Thursday, February 25, 2010

Virtualization divides Security & IT folks - market immature

This article summarizes the challenges in today's IT environments - one-third believe virtualization and cloud computing make security "harder," while one-third said it was "more or less the same," and the remainder said it was "easier."

This kind of spread between answers clearly underlines how immature the virtualization & cloud security market is - it is very, very nascent.  In mature markets, terminologies or concepts, we get one answer, or an answer close to the correct one.  But here there is a wide spread of interpretations of terminology, concepts and solutions too.  For the common IT person, my suggestion would be to go slow and understand the fundamentals.  Ignoring it is not an option, as catching up later will be almost impossible.

Virtualization security

In the report titled "Cisco gaining mind share in security", there is an interesting paragraph on Virtualization:

The survey consisted of 259 information security professionals.

All but 2% of the Fortune 100 participants said they had virtualization "in use" in their organizations or had plans to use it, with 33% expecting virtualization to impact their security procurements. Check Point was cited most frequently as a vendor they chose to solve security concerns at this stage, the InfoPro report states. Among midsize enterprises, 41% said they were "very concerned" or "extremely concerned" about security in a virtual environment due to concerns about the complexity of it introducing a higher level of security risk.

In a question about cloud computing, the survey found about 35% of Fortune 1000 companies said they were already using cloud-computing services, with 25% planning to use them in the next two years. 

Technology behind Vancouver Winter Olympics 2010

Fascinating slide show with details on technology behind Vancouver Olympics - http://www.networkworld.com/slideshows/2010/021010-olympics-technology.html

A fully IP-converged network running on optical fiber (Avaya gear); the back end is based on Sun server and storage hardware; attendee accreditation runs on the Windows platform; Windows Mobile based Samsung smartphones; a Cisco medianet engine for video (streaming, editing); and NBC is using Microsoft Silverlight for Internet streaming.

Tuesday, February 9, 2010

OpenID and Credit Cards

Let's take a quick look at how Credit Cards (CCs) work - they are primarily provided by Visa, MasterCard, Discover, AmEx, etc., and issued via various banks.  When someone swipes a CC at a merchant location, the information is sent to an authorized payment gateway, which in turn talks to the network (Visa, MasterCard, etc.) the card belongs to for authorization.  Today, the security weak points are the merchant locations and the payment gateways.  Security issues include loss of CC data, loss of privacy information, identity fraud and so on.

If we apply the CC analogy to the OpenID distributed authentication model, then we may have some security issues similar to those around CC data, and potentially many more.  If we assume that we are going to get there, what kinds of laws and protection mechanisms need to be in place to make this a success?

Monday, February 8, 2010

OpenID, a disturbed authentication

You can read about OpenID and how it works here

Though OpenID is marketed and used as a distributed authentication system, there are very few players, and these are the big ones - AOL, Google, Yahoo, Facebook, etc.  There is one thing common among them - they are all portals relying on advertising revenue as their business model.  That business model relies on getting as much information about the user as possible.

Let's check this scenario out:
A corp relies on an OpenID provider to authenticate users.  So, when a user tries to access an application, the application checks whether the user is authenticated and, if not, he/she is redirected to the OpenID provider for authentication.  Once the OpenID provider performs the login ceremony and successfully authenticates the user, the user is redirected back to the application for access.  Similarly, when the user logs off, the OpenID provider is notified.
Here the OpenID provider is keeping track of user login/logoff events - time stamps, application access, location of access, roles of users for various applications, changes in the user population on the corp side and so on.  This kind of information is a gold mine for providers relying on ad revenue.  The provider is also able to track user movement among corporations, as well as a corporation's user and application movement.  Role management is also an issue - how are policies applied to users and applications, and where are they applied - on the OpenID provider or on the corporate side?  Both of these methods have an impact - if it is on the corp side, it will be a performance impact, but if it is on the OpenID provider side, then we have an information disclosure issue.
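To make the information-disclosure point concrete, here is an added Python sketch (not from this post, nor from any OpenID library) of what the provider can record from the OpenID 2.0 redirect alone, before any password is typed. The hostnames, user ids, addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlencode, urlparse, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"

def build_checkid_setup(op_endpoint, claimed_id, return_to, realm):
    """RP (corp application) side: the checkid_setup redirect sent to the OP.
    return_to is where the assertion goes back; realm identifies the RP."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)

def provider_observes(redirect_url, client_ip, timestamp):
    """OP side: the event record available from one request's query string."""
    q = parse_qs(urlparse(redirect_url).query)
    app = urlparse(q["openid.return_to"][0])
    return {
        "user": q["openid.claimed_id"][0],
        "realm": q["openid.realm"][0],   # which corporation
        "path": app.path,                # which application inside it
        "client_ip": client_ip,          # coarse location of access
        "time": timestamp,
    }

def population_by_realm(events):
    """Cross-corporation view only the OP has: which users touch which corp."""
    seen = defaultdict(set)
    for e in events:
        seen[e["realm"]].add(e["user"])
    return {realm: sorted(users) for realm, users in seen.items()}

def sample_events():
    """Constructed traffic: two users, two corporations, one shared OP."""
    op, ids = "https://op.example.test/auth", "https://op.example.test/id/"
    reqs = [  # (user, return_to, realm, client_ip, time)
        ("alice", "https://a.test/payroll/login", "https://a.test/", "203.0.113.7", "2010-02-08T09:00Z"),
        ("bob", "https://a.test/crm/cb", "https://a.test/", "203.0.113.9", "2010-02-08T09:05Z"),
        ("alice", "https://b.test/hr/cb", "https://b.test/", "198.51.100.4", "2010-02-08T17:30Z"),
    ]
    return [provider_observes(build_checkid_setup(op, ids + u, rt, realm), ip, t)
            for u, rt, realm, ip, t in reqs]

if __name__ == "__main__":
    for realm, users in population_by_realm(sample_events()).items():
        print(realm, users)
```

Running it prints, per corporation realm, the users the provider has seen there, which is exactly the user-population and cross-corporation movement data the post is worried about.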

It would be good to understand what corporations are thinking about using OpenID.