July 30, 2014

Gluu: 17 Recommended Requirements for an Identity and Access Management POC [Technorati links]

July 30, 2014 03:55 PM

Identity and Access Management POC Checklist

We get requests for POCs quite often. In an attempt to provide tactical guidance to organizations developing an identity and access management POC, the following are our top recommended requirements to include.

By adding some or all of these requirements to your POC, your organization can limit vendor lock-in and ensure that the solutions considered will satisfy both current and future identity and access management challenges.

  1. Published results for OpenID Connect Provider (OP) and Relying Party (RP) software in InterOp 5 that indicate the vendor has at least 80% coverage of both the RP and OP defined interop use cases. For example, here are Gluu’s InterOp results.
  2. Support for UMA 0.9 Authorization Server endpoints, Resource Server endpoints, and supported client code. Include details on how policies are mapped to UMA scopes.
  3. Support for adaptive authentication, i.e. the ability to change the business logic of authentication at run time, or to apply a one- or two-step authentication workflow depending on the person (e.g. the IT group must use two-factor authentication, while normal users can use passwords).
  4. Support for SAML multi-party federation management, including a workflow tool for vetting SAML IDPs and SPs that want to join the federation, and other operational tools for the federation administrator.
  5. Support for public user registration.
  6. Support for invitation-code-based user registration.
  7. The IDP must be able to specify the authentication type on a per-SP basis. For example, use passwords for Google but tokens for Salesforce.
  8. Support for SAML persistent non-correlatable identifiers.
  9. Support for per-SP attribute release policies in SAML.
  10. Native mobile client application for strong authentication, along with mobile device enrollment and management features.
  11. Support for the SCIM user management APIs, so your organization can interface with the IDM system to send updates about users.
  12. Supported SAML client API for Java.
  13. Supported OpenID Connect client API for Java.
  14. Supported UMA client API for Java.
  15. Supported SCIM client code.
  16. Support for open-standards-based API access control using headless APIs and a mobile client (i.e. no browser).
  17. Free open source license for binaries for major Linux operating systems, so your organization can easily take over operation and offer a reasonable free open source option to partners who do not want to purchase expensive enterprise software.


Have questions about these requirements? Feel free to schedule a meeting with us or comment on the blog to discuss the rationale behind our recommendations.

Kuppinger Cole: Identity Managed Data Loss Prevention - sleep well at night [Technorati links]

July 30, 2014 10:56 AM
In KuppingerCole Podcasts

It’s never been easier to control who has access to what, who authorised it, whose access hasn’t been removed, and to generate reports on it all. We’ll look at the direction of technological and standards development and discuss the ramifications: what do you have to do to exploit the potential?



July 29, 2014

Nishant Kaushik - Oracle: Identity Management Is A People Problem (But It Shouldn’t Be!) [Technorati links]

July 29, 2014 08:37 PM

Another Cloud Identity Summit has come and gone, and even though it only happens once a year, the effect of being at “the top event on the identity calendar” (as Stephen Wilson puts it) always lingers. You leave trying to process all the great content and ideas you got exposed to, thinking about the wonderful conversations you had, and re-energized from hanging out with so many smart and talented individuals. And Brian.

The workshops and sessions always serve as a good indicator of where the community will be focused in the coming year. And based on this year’s CIS:

Amid the sea of topics dominated by the authentication side of the house, and the lineup of one amazing speaker after the next (Ian Glazer‘s and Josh Alexander‘s talks were notable not just for their content, but also their bet on who had the most slides), I tried to hold my own while talking about good old identity management. I wanted to present a new way of thinking about the problem of managing identities in the enterprise, one that is built on bringing together some organic changes that are happening in the way people are working, collaborating and using technology. And I did my best to take a somewhat boring topic and spice it up. You can check out the talk below (posted from the Talking Identity channel on Vimeo).

In the past, I’ve sometimes recorded a clearer, more articulate voiceover for the web, and one was certainly warranted for this talk. But it just wouldn’t have been the same without the audience reaction, so I’ve kept the original audio. And I’ve added the twitter reaction to my talk below for your entertainment. Since the talk has a somewhat iconoclastic bent to it, I do hope to see it generate some discussion, so please chime in with your thoughts and feedback, either on Twitter or in the comments here. And I’ll use some future posts to flesh out some of the ideas from my talk in more detail. Just remember to avoid using the term “wearables” (for Paul‘s sake).

The Twitterverse Response to my CISmcc Talk


Courion: SOX Reporting Headache? Take One ComplianceCourier and Get a Clear View Into ‘Who Has Access to What’ [Technorati links]

July 29, 2014 03:18 PM

Access Risk Management Blog | Courion

Brad Frost

The headache of Sarbanes-Oxley (SOX) reporting requirements is about to get easier for Old Republic National Title Insurance Company, since the title insurer selected Courion ComplianceCourier™ as its access certification solution.

The public company, which has more than 4,000 employees, must comply with Sarbanes-Oxley (SOX) reporting requirements. Like many companies we speak with, its IT department was finding that answering “who has access to what” was absorbing too much manpower and time. The manual process of gathering user access information and compiling it into spreadsheets was also vulnerable to error.

With ComplianceCourier, Old Republic will be able to centralize and automate the access control process, reducing the risk of unauthorized access. What’s more, the access certification solution will allow the company to audit existing access by user, application, administrator, group, or workstation, and meet SOX compliance requirements more easily. The efficiency of IT operations will be improved and, as an added bonus, the Active Directory structure will be consolidated. To read more, click here.

blog.courion.com

Vittorio Bertocci - Microsoft: Protecting an MVC4 VS2012 Project with OpenId Connect and Azure AD [Technorati links]

July 29, 2014 06:34 AM

I have to say I am pretty surprised by the attention that last week’s OIDC OWIN+WebForms post has garnered. Had I known, I would have posted about it much earlier!

In the same spirit, here there’s another quick tutorial addressing a common FAQ: “My company is still on VS2012: can I use the OpenId Connect/WS-Fed middleware?”

The answer is “As long as you target .NET 4.5, totally!”

Just to make things a tad more actionable, here are some basic instructions on how to make a minimal MVC4 app work with AAD and OpenId Connect.

Create an empty project

Fire up the (even more) good ol’ VS2012, create a new project and navigate through the templates until you get to Visual C#/Web/ASP.NET MVC 4 Web Application. Choose a name and click OK.


Here you have a variety of choices. My personal preference is “intranet application”, mostly because it is the project type with the least amount of stuff I don’t need, hence I spend less time deleting stuff after creation.


We’ll be doing things by the book, hence we’ll enable SSL. The flow was already pretty much the same one you find in VS2013:

Here we do need to change a couple of things from the template, mostly to disable its Windows auth settings. Open the web config and:

That’s it! Next: configure your app in AAD.

Provision the app in Azure AD

This is exactly the same task for any platform, hence the indications I gave for VS2013 apply verbatim here as well.

Navigate to https://manage.windowsazure.com/, sign in as your tenant admin, scroll to the Active Directory tab, choose the tenant you want to use, select the Applications tab, and click the Add button on the appbar at the bottom of the screen.

Choose “Add an application my organization is developing”.

Give to the app any name you like. Keep the default “web application and/or web api”. Click the Next arrow.


In the Sign-On URL enter the HTTPS address you got when you enabled SSL on the project (mine is https://localhost:44307/). In the App ID URI enter any valid URI that will later remind you of what this app is. For my test app I chose http://OldFashionOWINisAwesomeS. Click the Done button.

Click on the Configure tab and leave the browser open there. We’re going to need some of the values here in just a moment.

Add references to the Cookie/OpenId Connect/SystemWeb NuGets

Once again, exactly the same deal as VS2013. Let’s go back to Visual Studio. Go to Tools->Library Package Manager->Package Manager Console. In the console, enter the following three magic commands:

Install-Package Microsoft.Owin.Security.OpenIdConnect -Pre

Install-Package Microsoft.Owin.Security.Cookies -Pre

Install-Package Microsoft.Owin.Host.SystemWeb -Pre

That will install the necessary OWIN packages.

Add the initialization logic

Here we really need to enable the OWIN pipeline from scratch, given that the template we used is 100% unaware of it. Luckily, it’s a trivial task.

In the root of the project, add a new class. Name the file Startup.cs.

Here there’s the code you want to have in there:

using Microsoft.Owin;
using Owin;

// Tells the Microsoft.Owin.Host.SystemWeb host which class bootstraps the OWIN pipeline.
[assembly: OwinStartup(typeof(OldFashionOWIN.Startup))]

namespace OldFashionOWIN
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The authentication setup lives in the other half of this partial class (Startup.Auth.cs).
            ConfigureAuth(app);
        }
    }
}

This class’ implementation of the Configuration method will be called automatically when the first request comes in. All it does is invoke ConfigureAuth, the authentication initialization logic, which we will add in another file. Head to the App_Start folder, add a new class Startup.Auth.cs, and make its code look like the following:

using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace OldFashionOWIN
{
    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Once the id_token has been validated, the resulting identity is persisted in the session cookie.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            // Redirects unauthenticated requests to Azure AD and validates the returned id_token
            // against the tenant's published metadata (issuer and signing keys).
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = "475d1913-d6e7-422c-8dbc-3a94ed21cfaa",
                    Authority = "https://login.windows.net/developertenant.onmicrosoft.com"
                });
        }
    }
}

The Authority part indicates the AAD tenant you want to use, while you can get the value of ClientId from the Configure tab of the application entry in the Azure portal, which should still be open in the browser from a few steps earlier in the tutorial.
I already explained in various places what that middleware does, hence I won’t bore you again about it here.
Note the namespace (VS will append .App_Start to it; delete that) and the fact that the class is partial.

Finally: head to the Controllers/HomeController.cs file and decorate the class with the following:

[Authorize]
public class HomeController : Controller
{
    //...

That will tell ASP.NET that all requestors of this controller’s actions must be authenticated, hence it will help to trigger the auth experience at start up time.
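As an added example that is not part of the original post, here is a more defensive version of the same Startup.Auth.cs. It keeps the ClientId and Authority used above, but makes the checks the middleware performs implicitly explicit (audience and issuer validation), pins the reply URL to the Sign-On URL registered in the portal instead of letting the middleware derive it from whatever host the request arrived on, hardens the session cookie, rejects an id_token issued for any tenant other than the one expected, and keeps protocol failures from surfacing as a stack trace. It is written against the 3.x release surface of Microsoft.Owin.Security.OpenIdConnect (the post used pre-release packages, whose property names may differ); the tenant GUID and the error route are placeholders, not values from the post.

```csharp
// Added example, not code from the original post: a hardened ConfigureAuth for the MVC4/OWIN
// setup described above. Targets Microsoft.Owin.Security.OpenIdConnect 3.x; values marked
// PLACEHOLDER are assumptions and must be replaced with your own.
using System;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace OldFashionOWIN
{
    public partial class Startup
    {
        private const string ClientIdValue = "475d1913-d6e7-422c-8dbc-3a94ed21cfaa";
        private const string AuthorityValue = "https://login.windows.net/developertenant.onmicrosoft.com";

        // The reply URL must match the Sign-On URL registered for the app in the Azure portal.
        private const string ReplyUrl = "https://localhost:44307/";

        // PLACEHOLDER: the tenant GUID of developertenant.onmicrosoft.com (shown in the portal).
        // Azure AD stamps it into every id_token as the tenantid ("tid") claim.
        private const string ExpectedTenantId = "00000000-0000-0000-0000-000000000000";
        private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // The session cookie must not be readable by script or sent over plain HTTP;
                // the project was switched to SSL earlier, so Always is safe here.
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,
                // A bounded lifetime instead of an open-ended sliding session.
                ExpireTimeSpan = TimeSpan.FromHours(8),
                SlidingExpiration = false
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientIdValue,
                Authority = AuthorityValue,
                RedirectUri = ReplyUrl,
                PostLogoutRedirectUri = ReplyUrl,

                TokenValidationParameters = new TokenValidationParameters
                {
                    // Middleware defaults made explicit: "aud" must be this client and "iss" must
                    // match the issuer published in the tenant's OpenID Connect metadata.
                    ValidateIssuer = true,
                    ValidAudience = ClientIdValue
                },

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Belt and braces on top of the issuer check: refuse a token minted for
                    // another tenant. Throwing here routes the request to AuthenticationFailed.
                    SecurityTokenValidated = n =>
                    {
                        var tid = n.AuthenticationTicket.Identity.FindFirst(TenantIdClaim);
                        if (tid == null ||
                            !string.Equals(tid.Value, ExpectedTenantId, StringComparison.OrdinalIgnoreCase))
                        {
                            throw new SecurityTokenValidationException("id_token issued for an unexpected tenant.");
                        }
                        return Task.FromResult(0);
                    },

                    // Do not let a bad or replayed response turn into a yellow screen with a stack
                    // trace; send the user to a neutral error page instead (PLACEHOLDER route).
                    AuthenticationFailed = n =>
                    {
                        n.HandleResponse();
                        n.Response.Redirect("/Home/Error");
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

The tenant check matters most once an app is moved from a tenant-specific Authority to the multi-tenant "common" endpoint: at that point the metadata-derived issuer check no longer pins a single tenant, and without an explicit allow-list any Azure AD account in any tenant can sign in.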

Give it a spin!

Hit F5. You’ll be bounced right away to AAD. Sign in with your user of choice.


Et voilà! You are treated to the cerulean theme that was in fashion back in VS2012 times, and the upper right corner shows that you successfully signed in. Pretty easy!


As I hope the above has shown, the OWIN model is super flexible and can be applied pretty much anywhere .NET 4.5 is available. That means that if for one reason or another you didn’t upgrade to VS2013, you can still take full advantage of Azure AD, ADFS and the ease of use of the new OWIN-based middlewares. Have fun!

July 28, 2014

Matt Flynn - NetVision: BMWs and Bicycles: The Value of Complexity [Technorati links]

July 28, 2014 08:21 PM
If your ideas about Oracle Identity & Access solutions start and end with the word complexity, you're missing the big picture. Contrary to what competitors might be telling you, Oracle's current IAM solution looks nothing like a conglomeration of distinct, aging products. If you want to know about today's Oracle IAM solutions, consider concepts like: common data model, consolidated feature set, shared services, unified admin and operational consoles, and a lower TCO than managing multiple point solutions.

It didn't happen by accident. Oracle has a large, diverse, and talented team of engineers and developers. I'm consistently impressed by the level of talent roaming the halls at Oracle. And the team knew years ago that continued innovation was important. They intentionally expended significant effort to rationalize the product backend so that it's not simply multiple integrated products. Did you know that Oracle uses a single connector for user provisioning, access governance, and privileged account management? Did you know that Oracle's provisioning product also provides access requests, risk scoring, and entitlement reviews in a single product? (not a license bundle - a single installed product)

Can the entire solution be downloaded onto a smartphone and installed in 3-5 minutes? No. But, the solution can meet any current or future Identity & Access requirement with a modular, unified approach to Identity & Access for legacy, enterprise, cloud, mobile, and social use-cases. And there are numerous customer case studies that demonstrate Oracle's IAM technology has already been implemented in mobile, consumer, and IoT scenarios with extreme scale. Claiming that Oracle can't handle third platform use-cases is either ignorant or deceitful. Which it is depends on who you're talking to.

That's not to say that there aren't IAM solutions on the market that offer less complexity. But let's investigate complexity for a moment.

Is complexity good or bad?

If you already answered, you're missing the point. The reality is that complexity should be commensurate with your needs and the optimal amount of complexity will depend on the context.

A BMW is more complex than a bicycle. If your goal is to take a leisurely ride through a park to enjoy the weather while getting some exercise, then a bicycle may be a great fit, and a BMW will miss the mark entirely. If the goal is to find a vehicle for your daily commute to work, you might still opt for a bicycle, but you'll be balancing the desire for less complexity against the BMW's feature advantages of getting you there quicker, shielding you from the weather, and requiring less effort. If your intended use-cases involve cross-country trips or travel in severe weather, the complexity of BMW engineering becomes a thing of desire. And if you fall in love with the way a BMW handles corners at speed, well... let's just say you may stop thinking about complexity altogether.

Getting back to IAM, here are some IAM features to consider:
When you begin to think about how these capabilities can be used to enable new business opportunities, it starts to feel like a BMW approaching a corner. And you'll be glad you're not on a bicycle.

Vittorio Bertocci - Microsoft: Org Navigator: a Mobile App leveraging Azure AD Graph [Technorati links]

July 28, 2014 03:36 PM

One big feature I’ve always missed in Windows Phone is the ability to look up people in the directory when I get mails from unknown colleagues.

Sure, the Contacts hub helps you to find out phone, email and even office location, but many important questions remain unanswered. What team is this person in? What group do they belong to? What DLs are they on, so that I can get an idea of whether they are completely new to identity or already have some background I can latch on to?

I have been toying with the idea for some time, and even wrote the basic request and visualization engine without much conviction, but I didn’t consider a serious app-writing effort until my wife went on a trip, creating an unexpected pocket of “what to do?” time in the weekend. Hence, I rolled up my sleeves and spent an unhealthy amount of time at the PC disentangling ObservableCollections, data binding logic, converters, activations, and all the other XAML incantations that are normally off-limits for us identity & protocols server-side rats.

The result, Org Navigator, is a small app that helps you search the directory for specific users and explore your organization by crawling through their relationships.

I published it at http://www.windowsphone.com/en-us/store/app/org-navigator/84975f22-2c23-4a90-9a5e-cde950e8a084.

I had a lot of fun writing this, although getting the UX right took far more effort than I expected. I even got creative and designed the app tile myself! If you don’t understand what it is meant to represent, my artistic endeavor failed.


For the time being the app is free, given that I expect we’ll find bugs for some time, but as it gets more stable and I add a few other features I have in the pipeline I’ll consider venturing into the world of paid apps. Hence, get it while it’s free.

Below there’s an excerpt from the help page. Have fun with it and let me know if you stumble into bugs!

Org Navigator – BETA

Org Navigator is a simple (but useful!) app for Windows Phone which allows you to instantly look up anybody in your directory, find out his/her basic coordinates (email, phone, office location, etc) and navigate through the organization’s structure by following the relationship links which tie  every user to his/her management chain, reports, peers, and so on.

Org Navigator is super easy to use. Start by typing in the search box something about the user you seek: possible values are first and/or last name, alias and email address.


If this is the first time that you use Org Navigator, you will be asked to sign in. You will need to enter the credentials of a valid user for the directory you want to query. Subsequent runs of the app will not require a new sign in for a long time.
Org Navigator works with Azure Active Directory: if you have Office 365 or Azure you already have one! If you don’t, but you want to give the app a try, you can use the sample directory currently offered by the Azure AD graph team: find username and password in https://github.com/AzureADSamples/ConsoleApp-GraphAPI-DotNet.

Once you have successfully authenticated, the focus returns to Org Navigator and your query is executed. The results, if any, are shown as a list below the search box.


Click on the result to see a detailed view.


Swipe to the right to see all the users that are related to the current user via organizational structure. For example, swipe to the Peers section to see who else in the organization shares the same manager as Derek.


You can click any of the user entries to access its details and relationships: for example, if in our test query you click on Marcus Bryer, Org Navigator will move its focus accordingly:


From here, you can iterate the process and go as deep as you like. You can backtrack by using the Windows Phone hardware back button.

If you want to sign in as another user, head to the settings (via the app bar button in the search page) and hit sign out. You can then sign in directly from that page, or defer the operation to the first time you’ll perform a new search.

If you have any feedback or comments please feel free to write me via http://www.cloudidentity.com/blog/contact/

Julian Bond: Words I dislike, #23 : [Technorati links]

July 28, 2014 06:30 AM

Sophomore
[from: Google+ Posts]
July 27, 2014

Kaliya Hamlin - Identity Woman: Resources for HopeX Talk. [Technorati links]

July 27, 2014 07:53 PM

I accepted an invitation from Aestetix to present with him at HopeX (10).

It was a follow-on talk to his HOPE 9 presentation on #nymwars.

He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg - Snowden conversation that happened mid-day Saturday. It was amazing and it went over an hour, so our talk, which was already at 11pm (yes), was rescheduled to start at midnight.

Here are the slides for it. I modified them enough that they make sense if you just read them. My hope is that we explain NSTIC, how it works, and the opportunity to get involved and actively shape the protocols and policies being maintained.

I am going to put the links about joining the IDESG up front, because that was our intention in giving the talk: to encourage folks coming to HopeX to get involved, to ensure that the technologies and policies allow citizens to use verified identity online when it is appropriate, and, most importantly, to make SURE that the freedom to be anonymous and pseudonymous online is preserved.
This image is SOOO important that I'm pulling it out and putting it here in the resources list.


There are only about 100 active people within the organization known as the Identity Ecosystem Steering Group, as called for in the National Strategy for Trusted Identities in Cyberspace, published by the White House and signed by President Obama in April 2011, which originated from the Cyberspace Policy Review done just after he came into office in 2009. Here is the website for the National Program Office.

The organization's website is here: ID Ecosystem. We have just become an independent organization.

My step-by-step instructions on how to JOIN.

Information on the committees: the one with the most potential to shape the future is the Trust Framework and Trust Mark Committee.

Here is the video.

From the Top of the Talk

Links to us:
Aestetix -  @aestetix Nym Rights
Kaliya - @identitywoman  -  my blog identitywoman.net

Aestetix - background + intro #nymwars from Hope 9

     Aestetix's links will be up here within 24h
We mentioned Terms and Conditions May Apply - follows Mark Zuckerberg at the end.

Kaliya  background + intro

I have had my Identity Woman blog for almost 10 years, as an Independent Advocate for the Rights and Dignity of our Digital Selves: Saving the world with User-Centric Identity.

In the early 2000s I was working on developing distributed Social Networks for Transformation.
I got into technology via Planetwork and its conference in 2000, themed Global Ecology and Information Technology. They had a think tank following that event and then published, in 2003, the Augmented Social Network: Building Identity and Trust into the Next Generation Internet.
The ASN, and the idea that user-centric identity based on open standards was essential, all made sense to me: the future of identity online, our freedom to connect and organize, is determined by the protocols. The future is socially constructed and we get to MAKE the protocols . . . and without open protocols for digital identity our IDs will be owned by commercial entities, which is the situation we are in now.
Protocols are Political. This book articulates it: Protocol: How Control Exists after Decentralization by Alexander R. Galloway. I excerpted key concepts of Protocol on my blog in my NSTIC Governance Notice of Inquiry.
I co-founded the Internet Identity Workshop in 2005 with Doc Searls and Phil Windley. We are coming up on number 19 the last week of October in Mountain View and number 20 the third week of April 2015.
I founded the Personal Data Ecosystem Consortium in 2010 with the goal of connecting start-ups around the world building tools for individuals to collect, manage and get value from their personal data, along with fostering ethical data markets. The World Economic Forum has done work on this (I have contributed to it) with their Rethinking Personal Data Project.
I am shifting out of running PDEC to be Co-CEO, with my partner William Dyson, of a company in the field, The Leola Group.

NSTIC

Aestetix and I met just after his talk at HOPE 9 around the #nymwars (we were both suspended).
So where did NSTIC come from? The Cyberspace Policy Review in 2009, just after Obama came into office.
Near-Term Action Plan:
#10 Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
Mid-Term Action Plan:
#13 Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.
NSTIC was published in 2011: Main Document - PDF, announcement on the White House Blog.
Trust Frameworks are at the heart of what they want to develop, to figure out how to navigate how things work.
MY POST: the Trouble with Trust and the Case for Accountability Frameworks.
What will happen with the results of this effort?
The Cyber Security Framework (paper) the Obama Administration just outlined. NSTIC is not discussed in the framework itself, but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework. The Roadmap highlights authentication as the first of nine different high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.

The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.

The National Program Office was launched in January 2012 and Jeremy Grant leads it. You can read Commerce Secretary Locke's comments at the announcement at Stanford.
I wrote this article just afterwards: National! Identity! Cyberspace! Why we shouldn't Freak out about NSTIC (it looks blank - scroll down).
Aaron Titus wrote a similar post explaining more about NSTIC relative to the concerns arising online that this is a National ID.
Staff for National Program Office

They put out a Notice of Inquiry to figure out how this Ecosystem should be governed.

Many people responded to the NOI - here are all of them.

I wrote a response to the NSTIC Notice of Inquiry about Governance. It covers much of the history of the user-centric community and my vision of how to grow consensus. Most important for my NSTIC candidacy are the chapters about citizen engagement in the systems, co-authored with Tom Atlee, the author of the Tao of Democracy and the just published Empowering Public Wisdom.

The NPO hosted a workshop on Governance, and another one on Privacy, at which they invited me to present on the Personal Data Ecosystem. The technology conference got folded into IIW in the fall of 2011.

O'Reilly Radar called it The Manhattan Project for online identity.

The National Program Office published a proposed:

Charter for the  IDESG Organization

ByLaws  and Rules of Association for the IDESG Organization

Also what committees should exist and how it would all work in this webinar presentation.  The Recommended Structure is on slide 6.  They also proposed a standing committee on privacy as part of the IDESG.

THEN (because they were so serious about private sector leadership) they published a proposed 2-year work plan BEFORE the first Plenary meeting in Chicago in August 2012.

They put out a bid for a Secretariat to support the forthcoming organization and awarded it to a company called Trusted Federal Systems.
The plenary was and is open to anyone and any organization from anywhere in the world. It is still open to anyone. You can join by following the steps in my blog post about it.
At the first meeting in August 2012 the management council was elected. The committees they had decided ahead of time should exist had meetings.
The committees - you can join them. I have a whole post about the committees so you can adopt one.

Nym Issues!!!

So after the #nymwars it seemed really important to bring the issues around Nym Rights into NSTIC and the IDESG. They were confused - even though their bylaws say that committees. I supported Aestetix in writing a charter for a new committee; I read it at the plenary in November 2012, and he attended the February 2013 Plenary in Phoenix. I worked with several other Nym folks to attend the meeting too.
They suggested that NymRights was too confrontational a name, so we agreed that Nym Issues would be fine. They also wanted to make sure that it would just become a sub-committee of the Privacy Committee.
It made sense to organize "outside" the organization, so we created NymRights.
Basically the committee and its efforts have been stalled in limbo.
        Aestetix's links will be up here within 24h

The Pilot Grants from the NPO

Links
Year 1 - announcement about the FFO, potential applicant webinar, announcement about all the grantees and an FAQ.

Year 2 - announcement about the FFO, potential applicant webinar, announcement about the grantees.

Year 3 - announcement about the FFO; grantees still being determined.

Big Issues with IDESG

Diversity and Inclusion

I have been raising these issues since its inception (pre-inception in fact: I wrote about them in my NOI response).

I was unsure if I would run for the management council again. I wrote a blog post about these concerns that apparently made the NPO very upset. I was subsequently "uninvited" to the International ID Conference they were hosting at the White House Conference Center for other western liberal democracies trying to solve these problems.

Tech President covered the issues and did REAL REPORTING about what is going on, in Obama Administration's People Powered Digital Security Initiative, There's Lots of Security, Fewer People.

This is in contrast to a wave of hysterical posts about National Online ID pilots being launched.

The IDESG has issues with how the process happens. It is super TIME INTENSIVE. It is not well designed so that people with limited time can get involved. We have an opportunity to change things by becoming our own organization.

The 9th Plenary schedule can be seen here. There was a panel on the first day with representatives who said that people like them, and others from different communities, needed to be involved AS the policy is made. Representatives from these groups were on the panel, and it was facilitated by Jim Barnett from the AARP.

The Video is available online.

The "NEW" IDESG

The organization is shifting from being a government initiative to being one that is its own independent organization.

The main work where the TRUST FRAMEWORKS are being developed is in the Trust Framework and Trust Mark Committee.  You can see their presentation from the last committee here.


Key Words & Key Concepts from the Identity Battlefield

Trust

What is Identity?  It's Socially Constructed and Contextual

Identity is Subjective

Aestetix's links will be up here within 24h

What are Identifiers?: Pointers to things within particular contexts.

Abrahamic Cultural Frame for Identity / Identifiers

Relational  Cultural Frame for Identity / Identifiers

What does Industry mean when it says "Trusted Identities"?

What is Verified?

AirBnB
Verified ID in the context of the Identity Spectrum : My post about the spectrum.

Reputation

In Conclusion: HOPE!

We won the #nymwars!

Links to Google's apology.

Skud's the Apology we hoped for.

More of Aestetix's links will be up here within 24h

The BC Government's Triple Blind System

Article about the system they have created and the citizen engagement process to get citizen buy-in, with 36 randomly selected citizens to develop future policy recommendations for it.

Article about what they have rolled out in Government Technology.

Join the Identity Ecosystem Steering Group

Get engaged in the process to make sure we maintain the freedom to be anonymous and pseudonymous online.

Attend the next  (10th) Plenary in mid-September in Tampa at the Biometrics Conference

Join Nym Rights group.

http://www.nymrights.org

Come to the Internet Identity Workshop

Number 19 - Last week of October - Registration Open

Number 20 - Third week of April


Anil John: Should Level of Assurance be Scalar or a Vector? [Technorati links]

July 27, 2014 05:15 PM

Levels of Identity Assurance continues to be one of the most discussed topics in the identity world. One of the oft-debated aspects is whether it should be conveyed as a singular number, distilled from an underlying set of components, or if the underlying set of components themselves should be conveyed.

Click here to continue reading. Or, better yet, subscribe via email and get my full posts and other exclusive content delivered to your inbox. It’s fast, free, and more convenient.


These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer.

Julian Bond: Today's neologism: "Accelerationista". Who are they? What do they stand for? [Technorati links]

July 27, 2014 11:54 AM
Today's neologism: "Accelerationista". Who are they? What do they stand for?

I've also told the stories of accelerating change. Especially in the run up to Dec 2012. And I'm still fascinated by the implications of exponential growth with short doubling periods. But as I get older I wonder where the change is. In many respects 2014 doesn't feel that different from the 1974 of my youth. 2054 could easily be more like 2014 than different. But that presupposes continuing 3% growth in global GDP with sufficient available energy to fund that growth. And that's something I increasingly doubt is sustainable for another 40 years.

Found here.
http://www.electronicbeats.net/en/features/columns/pattern-recognition/pattern-recognition-vol-9-cold-forecast/

Incidentally, this is a most interesting essay. It touches on something I've been vaguely aware of. And that's a move in music towards a very cold, clean, antiseptic version of electronic maximalism. It's not just people like Rustie, Logos, Lone, Jam City. But also in erstwhile dirty dubstep producers like Shackleton of Skull Disco apparently recapitulating the kind of ultra clean synth programming of the German Kosmische Musik groups of the late 70s like Tangerine Dream - Neu! - Faust - Amon Düül II.

How are we supposed to react emotionally to musics that make one think of climate change refugees breaking down CCTV secured border fences and then being bombed by drones? Are we closing in on a future where we are all Palestinians and this music is just reflecting that?  That's a pretty dark view. Previous music that provided a commentary on war tended to emphasise the dirt and messiness of warfare. This music is emphasising the cleanness of drone warfare waged from cubicle farms in air-conditioned offices with water coolers, office hours, powerpoint and donuts.
 Pattern Recognition Vol. 9: Cold Forecast »
This month, Adam Harper—the premier writer on new, underground music—considers musical futurism and finds a paradox in its chilly anti-humanism.

[from: Google+ Posts]

Julian Bond: Why is the colour of the digital future predominantly blue? [Technorati links]

July 27, 2014 11:37 AM
Why is the colour of the digital future predominantly blue?
http://goo.gl/GLmE9r
 digital future - Google Search »

[from: Google+ Posts]
July 26, 2014

Julian Bond: Stay Awake [Technorati links]

July 26, 2014 10:55 PM
Stay Awake
http://boingboing.net/2014/07/24/alien-autopsy-william-barker.html

Schwa merch, original and recreated on etsy.
https://www.etsy.com/shop/AlaVoidDistribution
 Alien Autopsy: William Barker on Schwa, two decades later »
Twenty years ago, William Barker's Schwa artwork revealed a world of alien abductions, stick figure insanity, conspiratorial crazy, and a hyper-branded surveillance state. It's now more relevant than ever.

[from: Google+ Posts]

Kaliya Hamlin - Identity Woman: I've co-founded a company! The Leola Group [Technorati links]

July 26, 2014 05:27 PM

Thursday evening following Internet Identity Workshop #18 in May I co-Founded and became Co-CEO of the Leola Group with my partner William Dyson.

So how did this all happen? Through a series of interesting coincidences in the 10 days (yes just 10 days) William got XDI to work for building working consumer facing applications. He showed the music meta-data application on Thursday evening and wowed many with the working name Nymble registry.  The XDI [eXtensible Resource Identifier Data Interchange] standard has been under development at OASIS for over 10 years. Getting it to actually work and having the opportunity to begin to build applications that really put people at the center of their own data lives is a big step forward both for the Leola Group and the Personal Data community at large.

William and I met in September of 2013 via an e-mail introduction from Drummond Reed.  We started working together the day I met him on the efemurl project.  We were dating a few days later and a few weeks later we were engaged. We announced this during the closing circle at IIW #17.

The efemurl project was taking an extensively featured web platform William had built over several years and working to further develop it and turn it into a consumer co-operative.  The shorthand way to describe it, you know, in that way they describe movie plots, is: it's like Google and REI had a baby.  The core ideas developed for the efemurl platform will be brought over into the applications the Leola Group is developing.  Core aspects of what the Leola Group is are too valuable to be owned by one company and we will be working with Planetwork to turn the operation of those into a consumer co-operative.

So big questions for people in the community include:

Are you still involved with IIW? 
Yes of course!  IIW will continue and my role with it will too. Phil Windley founded his company Kynetx and continues to be a co-leader of IIW with me and Doc.  We have a great production team led by Heidi Nobantu Saul.

What is going to happen to PDEC?

We have worked to create a 6 month transition plan for the organization/community to new leadership.   We have brought on Dean Landsman (well known for his leadership in the VRM community) to serve as Communications Director and, among other things, host regular community calls and host a podcast.  As part of taking on the Co-CEO role in the new company I have woven into the job taking the time needed to properly transition out of my role as Executive Director and work with the community over the next 6 months to get governance in line and then have that leadership group hire a new Executive Director. You can read more about it on the PDEC blog and see a video we made.

The organization just welcomed 11 new members. Dean will be presenting about his new role with PDEC at the Personal Data Meetup in NYC on Monday.

When are you getting Married?

William and I are getting married the weekend after IIW #20, which is April 7-9 (Yes, it's way early!!!).  This will help friends coming for IIW from around the world to be able to join in the celebration.

Julian Bond: Burn the witch! Burn him with fire! [Technorati links]

July 26, 2014 04:43 PM
Burn the witch! Burn him with fire!
http://www.bbc.co.uk/news/uk-politics-28464009

Frankly unbelievable that there's a Conservative MP on the health and the science and technology parliamentary committees who thinks that Astrology should be incorporated into Medicine.
 Astrology can aid healthcare - MP »

[from: Google+ Posts]
July 25, 2014

Julian Bond: Apocaloptimism. Try to imagine a desirable future in 2114 (100 years) that you would want to live in... [Technorati links]

July 25, 2014 06:13 AM
Apocaloptimism. Try to imagine a desirable future in 2114 (100 years) that you would want to live in. Because we need some more hopeful narratives to counter all the dystopianism.

https://medium.com/message/a-desirable-future-haiku-ff01d63c93c6

"Population 4 billion; 85% urban. Climate change adapted" Getting from here to there would be, ahem, interesting.

Quite a lot of Californians in there hoping for a future that's all "graphite and glitter" in some http://en.wikipedia.org/wiki/Gernsback_Continuum

Of course the 100 year future will be messier than that and more like today than like Startrek. But what about the 1000 and 10,000 year futures? ;) Try and imagine an Earth economy in 10,000 years that can support 5B people. 100% recycling but no Helium. And of course the 10 year future in 2024 that you would want to live in.
 A Desirable-Future Haiku »
The coming hundred years, in one hundred words

[from: Google+ Posts]

Vittorio Bertocci - Microsoft: Protecting an ASP.NET WebForms App with OpenId Connect and Azure AD [Technorati links]

July 25, 2014 06:12 AM

All of our official .NET samples that show some web UX are based on MVC. This caused somebody to speculate that the new OWIN components for OpenId Connect and WS-Federation require MVC to function. Nothing further from the truth! You can totally use those to secure your WebForms apps. Here is a super quick tutorial on how to do it. It is super easy. 98.8% of the tutorial is exactly the same as the corresponding MVC based tutorial, but for the sake of de-normalization I am going to go through those steps by value instead of by reference, on account of the possibility that some of you might not have had any previous exposure to this given the samples’ MVC bias.

Create an empty project

Fire up the good ol’ VS2013, and head to new project->ASP.NET Web application. On the project template dialog, pick Web Forms. Hit OK.

Visual Studio will create your project according to the template you picked. Before moving any further, let’s enable SSL.

Provision the app in Azure AD

Let’s leave VS for a few moments and pay a visit to the Azure portal, where we will tell our Azure AD tenant about our newly minted application.

Navigate to https://manage.windowsazure.com/, sign in as your tenant admin, scroll to the Active Directory tab, choose the tenant you want to use, select the Applications tab, and click the Add button on the appbar at the bottom of the screen.

Choose “Add an application my organization is developing”.

Give to the app any name you like. Keep the default “web application and/or web api”. Click the Next arrow.

In the Sign-On URL enter the HTTPS address you got when you enabled SSL on the project (mine is https://localhost:44307/). In the App ID URI enter any valid URI that will later remind you of what this app is. For my test app I chose http://wifeistravellinghenceIblogoutofboredom. Click the Done button.

Click on the Configure tab and leave the browser open there. We’re going to need some of the values here in just a moment.

Add references to the Cookie/OpenId Connect/SystemWeb NuGets

Next, let’s go back to Visual Studio. Go to Tools->Library Package Manager->Package Manager Console. In the console, enter the following three magic commands:

Install-Package Microsoft.Owin.Security.OpenIdConnect -Pre

Install-Package Microsoft.Owin.Security.Cookies -Pre

Install-Package Microsoft.Owin.Host.SystemWeb -Pre

Those will bring down the Katana components you need.

Add the initialization logic

We are in good shape! Given that we started from the Individual Auth template, the OWIN pipeline is already present. We just need to change it to use OpenId Connect. If for some reason (e.g. ADFS) you want to use WS-Federation, the mechanism is *exactly* the same, you just use the appropriate middleware.

using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace OWINandWebForms
{
    public partial class Startup
    {
        // Replaces the body of the ConfigureAuth method that the template
        // generated in Startup.Auth.cs; Startup.Configuration already calls it.
        public void ConfigureAuth(IAppBuilder app)
        {
            // Sign-ins produced by the OpenId Connect middleware are persisted in the cookie.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    // Coordinates of the author's test app: replace with your own app and tenant.
                    ClientId = "d04fb01f-0715-4ed7-a656-0793b545e1f1",
                    Authority = "https://login.windows.net/6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e"
                });
        }
    }
}

That will change the pipeline to use OpenId Connect. The values you see there are associated with my test app: you will have to replace them with the coordinates of your own app, in your own tenant. Namely:

Done.

Give it a spin!

Hit F5. Your page will come up. Click on the Log In link on the top right corner, which comes directly from the template bits.

On the right hand side, you’ll notice the OpenIdConnect button. Hit it.

You’ll see the familiar AAD authentication UX. Enter your test user.

And voilà! The user is signed in. Q.E.D.

Extra Credit

The sequence above does not leave the project in the cleanest possible state – my goal was to show you in the smallest number of steps that the OpenId Connect (and WS-Federation) middleware does work with WebForms.

In a more realistic setup, you would likely start from a template with the “no authentication” option. That would leave you with the responsibility of adding Startup.cs, but that’s really boilerplate code. Also, you would likely want to add some automatic authentication trigger. That is easy enough to achieve. For example, consider the following implementation of Default.aspx.cs:

using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;
using System;
using System.Web;
using System.Web.UI;

namespace OWINandWebForms
{
    public partial class _Default : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (!Request.IsAuthenticated)
            {
                HttpContext.Current.GetOwinContext().Authentication.Challenge(
                    new AuthenticationProperties { RedirectUri = "/" }, 
                    OpenIdConnectAuthenticationDefaults.AuthenticationType);
            }
        }
    }
}

That simply triggers a sign-in in case the caller is not authenticated. Not hard at all.
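As an added example (not code from Vittorio's post), here is what the "no authentication" starting point he mentions looks like when Startup.cs is written from scratch: the same cookie and OpenId Connect middleware, with the cookie restricted to HTTPS, the accepted token issuer pinned to your tenant, and a failure handler that sends the user to an error page instead of echoing the exception text. The placeholder Client ID and tenant ID, the sts.windows.net issuer format, the /Error.aspx page and the SignOut.aspx page are assumptions; the Default.aspx.cs challenge shown above is unchanged and still does the automatic sign-in.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using System.Web;
using System.Web.UI;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(OWINandWebForms.Startup))]

namespace OWINandWebForms
{
    public class Startup
    {
        // Placeholders (assumed): take Client ID and tenant ID from the app's
        // Configure tab in the Azure portal. BaseUrl is the SSL URL of the project.
        private const string ClientId = "<client-id-from-configure-tab>";
        private const string TenantId = "<tenant-id>";
        private const string BaseUrl = "https://localhost:44307/";

        public void Configuration(IAppBuilder app)
        {
            // Identities produced by the OpenId Connect middleware are stored in the cookie.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // The session cookie is only sent over HTTPS and is not readable from script.
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = "https://login.windows.net/" + TenantId,
                RedirectUri = BaseUrl,
                PostLogoutRedirectUri = BaseUrl,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Pin the issuer to this tenant so that a token minted for a
                    // different tenant is rejected (issuer URL format is an assumption).
                    ValidateIssuer = true,
                    ValidIssuer = "https://sts.windows.net/" + TenantId + "/"
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    AuthenticationFailed = context =>
                    {
                        // Protocol or token validation failures end on a generic error
                        // page; the exception text is not written to the response.
                        context.HandleResponse();
                        context.Response.Redirect("/Error.aspx");
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }

    // Code-behind for an assumed SignOut.aspx page: ends both the local cookie
    // session and the Azure AD session, then returns to PostLogoutRedirectUri.
    public partial class SignOut : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            HttpContext.Current.GetOwinContext().Authentication.SignOut(
                OpenIdConnectAuthenticationDefaults.AuthenticationType,
                CookieAuthenticationDefaults.AuthenticationType);
        }
    }
}
```

Signing out of only the cookie would leave the Azure AD session alive, so the next Challenge would silently sign the same user back in; passing both authentication types to SignOut is what makes the Log Out link actually end the session.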


Well, there you have it. OpenId Connect, Azure AD and WebForms.
We chose OWIN as the platform for our new wave of identity libraries because of its flexibility – don’t let the fact that we standardized on MVC for our samples stop you from enjoying the latest and greatest.

July 24, 2014

Kantara Initiative: IRM Work Group is Live! [Technorati links]

July 24, 2014 09:44 PM

Dear Community,

With great pleasure, I announce the formation of the Identity Relationship Management Work Group (IRM WG)! If you’re interested in evolving or are practicing IRM – this is your innovation space.

The wiki space (work in progress) is here.
The sign up form is here. *

* Note and shameless plug: You don’t need to be a Kantara Member to join the group but we hope you’ll consider it! As a non-profit, every Membership counts.

Not sure what IRM is?  No problem.  The original post is here. IRM (roughly) provides a business focused language to describe the current and future state of Identity Services, Protocols and Standards.  IRM is about the evolution of Identity and Access Management from the IT and GRC team to the Business Development team.  IRM captures the sense that IdM / IAM is about more than solving a help desk issue – it’s about growing connections for businesses, communities, and governments.

IRM has already resonated with companies on an international scale including the founders: Experian, ForgeRock, and Salesforce.com.  Once the pillars were published innovators like Radiant Logic and Avoco Identity were quick to tell their “IRM Story”.  CA has also noted the language strongly resonates with their mission. IRM is about the evolution and value of Identity and Relationships and how business, governments, consumers, and citizens can use that value to power their market. IRM considers the use of on-line context today and starts to draw the path to provision of user access and control for respect for privacy (resource sharing) management (See User Managed Access – UMA).

In June, I gave a presentation at the IRM Summit to describe the IRM revolution.  You can check the video to get a quick idea of the topic (yes, there might be rainbow unicorns somewhere in the deck).

At the same event, Ian Glazer has already started the ball rolling with his intro to “the Laws of Relationship Management.” Ian has started the community discussion around IRM and what does it look like – perhaps technically and policy wise. Check out Ian’s presentation.

If you’re interested in discussing the business language of Identity, while evolving and innovating use cases, technology and policy, IRM is the group for you.  If you’d like to share your IRM Story, IRM is the group for you.

We look forward to evolving IRM and revolutionizing Identity with you!

Joni Brennan
Executive Director, Kantara Initiative


Kuppinger Cole: Executive View: BalaBit Shell Control Box - 71123 [Technorati links]

July 24, 2014 05:16 PM
In KuppingerCole

BalaBit IT Security was founded in 2000 in Hungary, and their first product was an application layer firewall suite called Zorp. Since that time, BalaBit has grown into an international holding headquartered in Luxembourg with sales offices in several European countries, the United States and Russia and a large partner network. The company has won widespread recognition in the Open Source community by making their core products available as free...
more

Ian Glazer: Do we have a round wheel yet? Part 2 of my musings on identity standards [Technorati links]

July 24, 2014 04:26 PM

Yesterday I talked about the state of identity standards with regards to authentication and authorization. Today I’ll cover attributes, user provisioning, and where we ought to go as an industry.

Attributes

The wheel of attributes is roundish. There are two parts to the attribute story: access and representation. We can access attributes… sorta. There’s no clear winner that is optimized for the modern web. We’ve got graph APIs, ADAP, and UserInfo Endpoints – not to mention proprietary APIs as well. Notice I added the constraint of “optimized for the modern web.” If we remove that constraint, then we could say that access to attributes is a fully solved problem: LDAP. But we are going to need a protocol that enables workers in the modern web to access attributes… and LDAP ain’t it.

As for a standardized representation, we have one. Name-value pairs. In fact, name-value pairs might be the new comma. And although NVP are ubiquitous, we don’t have a standard schema. What is the inetOrgPerson of a new generation? There is no inetOrgPerson for millennial developers to use. But does that even matter? We could take SCIM’s schema and decree it to be the standard. But we all know, that each of us would extend the hell out of it. Yes we started with a standard schema, but every service provider’s schema is nearly unique.

User Provisioning

User provisioning is nearly round. Let’s face it, the wheel that SPML v2 built was not round. The example that the standard provided wasn’t even valid XML – not an auspicious start. In fact, SPML was a step away from roundness when we think about DSML v2. DSML v2 was a round wheel. It wouldn’t be very useful today but it would roll.

So what about SCIM? I’m bullish on it. Some really smart people worked on it, including my boss. We (salesforce.com) are supporting it. Others such as Cisco, Oracle, SailPoint, Technology Nexus, and more are supporting it. We hope you support it too. In fact, hopefully, at the end of this week it might just get a final version of the 2.0 draft at the IETF meeting in Toronto. SCIM definitely needs more miles on the road, but I believe that the use cases that have been used to form SCIM are fairly representative of a majority of use cases we have. It can’t do everything but better believe it can do something.

And this narrow focus is important as we think about the work we must do. As we as an industry shift from just dealing with employee identities to those of customers, citizens, and things, there is a shift from heavy, rich user provisioning to lighter weight registration and profile management. SCIM is just as applicable in an employee identity scenario as it is in a customer identity scenario. And thus it is well positioned to make the transition.

More than just wheels

How do you discover identity services from a service provider? I don’t mean in a specific OIDC way, but in a more general way. How do you know if they use SAML, SCIM, a proprietary attribute API, FIDO U2F, etc?

Is there a way to kickstart point-to-point identity relationships without paying the cost of point-to-point drudgery? Could I point my identity system at yours, form a relationship between the organizations, and start to use our joint identity services to meaningfully interact?

Let me ask this a different way – do we have hubs and axles for our roundish wheels? Can we build something that removes the heavy lifting when offering and/or consuming identity services? I believe this is the uncharted standards territory into which we must blaze a trail.

Measuring our progress

As we continue to refine our standards, we need a way of evaluating the roundness of those wheels, so to speak. We need some set of design considerations to help us decide whether a standard will get us from here to there. A few weeks ago I debuted the laws of relationships.  They are a set of considerations that we as identity professionals must be mindful of as we begin to navigate the waters of modern IAM – of identity relationship management. They can help evaluate the roundness of our standards… but only if you lend a hand. Kantara is creating an Identity Relationship Management working group to which I am giving these Laws of Relationships. I hope you will join me, Joni, Allan, and others in this new working group to help make identity ready for the modern era.

The challenge ahead

That modern era is one in which more people and more things are more closely related. It is an era that holds the promise of “identity as business enabler.” And in this modern era identity will not only deliver the right access to the right people at the right time but the right experience to the right people at the right time. Not just people but things too.

To be fair, this modern era will require us to haul a heavy load. To do that we need round wheels. We need workable identity standards. We have made great progress but we are not there yet.

I’ll ask 3 things of this audience and of our industry. First, adopt standards. If you aren’t using identity standards, you are inventing your own wheel. That is a strategy only optimized for the short-run. If the current ones don’t work for you, bring those use cases to standards bodies. If you don’t know where to go, ping people like Kelly, Eve, Justin, Nishant, or Patrick, and they’ll help you find the right place to go.

Second, help others adopt standards. Build SDKs to help people use OpenID and SAML. Support open source implementations of SCIM and OAuth. Start at home – with your organization’s developers – and move out from there.

Third, demand standards. From your identity technology providers. Demand standards. From your business service providers. Demand standards. From your own development teams. Demand standards. If for no other reason than to kill off the need for password vaulting. Demand standards.

Lastly, keep in mind that a round wheel is not an end in and of itself. A great spec is potentially satisfying to the hard-core identity dorks in the room, me included, but that isn’t the real goal. We reinvent the wheel, we revisit and rebuild our standards, to get round ones – beautifully functioning ones that help carry the loads we must shoulder and help us get to where we need to go in this era of modern identity.

Julian Bond: Sex, drugs and rock 'n' roll are universal characteristics of the human condition. [Technorati links]

July 24, 2014 02:06 PM
Sex, drugs and rock 'n' roll are universal characteristics of the human condition.

http://guerillascience.org/book/

Were it not for our supposedly ‘base’ impulses, we never would have achieved many ground-breaking scientific discoveries. Hedonism has been integral to intellectual progress.
 Sex Drugs and Rock ‘n’ Roll – Guerilla Science »
Guerilla Science create events and installations for festivals, museums, galleries, and other cultural clients. We are committed to connecting people with science in new ways, and producing live experiences that entertain, inspire, challenge and amaze.

[from: Google+ Posts]

Nat Sakimura: Trying to untangle a vertically siloed spaghetti information infrastructure, but… [Technorati links]

July 24, 2014 11:22 AM

Twitter   jirok  I'm trying to untangle a vertically siloed spaghetti information infrastructure, but "  ...

Professor Kokuryo, whom I greatly respect, posed this question to me, so although it took a little while, I have written up my answer as a blog post.

First, the conclusion.

(1) Identifiers → Identity Register + RA

(2) Identity verification infrastructure → IdP + CSP

(3) Attributes → IIA/IIP

(4) Services → RP/SP

If we reinterpret the question in these terms, the conclusion is that it seems best to split the functions up this way and manage them separately.

The explanation follows.

The basis of IdM is identifying the user in question. Identification means uniquely distinguishing an entity from the other entities in a population. Since we cannot observe an entity directly, this amounts to collecting attribute values tied to that entity until the set of values becomes unique. In that state, the set of attribute values is acting as the "identifier". However, values keep changing, and at some other point in time the set may no longer be distinguishing, so unless a unique and immutable string is assigned at the moment of identification, management becomes troublesome. An identifier assigned for this purpose is called a reference identifier in ISO/IEC 24760-1, and the function that generates it is called a reference identifier generator.

Because identification uses attribute values, the reliability of the identification depends on the reliability of those attribute values. Measuring the reliability of this set of attribute values is called Identity Proofing. Since identity is defined as the set of attributes related to a subject, Identity Proofing means "verifying the set of attributes related to a subject". What is called honnin kakunin (identity verification) in Japan can basically be regarded as a special case of this, in which the attributes are the four basic items of personal information. ISO/IEC 29115 proposes dividing the level of confidence in the values of this attribute set into four levels.

Identity management (IdM) manages the identities of identified subjects. To do this, they are registered in a registry called an Identity Register. The party that performs Identity Proofing and registers the subject in the Identity Register is called the Registration Authority (RA).

An identity has a lifecycle. ISO/IEC 24760-1 proposes managing it in five phases: unknown, established, active, suspended, and archived.

For a subject identified in this way to use online services, it creates and uses an online identity that acts on its behalf. This identity must be something that only the person themselves can create, and third parties must be able to confirm that the person is in control of it. The information used to ensure that only the person can create it is called a "credential"; it is something only that person can produce, and a password is the typical example. The person presents this credential to a mechanism called a "verifier" or a "Credential Service Provider (CSP)" to prove that the party present is indeed the person. This is called authentication. The identity created through this authentication, for which third parties can confirm that the person is in control, is called an authenticated identity.

The reliability of this authenticated identity depends on the reliability of the credential that was used, and that in turn depends on how reliably lifecycle management is carried out across the credential's issuance, delivery, activation, use, suspension and deletion. And since the reliability of the resulting authenticated identity is the reliability of the attributes it contains (the fact that authentication was performed with a credential is itself one of those attributes), it depends on both the reliability of the attributes confirmed by Identity Proofing and the reliability of the credential.

On the other hand, there are many attributes besides those used for identification. The Identity Register stores attributes too, but only within the scope needed for Identity Proofing. Many deployments dump everything else in there as well, but that is not necessary, and one can assume an independent attribute provider. ISO/IEC 24760-1 calls this an Identity Information Provider (IIP); in general the name Attribute Provider is more common. An IIP that can provide authoritative information is called an Identity Information Authority (IIA). From the standpoint of freshness and accuracy, it is always better to obtain information from the IIA. However, doing so lets the IIA learn where the information was submitted, so to avoid that, the information is sometimes deliberately fetched via another IIP. This is a matter of balancing privacy against accuracy. Note that an organization that creates and provides authenticated identities is also a kind of IIP; the industry usually calls such an IIP an IdP.

Note also that an Identity Register can exist completely independently of credentials and of the creation of authenticated identities through the person's authentication. A customer database, for example, is a typical Identity Register, and managing it also falls within identity management in the broad sense.

On the other hand, there are also parties that use the authenticated identities created in this way. Because they rely on others for identity information, they are called Relying Parties (RP). When the focus is on their providing services to the person or to third parties, they are also called Service Providers (SP). The RP checks the trustworthiness and validity of the received authenticated identity, for instance via its signature, before using it.

The protocol by which an IIP and an RP request and return information is called an Identity Federation Protocol. OpenID Connect, whose specification I was involved in writing, is a representative example. In OpenID Connect, the minimum necessary attribute information is requested each time and, with the person's consent, made available to the RP.

Now we have the functions needed for identity management and federation (roughly speaking; in detail there are also PDPs, PEPs and so on, but let's leave those for another occasion). The question is how to arrange these functions. There are the perspectives of efficiency, security and privacy; here I want to consider the privacy perspective.

What must be considered from a privacy perspective is summarized in the so-called "privacy principles". The OECD's eight principles and the US FIPPs are well known, but here I want to reason using the principles of ISO/IEC 29100.

ISO/IEC 29100 has the following 11 principles.

1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

Of these, the ones that bear on placement are 3. collection limitation, 5. use, retention and disclosure limitation, and 6. accuracy and quality.

"3. Collection limitation" requires that only the minimum information needed to carry out the business in question be collected. To conform, it is not good for the identity register to collect anything beyond what is needed at registration, so the identity register and the other IIPs should be kept independent. The reference identifier generator and the identity register could be managed separately, but since the reference identifier ends up in the identity register anyway, it is more efficient to run them in the same organization. On the other hand, the Registration Authority (RA), which performs identity proofing and registers the result in the identity register, is often run by a different organization than the Identity Register. Where the Identity Register only records part of the information used for Identity Proofing, the collection limitation principle suggests they should be separated. However, considering the Identity Lifecycle, the Identity Register and the RA should be operated quite closely together, and if that close relationship is not maintained, unintended disclosure and other privacy risks can be expected to rise. In view of this, I personally think it is fine to operate the RA and the Identity Register as one.

"5. Use, retention and disclosure limitation" says that data may only be used for the purposes consented to at the time of collection, retained only as long as necessary, and disclosed only within the scope of consent. This means data must be managed tied to its purpose of use and to the consent obtained. Given that, managing data collected for different purposes in one big pot is quite difficult. Therefore RPs too should not be carelessly consolidated, but split up so that the management burden does not become too large.

Finally, "6. Accuracy and quality". For this, as far as efficiency allows, it is better to get information from the IIA in real time. This is another reason not to needlessly concentrate information in the IdP. So attributes are best managed per IIA.

What remains is the CSP. Operating the CSP together with the Identity Register is quite conceivable. As for the privacy impact in that case, nothing major comes to mind immediately. On the other hand, from the standpoint of flexibility, separating them is also quite possible, because then an Identity Register could use multiple CSPs, or a CSP could serve multiple identity registers.

So, at last, the answer to the question.

(1) Identifiers → Identity Register + RA

(2) Identity verification infrastructure → IdP + CSP

(3) Attributes → IIA/IIP

(4) Services → RP/SP

If we reinterpret the question in these terms, the conclusion is that it seems best to split the functions up this way and manage them separately.

July 23, 2014

Mythics: Review of the ZS3 Storage Appliances:  Incredible Performance and Efficiencies [Technorati links]

July 23, 2014 08:39 PM

As you know, the Oracle Storage product line has recently undergone some major updates with several significant technology upgrades from the older ZFS Series.

The…

Mike Jones - Microsoft: OAuth Assertions specs describing Privacy Considerations [Technorati links]

July 23, 2014 07:19 PM

Brian Campbell updated the OAuth Assertions specifications to add Privacy Considerations sections, responding to area director feedback. Thanks, Brian!

The specifications are available at:

HTML formatted versions are also available at:

Ian Glazer: Do we have a round wheel yet? Musings on identity standards (Part 1) [Technorati links]

July 23, 2014 06:18 PM

Why do humans continually seem to reinvent what they already have? Why is it that we take a reasonably functional thing and attempt to rebuild it and in doing so render that reasonably functional thing non-functional for a while? This is a familiar pattern. You have a working thing. You attempt to “fix” it and in doing so break it. You then properly fix it and get a slightly more functional thing in the end.

Why is it that we reinvent the wheel? Because eventually, we get a round one. Anyone who has worked on technical standards, especially identity standards, recognizes this pattern. We build reasonably workable standards only to rebuild and recast them a few years later.

We do this not because we develop some horrid allergy to angle brackets – an allergy that can only be calmed by mustache braces. This is not why we reinvent the wheel, why we revisit and rebuild our standards. Furthermore, revisiting and rebuilding standards isn’t simply a “make-work” affair for identity geeks. Nor is it an excuse to rack up frequent flyer miles.

Identity in transition

We reinvent the wheel because the tasks those wheels must perform change. In IAM, the shift from SOA, SOAP, and XML to little-s services, REST, and JSON was profound, and we had to stay contemporary with the way the web and developers worked. In this case, the technical load that our IAM wheels had to carry changed.

But there is a more profound change to the tasks we must perform and the loads we must transport and it too will require us to examine our standards and see if they are up to the task.

It used to be that enterprise IAM was concerned with answering did the right people get the right access. But that is increasingly not the relevant question. The question we must answer is did the right people get the right experience? And not just right people but also right “things” – did they get the experience (or data) they needed at the right time.

There is another transition underway. This transition is closely related to IAM’s transition from delivering and managing access to delivering and managing experience. We are being asked to haul more and different identities.

We are pretty good as an industry at managing a reasonable number of identities, each with a reasonable number of attributes. Surely, what is “reasonable” has increased over the years, and it is fairly safe to say that a few million identities in a directory is no longer a big deal.

But how well will we handle things? Things will have relatively few attributes. Things will produce a data stream that is really interesting, but their own attributes might not be that interesting. And, needless to say, there will be a completely unreasonable number of them: 20 billion? 50 billion? A whole lot of billions of them.

The transition of IAM isn’t just from managing the identities of people, carbon-based life forms, to silicon ones. This transition also includes relationships. Today we are okay at managing a few relationships, each with very few attributes. But what we as an industry must do is manage a completely unreasonable number of relationships between an unreasonable number of things, where each of these relationships has a fair number of attributes of its own.

That, my friends, is a heavy load to haul. And so it is worth spending a little time considering if our identity standards wheels are round. Let’s look at 4 different areas of IAM to see if we have round wheels:

  1. Authentication
  2. Authorization
  3. Attributes
  4. User provisioning

Authentication

Overall, I’d say the authentication wheel is round. We’ve got multiple protocols, multiple standards, which is both a reflection of the complexity of the problem and the maturity of the problem. OpenID Connect needs a few more miles on the road, but by no means does this mean you shouldn’t use it today. Expect new profiles over time but you certainly can get going today. And where OpenID Connect cannot take you, trusty SAML still can.

Although authentication is okay, representing assurance isn’t. I wonder if we need to harmonize level of assurance. I also wonder if this is even possible. Knowing that a person was proofed and how they were authenticated is nice, but as Mark Diodati will be the first to tell you, deployment matters. You can deploy a strong auth technology poorly and thus transform it into a weak auth system. So knowing that your LOA 3 is equivalent to my LOA 2.25 might not be useful. More importantly, I wonder how small and medium-sized organizations, those without a resident identity dork, figure out what LOA to require, what trust framework to use, and how to proceed. This, to me, seems like a place for the IDESG and its ilk.

And although the authentication wheel is round, that doesn’t mean it is without its lumps. First, we do see some reinventing the wheel just to reinvent the wheel. OAuth A4C is simply not a fruitful activity and should be put down. Second, the fact that password vaulting exists at this point in history is an embarrassment. To be clear, I am not saying that password vaulting solutions and vendors are an embarrassment. It is the fact that we still need to password vault that is IAM’s collective shame.

We have had workable authentication standards for this many years and yet we still password vault. It means that identity vendors have not done enough to enable service providers. It means that service providers still exist who do not want to operate in the best interest of their enterprise customers. At the minimum, those service providers must offer a standards-based approach to authentication (and user provisioning would be nice too).

Let me be crystal clear: if your service provider doesn’t support identity standards, that service provider is not acting in your best interest. Period.

The existence of password vaulting also means that organizations haven’t been loud enough in their demands for a better login experience. Interestingly enough, I think the need for a mobile-optimized authentication experience will force service providers’ hands.

I know we are all trying to kill the password but I think a more reasonable, more achievable, and more effective goal is to eliminate the need for password vaulting through the use of authentication and federated SSO standards. By 2017, if I am still saying this, our industry has failed.

Authorization

Authorization’s wheel is simultaneously over-inflated and flat. You can’t talk about authZ without talking about XACML. XACML can do anything; it really is an amazing standard. But the problem with things that allow you to do anything is that they tend to make it hard to do anything. My recommendation to the industry is to focus on the policy tools and the PAPS, not the core protocol. Now the XACML TC knows it needs to be contemporary. The work on the JSON and REST bindings is a great start to make XACML more relevant for the modern web.

What about OAuth? Certainly OAuth can be used to represent the output of authorization decisions. But to do this, in some sense, requires diving into the semantics of scopes. It requires that your partners understand what your scopes mean. Understanding the semantics of scopes isn’t a horrible requirement, but it does require service providers to invest time to understand them.

What about UMA? It definitely holds promise, especially when we consider the duties of all the parties involved in managing and enforcing access to resources. I really like the idea of a standard that has a profile describing the duties of the actors separately from the wireline protocol description. UMA definitely needs more miles on the road and, to be perfectly honest, I still have a hard time understanding it in an enterprise context. Maybe now that Eve is coming back to the product world, the community will get more UMA awesomeness.

There is another thing to think about as we study the roundness of the authorization wheel. Knowing that the load we will have to carry is a heavy one, and one that includes “things”, I think we need to think about how those “things” can make decisions with more autonomy. How can our authorization systems make authorization decisions closer to the place of use at the time of use? I believe we need actionable relationships. Actionable relationships allow a thing or a human agent to do something on my behalf without consulting a backend service. Very important in the IoT world. For more on actionable relationships, you can check out my talk on the Laws of Relationships.

Tomorrow I’ll post the rest of the talk and hopefully by Friday the video of it will be available as well.

Mike Jones - MicrosoftJWK Thumbprint spec incorporating feedback from IETF 90 [Technorati links]

July 23, 2014 03:11 PM

I’ve updated the JSON Web Key (JWK) Thumbprint specification to incorporate the JOSE working group feedback on the -00 draft from IETF 90. The two changes were:

If a canonical JSON representation standard is ever adopted, this specification could be revised to use it, resulting in unambiguous definitions for those values (which are unlikely to ever occur in JWKs) as well. (Defining a complete canonical JSON representation is very much out of scope for this work!)
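How a JWK thumbprint is computed, written here as an added example (not code from the draft or its author). It follows the draft's approach as I understand it: hash only the required public members of the key, ordered lexicographically by member name and serialized with no whitespace, then base64url-encode the digest; the fixed member set and order are what make a general canonical-JSON standard unnecessary. The sample key and its coordinate values are constructed, not real key material.

```python
import base64
import hashlib
import json

# Required members per key type. Optional members (kid, use, alg, ...) are
# excluded, so two JWK objects describing the same key material yield the
# same thumbprint.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def thumbprint_input(jwk: dict) -> str:
    """Build the exact string that is hashed.

    With a fixed member set, lexicographic member order and no whitespace,
    the serialization is unambiguous without a general canonical-JSON
    standard. The residual ambiguity the post refers to concerns string
    values containing characters that need escaping, which do not occur in
    the base64url values and short ASCII names used in JWK members."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    # sort_keys gives lexicographic order; separators removes all whitespace.
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """Return the unpadded base64url digest of the thumbprint input."""
    data = thumbprint_input(jwk).encode("utf-8")
    digest = hashlib.new(hash_name, data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed sample EC key with optional members that must not affect the
# thumbprint (the x/y values are placeholders, not real curve points).
SAMPLE_EC_JWK = {
    "kty": "EC",
    "use": "sig",
    "kid": "2014-07-key",
    "crv": "P-256",
    "x": "constructed-x-coordinate-base64url",
    "y": "constructed-y-coordinate-base64url",
}

if __name__ == "__main__":
    print(thumbprint_input(SAMPLE_EC_JWK))
    print(jwk_thumbprint(SAMPLE_EC_JWK))
```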

The specification is available at:

An HTML formatted version is also available at:

Kuppinger ColeOperation Emmental: another nail in the coffin of SMS-based two-factor authentication [Technorati links]

July 23, 2014 11:17 AM
In Alexei Balaganski

On Tuesday, security company Trend Micro unveiled a long and detailed report on “Operation Emmental”, an ongoing attack on online banking sites in several countries around the world. This attack is able to bypass the popular mTAN two-factor authentication scheme, which uses SMS messages to deliver transaction authorization numbers. Very few details have been revealed about the scale of the operation, but apparently the attack was first detected in February and has affected over 30 banking institutions in Germany, Austria and Switzerland, as well as Sweden and Japan. The hackers supposedly got away with millions stolen from both consumer and commercial bank accounts.

Now, this is definitely not the first time hackers have defeated SMS-based two-factor authentication. Trojans designed to steal mTAN codes directly from mobile phones first appeared in 2010. Contrary to popular belief, these Trojans do not target only Android phones: in fact, the most widespread one, ZeuS-in-the-Mobile, has been discovered on various mobile platforms, including Android, Symbian, BlackBerry and Windows Mobile. In 2012, an attack campaign dubbed “Eurograbber” successfully stole over 36 million euros from banks in Italy, Spain and the Netherlands. Numerous smaller-scale attacks have been uncovered by security researchers as well. So, what exactly is new and different about the Emmental attack?

First, it’s necessary to explain in a few words how a typical attack like Eurograbber actually works.

  1. Using traditional methods like phishing emails or compromised web sites, hackers lure a user to click a link and download a Windows-based Trojan onto their computer. This Trojan will run in the background and wait for the user to visit their online banking site.
  2. As soon as the Trojan detects a known banking site, it will inject its own code into the web page. This code can, for example, display a “security advice” instructing the customer to enter their mobile phone number.
  3. As soon as the hackers have a phone number, an SMS message with a link to a mobile Trojan is sent to it and the customer is instructed to install the malicious SMS-grabbing app on their phone.
  4. With both the customer’s online banking PIN and the SMS TAN, the hackers can easily initiate a fraudulent transaction, transferring the money out of the customer’s account.

It’s quite obvious that such a scheme can only work when both PC and mobile Trojans operate in parallel, coordinating their actions through a C&C server run by hackers. This means that it can also be relatively easily disrupted simply by using an antivirus, which would detect and disable the Trojan. Another method is deploying special software on the banking site, which detects and prevents web page injections.

The hackers behind the Emmental attack use a different approach. Instead of delivering a Trojan to the customer’s computer, they use a small agent that masquerades as a Windows updater. On startup, this program changes the local DNS settings, replacing the IP addresses of known online banking sites with the address of a server controlled by the hackers. Additionally, it installs a new root SSL certificate, which makes browsers treat the hackers’ server as a trusted one. After that, the program deletes itself, leaving no trace of malware on the computer.

The rest of the attack is similar to the one described above, but with a twist: the user never connects to the real banking site again; all communication takes place with the fraudulent server. This deception can continue for a long time, and only after receiving a monthly statement from the bank would the user find out that their account has been emptied.

In other words, while Emmental is not the first attack on mTAN infrastructure, it’s an important milestone demonstrating that hackers are actively working on new methods of defeating it, and that existing solutions that are supposed to make banks more resilient against this type of attack are much less effective than believed. SMS-based two-factor authentication has been compromised and should no longer be considered a strong authentication method. The market already offers a broad range of solutions from smartcards and OTP tokens to Mobile ID and smartphone apps. It’s really time to move on.
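Two host-side checks for the configuration changes the self-deleting agent leaves behind, written as an added example for defenders (not code from the post or from the Trend Micro report): it flags hosts-file entries for monitored banking domains, configured DNS servers outside an approved list, and root certificates absent from a known-good baseline. The hosts file, root-store contents, thumbprints and addresses below are constructed samples; the post does not say whether the agent edits the hosts file or the DNS server list, so both are checked.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: a hosts file after a fake "updater" pointed a banking
# site at an attacker-controlled address (TEST-NET range, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
203.0.113.77    online.examplebank.test   # rogue entry (constructed)
"""

# Constructed sample: thumbprint -> friendly name of roots in the machine store.
SAMPLE_ROOT_STORE = {
    "THUMB-0001-KNOWN-ROOT": "Example Public Root CA (constructed)",
    "THUMB-0002-ROGUE": "Windows Update Service (constructed rogue root)",
}
# Constructed baseline: thumbprints captured from a clean build.
BASELINE_ROOT_THUMBPRINTS = {"THUMB-0001-KNOWN-ROOT"}


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Map each hostname in a hosts file to the set of addresses it resolves to."""
    mapping: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), set()).add(address)
    return mapping


def hosts_overrides(text: str, monitored_domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs for monitored domains or their subdomains.

    A bank's site never needs a static hosts entry, so any match is a finding."""
    monitored = [d.lower().rstrip(".") for d in monitored_domains]
    findings: List[Tuple[str, str]] = []
    for name, addresses in sorted(parse_hosts(text).items()):
        if any(name == d or name.endswith("." + d) for d in monitored):
            findings.extend((name, addr) for addr in sorted(addresses))
    return findings


def unexpected_roots(installed: Dict[str, str], baseline: Set[str]) -> Dict[str, str]:
    """Root certificates present in the store but absent from the baseline."""
    return {t: name for t, name in installed.items() if t not in baseline}


def dns_server_drift(current: Iterable[str], approved: Set[str]) -> List[str]:
    """Configured DNS servers that are not on the approved list."""
    return [server for server in current if server not in approved]


if __name__ == "__main__":
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS, ["examplebank.test"]))
    print("unexpected roots:", unexpected_roots(SAMPLE_ROOT_STORE, BASELINE_ROOT_THUMBPRINTS))
    print("dns drift:", dns_server_drift(["10.0.0.53", "198.51.100.9"], {"10.0.0.53"}))
```

On a real Windows host the inputs would come from the system hosts file, the machine Root certificate store and the adapter DNS configuration; the functions above are independent of how those are collected.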

July 21, 2014

KatasoftHosted Login for Modern Web Apps [Technorati links]

July 21, 2014 03:00 PM

Hosted Login from Stormpath

It’s no big secret: if you’re not using SaaS products to build your next great app, you’re wasting a lot of time.

Seasoned web developers have learned to solve common (i.e. annoying) problems with packaged solutions. If you’re really badass, your latest app is a symphony of amazing services, not a monolithic codebase that suffers from Not Invented Here.

But I’m gonna put money on this: you’re still building your login and registration forms from scratch and maintaining your own user database.

Why do we build login from scratch?

I have a few hypotheses on this, but one always seems to be true: user systems are the first thing we do after we master the Todo demo app. It’s fun, it’s a feature and we feel like we’ve accomplished something. Eventually we learn that there are a lot of things you can get wrong:

I could go on, but you already know. We commit these sins in the spirit of Ship It!.

Sometimes we use a framework like Rails, Express or Django and avoid most of these pitfalls by using their configurable user components. But we’re trying to get to App Nirvana, we want fewer concrete dependencies, less configuration, fewer resources to provision.

Login as a Service

What if you could send your user to a magical place, where they prove their identity and return to you authenticated?

Announcing Hosted Login – our latest offering from Stormpath!

With Hosted Login you simply redirect the user to a Stormpath-hosted login page, powered by our ID Site service. We handle all the authentication and send users back to your application with an Identity Assertion. This assertion contains all the information you need to get on with your business logic.

And the best part? Very minimal contact with your backend application. In fact, just two lines of code (using our SDKs):

And with that, your entire user system is now completely service-oriented. No more framework mashing, no more resource provisioning. Oh, did we mention that it’s beautiful as well? That’s right: if you don’t want to do any frontend work either, you can just use our default screens:

What problems does it solve?

Hosted Login solves a lot of the problems that are sacrificed in the name of Ship It, plus a few you may not have thought of:

Customization

While we provide default screens for hosted login, you can fully customize your user experience. Just create a Github repository for your ID Site assets and give us the Github URL! We’ll import the files into our CDN for fast access and serve your custom login pages instead of our default.

To customize your hosted login pages, you’ll want to use Stormpath.js, a small library that I’ve written just for this purpose. It gives you easy access to the API for ID Site and at ~5k minified it won’t break the bank.

For more information on this feature please refer to our in-depth document: Using Stormpath’s ID Site to Host your User Management UI

We’d love to know how you find Hosted Login! Feel free to tweet us at @gostormpath or contact me directly via robert@stormpath.com

CourionExtending IAM into the Cloud [Technorati links]

July 21, 2014 02:12 PM

Access Risk Management Blog | Courion

Your data is everywhere. And so are your applications. In the past, everything resided in the data center, but today they’re stored in the cloud, hosted by a partner (MSP), and even running on mobile devices.

Your customers, partners and employees are also everywhere. As a security professional, you need to ensure that the right people have access to the right data and are doing the right things with it. That's where Intelligent Identity Access Management comes in. But in the era of cloud-computing, who knows where the data physically resides? And with users and accounts spread around the globe, how can you ensure the data is being accessed by the right people, according to your policies? Again, that's where Intelligent Identity Access Management is crucial.

If your data were centrally located and accessed only by individuals and devices that you manage, traditional IAM solutions would work well. But that’s probably not the case. You have data in internal and outsourced systems. Some of the outsourced systems may be wholly controlled by your contracts, while others may be shared among thousands of other organizations. And that data is being accessed by employees, partners and customers from their homes, phones and tablets, on planes, trains and automobiles.

From a security perspective, it's imperative to provision, govern and monitor information access wherever that information resides and however it's being accessed, whether those are physically in your IT environment or in the cloud. So what are your options?

Options for Provisioning, Governance and Monitoring in the Cloud

Two obvious questions are "where's my IAM solution?" and "where's my data?" After all, both must reside somewhere and be secured. If we constrain the answers to those questions to "on premise" or "in the cloud", we have four options.

1. Host internally, manage internal applications

Traditional IAM solutions reside on IT managed hardware within an enterprise. They're typically located in a server room where they can be physically controlled by IT. They are configured to manage applications that also reside on servers physically controlled by IT. This is a largely closed system, with the administrative control and the application resources both co-located within IT. It makes security simpler, but in the era of cloud computing, is becoming increasingly rare.

2. Host internally, manage internal and cloud-based applications

As enterprise applications have migrated outside of the data center, the need to manage those applications has fallen to traditional IAM solutions. IAM vendors like Courion have evolved their suites to natively connect to cloud-based systems from an on premise administration point. Existing "connector libraries" have been extended to include connectors to cloud-based systems. These new connectors sit side-by-side with existing on premise connectors and reach out to cloud applications.

This evolution has been largely seamless, as the same architecture used for managing internal resources has been applied to external, cloud-based resources. The protocols change, like using SOAP over HTTP rather than files over SMB, or RESTful web services rather than SOAP, but the architecture and techniques survived.

3. Host in the cloud, manage internal and cloud-based applications

Just as enterprise applications are now hosted in the cloud, there is increasing interest in hosting security systems in the cloud. This enables enterprises to focus on their core competencies rather than security management and identity management, while at the same time trading CapEx for OpEx.

Early experiments are promising, with IAM solutions providing tunneling capabilities from cloud-based infrastructure. Tunneling can be through VPNs, reverse proxies or dedicated appliances. Over time, this will likely become the preferred deployment option.

4. Host in the cloud; manage cloud-based applications

If an enterprise has no data in house, then a pure cloud-based solution is ideal. Operating on Office 365 + SalesForce + ADP, a cloud-based IAM solution can effectively provision and govern cloud-based applications. This scenario eliminates the complexity and cost of network tunneling solutions, since everything is natively in the cloud. Here, the protocols are rapidly standardizing on RESTful web services, with common token-based security and federation. However, like the all-internal scenario, all-cloud environments are rare.

Hybrid – the viable solution

Of these options, only two are typically feasible, since most organizations have some data on premise and some in the cloud. There are exceptions, like a startup which is native-cloud or in certain government situations, but in general, a hybrid solution is required. Choosing between the 2nd and 3rd option described above, whether you host your IAM solution in the cloud or host it internally, comes down to a deployment choice.

Courion has customers who are doing each. Most run our IAM solution on premise, while some use deployment in the cloud. For cloud deployments, most choose private cloud infrastructure, while some go for public infrastructure. But the predominant approach, even in 2014, is to deploy on premise. This is chiefly because most data still resides locally, so most applications reside locally, tilting the equation to an internally hosted IAM solution. As more enterprise applications migrate to the cloud, the decision to host the Courion suite in the cloud will likely shift.

Unlike enterprise data however, people have already shifted to the cloud. Mobile devices, from phones to tablets, are the norm. Most organizations provide secure access to critical systems on a 7x24 basis, to individuals located on premise and on the go. So parts of your IAM infrastructure must be either in the cloud, or on the edge (DMZ).

Again, Courion solutions are well suited for this shift. The most common security transaction, other than login, is the humble Password Reset. This must be accessible from anywhere and must be very reliable. It's required from the road, at night, on weekends and 2 minutes before the big sales presentation. Courion customers have hosted their password reset infrastructure in the DMZ for exactly this purpose. In addition, the Courion suite is tooled with a clean interface so customers, partners and employees are met with a consumer-grade experience, accessible on their laptop, tablet or phone.

As your data and apps move to the cloud, so do your identity repositories and access control models, as mentioned earlier. Your IAM solution can span both, but it's still advantageous to consolidate identities and provide a more seamless and simple sign on experience for customers, partners and employees. Enter Ping Identity, another cloud app that integrates with Courion solutions. Just as we expanded to cloud apps as they entered the business, a strong partnership allows for seamless integration with Ping to offer federation and SSO capabilities.

Single Sign On (SSO) impacts the decision of where to deploy an IAM solution. While IAM can provision, govern and monitor access to applications in cloud-based and on premise environments, SSO systems provide seamless application login and access to the user community. By coupling the flexibility of Courion’s industry leading IAM solution with the SSO and federation capabilities of Ping, organizations can manage access across all of their applications. Because both products leverage a common structure with Active Directory, the result is a great experience for the end user and a manageable system for IT.

Conclusion

As the computing world shifts to the cloud, with consumer-grade technology leading the enterprise, our customers, partners and employees expect great access to information. As security professionals, our job is to balance “great” access with “secure” access. We make choices every day in choosing the solutions we deploy and the infrastructure on which they reside. Courion is here to help.

blog.courion.com

Ludovic Poitou - ForgeRockWhat we build at ForgeRock… [Technorati links]

July 21, 2014 10:43 AM

Since I started working at ForgeRock, I’ve had a hard time explaining to my non-technical relatives and friends what we were building. But those days are over.

Thanks to our Marketing department, I can now refer them to our “ForgeRock Story” video:


Filed under: Identity Tagged: ForgeRock, iam, identity, IRM, opensource, security, video

Julian BondApparently the CMax II is for sale. [Technorati links]

July 21, 2014 09:35 AM
Apparently the CMax II is for sale.
http://bikeweb.com/files/images/cmax%20leaves%203%20small.preview.jpg

Sale details here. http://bikeweb.com/node/2909
Bike details here: http://bikeweb.com/image/tid/114

T-Max III, Volvo seat, occasional 2 seater and large luggage area. Faster (maybe!), safer, warmer, more comfortable than a conventional T-Max.

Not sure I can afford it. It's likely to be priced to reflect the work rather than cheap because it's unusual.

[from: Google+ Posts]
July 19, 2014

Eve MalerA new identity relationship [Technorati links]

July 19, 2014 06:25 PM

I’ve been writing on this blog about identity and relationships for a long time (some samples…). Now I’ve forged (see what I did there?) a new relationship, and have joined ForgeRock’s Office of the CTO. Check out my first post on the ForgeRock blog. I’m really psyched about this company and my new opportunities to make cool Identity Relationship Management progress there. And I’ve found a lot of fellow rock ‘n’ rollers and Scotch drinkers in residence too — apparently that’s something of a job requirement for me, as many of my dear friends and erstwhile colleagues at Forrester have similar habits!

My new blogging goal is to add some pointers here to my ForgeRock posts, and — hopefully — to blog here more often than I had been in recent years. (Maybe some fresh nutrition-blogging?)

See the icons in the About Me section to the right. If you’re an old friend, stay in touch, and if we haven’t met yet, you can use the links to see about forging a new online relationship.

Anil JohnWhat are KBA Metrics? [Technorati links]

July 19, 2014 01:15 PM

There is currently a discussion going on in the Identity Ecosystem Steering Group (IDESG) regarding knowledge based authentication (KBA) metrics. I am a bit unsure about what is being sought by the IDESG from a standards development organization (SDO). This blog post is an attempt at framing the questions, as I understand them, to determine if there is value here, or if it is the application of makeup to porcine livestock.

Click here to continue reading. Or, better yet, subscribe via email and get my full posts and other exclusive content delivered to your inbox. It’s fast, free, and more convenient.


These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer.

Julian Bond [Technorati links]

July 19, 2014 08:12 AM
July 18, 2014

ForgeRockThe care and feeding of online relationships [Technorati links]

July 18, 2014 06:32 PM

I’m really excited to join ForgeRock! ForgeRock is doing amazing work around identity relationship management, and relationships — secure, identity-enabled, privacy-respecting, data-sharing, network-connected — are near and dear to my heart. (You didn’t think I was talking about Tinder, did you?)

My new role involves driving innovation for the ForgeRock Open Identity Stack, and in just a few short days I’ve already had mind-blowing conversations with my new colleagues about ways we can enable and enhance lots of types of relationships through the OIS. For one, take Scott McNealy’s invocation of “who’s who, what’s what, and who gets access to what” — we know it applies to organizations needing to control access; of course, it’s critically important to every organization to achieve this goal. We’re working on extending this privilege even to consumers who use systems fueled by ForgeRock, so that these individuals have a say in their own digital-footprint destinies. (Admittedly, a Tinder-like use case did come up in discussions today…) For those of you who have followed my work on User-Managed Access for a while, yes, UMA will play a part in this story.

Having jumped in with both feet, I’m getting some chances to represent ForgeRock at events in the very near term. For starters, I’ll be speaking at SecureCIO in San Francisco this Friday, and will have the pleasure of joining my colleague Allan Foster for a talk at the Cloud Identity Summit next week. And then there’s our July 29 webinar with my alma mater Forrester Research about adding relationship management to identity — hope you’ll register and join us!

The post The care and feeding of online relationships appeared first on ForgeRock.

Kuppinger Cole05.02.2015: Cloud Compliance & Datenschutz [Technorati links]

July 18, 2014 04:50 PM
In KuppingerCole

This seminar gives you the basic and industry-specific regulations relevant to your cloud strategy and informs you about today's and future requirements for data security and data protection.

Are you responsible for planning, introducing and managing cloud services in your company? Then this seminar will answer all your open questions about compliance and data protection.
more

Julian BondI hate it when good services on the internet go dark and disappear. [Technorati links]

July 18, 2014 04:43 PM
I hate it when good services on the internet go dark and disappear.

There used to be a wonderful tool for exploring music space at http://audiomap.tuneglue.net/ It gathered data from last.fm and Discogs about related artists and presented it in a Java applet spider diagram.

Now it redirects to an EMI Hosting holding page and that sucks.

There's an alternative one here http://www.liveplasma.com/ that's not bad but it's not the same.

[from: Google+ Posts]

Kuppinger Cole13.11.2014: Cloud Compliance & Datenschutz [Technorati links]

July 18, 2014 04:42 PM
In KuppingerCole

This seminar gives you the basic and industry-specific regulations relevant to your cloud strategy and informs you about today's and future requirements for data security and data protection.

Are you responsible for planning, introducing and managing cloud services in your company? Then this seminar will answer all your open questions about compliance and data protection.
more

Kuppinger Cole02.02.2015: Big Data für die Informationssicherheit [Technorati links]

July 18, 2014 04:22 PM
In KuppingerCole

Realtime Security Analytics: what to watch out for when getting started.

Get an overview of real-time monitoring with the help of Big Data tools and learn how to comply with data protection regulations in the context of network monitoring.
more

Kuppinger Cole12.11.2014: Big Data für die Informationssicherheit [Technorati links]

July 18, 2014 04:05 PM
In KuppingerCole

Realtime Security Analytics: what to watch out for when getting started.

Get an overview of real-time monitoring with the help of Big Data tools and learn how to comply with data protection regulations in the context of network monitoring.
more

Kuppinger Cole: What’s the deal with the IBM/Apple deal? [Technorati links]

July 18, 2014 10:58 AM
In Alexei Balaganski

So, unless you’ve been hiding under a rock this week, you’ve definitely heard about the historic global partnership deal forged between IBM and Apple this Tuesday. The whole Internet has been abuzz for the last few days, discussing what long-term benefits the partnership will bring to both parties, as well as guessing which competitors will suffer the most from it.

Different publications have named Microsoft, Google, Oracle, SAP, Salesforce and even BlackBerry as the companies the deal was primarily targeted against. Well, at least for BlackBerry this could indeed be one of the last nails in the coffin, as their shares plummeted after the announcement and the trend seems to be long-term. IBM’s and Apple’s shares rose, unsurprisingly; however, financial analysts don’t seem to be too impressed (in fact, some recommend selling IBM stock). This is, however, not the point of my post.

Apple and IBM have a history of bitter rivalry. 30 years ago, when Apple unveiled their legendary Big Brother commercial, it was a tiny contender against IBM’s domination of the PC market. How times have changed! Apple has since grown into the largest player on the mobile device market, with a market capitalization several times larger than IBM’s. IBM sold its PC hardware business to Lenovo years ago and currently concentrates on enterprise software, cloud infrastructure, big data analytics and consulting. So they are no longer competitors, but can we really consider them equal partners? Apple’s cash reserves continue to grow, while IBM’s revenues have been declining over the last two years. After losing a $600M contract with the US government to AWS last year, a partnership with Apple is a welcome change for them.

So, what’s in this deal, anyway? In short, it includes the following:

For Apple, this deal marks a renewed attempt to get a better hold of the enterprise market. It’s well known that Apple has never been successful in this, and whether it was because of ignoring enterprise needs or simply because of an inability to develop the necessary services in-house can be debated. This time, however, Apple is bringing a partner with a lot of experience and a large portfolio of existing enterprise services (notorious, however, for their consistently bad user experience). Could an exclusive combination of a shiny new mobile UI with a proven third-party backend finally change the market situation in Apple’s favor? Personally, I’m somewhat skeptical: although a better user experience does increase productivity and would be a welcome change for many enterprises, we’re still far away from a mobile-only world, and UI consistency across mobile and desktop platforms is a more important factor than a shiny design. In any case, the biggest thing that matters for Apple is the possibility to sell more devices.

For IBM the deal looks even less transparent. Granted, we do not know the financial details, but judging by how vehemently their announcement stated that they are “not just a channel partner for Apple”, many analysts do suspect that reselling Apple devices could be a substantial part of IBM’s profit from the partnership. Another important point is, of course, that IBM cannot afford to maintain a truly exclusive iOS-only platform. Sure, iOS is still a dominant platform on the market, but its share is far from 100%. Actually, it is already decreasing and will probably continue to decrease in the future, as other platforms will gain their market shares. Android’s been growing steadily during the last year, and it’s definitely too early to dismiss Windows Phone (remember how people were trying to dismiss Xbox years ago?). So, IBM must continue to support all other platforms with their products such as MaaS360 and can only rely on additional services to support the notion of iOS exclusivity. In any case, the partnership will definitely bring new revenue from consulting, support and cloud services, however it’s not easy to say how much Apple will actually contribute to that.

So, what about the competitors? One thing that at least several publications seem to ignore is that those companies that are supposed to suffer from the new partnership are operating on several completely different markets and comparing them to each other is like comparing apples to oranges.

For example, Apple does not need IBM’s assistance to trump BlackBerry as a rival mobile device vendor. But applying the same logic to Microsoft’s Windows phone platform would be a big mistake. Surely, their current share in the mobile hardware market is quite small (not on every market, by the way: in Germany they have over 10% and growing), but to claim that Apple/IBM will drive Microsoft out of enterprise service business is simply ridiculous. In fact, Microsoft is a dominant player there with products like Office 365 and Azure Active Directory and it’s not going anywhere yet.

Apparently, SAP CEO Bill McDermott isn’t too worried about the deal either. SAP already offers 300 enterprise apps for the iOS platform and claims to be years ahead of its competitors in analytics software.

As for Google – well, they do not make money from selling mobile devices. Everything Google does is designed to lure more users into their online ecosystem, and although Android is an important part of their strategy, it’s by no means the only one. Google services are just as readily available on Apple devices, after all.

Anyway, the most important question we should ask isn’t about Apple’s or IBM’s strategies, but about our own. Does the new IBM/Apple partnership have enough impact to make an organization reconsider its current MDM, BYOD or security strategy? The answer is obviously “no”. BYOD is by definition heterogeneous, and any solution an organization deploys for managing mobile devices (and, more importantly, access to corporate information from those devices) that is locked to a single platform is simply not a viable option. Good design may be good business, but it is not the most important factor when the business is primarily about enterprise information management.

Kuppinger Cole: Executive View: Symantec.cloud Security Services - 70926 [Technorati links]

July 18, 2014 09:23 AM
In KuppingerCole

Symantec was founded in 1982 and has evolved to become one of the world’s largest software companies with more than 18,500 employees in more than 50 countries. Symantec provides a wide range of software and services covering security, storage and systems management for IT systems.   Symantec has a very strong reputation in the field of IT security that has been built around its technology and experience. While Symantec has a wide range of security...

July 17, 2014

Kantara Initiative: Open Standards Drive Innovation – Kantara CIS Workshop [Technorati links]

July 17, 2014 09:36 PM

We have arrived at the revolution of Identity and are ready for the next installment of the Cloud Identity Summit. 

Identity Services are converging more and more with every technology and nearly every part of our lives. Identity is moving fast, and it’s not only a technical or policy discussion anymore. As IRM notes, Identity Services are key to business development, growing revenue, and economies. But our world has also changed over the last 18 months. Privacy and Trust are under hot debate, not to mention how they factor into technology adoption. We believe that Identity tech and policy standards are core to building a platform for innovation, and not just any standards but Open Standards. With transparency, openness and multi-stakeholderism as core values, Open Standards are key to building trusted platforms along with the more traditional national standards.

Open Standards move faster, provide new proving ground, and, ultimately, drive innovation!

We are thrilled to have industry leaders participate in our Cloud Identity Summit Workshop. Their knowledge and expertise will be shared through the CIS event and the Kantara Initiative workshop. Why should you attend? This workshop includes 3 sessions discussing open standards as a driver of marketplace innovation. Attendees will learn how leading organizations drive innovation through technology and standards development and partnerships. Who should attend? C-Level, Managers, Directors, Technologists, Journalists, Policy Makers and Influencers.

1. Open Standards Driving Innovation
Presented by: the IEEE Standards Association
Participants: Allan Foster, Vice President Technology & Standards, ForgeRock; John Fontana, PingID; Scott Morrison, SVP and Distinguished Engineer, CA Technologies; Dennis Brophy, Mentor Graphics
Abstract: Today, more than ever, open standards are core to unbounded market growth and success through innovation. Those involved in innovation systems (companies, research bodies, knowledge institutions, academia and standards developing communities) influence knowledge generation, diffusion and use, and shape global innovation capacity. As the global community strives to keep pace with technology expansion and to anticipate the technological, societal and cultural implications of this expansion, and as it faces the increasing interference of technology with economic, political and policy drivers, embracing a bottom-up, market-driven and globally open and inclusive standards development paradigm will help ensure strong integration, interoperability and increased synergies along the innovation chain across boundaries.
Globally open standardization processes and standards produced through a collective of standards bodies adhering to such principles are essential for technology advancement to ultimately benefit humanity, as the global expert communities address directly, in an open and collaborative way, such global issues of sustainability, cybersecurity, privacy, education and capacity building. Working within a set of principles that:

2. Federation Integration and Deployment of Trusted Identity Solutions
Presentations by: Lena Kannappan, 8k Miles FuGen Solutions & Ryan Fox, ID.me
Abstract: Deployment integration of Identity Federations can be a challenge, but through standards setting and innovative testing that process can move much faster and bring benefits to all parties, growing their respective markets and budget power. Industry-based development and application of standards helps set the industry levels for operations, while testing and approval marks help support rapid onboarding of partners. When Identity Federations and partners make use of agreed-upon Open Standards, the platform is created that allows innovative organizations to build new models and compelling services. Innovators can begin to leap into new areas, proving their business value and vitality. In this session leaders discuss:

3. Approaches to Solving Enterprise Cybersecurity Challenges
Presented by: SecureKey
Participants: Andre Boysen, EVP Marketing & Digital Identity Evangelist, SecureKey Technologies Inc.; Christine Desloges, Assistant Deputy Minister Rank, Department of Foreign Affairs, Trade and Development (DFATD); Patricia Wiebe, Director of Identity Architecture at BC Provincial Government
Abstract: There is an identity ecosystem emerging in North America that is unique in the world. It is a multi-enterprise service that is focused on making more meaningful services available online while at the same time making it easier for users to enroll, access and control information shared by these services. Things like easy access to online government services, opening a bank account on the internet, proving your identity for new services online, registering your child at school or participating in an education portal are becoming possible. The service model for the Internet is moving from app-centric to user-centric. The current password model of authentication needs to evolve. Every web service needs to make a choice between making their credentials stronger by adding multifactor authentication (BYOD) or partnering to get authentication from a trusted provider (BYOC – bring your own credential).

Gluu: Symplified… So long and thanks for all the fish! [Technorati links]

July 17, 2014 08:49 PM

Symplified Adieu

As many of you have heard, Symplified is exiting the access management market. The company’s founders had a long history in the single sign-on business, having founded Securant in the late nineties. Securant was acquired by RSA in September 2001, and evolved into RSA Cleartrust, which is still in production today at many organizations.

It seemed logical that the experienced team behind such a successful product would have launched an equally successful SaaS offering. I don’t know the whole back story, but many things have to align for a startup to succeed. You need good execution, but you also need a little bit of good luck.

I first ran into Symplified at the Digital Identity World in 2008 (thanks for the flying monkey!). At the next Digital Identity World, I had a long conversation with Eric Olden about utility computing. He gave me a copy of the book The Big Switch, which provided valuable evidence in my thinking about how utility computing could make sense for SSO and access management, and how lowering the price could actually expand the size of the market.

Although Gluu has many competitors, identity and access management is a very large global market, which Gluu cannot serve alone. We’re sad to see the exit of one of the early innovators who helped pave the way for a new delivery model for access management. Here at Gluu we’re grateful for Symplified’s early leadership, dedication to their customers, and management excellence.

As a small thanks and to bid farewell to one of our respected peers, I composed this haiku:

First SaaS SSO
Visionary service
Sadly, fate had other plans

Best of luck to all at the Symplified team!

Kuppinger Cole: Leadership Compass: Cloud User and Access Management - 70969 [Technorati links]

July 17, 2014 09:47 AM
In KuppingerCole

Leaders in innovation, product features, and market reach for Cloud User and Access Management. Manage access of employees, business partners, and customers to Cloud services and on-premise web applications. Your compass for finding the right path in the market.

July 16, 2014

Julian Bond: Well, well. So the Myers-Briggs test is totally meaningless, unscientific bullshit. There's a surprise... [Technorati links]

July 16, 2014 05:14 PM
Well, well. So the Myers-Briggs test is totally meaningless, unscientific bullshit. There's a surprise! I wonder how many other cod-psych tests are the same and have about as much 2014 relevance as astrology or palm reading.
http://www.vox.com/2014/7/15/5881947/myers-briggs-personality-test-meaningless
via http://boingboing.net/2014/07/16/myers-briggs-personality-test.html


Kuppinger Cole: EU-Service Level Agreements for Cloud Computing – a Legal Comment [Technorati links]

July 16, 2014 09:20 AM
In Karsten Kinast

Cloud computing allows individuals, businesses and the public sector to store their data and carry out data processing in remote data centers, saving on average 10-20%. Yet there is scope for improvement when it comes to the trust in these services.

The new EU guidelines, developed by a Cloud Select Industry Group of the European Commission, were meant to provide reliable means and a good framework to create confidence in cloud computing services. But is it enough to provide a common set of areas that a cloud SLA should cover and a common set of terms that can be used, as the guidelines do? Can this meet the concerns of individuals and businesses when (or if) using cloud services?

In my opinion it does not, at least not sufficiently.

Taking a closer look at the Guidelines from a legal perspective, and thus concentrating on chapter 6 („Personal Data Protection Service Level Objectives Overview”), they appear to offer nothing tangibly new. The Service Level Objectives (SLOs) described therein do give a detailed overview of the objectives that the provider of a cloud computing service must achieve. However, they lack useful examples and practical application. I would have expected some kind of concrete proposals for the wording of a potential agreement. Any kind of routine for the procedure of creating a cloud computing service agreement would, to my mind, be a first step toward increasing trust in cloud computing.

Since the guidelines fall short especially in this pragmatic aspect, their benefit in practice will be rather limited.

As a suggestion for improvement, one could follow the example of the ENISA „Procure Secure“ guidelines. They focus on examples from “real life” and show what a cloud computing contract should comprise. And they support cloud customers in setting up a clearly defined and practical monitoring framework, also by giving “worked examples” of common situations and best-practice solutions for each parameter suggested.

July 15, 2014

Kuppinger Cole: Leadership Compass: Cloud IAM/IAG - 71121 [Technorati links]

July 15, 2014 09:39 AM
In KuppingerCole

The Cloud IAM market is currently driven by products that focus on providing Single Sign-On to various Cloud services as their major feature and business benefit. This will change, with two distinct evolutions of more advanced services forming the market: Cloud-based IAM/IAG (Identity Access Management/Governance) as an alternative to on-premise IAM suites, and Cloud IAM solutions that bring a combination of directory services, user management, and access management to the Cloud.

...
July 14, 2014

Kuppinger Cole: Amazon Web Services: One cloud to rule them all [Technorati links]

July 14, 2014 01:23 PM
In Alexei Balaganski

Since launching its Web Services in 2006, Amazon has been steadily pushing towards global market leadership by continuously expanding the scope of its services, increasing scalability and maintaining low prices. Last week, Amazon made another big announcement, introducing two major new services with funny names but a heavy impact on future competition in the mobile cloud services market.

Amazon Zocalo (Spanish for “plinth”, “pedestal”) is a “fully managed, secure enterprise storage and sharing service with strong administrative controls and feedback capabilities that improve user productivity”. In other words, it is one of the few user-facing AWS services and none other than a direct competitor to Box, Google Drive for Work and other products for enterprise document storage, sharing, and collaboration. Built on top of AWS S3 storage infrastructure, Zocalo provides a cross-platform solution (for laptops, iPads and Android tablets, including Amazon’s own Kindle Fire) for storing and accessing documents from anywhere, synchronizing files between devices, and sharing documents for review and feedback. Zocalo’s infrastructure provides at-rest and in-transit data encryption, centralized user management with Active Directory integration and, of course, ten AWS geo-regions to choose from in order to be compliant with local regulations.

Now, this does look like “another Box” at first sight, but with the ability to offer cloud resources cheaper than any other vendor, even with Zocalo’s limited feature set Amazon has all the chances to quickly gain a leading position in the market. First with Google announcing unlimited storage for their enterprise customers and now with Amazon driving prices further down, it means that cloud storage itself has very little market value left. Just being “another Box” is simply no longer sustainable, and only the biggest and those who can offer additional services on top of their storage infrastructure will survive in the long run.

Amazon Cognito (Italian for “known”) is a “simple user identity and data synchronization service that helps you securely manage and synchronize app data for your users across their mobile devices.” Cognito is part of the newly announced suite of AWS mobile services for mobile application developers, so it may not have caused a splash in the press like Zocalo, but it’s still worth mentioning here because of its potentially big impact on future mobile apps. First of all, by outsourcing identity management and profile synchronization between devices to Amazon, developers can free up resources to concentrate on the business functionality of their apps and thus bring them to market faster. Second, using the Cognito platform, app developers always work with temporary, limited-privilege identities: no long-lived AWS credentials need to ship inside the app, and access control is uniform across the different login providers. Thus, developers are implicitly led towards implementing security best practices in their applications.

Currently, Cognito supports several public identity providers, namely Amazon, Facebook and Google; however, the underlying federation mechanism is standards-based (OAuth, OpenID Connect), so I cannot believe it won’t soon be extended to support enterprise identity providers as well.
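How the “temporary limited identities” are actually bounded, as an added example that is not part of Amazon’s announcement or of this post: the IAM role an identity pool hands out to a federated user is constrained by two documents, a trust policy that lets only that pool assume the role (and only for authenticated identities), and a permissions policy that uses the `${cognito-identity.amazonaws.com:sub}` policy variable to confine each user to their own S3 prefix. In AWS the two are separate documents attached to the role; they are placed side by side in one object here purely for reading. The pool ID `us-east-1:EXAMPLE-POOL-ID` and the bucket `EXAMPLE-BUCKET` are placeholders.

```json
{
  "TrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Federated": "cognito-identity.amazonaws.com" },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "cognito-identity.amazonaws.com:aud": "us-east-1:EXAMPLE-POOL-ID"
          },
          "ForAnyValue:StringLike": {
            "cognito-identity.amazonaws.com:amr": "authenticated"
          }
        }
      }
    ]
  },
  "PermissionsPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "s3:GetObject", "s3:PutObject" ],
        "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/users/${cognito-identity.amazonaws.com:sub}/*"
      }
    ]
  }
}
```

The credentials the app receives after presenting its Facebook, Google or Amazon token are short-lived STS credentials for this role, so a stolen device or a decompiled app yields nothing that outlives the session, and the same pair of policies applies whichever login provider was used, which is the uniform access control mentioned above. Guest (unauthenticated) identities should be mapped to a separate, more restrictive role rather than reusing this one.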

Still, as much as the ex-developer in me feels excited about Cognito’s capabilities, the analyst in me cannot but think that Amazon could have gone a step further. Currently, each app vendor would maintain their own identity pool for their users. But why not give users control over their identities? Had Amazon made this additional step, it could eventually become the world’s largest Life Management Platform vendor! How’s that for an idea for Cognito 2.0?

Courion: What Makes Intelligent IAM Intelligent [Technorati links]

July 14, 2014 01:00 PM

Access Risk Management Blog | Courion

Bill Glynn

In order to explain what makes Intelligent IAM Intelligent, we must first discuss why IAM needs to be intelligent.  Fundamentally, IAM is a resource allocation process that operates on the simple principle that people should only have access to the resources they need in order to do their job. So, basically, IAM is used to implement the Marxist philosophy, “to each according to need”. Therein lies one of the problems: without intelligence, IAM operations are inconsistent and can be easily corrupted; resulting in decreased efficiency of workers, increased risk to the corporation (more on that later) or both. The folks with the power have the ability to give some people (the privileged class, like their friends) more access than they need, while others (the exploited workers) may not have access to the resources they truly need, which leads to civil unrest and the potential collapse of corporate society as we know it.

However, given appropriate guidelines (rules) and sufficient information (knowledge), traditional IAM has evolved into an inherently intelligent process for managing resource allocation, such as Courion’s Intelligent IAM solution. On the front end, access requests are evaluated to see if they violate any business rules, such as, “If you aren’t in the Sales department, then you can’t have access to the company sales commission report.”

Such business rules, combined with knowledge about what the access recipients request and what they should receive, enable the access assignment process to be an intelligent activity, ensuring that people do or don’t get access to corporate resources as determined by their functional role or their operational needs. On the back end, the entire corporate environment is continuously monitored, looking for evidence of any business rule violations.

Today’s corporations are challenged by a complex, mobile and open society; problems don’t necessarily get introduced through the front door.  Therefore, it’s critical to have an intelligent IAM system like Courion’s to both prevent problems from being created and to maintain a watchful eye and take immediate action, such as automatic notifications or even automatically disabling access or accounts should issues be discovered.

As an example, Courion’s solution can easily distinguish between a company’s finance department server, which is obviously a far more sensitive resource than a Marketing department’s color printer – (unless you consider the price of replacement ink cartridges, and then it’s not so obvious.) Consequently, Courion’s Intelligent IAM solution, based upon a number of criteria, can determine who should and shouldn’t have access to such sensitive resources. This scenario alludes to a fundamental concept that guides the Courion solution: the concept of risk as it pertains to the corporation.  The system defines risk as a combination of likelihood, as in “OK, so what are the odds that will happen?”, and impact, as in, “So if it happens, how bad can it really be?” In general, a customer can configure the system to behave in accordance with their risk tolerance, which boils down to a basic question, “Just how lucky do you really feel?”

But it’s not just a pattern matching exercise based upon a bunch of If / Then conditions.  Courion’s Intelligent IAM solution not only knows which resources are more sensitive than others, but it also automatically adjusts its knowledge and its perspective over time.

As an analogy, a key isn’t necessarily an inherently sensitive resource. The risk associated with giving someone that key depends upon a variety of dynamic variables, such as who is going to get the key, what other keys may be behind the door that this key unlocks, how many other people also have a copy of this key, and exactly who are they?

So, while it may have seemed like a good idea to give Fred a key to the supply room, a week later we now know that all of Fred’s buddies also have a key to the supply room. More specifically, we know that Fred’s good friend Barney just got access to an additional key that unlocks the back door of the supply room. Consequently, the risk that the company’s expensive monogrammed tissue paper goes missing from the supply room has increased dramatically.

It’s this broad contextual view across a dynamically evolving environment, coupled with the knowledge of what is and isn’t an acceptable level of risk, and the ability to adapt its perspective to changing conditions that makes Courion’s Intelligent IAM solution such a valuable tool for ensuring appropriate access to corporate resources, such as prized paper goods.
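The request-time rule check, the likelihood-times-impact score and the continuous back-end sweep described above, worked through on the Fred and Barney scenario. This is an added illustration of the approach, not Courion’s code; the resources, departments, impact scores, the risk tolerance of 8 and the “related entitlement” notion used to count other keys to the same room are made-up sample data and assumptions.

```python
"""Rule-plus-risk evaluation of access requests, with a continuous back-end sweep.

Added illustration of the approach described in the post; not Courion's code.
All resources, users, scores and the tolerance below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

RISK_TOLERANCE = 8  # assumed organisational setting: risk above this is unacceptable


@dataclass
class Resource:
    name: str
    impact: int                       # 1..5: how bad misuse of this resource would be
    department: Optional[str] = None  # business rule: only this department may hold it
    related: frozenset = frozenset()  # other entitlements that open the same asset


@dataclass
class User:
    name: str
    department: str
    entitlements: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    risk: int
    reasons: list


def rule_violations(user, resource):
    """Front-end check: static business rules such as 'Sales only'."""
    if resource.department and user.department != resource.department:
        return [f"{user.name} is in {user.department}, not {resource.department}"]
    return []


def likelihood(user, resource, users):
    """1..5: grows with every other grant (anyone's) that opens the same asset."""
    same_asset = {resource.name} | set(resource.related)
    other_grants = sum(
        1
        for u in users.values()
        for e in u.entitlements
        if e in same_asset and not (u.name == user.name and e == resource.name)
    )
    return min(5, 1 + other_grants)


def evaluate(user, resource, users):
    """Combine rule violations with risk = likelihood * impact against the tolerance."""
    reasons = rule_violations(user, resource)
    risk = likelihood(user, resource, users) * resource.impact
    if risk > RISK_TOLERANCE:
        reasons.append(f"risk {risk} exceeds tolerance {RISK_TOLERANCE}")
    return Decision(allowed=not reasons, risk=risk, reasons=reasons)


def request_access(user_name, resource_name, users, resources):
    """Front door: grant only if no rule is violated and the risk is tolerable."""
    user, resource = users[user_name], resources[resource_name]
    decision = evaluate(user, resource, users)
    if decision.allowed:
        user.entitlements.add(resource.name)
    return decision


def sweep(users, resources):
    """Back end: re-score every existing grant under current conditions,
    whether or not it came in through the front door."""
    return {
        (user.name, name): evaluate(user, resources[name], users)
        for user in users.values()
        for name in sorted(user.entitlements)
    }


def demo():
    """Constructed scenario: Fred and Barney and the supply room keys."""
    resources = {
        "sales_commission_report": Resource("sales_commission_report", impact=4, department="Sales"),
        "supply_room": Resource("supply_room", impact=2,
                                related=frozenset({"supply_room_back_door"})),
        "supply_room_back_door": Resource("supply_room_back_door", impact=4,
                                          department="Facilities",
                                          related=frozenset({"supply_room"})),
    }
    users = {
        "fred": User("fred", "Sales"),
        "barney": User("barney", "Sales"),
        "wilma": User("wilma", "Marketing"),
    }
    results = {
        "wilma_report": request_access("wilma", "sales_commission_report", users, resources),
        "fred_supply": request_access("fred", "supply_room", users, resources),
        "barney_supply": request_access("barney", "supply_room", users, resources),
    }
    # A week later Barney gets the back-door key without going through the request path.
    users["barney"].entitlements.add("supply_room_back_door")
    results["sweep"] = sweep(users, resources)
    return results
```

Wilma is refused the commission report by the Sales-only rule. Fred’s supply-room key scores 2 when granted; after Barney obtains the back-door key out of band, the sweep re-scores Fred’s key at 6 (still tolerable) and flags Barney’s back-door grant both for the Facilities-only rule and for a risk of 12, which is where the notification or automatic revocation would hook in.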

However, perhaps one of the more subtle benefits provided by Courion’s Intelligent IAM solution is that it takes the burden off of the IT folks who no longer have to justify to angry users why their request was denied.  It now becomes a much easier conversation:

“I’m sorry. I like you, and I feel your pain. I want to give you access to the Executive rest room, but I just don’t have that kind of power. You see, we use Courion’s Intelligent IAM solution and it can distinguish between what you want and what you need. So, it knows that you want access to the executive rest room, but it also knows that you don’t really need access to the executive rest room. It’s not like the old days when I might be persuaded to give you what you want. Even if I could give you such access, the Courion solution is always watching and it’s configured to notify the entire executive team of rule violations, and not only that, it will automatically take away your access.  It will simply lock the door. Therefore, continuing to try to open the door might be embarrassing, even for you. Why don’t you just use that nice restroom down the hall like the rest of us and then go back to your desk and listen to some music; I suggest a tune from The Rolling Stones – “You can't always get what you want, but if you try sometimes, you just might find, you get what you need.”

blog.courion.com

Kuppinger Cole: Executive View: Ergon Airlock/Medusa - 71047 [Technorati links]

July 14, 2014 07:05 AM
In KuppingerCole

Ergon Informatik AG is a company based in Zurich. In addition to a large business unit for custom software development, Ergon has for many years also been present on the market as a vendor of standard software and has a significant number of customers. The company's core products are the closely interlinked solutions Airlock and Medusa. Airlock is a Web Application Firewall that provides Web Single...

Kuppinger Cole: Executive View: Centrify Server Suite - 70886 [Technorati links]

July 14, 2014 06:28 AM
In KuppingerCole

Centrify is a US based Identity Management software vendor that was founded in 2004. Centrify has achieved recognition for its identity management and auditing solutions including single sign-on service for multiple devices and for cloud-based applications. The company is VC funded and has raised significant funding from a number of leading investment companies. The company as of today has more than 5,000 customers. Centrify has licensed key SaaS...

July 12, 2014

Anil John: Identity Validation as a Public Sector Digital Service? [Technorati links]

July 12, 2014 03:00 PM

I’ve written before about the role that the public sector currently has in identity establishment, but not in identity validation. This absence has led to an online ecosystem in the U.S. that depends on non-authoritative information for identity validation. These are some initial thoughts on what an attribute validation service, which provides validation of identity attributes using authoritative public sector sources, could look like.



These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer.

Julian Bond: John Doran (TheQuietus editor) playing DJ in an open air car park just off Old Street. Wed evening, ... [Technorati links]

July 12, 2014 10:23 AM
John Doran (TheQuietus editor) playing DJ in an open air car park just off Old Street. Wed evening, 16 July. I think it's free but not sure.

http://thequietus.com/articles/15674-red-market-subject-wednesdays-dj-programme 

https://www.facebook.com/events/298139427021855/
http://www.subjectyourself.co.uk/
http://www.redgallerylondon.com/
