Patrick Parker

Recent Posts

Congratulations to the OPA Team and Community!

Posted by Patrick Parker on Sun, Feb 28, 2021

There has been some exciting news for those of us who have been following the evolution of Open Policy Agent as an new technology for distributed policy enforcement. The Cloud Native Computing Foundation (CNCF) has announced that Open Policy Agent has demonstrated the maturing and adoption level to warrant graduation from its status as an incubating standard. This is a major accomplishment for the OPA team and community. At EmpowerID, we have been tracking its progress and integrating it into our external authorization offering.

CNCF Announcement: https://www.cncf.io/announcements/2021/02/04/cloud-native-computing-foundation-announces-open-policy-agent-graduation/

The CNCF describes OPA as follows: "OPA is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. The project was accepted into the CNCF sandbox in April 2018 and one year later was promoted to incubation. More than 90 individuals from approximately 30 organizations contribute to OPA, and maintainers come from four organizations, including Google, Microsoft, VMware, and Styra."

I've included a short video below of EmpowerID leveraging OPA in conjunction with another exciting standard for authorization, User Managed Access 2.0 (UMA).

 

 

 

Tags: open policy agent, authorization

Cyber Attacks: What You Need to Know and Do

Posted by Patrick Parker on Fri, Oct 25, 2019

photo-1510915228340-29c85a43dcfe

Unsurprisingly, Verizon’s 2019 Data Breach Investigations Report doesn’t make for comfortable reading.

In 2018:

  • 43% of security breaches involved small businesses
  • 52% involved hacking (69% of the attacks proved to be the work of outsiders)
  • 33% were through social media
  • 28% involved malware.

(Verizon, 2019)

What’s also important to note is that C-level executives were 12 times more likely to be the target of a social engineering incident and nine times more likely to be the target in a breach caused by social engineering. Given this much higher target rate, it’s clear that modern cybercrime organizations are deducing that there’s higher value in a more targeted, high level attack (Barth, 2019).

Unfortunately, for many businesses, and despite the increased risks and chances of hacking, they are still using outdated methods and approaches. What’s worse is that some are even following the same approach to cyber security today as they were a decade or so ago.

As we mention in our Anatomy of a Cyber Attack white paper, that’s simply not going to work in today’s business theater. So much so that

Businesses Should Assume They Have Already Been Hacked and Are Currently Under-Siege

Seriously, that is the best, easiest, and most practical way to look at your security efforts to date.

Suffice it to say that, if information security is something you’ve been lackadaisical with up to now, today’s the day… [you need to change that]. You need to get wise to what’s happening. Before it’s too late.

Yes, there is a lot of information out there (much of it false), and though not having enough information can be fatal, the opposite is also true.  Either one can lead to 3 critical issues:

  • ineffective planning
  • insufficient mitigation of risks
  • inability to recover quickly following a breach.

With that last point, above, you don’t need us to tell you how important your customers are to your business.

In terms of numbers, Bryan Littlefield, CISO of Aviva, said that following a customer data breach, research suggests that of those customers who are thinking of cancelling their account with you, 50% of them actually will (Out-law News, 2015).

That long-standing relationship you’ve been building… destroyed.

That trust level you hold so dear to your heart and have painstakingly nurtured… gone, In an instant.

Cyber Security is Not Something That Only Others Do

Moreover, the days where security was considered to be extraneous or a separate arm of the business are long gone. Indeed, security must work as a  “…flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line.” (Sartin as quoted in Guta, 2019)

We do have more information on cyber-attacks (and you can download our paper at the bottom of this page), but for now we advise you to take this approach:

  1. Assume you’re already under-siege. You need to fight back.
  2. Work inside out. Adopt a defensive posture, start from the core, and ‘clear and secure your lines’, all the way to the external perimeter of your organization.
  3. All the while, rethinking your security approach and how you’re going to make it as hard as possible for the hacker/attacker in the future.

That’s what you need to do.

Naturally, you’re here on our webpage, on our site, so we’re going to offer advice on what works for us (‘us’ being our clients, customers, and partners) and what we ourselves recommend.

Identity Access Management and Zero Trust

We recommend Identity Access Management. In particular, what we call Zero Trust.

Zero Trust follows the 3 fundamental principles of never trust, always verify, and always enforce least privilege. (We have a white paper called Identity is the New Perimeter: Zero Trust is its Firewall where we talk more about that.)

In its simplest form, Zero Trust involves an identity verification and authentication portion. If these are incorrect then the rest fails.

With that in mind, let’s take a closer look at the anatomy of a cyber-attack (if you want to jump straight to the white paper, click here).

Caveat: before we go any further, we’re not for 1 second suggesting that you haven’t been taking security seriously. It’s just that as someone for whom this is our ‘meat and potatoes’ (or bread-and-butter, if you’re British), we know full well how overwhelming security can be.

Not least because of the rate with which the tech is changing, but also because of the myriad of terms and definitions, and all the rest of it.

That’s one of the main reasons we created this white paper. Others include helping you to cut through all that noise, to eliminate that chaff, so you get an easy to read, understand and digest picture off what’s going on.

The Anatomy of a Cyber Attack

The Anatomy of a Cyber Attack white paper covers the following:

  • An overview of cyberattacks and how the landscape is changing. One of the problems of today is that “As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed” (Sartin, 2019).
  • The architecture of the modern attack, including phishing and social Engineering
  • The danger of local admin privileges and cached passwords
  • Attacks to Kerberos and Active Directory
  • The consumerization of hacking
  • Can we keep the hackers out?
  • Assume breach – now what?
  • Other tips to discourage hackers. These include preventing users from being local admins, avoid group nesting, and use dedicated secure admin workstations for admin tasks, etc.

Understanding what constitutes a cyber-attack is just 1 weapon that you will need in your arsenal: it’s only one of the steps you must take. I hope you’re like me and, when you see people reminiscing on or about the good old days, you smile. I’m happy for them–seriously happy. From my own perspective, life outside of cyber security must seem a trifle mundane. Admittedly, I don’t dwell long, because what we’re seeing and experiencing in cyber security now is unprecedented. Sure, today might be a great day, but let’s use that time wisely and prepare for tomorrow, too.

Click on the link below to download the white paper:

Download the White Paper\

 

References:

Barth, B. (2019, May 9). Verizon Breach Report: Attacks on top executives and cloud-based email services increased in 2018. Retrieved August 19, 2019, from SC Magazine: https://www.scmagazine.com/home/security-news/verizon-breach-report-attacks-on-top-executives-and-cloud-based-email-services-increased-in-2018/

Guta, M. (2019, May 22). 43% of Cyber Attacks Still Target Small Business while Ransomware Stays On the Rise. Retrieved August 19, 2019, from Small Business Trends: https://smallbiztrends.com/2019/05/2019-small-business-cyber-attack-statistics.html

Out-law News. (2015, July 3). Info security professionals are business brand preservationists, says Aviva security chief. Retrieved from Pinsent Masons: https://www.pinsentmasons.com/out-law/news/info-security-professionals-are-business-brand-preservationists-says-aviva-security-chief

Sartin, B. (2019, May 5). C-Suite Beware: You are the latest targets of cybercrime, warns Verizon 2019 Data Breach Investigations Report. Retrieved August 19, 2019, from Verizon: https://www.verizon.com/about/news/verizon-2019-data-breach-investigations

Verizon. (2019). 2019 Data Breach Investigations Report. Retrieved August 22, 2019, from https://enterprise.verizon.com/resources/reports/dbir/

Tags: Data Governance, Identity and Access Management (IAM), Access Governance

Cybersecurity and Why You Cannot Rely on Yesterday’s Tactics

Posted by Patrick Parker on Fri, Oct 25, 2019

RustedLock

“They came on in the same old way – and we defeated them in the same old way.”

Though it could easily be used today, that quote does have rather more deep-rooted origins. The speaker was Arthur Wellesley (though you may know him by his more common titles of The Duke of Wellington and, later, Prime Minister of Great Britain). He spoke those words after his and Field Marshall Blucher’s combined Allied forces had just defeated Napoleon at the Battle of Waterloo.

Without going into the details of the battle itself, the outcome was quite significant in several ways:

  • Napoleon’s tactics at Waterloo were both out of date and inflexible
  • His battle plan lacked finesse, consisting only of repeated ‘in your face’ brute force attacks
  • The outcome of this helped shape the future of Europe for almost 100-years
  • Given ‘The Battle of Waterloo’ was in 1815, it does, in fact, predate the on-going debate about RBAC v ABAC which still persists today.

Okay, that last point is stretching a little white lie (a hint of a joke, as it were). But If you’ll permit me, I’ll tell you 2 specific reasons why it does fall flat on its face:

  • The RBAC v ABAC debate is now in its 22nd year (yes, it began in 1997)
  • Like Napoleon at Waterloo, if you honestly expect to win today’s battle with yesterday’s tactics then you’re going to lose.

Unfortunately, and we know this firsthand, some companies still are using old systems, old methods, and old tactics.

(Please tell us this isn’t you, though?)

Your Attacker is Getting Cleverer

One glance at the news tells you that your attacker is getting cleverer. (It might also be a concern to know that there are a lot more attackers out there since hacker tools became more commercialized. If you want to learn more, then click here to get our The Anatomy of a Cyber Attack white paper.

Make no bones about it, your attacker is getting cleverer, more devious, and increasingly skillful–they’re evolving. And though steam rolling in with brute force methods might be just one part of their plan, unlike Napoleon on that fateful day, we both know they’ll adapt and move on to other means as soon as necessary.

This isn’t hyperbole, either.

You’ve likely seen or heard all of the scare tactics, the dire threats, the ‘end of the earth as we know it’ (if you haven’t, let us know and we’re more than happy to fire some your way).

But here at EmpowerID, where cybersecurity, RBAC and ABAC, and your security is concerned, we prefer to stay a little more grounded. A little more pragmatic.

The Cyber Threats Are Real

But make no mistake…

Don’t think for a minute that the threats aren’t real–because they are.

You and I both know, full well, that your attackers’ plans are evolving continuously.

Unfortunately, the very nature of cybersecurity is that they’re likely to be evolving far faster than you or any of us can ever react.

However, it isn’t all 1-way and isn’t all doom and gloom. There are steps we can take to mitigate this. To limit the chances of them being successful.

We can’t stop them from selecting us as their target, but our goal here, of course, is to make it so difficult that they move onto easier pickings. They turn their attentions and efforts elsewhere.

Let’s not get ahead of ourselves just yet, though…

What Is Your Battle Plan?

A question for you:

When the attackers’ beady little eyes do eventually turn to and focus on you, what exactly is your battle plan?

At Waterloo, Wellington had surveyed that ground years 2 or 3 years before.

We both know we’ll never ever have that luxury.

Then what?

“But we’ll be okay,” said every single security consultant or manager in the world ever. (All the while secretly praying that they’re okay.)

And then they weren’t, of course (okay, that is).

Reading this, you, may very well think that we’re wrong.

If that’s the case, then tune into the media and watch or listen. Turn on your TV or radio, or tune in via your PC, whatever it is you use.

Because if the next security breach is not all over the news today, then it’ll be tomorrow or next week.

It’s only a matter of time.

As realists, we both know it’s coming.

We sincerely hope they’re not talking about you.

White Paper: Identity is the New Perimeter: Zero Trust is its Firewall

To learn more about constructing your organization’s defenses and laying out your battle plans, we have a white paper called ‘’Identity is the New Perimeter: Zero Trust is its Firewall.

In it, we talk about how identity and Zero Trust are where the 21st century battle will occur. Zero Trust is founded on 3 fundamental principles:

  • never trust
  • always verify
  • always enforce least privilege.

Quite simply, when a user attempts to access to your system, they have to verify and authenticate themselves. If they fail either, then they’re denied access.

Click here to download the Identity is the New Perimeter: Zero Trust is its Firewall white paper

 

Tags: Data Governance, Identity and Access Management (IAM), Access Governance

EmpowerID Named Overall Leader in IAM / IAG Suites

Posted by Patrick Parker on Thu, Feb 05, 2015

Rating graph

EmpowerID has been recognized as a three time leader in a recent KuppingerCole report evaluating Identity and Access Management (IAM) / Identity Access Governance (IAG) Product Suites.

The IAM/IAG Leadership Compass “focuses on complete IAM/IAG (Identity Access Management/Governance) suites that ideally cover all major areas of IAM/IAG as a fully integrated offering,” Martin Kuppinger wrote in the report.

KuppingerCole, a respected global analyst focused on Information Security, examined Identity and Access Management / Governance Suites for this report. They specifically evaluated products that are integrated solutions with a broader scope than single-purpose products. Martin Kuppinger concluded in the report, “With their Windows-based product they [EmpowerID] offer one of the best integrated IAM Suites. All components have been built by EmpowerID, allowing for tight integration into a well thought-out architecture. This integrated approach is a clear strength of EmpowerID."

To request an unabridged copy of the the KuppingerCole report on IAM/IAG Suites, please visit http://info.empowerid.com/download-the-free-kuppingercole-iam-suites-leadership-compass.

Tags: Role Based Access Control (RBAC), GRC, authentication, IAG, IAM, Group Management, Governance and Regulatory Compliance, Identity Management, Federation, User provisioning, Attestation, Separation of Duties, Identity and Access Management (IAM), Access Governance

SSO and Delegated Management Module for Office 365 Released

Posted by Patrick Parker on Fri, Sep 12, 2014

365 banner resized 600

Yesterday we announced the release of Office 365 Manager, a new module that enables organizations to extend their existing on-premise security and audit control model to the Microsoft Office 365 and Azure Active Directory Cloud. We have also released a new web site dedicated to information on Office 365 Manager. The new site is located at http://office365.empowerID.com.

We are seeing rapid adoption of Office 365 to reduce the cost of IT operations. Office 365, however, is presenting our customers with some security and management challenges because it offers only basic audit controls and a limited ability to delegate administrative tasks. Our new Office 365 Manager provides organizations with the first and only Identity and Access Management solution that applies existing security practices for on-premise Active Directory and Exchange to the management of Office 365 in the Cloud.

Office 365 Manager allows organizations to leverage the same secure delegation and flexible administration model that they use for their behind the firewall systems. It addresses a key shortcoming of Office 365 which runs on Azure Active Directory and lacks a hierarchical structure that forces the placement of all users, groups, mailboxes and contacts in a single location. By extending the existing structure of a customer’s on-premise Active Directory, LDAP, or HR system to Office 365, Office 365 Manager can securely delegate responsibilities by role, department, business unit and location.

With Office 365 Manager's Single Sign-On capabilities, your internal users can continue to use their existing Active Directory username and password when logging in to Outlook, OWA, Lync, and SharePoint after they have been migrated to the Office 365 cloud. External partners or customers can leverage Social Media logins, your own branded EmpowerID login, or even their remote corporate AD credentials.

Top 10 features and benefits of the new Office 365 Manager:

1.    Role-Based Delegated Administration to Reduce IT Staff Workload 
2.    Automated Provisioning and Sync for Better Productivity and Security 
3.    Dynamic Group Management for Improved Group Security 
4.    Single Sign-On for Ease of Use 
5.    Multi-Factor Authentication for Improved Access Security 
6.    Mobile Device Security (BYOD) To Properly Secure Mobile Device Access 
7.    Self-Service Password Management to Reduce Help Desk Workload 
8.    Shopping Cart Style Self-Service to Automate Request Fulfillment and Audit Tracking 
9.    Access Recertification and Audit Reporting For Better Access Governance 
10.     Mailbox and Folder Permission Audit, Management, and Self-Service for Improved Productivity and Governance

 

                                               Secure  Office 365  Today!

Tags: Single Sign-on (SSO), Role Based Access Control (RBAC), User provisioning, Office 365

What is federation? And how is it different from SSO?

Posted by Patrick Parker on Fri, Jun 08, 2012

what is federationWhile having a discussion with a partner this week, he pointed out that enterprise single sign-on and federation are being confused much less often these days.  That led me to asking a few people what the difference is and finding that there is still confusion about the two.

So what is federation?  And how is it different from Single Sign-on (SSO)?

SSO is an umbrella term for any time a user can login to multiple applications while only authenticating once.  It covers both federation and password vaulting which is more commonly known as “Enterprise SSO”.  The main difference is that federation eliminates the requirement to use and remember passwords and Enterprise SSO doesn’t.

Federation allows single sign-on (SSO) without passwords – the federation server knows the username for a Person in each application and presents that application with a token that says, " this Person is domain\johndoe or johndoe@example.com".  No password is required for the user to login to each system.  Because of the trust between the two systems, the target application accepts this token and authenticates the user.

The federation server passes that token using one of the standard identity protocols: SAML, OpenID, WS-Trust, WS-Federation and OAuth.  The benefit to federation is security and authentication into both on premise and cloud applications.

Enterprise SSO is when the applications all still require that a password be sent to login, but the software handles storing it and automatically retrieving it for the user and inputting it into the application for an automatic login. The user still has a password for each system that must be provided to login, must be changed on a regular basis, etc. 

I like analogies; in my mind, Identity federation is like an amusement park.  With Enterprise SSO (ESSO), you get into the amusement park but still need a ticket for each ride (think Santa Cruz Beach Boardwalk).  With federation, you get into the amusement park but have a wristband that every ride operator recognizes and lets you on (think Disneyland).  Feel free to use this one.

Even understanding this distinction, there are a lot of different implementation scenarios depending on whether you are initially authenticating on network or in the cloud, whether you are signing in to cloud or on-premise apps, or whether you want to manage Identity as a Service (IDaaS).  Download our whitepaper on the Top 5 Federated Single Sign-on Scenarios to see which one best fits your requirements.

Click me

Tags: Single Sign-on (SSO)