Category: RSA

Nov 02

That’s my View and I’m sticking to it

Minimizing the clicks & Better Performance

As some of you may know, I’m a user (and fan) of virtual desktops. I’ve been using a VMware View-based virtual desktop now at EMC for about 2+ years. This works well for me because I use my personal MacBook rather than a company issued laptop. I like to keep that separation between what’s mine and what’s EMC’s. I do all my “EMC” work on the virtual desktop. Email, timecard, etc…

So, when new VMware View clients came out, I jumped over to see what’s new. I’m happy to report that a couple of things caught my eye.

URI Support

Screen Shot 2012-11-02 at 11.33.51 AM

The first is the new URI support for the VMware View client. You can now launch the VMware View client from your browser, passing certain characteristics to the client. The URI would be vmware-view://. That was interesting to me as I wanted the ability to launch a URL with the VMware-View URI for specific use cases. Primarily, I wanted to launch the View client with different sizes. One for fitting well on my Macbook Air screen and another when I’m using an external monitor. I looked into the documentation and found this was trivial to set up.

vmware-view://mike@my.view.server.com/MikeF%20Desktop?desktopProtocol=PCoIP&desktopLayout=1280×854

Obviously, I’ve changed the username and server name and desktop name in the above URL. But, as you can see, I can specify the protocol, PCoIP or RDP and the size of the screen, in this case 1280×854. According to the docs and a blog article by Kristina De Nike at VMware you can change all sorts of things. Here’s a list from the blog.

  • View Connection Server address
  • Port number for View Connection Server
  • Active Directory user name
  • Radius or RSA SecurID user name
  • Domain name
  • Desktop display name
  • Window size
  • Desktop actions including reset, log off and roll back
  • Display protocol
  • Options for redirecting USB devices

Screen Shot 2012-11-02 at 11.37.07 AM

How do I get this so I can just click on a desktop icon, add my password and go? By creating a .URL file using a text editor. This .URL file is understood by both PC and Mac browsers and will do the right thing. Here’s the format:

[sourcecode language=”text” padlinenumbers=”true”]
[InternetShortcut]
URL=vmware-view://mike@my.view.server.com/MikeF%20Desktop?desktopProtocol=PCoIP&desktopLayout=1280×854
[/sourcecode]

Copy that into your text editor and save it as a .URL file on your Windows or Mac desktop.

How does this work with things like SecurID? <shameless plug for my employer> It works just fine. When I’m at home and I double-click the icon, I’m prompted for my SecurID credentials and then my Active Directory credentials. When I’m in the office on the corporate LAN, I’m just prompted for my Active Directory credentials. Someday, I would LOVE it if 1Password could fill in the login info, but…

Performance

This now leads me to the second thing I found out with the new VMware View clients. I was originally going to have two .URL files on the deskop. One for RDP and one for PCoIP. The reason being is that I use a USB 2.0 to DVI DisplayLink adapter from Monoprice.

image

As you can imagine, it doesn’t really have a lot of horsepower for graphics. Earlier VMware View clients for the Mac running PCoIP would choke horribly on this device. I used RDP for the past year when I wanted my virtual desktop on the monitor connected to the USB/DVI adapter. But lo and behold, I started up the new View client using PCoIP on the 2nd monitor and it works beautifully! I don’t know what VMware changed, but I sure am glad it’s working. I can now resize at will and as I write this, I have a View session going at 1440×1024 with great performance!

So, to wrap up, the new VMware View clients make it easier to launch the client just the way you like them and if you’re using DisplayLink devices like the Monoprice adapter and the DisplayLink 1.8 drivers you’ll get decent performance to boot.

I hope this was helpful. Please share your comments!

thanks,

mike

Oct 10

Dude, that’s so Meta

This isn’t going to be a blog posting about me writing a blog post. No, I’m referring to metadata. I recently read an article on Digg about Apple’s new Maps app and the accumulation of metadata. The amount of stuff Google, Apple, Amazon, etc are collecting is huge. Read about this recent Apple patent on metadata and what sorts of things they are planning to use it for. (this is a must-read by the way)

If you’ve been following my rants…er…blog, you’ll remember a posting recently where I talked about metadata in a virtual environment. Well, for a change and because this is a short post, I’m not going to talk about virtualization..

Nope, I’m thinking of the metadata itself. More and more applications and devices are generating metadata. Location information, accelerometer data, usage patterns, etc…(see that Apple patent I mentioned earlier!) Lots of great data that I believe will eventually be consumed by security vendors. Many in the industry are investigating the use of metadata to provide multi-factors of authentication. But here’s my worry. How much of that data can you trust? Meaning, is the data valid? Was the device that generated the metadata compromised? Was the email and calendar server that we’re storing our work and home life compromised and some data changed (example: location data of a meeting last week)? If we are using metadata for factors of authentication, can we live with some of it being compromised or of questionable value? I say “Yes”. Read on…

My new security term – The Tidbit

tid·bit

 [tid-bit]
noun
1. a delicate bit or morsel of food.
2. a choice or pleasing bit of anything, as news or gossip.

I’m a foodie so let’s run with the “morsel of food” analogy, shall we? One morsel isn’t going to make a meal. But, like going to a tapas bar, when you order up a bunch of tasty morsels you’ve got yourself a meal. Let’s think of that in the context of security. Now, just one tidbit, in this case, your current GPS location, isn’t going to get you thru the VPN, but what about multiple tidbits? Will that be “good enough” to replace passwords for some folks? (probably. I’ve seen crazier things happen) Will that make a “secure” meal? Obviously, that’s a decision of for you to choose. I always like to say “apply the right level of security based on the sensitivity of the data”. For some things like accessing a corporate web page that only contains reference information then a couple of tidbits might be ok. But for VPN, because it’s far more intrusive into the corporate infrastructure, I might need two or more tidbits PLUS SecurID.

But what if the metadata is compromised?

Ok, now that we’re looking for that security meal that will allow me access to what I need to get to, we have to start to think of how it can be compromised. Like a meal, will one bad tasting tidbit kill me? Probably not. I’ll probably spit it out and push it off to the side of my plate.

Well, if I’m using all these cool geek tidbits like GPS, accelerometers, photos, meeting information, etc, I can then safely toss any that are suspect and maybe bring a new tidbit online to replace them. Or maybe, I’ll change from the server side what tidbits I’m looking for randomly, ensuring that I’m staying one step ahead of the bad guys. (Hey, that’s adaptive authentication!) After all, what I’m looking for is a sum of the parts, not the parts themselves. Just like a bunch of unclassified data, when put together, can produce classified data.

The point being here is that no longer will we have a one size fits all methodology to authentication. There are new methods for verifying people on the horizon. Mash that up with Big Data and you get a world where in order to confirm a transaction on your mobile phone the app (and back-end server) knows you’re in Lowe’s and tells you to go to Aisle 16 and scan the bar code of a specific product before it processes your transaction.

Feasible? Sure. Practical? Well, we’ll see, won’t we?

Your thoughts?

mike

Sep 27

Would you pay for the TruCoat?

“I’m saying, that TruCoat, you don’t get it you get oxidation problems it’ll cost you a heck of a lot more than $500…”

For those of you playing along, you probably remember this line from the movie “Fargo”. William H. Macy, playing car salesman Jerry Lundgaard, is arguing with a couple about tacking on an unwanted option called “TruCoat” for $500. It’s one of those things that car dealers use to increase their margins. Watch the video here but be warned, there’s a part at the end that’s NSFW.

Jerry Lundgaard selling the TruCoat

So what’s all this got to do with virtualization and cloud security?

Well, in my talking with customers and cloud service providers, the topic of tiered offerings always comes up. You know, the “Gold, Silver & Bronze”. I’ve asked Cloud Service Providers about including security in those tiers and have been met with “Well, maybe, but it would have to re-coup the investment.” (It IS all about the Benjamin’s, isn’t it?)

That got me thinking about TruCoat. A product that Jerry Lundgaard is selling not because it adds value but because it’s got a GREAT profit margin. Not unlike doing the least amount of “security” (Checkbox Security) and charging the most for it. Not really bringing value but charging like you do. I’m not accusing anyone of doing that, but I wonder if maybe some less than reputable vendors (Joey’s Transmission and Cloud?) would head in that direction?

You see, this goes back to security being bolted on .vs. built in. If, in the Gold tier, you add in network packet monitoring and two-factor authentication, you as the cloud service provider are making a significant investment. You need to get that investment back and start to make a profit. How do you explain the TRUE value of the service you offer? Or, like Joey, you just upsell a little anti-virus and firewalling that you’d do anyways because, at scale, it’s not a big hit on the bottom line? Just like the TruCoat.

Clarification: AV and Firewalls are absolutely part of a good defense in depth story. But they are now, especially with the capabilities of vShield, a “commodity” item that is easy to set up and doesn’t impact the bottom line like other security products would.

Buying Value

Customers will pay money for something of value. I haven’t met many people who buy junk intentionally after all! That said, trying to meld security and value together in a cloud environment will be an interesting journey. Today I think it’s a bit of a chicken and egg. Many customer SAY they want secure clouds but how many are willing to pay for it? Cloud Service providers would like to offer security but, let’s face it, it’s not cheap and, as I said, how many are willing to pay for it?

What are your thoughts? Will customers start to demand things like GRC, packet inspection, two-factor authentication? Or will firewalls and anti-virus “check the box” for them?

For some, the response will be “Ya! You betcha!”