
and

NERCOMP SIG

November 2008

1 Traditional Middleware Drivers

• Services that enable secure access to networks, services, and applications
  • Identification
  • Directories
  • Audit
• Leveraging enterprise identity and access to enable processes

2 Security or Middleware?

• How do campuses securely provide access to these applications?
  • Identity and Access Management systems
• How do we detect abuse of these applications?
  • Audit
  • Log correlation and data orchestration
• Why is this our problem?
  • Aren’t you the Information Security Officer?
  • Who gets the phone call when data leaks?

3 The changing security landscape

• In security we have a continually changing landscape
  • Network worms aren’t very interesting any more
  • We can detect and shut off a port scanner in minutes
• Vendor patches have solved many of our problems
  • Sometimes very slowly
• Application vulnerabilities abound
  • Cataloging which applications we own and/or operate is a daunting task
  • Securing these applications is more daunting

4 Current environment

• We have traditionally focused our security efforts on systems
  • Managed or unmanaged
• The current and emerging threat environment shifts some of our focus to data and privilege
  • Web-based application assessment
  • Cross-site scripting, SQL injection
  • Data leakage and extrusion prevention
  • The is in the data, not just the systems
  • Who manages the assignment of privilege?

5 Current threat environment

• I won’t claim that we have solved all of our systems security problems
  • Otherwise known as job preservation
• However, the environment has changed. The focus should be on the behavior that we don’t understand or manage as well
  • Everyone wants their own application
  • Those who operate these applications frequently do not have a strong security background
  • Assignment of privilege is decentralized and often poorly managed

6 Middleware Policy space

• “A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials”

• Trust Fabrics
  • “Federations provide a trust fabric on which Identity Management can be leveraged.”

Both from: http://www.aamc.org/members/gir/campmed06/ribbeck.pdf

7 How do security and middleware intersect?

• We’ve built strong defenses against those outside our
  • And those we don’t trust inside our organization (ResNet, certain departments)
• Data leakage occurs from inside as often as outside
  • Faculty posting FERPA-protected data on public
  • Staff posting financial data publicly
• Understanding how privilege is granted and managed is to defending these data and information services

8 Where do security staff see concerns?

• SQL injection attacks aside, who provisions access to your critical applications?
  • How secure are those provisioning applications?
  • Can you locate and parse the logs and audit trails?
• All these applications and authentication services generate a lot of logs
  • Can you correlate across these disparate application and authentication logs?
  • Can you further correlate these applications against network-centric data sources?

9 What concerns me about middleware?

• Federations
  • Seem to be fairly unstoppable
  • And I argue to strongly support them on my campus
  • But it means my base no longer includes only individuals that are directly affiliated with my campus
    • For web applications
    • For network access
  • How do I identify a user from a remote institution?
    • Especially in a privacy-preserving environment like Shibboleth
  • How do I handle an incident when the offending user belongs to another campus?
    • And I may not even know their username
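
The federated-incident problem on this slide has a concrete shape: the service provider never sees the remote user's username, only an opaque persistent identifier plus the entityID of the asserting IdP, and the only party that can resolve that identifier is the home campus. The following is an added example, not code from the slides or from the Shibboleth project. It assumes an SP session log in a made-up format that records the IdP entityID and the persistent NameID (eduPersonTargetedID), a constructed SAML 2.0 federation metadata fragment with ContactPerson elements, and the convention that a dedicated security contact, when published, is typed "other" with the technical contact as fallback; all of those are this example's assumptions.

```python
"""Added example (not from the NERCOMP slides): handing an incident off to a
remote campus when the SP holds only a pseudonymous federated identifier.

Assumed (illustrative, not from the original): the SP session log records the
asserting IdP's entityID and the persistent NameID / eduPersonTargetedID;
federation metadata is SAML 2.0 with ContactPerson elements; a dedicated
security contact, if published, is typed "other", technical is the fallback.
"""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed federation metadata: two IdPs, only the first publishes a security contact.
FEDERATION_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example-college.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:idp-admin@example-college.edu</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="other">
      <md:EmailAddress>mailto:security@example-college.edu</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other-univ.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:idp-admin@other-univ.edu</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed SP session-log lines (this example's own format, not Shibboleth's).
SP_SESSION_LOG = """\
2008-11-13T09:14:02Z session=7f3a remote=192.0.2.44 idp=https://idp.example-college.edu/idp/shibboleth nameid=Q3mZ0Yv9kq8JtH4A affiliation=member
2008-11-13T09:20:11Z session=7f3b remote=198.51.100.7 idp=https://idp.other-univ.edu/idp/shibboleth nameid=bXc2L9pqRt01vN affiliation=student
2008-11-13T09:21:45Z session=7f3c remote=203.0.113.9 idp=https://idp.not-in-federation.edu/idp/shibboleth nameid=zzzz affiliation=member
"""


def parse_session_log(text):
    """Index SP session records by session id."""
    sessions = {}
    for line in text.splitlines():
        ts, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)
        rec["ts"] = ts
        sessions[rec["session"]] = rec
    return sessions


def idp_contacts(metadata_xml, entity_id):
    """Return {contactType: email} for one IdP, or None if it is not in the federation."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(MD + "EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return {
                cp.get("contactType"): cp.findtext(MD + "EmailAddress", "").replace("mailto:", "", 1)
                for cp in ed.findall(MD + "ContactPerson")
            }
    return None


def build_handoff(session, metadata_xml):
    """Assemble what the SP can legitimately send to the home campus.

    The persistent identifier is opaque to the SP by design; only the IdP that
    issued it can map it back to a person, so the report carries no username.
    """
    contacts = idp_contacts(metadata_xml, session["idp"])
    if contacts is None:
        return None  # not a federation member: no trusted contact path exists
    return {
        "to": contacts.get("other") or contacts.get("technical"),
        "idp": session["idp"],
        "persistent_id": session["nameid"],
        "observed_at": session["ts"],
        "source_ip": session["remote"],
        "affiliation": session.get("affiliation"),
        "local_username": None,
    }


if __name__ == "__main__":
    for sid, sess in parse_session_log(SP_SESSION_LOG).items():
        print(sid, build_handoff(sess, FEDERATION_METADATA))
```

The report deliberately contains only the identifier, timestamp, source address and asserting IdP; the SP cannot and should not guess at the person. The third session shows the real failure mode: an IdP that is not in the federation metadata has no contact path the SP can trust, so that case is returned as unresolvable rather than guessed at.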

10 What I like about middleware

• Integrating incident response workflow with institutional IdM
  • Leveraging campus directory services to provide more timely and accurate incident notification
  • Integrating incident response in the campus workflow applications (Remedy, RT)
• Federations
  • Policy-based management of privilege for intra- and inter-institutional applications and resources
  • Privileges may no longer be provisioned by the grad student in the chemistry department who hasn’t worked here in 5 years
  • But there remains a lot of work to get here
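
Slide 8 asks whether you can correlate application logs against authentication logs and then against network-centric data, and this slide asks for directory-driven incident notification; those are one pipeline, so one added example serves both. It is not code from the slides or from any product: the three log formats, the 30-minute attribution window and the directory entries are constructed for illustration.

```python
"""Added example (not from the NERCOMP slides): attributing an application event
to a person by joining the application log, the SSO authentication log, the
DHCP lease log and the campus directory, then producing the notification record.

Everything below is constructed for illustration: the log formats, the
30-minute attribution window and the directory entries are this example's
assumptions, not any campus's actual data.
"""
from datetime import datetime, timedelta

SSO_LOG = """\
2008-11-13T09:10:05Z sso user=jdoe ip=10.1.2.3 result=success
2008-11-13T09:11:40Z sso user=asmith ip=10.1.2.3 result=failure
2008-11-13T09:55:00Z sso user=asmith ip=10.1.2.9 result=success
"""
APP_LOG = """\
2008-11-13T09:14:22Z gradebook ip=10.1.2.3 action=export_all rows=4200
2008-11-13T11:30:00Z gradebook ip=10.1.2.3 action=export_all rows=4200
"""
DHCP_LOG = """\
2008-11-13T08:58:00Z dhcp ip=10.1.2.3 mac=00:11:22:33:44:55 host=lib-kiosk-07 lease=3600
"""
DIRECTORY = {  # what an LDAP lookup on uid would return (constructed)
    "jdoe": {"mail": "jdoe@campus.example.edu", "ou": "Registrar"},
    "asmith": {"mail": "asmith@campus.example.edu", "ou": "Chemistry"},
}


def parse_log(text):
    """Turn 'timestamp source k=v ...' lines into dicts with a datetime ts."""
    events = []
    for line in text.splitlines():
        ts, source, *kvs = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
        rec.update(kv.split("=", 1) for kv in kvs)
        events.append(rec)
    return events


def attribute_event(app_event, sso_events, dhcp_events, directory,
                    window=timedelta(minutes=30)):
    """Join one application event to a login, a lease and a directory entry.

    Attribution requires a *successful* SSO login from the same IP no earlier
    than `window` before the event; a failed login or a stale one does not
    count. The DHCP join is independent, so a host may be named when no user is.
    """
    ip, when = app_event["ip"], app_event["ts"]
    result = {"ts": when.isoformat(), "ip": ip, "action": app_event["action"],
              "attributed": False}
    lease = next((d for d in dhcp_events if d["ip"] == ip
                  and d["ts"] <= when < d["ts"] + timedelta(seconds=int(d["lease"]))), None)
    if lease:
        result.update(host=lease["host"], mac=lease["mac"])
    logins = [e for e in sso_events if e["ip"] == ip and e["result"] == "success"
              and when - window <= e["ts"] <= when]
    if not logins:
        return result
    login = max(logins, key=lambda e: e["ts"])
    entry = directory.get(login["user"], {})
    result.update(attributed=True, user=login["user"], login_at=login["ts"].isoformat(),
                  notify=entry.get("mail"), department=entry.get("ou"))
    return result


def triage(app_text=APP_LOG, sso_text=SSO_LOG, dhcp_text=DHCP_LOG, directory=DIRECTORY):
    """Attribute every application event; the output is what a ticket would carry."""
    sso, dhcp = parse_log(sso_text), parse_log(dhcp_text)
    return [attribute_event(e, sso, dhcp, directory) for e in parse_log(app_text)]


if __name__ == "__main__":
    for record in triage():
        print(record)
```

The first export is attributed to jdoe on the library kiosk with a notification address pulled from the directory, while asmith's failed login from the same address is correctly ignored. The second export, two hours later from the same IP, gets no user and no host, because the lease has expired and no login falls inside the window; on a shared address the honest answer is "unattributed", and widening the window silently trades accuracy for coverage.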

11 What I like about middleware

• Log correlation and data orchestration
  • There are two presentations here today specifically focusing on the value and use cases for managing these data well
  • And deriving actionable knowledge from them
• Audit trails
  • IdM systems provide a better mechanism for enumerating goodness
  • For credential provisioning and privilege management
• Additive to traditional security mechanisms
  • These tools and technologies improve operational security awareness

12 What else can we do with middleware

• Asset identification
  • Knowing what assets you are trying to protect is a precondition to properly securing them
  • Determining ownership and responsible parties facilitates incident response and remediation
  • Integrating asset identification with campus identity management lifecycles ensures continuity of responsibility
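
"Continuity of responsibility" is checkable: when the identity lifecycle deprovisions a person, every asset that still names them as the responsible party should surface. The following is an added example, not code from the slides or from any campus system. The inventory rows, the directory snapshot with an active flag and a deprovisioning date, and the escalation rules (promote an active backup owner, otherwise escalate to the former owner's department, otherwise to the security office) are all this example's assumptions.

```python
"""Added example (not from the NERCOMP slides): reconciling an asset inventory
against the identity lifecycle so that every system keeps a responsible party
who is still an active identity.

Constructed for illustration: the inventory rows, the directory snapshot with
an 'active' flag and deprovisioning date, and the escalation rules are this
example's assumptions, not any campus's actual process.
"""
from datetime import date

ASSETS = [
    {"hostname": "chem-db-01", "ip": "10.3.0.11", "owner": "grad42", "backup_owner": "chemit"},
    {"hostname": "reg-app-02", "ip": "10.1.0.22", "owner": "jdoe", "backup_owner": None},
    {"hostname": "lib-web-03", "ip": "10.2.0.33", "owner": "xleft", "backup_owner": None},
]

DIRECTORY = {
    "grad42": {"active": False, "deprovisioned": date(2003, 6, 30), "ou": "Chemistry"},
    "chemit": {"active": True, "deprovisioned": None, "ou": "Chemistry"},
    "jdoe": {"active": True, "deprovisioned": None, "ou": "Registrar"},
    # "xleft" has been purged from the directory entirely
}


def is_active(uid, directory):
    """True only for an identity the directory still knows and still marks active."""
    entry = directory.get(uid)
    return bool(entry and entry["active"])


def reconcile(assets, directory, today):
    """Return one finding per asset whose responsible party is not an active identity.

    Rules: an active backup owner is promoted; otherwise the asset is escalated
    to the former owner's department if the directory still remembers it, and
    to the security office if it does not.
    """
    findings = []
    for asset in assets:
        if is_active(asset["owner"], directory):
            continue
        entry = directory.get(asset["owner"])
        finding = {"hostname": asset["hostname"], "ip": asset["ip"],
                   "former_owner": asset["owner"]}
        if entry and entry["deprovisioned"]:
            finding["orphaned_days"] = (today - entry["deprovisioned"]).days
        if is_active(asset["backup_owner"], directory):
            finding["action"] = "reassign_to:" + asset["backup_owner"]
        elif entry:
            finding["action"] = "escalate_to_department:" + entry["ou"]
        else:
            finding["action"] = "escalate_to_security_office"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in reconcile(ASSETS, DIRECTORY, date(2008, 11, 13)):
        print(finding)
```

Run against the constructed data, the chemistry database whose owner left five years ago is handed to its active backup owner, the registrar's application is untouched, and the web server whose owner has been purged from the directory altogether is the hardest case, since nobody is left to ask; that is the one to escalate before an incident forces the question.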

13 Themes and conclusions

• Security and Middleware staff need to be engaged with IdM design and implementations
  • Working with them now may both prevent bad things and even facilitate good things
  • We are probably trying to solve some of the same problems
• Educating your user community about realigned middleware drivers is in our collective interest
  • Preventing data leakage from poorly managed applications and

14 Themes and conclusions

• Federations need to be understood in the context of operational security needs
  • How aware are security staff of current federation activities on your campus?
  • Embracing these technologies may improve our overall security posture
• Identity Management is a complementary technology to our security toolkits
  • Integrating business processes with security requirements
  • Authentication and authorization are a necessary, but not sufficient, condition for secure applications

15 Themes and conclusions

• Audit and log correlation will allow us to maintain situational awareness
  • In our increasingly complex environments
  • Additional abstraction layers are rendering many traditional detective techniques less effective
  • Orchestrating logs across systems provides visibility that many of us don’t currently have
• Privilege management
  • Assignment of authorizations places more of our data at risk of disclosure
  • A next step in incident handling

16 Themes and conclusions

• Some institutions have organized information security and identity management under a single management structure
  • Though this is limited in scope currently, this may be an emerging theme
• Business continuity is going to be dependent upon robust IdM
• Infosec and IdM are intrinsically intertwined
  • When the occurs, whether the vector was an IdM failure or an Infosec failure is irrelevant.

17 Questions?
