NetIQ Qmunity

10 Upcoming NetIQ Events

David Shephard — Fri, 30 Jul 2010 15:05:00 GMT

Time flies and August is upon us, which means it’s time for NetIQ’s guide to our upcoming conferences, webcasts, gatherings and training events where you can catch up with us and learn more about our solutions. For more upcoming event listings, check out NetIQ’s events page.

August 3-5, 2010, Tampa, FL: The 2010 LandWarNet Conference brings government and industry together to openly communicate commercial best business practices and government implementations. From rugged computers to intelligence gathering solutions, if you are looking for new products, services or solutions the LandWarNet exhibit hall is the largest and most complete defense, communications and information technology show in the Southeast US. We'll be there, on booth 1507, with a specific focus on migration and Active Directory security and automation.

Aug 3-5, 2010, Herndon, VA: This Secure Configuration Manager Essentials lecture/lab-style, three-day course will help you understand, deploy and successfully use NetIQ Secure Configuration Manager. Designed with real-world content and an emphasis on hands-on exercises, you will learn to install and use Secure Configuration Manager to examine the weaknesses in Windows, UNIX, web-server, and database systems; manage and inventory IT Assets and determine the vulnerabilities present on managed systems; apply industry standard baselines and criteria such as the SANS / FBI Top 20, HIPAA, and Sarbanes-Oxley to determine weaknesses; develop your own customized checks for specific vulnerabilities. You will also practice using features within Secure Configuration Manager to remove these vulnerabilities and lock down Windows and UNIX computers systems, IIS web-servers, and Microsoft SQL-Server database servers.

August 4, 2010, Online: NetIQ Security Manager v6.0, released in 2007, is moving to “Continued Support” status on October 29, 2010. Beyond that date, support for NetIQ Security Manager 6.0 will be limited to online support, and hotfixes and service packs will no longer be actively developed. Join us to learn how to have a successful and seamless upgrade to NetIQ Security Manager v6.5. Register now for "Maximize the Value of NetIQ Security Manager: Seamless Upgrade to 6.5" to gain valuable insight from our Professional Services experts on planning best practices and lessons learned from years of experience working with NetIQ Security Manager users just like you.

August 11, 2010, Auckland, New Zealand: We are proud to continue supporting The Future of Banking & Financial Services events organized by FST Media as they consistently provide a strong foundation for the exchange of ideas and information on business-enabled technology amongst CxOs and IT decision makers.

Aug 17-19, 2010, Herndon, VA: NetIQ Aegis Process Automation is a three-day lecture course that will help you understand, install, and successfully use NetIQ Aegis. In this course, you will learn about the Aegis lifecycle, how to use the Workflow Designer, and process revision control. In addition, you will learn how to manage, maintain and make decisions with Aegis. Through discussion, examples, and lab exercises with real world content, you will learn how to: identify and create notification workflow processes; set user and permission sets and handle basic Aegis troubleshooting.

August 24-26, 2010, Rivera Maya, Mexico: We are a gold sponsor of this years CIO Summit Latin America which will once again serve as an arena for senior level executives to engage in clear and focused dialogue with their peers and examine their management objectives in a relaxed and vibrant environment.

Aug 24-27, 2010, Houston, TX: In this instructor-lead AppManager 7 Essentials course you will learn how to gain greater control over the IT Environment by using features such as automated detection and deployment, policy exception management, secure delegation and self-maintaining service maps. In addition, you will learn to prioritize problem response and how to map IT resources to business applications and services.

Sep 1, 2010, London, UK: IDC's IT Security Conference 2010 enables end user IT professionals to discover what they should be targeting to ensure their organisation's safety in a complex environment. We, with one of our customers, will be presenting a case study - more details to follow.

Sep 7-10, 2010, Staines, UK: In this instructor-lead AppManager 7 Essentials course you will learn how to gain greater control over the IT Environment by using features such as automated detection and deployment, policy exception management, secure delegation and self-maintaining service maps. In addition, you will learn to prioritize problem response and how to map IT resources to business applications and services.

Sep 7-10, 2010, Herndon, VA: This Security Manager 6.x Essentials course is a four-day lecture style class designed to help you understand, deploy, and successfully manage Security Manager. You will learn Security Manager Architecture and how to use it to secure the organization’s computers. Through discussions, examples, and lab exercises with real world content, you will learn to defend both Windows and UNIX systems. In addition, learn how to: Architect, install, and configure Security Manager; install and configure Windows and UNIX agents; configure Change Guardian for Windows, Active Directory and Group Policies; and develop event correlation procedures.

Critical Data leak may be your next PR nightmare!

Erin Avery — Tue, 27 Jul 2010 18:33:00 GMT

Users with unnecessary access to critical data are increasingly becoming organizations’ worst nightmare. Too many privileged users are bad for security – that’s why so many regulations focus on controlling access to critical data. With the recent leak of sensitive and classified military documents (which were accessed by someone who may not have required elevated access, or who gained that unauthorized elevated access), we find the concept of privileged users and critical data front and center again.

When it comes to controlling access to critical data, you should start with users and their privileges. As organizations increasingly rely on their investment in Active Directory to act as the authoritative source for identity and access management, it stands to reason that examining Active Directory is a logical place to start.

Natively, Active Directory lacks the controls necessary to granularly control elevated permissions and audit privileged user activity. So, as you think about securing access to critical data via Active Directory, it’s important to consider:

Reducing administrative access for unnecessary users – your risk of a critical data breach or security incident increases greatly as the number of domain administrators increases. Look for a solution that can help you granularly delegate administrative privileges for only the access that users require to perform their job function.
Deviation from process – your ability to reduce risk exposure after a security breach is dependent on knowing that an incident occurred. The longer an incident goes undetected, the greater chance you have of hearing about it on the news. By that time, your PR nightmare has begun! Look for a solution that will monitor for unauthorized change and alert you when something happens that is outside of your standard process.
Tracking privileged user activity – how quickly you can perform forensics after a security incident is directly related to your ability to find information about what the privileged user in question did with their access. Look for a solution that can easily produce audit reports that show who did what, when they did it, and where a privileged user accessed information.

Critical and sensitive data needs to be secured at all times. Criminal motivations for accessing and distributing sensitive information are constantly evolving. Whether for political or monetary gain or to simply make a statement, there are folks out there who want your organization’s critical data. It is up to the organization to protect their critical data. The most effective way to stay out of the news begins with examining who has access and then putting controls and notifications in place to detect when deviation from process occurs.

Secure Open Source Cloud Computing! Does OpenStack Stack Up?

Garve Hays — Thu, 22 Jul 2010 21:45:00 GMT

In a previous entry, I mentioned standardization for "cloud" computing. So I was happy to see the New York Times Bits technology blog run an article on the launch of OpenStack from Rackspace. As a customer, I always insist on a published specification, preferably governed by a standards body, in case I want to switch vendors or perhaps to continue development myself. As a developer, standards help me to meet my customer's purchasing criteria and provide an integration point. A standard provides me the opportunity to control my information and my use of technology. From a security standpoint, standards help when analyzing the attack surface of a product or implementation. The standards process is participative and can be influenced by parties with enough energy to insist on a particular change, including security features. Although they do not necessarily prevent vendor "lock-in" -- sometimes there is only a single vendor; there is the possibility for competitors to enter the market. Along with a standard, or even in the case where there is no dominant standard, an active open source solution is also desirable. The ability to view the code and have a built-in code escrow adds tangible value.

OpenStack builds upon the Nebula Cloud Computing Platform developed by NASA, which is an alternative to expensive data centers. Nebula features the Nova compute and storage application programming interfaces (APIs), that were created to rival the Amazon Web Services (AWS) EC2 and S3 APIs. Nova leverages the Redis key value store and the AMQP standard messaging protocol. Redis is an efficient, open source data store that occupies the niche made popular by Google's BigTable, which in turn has spawned several distributed key value store projects, collectively referred to as "NoSQL." NoSQL because they are non-relational data stores. The AMQP standard provides for for basic username/password authentication and course-grained access control. It is possible to secure communications over TLS/SSL, but set up and certificate management is currently left to the implementer, which in the case of OpenStack has been accomplished using OpenSSL. Note: AMQP over TLS/SSL ports have been assigned by the Internet Assigned Numbers Authority (IANA), a body that oversees Internet addresses and protocol assignments. There is also an AMQP proposal that addresses message signing, so the situation will improve. The important thing is visibility -- we can see what is happening and even participate. Based on my own analysis, I am satisfied so far with the architectural direction and concern for security exhibited by the OpenStack project.

Amazon has a good head start, but I look forward to the competition from Rackspace. The battle is shaping up with challenges from VMware, Google, and Microsoft. We all stand to benefit from great products and enhanced value. Consumers win when there is a choice and vendors create better products when they are competing. A solid open source offering gives us a choice and will be a catalyst for other vendors to create outstanding offerings of their own. They will have to in order to get my purchasing dollar! As if they are lying awake at night worrying about me. More importantly, they will have to create and maintain a compelling product to get the limited dollars of "the IT" department. And the government.

Three Considerations for Effective De-Provisioning

Erin Avery — Wed, 14 Jul 2010 20:35:00 GMT

Provisioning is a continual hot topic when it comes to Identity and Access Management projects. It is arguably one of the most visible business drivers that IT facilitates – getting people the access they need to do their jobs.

However, provisioning has an often overlooked younger sibling called de-provisioning (the revocation of access.) And the thing is, if ignored or neglected, de-provisioning can cause some serious problems in your organization. Limiting privileged user access and protecting your business critical data can help you prevent a security breach or publicity nightmare. The following are three things to consider when approaching de-provisioning:

Automate De-Provisioning. It is critical to revoke access as soon as an employee no longer requires access to that information to perform their job. Relying on humans to do this only results in delays, errors or neglect because most IT staff are stretched to their limit with other business critical projects or fighting emergency situations. We’ve heard time and time again that they don’t have the time to sit and meticulously comb through a users access to determine if it’s relevant, and as a result, they are finding that automating de-provisioning is saving them many headaches. Additionally, it’s saving them from having to perform forensics down the road when a security breach happens due to unauthorized use of critical data.
Capture and audit trail and securely store it. When a security event occurs, the first thing folks want to know is what information the person in question had access to and how they used that access. As you implement processes for de-provisioning, make sure to capture audit logs that clearly show when a user was granted access to information and when that access was revoked. Also, you want to capture who approved, granted or revoked that access. This will simplify the process of performing forensics after a security event and also streamline the process of producing reports for auditors who also love to ask the question, “show me what this terminated employee had access to over the last 60 days.”
De-Provisioning isn’t just for folks who leave the company. De-provisioning is the act of revoking access. As users roles change and evolve in an organization, they can gradually begin to “stock-pile” access over the course of their career that is unnecessary for their current role. Sure – removing access when a user leaves a company is critical, but it’s just as critical to control the access that your current employees have as well.

Granting and revoking access can be a time-consuming and error prone activity if process is not in place. It’s critical to understand how your business works and how employees’ roles develop over time so that you can align your provisioning and de-provisioning processes to most effectively secure your critical data while still maintain and supporting business continuity.

AppManager Forum Highlights for June

Haf Saba — Tue, 06 Jul 2010 15:50:00 GMT

Hi gang!

For our US readers, Happy 4th of July! We've been busy getting lots of events going and this month if you're in Singapore, stop by the IDC CIO Summit on the 29th of July as I'll be speaking on some of the latest topics to hit the market!

Now here are some excellent snippets of tips from our AppManager Forum from the past month, enjoy!

Cumulo-Hypus (Or is the "cloud" all hype?)

Garve Hays — Fri, 02 Jul 2010 18:28:00 GMT

I actually find myself agreeing with Larry Ellison... But I guess he is right once in a while! Maybe that is why he can take some time off work to go win the Americas Cup. But I digress... I too think there is a lot of hype around the "cloud." My point is that existing and readily available technologies are being labeled with the magical moniker of "cloud" and suddenly sliced bread doesn't seem so great anymore. Much like Geoff Webb, I don't want to start on a crusade against the idea of cloud computing, but I do want to discuss what is new versus the out-of-breath rantings of the media hype-machine.

The idea of rapid provisioning is not new. IT outsourcing and managed hosting are well-known, standard offerings as well. Rackspace and others have been providing outsourced or hosted Microsoft Exchange, for example, for quite a while. We used to call providers of hosted software Application Service Providers (or ASPs). What we are now experiencing with these services is economy of scale. With EC2 services from Amazon.com, you can now rent servers. What is new is the improved computing "elasticity" or re-sizable compute capacity. This is empowering, more available means of accessing computing power.

One of my colleagues, Rich Getteau, characterizes it best:

"The Gartner article is right about one thing. Cloud computing is just the latest buzz word for distributed computing, client/server, virtualization, clustering, SaaS or anything else that doesn't have you running the app locally on your box. We've been using the Internet to connect our VPN tunnels for years. Have we been cloud computing? According to some folks, yes we have. We've had load balanced web servers where we could add capacity at any time by dropping another IIS box in the mix and adding it to the virtual IP address. Once again, depending on who you ask, we're cloud computing. Same thing for our VMware farm or storage behind DFS. All of it is masked from the end user and can be expanded or shrunk as we see fit. Until recently, we used a 3rd party to handle our paycheck stubs and we got to them through a browser; wow, more cloud computing. How about our 401K's or any other external web based app we use for work. So besides the fact that you would be paying someone else to use their app, I'm not seeing how cloud computing is so revolutionary. Running an app on a foreign computer is exactly what you did with your dumb terminal and Mainframe boxes. Sure we should see how we can sell into this market, but I guess I am just missing how this is all so new and cool."

It's time to roll up our sleeves and get to work. From my perspective that entails a better approach to securing it, and then standardizing it. I'm not sure SAS 70 is the way to go. But I would go with NIST. While the Cloud Security Alliance, the Open Cloud Consortium, and the Open Cloud Computing Interface all look promising.

Upcoming NetIQ Conferences, Webinars, MeetUps & Training Events

David Shephard — Fri, 02 Jul 2010 15:30:00 GMT

It’s a brand new month, which means it’s time for NetIQ’s guide to our upcoming conferences, webcasts, gatherings and training events where you can catch up with us and learn more about our solutions. For more upcoming event listings, check out NetIQ’s events page.

July 13-16, 2010, Houston, TX: With this instructor-led AppManager 7 Advanced course you can take your implementation of AppManager to the next level . Learn how to maximize your AppManager investment by using several tools in the AppManager Suite including: Control Center, Knowledge Base, SNMP Toolkit, Analysis Center and Diagnostic Console. Topics covered in this course include both advanced monitoring and troubleshooting techniques using the base AppManager application. The class employs a combination of discussion, demonstrations, and hands-on lab exercises.

Jul 20-23, 2010, Herndon, VA: In this instructor-lead AppManager 7 Essentials course you will learn how to gain greater control over the IT Environment by using features such as automated detection and deployment, policy exception management, secure delegation and self-maintaining service maps. In addition, you will learn to prioritize problem response and how to map IT resources to business applications and services.

Jul 20-23, 2010, Staines, UK:This Security Manager 6.x Essentials course is a four-day lecture style class designed to help you understand, deploy, and successfully manage Security Manager. You will learn Security Manager Architecture and how to use it to secure the organization’s computers. Through discussions, examples, and lab exercises with real world content, you will learn to defend both Windows and UNIX systems. In addition, learn how to: Architect, install, and configure Security Manager; install and configure Windows and UNIX agents; configure Change Guardian for Windows, Active Directory and Group Policies; and develop event correlation procedures.

July 26-27, 2010, Canberra, Australia: Focusing on the issues at the heart of the Australasian public sector, senior Australian civil servants and international representatives come face-to-face at FutureGov to focus on Web 2.0 & citizen engagement; green IT; open data; cloud computing; national broadband initiative; citizen authentication; enterprise content management; public private partnerships; business intelligence & analytics and compliance and risk management. This last area is where we come in. Geoff Rhodes of NetIQ's Federal Government team will be hosting a roundtable on systematic risk management, essential in government both to ensure organizational resilience and to protect critical information infrastructure. You can also come met us on our booth.

July 29, 2010, Singapore: With this years theme of "Winning Strategies of Empowered CIOs in Asia/Pacific" IDC's Asia/Pacific CIO Summit 2010 this event is where CIO, CTO, business and IT executives get the distilled and compact insights in IT refresh strategies, emerging technologies and best practices that have near term impact to your business landscape. We are a thought leadership sponsor and will be speaking about Identity, Access Management and Security. We'll also be available at our exhibition stand.

August 3-5, 2010, Tampa, FL: The 2010 LandWarNet Conference brings government and industry together to openly communicate commercial best business practices and government implementations. From rugged computers to intelligence gathering solutions, if you are looking for new products, services or solutions the LandWarNet exhibit hall is the largest and most complete defense, communications and information technology show in the Southeast US. We'll be there, on booth 1507, with enterprise data center and security solutions, including VoIP security along with hundreds of other technologies and solutions being demonstrated.

Food for Thought: Don’t let complexity rule your IT environment and remember, security and identity are linked

Erin Avery — Wed, 30 Jun 2010 16:34:00 GMT

Gartner’s Security and Risk Management summit last week provided me with much food for thought. I found the Identity and Access Management sessions to be of great value and I’ve been pondering many comments made by Perry Carpenter during his sessions. Here are a few of my favorites and my interpreted meaning – feel free to comment or add your thoughts.

“Provisioning is the most complex part of Identity and Access Management.” Carpenters argument here is that it’s where the rubber hits the road – user provisioning, the act of granting and revoking access in a timely and accurate manner, is what drives and enables business. As a result, provisioning touches all drivers that organizations aspire to achieve; efficiency, security effectiveness (and regulatory compliance) and business enablement. This makes provisioning complex – it touches so many business drivers and parts of the business, which can make folks a little uncomfortable (think of the book Who Moved My Cheese), which leads me to Carpenters profound thought #2.

“(Unnecessary) complexity is the enemy of good security (and arguably good business practices.)” As organizations further rely on technology to enable the business to operate and thrive, it is easy for a snowball effect to take place. The multiple dependencies and interdependencies in an enterprise organization could make heads spin. As organizations seek to further leverage technology to enable good business, I quickly think of the old adage my high school algebra teacher (and former Marine) used to tout – KIS (keep it simple). Over engineering process introduces new vulnerabilities that any criminal, thief, or admin who just doesn’t know what they’re doing could turn into a business crippling event.

“Security and Identity are inherently linked.” Information security starts with identity management and identity management should start with Active Directory (or your primary directory). As organizations increasingly are making Active Directory the heart of their approach to Identity and Access Management, it’s critical to secure the authoritative source of the identity. To do this, organizations are delegating administrative controls, as well as proactively monitoring for unauthorized change, auditing activity and enforcing process through automation to achieve a secure and compliant environment.

Securing the foundation and authoritative source of the digital identity will ultimately improve security and reduce complexity which helps organizations in the pursuit of efficiency, security effectiveness and the holy grail – business enablement! I leave you with my favorite quote from the entire conference (again from Mr. Carpenter) – “Just because you can, doesn’t mean you should.”

Identity and Access Management projects, can you really please everyone?

Erin Avery — Fri, 25 Jun 2010 20:22:00 GMT

I just got back from a great week in Washington, D.C. where I attended the Gartner Information Security Summit. It was a week of double duty – staffing the booth and attending sessions – but the content and discussions and touching base with some great NetIQ customers made the trip well worth it!

One of my favorite parts of the conference was attending some of the Identity and Access Management sessions facilitated by Gregg Kreizman, Ant Allan and Perry Carpenter. As I reflect back on the sessions and the questions asked by the audience, my thoughts return to one question that got the whole room nodding their heads during Carpenter’s discussion. It went something like this:

“We have a funded IAM project that I’m heading up. However, everyone has a different agenda when it comes to this project:

CFO – reduce costs
CEO – integrate with HR systems
CIO – start with the helpdesk and streamline operations

The question is: Where do I start? Do I go for the low hanging fruit or do I tackle the larger projects?”

Like I said earlier – everyone knows this acute pain all too well. Carpenter explained that Identity and Access Management projects are often large and complex. If you tackle the bigger projects first, you can end up going an extended period of time without demonstrating value, which can result in the perception that a cone of silence has been placed on the project or worse – that the project isn’t on track.

To mitigate these challenges, Carpenter recommends starting with projects that can provide success early (i.e. Single Sign-On) while simultaneously embarking on longer term projects (i.e. user provisioning) that will not necessarily display immediate success or value. By implementing some projects that show success early and often, you can establish credibility and build momentum as well as maintain or grow its perceived value to the business. And, you can still work on longer-term projects, but this way you can satisfy multiple members of the organization that each have their own agenda.

Employee On-Boarding Automation Eases Strain on IT

David Shephard — Thu, 24 Jun 2010 15:30:00 GMT

It was via The First 90 Days: Critical Success Strategies for New Leaders at All Levels (referred to as 'The On-Boarding Bible’) by Michael Watkins, Chairman of Genesis Advisers and regular Harvard Business Review blogger, that I was introduced to employee on-boarding commandment number six:

'Thou shall set up thy employee's workstation. An empty workstation is to a new employee what an unkempt home is to a house guest. Make sure the phone and computer, complete with voice mail and e-mail accounts, are set up.'

As any IT Administrator knows, bringing a new employee on-board can be labor intensive, particularly in larger organizations or those with high staff turnover. In addition to the hardware requirements there is the software - if you have ever been tasked with the creation and management of user accounts and groups in Active Directory, you already know that when relying only on native tools, user provisioning and user de-provisioning can easily become one of your most tedious and time-consuming tasks.

(Please visit the site to view this media)

So, it was with some pleasure that I recently sat down for a demo of NetIQ Aegis and as this short video makes plain the IT team's part of the on-boarding process is automated - Yes, it reduced human intervention to a minimum; no more trying to work out what hardware and software a new employee gets, or what Groups they need to belong to, it was automated: The hiring manager submits a new user request. A service desk request is created. The assets database is checked for available hardware and software, which is assigned to the new user. The new user is created in Active Directory and assigned to groups. The account details are sent to the hiring manager and the new user is sent a welcome email. It was amazingly simple and ensured that everything was in place, on time.

To maintain a healthy and productive business, you need to be able to quickly respond to provisioning, de-provisioning, on-boarding and off-boarding (you choose your phrase 'du jour') requests - automating the process certainly makes accurately assigning and removing user permissions and equipment in a dynamic business environment a whole lot easier.

So I asked David Mount, who provided me the demo, for the specific reasons as to why automation is key. He quickly listed: "Firstly the obvious, you are automating the provisioning and de-provisioning process. It reduces the time and resources required to provision and de-provision users. You can maintain a full audit trail of permissions granted and revoked - not always easy in a non-automated environment. You minimize the opportunity for user provisioning errors and you reduce the number of users with unnecessary elevated administrative access. In case you are concerned you can allow for approval processes before permissions are granted."

What's more an organization's provisioning and de-provisioning requests can be automatically triggered by updates in Human Resource applications or in a helpdesk ticketing system. Looking back at David's point on audit trails, automating helps improve your ability to adhere to processes, such as ITIL, and provides a comprehensive audit trail to easily demonstrate compliance.

But most importantly, effective employee on-boarding has a positive domino effect: it ensures that new hires feel welcome and prepared in their new positions, in turn giving them the confidence and resources to make an impact within the organization, and ultimately allowing the company to continue carrying out its mission. Result: happy new employees, better results and more time to focus on Bottling Up The New Hire Mojo as Jessica Lee outlined in her recent Fistful of Talent blog.

What I haven’t covered here is the area of policies, where David said you can gain greater control through automation. Basically, when a new employee logs on for the first time they can be presented with the relevant policies. Only when they have read and agreed to a policy, does the respective access get granted – for example, only when an employee reads and agrees to the ‘Email Acceptable Use Policy’ is their e-mail account enabled. Seeing as this is covered by employee on-boarding commandment number nine I’ll save that for my next post.

Administering servers in “the cloud”?

Garve Hays — Fri, 18 Jun 2010 18:34:00 GMT

I'm no Cliff Stoll, but several years ago, I did catch someone breaking into my system. In the mid 1990s, I administered the servers for a small Internet service provider (ISP). We had received several complaints that service was slow. As I investigated, I found that someone had used a sendmail exploit to drop into a root shell, create a new account, and to then install Eggdrop. I became aware of the problem when CPU use started spiking and disk space rapidly started shrinking! Perhaps a disgruntled customer found issue with my decision to not host Internet relay chat (IRC)? Or perhaps it was someone else? Don't know; didn't really care. I had to make our customers happy and to retain their trust. Anyway, he must not have been the most discrete intruder; or simply didn't care, because he (I assume) started copying his porn collection to disk. Nice. No, not really -- not on my public server.

The tools I initially used for analysis were "top" and "df." Once I had identified the offending process and zeroed in on the file "explosion," I was able to trace it back to an account, one I had not created. From that point, I was able to follow a pattern of system access using "utmp" -- the offender did not clean up their tracks very well!

The end of the story is that I disabled the account, patched sendmail, and removed Eggdrop and the other files. After that I started paying more attention to CERT advisories.

Fast forward. What if I'm now the administrator for a group of servers in "the cloud?" What do I now use to monitor the health and security of my charges? If something should happen, how would I pull off forensic tracking? How do I even figure out there is a problem in the first place? What would tip me off to excessive use? What is "normal" use in a cloud? Is 100% memory use even bad for a hypervisor or cloud server? So many questions! Some answers...

Consider that a cloud vendor likely uses memory and CPU "overcommit" features; it is pretty much guaranteed that overcommit is going to be used in a private cloud, so that IT can stretch their purchasing dollar. Guess what? That means peak loads in excess of 100%! Unlike with traditional IT hardware, server loads of 100% or more are just fine. Nothing to be alarmed about here folks. Move along. So much for diagnosing an issue in my cloud... Are traditional IT metrics even helpful to me? Probably not...

My first stop would be esxtop. Only if "memory granted" starts to pass 125% would I start getting worried. Next I would look to see if the "memory balloon" is inflating. That coupled with noticeable swapping to disk means it's time to start ringing the alarm bell. Esxtop? "Memory balloon"? Swapping? Huh? What? Yeah. Exactly. As others have commented on cloud security, yes, this is a new era, but some things have not changed and we still have to keep moving. Good thing security is a journey, not a destination. Are we there yet?

VM Sprawl is a Risky Business

David Mount — Wed, 16 Jun 2010 14:55:00 GMT

If I Google the term ‘Virtual Machine Sprawl’, I get nearly 43,000 results, confirming that it’s a topic that IT departments should be well aware of. Naturally, recognising a problem is the first step in overcoming or managing it, so this is good news. Often, this recognition relates to controlling resource utililsation, and controlling cost.

Some organisations plan very carefully their virtualisation strategy. They plan around factors like VM’s per host, to help them determine the number of hosts required, and their specification. Each VM deployed to the host consumes resources, and as capacity is reached, new host hardware is purchased and deployed. IT organisations recognise that each VM deployed requires managing, and this incurs a cost for the hardware, the OS licensing and any third party software that might be mandated to be deployed across the estate; for example, management software.

Savvy organisations are starting to recognise the value of elements of automation and orchestration around the Virtual environment to add control to the provisioning process. But what about the security risk implications of VM sprawl? If I Google ‘Virtual Machine Sprawl Security Exposure’, I get less than 3,800 results. An indication that risk exposure isn’t widely recognised or understood? Maybe.

Let’s look at an example.

Everyone’s favourite IT department (those folks at ABC Corp) are loving this virtualisation thing. Suddenly, elements of the IT department have just become more agile, and ‘Green’. When application owners need to scale out their apps, the server team can now clone a template and bring a new VM online in less than an hour of the request being assigned. Both sides love it. The App owner gets his new server PDQ, and Barry, one of the server tech’s, can enjoy an uninterrupted lunch break. One thing the App guys really love is the ability to request VM’s for testing, on a temporary basis. Because Barry regularly blows the froth off a beer or two with Mike from the app team, he’s happy for Mike to come to him direct when he needs temporary VM’s. Afterall, they’re so easy to provision, so it’s no hassle. Unfortunately, Barry and Mike occasionally blow the froth off of one or two beers too many, and some of these ‘temporary’ VM’s get forgotten about. Some months later, these systems haven’t been kept up to date with software updates, AV signatures etc, and more than one of those updates was to close a significant exploit…

Security risk should therefore be an equally significant contributor to getting VM sprawl under control, and is one area that IT Process Automation (ITPA) can enable. Using ITPA technology, organisations can define and enforce processes around the management of the VM environment. A couple of examples:

When new VM’s are provisioned (regardless of the method – ITPA or VM management tools), a process is triggered which ensures that all interested parties are aware – support teams, licensing teams etc, and that the system is appropriately added to associated tools – i.e. CMDB, patch management, performance monitoring, AV, security monitoring etc. If a VM was provisioned ‘outside’ of the controlled process, the VM could optionally be shut down and de-provisioned.
If VM’s are required on a temporary basis, full lifecycle management can be implemented. By allowing requestors to specify how long VM’s are required for, the IT organisation gains greater control over the resources they are responsible for. In this example, a requestor can request a VM for 4 weeks. This gets approved and provisioned, with all necessary software and CMDB updates occurring. Towards the end of the requested period, the requestor is contacted to confirm whether the VM is still required. If it is, the process could update any required billing systems for cross-charging, and then ‘snooze’, ready to remind the requestor again towards the end of the extension period. As soon as the VM is no longer required, it is de-provisioned, releasing resources and licensing for future use, and ensuring that there is one less endpoint on the network that needs managing and securing. For organisations required to adhere to compliance mandates, it becomes one less system to audit.

So just like Attenda, featured in this case study, you might want to investigate orchestrating Virtualised environments yourself.

Lessons from TechEd: Enforce Policy and Improve Security with Automated User Provisioning

Erin Avery — Wed, 16 Jun 2010 12:48:00 GMT

Hot off the heels of a great week at TechEd in New Orleans, there was one recurrent theme discussed in presentations, break-out sessions and on the show floor – Active Directory native tools don’t provide the granular and secure administration that IT organizations need in today’s complex and challenging business environment. This problem is compounded by the evolving role that Active Directory is playing in the enterprise organization. More systems, applications and data stores are relying on Active Directory. Over and over again I heard it said, “native tools just aren’t cutting it,” right alongside “how do I reduce the number of domain admins in my organization without saddling myself with a lifetime of password resets and administrative bologna?”

My consistent answer to these questions – delegate and automate Active Directory administration and user and group provisioning. Like eating a kiwi, the health benefits for your IT organization are endless. In no particular order (depending on your organization and industry, some might boil to the top quicker than others), delegating and automating helps you to:

Reduce workload – you’re not going to be able to sit back and kick up your feet all day while taking in the World Cup, but at least you won’t be running around with your hair on fire responding to every request – let technology do the work for you and you’ll spend much less time performing day to day Active Directory management and fulfilling provisioning request.
Reduce risk – it’s what you get when you don’t have 13,092 domain admins (yes, I know a company who had this many domain admins – it wasn’t pretty) since you are granularly delegating and revoking privileges based on need and role.
Improve compliance – automation standardizes process, process improves control, and auditors love to see that you’ve got things under control. No longer is it okay to skip a step or circumvent policy.
Improve security – by having fewer hands in the cookie jar (i.e. fewer domain admins who don’t need God-like privileges) and improving standardization of process, you are fundamentally reducing the risk of an unauthorized change or security incident.

While the limitations of Active Directory native tools aren’t new, the tools aren’t much better than they were 10 years ago, the business and security challenges organizations are dealing with today sure are. However, if you ask any of the admins at TechEd last week, they’ll tell you that it’s the IT organization who is feeling the pain. By employing a solution to help automate and streamline Active Directory management, IT organizations can streamline and standardize to prevent work-overload or a security breech.

Where’s my Super Suit… Errr… User Password?

Garve Hays — Fri, 11 Jun 2010 14:07:00 GMT

In the movie "The Incredibles ," as the tentacled robot creates a path of destruction, Lucius Best, better known as Frozone, is scrambling around his apartment exclaiming "Where's my super suit?"

In computer security, the super suit is the root password. As Honey Best, Lucius's wife, asks, "Why do you need to know?"; so should we too ask, do you really need the administrative password? Or can you do your job without it? In information security, this is known as the principle of least privilege. From a software development perspective, a great book on the subject is "Building Secure Software: How to Avoid Security Problems the Right Way," by John Viega, and Gary McGraw.

I used to work on a team that managed the internal computer network for a military contractor. One of the practices we adopted was to put the root and administrative passwords into sealed envelopes and place them into a locked file cabinet. The cabinet in turn was located in a keypad protected computer room. The procedure to use the password was to to make a request to the manager, who would then unlock the file cabinet. Once it was used, the activity was logged to a check-out sheet and a new password had to be generated and then sealed. This certainly encouraged discretion in the use of the root password.

If you work in a medium to large size corporate IT environment, no worries, because they are not going to give you that password! But if you work in a small company or start-up, this is a very real precaution. I'm not saying you should push to institute the sealed password process in your company or at home; as any popularity you may have had will quickly shift to infamy. But when you find yourself reaching for total veto power, you might want to ask yourself why do you need it?

Case Study: MSP Delivers Service, Value and Efficiency with ITIL and IT Process Automation

David Shephard — Wed, 09 Jun 2010 14:30:00 GMT

A little while back we sat down with Simon Hansford, Vice President, co-founder and first employee at Attenda to discuss their implementation of AppManager and Aegis. Simon described Attenda as a specialist in the provision of managed services solutions for operating Internet and enterprise applications. In short Attenda runs critical business applications for mid-market companies and ISVs - over 134 at the current count, including: bmi, Christian Aid, easyCar, Microsoft, NHS, Princes, St. James’s Place and Travelodge - ensuring they are 'Always On', so their clients can worry about running their own business and gaining competitive advantage without distraction – simple as that.

(Please visit the site to view this media)

How do these clients benefit?

These clients contract with Attenda with high business-led Service Level Agreements (SLAs) around the availability, scalability and security of their applications. Meanwhile, Attenda is delivering their services across many applications, across thousands of servers, across multiple data centers, across Europe. Their challenge is to deliver that in a scalable consistent manner. "We use NetIQ Aegis to help us automate the delivery of our service." Says Hansford; "It allows us to deliver in a consistent manner, faster and automate processes to a point where we can significantly reduce the overall cost of delivery". With a combination of NetIQ AppManager and Aegis, Attenda can now monitor and automate many more business critical processes on behalf of its clients. These include managing and resolving issues with application availability, server performance, Oracle and SQL Server database capacity and performance and web transaction user experience for its clients.

(Please visit the site to view this media)

What has Aegis enabled Attenda to do that you couldn't before?

"In our monitoring and management center our operators use thirteen industry standard monitoring and management tools. What that means, at times, is that they are presented with an awful lot of data that they have to try to intelligently decipher and determine what is important from unimportant. Aegis helps us automate that and present to our operators the important information at the right time and place." responded Hansford.

"In addition, we have an initiative to scale client support; what we want to do is add more clients onto our platform at a faster rate than new people to service them. This year, specifically, our initative is to save 10,000 hours, that is equivalent to an additional head count of six in support. We are using Aegis to help automate a lot of the common tasks, repetitive tasks, that we no longer need an operator to be involved in."

David Mount, NetIQ's UK technical director, commented that, “Attenda has ambitious growth plans for 2010, and has been able to automate standard and repetitive tasks, with a target for the year to save 10,000 man hours. This will help to free up support resource to concentrate on critical operations by taking care of standard tasks with little to no human interaction required."

(Please visit the site to view this media)

I understand ITIL forms your standard management framework, how has IT Process Automation helped there?

“Automating processes around the ITIL framework and industry standard monitoring and management tools is also a key area for Attenda. At the fomation of Attenda, back in the year 2000, we chose ITIL as the standard service management framework to deliver IT operations. To us as a business, IT operations was all about delivering the services that our clients had contracted us to deliver on their behalf. We chose Aegis as the IT Process Automation tool that would help us improve the processes that we already had in place around ITIL, to get the right information to the right people at the right time so that they make intelligent decisions based upon the data presented in front of them. Then finally, to automate the processes so that we would become more efficient and reduce costs; but more importantly to deliver a faster resolution to service affecting issues."

Tell us about your experience with IT Process Automation; take a few minutes to share a time when IT Process Automation saved your behind, made you look like a genius, or just helped you to get a good night's sleep. And, if you are interested in learning more about Attenda's experiences there is a full case study available.

Does Your Car Key Open Your House?

Garve Hays — Tue, 08 Jun 2010 12:05:00 GMT

I was working with a colleague the other day and watched as he logged on to several Windows servers over Remote Desktop. In each case he typed in a username and password; it was painful to watch! Hadn't he ever heard of Windows Credential Manager? The conflict here is maintaining good password security and actually being able to remember each password! I would be willing to bet the password was the same for each account. I did say this was Windows, so couldn't he have used a single Active Directory account? In this case, the remote server was either in a remote, un-trusted domain, or a stand-alone server belonging to a workgroup.

Still, you might ask "this is on a private network, so what is the big deal?" The answer is that it is a matter of discipline. Until the computing security situation improves, you must make a best effort to protect your own information as well as that of your employer. Furthermore, being on a private network is no guarantee that someone isn't "looking over your shoulder." Gartner estimates that 70 percent of incidents that cause loss of money involve insiders. Thus a significant amount of intrusions come from fellow employees, disgruntled, malicious, or otherwise. Also keep in mind that many of the break-ins into military systems that occurred in the 1990s came from within the network. The persevering "computing enthusiasts" had managed to enter the network by unsecured modem, thus bypassing the external safeguards. It doesn't look like the problem is going away anytime soon.

We talked about discipline earlier; let's apply that online. Internet World Stats show that 26.6% of the global population are online. It is reasonable to expect that most have some form of online account: it might be for automatic bill-paying, company pay-stubs, or health information. The point is that the Internet has permeated our lives. So think about if a criminal is able to capture a single password, and it happens to be the same for all of your online accounts. Guess what? All of your accounts have just been compromised!

So how do you balance convenience against necessary security practice? The good news is you don't have to begin a rigorous course of memory enhancement! Instead, supplement your busy memory with some outside help. Earlier I mentioned Windows Credential Manager. This is a utility provided by Microsoft that allows a Windows user to securely store account information. This information is encrypted using the Data Protection API (DPAPI). The service has improved in Windows 7 with the addition of "vaults" to allow backup and restore, but not all application and online services work with Credential Manager. Fortunately, there are other solutions; on a Mac, there is OS X Keychain; for browsing, there is Firefox Password Manager and IE Credential Cache. In the case of Firefox, I suggest you use a strong, master password. For general use, there is KeePass and Password Safe. There is an article on Lifehacker that reviews password managers. Personally, I started using Password Safe soon after Bruce Schneier mentioned it in his Crypto-Gram newsletter.

To recap, don't use the same password for your online accounts; or your internal ones for that matter. Choose good passwords. Some of the products mentioned above feature password generators. Another tip is to select a passage from a book you may happen to be reading and substitute numbers for vowels. Remember to use more than a single word. Finally, don't be intimidated by having to remember all these passwords! Instead, enhance your memory with a good password manager.

Bad rap for Microsoft Security

Geoff Webb — Mon, 07 Jun 2010 17:30:00 GMT

I may not always agree with Microsoft's comments on security, but I think they sometimes get a bad rap, and in this case, I have to say that I'm not sure that "security concerns" are the full story.

The short version is that Google has announced their decision to remove Microsoft products from their internal users and replace them with Mac OS systems. They say the reason for the change is because of the security problems of Microsoft products. Maybe. But moving to Mac doesn't necessarily mean that things will be any rosier. Of course there are a lot more script-kiddies out there looking for opportunities to pwn unsuspecting IE users. But the recent Google attack was hardly that.

The reality here is that there is no reason (that I am aware of at least) to believe the Mac is any more resilient to these kind of highly targeted attacks than any other OS. Attackers go where the valuable data is, and in the case of Google, I hope they are doing a lot more to secure that data than switching the desk-top system of choice.

Compliance is “Hot”: And we’re not the only ones who think so!

Renee Bradshaw — Mon, 07 Jun 2010 15:47:00 GMT

It’s the beginning of June in Houston, Texas (where NetIQ is headquartered) and it’s starting to get HOT! But, we’ve recently had some exciting news from the good folks at SC Magazine regarding NetIQ Secure Configuration Manager, our compliance assessment, reporting, and remediation product, which has made it positively “Spring-like” around here.

SC Magazine recently reviewed Secure Configuration Manager and delivered a product rating of 5 Stars - the highest rating possible. The reviewer was impressed with the fact that the product provides many compliance templates out-of-the box (for assessment against such compliance standards as PCI DSS, HIPAA, SOX, NERC and FDCC), has a solid overview dashboard for reporting of compliance risk, and can be customized to meet the needs of almost any environment. Overall, SC Magazine reports that the product is “a good value” and states: “If compliance is your hot spot, take a close look at this one.”

Once again, we’d like to thank the folks at SC Magazine for their comprehensive and fair review. We always welcome their feedback and analysis.

And if you happen to be at Microsoft TechEd this week, don’t miss the opportunity to see NetIQ Secure Configuration Manager demo’d at the NetIQ Booth #601.

Active Directory – Maturing Gracefully at TechEd

Erin Avery — Fri, 04 Jun 2010 19:55:00 GMT

I had a great visit with one of our longtime Group Policy Administrator customers today. They’re what I consider to be a very mature IT organization. They’ve built their environment with security in mind and use Group Policy Administrator to help enforce a strict change and approval workflow for editing Group Policy Objects (GPO). While they don’t use our rollback capability often (because they are very diligent in managing the change control process before pushing a GPO live), they rest easier knowing versioning and rollback are available if something were to go wrong.

Over time, they’ve evolved and documented their processes and they know what they need to do to keep the business happy with a fairly small staff working on Active Directory. However, it surprised me to discover that while they have solutions to help them manage many elements of their environment (like Group Policy), they’ve consciously decided over the years to manage Active Directory with native tools, a lot of scripting and a small team of highly talented administrators. For an organization that has consciously focused on controlling risk and implementing security controls from the outset, this approach to Active Directory management seemed counterintuitive to me.

Through continued discussions, I discovered that this organization is increasingly faced with the need to granularly delegate control and, more importantly, offload tier 2 and 3 tasks to the help desk. They’ve relied on a really talented team of Active Directory admins to do this work, historically, but as their organization grows and changes, they need that staff deployed on more strategic initiatives. Enter the need for a solution that helps organizations granularly delegate privileges and streamline Active Directory administration tasks.

Whether Active Directory is increasingly becoming mission critical or already at that level, native management tools can only get you so far. With TechEd coming up next week, I’m excited to chat with you all (stop by NetIQ booth 601 if you’re going to TechEd) about the role of Active Directory in your organization and how you’re approaching the ongoing management and secure administration of Active Directory.

AppManager Top Forum Posts for May

Haf Saba — Thu, 03 Jun 2010 18:00:00 GMT

Hello readers! Lots of good stuff in the forums this month. Read on for some fantastic info!

Win-RT Registry Read and Parameter by Steve Pyatt
Monitoring Security Certificate Expiration by dinykid
Grooming Archive Data from a QDB - changes to DeleteOldArchiveData by Tim Sedlack
Second QDB on one SQL server by Gerald Nannke (check out the SQL tuning tips by Andy)
Problem monitoring SQL servers via IP address by Dirk Oosterbosch

Also, I was recently featured in an online article in MIS Asia Magazine this month - read more here! (warning: security focus! http://www.mis-asia.com/technology_centre/security/securing-sensitive-data)

Enjoy!

What security customers want…Hint: It’s not necessarily world peace

Renee Bradshaw — Thu, 03 Jun 2010 17:59:00 GMT

I’ve just spent an eventful week in the southeast United States visiting with some security and compliance customers. Those of you familiar with my blog know that I’m a relative newcomer to this market, having cut my teeth and spent (or mis-spent, some may say) the bulk of my career in the computer hardware industry at Hewlett-Packard (HP). I must say that I came away from these initial customer visits with a greater appreciation of the pains these customers face daily as they attempt to implement good security practices within their organizations.

The customers we visited seemed overwhelmed by the demands of multiple and competing organizations, both external and internal. Typically, security organizations are faced with the task of implementing multiple compliance mandates, such as PCI DSS, SOX, or HIPAA, across several internal organizations that place their own monitoring demands on security organizations. Additionally, security teams must execute their programs within flexible IT infrastructures that often thwart all efforts to implement repeatable security processes.

They seem focused on providing and demonstrating value to the business. This could be symptomatic of the economic times in which we live. Whether value is achieved by extending current solutions to resolve new issues, or by seeking more effective ways to communicate organizational risk to executive management, the customers I met with know that positively impacting the bottom line is critical to keeping their organizations running smoothly, while getting their jobs done.

And speaking of getting their jobs done, security customers remain laser-focused on improving the security of their sensitive data. All customers have initiatives they are focused on implementing during the upcoming year, initiatives driven either by the demands of external auditors, or by internal business strategies. The types of initiatives being implemented vary greatly and are highly dependent upon the relative maturity of the security program in place. Some companies are looking to focus on implementing good log management solutions, while others are exploring ways to manage role-based access, for example.

Given all these factors and demands, customers are looking for help from vendors who are able to act as trusted partners. Over and over again, customers said they are looking for vendors they can “lean on” when questions arise or security expertise is needed. Vendors that can provide the expertise to help them “extend [their] current security solutions” are preferred over those that are solely product or technology focused.

In many ways, the obstacles these customers face mirror those I encountered when visiting with computer hardware customers back during my days at HP. Additionally, the types of vendors these customers appreciate and seek to do business with also mirror the types sought by computer hardware customers. At the end of the day, customers want help from truly committed vendors who help them perform their jobs better and more efficiently. Certainly simpler for vendors to deliver than world peace, wouldn’t you say?

Demystifying The Cloud.

Haf Saba — Tue, 01 Jun 2010 17:00:00 GMT

If you haven't noticed, there's a bit of a revolution going on. There's another buzzword floating around the conferences, the web sites, the blogs, and the magazines. It's called Cloud Computing. It's certainly not a new topic and I've been hesitant to talk about it on this blog because I wanted to wait and see how the concept developed into solutions for the marketplace along with the marketing around it. I've presented at three conferences this year so far and spoken to numerous journalists during this same period. Cloud computing was heavily mentioned in all occurrances. Journalists want to talk about it and conferences want to focus on it so the content is bleeding edge and promoting the next big thing.

So, what is the cloud? Well, the cloud helps connect, synchronise, update, and extend what capabilities you have in your existing IT environments. It can act as virtual storage, be used for outsourcing opportunities, and fulfill automated processing. The list goes on. Technically speaking though, it's nothing more than more servers, connectivity, software, and networks. That's vague I know, so let me explain it further with some examples.

Over the past 6 months, I've learned a fair bit about the cloud. You might be a bit let down when I tell you that it's not really anything new. The technology that powers it is no different than what we use today. The connectivity around it, while a bit more robust, is still not that far of a departure from what's in use today within the typical corporate data centre. However, I do want to point out the good stuff! Really, the cool thing here is what's possible when having a cloud available. The services being offered are now starting to take advantage of an always-on, always-connected user. This has many benefits.

Consider this - if you've been reading this blog for a while you may notice I mention I travel quite often. All of my travel is international considering I live on an island about 22 miles wide 2 degrees north of the equator in South East Asia. To help keep my mobile phone bill from going crazy with international roaming fees, I carry two phones when I travel and use a local SIM card in the country that I visit. Almost all countries allow me to buy a pre-paid SIM card (except for some random exceptions like South Korea). The two phones I use (both are the Nexus One from HTC) run Google's Android operating system. Due to the OS being tied to my Google account, the two phones stay in sync with each other. When I go overseas, I enable the data connection on my secondary phone that I use as my main device with the local SIM. Within minutes, that phone now has all the contacts, apps, calendar details, Exchange configuration, bookmarks, email, etc. just like my primary phone. The only difference is the calls and internet usage will be much, much cheaper and there's a local number for people to reach me. In addition, both phones are remotely trackable and can be remotely wiped out via SMS or email should one ever get lost of stolen.

How is this possible? I never connect my phones to my laptop to copy data. And this is where the cloud comes in to play. It simply acts as an intermediary between my devices. Any changes in one device are reflected in another all under my control.

To me, that's an exciting service the cloud can offer me and increases my productivity while saving me (and my employer: NetIQ) money at the same time. But really, the technology behind the scenes from a physical perspective is no different. There are still servers upon servers sitting in data centres around the world that store my data and give me the option of synchronising what I need. Sure, the phone and the software running the phone is all new as is the software that's capable to sync all this content but that was all built around the cloud service - and that's the exciting bit - the service offering. The "boring" bit of the cloud and why I say the hardware is nothing new is simply because in many ways, the data is being served from a collection of data centres. These data centres are, however, a bit more connected to the internet and opened up to share their data via various secure means.

Let me provide a more common example of what the cloud can do. Again, it's all around a service the cloud can provide. The back-end technology is still servers, networks, connectivity, and software.

Take something like Content Delivery. When you download a song from iTunes, where do you think it comes from? Apple? Not necessarily. Apple my have processed your credit card transaction but within seconds your information on where to download the song gets sent over to someone else. In many cases, this could be another cloud-based provider such as Akamai. It's up to Akamai to store the content and deliver it to you from a near-by location of one of their servers based on a range of factors. In addition, if this was a newly released and very popular song, Akamai's delivery platform would automatically scale to meet the demand. It's highly sophisticated but to the end-user it's a seamless transaction and you really can't tell what's happening. If you buy the song directly from your iPhone using the iTunes app, then the song will go to your phone instead. All you do is watch the screen anxiously waiting for the song to finish downloading.

There are many more examples I could describe, but they all have a common theme in the technology that powers them. They are all using servers, networks, connectivity, and of course, the software to wrap it all together. What this fortunately means for you is the tools and solutions you use today to manage, monitor, and secure your existing infrastructure can also apply to your cloud environment if you plan on building one. If you're a provider of cloud-based services, the investment you make in the technology to deliver your platform is still going to need the same treatment as you provide your existing infrastructure.

On a recent visit to New Zealand, my colleague Glen and I were having a chat in Wellington over the cloud infrastructure. He used a term that we coined within NetIQ called Rainbow Computing which discusses the idea of inter-connected cloud services. My iTunes example above is an example of this. You have two cloud-based providers sharing data to develop a stronger platform for a cloud-based service. Whether this term catches on elsewhere remains to be seen but just keep in mind that there's more than one cloud out there!

There will be more posts on this topic. At NetIQ, we're serious about the cloud as it plays very nicely into what we offer today in Systems and Security Management. Our process automation capabilities have already been used at locations that offer cloud services. Frankly, this cloud business is still getting going and it's very exciting to see where it will lead. Maybe there really is a pot of gold at the end of that "rainbow"?

Security Spending - Living With a Bad Purchase is a Pain

Erin Avery — Wed, 26 May 2010 16:19:00 GMT

Every time I make a large purchase, my father’s words of wisdom ring in my ears – “Erin, it’s your money, now spend it wisely.” This statement was usually followed up by the old adage, “Money doesn’t grow on trees.” With these two bits of wisdom in mind, I’ve always taken my shopping seriously. I shop until I find what I need at a price point I’m willing to pay. I do my homework and make intelligent purchasing decisions; after all, I do have to live with the consequences of my purchases (I think dad said that one too.)

During a conversation with an industry analyst today, I found myself intrigued by a comment on organizational spending trends. After a year of fiscal lock down, the coffers are opening, and IT organizations have shot into gear. Ready to make up the lost ground they endured when so many projects were put on hold in 2009; some organizations are racing to spend money. Simply stated, some companies are skipping the tried and true proof of concept process and going straight from demo to purchase order, without taking the products for a test drive. Under pressure to make up for lost time, organizations are poised to make bad decisions.

The frantic approach to acquiring technology in an effort to make up for lost time isn’t the answer. There is no “HOV lane” that will allow you to bypass the research phase of acquiring technology – especially security and compliance technology. Compliance is still the number one driver of spending and I’m consistently hearing that organizations are looking for auditing and reporting solutions that help demonstrate compliance more easily with less work.

Compliance will always be a moving target. Your approach to achieving, demonstrating and maintaining it should also be ever evolving. The technologies you employ in your pursuit of compliance should be flexible and sturdy enough to protect your critical data over the long term. The healthiest way to pursue a secure and therefore compliant computing environment is making the right decisions to not only meet the short-term need, but provide flexibility to keep up with your requirements in the future, too. If organizations don’t shop around and do some home work, they may find that they’re not happy living with the consequences of their purchase.

Security, Compliance, Chicken, Egg, and who turned out the lights?

Geoff Webb — Thu, 20 May 2010 19:27:00 GMT

It's a common theme - good security should make compliance easier (and cheaper) but you have to show how whatever you're doing helps meet some compliance mandate, otherwise it won't get funded. So, you start with compliance and work back to security.

But does this approach actually weaken security? Well, maybe if it makes security teams focus on the wrong things.

I had a recent question and answer session with James Powell of Enterprise Systems Journal in which we discussed this very topic. Can compliance be the enemy of security? I'll let you read the article itself and make up your own mind on that. I think it will be very interesting to watch how the power industry deals with the pressures of NERC CIP compliance; especially the interplay between the need to improve security and the need to meet specific, measurable compliance goals in a short period of time. If there's someone out there looking for a case-study for the interaction of these two drivers, this would be a good one.

Not that there's anything wrong with NERC CIP as it stands, but as has been seen over and over in the world of compliance, you get what you measure. So we better hope that, if we want the lights to stay on, we're measuring the right things.

Database Activity Monitoring: Defender of the Corporate Database

Renee Bradshaw — Tue, 18 May 2010 21:33:00 GMT

The next time you’re tempted to “borrow” your co-worker’s subscriber log-in information for Hoover’s, consider the plight of Goldman Sachs. In early May, the company was slapped with $3 million lawsuit by Ipreo Holdings LLC, a New York-based provider of software and market intelligence services for investment banking and corporate clients. Ipreo alleges that Goldman Sachs stole intellectual property from its database of market intelligence facts. According to a recent DarkReading article, the lawsuit claims that Goldman Sachs employees used other people’s access credentials to log into Ipreo’s proprietary database (aka Bigdough) which offers detailed information on more than 80,000 contacts within the financial industry. Ipreo complained to the court that Goldman Sachs employees illegally accessed Bigdough at least 264 times in 2008 and 2009.

The Ipreo Holdings LLC v. Goldman, Sachs & Co. legal case highlights a trend we’ve seen recently in the market -- increasing theft of Intellectual Property (IP), Personally Identifiable Information (PII), and Personal Health Information (PHI.) According to a recent survey by the Computer Security Institute, last year, corporations reported a 5% increase in attacks on IP, PII, and PHI. And because most of this sensitive information resides on corporate databases, which are historically one of the least-protected areas of the IT infrastructure, we have seen a parallel trend of an increased number of attacks on databases. According to the Verizon Business Risk Team 2009 Data Breach Investigations Report, databases ranked second in terms of their caseload but yielded the majority of breached data. In fact, they concluded that 75% of records stolen came from databases.

If the recent lawsuit by Ipreo is a harbinger of things to come, expect the requirement to protect sensitive customer data and corporate intellectual property residing on company databases to become a top organizational priority as executives seek to reduce the costs associated with breach. While the cost of failure is typically defined as the costs associated with regulatory penalties and fines, it can also encompass the effects of mandated disclosure laws and the costs associated with corporate espionage, as evidenced by the Ipreo Holdings LLC v. Goldman, Sachs & Co. legal case.

In this case, a dynamic database activity monitoring solution could have alerted Ipreo to the unauthorized access of their IP well before the Goldman Sachs intruders accessed their database an astounding 264 times. An effective database activity monitoring solution will monitor the activities of privileged users and locate and identify sensitive data. Moreover – and this could have been key in the Ipreo case – a good database activity monitoring solution will detect and alert on risky (anomalous) behavior in real time. In this case, a database activity monitoring solution could have been the “check” to ensure that the individuals accessing and retrieving records were doing so appropriately, in terms of both content and quantity.

When integrated with a Security Information and Event Management (SIEM) solution to provide single, central location for security event management and forensic analysis, and a workflow automation tool to automate responses to security events in real time, a robust database activity monitoring solution can deliver the data protection and compliance you need for today’s constantly evolving threat environment.