The world of Information Security this week (Mar 22nd to Mar 26th, 2010) March 26, 2010

Posted by Michael Stephenson in Cloud Computing, Cloud Computing Security, Data Loss Prevention, Identity Management, Information Security.

A quick look at the highlights of the news in the world of Information Security this week for busy Security people.

Topics Covered:

Cloud Security

Application Security

New Security Releases

including

Data Loss Prevention

Identity Management

Role Management

Cloud Security

McAfee will offer a service to secure the cloud. McAfee Cloud Secure combines cloud security certification services with automated auditing, remediation and reporting capabilities to bring extra security to the cloud. http://www.channelinsider.com/c/a/Security/McAfee-Forms-Cloud-Security-Program-102498/

Details from McAfee at: http://www.mcafee.com/uk/enterprise/products/hosted_security/

The Cloud Security Alliance pushes towards a cloud security standard. It is working with other organisations and suppliers to push towards a cloud security standard, or at least some consistency, across cloud infrastructures to ensure security is tight and right. It has been working with the MashSSL Alliance, an organization that evangelizes the use of a next generation SSL standard for cloud computing, and Novell. http://www.crn.com/security/224000080;jsessionid=1W0AGTPNSJIH5QE1GHPSKH4ATMY32JVN

Details of Novell’s cloud security offerings are here: http://www.novell.com/products/cloud-security-service/

Common Assurance Metric (CAM). A 24-strong consortium of service providers, vendors, government organisations and consultants has begun work on a set of measurements designed to make it easier for businesses to compare the security features offered by cloud-computing providers. The project, launched on Monday, aims to provide metrics that will consist of objective, quantifiable measurements, the as-yet unnamed consortium said in a statement. It will draw from existing standards, which are often industry specific. http://www.zdnet.co.uk/news/it-strategy/2010/02/09/group-aims-to-set-standard-for-cloud-security-40032011/

There is not much detail yet of what is planned for this initiative, but it is something that is very much needed by organisations moving into cloud computing, to enable them to measure the effectiveness of the security of the services they will be providing to their customers. Without such metrics they don’t really know how secure a service is until they suffer a breach, which could damage them beyond repair.

For members of LinkedIn there is a discussion on this topic at this link: http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers&discussionID=15718500&gid=1864210&commentID=13504742&trk=view_disc

Application Security

Google has introduced a security testing tool called Skipfish. It is an open source, fully automated, active web application security reconnaissance tool. Google described Skipfish as a tool that prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments. http://www.scmagazineuk.com/google-introduces-open-source-security-testing-tool/article/166207/

Details of the tests included in the software can be found here: http://code.google.com/p/skipfish/wiki/SkipfishDoc

New Security Releases

SailPoint adds provisioning to IdentityIQ. SailPoint has added end-to-end provisioning capabilities to its identity governance solution, SailPoint IdentityIQ™, and can now automate the entire user access request and fulfilment process. http://www.prnewswire.com/news-releases/sailpoint-releases-next-generation-provisioning-solution-88806867.html

Details of the provisioning engine can be found at the SailPoint web site here: http://www.sailpoint.com/product/provisioning-engine/

Updates to Avatier Identity Management Suite (AIMS) 8.0 have been announced. Avatier’s Identity and Access Management solution adds several new enterprise features as well as a new module, Compliance Auditor, for integration of governance management with access validation and SOX remediation. It also adds a new module, Identity Analyzer, that includes bottom-up role mining, identity correlation and advanced analytics. http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20100317005497&newsLang=en

Details of Compliance Auditor can be found here: http://www.avatier.com/compliance-auditor.html

Details of Identity Analyzer are here: http://www.avatier.com/identity-analyzer.html

RSA, EMC’s security arm, has enhanced its Data Loss Prevention Suite with more than 70 new features for scanning, workflow, reporting, and global content processing. Version 8.0 of the RSA DLP Suite allows discovery and remediation of more data types and sources, including native scanning of Microsoft® SharePoint® and IBM Lotus Notes®. The product can also scan and fingerprint IBM DB2 databases. The new release also includes enhanced capabilities for Chinese, Japanese and Korean languages. http://www.channelinsider.com/c/a/Security/RSA-Upgrades-DLP-Suite-Capabilities-276902/

Details of the RSA DLP Software can be found here: http://www.rsa.com/node.aspx?id=3426

McAfee has announced McAfee Data Loss Prevention (DLP) to help secure sensitive data on internal systems and removable storage media. The tool is designed to run through McAfee’s ePolicy Orchestrator platform. http://www.v3.co.uk/v3/news/2259973/mcafee-unveils-loss-prevention

Details can be found here: http://www.mcafee.com/uk/enterprise/products/data_protection/data_loss_prevention/network_data_loss_prevention_manager.html

Courion® Corporation announced the integration of its Access Assurance Suite 8.0 with Symantec Data Loss Prevention 10 to create a content-aware identity and access management (IAM) solution. This integration will enable organisations not only to discover sensitive data, but also to see who has access to it and whether that access is appropriate, providing a picture of end-to-end data security and compliance. http://www.courion.com/company/press_release.html?id=616

Details of Courion’s Access Assurance are here: http://www.courion.com/solutions/access-assurance.html