Note-to-self: MVA Learning Path – Security for the Chief Security Officer (CSO)

From a LinkedIn connection (thx Jeff and congratz on the achievement) I received an interesting pointer to a set of courses on MVA, Microsoft Virtual Academy.

An MVA ‘learning path’ is a combination of learning courses.
Just recently MVA published the ‘Security for the Chief Security Officer (CSO)’ learning path.

Check it out at : https://mva.microsoft.com/learning-path/security-for-the-chief-security-officer-cso-21

It combines 6 courses (better make sure to access them from the learning path):

  1. How to Harden Your Enterprise in Today’s Threat Landscape
  2. Cybersecurity Reference Architecture
  3. Cloud Security from the Field

BTW: have a look on the ‘security’ based content on Microsoft Virtual Academy, you’ll be surprised how much you can (continue to) learn.

See: https://mva.microsoft.com/search/SearchResults.aspx#!q=security

Advertisements

That alphabet of Security starts with I of “Identity”

It’s an understatement to say security is moving fast, it’s changing very rapidly and the pressure to keep up with it, increases too.

From various angles, people in IT (as in Information Technology), are under fire to keep the infrastructure secure. Cloud is getting mature, new features pop up every week.
It’s almost a contradiction, but also legislation is catching up to close the holes regarding the protection of people’s security and privacy.

In many cases, the first reaction of customers, management, ITPros, Developers, DevOps,… is to look for the ultimate and ideal tool that will help to plug the security hole.

But if you only focus on the tooling, you’ll discover rather sooner than later, it is not sufficient to get your security watertight.
One of the basic reasons is that tools can’t be implemented properly without involving people and processes. I don’t need to explain the PPT (people-proces-technology) or PPP (people-proces-products) triade, right?

Lots of security management approaches and certifications handle this triad (ISO27001, CISSP, … I’ll cover that another time.

(credits: smart picture of ITGovernance.co.uk)

Rather than diving into the search for a tool, you better take a step back and consider first.

What’s the primary function of security?
Protecting an item that you want to keep (safe), right?

[The reason (“why”) for keeping it safe = the CIA triad, Confidentiality, Integrity and Availability]

When you think about the processes (“how”) to secure  an asset (anything that is worth securing), there are 3 basics actions you need to define

  • authorization: what you can do with the asset (the CRUD stuff, create/read/update/delete)
  • identification: who needs the authorization?
  • authentication: the method to proof your identity (using passwords, passes, cards, 2FA, MFA, …)

This is essentially the foundation of my credo “no security without identity”

Just by interpreting the basic components of security, you directly hit the “PROCESS” part of the PPT triad.
Now, here’s were most technical people get into trouble… not knowing how to put this in practice.

But let me ask you a simple question: within the normal, usual businesses or companies, where does the identity process typically start?
Yes, correct, HR (Human Resources)

The second question: can you name at least 2 typical high-level HR processes (for people).
Answer: something like “hire” and “fire”, or synonyms like “onboarding/off-boarding”, “termination”, “end-of-life” (but that sounds pretty dramatic when talking about people…).

These 2 events announce the beginning and the end of a lifecycle, the identity lifecycle.
And to make it complete, you also need to define the life-in-between as people change over time.

BTW, just a small side step here: this does not apply to humans only, but any other asset in your environment has pretty much the same cycle and it does not matter if it’s considered “IT” or not… computer, certificates, smart cards, disks, tapes, … but also cars, documents, …

This idea to consider the lifecycle as universal, is a great approach to explain the “identity lifecycle” to non-techies that get involved in the identity lifecycle processes.

This is the common ground you can use to talk to HR people, business managers, Executive level, …

Now, if you look on the internet for pictures on identity lifecycle management, you’re smashed with a lot of complex schemas…

google_identitylifecycle

Many of results are variations of 3 essential processes

hire-change-fire1

Depending on your background you might name them differently, like:

1AA.png

For the sake of simplicity, when teaching IDM and security workshops I usually only keep the keywords “Hire”, “Change” and “Fire”.
Short and easy to remember for most people.

For your understanding, the circle approach  would assume you start over again after the “Fire” block, but that’s not always the case. The cycle might stop.
So, the approach below is easier to visualize for most people.

Clockwise:

  1. Starting the cycle at (1),
  2. updating the identity at (2),
  3. exiting the cycle at (3)

hire-change-fire2

As I mentioned, earlier, virtually any IT or asset related proces is basically working like this.

Now, let’s take it a step further… How does identity management control security?

A first thing to consider is the typical length of the hire-change-fire modules.

How many tasks/steps does it usually take to complete each of the 3 steps?
Keep the asset in mind and keep it simple…

Typical actions in a hire process:

  • signing contract
  • getting an network/AD account
  • getting an email address
  • getting building access
  • IT stuff (laptop, …)

Pretty straight forward…
How much time would it take, in simple cases to start working?  Hours if not days.

What about the change process? For example, you get promotion to team lead or head of department…

  • hand over your tasks to peers
  • get ramped up on new job
  • in some cases, there is segregation of duties, getting rid of existing rights permissions
  •  getting access to new environment
  • changing communications channels (notifications to stakeholders of change)

In reality, this usually takes a few weeks.

And what are the typical things your consider for the “fire” process?

  • informing stakeholders/customers
  • disabling the account
  • changing password
  • lock account
  • removing access
  • extracting documentation form personal storage
  • move documents to manager or team
  • handing over ownership
  • knowledge transfer
  • data backup/archiving
  • cleaning the mailbox
  • deleting the account (* not always allowed for various reasons)
  • sending legal / tax documents
  • and more…

As you can understand, this entire termination process might take months… In many situations the termination process must be executed in different steps, like:

  • Disabling the account till x+30 days (for example, revert in case the person gets a renewal)
  • Removing access on x+60 days
  • Kill mailbox on X+90
  • Remove the account on X+1y (or even: never)

In some cases accounts must be kept for legal reasons or tracking/cybersecurity reasons…

The further you go in the lifecycle, you need to combine more tasks, and tasks or decisions get more complex.

Overall you can distinguish 2 properties of these processes: duration and complexity. Both go up.

complexity

procesduration

Now, when considering security, why is this important?
Instead of discussing the impact of successful processes, it’s easier to find out what happens if it fails.

WHAT IF… (the process fails)??

Let’s run through the cycle again….

What if the “Hire” process fails?

  • you can’t access the building
  • you do not get an account
  • you can’t logon
  • you can’t access documents

Basically, on your first (few) day(s) you can’t work. Sorry!
But what’s the balance for security: just great, because the risk is nearly 0, except for a bad start and a bit of reputation damage..
At the end: you can’t do any harm, essentially.

In case of the “change” process, a larger part of the tasks and operations will impact the security posture.

When your “change” process fails,  for example

  • you can still access your old documents
  • you get more access (eg collecting access of your old and new role)
  • you start collection sensitive accesses over time
  • managers don’t know
  • user profiles get copied from existing colleagues in the same team (no ‘reset’ or the permissions before the new ones are assigned)

So for this second piece of the circle, the impact might be significant, over time.

But for the “end-of-life” the story is completely different, a failing “deprovisioning” scenario has major impact on the business and IT process

  • accounts stay active
  • accounts not being disabled
  • access not removed
  • active accounts not detected
  • account with highly privileged access still active
  • accounts being deleted too soon
  • unauthorized users that have access to critical resources
  • hackers go undetected for a long time, using sleeping accounts
  • hardware not returned,
  • data stolen,
  • over-use of budgets to software licenses that are not revoked
  • access badges allow unauthorized access to your building and environment
  • failure to ‘deprovision’ old hard disks properly expose your company data to interested (unauthorized) parties…
  • …,

It’s clear that a failing deprovisioning/end-of-life process has major impact on your enterprise security.

risk.png

And hackers or disgruntled employees like that.

Of course you can imagine the benefits of an efficient and effective end-of-life process. It’s the opposite.

Does that require you implement an automated identity management?
No.

That’s where ISO27001 and eg GDPR surprises a lot of people.

Once you’ve got the basic processes in place you can discuss tooling, not the other way around.

questforsecurity

You have
no security without managing your identity.

you want
no identity without security.

Did I mention  that I’ll be presenting more of this fun stuff on TechoRama 2017.
Check it out here: http://sched.co/9M94

I’m very proud to present a session on the ABC of identity: Maximizing security with 10 simple processes.

 

June 2017: @TroyHunt is back in Belgium for his workshop ‘Hack Yourself First’. Wanna join?

ZIONSECURITY will be welcoming Troy Hunt again. The 1st and 2nd of June, he will be leading a ‘Hack Yourself First’ workshop where he will teach professionals how to break into their own applications. Find out the program and register here!

#update: download the flyer with program and details here: Flyer Troy Hunt June.

I have been there the last time, it was great fun, lots of interaction. And I certainly would recommend you to join.

What if you really wanna join, but your boss is not willing to sponsor? (While he SHOULD!).
Or any other silly reason you can’t attend?

Well, you know, if you can provide me a very good, strong, original and unique argument why you MUST be at this workshop, you might be lucky.

You know the channels to reach out to me and test your luck.

Some suggestion, send me a direct message:
1. Comment on this post,

2. mail me, tweet me (direct message!), F@ceBook me, LinkedIn …

Convince me and it could be you sitting at the first row.

Note-to-self: Security Compliance Manager 4.0 now available for download!

Sometime you get some silent signals that you have been way too busy…

Like stumbling into an announcement of a tool you evangelise…

Security Compliance Manager 4.0 now available for download!

 

 

 

#FIM2010 / #MIM2016 not so dead, and what you didn’t hear.

What seemed to be a small note on a MPN blog, landed on LinkedIn and finally got into a pretty… eh how would you name it … disappointing, bizar, vicious, mean, deviant, misunderstood .. nah .. just a wrong direction, has caused quite some confusion.

And looking at the IM and messages I get, it still is.

Let me spoil the clue of the story: Microsoft Identity and Access, FIM, MIM,… IS … ALIVE. VERY MUCH ALIVE. (NOT DEAD)
If you need more detail, continue…

Lots of things have been said and I don’t want to repeat too much stuff, and certainly don’t want to take credit for it.
But let me pick some core components of the discussion and get a few things straight.

Why not refer to the sources first, by chrono. (If you want to have them in a short list all together, quickly read through the post till the end.)

It started here (by Gavriella Schuster on 12 April 2016):

https://blogs.partner.microsoft.com/mpn/microsoft-partner-network-evolution/?ln=en-US

In essence Gavriella discusses MPN (Microsoft Partner Network) competencies and mentions the “The retiring competencies”, which include: “Identity and Access”.
She doesn’t mention any product specifically, but she doesn’t mention either that “Identity and Access” is being moved to the Enterprise Mobility Management (EMM) competency.
This is clearly a cause for confusion, disappointment and misunderstanding.

But if you continue to read her post and check the next paragraph, you’ll see:

  • Interactive MPN Evolution Guide – This NEW interactive tool is your first step to guide your decision process. Use this to explore all of the new paths and options and easily identify which is the best fit for your business.
  • MPN Evolution Page – This is an overview of the changes, including the full list of impacted competencies and timeline.
  • FAQ – We have received feedback from some of your peers in our advisory councils and compiled answers to some of the questions we anticipate you might have. We will continue to build on these as we receive new questions.

 

After a few clicks in the MPN evolution guide, you’ll see that “Identity and Access” is now in the Enterprise Mobility Management (EMM) competency. But it takes a few pages to find out. Right.

Also the MPN Evolution FAQ (downloadable PDF) says:

“Identity and Access Competency

Q) Where can I find more information about Enterprise Mobility Suite and partner opportunities?
A) For Enterprise Mobility Suite information, go here. For competency information, go here.

Q) Where can I find more info around Enterprise Mobility Suite incentives eligibility via the Enterprise Mobility Management Competency?
A) To learn more about EMS Incentives, visit the portal page, here. ”

A few days later a post on LinkedIn interpretes the competency change as “It marks the end of MIIS, ILM, FIM, and MIM“.
This opinion/ interpretation ignited a discussion or list of comments that even got vicious and mean if not incorrect. But I’ll leave that to your own interpretation.

But I can certainly advise to read all of it.

One of the key comments is posted by Alex Simons (Director of PM, Microsoft Identity Division): (quote)

“This focus area has just been combined with Mobility as we believe the overall category is merging as part of the shift we are seeing among customers to a modern end-user productivity model which merges Identity, Mobiltiy and Information Protection together to enable workers to get their jobs done wherever they are. So don’t let the merger fool you! We have more engineers working on Identity and Access Managemebt today (600+ across the cloud and on-premises) than we have ever had before at Microsoft!”

Apparently, due to some technical issues, an important comment of David Steadman never got posted to that thread. And probably for that reason, it got disconnected.
But it’s a damn important insider-note or add-on to Alex’ message.

“Identity within Microsoft not Dead!!”

“/../ this is not the end to identity platform. It simply transforming to what customers are demanding, just like MIIS changed and ILM. Merging the assets makes sense, As we have seen with this product and others. If you do not change you will be left behind it is a strategic change that meets the demand of our Azure Customers and On-premise Customers. Also the MIM product group has release a few new additions to MIM CTP4 /../”

“… Because Microsoft is the Identity platform and as this merger of Identity, Mobility and Information Protection continues you will see great add to the story and services.”

A few days later, , posts an interesting reply to the discussion. To jump to his conclusion: “ Success in the cloud is underpinned by a well-engineered Identity and Access infrastructure – and that is usually a hybrid on-premises/cloud infrastructure involving MIM, AD, Azure AD and much more. You can call it what you like, but rumours of its death have been greatly exaggerated.

And to close the discussion, you might want to get up to speed on what Microsoft Identity and Access aka Enterprise Mobility is heading to… with another post by Hugh.
It’s the essence of the whole story: Identity and Acces, now Enterpise mobility is not limited to the ‘identity technology’ anymore: consider”Advanced Threat Analytics, Secure Islands, Adallom, hybrid identity, devices and enterprise mobility management, Microsoft Identity Manager (MIM) including Privileged Access Management (PAM), new features in Microsoft’s Enterprise Mobility Suite, including changes in Azure Active Directory, Rights Management, and Intune… and more.

It’s damn clear that a specialist in Microsoft Identity & Access (eh sorry, Enterprise Mobility), will have plenty of work in the future.

That being said, here’s the short list.

References list of LinkedIn articles:

But that’s not all.
Recheck the Microsoft support lifecycle for the various products and save it for future reference:

 

*EDIT – 13/may/2016 … the discussion continues*
Above was the customer friendly version, as I’ve got quite some queries for details.
So it allows to explain that the pronounced dead essentially was a hoax.

On the FIM/MIM FB group, there was a very pertinent remark by Gil Kirkpatrick which I’m allowed to share here:

I’ve been utterly baffled at the public reaction to all of this… I’ve had probably a dozen people (a Kuppinger-Cole guy for chrissakes) tell me how MSFT has failed to crack the IAM market and how they’ve given up and EOL’d FIM/MIM, and now its a free-for-all and tha datacenter is on fire, and …, well you get the idea. It’s like nobody even bothered to read the announcement, and I don’t know, maybe look up some of the words in the dictionary if they were having trouble understanding it.”

+1

I personally think this is exactly the reason that David, Hugh and others (including me) have been fighting this hoax.

And I’ll not go into the view and recent reports of the market watchers, like Kuppinger-Cole and Gartner on Identity and Access, Identity Governance, .. whatever.
These are valuable if the reports are built on current, solid data.
But if a vendor does not participate in the survey for a year, or two, because their product stack is been overhauled and set ready for the future.. and therefore the ‘product suite’ does not fit to the market watchers categories (so it drops from the reports), it’s no reason to burry a product/vendor.

And certainly if these reports are published one year later…
Things are moving fast, very fast.

Note-to-self: Normalization of deviance in security: how broken practices become standard [must read]

If you would search the internet you’ll quickly find the original quote… “Normalization of deviance in software: how broken practices become standard”

All credits go to the original post: http://danluu.com/wat/

And to honor the truth completely, the hint was posted by Joe Richards at http://blog.joeware.net/2016/01/04/5683/
Joe has highlighted some important remarks in his blog post. But there is more…

What reasons do people or companies have NOT to implement best practices or ‘forget’ to implement them.
What easily becomes accepted as normal, why not speak up if you think something is wrong…

Just replace the ‘software’ in the article and title by ‘security’ …

Simply must read!
[Or actually, simply must implement, every day.]