Ugggh....last week we were reminded of how vulnerable social media platforms are to identity security problems. Two colleagues of mine were hacked on Twitter, and an ad was posted to my Facebook account via the cross-posting feature in Facebook (I love Ugg boots; I just didn't plan on advertising them on my Facebook account. More about this later). One of the powerful aspects of social media sites is the extended conversation that users can have with their friends, colleagues and the communities that participate. However, if social media sites don't work more aggressively to close the security holes in their platforms, they will undermine the credibility and trust they have worked hard to gain with the mobile IT generation. This is not a new problem.
The Twitter hack is not a new one, and in the short term it can be rectified by changing one's password immediately. However, given how easily the password could be acquired, there seems to be a problem that the Twitter team needs to plug immediately. I have severely restricted my link-clicking activities as a result of these vulnerabilities and tell family members not to click links when possible. However, this takes the fun out of getting access to content quickly or participating in events that are happening right now (e.g. conferences, concerts, etc.).
As for the cross-posting via Facebook, first let's talk about what cross-posting is. Cross-posting is a great feature if used properly. It is a way for you to post to wider groups of people, which is useful because communities do not always overlap. Simply put, when a bot or a user leaves a comment on a blog entry that has been shared to Facebook or another social media site, the comment is "retweeted" to the social media site where the entry was published, because a trust relationship has been established between the blog and that site.
I have three options to ensure that this does not happen in the future: one, do not post/share blog entries on Facebook; two, remove the trust relationship between Facebook and my blog; three, review all comments before they are published to my blog. None of them is a great option. I will probably choose the third because it lets me keep sharing my blog with my friends on Facebook while maintaining some level of control over what is "retweeted" to them. Each blogging platform offers a different level of control and ease of access to the social media platforms, so investigate and determine which is best for you.
Lastly, here is a quick overview of the top 8 social media hacks as of August 2009 by Michael Eggebrecht from CIO Zone (thanks for the great picture, top left). He outlines the top 8 social media hacks so far (e.g. Koobface, Twittercut, Best Video, etc.). If you are not reading Mashable already, I suggest taking a look, as they have great coverage of the different events and issues in this emerging space.
DSEE 7.0 is available for download today here with new documentation here. The critical document you want to look at is the upgrade and migration guide here.
Directory Server Enterprise Edition 7.0 Boosts Speed and Performance:
Considered one of the best extranet LDAP Directory Servers in the market today, the latest version of Directory Server Enterprise Edition allows enterprises to accelerate growth in a simplified way, improve performance and lower total cost of ownership. Directory Server Enterprise Edition 7.0 has been optimized to improve performance by more than three times when compared to its predecessor. In addition, this release provides innovations that improve authentication and modification performance by 60 percent, allowing customers to accelerate their applications without changing one line of code.
What's New with Directory Server EE 7.0
• Boosts speed and performance: DSEE 7.0 has been optimized to improve performance of some operations by more than 3x over the current version. In addition, this release provides hardware optimization with up to 60% improvement in authentications and modifications.
• Reduces total cost of ownership: reduce cost by using the only solution in the market that provides customers with a directory server, virtual directory, proxy server, web console and Active Directory synchronization tool-kit under a single license.
• Hassle-free upgrade: DSEE 7.0 provides a simple upgrade path and a 5x performance improvement in data import times, thereby reducing migration costs.
You can see a webinar we did recently on DSEE 7 and Role Manager 5 on why this release is important to your business and how this can help your company meet growth goals and reduce your total cost of ownership.
The Sun Identity Management team will be giving a webinar next Wednesday to discuss the very important topic of identity management and healthcare. As the healthcare legislation moves through Congress, the impact of an additional 36M patients on healthcare providers, insurance companies and patients themselves will be profound. The cost savings projected by the bills rely on IT systems providing increased access to information to drive productivity gains. As we have seen with recent high-profile identity security breaches at hospitals, identity security is critical to making sure the right people have access to the appropriate information, and that information must be shared securely with all members of the value chain.
Sun's Identity Management Suite provides a powerful package of solutions to help with storing identity information with Directory Server Enterprise Edition; managing authorization, federation and web services security with OpenSSO; providing provisioning solutions with Identity Manager; and, defining and managing role based access control with Role Manager.
Join this free Webinar to learn how Sun's identity management solutions can help your organization to:
Automate management of digital identities for other providers, patients, physicians, clinicians, and payors
Provide single sign-on (SSO) and secure federated access to privacy-regulated healthcare information while adhering to strict mandates
Comply with the Health Insurance Portability and Accountability Act (HIPAA), internal security policies, and corporate governance policies with complete auditing and reporting capabilities
Sun identity management solutions make it easier for healthcare organizations to manage and share digital information.
This week Google launched a new service called Google Dashboard, which can be found in the account settings in the top right-hand corner under "personal settings". The service is a great idea for a couple of reasons. One, it served as a reminder (at least to this user) of all the services I had actually signed up for from Google over the years, which, given the pace of their innovation, their continuous-beta approach and my propensity to try new things in the technology space, was quite a few. The second reason, and arguably the most important, is that it gives you the link to manage the privacy settings of each service you have subscribed to, right from the dashboard. This is critical for those customers and users who are interested in actively managing their identity at Google. Here are the reasons why!
In the world of Web 2.0, mashups and federation, businesses are constantly stitching together different applications to provide value to customers and consumers. Organizations need to give users control of their privacy settings so they can control what information they share, when and where, on the internet. Most users don't mind providing the information, or more likely are unaware of what they are sharing. This is why the Google Dashboard feature is a powerful tool for users to improve their security. The ability to access these privacy settings already existed in each of the services that Google offered. However, as I mentioned above, I had forgotten about all the different services I had signed up for within Google Land. This consolidation in one spot gave me information, power and, most importantly, choice in one place, improving my ability to make better decisions about how my identity is managed on the internet.
Facebook has learned this lesson and has done a lot to put the power of controlling how applications use their information into users' hands. I applaud what they have done to provide not only the tools but also the education to users about what that privacy information actually means. You can join the Facebook Security Fan Page to get updates on the different steps they are taking to improve the choices users have to manage their identity data. Another great step they have taken is in the user experience of the pages that manage services and privacy, by providing contextual help for users. These are big improvements that contribute to better user decision making.
Next week, Nov. 9-11, the Identity Management team travels down to the Gartner Identity & Access Management conference to showcase two of our latest releases, DSEE 7 and Role Manager 5. Gartner IAM is a great event because it not only gathers experienced practitioners in the identity management space but also has a number of sessions small enough that you can have quality conversations about real problems. Last year, Verizon presented at this conference on the Directory and OpenSSO implementation that serves 50M users. The presentation is a great example of the proven expertise that Sun brings to identity management and the proven extranet scale our products can support, not a marketing benchmark.
Our team has taken a different approach to this event this year and is participating in Gartner's Learning Labs. Vendors, customers and identity specialists are encouraged to come by, in a classroom-style setting, and learn about the specific problems that Sun's products, partners and customers are solving. This is crucial today, as the cost of failure or of doing nothing rises exponentially. The best way to ensure success is to learn from real-world implementations, not marketing-based slideware presentations. This is why we have assembled not just the product teams but partners and real customers to share their experience in these "learning labs".
The other great thing about Gartner IAM is that there are usually a few different ways to combine great industry expertise with a little fun. On Tuesday, Nov. 10 at 9:00pm you can meet the Sun Identity team at the Hard Rock rooftop bar for drinks and conversation. The first 50 people get a wristband for free drinks. Identity management isn't hard, so come to the Hard Rock to find out how to make it easy!
Gartner IAM Sun Schedule
Monday, Nov 9th
Learning Lab:
12:40 - 1:05pm "Increase Speed & Performance while reducing TCO with Sun Directory Server Enterprise Edition", Speaker: Nick Wooler, Sr Product Manager, Sun Microsystems
1:05 - 1:30pm "Changing the Rules of the Game: Raising the bar with Rule Life-cycle Management and closed-loop remediation", Speaker: Neil Gandhi, Sr Product Manager, Sun Microsystems
1:35 - 2:00pm "IAM Governance, Risk and Compliance: the future of IAM", Speaker: Sachin Nayyar, President, BrinQa
2:05 - 2:30pm "Enterprise Single Sign On for Sun Identity Management", Speaker: Stephane Fymat, VP of Strategy and Product Management, Passlogix
12:30 - 2:30pm Mat Hamlin showcasing Identity Manager
Tuesday, Nov 10th
Learning Lab:
12:10 - 12:35pm "Role based user provisioning: using business roles for identity life-cycle management and identity auditing", Speaker: Mat Hamlin, Sr Product Manager, Sun Microsystems
12:35 - 1:00pm "Three tough challenges, one powerful solution: OpenSSO for web access management, federation and Web services security", Speaker: Daniel Raskin, Chief Identity Strategist, Sun Microsystems
1:05 - 1:30pm "Privileged Identity Risk Management: Mitigating the Insider Threat", Speaker: Richard Weeks, VP of Channels and Business Development, Cyber-Ark
1:35 - 2:00pm "The WHO behind the WHAT: Arcot Authentication and Sun OpenSSO Enterprise", Speaker: R 'Doc' Vaidhyanathan, Chief Product Officer, Arcot
Sun Booth:
12:00 - 2:00pm Nick Wooler, showcasing DSEE
12:00 - 2:00pm Neil Gandhi, showcasing Role Manager
Identity management in government is a very important topic, as it crosses a number of domains. There are a number of issues as governments across the world pursue e-Government initiatives. Norway is a great example, as they have launched a portal that allows citizens to opt into the services they wish to consume from the government (e.g. postal, doctor, etc.). The government portal in Norway uses OpenSSO. This is only one of the ways in which Sun is helping governments further information sharing and reduce the cost of providing citizens and organizations the services they need to be successful.
If you are interested in hearing more about the different ways Sun can help governments solve identity management issues such as the following, please attend the webinar:
Secure control over information access by dynamic and diverse user populations
Single sign-on and identity federation for seamless operations across multiple IT environments
Automated provisioning and deprovisioning to reduce costs
Delegated and self-service account management to improve the user experience
Auditing and reporting to meet internal security and compliance requirements
If you are a Facebook user who has received some crazy emails recently from "friends" with enticing subject lines urging you to click on a video or picture, think twice before clicking the link. The Koobface worm has reared its ugly head again, and some of the people in the eWeek article posted here have had to throw out their PCs after being infected. Facebook has been great about identifying scams and exploits and maintains this page where users can get information about their security.
In the interest of spreading the word and propagating good usage of the internet:
Here are some ways to be smart and aware on Facebook:
If a link or message seems weird, don't click on it. This is true of all spam—whether a chain letter, an ad, or a phishing scam. If it seems weird for an old friend to write on your Wall and post a link, that friend may have gotten phished. Let the person know, and don't click on links you don't trust.
Be aware of where you enter your password. Just because a page on the Internet looks like Facebook, it doesn't mean it is. Learn to tell the difference between a good link and a bad one.
Report any spam or abuse you see on discussion boards and Walls. Those report links are there for a reason. The sooner we find spam, the sooner we can remove it and eliminate spammers from the site.
Don't use the same password on Facebook that you use in other places on the web. If you do this, phishers or hackers who gain access to one of your accounts will easily be able to access your others too. You might find yourself locked out of your email and even your bank account.
Never share your password with anyone. Don't do it. Facebook will never ask for your password through any form of communication. If someone pretending to be a Facebook employee asks you for it, don't give it out, and report the person immediately.
Don't click on links or open attachments in suspicious emails. Fake emails can be very convincing, and hackers can spoof the "From:" address so the email looks like it's from Facebook. If the email looks weird, don't trust it, and delete it from your inbox.
Add a security question. If your account ever does get stolen, you might need this to prove your identity to Facebook. If you haven't already done so, you can add a security question from the "Account Settings" page.
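The "learn to tell the difference between a good link and a bad one" advice above is easier to follow once you see which part of a link actually decides where the browser goes. The following is an added example, not code from the original post or from Facebook: it parses each link in a message and judges it by the parsed hostname alone, ignoring the path, the query string and anything before an "@", since those are exactly the parts a phisher dresses up to look like facebook.com. The trusted-host list, the URL pattern and the sample "friend" message are assumptions constructed for the example.

```python
"""Link triage helper: an added example, not code from the original post or
from Facebook. The trusted-host list, the URL regex and the sample message
are constructed assumptions for illustration."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Hosts we are willing to enter a Facebook password into (assumed list).
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com", "login.facebook.com"}

# Constructed pattern: http(s) links plus javascript: pseudo-links.
URL_RE = re.compile(r"""https?://[^\s<>"']+|javascript:\S+""", re.IGNORECASE)


def classify_link(url: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one URL.

    verdict is "trusted", "suspicious" or "untrusted". Only the parsed
    hostname decides: the path, the query string and any text before '@'
    are ignored on purpose, because those are the parts attackers use to
    make a bad link look like facebook.com.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")

    if scheme not in ("http", "https"):
        return "untrusted", "unexpected scheme %r" % scheme
    if not host:
        return "untrusted", "no hostname"
    # 'https://www.facebook.com@evil.example/': everything before '@' is a
    # username, and the browser actually goes to evil.example.
    if parts.username is not None:
        return "suspicious", "userinfo before '@' hides the real host " + host
    # Punycode labels may render as look-alike Unicode letters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "internationalised (punycode) hostname " + host
    if host in TRUSTED_HOSTS:
        if scheme != "https":
            return "suspicious", "trusted host but plain http"
        return "trusted", "known Facebook host over https"
    # 'www.facebook.com.login-secure.example' ends in .example, not facebook.com.
    if "facebook" in host:
        return "suspicious", "brand name inside a non-Facebook host " + host
    return "untrusted", "host " + host + " is not a Facebook host"


def scan_message(text: str) -> List[Tuple[str, str, str]]:
    """Find every link in a message and classify it: [(url, verdict, reason)]."""
    return [(u,) + classify_link(u) for u in URL_RE.findall(text)]


# Constructed sample "friend" message of the kind the post describes.
SAMPLE_MESSAGE = """hey is this you in this video?? lol
http://www.facebook.com@login-verify.example/video.php
https://www.facebook.com/login.php
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_MESSAGE):
        print("%-12s %s (%s)" % (verdict, url, reason))
```

The check deliberately treats "looks like Facebook" and "is Facebook" as different questions: a brand name anywhere in the host, a userinfo trick, or a punycode label all get flagged, while only an exact match on an assumed trusted host over https is accepted. The same approach applies to any site you log in to; swap the host list.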
Also, if you are interested in avoiding scams during the holiday season here is a helpful site from CNET. The site can be viewed here.
BusinessWeek published an interesting article on Sunday titled "U.S. Is Losing Global Cyberwar, Commission Says". If you are interested in identity management or IT security, this is an important topic. The plenary session was held this afternoon, with press releases flying across the internet. You can find the MSNBC version here. BusinessWeek did a nice job of scooping the report and summarizing some of the recommendations, which include creating a "Cybersecurity Czar". I am not sure we need more Czars, but if you are interested in the details of the report please take a look at the full report here.
Jim Carr from Security Magazine published an interesting article this week that exposes the long road the industry still has to travel in managing patient information within hospitals, organizations and enterprises. You can read the whole story here. The article doesn't go into tremendous detail about how the employees got access to the information. However, it does illustrate the challenge health care providers have in balancing access to patient information for the people who "need to know" against maintaining patient privacy. This is further exacerbated by changing roles and responsibilities in organizations and applications. Ben Worthen of the Wall Street Journal wrote a blog post here that also reminds us that a number of security breaches are committed by trusted employees.
"But lest you think the threat is more imagined than real, consider that among companies that experienced a data breach in 2006, 23% said the culprit was an insider, according to a survey by the Computing Technology Industry Alliance."
Additionally, towards the end of the article an argument is made to sanction doctors who may have checked Britney's information without a direct need to see the data.
Jamie Nelson, the director of engineering for Federation Access Manager, provides some very valuable insights into building identity security into your applications from the ground-up. Jamie also shares his insights into the problems that customers face in federating with partners and suppliers.
Kim Cameron recently linked to a great article in the Economist. In February the Economist reviewed how governments were creating portals and using identity-based software to aggregate services for citizens. You can get the article here. This trend is happening not only in Europe (here is a great case study on Norway.no, which used Federated Access Management to deliver SSO across all the government service providers while giving citizens choice) but also in the United States, as governments try to provide more efficient services to an increasingly online electorate. This has some great benefits, to name a few: better information for health care providers; reduced cost and a more eco-friendly government by cutting the paper distributed to citizens; and reduced cost from better identity information on citizens (e.g. a wrong address means paying to deliver government mail to the wrong location). However, despite the many other benefits, the fact that the government holds more and more information about citizens causes some of them to grow concerned. The article provides some insight into those issues, and into how much work still needs to be done to leverage and protect identity for customers and governments.
It is not every day that you get to hear from one of the great thought leaders on Security. At Sun we are lucky every day because we get to work with people like Whitfield Diffie all the time. Whitfield Diffie is Sun's Chief Security Officer.
In this article on Computerworld he gives insight into one of the future growth areas in security. He believes that outsourcing, i.e. having your data managed by others, is the biggest force of change in security over the next 5 to 20 years. Companies like SugarCRM, SalesForce.com, Amazon or Google give global businesses the ability to outsource business operations and IT functions so they can invest their resources more efficiently and continue to innovate. However, the challenge for us all is to ensure that the appropriate level of security is applied to the data we want to protect.
Sun takes security seriously, and that is why we have one of the leading identity solutions in the market, Identity Manager. Additionally, we offer a product called Sun Connection, which allows companies to quickly and efficiently apply security updates to Red Hat, SuSE and Solaris operating systems.