Enterprise IOT: Mixed Model Architecture

– By Andy Thurai (@andythurai)

This article was originally published on VentureBeat.

Recently, there has been a lot of debate about how IoT (Internet of Things) affects your architecture, security model and corporate liability. Many companies seem to think they can solve these problems by centralizing the solution and enforcing it collectively in the hub, as far away as possible from the data collection centers (not to be confused with data centers). There is also a lot of talk about the hub-and-spoke model winning this battle. Recently, Sanjay Sarma of MIT, a pioneer in the IoT space, spoke on this very topic at MassTLC (where I was fortunate enough to present as well). But based on what I am seeing in the field, and on how the actual implementations work, I disagree with this one-size-fits-all notion.



The Façade Proxy

KuppingerCole analyst Craig Burton (of Burton Group originally) wrote a recent article about Façade proxies. You can read the article here: http://blogs.kuppingercole.com/burton/2013/03/18/the-faade-proxy/

As Craig notes,

“A Façade is an object that provides simple access to complex – or external – functionality. It might be used to group together several methods into a single one, to abstract a very complex method into several simple calls or, more generically, to decouple two pieces of code where there’s a strong dependency of one over the other. By writing a Façade with the single responsibility of interacting with the external Web service, you can defend your code from external changes. Now, whenever the API changes, all you have to do is update your Façade. Your internal application code will remain untouched.”

I call this a “Touchless Proxy”. We have been doing the touchless gateway for over a decade, and now, using the same underlying concept, we provide a touchless API gateway, or façade proxy.
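To make the façade idea concrete, here is an added example (not code from the original post, from Intel, or from KuppingerCole). The "external" service, its two wire formats and the `CustomerFacade` class are all constructed for illustration. The point it demonstrates is the one Craig makes: internal code depends only on the façade's small contract, so when the upstream API changes shape (v1 to v2 below), only the façade is updated and the caller is untouched. A second benefit for the security case in the quote that follows is that the façade is the single place to decide which upstream fields ever reach internal code.

```python
"""Façade (touchless) proxy in front of an external API.

Added illustration only. The upstream service, its two response formats and
the façade are constructed for this example and stand in for any real API.
"""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Customer:
    """The only shape internal code ever sees; upstream fields are not exposed."""
    customer_id: str
    email: str


# --- Constructed upstream service with two incompatible response formats ----
def external_v1_lookup(customer_id: str) -> Dict[str, object]:
    """Old upstream contract: flat object with 'id', 'mail' and extra fields."""
    return {"id": customer_id, "mail": f"{customer_id}@example.com",
            "ssn": "000-00-0000"}        # constructed extra field, must not leak


def external_v2_lookup(customer_id: str) -> Dict[str, object]:
    """New upstream contract: nested 'data' object with renamed keys."""
    return {"data": {"customerId": customer_id,
                     "contact": {"email": f"{customer_id}@example.com"},
                     "ssn": "000-00-0000"}}


# --- The façade: the single component that knows the upstream shape ---------
class CustomerFacade:
    """Internal callers only ever call get_customer(); upstream changes stop here."""

    def __init__(self, backend: Callable[[str], Dict[str, object]], version: int) -> None:
        self._backend = backend
        self._version = version

    def get_customer(self, customer_id: str) -> Customer:
        raw = self._backend(customer_id)
        if self._version == 1:
            return Customer(str(raw["id"]), str(raw["mail"]))
        if self._version == 2:
            data = raw["data"]                       # type: ignore[index]
            return Customer(str(data["customerId"]), str(data["contact"]["email"]))
        raise ValueError(f"unsupported upstream version {self._version}")


# --- Internal application code: unchanged across the upstream v1 -> v2 move --
def welcome_message(facade: CustomerFacade, customer_id: str) -> str:
    c = facade.get_customer(customer_id)
    return f"Hello {c.customer_id} <{c.email}>"


if __name__ == "__main__":
    for backend, version in ((external_v1_lookup, 1), (external_v2_lookup, 2)):
        print(version, welcome_message(CustomerFacade(backend, version), "c42"))
```

Swapping the backend from v1 to v2 changes one constructor argument and nothing in `welcome_message`; the extra upstream field is dropped by the façade rather than by every caller.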

While Intel is highlighted as a strong solution in this analyst note by KuppingerCole, Craig raises the following point:

“When data leaves any school, healthcare provider, financial services or government office, the presence of sensitive data is always a concern.”

This is especially timely as the healthcare providers, financial institutions, and educational institutions rush to expose their data using APIs to their partners.


Another classic case of Data Loss that could have been easily prevented

I was catching up on my reading from my security forums and this caught my attention. In a hack of the South Carolina (SC) state tax department, about 3.6 million tax returns were stolen. The stolen information included SS#, CC numbers, names, addresses, etc. But the one thing that caught my attention the most was this:

The hacked personal income tax returns included Social Security numbers and about 387,000 credit and debit card numbers, 16,000 of which were not encrypted.

Why would anyone choose to encrypt only part of the data? It looks like there is a policy and/or workflow flaw. I hope they didn’t do this based on identities. Were the red customers encrypted and not the blue? Check out my blog on context/identity-aware data protection to implement this the right way (link here). There is a reason why I am not paying my taxes using a credit card. At least not until they use Intel ETB (Token Broker) to protect that data :). If they had used our solution this wouldn’t have happened to begin with. We could have encrypted the sensitive data (PII) while preserving the format, and tokenized the credit card (PCI) information.

Your personal data is now yours….. maybe?

Recently the State of Alaska DHSS was fined a hefty sum of $1.7 million for non-compliance. This issue came to the forefront when a USB drive containing PII (Personally Identifiable Information) data was lost (or stolen). This is not the first high-profile incident in which stern action was taken by government agencies for someone losing or being careless with consumer data.

Recently I blogged about how California declared ZIP codes to be PII and what you should do to protect the information you capture, regardless of whether it is credit card information, patient data, or electronic health records. https://soacloudsecurityblog.wordpress.com/2012/04/02/perfection-series-how-do-you-definemeasure-perfection/

It is not just about tokenizing your data; you have to make sure your logs, storage, and monitoring systems are clean too. If you fail to do that you can be found non-compliant when a compliance/forensic analysis is done, because they look at all collateral repositories as well. I have previously blogged about being careful about leaving PII residue in your logs.

Remember the classic case of employees going after Starbucks about their personal data being carelessly handled.  https://soacloudsecurityblog.wordpress.com/2012/04/09/you-too-seattle/

And we all know about the FTC going after the data broker Spokeo, which paid $800,000 to settle FTC charges that it sold personal information gathered from social media and other Internet-based sites to employers and job recruiters without taking the steps to protect consumers required under the Fair Credit Reporting Act. http://www.networkworld.com/news/2012/061212-ftc-spokeo-260092.html?page=1

These are only a few examples of the revolution that is happening. For years we have had our data exposed, particularly personal information, and watched helplessly as our data was collected, sold, used, marketed to, abused and often stolen and circulated on the black market. Finally, the government and related agencies are stepping in to make a statement.

The core of all these issues stems from the fact that it is hard to fix the holes across your enterprise ecosystem. While you can continue to encrypt the data in as many places as you can, the human element still wins most of the time. There is also the question of your encryption algorithm’s strength, and of whether there is a weaker link somewhere in your entire process flow. That is why the newer model, “Tokenization”, is becoming very popular. Especially when you move your data, applications and processes to the cloud, you lose a lot of control: you lose control over the data trails, transport and storage (alerts, monitoring, logs, auditing, etc.), and, compounding this, you are at the mercy of the cloud provider. This exponentially complicates your ability to figure out how vulnerable your data is and could be very dangerous. Then there is also the issue of where all your data is flowing (or leaking). In particular, if your data flows to an application instance that is subject to export control laws and their exceptions for stronger encryption, this would mess things up. While you have to worry about using stronger encryption to protect your data, you also have to worry about complying with export regulations.

Intel Tokenization solutions would be a perfect fit in such situations. Our PCI and PII tokenization allows you to strike a balance between both issues. You can keep your enterprise data encrypted and tokenize the sensitive data when it is sent over the wire to cloud locations, partners, etc. Unless they are a whitelisted application, they won’t know where to go to get the original data. You can rest easy knowing that while your sensitive data is sitting safe and secure, only your tokens are floating around everywhere.
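The following is an added example, not Intel’s Token Broker code or any product’s implementation, that demonstrates the two ideas above in one place: a vault-style token broker that swaps a card number (PAN) for a same-length, Luhn-valid token and hands the PAN back only to whitelisted callers, and the "clean logs" check from the earlier post, a scanner that finds PAN and SSN residue in log lines. The vault is an in-memory dict here (a real broker keeps it in an encrypted or HSM-backed store); the whitelist names, the token layout (random leading digits, last four preserved) and the sample log lines are all constructed. One caveat the scanner handles: because tokens are deliberately PAN-shaped, a regex plus a Luhn check alone cannot tell a token from a real PAN, so the scanner consults the broker’s token registry before reporting a hit.

```python
"""Vault-style tokenization broker plus a PII/PCI log-residue check.

Added illustration only; not Intel's Token Broker or any product's code.
The vault is an in-memory dict (a real broker uses an encrypted/HSM-backed
store); the whitelist, token format and sample log lines are constructed.
"""
import re
import secrets
from typing import Dict, List, Set, Tuple


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers: True when the check digit matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenBroker:
    """Swaps a PAN for a same-length, Luhn-valid token; only whitelisted callers get the PAN back."""

    def __init__(self, whitelist: Set[str]) -> None:
        self._vault: Dict[str, str] = {}      # token -> PAN (the only place the PAN lives)
        self._by_pan: Dict[str, str] = {}     # PAN -> token, so repeat tokenization is stable
        self._whitelist = whitelist

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        last4 = pan[-4:]
        while True:
            # Random leading digits, one adjuster digit chosen to keep the token
            # Luhn-valid, last four digits preserved for display/receipts.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
            token = next(prefix + x + last4 for x in "0123456789"
                         if luhn_valid(prefix + x + last4))
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        self._by_pan[pan] = token
        return token

    def is_token(self, value: str) -> bool:
        return value in self._vault

    def detokenize(self, token: str, caller: str) -> str:
        """Only whitelisted applications can map a token back to the original PAN."""
        if caller not in self._whitelist:
            raise PermissionError(f"{caller} is not whitelisted for detokenization")
        return self._vault[token]


PAN_RE = re.compile(r"\b\d{13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_pii_residue(lines: List[str], broker: TokenBroker) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, value) for each PAN or SSN left behind in log lines.

    Tokens are PAN-shaped and Luhn-valid by construction, so the broker's
    registry is consulted to avoid reporting known tokens as residue.
    """
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            value = m.group()
            if luhn_valid(value) and not broker.is_token(value):
                hits.append((n, "PAN", value))
        for m in SSN_RE.finditer(line):
            hits.append((n, "SSN", m.group()))
    return hits


# Constructed sample: a payment log before and after the PAN is tokenized.
TEST_PAN = "4111111111111111"            # standard test card number, not a real account
SAMPLE_LOG = [
    "2012-11-01 10:02:11 INFO payment ok pan=4111111111111111 amount=42.00",
    "2012-11-01 10:02:12 INFO kyc check ssn=123-45-6789 result=pass",
]


def demo() -> Tuple[int, int]:
    """Residue count with the raw PAN in the log vs. with the token in its place."""
    broker = TokenBroker(whitelist={"settlement-service"})
    before = len(find_pii_residue(SAMPLE_LOG, broker))
    token = broker.tokenize(TEST_PAN)
    scrubbed = [line.replace(TEST_PAN, token) for line in SAMPLE_LOG]
    after = len(find_pii_residue(scrubbed, broker))
    return before, after                  # (2, 1): the SSN is still residue and needs handling too


if __name__ == "__main__":
    print(demo())
```

The `demo()` result makes the earlier point about collateral repositories: tokenizing the card number removes the PCI residue from the log, but the SSN on the second line is untouched and would still fail a forensic review until it is tokenized or masked as well.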

If you are interested either in PAN tokenization or PII tokenization (such as SS#, DOB, etc.), use the link below to check out our solution details and reach out to me if you need further details. http://cloudsecurity.intel.com/solutions/tokenization-broker-reduce-pci-scope

Also, check out this whitepaper by Walter Conway, QSA, who is an expert on this subject.

The “Intel” on Intel is we do software!

Are you surprised? I start off most of my presentations/ conferences with the following question:

How many of you know that Intel ‘does’ Software?

Very few hands usually go up, and that is exactly the challenge I have today in getting the word out about other exciting developments that people wouldn’t normally associate with this technology juggernaut. And while the Silicon Valley behemoth often conjures up images of powering a plethora of devices (including phones too!), its Application Security & Identity Products division (ASIP), my unit, is quickly escaping the formidable shadow of the “mother ship” as it gains prominence in the world at large with Cloud, Application Security, Identity and Tokenization software now being “top of mind”. The Intel ASIP group is on the cutting edge of innovation in a myriad of ways, with some very advanced technologies such as Cloud SSO, Cloud based Identity services, Identity Manager, OTP (One Time Password), Big Data, Analytics, API Gateway, Cloud Service Broker, Security Gateway, Mobile middleware and Security as a Service.

Every Intel commercial you see on TV, or through other media channels, usually promotes Intel chips as that is a core strength of ours. But I want you to be aware that we are far more than just chips. We are a leading edge technology company that constantly renews itself as well as its raison d’être. We hold more patents than almost anyone else in almost every field that we are in. And we employ an army of engineers in some of the largest research efforts in the world, with one of the largest research budgets.

There was a great article in Forbes not too long ago about how Intel is one of the largest software companies in the world that you’ve never heard about. Led by our fearless leader, Renee James – SVP of the Intel Software group, Intel recently announced Security as our third pillar. Our CEO Paul Otellini didn’t just stop there; he showed the world he meant it by acquiring McAfee soon after. However, we’ve also made some very key strategic acquisitions in the software security and identity areas to strengthen our position. Those include, but are not limited to: McAfee, Nordic Edge, Sarvega, WindRiver… (a complete list can be seen on the Forbes link below or at Intel.com). This is consistent with our strategy. We continue to acquire and develop a lot more software/security solutions with unwavering commitment.

You might be surprised to learn the following:

  • Intel turbo-charges the Linux community by putting hundreds of full-time engineers to work on the free operating system.
  • Intel’s tools helped Apple’s engineers move its Macintosh computers to Intel processors.
  • Intel helped Google move into the Smartphone business.
  • Maybe the company’s biggest software triumph has been its push into high-performance computing. Five of the ten fastest supercomputers in the world now run Intel’s chips.
  • Intel has a solution that helps companies Tokenize their sensitive data.
  • Intel’s Cloud Service Broker (CSB) and API Gateway solutions help companies seamlessly move their enterprise applications to the cloud.

Along these lines, Intel has been a pivotal partner on many projects that have helped to move the “proverbial needle” by developing tools, frameworks and enhancements – all of which often have gone unrecognized since the efforts are not branded with any kind of Intel logo.

With the acquisition of security software vendor McAfee last year, Intel became one of the world’s 10 largest software companies. – Forbes May 2012.

If you have time, I suggest you give our annual report a read. You’ll get a first-hand look at the contributions of the software division. They are impressive. Just from the numbers alone, we could easily be considered one of the largest software vendors in the world.

We, the software group of Intel, get access to information coming from the advanced security labs of McAfee and the extreme performance labs of Intel. This allows our software unit to understand what is coming down the road and architect solutions for the future. That is why, when you choose Intel for any of the aforementioned products, our performance numbers compared against our direct competitors are truly outstanding. If you have any questions about this, please give me a shout and I will demonstrate to you how awesome we really are.

A very familiar Allstate commercial asks, “Are you in good hands?” With Intel, I can guarantee you are.

Intel Cloud SSO – Control your Cloud Identities

If you were in a cave, hunting hibernating Siberian bears, you might have missed this news. Intel made a big splash last week by announcing the solution to manage cloud based identities. This is a brainchild of my unit within Intel and I am so proud of our guys who took the concept to execution; beta to GA in just about a year. What is more impressive is that we are the “First, and currently, the ONLY” force.com based Identity provider. While many can follow suit, the original idea was conceived and well executed by our guys, who spent many sleepless nights on this. Congratulations, guys! You showed the world how to get things done well and fast.

Salesforce Adds Intel Cloud SSO

By Stefanie Hoffman



Service providers might be able to add security to the list of reasons to move customers to cloud applications with a partnership that enables Intel’s Cloud Single Sign On to be delivered on SalesForce’s social enterprise platform.

Intel delivers cloud-based identity application to salesforce

By Staff Writer

Computer Business Review


Cloud SSO deployed on Force.com is now available via salesforce.com’s AppExchange and Intel

Intel Cloud SSO lets IT manage SaaS apps

By James Furbush



Intel has entered the Identity as a Service space this week with software that provides a way to secure employee access to SaaS apps.

Intel Rolls Out Cloud SSO Identity Solution

By Darren Allen



Intel has announced Cloud SSO, a cloud-based identity and “Access Management-as-a-Service” system which is now live on Force.com, Salesforce’s social enterprise platform.

Intel announces Cloud SSO link-up with Salesforce

By Matthew Finnegan



Intel has announced a cloud based identity management system for social enterprise apps through Salesforce’s Force.com.

Intel unveils cloud-based SSO service

By Rene Millman



Intel has revealed a new cloud-based single sign-on service that integrates with Salesforce.com and will allow customers to ditch on-premise password management.

Intel Cloud SSO Goes from Private Beta to Public

By Staff Writer

Sys-Con Media


We’re happy to announce general availability of Intel Cloud SSO IAM-as-a-service today after running it in private beta mode for 2 months with select customers.

Intel brings Cloud SSO to Salesforce’s Force.com

By Rachel King



Salesforce.com is integrating Intel’s Cloud SSO to provide enterprise customers with single sign-on access to Force.com and thousands of cloud-based apps.

Intel launches cloud-based single sign-on service

By Antone Gonsalves


Reposts: Network World, Computerworld


Intel launched a cloud-based password management service on Wednesday that has been tightly integrated with Salesforce.com to give its customers an alternative to on-premise single sign-on software.

Intel and McAfee team on cloud single sign-on

By Iain Thomson

The Register


Intel and McAfee have been talking about the fruits of their merger and their plans for a cloud to computer security network that will be built into new systems.

Intel Cloud SSO: Single Sign On Across Cloud, SaaS Apps

By Joe Panettieri

Talkin’ Cloud


Intel, leveraging the Salesforce.com cloud, has developed a single sign on (SSO) solution for cloud computing. Intel Cloud SSO stores user identities on Force.com, and leverages that information to authenticate users across multiple third-party cloud applications.

Intel Wants to Manage Your Passwords in the Cloud

By Penny Crosman

Bank Technology News


Intel and McAfee (the security software company Intel acquired in 2011) are today rolling out software for providing such single sign-on across all software-as-a-service applications, with user names and passwords stored and managed in Salesforce’s cloud utility, Force.com

Intel, McAfee launch Cloud SSO, expect busy year

By Staff Writer



As a first step to this, the companies have launched Cloud SSO, a single sign-on facility developed to manage authentication for a range of cloud applications that can be used to supplement or replace existing access management systems.

Articles in press

Tax man cometh – Whose Identity is it anyways?

If you are like me, I am sure you waited until the very last minute, milking every second of it, before you filed your taxes last week. Now that it is all taken care of, I want to talk about a video that I happened to watch on CNBC about how an innovative tax scam is evolving. This is about how any individual who files taxes can be scammed, so you had better read up. (No, I don’t have a solution that I want to sell you and make money; I am just being a good citizen educating others who follow my blog.)

First of all, as I was sitting there watching how that is done, CNBC was pretty much giving away step-by-step instructions on how to do it, and I was wondering why CNBC was broadcasting it to the whole world. Much the same way as the Discovery channel would broadcast our weapons capabilities to our enemies. Anyway, this simple scheme works like this.

The identity thieves are getting bolder and smarter these days. They gave up on applying for credit cards and loans using your name now that you can freeze your credit or have an alert set to notify you when suspicious activity happens using your name. Unfortunately, they are going after the IRS’s inefficiencies and lack of security verification, taking advantage of an easy exploitation window that occurs once each year.

What is shocking is that the IRS requires ONLY a name, SS# and DOB to file a tax return. That is it, mamma mia! They don’t check whether the filing address is the same as last year (or years), why your filing status has suddenly changed, why you don’t have proper W2 filing information, why your dependents have changed, etc. Maybe it is just me, but when I see a tax return in which every piece of information from last year has changed, shouldn’t that flag something for them? Thieves have people working for them at places such as hospitals, car dealerships, etc., who pick up this information, but of course these are easy pieces of information that you can even buy as a list from online sources. Worst of all, if they target the dead, active military service personnel, or people abroad, it can be months or years before anyone finds out. The thieves then make up income, withholding taxes, and deductions and have the refund wired to a pre-paid debit card that can be used in retail stores and banks to cash out. Contrary to what people think, the IRS takes days, or months, before they verify/match up the income stated in your tax return. By that time, neither the IRS nor you have any means to trace these guys. What is worse, the IRS thinks you owe them that money, as they supposedly paid it out to you. Ouch!

According to the IRS, they stopped about 200,000 questionable returns worth $1.15 B. Imagine how much slipped through. This is all because of the IRS’s inability to verify identity. Identity is the main cause of this fraud. Wow! Fair enough, the IRS has to process about 145 million tax returns with about 110 million refund requests, but come on, with about 75% of the population filing electronically, how difficult is it to do a colon search on the remaining 25%? (BTW, if you file electronically they ask you for information from last year’s tax return before they accept it. But the problem is that if yours was already filed by an identity thief as a paper return, you can’t file at this point, so you are scrutinized but they are not – double whammy, huh?)

Why is it so easy for the identity thieves to do this?

Hard to detect, easy to cheat, takes months before the issue is found, and the thieves know the loopholes in our system.

Fix: Have a government mandated universal identity system with bullet proof detection. (ya right, like that is going to happen).

Right now it is done mostly by small time scammers, just imagine if a well organized crime gang or a foreign government funded group picks this up. We will all be screwed.

http://www.cnn.com/2012/03/20/us/tax-refund-scam/index.html

How could this be fixed? Well, very simply:
1. In tax returns, ask for something from last year that only you would know – such as your AGI, your total deductions or even your refund amount.
2. Mail the check to the address on last year’s return. If the address given is different from last year’s, put the return on suspend.
3. Debit only to last year’s bank account, and stop fly-by-night refund activities such as the debit card scheme.
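As an added example of what the three fixes look like as a screening rule (constructed code, not IRS logic or any real system’s), the function below compares a newly filed return with the prior-year record: it requires a value only last year’s filer would know (the AGI), suspends the return when the mailing address or refund account differs from last year, and routes the "everything suddenly changed" cases (filing status, dependents) to review. The `TaxReturn` record, its field names, the `taxpayer_id` identifier and the sample records are all assumptions made for this example.

```python
"""Prior-year cross-checks for a newly filed return.

Added illustration only; not IRS logic or any real system's code. Records,
field names and sample values are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TaxReturn:
    taxpayer_id: str      # internal identifier, not the raw SSN (assumption)
    agi: int
    address: str
    bank_account: str     # direct-deposit account; "" when a check or prepaid card is requested
    filing_status: str
    dependents: int


def normalize_address(address: str) -> str:
    """Case- and whitespace-insensitive form, so a re-typed address does not trip the check."""
    return " ".join(address.upper().replace(",", " ").split())


def screen_return(current: TaxReturn, prior: TaxReturn,
                  claimed_prior_agi: int, already_filed: bool) -> Tuple[str, List[str]]:
    """Return ('accept' | 'review' | 'suspend', reasons) for the current filing."""
    if already_filed:
        # A second return for the same taxpayer in one year is never paid out automatically.
        return "suspend", ["a return for this taxpayer was already filed this year"]
    hard: List[str] = []
    soft: List[str] = []
    # Fix 1: something from last year's return that only the filer would know.
    if claimed_prior_agi != prior.agi:
        hard.append("prior-year AGI does not match")
    # Fix 2: refunds go to last year's address; a new address suspends the return.
    if normalize_address(current.address) != normalize_address(prior.address):
        hard.append("mailing address differs from prior year")
    # Fix 3: deposit only to last year's account; no new prepaid-card payouts.
    if current.bank_account != prior.bank_account:
        hard.append("refund account differs from prior year")
    # Sanity checks: sudden status or dependent changes should at least flag review.
    if current.filing_status != prior.filing_status:
        soft.append("filing status changed")
    if current.dependents != prior.dependents:
        soft.append("dependent count changed")
    if hard:
        return "suspend", hard + soft
    if soft:
        return "review", soft
    return "accept", []


# Constructed sample records.
PRIOR = TaxReturn("TP-0001", 61250, "12 Main St, Boston MA", "ACCT-777", "single", 0)
SAME_FILER = TaxReturn("TP-0001", 63000, "12 main st  boston ma", "ACCT-777", "single", 0)
EVERYTHING_CHANGED = TaxReturn("TP-0001", 90000, "99 Elm Rd, Miami FL", "", "married", 3)
NEW_DEPENDENT = TaxReturn("TP-0001", 63000, "12 Main St, Boston MA", "ACCT-777", "single", 1)


if __name__ == "__main__":
    print(screen_return(SAME_FILER, PRIOR, 61250, False))
    print(screen_return(EVERYTHING_CHANGED, PRIOR, 50000, False))
    print(screen_return(NEW_DEPENDENT, PRIOR, 61250, False))
```

The `EVERYTHING_CHANGED` record is the pattern the post describes (new address, prepaid-card payout, changed status and dependents, wrong prior-year AGI) and collects five reasons, while a genuine filer who merely re-typed the address passes, and a real life change such as a new dependent goes to review rather than being refused outright.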

Unfortunately, the IRS is not doing any of this. I can think of a roundabout way this can be prevented, but I would love to hear from you all if there is a way we can all benefit by stopping these identity thieves.

Let me know your thoughts and save your fellow geeks from losing their hard-earned money.
