RSA Conference in San Francisco is an annual event where the best of the security product vendors and industry experts convene to share and exhibit their security offerings. Participating in this conference last week (25-Feb to 28-Feb) along with the leaders and visionaries in IT security was an enlightening experience. It not only showcased some of the best products available today in the security industry, but also highlighted some of the upcoming trends in security technology.
The war between the hackers and protectors is a never-ending one, with each party trying to stay one step ahead of the other. As a security professional, you need to be prepared to tackle the next move that the opponent would make. And this preparedness depends on two very critical aspects:
Cyber criminals are coming up with increasingly sophisticated ways and means to dupe cyber users in scams, siphon money from their online accounts or harass them.
I wrote about Privileged Identity Management in my previous blog. TM Forum’s TMF-615 technical specification provides a reference point for management and provisioning of Telecom OSS Operator User identities. A typical service provider environment consists of multi-vendor networks that are often managed using multiple proprietary element management systems. Compare this with typical enterprise systems which, though multi-vendor, still consist of a small, fixed set of device “types”.
Much of your enterprise’s sensitive data is kept on secure servers. You provide additional protection mechanisms to these servers so that people who do not need to work with this data do not get access to it. Beyond this sensitive data, all of your production infrastructure – the application/web servers, storage, databases – is managed with strict access control processes.
Digital identities go a long way beyond people. Traditionally, you have been dealing with identities of people. So, when you wanted to access your mail, you used your user ID and password. When you had to do something more sensitive in nature – say, accessing your bank account – you used a second factor of authentication such as a hardware or software token. This is an example of people interacting with applications.
Managing digital identities of people may be seen as a common task. But if you are running an enterprise that caters to a number of customers, you will have realized that digital identities have different contexts. And the activities of these identities are controlled depending upon the context.
What does the word identity mean to you? Again, the meanings may differ depending upon the context. I am talking about a digital identity.
Identity identifies an object or an entity. It could be anything – a person, a device, a computer, an application, an organization, a service, a product. And we associate certain attributes with any entity. “The size of the shirt is Large”, “a tall cappuccino”, “Vehicle Identification Number xxxx” – you are familiar with some of these dialogues.
A lot has been written about Cloud and the security for, from and within the cloud! But when it comes to adapting your business to the cloud, what care should you take? What you typically kept on your premises, under your control, is now going out to someone. And there are many of these “someone”s who claim to serve your best interests if you use their cloud services.
But first and foremost, you need to identify the boundaries. US NIST has defined three Cloud Service Models. These models help you in determining the boundaries of responsibilities.
Over the last decade, Service Oriented Architecture has matured in terms of enterprise-wide service availability. It has enabled automation of business processes. Look at any of the SOA products available in the market today – they will have a large number of application components that work very closely with each other and need to be deployed with care when it comes to integration with other solutions in your software stack. But when it comes to securing these applications and services, there are certain question marks.