A long discussion in several media on the net was started by what appears to have been a highly entertaining presentation at InterOp in Las Vegas recently. The presentation was given by Joshua Corman, Principal Security Strategist at IBM/ISS and was called “the 7 dirty secrets of the security industry”:

networkworld.com-interop-dirty-security-secrets

Among the “secrets” is the observation that the security industry is not about security but about making money! Hardly surprising. Anyway, some of the other points made by Mr. Corman are definitely more valid.

For instance “#2: There is no perimeter”. This is interesting and points to one of our core messages (see for instance blog post …). The perimeter, in the classical LAN-oriented meaning of the word, cannot be protected anymore and therefore becomes meaningless. Depending on your point of view, the classical perimeter is either going away and being replaced by something else or, in other words, “shrinking” to cover not networks but primarily applications and data. This becomes even more true in the evolution towards cloud computing, where protecting the network in reality becomes identical to protecting the Internet, which is obviously not practical for companies. Basically this revolves around a fundamental understanding of exactly what it is you want to protect, as opposed to trying to protect everything to the same level, which is in reality what a classical perimeter does: everything on the “inside” necessarily ends up with the same security level.

The 7th “secret”, “Security has grown well past do-it-yourself”, is also very true, but probably more true than it has to be. It is unacceptable that unnecessary infrastructure complexity drives the security in a company. Excessive complexity is a major security threat to organizations, and it drives excessive costs as well. The starting point for any considerations about how to design, implement or re-design an infrastructure securely must be a fundamental simplicity principle. If you manage to design a very simple infrastructure, more people than today will actually be able to implement “do-it-yourself” security. The other major risk with the approach recommended by Mr. Corman is that business people leave security issues to the “experts”! Security must begin with all of us as individuals making conscious decisions about our own actions. The responsibility for secure conduct cannot be left to experts. Again, to be able to implement this responsibility paradigm, the infrastructure needs to be simple and transparent enough to enable non-IT, non-security-savvy people to make meaningful decisions.

Simplicity is a very fundamental principle in security.

This post is triggered by a Wikipedia entry that one of my very bright colleagues pointed out to me recently:

http://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you%27re_a_dog

Read it for the fun of it, but it points to one of the fundamental challenges of secure access on the Internet, knowing “who” is trying to connect to your stuff!

When it comes to privacy, this is a highly desired “feature” of the Internet: a feature enabling true freedom fighters to stay anonymous while fighting for democracy and freedom under totalitarian regimes. But it is also a desired feature in crime, where you want to stay anonymous while performing your vile deeds or, better still, appear to be someone else. This issue touches on the phishing problem, another story but also very important.

However, when running a business you definitely do not want your users to stay anonymous. You need to know exactly who they are so you can either control their access to more or less confidential data or at least send them “an offer they cannot refuse” as part of a sales effort aimed at everyone indicating the slightest interest in your products and offerings. Anonymity is not wanted in normal business. It is another matter whether you, as a potential customer, want to stay anonymous, but I believe everyone understands that revealing your (or at least "an") identity is a reasonable prerequisite for getting service.

As we’ve repeatedly pointed out: authentication (proving who you are) is fundamental to all secure access solutions. For an indication of how difficult this really is when you cannot see your "opponent", go see:

New captcha approach

Keeping data secure is easy, very easy! Just make sure no one can get to it … no one. Obviously this doesn’t provide much value, so the main challenge becomes not controlling the data but ensuring that only trustworthy users are given access. Two things precede access: deciding which data is sensitive, and how sensitive, and deciding which users to trust. Neither of these is trivial; the trust part in particular is complex, but both are essential “homework” before you can start extracting value from your data by providing controlled access to it.

Controlled access comprises three main tasks: Identification, Authentication and Authorization. This is obviously a “whitelist” exercise! It is not possible to “blacklist” all the people you do not want to give access to; you have to focus on the specific users to whom you want to provide access. This is one of the reasons ordinary firewalls are very poor access security devices. They do not do end-to-end Identification, Authentication and Authorization; they try to make security decisions by analyzing data at a specific point in between. Likewise, encryption of data on a connection is merely a way to ensure that only specific people, those holding the keys, can read it. Encryption without Identification, Authentication and Authorization is meaningless: you have protected the data on the wire without knowing who is at the other end of it.

Let me try to define the three terms: Identification is about establishing who you claim to be, Authentication is about proving that claim, and Authorization is about what you are allowed to do, in other words, what data you are allowed to access. A secure access system must implement all three and at the same time clearly distinguish between them.

When you think about this, you will quickly realise how fundamental these three tasks really are for implementing security policies. If you don't know who is trying to access what, it becomes impossible to implement a meaningful security policy. But finding out who it is that is trying to do something, remotely, is definitely not trivial! This is why Identification, Authentication and Authorization are fundamental functionality in any G/On configuration. Go check out our product and technology descriptions to learn how Giritech implements this process of controlled access together with all the other important aspects of the complex task of virtual access.
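To make the three steps concrete, here is a small added example (illustrative code written for this page, not G/On's implementation) that keeps Identification, Authentication and Authorization as separate functions, each gated on the previous one, with a per-user whitelist of resources and deny-by-default. The user directory, names, passwords and resource paths are constructed for the example; the password hashing uses salted PBKDF2 from the Python standard library.

```python
import hashlib
import hmac
import os

# Added example: the three steps of controlled access, kept separate and each
# gated on the previous one. Illustrative code, not G/On's implementation.

PBKDF2_ROUNDS = 100_000  # cost factor for the stored password hashes


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only the digest is stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def _enrol(password, resources):
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "resources": frozenset(resources)}


# Constructed user directory for the example. The per-user resource set is the
# whitelist: anything not listed is denied; there is no blacklist to maintain.
USERS = {
    "alice": _enrol("correct horse battery staple", {"/hr/payroll", "/shared/docs"}),
    "bob": _enrol("hunter2", {"/shared/docs"}),
}

# Salt for the dummy hash computed on unknown usernames (see controlled_access).
_DUMMY_SALT = b"\x00" * 16


def identify(username):
    """Step 1, Identification: resolve the claimed name to a known identity (or None)."""
    return USERS.get(username)


def authenticate(user, password):
    """Step 2, Authentication: prove the claim with the secret only the user knows."""
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["hash"])  # constant-time comparison


def authorize(user, resource):
    """Step 3, Authorization: may this identity touch this resource? Deny by default."""
    return resource in user["resources"]


def controlled_access(username, password, resource):
    """Return 'granted' or the reason for denial.

    The detailed reason belongs in the server-side audit log; a client should
    only ever see a generic failure so it cannot tell which step rejected it.
    """
    user = identify(username)
    if user is None:
        # Burn the same hashing cost for unknown names so response timing does
        # not reveal which usernames exist.
        hash_password(password, _DUMMY_SALT)
        return "denied: unknown identity"
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(user, resource):
        return "denied: not authorized for resource"
    return "granted"
```

Note that the order matters: authorization is never evaluated for an identity that has not been authenticated, and authentication is never attempted for a name the system does not know, which is exactly the whitelist discipline the text argues for.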

What I’d like to do today is to take you back to one of the original inspirations behind our ”Network Consolidation” vision and the end-to-end paradigm of G/On. In August 1997 (Computer Telephony, August 1997, pp. 16-26), an engineer at AT&T named David Isenberg published an article about a new network paradigm that he believed would redefine the future of telecommunications. The article was named ”Rise of the Stupid Network” (http://www.isen.com/stupid.html).

The article outlines a network where all intelligence lies at the ends (at the devices being connected) instead of inside the network, as is the case with the classical telephony/voice networks. The traditional telephony networks are based around a concept of very simple, and hence cheap, devices you connect to a very sophisticated network where all services reside. The pinnacle of this network paradigm is the SS7 driven ISDN network. The obvious example of the opposite, a ”stupid” network only delivering the bits, is the Internet. This change in paradigm obviously challenges the business model of the Operators that used to control all services on the telephony networks. But more importantly it also describes a network that requires a different approach to data networking. It describes the end-to-end paradigm that is fundamental to our thinking at Giritech.

What we’re trying to do with G/On is to elaborate on David Isenberg's vision to make it implementable for companies so they can reap the benefits of end-to-end networking.

For your inspiration I think you should take a few minutes to read the classic article hoping that you will better understand some of the background behind our excitement with G/On. As always I would appreciate your comments to this, please do not hesitate.

VDI, “Virtual Desktop Infrastructure”, is generating a lot of headlines and grabbing the attention of many IT administrators currently. There are many good reasons for this, because VDI promises to deliver major savings in terms of management and security. However, one of the main issues with these discussions is that they are very technology focused.

Basically there is nothing new in the concept of VDI! When you take a look at what VDI really is – a virtual desktop managed and delivered off a central computer infrastructure – it is almost identical to mainframe computing, or the slightly more recent Terminal Services or Citrix solutions.

So when considering VDI for your organization, try to keep an open mind, so you do not miss the opportunities in simpler implementations based on legacy technology, such as Terminal Services, that might just deliver exactly the feature set you need to reap the benefits.

The network between users and applications on the VDI, however, contains the same set of challenges as any other network-based application. It is therefore important to select an equally pragmatic approach to connecting users to the VDI as to selecting which VDI technology to deploy. This is where we believe G/On has a powerful offering. A G/On based connectivity infrastructure will allow you to use whichever VDI technology best matches your requirements, or even combinations of different VDI technologies if that is required. Separating the network from the VDI therefore provides a very important degree of flexibility for you.

Contact us for more details on how we support the range of exciting VDI technologies available – we trust you will be positively surprised.

First I need to say that the following ideas are not mine! They are basically the words of Bruce Schneier (www.schneier.com) in his book (http://www.schneier.com/blog/archives/2007/04/a_security_mark.html), but I believe they are fundamental to everyone in the market for IT security solutions or solutions including security (and what IT product doesn't?). I write this in the hope of starting a discussion on the capabilities or values (called "signals") you should be looking for when judging IT security vendors. I realise that you might use these measures against Giritech in the end, but I remain confident that we will be able to live up to them. Otherwise, please do not hesitate to let us know, because it is important to us to be judged correctly.

In general economic theory (see: http://en.wikipedia.org/wiki/The_Market_for_Lemons) there exists a concept called a "Lemons Market". This is a market where the seller knows more than the buyer, as is very often the case in the IT security market. Unfortunately, the theory states, one of the consequences of a "Lemons Market" is that bad products tend to drive good products out of the market. When talking about cars (the example upon which the theory was developed) you might end up with a bad buy ... in IT security you might end up with a corporate disaster! However, you might be able to judge the seller on specific "signals" that tell you whether the seller believes in his product or not. In used car sales one obvious example is the warranty. If the seller is willing to take back the car up to 6 months or 1 year after the sale, then he is sending you a strong signal that you can safely buy his car. He is willing to take it back, or at least repair it at no cost to you, if it should fail to satisfy your expectations.

So ... now we need your help in understanding what "signals" or proof you will be looking for when buying IT security solutions. One strong signal could be references! Which is why we are very happy with the 600+ strong customer portfolio we have been building over the last 4 years. Another could be certifications, which is why we have invested significant resources in getting our own FIPS 140-2 validation. But what other proof can we give you that our IT security solutions really are as secure as we claim? What are the "signals" you will be looking for?

I will look forward to hearing from you as a starting point and will promise to give you feedback later on the findings on this blog. Send me a mail: lsc(a)giritech.com if you cannot comment directly here on the blog.

A thing that has puzzled me for a while is the tendency of previous generations (including my own to be honest. I was born in 1966) to constantly underestimate the capabilities of the new generations (born in 1990 and onwards) and their access to the Internet. Although there is constant talk about this (see my post on "digital immigrants and digital natives" elsewhere on this blog for an example) I strongly believe that we do not really understand the consequences of this development!

Let me try to give just one example of what I'm thinking. The generation(s) born in 1990 are 19 years old today. They are completing their educations and have therefore begun to appear on the job markets globally. These people have never known a world without computers, without mobile phones and, most importantly, without Internet access! In other words, they have grown up with all (or at least most of) the knowledge ever created on planet Earth immediately available at their fingertips ... try to think about this for a minute! It is absolutely mind-boggling.

This means that they do not have to re-invent anything. A few searches on Google and they have several solutions and answers to almost any problem or question they should come across - some of them wrong, some of them right. I could talk for days about the consequences of this, as there are many aspects of it that we are only beginning to understand. One is that you can *never* assume that the kid is not able to hack whatever it is you're trying to protect because he (yes, it is almost definitely a "he" for some reason ... but that'll change too) doesn't know how or doesn't have the skills ... He doesn't have to anymore! 2 searches on Google and you have 4 different ways of hacking that the guy can try. If one doesn't work the next one will. If that doesn't work he can instantly chat with 10,000 highly skilled semi-professional IT experts that are more than willing to tell him how. How can he fail? The scariest thing about this is that these generations don't even think about it. This is simply "the way it is". Internet access, and hence knowledge access, is a given fact.

A new paradigm to IT security is definitely required for this reason alone, and this is just one reason as I'm sure you all know. We think we have begun to understand some of this at Giritech and we are therefore working from an end-to-end paradigm to protecting "stuff". We believe this could be a very powerful answer to the challenges from the new generations. Give us a call to discuss, we would love to hear your opinions and feedback.

We’re often asked why we don't support One Time Passwords (OTP) as an integrated part of G/On. First I need to say that we do support a range of OTP solutions, but it is true that we do not include OTP in our baseline configurations. There is actually an analysis behind this decision that I would like to share with you.

Firstly, the primary logon security must be based on a username and a secret password (the first authentication factor). It is all about securely and unambiguously identifying you! That is the only objective of the login procedure. Starting with a name (not secret) and an associated password that only you know (supposedly) must therefore always be the starting point for any secure login solution. It is another discussion how you make sure that your passwords are strong and remain secret.

To add additional security, a second authentication factor, something you own or possess, can be added. This is where a long range of technologies comes into play, just to mention a few: unique tokens, smartcards, mobile phones and the one-time-password technologies we’re talking about here. Wait a minute, isn’t an OTP a “password”? No! OTPs are about proving possession of a thing, not about passwords! The term ”one time passwords” is therefore wrong, as it creates the wrong picture in the mind of the user. OTPs are not about replacing the password; they are about proving possession of a second, physical authentication factor (the device generating the OTP, a list of pre-generated OTPs etc.). At Giritech we therefore prefer the term ”One Time Passcodes” instead. OTPs (and other second factor technologies) are secondary authentication level solutions. It would be a serious security flaw if you were to replace secret passwords with one-time-passwords!

So when we tried to rate the relative security level of some of the second factor authentication technologies we ended up with the following list:

1. Smartcards. The secret key uniquely and unambiguously identifying the smartcard is generated when the card is personalised and it never leaves the actual hardware! It is extremely difficult to copy and extremely unlikely that you can guess it. Very secure.

2. Realtime generated one-time-passcodes. You need a device (e.g. an active token of some sort) that is synchronized with your server and generates a new passcode every time you use it. The codes are therefore secret until they are needed and can only be used once.

3. Pre-generated one-time-passcodes. A list of codes is generated at regular intervals and distributed. The codes are static for the period and have to be distributed (or generated locally) in a safe way. Not quite as secure.

When you factor in the usability of the different solutions, it became clear to us that the solution with the highest security level, smartcards, is actually also the one with the least end-user involvement (when designed correctly). And as we’ve talked about previously, overall security is dependent on simplicity. This means that making it easy for the end user to correctly use the technology is a prerequisite for the overall security of the solution. It should therefore be obvious that smartcard based solutions (or similar unique token solutions) should be preferred over one-time-passcode based solutions.

This is why G/On will primarily support smartcard based technologies as the standard second authentication factor. We simply believe it is the most secure solution and it even has some very powerful simplification characteristics as well. One-time-passwords can only be an additional ”icing on the cake”. So when will you be ready to replace your OTP solution?
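As an added illustration of item 2 in the list above, the "realtime generated" passcode, here is a server-side verifier written for this page (example code, not G/On's or any vendor's implementation) using the standard HOTP/TOTP construction from RFC 4226 and RFC 6238. The seed is the RFC 6238 reference test seed, used here as a constructed example value. It shows what "proving possession" means in practice: the only secret is the seed shared between the token and the server, the code changes every 30 seconds, and the verifier records the last time step it redeemed so that a captured code cannot be replayed.

```python
import hashlib
import hmac
import struct
import time

# Added example, not G/On code: a realtime-generated one-time passcode
# (RFC 4226 HOTP / RFC 6238 TOTP) checked on the server side. The seed below is
# the RFC 6238 reference test seed, used here as a constructed example value.
SEED = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """TOTP: HOTP with the counter derived from the clock. This is what the token displays."""
    return hotp(secret, int(at_time) // step)


class TotpVerifier:
    """Server-side check for one enrolled device.

    Proves possession of the seed (the second factor). In a real login flow it
    is only called after the username/password (first factor) has already been
    verified; it never replaces that step.
    """

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window      # accepted clock drift, in time steps, each way
        self.last_counter = -1    # highest step already redeemed; persist this per device

    def verify(self, code, at_time=None):
        now = time.time() if at_time is None else at_time
        counter = int(now) // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue          # one-time: a step already used (or older) is never accepted again
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False
```

Two things follow directly from the code. First, the server must hold the same seed as the token, so a copy of the server's seed database is a copy of every token; that is why the list above ranks a smartcard, whose key never leaves the chip, above any seed-based passcode. Second, the `last_counter` bookkeeping is what turns a "passcode" into a "one-time" passcode; without it, a code phished inside its 30-second window works just as well for the attacker as for the user.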

We are at Giritech obviously spending a lot of time and resources on analyzing and trying to understand IT security. I would like to share a few fundamental insights with you today that we have found help clarify some discussions on what security really is! This time primarily focused on the user's device, the computer from which we all try to connect to the "stuff" we need to work with.

First there's the concept of the "Security Invariant". A corporate computer that has been procured and installed by trusted IT personnel inside an organization is generally accepted as being "secure": the "Security Invariant" has been established. The corporate set of security policies describes the accepted user behaviour and the corporate technologies deployed to make sure the computer stays secure, or in other words that the "Security Invariant" is maintained. What "secure" means is therefore defined by the process and policies outlining what the IT administration and users do and under what circumstances. "Secure" is thus not a universal, objective concept, but a highly local concept defined by the policies of a specific organization.

Another aspect where we see some confusion is the relation between "trusted"/"untrusted" and "managed"/"unmanaged". It seems that the term "managed" computer is generally perceived as meaning the same as a "secure" computer! This might be true, but it is not what is important. What you trust (and hence what you base the Security Invariant on) is what matters. The distinction should therefore be between "trusted" and "untrusted" computers. Only then can you begin the constructive analysis of the technical details that define what a "trusted" computer is; typically one of the most important of these details is whether it is managed or not. "Managed" versus "unmanaged" is an implementation decision; "trusted" versus "untrusted" is a security decision that must precede it.

Please do not hesitate to provide your comments and feedback to this.

One of the simplest and most successful configurations of G/On enables remote workers to gain direct access to their normal desktop PCs at work from any computer outside the LAN, typically home PCs. This enables workers to work from any PC and thus does not require the company to distribute laptops to these employees. The savings are obvious! But to make this work (in the simplest setup) you will need to leave your desktop computer turned on at all times, so we are often challenged by our customers about the cost of having a computer running 24/7.

In this blog post I have therefore made some calculations on the cost of running an ordinary desktop computer, to enable you to compare connecting from any existing computer to a desktop computer at work against the cost of new laptops for all employees needing remote access (and by the way, which employees do not need remote access today?).

Estimated electricity cost of keeping an average desktop computer turned on, assuming an average draw of 0.12 kW: 0.12 kW x 24 hrs x 365 days = 1,051 kWh/yr; at $0.11/kWh that is approx. $116/yr.

Compare this with the average price of a laptop computer (e.g. a Dell Latitude) of approx. $1,000. The break-even point is 1,000/116 = 8.6 yrs: one laptop buys 8.6 years of electricity for a desktop left on. The average lifecycle of a laptop is 2-3 yrs, so over one laptop lifecycle the desktop's electricity costs $230-350 against $1,000 for the laptop, and the cost of distributing laptops is even higher than this comparison suggests! As you can see, it is significantly cheaper for a company to leave desktop computers turned on 24/7 than to distribute laptops to employees needing remote access, even in this simple case where only the purchase price of the laptop is included. Distributing laptops will additionally require you to spend significant resources on support and maintenance of these company-owned laptops.

Obviously you might have other reasons (e.g. carbon footprint) for having policies requiring employees to turn off desktop computers when they leave work. More advanced technologies that are also easily integrated with G/On, such as Wake-on-LAN, Terminal Services or VDI ("Virtual Desktop Infrastructure"), will allow companies to combine electricity (and hence CO2) savings with remote access and make the business case for providing remote access to desktop PCs even better, both in terms of cost and carbon footprint.

For more information about the very simple G/On setup used in these calculations please send us a mail.

In this blog, Lars Struwe Christensen, VP Business Innovation and CTO of Giritech, ponders on such topics as:

  • Security
  • The IT Industry
  • The future of working
  • The future of IT infrastructure
  • many other subjects ...

while explaining Giritech's vision of Network Consolidation.

Copyright © Giritech. All rights reserved.