Anil John | Blog

Castles with Glass Doors

2013-06-19T22:00:00-04:00

An all too familiar sight these days...

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

Tools for the Connected Backpacker

2013-06-16T18:00:00-04:00

In this time of always on connectivity, I hike and backpack to enjoy the outdoors and step away from the pace of daily life. Provided you do not let them overpower your reasons for being in the back-country, these are some of the gear and technologies that I've found useful in the backcountry.

I recently got to introduce my son to overnight backcountry backpacking. While he has been with me on numerous day hikes, last night was his first experience with an overnight stay in the backcountry. We hiked a section of the Appalachian Trail and spent the night in a camping area near the Rocky Run Shelter on the A.T. It was a great experience and one we are planning on repeating. Given that we are both gadget geeks, there was definitely a technology component to our trip.

iPhone + Lifeproof Case: I bring an iPhone 4S, but not for being connected to the grid. After all, the point is to not be tethered to the world. This is typically not a problems since where I go, there is often no mobile phone reception. I use it as a GPS and as a Camera (more on both below). But it is important to protect the phone from the harsh conditions on the trail, and I have found the waterproof, dirtproof, shockproof Lifeproof case to be outstanding for that purpose.
Camera+ Photo App: This is my go-to photo app and allows me to bring out the best of the iPhone camera. The feature set is outstanding and includes grid support, self-timer, effects and more.
Leki Trekking Poles + Camera Adapter: I use a pair of Leki Corklite Aergon SpeedLock trekking poles, but what I absolutely love about it is the photo-adapter camera mounting kit which turns the pole's grip into a mono-pod with a universal threaded camera mount.
iStabilizer Camera Mount: By attaching this iStabilizer camera mount to the leki's camera adapter, I get something I can easily mount my iPhone to, and allows me to take very stable photos or group shots with a self-timer.
inReach Satellite Communicator + GPS App: This was one of the best investments I have made for piece of mind and safety in the back-country. Global network coverage for text messages using the Iridium satellite network, GPS tracking, SOS Search and Rescue response, free companion app with topo maps and more. On my last multi-day backpack into the Rocky Mountain National Park, I had no cell phone reception, but was checking in with the family every night via text messages. Massive WAF (Wife Acceptance Factor)!
Goal Zero Guide 10 Plus Battery Pack: The rechargeable power unit, which can be charged from an outlet or from a solar panel, allows me to re-charge my iPhone or my inReach unit if I run out of power. It also doubles as an LED flashlight.

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

FICAM Information Sharing Day and Vendor Expo [Event]

2013-06-12T18:00:00-04:00

Date:	June 18, 2013
Time:	9:30 a.m. to 11:30 a.m. (Full Event: 8:00 a.m. to 4:00 p.m.)
Event:	Federal ICAM Information Sharing Day and Vendor Expo
Topics:	Panel Discussion: Attribute Exchange and Information Sharing in Action Panelists will share the latest updates on technology and approaches for attribute exchange and the importance of information sharing and safeguarding to the national cybersecurity agenda. Panel Discussion: Externalizing Authentication Panelists will provide insights into how Agencies can externalize authentication using shared services. Participants include members of the OMB MAX Authentication Team as well as members of the Federal Cloud Credential Exchange (FCCX) Team.
Host:	U.S. Federal CIO Council's ICAMSC
Venue:	GSA OCS Building 1275 First Street NE Washington, DC
Registration:	Click here to register

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

Purity and Pragmatism in Standards Profile Compliance

2013-06-09T12:00:00-04:00

Profiles of standards allow for interoperability and standards based implementation across disparate systems. As such, they are critical from an enterprise perspective to ensure that investments and choices made regarding technical infrastructure are not vendor specific, and the conformance to a profile can be independently verified to ensure interoperability. I've written about this before, but in this blog post, wanted to focus a bit more on the choices available to relying parties when it comes to conforming to identity federation protocol profiles.

My perspective is shaped by the needs of relying parties, so what I am focused on is the CSP-RP Interface as shown in the graphic above. Typically an organization requires that its applications, which are in the relying party role, only communicate using a specific protocol profile. Provided that the protocol profile chosen is flexible and full featured, this choice allows the organization to leverage existing expertise in implementation, makes testing and verification consistent, and reduces the cost of integration.

But in this scenario, how does an organization take advantage of new protocols? Couple of options are:

Directly support additional protocol profiles at the RP. While this is a valid approach, it negates many of the benefits of supporting a single last mile integration profile. In addition, it requires the organization to develop and maintain multiple protocol profiles. But at the same time, if the number of RPs in the enterprise is low and there is in house technical expertise to understand and implement, some organizations may find this to be a viable option.
Use a "broker-in-the-middle" approach to normalize multiple CSP supported protocols to a single RP supported protocol profile. A broker typically acts as an RP to the actual CSP, and as a CSP to the actual RP. As such, the point of integration with the real RP can always be profile compliant. In addition to the infrastructure and O&M costs of the broker, there is also the requirement that the broker be a trusted entity and has been designed (and independently verified) to support the profile requirements of the RP.

Any additional options that folks are currently using?

RELATED INFO

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

Identity? Privacy? Authorization? It is all about Context!

2013-06-05T21:45:00-04:00

When we speak of identity, privacy and authorization, we note that their fidelity and granularity are contextual.

So what is context?

Michel Prompt, the CEO and Founder of Radiant Logic, has an absolutely stellar series of thought provoking blog posts on this subject. Highly recommended reading if you are interested in these topics.

Check them out:

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

What is the Value of an Assertion of Identity at LOA 1?

2013-06-01T18:15:00-04:00

As described in "E-Authentication Guidance for Federal Agencies (OMB-M04-04) [PDF]", at level 1 there exists little to no confidence in an asserted identity. At the same time, there are many differences of opinion and expectations of what LOA 1 can deliver. This blog post is a summary of some thoughts regarding various expectations of security and privacy, at level 1, within the context of delivering public sector online services.

During a recent conversation with one of my mentors, who has been around the identity block many times and is now happily retired, I mentioned how I was struggling to articulate the value of utilizing a federated level 1 credential at any medium/high value online public sector service.

My position was that given the lack of confidence in the identity, the value of a level 1 credential lies solely in decreasing the burden to users in having to manage multiple identity credentials and reducing, to some degree, the relying party infrastructure and operational costs to manage those credentials.

I was making level 1 into a rather binary or a "buyer beware" choice from the relying party perspective. But my mentor's response was that while the point regarding the lack of confidence in the asserted identity holds true, at level 1 there is also an expectation that the credential service provider (or IdP) is operating in a manner that protects the information that an applicant/user has entrusted to it.

I am feeling a bit challenged on how one could develop a light-weight trust criteria for level 1, given that it feels like a blending of both security and privacy factors. Some potential items that may be applicable are:

An effort must be made to make sure the the applicant has a unique identifier at the CSP/IdP
Transmission of sensitive data must take place over a protected session (e.g. TLS/SSL)
??

What else? Since this is level 1, there is no identity proofing and anonymity and pseudonymity are perfectly acceptable here. Is there an expectation of privacy component here? I am curious as to whether or not anyone has done any further thinking in this area and if so, would appreciate pointers to that work.

RELATED INFO

E-Authentication Guidance for Federal Agencies (OMB-M04-04) [PDF]

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

SIA Government Summit 2013 [Event]

2013-05-29T18:50:00-04:00

Date:	June 4, 2013
Time:	10:15 a.m. to 11:15 a.m. (Full Event: June 4-5)
Event:	Security Industry Association Government Summit 2013
Topic:	Identity, Cybersecurity and Privacy
Host:	Security Industry Association
Venue:	The W Hotel 515 15th Street NW Washington, DC 20004
Registration:	Click here to register

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

An Emerging Standard for Identity Proofing and Verification

2013-05-25T10:00:00-04:00

The Identity Proofing and Verification (IDPV) Standard Development Project (ANSI/NASPO-IDPV-2013) at the North American Security Products Organization (NASPO), which is an ANSI-accredited standards development organization, is developing minimum standards for the assertion, evidence and verification of personal identity. To my knowledge, this is currently the most comprehensive, data-driven, and privacy respecting effort in the area of identity assurance that has active practitioner engagement.

I recently attended the 6th plenary meeting of the IDPV National Standard Project and was impressed by both the rigor of the work, as well as the active engagement of practitioner focused subject matter experts from both private and public sector organizations. The focus of the work is NOT about the initial establishment of an identity, but about:

Developing minimum requirements for (a) Reconciling an asserted identity to a single individual (b) Proofing the asserted identity by verifying corroborative evidence and by looking for symptoms of fraud
Providing guidance for implementation and privacy concerns

The proposed standard identifies sets of core identity attributes across the dimensions of Name, Location, Time and Identifier that in most cases, allows for resolution to a single identity. It also provides a list of supplemental attributes that can be used to prevent collisions in cases where the core attributes are not enough. The basis of these core and supplemental attributes are not theoretical, but based on extensive data modeling and analysis done on data sets that covered the U.S. population.

At the same time, the group has been very cognizant of the privacy aspects of this work and, from the start, baked in the Fair Information Practice Principles (FIPPs) in a contextually sensitive manner regarding the information being requested.

While the foundation appears solid, and applicable equally to jurisdictions outside the U.S., there is still work that needs to be done to make it more consumable to non-experts.

The work is open to anyone and the group feels that, as it stands now, the work would benefit from wider scrutiny and input. If you have an interest in identity assurance and its associated privacy aspects, I would encourage you to take a look at the work, get engaged, and provide feedback.

RELATED INFO

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

Likelihood of Alien Invasions and Assurance Levels

2013-05-18T15:00:00-04:00

One of the first steps taken to protect a system from authentication errors is the determination of its assurance level requirement. That risk assessment process takes as input potential harm and likelihood of harm. This blog post looks at the applicability of the likelihood factor when assessing assurance level requirements for Internet connected systems.

The classic "E-Authentication Guidance for Federal Agencies (OMB-M04-04) [PDF]" defines risk from authentication error as a function of two factors: (a) potential harm or impact and (b) the likelihood of such harm or impact. The categories of harm and impact and how to apply them, per OMB-04-04, can be found in my earlier blog post on HOW-TO Conduct a Risk Assessment to Determine Acceptable Credentials.

The key point to note is that most risk assessment methodologies allow for “tuning” the risk using a “likelihood of harm/impact” factor, which looks something like this:

Risk of Authentication Error = Potential Impact/Harm * Likelihood of Impact/Harm

But how does one determine the "likelihood of harm" number? The two classic approaches are to explore "base rates" or to consult with experts. But there is a gotcha with experts:

The simplest and most intuitive advice we can offer [...] is that when you’re trying to gather good information and reality-test your ideas, go talk to an expert. Here’s what is less intuitive: Be careful what you ask them. Experts are pretty bad at predictions. But they are great at assessing base rates.
Decisive: How to Make Better Choices in Life and Work

So a prediction by an expert may not be all that valuable. But what about the base rates? My concern there is the constantly evolving threat environment that is the Internet, and how base rates that are based on past data are an unreliable predictor of the future.

So my recommendation in this particular case is rather simple. In this type of evaluation set the "likelihood" factor equal to 1. DO NOT discount the likelihood of harm, and ALWAYS assume there is a likelihood of harm:

Risk of Authentication Error = Potential Impact/Harm * 1

What that means is that, if as part of your assurance assessment you need to factor in the impact or harm from an alien invasion, do not discount the likelihood! Stand firm, fully account for it, and put into place compensating controls to mitigate the consequences.

RELATED INFO

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

HOW TO Visualize Access Control Use Cases

2013-05-12T14:40:00-04:00

Identity, authentication, attribute management and authorization domain experts tend to seek clear distinctions between each of those facets. The operational folks who actually deal with these issues often blur the boundaries between them. This blog post shows an example of laying out access control use cases from an operational perspective that I found rather educational.

With the current buzz around mobility and BYOD, there is sometimes a belief that the infrastructure and choices that exist today will have to be completely re-done in order to accommodate new devices. While I am not sure about that, I recently saw a public NASA ICAM presentation that outlined a framework for how to look at access control from an operational perspective that I found relevant.

I've kept the concept, but changed some of the details for the sake of clarity:

The key to the above visualization is to know that no one does credentialing and authentication for its own sake but as a means to an end to manage access to a system or resource. From an operational perspective, it allows for calling out an end to end process using natural language; "A person who is anonymous, using an organization managed PC, on the organization's network, wants to access administrator level functions during normal business hours".

You can then lay out the use case variations using a tabular format:

Use Case	Applicability	Priority	Criteria A
10.10.10.10.10	NO	...	...
30.10.10.10.10	YES	...	...
...	...	...	...

It immediately gives you a way to articulate possibilities that may or may not apply to you; What if it was a Smartphone instead of the PC? What if the connection is from the Internet? etc. It also provides you insights into what aspects change, what aspects still remain the same.

Do you have any pointers to frameworks like these that help to clarify choices people need to make regarding access controls?

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer