Posts Tagged ‘Architecture’
Password Management In An Enterprise
As the number and variety of applications in an enterprise grows, the nightmare of managing access to them grows with it. One of the major issues is how to manage passwords for multiple applications.
I would like to remember only one password for all applications in the enterprise instead of writing each one down whenever it's time to change it. The frequency of password changes may vary from application to application, and so do the password rules.
If you look at it from the cost perspective, every call to the help desk to manage a password costs an estimated $25, according to the Help Desk Institute. So having a password doesn't come cheap, especially when you have multiple applications in various domains. Imagine this cost coupled with the cost of maintaining the credentials at each application.
So why not use software like Bruce Schneier's Password Safe (http://www.schneier.com/passsafe.html)? That type of software is good for personal use, when I have the luxury of time to dig through my list of domains and their credentials. It is not good for an enterprise that is regulated by various statutory requirements, and it still does not solve my pain of signing in to multiple applications.
How about Single Sign On? According to experts in the field, not many enterprises have been successful in implementing single sign on. With all the acquisitions and mergers, it is found to be better implemented at the divisional or business unit level. A more realistic approach would be reduced sign on.
This is not an easy job for architects, as they need to consider stronger authentication mechanisms based on risk policies while consolidating applications and reducing the number of access challenges.
One of the major constraints on reduced sign on is the multiple identity and policy domains that exist in the enterprise. They can be handled by having a primary authentication point that facilitates background authentication with the other policy domains: the user is challenged by a single primary system, while that primary system takes care of authenticating with the other systems in the background, without the user being aware of it.
Some options for consolidating sign on are extending the network operating system login and a centralized LDAP. However, each has its own limitations. For example, the network operating system login cannot be extended to external users, and there could be multiple LDAP directories within the enterprise that need to be consolidated.
Implementations such as E-SSO, where multiple logins are integrated into one single system, are preferred for reduced sign on; however, it is a large undertaking and requires time. The same is true of federated authentication using protocols such as SAML.
One of the easiest and quickest fixes for this nightmare is a password management system. Whenever a user changes the password, the password management system synchronizes it with all applications and tools such as LDAP and Active Directory. In this way I have only one password, and possibly one user-id, for accessing all systems in the enterprise. This still does not reduce my multiple sign-ons, but it is a step in the right direction.
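The synchronization step described above, as an added example that is not part of the original post: each policy domain keeps its own password rules and rotation interval, so the manager derives the strictest combined policy, checks the new password against every target before pushing it anywhere, and only then updates all of them, so the user never ends up with different passwords in different domains. The target connectors, rule values and user name are constructed stand-ins, not real LDAP or Active Directory APIs.

```python
import re
from dataclasses import dataclass, field

@dataclass
class PasswordRules:
    """One policy domain's password rules (values below are constructed examples)."""
    min_length: int = 8
    require_digit: bool = False
    require_symbol: bool = False
    max_age_days: int = 90

@dataclass
class Target:
    """Stand-in for an application, LDAP or Active Directory connector."""
    name: str
    rules: PasswordRules
    log: list = field(default_factory=list)  # records (user, event), never the password

    def set_password(self, user: str, password: str) -> None:
        self.log.append((user, "password-changed"))  # a real connector would call the directory here

def violations(password: str, rules: PasswordRules) -> list:
    """Return the rules of one target that the candidate password breaks."""
    found = []
    if len(password) < rules.min_length:
        found.append(f"min_length={rules.min_length}")
    if rules.require_digit and not re.search(r"\d", password):
        found.append("digit")
    if rules.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        found.append("symbol")
    return found

def combined_rules(targets: list) -> PasswordRules:
    """Strictest rule from every domain: the one policy the user must satisfy,
    with the shortest rotation interval driving the change schedule."""
    return PasswordRules(
        min_length=max(t.rules.min_length for t in targets),
        require_digit=any(t.rules.require_digit for t in targets),
        require_symbol=any(t.rules.require_symbol for t in targets),
        max_age_days=min(t.rules.max_age_days for t in targets),
    )

def sync_password(user: str, password: str, targets: list) -> dict:
    """Validate against all targets first; push only when every target will accept it."""
    problems = {t.name: v for t in targets if (v := violations(password, t.rules))}
    if problems:
        return {"ok": False, "problems": problems}  # nothing was changed anywhere
    for t in targets:
        t.set_password(user, password)
    return {"ok": True, "updated": [t.name for t in targets]}

# Constructed targets with deliberately different rules and rotation periods
TARGETS = [
    Target("ldap", PasswordRules(min_length=8, max_age_days=180)),
    Target("active-directory", PasswordRules(min_length=12, require_digit=True)),
    Target("hr-app", PasswordRules(min_length=10, require_symbol=True, max_age_days=60)),
]
```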
The Open Group Security Practitioners Conference Day 2
Jim Hietala of The Open Group made the opening remarks on Governance, Risk, Compliance and Audit, followed by a presentation on Professional Trends in Governance, Risk, Compliance and Audit by David Foote of Foote Partners LLC.
Mr. Foote says there is a lot of investment now happening in Security Architecture and there is growing demand for security architects. In the US, a Security Architect can expect an average salary of 125K USD and a Security Director 149K USD.
Peter T. Davis of Peter Davis and Associates shared his thoughts on IT Governance and the various methodologies. He explained why organizations need to have goals and strategies, why they should have a process and how they need to monitor performance, and why there is a need for continuous process improvement.
Joel Winteregg of NetGuardians, Switzerland introduced the XDAS Audit & Logging Standard for servicing today's regulatory and compliance requirements. Today every vendor defines its own audit trails for its SIEM solution; no standards are followed. There is a strong need for a uniform format and taxonomy for audit trails. XDAS is not a logging standard; it is an auditing standard.
Tim Grance of NIST presented their view of standards for Compliance. He introduced the community to the Security Content Automation Protocol (SCAP), used by the National Vulnerability Database (NVD). It helps to standardize the communication of vulnerabilities.
Shawn Mullen shared his thoughts on how the ACEML standard will meet compliance, and Shawn Chanput from Privity Systems gave an overview of security in Cloud Computing from a Canadian perspective.
According to Shawn Chanput, few organizations have done the comprehensive data classification that is critical to securing the cloud. He says it's important to understand where the data will reside and how it is duplicated. He explained the new effort for version 2.0 and invited participation in the various domains.
The Open Group Security Practitioners Conference Day 1
The Open Group Security Practitioners Conference opened with Allen Brown and Jim Hietala of The Open Group welcoming the community, followed by a presentation by Murray Rosenthal of the City of Toronto.
Murray says security is not just integration with the system development life cycle; it also deals with industry sectors and the legal framework, and should be based on established standards. The intent of having security should marry with reality.
Domain architecture should supplement solution architecture. He says that if you don't have a security architecture, you end up with trial-and-error methods and reverse engineering the existing enterprise, letting the enterprise go out of business. The same applies to projects.
Manu Namboodiri of BitArmor presented a different perspective on securing virtualized environments. He suggests avoiding the legacy way of thinking about and approaching security: think out of the box.
In a virtualized environment, everything except data is virtualized. Data is tangible and traverses between environments. It can be duplicated and may remain as a remnant forever unless disposed of securely. Data is the lifeblood of the business and is what the business is primarily concerned about; infrastructure and the rest come second. Data has more threat surface than any other component in the virtualized world, and it requires higher and stronger security controls there.
Alex Woda of Avient Solutions Group, Steve Whitlock of Boeing, Predrag Zivic and Bob Steadman of Loblaw presented their thoughts on Security Architecture and how it should be developed.
The second half of the day concentrated on Cloud Computing and how to secure the various types of clouds. Tim Brown of CA presented the concept of Cloud Computing, followed by Views of Cloud Computing Architecture and Security by Chris Hoff of Cisco. Chris Hoff introduced the Cloud Security Alliance to the community and encouraged everyone to be part of its efforts. Steve Whitlock provided a short illustration of how the Cloud Security Alliance aligns with the Jericho Forum Cloud Architectural Views.