Pivot3's latest round of $25 million in funding will spearhead its entry into international markets as well as help bolster its line of integrated storage appliances.

With the venture capital infusion, Pivot3 will open its first offshore sales office and demonstration lab--in Tokyo--which will support the larger Asian market. Pivot3 sells IP-based storage area network (IP-SAN) appliances that integrate video management software from a menu of partners--delivering surveillance management and terabyte-level storage in one box. The company is coming off its first sales in the Pacific Rim region, having made recent installs in South Korea, said Lee Caswell, co-founder and chief marketing officer. The company also plans to double its U.S. sales force to 20 from its current 10, he said.

Cisco adds dispatch console, interoperability for smart phones, other mobile devices to IPICS 4.0; APIs bring in PSIM, other systems

Cisco today is announcing availability of its IP Interoperability Collaboration System (IPICS) 4.0, styling it as a replacement for old, immobile dispatch consoles because of its ability to create a "collaborative" mobile incident management session among first responders, pushing and pulling live video and other media to an array of devices, including smart phones as well as traditional UHF/VHF radios.

Further, IPICS 4.0's policy engine "complements" physical security information management (PSIM) solutions an agency or enterprise might have in place, with the PSIM solution potentially pushing response templates to IPICS and its dispatch console, said Craig Cotton, senior director of product marketing, physical security business unit, at Cisco in a pre-release briefing with Security Squared.

The Cloud, Convergence, Consumerization and Common Sense

An RSA Roundup

The Cloud has been everywhere at RSA this week, permeating presentations and vendor discussions and casual discourse almost as much as foreign-originating cyberattacks.

What the tone of conversation reminds this writer of is the earliest days of the Web, when it was becoming obvious the Web and the Internet were disruptive, game-changing technologies--but no one truly knew exactly how the game would change or what their new position in it would turn out to be.

Worried about being left behind, many companies scrambled to "get on the Web." Some had a vision; others did it just to say they were there, often spending a lot of money for those bragging rights. It wound up taking some years before it became clear how to integrate the Web into business processes and make the Web work as a tool.

The breathless cloud discussions at the 2010 RSA Conference in San Francisco have some of this tone of "we've gotta be in the cloud!" As we've talked to smart, smart people in security and identity management from CA, Hewlett-Packard, IBM, Microsoft, NetIQ, Novell, Splunk and VidSys, it's clear that some plain common sense needs to temper some of the cloud conversation--at least, if companies are to use the cloud with their security policies and procedures intact.

Strong Authentication Flexes Its Muscles at RSA

Gemalto, PassLogix, Entrust Talk Strong Authentication

Authentication, authentication, authentication--at least two factors of it, possibly more--that's a mantra we're hearing a lot at RSA this week, with a range of vendors from well-established global giants like Gemalto and HID to Innovation Sandbox players like KikuSema GmbH and RavenWhite presenting solutions for how to ensure the person accessing an application is actually the physical person you think it is.

Multifactors of authentication--something you have, plus something you know--seem to be gaining credence as the baseline for secure authentication. "I don't think you can go to the cloud without two-factor authentication," said Ray Wizbowski, director of marketing communications, North America, for Gemalto, which provides a range of digital identity assurance solutions.

Further, using at least two authentication factors helps users break bad security habits and think more about security, he told Security Squared. "By introducing this technology, it makes people more mindful of security," Wizbowski said.

First American Title Insurance Company creates audit trails, improves productivity with role- and criteria-based identity management and user provisioning

Microsoft yesterday announced at the 2010 RSA Conference the official release of its Forefront Identity Manager, an identity and access management tool designed to work across heterogeneous systems, including card management systems.

Brendan Foley, director of product management in the identity and security business group at Microsoft, briefed Security Squared about that announcement. We'll have more in coming days about Forefront Identity Manager (FIM), especially its use of claims-based assertions, its ability to synchronize identities across disparate sources and how it integrates with strong authentication methods and their support systems.

For now, we'll let users tell the FIM story: At the briefing, we also spoke with First American Title Insurance Company, in the persons of Cameron Cosgrove, vice president, infrastructure; and Scott Weir, IT manager, desktop architecture group. They talked about their experiences with using FIM for role- and criteria-based identity and access management.

The convergence angle: Cosgrove and Weir discuss associating First American Title employees with identities rather than IP addresses--and the identities are built on roles and criteria that conceivably could include physical access rights. Further, those physical permissions could be correlated with data access rights, and both might vary with an employee's location on any given day, with FIM provisioning and deprovisioning in the background on the fly. As Weir says below, employees always have access to the resources they need, while First American has a clear audit trail for compliance.

Also of convergence interest: Cosgrove and Weir are evaluating multifactor authentication solutions at RSA to complement their logical access solution. Multifactor or strong authentication schemes are a natural intersection between the logical and physical identity worlds.

What follows is a transcript of our conversation at the RSA Conference Tuesday, edited for clarity.
*****
Cameron Cosgrove, First American Title: Our industry is real estate, and our fundamental business is property title insurance, helping people transact their real estate business. We are a global company, and we have a footprint of about 13,500 employees in the United States [and] we have deployed FIM to all 13,500.

One of the first challenges we wanted to address is the provisioning of users and deprovisioning. With 13,000 people all across the U.S., we are serving markets that are large and small, so we have large offices and small offices in the U.S. Employees need access to the system quickly--or when they leave, we need to de-provision quickly. Prior to FIM, we were doing that manually through HR requests, tickets going into our help desk. It would probably require a day or two days of elapsed time to complete by the time we would gather all the pertinent information about the new employee.

Top Six Threats Report Results Released at RSA Conference

How do you know who's doing what in the cloud you've built, bought or rented? The answer for too many early cloud adopters is: They don't.

That's one of the results caused by the six key security risks of cloud computing, being presented today in a report commissioned by HP and conducted by the Cloud Security Alliance. Three of these risks, categorized as "abuse and nefarious use," "malicious insider risks" and "account service and traffic hijacking" each relate to an enterprise's ability--or inability--to authenticate who is getting to the cloud and authorize and track what they are doing once there.

"The cloud is not occupied by your IT person--you really have no idea what's going on in there," said Chris Whitener, chief security strategist, HP, to Security Squared in a pre-release briefing. He suggested some IT departments are too quick to assume the cloud practices the same security measures they do. "Faith-based IT is a real problem." 

The other three risks are insecure application programming interfaces (APIs); shared technology vulnerabilities; and data loss and leakage.

Whitener noted that none of the six threats is unique to the cloud: disgruntled or thoughtless employees can misuse or lose data stored on USB drives, while bad programming is bad programming wherever it occurs. However, cloud architectures tend to amplify the impact of one user's actions, he said.

"If you can swipe one account, you have access to a lot more within the cloud," Whitener said.

Similarly, even if just a few companies use poor security connecting to or within the cloud, they could be increasing the risk profiles for other cloud users. "That's probably the most prevalent right now," he said.

From a converged perspective, extending identity management and strong authentication practices out to the cloud seems to be making a lot of sense. The challenge is, as Whitener said, many enterprises seem to think there's not much risk in just giving the cloud a try.

"If you're going to do something in the cloud, think about it," he said. Consider the risks, how the application and its data might be used by other departments or users, think through security, Whitener urged. "Don't just slap it up."

During RSA, Security Squared will be talking with a variety of identity management vendors, including CA Security Management, HP, IBM, Microsoft and Novell, about their view of extending identity infrastructure out to the cloud and where they are in supporting physical/logical identity convergence and related security policies that seem to us to be key building blocks in making the cloud safe and compliant.


PhoneFactor Builds on Strong Authentication Platform with SMS

Vendor Claims to Be First Offering Text-Based Out-of-Band Authentication

PhoneFactor today announced it is adding Short Messaging Service (SMS) to its two-factor authentication platform. It's one of several announcements and demonstrations of strong authentication pervasive at this year's RSA Conference.

With PhoneFactor's original authentication platform, users enter a user name and password into an application. The PhoneFactor system then places a call to the user's telephone; authentication is achieved when the user answers. A user may also enter a PIN for another layer of security.

With its new SMS-based platform, PhoneFactor sends a one-time pass code to the user's mobile phone. The user authenticates in one of several ways, depending on the security requirements: texting back the code; entering the code into the application; entering a PIN plus the code. For very sensitive applications, PhoneFactor also offers voice biometrics.

In a pre-RSA briefing with Security Squared, PhoneFactor CTO Steve Dispensa emphasized the authentication in all cases occurs "out of band," that is, on a second channel. "With out-of-band, compromising the computer isn't enough to cause problems," he said. A cybercrook may have obtained a user's ID and password--but is unlikely to have the user's telephone or mobile device, which is a different device on a different network.

Even if the cell phone is lost, Dispensa pointed out, users generally are quick to notice that and take steps to get a new one. That's in contrast to the time it might take to notice a rarely used keyfob or other token is missing.

The SMS-based platform could help enterprises address the issue of SQL injections and man-in-the-middle attacks, in which bad guys take over a legitimately authenticated Web or VPN session. In those cases, Dispensa said, "The only thing that doesn't look right is the transaction itself."

In these situations, a text message could be sent that includes details of the transaction, such as a funds transfer amount and destination, and prompts the user to indicate whether the transaction should be permitted. The application owner can even use a fraud alert code the user can punch in immediately to signal trouble.

Dispensa noted the flexibility of PhoneFactor's authentication platforms to integrate with a variety of applications and support various use cases, all without custom programming. The platform integrates with Active Directory or an LDAP-based directory, synchronizing its user accounts with those in the enterprise directory. So it integrates with enterprise Single Sign On solutions and can replace other one-time token devices.

PhoneFactor's platforms could also be used as a second authentication device at physical access points, Dispensa said, such as providing a code needed to enter a restricted area.

For users turning to smart phones to transact web business, as long as the voice and data channel are separate, the out-of-band security separation holds, he said.

Strong authentication is one of the themes at RSA this year, with a number of companies presenting new or enhanced solutions for helping enterprises ensure the physical person signing into an earthbound or cloud-based application is who they think it is. Security Squared will especially be looking at how these solutions intersect with and enhance other security systems.


Milestone To Train 'Green Beret' Integrator Force

As part of an aggressive attack on the high-end of the video surveillance management system market, Milestone Systems is offering integrators an intensive training program for winning business from Fortune 1000 companies.

Unveiled at last week's Milestone Integration Platform Symposium in Hollywood, the Milestone Value Selling (MVS) Program aims to create a "Green Beret" level of channel partners, said Lars Thinggaard, president and CEO of the company, in a reference to the U.S. Special Forces, an elite branch of the U.S. Army whose members are specially trained for extremely difficult and hazardous missions.

The MVS Program will focus on identifying and communicating the return-on-investment propositions integrated security systems can offer large end-users. Integrators will learn how to identify and understand a large enterprise's strategic business mission and its risk factors, and then design an effective solution that addresses both.

Security Consultants International will provide the two-day training course, Thinggaard said.

After addressing the opening session of the MIPS meeting, Thinggaard expanded on the Value Selling Program and its significance for integrators in the video interview below.


 
 
Ping Identity on Cloud Identity Security Fundamentals

At SecureWorld Expo in Houston last week, Security Squared's Sharon J. Watson talked with Mike Donaldson, vice president-marketing for Ping Identity, which offers identity solutions for cloud computing and federation of identities among trading partners.  She asked Donaldson about the fundamental steps an enterprise should take to ensure it knows who is doing what in its cloud-based applications and data.



Milestone Launches Smart Client Upgrade

Milestone Systems has issued a new release of its XProtect Corporate video management software coupled with a substantially upgraded version of its Smart Client graphical user interface that makes VMS control and operation easier for rank-and-file security personnel.

Unveiled Thursday during its 2010 Milestone Integration Platform Symposium (MIPS) in Hollywood and carried live worldwide via webcast, Milestone XProtect Corporate 3.1 features support for Microsoft Windows 7 and Server 2008 Release 2, a server failover feature for additional redundancy, and streamlined installation and optimization procedures.

But the most significant addition to the package is Smart Client 5.0, the latest version of the XProtect graphical user interface. The upgraded interface increases the space for camera windows while reducing and simplifying menu bars and pull downs, said Eric Fullerton, Milestone's chief sales and marketing officer, who declared it "the most user-friendly GUI on the market." The new version of the software is available now and can be downloaded from the Milestone web site.