I've spent some time over the last many months looking at NAC (amongst other things), and think there is a long way to go. The standards are still evolving, vendors are still jockeying for position if not acquisition for the smaller players, and folks trying to implement NAC are still riding through various peaks and troughs of success and disillusionment.
But this post is not about those things… this is about where I think NAC needs to and will evolve over the next few years… and I’ll say that if I am wrong, or missing things, let me know – I am watching lots of news and analysis go by through the tubes, but the evolution seems to be moving slowly.
So, here are some key areas I think we need to focus on:
- Standardized NAC infrastructure: With the work of the TCG's TNC working group, HP believes that standards for NAC infrastructure will help meet customer needs for interoperability between NAC level products. For example, Microsoft's recent NAP alignment with TNC will have a significant impact on creating a common NAC framework. HP will continue to work with vendors and standards bodies to deliver a standardized NAC infrastructure. Further, the increased use of interoperability testing will ensure that the infrastructures will provide for easier deployments.
- Device Identities:
- Standardized NAC integrations:
- Behavior based NAC:
- Virtualization and Hypervisor evolutions:
see post for more details on the list, and to see if I am a little crazy...
Posted by Archie Reed on Thursday, April 03, 2008 at 8:14:00 PM
Like many of you I'll be racing around the RSA security conference next week... I'll be at the HP stand a bit, ready to talk about NAC, IAM, security in general, and international beer tasting.
HP has a large presence, and you should take a look at the following list to see if there is something you want to talk to HP about:
1. HP-UX 11iv3 Data Protection
HP-UX 11iv3 provides embedded data encryption capability to utilize existing applications and storage devices for the protection of sensitive data at-rest, with enterprise key management and key protection. Prototype integration with HP StorageWorks Secure Key Manager
2. Secure Print Advantage (SPA)
Secure end-to-end printing solution for the enterprise. There will also be slides on other IPG secure printing solutions.
3. HP Compliance Log Warehouse
HP Compliance Log Warehouse solution is an integrated, enterprise-class appliance that provides collection, retention, and analysis of event log data for security, industry and government regulation compliance, and IT systems governance.
4. HP Storage Security
For data-at-rest, HP Secure Key Manager and MDS9000 SME deliver the right encryption keys to the right person at the right time! Secure and high availability key management for enterprise data privacy. It integrates with HP’s Compliance Log Warehouse to bring key event data into the Compliance Log Warehouse.
5. HP NetTop and Trusted Infrastructure
Protect your cross domain solution, from the client to the server. HP NetTop provides secure virtualization for secret and top secret data. Common Criteria servers and multi-level security services provide information assurance for your computing infrastructure needs.
6. ProCurve ProActive Defense
ProCurve ProActive Defense delivers a trusted network infrastructure that is immune to threats, controllable for appropriate use, and able to protect data and integrity for all users.
7. Application Security Center
Products (AMP, DevInspect, QAInspect, and WebInspect)
8. Information Security Service Management
The three demos on this station are Information Security Service Management, Mission Critical Security Services, and Proactive Compliance Management.
HP is announcing the evolution of ISSM and the transformation approach. This presentation will demonstrate the ISSM Reference Model, the delivery life-cycle, the major phases and milestones for an ISSM transformation project, how security controls align with IT processes, how ISSM addresses compliance and supports standards, and how ISSM is a key component of the HP Service Management Framework (SMF).
Mission Critical Security Services
HP is announcing new Mission Critical Security Services. This presentation will demonstrate how these services focus on continual improvement of the security infrastructure and how they are integrated with a complete set of proactive security and risk management services.
Proactive Compliance Management
This presentation will demonstrate a joint solution with HP Services, HP Compliance Log Warehouse and Symantec Control Compliance suite which automates IT compliance management processes and the assessment of technical and procedural controls.
9. Securing the Data Center
How HP Services addresses end-to-end data center protection, working with Apani:
- End-to-End Data Protection
- Compliance and Data Loss Prevention
- Data Encryption and Key Management
10. HP ProtectTools
Client PC Security ProtectTools suite plus HP NAC demonstration. There will be a demo that focuses on PSG’s HP ProtectTools clients and one that offers an implementation of layered security policy enforcement created by integrating HP thin clients and Consolidated Client Infrastructure (CCI) blade PCs with the HP ProCurve Network Admission Control (NAC) solution. The combination of thin clients and CCI blade PCs provides a very secure, robust, and cost-effective computing solution that can be applied to any network.
11. HP Application Security Center tools
Application Security Center tools demonstrate how they protect against hacking of web applications.
Posted by Archie Reed on Thursday, April 03, 2008 at 8:05:00 PM
A few thoughts (not comprehensive) as you review the NAC capabilities available today, and consider preparing for the changes and additions to NAC requirements going forward:
- Standards
- Choosing one single standard today is a challenge given the core variants - NAP, CNAC and TNC. Add to that the efforts in the IETF, Open Group, and others, and you need a framework that aligns your business needs with your network architecture; make sure the approach you choose can do so.
- As of today (early 08) the standards are not entirely interoperable outside of custom integrations, and therefore choosing the approach that meets a majority of your needs is the key direction to take. Think the 80/20 rule for now.
- Vendor experience and stability
see post for more including deployment planning tips, and look for future posts on more best practices...
Posted by Archie Reed on Tuesday, February 26, 2008 at 4:09:00 PM
NAC solutions today are quite often not overtly complex in their goals or implementations, but might also be considered relatively simplistic in their enforcement capabilities. From our perspective we also see NAC implementations running into trouble by starting with a small set of requirements in mind, and remaining focused on those goals without considering the longer term impact of the deployment on a true security architecture - say a layered security model such as HP's Adaptive Networking Architecture.
Additionally, some of the largest challenges facing NAC today are:
- Legacy or limited endpoint capabilities: While endpoints such as PCs and servers can run agents or respond to remote queries to determine their health, devices such as networked printers, phones, PDAs, game machines, cameras and so forth usually do not have the capacity or standard capability to respond to standard or even alternate NAC challenges such as web access redirection or 802.1X-based authentication. Therefore organizations implementing NAC usually end up using exceptions such as MAC or IP address authentication, or implementing guest VLANs. Since MAC or IP addresses can often be spoofed, it is important to consider carefully the security implications for a NAC deployment, and to place such exceptions on a separate guest VLAN when possible.
- Politics: Like many projects, NAC has the potential to significantly change the way in which people will need to work when using networked resources. Initial implementations can fail if they create overly complex remediation processes, or worse, force a user into a dead end where they are unable to work at all. The commonplace example is a critical deal being lost because some individual could not get on the network to obtain or submit time-sensitive information. Make that person an executive and the example can often become more serious.
Another political issue is bringing together desktop management, network management, help desk, and security teams to work alongside the business to ensure that policies do not conflict.
- Complex integrations: Successfully delivering NAC requires all parties to work well together. Today many vendors provide their own partner integration programs.
- Proprietary solutions: ...
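To make the legacy-endpoint point concrete, here is an added example (not from the original post or any HP product) that reviews constructed switch session records against a MAC-address exception register: it flags exceptions that landed on a trusted VLAN instead of a restricted one, exceptions seen away from their registered port, and one MAC active on several ports at once. Log format, VLAN names, ports and MACs are assumptions.

```python
"""Audit of NAC exception handling for agentless endpoints.

Added example, not from the original post or any HP product: the post notes
that printers, phones, cameras and similar devices end up on MAC-address
exception lists (bypassing 802.1X) and that MAC addresses are easy to spoof,
so such exceptions belong on a separate restricted VLAN.  This script models a
defender-side review of constructed switch session records against an
exception register.  Log format, VLAN names, ports and MACs are assumptions.
"""
from collections import defaultdict

# Constructed exception register: MAC -> (device class, port it is registered on)
EXCEPTIONS = {
    "00:11:22:33:44:01": ("printer", "sw1/0/12"),
    "00:11:22:33:44:02": ("ip-phone", "sw1/0/20"),
}
# VLANs where a MAC-authenticated (i.e. unverified) device is acceptable
RESTRICTED_VLANS = {"guest", "iot-quarantine"}

# Constructed switch session log: timestamp, MAC, port, auth method, VLAN
LOG = """\
2008-04-03T08:00:00 00:11:22:33:44:01 sw1/0/12 mac-auth iot-quarantine
2008-04-03T08:00:05 00:11:22:33:44:02 sw1/0/20 mac-auth corp
2008-04-03T08:01:00 00:11:22:33:44:01 sw2/0/07 mac-auth iot-quarantine
2008-04-03T08:02:00 aa:bb:cc:dd:ee:ff sw1/0/05 dot1x corp
"""


def parse(log):
    """Split the constructed log into session records."""
    records = []
    for line in log.strip().splitlines():
        ts, mac, port, method, vlan = line.split()
        records.append({"ts": ts, "mac": mac.lower(), "port": port,
                        "method": method, "vlan": vlan})
    return records


def audit(records):
    """Return a sorted list of (mac, finding) pairs for MAC-auth sessions."""
    findings = []
    ports_by_mac = defaultdict(set)
    for r in records:
        if r["method"] != "mac-auth":
            continue  # 802.1X sessions presented a real credential; not an exception
        mac = r["mac"]
        if mac not in EXCEPTIONS:
            findings.append((mac, "MAC-auth session for a MAC not in the exception register"))
            continue
        dev_class, registered_port = EXCEPTIONS[mac]
        if r["vlan"] not in RESTRICTED_VLANS:
            # A spoofable exception landed on a trusted VLAN: the post's main warning
            findings.append((mac, f"{dev_class} exception placed on unrestricted VLAN {r['vlan']}"))
        if r["port"] != registered_port:
            findings.append((mac, f"{dev_class} exception seen on {r['port']}, registered on {registered_port}"))
        ports_by_mac[mac].add(r["port"])
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            # One address active on several ports is the usual sign of a cloned MAC
            findings.append((mac, f"MAC active on {len(ports)} ports: possible cloned address"))
    return sorted(findings)


if __name__ == "__main__":
    for mac, finding in audit(parse(LOG)):
        print(mac, finding)
```

The same review can be pointed at an exported RADIUS accounting or switch session table once the five fields are mapped; the point is that MAC exceptions are an inventory to be policed, not a one-time configuration.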
Posted by Archie Reed on Wednesday, December 19, 2007 at 12:55:00 PM
I've been looking at the hype, potential and sometimes disappointment associated with the Network Access Control (NAC) market (and its kin - NAP/CNAC etc).
The needs are relatively obvious in terms of protecting data, protecting resources and validating compliance - HP's Secure Advantage approach to security encapsulates these goals as well - however, the benefits are sometimes hard to quantify.
HP’s approach to NAC is comprehensive in its scope and flexible in its delivery, having evolved from a security model that requires analysis of the business needs, governance models and operational risk management. HP states that NAC cannot be an isolated security solution. NAC is part of a layered security, or Defense in Depth, approach to protecting your organization's information technology assets.
HP looks at NAC as a combination of software, hardware, services and processes designed to protect a network from untrusted or unsecured endpoints while providing clear policy compliance across the corporate network environment. HP Enterprise NAC incorporates:
- Policy Management and Compliance – NAC controls and restricts access to network resources based on certain criteria (e.g. posture/health) and business policies
- Endpoint Protection – NAC solutions include authentication (user and endpoint), endpoint health checks, and/or ongoing monitoring of endpoint health
- Network Security – Complete NAC solutions incorporate appropriate endpoint, edge, core, LAN and WAN controls.
- Remediation – NAC also provides mechanisms to quarantine and remediate non-compliant devices to allow them appropriate access to network resources.
While these are the core functional aspects of NAC, other service and solution requirements need to be considered including: ISSM, ITIL, ANA, Identity Management, IDP, HIP, Help Desk.
The business benefits of proper NAC solutions are significant, and include:...
Posted by Archie Reed on Friday, November 30, 2007 at 7:21:00 PM
After spending the first day at the conference I was struck by how many of the presentations seemed to run on, and into each other... critically so in terms of verbosity on the page and directly from the speakers. While ultimately interesting in terms of viewpoint, it took a lot of effort to get to the core of what points were trying to be made.
As a result, I reworked my own presentation on the first night, effectively giving it a theme of "Heroes and Villains" as opposed to that suggested by the title marketing allowed me to have - "8 Concepts to Explain, Justify and Deliver Successful Identity Management".
On the day (Thu), I was concerned for attendance, as it seemed we had been given the Siberian room (i.e. a long way from the main conference rooms), making it a challenge for people to drop in and see if they liked what they saw before committing to a session. I was surprised therefore to see the room swell and fill to over 100 folks. I was very interested when I asked how many folks were attending this type of conference for the first time, and almost half the audience put their hands up.
Well... this was either going to backfire or it was going to be the most interesting talk folks saw over the event.
I started out with the agenda - still 8 items...
- Heroes
- Villains
- Teamwork
- Money
- People
- MacGuffins
- Government
- HP
I think this provided a unique 8 points (should I say "concepts") for the audience, and based on the feedback, it was useful as well as interesting - well, except for MacGuffins, which no-one in the audience knew the definition of... so I'll use the term "gadgets" instead for any future talks.
Was it what folks expected based on the original title? Probably not.
Was it entertaining yet interesting? I think so based on the feedback I received.
If you missed it, or would like to talk some more, send me an email or a comment - tell me if it helped or hindered.
Posted by Archie Reed on Monday, November 12, 2007 at 9:41:00 AM
Next week, I along with many other Identity Management luminaries will be converging on Los Angeles to attend the Gartner Identity and Access Management Summit at the Hyatt Regency Century Plaza in Los Angeles, CA.
The summit is scheduled for Nov 14-16. I'll be speaking on Thursday 15, at the 2:45 session, offering you 8 Concepts to Explain, Justify and Deliver Successful Identity Management. We've heard from many folks, including Gartner, that many who have started their implementations have yet to see the returns expected, or worse, have encountered failures. How did they begin, how did they plan, and what measurements did they use to determine success or failure? It's more interesting than it sounds, and you may even see a hero or two appear as I run through some key concepts to help deliver your success (8 to be specific, 9 to be rebellious)...
I'll be around Wednesday and Thursday if anyone would like to talk; however, on Friday I'll be off to another conference.
Posted by Archie Reed on Tuesday, November 06, 2007 at 5:23:00 PM
In my previous post on Federation, I noted that HP released a game-changing "Federation Router" in Select Federation 7.0.
The question then is: Who needs it?
In this entry I wanted to take a further look at the challenges that drove this development. In subsequent entries I'll take a look at the various deployment options that deal with the challenges...
Federated identity technology is rapidly growing in adoption. New management challenges that never existed before are resulting out of its early success. Federation depends upon trust relationships (business policy) between independent entities; Trust between an Identity Provider (IDP) and Service Provider (SP); Trust between Web Service Provider and Web Service Consumer.
Common use cases of federation deployments today include allowing employees to seamlessly access their benefits information, which is provided by independent benefits provider enterprises, or allowing consumers to seamlessly access different services provided by independent divisions of the same enterprise.
Adoption of federation technology and the evolution of federation standards have introduced a need to deal with issues that are not necessarily new to an organization, but arise in a different context. These issues are not apparent in small deployments, when the number of federation partners is fairly limited or very uniform. Complexity of the deployment grows exponentially as the number of federation partners increases and/or the number of federation protocols supported increases.
It’s a classic problem of scale that needs to be managed up front, and over time.

Diagram 1 demonstrates the sets of relationships that might be required between federating entities from an enterprise (Employer) and outsourced employee service provider (Benefits Provider). In this example a large engineering enterprise has an aeronautical division, medical systems division and a financial services division. The enterprise as a whole has contracted with a benefits provider for health and dental benefits. However, since each of the divisions in the enterprise is independent, each has its own identity management processes. Further, the Benefits Provider is actually a merger between two benefits providers, one which provides medical benefits and the other providing dental benefits. As a result, the systems within the benefits provider are also independent. The enterprise has now mandated that all employees must receive seamless access to their benefits information. This means that each division would have to explicitly trust each service of the benefits provider so that employees from each division get seamless access to their personal medical and dental benefits information.
For each of the federation relationships depicted in Diagram 1, business and technical policy must be defined to address trust, protocol usage, attribute mapping, and security. Since trust agreements are based upon business and regulatory policies, they are typically legal documents requiring costly legal review. Thus, a large number of legal agreements is undesirable if the goal is to simplify and reduce the costs of governance and contract management. Furthermore, non-technology processes lengthen the duration of federation IT projects, adding further delay and uncertainty to the process. These issues become a hurdle for rapid adoption of federated identity management.
Read on for how to resolve this issue...
Posted by Archie Reed on Tuesday, October 30, 2007 at 2:51:00 AM
Most enterprise level technologies face the issue of scalability at some point. Most vendors try to support more and more protocols and similarly, more and more features, without changing the way in which their tool is managed, creating a significant issue for businesses that wish to scale at speed. HP believes that management and modeling technologies are critical for technology to deliver for business.
As a result, HP introduces the “Federation Router”, available in HP Select Federation 7.0.
The thinking here is that as the adoption of federation technologies has grown, it has become increasingly evident that the required pair-wise business and technical agreements between federating entities do not scale. Each federation relationship requires a business/legal agreement, meta-data exchange, determination of protocol usage, user mapping, etc. While these issues are manageable “in the small”, this complexity grows exponentially as the variety of federation protocols and number of federation partners increases.
Just as a network router simplifies the relationships between network entities by directing traffic, ensuring message delivery, providing protocol translation, and allowing for special handling of requests, a federation router simplifies the relationships between federated identity entities. The federation router will enable identity to be a more pervasive aspect of the enterprise infrastructure – transforming the enterprise and blurring the lines between the enterprise and extended enterprise.
Adopting the HP federation router architecture will allow enterprises to be more ready for organizational change; to be better integrated with customers, partners and suppliers; and to easily scale these capabilities as their electronic business relationships grow. The primary issue with deploying multiple federation brokers is that a change in business policy requires IT administrators to change policy in all deployed federation solutions. By pushing links through centrally managed routers, changes can be managed and deployed simply and effectively.
Simply put, a federation router acts as an SP to an IDP on one side and then turns around and acts as an IDP to an SP on the other side. The Liberty specifications first proposed the use of such “identity proxies” in the Liberty ID-FF 1.2 specification, and it is now a part of the SAML 2.0 specification. However, the HP federation router architecture takes the idea of identity proxies further by fulfilling the following purposes:
- Acts as an intermediary between multiple organizations, some of which are on the “inside” and others on the “outside”.
- Abstracts the details of each side for the other. Hides backend infrastructure (various Federation protocols, agreements, multiple IDPs, etc.)
- Maintains trust relationship with identity components on the inside and outside. This reduces the overall number of trust relationships that need to be managed.
- Maintains policy about which users on one side have access to which applications on the other side
- Transforms user identity representation so that applications can get all information they need about a user in the format they expect.
- Performs protocol translation, ensuring that federating entities receive messages in the format they support
- Possible to make internal changes without requiring communication to or coordination with external partners
Let me know if you’d like to talk more. In a follow-up post I’ll give some examples of how this works in real world applications.
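The router responsibilities listed above, and the Diagram 1 scenario from the Federation Router post earlier on this page (three divisions, a benefits provider whose medical and dental systems are separate), as an added illustration in Python that is not HP Select Federation code: the router is the only party each division's IdP and each benefits service trusts, it holds the access policy, and it rewrites attributes and the protocol label on the way through. Division names, attribute schemas and protocol labels are assumptions.

```python
"""Federation router model: SP toward inside IdPs, IdP toward outside SPs.

Added illustration, not HP Select Federation code.  It models the
'Diagram 1' scenario (three divisions, a benefits provider whose medical
and dental services are separate systems) and the router responsibilities
listed in the post: trust on both sides, access policy, attribute
transformation, protocol translation.  Division names, attribute schemas
and protocol labels are assumptions made for the example.
"""

# Inside: each division's IdP, with the attribute schema it emits (assumed)
INSIDE_IDPS = {
    "aero":    {"id": "employeeNumber", "mail": "emailAddress"},
    "medsys":  {"id": "uid",            "mail": "mail"},
    "finance": {"id": "empId",          "mail": "contactEmail"},
}
# Outside: benefits provider services, the protocol each speaks and the
# attribute names each expects (assumed)
OUTSIDE_SPS = {
    "medical-benefits": {"protocol": "saml2",  "id": "MemberId",   "mail": "Email"},
    "dental-benefits":  {"protocol": "idff12", "id": "subscriber", "mail": "email"},
}
# Policy held centrally in the router: which inside population reaches which app
ACCESS_POLICY = {
    "aero":    {"medical-benefits", "dental-benefits"},
    "medsys":  {"medical-benefits", "dental-benefits"},
    "finance": {"medical-benefits"},   # assumed: dental not contracted for this division
}


def trust_relationships(n_inside, n_outside, routed):
    """Pair-wise federation needs n*m agreements; through a router it is n+m."""
    return n_inside + n_outside if routed else n_inside * n_outside


def route(assertion, target_sp):
    """Accept an inside assertion as an SP, re-issue it as an IdP for target_sp."""
    issuer = assertion["issuer"]
    if issuer not in INSIDE_IDPS:
        raise ValueError(f"untrusted issuer {issuer}")               # inside trust check
    if target_sp not in OUTSIDE_SPS:
        raise ValueError(f"untrusted service provider {target_sp}")  # outside trust check
    if target_sp not in ACCESS_POLICY.get(issuer, set()):
        raise PermissionError(f"{issuer} users are not entitled to {target_sp}")
    src, dst = INSIDE_IDPS[issuer], OUTSIDE_SPS[target_sp]
    # Attribute transformation: inside schema -> canonical -> outside schema
    canonical = {key: assertion["attributes"][src[key]] for key in ("id", "mail")}
    outbound_attrs = {dst[key]: value for key, value in canonical.items()}
    # Protocol translation and issuer rewriting: the router is the IdP the SP sees,
    # so the SP never learns which division or protocol sat behind it
    return {
        "issuer": "federation-router",
        "protocol": dst["protocol"],
        "audience": target_sp,
        "attributes": outbound_attrs,
    }


if __name__ == "__main__":
    inbound = {"issuer": "aero", "protocol": "saml2",
               "attributes": {"employeeNumber": "A1001", "emailAddress": "ann@aero.example"}}
    print(route(inbound, "dental-benefits"))
    print(trust_relationships(3, 2, routed=False), trust_relationships(3, 2, routed=True))
```

With three divisions and two services the saving is only six agreements versus five, but the pair-wise count grows as the product of the two sides while the routed count grows as their sum, which is the scaling argument the post makes.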
Posted by Archie Reed on Friday, October 05, 2007 at 7:22:00 PM
HP delivers an important new capability to support our ‘Identity as a Service’ strategy, in addition to enabling out-of-the-box integration with Service Center, providing the only identity-enabled Service Catalog in the industry.
Highlights include:
- SOA-based Identity Services (web services)
- Identity Services delivered through Service Catalog/Service Center
- Ease of on-going IdM operations and maintenance
- Unified connector architecture
See the post for more details on each highlight...
Posted by Archie Reed on Wednesday, September 26, 2007 at 2:11:00 PM
I've not had the opportunity to talk to Jon Oltsik of the Enterprise Strategy Group for a few months, but Chris Whitener, Chief Security Strategist for HP's Enterprise Storage and Servers has.
Jon picked up HP's approach to security, and HP's "strategy" immediately on his blog posting at CNet, noting:
Rather than the traditional "bottom-up" approach to security, HP's strategy starts with executive management and works its way down. In other words, HP plans to count on its relationships, industry expertise, product installed base and IT services management prowess to weave together enterprise security solutions that complement existing HP strengths. Yes, this will pull products like identity management, SPI Dynamics and Opsware, but it also relies on professional services for IT governance expertise in areas such as the IT Infrastructure Library (ITIL) and security standard ISO/IEC 17799/27002. Think big enterprise-wide projects and business-critical infrastructure here rather than basic threat management.
So will this work? Yup. Large enterprises are buying exactly what HP is selling and the list of competitors gets pretty thin after IBM and Symantec. HP needs to toot its own horn with marketing air cover and developing more industry-specific security solutions but its customers are already hearing more and more about Secure Advantage and HP capabilities every day through the grassroots efforts of its global sales force. HP will rely on IT muscle rather than specific security visibility and brand awareness.
This is one of the reasons why I joined the HP Security Office. HP is serious about all aspects of security and we are executing on a very broad and strategic level to ensure our customers get what they need. This is not necessarily a huge number of products loosely or even tightly coupled, but rather approaches, strategies and knowledge to deal with the rapidly changing and urgent security issues we face day by day.
Posted by Archie Reed on Tuesday, September 18, 2007 at 4:07:00 PM
Overnight I received an urgent message from the organizers of the SDForum.
...Due to an exceptional combination of events, SDForum must regrettably postpone the Sept. 19 Security Conference in South San Francisco and will not hold the 1/2 day session as planned at SecureWorld.
We deeply regret any inconvenience this may have caused you and appreciate your understanding. In the many years SDForum has created events, less than a handful have had to be cancelled or postponed...
So, looks like I've got the morning clear now... I hope folks are not too inconvenienced.
Posted by Archie Reed on Tuesday, September 18, 2007 at 3:55:00 PM