls this Question Based Authentication.) As it turns out, those answers are more valuable than passwords. If someone learns enough answers to your personal security questions, they very often can reset your password and have access to your accounts. Yes, that includes your online bank account and it's a very real problem. In fact, I have a friend so paranoid about this that he swears his favorite color is "three."
Some of the issues around personal security questions are kind of interesting. For example, I've dealt with customers where personal privacy of employees is a big consideration in selecting the questions. Let's call that one "sensitivity". Another issue is what I'll call "changeability" - your favorite movie may change from month to month. Then another issue is what I'll call "detectability" - my place of birth is public record, if somebody happens to know where I was born and what my maiden name was. Both of those are completely unguessable in my case so I am probably safe on that problem.
Then there is always my favorite, "guessability" - there are only so many colors, even if you count teal and puce.
We can't forget the punctuation marks either. Tricky to remember whether I indicated a teacher's name as Mrs. Winters, Ms. Winters, Mrs Winters or Ms Winters when I signed up for a web account. Have to be careful on that one.
We are finding that the more flexibility you can allow the better on these personal security questions for CPM. Let companies write their own personal security questions that are more obscure than place of birth. Let people choose between a number of security questions that they find unique and easy to remember.
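The four properties above (sensitivity, changeability, detectability, guessability) plus the punctuation problem come down to two engineering decisions: how an answer is canonicalized and stored, and how small the realistic answer space is. The following is an added example written for this page, not code from Citrix Password Manager; the honorific list, the PBKDF2 work factor and the favorite-color distribution are constructed assumptions. It normalizes answers so "Mrs. Winters", "Ms Winters" and "mrs winters" compare equal, stores only a salted slow hash (the answer is worth at least as much as the password it can reset), and measures a question's guessability with min-entropy and "guesses needed to cover half the users", which is what an attacker who knows the popular answers actually cares about.

```python
# Added example, not Citrix code: canonicalizing, hashing and measuring the
# guessability of security-question answers.  HONORIFICS, ITERATIONS and
# COLOR_COUNTS are illustrative assumptions.
import hashlib
import hmac
import math
import os
import re
import unicodedata
from typing import Dict, Optional, Tuple

# Leading honorifics are dropped so the user need not remember "Mrs." vs "Ms".
# Design choice: it gives up a little variation the user rarely recalls reliably.
HONORIFICS = {"mr", "mrs", "ms", "miss", "dr", "prof"}
ITERATIONS = 200_000  # PBKDF2 work factor; tune to roughly 100 ms on the verifying host


def normalize_answer(answer: str) -> str:
    """Canonical form applied identically at enrollment and at verification."""
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^\w\s]", "", s)          # drop punctuation: "mrs." -> "mrs"
    tokens = s.split()                     # also collapses runs of whitespace
    while tokens and tokens[0] in HONORIFICS:
        tokens.pop(0)
    return " ".join(tokens)


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a per-answer salt and a slow hash of the canonical answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, expected: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


# Constructed answer distribution for "What is your favorite color?" (counts per 100
# users).  Real survey data would replace this; only the skewed shape matters here.
COLOR_COUNTS: Dict[str, int] = {"blue": 42, "green": 14, "purple": 14, "red": 8,
                                "black": 7, "orange": 5, "yellow": 3, "pink": 3, "other": 4}


def min_entropy_bits(counts: Dict[str, int]) -> float:
    """Min-entropy: the attacker's work when they try the single most common answer."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


def guesses_for_coverage(counts: Dict[str, int], coverage: float) -> int:
    """How many of the most common answers cover `coverage` of the user population."""
    total = sum(counts.values())
    covered = 0
    for n, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        covered += c
        if covered / total >= coverage:
            return n
    return len(counts)


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password, for comparison with the question."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    salt, stored = enroll_answer("Mrs. Winters")
    print("Ms Winters accepted:", verify_answer("Ms Winters", salt, stored))
    print(f"favorite color min-entropy: {min_entropy_bits(COLOR_COUNTS):.2f} bits")
    print("guesses to cover 50% of users:", guesses_for_coverage(COLOR_COUNTS, 0.5))
    print(f"random 8-char alphanumeric password: {random_password_bits(8, 62):.1f} bits")
```

On the constructed distribution, two guesses cover half the users and the question carries about 1.25 bits of min-entropy against roughly 47.6 bits for an 8-character random password, which is the quantitative version of "there are only so many colors". The same functions can be run over an organization's own enrollment data to rank candidate questions before letting people choose among them.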
In fact, I'd love some comments on pet peeves and helpful suggestions on personal security questions!
I've been talking to a customer in the midst of a large rollout of Citrix Password Manager and heard some interesting items. This is a very positive Citrix customer, but they don't want users aware of CPM.
Now, being software developers, we just assumed everyone would want to be aware of our cool SSO application. But this customer, and apparently others, want their SSO solution to be transparent to users.
Why? They have high turnover and their end users are unsophisticated from an IT perspective. Their users have limited patience and get frustrated if they feel like they are getting slowed down. So, even though CPM is saving them time and increasing security, the IT folks want CPM to be "invisible" so that users don't get the wrong perception (i.e., while CPM is launching they get irritated.)
We've already made some changes to the product to address this, but this customer experience convinces me we need to do more.
Another tidbit: training their new workers to use SSO is easier than training established employees who already have bad habits like writing down their passwords, guessing a good bit, and getting locked out a good bit.

Without Single Sign-On, users are left to their own devices (such as yellow stickies) to retain the many different passwords they need.
Trouble was that security vendors were so eager to provide this functionality (starting about 10-12 years ago), and the hype was so great, and the technology was so immature, that early SSO projects often had tragic results. Early implementers in some cases dumped millions in services dollars to coax the immature SSO product into actually working for a subset of their applications.
Well, the technology is mature now, and SSO really works!
With the Citrix SSO product, Citrix Password Manager (CPM), we have a very successful install base of customers, with many implementations with more than 50,000 users. Very conveniently, CPM is included as the SSO XenApp Platinum component, bringing more value to users as well as value to IT administrators in increasing actual security by eliminating bad user behavior.
At Summit in January I ran into an interesting Citrix partner - Xceedium. It's a security company with an appliance product, called GateKeeper, that is complementary to XenApp. It enforces security policy by providing compartmentalization and containment.
Say you are outsourcing development. GateKeeper provides a capability they call "LeapFrog Prevention" to isolate and contain users to authorized applications and network devices, so your outsourced developers can't use DNS lookups, NFS mounts or ICMP to leapfrog to unauthorized areas and information. It also provides tracking and reporting for compliance reasons.
In a XenApp environment, their agent monitors each user process and prevents unauthorized apps from trying to leapfrog to another device. They also track all command-line activity and block unauthorized commands, so it adds to the application-layer security features of XenApp with control over the command line/infrastructure layer.
The GateKeeper is complementary to the SmartAuditor session recording feature of XenApp, adding keystroke logging and session recording for CLI.
For customers who have audit and compliance requirements, Xceedium is an extremely interesting addition to XenApp. They're already verified Citrix Ready too. As a bonus, GateKeeper is Common Criteria certified to EAL3.
[www.xceedium.com]
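To make the containment idea concrete, here is an added example written for this page (not Xceedium's or Citrix's code) of the policy logic behind "leapfrog prevention": a deny-by-default evaluator that checks each contractor connection attempt against a per-user allowlist of destination network, protocol and port, and labels everything else as a leapfrog attempt, naming the classic pivoting primitives (DNS, NFS, ICMP) the post mentions. The users, networks and log records are constructed; an unknown user has an empty allowlist and is therefore denied everything.

```python
# Added example, not Xceedium's or Citrix's code: a deny-by-default evaluator that
# checks contractor connection attempts against a per-user allowlist and labels
# anything else as a leapfrog attempt.  Users, networks and log records are constructed.
import ipaddress
from typing import Dict, List, Tuple

# Assumed policy: (destination network, protocol, port) tuples each user may reach.
ALLOW: Dict[str, List[Tuple[str, str, int]]] = {
    "contractor_a": [
        ("10.20.5.0/24", "tcp", 22),     # SSH to the outsourced dev subnet
        ("10.20.5.10/32", "tcp", 8080),  # the one build server they need
    ],
}

# Pivoting primitives called out in the post; denied unless the allowlist says otherwise.
PIVOT_PRIMITIVES = {
    ("udp", 53): "dns", ("tcp", 53): "dns",
    ("tcp", 2049): "nfs", ("udp", 2049): "nfs",
    ("icmp", 0): "icmp",
}

# Constructed records: user protocol dst_ip dst_port (port 0 for ICMP).
SAMPLE_LOG = """\
contractor_a tcp 10.20.5.7 22
contractor_a tcp 10.20.5.10 8080
contractor_a udp 10.0.0.2 53
contractor_a tcp 10.30.1.4 2049
contractor_a icmp 10.40.0.1 0
contractor_a tcp 10.20.5.77 22
contractor_a tcp 192.168.1.9 22
contractor_b tcp 10.20.5.7 22
"""


def is_allowed(user: str, proto: str, dst_ip: str, dst_port: int) -> bool:
    """True only if some allowlist entry for this user covers the destination exactly."""
    ip = ipaddress.ip_address(dst_ip)
    return any(
        proto == p and dst_port == port and ip in ipaddress.ip_network(net)
        for net, p, port in ALLOW.get(user, [])   # unknown user: empty list, so denied
    )


def classify(record: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one record."""
    user, proto, dst_ip, port = record.split()
    dst_port = int(port)
    if is_allowed(user, proto, dst_ip, dst_port):
        return "allow", "authorized"
    primitive = PIVOT_PRIMITIVES.get((proto, dst_port))
    if primitive:
        return "deny", f"leapfrog:{primitive}"
    return "deny", "leapfrog:unauthorized-destination"


def audit(log: str) -> List[Tuple[str, str, str]]:
    """Classify every non-empty record, keeping the record itself for the compliance trail."""
    return [(line, *classify(line)) for line in log.splitlines() if line.strip()]


def violations(log: str) -> List[Tuple[str, str]]:
    return [(line, reason) for line, verdict, reason in audit(log) if verdict == "deny"]


if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {reason:34} {line}")
```

Run over the constructed records, the three SSH/build-server connections inside the allowed subnet pass, while the DNS query, NFS mount, ICMP probe, the SSH attempt to an unrelated network and the unknown user's attempt are all denied with a reason suitable for an audit report.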
I just got a really nice note from a Citrix rep in Australia about the "Cookbook" available for Citrix Password Manager. He suggested we have similar tools for all Citrix products for our partners to use.
The CPM Cookbook, AKA Citrix Password Manager Project Guide, has been on MyCitrix for a while, but I am noticing people usually can't find it. It contains information on sizing services revenue, developing scope of product deployment, justifying ROI, writing the Statement of Work, creating the project plan and documents and templates for training and other useful tasks.
It is located here on MyCitrix, under reference desk for CPM, under Whitepapers Exclusively for MyCitrix Users: https://www.citrix.com/English/myCitrix/refDeskResults.asp?Category=product&ResourceId=7181
If you have any problem getting it, I'd be happy to send you a zipped copy. Please contact me at kate.brew@citrix.com