Friday, February 26

IT Security Best Practices and Why Users Could Care Less

In the November issue of Communications of the ACM, Butler Lampson, a Technical Fellow at Microsoft Research, offers an incisive analysis of the sad state of affairs in security management. I'm not a security practitioner, but I've been around long enough to have witnessed many an IT department brought to its knees for hours and days while battling a security breach. Lampson's simple argument is that security experts have set perfection as the goal, and both vendors and customers have bought into this assumption. He reasons that perfection misses the point because security management is essentially "risk management: balancing the loss from breaches against the costs of security. Unfortunately, both are difficult to measure."

That the costs are difficult to measure is obvious to anyone in IT, where departments typically don't even take the time to quantify the per-hour impact of a component or application outage [Numerous blog postings to follow!]. From the users' perspective, access and authentication interfaces are mere hindrances to doing productive work, so their universal response is to just say yes to any security prompt, with no understanding or sense of ownership required. Lampson sums up the ramifications of this linkage between economic uncertainty and user indifference with an implicit rebuke of security vendors:

The root cause of the problem is economics: we don't know the costs either of getting security or of not having it, so users quite rationally don't care much about it. Therefore, vendors have no incentive to make security usable.


I hope this encourages you to download the whole article for yourself.  I will be watching how Security managers and vendors solve these self-limiting practices in the future.

Thursday, February 25

Notes on Bill Powell's March 2009 Presentation -- Impact of Economic Uncertainty on Service Management Plans

In March 2009, Bill Powell of IBM gave an excellent draft presentation to the NY LIG (Local Interest Group) of ITSMF USA that couldn't have been more interesting. I wrote up my notes on his talk here, but I encourage you to download the podcast and his slides from the final presentation. Here's the summary text from the ITSMF conference posting just to give you an overview.

Amid the global financial turmoil and toughening business conditions, businesses continue to look to IT to provide leadership in responding to challenges and emerging opportunities. This presentation covers the implications and recommendations for leadership in an uncertain economy based on recently completed IBM research covering over 400 IT organizations. This session will focus on the US results, how Service Management is transforming from an IT to a business discipline, and provide practical advice on how best to weather the storm.

Tuesday, August 15

Security & Compliance: Microsoft's Acquisition of Whale Communications

I've been trying to keep one eye on the products vendors are introducing to address the growing IT problem of managing security and compliance, and the recent acquisition of Whale Communications by Microsoft is certainly interesting. Here's what I've learned.

The Whale Communications products are essentially remote access solutions designed to provide high levels of security. The company has an excellent technical pedigree and will probably become a profitable subsidiary in this arena. That said, this acquisition in no way moves Microsoft towards a role as a security and compliance vendor; the Whale suite is merely an alternative access methodology for the huge base of Windows applications and servers, especially ISA Server 2006.

Here's Microsoft's own statement on their strategic direction, from a June 12 "Press Pass" interview with Ted Kummert, VP of Microsoft's Security, Access and Solutions Division (SASD):

Press Pass: What are the key customer pain points Forefront products seek to address?
Kummert: Customers are facing a broader, more complex and diversely motivated threat landscape. Attacks are increasingly advanced, more carefully targeted and often aimed at specific applications. In protecting themselves from these threats, customers are faced with a vast array of solutions, each of which will protect a given point against a specific threat. However, implementing such a combined collection of security solutions can provoke configuration and integration difficulties, making it more costly and complex to manage, control and report on the security of their environment.
By equipping customers with the ability to effectively secure their environment and securely enable the access scenarios their businesses require, Forefront products will help them unlock the full business value of IT applications and infrastructure.


See the full interview at http://www.microsoft.com/presspass/features/2006/jun06/06-12Security.mspx

In conclusion, IT managers are increasingly pressured to ensure that every system and application is secure from attack on the one hand, and in compliance with increasingly onerous governmental regulations on the other. Truly helpful solutions will continue to come from those vendors who are automating these concerns directly, as opposed to reducing the threat surface of individual applications and protocols. JMACINC will continue to study the NetIQ (now Attachmate) Security & Compliance Suite of products as a feasible and cost-effective approach. See http://www.netiq.com/solutions/regulatory and http://www.netiq.com/solutions/security for the full details.

Refer to www.JMACINC.com for the rest of the story.

Thursday, June 29

Netconnect 2006

I attended the 6th annual NetIQ Global Users conference in May, held in Orlando, FL. It was a wonderful chance to meet a lot of the people that I have worked with over the past 6 years as a NetIQ employee in the Technical Support and the Professional Services departments. I was also flattered by the fact that several customers remembered me from my days in Technical Support. Staying on after the conclusion of the conference, I attended two days of training on NetIQ's Security Manager product.

Netconnect 2006 was organized into five product demonstration and education tracks, including:

IT Automation
This track covered customizing, automating and tuning the AppManager (AM) Suite, including threshold automation and workload management with AppManager Performance Profiler (AMPP).

IT Service Management
This track focused on the convergence of security management with service level management, and how to transition your IT services from event management to service management. Products covered within this track included AM, VigilEnt Policy Center (VPC) and Analysis Center (AC).

Compliance and Risk Management
This track reviewed the impact of governmental regulations on IT from many perspectives, including preparing for audits, rules of evidence, organizational policy management, etc. Products examined were the Security Compliance Suite and the Risk and Compliance Center.

Security Management
This track presented NetIQ's broad coverage of security monitoring, automated response and reporting. Products presented were Security Manager (SM) and the Security Compliance Suite.

Change Control and Windows Administration
This track reviewed issues of managing operational changes and enforcing IT policies for Windows systems in a cost-effective manner. NetIQ's product lineup in this area recently expanded with the introduction of Change Administrator for Windows. Additional products covered included NetIQ Change Guardian for Active Directory (CGAD), Directory & Resource Administrator (DRA) and Group Policy Guardian (GPG).

As my personal goal in attending NetConnect was to broaden my awareness of NetIQ’s security and policy compliance solutions, I focused on the Security Management track, specifically SM. Workshops I attended included an overview of new features in SM 5.5; using the Security Compliance Suite to ensure compliance; integrating SM with AM, and the SM Essentials class. Here are some quick highlights.

SM is made up of three major components – Event Manager, Intrusion Manager and Log Manager.

-- Event Manager monitors the Windows event logs for security-related incidents and executes responses and notifications based on best-practice rules. All incidents and responses are collected into a backend SQL database. This is the first phase of the complete event management life-cycle.

-- Intrusion Manager builds on Event Manager to help secure systems against violations of every kind: internal or external, malicious or benign, accidental or policy-based. For example, Intrusion Manager lets you monitor root and administrator logon failures, security configuration changes, or possible buffer overflow attacks. The monitoring rules are based on security industry best practices and can be extended with custom configurations.

-- Log Manager copies all the information collected by Event Manager and Intrusion Manager to a separate SQL Server database designed for the analysis and reporting of security status across the enterprise. Log Manager exposes knowledge articles on the analyzed events to supplement the administrator's understanding of each security scenario.

A core feature of SM is its ability to monitor with "event correlation": rather than alerting on single events, rules are configured to match sequences of events, filtered on attributes such as criticality, the time window in which they occur, and the number of occurrences within that window.
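To make the correlation idea concrete, here is an added example of my own (not NetIQ code, and not how SM implements its rules internally) that runs two correlation rules over a handful of constructed Windows Security log records: a count-within-window rule for failed logons, and a sequence rule that fires only when such a burst is followed by a successful logon for the same account. The event IDs (4625 failed logon, 4624 successful logon, 4634 logoff) are the ones used by current Windows Security logs and are assumptions here; the hostnames, accounts and timestamps are made up.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, FrozenSet, List, Optional, Tuple

# Criticality ranking used to filter which events a rule is allowed to count.
SEVERITY = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int      # Windows Security log event ID (assumed values: 4625/4624/4634)
    account: str
    severity: str      # "low", "medium" or "high"


@dataclass(frozen=True)
class Rule:
    name: str
    trigger_ids: FrozenSet[int]        # events that count toward the threshold
    threshold: int                     # fire when this many triggers occur ...
    window: timedelta                  # ... within this much time, per account
    min_severity: str                  # triggers below this criticality are ignored
    followed_by: Optional[int] = None  # if set, fire only when this event follows the burst


Alert = Tuple[str, str, str, datetime]  # (rule name, account, host, time fired)


def correlate(events: List[Event], rules: List[Rule]) -> List[Alert]:
    """Replay events in time order and apply every rule as a sliding window per account."""
    alerts: List[Alert] = []
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    pending: Dict[Tuple[str, str], datetime] = {}   # bursts waiting for their follow-up event
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            key = (rule.name, ev.account)
            if ev.event_id in rule.trigger_ids:
                if SEVERITY[ev.severity] < SEVERITY[rule.min_severity]:
                    continue
                win = windows[key]
                win.append(ev.ts)
                while ev.ts - win[0] > rule.window:   # drop triggers older than the window
                    win.popleft()
                if len(win) < rule.threshold:
                    continue
                if rule.followed_by is None:
                    alerts.append((rule.name, ev.account, ev.host, ev.ts))
                    win.clear()            # one burst yields one alert, not one per extra failure
                else:
                    pending[key] = ev.ts   # burst seen; now wait for the follow-up event
            elif ev.event_id == rule.followed_by and key in pending:
                if ev.ts - pending[key] <= rule.window:
                    alerts.append((rule.name, ev.account, ev.host, ev.ts))
                del pending[key]
                windows[key].clear()
    return alerts


# Constructed sample log: a password-guessing burst against "administrator" that succeeds,
# two stray failures for "bob", slow-spaced failures for a service account, and logoff noise.
T0 = datetime(2006, 5, 1, 9, 0, 0)


def _ev(sec: int, host: str, eid: int, account: str, sev: str) -> Event:
    return Event(T0 + timedelta(seconds=sec), host, eid, account, sev)


SAMPLE_EVENTS = [
    _ev(0, "DC1", 4625, "administrator", "medium"),
    _ev(10, "DC1", 4625, "administrator", "medium"),
    _ev(20, "DC1", 4625, "administrator", "medium"),
    _ev(30, "DC1", 4625, "administrator", "medium"),
    _ev(40, "DC1", 4625, "administrator", "medium"),
    _ev(50, "DC1", 4624, "administrator", "low"),
    _ev(60, "DC1", 4634, "administrator", "low"),
    _ev(5, "FS1", 4625, "bob", "medium"),
    _ev(15, "FS1", 4625, "bob", "medium"),
    _ev(100, "FS1", 4624, "bob", "low"),
    _ev(0, "SQL1", 4625, "svc_backup", "medium"),
    _ev(180, "SQL1", 4625, "svc_backup", "medium"),
    _ev(360, "SQL1", 4625, "svc_backup", "medium"),
    _ev(540, "SQL1", 4625, "svc_backup", "medium"),
]

RULES = [
    Rule("failed-logon-burst", frozenset({4625}), 3, timedelta(seconds=60), "medium"),
    Rule("burst-then-success", frozenset({4625}), 3, timedelta(seconds=60), "medium", followed_by=4624),
]


def run_demo() -> List[Alert]:
    return correlate(SAMPLE_EVENTS, RULES)


if __name__ == "__main__":
    for name, account, host, ts in run_demo():
        print(f"{ts:%H:%M:%S} {name:20} account={account} host={host}")
```

Only "administrator" produces alerts: the burst rule fires at the third failure, and the sequence rule fires at the success ten seconds after the last failure. The service account's failures never reach three inside any 60-second window, so a rule that counted failures without a time bound would have produced a false positive there, which is exactly why the window and count are part of the rule rather than left to the analyst.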

Some of the new features in SM version 5.5 include:

AutoSync Technology
NetIQ provides new modules and module updates based on requested features or newly discovered security vulnerabilities. These updates are posted to the AutoSync Server. In the SM administrator console, these updates can be obtained by running the Module Installer. The Module Installer queries the AutoSync Server and distributes any updates available to the deployed agents as required.

Agentless Monitored Computer
The newest version of SM now supports agentless monitoring. An agentless computer is monitored by a proxy agent on another computer.

Protection for Oracle Database Servers
Security Manager now offers monitoring for Oracle database servers. Changes to security roles and user accounts can be monitored, along with the status of the audit subsystem.

NetConnect was certainly worth the time and money to attend. I plan to release more detailed reports on the Security Compliance Suite in the months ahead.