identity
34 Topics

Integrate F5 SSL VPN with CheckPoint Identity Awareness
Problem this snippet solves:

Goal

This snippet allows you to use "identity based" rules on a CheckPoint firewall to manage the permissions for users connected by SSL VPN with F5 APM.

Context

Usually, when deploying SSL VPN with F5 APM, you need to use F5 ACLs to manage the permissions for the VPN users, defining which user or group is allowed to reach which servers or networks. These rules may duplicate existing rules implemented in the company's core firewall. Since the mapping (username, assigned VPN IP) is known only by F5, it is impossible for the core firewall to apply the proper filtering based on user identity.

The idea with this snippet is to be able to manage all the rules centrally on the CheckPoint firewall, such as the following:

- User "Paul Anderson" is allowed to reach the network 10.10.1.0/24
- User "Robert Schmitt" is allowed to go everywhere except 10.10.2.0/24
- Active Directory group "Admins" is allowed to go everywhere on TCP ports 443 and 22

This snippet allows this kind of rule, defined on a CheckPoint gateway, to work also when the users are connected with F5 APM SSL VPN.

How it works

We are using the new CheckPoint R80 Web API to send the association (username, assigned VPN IP) to the CheckPoint gateway. The VPN connection follows these steps:

1. The user "Paul Robert" connects to the F5 SSL VPN (through the Edge Client or the browser helper)
2. The user "Paul Robert" is given an IP by F5 within the "lease pool": let's say 192.168.1.13
3. F5 sends an HTTP request to the CheckPoint Identity Awareness Web API containing the association: 192.168.1.13 --> "Paul Robert"
4. When Paul generates traffic through the VPN, this traffic is seen as coming from the source IP 192.168.1.13 from the CheckPoint firewall's point of view.
5. The firewall is able to apply the proper "identity based rules" because it knows that 192.168.1.13 is actually "Paul Robert"

How to use this snippet:

Requirements

- APM module provisioned on F5
- SSL VPN service already configured with APM
- Import the iRule "HTTP Super Sideband Requestor" on your F5 (Download here). This iRule must be named "HSSR" and must be in the partition "Common"
- CheckPoint Gateway R80 with the blade Identity Awareness enabled
- Existing firewall rules based on identity

CheckPoint Identity Awareness Web API

By default, the Web API is not enabled on a CheckPoint gateway; you need to configure it first. The configuration consists of setting which source IPs are allowed to use the API and defining a secret for each client. It is done in the gateway object from the Smart Console:

Here I configured my F5 as a WebAPI client with the secret "Fr38N....."

Once the configuration is done, you need to install the policy on the gateway to apply the configuration.

To validate that the Web API is working, you can use the following bash command on F5:

    curl -k -v --data '{ "shared-secret":"<api_secret>", "ip-address":"1.2.3.4", "user":"testuser1" }' https://<checkpoint_gw_ip>/_IA_API/v1.0/add-identity

This command sends the association (IP: "1.2.3.4" --> User: "testuser1"). If successful, you should get the following message from the gateway:

    {
      "ipv4-address" : "1.2.3.4",
      "message" : "Association sent to PDP."
    }

F5 configuration

Once you've validated that the CheckPoint Web API is working and the F5 SSL VPN is ready, the configuration needed to integrate F5 with CheckPoint consists of the following 4 steps:

1. Create a new pool
   - Pool member: CheckPoint gateway IP / port 443
   - Monitoring: TCP
2. Create a new local virtual server
   - Type: standard
   - Destination: a fake, non-existing IP address (such as 1.1.1.1 for example)*
   - Port: 443
   - Server SSL profile: serverssl-insecure-compatible
   - Pool: previously created pool
   - Source address translation: Automap (if needed)
3. Import the iRule in this snippet with the following adaptations:
   - Change <secret_api> with your WebAPI secret
   - Change <vs_name> with the name of the previously created virtual server
4. Add this iRule to your existing SSL VPN virtual server

Testing

After the iRule has been applied, every new VPN connection should append the following line to the log file /var/log/ltm on F5:

    VPN : Publishing VPN IP in CheckPoint identity - SUCCESS

Moreover, all your existing "identity based rules" in CheckPoint must now work with clients connected through the F5 VPN.

Notes

For this configuration we made two assumptions:

- The "network access" object for the VPN is not doing any SNAT (SNAT Pool: none). If "Automap" is used for the network access, all the connected clients are hidden behind the same IP, so there is no way to identify the users outside of F5.
- In the iRule, we suppose the username to send to CheckPoint is present in the APM variable "session.logon.last.username". If that is not your case, you need to adapt the iRule by changing this variable name.
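The add-identity exchange described above, as an added example that is not part of the original snippet: it builds the request body with a JSON encoder instead of string substitution, validates the VPN IP against the lease pool before publishing it, and checks the gateway reply against the two fields shown in the sample response. The function names, the lease-pool CIDR 192.168.1.0/24, the secret and the login name CORP\paul are assumptions constructed for illustration; only the JSON field names, the IPs and the success message come from the page.

```python
"""Offline sketch: build and check an Identity Awareness add-identity exchange."""
import ipaddress
import json

# Success text the page shows in the gateway's reply.
EXPECTED_MESSAGE = "Association sent to PDP."

# Constructed sample values (not from a real deployment).
SECRET = "constructed-secret"
LEASE_POOL = "192.168.1.0/24"   # assumed CIDR containing the page's 192.168.1.13
AD_USER = "CORP\\paul"          # AD-style DOMAIN\user login name
PAGE_REPLY = '{ "ipv4-address" : "1.2.3.4", "message" : "Association sent to PDP." }'


def interpolated_body(secret, vpn_ip, username):
    """Body built by plain string substitution, with no escaping of the values."""
    return ('{ "shared-secret":"%s", "ip-address":"%s", "user":"%s" }'
            % (secret, vpn_ip, username))


def encoded_body(secret, vpn_ip, username, lease_pool):
    """Body built with a JSON encoder after validating both inputs.

    lease_pool is the CIDR of the VPN lease pool (an assumed parameter): an
    address outside it should never be published as a VPN identity.
    """
    ip = ipaddress.ip_address(vpn_ip)      # ValueError on empty or garbled input
    if ip not in ipaddress.ip_network(lease_pool):
        raise ValueError("%s is outside lease pool %s" % (ip, lease_pool))
    if not username or any(ord(ch) < 0x20 for ch in username):
        raise ValueError("empty username or control character in username")
    return json.dumps({"shared-secret": secret,
                       "ip-address": str(ip),
                       "user": username})


def parses_as_json(text):
    """True if text is syntactically valid JSON."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def association_confirmed(reply_text, vpn_ip):
    """True only if the reply is JSON, echoes the IP that was sent and
    carries the success message; a substring match alone is not enough."""
    try:
        reply = json.loads(reply_text)
    except ValueError:
        return False
    return (isinstance(reply, dict)
            and reply.get("ipv4-address") == vpn_ip
            and reply.get("message") == EXPECTED_MESSAGE)


if __name__ == "__main__":
    naive = interpolated_body(SECRET, "192.168.1.13", AD_USER)
    safe = encoded_body(SECRET, "192.168.1.13", AD_USER, LEASE_POOL)
    print("substituted body is valid JSON:", parses_as_json(naive))
    print("encoded body is valid JSON:    ", parses_as_json(safe))
    print("page reply confirms 1.2.3.4:   ", association_confirmed(PAGE_REPLY, "1.2.3.4"))
```

A login name containing a backslash or a double quote makes the substituted body invalid JSON, while the encoded body carries it unchanged.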
Code :

when RULE_INIT {
    ## Secret configured on CheckPoint to authenticate the F5 to the Web API
    set static::checkpoint_api_secret "<secret_api>"
}

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    # Thx to John Alam for this way to get assigned VPN IP
    # https://devcentral.f5.com/s/questions/how-do-i-record-the-ip-assigned-to-a-client-after-login
    if { [HTTP::uri] starts_with "/myvpn?sess=" } {
        # Wait 5 seconds before reading the session variables
        after 5000 {
            set api_username [ACCESS::session data get session.logon.last.username]
            set vpn_ip [ACCESS::session data get session.assigned.clientip]
            set jsonBody "{ \"shared-secret\":\"$static::checkpoint_api_secret\", \"ip-address\":\"$vpn_ip\", \"user\":\"$api_username\" }"
            # Send the association through the local virtual server created for the CheckPoint Web API
            set sts [call /Common/HSSR::http_req -virt /Common/<vs_name> -uri "http://checkpoint.webapi.local/_IA_API/v1.0/add-identity" -method POST -body $jsonBody -rbody apiResp]
            if { $apiResp contains "Association sent to PDP" } {
                log local0. "VPN : Publishing VPN IP in CheckPoint identity - SUCCESS"
            } else {
                log local0. "VPN ERROR : Failed to publish the VPN IP in CheckPoint Identity : $apiResp"
            }
        }
    }
}

Tested this on version: 13.0

Social Login to Enterprise Apps using BIG-IP & OAuth 2.0
Password fatigue is something we’ve all experienced at some point. Whether it’s due to breaches and the ever present, ‘update password’ warnings, the corporate policy of a 90-day rotation or simply registering for a website with yet another unique username and password. Social login or social sign-in allows people to use their existing Google, Twitter, Facebook, LinkedIn or other social credentials to enter a web property, rather than creating a whole new account for the site. These can be used to authenticate, verify identity or to allow posting of content to social networks and the main advantage is convenience and speed. With v13, BIG-IP APM offers a rich set of OAuth capabilities allowing organizations to implement OAuth Client, OAuth Resource Server and OAuth Authorization Server roles to implement social logins. Let's look at BIG-IP’s capabilities (from the user's perspective) as an OAuth Client and OAuth Resource Server. We’ll navigate to our BIG-IP login screen and immediately you’ll notice it looks slightly different than your typical APM login. Here, you now have a choice and can authenticate using any one of the 4 external resources: Azure AD Enterprise and AD B2C along with Google and Facebook. Google and Facebook are very popular social login choices - as shown in the initial image above - where organizations are looking to authenticate the users and allow them to authorize the sharing of information that Google and Facebook already have, with the application. In this case, we have an application behind BIG-IP that is relying on getting such information from an external third party. For this, we’ll select Facebook. When we click logon, BIG-IP will redirect to the Facebook login screen. Now we’ll need to log into Facebook using our own personal information. And with that, Facebook has authenticated us and has sent BIG-IP critical info like name, email and other parameters.
BIG-IP has accepted the OAuth token passed to it from Facebook, extracted the info from the OAuth scope and now the application knows my identity and what resources I’m authorized to access. We can do the same with Google. Select the option, click logon and here we’re redirected to the Google authentication page. Here again, we enter our personal credentials and arrive at the same work top. Like Facebook, Google sent an authorization code to BIG-IP, BIG-IP validated it, extracted the username from the OAuth scope, passed it to the backend application so the application knows who I am and what I can access. Let's look at Microsoft. For Microsoft, we can authenticate using a couple editions of Azure AD – Enterprise and B2C. Let’s see how Enterprise works. Like the others, we get redirected to Microsoftonline.com to enter our MS Enterprise credentials. In this instance, we’re using an account that’s been Federated to Azure AD from another BIG-IP and we’ll authenticate to that BIG-IP. At this point that BIG-IP will issue a SAML assertion to Azure AD to authenticate me to Azure AD. After that, Azure AD will issue an OAuth token to that BIG-IP. BIG-IP will accept it, extract the user information and pass it to the application. Finally, let’s see how Azure AD B2C works. B2C is something that companies can use to store their non-corporate user base. Folks like partners, suppliers, contractors, etc. B2C allows users to maintain their own accounts and personal information. In addition, they can login using a typical Microsoft account or a Google account. In this case, we’ll simply use a Microsoft account and are directed to the Microsoft authentication page. We’ll enter our personal info, the servers communicate and we’re dropped into our WebTop of resources. 
Social logins not only help enterprises offer access to certain resources, they also improve the overall customer experience with speed and convenience and allow organizations to capture essential information about their online customers.

ps

Related:
- What are social logins?
- The Most Popular Social Logins Globally [Infographic]
- Understanding the Benefits of Social Login – How does it add value to your website?

Configuring Active Directory authentication
Hello,

Need some help setting up F5 SSO Solution, in this scenario F5 to act as an Identity Provider. Following the SSO document https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/3.html

Stuck at the point "Configuring an access policy to provide authentication from the local IdP". Willing to use Active Directory Authentication.

Configuring an access policy to provide authentication from the local IdP

Configure an access policy so that this BIG-IP systems (as an IdP) can provide authentication for SAML service providers.

1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
2. In the Access Policy column, click the Edit link for the access profile you want to configure to launch the visual policy editor. The visual policy editor opens the access policy in a separate screen.
3. Click the (+) sign anywhere in the access policy to add a new action item. An Add Item screen opens, listing Predefined Actions that are grouped by General Purpose, Authentication, and so on.

I do not see an EDIT option here at the Access Profiles, attached is the screen capture.

Just wondering what I missed here... Any help is greatly appreciated..!!!

Internet of Insider Threats
Identify Yourself, You Thing!

Imagine if Ben Grimm, aka The Thing, didn’t have such distinctive characteristics like an orange rocky body, blue eyes or his battle cry, ‘It’s Clobberin’ Time!’ and had to provide a photo ID and password to prove he was a founding member of the Fantastic Four. Or if the alien in John Carpenter’s The Thing gave each infected life-form the proper credentials to come and go as they please. Today the things we call ‘Things’ are infiltrating every aspect of society but how do organizations identify, secure and determine access for the 15+ connected chips employees will soon be wearing to the office? And what business value do they bring? Gartner refers to it as the ‘Identity of Things’ (IDoT) and an extension to identity management that encompasses all entity identities, whatever form those entities take. According to Gartner, IoT is part of the larger digital business trend transforming enterprises. It means that the business, the people/employees and the ‘things’ are all responsible in delivering business value. The critical part is the relationships between or among those participants so the business policies and procedures can reflect those relationships. Those relationships can be between a device and a human; a device and another device; a device and an application or service; or a human and an application or service. For instance, how does the system(s) know that the wearable asking for Wi-Fi access is the one connected to your wrist? It really doesn’t since today’s Identity and Access Management (IAM) systems are typically people-based and unable to scale as more entities enter the workplace. Not to mention the complexity involved with deciding if the urine powered socks the VP is wearing gets access. The number of relationships between people and the various entities/things will grow to an almost unmanageable point. Could anyone manage a subset of the expected 50 billion devices over the next 4 years?
And set policies for data sharing permissions? Not without a drastic change to how we identify and integrate these entities. Talk about the Internet of Insider Threats. That's IoIT for those counting. Gartner suggests that incorporating functional characteristics of existing management systems like IT Asset Management (ITAM) and Software Management Systems (SAM) within the IAM framework might aid in developing a single-system view for IoT. The current static approach of IAM doesn’t take into account the dynamic relationships, which is vital to future IAM solutions. Relationships will become as important as the concept of identity is for IAM in the IDoT, according to Gartner. My, your, our identities are unique and have been used to verify you-are-you and based on that, give you access to certain resources, physical or digital. Now our identities are not only intertwined with the things around us but the things themselves also need to verify their identity and the relationship to ours. I can hear the relationship woes of the future:

A: ‘I’m in a bad relationship…’
B: ‘Bad!?! I thought you were getting along?’
A: ‘We were until access was denied.’
B: ‘What are you talking about? You guys were laughing and having a great time at dinner last night.’
A: ‘Not my fiancé…it’s my smart-watch, smart-shoes, smart-socks, smart-shirt, smart-pants, smart-belt, smart-glasses, smart-water bottle, smart fitness tracker and smart-backpack.' IT said, 'It’s not you, it’s me.'

ps

- The Identity of Things for the Internet of Things
- IoT Requires Changes From Identity and Access Management Space: Gartner
- What is IoT without Identity?
- IoT: A new frontier for identity
- Health and Finance Mobile Apps Still Incredibly Insecure
- Internet of Things 'smart' devices are dumb by design
- Authentication in the IoT – challenges and opportunities

Ask the Expert – Why Identity and Access Management?
Michael Koyfman, Sr. Global Security Solution Architect, shares the access challenges organizations face when deploying SaaS cloud applications. Syncing data stores to the cloud can be risky so organizations need to utilize their local directories and assert the user identity to the cloud. SAML is a standardized way of asserting trust and Michael explains how BIG-IP can act either as an identity provider or a service provider so users can securely access their workplace tools. Integration is key to solve common problems for successful and secure deployments.

ps

Related:
- Ask the Expert – Are WAFs Dead?
- Ask the Expert – Why SSL Everywhere?
- Ask the Expert – Why Web Fraud Protection?
- Application Availability Between Hybrid Data Centers
- F5 Access Federation Solutions
- Inside Look - SAML Federation with BIG-IP APM
- RSA 2014: Layering Federated Identity with SWG (feat Koyfman)

Access Control in the New Mobile, Hybrid World
There is a brave new world dawning for the corporate world. There are many “new norms” – and a gold rush of new opportunities, but also new challenges with which they come – streaking like lightning throughout organizations. The workforce of today and into the future is, and will continue to be mobile. Consider that according to analyst IDC, 37 percent of the worldwide workforce will be mobile by the end of 2015. That’s about 1.3 billion mobile workers, worldwide – not to mention there will be two or more times as many mobile devices as mobile workers! – by the end of this calendar year! Then, consider this: According to Orange Business Services, 55 percent of worldwide business IP traffic will be mobile business Internet traffic by 2018. Mobility is here, and it’s here to stay. (In the Asia Pacific region, IDC anticipates the bring your own device (BYOD) market will continue its robust growth. There were an estimated 155 million smartphones and over 4 million tablets in use supporting BYOD initiatives across the region last year (2014), with year-on-year growth of 40.4 percent and 62.7 percent, respectively. And, that’s not even considering the burgeoning area of wearable devices, either.) As the mobile workforce accelerates like a rocket into the stratosphere, cascading torrents of smartphones, tablets, and wearables across organizations in its wake, the number of cloud- and SaaS-based applications used within organizations is also skyrocketing at a breakneck pace. According to a recent study sponsored by SkyHigh Networks, there are on average 759 cloud services in use by today’s organizations. The most puzzling piece isn’t the magnitude of in-use cloud apps and services. Instead, it’s that, according to a Cloud Security Alliance study, most organization IT teams believe they have fewer than 50 cloud-based apps in use.
That means that over 700 cloud apps and services on average are in use within enterprises – but no one (but the user) has control over those apps and services, and any corporate information shared with them! The problem is, you cannot defend what you don’t know about! Finally, the last piece of the “new norm” puzzle for organizations is the hybrid network, an eclectic mix of data center and cloud-based apps and data, with a stew of hosted private, public and cloud infrastructures. According to analyst Gartner, “while actual hybrid cloud computing deployments are rare, nearly three-fourths of large enterprises expect to have hybrid deployments by 2015.” Consider that a mobile workforce will drive infrastructure changes, needed to address a more diverse device ecosystem. Then consider that infrastructure addressing mobility requires greater investment in cloud-based apps and services to support that expanding device ecosystem. So, as you can see, the future of the network fabric for the foreseeable future will be hybrid. So, with a “new norm” of mobility, cloud, and hybrid networks, how can organizations address network, application, and data accessibility? With so many new devices that are mobile and are under limited corporate control, and applications and data scattered about the network and in various clouds and SaaS deployments, how can an enterprise be assured of fast, appropriate, authenticated and authorized access? With so many variables, there is one constant that remains: Identity. The user – and their identity – is, arguably, the “new perimeter” for the enterprise, today and onward. As the traditional network perimeter has been broken, fragmented, and in many instances shattered into many pieces, identity has become the new perimeter. 
As applications, data, and even networks move faster toward the cloud, and the user-controlled, BYOD-driven mobile ecosystem expands exponentially, corporate control has become more difficult, dispersed, and dependent on others – and many times, that’s the security-uninformed and apathetic user. User identity, though, never changes. And, backed by authentication, authorization, and accounting (AAA), identity is now the first line of defense for secure corporate access. But, identity is just the tip of the spear for controlling the new parameters of access. The context of a user’s access request, and their environment at the time of access request, follow identity; inarguably, they have as much to do with securing appropriate access as identity. The ability to address the 5 w’s and 1 h (who, what, when, where, why, and how) assures, enhances, and differentiates secure access to networks, clouds, applications and data – wherever they may reside and however they are comprised. Ensuring user identity is efficiently, securely shared between networks, clouds, applications, and data – wherever they live – is now a necessity. Yet, there are challenges: Identity silos, on-premise identity with cloud- and SaaS-based apps and data, and user password fatigue leading to weak user names and passwords – which are easily compromised. That’s where building an identity bridge comes in. Federation builds a trusted chain of user identity between two entities – networks, clouds, applications, etc. – through industry standards, such as SAML. The cumbersome duplication and insertion of identity directories becomes unnecessary. Identity and access is controlled by an enterprise, with authentication occurring between the enterprise, and cloud and SaaS providers. Instant user authentication and its termination is centralized and under enterprise control. Identity federation delivers access visibility and control together.
Leveraging identity for access control, and building identity bridges are now imperative for organizations, as applications move outside the enterprise domain, the workforce and their devices are more mobile and leave the enterprises in droves, and the enterprise domain, too, has moved. It’s the “new norm”.

CloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist?
This question has been puzzling a few folks of late, not just CloudFucius. The Judicial/legal side of the internet seems to have gotten some attention lately even though courts have been trying to make sense and catch up with technology for some time, probably since the Electronic Communications Privacy Act of 1986. There are many issues involved here but a couple stand out for CloudFucius. First, there is the ‘Privacy vs. Convenience’ dilemma. Many love and often need the GPS Navigators whether it be a permanent unit in the vehicle or right from our handheld device to get where we need to go. These services are most beneficial when searching for a destination but it is also a ‘tracking bug’ in that, it records every movement we make. This has certainly been beneficial in many industries like trucking, delivery, automotive, retail and many others, even with some legal issues. It has helped locate people during emergencies and disasters. It has also helped in geo-tagging photographs. But, we do give up a lot of privacy, secrecy and confidentiality when using many of the technologies designed to make our lives ‘easier.’ Americans have a rather tortured relationship with privacy. They often say one thing ("Privacy is important to me") but do another ("Sure, thanks for the coupon, here's my Social Security Number") noted Lee Rainie, head of the Pew Internet and American Life Project. From: The Constitutional issues of cloud computing You might not want anyone knowing where you are going but by simply using a navigation system to get to your undisclosed location, someone can track you down. Often, you don’t even need to be in navigation mode to be tracked – just having GPS enabled can leave breadcrumbs. Don’t forget, even the most miniscule trips to the gas station can still contain valuable data….to someone. How do you know if your milk runs to the 7-Eleven aren’t being gathered and analyzed? 
At the same time, where is that data stored, who has access and how is it being used? I use GPS when I need it and I’m not suggesting dumping it, just wondering. Found a story where Mobile Coupons are being offered to your phone. Depending on your GPS location, they can send you a coupon for a nearby merchant along with this one about Location-Based strategies. Second, is the Fourth Amendment in the digital age. In the United States, the 4th Amendment protects against unreasonable searches and seizures. Law enforcement needs to convince a judge that a serious crime has/is occurring to obtain a warrant prior to taking evidence from a physical location, like your home. It focuses on physical possessions and space. For instance, if you are committing crimes, you can place your devious plans in a safe hidden in your bedroom and law enforcement needs to present a search warrant before searching your home for such documents. But what happens if you decide to store your ‘Get rich quick scheme’ planning document in the cloud? Are you still protected? Can you expect certain procedures to be followed before that document is accessed? The Computer Crime & Intellectual Property Section of the US Dept of Justice site states: To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet.
The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer if it would be prohibited from opening a closed container and examining its contents in the same situation….Although courts have generally agreed that electronic storage devices can be analogized to closed containers, they have reached differing conclusions about whether a computer or other storage device should be classified as a single closed container or whether each individual file stored within a computer or storage device should be treated as a separate closed container. But, you might lose that Fourth Amendment right when you give control to a third party, such as a cloud provider. Imagine you wrote a play about terrorism and used a cloud service to store your document. Maybe there were some ‘surveillance’ keywords or triggers used as character lines. Maybe there is a scene at a transportation hub (train, airport, etc) and characters themselves say things that could be taken as domestic threats – out of context of course. You should have some expectation that your literary work is kept just as safe/secure while in the cloud as it is on your powered down hard drive or stack of papers on your desk. And we haven’t even touched on compliance, records retention, computer forensics, data recovery and many other litigating issues. The cases continue to play out and this blog entry only covers a couple of the challenges associated with Cloud Computing and the Law, but CloudFucius will keep an eye on it for ya.
Many of the articles found while researching this topic:

- The Constitutional issues of cloud computing
- In digital world, we trade privacy for convenience
- Cloud Computing and the Constitution
- INTERNET LAW - Search and Seizure of Home Computers in Virginia
- Time to play catch-up on Internet laws: The gap between technology and America's laws hit home last week in a court decision on network neutrality
- FCC considers reclassification of Internet in push to regulate it
- Personal texting on a work phone? Beware your boss
- High Court Justices Consider Privacy Issues in Text Messaging Case
- Yahoo wins email battle with US Government
- How Twitter’s grant to the Library of Congress could be copyright-okay
- Judge Orders Google To Deactivate User's Gmail Account
- FBI Warrant Sought Google Apps Content in Spam Case
- State court rules company shouldn't have read ex-staffer's private e-mails
- District Took 56,000 Pictures From Laptops
- Can the Cloud survive regulation?
- Group challenging enhanced surveillance law faces uphill climb
- Watchdogs join 'Net heavyweights in call for privacy law reform
- Digital Due Process
- Judge's judgment called into question
- Dept of Justice Electronic Evidence and Search & Seizure Legal Resources
- Electronic Evidence Case Digest
- Electronic Evidence

Finally, you might be wondering why CloudFucius went from A to C in his series. Well, this time we decided to jump around but still cover 26 interesting topics. And one from Confucius himself: I am not one who was born in the possession of knowledge; I am one who is fond of antiquity, and earnest in seeking it there.

ps

Fear and Loathing ID Theft
Do you avoid stores that have had a credit card breach? You are not alone. About 52% of people avoid merchants who have had a data breach according to a recent Lowcards survey. They surveyed over 400 random consumers to better understand the impact of identity theft on consumer behavior. 17% said they or a family member was a victim of identity theft over the last year with half the cases being credit card theft. 94% said they are more concerned or equally concerned about ID theft. They estimate that there were 13.5 million cases of credit card identity theft in the United States over the last 12 months. These concerns are also changing the way some people shop. Over half (56%) are taking extra measures to protect themselves from identity theft. Some of these behaviors include using a debit card less (28%), using cash more (25%), ordering online less (26%) and checking their credit report more (38%). These are all reasonable responses to the ever challenging game of protecting your identity and is important since 89% of security breaches and data loss incidents could have been prevented last year, according to the Online Trust Alliance's 2014 Data and Breach Protection Readiness Guide. The game is changing however, and mobile is the new stadium. Let's check that scoreboard. Most of the security reports released thus far in 2014, like the Cisco 2014 Annual Security Report and the Kaspersky Security Bulletin 2013 show that threats to mobile devices are increasing. We are using them more and using them for sensitive activities like shopping, banking and storing personally identifiable information. It is no wonder that the thieves are targeting mobile and getting very good at it. Kaspersky's report talks about the rise of mobile botnets and the effectiveness since we never shut off our phones. They are always ready to accept new tasks either from us or, a foreign remotely controlled server with SMS trojans leading the pack. 
Mobile trojans can even check on the victim's bank balance to ensure the heist is profitable and some will even infect your PC when you USB the phone to it.

[Figure: Distribution of exploits in cyber-attacks by type of attacked application]

I guess the good news is that people are becoming much more aware of the overall risks surrounding identity theft and breaches but will the convenience and availability of mobile put us right back in that dark alley? Mobile threats are starting to reach PC proportions with online banking being a major target and many of the potential infections are delivered via SMS messages. Sound familiar? Maybe we can simply cut and replace 'PC' with 'Mobile' on all those decade old warnings of: Watch what you click!

ps

Related:
- Some consumers changing habits because of data breach, ID theft worries, report finds
- LowCards Exclusive Study: Identity Theft Concerns Shifting Shopping Habits of Americans
- Kaspersky Security Bulletin 2013. Overall Statistics for 2013
- Mobile Payments and Devices Under Attack
- An SMS Trojan with Global Ambitions
- Mobile Malware Milestone
- Mobile Threats Rise 261% in Perspective
- Nine Security Best Practices You Should Enforce

Breaking up with your identity: it’s not me, it’s you!
Let me tell you why I’m glad my gran is not on the Internet. When it comes to technology security most of my experience is with customers: with other people’s systems, not mine. However, today I write about a personal experience that scares me a little.

I signed up for a Gmail account back when it was an invitation-only beta service. My first impression of it was nothing short of wow! This exclamation was inspired by its simplicity, and the fact that it offered an enormous amount of free space. I recall being impressed by the fact that in a time of rapid innovation the Gmail team weren’t trying to do too much with it. I think it was the first time I was able to describe a web-based service as being humble and I don’t think I’ve seen anything like it since, until maybe Medium. Over the years my relationship with Google grew to include Google Docs, Google Sites, Analytics and even ‘Google Apps for Your Domain’. Our relationship blossomed – not quite this far, but we were on a good thing.

Being an early adopter often means getting first pick of your account name and avoiding the dreaded nathanpearce1234. One cannot win all the time and I don’t always get my way but occasionally there is room for compromise. For example, when I signed up for Twitter, @NathanPearce was already taken. Consequently, and like many others, I reversed my name and have been happily tweeting from @PearceNathan for a few years now. It did weird me out a little when @NathanPearce followed me earlier this year (are you reading this post, @NathanPearce?). For the sci-fi fans: fortunately, I didn’t implode, burst into flames or leap to a parallel universe at this occurrence.

I’ve managed to come to terms with the fact that there are a number of people in the world named Nathan Pearce. Mum, you were wrong! There’s a Nathan Pearce working at Sony Entertainment, another is a web savvy 9 year old, and then we have the most interesting Nathan Pearce of all – the web-challenged, heavy-metal loving, corn farmer.
And it’s not just his music and farming preferences I’m familiar with. I also know where he travels, his preferred dating sites (a niche farmer-friendly service) and a number of other interesting factoids. How do I know all this? Because Nathan-corn-metal, as he will be known hereafter, keeps providing my email address to people thinking that it is his own.

Before you start speculating as to how this mishap can occur, a lesser-known fact about Gmail is how it handles a period before the @ symbol. With Gmail, the following email addresses are all the same:

firstlast@gmail.com
first.last@gmail.com
f.irstlast@gmail.com

And so on. I’ve heard of some clever people using this to their advantage: providing one format for family, another for shopping on-line, etc., and then using Gmail filters to file (delete) messages as appropriate. So, I can confirm that this isn’t a simple formatting mistake. Nathan-corn-metal believes that my email address are belong to him. This mistake (delusion) might seem trivial to some but has also led to a few interesting circumstances.

Email confirmation

Nathan-corn-metal does get on the net from time to time. My first interaction was when he signed up for Decibel Magazine – a heavy metal e-zine. I’ve started to enjoy the monthly issues and have been following the developments of many a ‘Lars’ and the up and coming band, Monster Magnet. I’m still not listening to the genre but I’ve developed an appreciation that was never there before. I do hope he renews again this year, for the third time!

What Nathan-corn-metal has not learned to appreciate is that when one signs up for a service on-line, there is often no process to confirm one’s contact details. The moment he hit Submit, the subscription was handed over to me and, unfortunately, I have no way of letting him know of the error, as email is the only detail of contact provided.
Telephone bookings

I’ll admit that the Decibel Magazine subscription didn’t actually tip me off as to the problem at hand. It was the creation of an on-line travel account. I assume Nathan-corn-metal’s account was set up over the telephone for the following reasons:

the login id was the email address
there was a flight booking already in the account

So, how did I know there was a flight booked, you may ask? Was there not a password on the account? Yes, there was a password on the account. However, I didn’t need it as there was a link in the automated email addressed to me that went straight to the booking, providing me with access to everything including account preferences and the booking page.

Good Samaritan for the good intention

At this point I started thinking about how I would feel if I’d made such a mistake and I decided to try and fix things. Surely, the travel company had a contact phone number. I called the travel agency asking to speak to a representative about an existing booking. To their credit, they were very quick to answer the phone. Unfortunately, every moment after this was truly shocking. I didn’t play any games for, despite his apparent learning difficulties, Nathan-corn-metal, for all I know, could be a decent chap. But my attempt at doing the right thing was met with resistance. Maybe it was a lack of understanding of the urgency of the problem? I didn’t know but I had to attempt a new tactic. Being told over and over again that it wasn’t the travel agency’s problem was not good enough.

Next, I explained it in terms of liability by advising that I would be altering the flight details and then maybe booking myself a trip to Venice using their customer credentials. Then by explaining that as they were the ones to leak said credentials it should make interesting reading in the news. Suddenly, my suggestion that they lock down the account and contact Nathan-corn-metal by telephone immediately was set in motion. Should this have been so difficult?
Lesson learned?

When so many on-line services fail to provide sufficient checks to ensure we are who we say we are, it is suddenly very simple for a lot to go wrong. I’m delighted to say that I still communicate with my grandparents via hand-written letter for I don’t believe that the Internet is a safe place for them. While the law might have clear definitions for liability, in reality, what is practiced is far from acceptable. Some organizations are building in security checks but only from the perspective of hacking attempts. What about a simple mistake at the time of account creation as done so by the aforementioned head banging tractor driver? In this example, holding off on the creation of an account until verification via OTP (One Time Password) for example would eliminate many false positives during account creation. Never underestimate the human element!

Tech Fractals: Technology Trends and Integration
#IDAM #Cloud #SSO Patterns repeat. Anything else is irrational.

First, the paragraph that spawned this post:

"The increasing use of cloud-based services is driving the need for better and more interactive single sign-on (SSO) and federated identity management (FIM) services. It is building relationship dependencies between businesses, their partners and suppliers, and customers." -- Ovum Research, "Cloud: Transforming the IAM Industry"

First, I beg to differ on the conclusion that cloud is "transforming" the IAM industry. It's pretty much the same as it's ever been. Single sign-on (SSO) is still about protocol transitioning; it's just the case that protocols have been abstracted into APIs. Federated Identity Management (FIM) is SAML wrapped up in a nice name. This is not transformational. Organizations have been integrating authentication and authorization across the Internet since after the dot com bust. XML gateways, anyone? WS-SEC? Seriously, this is not transformational. At best it's evolutionary.

Now, if you know anything about fractals, you know that they're fascinating mathematical constructs because they are patterns from micro-versions of the same pattern. If you look closely at one of my favorites, you can see the small "dragon" is repeated to form the larger "dragon" in increasingly sized replicas of the same pattern. Fractals are fairly easily created using well-understood algorithms (okay, they're easy if you're a student of computer science and aren't afraid of math) and they are also found (and given cool names) in nature.

Turns out they're also found in technology trend cycles. Every single new technology trend seems to go through the same set of technologies through the maturation process. It's kind of the Hype Cycle, only it's not focused on the maturity and value of the technology, but rather the realization that a certain technology is suddenly applicable or necessary to take the next step toward maturation of the trending technology.
Single sign-on and identity federation are two similar technologies that appear in every technology trend cycle. Once adoption reaches about the half-way point (often considered mainstream) attention turns to enterprise-focused concerns about integration with corporate identity stores and how to include the distribution and supply-chain channels in the buy and sell-side process.

It's a pattern. It happened with Web-based applications. Remember Passport? The Liberty Alliance? It happened when SOA was the trend du jour. There were literally hundreds of WS-* standards created by OASIS, most of them emerging at about the same point in the technology trend cycle as they did with the Web. And today the technology du jour is cloud. It should be no surprise that SSO and IDAM are rising to the fore. It's about time, after all. Adoption of cloud is well-established and organizations are beginning to turn to more corporatey, business concerns like how do I control who is using my services and how do I integrate my channel into the process.

As SDN rises in ascendancy, we're going to see the same concerns in likely the same order raised. We've already started to see, peppered here and there, the inevitable "security" concerns that initially plagued and inhibited cloud adoption rise with respect to SDN. And soon after that we'll see interoperability with legacy networks rise to the fore as folks realize a hybrid approach (either transitory or by design) is necessary.

Patterns. They happen on almost a predictable timetable when it comes to technology trends. Cloud and SDN are no different in that respect. The emergence of these concerns is not because of cloud; it's because it's a natural progression that stems from the greater implementation and adoption process. If you want to know what the next big thing is going to be for any given technology trend, just examine the last trend we left lying on the side of the information superhighway.