Eliminating Passwords in the Enterprise

Passwords can be a pain for everyone. They are not secure and are prone to misuse. Isn’t it time to get rid of them entirely?

While issuing an enterprise credential with a strong password is fairly easy to accomplish, managing that password over the credential’s lifetime is more difficult. User password resets, compromised passwords and a lack of synchronized passwords across enterprise systems all cause problems for users, IT departments and security professionals.

And users truly hate passwords. There are too many to remember, each system has different rules, and there is a lack of standards for reset processes.

A positive associated with passwords is that they are well understood by both providers and end-users. They offer portability, through reuse and single sign-on, and are supported by all identity and access management (IAM) platforms. Corporate policies for using passwords with credentials are also well established.

But usability and security of password-backed credentials are in decline, and a passwordless future is something that keeps coming up in the IAM conversation. So what will it take?

I do not believe it will be any one technology or single method that replaces passwords in enterprise access management. There are simply too many user, business, application and compliance requirements out there for a one-solution-fits-all scenario.

In the online world we have an embarrassing number of authentication options. Examples of biometrics include the iPhone fingerprint reader and the up-and-coming Nymi band. Hardware tokens have been here for a while. Smartphone tokens work fairly well. And this stuff is not really all that new—in 2007 I blogged about authenticators such as fobs, proximity cards and USB tokens.

With all of these options, it does not seem likely that any one technology will swoop in to corner the market and single-handedly replace passwords. But that’s okay—I don’t think we need a killer authenticator or login process. A better option is a flexible IAM solution that offers adaptive (or context-based) authentication.

Today, access management systems provide a traditional username plus password credential:

Figure 1 – Traditional Access Management

The access manager software has logic that determines that a username and password are required, and that both must match the entry in the directory—pretty straightforward stuff. But this is an old approach, invented when users’ screens were green and bellbottoms were cool.

If we want to eliminate passwords, we need a better access manager—one that supports adaptive authentication.

Let’s say we want to improve the experience by accepting either a username plus password, or a username plus an equivalent authenticator. And let’s assume we have issued mobile phones with contactless technology to our users. In this case, the adaptive authentication process might work something like this:

Figure 2 – Adaptive Access Management

The access rules (white boxes) direct the authentication process. (This is a simple case—using adaptive access management, you can extend this flow to include multiple authenticators and checks.)

As products mature, the flexibility to add logic and capabilities to these processes will increase. The more rules you implement, the more secure—yet potentially just as easy—the access can become.

Wait: you mean secure OR easy, right? Isn’t there always a trade-off? Well, the implementation of adaptive authentication technology may be difficult, but the user experience can be simplified. If all we need is to eliminate passwords, then the alternate authenticator needs to be as strong and, hopefully, easier to manage. If the contactless smartphone is that authenticator, we meet or improve on both security and ease-of-use.

The point is that the combination of authenticators—aligned with the level of assurance required by the network, application or service—is what matters. It does not matter that a password is involved.
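The rule-driven flow of Figure 2 can be made concrete with a small policy engine. The following is an added example and not code from the original post or from any product: the authenticator catalogue, the three assurance levels, the resource classifications and the step-down/step-up rules are all assumptions chosen for illustration. It goes slightly beyond the post’s password-or-phone case to show the check a practitioner would want in the rule set: a single possession factor (the contactless phone) is accepted where the post says it should be, but the highest-sensitivity resources still require two distinct factor types, and an unknown resource or unknown authenticator fails closed.

```python
"""Toy adaptive (context-based) access manager.

Added example. Assumptions not taken from the original post: the
authenticator names and strengths, the 1..3 assurance levels, the
resource classifications and the rules below.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"      # something you know (password)
    POSSESSION = "possession"    # something you have (contactless phone)
    INHERENCE = "inherence"      # something you are (fingerprint)


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Factor
    strength: int  # assurance level this authenticator supports on its own


# Hypothetical enterprise authenticator catalogue.
AUTHENTICATORS = {
    "password": Authenticator("password", Factor.KNOWLEDGE, 1),
    "nfc_phone": Authenticator("nfc_phone", Factor.POSSESSION, 2),
    "fingerprint": Authenticator("fingerprint", Factor.INHERENCE, 2),
}

# Hypothetical classification policy: resource -> required assurance level.
RESOURCE_ASSURANCE = {"intranet": 1, "email": 2, "payroll": 3}
MAX_LEVEL = 3


@dataclass
class Context:
    resource: str
    managed_device: bool = False     # device is enrolled and known
    corporate_network: bool = False  # request originates on the corporate network


@dataclass
class Decision:
    allowed: bool
    required_level: int
    achieved_level: int
    reason: str


def required_level(ctx: Context) -> int:
    """Rule 1: assurance needed comes from the resource's sensitivity.
    Unknown resources fail closed to the highest level. A moderate (level 2)
    resource steps down to 1 on a managed device on the corporate network;
    level 3 resources never step down."""
    level = RESOURCE_ASSURANCE.get(ctx.resource, MAX_LEVEL)
    if level == 2 and ctx.managed_device and ctx.corporate_network:
        level = 1
    return level


def achieved_level(presented: list[str]) -> int:
    """Rule 2: score what the user actually presented.
    One authenticator scores its own strength. Two authenticators of
    distinct factor types count as multi-factor and score the top level.
    Two of the same type (e.g. two passwords) never beat the best one."""
    auths = [AUTHENTICATORS[name] for name in presented]
    if not auths:
        return 0
    distinct_factors = {a.factor for a in auths}
    best_single = max(a.strength for a in auths)
    return MAX_LEVEL if len(distinct_factors) >= 2 else best_single


def authenticate(ctx: Context, presented: list[str]) -> Decision:
    """The access rules (the white boxes in Figure 2): compare what the
    context requires with what was presented. Unknown authenticator names
    are rejected before any scoring."""
    need = required_level(ctx)
    unknown = [p for p in presented if p not in AUTHENTICATORS]
    if unknown:
        return Decision(False, need, 0, f"unknown authenticator: {unknown}")
    got = achieved_level(presented)
    if got >= need:
        return Decision(True, need, got, "ok")
    return Decision(False, need, got, f"step-up required: need level {need}, presented level {got}")


if __name__ == "__main__":
    # Username plus phone replaces username plus password for email (level 2)...
    print(authenticate(Context("email"), ["nfc_phone"]))
    # ...but the phone alone is not enough for payroll (level 3).
    print(authenticate(Context("payroll"), ["nfc_phone"]))
    print(authenticate(Context("payroll"), ["nfc_phone", "fingerprint"]))
```

The interesting behaviour is in the two rule functions: the same user presenting the same phone is accepted for email but pushed to a step-up for payroll, and a password on a managed, on-network device still reaches email even though the password alone is rated level 1. Those are the policy decisions the post says must be written down before the rule set is implemented.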

Once the right technology is implemented, the process to migrate away from passwords is fairly straightforward: offer users an option to log in with their phones and watch the migration occur on its own. In six months, force the switch and you have eliminated passwords entirely.

There is a catch (of course). The organization’s password and access policies will need to change. In my experience, these policies are specific to passwords (length, composition, etc.) and cannot support adaptive authentication as I have just described.

It is critical to create policies and standards for authentication assurance (and identity proofing), based on the sensitivity of information. The types of rule sets necessary to implement compliant adaptive authentication can then be based on clear policy. IAM expertise is needed to do this effectively.

Because business, IT architecture, security and privacy teams need to be on board, the benefits and risks associated with adaptive authentication need to be understood. Critically, the organization’s leadership also needs to be informed of the risks of current password-based access management in order to secure support. All this takes time and skill to do well.

Adaptive authentication, revamped policies and senior management support—that’s what it will take to eliminate passwords. Are you ready to say goodbye to your passwords?

Mike Waddingham
President, Code Technology Corp.
Blogger, CodeTechnology.ca

[ISACA]

Why You Shouldn’t Study for Certification Exams

People often ask me about the best way to prepare for a successful CISA, CISM, CGEIT or CRISC examination. They are usually surprised to hear my advice: Do not study for the exam at all—study for the knowledge!

In my opinion, what sets ISACA’s certifications apart from many other credentials on the market is that ISACA exams actually test your professional experience rather than your exam-cramming skills. Many exam items are mini scenarios that require you to apply your knowledge to typical issues arising in your daily work. You will hardly find any purely definitional items.

I recommend adapting your studying strategy and following a long-term learning approach. Using this process, try to avoid subjectivity in the sense of the idiosyncrasies of your organisation. Companies, both large and small, tend to become blind to the shortcomings in their methods and processes. And, particularly within SMEs, the number of staff in information security, risk management, IT audit or governance with whom to share insights is often limited.

To avoid these pitfalls, implement some means for acquiring and exchanging knowledge in your professional life. For example:

  • Follow your professional colleagues on social media sites such as Twitter or LinkedIn. Look at who they follow to identify the thought leaders within your domain.
  • Read or contribute articles to blogs and periodicals, e.g. the ISACA Journal or the ISACA Now blog.
  • Follow a massive open online course (MOOC). Many universities offer free online courses and classes.
  • Attend professional conferences or seminars as a delegate or speaker. There are events for every budget, and speakers are often invited for free. Use the occasion to network with peers from other organisations or industry sectors.
  • Join or found a professional community. Meet with other colleagues from your region or vertical. This is also a good opportunity to receive hints from successful exam takers or find peers who are also preparing for the exam.
  • Volunteer at ISACA or another association. See who has an active chapter in your geographic area.

In addition to the tips above, regularly review for the exam using ISACA’s study materials, including the review manual and the review questions. Keep in mind that the review manuals do not comprise a complete body of knowledge. Refer to the job practice areas (specifically the task and knowledge statements) that provide the basis for the exam. Identify your weak spots and adapt your focus of study if necessary.

Once you are well prepared, register for the exam. During the exam, if you are unsure of the right answer, take a business perspective on the question. Ask yourself, ‘If this was my organisation, how would I like the issue to be solved?’

This approach to learning will not only help you to become certified, but also will benefit your professional skills in general. As a side note, it also allows you to easily and almost automatically earn your CPE hours and maintain your certification.

Tim Sattler, CISA, CISM, CGEIT, CRISC, CISSP, CCSK
IT Compliance Manager, Group Information Security Officer at Jungheinrich AG, Germany

[ISACA]

Why Cyber Readiness Activities Are Important

“Paper” knowledge of the core cybersecurity domains, as tested by the CISSP and other security certifications, is helpful. But with the rapid change in adversary tactics and new technologies, exercising against that knowledge is critical. We must exercise our skill set to maintain day-to-day vigilance on our networks.

Both government and industry cyber readiness is critical. Often there are unanticipated vulnerabilities – in our platforms, in our behaviors – that don’t rise to the surface until we exercise and learn about the strengths and gaps in our skill set. You’ve heard it before: what you don’t know, you don’t know. Many agencies have red teams who run such ongoing testing – of systems and of people. Both are important, as either systems or people can be the weakest link when protecting your networks.

Palo Alto Networks strongly believes in and supports such testing for cyber readiness. Each year, we put our money where our mouth is and participate in critical exercises and related activities – two of which are going on this week. We’re excited to be participating in two events – one in the UK and one in the U.S. – where we help arm professionals on the American and European coasts:

  • In the UK, Palo Alto Networks is excited to be participating in this year’s Cyber Security Challenge UK. On HMS Belfast in London, teams compete to test their cyber savvy. While this is fun, it is serious as well: the UK is prioritizing cyber, ensuring that not only government but businesses throughout the UK can maintain the security of their infrastructure. Backed by GCHQ, the #CyberMasterClass15 held over these last two days is the 48-hour culmination of more than 10 months of qualifying rounds, in which thousands of participants were narrowed down to a few dozen of the UK’s most talented amateur cyber defenders. Read more about our role in the Challenge here.
  • In the U.S., hosted by immixGroup, “Cyber Operations Tools: Stemming the Threat through I.T.” enables U.S. government agencies to train on the current and cutting edge cyber security tools available. With the need to identify and thwart intrusive attacks, training on what is already available to help them do just that is critical. Cybersecurity professionals choose to spend anywhere from an hour to a whole day with industry experts reviewing in-depth demonstrations and otherwise gaining insight into what is available to them. See full details here.

Pacific Endeavor and Combined Endeavor, which exercise the world’s militaries for communications readiness, also include a cybersecurity component to understand where we’re vulnerable across the world’s defenses and to address the issues. While Combined Endeavor will return in 2016, we are quickly getting ready for the 2015 Pacific Endeavor.

We can’t stop here. As security professionals, we know the world of cyber and the threat landscape changes literally by the minute. One exercise is insufficient – we must maintain our cyber readiness skills in meaningful ways, from ongoing education plans to testing. If you’re a CIO or CISO, what are you doing to ensure that all of your teams who have an impact on the security of your network and data have the skills that they need? And are you ensuring those skills are in place across host, data center and cloud, SCADA infrastructure and the entire network that potentially touches the public domain? How do your professionals maintain that skill set on an ongoing basis? Don’t forget the people component of your programs. (Our CSO, Rick Howard, recommends some good reading on how to keep your teams trained and ready; see one of his recent nominations to the Cybersecurity Canon.)

Don’t forget, we also arm our existing customers with the very latest cutting-edge technology they can use today – as well as Ultimate Test Drive (UTD) sessions and labs for hands-on activities, at our annual user conference, Ignite 2015, coming up in just a few short weeks. This year, we’re adding luncheon roundtables where some of the brightest minds come together to discuss their challenges with the experts who have helped numerous other customers overcome the same.

Take a minute this week to think about your own team of cybersecurity professionals – and those within your organization who don’t touch security day-to-day but need to be armed with critical baseline knowledge to keep all of your network assets protected. Make it a priority to consider career development plans and training that help them to help you and your agency or company. We are all better off for it.

[Palo Alto Networks Blog]

Security Management and Internal Audit: Becoming Two Sides of the Same Coin

Internal security audits are a valuable source of information and highlight the areas that require attention, but do not be overly driven by their findings and recommendations.

Excessively strengthened security controls can impact business negatively. Security-related audit findings must be viewed in context of the relationship between business goals, the threat profile and the security controls. Security management and internal audit are two separate streams, but are driven by similar goals and fundamentally can be two sides of the same coin.

Sometimes, security controls are appropriate for the infrastructure but not relevant for the business itself. This results in the organization’s internal audit team finding weaker security controls within the infrastructure. In such situations, collaboration between security management, internal auditors and the business must resolve the trade-off between compliance and noncompliance with the organizational security policies. Security management must be able to explain the business rationale for weaker controls to the auditors and, at the same time, clearly communicate to enterprise management the risks of not complying with the strengthened security policies. By doing so, security management ensures that the risk is understood and accepted by management.

Utilizing a risk-based approach to security management practice and internal audit can enable both streams to add value to the organization. It can help security management identify and prioritize the more vulnerable components of the infrastructure and address those exposures appropriately. Similarly, a risk-based audit approach can help auditors perform audits on the more critical parts of the infrastructure, understand the business requirements properly, and reduce time and cost by conducting a more focused audit.

Enterprise data centers are increasingly managed by outsourcing partners. When it comes to partners’ compliance with an organization’s security policies, outsourcing contracts that are poorly defined with regard to security can raise financial and fulfillment issues, putting the whole business at risk. Therefore, security management must be involved in every stage of the outsourcing lifecycle—from initial negotiations through to sign-off and maintenance of the contract. Additionally, security management must bring management, internal auditors and outsourcing partners to an agreement on the best solution and the way forward for the organization while mitigating the risks highlighted by the audit team.

Well-defined security management practices, aligned with the business and with internal security audit, ensure the protection of the organization’s information, data and IT services, and help the organization meet its objectives. As larger organizations increasingly adopt outsourcing strategies, the onus on the security management practitioner grows too. With new threats emerging and technologies evolving, ensuring the overall security of the organization can become a challenge in cost, process and effort if outsourcing contracts do not accommodate security policy updates. Hence, it is critical that business management involves its security management practice when outsourcing its infrastructure.

Depending on the organization’s business goals, resources and threat profile, security management can take a risk-based approach to advise which components of the infrastructure can be outsourced while remaining compliant with policies and addressing the findings of the internal audit team. Security management and internal audit must work hand in hand to effectively secure the business. Otherwise, the two streams can become counterproductive to the cause.

Muhammad Waheed Qureshi, CISA, CIPP/IT, CISSP, ITIL V3 Foundation
IT Security Analyst, Accenture -Sweden

[ISACA]
