The Citrix Blog
Blogs for tag 'security'


posted by Gordon Payne

 
In my last post, I discussed the importance of user experience: It's All About The User Experience (IAATHUX). Our Access Gateway team has come up with a new look and feel that is nice and clean. I think this is much more intuitive and consistent with the experience across Citrix Delivery Center. Notice that they are using plugin terminology in anticipation of App Receiver.

The desktop icon has changed from the "two Rubik's cubes connected by a red pipe" to the simple and easy to understand lock symbol. The rationale here is that secure access is not just about remote access but should secure connections onsite and offsite.



The thing I like the most with Access Gateway is that with auto-reconnect, I can just live in secure connected mode all the time. At Citrix, we run open wireless networks at most locations, so I can just put my laptop to sleep and start up in any location (including at home) and be assured a secure connection without having to do anything. I just see the secure lock icon in my systray and the auto-reconnect happen as I transit networks.

With the advantages of de-perimeterization, I think more and more users will appreciate this model. Check out the Jericho Forum for more on this model.

Cheers,

Gordon

  
 
 


posted by Kate Brew

I don't know about you, but I've always been frustrated when reading articles about DNS server attacks that never explain exactly how they work. It's obvious that such a thing would be a point of extreme interest to an attacker, but how do they do it?

I interviewed Ben Tucker, XenApp Developer on the Guardian Security Team, to finally understand this thing. Ben worked previously in the gaming industry creating and securing slot machines, communications protocols, and distributed systems.
 
 Q: What is DNS?

 A: DNS is a computer protocol that translates human-understandable web names, such as google.com, into IP addresses.  It's basically a telephone book that answers requests from a client to get them to the web site they want.   A DNS server answers requests and forms them into IP addresses so connections can be made.  A DNS server might talk with other servers until an authoritative answer is received.

 Q: What are the basic vulnerabilities of this technology?

A: The client computer does not authenticate that the server providing IP addresses is really the right DNS server. Therefore, the client has no way to verify whether it is talking to the right DNS server or to a malicious entity, such as evil.com.

This vulnerability has been around for twenty-five years. To complicate this further, DNS is a layered protocol. A client in one layer might be the server for another layer. So, this vulnerability pervades computers that lack trusted and authenticated communications.
 
Q: What has been done to fix this long-known vulnerability?

 A: When DNS was designed the security landscape was far more subdued than it is now.  Different ways to exploit the lack of authentication have been found over time.  Likewise, a series of mitigations have been implemented.  Until the last decade, transaction IDs were ascending and predictable.  Six years ago, a related implementation error led to an attack on the DNS protocol using the mathematics of the Birthday Paradox.  Overall, DNS has been a fertile ground for exploitation.
 
Q: So the problem was solved?

 A: No.  The recent DNS debacle involves forcing large numbers of fake DNS replies to a caching resolver while simultaneously controlling a client computer's requests.  Having a client repeatedly look for a DNS server gives the attacker more of a chance to improperly present evil.com as an authoritative DNS server.  Once the attacker beats the proper server with a response, then bankofamerica.com may look and feel correct to the user, but that user would be giving logon credentials to another entity entirely.

 Q: Why has this been in the news lately?

 A: Dan Kaminsky, a well-known security researcher, recently uncovered this problem and came up with a mitigation.

 First he uncovered a platform agnostic exploit that poisons a DNS cache within seconds.  Then, before releasing this exploit to the public, he worked with major vendors including Citrix to provide patches mitigating the problem.  Kaminsky's mitigation randomizes the protocol's source port as well as the transaction ID.  Now, the random transaction ID's are associated with random source ports, creating a more difficult problem for attackers in these race attacks.

 Q: How can Citrix help with this problem?

A: We have two KB articles that may be helpful. Please see:
- Vulnerability in Access Gateway Standard and Advanced Edition Appliance firmware could result in DNS Cache Poisoning (CTX118183)
- Vulnerability in NetScaler and Access Gateway Enterprise Edition could result in DNS Cache Poisoning (CTX117991)

 Q: Does HTTPS help at all?

 A: Yes.  HTTPS ensures that traffic is encrypted end-to-end.  With HTTPS, browsers can more easily notify users if the site being contacted doesn't match the intended site, if the certificate has expired, or if the certificate doesn't have a clear chain of trust to a known Certificate Authority.

Another suggestion for customers is to consider using an Intrusion Detection System (IDS) from a security vendor or reputable security source. This should be set up to guard corporate DNS servers from attacks.
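To put numbers on the race Ben describes, here is a small Python model added to this post (it is not Ben's or Citrix's code). It computes how likely a blind flood of forged replies is to hit the one outstanding query when the attacker must guess only the 16-bit transaction ID versus the transaction ID plus a randomized 16-bit source port, and it simulates the "fresh random subdomain per round" trick that gives the attacker as many races as it wants. Assumptions are labelled in the comments: the pre-mitigation resolver is modelled as always sending from port 53, a single query is outstanding at a time, and both parties use seeded RNGs so the run is reproducible (a real resolver must use a CSPRNG). The forged answer's authority section, which is what actually redirects a whole domain in the real attack, is not modelled; only the matching problem is.

```python
import random

TXID_BITS = 16          # DNS transaction ID is a 16-bit field
PORT_BITS = 16          # UDP source port is a 16-bit field
FIXED_PORT = 53         # assumption: the unpatched resolver always queries from port 53


def forgery_success_probability(forged_replies, entropy_bits):
    """Chance that at least one of `forged_replies` blind, independent guesses
    matches the outstanding query when `entropy_bits` bits must be guessed."""
    space = 2 ** entropy_bits
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def expected_races_until_poisoned(forged_replies, entropy_bits):
    """Expected number of race windows needed; asking for a new random subdomain
    each time supplies as many windows as the attacker likes."""
    return 1.0 / forgery_success_probability(forged_replies, entropy_bits)


class CachingResolver:
    """Minimal caching resolver with one outstanding query at a time.
    `rng` is a seeded random.Random for reproducibility only; a real resolver
    must draw IDs and ports from a CSPRNG such as the `secrets` module."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}
        self.outstanding = None

    def send_query(self, name):
        txid = self.rng.getrandbits(TXID_BITS)
        port = self.rng.randrange(1024, 65536) if self.randomize_port else FIXED_PORT
        self.outstanding = (name, txid, port)
        return txid, port

    def receive_reply(self, name, txid, port, answer):
        """A reply is accepted only if name, transaction ID and port all match."""
        if self.outstanding == (name, txid, port):
            self.cache[name] = answer
            self.outstanding = None
            return True
        return False

    def authoritative_reply_arrives(self):
        """The real answer wins the race; the forged ones are now useless."""
        self.outstanding = None


def kaminsky_style_attack(resolver, max_rounds, forged_per_round, attacker_rng):
    """Each round forces a query for a never-seen subdomain (the cache cannot
    answer it) and floods forged replies. Returns the round in which the cache
    was poisoned, or None if every race was lost."""
    for round_no in range(1, max_rounds + 1):
        name = f"{attacker_rng.getrandbits(32):08x}.example.com"
        resolver.send_query(name)
        for _ in range(forged_per_round):
            guess_txid = attacker_rng.getrandbits(TXID_BITS)
            guess_port = (attacker_rng.randrange(1024, 65536)
                          if resolver.randomize_port else FIXED_PORT)
            if resolver.receive_reply(name, guess_txid, guess_port, "192.0.2.66"):
                return round_no
        resolver.authoritative_reply_arrives()
    return None


if __name__ == "__main__":
    for bits in (TXID_BITS, TXID_BITS + PORT_BITS):
        p = forgery_success_probability(1000, bits)
        print(f"{bits} bits to guess, 1000 forged replies per race: "
              f"p={p:.2e}, expected races={expected_races_until_poisoned(1000, bits):.0f}")
    weak = CachingResolver(randomize_port=False, rng=random.Random(1))
    print("fixed port: poisoned in round", kaminsky_style_attack(weak, 2000, 2000, random.Random(2)))
    strong = CachingResolver(randomize_port=True, rng=random.Random(1))
    print("random port: poisoned in round", kaminsky_style_attack(strong, 50, 2000, random.Random(2)))
```

With a fixed source port the simulated resolver is typically poisoned within a few dozen rounds; with port randomization the same flood needs on the order of millions of rounds, which is why the patch turned a seconds-long attack into an impractical one rather than a merely slower one.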
   


posted by Kate Brew

I conferred with some of the security experts at Citrix on the topic of people and security.  Their advice came in several key areas:  

Physical access to IT assets: Gaining physical access to machines greatly increases the damage a malicious user can do and the data they can steal. For this reason, admins should restrict physical access to sensitive resources - for example, restricting access to the XenApp farm to Citrix administrators with authorized access cards.

Citrix products offer a great advantage in making it unnecessary to have applications and data locally stored, so physical access is less of an issue.  Some of our most security sensitive customers publish the application that can manipulate sensitive data but disable client drive mapping and the clipboard virtual channel and print screen functionality so that no data can leave the data center. 

Unattended and unlocked user workstations are also a liability and a policy that requires users to lock workstations when they leave the work area is strongly suggested.  System configuration to lock workstations after a few minutes of inactivity and password-protected screen savers are also good measures. 

Separation of Duties: Security policy should be such that no one person or role holds all control.  This means assigning roles in a manner in which it takes more than one person to accomplish certain tasks.  For example, if the task is releasing a binary to a customer, a software developer should not QA their own code.  Similarly, an administrator's activities should be monitored by a separate auditing role. 

Citrix brings value here as well, with a separate role for Citrix Administrators who share control of the overall system with Local and Network Administrators.  The Citrix Administrators manage only the Citrix environment, so there is additional separation of duties.

  Least Privilege:  The old "need to know" basis!  Well in this case, "need to have permission to do."  People's roles in an organization and access rights should be broken down to grant users only the privileges that they need for their particular jobs.  This applies to admins as well - for example, the database admin should not have management rights on the mail server or security console or the network. 

Citrix allows you to publish applications using different roles to further restrict access to certain data and privileges.   
The whole point of least privilege is that if an attacker is able to compromise an account, they can only do a small subset of tasks on the network/database/machine. 

Password Policies:

There are several ways people can weaken corporate security with their management of passwords. The problem with passwords is that users want them to be easy to remember. As a result, they may try to simplify things with the following bad practices:

- Writing down their passwords
- Setting all of their application passwords to the same thing
- Using really easy-to-guess passwords, like their dog's name
- Using the same password every other time they change it (just alternating)
- Using trivial and short passwords, like 123
- Never changing their passwords

These user antics are not good for corporate security! Security policy should specify:

- Password length
- Password complexity (require special characters, a mix of letters and numbers, etc.)
- Password history enforcement (force a new password and don't allow repeats for a certain number of passwords)
- Disallowing the use of dictionary words in the password
- Prohibiting the use of obvious words, like Citrix, in a password
- Password expiry, forcing password changes

Enforcement of this policy is a different matter. Citrix Password Manager can help administrators enforce these policies in a corporate setting. Plus, with CPM you can configure things so that users do not even know their own passwords, very effectively preventing sharing. As a side benefit, if the user leaves, de-provisioning and assuring the user can no longer access any assets is much easier, since the user didn't know their passwords in the first place.
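As an added illustration of what enforcing the list above actually involves (this is example code written for this page, not Citrix Password Manager's logic), here is a Python policy checker. It applies length, character-class, dictionary, prohibited-word, user-name and history rules and reports every rule a candidate breaks, plus an expiry check. The word lists are deliberately tiny and constructed; a real deployment loads a full dictionary. History is compared against salted PBKDF2 hashes rather than stored plaintext, with an assumed per-user salt, which also catches the "alternate between two passwords" habit, since the previous N hashes are all retained.

```python
import hashlib
import hmac
from datetime import date

# Constructed, deliberately tiny word lists; a real deployment loads a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "summer", "winter", "dragon", "monkey", "letmein", "qwerty"}
PROHIBITED_WORDS = {"citrix", "xenapp"}

# Substitutions users make to sneak a dictionary word past a naive check (P@ssw0rd).
LEET_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "!": "i"})
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def _normalize(password):
    """Lower-case and undo common substitutions before looking for words."""
    return password.lower().translate(LEET_TABLE)


def hash_for_history(password, salt):
    """Previous passwords are kept only as slow salted hashes, never in clear.
    Assumption: one fixed salt per user, stored beside the history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordPolicy:
    def __init__(self, min_length=12, min_classes=3, history_size=5, max_age_days=90):
        self.min_length = min_length
        self.min_classes = min_classes
        self.history_size = history_size
        self.max_age_days = max_age_days

    def violations(self, password, username, salt, history):
        """Every rule the candidate breaks (empty list means accepted).
        `history` holds hash_for_history() values, most recent first."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum([
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(c in SPECIAL_CHARS for c in password),
        ])
        if classes < self.min_classes:
            problems.append(f"uses {classes} character classes, needs {self.min_classes}")
        normalized = _normalize(password)
        for word in sorted(DICTIONARY_WORDS):
            if len(word) >= 4 and word in normalized:
                problems.append(f"contains dictionary word '{word}'")
        for word in sorted(PROHIBITED_WORDS):
            if word in normalized:
                problems.append(f"contains prohibited word '{word}'")
        if username and username.lower() in normalized:
            problems.append("contains the user name")
        # History: hash once, compare in constant time against the last N entries.
        candidate = hash_for_history(password, salt)
        for previous in history[: self.history_size]:
            if hmac.compare_digest(candidate, previous):
                problems.append(f"matches one of the last {self.history_size} passwords")
                break
        return problems

    def is_expired(self, last_changed_iso, today_iso):
        """Expiry check on ISO dates (YYYY-MM-DD), forcing the periodic change."""
        age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
        return age.days >= self.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    salt = b"constructed-per-user-salt"
    history = [hash_for_history("Old-Secret-99!", salt)]
    for candidate in ("123", "P@ssw0rd2008!", "Citrix#Rocks2008", "Old-Secret-99!", "Vx9$kQ2mL!pR7w"):
        print(f"{candidate!r}: {policy.violations(candidate, 'kbrew', salt, history) or 'OK'}")
    print("expired:", policy.is_expired("2008-01-01", "2008-06-01"))
```

Reporting all violations at once, rather than stopping at the first, is what keeps help-desk calls down: the user fixes everything in one attempt instead of discovering the rules one rejection at a time.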


posted by Kate Brew

Robert O'Keefe has created a demo of how to use the Citrix Password Manager Localization SDK, which can be used to localize the CPM plugin to languages beyond those natively supported.

Video: http://www.youtube.com/watch?v=sYxBOsIGzc8


posted by Sierra Hampton

The views expressed here are mine alone and have not been authorized by, and do not necessarily reflect the views of, Citrix.


Last week, two of Citrix's peer IT certifying agencies, Cisco and Microsoft, launched new exam security initiatives. Both, in an effort to combat the growing problem of test fraud and test theft, have implemented policies and programs to address the issue on a wide scale. The growing problem of exam security breaches has forced many players in IT certification to stand up and take notice. In this day and age, with the cost to develop quality examinations on the rise and the perceived value of certifications waning, it has become more critical that IT certification programs combat cheating and exam fraud from several different angles.

As the Manager of Exam Development in Citrix Education, I have also focused more on exam security. Beginning last year, I focused more than ever on security measures by working with industry peers, security consultants, and exam delivery providers (Prometric and VUE) to tackle the growing problem of cheating. I have to admit that when I first began this process it felt like an unrealistic goal to tackle.

The ever-growing presence of brain dumps (those web sites that sell stolen exam content) is not easy to ignore. But to make matters worse, the attitudes of some towards the use of brain dumps and other forms of cheating just make it that much more difficult. In the last year I have had more opportunities than ever to meet and get to know Citrix certificants. What they have repeatedly stressed to me is how they want Citrix Education to do something about brain dumps; that they don't want just any Joe Administrator to get Citrix Certified; that they are sick and tired of meeting "paper certified" individuals who have no experience.

So how do you eat an elephant? One bite at a time......

In 2007, Citrix Education started slowly by adopting a security plan. That security plan addressed four areas:

Detection of test theft and fraud
Education of candidates to appropriate behavior
Development of comprehensive policies
Enforcement of policies

Citrix Education conducts web patrolling efforts 24 hours a day, worldwide, to identify brain dumps as well as violators of our exam policies. Once a site is detected, staff members and security professionals purchase, analyze, and verify that the advertised content or information is indeed the intellectual property of Citrix. Based on the information gathered, I have been able to serve legal takedown notices and cease-and-desist letters to websites. In addition to brain dumps and auction sites, I have also discovered candidates "discussing" exam content and "sharing" answers...you know, in the interest of "knowledge being FREE".

Candidates sharing exam content is, by the way, in direct violation of the NDA that all exam takers must accept before taking an exam. When initially kicking off the security initiative, I realized that many did NOT read this NDA before taking the exam. Kind of like a EULA, exam candidates see that NDA and simply scroll to the radio button marked "Yes, I agree." without ever considering what they have agreed to.....

So Citrix Education adopted a Candidate Conduct Policy that had been widely used by our IT peers. This policy (http://www.citrixtraining.com/content/index.cfm/cgroup_id:48) basically outlines everything that candidates have done in the past that is classified as illegal behavior. Additional Citrix Education policies include retake, beta exam, and special needs testing policies: http://www.citrixtraining.com/content/index.cfm/cgroup_id:38. A violation of any policy can result in a list of remedies, including bans of up to a year.

The newest addition to exam policies is that of classifying results as indeterminate. Based on data forensics, our security consultants identify suspicious results and, depending on the strength of the data (say a 1 in 10,000,000,000 chance of a specific result occurring by chance), I can conclude with confidence that a result is not sound and will invalidate it. Once invalidated, a result will not count toward certification.

After putting these policies and procedures in place it's been really interesting what I have found:

Once people know someone is looking, they repent and cease with their misconduct.
Education of candidates is key; in fact candidates often state that they did NOT know that they were in violation of the NDA or any other policy.
Even those with the most grave violations, seem to value the cert when they are in danger of losing it.

I hope our efforts will help Citrix Education begin to make a dent in the challenge of exam security. But I realize that a huge part of the problem is in the attitudes and lack of a universal understanding of what constitutes test theft and fraud. So my mission is simple,

To educate Citrix Certification Candidates and Certificants on what constitutes cheating and how it impacts the value of the credential in an effort to maintain the integrity and validity of our certification programs.

What I really hope to get out of this besides the above is a better understanding of our certified community. And as Citrix Education takes bite after bite of the elephant known as cheating....I can only hope that candidates and certificants worldwide will see the return to the value of certification....

The million dollar question is with all the buzz by Citrix and others on increased security initiatives, how will the cheaters respond?

Sierra Hampton is the Manager of Exam Development and has worked at Citrix for 7 years.


posted by Kate Brew

I read several articles about research on the behavior of IT professionals recently.  The research was sponsored by security vendor Cyber-Ark.  Amazing stuff!  A third of all IT professionals surveyed could still access the company's network after they left the job.  A third admit to snooping and peeking at  information like people's personal emails, salary info and other juicy tidbits.  Most shocking: 50% of all IT professionals still keep passwords on Post-It notes.  These are administrative passwords!!  The really omnipotent accounts!!

The press release from Cyber-Ark has more details.  The survey was of 200 IT professionals at April 2008's Infosecurity Exhibition Europe, and it was entitled "Trust, Security and Passwords". 

Interestingly, these folks admitted these things in an anonymous survey, but aside from that they might never be detected in their snooping - admin passwords generally give privileged and anonymous access to systems.

One point: there's a difference between snooping and corporate-policy-based monitoring of company IT assets.  The survey was pointing out the fact that IT administrators can inappropriately access information and they count on not being caught.


posted by Chris Fleck

In case you missed it, there is a really interesting story circulating on the Net, best told by Jim Louderback, the CEO of Revision3 and victim of a DDoS attack over Memorial Day weekend (his blog and CNET interview). If you're a fan of Revision3 you already know that they got taken off-line for 3 days; if you're not, you may want to check out their site. They represent perhaps the best example of new media and the future of TV, including HD video, channels, live and on-demand, etc., all delivered via the web. In order to achieve high quality video, Revision3 legitimately uses BitTorrent technology for distributing content to users. The problem came about when a "legitimate" media tracking company identified a Revision3 server as a potential source of "questionable" BitTorrent traffic. Once Revision3 was made aware of this situation (by a forum poster) they appropriately locked down the server; what happened next was the strange part...

As reported by Revision3, the media tracking company (presumably automatically) launched a DDoS attack on Revision3's site, flooding it with as many as 8,000 packets per second and taking down the site by exceeding the capacity of its limited web servers. Complicating the matter was the long weekend and unreachable staff at the offending company. Once they were finally able to get in contact, the company stopped the attack and the two started to unravel what had happened.

The NetScaler system may not be positioned as protection from "good" guys (vs. typical bad guys), but this situation exemplifies why it is worth consideration as part of a comprehensive protection plan. That is why web-based media companies like MSN, CNET, Digg, and many others rely on NetScalers to protect their infrastructure. Among other features, NetScaler protects sites from SYN flood DDoS attacks by handling all connection requests itself and only forwarding legitimate, ticketed traffic to the web server; all other SYN flood requests are dropped before ever reaching the company's web servers.
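The "ticketed traffic" idea above is the SYN cookie technique: the front end answers every SYN with a SYN-ACK whose sequence number is a keyed hash of the connection, keeps no state, and only creates a real connection when a client comes back with an ACK that proves it received that number. The Python below is an added example written for this page, not NetScaler's implementation; the cookie layout (5-bit time counter, 3-bit MSS index, 24 bits of HMAC plus client ISN), the MSS table, the 64-second epoch and the secret are all assumptions, and addresses and traffic are constructed. It contrasts a classic listener whose backlog fills under a spoofed SYN flood with a cookie-based proxy that forwards nothing until the third packet verifies.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret for the demo; a real device rotates it and keeps the previous
# one so cookies issued just before a rotation still verify.
COOKIE_SECRET = b"constructed-syn-cookie-secret"
MSS_TABLE = (536, 1300, 1440, 1460)   # assumption: small MSS table, index kept in 3 bits
EPOCH_SECONDS = 64                    # time counter ticks every 64 s
COUNTER_BITS = 5                      # counter modulo 32 lives in the top 5 bits
MAX_COUNTER_SKEW = 1                  # accept cookies from this or the previous epoch


def _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter):
    """HMAC over the 4-tuple and the epoch counter; only the issuer knows the key."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port, counter)
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN for the SYN-ACK, built so the SYN itself needs no stored state:
    [5 bits counter | 3 bits MSS index | 24 bits (keyed hash + client ISN)]."""
    counter = (now // EPOCH_SECONDS) % (1 << COUNTER_BITS)
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_index = fitting[-1] if fitting else 0
    low = (_keyed_hash(src_ip, src_port, dst_ip, dst_port, counter) + client_isn) & 0xFFFFFF
    return (counter << 27) | (mss_index << 24) | low


def verify_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, cookie, now):
    """Return the MSS encoded in `cookie` if we could have issued it for this
    4-tuple within the last epoch or two, otherwise None (drop the packet)."""
    counter = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    current = (now // EPOCH_SECONDS) % (1 << COUNTER_BITS)
    if (current - counter) % (1 << COUNTER_BITS) > MAX_COUNTER_SKEW:
        return None                                   # stale or forged counter
    if mss_index >= len(MSS_TABLE):
        return None
    expected = (_keyed_hash(src_ip, src_port, dst_ip, dst_port, counter) + client_isn) & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                                   # hash mismatch: not ours
    return MSS_TABLE[mss_index]


class StatefulListener:
    """Classic behaviour: every SYN allocates a half-open entry until the backlog is full."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}
        self.dropped = 0

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1          # real clients are now refused too
            return None
        self.half_open[(src_ip, src_port)] = client_isn
        return 0x12345678


class SynCookieProxy:
    """Answers every SYN with a cookie, stores nothing, and forwards to the
    backend only after a valid third-packet ACK proves the client is real."""

    def __init__(self):
        self.forwarded = []

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
        return make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack, now):
        # Third packet: seq = client_isn + 1, ack = our cookie + 1.
        mss = verify_syn_cookie(src_ip, src_port, dst_ip, dst_port,
                                seq - 1, (ack - 1) & 0xFFFFFFFF, now)
        if mss is None:
            return False
        self.forwarded.append((src_ip, src_port, mss))
        return True


def syn_flood(listener, count, now):
    """Constructed flood: spoofed SYNs from `count` sources that never ACK."""
    for i in range(count):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        listener.on_syn(src, 40000, "198.51.100.10", 80, i * 7919, 1460, now)


if __name__ == "__main__":
    stateful, proxy = StatefulListener(backlog=128), SynCookieProxy()
    syn_flood(stateful, 1000, now=1_000_000)
    syn_flood(proxy, 1000, now=1_000_000)
    print("stateful listener dropped", stateful.dropped, "of 1000; proxy forwarded", len(proxy.forwarded))
    c = proxy.on_syn("192.0.2.7", 40000, "198.51.100.10", 80, 5000, 1460, 1_000_000)
    print("legit handshake accepted:", proxy.on_ack("192.0.2.7", 40000, "198.51.100.10", 80, 5001, c + 1, 1_000_010))
```

The price of statelessness is that the SYN's options cannot be remembered, which is why the MSS is squeezed into the cookie and why window scaling or SACK negotiated in the SYN are lost unless the device has some other place to carry them; that trade-off is worth knowing before turning the feature on for every virtual server.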

So for the next review of your security infrastructure, keep in mind who are the "good" or bad guys and are you protected either way.


posted by Kate Brew

I spent some time recently chatting with Ross Duncan, VP of Channels at Gemalto, due to my role as product manager for Citrix Password Manager. While Citrix remains "strong authentication agnostic", Ross raised some great points:

- Passwords are bad - I don't think anyone will argue this point! There have been many solutions to enforce management of passwords to mitigate the inherent weakness. Then those "solutions" that make passwords more complex can cause user convenience problems - plus bad behavior such as passwords written down, using the same password for many applications, and so on. Then the help desk calls are both extensive and expensive.
- eSSO means putting all the keys to the kingdom in one place. This allows IT to use hyper-secure passwords (20+ characters, special characters, etc.) that change rapidly. However, the end user now has only ONE password to know - therefore there is a case to augment it with a strong authentication device like Gemalto smart cards.
- Coupling eSSO and smart cards brings the ultimate in convenience with maximum security - the user inserts their card, enters their PIN, and they can securely access the system. This is much easier than entering a user name and password - easier and more secure.
- Vendors like Gemalto are integrated with Citrix Password Manager, smooth roaming/Hot Desktop, XenApp and CAG, which is convenient for customers.

We also discussed the merits of converging logical and physical security. This always looks great on PowerPoints, but it has been a real slow starter in real life. It's been discussed for 8 years that I personally know about, but the actual implementations are lagging. It always struck me this way: the physical security personnel and the IT security personnel are usually in different areas within an organization, and there are numerous political barriers to having the two groups work together and contribute budgets to make a badge/technology/management decision together. I know Gemalto has partnerships to do this, but it seems to me to face obstacles. Would like to hear comments!
 


posted by Chris Fleck


Running Windows applications on the iPhone may not be a high priority for Steve Jobs, but for many IT users and providers the desire seems to be increasing. The recent SDK and upcoming release of the Apple 3G iPhone have increased the interest in Citrix enabling iPhone access to XenApp hosted Windows applications. We are always encouraging expanded access to XenApp from any suitable device, and the iPhone appears to be a very good candidate. The great screen and touch features would provide usable viewing of apps even though they were designed for bigger screens. Plus, the improved email and networking capability of the device can now make it a real contender for business use. The iPhone could even be the "Nirvana Phone" if a new docking station were offered to provide video access to a full-sized monitor plus a standard keyboard.

So the question is one of priority and market demand, where does this fit on the list of nice to have vs. must have now, and does the solution need to come from Citrix or could it be partner provided such as the Rove Mobile client for BlackBerry. We encourage your opinions and feedback.

Do you need a Citrix client for the iPhone?
- I want it for myself
- I need it for my company users (and myself)
- Cool, but my company is not likely to enable it

What is the primary iPhone use case at your company?
- EMR - Patient records, view and update.
- CRM - Customer records, view and update.
- ERP - Process workflows, approvals, etc.
- Documents - Find, view, edit, forward.
- Specific line of business app

** Update 11/1/08

Yes, we are listening, and yes we are going to ship a Citrix Receiver for the iPhone ! Mark Templeton demonstrated our latest internal build at our Summit event last week and our partners gave us the same enthusiastic response as we are seeing here on the Blogs. Right now the ship schedule is first half of '09 , but keep those votes and use cases coming and help us increase the priority further ! 

*** Update 3/30/09

Check the App Store !

Follow me at  http://twitter.com/chrisfleck


posted by Chris Mayers

Recent reports of the Debian SSL vulnerability (see US-CERT and El Reg) give thorough and careful explanations of the issue.  It's worth emphasising a few points:

  •          It's where the keys are generated that matters – not where the keys are used. So if you generated the key (and the certificate for it) on the affected Debian platform, you're affected, even if the certificate is used on a Windows platform or some other Unix.
  •          If the certificate was signed by your private CA, just follow your own standard replacement procedure. If the certificate was signed by a public CA, you'll need to go through their certificate replacement procedure.   It's encouraging that public CAs are taking a constructive attitude to this problem (see Verisign's press release, and Thawte's reissue policy, for example).
  •          Don't forget to install the replacement certificate on all machines that need it (for example, if it is a wildcard certificate). 

If you think you might be affected by this problem, don't ignore it. Grasping for a silver lining – at least you can treat this as a fire drill for a nastier occasion, like your certificate being stolen.


posted by Chris Fleck

Many news reports have recently identified the increased threat to web sites and applications from SQL injection, the most recent example being the Nihaorr1 script that resulted in over 600,000 sites being infected, even including the Department of Homeland Security and the UN. Although initially identified as a Windows IIS server vulnerability, the root cause of the recent exposure goes beyond IIS: lax web application coding has been identified as the culprit. In a Register interview, the DHS assistant secretary for Cybersecurity is quoted as saying "our networks are only as strong as the weakest link", which makes sense but also identifies how vulnerable web applications are. If a company is relying on the variability of programmer security knowledge and limited QA testing to protect their web app from yet-to-be-defined threats, it's no wonder that so many sites are exposed and hacked.

Perhaps one of the ways to better protect an organization from the next undefined attack is to look at minimizing the impact of variability. A common best practice in the manufacturing industry is to evaluate every process and implement techniques and tools to reduce variability so as not be overly dependent on a final test or inspection which always has some level of escapes. This is the core of the Six Sigma  technique that many world class manufacturers utilize to improve product quality.  

As applied to IT protecting web applications, a tool that can be implemented to reduce the impact of programmer variability is a web application firewall such as the positive security model feature of the NetScaler Application Firewall. This feature recognizes best coding practices for HTML and industry HTTP standards and automatically blocks web app behavior and variations outside a known-good model. The result is a significant reduction in the risk created by variable programmer skills and expensive but incomplete QA testing. In the specific example of the Nihaorr1 attack, a recent test validated that the NetScaler Application Firewall was indeed able to block the Nihaorr1 script using the default configuration. Additionally, the learning features of the App Firewall can be used for more granular configurations and protection as well.
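To show both halves of the argument above in code, here is an added Python example (written for this page; it is neither the Nihaorr1 payload nor NetScaler's rule set). The first function is the "variable programmer" version that pastes user input into SQL text, the second is the same query with a bound parameter, and the third is a minimal positive security model: a per-URL allow-list of parameters and the shape each may take, where anything not explicitly known-good is refused before it reaches the application. The database is a constructed in-memory SQLite catalogue. The tautology and UNION payloads are single statements; the Python sqlite3 module refuses to run several statements in one execute() call, so stacked-query payloads are not demonstrated here.

```python
import re
import sqlite3


def setup_demo_db():
    """Constructed in-memory catalogue standing in for a site's real database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products (name, description) VALUES ('Widget', 'A basic widget');
        INSERT INTO products (name, description) VALUES ('Gadget', 'A fancy gadget');
    """)
    return conn


def search_vulnerable(conn, name):
    """Input is concatenated into the SQL text, so it can rewrite the query."""
    sql = "SELECT name FROM products WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, name):
    """Same query with a bound parameter: the input can only ever be a value."""
    sql = "SELECT name FROM products WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# Positive security model: for each URL, the parameters that may appear and the
# pattern each must match. Unknown URLs, unknown parameters and out-of-pattern
# values are all blocked, whichever attack they happen to belong to.
KNOWN_GOOD = {
    "/search": {"name": re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{0,39}")},
}


def positive_model_check(path, params):
    """Return (allowed, reason); only traffic inside the known-good model passes."""
    spec = KNOWN_GOOD.get(path)
    if spec is None:
        return False, f"unknown path {path}"
    for key, value in params.items():
        if key not in spec:
            return False, f"unexpected parameter {key}"
        if not spec[key].fullmatch(value):
            return False, f"parameter {key} does not match known-good pattern"
    return True, "ok"


def handle_search(conn, path, params, firewall=True):
    """Request pipeline: application firewall first, then the (safe) query."""
    if firewall:
        allowed, reason = positive_model_check(path, params)
        if not allowed:
            return {"status": 403, "reason": reason}
    return {"status": 200, "results": search_parameterized(conn, params.get("name", ""))}


if __name__ == "__main__":
    conn = setup_demo_db()
    payloads = {
        "honest": "Widget",
        "tautology": "' OR '1'='1",
        "union": "x' UNION SELECT description FROM products --",
    }
    for label, payload in payloads.items():
        print(f"{label:10} concatenated={search_vulnerable(conn, payload)} "
              f"parameterized={search_parameterized(conn, payload)} "
              f"firewall={handle_search(conn, '/search', {'name': payload})}")
```

The two defences are complementary rather than alternatives: the parameterized query fixes this one code path, while the allow-list in front of it also catches the next developer's path that was never reviewed, which is the variability argument the post is making.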

So before the next threat to your web applications is discovered, it may be worth further investigation as to the human influence of variability in IT operations and consider steps to mitigate the risks.   

 


posted by Kurt Roemer

Should government employees be allowed to use personal systems? Many government CIOs/CISOs are reluctant and prohibit employees from using non-government furnished equipment. This is problematic for many reasons including:

  • Organizations have an increasingly mobile workforce that needs to be able to work from anywhere. On the government side, it may be the census taker, the CDC scientist in a 3rd world country, a DEA agent in the field or our soldiers in the Middle East. All of these roles need access to the applications and information critical to their mission (and sometimes, even their lives).
  • The government has had a strong telework mandate for years now, but the scope of outfitting every employee with government-furnished equipment (GFE) at home is cost prohibitive. And requiring a GFE doesn't fit how today's workforce operates nor does it address the need for emergency ad-hoc access.
  • Many agencies' continuity of operations plans aren't practical as they require a "check-out of GFE resources". Two years ago, during the Potomac River floods, many of our agencies were under water and unable to supply GFE to their workforce...same was true during Hurricane Katrina.
  • A younger workforce, or "Echo Boom" generation, doesn't want to use GFE, they want to use their personal systems! The ability to utilize a platform of choice is increasingly a recruiting/retention issue - especially with mobile devices. The US Government is expected to lose 70 percent of its existing workforce by 2011 and needs to address all of the factors that lead to attrition. This is one of the largest issues in government. (See my recent blog posting)

Aside from the mounting pressure for unfettered access, security concerns for government systems often greatly exceed those of civilian systems.  How do you hand someone a laptop with a large hard disk, give them access to a wealth of information, allow that information to be distributed and maintain needed security controls? Even with encrypted hard drives, the control of physically distributed data continues to lead to data loss and distribution worries. The root problem transcends the GFE vs. personal debate.

The reaction we're seeing from the government in disallowing the use of personal systems and tightly controlling GFEs is indicative of a bigger problem:  the client/server computing model implies the deployment of a "trusted client".  Increasingly, the inability to provide and maintain a trusted client at all times has resulted in data loss and compromise.  It's because the "trusted client" model does not allow for the security controls that are necessary and essential for a distributed workforce.

To accommodate security for today's distributed workforce, consider a model where defined applications and services are delivered - not deployed. By adopting the delivery model, stringent controls can be applied to applications and desktops that remain under the protection of the datacenter, with only keystrokes, mouse clicks, and screen refreshes traversing the network. In this delivery model, authentication, logging, and the ability to copy, paste and print can all be controlled on an application-by-application and user-by-user basis. Combined with the abstraction and isolation of virtualization, resources and systems are separated from each other with a security boundary that allows sensitive data to be accessed from personal systems without residing on them.

Embracing delivery and virtualization allows the government (and other organizations) to provide users the freedom of a "platform of choice" and the organization to maintain the required security controls. Don't make a federal case out of the laptop debate - deliver a solution that truly addresses the underlying needs.

[by Kristin Taylor and Kurt Roemer]


posted by Kurt Roemer

Everybody has heard the stories and wants to believe - but there's no such thing as "PCI Compliant" products*.

People are constantly asking the question: Is "Product X" PCI compliant? The short answer is: No.

The long answer requires some careful explanation.

PCI sets forth 12 major requirements for an organization to meet, with the result of meeting these requirements culminating in an attestation of compliance. The PCI auditor verifies that the intent of PCI has been met, and compliance is granted. (OK, I know I just oversimplified a very complex set of processes - but the result is the same: the organization is deemed compliant or not)

But, what about the products that are used to support organizational PCI compliance? Network firewalls, antivirus, IDS/IPS, and application firewalls are listed in the PCI specification as core products whose functionality is required to obtain PCI compliance. Don't these products have to be certified as compliant? No, there is no provision for product compliance in the PCI DSS v1.1 specification.

So, given that PCI doesn't directly certify products, what should an organization do to provide audit assurance that products can be used for the intended PCI purpose?

  1. Verify vendor claims - just because a salesperson says it, it doesn't make the statement true.
  2. Rely on trusted third-parties - organizations like ICSA Labs, NSS Labs, WASC and OWASP have detailed product capability matrices, testing and certification criteria, and comparative data.
  3. Discuss concerns with your auditors - because PCI auditors make the final decision on compliance, they should be involved in key decisions leading up to the certification event.

There have been some wild claims with PCI - including the notion of "PCI certified products." When faced with conflicting information, work with trusted vendors and partners, press your auditor or PCI QSA for the documented facts, and escalate ambiguity as necessary through to the PCI Security Standards Council.

With factual information and proper actions, we can all help PCI reach its lofty goal: Increase trust in credit card usage by holding merchants to a high standard - the PCI DSS.

PCI Backgrounder

PCI DSS, the Payment Card Industry Data Security Standard (or simply PCI) specifies compliance standards for credit card usage. If your organization stores, processes, or transmits credit card data, PCI applies to you. The PCI Security Standards Council maintains and publishes the standard at www.pcisecuritystandards.org.

*Note: There is a "Listing of PCI Security Standards Council Approved PIN Entry Devices" at https://www.pcisecuritystandards.org/pin/pedapprovallist.html. The PEDs are the only products to have PCI SSC approval.


posted by Kurt Roemer

Looking back at the 2008 US RSA Security Conference, there was a tremendous amount of interaction, but not a readily apparent amount of innovation.

I spent the bulk of my time in meetings with customers, partners, press, and analysts. All seemed to echo the same sentiment - there's not any single "wow factor" at this year's RSA. But, that's not to say that there weren't hot topics, the two most obvious being DLP and Virtualization Security.

DLP

DLP, or Data Loss Prevention (also sometimes known as Data Leakage Prevention) is the capability to keep sensitive data from inadvertently leaving the organization. The concept and message around DLP is rather simple, but the architecture and management of DLP is where the difficulty comes into play.

When you consider all the sensitive data in most organizations, where it exists, and how it's used, you get a feel for just how big of a problem DLP needs to address. In most organizations, data isn't even regularly classified and labeled as public or non-public information. And, data has been over-distributed onto any media that can hold it (e.g. laptops, USB keys, iPods), often without any control. DLP technologies purport to get a handle around this problem and manage the access to and distribution of sensitive data.

On the surface, DLP seems like it's facing a really tough problem. And it is - if you're just trying to add controls to the existing model of data access and over-distribution. Looking at the problem with virtualization in your toolbox, though, can change our basic assumptions and bring us closer to the elusive goal of DLP.

Combining application virtualization and DLP allows authorized users to access a view of sensitive data, while providing additional context-sensitive controls around access to the data. As an example, a user in the office might be given the ability to use an application housing sensitive data on their corporate-managed device only after submitting strong credentials and passing the necessary security checks. A policy would prohibit them from using the application in ways that violate policy, such as printing sensitive info. Because the DLP software is integrated with the application virtualization environment in the data center, the DLP software has full control over usage of the sensitive data, and the data never leaves the datacenter. DLP can be much more effective when managed from the datacenter and the management of sensitive data on endpoints is eliminated from the equation. The same concept holds true for both application virtualization and desktop virtualization.

Virtualization Security

As the above DLP example shows, virtualization is stimulating innovative thoughts and challenging the status quo. There were many questions posed at RSA about upcoming client and desktop virtualization opportunities, in addition to current server virtualization security challenges.

On the server front, most of the discussions were around how network-level security objectives can be achieved in a virtual server environment. Organizations that have implemented server virtualization have watched as the proliferation of these environments has reduced security visibility for legacy network controls. The network folks want to know how to "see" into the virtual server environment, and how to control VM-to-VM communications. This is being accomplished for the most part through "security virtual appliances" or "security virtual machines" that duplicate physical network controls in the virtual realm. There appeared to be many vendors touting capabilities for scanning, IDS/IPS, and virtual firewalls with techniques borrowed from the physical realm.

The real breakthroughs appear to be just in front of us and will involve how we utilize virtual applications and desktops. The capability to virtualize and abstract for security isolation, as well as for usability, appears to be driving real change. These changes promise to allow user functionality to follow users anywhere, without cumbersome user configuration and management. And, with security policies built in, maintained and verified, we should see the trust models change for the better. Microsoft introduced some very interesting concepts and considerations around End-to-End Trust at the beginning of the show that extend well into virtualized client capabilities.

As the security industry matures, we'll probably witness less of a "wow" factor with each conference. But we'll all sleep a little better knowing we're getting closer to the goals of true security.


posted by Kate Brew

Autonomic security, AKA self-healing, self-defending, situation-aware security, or feedback-based security management, has long been a dream in distributed IT computing.  It could be that the reason this dream was not realized is that it is too hard to do in distributed computing.

 Enter virtualized computing, with centralization and much greater control over the [wily careless security-ignorant only-cares-about productivity] user.  Now does that change the complexion of the problem?

 The enemy is the usual: malware, such as worms, viruses and trojans, plus future attacks we don't even know about now.   Malware designers unfortunately have the upper hand, with ever stealthier approaches to evil.  Most security countermeasures are simply responses to known threats.  Thus the bad guys are controlling the game.

With virtualized computing, IT asserts more control.   Might it not be possible to realize autonomic security more effectively?  One of the problems distributed computing has is relentless complexity and lack of control.  With distributed computing, the end user is in the driver's seat!  Maybe if all end users were very diligent about security this would be fine.  This is sadly not the case.

 Autonomic security affords the luxury of not relying on a human to notice things are stealthily going amok.  It is possible to monitor what is going on in the network, applications, OS's, processors, and so on.  With a virtualized environment, does this not become easier?

To be clear, it is possible autonomic computing actually creates additional security challenges, doing things automatically like changing system configurations, interconnections and so on, creating interesting entry points for malware designers.

I'd very much enjoy a dialog on the following thought: in a centrally controlled virtualized environment, is security innovation possible?  Given that we can get better information about what is going on, for example anomalous behavior such as a processor being hit abnormally, or other anomalies such as buffer overflows or abnormal accesses or sensitive data being touched in any way, could we not modify the enterprise security policy on the fly?  Could we have software look at the collective of information now at our fingertips and change security policy appropriately?

The model I have in mind is human behavior.  If you are walking down the street and it's daytime, and it's a cheerful sunny day, and nothing suspicious is going on, you behave in a way that maximizes productivity and pleasure.  In contrast, if you're walking down the street and it's dark and late, and there are strange-looking people about, and they are looking at you with too much interest, your security posture changes and security becomes more important than productivity and pleasure (until you get out of the situation).

So could we not use that model and have an adaptive security policy that intelligently changes, based on the information available?  Not attacks per se, as there is software that does that already.  What if we could look at the health of the network and applications and decide that the situation is not normal and a more restrictive security policy is now required?  Productivity and pleasure take a back seat when it's "code red".
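One way to make the "code red" idea concrete is a small feedback loop: weighted anomaly signals feed a decaying risk score, the score selects a posture, and each posture carries the session controls (clipboard, printing, device redirection, idle timeout) that a centrally managed virtualized environment can actually enforce. The following is an added illustrative example, not code from the original post; the event types, weights, thresholds and control sets are constructed assumptions. It also adds hysteresis so that a noisy signal does not make the policy flap between permissive and restrictive.

```python
"""Adaptive security posture engine: an added illustrative example, not code
from the original post. The event types, weights and thresholds below are
constructed assumptions about what a virtualized environment could report."""
from dataclasses import dataclass
from enum import IntEnum


class Posture(IntEnum):
    NORMAL = 0     # sunny day: maximise productivity
    ELEVATED = 1   # something looks off: tighten data-movement controls
    CODE_RED = 2   # strong signs of compromise: lock the session down


# Risk weight per anomaly type (constructed values); unknown types get 0.5
EVENT_WEIGHTS = {
    "cpu_spike": 1.0,
    "abnormal_access": 2.0,
    "sensitive_data_touched": 3.0,
    "buffer_overflow": 4.0,
}

# Session controls applied at each posture (constructed policy)
POLICIES = {
    Posture.NORMAL:   {"clipboard": True,  "printing": True,  "usb_redirect": True,  "idle_timeout_min": 60},
    Posture.ELEVATED: {"clipboard": False, "printing": True,  "usb_redirect": False, "idle_timeout_min": 15},
    Posture.CODE_RED: {"clipboard": False, "printing": False, "usb_redirect": False, "idle_timeout_min": 5},
}


@dataclass
class Event:
    kind: str      # one of EVENT_WEIGHTS' keys, or anything else (weight 0.5)
    severity: int  # 1..5 as reported by the monitoring source


def risk_score(events, decay=0.8):
    """Exponentially decayed sum of weighted severities, oldest event first,
    so recent anomalies dominate and quiet periods let the score fall."""
    score = 0.0
    for ev in events:
        score = score * decay + EVENT_WEIGHTS.get(ev.kind, 0.5) * ev.severity
    return score


def posture_for(score, elevated_at=5.0, code_red_at=15.0):
    """Map a risk score to the posture that should be in force."""
    if score >= code_red_at:
        return Posture.CODE_RED
    if score >= elevated_at:
        return Posture.ELEVATED
    return Posture.NORMAL


class PostureController:
    """Escalates immediately but relaxes only once the score has fallen well
    below the current posture's threshold (hysteresis), so noisy telemetry
    does not make the policy flap between restrictive and permissive."""

    def __init__(self, elevated_at=5.0, code_red_at=15.0, relax_margin=0.5, decay=0.8):
        self.elevated_at, self.code_red_at = elevated_at, code_red_at
        self.relax_margin, self.decay = relax_margin, decay
        self.posture, self.score = Posture.NORMAL, 0.0

    def observe(self, ev):
        self.score = self.score * self.decay + EVENT_WEIGHTS.get(ev.kind, 0.5) * ev.severity
        target = posture_for(self.score, self.elevated_at, self.code_red_at)
        if target > self.posture:
            self.posture = target
        elif target < self.posture:
            current_threshold = self.code_red_at if self.posture == Posture.CODE_RED else self.elevated_at
            if self.score < current_threshold * self.relax_margin:
                self.posture = target
        return self.posture, POLICIES[self.posture]


# Constructed telemetry sequence: a warning sign, then clear trouble, then quiet
SAMPLE_EVENTS = [
    Event("cpu_spike", 2),
    Event("abnormal_access", 3),
    Event("buffer_overflow", 5),
    Event("cpu_spike", 1),
    Event("heartbeat", 1),
    Event("heartbeat", 1),
]


def run_sequence(events):
    """Feed events through a fresh controller; return the posture after each."""
    ctl = PostureController()
    return [ctl.observe(ev)[0] for ev in events]


if __name__ == "__main__":
    ctl = PostureController()
    for ev in SAMPLE_EVENTS:
        posture, policy = ctl.observe(ev)
        print(f"{ev.kind:<22} sev={ev.severity} score={ctl.score:6.2f} -> {posture.name:8} {policy}")
```

With the constructed sequence the controller goes NORMAL, ELEVATED, CODE_RED and then stays at CODE_RED through the quiet heartbeats, because the decayed score is still above half the code-red threshold; the point of the margin is that relaxing controls should require sustained calm, not a single quiet interval.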

I'd like to hear from folks with thoughts in this area!


posted by Kate Brew

Several striking aspects:

  • All presentations about security in a virtualized environment were mobbed.  People were pretty angry when turned away at the doors of the presentation rooms, but fire marshal regulations prevented people from standing at the back.  It appears this is the "next interesting thing" in security, and there is great curiosity.  On the reality side, there were very few products / technologies for sale to address the potential issues.  I believe there are a great many startup companies currently in stealth mode in this area.
  • The days of radical and revolutionary change in security from the late '90's and early '00's are way over.   The big vendors seem to be just pulling together "fix it all" suites as best they can through acquisitions.
  • Michael Chertoff's presentation was a tad scary: he mentioned that government agency computers are all interconnected, and that security is not consistent across all agencies (some have 24/7 monitoring for security and some don't).  This is bad for the obvious reason - just like in the movies, the bad guys can find an innocuous-looking, under-protected entrance and get to the agencies of interest.  The other scary part was that Mr. Chertoff seemed to think 24/7 monitoring was the main thing.  I'd tend to focus on preventative measures, vulnerability assessment, intrusion detection, user training, Identity and Access Management, strong authentication and other areas as well, but they were not mentioned.
  • Bruce Schneier's presentation on security rationalization was provocative.  He focused on the separation between reality, feelings and models by "experts" when it comes to assessing security risks.  One example was the Tylenol scare, which was successfully addressed from a commercial standpoint by adding hermetic seals to bottles.  It made people feel better.  The reality is that a syringe could inject poison pretty easily, but people feel better.  He also introduced the notion of "security theatrics", where the media and security vendors exaggerate risks and cause people to feel bad when the reality just doesn't match.  Interesting concept.

RSA Conference is growing: attendance was estimated at 17,000.


posted by Kate Brew

This is a little-known fact that may be very interesting for customers who want SSO but find that Password Manager does not natively support their language.  We have an SDK available for partners to do their own translations of the CPM UI.  It is available for free, and has already been requested by partners in Russia, the Czech Republic, Sweden, Italy, Greece and Poland.

This SDK can be used with standalone CPM and XenApp Platinum (Single Sign-on powered by Password Manager.)  Both offerings are the same code base.

Our terms are intentionally simple: the local Citrix rep approves the partner to me, partner signs a EULA, I give the partner access to the SDK via FTP, and the partner owns the resultant work effort (of course CPM licenses are still required for the customers purchasing translated versions from the partner.)

The caveats are that the business partner is responsible for keeping up with changes as new releases are provided from Citrix, and the local Citrix account team vouches for the integrity of the partner.  We need to be sure the UI delivered is of quality, hence the local team involvement.

If you're interested, please have your Citrix rep contact kate.brew@citrix.com

I would also appreciate comments on this approach - yea or nay!


posted by Kate Brew

Most people don't realize the value of the answers to their personal security questions (Citrix Password Manager calls this Question Based Authentication.)  As it turns out, those answers are more valuable than passwords.  If someone learns enough answers to your personal security questions, they very often can reset your password and have access to your accounts.  Yes, that includes your online bank account and it's a very real problem.  In fact, I have a friend so paranoid about this that he swears his favorite color is "three."

 Some of the issues around personal security questions are kind of interesting.  For example, I've dealt with customers where personal privacy of employees is a big consideration in selecting the questions.  Let's call that one "sensitivity".  Another issue is what I'll call "changeability" - your favorite movie may change from month to month.  Then another issue is what I'll call "detectability" - my place of birth is public record, if somebody happens to know where I was born and what my maiden name was.  Both of those are completely unguessable in my case so I am probably safe on that problem. 

 Then there is always my favorite, "guessability" - there are only so many colors, even if you count teal and puce.

We can't forget the punctuation marks either.  Tricky to remember whether I indicated a teacher's name as Mrs. Winters, Ms. Winters, Mrs Winters or Ms Winters when I signed up for a web account.  Have to be careful on that one.

 We are finding that the more flexibility you can allow the better on these personal security questions for CPM.  Let companies write their own personal security questions that are more obscure than place of birth.  Let people choose between a number of security questions that they find unique and easy to remember.
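The three practical problems in the discussion above (punctuation and title variants locking users out, answers drawn from a tiny space such as colors, and answers that deserve password-grade storage) can all be handled at the point where an answer is enrolled and later checked. The following is an added illustrative example, not code from Citrix Password Manager or the original post; the honorific list, the small-answer-space list and the PBKDF2 work factor are constructed assumptions.

```python
"""Security-question answer handling: an added illustrative example, not code
from Citrix Password Manager or the original post. The honorific list and the
small-answer-space list are constructed assumptions."""
import hashlib
import hmac
import re
import secrets
import unicodedata

# Titles that users add or omit inconsistently ("Mrs. Winters" vs "Ms Winters")
HONORIFICS = {"mr", "mrs", "ms", "miss", "dr", "prof"}

# Answers drawn from a tiny space: guessable in a handful of attempts (constructed, partial)
SMALL_ANSWER_SPACE = {
    "red", "orange", "yellow", "green", "blue", "purple", "black", "white",
    "teal", "puce", "pink", "brown", "grey", "gray",
}

ITERATIONS = 100_000  # PBKDF2 work factor (assumed); treat answers like passwords


def normalize_answer(answer):
    """Canonical form: Unicode-normalized, case-folded, punctuation removed,
    honorifics dropped, whitespace collapsed. This is what removes the
    "Mrs. / Mrs / Ms" ambiguity the post describes."""
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^\w\s]", "", s)            # "mrs." -> "mrs", "o'brien" -> "obrien"
    tokens = s.split()
    stripped = [t for t in tokens if t not in HONORIFICS]
    return " ".join(stripped or tokens)       # keep tokens if the answer was only a title


def assess_guessability(answer):
    """Reasons an answer is weak (an empty list means acceptable)."""
    norm = normalize_answer(answer)
    reasons = []
    if len(norm) < 4:
        reasons.append("too short")
    if norm.isdigit():
        reasons.append("purely numeric")
    if norm in SMALL_ANSWER_SPACE:
        reasons.append("drawn from a small answer space")
    return reasons


def enroll(answer, salt=None):
    """Store only a salted PBKDF2-HMAC-SHA256 digest of the normalized answer."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify(answer, salt, digest):
    """Constant-time comparison of the candidate's digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for a in ["Teal", "three", "Mrs. Winters"]:
        print(f"{a!r:16} -> {normalize_answer(a)!r:12} weak: {assess_guessability(a)}")
    salt, digest = enroll("Mrs. Winters")
    print("Ms Winters matches:", verify("Ms Winters", salt, digest))
```

Dropping honorifics is a deliberate trade: "Mr. Winters" and "Mrs. Winters" become the same answer, which slightly shrinks the answer space in exchange for far fewer lockouts; a deployment that prefers strictness can empty HONORIFICS. Note that "three" passes the guessability check while "teal" does not, which is exactly the point of the favorite-color joke in the post.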

In fact, I'd love some comments on pet peeves and helpful suggestions on personal security questions!


posted by Kate Brew

Without Single Sign-On, users are left to their own devices (such as yellow stickies) to retain the many different passwords they need.

Trouble was that security vendors were so eager to provide this functionality (starting about 10-12 years ago), and the hype was so great, and the technology was so immature, that early SSO projects often had tragic results.  Early implementers in some cases dumped millions in services dollars to coax the immature SSO product into actually working for a subset of their applications.

 Well, the technology is mature now, and SSO really works!

With the Citrix SSO product, Citrix Password Manager (CPM), we have a very successful install base of customers, with many implementations with more than 50,000 users.   Very conveniently, CPM is included as the SSO XenApp Platinum component, bringing more value to users as well as value to IT administrators in increasing actual security by eliminating bad user behavior.


posted by Kate Brew

At Summit in January I ran into an interesting Citrix partner - Xceedium.  It's a security company with an appliance product, called GateKeeper, that is complementary to XenApp.  It enforces security policy by providing compartmentalization and containment.

Say you are outsourcing development.  The GateKeeper provides a capability they call "LeapFrog Prevention" to isolate and contain users to authorized applications and network devices.  So your outsourced developers can't use DNS lookups, NFS mounts, or ICMP to leapfrog to unauthorized areas and information.  It also provides tracking and reporting for compliance reasons.

In a XenApp environment, their agent monitors each user process and prevents unauthorized apps from trying to leapfrog to another device.  They also provide tracking for all CLI and prevent unauthorized CLI, so it adds to the security features of XenApp at the application layer with control over the command line/infrastructure layer.

The GateKeeper is complementary to the SmartAuditor session recording feature of XenApp, adding keystroke logging and session recording for CLI.
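To show what "leapfrog prevention" and CLI tracking amount to in practice, here is an added illustrative example that audits a recorded command-line session against a per-user authorization table: each command is either allowed, denied because the program itself is not authorized, or denied because it is a network-reaching tool pointed at a host outside the user's permitted set. This is not Xceedium's or Citrix's code; the log format, the authorization table, the tool list and the host-extraction heuristic are constructed assumptions.

```python
"""CLI leapfrog audit: an added illustrative example of the kind of check a
containment product could apply, not Xceedium's or Citrix's code. The log
format, the per-user authorization table and the tool list are constructed."""
import re
import shlex

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$')

# Per-user authorization (constructed): allowed programs and reachable hosts
AUTHZ = {
    "dev01": {"commands": {"ls", "cat", "git", "make", "vim", "ssh", "scp", "ping"},
              "hosts": {"build01"}},
}

# Programs that can reach beyond the current host (constructed list)
REACH_TOOLS = {"ssh", "scp", "ping", "nc", "telnet", "curl", "nslookup", "dig", "mount"}


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def target_host(argv):
    """Best-effort (heuristic) extraction of the host a command addresses:
    skips flags, numeric flag values and local paths; prefers user@host
    and host:path forms over bare arguments."""
    cands = [a for a in argv[1:] if not a.startswith(("-", "/")) and not a.isdigit()]
    if not cands:
        return None
    for a in cands:
        if "@" in a or ":" in a:
            return a.rsplit("@", 1)[-1].split(":", 1)[0]
    return cands[0]


def audit(lines):
    """Return one finding per log line with an allow/deny verdict."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append({"line": line, "verdict": "unparsed"})
            continue
        argv = shlex.split(rec["cmd"])
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]      # "/usr/bin/ssh" -> "ssh"
        authz = AUTHZ.get(rec["user"], {"commands": set(), "hosts": set()})
        host = None
        if prog not in authz["commands"]:
            verdict = "deny:unauthorized-command"
        elif prog in REACH_TOOLS:
            host = target_host(argv)
            verdict = "allow" if host in authz["hosts"] else "deny:leapfrog"
        else:
            verdict = "allow"
        findings.append({"ts": rec["ts"], "user": rec["user"], "cmd": rec["cmd"],
                         "host": host, "verdict": verdict})
    return findings


# Constructed session log: a developer whose only authorized host is build01
SAMPLE_LOG = """\
2023-03-01T09:00:01Z user=dev01 cmd="git pull"
2023-03-01T09:00:12Z user=dev01 cmd="ssh build01"
2023-03-01T09:01:40Z user=dev01 cmd="ssh -p 2222 dev@build02"
2023-03-01T09:02:03Z user=dev01 cmd="nslookup db01.internal"
2023-03-01T09:02:30Z user=dev01 cmd="mount build02:/export /mnt/x"
2023-03-01T09:03:11Z user=dev01 cmd="ping 10.0.0.5"
2023-03-01T09:03:45Z user=dev01 cmd="ls -la"
"""


def verdicts(log_text):
    return [f["verdict"] for f in audit(log_text.splitlines())]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f'{f["verdict"]:<28} {f.get("user")} {f.get("cmd")}')
```

The same evaluation works in either mode the post describes: run over a recorded session it produces the compliance report, and run inline before each command executes it is the enforcement decision. The host heuristic is deliberately simple and will misread unusual argument orders, so a real deployment would resolve the target from the tool's actual connection rather than from the command text.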

For customers who have audit and compliance requirements, Xceedium is an extremely interesting addition to XenApp.  They're already verified Citrix Ready too.  As a bonus, GateKeeper is Common Criteria certified to EAL3.

[www.xceedium.com]

