#sapteched: too much twittering.. ;-) – but not enough on IAM & GRC

27.10.2009 by Sebastian Rohr

Did you find yourself adding hash-tags in emails or “old-fashioned” blog posts recently?
Well, I think we are all tweeting quite a lot (except for me, I do not spend too much time on it) and organizing tweets that way is a good thing, for sure…

In between two Netweaver security tracks I just wanted to give you an update on the cool show SAP put together once again! I already met so many friends, colleagues and usual suspects that I almost felt like I was visiting EIC ;-) in Munich.
Novell made some great announcements recently and – to no surprise for me – their now combined SAP/Novell offering for end-to-end GRC does add a lot of value for customers of both companies.
Just a few weeks ago, doing an invited talk at the SAP Partner Port in Walldorf with Loren Heilig, Managing Director of IBSolutions, I claimed that SAP does have a big advantage when it comes to Business GRC, while they really lack the depth needed to control everything down to the system level, aka “more technically”. As a complementary solution vendor, I showed some Novell slides, and the reactions were pretty … ambiguous.
While the customer audience seemed to like the idea, the vendor representatives seemed a bit uncomfortable. Today, I find myself proven right by reality – my own little “analyst crystal ball” only had a “warning period” of roughly 4 months, though. Maybe I should get to London and place some bets before making my next presentations…
SAP and Novell: congratulations! You now offer the most complete GRC approach in the market today (at least from my humble perspective!)


Windows 7 and SmartCard removal behaviour… no system lock?

25.10.2009 by Sebastian Rohr

Ok, this should be a blog about insights into the general Identity & Access Management and Governance, Risk Management & Compliance markets. Sorry to bother you guys with technology details (like the one about Win7 and 3G (UMTS) on netbooks) every once in a while, but I think one blog is enough to maintain and publish stuff to ;-)
So, whoever started using Win 7 in a secure environment may have come across the issue that smartcard log-in works like a breeze these days, but you may be as puzzled as I was when I pulled the card from the reader and the system did NOT lock itself…
Well, my friend Walter Hofer of IDpendant was kind enough to investigate the issue (and let me know right after he found out):
Even with a corresponding GPO set in the AD, Win 7 will refuse to lock the computer after the smartcard has been removed from the reader, as Microsoft chose to create a new system service called Smart Card Removal Policy – and it is set to MANUAL. Unless you look that service up in the “Services” menu and change its start behaviour to “Auto”, you will not get the expected results.
Just to get you a faster solution if this should happen to you, too!
Keep up the safe & secure computing experience!
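Since the GPO and the service are two separate switches, a quick per-host audit helps before anyone blames the policy. The script below is an added example (my own, not from the original post or from Microsoft): it reads the Winlogon ScRemoveOption value that the “Interactive logon: Smart card removal behavior” policy writes, checks the start type of the Smart Card Removal Policy service (service name SCPolicySvc), and switches the service to Automatic if needed. It assumes an elevated PowerShell session; PowerShell 2.0 as shipped with Windows 7 is enough.

```powershell
# Added example, not code from the original post or from Microsoft.
# Two settings decide whether Windows 7 locks on smart-card removal:
#  1. the "Interactive logon: Smart card removal behavior" policy, stored by Winlogon
#     as ScRemoveOption (0 = no action, 1 = lock workstation, 2 = force logoff,
#     3 = disconnect remote session)
#  2. the Smart Card Removal Policy service (SCPolicySvc), which enforces that value
#     and ships with start type Manual on Windows 7
# Assumes an elevated PowerShell session (PowerShell 2.0 on Windows 7 is sufficient).

$ServiceName    = 'SCPolicySvc'
$WinlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedOption = '1'   # lock workstation

function Get-ScRemovalState {
    # WMI is used because Get-Service in PowerShell 2.0 does not expose the start type
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    $reg = Get-ItemProperty -Path $WinlogonKey -Name ScRemoveOption -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ServiceStartMode = $svc.StartMode        # Auto / Manual / Disabled
        ServiceState     = $svc.State            # Running / Stopped
        ScRemoveOption   = $reg.ScRemoveOption   # $null if the policy never applied
    }
}

function Repair-ScRemovalState {
    param([switch]$WhatIf)
    $state = Get-ScRemovalState
    if ($state.ScRemoveOption -ne $ExpectedOption) {
        # The policy side is missing or wrong: fixing the service alone will not help
        Write-Warning "ScRemoveOption is '$($state.ScRemoveOption)', expected '$ExpectedOption' (lock workstation); verify that the GPO applied (gpresult /r)."
    }
    if ($state.ServiceStartMode -ne 'Auto') {
        if ($WhatIf) {
            Write-Output "Would set $ServiceName start type to Automatic and start it"
        } else {
            Set-Service -Name $ServiceName -StartupType Automatic
            Start-Service -Name $ServiceName
        }
    }
    Get-ScRemovalState   # return the post-repair state for the caller
}

Repair-ScRemovalState -WhatIf   # dry run first; drop -WhatIf to apply the change
```

For a whole domain you would not run this by hand; the same start type can be pushed through the System Services node of a security policy, and the script then serves as the compliance check that both halves (policy value and running service) actually landed on each client.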


Vienna Calling

25.10.2009 by Sebastian Rohr

Well, unlike Falco in his famous hit single, this time it is SAP who is calling the world's ERP elite to Austria's capital next week – and I am happy enough to participate in this one-in-a-thousand event that really stands out. My very high expectations regarding the expertise I am planning to meet are only paralleled by my curiosity whether (and if yes, who) there is going to be a star like Zucchero performing as part of the event :-)
Ok, back to the real issues, because there is a lot of work to be done while I am at the event. First of all, I will try to get as much in-depth technology insight as possible, and my agenda is bustling with activity around Netweaver Identity Management and SAP security. Especially the second, more general topic has some relevance as I am looking into the SAP and 3rd-party audit and compliance solutions available today. Besides SAP's own offering in the GRC arena, I am about to dive deeper into CheckAud of ibs Schreiber, a tool I came across in several Master's theses I have been advisor for. Next is “mesaforte” of Swiss Wikima4 AG and last but not least the SAST System Audit and Security Toolkit of Akquinet, especially since they now co-operate with my valued friends at Virtual Forge (some of my former Fraunhofer SIT colleagues are the founders).
Do you have expertise in one of those? Are you at TechEd in Vienna? Make sure to meet me over a cup of coffee or a Stiegl Bräu beer!
Looking forward to meeting you in Vienna!


The blessings of 3G with Win 7

24.07.2009 by Sebastian Rohr

As a tech-savvy person and all-time traveller I recently acquired a mobile network data flat rate from one of the local German and international providers – the one with the pink logo. For every contract/subscription you sign, you usually get some perks, extra stuff, a mobile handset or – in my case – one of those netbooks. The Acer Aspire One 531 I was sent does feature an integrated 3G modem by OPTION Wireless and comes with Windows XP Home, to my dismay. Failing to prepare a proper backup (Acer gives you backup software to burn media – but a netbook does not have an optical drive, and mapping the DVD burner of my home Vista machine is not acceptable use of the software – and thus deactivated), I killed XP Home anyway and installed Win 7 fresh off an 8 GB USB flash drive (see here for a geek howto, or here for the DAU help with prepping the USB stick). All worked well – even a complete Office 2007 and Visio 2007 found their way onto the device – no driver problems, except… for the 3G!

I spent way too much time to figure this out, so here are the resources needed:
Driver handling & tweaking plus driver links

http://www.itgrl.de/2009/03/31/aspire-one-3g-treiber-fur-umts-modem/

Driver Links Acer
http://global-download.acer.com/GDFiles/Driver/3G/3G_Option_5.0.12.0_XPx86_A.zip?acerid=633776034442008284&Step1=Netbook&Step2=Aspire One&Step3=AO531h&OS=X01&LC=de&SC=EMEA_8
Driver Links Option (IMEI required!)

http://www.option.com/en/support/software-download/product-list/

I tried desperately for a while to use the T-Mobile web'n'walk software (even the EMBEDDED version taken from the mysterious FTP server in the Czech Republic), but it always UNINSTALLED the Option drivers, leaving my netbook without connectivity.
Using the ACER software DOES the trick though, but you have to tweak it:
the Acer 3G Connection will fail to connect (it finds the device, the SIM is entered, the network is acquired), but then it gets stuck while “connecting” aka “Verbinden…”.
Again, calling the friendly mobile provider support, we quickly analyzed that we were only one step away. Simple solution:
create a new modem connection with *99# as the number to be dialed and all works well suddenly!

Now, back to real work… message me if you have a working setup with w'n'w software on Win 7 and internal Option MOx40 cards… or actual stand-alone drivers for Win 7 that are NOT deleted when installing w'n'w :-)


EIC09: ICF-German Chapter Gründung

05.05.2009 by Sebastian Rohr

Dear readers, the following post is provided bi-lingual but does not represent a one-to-one translation. Most information is for German speaking readers, so the English version is comparably short! Still, there is some general info in the English part, so please make sure you read both parts…
The ICF German Chapter Inauguration Meeting
www.informationcard.de
Participants: Corisecio, Fraunhofer FOKUS, Deutsche Telekom, Oracle, Novell, Arcot, Microsoft, Siemens, fun Communications, Hasso-Plattner-Institut, Azigo, KuppingerCole and MANY more!

Initiated by Jens Fromm of Fraunhofer FOKUS in cooperation with Axel Nennker, Deutsche Telekom Labs, a local German-speaking chapter of http://informationcard.net/ was established. The founding members and supporters of www.informationcard.de will try to align their efforts as much as possible to establish an interoperable and easy-to-adopt exchange network, where not only cross-testing but also fully operational systems can be deployed. Goal: to foster the adoption and usage of infocards in the German-speaking countries by bringing together stakeholders such as card providers, infrastructure providers and service providers, and possibly providing info to consumers.
A number of member presentations on technology, background, usage scenarios and development provided a deeper insight into what is happening in the ICF and between partners. In brief, there were presentations by Deutsche Telekom of an mWallet with Nokia Symbian (NFC, functional) or Apple iPhone (just a UI, not yet fully functional) that showed a P2P transfer (mobile2mobile, two Nokias touching…). Other use cases besides money transfer comprise cinema ticketing and POS payment in a canteen. There also was a demo on hotel booking, again with Nokia/iPhone, that visualized the goal of having the same look & feel on all devices. Additional (and excellent!) demos were provided by Corisecio and fun Communications, showing different ways and methods to access the KuppingerCole site with IdentityCards. Microsoft rounded it up by showing how to authenticate to special online workspaces using Windows 7 and IE8.
The next months will show how the participants will create their network and infrastructure that will provide a continually usable test-bed and also an environment for real applications. Especially, it will be interesting how removing the language barrier will contribute to creating best practices that can be handed back to the larger InformationCard community in the ICF. KuppingerCole supports these efforts by serving as a live site to authenticate with IdentityCards as well as promoting the use of IdentityCards in a broader, more open and public community.

DE
One of the first large breakout sessions at the European Identity Conference in Munich was the meeting of the German-speaking chapter of the InformationCard Foundation http://informationcard.net/, which moved well over 20 participants to get together even before the keynotes on the morning of the first conference day. With the involvement of some American representatives, staff from Corisecio, Fraunhofer FOKUS, Deutsche Telekom, Oracle, Novell, Arcot, Microsoft, Siemens, fun Communications, Hasso-Plattner-Institut, Azigo and KuppingerCole met to show the current state of development. The most important item was the fully functional demonstration of logging in to the KuppingerCole site with an InformationCard.
The goal of the meeting was to bring together all parties involved and interested who are actively working on the development of InformationCard technologies, card selectors or application scenarios. Besides the live demonstration of the KCP login already mentioned, several approaches to use on mobile phones (iPhone and Nokia Symbian) with NFC connectivity were presented, which in particular offer the user many possibilities for multiple use. The participants agreed that the general problem is the so far missing adoption by users – one way to improve this adoption is an entry barrier that is as low as possible. In detail this means broad support for a wide range of end devices, installation and configuration of the necessary software on the end devices that is as simple as possible, and likewise the highest possible portability and usability across many application scenarios. Excellent live demonstrations by fun Communications and Corisecio (again logging in to the KCP site, but via mobile phones) underpinned the high standard the group sets for itself.
The coming months will show how the German-speaking chapter develops and which concepts and solutions, tailored specifically to the Central European economic area, can be passed on to the parent organization as best practice. KuppingerCole supports the initiative with all its strength – among other things with the option to log in to the KCP site with an IdentityCard and of course with all available means to get users enthusiastic about the technology.


Deep dive into unknown depth (of PKI and HyperV technology)

18.03.2009 by Sebastian Rohr

Recently, we announced that a report on strong authentication with tokens would be released. The response to that was tremendous – from either side of the market. Some (customer) companies pre-registered to get it, some vendors called back to make sure their products were included, and guess what: NOT all of them were included. This led to two things: me going back to square one, getting briefings with all “new” vendors and rewriting some portion of the report, as well as me thinking: “if I do not know these vendors are trying to get into the market – how should the market (aka customers) know?”. Looks like some vendors did invest a lot in product engineering, such as AXSionics, but a lot of those at the same time did not invest much into developing their go-to-market strategies and a marketing plan. There are a number of sayings around marketing (such as that 50% of the budget is wasted, one just does not know which half it is) but let me get that straight: a complex service or solution such as strong authentication does not sell by itself. You need to analyse the market, identify your target customer base and address these possible customers as directly as possible. I do not judge print media here, but simply advertising in a trade magazine will hardly work…
We as analysts have to serve both sides of the market, thus granting us a very special position that allows us to gain deep insight into customer needs as well as into current market situations. We certainly are no “know-it-alls” as the above introduction reflects, but we certainly can add valuable information to either authentication strategies or marketing plans! Ok, enough shameless self-marketing at this point and back to the deep dive:
I guess one thing that sets KuppingerCole apart from other analysts is the technological background of the analysts. Most of us are or have been IAM practitioners before switching to “criticize mode”. This background makes us TEST what vendors tell us – in my personal situation that means: drowning in cards, tokens, readers and software for strong authentication. I really love this retreat to “playing” with technology – at least as long as it works! My test stopped working last week, when I tried to use a Microsoft PKI to issue certificates for my Vista laptop. Little did I know what horrors the switch from XP to Vista on my test client would bring…
I used to run a pretty straightforward test environment for certificates, namely a Win2k3 Enterprise Edition server with Certificate Services. All was well with the usual XP clients and users receiving certificates, using smartcards and tokens of all types to do the SC login. Well, Vista and W2k3 Certificate Services do not work together that easily, specifically the components that allow the certificate enrollment procedures via browser. Ok, testing certificates and cards in a productive environment is not the best idea anyway, so I decided to give Server 2008 a shot, using virtual machines on 2008 HyperV as the basis for my lab. Being a strong user of VMware before, HyperV set some traps for me: storing the virtual machines in a subdirectory of the “public” user directory of the system drive was one. Saving the machine state in a similar location AFTER I had re-routed the location of the images to the D: drive was even more of a nuisance. Not being able to “import” such an image if it had not been “exported” before almost drove me crazy. I ended up with some 100 gigabytes of mostly useless images and wasted tremendous amounts of time with this…
Oh, did I mention networking? Have you ever tried to set up a Win2k8 domain with DHCP in the virtual realm and then have DHCP clients (aka my Vista laptop) receive their IP info over the physical interface of the host machine? Fun stuff to do – works (sometimes), unless you try to join the domain with this client (networking to/from the virtual realm stopped working after the reboot of the newly joined client). A “restart” of the network interfaces at the host machine worked, although I still do not know why…
Anyway, now I am set to create myself multi-tiered (or teared?) PKI environments comprising a W2K8-based PKI, some EJBCA and all the paraphernalia one has to gather…
The only thing I miss yet is a decent Hardware Security Module (HSM) for my EJBCA to recover encryption certificates not created with SC-based key material.
I certainly grew some extra grey hair with this, but at least I am up to date with my PKI infrastructure!
Looking forward to your responses, inquiries and “didn't you know…” comments…
Sebastian


Meet local – act global: CAST eV on Internet Crime

19.12.2008 by Sebastian Rohr

Yesterday I had the pleasure to attend this year's last CAST workshop in Darmstadt, Germany. CAST, Competence Center for Applied Security Technology, is a non-profit organization that provides security information for its members as well as the broader public. CAST is led by representatives of academia (Technical University of Darmstadt) and applied research (Fraunhofer SIT and IGD) as well as corporate and SME members. Yesterday's event had “cybercrime and forensics” as its headline and the keynote was delivered by the famous president of the Federal Police of Germany, Joerg Zierke (who attracted quite a number of additional participants, obviously).
Zierke talked a lot about why Germany is very special with regard to cybercrime: on the one hand, internet safety and security is quite mature here, compared with the UK, US or other leading countries. On the other hand, criminal activity also is very elaborate and specialized individuals co-operate in ever-changing teams – cross-border and cross-competence. The president brought lots of evidence for his claims, especially regarding trojans “hand-crafted” to target German banks, browser data manipulation and online fraud in general. While creating giggles and smirks when claiming DDoS attacks were executed with emails (aka using SMTP), he showed substantial knowledge of the threats and attacks currently seen. Zierke went on to showcase cases of child pornography and “real” terrorist activity and explained communication schemes of these cells. Impressive, scary and at the same time disturbingly “close”… Anyway, he lost my support (and I guess most of the others as well) when he drew the conclusion that all this could only be tackled, handled and investigated if the much-discussed BKA law (comparable to the Patriot Act in the US) were put into place.
From this rather general talk, the topics went into more and more detail, ranging from judicial analysis of new cyber laws, a presentation about their use in jurisdiction across business-related fraud detection (impressive presentation by PwC!) up to forensic analysis of digital photography. All in all the event covered a breadth of topics I rarely see anywhere else.
All that I missed was the INTERnational perspective, hence the topic of my post :-) I can only urge lawyers, forensic specialists, cryptanalysts and politicians/judges/law enforcement (LE) to work closer together. Especially expert advice from all of the former groups to the latter three is needed. LE is usually drowning in open cases, judges have no clue what goes on “in the internets” and politicians are seldom aware of what evil might lurk behind that link (or what good can be created through others).
Experts of all cyber-related technologies are needed as advisors and subject matter experts!
Do not ask what this community can do for you (e.g. tax cuts ;-) ) – ask your judges, police officers and politicians what you can do for them!
WARNING: you might end up explaining to your “senator of choice” how to send email… let's not talk about using S/MIME or PGP here ;-)


Role-over

09.12.2008 by Sebastian Rohr

Looks like IAM and GRC is all about roles, doesn't it? Well, for the sake of simplicity it does. Simplicity, you ask, having had trouble defining these in a year-long struggle and ending up with worthless collections of access rights and user profiles due to the latest merger and the finance-crisis consolidation?

You have pretty good company as many organizations face these problems. A few years back when I worked for CA, a good portion of the IAM projects also included considerable amounts of work to be done on roles. VAAU, at that time the preferred role-mining specialist in the market, helped a lot getting this work done, especially in the early phases of the projects. As companies are comparable to living organisms, they tend to change over time (sometimes rapidly), thus affecting the roles and profiles users might be mapped to.

Early role mining only provided insight into the situation at the moment the snapshot or analysis was made, leading to frustration and incorrect roles once the IAM system was about to be deployed. Vendors like former VAAU (now with SUN) and the recently acquired Eurekify (now with CA) learned their lessons, providing consistency checking and automated role monitoring as new key features. This evolved the early role-mining tools from providing fuzzy “best-before” role data into helpful GRC-supporting tools that constantly check if the former analysis is still valid. One example: if members of a certain group of users sharing the same role get a similar exception or add-on to their access rights, Eurekify would suggest making this exception a part of the role. This helps to manage exceptions before they become a labyrinth while making the life of admins and auditors easier.
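To make the consistency check concrete, here is an added toy implementation of that idea (my own illustration, not Eurekify's or CA's code; all roles, users and entitlement names below are constructed). It compares each user's actual rights with the rights defined for their role, lists the per-user exceptions, and proposes adding an exception to the role once a configurable share of the role's members hold it, while flagging rare exceptions for review instead.

```powershell
# Added example, not part of the original post and not Eurekify's or CA's code.
# Toy role-consistency check over constructed data: per-user exceptions against the
# role definition, then a suggestion per (role, extra right) based on how many
# members of the role carry that extra right.

$Roles = @{
    'AP-Clerk' = @('ERP_AP_View', 'ERP_AP_Post')
    'Treasury' = @('ERP_Bank_View', 'ERP_Bank_Pay')
}
$Users = @(
    @{ Name = 'alice'; Role = 'AP-Clerk'; Rights = @('ERP_AP_View', 'ERP_AP_Post', 'ERP_Vendor_View') },
    @{ Name = 'bob';   Role = 'AP-Clerk'; Rights = @('ERP_AP_View', 'ERP_AP_Post', 'ERP_Vendor_View') },
    @{ Name = 'carol'; Role = 'AP-Clerk'; Rights = @('ERP_AP_View', 'ERP_AP_Post', 'ERP_Vendor_View', 'ERP_Bank_Pay') },
    @{ Name = 'dave';  Role = 'AP-Clerk'; Rights = @('ERP_AP_View') },
    @{ Name = 'erin';  Role = 'Treasury'; Rights = @('ERP_Bank_View', 'ERP_Bank_Pay') }
)
$Threshold = 0.75   # share of a role's members that must hold an extra right before it is proposed for the role

function Get-RoleExceptions {
    param($Roles, $Users)
    foreach ($u in $Users) {
        $defined = $Roles[$u.Role]
        $extra   = $u.Rights | Where-Object { $defined -notcontains $_ }   # held but not in the role
        $missing = $defined  | Where-Object { $u.Rights -notcontains $_ }  # in the role but not held
        New-Object PSObject -Property @{
            User    = $u.Name
            Role    = $u.Role
            Extra   = @($extra)
            Missing = @($missing)
        }
    }
}

function Get-RoleSuggestions {
    param($Roles, $Users, [double]$Threshold)
    $exceptions = Get-RoleExceptions $Roles $Users
    foreach ($roleName in $Roles.Keys) {
        $members = @($exceptions | Where-Object { $_.Role -eq $roleName })
        if ($members.Count -eq 0) { continue }
        # Count how many members of this role share each extra right
        $members | ForEach-Object { $_.Extra } | Group-Object | ForEach-Object {
            $share = $_.Count / $members.Count
            if ($share -ge $Threshold) { $action = 'ADD TO ROLE' } else { $action = 'REVIEW (outlier)' }
            New-Object PSObject -Property @{
                Role   = $roleName
                Right  = $_.Name
                Share  = [math]::Round($share, 2)
                Action = $action
            }
        }
    }
}

Get-RoleExceptions  $Roles $Users            | Format-Table User, Role, Extra, Missing -AutoSize
Get-RoleSuggestions $Roles $Users $Threshold | Format-Table Role, Right, Share, Action -AutoSize
```

With the constructed data, ERP_Vendor_View is held by three of the four AP clerks (share 0.75) and is proposed for the role, whereas carol's ERP_Bank_Pay (share 0.25) stays an outlier for review, which is exactly the kind of lone add-on an auditor wants to see rather than have silently folded into the role; dave shows up with a missing ERP_AP_Post, the other direction the monitoring has to catch.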

Speaking of “easier”… during my recent briefing with a former Eurekify EMEA VP and now CA employee, the question came up on how CA will leverage the power of Eurekify's tools in their customer base. I was told that existing IAM customers – regardless of which vendor they chose – will remain the primary focus of the team, as the above-mentioned role-management and role-auditing capabilities are available for all major IAM products in the market. I was pleased to hear that CA will continue to sell Eurekify technology without limitations – and was even more happy to hear that integration will extend the available web service interfaces.

Keeping this open mind and easy way to discover, integrate and manage will definitely be advantageous to the CA partner community, providing audit, role-mining and compliance services with the former Eurekify tools.
I am looking forward to what happens next regarding the role-management tools and offerings – and also to what and when CA merges the Eurekify capabilities into their GRC and IAM tools!


Ensim: Crusade to Europe

12.11.2008 by Sebastian Rohr

Just a short note after meeting up with some ENSIM representatives (thanks for the opportunity!): after building some reasonable references in the European market and the recent acquisitions in the “MS infrastructure management market”, there definitely will be some growth potential for ENSIM in EMEA. Wherever AD and ID management is needed and automation is key, one should check out if the quite modular and customizable set of solutions could make a fit. I'll look into the technology a bit deeper at the end of the year - so check back for more info and the capabilities of their products.

Also, I was informed that their local representation in Europe is going to be extended to accommodate the rising number of requests for demos and PoCs. Good for us at KCP to have some techies to talk to in our own time zone ;-)

Off to the evening reception at IIW, cu all soon!


Meet in real world, connect online – v2.0

12.11.2008 by Sebastian Rohr

One of the fancy things about conferences like IIW is that lots of entrepreneurs and start-up people mingle with each other, which is how I came to “poke around” a little. POKEN is a cute little way to make the traditional exchange of business cards and the following procedure of scanning/creating vcards a tad easier…

Dave Brown of POKEN had a little session on how to facilitate the exchange of contact information without the hassle of activating bluetooth, entering data manually or other hurdles. One can get a small (and cute) token called poken (USB and wireless, sort of NFC) with an individual ID in it and then “connect” to other poken owners just by bringing the two pokens together. Easy as a handshake – especially cute as the pokens look like 4-fingered hands ;-)

During this process, the pokens actually handshake and exchange their IDs, which are then stored in the flash part of the device. Once you hook the poken up to your computer, it reads the IDs recently learned and finds the corresponding contact information (in the InfoCard format) online. This InfoCard contains as much information as the related poken owner wants it to contain, enabling one to share a single website, email, phone number or other attribute, or offer full profile information if desired. Fun and useful fact: one can choose between up to three “profiles” depending on the context you meet a poken person in.

I overheard that the poken could also be put to use as a sort of simple hardware credential, but I will need to investigate further… Meanwhile, if you are interested, check out www.doyoupoken.com. You can connect your personal poken to your profile there and start “pokin' around”.



© 2012 Sebastian Rohr, KuppingerCole