I spoke with James Spooner of Secerno and Bill Beverley of F5 Networks about their solution, which is based around the F5 BIG-IP ASM and Secerno DataWall products. Essentially they are working together to provide a more joined up security solution. While much has happened to deliver more integration between the lower network levels and applications, no-one has really tackled the problem of integrating application and database security – at least not in the web application space.

This is where F5 Networks and Secerno have jointly focussed their effort. By using customized rules on the F5 box, DataWall can be notified of anomalies at the web traffic layer. This gives Secerno’s product user-level visibility (down to the session level) of what is happening in web applications. In theory this approach should increase the ability to protect back-end databases, and reduce the number of false positives. 

The F5 BIG-IP provides more than half a dozen attributes that can be used to correlate web transactions to database transactions, enabling very granular blocking of attempts to exploit SQL security vulnerabilities (see here). Suspicious activity can be reported up to SIM/SEM security management products and used for security forensics.

It is an interesting development, with lots of potential for expanded functionality. Using web-based applications is an attractive way of sharing information outside of the organization, either via Web 2.0 style APIs, or web portals. They can be quick to develop, and provide efficiency and competitive advantage. The downside is that such applications often require access into databases with sensitive information. The F5 and Secerno solution is a worthy attempt to deliver high levels of security, but still enable business flexibility – making both companies’ solutions more attractive.

Related Posts

• Identity Management
• F5 Networks – A Case of Applications and the Network
• When Blurred e-mail Goes From Bad to Worse

From document management to remote access, compliance to shiny web 2.0 style portals, identity management is central to running a secure and efficient IT infrastructure. All the more distressing that it is also one of the most problematic elements of business IT architectures, with forests of directory trees and multiple ‘authoritative’ information sources. Now is the time to get that sorted out.

Dr. Hellmuth Broda, from the Liberty Alliance, talked about their efforts to standardize mechanisms across the industry. Questions from the floor challenged their ability to do that, with big names like IBM and Microsoft missing from the project. That said, they are re-using existing standards, rather than creating their own, so that may not be such a barrier. Kerberos received frequent mentions. This near-ancient standards-based security continues to feature, even in the upcoming Windows 7 security (read this introduction to Kerberos for more). It is a good technology that works well and is network friendly.

There were some impressive projects discussed during the day. Glow is a project for the Scottish educational system that supports millions of users on a national schools intranet, with up to 250,000 individuals authenticating at peak times. It has proved the ability of directory technologies to work at scale, but still be very feature rich – it supports the ability to have users in dozens of groups and with overlapping roles.

A number of vendors were on hand to discuss their products: integration products from Salford Software and Quest Software, server software from Sun Microsystems, and professional services and consulting from the likes of DNS, Logica and PA Consulting Group.

Dormant unused accounts are a potential security hazard, while password resets are a massive resource sync – figures quoted suggested taht a password reset costs an average of £50 in lost time and accounts for over 40% of all help desk calls. Getting user identity under control is a critical business governance task, and makes good commercial sense for any company from medium sized upwards.

For me, the most insightful comment of the day came from Alan Coburn of identity management specialists DNS, who said this: “Don’t treat an identity management project like just another IT project. Identity management projects are business transformation projects.”

If you want to dig into Identity Management in more detail, I recommend checking out Kim Cameron’s identity blog, starting with his introduction.

Related Posts

• A Cloud Computing Tour – London CloudCamp
• Britannic Technologies – Convergence in Communications
• Linking Network and Database Security

Why is that so bad? Well, it moves the security boundary for the corporate e-mail firmly outside of the corporate firewall. Hackers have recently had quite a bit of fun with a certain vice presidential candidate’s email (for the full back ground check out Michelle Malkin’s “The story behind the Palin e-mail hacking“. There are many different services out there, and the way that they handle authentication (the usernames and passwords) varies widely. A wily hacker could have access to a mailbox for months if not years before anyone realised.

What to do? The immediate sensible reaction might seem to be a big crack down, but actually it would be more productive to look at employee’s needs and provide mobile e-mail access. Monthly costs are now very low (on a par with line rental or a broadband account). It might also be time to take another look at a corporate webmail solution for laptop-based remote users.

You might not want users stuck in the office, but you don’t want their email running free!

Related Posts

• Twitter’s Bitter Lesson – What You Should Know
• Linking Network and Database Security
• Identity Management