May 26, 2016

GluuGoogle on Identity: “Don’t try this at home!” [Technorati links]

May 26, 2016 08:56 PM

don't_try_this_at_home

Last year at the Cloud Identity Summit Google’s Product Management Director of Identity, Eric Sachs, gave an insightful talk about OpenID Connect. It was mostly the normal stuff about Account Chooser, and the idea of “identifier first” authentication workflow (great idea!).

But then came a surprise.

I’ll have to paraphrase since the talk was almost a year ago. But Sachs said something like “Identity is really hard. Leave it to the professionals.” Essentially he was advocating for the use of Google or a SaaS identity provider–or, in other words, he was saying that identity is too difficult for the masses.

Gluu is not anti-SaaS. In many situations we recommend SaaS providers like Okta to organizations that do not have the economies of scale to operate their own identity service. We also do not under-estimate the capabilities required to run a robust identity and access management service.

Nor are we anti-Google. We frequently point to Google as having the best consumer identity platform on the planet (note: consumer, not enterprise). From a usability perspective they have gotten so many things right; support for strong authentication is excellent; obviously it scales. And Google is on the cutting edge of new security paradigms–for example, their tight integration of identity with document sharing is wonderful.

But the idea that an identity platform is too hard or even inefficient for most organizations to operate is not accurate either.

As Google can probably attest, excellence at identity is a competitive advantage. The future of many organizations hinges on their ability to adapt to the digital revolution that is underway. If your organization’s capability to secure digital assets is constrained by a third party, will that impact the ability to innovate new products, services, and business relationships? What’s more important: top line growth or cost savings?

SaaS, like any utility, is made possible by two things: capital and established operating process. It’s the latter that presents a potential conflict of interest for the utility. The biggest cost for a SaaS identity provider is people. To achieve maximum profitablity, the best strategy is to reduce the support surface area.

Innovation is not always in the interest of enterprise SaaS providers. Supporting the latest and greatest technology is risky–if something fails, a SaaS provider may have to continue to support it for years (as long as some of their customers are still using it). This creates an atmosphere of extreme risk-aversion when it comes to enhancements. But for your organization to succeed, you may need to push the technology envelope.

Anything that is unfamiliar is hard. Is identity hard, or just unfamiliar?

I remember attending Microsoft seminars years ago about how to deploy a Kerberos server. Why is no similar effort underway to evangelize the adoption of OpenID Connect providers? All of a sudden it’s just too hard? Or, is it that operating an OpenID Provider is a valuable trade secret that will no longer be shared with the public because the monthly fee business model is more profitable?

I love utilities as much as the next person. I am not going to suggest that you build your own electricity plant to power your factory. But it’s important that we not dumb-down the security capabilities of our organizations–in fact, we should be doing the exact the opposite. Only then will we be able to build a new secure, inter-connected digital society.

Rakesh RadhakrishnanCore CISO Org Structure & "Threat Centric IAM” [Technorati links]

May 26, 2016 05:28 AM
Recently I authored a paper and presented a "brighttalk" on the same topic: "Threat Centric IAM". Both the paper and the tech talk was well received by at least 12+ CISO's I had met. Quite often they came back to me with more people, process and governance related questions to this approach, hence this blog entry.

 One of the interesting trends in enterprises, that I have witnessed in the past few years is a CISO organization that is folding the IAM resources under the CISO as opposed to having IAM resources distributed within IT and related groups. In the past IAM folks with expertise in Authentication, SSO, IDM provisioning and externalized fine grained access (entitlement developers), have been in IT organization that run IT support services or within Application Development teams. With the technology trend moving towards Cloud adoption by IT and SAAS models by application groups and given that IAM is a key control amongst all security controls, and its significance, in terms of addressing Compliance Reporting, IAM teams are getting folded within the CISO organizations as a new parallel pillar. This is further necessitated with the Mobile and IOT trends as a business enabler.

This to us is a reflection of the increased significance given to IAM by the CISO organization and the recognition that IAM is a critical core control for all distributed security controls (intra and inter enterprise). It is also helping in terms of leveraging resource expertise across an entire enterprise, as Authentication is a Service that gets reused and so is IDM provisioning as a service and Authorization as an externalized enterprise wide entitlement service that can integrate into Risk Systems (for risk based access), etc.

This is a welcome development as the IAM team works closely with Security Architecture and Engineering while modernizing and maturing its IAM Programs (via Standards interfaces and policy compliance) driven by requirements coming from Risk Management and Compliance teams. In addition, the IAM team has opportunities now to partner with Security operations and the cyber security team to work on “threat modeling” of the AS-IS IAM footprints and also drive towards “Threat Centric IAM” –integrating the Threat Intelligence and recommended coarse of actions (STIX COA) into IAM controls one step at a time. This can include threat intelligence integration into IAM vetting/proofing processes, IAM provisioning processes, authentication and multi factor authentication processes, network admission control processes, cloud access security brokers and enterprise fine grained access controls, including data base firewalls and DLP systems.

Folding the IAM team under the CISO org chart allows for these two pillars to collaborate more extensively moving forward to realize higher levels of maturity as described in the “Threat Centric IAM” paper.

Good to see a blog on CISO mind map…  11 functional domains highlighted here are collapsed into 5 organizational pillars, in my blog.
 
 
 
 
 
 
 
 
 
 

 


 



 
May 25, 2016

Nat SakimuraOpen Data in Finance @ London は6月15日! [Technorati links]

May 25, 2016 02:17 PM

FinTechの3本柱の1つとして注目されるAPIですが、特に欧州ではPayment Service Directive 2で銀行が2017年末までに金融API提供を義務付けられたことに伴い、とてもホットな話題になっています。日本ではまだまだブロックチェインの後塵を配していますが、まだまだリサーチ・プロジェクトと言っても良いブロックチェインに比べて、金融APIは喫緊の課題です。

こうした中で、金融APIをメインに取り扱う、「Open Data in Finance」というカンファレンスが、欧州金融の中心地・ロンドンで6月14日、15日の2日間にわたって行われます。6月14日はワークショップで、メインのカンファレンスは6月15日です。到底力不足ながら、不詳、わたくし、Nat Sakimura が、カンファレンスを通じたChair を拝命しております。

Screen Shot 2016-05-25 at 23.03.32

プログラムは、こちらのページ(Agenda)からご覧いただけますが、The Open Banking Standard のステアリング・コミッティのチェアの Open Data Institute の CEO の Gavin Starks とバークレイズ銀行のManaging DirectorのMatt Hammerstein の Armchair Chatに始まり、多くの有識者たちによるパネル・ディスカッションやラウンドテーブルを聞くことができ、欧州における金融APIの「今」を知るための貴重な機会となろうかと思います。

6月15日にロンドンにお立ち寄りの折には、ぜひお寄りください。

それでは、ロンドンでお会いしましょう。

 

Copyright © 2016 @_Nat Zone All Rights Reserved.

Kuppinger ColeJun 28, 2016: Externes Beziehungsmanagement: Kommunikation und Kollaboration mit Partnern und Kunden sicher steuern [Technorati links]

May 25, 2016 10:08 AM
Mit der steigenden Nachfrage von Unternehmen nach engerer Kommunikation und Kollaboration mit externen Partnern und Kunden wächst auch der Bedarf an professionellem Web Access Management und Identity Federation. Geeignete Lösungen ermöglichen sichere Zugänge von und auf externe Systeme, auch aus der Cloud. Um die Vielzahl an Anforderungen für eine sichere Kommunikation und Kollaboration erweiterter und vernetzter Unternehmen nahezu lückenlos mit IT abzudecken und gleichzeitig agil zu bleiben, sind Standardinfrastrukturen notwendig.

Kuppinger ColeComplexity Kills Agility: Why the German Reference Architecture Model for Industry 4.0 Will Fail [Technorati links]

May 25, 2016 10:00 AM

by Martin Kuppinger

The German ZVEI (Zentralverband Elektrotechnik- und Elektroindustrie), the association of the electrical and electronic industries, and the VDI (Verein Deutscher Ingenieure), the association of German engineers, has published a concept called RAMI (Referenzarchitekturmodell Industrie 4.0). This reference architecture model has a length of about 25 pages, which is OK. The first target listed for RAMI 4.0 is “providing a clear and simple architecture model as reference”.

However, when analyzing the model, there is little clearness and simplicity in it. The model is full of links to other norms and standards. It is full of multi-layer, sometimes three-dimensional architecture models. On the other hand, the model doesn’t provide answers on details, and only a few links to other documents.

RAMI 4.0 e.g. says that the minimal infrastructure of Industry 4.0 must fulfill the principles of Security-by-Design. There is no doubt that Industry 4.0 should consequently implement the principles of Security-by-Design. Unfortunately, there is not even a link to a description of what Security-by-Design concretely means.

Notably, security (and safety) are covered in a section of the document spanning not even 1% of the entire content. In other words: Security is widely ignored in that reference architecture, in these days of ever-increasing cyber-attacks against connected things.

RAMI 4.0 has three fundamental faults:

  1. It is not really concrete. It lacks details in many areas and doesn’t even provides links to more detailed information.
  2. While only being 25 pages in length and not being very detailed, it is still overly complex, with multi-layered, complex models.
  3. It ignores the fundamental challenges of security and safety.

Hopefully, we will see better concepts soon, that focus on supporting the challenges of agility and security, instead of over-engineering the world of things and Industry 4.0.

May 24, 2016

Kuppinger ColeKim Cameron - The Future of On-Premise AD in the days of Azure AD [Technorati links]

May 24, 2016 11:57 PM

Azure AD is here. It can act as a domain controller. It helps you managing your partners. It is ready-made for managing your customers. The application proxy builds the bridge back to your on-premise applications. That raises an important question for all organizations running AD on-premises: What is the future role for on-premise AD? What is the right strategy? Who can and should get rid of on-premise AD now or in the near future, who should focus on a hybrid strategy? Where is the overlap?



Kuppinger ColeDarran Rolls - The Anatomy of Your Next Cyber Attack: IAM Pitfalls and Protections [Technorati links]

May 24, 2016 11:56 PM

Security breaches and cyber attacks have become a daily occurrence. Worse, in some cases it can take an organization months to realize they’ve been breached. Open the pages of the latest breach forensic report and you will find a litany of basic IAM errors that read like a horror story. Many companies are missing the basic IAM best practices that can help prevent, detect and mitigate attack. In this session, SailPoint's CTO Darran Rolls presents the anatomy of a typical cyber attack and explains where and how IAM controls should be applied to better enable close-loop cyber protection for enterprise systems. You may not be able to prevent an attack, but you can minimize the damage and your exposure.



Kuppinger ColeDimitra Kamarinou - From Suppliers to Consumers: Issues of Liability in Industry 4.0 [Technorati links]

May 24, 2016 11:24 PM

This session looks at the responsibilities and liabilities of organisations involved in the ‘smart manufacturing’ process both internally (e.g. towards employees) and externally (e.g. other organisations, suppliers, consumers, the environment) and at the difficulties of attributing liability in a complex web of stakeholders that might include cloud service providers. We also discuss the importance of contractual and non-contractual liability as well as statutory and common law liability, including fault-based and strict liability. This session also looks at why these legal questions are important and at potential ways to clarify issues of attribution of liability in Industry 4.0.



Kuppinger ColeLuigi de Bernardini - Industry 4.0 and IIoT: Different Approaches to a Smarter Industry? [Technorati links]

May 24, 2016 11:23 PM

In most cases, the terms Industry 4.0 and Industrial Internet of Things (IIoT) are used interchangeably. But these two terms, though referring to similar technologies and applications, have different origins and meanings. Industry 4.0 is focused specifically on the manufacturing industry and the goal of ensuring its competitiveness in a highly dynamic global market. The IIC is more focused on enabling and accelerating the adoption of Internet-connected technologies across industries, both manufacturing and non-manufacturing. That’s why it’s important to understand the differences between Industry 4.0 and the "Industrial Internet of Things" and where our mindset and approaches best fit.



Kuppinger ColeThe Need to Destroy in the Era of Populous Data and Cloud [Technorati links]

May 24, 2016 10:43 PM

What often gets overlooked in the conversation on cloud security is the subject of “deletability" of cloud data. During this session our expert panel explore the topic of whether cloud data that is “deleted” by an end-­user is actually completely removed from the cloud? By end-user we mean the consumer and the cloud administrators.



Kuppinger ColeTrends & Innovation Panel: What Are the Most Important Innovations and Who Are the Innovators? [Technorati links]

May 24, 2016 10:40 PM

The idea of this trends & innovation panel is to give each panelist the opportunity to tell the audience what company or companies out there are doing something innovative, what it is, why it is important and why the audience should care track the company. For example, one of the panelists might talk about how the perimeter is disappearing and it’s important to be thinking about governance, security and privacy for cloud properties like Salesforce, Workday, etc. The only restriction on panelists is that they are not allowed to talk about their own products or products from anyone on the panel.



Kuppinger ColeTransforming Governance, Security and Compliance [Technorati links]

May 24, 2016 07:48 PM
The number of companies investing in modern “Big Data”-type SAP products and cloud-based SAP deployment models is growing constantly. Having formerly been stored in standalone database silos, SAP information from CRM, ERP etc. for Big Data deployments is now being migrated to a central high-volume and high-performance database. Deploying traditional SAP environments in the cloud and leveraging new cloud-based SAP applications introduce new groups of customers to SAP services and shift the focus of existing SAP users.

ForgeRockWhat’s Up in the Cloud? ForgeRock’s New Cloud Foundry OpenAM Service Broker [Technorati links]

May 24, 2016 01:00 PM

 

With the Cloud Foundry Summit underway in Santa Clara this week, we thought it would be a good time to announce our preview version of a new identity service broker for the Cloud Foundry platform. An extension of the OpenAM project, the new service broker will allow externally deployed ForgeRock solutions to protect applications and microservices running on any iteration of Cloud Foundry. In short, the service broker will enable developers to create persistent identities that are portable across clouds. ForgeRock identity solutions have been implemented as cloud deployments previously – notably European telecom giant Swisscom has offered identity as a service built on the ForgeRock Identity Platform for some time now. But this service broker project marks the first time that a cloud offering is universally available through the open source OpenAM project. We’re throwing around a lot of terms here that might not be immediately recognizable to everyone in the identity community, so let’s clarify a bit.

 

CloudFoundaryCorp_cmyk 2

What exactly is Cloud Foundry?

Cloud Foundry is an open source cloud computing platform as a service (PaaS) that is available as freeware, and also as commercial offerings from Pivotal Software, IBM Bluemix, Swisscom, HP and several other vendors. All of these iterations of Cloud Foundry offer a collection of platform elements that enable developers to create and host production versions of online services and applications. These platform elements include features for monitoring, logging, messaging, authentication, traffic routing and other tasks. One of the core concepts of the Cloud Foundry project is the service broker.

 

What exactly is a service broker?

A service broker is code that enables an application in the cloud to invoke or “point to” a needed service for that application to run. So in our case, an application on the cloud – let’s imagine the application is a smart car onboard navigation and information system – could point to the ForgeRock service broker to invoke identity and access management when a driver “logs in” by starting up their car. The advantage of using OpenAM as the authentication server for the Cloud Foundry platform is that it offers very rich capabilities, including authentication, authorization, adaptive risk and multifactor authentication. For instance, in the smart car scenario there could be different levels of identity required for different drivers – so for instance, parents could set certain restrictions for their teen drivers.

 

What are microservices?

Well-known software industry observer Martin Fowler, describes microservices thusly: “In short, the microservice architectural style is an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API.” Speaking last week to my colleague David Ferriera (cloud technology director here at ForgeRock and the exec who oversaw the development of our service broker project) he provided this overview of what microservices mean in the identity management context:

Microservices is a popular new architecture where monolithic applications are broken down into subcomponents that can then be used to scale independently. The promise of cloud is ubiquity, persistence and flexibility, and microservices are a natural fit in this kind of environment because they give developers more choices in how to approach technical and business challenges. Now, why is identity necessary in a cloud architecture? Identity and access management are key here because a single enduser request may result in many, many microservices requests, and you need identity to be consistent across all those requests. You need to make sure they’re all acting on the same person, and you need to make sure that each one of those microservices requests is authorized. And that’s what we released today – what the ForgeRock service broker does is it supports OAuth and allows you to extend OpenAM capabilities to secure those microservices.

 

What is OAuth?

OAuth is a standard for authorizing access to applications and data. It enables users to grant restricted access to resources they own—such as pictures residing on a site like Facebook—to a third‐party client like a photo printing site. Before OAuth, it wasn’t uncommon to find websites or online services asking users to share their username and password with the client, a deceptively simple request masking serious security risk. In contrast to this, OAuth promotes a least privilege model, allowing a user to grant limited access to their applications and data by issuing a token with limited capability. OAuth is beneficial because it hands the management of web delegation to the actual resource owner. The user connects the dots between their accounts on different Web applications without involvement from security administrators on the respective site. This relationship can be long‐lasting but can also be terminated at any time by the user. One of the great advancements OAuth brings to the Web community is formalizing the process of delegating identity mapping to users. OAuth originated through the OpenID project at Twitter, and became a standard with input from Google and other Internet companies. The OAuth 1.0 protocol was published as RFC 5849 in April 2010, and the OAuth 2.0 framework followed in 2012.

CF_rabbit_Blacksmith_vector

Final thoughts?

Daniel: The beauty of the cloud / service broker approach is that when a developer is coding an app, they can actually see the service and call out to it. They don’t have to think about deploying the service. If your developers are focused on code, and all they’re doing is pushing this stuff to where it needs to be deployed, and all that infrastructure – everything underneath it is taken care of – that’s gold.

David: That’s the point of the platform. If you’re a developer, you only need to worry about writing the business logic that you’re responsible for. You don’t have to become an expert in identity, deploying databases and all that other infrastructure stuff – it’s just write your code and get on with it.

Daniel: Yes, well there’s two things here, right? Why do developers care about a cloud identity service broker, and why do identity architects and security groups care about it? Because they can now plug into Cloud Foundry as well as their data center and have one single place to manage their security / identity processes. It’s beneficial for both, and that’s a powerful thing.

 

Where can I access the ForgeRock Cloud Foundry service broker?

The open source code for the service broker preview is accessible through GitHub, and ForgeRock welcomes feedback on the project. The service broker preview and IAM for cloud deployments will be discussed at ForgeRock’s upcoming UnSummit, taking place in San Francisco on June 1st. More information on the ForgeRock Identity Summit Series is accessible here.

 

 

 

 

 

The post What’s Up in the Cloud? ForgeRock’s New Cloud Foundry OpenAM Service Broker appeared first on ForgeRock.com.

Nat SakimuraCISでのOpenID Trackは6月7日火曜日 [Technorati links]

May 24, 2016 07:24 AM

昨年までは、CISでのOpenID Trackは、Pre-conference day でしたが、今年は 『Achieving Internet Scale Identity with OpenID Connect』と題して、main conferenceに取り込まれました。

トラック・コーディネーターはDon Thibeauです。
今年は、わたしは金融API WGの紹介をします。

Achieving Internet Scale Identity with OpenID Connect

Tuesday, June 7.

Copyright © 2016 @_Nat Zone All Rights Reserved.

Kuppinger ColeExecutive View: PingAccess - 71507 [Technorati links]

May 24, 2016 06:54 AM

by Ivan Niccolai

PingAccess is a web and API Access Management offering from Ping Identity. PingAccess is tightly integrated with PingFederate and provides a superior alternative to traditional Web Access Management products with its ability to provide policy- and context-driven access control to traditional on-premise web applications and cloud applications, as well as to REST-based APIs.

Kuppinger ColeFintech, Insurtech, Supply Chain, Automotive: Use Cases where Blockchain meets IoT and Identity [Technorati links]

May 24, 2016 02:10 AM

During the first part of the blockchain track at EIC 2016, we have learned a lot about the concept and technology of Blockchain Identity. In this session we build on this and have a look at what happens in different use case scenarios, if blockchain, the internet of things, identity and the need for privacy "collide". Has blockchain been the missing link to put the "platform" thought away from "Life Management Platforms" to make it a universally available privacy by design representation of humans in a digital world?



Kuppinger ColeProof of Identity for Refugees and Beyond: Blockchain Identity for the World [Technorati links]

May 24, 2016 01:42 AM

Recent research estimates that there are 1.5 billion individuals who do not have any means to prove their legal identity. Failing states lacking to perform even the most basic administrative tasks, supressed ethnic groups, and of course all those who have to flee their home due to conflicts or disasters.

New thinking is required to make identification available to all humans, and to help refugees and displaced people to cross borders and to apply for asylum. In this panel discussion, we will try to outline a blockchain based supranational identity infrastructure under the roof of an organization like UN.



Kuppinger ColeHow to Make the Blockchain a Reality [Technorati links]

May 24, 2016 01:09 AM

Blockchain is not yet ready to support industrial use cases. In this panel session we discuss the requirements across industries and how to improve and accelerate the maturity of this shared ledger technology through an open and coordinated approach.



Kuppinger ColeDr. Jutta Steiner - Blockchains Beyond the Hype [Technorati links]

May 24, 2016 12:00 AM

For the last few months, every day there has been a new announcement of a major corporate (successfully ?) trialing blockchain technology in a Proof-of-Concept. For anyone outside of the blockchain space and hype, it has become difficult to discern the signal from the noise. We give a brief introduction into the true technical innovation of these open multi-user platforms and present several use cases where businesses can benefit: From IT security to data privacy to IoT.



May 23, 2016

Kuppinger ColeSebastien Meunier - Blockchain – a New Compliance Paradigm? [Technorati links]

May 23, 2016 11:58 PM

One of the most promising use-case for distributed ledgers in financial services is the implementation of compliance and risk management solutions. In this session, we will analyze how the blockchain technology can be used to build trusted registries of identity and ‘know your customer’ data about individuals or companies, with concrete examples. We will also highlight the difficulties of such approaches and discuss the possible scenarios of evolution in this domain.



Kuppinger ColeIvan Niccolai - Blockchain, Identity, Cybersecurity [Technorati links]

May 23, 2016 11:57 PM

How is trust established without trusted third parties? Although it is not possible to offer a prediction of how distributed ledger technology with change society, the assertion that new and publically-accessible technology such as the internet, file sharing and social networks would empower individuals and lead to a more transparent and equitable society has been made before. While the advent of the internet has led to unparalleled global communication capabilities, it has also allowed for a situation of total, mass surveillance. The blockchain offers a trustless information security model, replacing human judgement with proof-of-work algorithms and perimeter security with total transparency.



OpenID.netAnnouncing the Financial API (FAPI) Working Group [Technorati links]

May 23, 2016 08:15 PM

In many cases, Fintech services such as aggregation services uses screen scraping and stores user passwords. This model is both brittle and insecure. To cope with the brittleness, the new OpenID Foundation Work Group invites developers, architects and technologists to contribute to an open standard approach using an API model with structured data and to cope with insecurity, it should utilize a token model such as OAuth [RFC6749, RFC6750].

The OpenID Foundation Financial API (FAPI) Working Group aims to rectify the situation by developing a REST/JSON model protected by OAuth. Specifically, the FAPI Working Group aims to provide JSON data schemas, security and privacy recommendations and protocols to:

Both commercial and investment banking account as well as insurance, and credit card accounts are to be considered.

The FAPI Working Group is building a Fintech bridge through open standards. This effort builds on the wide international adoption of OpenID Connect.

The FAPI Working Group was proposed by Nat Sakimura (NRI), Tony Nadalin (Microsoft), and Cindy Barker (Intuit). A charter will be approved and a chair selected at the first FAPI Working Group meeting.

The FAPI Working Group chairs will be presenting on the focus of the group at upcoming conferences including the 2016 Cloud Identity Summit in New Orleans and the Open Data Finance conference in London, both in June.

The Open Data in Finance conference is an end-user driven event that focuses exclusively on open data and data sharing in the finance sector.

It will bring together influential representatives at the nexus of the open data initiative, to give insights into the plans of government and key industry players, and share how they are shaping and responding to this market change.

The Open Data in Finance organizers have offered OpenID Foundation members a 20% discount to attend. Please contact me directly if interested.

Links of interest:

OIDF FAPI Working Group Page

Subscribe to the FAPI Working Group Mailing List

Those interested in participating will need to submit a signed IPR Agreement indicating their participation in the FAPI WG. The IPR agreement can be submitted online via DocuSign or emailed to help@oidf.org.

Kantara InitiativeKantara Initiative To Present Digital Identity Blockchain Workshops At MIT [Technorati links]

May 23, 2016 07:10 PM

Massachusetts Institute of Technology “Digital Contracts, Identities and Blockchains” Conference To Help Develop New Processes And Standards For Digital Contracts

 

WAKEFIELD, Mass., USA – May 23, 2016 — Kantara Initiative, which provides strategic vision and real-world innovation elements for the digital identity transformation, announced today it will present digital identity workshops at the Massachusetts Institute of Technology (MIT) “Digital Contracts, Identities and Blockchains 2016” conference May 23-24 at MIT, 75 Amherst Street, Cambridge, MA.  

 

The conference was organized by MIT Connection Science and brings together many of the world’s blockchain thought leaders and practitioners to discuss and develop better, more standardized approaches to digital identities and contracts using distributed ledger technologies.

 

“We are delighted that the Kantara Initiative as a standards defining organization is co-sponsoring technical sessions at the ‘MIT Digital Contracts, Identities and Blockchains 2016’ conference,” said Thomas Hardjono, CTO, MIT Connection Science. “The UMA Legal Subgroup in Kantara continues to be a creative forum for bridging between legal and technical communities addressing identity, trust frameworks and data privacy.”

 

 

About MIT Connection Science

MIT Connection Science under the leadership of its Founding Faculty Director, Prof Alex “Sandy” Pentland, is spearheading a new initiative around the legal and technical aspects of smart contracts, distributed incentives, and blockchain technology.   

 

Connection Science seeks to build better societies through data/analytics, with faculty-led research, training programs, and open-source tools libraries.  It is publishing a multi-part blockchain & financial services whitepaper series on “The Fifth Horizon of Networked Innovation”.  Contact shrier@mit.edu for a copy.

 

About Kantara Initiative
Kantara Initiative, Inc. provides strategic vision and real world innovation elements for the digital identity transformation. Developing initiatives including Identity Relationship Management, User Managed Access (EIC Award Winner for Innovation in Information Security 2014), Identities of Things, and Minimum Viable Consent Receipt, Kantara Initiative connects a global, open, and transparent leadership community, including CA Technologies, Experian, ForgeRock, IEEE-SA, Internet Society, Nomura Research Institute, Radiant Logic and SecureKey. More information is available at https://kantarainitiative.org/.

 

Follow Kantara Initiative on Twitter — @KantaraNews

Nat SakimuraLet’s Encrypt あらため certbot でSSL証明書インストール [Technorati links]

May 23, 2016 05:48 PM

Let’s Encrypt がついにβフェーズを終わって正式リリースされました。そして、EFF提供のcertbotになりました。

インストールと設定も、βのころに比べると格段に楽になりました。

まず、https://certbot.eff.org/ に行ってください。すると、Web Server と OS を選ぶ画面が出てきます。

Certbot Front Screen

図)自分が使っているWeb ServerとOSを指定すると、インストラクションが出てくる。

 

ここで、自分の使っている Webserver と OS を選ぶと、お使いの環境ごとのマニュアルが出てきます(英語ですが)ので、それに従うだけです。たとえば、Apache + Ubuntu 14.04 だと、

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto

で、certbot のインストールファイルを落としてきて権限変更し、

$ ./certbot-auto

とすることで、certobot のインストールができます。

certbotのインストールが終わったら、証明書のインストールです。Apacheを使っている場合は、

$ ./path/to/certbot-auto --apache

でできます。使い勝手はほぼ Let’s encrypt と同じです。

ついでに、Courier MTA のSSL certs も切り替えてみよう

さて、Apache はほとんど全自動で設定できたのではないでしょうか?ついでですから、Courier MTAのSSL certs もこれに切り替えちゃいましょう。

Courier MTA で使う .pem ファイルは、プライベート・キー+証明書+証明書チェーンとつなげたものです。certbotの場合、あなたのドメインが「example.com」だった場合、/etc/letsencrypt/live/example.com/ にこれらのファイルは入っています。Courier MTA SSL の設定ファイル(/etc/courier/esmtpd-ssl ) から読んでいる .pem ファイルが /etc/courier/esmtpd.pem だったとしましょう。その場合、

$ sudo cd /etc/letsencrypt/live/example.com/
$ sudo cat privkey.pem cert.pem fullchain.pem > /etc/courier/esmtpd.pem
$ sudo /etc/courier-mta-ssl restart

で良いはず。例によって、保証はしませんがね。

Copyright © 2016 @_Nat Zone All Rights Reserved.

Kuppinger ColeThere Is No Such Thing as an API Security [Technorati links]

May 23, 2016 11:00 AM

by Martin Kuppinger

Kuppinger ColeThere Is No Such Thing as an API Economy [Technorati links]

May 23, 2016 11:00 AM

by Martin Kuppinger

Martin Kuppinger explains why there is no API economy.

ForgeRockTomTom Wins “Best Consumer Identity Project” at EIC [Technorati links]

May 23, 2016 10:46 AM

Breaking news! ForgeRock customer TomTom won “Best Consumer Identity Project” at Europe’s biggest identity conference, EIC, presented by KuppingerCole.

“TomTom has initiated a program for delivering a new identity platform that manages identities of customers and devices worldwide at very large scale. The identity platform is a global solution. It is a great example of a way to manage all identities ─ of peoples, devices, and things ─ in a consistent way.”
KuppingerCole 2016

IMG-20160511-WA0008 (1)TomTom accepting the award for Best Consumer Identity Project at EIC 2016

TomTom is a navigation, traffic, mapping, and GPS-focused company that uses the ForgeRock Identity Platform to secure the identities of consumers, devices, and things, worldwide. They’re working with us and our partner Everett to launch cool services like these:

EIC_AWARD__016 (1)Members of the ForgeRock, TomTom, and Everett teams at EIC.

We love to see TomTom in the spotlight for this ambitious and highly successful identity project. And, we’re proud that this award confirms that ForgeRock offers the best unified identity platform on the market for innovative digital businesses like TomTom.

KuppingerCole thinks so too. In their recently released “Leadership Compass – Access Management and Federation,” KuppingerCole named ForgeRock a leader in all four categories (Overall, Market, Product, and Innovation) and the outright leader in the Innovation category. Read up on the report here.

 

You can download the complete Leadership Compass here.

Want to know more about TomTom and their award winning identity project? Read on!

About TomTom

TomTom empowers movement. Every day millions of people around the world depend on TomTom to make smarter decisions. They design and develop innovative products that make it easy for people to keep moving towards their goals. Best known for being a global leader in navigation and mapping products, TomTom also creates GPS sports watches, as well as state-of-the-art fleet management solutions and industry-leading location-based products.

The TomTom business consists of four customer-facing business units: Consumer, Automotive, Licensing and Telematics. It has over 4,600 employees and 58 offices in 35 countries worldwide. Since 2004, TomTom has sold over 78 million personal navigation devices and the company’s navigable maps span over 135 countries, reaching more than 4 billion people. TomTom’s real-time traffic information service is available in 50 countries and over 625,000 professional drivers are powered by the TomTom fleet management solution WEBFLEET

The Challenge

Over time, TomTom’s different business units grew independently and created their own customer identification systems. With the introduction of new digital technologies and their rapid growth globally, TomTom needed to unify their customer databases and create a single consumer experience that would allow them to truly understand their consumer across all channels. To enable new technology like MyDrive, a smart route planner, TomTom needed consumers to have a single, persistent identity that followed them from their laptop, to their mobile device, to their car navigation system in order to create a seamless user experience. The identity platform also had to be able to scale to handle millions of concurrent users.

Originally, TomTom’s solution for Identity and Access Management was proprietary and did not follow industry standards. However, the growth of the IoT in the automotive space meant that navigation was no longer solely delivered on hardware manufactured by TomTom or on a dedicated navigation solution. This created external demands for TomTom to develop an IAM platform that met industry standards in order to integrate with other services and systems. TomTom realized that their legacy platform could not support the demands of the digital era.

The Solution

TomTom turned to ForgeRock to unify their approach of managing the identity of users, devices, and things. Working with identity systems integrator and ForgeRock partner, Everett, TomTom has migrated to the ForgeRock Identity Platform to manage its digital identities worldwide. There are three main components to the project:

All of these initiatives have the same goal: to gain control of consumer identity across all TomTom market areas and channels by consolidating identities in a central location.

Global Impact

The ForgeRock Identity Platform supports millions of TomTom consumers, devices and things throughaout the world. The solution is primarily focused on consumer identities for TomTom’s connected devices, the e-commerce platform, and for in-dashboard devices installed by car manufacturers.

Consumer Benefit

The solution is designed to provide a central point containing all accounts and a uniform identity strategy over all users, devices and touch points, providing a number of key benefits to the consumer:

Primary Business Drivers

TomTom’s digital ecosystem continues to evolve as it develops new products and services. This requires a market leading IAM platform that can keep up with the pace of innovation. The ForgeRock Identity Platform helps TomTom to reach their strategic business goals and empower movement around the globe.

Recognized as a leader in digital identity

The TomTom identity solution is one of the largest deployments worldwide based on a single identity platform. It delivers TomTom a secure platform with which to build trust with its customers (consumers and OEM) while also enhancing the end-user experience. From a business perspective, this identity platform is directly impacting both the top and bottom line revenue as well as stockholder value. The TomTom identity project is unique and demonstrates the true value IAM can have for the business.

 

The post TomTom Wins “Best Consumer Identity Project” at EIC appeared first on ForgeRock.com.

Kuppinger ColeExecutive View: Omada Identity Suite v11.1 - 70835 [Technorati links]

May 23, 2016 08:06 AM

by Ivan Niccolai

Omada Identity Suite is a strong offering which is well-respected for its advanced Access Governance features. New functionality and strategic partnerships position the solution as a comprehensive Identity and Access Management product, with flexible cloud and on-premise deployment options.

May 22, 2016

Kuppinger ColePatrick Parker - Reimagining Identity and Access Management Processes with Algorithms [Technorati links]

May 22, 2016 11:56 PM

We are on the brink of a machine learning revolution in which computers won't just speed up existing security processes but enable the automation of processes and decisions too complex for the human mind to imagine. The machine-reengineering revolution will leverage powerful algorithms and the immense lakes of organizational data to drive changes in business processes that will fundamentally change the way security is managed. This session provides an overview of machine learning and big data technologies as they apply to Identity and Access Management.



Kuppinger ColeJason Rose - Balancing Personalization and Trust in the Age of the Customer [Technorati links]

May 22, 2016 11:53 PM

In this session, find out how customer-obsessed businesses are increasing their audiences and creating trusted, customized experiences across devices and platforms in exchange for first-party data. We provide case studies of how leading brands are leveraging customer identity and access management (CIAM) to create personal relationships at scale while maintaining high degrees of data privacy and security.



Kuppinger ColeDr. Carsten Bange - How Big Data Technology can help Increasing Cyber Attack Resilience [Technorati links]

May 22, 2016 11:51 PM

Big Data meets Security: Analyzing systems logs to understand behavior has become one of the main applications of big data technology. Open source initiatives as well as commercial tools and applications for big data integration, collection and analytics become more important building blocks of cyber attack resilience through better collection and analysis of very large sets of log and transaction data, real-time analysis of current events and potentially also prediction of future behavior.



Kuppinger ColePatric Schmitz - Managing User Risk: How to Constrain, Control and Empower [Technorati links]

May 22, 2016 11:49 PM

A large proportion of time spend securing IT systems involves managing user risk in a variety of guises. Balancing the need to be secure against the needs of users to be productive in their day-to-day activities is an on-going challenge. In this session I will show how you can deliver reductions in user risk without impacting their productivity. How IT Security can empower users to do more with less risk.



Kuppinger ColeJackson Shaw - The Internet of Things One Year Later [Technorati links]

May 22, 2016 11:48 PM

Last year we had our first discussion of risk and value related to IoT. Over the last 12 months we have gone from “What is this IoT?” to IoT becoming a driver of digital transformation. All of the major platform (PaaS) players have made IoT a key part of their strategies. In this session Jackson will highlight how the IoT landscape has changed from a risk & security perspective for both consumers and enterprises, how it is driving digital transformation and why it is even more important for you to be planning your IoT strategy now.



Kuppinger ColeKim Cameron - The Cloud is Rewiring the World: What Does it Mean for Identity? [Technorati links]

May 22, 2016 11:45 PM

The Cloud is turning out to have important “emergent properties” – features not previously observed in computing systems, never imagined by cloud architects, and not yet widely discussed or understood.  They will be key to determining which strategies prevail in meeting cloud era challenges. Kim Cameron discusses how this impacts the world of identity – leading to better applications and simpler identity solutions for people and things.



Kuppinger ColeHenning Christiansen - Driving Digital Expansion at Axel Springer while improving Cybersecurity through Identity & Access Management [Technorati links]

May 22, 2016 07:40 PM

Axel Springer becoming a truly digital publisher and further investing in digital expansion. Meaning and selling of Identity and Access Management in a media company like Axel Springer. A way to bundle forces and gain buy-in from related parties and sponsors. Increasing importance of Identity and Access Management to manage cloud services.



Kuppinger ColeIsabel María Gómez González - The Secret Keys for the New Age of the CISO [Technorati links]

May 22, 2016 07:38 PM

How many times do you change your hat per day? In the new age, the CISOs will change their roles as much as they can for making decisions about how to affront new risks. Compliance, Governance, legislation, data protection, cybersecurity, intelligence, cyberdefense, cyberfusion…. how can we deal with them?



Kuppinger ColePaul Grassi - From Digital Transformation to Perpetual Disruption [Technorati links]

May 22, 2016 01:46 AM

Transitioning the NSTIC from the 2nd goal to the 4th and how we plan to finish the job, as, US President Barack Obama stated it, NSTIC was really a 10-year effort. In this keynote, Paul Grassi talks about modularization and performance-based standards, future proofing by leveraging a diverse marketplace, transition to the next phase of Connect.gov which will be moving from pilot to production, and landing high-risk, large user volume of transactions.



Kuppinger ColeChristian Loeffler - From Shadow IT to an IDaaS Solution [Technorati links]

May 22, 2016 01:43 AM

In this keynote session, Christian Loeffler talks about: project conduction, architecture definition, IDaaS election and implementation,key challenges for business and IT, lessons learned.



Kuppinger ColePaul Simmonds - The Trust Conundrum [Technorati links]

May 22, 2016 01:41 AM

It's all too easy to pretend to be someone else, whether it's organised crime, social engineers, hackers or paedophiles. The financial impact of this impersonation runs to 100's of billions of dollars per annum. As a result business costs increase, not only because of the increasing losses, transactional friction increases as do the processes that business implements to increase their level of trust.



Kuppinger ColeSebastien Meunier - From Exploration to Implementation – Preparing for the Next Steps of Blockchain [Technorati links]

May 22, 2016 01:39 AM

Blockchain technology is certainly at the peak of the hype cycle. In this keynote, Sebastien will give you the keys to understand the reality of blockchain beyond the myths and anticipate the next steps.



Kuppinger ColeJohn Worrall - The Most Travelled Attack Route: Securing the Privileged Pathway [Technorati links]

May 22, 2016 01:37 AM

Privileged accounts have been at the center of each recent high-profile attack. This session will explain how hackers that successfully exploit these accounts are able to gain a privileged foothold, allowing them unfettered access to elevate privileges and move about the network freely without detection.



May 21, 2016

Matthew Gertner - AllPeersSummer Music Festivals in Paris: 2016 [Technorati links]

May 21, 2016 12:20 PM

Paris is a musical in every manner as here you can find legendary jazz clubs to the thriving independent and underground music scenes. The city is brimming with some great sharp record stores and in the last few years the number of music festivals has also accelerated with interesting line-up of international artists. Big hitters like Pitchfork, and radical home-grown treats like We Love Green and Weather Festivals are also celebrated here, covering almost all genres in music that you like.

We Love Green  

We Love Green

The festival is known for its eclectic mix of rock, pop and electronic music. Promoting and encouraging responsibility and community values owing to its eco-friendly values at its core. Here you can get to see innovative line-ups like Hot Chip, Diplo, PG Harvey and Amon Tobin, French acts and with strong threads of techno and indie-rock. Join the festival if you want to enjoy a beautiful outdoor partying indulging in organic food.

Details 

Afropunk

Afropunk

Afropunck is a multi-genre black music and culture festival that celebrates pop, rock, electro and hip-hop music. Some of the stellar lineup in this event is Saul Williams, Angel Haze, Lizzo, Michael Kiwanuka and Samm Henshaw, among others. Joining this event, you can also enjoy ‘cultural experience’, as the venue features excellent food stalls and art displays done by local artists.

Download Festival France 

Download Festival France

 The legendary 14th annual heavy rock festival, Download is the favourite event for heavy-metal and hard rock fans. Apart from the great music, the festival is also popular for its several other events like Heavy Metal Dating, Dog’s Bed Stage, and the real ale house. Download has all rock bases covered and more, giving you an intense dose of rock and heavy metal music. Some popular music bands that will be performing here are Deftones, Korn, Biffy Clyro and Megadeth.

Details 

Paris Jazz Festival

Paris Jazz Festival

This summer, experience your favourite live jazz concert in a Paris park. The festival begins from mid-June until the end of July. You can enjoy two jazz groups’ performances every Saturday and Sunday in the big open hall of the Parc Floral de Vincennes. Join this free event to enjoy great music, performances, and the sunshine amid coloured flowers, woodlands and lakes.

Details

Paris International Festival of Psychedelic Music

Paris International Festival of Psychedelic Music

If your interest lies in listening an audacious program of live performances, visual arts, and film projections this festival worth visiting. This underground mixed-media festival will take place over five days in popular venues of Paris. This year the musical festivals line-up will feature live performances from The Horrors, King Gizzard & The Lizard Wizard, Rendez Vous, and Dorian Pimpern, among others.

Details

About the Author-

Hi, I am Krishna, avid traveller, foodie and music lover. I like to explore new places and share my experiences. Here I am sharing upcoming music festivals in Paris, so if you are music lover in this romantic city, make sure to attend these music events. While my visit to romantic city-Paris, I had an amazing time staying in Paris serviced apartment to experience a bit of everything in the city like a local.

The post Summer Music Festivals in Paris: 2016 appeared first on All Peers.

Kuppinger ColeEnsuring Compliance Through Automation [Technorati links]

May 21, 2016 03:13 AM
The definition, implementation and maintenance of an adequate set of policies is a major task for many areas of today’s organizations. However, continuously ensuring compliance to these policies and providing adequate documentation of evidence is even more challenging. Keeping computer security definitions in compliance with your corporate security policy and with mandatory regulations is overly complex when done the conventional way.

May 20, 2016

Mark Dixon - OracleHappy Birthday, Levi’s Jeans! [Technorati links]

May 20, 2016 10:45 PM

Levi’s blue jeans have been a staple in my life for a long time.  Today I am wearing a new pair I bought last week. The Levi’s brand is quintessential Americana. In fact, complex.com dubbed Levis as the eighth most iconic brand of all time!

Today, we celebrate the birthday of Levi’s. According to History.com:

On this day in 1873, San Francisco businessman Levi Strauss and Reno, Nevada, tailor Jacob Davis are given a patent to create work pants reinforced with metal rivets, marking the birth of one of the world’s most famous garments: blue jeans.

Levis

The pair of Levi’s I am wearing now don’t have classic copper rivets, but I like the comfort and fit. I suppose that wearing Levi’s is the closest I’ll ever come to being “hip.”

 

Matthew Gertner - AllPeersIs Your Sexual Relationship as Healthy as It Can Be? [Technorati links]

May 20, 2016 08:45 PM

This couple's Sexual Relationship might need some work ...

Photo by CC user Skedonk on Flickr

Sexual relations are never quite as easy as some people may make them out to be.

On the one hand, some individuals/couples find their sexual relations to be all but perfect.

On the other side of the coin, some individuals/couples find nothing but frustration in their sexual relations, almost getting to or even reaching giving up.

If you are in the latter group, what are you doing specifically to make things better?

Talk and Action Both Go a Long Way

For your sexual relations to improve sooner rather than later there are a number of steps you can put into place to do just that.

These include:

 

 

 

One of the hot-button issues in relationship can be sexual relations.

While one of the partners may feel like things are just fine or even satisfactory, the other can see things in a totally different light.

In order for both parties to come together and enjoy everything that a healthy sexual relationship can provide, being honest with one another, being open to new experiences, and being able to talk and listen to each other proves critical.

So, is your sexual relationship as healthy as it can be?

If not, start working on it today.

The post Is Your Sexual Relationship as Healthy as It Can Be? appeared first on All Peers.

Mike Jones - MicrosoftInitial ACE working group CBOR Web Token (CWT) specification [Technorati links]

May 20, 2016 06:54 PM

IETF logoWe have created the initial working group version of the CBOR Web Token (CWT) specification based on draft-wahlstroem-ace-cbor-web-token-00, with no normative changes. The abstract of the specification is:

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. CWT is a profile of the JSON Web Token (JWT) that is optimized for constrained devices. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value.

Changes requested during the call for adoption will be published in the -01 version but we first wanted to publish a clean -00 working group draft.

The specification is available at:

An HTML-formatted version is also available at:

Kuppinger ColeExecutive View: Universal SSH Key Manager - 71509 [Technorati links]

May 20, 2016 07:52 AM

by Alexei Balaganski

Universal SSH Key Manager from SSH Communications Security Corporation is an enterprise-grade solution for centralized automated management of SSH keys across multiple platforms and network devices.

Kuppinger ColeExecutive View: CA Privileged Access Manager - 71264 [Technorati links]

May 20, 2016 07:40 AM

by Ivan Niccolai

CA Privileged Access Manager (PAM) is a well-integrated suite that provides a comprehensive solution for privileged identity management in physical and virtual environments. CA PAM enables centralized control and management of privileged user access to a broad range of servers, network devices and applications. 

May 19, 2016

Mark Dixon - OracleCSA – State of Cloud Security in 2016 [Technorati links]

May 19, 2016 12:30 AM

CSA2016

The State of Cloud Security 2016, published by the Cloud Security Association Global Enterprise Advisory Board, is a short, but interesting document, focused on articulating the gaps in current cloud security practices to help cloud providers better understand the needs of their customers.

Cloud computing is an incredible innovation. While at its heart a simple concept, the packaging of compute resources as an on demand service is having a fundamental impact on information technology with far reaching consequences. Cloud is disrupting most industries in a rapid fashion and is becoming the back end for all other forms of computing, such as mobile, Internet of Things and future technologies not yet conceived. As governments, businesses and consumers move to adopt cloud computing en masse, the stakes could not be higher to gain assurance that cloud is a safe, secure, transparent, and trusted platform.

With the stakes rising in cloud adoption, cloud providers need to step up with better built-in security:

Cloud computing adoption is solid and increasing. Security and compliance can be adoption barriers. Now is the time to increase the pressure on cloud providers to build security in, not try to bolt it on as an afterthought.

Cloud computing demands new approaches to security:

We need to take a hard look at many of our existing security practices and retire them in favor of new “cloud inspired” approaches that offer higher levels of security.

Finally, solving these tough problems will require cooperative effort between cloud providers and their customers:

Both enterprises and cloud providers need to work together to better align their security programs, architectures and communications.

Let’s work together to conquer these tough challenges.  

Mark Dixon - OracleCloud Security – 2016 Spotlight Report [Technorati links]

May 19, 2016 12:02 AM

Spotlight title

This afternoon, I read the Cloud Security – 2016 Spotlight Report, presented by CloudPassage. It was an informative report based on responses from a Linkedin security community. Aside from the insight it provided about Cloud Security, I found it intriguing that social media groups are proving to be a valuable source of market information.

The report focuses on the risk factors facing enterprises as they progressively adopt cloud computing

Security of critical data and systems in the cloud remains a key barrier to adoption of cloud services. This report, the result of comprehensive research in partnership with the 300,000+ member Information Security Community on LinkedIn, reveals the drivers and risk factors of migrating to the cloud. Learn how organizations are responding to the security threats in the cloud and what tools and best practices IT cybersecurity leaders are considering in their move to the cloud.

It is no surprise that security is a key concern.  I would expect such a response from a self proclaimed information security community.

Cloud security concerns are on the rise. An overwhelming majority of 91% of organizations are very or moderately concerned about public cloud security. Today, perceived security risks are the single biggest factor holding back faster adoption of cloud computing. And yet, adoption of cloud computing is on the rise. The overwhelming benefits of cloud computing should drive organizations and security teams to find a way to “get cloud done”. This is a prime example to where security can have a profound impact on enabling business transformation.

Spotlight concern

It was not surprising that most respondents thought that traditional security tools were inadequate.

The survey results confirm that traditional tools work somewhat or not at all for over half of cybersecurity professionals (59%). Only 14% feel that traditional security tools are sufficient to manage security across the cloud.

Spotlight tools

I am not a expert on the validity of this type of survey vs. a more traditional survey conducted outside of the social media environment, but I think it provides some valuable insight.  There is a lot of work to do, folks!

May 18, 2016

Kuppinger ColeThe Future of Authentication - Killing the Password [Technorati links]

May 18, 2016 11:39 PM

We all understand that the concept of username/password to control access is insecure and out of date in a world where anything is connected and a new approach is needed. But how can we make the password obsolete?



Mark Dixon - OracleThe Treacherous Twelve: Cloud Computing Top Threats in 2016 [Technorati links]

May 18, 2016 11:24 PM

Treacherous12

This week, I read an interesting report created by the Top Threats Working Group of the Cloud Security Alliance and sponsored by Hewlett Packard. Entitled, “The Treacherous Twelve: Cloud Computing Top Threats in 2016,” this report points out that new security vulnerabilities are emerging …

the improved value offered by cloud computing advances have also created new security vulnerabilities, including security issues whose full impacts are still emerging.

… and that security is no longer just an IT issue. 

The 2016 Top Threats release mirrors the shifting ramifications of poor cloud computing decisions up through the managerial ranks. Instead of being an IT issue, it is now a boardroom issue.

More vulnerabilities and increased business awareness/responsibility. The urgency of security is rising.

The report identifies security concerns so business leaders can make better decisions about security:

The purpose of the report is to provide organizations with an up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in CSA community about the most significant security issues in the cloud.

The 12 critical issues to cloud security (ranked in order of severity per survey results):

  1. Data Breaches
  2. Weak Identity, Credential and Access Management
  3. Insecure APIs
  4. System and Application Vulnerabilities
  5. Account Hijacking
  6. Malicious Insiders
  7. Advanced Persistent Threats (APTs)
  8. Data Loss
  9. Insufficient Due Diligence
  10. Abuse and Nefarious Use of Cloud Services
  11. Denial of Service
  12. Shared Technology Issues

The report provides includes a variety of useful information about each critical issue, including:

  1. Description
  2. Business Impact
  3. Anecdotes and Examples
  4. List of applicable controls from the Cloud Control Matrix (CCM)
  5. Links to further information

Some of the anecdotes are both intriguing and disturbing:

British telecom provider TalkTalk reported multiple security incidents in 2014 and 2015, which resulted in the theft of four million customers’ personal information. The breaches were followed by a rash of scam calls attempting to extract banking information from TalkTalk customers. TalkTalk was widely criticized for its failure to encrypt customer data.

Praetorian, an Austin, Texas-based provider of information security solutions, has launched a new cloud-based platform that leverages the computing power of Amazon AWS in order to crack password hashes in a simple fashion.

Heartbleed and Shellshock proved that even open source applications, which were believed more secure than their commercial counterparts … , were vulnerable to threats. They particularly affected systems running Linux, which is concerning given that 67.7% of websites use UNIX, on which the former (Linux) is based.

In June 2014, Code Spaces’ Amazon AWS account was compromised when it failed to protect the administrative console with multifactor authentication. All the company’s assets were destroyed, putting it out of business.

The threat is real, folks.  Be careful out there!

Mark Dixon - OracleIs it Real? [Technorati links]

May 18, 2016 08:34 PM

Shuttle

This morning, I saw a cool photo of the Space Shuttle bursting through the clouds on Facebook and shared it with my friends.  

But alas, I subsequently found out in an article on Universe Today, that photographer Richard Silvera faked it;

The picture of the sky and clouds was taken by me from an airplane, and the shuttle is a picture from NASA. Then the assembly was done in Photoshop & Lightroom.

So, as the wise Abraham Lincoln once said, “Don’t believe everything you read on the Internet.”

Or was that George Washington?

Radovan Semančík - nLightTest-Driven Bugfixing [Technorati links]

May 18, 2016 03:18 PM

Test-Driven Development (TDD) tells us to write the tests first and only then develop the code. It may seem like a good idea. Like a way how to force lazy developers to write tests. How to make sure that the code is good and does what it should do. But there's the problem. If you are doing something new, something innovative, how the hell are you supposed to know what the code should do?

If you are doing something new you probably do not know what will be the final result. You are experimenting, improving the code, changing the specification all the time. If you try to use TDD for that you are going to fail miserably. You will have no idea how to write the tests. And if you manage to write it somehow you will change them every time. This is a wasted effort. A lot of wasted effort. But we need the tests, don't we? And there is no known force in the world that will make the developer to write good and complete tests for the implementation once the implementation is finished. Or ... is there?

What are we using in midPoint project is Test-Driven Bugfixing (TDB). It works like this:

  1. You find a bug.
  2. You write an (automated) test that replicates the bug.
  3. You run the test and you check that the test is failing as expected.
  4. You fix the bug.
  5. You run the test and you check that the test is passing.

That's it. The test remains in the test suite to avoid future regressions. It is a very simple method, but a very efficient one. The crucial part is writing the test before you try to fix the bug. Even if the bugfix is one-liner and the test takes 100 lines to write. Always write the test first and see that it fails. If you do not see this test failure how can you be sure that the tests replicates the bug?

We are following this method for more than 5 years. It works like a charm. The number of tests is increasing and we currently have several times more tests that our nearest competition. Also the subjective quality of the product is steadily increasing. And the effort to create and maintain the tests is more than acceptable. That is one of the things that make midPoint great.

(Reposted from Evolveum blog)

Kuppinger ColeMartin Kuppinger's EIC 2016 summary [Technorati links]

May 18, 2016 02:28 PM

KuppingerCole's Founder and Principal Analyst Martin Kuppinger provides his summary of this year's European Identity & Cloud Conference.