February 5, 2012

The Virtualization of Security and the Rise of Security as a Service


In the same way that the cloud emerged from software virtualization, cloud security can only emerge from the process of virtualizing security itself. As virtualization separated software from hardware, allowing enterprise software to move freely, first across servers and eventually to external cloud infrastructures, security must now be separated from enterprise applications so that the applications themselves can be replaced with new cloud applications and eventually move to specialized clouds. Enterprises worldwide are already embracing the cloud for email, CRM, file sharing, collaboration, HR and other functional business applications. To properly manage cloud risk and compliance, IT needs a consistent way to inject its own security policy across cloud applications. Since these applications are operated by different cloud providers with different security capabilities, distinct security frameworks and diverse APIs, the security needs to be implemented outside these cloud applications.


That separation or virtualization of application security is the raison d'être of Symantec O3: the creation of a security control point outside the application and under the governance of IT. The cloud security gateway integrates with the legacy security infrastructure, which it fully leverages to externalize application security. In doing so, the cloud security gateway separates the security infrastructure from the application infrastructure. The application software is then free to move to the cloud. The complex security infrastructure does not need to follow it. All IT security controls remain in place. This approach of security virtualization can be applied to any type of application, internal or external, whether it is running on a private or a public infrastructure. This allows CIOs to morph their cloud strategy over time. An enterprise can start with SaaS and virtualized applications running on a private corporate cloud. These private clouds can then transform into semi-private clouds (virtual private clouds or hybrid clouds). Eventually the whole IT infrastructure for applications can be replaced with public clouds such as IaaS or PaaS. The security infrastructure, on the other hand, can persist. The same security policies can be enforced. There lies the true benefit of cloud security virtualization: a single security infrastructure independent of the cloud providers.


What happens next? As CIOs become increasingly comfortable with not running the infrastructure, the complex security infrastructure must also go to the cloud. Security becomes its own cloud. The cloud transformation is complete. First the cloud security gateway, then security infrastructure as a service. Just as virtualization was the catalyst for infrastructure as a service, the application security gateway becomes the catalyst for security as a service.


Can it mean that security companies must become specialized security infrastructure providers? Or is their fate to become exclusive arms dealers to enterprise cloud builders instead? Interestingly, security may well be the only viable answer to the infrastructure commoditization strategy embraced by the likes of Amazon and Google. This fact alone will make it worthwhile watching the enterprise security and infrastructure markets. So let us stay tuned. The security revolution is being televised. In fact, it appears that it will be streamed straight from the cloud.

January 1, 2012

The Four Horsemen of Cloud Brokering


The concept of cloud brokering has been drawing more attention lately. In particular, Gartner has developed quite a bit of market analysis on the topic. Most of these analyses tend to focus on the business of cloud brokering. However, I find it insightful to consider the potential technology platforms associated with cloud brokering. Very often, the largest and most durable technology businesses are strongly intertwined with differentiated, scalable, hard-to-replicate technology platforms (i.e. databases, operating systems, search engines). By nature, these platforms provide a long-term sustaining competitive advantage. Furthermore, when it comes to corporate strategic investment or VC funding, the ability to articulate breakout platform opportunities can prove invaluable. Platform envy can significantly increase investors' belief in a new and unproven business model such as the one we will be discussing here.


So, let us try to identify the four most compelling cloud brokering platforms, capable of fueling and sustaining large revenues within the emerging market of enterprise cloud services.


Security Brokers - The Cloud Firewall

The first platform candidate is the security broker. Security is certainly a key concern of enterprises contemplating the adoption of cloud services and infrastructures. CIOs and CSOs need a coherent security strategy to manage risk and compliance across cloud providers and architectures (private, public, semi-private clouds). Because of the heterogeneous nature of clouds, the proposed solution is to unify external security under a single security control point, the cloud security broker. Security cloud brokers become security hubs across multiple enterprises (tenants) and cloud services, allowing enterprises to harmonize security despite differences in cloud providers' security frameworks, capabilities and APIs. The strategic technology underpinning the platform is the cloud security gateway [link to previous blog]. This cloud firewall becomes the security control point for the cloud. Security brokers operate or manage them. Initially, security brokers may get pinned down as identity and access brokers, but as SSO and access management quickly commoditize, information security and information management become the predominant value of cloud security brokering (e.g. encryption, data loss protection, rights management, backup, archiving, eDiscovery). For cloud security brokering, large security companies such as Symantec [Link to O3] should play an important role since the platform becomes an essential delivery mechanism for security across mobile devices and cloud services. In addition to the emergence of cloud security brokers implemented as web security gateways, one should anticipate security to be increasingly delivered at the edge of the network by specialized cloud providers, a little bit like content is increasingly delivered through CDNs. This means that large network infrastructure providers such as Telcos and Internet infrastructure companies such as Akamai should also play an important role, especially in the SMB segment, which already prefers a "no software" delivery model.


User Management Brokers - The Cloud Identity Hub

The second large cloud brokering opportunity is the "identity hub". The identity hub is identity management as a service. In the long run, the identity broker replaces traditional enterprise IDM. In the short run, the cloud identity broker supplements existing IDM systems by enabling the provisioning and life-cycle management (profile management, credential reset, etc.) of users across external cloud services. In that sense, the identity hub is a virtual directory in the cloud. It brokers identity from the enterprise to external cloud providers. In today's early days of cloud, legacy user repositories such as Active Directory or LDAP stores remain the enterprise's authoritative identity stores. Over time, as the center of gravity of IT shifts from on-premise to cloud, the identity hub becomes authoritative and starts governing identities across both internal and external applications. On top of these multi-tenant cloud directories, user management self-service, workflow and governance services emerge, making the cloud identity broker the natural heir of today's identity management platforms. One should expect IDM companies to eventually dominate the space. However, many of these companies will be slow to embrace the cloud due to lack of cloud DNA or fear of cannibalizing their legacy business. Hesitation may leave the barn door wide open for large SaaS vendors that already think of themselves as platforms and already house important elements of enterprise identities. CRM, collaboration and HR SaaS vendors such as Salesforce, Google, Box.net, Workday or SuccessFactors (now SAP) come to mind as legitimate candidates to occupy the enviable position of identity broker within the cloud eco-system.


Service Management Brokers - The Cloud & SaaS Marketplace

The third obvious cloud brokering platform opportunity is the cloud and SaaS marketplace. This cloud exchange is to the enterprise and cloud services what the Apple store is to consumers and their beloved device: the mission-critical broker service that integrates, manages, fulfills and bills cloud services. This cloud broker is essential to the transformation of IT into a business enablement function (i.e. IT as a Service). As IT transforms into a service organization focused on agile business enablement, some primitive capabilities become foundational: automated procurement of cloud services, on-demand provisioning of users and elastic deployment of applications. The enterprise SaaS marketplace becomes the metaphor for business functions and employees to access the new IT capabilities in self-service. IT itself becomes the ultimate broker, but it needs a specialized technology platform. The broker makes IT truly capable of enabling heterogeneous services while ensuring capacity, monitoring SLAs, and usage-based billing across the different groups and functions that comprise a large enterprise. Integration is another critical value-add of the SaaS service broker. SaaS marketplaces therefore must be more than simple SaaS stores; they must be thought of as end-to-end platforms that can support the dynamic meshing and flexible workflow composition of external cloud services across multiple providers. They need to be tightly integrated with corporate identities and corporate information as well. These are the characteristics of a true cloud platform and potentially a very large enterprise business. Cloud and SaaS marketplaces should be the promised land of the traditional middleware and system integrators such as Oracle, HP, IBM, Microsoft or Dell, unless the dominant SaaS platforms manage to "force" their way into the new market to beat the incumbents.


Data Integration and Intelligence - The Cloud Datamart

The last and maybe the largest cloud brokering platform may turn out to be the cloud data mart. Son of Hadoop and Cassandra, this cloud broker rules the cloud data integration and intelligence markets. The business problem it will solve is the age-old IT challenge of business data integration and business intelligence. When corporate data actually resides across distributed cloud services and databases (HR, CRM, finance...), this old problem becomes a whole new ball game. The technology cornerstone is a cloud database: multitenant, distributed, yet capable of integrity. Think of it as an intelligent data warehouse infrastructure at the edge of the network, capable of logging, aggregating, and intelligently analyzing corporate information stored across multiple enterprise SaaS services. It is both a big data challenge and a cloud integration challenge. The cloud data mart needs to integrate with the CRM, HR and ERP systems of tomorrow. We already know that these systems and their data stores will no longer stand on-premise. A cloud database is a fairly thorny technical problem in itself. Cloud data integration is its business killer app. The technical and business requirements are extremely ambitious but rewarding. Can you imagine the next generation Oracle, Splunk and Business Objects as a single cloud offering?!


Business and technology predictions are good form at the beginning of a new year. Of course, these predictions will often be defeated by the devils of execution. Most are soon forgotten. Yet there should be little doubt that the heterogeneous and distributed nature of the cloud creates large business opportunities for cloud brokers. The shift to the cloud screams for changes in technology platforms. With changes come land grab opportunities. As product people and architects, it is thought-provoking to imagine the lands we should set course to in order to find the new gold. Eldorado or fool's gold, that is the only question.

October 4, 2011

The Perimeter is Dead, Long Live the Cloud Firewall.

Today, we are announcing the Symantec O3 early access program, a new approach to securing enterprise clouds. But what is Symantec O3 really about? No doubt, cloud is an inexorable IT trend. However, CIOs and CISOs often cite security as a major concern. That is not to say that the new cloud platforms are fundamentally more insecure than the computing platforms that preceded them. Quite the opposite: cloud-oriented architectures have the potential to provide stronger security than most IT organizations can achieve today.


Nevertheless, SaaS applications and cloud infrastructures challenge in their own way IT's fundamental function of defining and enforcing consistent security policies across devices, users, and information. The new cloud platforms directly conflict with the need for enterprises to establish consistent risk profiles and compliance postures. The shift to the cloud is eroding our traditional controls. Network-based security is no longer as effective since the network is no longer ours. The network and its controls now belong to Salesforce, Amazon or Google.


The shift to the cloud raises a fundamental question regarding the role of tomorrow's IT. If IT can outsource desktops, applications and infrastructure operations, can IT also outsource the governance of corporate digital policies? The answer is simple. IT should not have to embrace the cloud at the cost of renouncing its "raison d'être"! We ought to be able to embrace the clouds without relinquishing control of our own security policies.


This need to layer IT-driven security independently of cloud providers drives the emergence of a new security control point. The new control point must act as a "cloud firewall." Unlike its sibling, the cloud firewall inspects outbound traffic. It is not network-centric but web-centric, since Web protocols are the cloud's lingua franca. The security gateway leverages identity and access control to insert itself between all user devices (fixed or mobile) and cloud infrastructures (private or public). It creates a new layer of IT security and governance. By virtue of being inline with cloud traffic, the cloud firewall is context-aware (identity, device type, location, time, etc.). It is also content-aware, providing information security through the deep inspection of HTTP streams and the application of DLP, encryption and tokenization technologies. Indeed, the cloud firewall has complete visibility. It feeds cloud access and information events into log management systems that can now correlate security information across internal and external systems and across managed and unmanaged devices.
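To make the "cloud firewall" concrete, here is an added example (not Symantec O3 code, and not taken from this post) of the three behaviours the paragraph describes: a context check on identity, device type, location and time; content inspection of the outbound HTTP body that tokenizes card numbers before they reach the cloud service; and an audit event emitted for every decision so a log management system can correlate it. The policy values, the user names and the three sample requests are constructed for the example, and the tokenization scheme (a truncated SHA-256 of the card number) is a stand-in for a real vaulted tokenizer.

```python
"""Minimal inline cloud-firewall policy engine (added example, constructed data)."""
import hashlib
import re
from dataclasses import dataclass

# Matches 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# Constructed policy: which contexts may reach the cloud at all.
POLICY = {
    "allowed_device_types": {"managed-laptop", "managed-phone"},
    "allowed_countries": {"US", "FR"},
    "business_hours": (7, 20),  # requests allowed from 07:00 up to 20:00 local time
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps random digit runs (order ids, phone numbers) from being tokenized."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_cards(text: str):
    """Replace Luhn-valid card numbers with an opaque token; return (new_text, count)."""
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # not a card number, leave it alone
        count += 1
        # Stand-in for a vault-backed token: deterministic, non-reversible without the vault.
        return "tok_" + hashlib.sha256(digits.encode()).hexdigest()[:12]

    return CARD_RE.sub(repl, text), count


@dataclass
class Decision:
    action: str        # "allow", "allow-tokenized" or "block"
    reasons: list      # why a request was blocked (empty when allowed)
    body: str          # body as forwarded to the cloud service
    audit: dict        # event handed to the log management system


def evaluate(request: dict, policy: dict = POLICY) -> Decision:
    """Context check first; content inspection only for requests that may proceed."""
    ctx = request["context"]
    reasons = []
    if ctx["device_type"] not in policy["allowed_device_types"]:
        reasons.append("unmanaged device")
    if ctx["country"] not in policy["allowed_countries"]:
        reasons.append("location not permitted")
    start, end = policy["business_hours"]
    if not start <= ctx["hour"] < end:
        reasons.append("outside business hours")

    body, tokenized = request["body"], 0
    if not reasons:
        body, tokenized = tokenize_cards(body)
    action = "block" if reasons else ("allow-tokenized" if tokenized else "allow")

    audit = {
        "event": "cloud_access",
        "user": request["user"],
        "destination": request["destination"],
        "device_type": ctx["device_type"],
        "country": ctx["country"],
        "hour": ctx["hour"],
        "action": action,
        "reasons": reasons,
        "tokenized_fields": tokenized,
    }
    return Decision(action, reasons, body, audit)


# Constructed sample traffic: one request per outcome.
SAMPLE_REQUESTS = [
    {"user": "alice", "destination": "crm.example.com",
     "context": {"device_type": "managed-laptop", "country": "US", "hour": 10},
     "body": "Customer card 4111 1111 1111 1111, order #12345"},
    {"user": "bob", "destination": "crm.example.com",
     "context": {"device_type": "byod-tablet", "country": "US", "hour": 11},
     "body": "hello"},
    {"user": "carol", "destination": "files.example.com",
     "context": {"device_type": "managed-phone", "country": "FR", "hour": 9},
     "body": "meeting notes 1234 5678 9012 3456"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = evaluate(req)
        print(d.audit)
        print("  forwarded body:", d.body)
```

Running the module prints one audit event per request: alice's card number leaves as a token, bob is blocked on the unmanaged device, and carol's digit string is forwarded untouched because it fails the Luhn check. The order of checks matters: context decides whether the request may proceed at all, and only then is the body inspected, so a blocked request never has its content processed.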


At a time when pundits are claiming the deperimeterization of the network, it is time to reinvent a new form of perimeter for the cloud. Delivering on such a vision will take no less than the leading security company. The cloud firewall is the cornerstone of tomorrow's IT security. So, long live Symantec O3, the catalyst for a new form of perimeter security, a perimeter for the cloud.

July 28, 2011

Why mobile and cloud security eventually converge

The two hottest areas in enterprise security are undeniably mobile and cloud. As small and large security companies go after these fast-growing markets, few seem to understand that both markets will rapidly converge to be serviced through a single solution. Yet it should not come as a surprise, since both enterprise cloud and mobility are about enabling employees to access corporate resources and information from anywhere, any time.

Beyond the simple fact that mobile is about the cloud and the cloud needs to be mobile, there are profound technology-driven reasons for mobile and cloud security solutions to become one. Unlike the PC platform that preceded them, iOS and Android heavily sandbox applications and data, making them very poor platforms for security software developers to replicate yesterday's agent-based security approach. Turn yourself now to the cloud and it is the same dilemma. Since an enterprise no longer runs the applications and infrastructures that host corporate data and services, it is no longer possible for security vendors to leverage traditional infrastructure hooks to provide consistent security. In particular, the network-based security controls are out of reach since cloud vendors will not expose them.


Where does that leave us? The answer is as simple as it is obvious. Both mobile and cloud require the emergence of a new security control point that stands below mobile devices and above cloud providers. Think of it as a new layer of security. That layer of security will control and police service and data access across mobile devices, cloud data and services. It is an identity security service. It will have to control and protect the flow of information between mobile devices and cloud storage. It is an information security service. It needs to enable audits of events across mobile and cloud access. It is a log and event management solution.


Indeed, mobile and cloud security are the two faces of one and the same security and compliance solution. The perimeter is dead, but the age of "security in the middle" is only beginning.


July 11, 2011

From Windows to the Cloud: "Nothing is created, nothing is destroyed, everything transforms."


Every so often in technology, new trends emerge to drive large changes to society by transforming our established computing paradigms. Cloud as a computing pattern is certainly not dissimilar. The cloud carries in itself all the genes of disruption that the PC, client-server and Web revolutions embodied before it. For many, cloud computing is the logical evolution of information technology towards the utility model. From an economic standpoint, it signals the great commoditization of IT.



When large technology shifts occur, opportunities arise for new and innovative companies to displace the large and sleepy incumbents within their core markets. To understand the cloud tectonic shift, and the potential losers and winners, I devised a simple visual representation that captures the competitive landscape of cloud computing. If one thinks of the traditional computing world as the "primordial Pangea", the old world appears as a highly coupled stack with devices on top, infrastructure at the bottom, and applications and development platforms snugged in between the two dominant businesses. Although simplistic, this representation has the merit of capturing the market significance of companies such as Microsoft/Intel, Oracle, SAP, HP, IBM, Cisco and EMC (the device and infrastructure incumbents).



When the shift to the cloud happens, the old continents spread apart, and the original Pangea morphs into a "cloudscape". New major classes of device platforms appear (mobile platforms in particular). The old core platforms have transformed and taken new names (SAAS, PAAS and IAAS). The four strongholds drift apart, creating "seas" of opportunities for new intermediaries (the cloud brokers) who can integrate, secure and harmonize these new heterogeneous environments. Many of these new markets are still up for grabs, but a few enlightened companies have already moved in an attempt to capitalize on explosive growth as old budget money shifts towards the new models.


The four strongholds

The cloudscape shows the four old strongholds as four new distinct and decoupled markets. Furthermore, a new generation of cloud-enabled device platforms has emerged (iOS, Android...). SAAS is rapidly replacing traditional applications in the eyes of corporate users and consumers. For developers, PAAS is becoming the environment of choice for custom web service development and deployment. At the bottom, infrastructure is becoming a commoditized utility service. The four strongholds are still differentiated markets. No real consolidation has occurred yet, as the new players are too busy battling for supremacy within their own market. Each of the four platforms appears to present a significant business model, with large ecosystems acting as powerful "moats" or barriers to entry.


IAAS and the commoditization of I.T. infrastructures

The most powerful stronghold may prove to be IAAS, since the business model is based on very large economies of scale with razor-thin margins and high volumes that cannot be realized by new entrants who may lack the CAPEX muscle or the home-grown commodity technology to enter. The IAAS vendors are rapidly commoditizing the compute and storage stack. They are now walking up the stack to subsume middleware such as RDBMS (database.com, BigTable and the NoSQL movement). The next target is the network infrastructure. Large virtual private clouds will soon emerge that allow enterprises to create complex segmented networks without having to buy expensive networking gear. Corporate networks are built using virtual switches. They are secured by commoditized software appliances (virtual firewall, virtual IDS and virtual IPS) sold on a usage basis. As the IAAS market consolidates around Amazon, Google and a few large global Telcos, the old IT power houses (Cisco, HP, IBM) may still be able to carve out some land for themselves. Unfortunately, some of them have lost their strategic compass, lured by the temporary gold rush of the so-called private cloud market, a desperate attempt to re-invent yesterday's "build-it-yourself" model of information technology.


The battle for Development as a Service (DAAS)

The cloudscape identifies and positions the main platform tenants and their strongholds. For example, Amazon has a strong position in infrastructure as a service (IAAS), while Salesforce is a dominant SAAS vendor. Like OS vendors before them, both are vying to leverage their position of strength to become the application development platform of choice. Amazon is betting on infrastructure for its unfair advantage. Salesforce is betting on corporate business data such as customer info and collaboration artifacts. Google's bet is on becoming "Office" for the cloud, thus owning corporate unstructured data. For new businesses like Zynga, infrastructure is king. For enterprises that need to build mission-critical business applications, data is queen. Google+ is more innovative than Chatter, but Google needs to become enterprise-friendly (new DNA and a large M&A likely required).


The cloud brokers and the rise of the middle-man

Nevertheless, in between these giants, there is still ample room for trusted cloud brokers who can integrate business data across multiple cloud sources and provide business intelligence across all SAAS services. In fact, the map identifies very large intermediary opportunities. Cloud brokers can become significant intermediation businesses. The distant and heterogeneous nature of the four large cloud markets creates a real opportunity for cloud middle-men to reduce the complexity of integrating, securing and brokering the capabilities of the new cloud platforms through a unified management interface. The "device management as a service" layer (e.g. VDI in the cloud) or user and SAAS management (e.g. SAAS marketplaces and SAAS data integration as a service) are examples of these new intermediaries seeking to capitalize on the plurality of devices and SAAS platforms.


Security as a fundamental ingredient (says the wishfully-thinking security guy)

Interestingly, security emerges as a fundamental enabler. If one considers availability as a form of security, security is actually relevant to all forms of cloud brokering. This leads us to believe that security companies could benefit from the new world balance if they can establish partnerships with the strongholds that are about to significantly impact the distribution of security services. Moreover, security assets provide a natural beachhead for security companies to extend into cloud brokering opportunities. Conversely, security M&As could become increasingly important to cloud platform vendors or cloud platform wannabes in search of differentiation and higher margins.


Eventually, what the cloudscape demonstrates is that, in the long run, information technology is not immune to the fundamental laws of physics. Cloud computing is undeniably a disruptive technology. But, in the end, the four core business strongholds still exist, granted, under new names, forms and shapes. Under the tectonic shift of cloud computing, the whole industry landscape of information technology is about to radically transform under our eyes, reminding us once again of what an old French chemist taught us a few centuries ago: "Nothing is created, nothing is destroyed, everything transforms." -Lavoisier

April 20, 2011

Trusted Identities in Cyberspace

Last week, the White House announced its official National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is the largest-ever effort by the federal government and private sector partners (including Symantec) to develop a secure, standards-based and interoperable online identity system. The goal: Improve the security and privacy of online interactions and more effectively fight cybercrime. Today's announcement marks the culmination of two years of effort by VeriSign (first as an independent company and later as part of Symantec) to help bring this important initiative to life.


At the heart of NSTIC is the concept of an Identity Ecosystem based on trusted identity frameworks. Trusted identity frameworks are the lynchpin to trusted interactions online, for everything from e-commerce to electronic health records to online voting. These frameworks will require all participating service providers to ensure the credentials they offer adhere to the same standards for identification, authentication, security and privacy. This wouldn't be a "national online identity" setup, but rather interoperability among many market offerings.


The initiative recognizes that public-private partnerships are essential for success. Symantec and other private sector companies have already created the technology for strengthening and sharing high assurance identities. Government leadership will promote, facilitate and coordinate industry to further NSTIC goals. The government can also help overcome the three big impediments this kind of initiative faces:


1. Privacy concerns: The government can define and deploy standardized trust frameworks that help ensure citizens' privacy (e.g. by working through the private sector, leveraging organizations such as the Open Identity Exchange).

2. Liability concerns: Data breaches involving personally identifiable information (PII) can easily run into the tens or hundreds of millions of dollars, depending on the number and kind of records affected. Once trust frameworks are in place, Congress can pass legislation to cap liability for organizations certified under those frameworks.

3. Business concerns: The federal government can create business incentives for trusted identity providers to join the eco-system by becoming the initial customer. That would basically prime the pump for a trusted identity service business model.


NSTIC's goals for FY11 include:


• Convene the private sector by hosting workshops on governance, privacy and technology
• Establish a governance model, standards and models for addressing liability
• Develop criteria, assess potential programs and prepare for formal funded pilot launches in FY12


These plans are ambitious, certainly, but are necessary given the escalating data breach and cybercrime threats people face every day. NSTIC will provide the means to dramatically improve online authentication and the security, privacy and business benefits it provides.

September 6, 2010

Identity Proofing - the Next Mobile Business Opportunity?


It is clear that high assurance identity on the Internet is going to require identity proofing. With more than 1 billion Web users, and 3 billion mobile users increasingly connected to the Internet, scalability is going to be essential. If high assurance identities become the norm, digital identity verification services that do not require in-person proofing could therefore turn into a significant market opportunity.


Most folks in the industry would tell you that credit bureaux and financial institutions ought to be the primary beneficiaries as the new business emerges. However, the convergence of Internet, mobile and telecommunications driven by iPhone and Android could attract new market players. Mobile network operators (MNOs) have a wealth of identifiable data about us. They are also uniquely positioned to bring multi-channel solutions to market. In fact, an MNO-operated ID proofing service could easily support voice and web, for brick-and-mortar as well as online service providers.


Then comes the unfair advantage: the mobile handset. Obviously, the biggest challenge of "person not present" identity proofing lies in the processor's ability to match the person on the other side of the communication channel to the identity data. A personal mobile device provides a unique link between my digital and physical me (there is a long history that links my mobile device to my identity). For the web, it supports an out-of-band channel that considerably adds to the security of the verification process. From a privacy and control standpoint, the mobile phone enables a user-centric approach where the user can approve the transfer of her personal information (a sort of out-of-band OAuth dance). Last but not least, location (somewhere I am) may prove of strategic importance, since an embedded GPS can correlate the proofing event to a verifiable personal location (e.g. my home). Location verification for proofing could happen "just in time" or as a post-process step. In any case, it would greatly strengthen the overall process.
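The mechanics sketched above, as an added example (not code from this post, the OIX, or any MNO): a web-initiated proofing request raises a single-use challenge that is delivered out of band to the handset the operator has linked to the subscriber; the handset's approval carries the challenge back together with a GPS fix, and the service accepts the proofing only when the challenge matches, has not expired, and the reported position lies within a small radius of the subscriber's registered home. The subscriber registry, handset identifier, coordinates, radius and time-to-live are all constructed for the example; the haversine formula is used for the distance check.

```python
"""Out-of-band mobile identity proofing with location correlation (added example, constructed data)."""
import hmac
import math
import secrets
import time
from dataclasses import dataclass


@dataclass
class Enrolment:
    handset_id: str   # the operator's link between the device and the subscriber
    home: tuple       # registered home as (latitude, longitude) in degrees


# Constructed MNO-side registry: which handset belongs to which subscriber, and where they live.
REGISTRY = {
    "subscriber-42": Enrolment("IMEI-0001", (48.8566, 2.3522)),
}


def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    radius = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(h))


class ProofingService:
    """Issues one-time challenges over the mobile channel and verifies the handset's approval."""

    def __init__(self, registry=REGISTRY, radius_km: float = 1.0, ttl_s: int = 120):
        self.registry = registry
        self.radius_km = radius_km   # how close to home the GPS fix must be
        self.ttl_s = ttl_s           # how long a challenge stays valid
        self.pending = {}            # handset_id -> (subscriber_id, challenge, expires_at)

    def start(self, subscriber_id: str, now: float = None) -> str:
        """Web channel asks for proofing; the challenge is pushed to the linked handset."""
        now = time.time() if now is None else now
        enrolment = self.registry[subscriber_id]
        challenge = secrets.token_hex(4)
        self.pending[enrolment.handset_id] = (subscriber_id, challenge, now + self.ttl_s)
        # In a deployment this value travels only over the mobile channel; it is returned
        # here so the flow can be exercised in one process.
        return challenge

    def approve(self, handset_id: str, challenge: str, gps: tuple, now: float = None) -> dict:
        """Handset channel: the user approves, sending the challenge back with a GPS fix."""
        now = time.time() if now is None else now
        # Single use: the pending entry is consumed whether or not the approval succeeds,
        # so a captured challenge cannot be replayed.
        entry = self.pending.pop(handset_id, None)
        if entry is None:
            return {"verified": False, "subscriber": None, "reasons": ["no pending proofing for handset"]}
        subscriber_id, expected, expires_at = entry
        reasons = []
        if now > expires_at:
            reasons.append("challenge expired")
        if not hmac.compare_digest(challenge, expected):   # constant-time comparison
            reasons.append("challenge mismatch")
        distance = haversine_km(gps, self.registry[subscriber_id].home)
        if distance > self.radius_km:
            reasons.append(f"location {distance:.1f} km from registered home")
        return {"verified": not reasons, "subscriber": subscriber_id, "reasons": reasons}


if __name__ == "__main__":
    svc = ProofingService()
    code = svc.start("subscriber-42")
    # Constructed fix a few hundred metres from the registered home.
    print(svc.approve("IMEI-0001", code, (48.8600, 2.3500)))
    code = svc.start("subscriber-42")
    # Same handset and valid code, but the fix is on another continent.
    print(svc.approve("IMEI-0001", code, (40.7128, -74.0060)))
```

Each of the three checks maps to a factor in the paragraph: the pending entry keyed on handset id is "something I have" (the device the operator linked to me), the challenge round trip is the out-of-band approval, and the distance test is "somewhere I am". Reporting all failed reasons rather than stopping at the first one is deliberate, so that the audit record of a rejected proofing shows whether it was a stale request, a wrong code, an unexpected location or several at once.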


There is little doubt that the combination of wireless data and handset constitutes a unique recipe for enabling high-assurance identity proofing systems. The OIX will soon get to the bottom of this theory, since it has recently announced the formation of a working group for telecom data. Early next month, OIX members will explore the development of a trust framework that would support the secure exchange of identity data between MNOs and relying parties while ensuring the privacy and trust of consumers. This could well be a significant step towards high-scale, high-assurance identity systems. So, good luck to the new working group; we will be watching closely.

June 2, 2010

Cloud Identity, Trust and the Liability Elephant.

I have been involved with a couple of similar initiatives around certification for identity and thought it would be interesting to explain the logic behind these efforts. The first initiative is led by the Open Identity Exchange and is based on the Open Identity stack. The second is more enterprise cloud focused; it is driven by the Cloud Security Alliance (CSA). The CSA is developing a more SAML-oriented technology blueprint within OASIS. The technology protocols are different but the risk controls are similar. Therefore, I am hopeful that both trust frameworks will converge (I will certainly try to help them converge).


But let us rehash the motivation of the industry that sponsors these efforts. A trust framework is necessary to enable policy makers across vertical markets (healthcare, enterprise SAAS, mobile payment, digital content) to set the security and privacy bar for identity providers, identity brokers and relying parties. For sure, across all vertical markets, the sharing of identity requires a baseline of best practices for security and privacy, as it facilitates customer adoption of cloud identity services by providing a foundation for trust.


However, there is another motivation to develop certification programs for identity services. The true 'raison d'être' for identity trust certification is that it will allow private consortia or legislators to govern liability in a multi-party transaction. In particular, one can shift the liability away from accredited identity providers on the basis that they have demonstrated the proper privacy and security controls through certification. In other words, trust certification can be used to kill the liability elephant that has been haunting the federated identity rooms for so many years.


By capping liability risk through certification, an identity trust framework would make it commercially easier for large consumer Internet companies, commercial banks and online payment systems to participate as identity providers in high assurance transactions such as health care, eGov services and all new breeds of cloud services. In essence, this is not too different from the VISA model, where a consortium of financial institutions establishes the network blueprint for online payment, defines the necessary security controls and is then able to shift the liability (in this case, away from the card issuing banks (IDPs) to the merchants (RPs), who are generally responsible for chargeback expenses).


Of course, certification does not happen in a vacuum. Certification is about risk management. It needs to define privacy and security controls appropriate to the transaction and information risk levels. This means that identity certification will have to discriminate among different levels of assurance (most likely, the four NIST levels of authentication) in order to adapt across multiple verticals. Howard Schmidt seems to agree with the need for identity trust frameworks and even points to a concrete market: "The president is 'concerned and very committed' to making sure that as healthcare goes electronic that 'we also have the right controls for security and privacy,' Schmidt said at a May 11 conference on privacy and security sponsored by the Health and Human Services Department. "The plan to develop a strategy will focus on ways to improve identity management. As part of that effort, the administration will roll out a 'trust framework' incorporating authentication technologies, standards, services and policies that government, industry and consumers could adopt. The key issue is that we have to instill trust in the system. If we don't trust the system, we won't use it and if we don't use it, we lose its [potential] benefits".


For all of us in the digital identity world, it is certainly encouraging to see that the federal administration is recognizing the importance of identity management and its acute need for trust policy. It is certainly not an easy issue, but it is now getting the visibility that it deserves. There is also plenty of good will in the industry to collaborate and make a trust framework for eHealth a reality. The elephant may not have quite left the building, but at least we can now all see it, and it is a good thing.

May 10, 2010

Greek Heroes, Facebook and Trust

When Achilles was a baby, the oracle predicted that he would die in battle from an arrow. Thetis, Achilles' mother, who did not want her son to die, decided to dip Achilles' body into the water of a river that would make him immortal. Unfortunately, Thetis had held Achilles by the heel, which was not washed over by the magic water. Achilles grew up to be a great war hero, whose apparent invincibility had turned him into a legend. But one day, an arrow shot at him lodged in his heel, killing him instantly.


When it comes to consumer identity, Facebook looks more and more like the Achilles of identity. Every day, it is growing more powerful and invincible. Yet, a growing stream of concerns is gradually exposing the social warrior's vulnerability on security and privacy. Nevertheless, as a website, Facebook's core usage metrics are mind-boggling:


• More than 400 million active users
• 50% of its active users log on to Facebook in any given day
• Average user has 130 friends
• People spend over 500 billion minutes per month on Facebook


However, Facebook's true ambition may well reside beyond the confines of its own Web site. If one combines Facebook Connect (authentication++), OAuth (authorization) and the Social Graph API, it is crystal clear that Facebook's strategy is to become the identity fabric for the Internet. By turning the social network into an identity infrastructure, the Facebook APIs could enable an even larger business opportunity. By extending the Facebook business over external websites, the Social Graph APIs open the door to transactional business models such as cost-per-action advertising, eCommerce and payment. There again, when it comes to numbers, the social network hero is showing Homeric promise:


• More than 80,000 websites and devices (including iPhone and Xbox) have implemented Facebook Connect since it launched in December 2008
• More than 60 million Facebook users use Facebook Connect each month.
• Two-thirds of ComScore's US Top 100 websites and half of ComScore's Global Top 100 websites have implemented Facebook Connect.
• Sites like the Huffington Post have seen a 500% increase in Facebook referrals after implementing Facebook Connect.
• 500,000 applications have been built on Facebook and the growth of social gaming (Playdom, Zynga, Playfish, etc.) is still in its infancy.


So, what could go wrong? Where could the enemy arrow strike its fatal blow to our hero? Could it be over this security glitch that exposes our chat messages to friends? Perhaps these controversial default privacy settings that leave our identity increasingly public? Will the threat arise from a growing reputation as a corporation trying to take advantage of our personal data to 'help itself -- and its advertising and business partners'? If there is something that could stand in the way of Facebook, it is probably Facebook itself. Indeed, the growing controversy and erosion of consumer trust surrounding Facebook's privacy and security nonchalance may eventually become the Achilles' heel of the young identity giant.


Facebook is clearly an extremely innovative company and a successful platform. Of course, it must keep on running fast against the agile Twitter and the powerful Google of the world, who are certainly eyeing with envy its privileged position as the leading Internet social platform. No doubt the investors are placing tremendous pressure on management to drive revenue growth. Nevertheless, Facebook needs to slow down and consider the long-term implications of being the de facto custodian of our digital lives. It must start fulfilling the responsibility that comes with millions of digital identities under management. If it is true that today's Internet generation may have fewer privacy concerns than their elders, in the long run, consumers will not allow Facebook to manage and control their identities unless they can trust the platform.


Eventually, Facebook will have to "do the right thing" for the consumers, sometimes in spite of their ignorance of digital risks, and surely despite a business model that encourages Facebook to look the other way when it comes to privacy and security. Yes, the Achilles' heel is very real, it is being exposed every week in the press, and the temptation is growing for privacy zealots and regulators who are assiduously watching the missteps. Good common business sense aside, it is time for Facebook to take responsibility and leadership for the immense security, privacy and trust challenges that our digital identities require. Maybe it is even time for the social network to start promoting elements of security, privacy and trust within its core platform.

April 20, 2010

PCI for the Cloud

For most enterprise and security vendors, the cloud is fascinating both as a technology and a business disruptor. In fact, SaaS CEOs such as those of SuccessFactors, Salesforce and NetSuite are hot shots in Silicon Valley these days. Yet, most of us are still wondering how much IT budget is actually going to be thrown at the so-called private, hybrid and public clouds in 2010. So what is in the way of the big shift?


We had a good discussion on this topic at AlwaysOn today. At least, it seems that everyone agrees on the main challenges: integration is harsh, security is dicey and compliance seems out of reach. So, where do we start? I am starting to believe that there too, we need to provide a baseline for cloud security and trust. Like PCI for e-commerce, a certification for the cloud will not make the cloud completely secure, but it will at least provide a set of common definitions and best-practices for cloud security and trust. It will also make it much easier for enterprise customers to evaluate and rationalize the security of any cloud vendor. In fact, prospective cloud customers will be able to contractually commit cloud vendors to well documented certification levels and build additional SLA and security contractual requirements on top.


So whether you are a security vendor, a cloud provider or an enterprise, there is one more thing that we may be able to agree on: trust certification could drive cloud adoption by simplifying the definition, evaluation and contracts for cloud security, compliance and trust. Of course, it starts with identity, so time to get to work.

April 5, 2010

Open Identity: the end of childhood, the age of assurance

This week is the week of the OpenID summit in Mountain View, California. We are all hoping that 2010 will be another pivotal year for open identity. There seems to be a combination of market forces that are making federated identity more attractive. In fact, we are hearing new compelling use cases for federation. A first example is cloud access and identity management. As enterprises shift their IT infrastructure and information to the cloud (as in IaaS, PaaS and SaaS applications), CIOs need to federate corporate identities with cloud service providers. For cloud resources, the corporate directory becomes the identity provider and the cloud services are the relying parties (and if you don't have a directory or don't want to use it for federation, Google is in the pole position to be your OP). Another interesting vertical ripe for federation is healthcare. Now that the Obama bill for healthcare has passed, one should expect a revival of health information networks (remember the RHIOs). Finally, online payment, the mother of all federation, is seeing a lot of innovation too. From mobile to social games, high assurance open identity networks led by modern payment systems such as PayPal, Amazon or Facebook could sway consumers, curb fraud and shift merchant liability where Verified by Visa has fumbled to date.


So, what do the trusted cloud initiative, Obama's new health care bill, and next generation online payment have in common? They all require federation and stronger forms of authentication to enable trust and protect against fraud. These transactions are complex and risky. They are complex because they involve multiple independent, sometimes competing organizations. Federation is needed. These transactions are also risky because the current Internet authentication system based on name and password is too weak. High assurance identity is needed. As governments and vertical industries worldwide come to the realization that their cyber security and business agendas require them to enable high assurance online transactions, federation and strong authentication will converge into new compelling trust infrastructures deployed across vertical markets.


The need for high assurance federation may provide a much needed boon for open identity technologies such as OpenID and OAuth. The point is that the adoption of a new identity management model on the Internet by consumers may require much more than single sign-on, attribute exchange and authorization. As Dick Hardt has put it many times, these traditional identity features are only vitamins. Most people won't go for vitamins alone. Consumers want enablement. Facebook figured that out a long time ago by tying friend discovery and activity streams to Facebook Connect. So, what is Open Identity's mojo then? I dare to suggest that the opportunity for open identity is new transaction enablement. If open identity networks can enable complex and risky transactions that are not possible online today, massive adoption will follow and altering the digital identity experience becomes palatable.


Of course, it is a security guy talking, but let us consider the business model too. The business of security and trust is well understood. Credit bureaus, security companies and VISA/Mastercard have clear and compelling transactional business models. Transactional revenue models are also more compelling than advertising. The profit margins for standing in the middle of transactions as a neutral third party and enabling high assurance are fairly high. Compare that addressable market to the currently minuscule market size of open identity as it stands today. Whether you look at it from a product, deployment or economic standpoint, I continue to believe that the future of open identity on the Internet is intimately linked to high assurance identity.


March 16, 2010

And the Oscar goes to

I could not resist the temptation. Trust Seal, the Trilogy is now on YouTube.


The first act is strictly business, but you may not want to miss act II and act III with Snikko the hacker. Rest assured, I have already promised the marketing team that there will not be a sequel.


March 3, 2010

Enabling all the Visas of identity

The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards and roll out open identity services to US citizens. For example, the National Institutes of Health can now move out of the pilot phase and support accredited OpenID providers.


So, what is the Open Identity Exchange (OIX)? The OIX aims at enabling specialized trust frameworks or certification programs within a vertical community (e.g. US government, health care, financial services). Certification requirements for shared identity can be diverse and complex depending on the level of assurance required. Simply said, when it comes to trust, one size does not fit all.


You can think of a trust framework as the policy sibling of technical standards for identity. Identity policies must be set to deal with privacy, security, and liability. Once policies have been defined, certification can emerge as the foundation for trust between all parties exchanging information. However, the type of policy needed greatly depends on the sensitivity of this information, the security risks, and many other factors, including geo-political sensitivities. Indeed, the level of trust assurance required to protect access to the energy grid, electronic health care records or social web pages is clearly not the same.


The open approach that the OIX takes is attractive. The OIX does not try to set the policy rules. Instead, it creates a common framework, a shared approach that will enable different communities to create their own certification rules. It is not an easy problem. But because cyber security and key governmental initiatives depend on high assurance identity management, OIX is an important first step to get there.

February 23, 2010

Rethinking Internet Trust and Reputation

Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the last 15 months. It is always a thrill to release a new product. It is even more exciting when there is a compelling and long term vision behind the initial release of a new Internet service.

Setting the standard for website trust
The goal behind this new trust service is as simple as it is lofty. Is it possible to create a blueprint for trust on the Internet? Can we increase safety and trust on the web by raising the bar of security best-practices? Can we communicate trust in such simple visual way that any consumer would understand? Can we promote trust between consumers and websites as an engine for economic growth?


Trust brokering as a network service

From the late 13th century Italian Renaissance to the early 21st century global economy, trust has always been a fundamental tenet in the development of commerce and trade. In a world that is increasingly leveraging the web as a channel for customer acquisition, transaction and fulfillment, trust brokering is a critical yet missing network primitive. For enterprises to embrace SaaS applications, suppliers to join Internet marketplaces or consumers to select businesses on the web, the network needs trust brokering services that can certify and assert trust among parties with little prior knowledge of each other.


A pragmatic starting point for website trust
Web site trust is a multi-faceted problem. Authenticity, security, reliability, assurance, privacy and reputation are all important dimensions to ensuring trust. Therefore, setting the initial bar for Web trust is a significant challenge. Set the bar too low and the lack of substance in the attestation of trust makes it irrelevant to consumers. Set the bar too high and the economic barrier to entry makes the standard irrelevant for websites. Unless a pragmatic balance is achieved, the end goal of a complete standard for trust can never be achieved. Trust Seal is VeriSign's initial step to providing an end-to-end solution to this challenge. We hope to have achieved such an initial balance of pragmatic relevance, so as to continuously raise the bar for trust on the Web in the years to come. So, on February 24th 2010, what does it mean for a website to be VeriSign trusted?


Authenticity with business authentication
First, it means that we have verified that the web site is authentic. Basically, we verify that the website is really who they say they are. We call this process business authentication. We make sure that the business owner owns the domain name and that the business is a legitimate business. Because bad guys can easily hide behind the façade of a professional web site, this is a very important step to establishing Web trust. By verifying the true identity of the website and the business behind it, accountability can be achieved. This is similar to what certificate authorities (the good ones) do when they validate an organization before issuing an SSL certificate for e-commerce. What we have done is extend a fundamental principle for trust in ecommerce to any Web domain, to any web site on the World Wide Web.


Safety with malware detection in the cloud
The second check is to evaluate how safe it is for a consumer to visit the website. We contemplated many different approaches. However, the last two years have taught us that the most dangerous thing that can happen to consumers on the Web is to be infected with malware. For that reason, we decided to tackle this significant safety issue of web malware first. The new VeriSign trust seal is dependent on a successful drive-by download malware scan. Each website is scanned daily. The seal display is automatically turned off when malware is detected. Remediation instructions are provided to the website to remove identified exploits.



Trust Signaling for the Web
For consumers, we are reducing the trust signal to its simplest expression. The seal displayed on the site's web pages attests that the site is authentic and safe. This is where the VeriSign heritage comes into play. Millions of consumers are already familiar with the VeriSign Secured seal for SSL. We are maintaining the brand, but extending the scope and meaning of our trust mark. The VeriSign seal becomes a simple yet powerful visual cue for consumers to assess whether a website meets transparent criteria for authenticity and safety. Trust marks for ecommerce web sites are not new. However, we believe that any commercial website, transactional, non-transactional or social Web outlets of small and medium businesses, could greatly benefit from trust marks moving forward.


Beyond the web site: trust signaling in search and directories
In the long run, trust and reputation assessment should become part of the discovery process of online businesses. Popularity and page ranks are one dimension of search. How much a site can be trusted ("trust rank") is an important measure as well. In fact, in recent years, safe search has emerged as an important feature for search engines and end-point security clients. Both have already integrated features to detect, signal and block drive-by malware infected websites. "White lists" of trusted sites should prove an important complement to black lists for search and navigation. Therefore, we have been working to integrate the new seal as a trust indicator in search and directory services (more on that in a future post).



As you can see, the VeriSign Trust Seal encompasses many new features and the roadmap should keep the product and development teams busy for a while. We are thrilled to tackle one of the most critical and challenging Internet issues. So, give the new service a test run and let us know what you think.

February 16, 2010

Google Hacked or Why the Cyber World Could Get M.A.D**


As the world already knows, Google and a few other prominent US companies got severely hacked around Christmas time last year. Sophos has an interesting analysis of the exploit. Web malware and a zero day vulnerability in IE6 were essential to the exploit.


For security folks, this was a meaningful event. The level of sophistication of the attacker was unprecedented. The attack was carefully crafted. The breach was severe. For tomorrow's cyber historians, however, the breach may prove to be a tipping point. In fact, it may even change the way the world approaches cyber security and cyber warfare. So, what makes the Google hack such a game-changer? Could it be the magnitude of the attack, the significance of the targets or even the rumored origins of the perpetrators? No, we must look somewhere else.


Start with Google. I have personally met members of the Google security team. There is no doubt that Google has a world class security team. So, if it happened to Google, it could have happened to any organization, be it private, governmental or foreign. This exposes a fundamental truth of cyber security: attackers always have the advantage. Indeed, there will always be the next zero-day vulnerability, the weak social engineering link or the unsuspected insider loophole. The Google hack simply makes the reality of cyber security more blatantly obvious and more public than any other attack before. In the cyber world, the old adage still prevails: "si vis pacem, para bellum".


This may leave governments and intelligence agencies worldwide with a difficult consideration. If the advantage lies on the attacker's side, the only pragmatic cyber defense may well be cyber offense. Under this scenario, the most solid hope for protection becomes fear of retaliation. This is the old Mutually Assured Destruction (M.A.D) principle of the cold war. In tomorrow's world, the nuclear truth of yesterday takes on a new meaning: do not take my smart power grid down, as I will shut down yours within seconds. Do not collapse the transactional backbone of my financial institution, or yours will instantly follow the same fate. Yes, if the Google hack teaches us something, it is that cyber security agencies around the globe may soon have to consider M.A.D strategies.


Disturbing thought, flawed interpretation, or irrational conclusion? I certainly hope so, since the comparison with nuclear warfare does not bode well for the good cyber security guys. With nuclear threats, at least, public opinion could find some illusion of comfort. The complexity of assembling nuclear weapons of mass destruction meant that only a handful of belligerent nations would be regarded as real threats. But here lies the second inconvenient truth of cyber warfare. When it comes to cyber terrorism, the barrier to entry is extremely low. In fact, it does not take much to build an effective cyber SWAT team. Training is cheap, fast and effective. Some say that it is already being done on the Internet. For sure, training material is available for free on the Web. The ultimate irony is that you can probably Google it.


**M.A.D: Mutually Assured Destruction

January 11, 2010

Top 10 Security "Predictions" for 2010


As one of the world's leading security vendors, VeriSign has been asked to discuss the top 10 most important security areas for 2010. So, ahead of my new year's resolution, I decided to indulge (after a year working heads down on a single product, it is a fun exercise to think of all the things that you have been missing out on). Although the list is far from complete, it is clear to me that there is no recession for the bad guys. In fact, it has probably never been a more interesting time to be in the security business.


Security Prediction #1:
Cloud Security (Securing the Next IT Infrastructure)

Call it cloudmania or software as a service (SaaS) hype; whether data, applications, or networks, the whole IT infrastructure is shifting to the cloud. With it, a large chunk of today's IT budgets will be redistributed to the next Google of the cloud. In 2010, SaaS security will be in the forefront as chief information officers ponder their increasing reliance on external business applications: "Is my data safe? Is my security policy enforced? Am I still compliant?" Federated identity and access management services across SaaS will start providing some answers, and strong authentication will bolster identity services. Cloud platforms such as Microsoft Azure and Rackspace will lead the industry to redefine key and certificate management within cloud environments.


Security Prediction #2:
Website Security (the Growing Threat of Web Malware)

The Web is a growing channel for malware distribution. From February to August 2009, the Google search blacklist grew by 65%. It is now very clear: bad guys want to infect popular Web sites with malware to silently take over your desktop as you browse the Web. Their weaponry is as effective as it is diverse: hidden IFrames, obfuscated JavaScript, and malicious browser add-on objects. The arsenal and sophistication of these exploits is growing daily. Even with anti-virus running on your machine, your odds of being infected while visiting a drive-by download site may be more than 1 in 2. Let us face it: Web pages have become sophisticated programs. They are increasingly becoming the dominant attack vector for all the world's hackers who are seeking home computers for their botnets and consumer identities for their piggy banks. As the threat increases over time, drive-by malware protection will become an important check for any commercial Web site.
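The two indicators named above, hidden IFrames and obfuscated (decode-then-execute) JavaScript, are the kind of thing a static pre-filter in a daily site scan can flag before a page is handed to a full instrumented-browser analysis, and the Trust Seal post earlier on this page ties the seal display to exactly such a daily scan. The following is an added example written for this page; it is not VeriSign's scanner, and the sample page, the heuristics and the `seal_should_display` policy function are all constructed for illustration. Real drive-by detection relies on executing the page, not on regular expressions; this shows only the cheap first pass.

```python
import re
from dataclasses import dataclass, field

# Constructed sample page (not a real site): a benign embed plus two injected
# artefacts of the kind described in the post, a zero-size hidden iframe and
# an eval(unescape(...)) blob. The percent-encoded payload is harmless text.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%68%69%22%29'))</script>
</head><body>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://bad.example/x.php" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r'([a-z-]+)\s*=\s*("([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# CSS tricks that keep a frame out of sight: display:none, visibility:hidden,
# or positioning it far off-screen.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Script text decoded at runtime and handed straight to eval/document.write.
OBFUSCATION_RE = re.compile(
    r"(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(", re.I)
# A long run of %XX escapes is itself a strong hint of a packed payload.
PERCENT_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}){16,}", re.I)


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)

    @property
    def malware_detected(self) -> bool:
        return bool(self.findings)


def parse_attrs(tag: str) -> dict:
    """Return the attributes of one HTML start tag as a lower-cased dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = m.group(3) or m.group(4) or m.group(5) or ""
    return attrs


def is_tiny(attrs: dict) -> bool:
    """True when both width and height are explicitly 0 or 1 pixels."""
    def dim(value: str) -> bool:
        value = value.strip().lower().rstrip("px")
        return value.isdigit() and int(value) <= 1
    return dim(attrs.get("width", "")) and dim(attrs.get("height", ""))


def scan_page(html: str) -> ScanResult:
    """Static pre-filter: one finding per suspicious iframe or script block."""
    result = ScanResult()
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(0))
        src = attrs.get("src", "")
        if is_tiny(attrs):
            result.findings.append(f"hidden iframe (zero-size) -> {src}")
        elif HIDDEN_STYLE_RE.search(attrs.get("style", "")):
            result.findings.append(f"hidden iframe (css) -> {src}")
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if OBFUSCATION_RE.search(body) or PERCENT_RUN_RE.search(body):
            result.findings.append("obfuscated script: decode-then-execute pattern")
    return result


def seal_should_display(html: str) -> bool:
    """Seal policy as the post describes it: show the seal only while the
    daily scan is clean; the findings list doubles as the remediation report."""
    return not scan_page(html).malware_detected


if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE)
    for line in report.findings:
        print("FINDING:", line)
    print("seal displayed:", seal_should_display(SAMPLE_PAGE))
```

On the constructed page the scan yields two findings (the zero-size frame and the `eval(unescape(...))` script) and the seal is withheld; a page with only the 640x360 embed passes. The findings carry the offending `src`, which is what a site owner needs for the remediation step the post mentions.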


Security Prediction #3:
Virtualization Security (Protecting the Cloud Operating System)

Securing virtualized environments is an absolute necessity. After all, virtualization is to the cloud what the browser is to the Web. Some see the hypervisor as the ultimate rootkit. We see virtualization as an opportunity to improve security through end-to-end automation. Combined, virtualization and the shift to the cloud provide a unique opportunity to transform the way we do security today. Virtualization enables security automation. Automation will streamline security deployment and ongoing management, taking us to levels that we simply could not achieve before. As virtualized switches reduce networking cost and complexity, virtualized security appliances and virtualized component certification will reduce the difficulty of deploying secure environments. For now, many questions remain: How do I secure my virtual images? How do I ensure the integrity and confidentiality of my enterprise servers, my employee desktops, and mobile phone templates and images? How do I make sure that all the data that these edge-deployed images consume and produce are protected by keys to which no one else has access? As end-point deployment converges to an automated assembly of virtualized software components (operating system, applications, firewalls, anti-virus, intrusion prevention system, intrusion detection system, load-balancer, policy servers, etc.), how do I make sure that these elements are authentic, patched, and selected according to my security policies? For many years, we have been securing code for ActiveX and Java applications. The next generation of trusted software may well be virtual images.
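The three questions at the end of that paragraph (authentic, patched, policy-selected components) map onto a signed component manifest checked before an image is assembled. The following is an added example for this page, not any vendor's tooling: the manifest format, the `POLICY` table, the sample component blobs and the shared `KEY` are all constructed. An HMAC stands in for the publisher's signature so the block runs with only the standard library; a real pipeline would use a public-key signature so that verifiers hold no signing secret.

```python
import hashlib
import hmac
import json

# Operator policy (constructed): which components an image may contain and the
# minimum patched version of each, expressed as a version tuple.
POLICY = {
    "approved": {"os-base", "app-server", "host-ids"},
    "min_version": {"os-base": (2, 4), "app-server": (1, 9), "host-ids": (3, 0)},
}

# Stand-ins for the image components (constructed byte strings) and the key
# shared between the image publisher and the verifier (assumption for the demo).
BLOBS = {
    "os-base": b"os image bytes v2.4.1",
    "app-server": b"app server bytes v1.9.0",
    "host-ids": b"host ids bytes v3.1",
}
KEY = b"example-shared-key-not-for-real-use"


def canonical(manifest: dict) -> bytes:
    """Deterministic serialization so the signature covers exactly one encoding."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Publisher side: HMAC-SHA256 over the canonical manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_manifest(versions: dict, blobs: dict) -> dict:
    """Publisher side: record name, version and SHA-256 of every component."""
    return {
        "image": "web-tier-template",
        "components": [
            {"name": n, "version": versions[n], "sha256": hashlib.sha256(blobs[n]).hexdigest()}
            for n in sorted(blobs)
        ],
    }


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def verify_image(manifest: dict, signature: str, key: bytes, blobs: dict, policy: dict) -> list:
    """Verifier side. Returns a list of violations; an empty list means the
    image is authentic (signature), patched (versions) and policy-compliant
    (approved components), and every component matches its recorded hash."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid"]  # nothing below can be trusted
    problems = []
    for comp in manifest["components"]:
        name = comp["name"]
        if name not in policy["approved"]:
            problems.append(f"{name}: not an approved component")
            continue
        if parse_version(comp["version"]) < policy["min_version"][name]:
            problems.append(f"{name}: version {comp['version']} below patched minimum")
        blob = blobs.get(name)
        if blob is None or hashlib.sha256(blob).hexdigest() != comp["sha256"]:
            problems.append(f"{name}: content hash mismatch or missing")
    return problems


GOOD_VERSIONS = {"os-base": "2.4.1", "app-server": "1.9.0", "host-ids": "3.1"}

if __name__ == "__main__":
    manifest = build_manifest(GOOD_VERSIONS, BLOBS)
    sig = sign_manifest(manifest, KEY)
    print("clean image:", verify_image(manifest, sig, KEY, BLOBS, POLICY))
    swapped = dict(BLOBS, **{"os-base": b"modified os image"})
    print("swapped component:", verify_image(manifest, sig, KEY, swapped, POLICY))
```

The order of checks matters: the signature is verified first and on failure nothing else is reported, because version and hash fields in an unsigned manifest are attacker-controlled and reporting on them would only lend them credibility.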


Security Prediction #4:
Mobile Security (From Mobile Phone to "Security Remote")

Thieves steal a laptop every 53 seconds, and authorities never recover approximately 97% of these devices, according to the FBI. Worse, thieves will steal one out of every 10 laptops within 12 months of purchase. With the explosion of smart phones around the world, the new mobile platforms are about to become a hacker's dream and a corporate IT nightmare. It is no coincidence that 2009 saw the first iPhone worm. In a world of untethered devices (laptops, netbooks, smart phones, tablets), personal and corporate data must be encrypted, remote mobile access must be strengthened, and mobile end-point security must be deployed. Over time, mobile devices and the alternate digital channel that they enable will turn into a "personal security remote control". Indeed, we all need the choice of stronger security that does not impact the convenience of our digital lives.


Security Prediction #5:
Social Networks Security (Bringing Trust to Social Communities)

There are clear and obvious dangers associated with social networking, including personal data theft, malware, and scams. The most prevalent threats often involve online predators or individuals who claim to be someone that they are not. A December 2009 study from Sophos Plc. showed that 41% to 46% of contacted users "blindly accepted" friend requests from fake Facebook users created by the security firm. As businesses increasingly start leveraging social media to interact with consumers, business authentication, reputation, and trust marks should have an important role to play in the social neighborhood. Because trust is essential to any form of business, in 2010, social applications and games may seek trusted third parties to identify, certify, and signal legitimate businesses that comply with industry best practices.


Security Prediction #6:
Safe Navigation & Search (Surfing with Peace of Mind)

On today's Internet, clicking on a hyperlink may end up being the riskiest decision for millions of Internet users. In a Web of phishing, drive-by malware and scams, what lies behind the link can indeed be deceiving. In 2010, Web navigation will need to get safer. Already, we are working with bit.ly to identify malicious shortened URLs. More global and impactful is the announcement to deploy DNSSEC across .com and .net in 2011. Because DNS is at the heart of Web navigation, the introduction of DNSSEC within the Internet infrastructure should have a profound effect on bolstering security across Web browsers, directories and search engines. Less obviously, DNSSEC could also change the way developers create secure APIs on the Web. DNS is a powerful directory protocol. Yet, most Web platforms use REST APIs over HTTP/HTTPS, and not DNS. This is due in part to the extra security and trustworthiness provided by HTTPS over DNS, which is subject to man-in-the-middle (MITM) attacks. However, when it comes to scale and operational costs, large data lookup systems based on DNSSEC APIs could be more cost-effective than those based on HTTPS. As DNSSEC becomes ubiquitous across the Internet fabric, trust services, new directories and large dataset lookup systems based on DNSSEC could emerge. Someone just needs to invent the equivalent of JSON to encode key-value pairs over DNS. So could DNSSEC change the way Internet architects design open secure Internet systems tomorrow? Certainly, it will be up to the developer community to decide, but 2010 may be the year when DNS becomes a viable alternative.
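The "JSON over DNS" idea in that prediction runs into two concrete constraints that are worth seeing in code: a TXT record's RDATA is a sequence of character-strings of at most 255 bytes each (RFC 1035), and while the character-strings inside one TXT record keep their order, the records of an RRset do not arrive in any guaranteed order. The block below is an added example for this page, not a standard and not anything VeriSign shipped; the `seq/total:` chunk header is a constructed convention for reassembly. It encodes a dict as ASCII JSON split into 255-byte character-strings, reassembles them from any order, and shows the length-prefixed wire form. Integrity is not provided by the encoding; it comes from the DNSSEC signature over the RRset, which only a validating resolver checks.

```python
import json

MAX_CHARSTRING = 255            # RFC 1035 <character-string> limit, one length octet
HEADER_LEN = len("00/00:")      # constructed chunk header: sequence/total
PAYLOAD = MAX_CHARSTRING - HEADER_LEN


def encode_record(data: dict) -> list:
    """Serialize a dict to ordered TXT character-strings, each <= 255 bytes.
    ensure_ascii keeps every byte single-width so slicing never splits a
    multi-byte character."""
    body = json.dumps(data, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    chunks = [body[i:i + PAYLOAD] for i in range(0, len(body), PAYLOAD)]
    if len(chunks) > 99:
        raise ValueError("record too large for two-digit sequence numbers")
    return [f"{i:02d}/{len(chunks):02d}:{c}" for i, c in enumerate(chunks)]


def decode_record(strings: list) -> dict:
    """Reassemble character-strings received in any order back into the dict,
    rejecting oversize, missing, duplicate or inconsistent chunks."""
    parts, total = {}, None
    for s in strings:
        if len(s.encode("ascii")) > MAX_CHARSTRING:
            raise ValueError("character-string exceeds 255 bytes")
        seq, rest = s.split("/", 1)
        tot, chunk = rest.split(":", 1)   # first ':' closes the header; JSON may contain more
        if total not in (None, int(tot)):
            raise ValueError("inconsistent chunk totals")
        total = int(tot)
        if int(seq) in parts:
            raise ValueError("duplicate chunk")
        parts[int(seq)] = chunk
    if total is None or sorted(parts) != list(range(total)):
        raise ValueError("missing chunks")
    return json.loads("".join(parts[i] for i in range(total)))


def to_wire(strings: list) -> bytes:
    """TXT RDATA layout: one length octet followed by that many bytes, repeated."""
    out = bytearray()
    for s in strings:
        b = s.encode("ascii")
        if len(b) > MAX_CHARSTRING:
            raise ValueError("character-string exceeds 255 bytes")
        out.append(len(b))
        out += b
    return bytes(out)


def from_wire(rdata: bytes) -> list:
    """Inverse of to_wire: walk the length-prefixed character-strings."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        strings.append(rdata[i:i + n].decode("ascii"))
        i += n
    return strings


if __name__ == "__main__":
    # Constructed sample: a lookup record that is too long for one character-string.
    record = {"alg": "ed25519", "key": "A" * 600, "policy": "strict"}
    strings = encode_record(record)
    print(len(strings), "character-strings;", len(to_wire(strings)), "bytes of RDATA")
    print(decode_record(list(reversed(strings))) == record)
```

The sample record serializes to 644 bytes of JSON, which lands in three character-strings; decoding them in reverse order still returns the original dict, which is the property the RRset-ordering caveat requires.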


Security Prediction #7:
Network Security (Elastic DDOS Protection)

With Facebook and Twitter in the bad guys' crosshairs, the increasing threat of distributed denial of service (DDOS) has reached unprecedented notoriety. Across the world, DDOS attacks have risen to levels never seen before. Looking forward, our increasing reliance on public networks to support commerce, mission-critical IT applications, and communication will continue to drive the need for DDOS protection. Because DDOS protection is a game of scale, DDOS monitoring and mitigation cloud services should play a pivotal role in keeping public and private networks safe in 2010.


Security Prediction #8:
Consumer Identity Trust (the Emergence of User-Centric Policies)

The evolution of the World Wide Web into a user-centric, real-time and distributed information system has never been so evident. In less than 15 years, our center of attention on the Web has already shifted from highly centralized portals to the more distributed blogosphere, the more personal Facebook pages of our friends, and the more real-time Twitter streams of our specialized interests. Increasingly, the content and data that truly matter to each of us have become decentralized, personal and real-time. As the Web continues this inexorable mutation into a user-centric, distributed and real-time information system, the imperative for a new identity system becomes blatantly clear. The necessity for each of us to control and protect our content and data across multiple service providers will eventually drive the emergence of an open identity order that goes beyond the artificial locks imposed by large user and social communities. If the data and content that matter to us are personal, distributed and real-time, surely these new identity services will need to ensure that they remain authentic, safe and private. In 2010, open identity systems will continue to garner momentum. Governments will begin deployment. Because interoperability cannot be achieved with technology alone, an open policy framework will emerge as the foundation for identity privacy, security and trust.


Security Prediction #9:
Securing the Smart Grid (Safe Clean Tech)

Saving energy and improving the management of energy is high on today's political agenda. With millions of individual homes, apartment buildings and offices connected, the network of things will likely be larger than the World Wide Web. Securing the smart energy grid cannot be an afterthought. The interconnection of consumer devices, meters, distribution and transmission infrastructure, and energy providers into an intelligent network may not only be the country's largest growth and innovation opportunity, it could also be its greatest liability. The network of things will have to be trusted from day one. This worthy endeavor will drive the deployment of next-generation cryptography, embedded certificates and trusted computing for smart grid elements. It is still early, but there is no alternative: the smart grid will have to be secure or it won't be.


Security Prediction #10:
Browser Security (Stopping the Man in the Browser)

Browser security seems to be as much art as it is science. As anti-virus companies and hackers keep on playing the cat-and-mouse game, new approaches for protecting users against malware are starting to emerge. Browser sandboxing is a promising area. Cloud-based AV provides another innovative approach. Most corporate users are already familiar with AV web proxies, which process web pages in real time and filter based on signatures and blacklists. Real-time updates and shared threat intelligence are some of the key advantages of cloud-based malware detection. The approach has merit since signatures can take days to be written while malware can morph in hours. Browser and plug-in vulnerabilities will keep on driving desktop threats in 2010. The VeriSign iDefense team will keep on publishing zero-day exploits and vulnerabilities ahead of attackers. If last year's trends are any indication of what the next year will look like, they have their work cut out for them.


November 26, 2009

The inexorable convergence of cloud and security services


Concerns about the security of applications run in the cloud are running high. The perceived lack of security of cloud platforms is often cited as the primary obstacle to adoption. Whether "cloud" is defined as infrastructure as a service (storage and compute services à la Amazon), platform as a service (application deployment environment à la Google App Engine), or simply as application outsourcing (SaaS à la SuccessFactors), almost everyone is lamenting the security inadequacies of these new computing platforms.


This raises the question of whether cloud providers should envision becoming security companies. After all, why would CIOs ever shift their entire IT infrastructure to the cloud unless the cloud came with strong security, compliance assurance and operational risk management? Conversely, should security companies rapidly transform themselves into cloud providers? After all, why would an enterprise that has crossed the Rubicon of moving its IT infrastructure to the cloud ever want to keep on buying security from a security company? Instead, would enterprise customers not expect cloud service providers to bake in security as part of the cloud offering? Despite the need for secure clouds, security companies are not yet focusing on IT infrastructure as a service. Instead, most security vendors are exploring security as a service, that is, the cloud as a delivery mechanism for traditional security services. The MessageLabs acquisition by Symantec, the MX Logic acquisition by McAfee and the recent acquisition of ScanSafe by Cisco give credence to the popularity of the cloud as the savior for all enterprise security companies faced with the spectre of contracting software license revenue and profit margins.


Interestingly, the so-called insecurity of the cloud does not need to be a perennial curse. The shift of IT to the cloud actually provides a significant opportunity to improve the way we do IT security today. Just as the cloud is transforming IT deployment and management, it will transform security. Consider, for example, vulnerability and patch management. From a security standpoint, the most tangible risk is the failure to keep up with the constant, labor-intensive process of patching, maintaining and securing each server in a company. Although vulnerability assessment can be automated through external network and application penetration testing, there is still a lot of labor-intensive process and extreme customer pain in patching networks, servers and software: ports must be closed, networks must be segmented, patches must be installed, application code needs to be changed, etc.


Contrast this with what the cloud can enable. If an application is running in the cloud, the cloud provider takes responsibility for the hardware, OS, network, and third-party software, making sure they are hardened and certified. A choice of infrastructure elements with varying security assurance levels is offered, but the customer's internal security policies govern deployment. All infrastructure elements are periodically pen-tested for known and zero-day exploits. As new vulnerabilities are identified, an automated patch process is implemented. New virtual images are built and automatically deployed across the virtualized infrastructure. Virtual switch segments and firewall rules are updated in real time. When vulnerabilities are found in the custom IT application code, a virtual Web application firewall automatically blocks them. Virtual IPS and IDS capture, correlate and log all security events. Compliance logs, reports and scan results are automatically sent to customers and auditors whilst being securely archived. An end-to-end managed security model, orchestrated by a pool of specialized and highly trained security administrators, becomes possible; a far cry from today's reality of patching and software security maintenance.


Therefore, far from being a security liability, the shift to the cloud is an opportunity to streamline, automate and strengthen IT security. For progressive security companies, this could be game changing. For those unable to renounce their addiction to an aging licensing business model, it could be doomsday. In the same way that the cloud is challenging software platform vendors and ISVs, the cloud is about to disrupt the world of security. The quest for security differentiation in cloud platforms may even drive industry consolidation. Of course, skeptics will assert that the cloud is a fad and that nothing is really changing (watch Larry Ellison at the Churchill Club exposing the hype). Denying the transformational nature of virtualization (the genuine cloud OS) and multi-core computing technologies may be shortsighted. Ignoring the business model disruption of pay-as-you-go over software licensing may prove unwise. Personally, after a year of contracting GDP and anemic recovery forecasts, I find it invigorating to believe that a once-in-a-decade technology disruptor and market breaker lies right in front of our industry. Mr. Ellison may disagree, but for once, keeping your head in the clouds may be the smartest IT business strategy for many years to come.

November 5, 2009

Trust assurance in open identity networks


One of the key challenges in federated authentication networks is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind two parties into a trust relationship. When it comes to federated identity networks, peer-to-peer contracts between many identity providers and a myriad of relying party websites do not provide a scalable process. Therefore, open federated networks need a trust assurance framework to bootstrap trust between the three parties (the user, the OP and the RP).


The basic idea is that if an OP can be certified to comply with a set of industry best practices, the RP should be able to enter into an open identity exchange where both the websites and the consumers are reasonably protected. Of course, a pragmatic trust assurance framework should be flexible enough to support different levels of assurance based on the transaction risk and value. For low-assurance Web federation, where large brands such as email providers and major social networks dominate as OPs, certification may seem overkill, unless of course the federation is built on open principles stating that any OP meeting the standard should be able to participate. For high-assurance identity, such as payment networks, financial networks or eHealth record exchanges, certification is essential. In fact, in such environments, both the OP(s) and the RPs need to be certified.


The NIST guideline for electronic authentication is often referenced in the community as a good model for any identity trust framework. The NIST guideline defines four levels of assurance for e-authentication. Each level is deemed appropriate depending on the transactional risk. Tiered levels of identity assurance are essential to any pragmatic trust framework. Set the bar too high and deployment becomes impractical. Set the bar too low, and the bad guys will have a ball. Justifiably, the NIST guideline provides a solid starting point. Nevertheless, one needs to observe that the framework may be too narrowly focused on user credentialing and credential strength to provide a complete answer. Open identity systems cannot ignore the reality of today's Web vulnerabilities, threats and exploits that feed identity theft around the globe, such as man-in-the-browser exploits, session hijacking or Web-vulnerability-driven exploits like mass SQL injection. A trust standard also needs to go beyond security and address the major consumer concerns and political challenges of privacy. When it comes to trusting identities, security, privacy and anonymity are intricately intertwined. Trust in a federated identity Web mandates a holistic approach that looks not only at user authentication but also takes into account the current state of desktop exploits and Web site compromises, and most importantly establishes clear and enforceable privacy protection guidelines.


Trusting the OP/RP Websites: web security & business authentication


For low- and medium-assurance identity transactions, it seems that both the OP and RP website security would need to be asserted. There, I think, one can learn from Internet security standards such as PCI. Even though the standard is far from perfect (a euphemism, perhaps), it provides a shared base of security requirements for all websites that engage in e-commerce and securely handle credit card information. If one believes that consumers will require for their personal identity the same level of security as for their credit card, the parallel can be useful. The OP website should then be scanned for network security vulnerabilities; unnecessary ports should be closed; network services should not run outdated or unpatched software; the OP should not be vulnerable to common Web exploits such as SQL injection, cross-site scripting (XSS), or cross-site request forgery (CSRF). For web application vulnerabilities, the OWASP Top 10 list of Web vulnerabilities provides a useful reference. In addition to security assessment, a set of security best practices should be required. For example, the OpenID profile retained by the federal pilot already specifies that SSL should be part of the deployment profile. Verifying the authenticity and legitimacy of the organization behind the OP is as important as verifying the security of its website. There, a proven model that the industry could re-use is the EV business authentication standard. EV certification already defines a strong process for vetting organizations, and it is already widely used across the industry.


Trusting the user: beyond identity verification and credentials


As mentioned, NIST will provide the foundation for user trust assurance (both for runtime and initial authentication of end users). Equally important, however, is to consider that Internet threats have significantly evolved since the NIST framework was initially published. In particular, we need to recognize that one of the main threat vectors for identity theft is now malware. An identity trust framework can no longer ignore the potential of man-in-the-browser attacks (Trojans, key-loggers, worms, etc.). Knowing whether the end user has any end-point protection (and maybe encouraging websites to introduce out-of-band messages into high-assurance identity transactions when such protection is lacking) should be considered.


Trusting the transaction: from activity to security streams


Believing that the OP can provide strong identity assurance by simply checking credentials and abandoning the user at the RP front door is a dangerous over-simplification. Because modern exploits often let the user authenticate normally and then commit fraud further down the session, it is important to enable OPs to leverage their knowledge of the end user and her transaction patterns to identify high-risk conditions. Since we cannot assume the existence of adequate desktop protection (Internet security that relies exclusively on the presence of a client on the user desktop is no more than an academic exercise), high-assurance federation models need to enable the use of fraud-engine techniques across RPs (most logically run at the OP, although it could be separate). The ability to create an effective user risk profile across transactions is what has made the credit card networks work. High-assurance identity networks are going to need an equivalent (think VISA of identity). An interesting idea could be to leverage the concept of the activity stream as a real-time fraud detection primitive. A security stream back to the OP (under complete user consent and strict privacy protection) would allow RPs to feed transactional information back to the OP, allowing it to build a complete risk profile of the user across her Internet activities (fraud detection is often based on clustering techniques that measure abnormal deviation from normal behavior). Even without a risk engine running at the OP, a security activity stream could have tremendous security value if used as a simple identity alert system to notify the user of all ongoing transactions.
In high-risk cases, the activity stream could trigger an out-of-band consent for the transaction (think of Visa calling you to confirm and authorize a suspicious transaction); it is interesting to think that the social concept of the activity stream that is today missing from OpenID (not from Facebook Connect) could actually be used to drive better identity theft protection. With such a transactional feedback loop, a security-minded OP would be able to return a transaction score and possibly a liability guarantee based on the user risk and behavioral profile built over time. Incidentally, interesting new OP business models could emerge (VISA-like: "I will take a cut of the transaction", Credit-Bureau-like: "I will charge you for the score", Insurance-like: "I will take the liability risk").
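What the security stream and out-of-band consent described in the two paragraphs above might look like at the OP, as an added example that is not from this post, from OpenID or from any VeriSign product: relying parties feed transaction events for a user to the OP, which keeps a per-user baseline and scores each new event by its deviation from that baseline, returning a step-up decision when the deviation is large. The detector (a median/MAD deviation on amount plus a time-of-day check), the threshold, the event fields and the sample events are all constructed assumptions; a production engine would use far richer features.

```javascript
// Added example (not from the post): a toy OP-side "security stream" that
// scores relying-party events against the user's own history and asks for
// out-of-band confirmation when an event deviates too far. Detector design,
// threshold and sample events are constructed for illustration.

const STEP_UP_THRESHOLD = 3.5; // assumed policy: deviation score that forces out-of-band consent

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const m = Math.floor(s.length / 2);
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Robust deviation of x from the user's history: |x - median| / MAD, with
// 1.4826 scaling so the result is comparable to a z-score on normal data.
// Median/MAD rather than mean/stddev so one past outlier cannot widen the
// baseline enough to hide the next one.
function robustScore(x, history) {
  if (history.length < 5) return 0; // too little history to judge; treat as routine
  const med = median(history);
  const mad = median(history.map(h => Math.abs(h - med))) * 1.4826;
  if (mad === 0) return Math.abs(x - med) / Math.max(Math.abs(med), 1); // constant baseline: relative change
  return Math.abs(x - med) / mad;
}

// Hour of day is circular (23 and 1 are two hours apart).
function hourDistance(a, b) {
  const d = Math.abs(a - b) % 24;
  return Math.min(d, 24 - d);
}

// An event is at an unusual time if fewer than 10% of past events fell within
// two hours of it.
function unusualHour(hour, history) {
  if (history.length < 5) return false;
  const near = history.filter(h => hourDistance(h, hour) <= 2).length;
  return near / history.length < 0.1;
}

class SecurityStream {
  constructor() {
    this.profiles = new Map(); // user -> { amounts: [], hours: [] }
  }

  // Called for each event an RP feeds back (with the user's consent).
  // Returns the decision the OP would hand back to the RP.
  ingest(event) {
    const p = this.profiles.get(event.user) || { amounts: [], hours: [] };
    let score = robustScore(event.amount, p.amounts);
    if (unusualHour(event.hour, p.hours)) score += 2; // assumed weight for odd time of day
    const decision = score >= STEP_UP_THRESHOLD ? 'confirm-out-of-band' : 'allow';
    // Only events allowed as routine extend the baseline here, so a flagged
    // outlier does not teach the profile to accept the next one. A real OP
    // would also add events the user explicitly confirmed out of band.
    if (decision === 'allow') {
      p.amounts.push(event.amount);
      p.hours.push(event.hour);
    }
    this.profiles.set(event.user, p);
    return { decision, score: Number(score.toFixed(2)) };
  }
}

// Constructed sample stream: eight routine evening purchases, one large
// purchase at 4 a.m., then a routine purchase again.
const SAMPLE_EVENTS = [
  { user: 'alice', rp: 'shop.example', amount: 42, hour: 19 },
  { user: 'alice', rp: 'shop.example', amount: 38, hour: 20 },
  { user: 'alice', rp: 'books.example', amount: 55, hour: 18 },
  { user: 'alice', rp: 'shop.example', amount: 47, hour: 21 },
  { user: 'alice', rp: 'music.example', amount: 12, hour: 19 },
  { user: 'alice', rp: 'shop.example', amount: 60, hour: 20 },
  { user: 'alice', rp: 'shop.example', amount: 35, hour: 19 },
  { user: 'alice', rp: 'books.example', amount: 50, hour: 18 },
  { user: 'alice', rp: 'electronics.example', amount: 1900, hour: 4 },
  { user: 'alice', rp: 'shop.example', amount: 44, hour: 20 },
];

// Runs the sample through one OP stream and returns the decision per event.
function runSample() {
  const stream = new SecurityStream();
  return SAMPLE_EVENTS.map(e => stream.ingest(e).decision);
}
```

Two design points carry over to a real engine: the baseline is per user, so "abnormal" is measured against that user's own behavior rather than a global average, and a flagged event is kept out of the baseline until it is confirmed, which is what stops a fraudster from slowly training the profile.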


Ensuring trust across these three dimensions (the organization, the website and the user) is non-trivial. Yet it is critical to enable consumers worldwide to engage in shared identity interactions with peace of mind across the Internet. Very much like PCI vendors emerged from the existence of a commercial PCI standard, one would hope that identity trust assurance services could emerge as well, since security companies need economic drivers to build great services. One of the key challenges of the standard will be to strike a balance between how high to set the security bar and the need to permit a high level of automation for accreditation. Such a balance is always hard to strike, but it is also what makes the challenge worthwhile.

September 22, 2009

OpenID goes to the White House

Two weeks ago, I had the privilege to join the OpenID Foundation and Information Card Foundation boards for a meeting with the CIO, Vivek Kundra, and his staff at the White House. The goal was to discuss the forthcoming OpenID pilot and better understand the government's commitment to enabling distributed identity on the Web. Undeniably, this was a very interesting and spirited discussion.


A key take-home for me was the recognition of identity as the linchpin of new citizen-centric services, governmental IT cost reduction, and stronger cyber security. For key Obama initiatives such as citizen participation or electronic health records, identity management was described as foundational. Equally impressive was the sense of a holistic and consensual approach towards the broad deployment of trusted digital services across federal, state and local Web sites.


In particular, there is a clear view that the deployment of low-assurance-level identities is only a critical first step, not an end in itself. With the initial OpenID pilot, the administration is seeking to teach Internet users how to conveniently and confidently re-use their identities across multiple sites. Federation is a new behavior and, as such, it requires training. Federal and state web sites will provide an important training ground of relying parties. The government endorsement of OpenID is likely to prove significant. After all, if OpenID is good and secure enough for the government, it should be good and secure enough for most Web sites. Besides, once consumers are comfortable using distributed identities, it becomes possible to alter the login experience by introducing stronger security and identity assurance. This is the ultimate end game, since high-assurance identity services are preconditions to new strategic initiatives.


Consider health care reform, for example. To counterbalance the $900B expense that the new Obama plan calls for, electronic health records must become a reality. However, eHealth requires access control across a large and complex ecosystem. Users must be able to register, log in and access private data across physician, hospital, pharmacy, lab, insurer and employer Web sites. Privacy and security concerns are high on the list. Without high assurance, clear liability models and robust shared identity services, eHealth is a non-starter.


The crawl, walk, run approach to identity services that our federal government is taking may prove insightful. By restricting initial interaction to pseudonymous and low-assurance-level identities, federal web sites instantly provide the industry with a simple test bed to iron out the trust and privacy frameworks necessary to the deployment of large federated identity networks. User experience, privacy policy and security approaches that can work for millions of consumers will have to be standardized. The liability elephant that has been haunting the identity discussion rooms will have to be tamed. No doubt the OpenID Foundation, the Information Card Foundation and many others have their work cut out for the next few months.


So, keep an eye on the pilot. If all the planets keep aligning, and federated identity can prove to significantly increase user registration, an important chapter in the book of distributed identity systems may be just about to open in front of us.

August 20, 2009

I will have your cookie and eat it too!


In the coming years, many websites will contemplate adding strong authentication to account login. So far, early adopters of strong authentication have mostly been financial institutions. Since 2005, banks and brokerage firms have had little choice but to follow the FFIEC guidance. This 2005 regulation mandated a move to stronger credentials than just user names and passwords. Today, SaaS providers and large consumer Web sites are increasingly suffering brand exposure and public scrutiny following high-visibility attacks (here and there). With increasing reliance on the cloud to host mission-critical applications and sensitive data for enterprises and consumers, I would expect many large online services to begin offering stronger login options to their user base.


Interestingly, the FFIEC deployments of multi-factor solutions such as chase.com or bankofamerica.com give us some insight into the types of technology that are likely to be adopted by non-financial service providers. Multi-factor authentication there essentially relies on a cookie as the second factor (the cookie is "what you have"). Coupled with a backend anomaly engine, the client-side cookie is used as a "persistent" device identifier. Cookies as device IDs are alluring because they work across all browsers; they do not require any new client install on the user desktop; cookies are transparent to the end user; and, most importantly, they do not cost anything. Since cookies could become prevalent as a "second factor" for web login, it is important to be aware of the security limitations and risks that they represent.


The first issue with cookies is their lack of persistence. Statistics show that users very often reset their cookies. This leads to the challenge of "cookie re-issuance" or cookie reset. This problem is roughly equivalent to password reset which, as many recognize, is the Achilles' heel of login. The alternatives are not pretty. Either you make the reset process stringent and secure and it becomes a hassle to the end user; or you make the process relatively easy, and it leads to very simple attacks. In short, the lack of persistence of cookies as device IDs will trigger many cookie re-issuance events. Since high-frequency life-cycle events cannot be made too complex without frustrating customers, the high frequency of cookie resets will inexorably lead to simple procedures. In turn, these simple procedures will inevitably open the door to a broad range of attacks.


The second class of problem with cookies is that they can easily be stolen using remote attacks such as cross-site scripting (XSS). XSS is a vulnerability that lets the attacker overcome the same-origin policy enforced by all modern browsers. The policy prevents scripts loaded from one domain from accessing content from another domain. XSS vulnerabilities effectively allow an attacker to execute scripts in the context of the vulnerable domain, hence overcoming the same-origin safeguard in the browser. All the attacker needs to do is to exploit this vulnerability by crafting a request parameter value along the lines of . Since this gives the attacker unlimited access to any cookies of the website, DOM content, etc., this is considered one of the most serious vulnerabilities out there. The key point about this type of cookie attack is that it can be launched remotely. In other words, an attacker can get to a user's cookie without the user's machine being compromised by malware. Add malware on the user's machine, and cookies as a device ID become a recipe for disaster. In that case, cookies and machine fingerprints can be harvested and sent to the bad guys without the user ever noticing anything.


The increasing reliance on a silent device ID that does not impact the user experience is a logical approach to strengthening authentication on the Web. It is only the absence of alternatives to cookies that is leading web engineers to leverage them for authentication. Cookies were not invented for such a purpose. As my sweet-toothed daughter would eloquently put it: the world needs better cookies. Eventually, we do need stronger, more persistent device IDs that can be deployed across fixed and mobile devices, competing operating systems and browser platforms. These strong device IDs can be shared secrets, asymmetric key pairs or device certificates. The technology clearly exists, but we lack a common deployment framework for device IDs (open client, common user experience, shared ID security stack, hardware protection too). That is typically where the industry does its best work. Everyone needs it. Everyone will benefit from it. No one can do it alone.


The common need for open standards, an open stack and open policies to deal with strong, persistent and privacy-conscious device IDs will inevitably lead to a joint effort. As cookies start crumbling across websites, security experts will get together and the urgency for collaboration will come to bear. In the meantime, when access security really matters, I will keep using my one-time password token. If only I could remember where I left it.

