<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-9199043948210645085</id><updated>2011-08-12T09:48:04.627-07:00</updated><category term='orphaned credentials'/><category term='orphaned cards'/><category term='identity management'/><category term='hspd-12 sso PKI NAC smartcard'/><category term='revocation'/><title type='text'>Transforming Cyber Security</title><subtitle type='html'>Interoperable security policies and practices, C&amp;amp;A and Audit Rigor, Federated PKI, ICAM, Security in the EA, Security Projects, FIPS 201, non-federal PIV, smartcards.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://shared-risk.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>10</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-4039337960424749668</id><published>2010-07-22T20:28:00.000-07:00</published><updated>2010-07-22T20:29:37.542-07:00</updated><title type='text'>My presentation at TRISC 2010</title><content type='html'>I had a wonderful time at TRISC 2010 in Texas.  Here is the presentation that I gave on the Advanced Persistent Threat.&lt;br /&gt;&lt;br /&gt;&lt;div style="width:425px" id="__ss_4810419"&gt;&lt;strong style="display:block;margin:12px 0 4px"&gt;&lt;a href="http://www.slideshare.net/jaynryan/apt-amp-what-we-can-do-today" title="APT &amp;amp; What we can do TODAY"&gt;APT &amp;amp; What we can do TODAY&lt;/a&gt;&lt;/strong&gt;&lt;object id="__sse4810419" width="425" height="355"&gt;&lt;param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=myaptlinked-12797754001036-phpapp02&amp;stripped_title=apt-amp-what-we-can-do-today" /&gt;&lt;param name="allowFullScreen" value="true"/&gt;&lt;param name="allowScriptAccess" value="always"/&gt;&lt;embed name="__sse4810419" src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=myaptlinked-12797754001036-phpapp02&amp;stripped_title=apt-amp-what-we-can-do-today" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style="padding:5px 0 12px"&gt;View more &lt;a href="http://www.slideshare.net/"&gt;presentations&lt;/a&gt; from &lt;a href="http://www.slideshare.net/jaynryan"&gt;jaynryan&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;</content><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/4039337960424749668'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/4039337960424749668'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/2010/07/my-presentation-at-trisc-2010.html' title='My presentation at TRISC 2010'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-4485848602444205047</id><published>2009-01-17T20:55:00.000-08:00</published><updated>2009-03-17T21:07:30.682-07:00</updated><title type='text'>Reaching beyond FIPS 201</title><content type='html'>We are encouraged by the efforts of GAO, OMB, and NIST to not stop at producing the card and move towards practical uses of the cards that will deliver on the promise of tangible value to the citizens.&lt;br /&gt;&lt;br /&gt;With this momentum built, we shifted our attention to the extended enterprise: the ability for Federal, state and local governments and commercial companies to interoperate, trust, and be trusted by each other in the digital age.&lt;br /&gt;&lt;br /&gt;This is a gigantic undertaking and it took us away from the blog for some time as we began lashing together the relationships required to make such an effort achievable.&lt;br /&gt;&lt;br /&gt;Look for more frequent blogging now that this ball is in motion and moving quickly.</content><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/9199043948210645085/posts/default/4485848602444205047'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/4485848602444205047'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/2009/01/reaching-beyond-fips-201.html' title='Reaching beyond FIPS 201'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-6188726152362520232</id><published>2008-04-14T12:31:00.000-07:00</published><updated>2008-04-20T14:08:08.828-07:00</updated><title type='text'>Bill at NIST recommends PIV termination process</title><content type='html'>Ron Martin recently published a PowerPoint presentation that Bill MacGregor gave a few weeks back.  It is a good read and has very important recommendations.&lt;br /&gt;&lt;br /&gt;Before we dig into one of his recommendations, I should note that Bill and I were colleagues in a past life.  We worked together after 9/11 as a tiger team within SchlumbergerSema to define an approach to information sharing which we ultimately presented to Rumsfeld.  We thought alike back then, and it seems we still do.&lt;br /&gt;&lt;br /&gt;Now, let's dig through one of his recommendations.  Let me draw your attention to one of the slides entitled "Green Lights." 
Green light activities are those which Bill suggests are important for agencies to consider:&lt;a href="http://3.bp.blogspot.com/_wmjKk_TmPdw/SAucux56vbI/AAAAAAAAAD8/EGO3ntHuFXw/s1600-h/bill-greenlights.bmp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 383px; height: 96px;" src="http://3.bp.blogspot.com/_wmjKk_TmPdw/SAucux56vbI/AAAAAAAAAD8/EGO3ntHuFXw/s320/bill-greenlights.bmp" alt="" id="BLOGGER_PHOTO_ID_5191415322958806450" border="0" /&gt;&lt;/a&gt;His second recommendation is, "Develop and Coordinate a PIV termination process."  Bill knows that agencies must work out their termination processes, and that this is important.&lt;br /&gt;&lt;br /&gt;We agree.  Termination processes are a hole right now, and until they are fixed we will have "Orphaned Credentials." You can read our blog post about orphaned credentials &lt;a href="http://www.fips201solutions.com/2008/04/who-will-take-care-of-orphans.html"&gt;here&lt;/a&gt;.  To summarize the post:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Orphaned Credentials are those that are still active AFTER an identity (person) is no longer affiliated with the agency.&lt;/li&gt;&lt;li&gt;Unless we continue to modernize our identity management capability, we, as a community, will have many FIPS 201 Orphaned Credentials.&lt;/li&gt;&lt;li&gt;The root cause is that our identity management processes are NOT FUSED to our credential management processes.&lt;/li&gt;&lt;/ol&gt;As usual, Bill, we agree.   To follow Bill's advice, we offer agencies the following recommendations:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Consider the termination process in the bigger picture of the offboarding processes.  Ask your HR, IT Service Desk, Physical Security, and Information Security staff what they do when someone leaves.   Terminating a FIPS 201 smart card is a single thread of many threads that all happen manually today to offboard an identity.  
As an example, you might find that the IT service desk reclaims corporate-issued laptops and BlackBerries, and reclaims copies of limited-use software (e.g. Visio).   This is one of many examples I could give, but you can see that automating as many of the offboarding threads as possible will drive a better ROI and also allows you to avoid the cost of figuring out how to integrate the PIV termination thread with your other offboarding threads at a later date.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;To get good identity termination processes, we should start with good onboarding processes.   Consider this.  A contractor is sponsored for a FIPS 201 credential.  Who sponsored him?  Is that same person held accountable for notifying the proper persons when the contractor separates?  Was and is the sponsor intimate enough with why the contractor is there to determine if the contractor has now left?  You see, a good onboarding process will have a rich workflow which tracks who approved the credential and holds this person/people accountable for triggering the separation processes (which in turn trigger the PIV termination thread).  Cream of the crop onboarding workflows will avoid orphaned identities--identities that no longer have sponsors that are accountable for triggering the separation processes.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Consider events other than separation for termination.  For example, conversion from a contractor to an employee.  This conversion process will include the termination process as well as a process for creating a new credential.  Lost, damaged, or stolen cards also trigger the termination process.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Consider your reporting requirements.  Every year the IG comes into your agency and asks for a list of people who left, and then they determine if the accounts were terminated or not.  
By properly automating your onboarding/offboarding processes, you will be collecting this very data and you will be able to prepare this report for the IG in real time.  This is a giant leap in Compliance Automation, and it will save the agency time and money each and every year.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;We will refer to Bill's other recommendations in future posts.  For those that don't have a copy of his PPT, here is a &lt;a href="http://www.litmuslogic.com/blog/PPT_MacGregor.pdf"&gt;link&lt;/a&gt; for your convenience.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/6188726152362520232'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/6188726152362520232'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/2008/04/bill-at-nist-recommends-piv-termination.html' title='Bill at NIST recommends PIV termination process'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_wmjKk_TmPdw/SAucux56vbI/AAAAAAAAAD8/EGO3ntHuFXw/s72-c/bill-greenlights.bmp' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-5968278449281994858</id><published>2008-04-07T09:43:00.000-07:00</published><updated>2008-04-20T12:16:22.777-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='revocation'/><category scheme='http://www.blogger.com/atom/ns#' 
term='orphaned cards'/><category scheme='http://www.blogger.com/atom/ns#' term='orphaned credentials'/><category scheme='http://www.blogger.com/atom/ns#' term='identity management'/><title type='text'>Who will take care of the orphans?</title><content type='html'>&lt;span style="color: rgb(0, 0, 0);"&gt;If physical security isn't informed when a person leaves an agency, then what are the chances that their FIPS 201 smart card will be revoked?  You are right, the chances are not good.  We call these cards &lt;/span&gt;&lt;a style="color: rgb(0, 0, 0);" href="http://2.bp.blogspot.com/_wmjKk_TmPdw/SAt5Nh56vZI/AAAAAAAAADs/mt3IUzQQ3TY/s1600-h/orphan.bmp"&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;&lt;img id="BLOGGER_PHOTO_ID_5191376268821183890" style="margin: 0px 0px 10px 10px; float: right; width: 178px; height: 213px;" alt="" src="http://2.bp.blogspot.com/_wmjKk_TmPdw/SAt5Nh56vZI/AAAAAAAAADs/mt3IUzQQ3TY/s320/orphan.bmp" border="0" height="272" width="155" /&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;"orphaned credentials."  The credential is still operational but doesn't belong to a valid identity within the enterprise.  The credential has, in fact, lost its parent.&lt;br /&gt;&lt;br /&gt;As things stand today, we, as a community, will have many FIPS 201 Orphans.   HSPD-12, FIPS 201, and the Federal Common Policy are brilliant.  
But if we stop now, we stop short in modernizing identity management.&lt;br /&gt;&lt;br /&gt;One of the key concepts that we (Litmus, NASA, EDS) present in our IDM Reference Architecture is the need to FUSE identity management and credential management processes.  This fusion ensures that valid cards will never become orphans.&lt;br /&gt;&lt;br /&gt;Here is a concept diagram which explains the "ideal" case.&lt;/span&gt;&lt;a style="color: rgb(0, 0, 0);" href="http://2.bp.blogspot.com/_wmjKk_TmPdw/SAt68h56vaI/AAAAAAAAAD0/Ptgu7Z7bOzw/s1600-h/im-cm-fusion.JPG"&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;&lt;img id="BLOGGER_PHOTO_ID_5191378175786663330" style="margin: 0px 10px 10px 0px; float: left;" alt="" src="http://2.bp.blogspot.com/_wmjKk_TmPdw/SAt68h56vaI/AAAAAAAAAD0/Ptgu7Z7bOzw/s320/im-cm-fusion.JPG" border="0" /&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;The outer arrow represents the identity management processes. These processes are responsible for managing identities through their lifecycle, to include identity onboarding and offboarding, and identity changes (e.g. 
change of legal name, roles, positions, duties, clearances, ...).&lt;br /&gt;&lt;br /&gt;In the ideal case, Identity Management processes will trigger Credential Management processes (inner arrow) because the two capabilities are FUSED.&lt;br /&gt;&lt;br /&gt;Wouldn't it be great if, for each person (identity) that separates from an agency, the identity management processes automatically and reliably triggered the credentialing processes and the credential was terminated within minutes?&lt;br /&gt;&lt;br /&gt;Yes.   This is possible and necessary to make our FIPS 201 smart cards "fit for use."&lt;br /&gt;&lt;br /&gt;If you aren't sure if orphaned credentials will be a challenge at your agency, ask your physical security department or your IT service desk. Ask them how they find out when a person leaves the agency.  You will be shocked by the number of manual tasks they remember to do &lt;strong&gt;and&lt;/strong&gt; &lt;strong&gt;only&lt;/strong&gt; if they are &lt;strong&gt;notified&lt;/strong&gt; of the separation.  Ask them in sequence for employees, contractors, and then consultants/on-loan staff/temps/interns. 
As you progress your questions through the sequence, the problem will become more and more apparent.&lt;br /&gt;&lt;br /&gt;To prevent orphaned credentials, we, as a community, need to FUSE our identity management processes and credential management processes.  We need to do so in a consistent and rigorous manner across the entire federal enterprise.  We will increase the reliability of our smart cards and make them fit for use, no matter which agency happens to be managing the identity.&lt;/span&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/5968278449281994858'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/5968278449281994858'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/2008/04/who-will-take-care-of-orphans.html' title='Who will take care of the orphans?'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_wmjKk_TmPdw/SAt5Nh56vZI/AAAAAAAAADs/mt3IUzQQ3TY/s72-c/orphan.bmp' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-274291508843152748</id><published>2008-04-01T15:17:00.000-07:00</published><updated>2008-04-01T21:19:22.007-07:00</updated><title type='text'>Clever Ideas at FEAC from Litmus, EDS, and 
NASA</title><content type='html'>For those of you who sent in email over the past two months, you knew that I was heads down at the FEAC Institute (http://www.feacinstitute.org/). Many of you may have already learned that FEAC is the cream of the crop for Enterprise Architecture certifications.&lt;br /&gt;&lt;br /&gt;While I was attending FEAC, I poured every ounce of time and energy I had into it. The results were bigger and better than I could have ever expected.&lt;br /&gt;&lt;br /&gt;At FEAC, Litmus took our identity management expertise and joined up with some great talent from EDS (Paul Kavitz) and NASA (Greg Black) to develop our thesis. Our topic: Leveraging an Identity Management Reference Architecture to get real and consistent results across the entire Federal Enterprise.&lt;br /&gt;&lt;br /&gt;I really enjoy getting a bunch of smart folks together in a forum where innovation is acceptable and expected. The results are always amazing. This time was no exception. Our team produced an 80 page thesis which lays out a well-defined scope and method for modernizing agency identity management capabilities. As it turns out, our "reference architecture" concept also defined (according to our professors) a missing component of the Federal Enterprise Architecture.&lt;br /&gt;&lt;br /&gt;So, enterprise architecture met identity management, and some really clever ideas were spawned. The concept of a "reference architecture" is new in the Enterprise Architecture community. As such, it is ripe with opportunity for people to contribute, improve upon the concept, and apply it to the challenge du jour. 
Our thesis team is putting together a community web site where you can offer up your insights and learn more about reference architectures.&lt;br /&gt;&lt;br /&gt;Stay tuned. When the community web site is available, I will post a link on this blog. The FEAC will be publishing our Identity Management thesis soon as well. I will also post a link for this 80 page document as soon as it is up.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/274291508843152748'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/274291508843152748'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/2008/04/clever-ideas-at-feac-from-litmus-eds.html' title='Clever Ideas at FEAC from Litmus, EDS, and NASA'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-6360496297639065974</id><published>2008-01-29T05:58:00.000-08:00</published><updated>2008-01-29T07:17:05.124-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hspd-12 sso PKI NAC smartcard'/><title type='text'>SSO Lab with NAC and FIPS 201 Cards</title><content type='html'>If you are like me, you would want proof positive that NAC will work with FIPS 201 smart cards. 
In 2007, we set out to prove it to ourselves, so we constructed an Ecosystem lab scenario to demonstrate SSO using two different NAC products, FIPS 201 smart cards, a few network switches and routers, and a directory.&lt;br /&gt;&lt;br /&gt;Here is a video of one of many use cases we demonstrated to ourselves in the Ecosystem Lab.&lt;br /&gt;&lt;br /&gt;&lt;object type="application/x-shockwave-flash" data="http://blip.tv/scripts/flash/showplayer.swf?enablejs=true&amp;file=http%3A//blip.tv/rss/flash/638147&amp;feedurl=http%3A//noconcreterafts.blip.tv/rss/&amp;autostart=false&amp;brandname=noconcreterafts&amp;brandlink=http%3A//noconcreterafts.blip.tv/" width="400" height="255" allowfullscreen="true" id="showplayer"&gt;&lt;param name="movie" value="http://blip.tv/scripts/flash/showplayer.swf?enablejs=true&amp;file=http%3A//blip.tv/rss/flash/638147&amp;feedurl=http%3A//noconcreterafts.blip.tv/rss/&amp;autostart=false&amp;brandname=noconcreterafts&amp;brandlink=http%3A//noconcreterafts.blip.tv/" /&gt;&lt;param name="quality" value="best" /&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Click &lt;a href="http://noconcreterafts.blip.tv/#638147"&gt;here&lt;/a&gt; if you want a bigger picture view of this video.&lt;br /&gt;&lt;br /&gt;The video clearly shows that SSO can work with NAC and FIPS 201 smart cards. Now that you know that it works, the first challenge is to make sure you purchase products that will interoperate as well as the ones in our Ecosystem lab. 
The second, and bigger, challenge is to 1) determine your network authentication policy and 2) make sure you have enough data in your directory infrastructure to implement your policy.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/6360496297639065974'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/6360496297639065974'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/2008/01/test.html' title='SSO Lab with NAC and FIPS 201 Cards'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-5903680482331417712</id><published>2008-01-14T20:19:00.000-08:00</published><updated>2008-01-29T06:02:43.920-08:00</updated><title type='text'>Network Access and Identity Management Converge</title><content type='html'>In 2007 we circulated the concept with the network vendor community that Network Access Management was a critical ingredient in a modern identity management capability. We couldn't understand why network authentication was never spoken of in the same breath as identity management.&lt;br /&gt;&lt;br /&gt;Think about it. Where is the first point of access: a) your domain, b) your applications, or c) your network?&lt;br /&gt;&lt;br /&gt;The right choice is obviously C. 
The network has always been the first point of access, but usually only the first point of authentication for remote access users (e.g. teleworkers). If network access is not authenticated, users or visitors might place their personal laptops on your network, and will automatically be given an IP address. If these "rogue" laptops have malware on them or have not been hardened, they can be used to launch attacks on your applications and data from the soft underbelly of your agency LAN. Network access management solves this problem by forcing users and devices to authenticate to the network FIRST, before anything else can happen.&lt;br /&gt;&lt;br /&gt;We are thrilled that Gartner put network access into their most recent identity and access management report (19 November 2007). If agencies implement network access without considering the wider enterprise identity management capability, there is a huge risk that your agency will not achieve a basic level of single sign on, and in the worst case you might find that your network access products are not interoperable with your HSPD-12 smart cards, leaving you with the choices of 1) replacing your network access investments or 2) turning off or not deploying network access. Neither option is a good one.&lt;br /&gt;&lt;br /&gt;You can avoid this tough decision by planning network access and domain access architectures in tandem. 
In a future post, we will post a screencast of single sign on using your FIPS 201 smart cards.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/5903680482331417712'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/5903680482331417712'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/2008/01/network-access-and-identity-management.html' title='Network Access and Identity Management Converge'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-2705433095946152674</id><published>2008-01-10T17:03:00.000-08:00</published><updated>2008-01-16T04:45:13.057-08:00</updated><title type='text'>Obtaining Funding - Example Line of Sight</title><content type='html'>One of the identity management technologies within a modern identity management capability is an enterprise provisioning tool. If you don't have one today, or the ones you currently have are in silos dispersed throughout pockets of your agency, you may need to obtain funding to purchase an enterprise provisioning tool.&lt;br /&gt;&lt;br /&gt;The discipline of Enterprise Architecture offers some great models that will help you obtain your funding. Because I am so results oriented, one of my personal favorite EA models is the "line of sight" diagram. 
These diagrams clearly communicate how investing in something down in the weeds can deliver real business results.&lt;br /&gt;&lt;br /&gt;I had a conversation with Mike Tiemann at the FEAC Institute last week. As many of you know, Mike is a (if not "the") leading expert in Enterprise Architecture for Federal Agencies. According to Mike, "Line of Sight is a powerful way to get business and mission owners to see and understand the value of technologies." So, to use the right tool for the job, you may want to include a line of sight diagram in your business case.&lt;br /&gt;&lt;br /&gt;If you are not sure what a "line of sight" diagram looks like, here is an example that I put together for an enterprise provisioning tool.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_wmjKk_TmPdw/R4bCkqBRJ5I/AAAAAAAAAC8/-89id_ROghw/s1600-h/lineofsight.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5154020758582798226" style="CURSOR: hand" alt="" src="http://4.bp.blogspot.com/_wmjKk_TmPdw/R4bCkqBRJ5I/AAAAAAAAAC8/-89id_ROghw/s400/lineofsight.JPG" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The details don't quite fit in the blog space. If you would like the Visio template or would like to use this diagram as a starting point, just shoot us an email at &lt;a href="mailto:noconcreterafts@litmuslogic.com"&gt;noconcreterafts@litmuslogic.com&lt;/a&gt; from your .gov email address.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/2705433095946152674'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/2705433095946152674'/><link rel='alternate' type='text/html' 
href='http://shared-risk.blogspot.com/2008/01/obtaining-funding-example-line-of-sight.html' title='Obtaining Funding - Example Line of Sight'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_wmjKk_TmPdw/R4bCkqBRJ5I/AAAAAAAAAC8/-89id_ROghw/s72-c/lineofsight.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-3754286928078540557</id><published>2008-01-06T14:05:00.000-08:00</published><updated>2008-01-15T05:56:18.909-08:00</updated><title type='text'>Certified Concrete Rafts - Don't let HSPD-12 become one at your agency</title><content type='html'>One of my favorite sayings is "You can certify a concrete raft, but would it float?" I picked this saying up some time ago when ISO 9000 was the big thing. Certifications are great, but they often don't tell us that we will get real results.&lt;br /&gt;&lt;br /&gt;The saying is equally applicable to HSPD-12 today. Your agency is being measured by OMB based on the number of cards deployed. Your HSPD-12 system, whether turnkey or through GSA's managed service, is C&amp;amp;A'd, which means it is also certified.&lt;br /&gt;&lt;br /&gt;So, your progress is certified by OMB and your system is certified by security, but are you getting real results from your identity management capability?&lt;br /&gt;&lt;br /&gt;I am going to pick on one of many identity-related metrics to think about: the time it takes to revoke a contractor's smart card after they leave the service of your agency. 
Is it 1 minute, 1 day, 1 month, 1 year, or rarely?&lt;br /&gt;&lt;br /&gt;I don't have actual numbers to back this up, but my SWAG is that agencies probably hit 1 day 5% of the time and 95% of the time it is closer to 1 year. Imagine the press if a terrorist were to obtain a super secure smart card that wasn't revoked and then used it to gain remote access to your agency, or even worse, used it to gain access to another agency that trusts your credentials.&lt;br /&gt;&lt;br /&gt;Don't get me wrong. FIPS 201 smart cards are brilliant and are the biggest success story since the Internet. But if we stop short on our identity management capabilities now, then we can claim that 1) we deployed smart cards enterprise wide and 2) we invented the first open standards smart card. This is okay. But, what we can't claim is that 3) we heightened government security, significantly cut operating costs, and increased customer satisfaction.&lt;br /&gt;&lt;br /&gt;What a powerful thing to say. Only clever ideas could satisfy such divergent goals simultaneously.&lt;br /&gt;&lt;br /&gt;If you are like me, you would rather be known for #3. To get to #3, we must be persistent and carry on with modernizing our identity management capabilities. This won't be easy work. There are a lot of processes to tune, systems to link together, and data to cleanse. It can be done and it is worth doing well. 
If we stop short, we won't achieve real results, and HSPD-12 becomes a concrete raft.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/3754286928078540557'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/3754286928078540557'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/2008/01/certified-concrete-rafts-dont-let-hspd.html' title='Certified Concrete Rafts - Don&apos;t let HSPD-12 become one at your agency'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-9199043948210645085.post-7255714132072592348</id><published>2008-01-01T13:35:00.000-08:00</published><updated>2008-01-10T15:05:08.211-08:00</updated><title type='text'>How will you use your HSPD-12 Smart Card?</title><content type='html'>Did you see the IG response to DHS's HSPD-12 progress? It wasn't too pleasant. 
Not only did they get hammered for not implementing in a timely fashion, they also did NOT have a plan for using the card.&lt;br /&gt;&lt;br /&gt;Let's face it, without a usage plan, the smart card will be one expensive flash pass!!&lt;br /&gt;&lt;br /&gt;What is in your usage plan?</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/7255714132072592348'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9199043948210645085/posts/default/7255714132072592348'/><link rel='alternate' type='text/html' href='http://shared-risk.blogspot.com/2007/12/how-will-you-use-your-hspd-12-smart.html' title='How will you use your HSPD-12 Smart Card?'/><author><name>James Ryan</name><uri>http://www.blogger.com/profile/09688504013168516863</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
