Posts Tagged ‘Information Security’
Nandan Nilekani’s… Fully integrated ID card system for Indian citizens!!
Operator: “Thank you for calling Pizza Hut. May I have your…”
Customer: “Hello, hello, can I order…”
Operator: “Can I have your multi-purpose ID card number first, Sir?”
Customer: “It’s he…, hold……….on…… 889861356102049998-45-54610”
Operator: “OK… You’re… Mr Singh and you’re calling from 17 Jal Vayu. Your home number is 22678893, your office 25076666 and your mobile is 09869798888. This morning you landed in India at IG International Airport. Welcome back, Sir. Which number are you calling from now, Sir?”
Customer: “Home! How did you get all my phone numbers?”
Operator: “We are connected to the system, Sir.”
Customer: “May I order your Seafood Pizza…”
Operator: “That’s not a good idea, Sir.”
Customer: “How come?”
Operator: “According to your medical records, you have high blood pressure and an even higher cholesterol level, Sir.”
Customer: “What?… What do you recommend then?”
Operator: “Try our Low Fat Pizza. You’ll like it.”
Customer: “How do you know for sure?”
Operator: “You borrowed a book entitled ‘Popular Dishes’ from the National Library last week, Sir.”
Customer: “OK, I give up… Give me three family size ones then. How much will that cost?”
Operator: “That should be enough for your family of 05, Sir. The total is Rs 500.00.”
Customer: “Can I pay by credit card?”
Operator: “I’m afraid you have to pay us cash, Sir. Your credit card is over the limit and you owe your bank Rs 23,000.75 since October last year. That’s not including the late payment charges on your housing loan, Sir…”
Customer: “I guess I have to run to the neighbourhood ATM and withdraw some cash before your guy arrives.”
Operator: “You can’t, Sir. Based on the records, you’ve reached your daily limit on machine withdrawals today.”
Customer: “Never mind, just send the pizzas, I’ll have the cash ready. How long is it gonna take anyway?”
Operator: “About 45 minutes, Sir, but if you can’t wait you can always come and collect it in your Nano car…”
Customer: “What!”
Operator: “According to the details in the system, you own a Nano car… registration number GZ-05-AB-1107…”
Customer: “????”
Operator: “Is there anything else, Sir?”
Customer: “Nothing… By the way… Aren’t you giving me those 3 free bottles of cola as advertised?”
Operator: “We normally would, Sir, but based on your records you’re also diabetic…”
Customer: #$$^%&$@$% ^
Operator: “Better watch your language, Sir… Remember, on 15th July 2010 you were convicted of using abusive language on a policeman…?”
Customer: [Faints]
Here is an excellent illustration of what a badly implemented identity system could do. Thanks to my friend Lakshmi K (last name purposely not given) who forwarded this joke to me. I couldn’t resist posting it to this boring security blog. I guess some humor adds some spice!
The Unique Identification Authority of India, or the UIDAI, is an agency of the Government of India responsible for implementing the envisioned Multipurpose National Identity Card or Unique Identification card (UID Card) project in India. It was established in February 2009, and will own and operate the Unique Identification Number database. The authority will aim at providing a unique number to all Indians, but not smart cards. The authority would provide a database of residents containing very simple data in biometrics. [Wikipedia]
With the increase in the types of applications in an enterprise, the nightmare of managing access to them grows. One of the major issues is how to manage passwords for multiple applications.
I would like to remember only one password for all applications in the enterprise instead of writing each one down whenever it’s time to change it. The frequency of password changes varies from application to application, as do the password rules.
If you look at it from the cost perspective, every help desk call to manage a password costs an estimated $25, according to the Help Desk Institute. So having a password doesn’t come cheap, especially when you have multiple applications in various domains. Imagine this cost coupled with the cost of maintaining the credentials in each of those applications.
So why not use software like Bruce Schneier’s Password Safe (http://www.schneier.com/passsafe.html)? That type of software is good for personal use, when I have the luxury of time to dig through my list of domains and their credentials. It is not good for an enterprise that is regulated by various statutory requirements, and it still does not solve my pain of signing in to multiple applications.
How about Single Sign-On? According to experts in the field, not many enterprises have been successful in implementing single sign-on. With all the acquisitions and mergers, it is found to work better when implemented at the divisional or business unit level. A more realistic approach would be reduced sign-on.
This is not an easy job for architects as they need to consider stronger authentication mechanisms based on risk policies while consolidating application and reducing the number of access challenges.
One of the major constraints on reduced sign-on is the multiple identity and policy domains that exist in the enterprise. They can be handled by having a primary authentication point that facilitates background authentication with the other policy domains. The user is challenged by a single primary system, while that primary system takes care of authenticating to the other systems in the background without the user’s involvement.
Some of the options for consolidating sign-on are extending the network operating system login and a centralized LDAP. However, they have their own limitations. For example, the network operating system login cannot be extended to external users, and there may be multiple LDAP directories within the enterprise that need to be consolidated.
Implementations such as E-SSO, where multiple logins are integrated into one single system, are preferred for reduced sign-on; however, this is a large undertaking and requires time. The same is true of federated authentication using protocols such as SAML.
One of the easiest and quickest fixes for managing this nightmare is a password management system. Whenever a user changes the password, the password management system synchronizes it with all applications and tools such as LDAP and Active Directory. In this way, I have only one password, and possibly one user-id, for accessing all systems in the enterprise. This still does not reduce the number of times I sign on, but it is a step in the right direction.
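The synchronization step described above, as an added example that is not from the original post: a small Python model of a password management system that validates a new password once against the strictest combination of every connected system’s rules (since each application has its own), then pushes it to all of them and rolls back if any target is unreachable. The target names, policies and in-memory stores are constructed stand-ins for LDAP, Active Directory and an application.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Policy:                 # per-application password rules (constructed values)
    min_length: int = 8
    need_digit: bool = False
    need_symbol: bool = False

@dataclass
class Target:                 # stand-in for an LDAP, AD or application credential store
    name: str
    policy: Policy
    online: bool = True
    store: dict = field(default_factory=dict)   # user -> credential (hashed in reality)
    def set_password(self, user, password):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        self.store[user] = password

def combined_policy(targets):
    """Strictest value of every rule, so one password satisfies all targets."""
    return Policy(min_length=max(t.policy.min_length for t in targets),
                  need_digit=any(t.policy.need_digit for t in targets),
                  need_symbol=any(t.policy.need_symbol for t in targets))

def violations(password, policy):
    checks = [(len(password) < policy.min_length, f"shorter than {policy.min_length}"),
              (policy.need_digit and not re.search(r"\d", password), "no digit"),
              (policy.need_symbol and not re.search(r"[^A-Za-z0-9]", password), "no symbol")]
    return [msg for failed, msg in checks if failed]

def sync_password(user, new_password, targets):
    """Validate once against the combined policy, push to every target, and roll
    back on partial failure. Returns a list of problems, empty on success."""
    problems = violations(new_password, combined_policy(targets))
    if problems:
        return problems
    updated = []                                  # (target, previous value) for rollback
    for t in targets:
        previous = t.store.get(user)
        try:
            t.set_password(user, new_password)
        except ConnectionError as exc:
            for done, old in reversed(updated):
                done.store[user] = old            # undo the targets already changed
            return [f"rolled back: {exc}"]
        updated.append((t, previous))
    return []
```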
Jim Hietala of The Open Group made the opening remarks on Governance, Risk, Compliance and Audit, followed by a presentation on Professional Trends in Governance, Risk, Compliance and Audit by David Foote of Foote Partners LLC.
Mr. Foote says there is a lot of investment now happening in Security Architecture and there is growing demand for security architects. An average salary of 125K USD can be expected by a Security Architect and 149K USD by a Security Director in the US.
Peter T. Davis of Peter Davis and Associates shared his thoughts on IT Governance and its various methodologies. He explained why organizations need to have goals and strategies, why they should have a process and how they need to monitor its performance, and why there is a need for continuous process improvement.
Joel Winteregg of NetGuardians, Switzerland, introduced the XDAS Audit & Logging Standard for servicing today’s regulatory and compliance requirements. Today every vendor defines its own audit trails in its SIEM solution, and no standards are followed. There is a strong need for a uniform format and taxonomy for audit trails. XDAS is not a logging standard; it is an auditing standard.
Tim Grance of NIST presented their view of standards on Compliance. He introduced the Security Content Automation Protocol (SCAP) used by National Vulnerability Database (NVD) to the community. It helps to standardize the communication of vulnerabilities.
Shawn Mullen shared his thoughts on how ACEML standard will meet compliance and Shawn Chanput from Privity Systems gave an overview on security in Cloud Computing from a Canadian perspective.
According to Shawn Chanput, few organizations have done the comprehensive data classification that is critical to securing the cloud. He says it’s important to understand where the data will reside and how it is duplicated. He explained the new effort for version 2.0 and invited participation in its various domains.