VeriSign Security Review
Q2 2005
One of the most formidable obstacles to deploying a security program
across an enterprise is achieving interoperability between myriad
devices, protocols, and technologies. But so far in 2005 we have seen
advances that will greatly assist enterprises as they attempt to meet
these challenges: OATH has released the 1.0 Reference Architecture for
its open authentication standards, paving the way for a smoother
transition to enterprise-wide strong authentication. Through the VeriSign
Security Review, we hope to keep you informed on ways you can increase
the strength and reach of your security programs while holding down costs.
A Significant Push Towards
Open Security Standards: OATH Releases the 1.0 Reference Architecture
By David Berman, OATH Marketing Group Representative
To ensure that identities and other confidential
information can be securely shared and trusted between independent partners,
organizations are leveraging strong-authentication solutions as the
first pillar of strength. Strong authentication must not only address
individual users but must also ensure that all devices are strongly
authenticated in an open, interoperable, and federated environment.
The Initiative for Open AuTHentication (OATH)
was formed to establish open standards with which to drive the adoption
of strong authentication across the entire network environment and the
entire user community—from corporate employees, to Internet users, to
people accessing everything from health care records to government services.
OATH comprises representatives from across the "security ecosystem":
security vendors, device manufacturers, middleware and application
developers, corporations, merchants, and financial institutions. In May,
at the Digital ID World conference in
San Francisco, OATH announced
the release of the version 1.0 OATH Reference Architecture, marking
a significant step towards the development of an open, royalty-free
specification for strong authentication.
The OATH Reference Architecture provides the
technical framework for open authentication as originally envisioned
by OATH member companies. The key guiding principles behind the Reference
Architecture were:
- Open and royalty-free
specifications (leveraging existing standards wherever possible)
- Device innovation
and embedding (including such devices as PDAs, cell phones, and laptops)
- Native platform
support (platform connectors for strong device and user authentication)
- Interoperable modules
(allowing customers to deploy comprehensive and flexible authentication
solutions)
This first release of the architecture outlines
four areas that OATH will initially focus on.
The Client framework – The key objectives within this framework
are:
- To develop industry-standard
one-time password (OTP) algorithms
- To foster innovation
in tokens by embedding authentication technologies into mobile devices
and through the promotion of multi-function and multi-key tokens
- To promote standardized
token interfaces
- To encourage the
development of authentication protocols such as EAP and Web Services
methods specific to OTP authentication methods
The Validation framework – This framework will enable vendors
to write custom validation modules and enable enterprises to deploy
multiple authenticator types within the same infrastructure. The validation
framework will also enable organizations to deploy a configurable set
of validation protocols (e.g. RADIUS, OCSP, WS-Security).
The Provisioning framework – This framework is an architecture
that can accommodate support for multiple standards-based provisioning
protocols to enable the provisioning of different types of credentials
across all types of devices. For some platforms, this framework will
also enable the provisioning of authentication software to the device.
The Common Data model – This model includes the definition
of standard user-store extensions and OTP Token metadata to support
open authentication.
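The Client framework's "industry-standard one-time password (OTP) algorithms" and the Validation framework's server-side checking are easiest to see in working code. The following is an added example, not code from the OATH Reference Architecture or from VeriSign. It implements the HMAC-based counter OTP construction that OATH published as HOTP in RFC 4226 (December 2005, after this issue): a token that derives a six-digit code from a shared secret and a press counter, and a validator that searches a bounded look-ahead window to resynchronise with a token whose counter has run ahead, while refusing any code at or below the last accepted counter so that a captured code cannot be replayed. The `Token` and `Validator` classes, the window size, and the failure counter are illustrative assumptions; the 20-byte secret is the RFC 4226 test secret.

```python
"""Added example: counter-based one-time passwords (HOTP, RFC 4226) with a
server-side validator that resynchronises and rejects replays.

Nothing here is OATH or VeriSign code.  Token/Validator are illustrative
class names; the secret is the RFC 4226 test value, embedded so the
example runs offline.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP code for (secret, counter).

    HMAC-SHA-1 over the 8-byte big-endian counter, then RFC 4226 'dynamic
    truncation': the low nibble of the last MAC byte selects a 4-byte
    window, whose top bit is masked off before reduction mod 10**digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # 0..15, so offset+4 <= 19
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Client side (illustrative): the device keeps a secret and a counter
    that advances once per generated code, whether or not the code is used."""

    def __init__(self, secret: bytes, digits: int = 6) -> None:
        self.secret = secret
        self.digits = digits
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1
        return code


class Validator:
    """Server side (illustrative): state for one enrolled token.

    `next_counter` is the lowest counter value the server will still
    accept.  Anything below it has been used or skipped over and is refused,
    which is what stops a captured code from being replayed.  `window`
    bounds how far ahead the server searches when the user pressed the
    button without submitting the codes.
    """

    def __init__(self, secret: bytes, digits: int = 6, window: int = 10) -> None:
        self.secret = secret
        self.digits = digits
        self.window = window
        self.next_counter = 0
        self.failures = 0  # consecutive failures; a real deployment throttles on this

    def validate(self, code: str) -> bool:
        for candidate in range(self.next_counter, self.next_counter + self.window):
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison of the submitted code against the candidate.
            if hmac.compare_digest(expected, code):
                self.next_counter = candidate + 1  # resync and burn skipped counters
                self.failures = 0
                return True
        self.failures += 1
        return False


# Constructed sample run: RFC 4226 test secret, counters 0..9 give
# 755224 287082 359152 969429 338314 254676 287922 162583 399871 520489.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token, server = Token(SECRET), Validator(SECRET, window=5)
    first = token.press()
    print("fresh code accepted:", server.validate(first))        # True
    print("same code replayed:", server.validate(first))         # False
    token.press(); token.press()                                 # two unsubmitted presses
    print("code after 2 skips:", server.validate(token.press())) # True (resync to 4)
    print("code for burned counter 1:", server.validate(hotp(SECRET, 1)))  # False
```

The validator never accepts a counter it has already passed, so the look-ahead window only ever moves forward; a larger window eases resynchronisation but widens an attacker's chance of guessing a six-digit code, which is why the failure counter should feed a throttling or lockout policy.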
By addressing these four areas, OATH aims to
promote device innovation, minimize the impact on existing infrastructure,
drive interoperability, and facilitate the deployment of best-of-breed
solutions. OATH invites everyone to download
and read the first release of the OATH Reference Architecture, and VeriSign
encourages all readers of the Security Review to join in the effort
to make strong authentication universally adopted.
For more information, visit www.openauthentication.org.
If you have questions, please email info@openauthentication.org.
Strong Authentication for Consumers
By Kevin Trilli, director of product marketing
for authentication services, VeriSign
Identity theft and phishing attacks are causing
considerable concern among consumers, and such attacks, in turn, have
a direct effect on banks and other financial institutions, in the form
of legal retribution, a tarnished public-relations image, or increased
pressure from government regulators. For these reasons, financial organizations
are beginning to deploy strong-authentication solutions for securing
their systems: such solutions combine usernames and passwords
with a second credential, such as a USB token or smart card, so that a
stolen password alone no longer grants access to critical information.
No single solution will provide complete protection from identity theft
and fraud; organizations ought to adopt a layered approach to security
that includes protection for the user, the desktop, and the corporate
network. However, strong authentication at the user layer, ensuring
that individuals are who they say they are, is a critical component.
Today, very few financial institutions are
rolling out strong-authentication solutions directly to consumers, though
there are several clear advantages for doing so. For example, strong-authentication
solutions provide an effective defense against identity theft, and in
offering such solutions to consumers, organizations can better differentiate
their services, as well as protect themselves against litigation from
victimized consumers. In addition, strong-authentication solutions provide
an opportunity for organizations to associate their brands with USB
tokens, smart cards, and other devices, and such solutions also provide
an organization with a potential source of additional revenue, should
they market the enhanced security credentials as a value-added service.
Strong authentication has yet to see widespread consumer adoption for
several reasons, but the key challenge this market faces is one of
scale. USB tokens and smart cards are relatively portable, yet consumers
will be reluctant to carry an extra card for each service they use, and
it is highly unlikely that any consumer would carry several USB tokens
on one key chain. Organizations therefore need to collaborate on a
token-sharing architecture. If consumers could authenticate to multiple
systems (ISPs, banks, hospitals, libraries, etc.) using a single token,
all participating organizations would benefit, and the way would be paved
for widespread adoption.
To establish such an architecture, organizations
need to answer several highly important questions, and agree on fundamental
ground rules for authenticating users across their participating systems.
At this juncture, it is certain that no single technology is going to
resolve all of the issues, since each party will have slightly different
requirements based on their particular needs. Rather, an effective
token-sharing architecture requires a set of protocols through which
critical security and business needs can be met. All parties need to
decide, for example, how users' personal information will be used, the
extent to which it will be shared, and how liability will be assigned
if data is mishandled.
This is where you come in.
VeriSign would like to initiate a series of
discussions on building the bridges that will bring consumers to strong
authentication, and as a reader of the VeriSign Security Review, we
invite you to join in on the discussion, and help shape the emerging
marketplace of consumer strong authentication. To begin, send an email
to consumerauthentication@verisign.com,
briefly explaining any plans you may have in developing strong authentication
for the consumer market. You will then receive additional information
as to the time, place, and venue for the next discussion around this
crucial topic.
For more information about bringing strong
authentication to consumers, please see the VeriSign white
paper entitled “Consumer Strong Authentication: Addressing
Deployment Obstacles by Enabling Token Sharing.”
Intrusion Prevention: Powerful
Tools When Properly Used
By Scott Magrath, product manager, VeriSign®
Managed Security Services
As intrusion prevention technologies continue
to mature, more and more enterprises are looking to include them as
a component of their security strategy. IPS solutions, which can block
malicious traffic while allowing the unimpeded flow of normal traffic,
are powerful tools when used correctly. However, IPS devices must be
adjusted carefully and continuously, since a poorly managed IPS may
miss potential threats, or worse, could actually block access to critical
resources, creating significant negative business impact.
In short, like any security control, an IPS cannot run on auto-pilot.
No matter how robust the technology, it must be meticulously configured
and continuously monitored so that it operates at peak effectiveness
relative to the organization's business goals without disrupting daily
business activities. Operating an IPS requires significant security
expertise in order to anticipate threats before they occur and react
quickly and decisively before they cause damage.
More than just technology, an effective intrusion-prevention
strategy must include all components of an enterprise security program:
not only technologies like firewalls, email gateways, localized anti-virus
software, strong authentication, and integrity verification, but business
processes and incident response planning as well. To identify patterns
that may point to network misuse or emerging threats, security experts
must carefully monitor, correlate, and analyze events across all layers
of an organization's network, and must incorporate a global threat view
to ensure a proactive approach to information security.
Drafting and operating such a program may be
a daunting prospect for many organizations, but it is a critical endeavor.
To help organizations get a head start on this process, VeriSign produced
a white paper entitled “Intrusion
Prevention - A Proactive Approach to Network Security.”
For more information about cultivating an effective,
proactive approach to information security, please visit the Managed
Security Services section of the VeriSign Web site.
Ask a Consultant
The VeriSign® Global Security Consulting practice
performs a wide range of security assessment, program development, technical
design, controls testing, and computer forensic engagements. With an
average of ten years’ experience in enterprise information security,
and having conducted a great many security assessments and audit reviews,
VeriSign consultants demonstrate expertise across the entire information-security
and privacy spectrum.
This is your opportunity to ask a question
of our consulting team, and directly leverage VeriSign expertise. Each
issue, we will publish one or more of your questions to share with readers
of the Security Review.
If you have a question, send an email to askverisignsecurity@verisign.com.
For authentication purposes only, include your name, title, company
name, and phone number. We reserve the right to edit for clarity, and
we will contact you if we have selected your question for publication.
We realize that some security-related questions may be sensitive, so
let us know if you would prefer to be anonymous. We will not be able
to respond to every question, but we will do our best to address as
many as we can.
Question:
As a Director of Information Security, I get
a lot of questions about Sarbanes-Oxley and how it maps to our security
program. How specific is Sarbanes-Oxley on key security topics and how
do I integrate it into my overall security program?
Answer:
Good question. Coming on the heels of the Enron
scandals, the key objective of the Sarbanes-Oxley Act is to raise investor
confidence in what companies report about their financial position.
For information security, the key area to focus on is section 404, which
states that each annual report must contain a statement establishing
the internal control structure as well as a method for assessing its
effectiveness. It does not provide specific guidance on passwords, encryption,
etc. That guidance comes through the standards by which companies (and
auditors) assess their internal controls.
The two most popular standards are the Committee
of Sponsoring Organizations of the Treadway Commission, or COSO, and
the Control Objectives for Information and related Technology, or COBIT.
Particularly useful is a report by the IT Governance Institute (ITGI)
that examines Sarbanes-Oxley through the framework of COBIT and the
key control processes of COSO. This report, titled “IT Control Objectives
for Sarbanes-Oxley,” (updated April 2004), is used by many companies
to guide them in this regard.
The ITGI report provides guidance in the form
of illustrative controls (what the organization needs to have) as well
as illustrative tests of controls (how one would go about assessing
the organization.) Areas that are addressed include: security policies
and procedures; user account management and authentication requirements;
transaction integrity; network security (e.g. firewalls, IDS, and anti-virus);
annual independent assessments; log monitoring; and physical security.
There are also a variety of change-management oriented controls that
include patch management and configuration.
Regardless, even with the additional detail
provided via standards, there is (and always will be) a certain amount
of reasonableness applied based on good practice. This is true for Sarbanes-Oxley
as well as other regulations like the Health Insurance Portability
and Accountability Act (HIPAA) and Gramm-Leach-Bliley. These (and
other) standards should be incorporated into your overall security program.
This might seem like a lot of work; the good news is that the regulations
have a lot in common, and if you study the regulations, you will find
that you will be able to eliminate many of the duplicative requirements.
It is important to note that not all 404 controls are security
controls. Since Sarbanes-Oxley focuses on financial statement reporting,
IT should focus on those systems that either process or control access
to data that map to the financial statements. Work with your auditors
and consultants to determine what those key systems are and develop
a comprehensive plan for regular assessment and ongoing improvement.
More importantly, take a holistic approach to see how Sarbanes-Oxley
and other regulations and requirements apply to your organization and
build a program that provides the most coverage.
— Douglas W. Barbin, senior product manager
for compliance solutions, VeriSign
Douglas W. Barbin is a Certified Public Accountant (CPA), Certified
Information Systems Security Professional (CISSP), and a Certified Fraud
Examiner (CFE). He has developed IT Security Controls for Global 1000
companies and government organizations. Prior to his role in Product
Management, he was VeriSign director of security consulting for the
Western United States.
Mitigating Spam and Related
Threats
By Sundar Krishnamurthy, product manager,
VeriSign® Email Security Service
Spam affects individuals and organizations
on a global basis. Late last year, CNET News reported that spam made
up as much as 38 percent of the email sent daily in North America. Spam is
a growing nuisance, forcing users to spend time sorting through and
deleting large quantities of email, but it also poses security risks
to an enterprise: spam is one of the primary vehicles for delivering
viruses, and high-volume mailings can themselves overwhelm mail
infrastructure, a form of denial-of-service attack.
Large organizations, therefore, have developed
robust in-premise systems for spam filtering and virus scanning, ranging
from software-based solutions to those employing proxy servers and other
network infrastructure. Such deployments are costly, however, not only
due to the investments in the initial installations, but also, of course,
in the ongoing expenses related to the downloading, testing, and deployments
of system updates and upgrades. In addition, email-borne threats are
constantly changing, and IT staff must adjust filter criteria on a continuous
basis to effectively screen out dangerous data. Ferris Research estimates
that the total cost of ownership for server-based email-filtering solutions
runs approximately $132 per user per year, while desktop-based solutions
cost roughly $217 per user per year.
VeriSign offers an alternative that is both
more effective and less costly than in-premise solutions, the VeriSign®
Email Security Service. This service leverages VeriSign infrastructure,
including a system of secure, reliable, and globally distributed data
centers, to fully offload spam-filtering services from an enterprise.
The VeriSign Email Security Service maintains 99.999% availability and
employs multi-layer spam filtering and multiple anti-virus engines.
In contrast to in-premise solutions, the VeriSign
Email Security Service can be deployed in one hour, and it doesn’t require
upkeep or additional investments. Recently, the service has been enhanced
with additional features, such as support for French, German, Italian,
Spanish, and Canadian French.
VeriSign is offering a free 30-day trial of
the service with no setup fee, and up to a 40% discount for companies
that have 300 employees or more and currently use an in-premise solution
for filtering spam and viruses. For more information, please call 650-426-5310,
send an email to emailsecurity@verisign.com,
or submit an inquiry online.
Lowering The Cost of Strong
Authentication
By Kerry Loftus, Product Line Manager, VeriSign®
Unified Authentication
Financial institutions and other large enterprises
need to provide the strongest protection against cyber-criminals, and
for this reason, such organizations require more than passwords to prevent
unauthorized access; such organizations require additional, physical
security credentials such as one-time password tokens, USB tokens, or
smart cards. These strong-authentication solutions can be expensive,
due to the costs of providing the necessary hardware to each user, provisioning
each device, and managing the authentication solution.
These costs are compounded if an enterprise
uses a variety of different authentication solutions and devices. Migrating
from legacy systems can add further complexity and costs to the process
of maintaining such a solution. Strong-authentication solutions can
easily cost more than $60 per user, per year. For large organizations,
this represents a substantial investment, but compared with the costs
of having sensitive data fall into the wrong hands, such investments
are reasonable.
The cost of strong authentication, however,
can be dramatically reduced if organizations leverage strong-authentication
solutions that are based on open standards. Such solutions can easily
accommodate a myriad of devices and technologies without requiring changes
to the core system. In addition, such solutions can easily accommodate
new forms of authentication as they are created, as long as the new
devices also adhere to the same standard. VeriSign® Unified Authentication
is just such a solution, and it is based on OATH, an open standard backed
by a broad cross-section of the industry. The Initiative
for Open AuTHentication (OATH) is a working group comprised
of security vendors, device manufacturers, developers, and enterprises.
VeriSign Unified Authentication allows organizations
to reduce the total cost of ownership of strong-authentication by as
much as 40%, while providing organizations with an innovative and comprehensive
authentication infrastructure. This represents substantial savings over
other solutions, but organizations will be able to further reduce strong-authentication
investments: Through the end of the year, VeriSign is offering a competitive
upgrade program through which organizations can deploy Unified
Authentication tokens for as little as $8 per user, per year, a price
that is unprecedented in the industry.
VeriSign Unified Authentication can also mitigate
the complexities of upgrading from legacy systems, as the solution can
seamlessly operate with legacy two-factor authentication technologies,
including legacy tokens. Such flexibility allows enterprises to migrate
their users as legacy tokens expire, for a smooth transition to the
new system. In addition, the VeriSign technical team can assist participants
in the Upgrade Program by developing an interim Unified Authentication
architecture to run in tandem with their existing solution, during the
transition period. VeriSign works with each organization to develop
a seamless migration plan, so that the transition will have minimal
impact on established business processes.
For more information, visit the VeriSign
Unified Authentication section of the VeriSign Web site.
VeriSign Customer Profile:
Oracle
Building a Secure Environment for Deploying
Remote Application and Database Services
In the early 1980s, few individuals imagined
the extent to which business would be transformed by an apparently mundane
and perfunctory technology called “relational databases.” Larry Ellison,
CEO of Oracle Corporation, could well imagine this potential, however,
and today, Oracle has turned relational databases into a multi-billion-dollar
enterprise technology that has penetrated 98 of the Fortune 100 companies.
Oracle was also one of the first organizations to deploy company-wide
application and database capabilities across the Internet, and has been
doing so since 1995. In 2002, Oracle was developing its series of Oracle®
On Demand services, through which enterprise-level customers can host
applications and databases at Oracle Data Centers. However, Oracle needed
to be able to guarantee that their customers’ data was fully secure.
So Oracle turned to VeriSign for comprehensive solutions for deploying
digital certificates, which protect sites and data via Secure Sockets
Layer (SSL) encryption.
A Trusted Partner
Leonid Stavnitser, Oracle’s senior manager
of Application Traffic Management for Global IT, said that Oracle first
began securing its Web applications with VeriSign SSL Certificates as
far back as 1996, because of the leadership position that VeriSign occupies
in the certificate market. In addition to supporting either 40- or 128-bit
SSL encryption (the strength actually negotiated depends on the end user's
browser, and 40-bit export-grade ciphers should be regarded as weak), VeriSign SSL
Certificates include up to $250,000 in warranty protection against economic
loss resulting from the theft, corruption, impersonation, or loss of
use. Users can also display the VeriSign® Secured™ Seal, the most widely
recognized symbol of trust on the Internet (Cheskin/Studio Archetype
Study). At that time, Oracle was purchasing each certificate separately,
which became costly due to the size of Oracle’s operations. So in 2001
Oracle leveraged the VeriSign Managed Public Key Infrastructure (PKI)
services, which allowed the company to manage the distribution of all
SSL Certificates throughout the enterprise. Stavnitser said that Managed
PKI successfully secured Oracle’s ever-growing application environments,
and that the service easily scaled as needed.
Seamless Distribution
Managed PKI worked extremely well for Oracle’s
internal use, but when the company launched its On Demand hosted services,
Oracle had to contact each of its customers to guide them through the
process of deploying each digital certificate. Oracle needed a system
that would automate and centralize SSL management for their customers,
yet allow Oracle to maintain secure administration over the SSL Certificates
deployed across all Oracle On Demand environments, without impacting
noticeably on application performance or adding any complexity to the
network architecture. VeriSign® ISP Center, offered as part of the VeriSign®
Security Reseller Partner Program, provided this needed functionality,
and Stavnitser says that the service met all of Oracle’s requirements
while lowering the total cost of ownership. “In most cases,” says Stavnitser,
“the customer was unfamiliar with SSL technology, so they were easily
confused by the ordering and certificate-handling process.”
With ISP Center, Oracle has been able to consolidate
all SSL administration for enterprise customers within a single team,
and Oracle can rest assured with the knowledge that all sensitive certificate-based
information is stored by VeriSign on hardened servers, replicated across
geographically distributed data centers. "Before ISP Center," says
Stavnitser, "various different
teams within Oracle used to order certificates and manage the security
around handling private keys, but we’re avoiding many issues by consolidating
the security piece.”
Leveraging ISP Center, Oracle was able to design
and implement processes and procedures to speed up certificate procurement
and renewal, secure and regulate access to private key files, and automate
most of the administration tasks. “ISP Center has been instrumental
in centralizing certificate management and streamlining the accounting
process,” says Stavnitser. Most importantly, ISP Center provided significant
time and cost benefits. “We’ve decreased the average provisioning by
five business days,” says Stavnitser, “and we’ve greatly reduced administrative
overhead. Our SSL team was able to support over 800 additional certificates
without adding headcount. VeriSign has helped our business to become
not only more manageable, but also more scalable.”
Stavnitser appreciates the level of expertise
that VeriSign brought to the table. “VeriSign representatives collaborated
throughout this process,” says Stavnitser. “They provided valuable technical
assistance in automating the SSL provisioning process.” Stavnitser also
strongly values the 24/7 availability of VeriSign support.
Looking Ahead
Stavnitser said that in addition to the position
VeriSign holds in the security market, Oracle was also drawn to the
large wealth of complementary services that VeriSign offers, and looks
forward to future developments. “One of the reasons we chose to work
with VeriSign is that the company has the proven ability to enhance
existing products and introduce a wealth of new ones to address emerging
needs.”
Solution Summary
Industry: Systems Development
Challenge: To streamline the distribution process of hundreds
of digital certificates on behalf of enterprise customers
Solution: VeriSign MPKI and ISP Center services
Results:
- Oracle reduced the
provisioning process by an average of five days.
- Oracle was able
to support 800 additional certificates without adding headcount.
- Oracle can easily
manage administration of SSL certificates over a secure Web interface.
- Oracle's customers
appreciated the strong VeriSign reputation.
Upcoming Events
June 6-8, 2005
Gartner
IT Security Summit 2005
Washington, D.C.
This three-day conference explores the future of IT security, focusing
on such issues as emerging technologies, business solutions, and the
leading advice from world-renowned analysts, experts, and security providers.
June 6-9, 2005
SuperComm 2005
Chicago, Illinois
SuperComm is the world's largest annual all-inclusive conference for
communication service providers and private network managers, offering
the latest in every branch of communications technology. Visit VeriSign
at booth #29040.
June 12-15, 2005
The Techno Security Conference 2005
Myrtle Beach, South Carolina
Techno Security is a top-tier training and networking event, offering
information and advice on the cutting edge of digital security from
the industry’s leading experts.
June 13-15, 2005
NetSec
Scottsdale, Arizona
NetSec is a premier tradeshow on network security, discussing solutions
and strategies for both managerial issues and technological questions.
June 20-23, 2005
Cracking eFraud
Boston, Massachusetts
Featuring leading industry and government speakers, this seminar tackles
the growing problem of eFraud, and helps business owners find practical
ways to safeguard their sensitive information.
September 26-30, 2005
3GSM Asia
Singapore
With over 75 vendors and 2,300 attendees, this conference offers a fantastic
insight into the latest technological developments and policy decisions
in Asia.
September 28-30, 2005
IT Security World Conference and Expo
San Francisco, California
The IT Security World Conference offers more than 30 technical sessions,
covering the newest trends and most pertinent topics in IT Security.