Blog posts tagged with 'cpm'
I spent some time recently chatting with Ross Duncan, VP of Channels at Gemalto, due to my role as product manager for Citrix Password Manager. While Citrix remains "strong authentication agnostic", Ross raised some great points:
- Passwords are bad - I don't think anyone will argue this point! There have been many solutions to enforce management of passwords to mitigate their inherent weakness. But those "solutions" that make passwords more complex cause user convenience problems, plus bad behavior such as passwords written down, the same password reused across many applications, and so on. Then the help desk calls are both extensive and expensive.
- eSSO means putting all the keys to the kingdom in one place. This allows IT to use hyper-secure passwords (20+ characters, special characters, etc.) that change rapidly. However, the end user now has only ONE password to know, so there is a case to augment it with a strong authentication device like Gemalto smart cards.
- Coupling eSSO and smart cards brings the ultimate in convenience with maximum security: the user inserts their card, enters their PIN, and can securely access the system. This is much easier than entering a user name/password, and more secure.
- Vendors like Gemalto are integrated with Citrix Password Manager, smooth roaming/Hot Desktop, XenApp and CAG, which is convenient for customers.
We also discussed the merits of converging logical and physical security. This always looks great on PowerPoints, but it has been a real slow starter in real life. It's been discussed for 8 years that I personally know about, but the actual implementations are lagging. It always struck me this way: the physical security personnel and the IT security personnel are usually in different areas within an organization, and there are numerous political barriers to having the two groups work together and contribute budgets to make a badge/technology/management decision together. I know Gemalto has partnerships to do this, but it seems to me to face obstacles. Would like to hear comments!
Several striking aspects:
- All presentations about security in a virtualized environment were mobbed. People were pretty angry when turned away at the doors of the presentation rooms, but fire marshal regulations prevented people from standing at the back. It appears this is the "next interesting thing" in security, and there is great curiosity. On the reality side, there were very few products / technology for sale to address the potential issues. I believe there are a great many startup companies currently in stealth mode in this area.
- The days of radical and revolutionary change in security from the late '90s and early '00s are way over. The big vendors seem to be just pulling together "fix it all" suites as best they can through acquisitions.
- Michael Chertoff's presentation was a tad scary: he mentioned that government agency computers are all interconnected, and that security is not consistent across all agencies (some have 24/7 monitoring for security and some don't). This is bad for the obvious reason - just like in the movies, the bad guys can find an innocuous-looking, under-protected entrance and get to the agencies of interest. The other scary part was that Mr. Chertoff seemed to think 24/7 monitoring was the main thing. I'd tend to focus on preventative measures, vulnerability assessment, intrusion detection, user training, Identity and Access Management, strong authentication and other areas as well, but they were not mentioned.
- Bruce Schneier's presentation on security rationalization was provocative. He focused on the separation between reality, feelings and the models "experts" use when assessing security risks. One example was the Tylenol scare, which was successfully addressed from a commercial standpoint by adding tamper-evident seals to bottles. It made people feel better. The reality is that a syringe could inject poison pretty easily, but people feel better. He also introduced the notion of "security theater", where the media and security vendors exaggerate risks and cause people to feel bad when the reality just doesn't match. Interesting concept.
RSA Conference is growing: attendance was estimated at 17,000
This is a little-known fact that may be very interesting for customers who want SSO, but realize Password Manager does not natively support their language. We have an SDK available for partners to do their own translations of the CPM UI. It is available for free, and has already been requested by partners in Russia, Czechoslovakia, Sweden, Italy and Poland.
This SDK can be used with standalone CPM and XenApp Platinum (Single Sign-on powered by Password Manager.) Both offerings are the same code base.
Our terms are intentionally simple: the local Citrix rep approves the partner to me, partner signs a EULA, I give the partner access to the SDK via FTP, and the partner owns the resultant work effort (of course CPM licenses are still required for the customers purchasing translated versions from the partner.)
The caveats are that the business partner is responsible for keeping up with changes as new releases are provided from Citrix, and the local Citrix account team vouches for the integrity of the partner. We need to be sure the UI delivered is of quality, hence the local team involvement.
If you're interested, please have your Citrix rep contact kate.brew@citrix.com
Would also appreciate comments on this approach - yea or nay!
Most people don't realize the value of the answers to their personal security questions (Citrix Password Manager calls this Question Based Authentication.) As it turns out, those answers are more valuable than passwords. If someone learns enough answers to your personal security questions, they very often can reset your password and have access to your accounts. Yes, that includes your online bank account and it's a very real problem. In fact, I have a friend so paranoid about this that he swears his favorite color is "three."
Some of the issues around personal security questions are kind of interesting. For example, I've dealt with customers where personal privacy of employees is a big consideration in selecting the questions. Let's call that one "sensitivity". Another issue is what I'll call "changeability" - your favorite movie may change from month to month. Then another issue is what I'll call "detectability" - my place of birth is public record, as is my maiden name, if somebody happens to go looking. Both of those are completely unguessable in my case, so I am probably safe on that problem.
Then there is always my favorite, "guessability" - there are only so many colors, even if you count teal and puce.
We can't forget the punctuation marks either. Tricky to remember whether I indicated a teacher's name as Mrs. Winters, Ms. Winters, Mrs Winters or Ms Winters when I signed up for a web account. Have to be careful on that one.
We are finding that the more flexibility you can allow the better on these personal security questions for CPM. Let companies write their own personal security questions that are more obscure than place of birth. Let people choose between a number of security questions that they find unique and easy to remember.
In fact, I'd love some comments on pet peeves and helpful suggestions on personal security questions!