Aujas US

An IDG Ventures Company

Windows Azure: Build Secure Applications by Design

Introduction to Azure

The Windows Azure Platform is a Microsoft cloud platform offering that enables customers to deploy applications and data into the cloud. Windows Azure Platform is classified as ‘platform-as-a-service’ and is part of Microsoft’s cloud computing strategy. It provides developers with on-demand computing and storage space to host, scale and manage web applications on the Internet through Microsoft datacenters. The platform provides a cloud operating system called Windows Azure that serves as a runtime for the applications and provides a set of services that allow development, management and hosting of applications off-premises.

Windows Azure has three core components: Compute, Storage and Fabric. As the names suggest, Compute provides a computation environment with Web role and Worker role, while Storage focuses on providing scalable storage (Blobs, Tables, Queue, and Drives) for large-scale needs. Fabric makes up the physical underpinnings of the Windows Azure platform similar to the network of interconnected nodes of servers, high-speed connections, and switches.

Conceptually, the repetitive pattern of nodes and connections suggests a woven or fabric-like nature. Compute and Storage components are part of the Fabric. It also provides high-level application models for intelligently managing the complete application lifecycle, including deployment, health monitoring, upgrades, and de-activation.

Microsoft Azure Security

Consumers are responsible for application and data security with Microsoft Azure, which is under the PAAS model

Cloud security is an evolving world with new threats and challenges. A smart customer would look at all the necessary security risks and would handle all data in the cloud with clear risk mitigation plans. Security in the Azure platform is of paramount importance, and Microsoft has built security controls into the platform.

Cloud computing models and the security responsibility matrix are defined in the table at right.

Microsoft’s Azure Platform falls under the PAAS model. Microsoft has implemented and provided various security features such as:

  • Identity and Access Management at all levels
  • Isolation of data through separate physical containers
  • On-demand encryption of data in the fabric
  • Runtime security: full trust versus partial trust
  • Security libraries

Though Microsoft has built security into its architecture with AppFabric and SMAPI (Service Management API), companies that move to this platform must ensure the security of their own applications. Application developers have to use the right tools and APIs to secure and deploy the application.

There is no “Magic Wand for Security”

Azure has ensured security at various layers within its architecture, across its VMs and its Fabric engine. This security assures customers that data does not leak outside of their VM. Though Azure has security innovations to aid application development and deployment, the responsibility for securing applications is left to the customer.

This means that building applications that are secure by design and secure by default is in the hands of the Azure application developers and architects. Security is not static; threats are constant and have to be mitigated at all levels of the application and platform. Azure provides many security APIs that can be used to protect data and access, but it is up to the end-customer to decide what is appropriate for the kind of data that needs protection.

As the chart above explains, the PAAS model requires security SMEs with core knowledge of platform-related security, an understanding of the Windows Azure runtime trust models, and the security protections and responsibilities of each cloud layer. Companies need to build complex “Gatekeeper”-based designs with the help of design patterns such as control access context, advisor, interceptor, and web role patterns.

The latest addition to the foundational technologies in the .NET Framework is Windows Identity Foundation (WIF). It enables Azure developers to offload identity and authentication logic, providing a solid development model based on the separation-of-concerns pattern. Anything from simple, traditional role-based access to advanced and sophisticated access control policies can be implemented with the help of WIF.

When it comes to cloud-based solutions, it is more important for software designers and developers to anticipate threats at design time than is the case with traditional boxed-product software deployed on servers in a corporate datacenter. Designing secure applications in Azure is about choosing the right tools and understanding the responsibilities. A traditional model of application development will result in the same vulnerable application. But with better knowledge of the Azure platform, it is possible to build more secure applications in less time and with less effort.

Developers and designers also need to understand the basics of building applications on cloud:

  • Build cloud apps, not apps in the cloud
  • Design fault-tolerant systems so that nothing fails
  • Design for scalability
  • Loosely couple application stacks (IoC)
  • Design for dynamism
  • Design distributed
  • Build security into every component
  • Backup application & user data
  • Distribute applications

Conclusion

Computing solutions that use Windows Azure are very compelling to companies wishing to trim capital expenditures. However, security remains an important consideration. Security architects and developers need to understand the threats to the software developed for “the cloud” and use appropriate secure design and implementation practices to counter threats in the cloud environment.

The progression from classic client-server computing, to web-enabled applications, to applications hosted in the cloud, has changed the boundaries of applications, and a pressing need for compliance drives security. These boundary shifts and compliance requirements make understanding the threats to Windows Azure-based software all the more important.

May 20, 2011 Posted by | Cloud Security, identity and access management, Risk management | , , | Leave a comment

More than Password Resets – Identity and Access Management’s Real Value

You’ve probably heard enough about the benefits that an Identity and Access Management (IAM) program can bring to you. Most of the benefits pitched to customers by various vendors revolve around specific features of the products, and are generalizations at best.

For example, password reset is available as a feature, and the obvious benefit is reduced helpdesk costs. Plain and simple! There is, however, much more to the story.

When you go ahead with an IAM program, this is what you are really setting out to do:

Streamline processes

Setting up an IAM solution forces one to optimize and define processes that carry no ambiguity, because automation cannot be achieved where there is ambiguity. Don’t count on a partner who is keen to migrate your existing processes into the IAM system without questioning the need or sense behind each process.

Example: Quite a few customers insist on having the employee’s manager approve the request first, and then send it to a secondary owner for a final approval. When questioned, the response often is, “We don’t trust our managers. They may approve just about anything that someone requests, so we need someone else to take a look at it.” The question we then pose is, “Why have the manager approve something when you don’t trust his judgement?” Or “Have the manager approve requests, but educate the users about the responsibility they carry when they approve something.” You get the idea.

Streamline data across systems

This is an opportunity to bring consistency to how data values are treated by applications across the organization.

Example: The location for a person may be “SFO” in one application, “California” in another, and “Calif.” in yet another.

Traditionally, each application owner is used to operating in a silo, and comes up with a naming convention designed to suit the needs of the hour and the application. Standardizing the values across applications lets the organization take charge by bringing in the ability to centrally manage various aspects of user properties, rights, etc.

This change often sees the greatest amount of inertia, but is the one that truly lets organizations leverage their IAM investment. The solution isn’t to avoid standardization. The solution (and opportunity) is to strengthen change management.

Build a platform for future application development

Traditional application development models cater to embedding authentication and authorization into the core of the application itself. With an IAM program in place, you have the luxury and comfort of asking application developers to develop just the business logic in their application. All authentication and authorization related decisions can then be delegated to the IAM platform, resulting in:

a) Application developers focused on core business functionality
b) Having a secure and proven mechanism for authentication and authorization decisions
c) Achieving a complete view of who can do what in which application

In a nutshell, most IAM programs are about implementing a vision. It is an opportunity to question what has been done for years, to optimize, streamline and strengthen the way the organization functions, and to discard the legacy that has ceased to provide value.

To quote Sara Gates, former VP of Identity Management for Sun Microsystems, “Identity Management is like putting brakes on your car. Why do cars have brakes? Everyone says, ‘So they can stop.’ But the real reason cars have brakes is so they can go faster.”

When you are looking for the partner to steer you in the right direction when it comes to such an important topic, Aujas can help. Call me and learn more about how we have delivered IAM projects to clients globally.

December 20, 2010 Posted by | identity and access management, Risk management | , , | Leave a comment

Single Sign-On – Choosing Practical over Paranoid Security

As various business processes are automated in enterprises, a complex IT landscape is created. Multiple applications and platforms require different authentication checks before granting user access. Users need to sign on to multiple systems, each involving a different set of credentials. As a result, accessing systems gets increasingly complicated and frustrating for users and hampers their daily tasks.

Implementing single sign-on (SSO) security functionality can significantly simplify systems access. SSO provides a unified mechanism to manage user authentication and implement business rules determining user access. As only one set of credentials is needed to access multiple systems, SSO improves usability, increases productivity and reduces helpdesk expenses, without compromising system security.

SSO also reduces human error, a major component of systems failure, because the user logs in once and gains access to all systems without being prompted to log in again for each.

Why is SSO relevant?

The need for SSO is accentuated by several issues enterprises face including:

  • Enforcing strong security and password policies at a central level
  • Multiple helpdesks
  • Need for helpdesks to engage in more value-adding tasks rather than be consumed by resetting passwords for users
  • Management of multiple platforms and application models
  • Risk of unsecured, unauthorized administrative and user accounts

SSO types you need to know

Two of the most important types of SSO are:

Enterprise SSO

Enterprise single sign-on (ESSO) systems are designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. The ESSO automatically logs users in, and acts as a password filler where automatic login is not possible. Each desktop/laptop is given a token that handles the authentication.

Web SSO

Single sign-on for web-based applications and a few supported proprietary, closed-source web applications. It is a browser-based mechanism providing single sign-on to applications deployed on web servers within a domain.

The main differences between ESSO and Web SSO approaches are given in the table below.

SSO comparison

ESSO can provide tangible benefits to an enterprise through:

  • Enhanced user productivity – users are no longer bogged down by multiple logins and they are not required to remember multiple IDs and passwords
  • Improved developer productivity – developers get a common authentication framework and don’t have to worry about authentication at all
  • Simplified IT administration – the administrative burden of managing user accounts is simplified. The degree of simplification depends on the applications since SSO only deals with authentication
  • Reduced password fatigue from different user name and password combinations
  • Reduced IT costs due to fewer help desk calls about passwords
  • Improved security through reduced need for a user to handle and remember multiple sets of authentication information
  • Reduced time spent re-entering passwords for the same identity
  • Integration with conventional authentication such as Windows username/password
  • Centralized reporting for compliance adherence like ISO 27001, etc.

Clearly, SSO functionality is a practical approach to security management in an enterprise. Its detractors highlight that once a password is breached through SSO, then other systems become highly vulnerable. However, when weighing the pros and cons of the SSO approach, its benefits in the form of less maintenance and increased usability far outweigh the disadvantages. It can even ensure better protection of the single password, with stronger policies in place, which may not be practically possible if there were multiple passwords to remember. SSO can be a suitable choice for most enterprises that are struggling with the burden of managing access to multiple systems.

December 7, 2010 Posted by | identity and access management, IT security, Physical Security controls | , , , , | Leave a comment

Identity and Access Management – This must be your project, not your partners’!

Lessons Learned

Having been through numerous Identity and Access Management (IAM) implementations, we see two common denominators in terms of customer expectations that rear their ugly heads rather frequently:

  1. Let’s integrate everything that we have, and
  2. Let’s do it all at once

One can understand the excitement we all go through when we contemplate having a solution that allows us to link so many applications, streamline processes with workflow automation and synchronize attributes across the board. While that excitement is infectious and contagious, the sound voice of reason must be heard and listened to.

It is natural for you to want to do as much as you can with a product, and it is human to want all of it done yesterday. Hence, the onus lies on the domain experts to work closely with customers (as partners, not vendors) and plan out a deployment that gives the customers the most results as soon as possible and additional benefits over subsequent phases.

The “good” partner helps the customer prioritize their needs and requirements, and establish plans to achieve those objectives over phases. Strong project management and planning are the keys to a successful IAM program. The products from various vendors are unlike those of 5 years ago; they are now mature, stable and scale exceptionally well, unless hacked to death to fulfil a few exotic requirements.

We cannot lose sight of the top benefits of having a robust IAM program to a company:

  1. IT systems and applications are constantly compliant with a variety of regulations, there are few gaps in access recertification
  2. Processes and access governance have been streamlined – business demands, business approves, and business gets – with minimal or no IT intervention
  3. Password reset is automated and secure, and helpdesk costs are under control
  4. Peace of mind

So next time you want to know whose side the “partner” is on, throw a plan too ambitious at them. While most will try to give you what you demand, you will know during the course of their approach whose interests they have in mind, yours or their own. After all, it is your project and responsibility.

November 22, 2010 Posted by | identity and access management, Identity Theft, IT security, Risk management | , , , | Leave a comment

Information Risk Management Concerns in Merger & Acquisition – A Point of View

Integrating Risk, Compliance and Security Components into the Post-Merger Integration Process

Over the last few years, the Merger and Acquisition space has witnessed high growth. However, as experience shows, getting a deal executed is only half the job done. Capturing the actual value in M&A comes from appropriate and timely post-merger integration of people, operations, processes, information systems, and culture.

Historic data indicates that most M&A deals failed to realize value due to ineffective post-merger integration. This has forced companies to look at post-M&A integration activity as a program with set milestones. Companies today create separate integration teams with a Project Management Office and clear reporting structure. While companies look at retaining customers and key employees, integrating finance and IT functions, and addressing tax and other operational issues, they often fail to identify and address the risk and control environment. This can affect a company’s security and internal control environment. Appropriately addressing security, risk and control issues can save time and compliance cost while minimizing business and legal risk for the combined entity.

Key Security, Risk and Control Challenges

1. How to address compliance requirements and create an effective risk and control environment

When two companies merge, their separate compliance requirements need to be integrated. With different structures, processes, geographies and separate applicability, it becomes difficult to remain compliant, especially during post-merger integration. Further, the risk profile of the merged entity might be different from the pre-merger entities, as there are significant changes in materiality, processes, supporting technology, and control owners.

Implications: Non-compliance, ineffective and inefficient internal audit functions, lack of key risk and control owners, and a higher cost of compliance are some of the common implications.

2. How to manage access rights for employees, customers, affiliates and third parties in an integrated environment

Mergers bring new users, applications and legacy systems that must be integrated for simple, faster and secure access to data. Therefore managing appropriate access to data is critical from both risk and compliance perspectives. Inappropriate access to confidential data can lead to information leakage and loss of competitiveness along with non-compliance penalties.

Implications: Failure to manage access rights to business-critical applications and data can lead to a) unauthorized access to critical business data; b) no access for authorized users; c) excess privileges for some/all users; d) too few privileges for authorized users; e) operational ineffectiveness due to inappropriate access management.

3. How to address privacy requirements of the combined entity

The two companies each store Personally Identifiable Information (PII) for employees, business partners and customers, managed through separate privacy programs, processes and systems.

Implications: Disclosure of private information to unauthorized users can lead to regulatory and legal implications.

4. How to manage business continuity during the transition phase while integrating different IT systems, operations and people

Consolidating ERP, CRM and other business systems, combining the complex infrastructures of two organizations, and changing how people access organization data and critical business applications warrant a robust and updated business continuity plan for recovery and continuity in the event of any disaster or malfunction of an IT system or access infrastructure.

Implications: Unavailability of business-critical applications, preventing access to business data.

Next Week – Part 2 – Approach

November 15, 2010 Posted by | identity and access management, IT security, Mergers and Acquisitions, Risk management | , , , , | Leave a comment

Converged Identity and Access Management – Final

Final in the series “Converged Identity and Access Management”

The IT infrastructure is the backbone of a converged solution, allowing key business data to be shared across systems. For example, a company’s physical security system typically does not have critical business data such as employee status, whereas the HR department’s IT system has such knowledge.

Converging physical security with IT security isn’t easy, but the extra effort it requires can be beneficial, especially for financial, healthcare, and defense organizations. Convergence affords organizations the opportunity to align security with overall business goals, streamline business processes such as provisioning and investigations, and centralize security operations and policies.

Developing common protocols for managing access to company assets and data enables more efficient provisioning and management. Different physical and logical security systems should leverage the extendable interfaces of identity management solutions and thus stay in sync. The key benefit is that security personnel continue to use the tools best suited to their jobs and HR personnel continue using HR tools. Converged security systems therefore allow organizations to improve Return on Investment (ROI).

Key Steps for Convergence

To bridge the organizational gap, the physical security department should work directly with the IT security team to identify:

  1. Authoritative sources of key data used to determine whether a person has permissions to use a resource or access an area.
  2. Compliance or audit needs.
  3. Any business or security concerns that are unique or are especially important to an organization.
  4. Various business processes such as on-boarding, off-boarding and the responsibilities of different systems.
  5. Policies for managing employees who don’t have any logical accounts, e.g., cleaning staff, caterers, etc.
  6. Privacy and security policies that clearly define what personal information is to be collected, how the information will be used, who can access the information, how the information will be protected, and how the individual will control its use and provide updates to the information over time.

Effective Convergence through Events Correlation

With converged access control, organizations can correlate disparate physical and IT security events. For example, it may not seem suspicious for an employee to use a computer. However, physical/logical correlation can ensure that the employee is able to access logical resources only after he has swiped his ID card at the entry door. Or some of the logical resources can be locked for a user as soon as he leaves the premises by using his card at the door.
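The correlation described above, as an added example written for this page (it is not code from the original post or from any Aujas product): constructed badge-reader and workstation logon events are merged into one time-ordered stream, and three kinds of action are derived from it. A logon is allowed when the user's latest badge event is an entry, a logon with no preceding entry badge raises an alert, and the user's live sessions are locked as soon as an exit badge is seen. The users, doors, hosts and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class BadgeEvent:
    """One physical access control (PACS) event: an entry or exit swipe."""
    ts: datetime
    user: str
    door: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class LogonEvent:
    """One logical access event: an interactive logon to a workstation."""
    ts: datetime
    user: str
    host: str


def correlate(badge_events, logon_events):
    """Replay badge and logon events in time order and return a list of actions.

    Each action is a tuple (kind, user, host, ts) where kind is:
      "allow" - logon by a user whose latest badge event is an entry
      "alert" - logon by a user who has not badged in (or has badged out)
      "lock"  - a live session to lock because the user just badged out
    """
    stream = sorted(
        [("badge", ev) for ev in badge_events] + [("logon", ev) for ev in logon_events],
        key=lambda item: item[1].ts,
    )
    on_premises = set()  # users whose latest badge event is an entry
    sessions = {}        # user -> set of hosts with an allowed, live session
    actions = []
    for kind, ev in stream:
        if kind == "badge":
            if ev.direction == "in":
                on_premises.add(ev.user)
            else:
                on_premises.discard(ev.user)
                # The user has left the building: lock every session they hold.
                for host in sorted(sessions.pop(ev.user, set())):
                    actions.append(("lock", ev.user, host, ev.ts))
        else:
            if ev.user in on_premises:
                sessions.setdefault(ev.user, set()).add(ev.host)
                actions.append(("allow", ev.user, ev.host, ev.ts))
            else:
                actions.append(("alert", ev.user, ev.host, ev.ts))
    return actions


# Constructed sample data for one morning; not taken from any real system.
SAMPLE_BADGES = [
    BadgeEvent(datetime(2010, 11, 8, 8, 2), "alice", "main-entrance", "in"),
    BadgeEvent(datetime(2010, 11, 8, 12, 30), "alice", "main-entrance", "out"),
]
SAMPLE_LOGONS = [
    LogonEvent(datetime(2010, 11, 8, 8, 10), "alice", "ws-12"),   # after badging in
    LogonEvent(datetime(2010, 11, 8, 8, 15), "bob", "ws-07"),     # no badge-in on record
    LogonEvent(datetime(2010, 11, 8, 12, 45), "alice", "ws-12"),  # after badging out
]


def demo():
    """Run the correlation over the sample data, dropping timestamps for readability."""
    return [(kind, user, host) for kind, user, host, _ in correlate(SAMPLE_BADGES, SAMPLE_LOGONS)]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The PACS feed is treated as the gate for logical access, which is exactly the dependency the post describes: a logon with no entry badge on record is worth a look (a forgotten badge, tailgating, or a credential used by someone who is not in the building), and a badge-out is the natural trigger to lock what the user left open.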

Conclusion

The convergence of Identity and Access control systems is helping enterprises better protect their intellectual property, monitor access to restricted areas and comply with regulations. It improves the operational efficiency of existing physical security systems and resources. How organizations choose to implement this should be aligned with their business strategy and security and compliance requirements.

November 8, 2010 Posted by | identity and access management, IT security, Risk management | , , , | Leave a comment

Number of Breaches Going Up and Up!

Information management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In issue 17 of Risky Business, I posted this brief article and supporting statistics for you to read. I was curious to see how the data changed in one month; I assumed it would go up, but by how much? You can see for yourself below in the last line.

The following data was collected from the Identity Theft Resource Center® website, idtheftcenter.org.

2005 Breach List: Breaches: 157 Exposed: 66,853,201
2006 Breach List: Breaches: 321 Exposed: 19,137,844
2007 Breach List: Breaches: 446 Exposed: 127,717,024
2008 Breach List: Breaches: 656 Exposed: 35,691,255
2009 Breach List: Breaches: 498 Exposed: 222,477,043
2010 Breach List (as of 10-5-10): Breaches: 533 Exposed: 13,517,866

2010 Breach List (as of 11-2-10): Breaches: 571 Exposed: 14,000,609

November 8, 2010 Posted by | Cyber Crime, identity and access management, Identity Theft, Risk management | , | Leave a comment

Understanding the Need for Converged Access Control

According to a study conducted by Carnegie Mellon University, critical system disruptions, loss of customer and partner information, loss of confidential intellectual property, brute-force attacks, fraud, reputation risk, etc. were mostly attributed to actions by insiders.

The grave dangers of insider threats, arising from employees retaining their system and/or physical access even after job termination, can be understood from a shocking incident that took place recently. A US-based Water Service Company auditor, who had resigned from his post, sneaked into the company’s building and accessed a former coworker’s computer to transfer $9 million from the company’s funds to his personal account.

Insider threats, in which disgruntled employees or ex-employees gain access to the enterprise’s computer systems or networks, are a case of improper Identity Management!

Proliferating Disconnected Identities – Root Cause for Mismanagement of Identities!

In most organizations, logical and physical identities grow excessively in number, making it difficult for the organization to track and manage all the identities effectively.

On the logical side, an employee may have one identity within the enterprise HR system, such as an SAP system. That identity typically consists of salary, benefits, insurance and other specific employee details. Then there is a logical identity, for the same employee, within the information technology department’s directory software – such as those from Microsoft, Novell, CA, Sun Microsystems, or Oracle. This directory controls the permissions for network, database and software applications for the logical identity. Within the organization’s intranets, databases and applications, the user may have still more identities, in the form of the different user IDs and passwords or PINs he/she uses to log into each logical resource of the organization. This employee will have at least one more identity: a physical credential of some sort used for access to organization infrastructure – workstations, buildings, floors, parking garages, warehouses, research labs, etc.

Then there are cases of mergers or acquisitions of organizations, which often result in more than one brand of Physical Access Control System (PACS) in the organization. In enterprises with more than one brand of PACS and several facilities or areas users must enter, a user may have more than one physical access credential—and therefore, more than one physical identity.

Unconverged identity management systems either result in error-prone manual interventions or security issues!

Next: The Need for Converging Identities

November 4, 2010 Posted by | Access control, identity and access management, Risk management | , , , | Leave a comment

Stuxnet Accelerates Exponential Decay!

Often, change within the technology arena is seen through the lens of Moore’s Law; computer power doubles every eighteen months. Many predictions of the Law’s demise have come and gone. As technology approaches the physical limitations inherent in Moore’s Law, innovation has accelerated. Moore’s Law was convenient for expressing technology’s exponential growth.

However, the Law’s converse – exponential decay – has eclipsed the “Law” and is unrestrained. The broader concept of exponential decay operates unreservedly. Exponential decay spurs innovation, is unrestrained by the present, and arises from the half-life of earlier developments.

Information Security solutions are following a similar construct: exponential decay. The perimeter defense built to address external threats has degraded to also-ran status. Expanding business needs and active circumvention of the perimeter are rendering it less and less effective.

The progression of security threats, similarly, follows an exponential decay model. Hacking has given way to monetization attacks and espionage; sophistication grows, barriers to entry decrease, and specialization rises. Exponential decay, also, produces geometric increases in records and funds lost in breaches.

Stuxnet’s introduction to the world represents the next stage of exponential decay. It epitomizes a militant threat capable of incapacitating industrial production. However, such a sophisticated cyber capability encourages derivatives.

Stuxnet’s independent mutation ability and intra-communication have profound implications. An enterprise (military, government, academic, industrial, etc.) should consider itself compromised, regardless, by some form of cyber-malice capable of harvesting or destroying value. Intra-communication is difficult to detect.

One enterprise defense from mutation and intra-communication within the enterprise is layered protection (versus layered defense). While the enterprise perimeter is an anachronism externally, it has value inside the enterprise. Tightly controlling access gives the protection and time to address such attacks.

Emerging technologies that allow enterprises to build layered, trusted perimeters, rings within rings, are the exponential decay’s response to these new threats. Watch for DLP, SIEM, and GRC applications to add layered perimeter capabilities and tracking of intra-communication. Include intra-communication monitoring within perimeters as a required feature in product selection or expansion.

Authored by Charles King, CISSP – King Information Security, LLC

November 4, 2010 Posted by | Access control, identity and access management, Risk management | , , | Leave a comment

The Need for Converging Identities

Part 2 in the Converged Identity and Access Management Series

One of the most important reasons for converging identities is that logical and physical identities multiply when they are disconnected; it is time-consuming, expensive and inefficient to manage them. And this applies across the organization’s domains – IT, physical security, business units and risk managers.

Another equally pressing issue is that security can be more easily compromised when physical and logical identities are separated. A physical identity may appear legitimate to a standalone PACS but it might no longer be trusted by the enterprise network. That is what happens when an employee is terminated in the logical systems and that information isn’t immediately relayed to a PACS. If the enterprise has more than one PACS, and they are not integrated with each other, it may take several more steps to ensure all PACS block the ex-employee’s credentials.

Physical or logical credentials that are kept alive even after an employee has left an enterprise can be the cause of a compliance gap and, at worst, can leave the virtual or physical door open for fraudulent attacks. The federal government has acknowledged the importance of converging technologies and has been a significant driver for the development of these technologies. For example, in 2004, Homeland Security Presidential Directive 12 (HSPD-12) was passed, requiring all federal government employees and agencies to use a converged physical and logical ID badge. Standards were created for how the badge is designed, what identity elements are present inside the card, and how the card is used for physical and logical access. This policy is intended to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.
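To make the gap this post describes concrete (and the spread of one employee across HR, directory and several PACS brands described in the earlier “Understanding the Need for Converged Access Control” post), here is an added example written for this page; it is not code from the original post or from any vendor’s product. It treats the HR system as the authoritative source and reconciles it against a directory and two separate PACS, reporting directory accounts and badge credentials that are still active for terminated employees, plus identities with no HR record at all. The data structures, employee IDs, logins, card numbers and system names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """Authoritative employee record from HR: status is "active" or "terminated"."""
    employee_id: str
    name: str
    status: str


@dataclass(frozen=True)
class DirectoryAccount:
    """Logical identity in the enterprise directory, linked to HR by employee_id."""
    login: str
    employee_id: str
    enabled: bool


@dataclass(frozen=True)
class PacsCredential:
    """Physical identity: one badge in one PACS, linked to HR by employee_id."""
    card_id: str
    employee_id: str
    active: bool


def reconcile(hr_records, directory_accounts, pacs_systems):
    """Compare every logical and physical identity with the HR source of truth.

    pacs_systems maps a PACS name (one per brand or site) to its credentials.
    Returns a sorted list of (system, identifier, finding) tuples, where finding is:
      "terminated_but_enabled" - directory login still enabled after termination
      "terminated_but_active"  - badge still active after termination
      "no_hr_record"           - identity not linked to any HR record (orphan)
    """
    status_by_id = {rec.employee_id: rec.status for rec in hr_records}
    findings = []

    for acct in directory_accounts:
        status = status_by_id.get(acct.employee_id)
        if status is None:
            findings.append(("directory", acct.login, "no_hr_record"))
        elif status == "terminated" and acct.enabled:
            findings.append(("directory", acct.login, "terminated_but_enabled"))

    for pacs_name, credentials in pacs_systems.items():
        for cred in credentials:
            status = status_by_id.get(cred.employee_id)
            if status is None:
                findings.append((pacs_name, cred.card_id, "no_hr_record"))
            elif status == "terminated" and cred.active:
                findings.append((pacs_name, cred.card_id, "terminated_but_active"))

    return sorted(findings)


# Constructed sample data; employee IDs, names, logins and systems are hypothetical.
SAMPLE_HR = [
    HrRecord("e100", "Alice", "active"),
    HrRecord("e101", "Bob", "terminated"),
    HrRecord("e102", "Carol", "active"),
]
SAMPLE_DIRECTORY = [
    DirectoryAccount("alice", "e100", enabled=True),
    DirectoryAccount("bob", "e101", enabled=True),         # never disabled after termination
    DirectoryAccount("carol", "e102", enabled=True),
    DirectoryAccount("svc-legacy", "e999", enabled=True),  # nobody in HR owns this login
]
SAMPLE_PACS = {
    "pacs-hq": [
        PacsCredential("card-0001", "e100", active=True),
        PacsCredential("card-0002", "e101", active=True),  # Bob can still open HQ doors
    ],
    "pacs-warehouse": [                                    # second brand, never integrated
        PacsCredential("card-9001", "e101", active=True),
        PacsCredential("card-9007", "e999", active=True),  # orphan badge
    ],
}


def demo():
    """Reconcile the sample systems and return the findings."""
    return reconcile(SAMPLE_HR, SAMPLE_DIRECTORY, SAMPLE_PACS)


if __name__ == "__main__":
    for system, identifier, finding in demo():
        print(f"{system:15} {identifier:12} {finding}")
```

Run periodically, a report like this is the minimum an unconverged environment needs: each finding is either a credential that should already have been disabled when HR recorded the termination, or an identity that no authoritative record explains. A converged identity management solution removes the lag by driving the directory and every PACS from the same HR event instead of catching the discrepancy afterwards.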

November 4, 2010 Posted by | identity and access management, Risk management | , , | Leave a comment