Alpha Software is focused on enabling developers to create robust, data-driven business applications that run on any PC, Tablet or Smartphone in the fastest, most efficient and cost-effective manner possible.


Showing posts with label Security framework.

Tuesday, April 28, 2009

Cisco's John Chambers' security storm

As you might have heard, Cisco chairman and CEO John Chambers has been kicking up a security storm recently. During his keynote address at the annual RSA security conference in San Francisco last week, Chambers commented that cloud computing is set to be a major security problem.

He predicts the integration of data, voice, and video will become a normal way of life, but warns this could be a "security nightmare." Here's my two pesos worth on the situation.

Every new technology brings new challenges, not least of them security issues. Generals are often accused of fighting the last war rather than the next one, but in this case the old, tested ways of doing security still apply, and they are largely independent of the technology in play. The unchanged security principles are these:

1. Know where your sensitive information is located, whether that is in the cloud or on a local server nobody has inventoried.

2. Control access to that information. You must be able to identify the people or systems that access it (authentication), and ensure they have proper permission to read or change the data (authorization). The more sensitive the data, the more rigorous the authentication and authorization processes must be.

3. Ensure sensitive information is always protected from prying eyes by encrypting it whenever it crosses a security zone boundary, for example when it leaves a secure data center to travel across the Internet ("the Wildest West"). Encryption in transit protects the data from interception on the wire; it does nothing for data sitting on a compromised endpoint at either end.

4. Build information risk management into the culture of the organization. Security is much more than a few technical point solutions, such as a firewall or intrusion detection device. It is everyone's responsibility, especially executive management.

5. Always be alert for "Black Swans," those unexpected or "unlikely" events that can be career- and business-limiting. That means always assume that the security defenses might be vulnerable to a new threat -- external or internal. So never rest on your laurels, and continually test and challenge the security decisions.

6. If any sensitive information is to be outsourced -- whether to a cloud computing vendor or any other service provider -- apply the same rules of information protection as if the data were in-house, with the added proviso of proper legal and contractual protection.

With these standard practices in place, your organization will be set to take on whatever the future of computing holds, wherever that might be.

Thursday, July 10, 2008

Alpha's Jeff Kalwerisky in InformationWeek

On his first week on the job (I haven't even had the chance to introduce him on the blog yet!), Jeff Kalwerisky is already making waves in the media. InformationWeek published an article on "DNS poisoning" yesterday, and they called on Jeff to offer his counsel to readers. As the new Chief Security Evangelist at Alpha, Jeff's been working overtime to spread the security gospel, and he had some thoughtful words of advice for IT managers facing the dangers of DNS hacking. Here's what Jeff told InformationWeek.



As Chief Security Evangelist for Alpha, Jeff is providing input and oversight on the development of our Web Security Framework, an integrated security system developers use to protect applications and data from unauthorized access. He also counsels Alpha Software VARs, customers, and partners on matters relating to application security, compliance, privacy, and governance.

Jeff has specialized in information security and risk management for over 20 years, including a tour of duty as Executive of the Security and Risk Management practice at Accenture. He focuses on information risk, information security governance, and security standards, including ISO 27002, PCI DSS (Payment Card Industry Data Security Standard), and COBIT (Control Objectives for Information and Related Technologies).

He has consulted to Fortune 100 companies and national governments, helping them develop enterprise security governance policies and frameworks, and deploy technology solutions that strengthen information security and data privacy/protection. He also managed security-related projects, including risk assessments, vulnerability testing, and security incident triage.

Jeff was also appointed Principal Security Architect for U.K.’s National Health Service IT infrastructure project, which remains the largest healthcare IT development initiative in history serving 50 million people.

Before Accenture, Kalwerisky was VP of Consulting Services for SecureWare, which pioneered the world's first Internet bank, Security First National Bank. His work ensured Security First and connected banks were secure and capable of passing audits by the Office of the Comptroller of the Currency.

Before that, Kalwerisky served as director of global security for VeriSign, where he was responsible for ensuring that affiliates in 30 countries adhered to VeriSign's rigorous security standards. He also managed an international team of security managers to design, deploy, and monitor secure data centers around the globe. These centers protected the sensitive cryptographic keys used to sign digital certificates, the lifeblood of e-commerce.

Kalwerisky is the author of Windows NT: Guidelines for Security, Audit and Control and Security Audit and Review Guide. His executive training courses on the use of advanced technologies for secure e-commerce, such as cryptography and biometrics, have been delivered to executives and developers internationally.

He's a busy guy! And off to a great start! Way to go, Jeff.

Thursday, November 08, 2007

Security Framework

I recently caught a BBC program about how undercover IRS officials convinced IRS Help Desk personnel to reset online account passwords for various taxpayer accounts, changing them to passwords that the undercover person suggested.

They were successful 50 percent of the time, despite presenting no legitimate proof they even worked for the IRS. Once they had the password, they had full access to the taxpayer's account.

Every week, news breaks about passwords or entire databases of personal information stolen or breached. As a Web application developer, I constantly deal with sensitive user information, and build systems that include password storage.

I've received databases from clients that contain passwords, user IDs, Social Security numbers, driver's licenses, and other highly sensitive information.

I've seen hundreds of user passwords, and most of them are obvious or silly -- such as the user's first name, or a variation of a common, four-letter word. And I'm willing to bet it's the same password they use for their bank account and other personal services.

My clients often ask me to make the password and user ID visible in the database, so their Help Desk can provide it to users. While I have yielded in the past, I now absolutely refuse to create a Web application with the password accessible to anybody other than the user. I tell the client the password is "owned" by the user, not the developer or the Web application client.

Alpha Five's new Security Framework makes enforcing this philosophy easy. Users can be required to choose a "complex" password at the outset, and they can recover or reset the password themselves.

The password is automatically encrypted in the database, so the stored value is useless on its own if the database is stolen. Help Desk personnel will never know the password; in fact, Alpha Five's Security Framework doesn't even have a function that allows you to view it. The property that matters here is that the stored value cannot be turned back into the password: the right design is a salted, deliberately slow one-way hash rather than anything the application itself can decrypt, because a decryption key the application holds is usually one that an attacker who takes the database can take too.

In addition to employing the new Security Framework in all my database work, I also uphold certain personal policies regarding Web application security. They are:

* Never send an e-mail that contains both the user ID and the password. The Security Framework helps here, since the only route to recovering or resetting a password is through the Framework itself.

* When a user registers for a new online account, mandate a double opt-in process, whereby the Web application sends a confirmation e-mail to the would-be user. If they try to log in before confirming their e-mail address, tell them to watch for the e-mail and offer to send a new one -- but don't let them in!

* Always provide a means for users to remove themselves from the online system, and completely remove their account if they do un-register (saving any history or business data as required by the client).

* Make everything automatic and confirmed by e-mail. No Help Desk person should be involved, unless the user loses their user ID. The user ID is most often their e-mail address. (Note that I currently don't allow users to recover user IDs online. I might change my position in the future, as the Security Framework offers secure methods to handle this.)

* Provide a local user database with non-security information as a mirror to the Security Framework table. The Help Desk staff can search that user list for any non-sensitive information. If a user calls and provides sufficient evidence, the Help Desk can give them or reset their user ID. They can also reset the password, but the Help Desk personnel should not be able to view the old password, and the user should be required to change their reset password when they next log in.

* When registering for a new account, require users to read a EULA (End-User License Agreement) and check a box beside the words "I have read and agree to abide by the Terms of Use." If you are a developer, require clients (or their lawyers) to write a EULA that includes Terms of Use and a Privacy Policy, and mandate its use. You can also provide EULA templates that clients can adapt.

* Be a conformist. From a security standpoint, do everything you can to make your applications behave like your bank or utility company -- often the most secure applications online.

To make that last arrangement work, you need to provide methods that keep the local user table in sync with the Security Framework table, so the Help Desk view never drifts from the real account list.
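The following is an added example, not Alpha Five or Security Framework code, showing the policies above (complex-password check, one-way password storage, double opt-in, a Help Desk reset that never reveals a password and forces a change at next login, account removal, and a non-sensitive mirror table the Help Desk can search) in one small account store. The class and method names, the PBKDF2 parameters and the sample account are all assumptions for illustration; e-mails are "sent" by returning the token so it runs offline.

```python
import hashlib
import hmac
import os
import re
import secrets

# Hypothetical settings: PBKDF2-HMAC-SHA256 with a deliberately slow work factor
PBKDF2_ITERATIONS = 600_000
DUMMY_SALT = os.urandom(16)  # used so unknown user IDs cost the same time as wrong passwords


class PolicyError(Exception):
    pass


def check_complexity(password: str) -> None:
    """Reject the first-name and four-letter-word passwords: length plus mixed classes."""
    if len(password) < 10:
        raise PolicyError("password must be at least 10 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        raise PolicyError("password must mix at least three character classes")


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """One-way, salted, slow: the stored value cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class AccountStore:
    def __init__(self) -> None:
        self._credentials: dict[str, dict] = {}  # security table: salts, hashes, tokens
        self.directory: dict[str, dict] = {}     # mirror table: non-sensitive fields only

    def register(self, email: str, password: str, display_name: str, accepted_terms: bool) -> str:
        """Creates an unconfirmed account; returns the token that would be e-mailed."""
        if not accepted_terms:
            raise PolicyError("terms of use must be accepted")
        if email in self._credentials:
            raise PolicyError("account already exists")
        check_complexity(password)
        salt, digest = hash_password(password)
        token = secrets.token_urlsafe(32)
        self._credentials[email] = {"salt": salt, "hash": digest, "confirmed": False,
                                    "confirm_token": token, "must_change": False}
        self.directory[email] = {"display_name": display_name}
        return token

    def confirm_email(self, email: str, token: str) -> bool:
        rec = self._credentials.get(email)
        if rec is None or rec["confirm_token"] is None:
            return False
        if not hmac.compare_digest(rec["confirm_token"], token):
            return False
        rec["confirmed"], rec["confirm_token"] = True, None
        return True

    def login(self, email: str, password: str) -> str:
        """Returns 'ok', 'unconfirmed', 'must_change' or 'denied'."""
        rec = self._credentials.get(email)
        if rec is None:
            hash_password(password, DUMMY_SALT)  # burn the same time; no user enumeration
            return "denied"
        if not verify_password(password, rec["salt"], rec["hash"]):
            return "denied"
        if not rec["confirmed"]:
            return "unconfirmed"  # tell them to watch for the e-mail; don't let them in
        if rec["must_change"]:
            return "must_change"
        return "ok"

    def helpdesk_reset(self, email: str) -> str:
        """Help Desk can reset but never sees the old password, and cannot pick the new one.
        The random temporary password goes to the registered e-mail address (returned
        here for the offline example) and must be changed at next login."""
        rec = self._credentials[email]
        temp = secrets.token_urlsafe(12)
        rec["salt"], rec["hash"] = hash_password(temp)
        rec["must_change"] = True
        return temp

    def change_password(self, email: str, old: str, new: str) -> bool:
        rec = self._credentials.get(email)
        if rec is None or not verify_password(old, rec["salt"], rec["hash"]):
            return False
        check_complexity(new)
        rec["salt"], rec["hash"] = hash_password(new)
        rec["must_change"] = False
        return True

    def unregister(self, email: str) -> None:
        """Remove the account from both tables; business history lives elsewhere."""
        self._credentials.pop(email, None)
        self.directory.pop(email, None)

    def helpdesk_lookup(self, query: str) -> list[tuple[str, dict]]:
        """Searches only the mirror table, so no salt, hash or token is ever reachable."""
        q = query.lower()
        return [(e, d) for e, d in self.directory.items()
                if q in e.lower() or q in d["display_name"].lower()]
```

The two tables are kept in the same object so every write to the security table is paired with the matching write to the mirror, which is the sync the post calls for; the Help Desk is handed only `helpdesk_lookup` and `helpdesk_reset`, neither of which can return a password.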

To see all of these policies in action, visit this Web site.

Wednesday, October 17, 2007

TechRepublic features Alpha Security Framework

Security is a big concern for any database developer. That's why Alpha Five includes a new Security Framework. As I discussed in my last post, this new tool set keeps you covered at every level of your Web application.

I gave everyone here a first peek at my latest white paper that reviews the most popular methods for Web application registration and login. And now, I'm happy to say, it's available on the TechRepublic directory.

Registration is required, but it's free, and TechRepublic often provides great advice on how to make your technology work in business. It's a good resource to have, especially now that you know you can find advice from Alpha up there. ;)

Stay ahead of the curve by staying safe. Bone up on the Alpha Security Framework, and lock down those applications!
