I’ll have to paraphrase since the talk was almost a year ago. But Sachs said something like “Identity is really hard. Leave it to the professionals.” Essentially he was advocating for the use of Google or a SaaS identity provider–or, in other words, he was saying that identity is too difficult for the masses.
Gluu is not anti-SaaS. In many situations we recommend SaaS providers like Okta to organizations that do not have the economies of scale to operate their own identity service. Nor do we underestimate the capabilities required to run a robust identity and access management service.
Nor are we anti-Google. We frequently point to Google as having the best consumer identity platform on the planet (note: consumer, not enterprise). From a usability perspective they have gotten so many things right; support for strong authentication is excellent; obviously it scales. And Google is on the cutting edge of new security paradigms–for example, their tight integration of identity with document sharing is wonderful.
But the idea that an identity platform is too hard or even inefficient for most organizations to operate is not accurate either.
As Google can probably attest, excellence at identity is a competitive advantage. The future of many organizations hinges on their ability to adapt to the digital revolution that is underway. If your organization’s capability to secure digital assets is constrained by a third party, will that impact the ability to innovate new products, services, and business relationships? What’s more important: top line growth or cost savings?
SaaS, like any utility, is made possible by two things: capital and established operating process. It is the latter that presents a potential conflict of interest for the utility. The biggest cost for a SaaS identity provider is people. To achieve maximum profitability, the best strategy is to reduce the support surface area.
Innovation is not always in the interest of enterprise SaaS providers. Supporting the latest and greatest technology is risky–if something fails, a SaaS provider may have to continue to support it for years (as long as some of their customers are still using it). This creates an atmosphere of extreme risk-aversion when it comes to enhancements. But for your organization to succeed, you may need to push the technology envelope.
Anything that is unfamiliar is hard. Is identity hard, or just unfamiliar?
I remember attending Microsoft seminars years ago about how to deploy a Kerberos server. Why is no similar effort underway to evangelize the adoption of OpenID Connect providers? All of a sudden it’s just too hard? Or, is it that operating an OpenID Provider is a valuable trade secret that will no longer be shared with the public because the monthly fee business model is more profitable?
I love utilities as much as the next person. I am not going to suggest that you build your own electricity plant to power your factory. But it’s important that we not dumb down the security capabilities of our organizations–in fact, we should be doing the exact opposite. Only then will we be able to build a new secure, inter-connected digital society.
Recently I authored a paper and presented a BrightTALK webcast on the same topic: "Threat Centric IAM". Both the paper and the talk were well received by the 12 or more CISOs I met. Quite often they came back to me with further questions about the people, process and governance aspects of this approach, hence this blog entry. One of the interesting trends in enterprises that I have witnessed in the past few years is CISO organizations folding the IAM resources under the CISO, as opposed to having IAM resources distributed within IT and related groups. In the past, IAM staff with expertise in authentication, SSO, IDM provisioning and externalized fine-grained access (entitlement developers) sat in the IT organizations that run IT support services, or within application development teams. With the technology trend moving towards cloud adoption by IT and SaaS models by application groups, and given that IAM is a key control amongst all security controls and is significant in addressing compliance reporting, IAM teams are being folded into the CISO organization as a new parallel pillar. This is further necessitated by the mobile and IoT trends as business enablers. To us this reflects the increased significance given to IAM by the CISO organization and the recognition that IAM is a critical core control for all distributed security controls (intra- and inter-enterprise). It also helps in leveraging resource expertise across an entire enterprise, as authentication is a service that gets reused, as is IDM provisioning as a service, and authorization as an externalized enterprise-wide entitlement service that can integrate into risk systems (for risk-based access), etc.
This is a welcome development, as the IAM team works closely with Security Architecture and Engineering while modernizing and maturing its IAM programs (via standards interfaces and policy compliance), driven by requirements coming from the Risk Management and Compliance teams. In addition, the IAM team now has opportunities to partner with Security Operations and the cyber security team to work on “threat modeling” of the as-is IAM footprint and to drive towards “Threat Centric IAM”–integrating threat intelligence and recommended courses of action (STIX COA) into IAM controls one step at a time. This can include threat intelligence integration into IAM vetting/proofing processes, IAM provisioning processes, authentication and multi-factor authentication processes, network admission control processes, cloud access security brokers and enterprise fine-grained access controls, including database firewalls and DLP systems. Folding the IAM team under the CISO org chart allows these two pillars to collaborate more extensively going forward, to realize the higher levels of maturity described in the “Threat Centric IAM” paper. Good to see a blog on the CISO mind map; the 11 functional domains highlighted there are collapsed into 5 organizational pillars in my blog.
APIs are attracting attention as one of the three pillars of FinTech, and in Europe in particular they have become a very hot topic, since the Payment Services Directive 2 obliges banks to provide financial APIs by the end of 2017. In Japan they still trail behind blockchain, but compared with blockchain, which can still fairly be called a research project, financial APIs are a pressing issue.
Against this background, a conference dealing mainly with financial APIs, “Open Data in Finance”, will be held over two days, June 14 and 15, in London, the centre of European finance. June 14 is the workshop day, and the main conference is on June 15. Though hardly equal to the task, I, Nat Sakimura, have been appointed Chair for the whole conference.
The programme can be viewed on this page (Agenda). It opens with an Armchair Chat between Gavin Starks, CEO of the Open Data Institute and chair of the steering committee of The Open Banking Standard, and Matt Hammerstein, Managing Director at Barclays, followed by panel discussions and roundtables with many experts. I think it will be a valuable opportunity to learn the “now” of financial APIs in Europe.
As companies increasingly demand closer communication and collaboration with external partners and customers, the need for professional Web Access Management and Identity Federation grows as well. Suitable solutions enable secure access from and to external systems, including from the cloud. Standard infrastructures are necessary in order to cover the large number of requirements for secure communication and collaboration in extended, networked enterprises almost completely with IT while remaining agile.
The German ZVEI (Zentralverband Elektrotechnik- und Elektroindustrie), the association of the electrical and electronic industries, and the VDI (Verein Deutscher Ingenieure), the association of German engineers, have published a concept called RAMI (Referenzarchitekturmodell Industrie 4.0). This reference architecture model has a length of about 25 pages, which is OK. The first target listed for RAMI 4.0 is “providing a clear and simple architecture model as reference”.
However, when analyzing the model, there is little clarity or simplicity in it. The model is full of links to other norms and standards. It is full of multi-layer, sometimes three-dimensional architecture models. On the other hand, the model doesn’t provide answers on details, and only a few links to other documents.
RAMI 4.0, for example, says that the minimal infrastructure of Industry 4.0 must fulfill the principles of Security-by-Design. There is no doubt that Industry 4.0 should rigorously implement the principles of Security-by-Design. Unfortunately, there is not even a link to a description of what Security-by-Design concretely means.
Notably, security (and safety) are covered in a section of the document spanning not even 1% of the entire content. In other words: Security is widely ignored in that reference architecture, in these days of ever-increasing cyber-attacks against connected things.
RAMI 4.0 has three fundamental faults:
It is not really concrete. It lacks details in many areas and doesn’t even provide links to more detailed information.
While only being 25 pages in length and not being very detailed, it is still overly complex, with multi-layered, complex models.
It ignores the fundamental challenges of security and safety.
Hopefully, we will soon see better concepts that focus on supporting the challenges of agility and security, instead of over-engineering the world of things and Industry 4.0.
Azure AD is here. It can act as a domain controller. It helps you manage your partners. It is ready-made for managing your customers. The application proxy builds the bridge back to your on-premise applications. That raises an important question for all organizations running AD on-premises: What is the future role for on-premise AD? What is the right strategy? Who can and should get rid of on-premise AD now or in the near future, and who should focus on a hybrid strategy? Where is the overlap?
Security breaches and cyber attacks have become a daily occurrence. Worse, in some cases it can take an organization months to realize it has been breached. Open the pages of the latest breach forensic report and you will find a litany of basic IAM errors that read like a horror story. Many companies are missing the basic IAM best practices that can help prevent, detect and mitigate attacks. In this session, SailPoint's CTO Darran Rolls presents the anatomy of a typical cyber attack and explains where and how IAM controls should be applied to better enable closed-loop cyber protection for enterprise systems. You may not be able to prevent an attack, but you can minimize the damage and your exposure.
This session looks at the responsibilities and liabilities of organisations involved in the ‘smart manufacturing’ process both internally (e.g. towards employees) and externally (e.g. other organisations, suppliers, consumers, the environment) and at the difficulties of attributing liability in a complex web of stakeholders that might include cloud service providers. We also discuss the importance of contractual and non-contractual liability as well as statutory and common law liability, including fault-based and strict liability. This session also looks at why these legal questions are important and at potential ways to clarify issues of attribution of liability in Industry 4.0.
In most cases, the terms Industry 4.0 and Industrial Internet of Things (IIoT) are used interchangeably. But these two terms, though referring to similar technologies and applications, have different origins and meanings. Industry 4.0 is focused specifically on the manufacturing industry and the goal of ensuring its competitiveness in a highly dynamic global market. The Industrial Internet Consortium (IIC) is more focused on enabling and accelerating the adoption of Internet-connected technologies across industries, both manufacturing and non-manufacturing. That’s why it’s important to understand the differences between Industry 4.0 and the "Industrial Internet of Things" and where our mindset and approaches best fit.
What often gets overlooked in the conversation on cloud security is the subject of “deletability" of cloud data. During this session our expert panel explores whether cloud data that is “deleted” by an end-user is actually completely removed from the cloud. By end-user we mean both the consumer and the cloud administrators.
The idea of this trends & innovation panel is to give each panelist the opportunity to tell the audience which company or companies out there are doing something innovative, what it is, why it is important and why the audience should care about and track the company. For example, one of the panelists might talk about how the perimeter is disappearing and it’s important to be thinking about governance, security and privacy for cloud properties like Salesforce, Workday, etc. The only restriction on panelists is that they are not allowed to talk about their own products or products from anyone on the panel.
The number of companies investing in modern “Big Data”-type SAP products and cloud-based SAP deployment models is growing constantly. Having formerly been stored in standalone database silos, SAP information from CRM, ERP etc. for Big Data deployments is now being migrated to a central high-volume and high-performance database. Deploying traditional SAP environments in the cloud and leveraging new cloud-based SAP applications introduce new groups of customers to SAP services and shift the focus of existing SAP users.
With the Cloud Foundry Summit underway in Santa Clara this week, we thought it would be a good time to announce our preview version of a new identity service broker for the Cloud Foundry platform. An extension of the OpenAM project, the new service broker will allow externally deployed ForgeRock solutions to protect applications and microservices running on any iteration of Cloud Foundry. In short, the service broker will enable developers to create persistent identities that are portable across clouds. ForgeRock identity solutions have been implemented as cloud deployments previously – notably European telecom giant Swisscom has offered identity as a service built on the ForgeRock Identity Platform for some time now. But this service broker project marks the first time that a cloud offering is universally available through the open source OpenAM project. We’re throwing around a lot of terms here that might not be immediately recognizable to everyone in the identity community, so let’s clarify a bit.
What exactly is Cloud Foundry?
Cloud Foundry is an open source cloud computing platform as a service (PaaS) that is available as freeware, and also as commercial offerings from Pivotal Software, IBM Bluemix, Swisscom, HP and several other vendors. All of these iterations of Cloud Foundry offer a collection of platform elements that enable developers to create and host production versions of online services and applications. These platform elements include features for monitoring, logging, messaging, authentication, traffic routing and other tasks. One of the core concepts of the Cloud Foundry project is the service broker.
What exactly is a service broker?
A service broker is code that enables an application in the cloud to invoke or “point to” a needed service for that application to run. So in our case, an application on the cloud – let’s imagine the application is a smart car onboard navigation and information system – could point to the ForgeRock service broker to invoke identity and access management when a driver “logs in” by starting up their car. The advantage of using OpenAM as the authentication server for the Cloud Foundry platform is that it offers very rich capabilities, including authentication, authorization, adaptive risk and multifactor authentication. For instance, in the smart car scenario there could be different levels of identity required for different drivers – so for instance, parents could set certain restrictions for their teen drivers.
What are microservices?
Well-known software industry observer Martin Fowler describes microservices thusly: “In short, the microservice architectural style is an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API.” When I spoke last week with my colleague David Ferriera (cloud technology director here at ForgeRock and the exec who oversaw the development of our service broker project), he provided this overview of what microservices mean in the identity management context:
Microservices is a popular new architecture where monolithic applications are broken down into subcomponents that can then be used to scale independently. The promise of cloud is ubiquity, persistence and flexibility, and microservices are a natural fit in this kind of environment because they give developers more choices in how to approach technical and business challenges. Now, why is identity necessary in a cloud architecture? Identity and access management are key here because a single end-user request may result in many, many microservices requests, and you need identity to be consistent across all those requests. You need to make sure they’re all acting on the same person, and you need to make sure that each one of those microservices requests is authorized. And that’s what we released today – what the ForgeRock service broker does is it supports OAuth and allows you to extend OpenAM capabilities to secure those microservices.
What is OAuth?
OAuth is a standard for authorizing access to applications and data. It enables users to grant restricted access to resources they own—such as pictures residing on a site like Facebook—to a third‐party client like a photo printing site. Before OAuth, it wasn’t uncommon to find websites or online services asking users to share their username and password with the client, a deceptively simple request masking serious security risk. In contrast to this, OAuth promotes a least privilege model, allowing a user to grant limited access to their applications and data by issuing a token with limited capability. OAuth is beneficial because it hands the management of web delegation to the actual resource owner. The user connects the dots between their accounts on different Web applications without involvement from security administrators on the respective site. This relationship can be long‐lasting but can also be terminated at any time by the user. One of the great advancements OAuth brings to the Web community is formalizing the process of delegating identity mapping to users. OAuth originated through the OpenID project at Twitter, and became a standard with input from Google and other Internet companies. The OAuth 1.0 protocol was published as RFC 5849 in April 2010, and the OAuth 2.0 framework followed in 2012.
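The two points made above, David's observation that one end-user request fans out into many microservice calls that must all act on the same subject and each be authorized, and OAuth's least-privilege delegation of limited scopes that the user can revoke at any time, as an added Python example that is not ForgeRock's, OpenAM's or Cloud Foundry's code. The in-memory token store, the scope names and the two services are assumptions constructed for illustration; the header format follows RFC 6750 and the lookup mirrors RFC 7662 introspection.

```python
"""Added example (not the project's code): OAuth-style bearer tokens across
microservices with least-privilege scopes, a consistent subject across the
fan-out, and user-initiated revocation. Scope and service names are constructed."""
import secrets
import time

# --- authorization server: in-memory stand-in for a real AS such as OpenAM ---
_TOKENS = {}  # opaque token -> {sub, client_id, scopes, exp, active}


def issue_token(sub, client_id, scopes, ttl=3600, now=None):
    """Resource owner `sub` delegates only `scopes` to `client_id`.
    The token is random, so the client never sees or stores the password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = {"sub": sub, "client_id": client_id,
                      "scopes": frozenset(scopes), "exp": now + ttl, "active": True}
    return token


def revoke_token(token):
    """The user can end the delegation at any time without changing a password."""
    rec = _TOKENS.get(token)
    if rec:
        rec["active"] = False


def introspect(token, now=None):
    """RFC 7662-style lookup: unknown, revoked and expired tokens are all inactive."""
    now = time.time() if now is None else now
    rec = _TOKENS.get(token)
    if rec is None or not rec["active"] or now >= rec["exp"]:
        return {"active": False}
    return {"active": True, "sub": rec["sub"], "scope": " ".join(sorted(rec["scopes"]))}


# --- resource servers: every microservice validates the token itself ---
def parse_bearer(headers):
    """RFC 6750 'Authorization: Bearer <token>'; None if absent or malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


def authorize(headers, required_scope, now=None):
    """Returns (status, info): 401 for a missing/invalid token, 403 for a
    token that is valid but lacks the scope this service needs, 200 otherwise."""
    token = parse_bearer(headers)
    if token is None:
        return 401, {"error": "invalid_request"}
    info = introspect(token, now)
    if not info["active"]:
        return 401, {"error": "invalid_token"}
    if required_scope not in info["scope"].split():
        return 403, {"error": "insufficient_scope", "scope": required_scope}
    return 200, info


def photos_service(headers, now=None):
    """Constructed service: reading the owner's pictures needs 'photos:read'."""
    status, info = authorize(headers, "photos:read", now)
    if status != 200:
        return status, info
    return 200, {"owner": info["sub"], "photos": ["img1.jpg", "img2.jpg"]}


def print_service(headers, now=None):
    """Constructed service: ordering a print job needs 'print:create'."""
    status, info = authorize(headers, "print:create", now)
    if status != 200:
        return status, info
    return 200, {"owner": info["sub"], "job": "queued"}


def gateway(headers, now=None):
    """One end-user request fans out to both services. The same bearer token
    is propagated on every hop, so every hop acts on the same subject, and
    each service authorizes the call itself rather than trusting the caller."""
    results = {"photos": photos_service(headers, now),
               "print": print_service(headers, now)}
    subjects = {r[1]["owner"] for r in results.values() if r[0] == 200}
    results["consistent_subject"] = len(subjects) <= 1
    return results


if __name__ == "__main__":
    # Alice grants the print shop read access only; the print scope is withheld.
    t = issue_token("alice", "printshop", ["photos:read"], now=1000.0)
    hdrs = {"Authorization": "Bearer " + t}
    print(gateway(hdrs, now=1500.0))   # photos 200, print 403 insufficient_scope
    revoke_token(t)
    print(photos_service(hdrs, now=1500.0))  # 401 invalid_token after revocation
```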
Daniel: The beauty of the cloud / service broker approach is that when a developer is coding an app, they can actually see the service and call out to it. They don’t have to think about deploying the service. If your developers are focused on code, and all they’re doing is pushing this stuff to where it needs to be deployed, and all that infrastructure – everything underneath it is taken care of – that’s gold.
David: That’s the point of the platform. If you’re a developer, you only need to worry about writing the business logic that you’re responsible for. You don’t have to become an expert in identity, deploying databases and all that other infrastructure stuff – it’s just write your code and get on with it.
Daniel: Yes, well there’s two things here, right? Why do developers care about a cloud identity service broker, and why do identity architects and security groups care about it? Because they can now plug into Cloud Foundry as well as their data center and have one single place to manage their security / identity processes. It’s beneficial for both, and that’s a powerful thing.
Where can I access the ForgeRock Cloud Foundry service broker?
The open source code for the service broker preview is accessible through GitHub, and ForgeRock welcomes feedback on the project. The service broker preview and IAM for cloud deployments will be discussed at ForgeRock’s upcoming UnSummit, taking place in San Francisco on June 1st. More information on the ForgeRock Identity Summit Series is accessible here.
PingAccess is a web and API Access Management offering from Ping Identity. PingAccess is tightly integrated with PingFederate and provides a superior alternative to traditional Web Access Management products with its ability to provide policy- and context-driven access control to traditional on-premise web applications and cloud applications, as well as to REST-based APIs.
During the first part of the blockchain track at EIC 2016, we have learned a lot about the concept and technology of Blockchain Identity. In this session we build on this and have a look at what happens in different use case scenarios, if blockchain, the internet of things, identity and the need for privacy "collide". Has blockchain been the missing link to put the "platform" thought away from "Life Management Platforms" to make it a universally available privacy by design representation of humans in a digital world?
Recent research estimates that there are 1.5 billion individuals who do not have any means to prove their legal identity: people in failing states unable to perform even the most basic administrative tasks, suppressed ethnic groups, and of course all those who have had to flee their homes due to conflicts or disasters.
New thinking is required to make identification available to all humans, and to help refugees and displaced people to cross borders and to apply for asylum. In this panel discussion, we will try to outline a blockchain-based supranational identity infrastructure under the roof of an organization like the UN.
Blockchain is not yet ready to support industrial use cases. In this panel session we discuss the requirements across industries and how to improve and accelerate the maturity of this shared ledger technology through an open and coordinated approach.
For the last few months, every day there has been a new announcement of a major corporation (successfully?) trialing blockchain technology in a proof of concept. For anyone outside of the blockchain space and hype, it has become difficult to discern the signal from the noise. We give a brief introduction to the true technical innovation of these open multi-user platforms and present several use cases where businesses can benefit, from IT security to data privacy to IoT.
One of the most promising use cases for distributed ledgers in financial services is the implementation of compliance and risk management solutions. In this session, we will analyze how blockchain technology can be used to build trusted registries of identity and ‘know your customer’ data about individuals or companies, with concrete examples. We will also highlight the difficulties of such approaches and discuss the possible scenarios of evolution in this domain.
How is trust established without trusted third parties? Although it is not possible to offer a prediction of how distributed ledger technology will change society, the assertion that new and publicly accessible technology such as the internet, file sharing and social networks would empower individuals and lead to a more transparent and equitable society has been made before. While the advent of the internet has led to unparalleled global communication capabilities, it has also allowed for a situation of total, mass surveillance. The blockchain offers a trustless information security model, replacing human judgement with proof-of-work algorithms and perimeter security with total transparency.
In many cases, Fintech services such as aggregation services use screen scraping and store user passwords. This model is both brittle and insecure. To address the brittleness, the new OpenID Foundation Working Group invites developers, architects and technologists to contribute to an open-standard approach using an API model with structured data; to address the insecurity, it should use a token model such as OAuth [RFC 6749, RFC 6750].
The OpenID Foundation Financial API (FAPI) Working Group aims to rectify the situation by developing a REST/JSON model protected by OAuth. Specifically, the FAPI Working Group aims to provide JSON data schemas, security and privacy recommendations and protocols to:
enable applications to utilize the data stored in the financial account,
enable applications to interact with the financial account, and
enable users to control the security and privacy settings.
Both commercial and investment banking accounts, as well as insurance and credit card accounts, are to be considered.
The FAPI Working Group is building a Fintech bridge through open standards. This effort builds on the wide international adoption of OpenID Connect.
The FAPI Working Group was proposed by Nat Sakimura (NRI), Tony Nadalin (Microsoft), and Cindy Barker (Intuit). A charter will be approved and a chair selected at the first FAPI Working Group meeting.
The FAPI Working Group chairs will be presenting on the focus of the group at upcoming conferences including the 2016 Cloud Identity Summit in New Orleans and the Open Data Finance conference in London, both in June.
The Open Data in Finance conference is an end-user driven event that focuses exclusively on open data and data sharing in the finance sector.
It will bring together influential representatives at the nexus of the open data initiative, to give insights into the plans of government and key industry players, and share how they are shaping and responding to this market change.
The Open Data in Finance organizers have offered OpenID Foundation members a 20% discount to attend. Please contact me directly if interested.
Those interested in participating will need to submit a signed IPR Agreement indicating their participation in the FAPI WG. The IPR agreement can be submitted online via DocuSign or emailed to firstname.lastname@example.org.
The conference was organized by MIT Connection Science and brings together many of the world’s blockchain thought leaders and practitioners to discuss and develop better, more standardized approaches to digital identities and contracts using distributed ledger technologies.
“We are delighted that the Kantara Initiative as a standards defining organization is co-sponsoring technical sessions at the ‘MIT Digital Contracts, Identities and Blockchains 2016’ conference,” said Thomas Hardjono, CTO, MIT Connection Science. “The UMA Legal Subgroup in Kantara continues to be a creative forum for bridging between legal and technical communities addressing identity, trust frameworks and data privacy.”
MIT Connection Science under the leadership of its Founding Faculty Director, Prof Alex “Sandy” Pentland, is spearheading a new initiative around the legal and technical aspects of smart contracts, distributed incentives, and blockchain technology.
Connection Science seeks to build better societies through data/analytics, with faculty-led research, training programs, and open-source tool libraries. It is publishing a multi-part blockchain & financial services whitepaper series on “The Fifth Horizon of Networked Innovation”. Contact email@example.com for a copy.
“TomTom has initiated a program for delivering a new identity platform that manages identities of customers and devices worldwide at very large scale. The identity platform is a global solution. It is a great example of a way to manage all identities ─ of peoples, devices, and things ─ in a consistent way.”
TomTom is a navigation, traffic, mapping, and GPS-focused company that uses the ForgeRock Identity Platform to secure the identities of consumers, devices, and things, worldwide. They’re working with us and our partner Everett to launch cool services like these:
Sync smartphone navigation, journey planning on the desktop, and navigation devices, so consumers can plan travel in advance but react in real time.
Single sign-on to all TomTom services across all devices, whether it’s on a sports watch or a personal navigation device.
In-car devices with their own identities, so TomTom can share traffic and navigation data with our cars.
A unified user profile that can access all TomTom platforms from any device, whether a smart watch, GPS, laptop, and more.
We love to see TomTom in the spotlight for this ambitious and highly successful identity project. And, we’re proud that this award confirms that ForgeRock offers the best unified identity platform on the market for innovative digital businesses like TomTom.
KuppingerCole thinks so too. In their recently released “Leadership Compass – Access Management and Federation,” KuppingerCole named ForgeRock a leader in all four categories (Overall, Market, Product, and Innovation) and the outright leader in the Innovation category. Read up on the report here.
Want to know more about TomTom and their award winning identity project? Read on!
TomTom empowers movement. Every day millions of people around the world depend on TomTom to make smarter decisions. They design and develop innovative products that make it easy for people to keep moving towards their goals. Best known for being a global leader in navigation and mapping products, TomTom also creates GPS sports watches, as well as state-of-the-art fleet management solutions and industry-leading location-based products.
The TomTom business consists of four customer-facing business units: Consumer, Automotive, Licensing and Telematics. It has over 4,600 employees and 58 offices in 35 countries worldwide. Since 2004, TomTom has sold over 78 million personal navigation devices and the company’s navigable maps span over 135 countries, reaching more than 4 billion people. TomTom’s real-time traffic information service is available in 50 countries and over 625,000 professional drivers are powered by the TomTom fleet management solution WEBFLEET.
Over time, TomTom’s different business units grew independently and created their own customer identification systems. With the introduction of new digital technologies and their rapid growth globally, TomTom needed to unify their customer databases and create a single consumer experience that would allow them to truly understand their consumer across all channels. To enable new technology like MyDrive, a smart route planner, TomTom needed consumers to have a single, persistent identity that followed them from their laptop, to their mobile device, to their car navigation system in order to create a seamless user experience. The identity platform also had to be able to scale to handle millions of concurrent users.
Originally, TomTom’s solution for Identity and Access Management was proprietary and did not follow industry standards. However, the growth of the IoT in the automotive space meant that navigation was no longer solely delivered on hardware manufactured by TomTom or on a dedicated navigation solution. This created external demands for TomTom to develop an IAM platform that met industry standards in order to integrate with other services and systems. TomTom realized that their legacy platform could not support the demands of the digital era.
TomTom turned to ForgeRock to unify their approach of managing the identity of users, devices, and things. Working with identity systems integrator and ForgeRock partner, Everett, TomTom has migrated to the ForgeRock Identity Platform to manage its digital identities worldwide. There are three main components to the project:
“AMS – Access Management Service”: ForgeRock components are used to give “In-Dash” (built in) devices in cars their own identity, allowing TomTom to deliver services to the car.
“UAM – User Access Management”: TomTom will establish a Single Sign-On experience for customers on the TomTom website.
“CUDS – Common User Data Store”: Customers are being migrated from a legacy platform to a new Identity Management Platform built with ForgeRock components.
All of these initiatives have the same goal: to gain control of consumer identity across all TomTom market areas and channels by consolidating identities in a central location.
The ForgeRock Identity Platform supports millions of TomTom consumers, devices and things throughout the world. The solution is primarily focused on consumer identities for TomTom’s connected devices, the e-commerce platform, and for in-dashboard devices installed by car manufacturers.
The solution is designed to provide a central point containing all accounts and a uniform identity strategy over all users, devices and touch points, providing a number of key benefits to the consumer:
With one identity, the consumer will be able to gain control over their own data, services and devices.
User authentication means TomTom knows that it is really you that is logging in.
Users and devices are secured before they can access services, manage data, and engage with TomTom.
There is a single way to log in to services across all products and business units.
Device authorization makes sure you can only access services that you are entitled to access.
Primary Business Drivers
Reduced time and cost for integrating new services. Because the ForgeRock Identity Platform is built on open standards like OAuth, SAML, and REST that enable product interoperability, TomTom is able to easily introduce new systems into their digital ecosystem.
A standard IAM platform for business units and products enables TomTom to accelerate time to market for new services and devices.
Improving the consumer experience leads to greater consumer satisfaction and brand loyalty.
Reduced risks and costs associated with security by using an identity platform that adheres to security standards and receives regular updates based on global security developments and standards adoption.
Easier to maintain and upgrade than a proprietary system. The commercial open source model means TomTom can also contribute code back to the code base and benefit from the contributions of other developers.
Ease of migration from legacy systems.
Ability to build trust with customers by creating a secure, unified IAM platform.
A unified and flexible platform enables the company to address unique vertical market objectives as well as regional regulatory requirements.
TomTom’s digital ecosystem continues to evolve as it develops new products and services. This requires a market leading IAM platform that can keep up with the pace of innovation. The ForgeRock Identity Platform helps TomTom to reach their strategic business goals and empower movement around the globe.
Recognized as a leader in digital identity
The TomTom identity solution is one of the largest deployments worldwide based on a single identity platform. It delivers TomTom a secure platform with which to build trust with its customers (consumers and OEMs) while also enhancing the end-user experience. From a business perspective, this identity platform is directly impacting both top- and bottom-line revenue as well as stockholder value. The TomTom identity project is unique and demonstrates the true value IAM can have for the business.
Omada Identity Suite is a strong offering which is well-respected for its advanced Access Governance features. New functionality and strategic partnerships position the solution as a comprehensive Identity and Access Management product, with flexible cloud and on-premise deployment options.
We are on the brink of a machine learning revolution in which computers won't just speed up existing security processes but enable the automation of processes and decisions too complex for the human mind to imagine. The machine-reengineering revolution will leverage powerful algorithms and the immense lakes of organizational data to drive changes in business processes that will fundamentally change the way security is managed. This session provides an overview of machine learning and big data technologies as they apply to Identity and Access Management.
In this session, find out how customer-obsessed businesses are increasing their audiences and creating trusted, customized experiences across devices and platforms in exchange for first-party data. We provide case studies of how leading brands are leveraging customer identity and access management (CIAM) to create personal relationships at scale while maintaining high degrees of data privacy and security.
Big Data meets Security: Analyzing system logs to understand behavior has become one of the main applications of big data technology. Open source initiatives as well as commercial tools and applications for big data integration, collection and analytics are becoming more important building blocks of cyber attack resilience, through better collection and analysis of very large sets of log and transaction data, real-time analysis of current events and potentially also prediction of future behavior.
A large proportion of the time spent securing IT systems involves managing user risk in a variety of guises. Balancing the need to be secure against the need of users to be productive in their day-to-day activities is an ongoing challenge. In this session I will show how you can deliver reductions in user risk without impacting productivity, and how IT Security can empower users to do more with less risk.
Last year we had our first discussion of risk and value related to IoT. Over the last 12 months we have gone from “What is this IoT?” to IoT becoming a driver of digital transformation. All of the major platform (PaaS) players have made IoT a key part of their strategies. In this session Jackson will highlight how the IoT landscape has changed from a risk & security perspective for both consumers and enterprises, how it is driving digital transformation and why it is even more important for you to be planning your IoT strategy now.
The Cloud is turning out to have important “emergent properties” – features not previously observed in computing systems, never imagined by cloud architects, and not yet widely discussed or understood. They will be key to determining which strategies prevail in meeting cloud era challenges. Kim Cameron discusses how this impacts the world of identity – leading to better applications and simpler identity solutions for people and things.
Axel Springer is becoming a truly digital publisher and is investing further in digital expansion. This session covers the meaning and selling of Identity and Access Management in a media company like Axel Springer, a way to bundle forces and gain buy-in from related parties and sponsors, and the increasing importance of Identity and Access Management for managing cloud services.
How many times do you change your hat per day? In the new age, CISOs will change their roles as often as they must in order to make decisions about how to confront new risks. Compliance, governance, legislation, data protection, cybersecurity, intelligence, cyberdefense, cyberfusion... how can we deal with them all?
Transitioning the NSTIC from the 2nd goal to the 4th and how we plan to finish the job; as US President Barack Obama stated it, NSTIC was really a 10-year effort. In this keynote, Paul Grassi talks about modularization and performance-based standards, future proofing by leveraging a diverse marketplace, the transition to the next phase of Connect.gov, which will be moving from pilot to production, and landing high-risk, large-volume transactions.
It's all too easy to pretend to be someone else, whether it's organised crime, social engineers, hackers or paedophiles. The financial impact of this impersonation runs to hundreds of billions of dollars per annum. As a result, business costs increase: not only because of the increasing losses, but also because transactional friction increases, as do the processes that businesses implement to raise their level of trust.
Blockchain technology is certainly at the peak of the hype cycle. In this keynote, Sebastien will give you the keys to understand the reality of blockchain beyond the myths and anticipate the next steps.
Privileged accounts have been at the center of each recent high-profile attack. This session will explain how hackers that successfully exploit these accounts are able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.
Paris is musical in every way: here you can find everything from legendary jazz clubs to thriving independent and underground music scenes. The city is brimming with great record stores, and in the last few years the number of music festivals has also grown, with interesting line-ups of international artists. Big hitters like Pitchfork, and radical home-grown treats like We Love Green and Weather Festival, are also celebrated here, covering almost every genre of music you might like.
We Love Green
The festival is known for its eclectic mix of rock, pop and electronic music. It promotes responsibility and community values, with eco-friendliness at its core. Here you can see innovative line-ups like Hot Chip, Diplo, PJ Harvey and Amon Tobin alongside French acts, with strong threads of techno and indie-rock. Join the festival if you want to enjoy a beautiful outdoor party while indulging in organic food.
Afropunk is a multi-genre black music and culture festival that celebrates pop, rock, electro and hip-hop music. The stellar lineup for this event includes Saul Williams, Angel Haze, Lizzo, Michael Kiwanuka and Samm Henshaw, among others. Joining this event, you can also enjoy a ‘cultural experience’, as the venue features excellent food stalls and art displays by local artists.
When: 3-5 June 2016
Venue: Le Trianon
Download Festival France
The legendary 14th annual heavy rock festival, Download is the favourite event for heavy-metal and hard rock fans. Apart from the great music, the festival is also popular for its several other events like Heavy Metal Dating, Dog’s Bed Stage, and the real ale house. Download has all rock bases covered and more, giving you an intense dose of rock and heavy metal music. Some popular music bands that will be performing here are Deftones, Korn, Biffy Clyro and Megadeth.
This summer, experience your favourite live jazz in a Paris park. The festival runs from mid-June until the end of July. You can enjoy performances by two jazz groups every Saturday and Sunday in the big open hall of the Parc Floral de Vincennes. Join this free event to enjoy great music, performances, and the sunshine amid coloured flowers, woodlands and lakes.
If your interest lies in listening to an audacious program of live performances, visual arts, and film projections, this festival is worth visiting. This underground mixed-media festival will take place over five days in popular venues of Paris. This year the festival line-up will feature live performances from The Horrors, King Gizzard & The Lizard Wizard, Rendez Vous, and Dorian Pimpern, among others.
When: June 18-19 2016
Venue(s): La Machine du Moulin Rouge, Trianon, Gaîté Lyrique, Point Éphémère, Monseigneur
About the Author
Hi, I am Krishna, avid traveller, foodie and music lover. I like to explore new places and share my experiences. Here I am sharing upcoming music festivals in Paris, so if you are a music lover in this romantic city, make sure to attend these music events. During my visit to the romantic city of Paris, I had an amazing time staying in a Paris serviced apartment to experience a bit of everything in the city like a local.
The definition, implementation and maintenance of an adequate set of policies is a major task for many areas of today’s organizations. However, continuously ensuring compliance to these policies and providing adequate documentation of evidence is even more challenging. Keeping computer security definitions in compliance with your corporate security policy and with mandatory regulations is overly complex when done the conventional way.
Levi’s blue jeans have been a staple in my life for a long time. Today I am wearing a new pair I bought last week. The Levi’s brand is quintessential Americana. In fact, complex.com dubbed Levi’s the eighth most iconic brand of all time!
Today, we celebrate the birthday of Levi’s. According to History.com:
On this day in 1873, San Francisco businessman Levi Strauss and Reno, Nevada, tailor Jacob Davis are given a patent to create work pants reinforced with metal rivets, marking the birth of one of the world’s most famous garments: blue jeans.
The pair of Levi’s I am wearing now don’t have classic copper rivets, but I like the comfort and fit. I suppose that wearing Levi’s is the closest I’ll ever come to being “hip.”
Sexual relations are never quite as easy as some people may make them out to be.
On the one hand, some individuals/couples find their sexual relations to be all but perfect.
On the other side of the coin, some individuals/couples find nothing but frustration in their sexual relations, almost getting to or even reaching giving up.
If you are in the latter group, what are you doing specifically to make things better?
Talk and Action Both Go a Long Way
For your sexual relations to improve sooner rather than later there are a number of steps you can put into place to do just that.
Talk – Nothing usually works better than talking things over. Come to an understanding (or at least as close to one as possible) on why your sexual relations haven’t been working, what you can do to change this, and how to make the change or changes long-term, not just for a short period of time. The most important part of the talking solution is being good listeners. Both partners certainly should share their perspectives, but listening to one another is crucial. If all that happens is shouting, moping, or shutting the other person out, there is little chance of success. Finally, don’t be afraid to seek sexual counseling if need be. Some partners are embarrassed to seek help, but oftentimes having that third person in the room can make a big difference. Yes, you will spend some money for such counseling, but you both may find over time that it was some of the best money you could have ever invested in your relationship.
Agreement – Along with talking things through, it is important that both parties are on the same page in the bedroom. Whether it is the topic of using condoms, one person being the more dominant of the partnership or getting away from the normal routine, there are many things to come to an agreement on. The biggest thing is to agree not to disagree. Remember, there was probably a disagreement or two along the way that got your sexual relationship out of whack to begin with. When both sides agree to work together on improving their intimate times together, the possibilities are oftentimes endless. Lastly, make sure you have an open mind to finding the solution or solutions to the problem. In the end, getting both partners happy about where their sexual relationship is should always be the goal.
Variety – How many times have one or both of you said that your sexual encounters have become downright dull? Unfortunately, it happens more times than not in bedrooms all across the nation. In order to spice things up a little bit, do the occasional weekend getaway. Heck, even a one-night getaway to a nice area hotel can put some spark back in the sexual part of the relationship. Just as if you were to eat the same thing day after day for breakfast, your sexual relations need to have a charge put into them from time to time. This does not mean that you have to spend money wildly, just put aside a few dollars for a nice romantic evening out or a weekend where just the two of you can get away for a bit. For those with kids, this becomes even more critical, so don’t be afraid to call on a babysitter or have another parent who you are friends with watch their kids and yours for an evening or weekend. With a little variety injected into your sex life, you might see things turn around quicker than you might have thought possible.
One of the hot-button issues in a relationship can be sexual relations.
While one of the partners may feel like things are just fine or even satisfactory, the other can see things in a totally different light.
In order for both parties to come together and enjoy everything that a healthy sexual relationship can provide, being honest with one another, being open to new experiences, and being able to talk and listen to each other proves critical.
So, is your sexual relationship as healthy as it can be?
We have created the initial working group version of the CBOR Web Token (CWT) specification based on draft-wahlstroem-ace-cbor-web-token-00, with no normative changes. The abstract of the specification is:
CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. CWT is a profile of the JSON Web Token (JWT) that is optimized for constrained devices. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value.
Changes requested during the call for adoption will be published in the -01 version but we first wanted to publish a clean -00 working group draft.
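The abstract describes a CWT as a set of claims encoded in CBOR. The following added example (not code from the draft or from the working group) shows what that encoding looks like concretely: a minimal CBOR encoder covering the types a claims set needs, and a comparison against the same claims as a compact JSON payload. The integer claim labels (iss=1 ... cti=7) and the sample claim values are assumed from the later published CWT specification (RFC 8392); the COSE signing layer is left out.

```python
"""Minimal CBOR encoding of a CWT claims set (added example, not the draft's code)."""
import base64
import json

# Registered CWT claim labels; assumed from RFC 8392, Section 4, not from the -00 draft.
CLAIM_LABELS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}

# Sample claims set; values assumed from the CWT specification's example.
SAMPLE_CLAIMS = {
    "iss": "coap://as.example.com",
    "sub": "erikw",
    "aud": "coap://light.example.com",
    "exp": 1444064944,
    "nbf": 1443944944,
    "iat": 1443944944,
    "cti": b"\x0b\x71",
}


def _head(major_type: int, arg: int) -> bytes:
    """Encode a CBOR initial byte (major type in the top 3 bits) plus its argument."""
    mt = major_type << 5
    if arg < 24:
        return bytes([mt | arg])
    if arg < 0x100:
        return bytes([mt | 24]) + arg.to_bytes(1, "big")
    if arg < 0x10000:
        return bytes([mt | 25]) + arg.to_bytes(2, "big")
    if arg < 0x100000000:
        return bytes([mt | 26]) + arg.to_bytes(4, "big")
    return bytes([mt | 27]) + arg.to_bytes(8, "big")


def cbor_encode(value) -> bytes:
    """Encode the CBOR subset a claims set needs: ints, byte/text strings, arrays, maps, bools."""
    if isinstance(value, bool):  # must precede int: bool is a subclass of int
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    if isinstance(value, dict):
        return _head(5, len(value)) + b"".join(
            cbor_encode(k) + cbor_encode(v) for k, v in value.items()
        )
    raise TypeError(f"unsupported CBOR value: {type(value).__name__}")


def encode_cwt_claims(claims: dict) -> bytes:
    """Replace registered claim names with their integer labels and encode as a CBOR map."""
    labelled = {CLAIM_LABELS.get(name, name): value for name, value in claims.items()}
    return cbor_encode(labelled)


def json_claims_size(claims: dict) -> int:
    """Size of the same claims as a compact JSON object (a JWT payload before base64url)."""
    jsonable = {
        k: base64.urlsafe_b64encode(v).rstrip(b"=").decode() if isinstance(v, bytes) else v
        for k, v in claims.items()
    }
    return len(json.dumps(jsonable, separators=(",", ":")).encode("utf-8"))


if __name__ == "__main__":
    encoded = encode_cwt_claims(SAMPLE_CLAIMS)
    print(f"CBOR claims: {len(encoded)} bytes: {encoded.hex()}")
    print(f"JSON claims: {json_claims_size(SAMPLE_CLAIMS)} bytes")
```

Registered claims collapse to single-byte integer keys, which is where most of the size saving over a JWT payload comes from; a claim name that is not registered is simply kept as a text-string key.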
CA Privileged Access Manager (PAM) is a well-integrated suite that provides a comprehensive solution for privileged identity management in physical and virtual environments. CA PAM enables centralized control and management of privileged user access to a broad range of servers, network devices and applications.
Cloud computing is an incredible innovation. While at its heart a simple concept, the packaging of compute resources as an on demand service is having a fundamental impact on information technology with far reaching consequences. Cloud is disrupting most industries in a rapid fashion and is becoming the back end for all other forms of computing, such as mobile, Internet of Things and future technologies not yet conceived. As governments, businesses and consumers move to adopt cloud computing en masse, the stakes could not be higher to gain assurance that cloud is a safe, secure, transparent, and trusted platform.
With the stakes rising in cloud adoption, cloud providers need to step up with better built-in security:
Cloud computing adoption is solid and increasing. Security and compliance can be adoption barriers. Now is the time to increase the pressure on cloud providers to build security in, not try to bolt it on as an afterthought.
Cloud computing demands new approaches to security:
We need to take a hard look at many of our existing security practices and retire them in favor of new “cloud inspired” approaches that offer higher levels of security.
Finally, solving these tough problems will require cooperative effort between cloud providers and their customers:
Both enterprises and cloud providers need to work together to better align their security programs, architectures and communications.
Let’s work together to conquer these tough challenges.
This afternoon, I read the Cloud Security – 2016 Spotlight Report, presented by CloudPassage. It was an informative report based on responses from a Linkedin security community. Aside from the insight it provided about Cloud Security, I found it intriguing that social media groups are proving to be a valuable source of market information.
The report focuses on the risk factors facing enterprises as they progressively adopt cloud computing.
Security of critical data and systems in the cloud remains a key barrier to adoption of cloud services. This report, the result of comprehensive research in partnership with the 300,000+ member Information Security Community on LinkedIn, reveals the drivers and risk factors of migrating to the cloud. Learn how organizations are responding to the security threats in the cloud and what tools and best practices IT cybersecurity leaders are considering in their move to the cloud.
It is no surprise that security is a key concern. I would expect such a response from a self-proclaimed information security community.
Cloud security concerns are on the rise. An overwhelming majority of 91% of organizations are very or moderately concerned about public cloud security. Today, perceived security risks are the single biggest factor holding back faster adoption of cloud computing. And yet, adoption of cloud computing is on the rise. The overwhelming benefits of cloud computing should drive organizations and security teams to find a way to “get cloud done”. This is a prime example of where security can have a profound impact on enabling business transformation.
It was not surprising that most respondents thought that traditional security tools were inadequate.
The survey results confirm that traditional tools work somewhat or not at all for over half of cybersecurity professionals (59%). Only 14% feel that traditional security tools are sufficient to manage security across the cloud.
I am not an expert on the validity of this type of survey vs. a more traditional survey conducted outside of the social media environment, but I think it provides some valuable insight. There is a lot of work to do, folks!
We all understand that the concept of username/password to control access is insecure and out of date in a world where anything is connected and a new approach is needed. But how can we make the password obsolete?
the improved value offered by cloud computing advances have also created new security vulnerabilities, including security issues whose full impacts are still emerging.
… and that security is no longer just an IT issue.
The 2016 Top Threats release mirrors the shifting ramifications of poor cloud computing decisions up through the managerial ranks. Instead of being an IT issue, it is now a boardroom issue.
More vulnerabilities and increased business awareness/responsibility. The urgency of security is rising.
The report identifies security concerns so business leaders can make better decisions about security:
The purpose of the report is to provide organizations with an up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in CSA community about the most significant security issues in the cloud.
The 12 critical issues to cloud security (ranked in order of severity per survey results):
Weak Identity, Credential and Access Management
System and Application Vulnerabilities
Advanced Persistent Threats (APTs)
Insufficient Due Diligence
Abuse and Nefarious Use of Cloud Services
Denial of Service
Shared Technology Issues
The report includes a variety of useful information about each critical issue, including:
Some of the anecdotes are both intriguing and disturbing:
British telecom provider TalkTalk reported multiple security incidents in 2014 and 2015, which resulted in the theft of four million customers’ personal information. The breaches were followed by a rash of scam calls attempting to extract banking information from TalkTalk customers. TalkTalk was widely criticized for its failure to encrypt customer data.
Praetorian, an Austin, Texas-based provider of information security solutions, has launched a new cloud-based platform that leverages the computing power of Amazon AWS in order to crack password hashes in a simple fashion.
Heartbleed and Shellshock proved that even open source applications, which were believed more secure than their commercial counterparts … , were vulnerable to threats. They particularly affected systems running Linux, which is concerning given that 67.7% of websites use UNIX, on which the former (Linux) is based.
In June 2014, Code Spaces’ Amazon AWS account was compromised when it failed to protect the administrative console with multifactor authentication. All the company’s assets were destroyed, putting it out of business.
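The Code Spaces anecdote comes down to one missing control: an interactive administrative login without MFA. The check below is an added example (not from the report or from any vendor) of how a defender can find that gap from the AWS IAM credential report. The sample report is constructed and trimmed to the columns the check needs (the real report has more columns), and the account id 123456789012 is a placeholder.

```python
"""Flag interactive cloud logins without MFA (added example; constructed sample data)."""
import csv
import io

# Constructed sample modelled on the IAM credential report format, trimmed to the
# columns used here. "<root_account>" is how the real report names the root user,
# whose password_enabled column reads "not_supported" because it is always enabled.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true
alice,arn:aws:iam::123456789012:user/alice,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true
"""


def _rows(report_csv: str):
    return list(csv.DictReader(io.StringIO(report_csv)))


def find_console_users_without_mfa(report_csv: str) -> list:
    """Return principals that can sign in interactively but have no MFA device.

    Root is always interactive; IAM users only if a console password is enabled.
    Pure API users (password_enabled == false) are skipped here, since the Code
    Spaces failure was the console; their keys belong in a separate rotation check.
    """
    findings = []
    for row in _rows(report_csv):
        is_root = row["user"] == "<root_account>"
        interactive = is_root or row["password_enabled"] == "true"
        if interactive and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def root_has_active_access_key(report_csv: str) -> bool:
    """Root should have no long-lived API keys at all; report whether one is active."""
    return any(
        row["user"] == "<root_account>" and row["access_key_1_active"] == "true"
        for row in _rows(report_csv)
    )


if __name__ == "__main__":
    for user in find_console_users_without_mfa(SAMPLE_REPORT):
        print(f"FINDING: interactive login without MFA: {user}")
    if root_has_active_access_key(SAMPLE_REPORT):
        print("FINDING: root account has an active access key")
```

In a real environment the CSV would come from the credential report export rather than the inline string; the point is that this is a one-line query against data the platform already produces, so there is no reason the gap should survive to the next audit.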
Test-Driven Development (TDD) tells us to write the tests first and only then develop the code. It may seem like a good idea: a way to force lazy developers to write tests, and to make sure that the code is good and does what it should do. But there's the problem. If you are doing something new, something innovative, how the hell are you supposed to know what the code should do?
If you are doing something new you probably do not know what the final result will be. You are experimenting, improving the code, changing the specification all the time. If you try to use TDD for that you are going to fail miserably. You will have no idea how to write the tests. And if you manage to write them somehow, you will change them every time. This is wasted effort. A lot of wasted effort. But we need the tests, don't we? And there is no known force in the world that will make developers write good and complete tests for the implementation once the implementation is finished. Or ... is there?
What we are using in the midPoint project is Test-Driven Bugfixing (TDB). It works like this:
You find a bug.
You write an (automated) test that replicates the bug.
You run the test and you check that the test is failing as expected.
You fix the bug.
You run the test and you check that the test is passing.
That's it. The test remains in the test suite to avoid future regressions. It is a very simple method, but a very efficient one. The crucial part is writing the test before you try to fix the bug. Even if the bugfix is a one-liner and the test takes 100 lines to write. Always write the test first and see that it fails. If you do not see this test failure, how can you be sure that the test replicates the bug?
We have been following this method for more than 5 years. It works like a charm. The number of tests is increasing and we currently have several times more tests than our nearest competition. Also the subjective quality of the product is steadily increasing. And the effort to create and maintain the tests is more than acceptable. That is one of the things that make midPoint great.