Ping Talk Blog

RSA Conference identity riff plays over changing chords of security

Mon, 05 Mar 2012 14:54:00 -0700

There was a riff going at the RSA Conference last week.

“We say identity is the new perimeter.” If you think this was heard on the show floor or was a T-shirt slogan, think again.

The quote came from Nasrin Rezai, CTO security for worldwide security architectures at Cisco. She participated in a session focused on mobile device adoption: “BYOD(device) without BYOI(insecurity)”. Dan Houser, security and identity architect at Cardinal Health, and his colleague Goran Avramov, senior infrastructure architect, were also there speaking about the thousands of personal devices that have invaded their enterprise. The two Fortune 100 companies dispensed implementation knowledge from the trenches.

According to Houser, Cardinal’s “perimeter” identifies personal devices, keeps them off the network altogether and treats them like a kiosk.

What Rezai and Houser are describing is a transition that others are starting to see: security perimeters now extend beyond traditional firewalls and the creation and consumption of identity – who, what, when, why and no way – is happening in distributed infrastructures, platforms, applications and devices.

“Identity is an architectural anchor point," said Rezai.

The discussion of that identity anchor point eventually won’t be around the architecture, but on the apps and security options it enables.

[More]

This Week in Identity - Rubber Hose Cryptanalysis

Tue, 28 Feb 2012 08:17:00 -0700

One of the problems with password-based encryption is that sometimes the best way for an attacker to break the cryptosystem is to break the password holder! This is infamously known as rubber hose cryptanalysis. This takes many forms, including threatening the individual with imprisonment if they don’t tell, which has been popular in the United States. As my colleague John Fontana reports in his excellent ZDNet Identity Matters blog, this may be about to change. Child pornography is abhorrent, but civil rights are the bedrock of American society:

Identity Matters: Landmark decision allows child-porn suspect to plead Fifth in password case
“In what will likely become a landmark case for the digital age, a federal appeals court has ruled that a suspect in a child pornography case is protected under the Fifth Amendment from disclosing a password that would decrypt his computer files.”

There were several other items of interest to the identity community (click more for the list and links):

[More]

Google password generator project a stopgap toward OpenID

Fri, 24 Feb 2012 13:35:00 -0700

Google is adding to its palette of identity projects with a new password generator project for its Chrome browser.

The goal is to have the browser generate strong passwords to help users thwart phishing, malware and other attacks. Google is looking at browser sign-in as a stopgap measure until OpenID is widely accepted on the Internet.

The OpenID Connect specification, which is currently in an “implementer’s draft” and undergoing interop testing until the end of February, is a standard that outlines a consumer-grade authentication credential for use across Web sites.

Today, a combination of Chrome Password Manager and Browser Synch provides a browser sign-in, but users are still susceptible to phishing because they know the passwords they have entered in the Password Manager.

Google says the generator eliminates the phishing vulnerability by logging the auto-generated passwords into the Password Manager.

Long term, Google says the project could lead to the capability of changing all of a user’s passwords if it is detected their account has been hacked.

The generator is but one of many ways Google is attempting to eliminate passwords. There is a collective mindset in the industry around doing away with passwords, which are notoriously weak or re-used.

[More]

Introducing PingFederate 6.6 - Your Bridge to the Cloud

Tue, 21 Feb 2012 10:17:00 -0700

I talk technology to my wife a fair amount. She just rolls her eyes. While she admits to having a password problem, she couldn’t look more bored when I start talking about single sign-on as the solution to all of our Internet woes.

Teleporting. Now that’s a technology she’d get excited about. She hates driving, flying or sitting in traffic, and she’s always talking about wanting to be ‘beamed’ somewhere. And who wouldn’t want to just show up somewhere and skip the middle?

Unfortunately, we don’t yet have a beaming machine, and neither can we simply make a wholesale jump to the cloud without bridging 30 years of legacy enterprise infrastructure, data and apps.

Introducing PingFederate 6.6 - Beaming Machine Not Required

And that’s where I get really excited about our new PingFederate 6.6 – recently released and available for immediate download. It’s designed to help you bridge today’s on-premise methods of control to the cloud with simplicity and elegance.

PingFederate 6.6 may indeed be one of our biggest misnomers to date. It’s more or less deserving (in my mind at least) of a 7.0 title, because it really unlocks the potential for federation, we’re calling it “adaptive federation.”

Adaptive Federation. It’s all about you!

In short, PingFederate’s new adaptive federation features wrap around your existing authentication policies and enable you to tap into multiple identity stores to pull user attributes for inclusion in federation and cloud single sign-on. Wow, that's a mouth full, but read on, it's important.

Multiple data sources

As we attempt to exert more control over the cloud, we need more granularity in how we leverage our existing knowledge of users. This is where having an ability to access information about a user (attributes) from multiple data-sources within the enterprise is so important. With PingFederate 6.6, now you can connect and pull attributes into assertions from any number of databases or directories. Whereas before you may have used a virtual directory or meta-directory to get the aggregated 360 degree view of a user, now you can do so without the need for yet another layer of infrastructure.

Secondly, with so many systems being accessed by so many different types of individuals, employees, customers and partners, the one-size-fits-all authentication schema just doesn’t make sense. Enterprises need more sophistication leveraging different authentication techniques for different users or types of transactions. And that’s where our new authentication rules and authentication chaining becomes so useful. Now you can create any number of different multi-factor authentication policies for use behind different single sign-on initiatives, all with the same product, and just a touch of configuration.

As integration, security and control of the cloud becomes a larger issue for our organization, know you can count on PingFederate to provide you world-class flexibility in taking what you have now, and leveraging it to control the cloud.

More on PingFederate 6.6:

Eight links to PingFederate 6.6 you can't live without

PingFederate 6.6: Use case proliferation

PingFederate 6.6: Adaptive Federation

PingFederate 6.6: Datasheet

Eight links to PingFederate 6.6 you can't live without

Wed, 15 Feb 2012 12:39:00 -0700

Yesterday, we released PingFederate 6.6, which introduces a number of new controls that should have security architects smiling. PingFederate’s adaptive federation features put the control where it belongs; enterprises gain control over cloud application access policies for any type of user. That includes combining strong auth with social identities for an improved customer experience that doesn’t compromise security, or giving employees remote access to applications while meeting compliance requirements.

I’d say more, but perhaps it is said best by one of our customers, Eric Uythoven, vice president of security solutions at Seros:

“Ping Identity understands enterprise security requirements for securing identity to the Cloud. That is why we have partnered with them. Our clients are asking us for a secure centralized architecture to verify and manage access for customers, business partners and employees. Time to market for our clients is extremely important and PingFederate’s adaptive federation helps us respond quickly with a solution that’s simple, proven and secure."

We have collected all the fundamentals you need to know in the list below.

Launch Press Release
Ernst and Young Report referenced in the Press Release, Into the Cloud, Out of the Fog; 2011 Global Information Security Survey
PingFederate 6.6 Announce Landing Page - Everything you need to know about PingFederate 6.6.
PingFederate 6.6 Video - Features and use cases for Adaptive Federation
PingFederate 6.6 Webinar Registration - Make sure your customers and prospect registered for the Webinar exploring Adaptive Federation
PingFederate Web Page
PingFederate Datasheet
PingFederate Product Guide

Maybe that should be 10 links; here are two stories from the tech press:

Cloud Pro: Ping pulls cloud into enterprise security schemes

ReadWriteWeb: It's PingFederate 6.6 vs. "Identity as a Service"

PingFederate 6.6: Use case proliferation

Tue, 14 Feb 2012 13:37:00 -0700

A week or so ago when the Ping Marketing crew started rolling out our next version of PingFederate, version 6.6, I had one of those moments in product management when you realize you have underestimated the value of the new features prioritized for a release. You always expect to have a few new use cases emerge as you talk with existing and new customers, analysts and partners, but rarely do you get to see the number of use cases blossom as we have seen with this release.

Like many great ideas, the new features in PingFederate 6.6 grew out of customer demand. As we started to see more and more requests for advanced authentication and complex attribute retrieval, our engineering team at Ping put their heads together and realized that they could add some unique management capabilities that leverage the flexible and extensive adapter framework that PingFederate is built on. Here are the highlights that I see:

Flexible authentication rules that provide the ability to define rules based on remote user location or context (data sensitivity), which would enable our customer’s to ensure that their cloud-based services comply with corporate security and compliance policies. What makes this feature very cool is that “context” is any aspect of the authentication request that is presented to PingFederate. So, one could create a rules set that evaluates HTTP header values, or query parameters to determine how a user will authenticate to any application or service based on the risk of their context. For example, if you have an application or service being accessed by a user with a social media identity, or a location outside the firewall, you can step-up their authentication requirements to ensure that they are who they say they are before granting access.

Authentication chaining provides the ability to form “chains” of authentication methods (adapters) for creating unique multi-factor authentication patterns or fall-back scenarios. This gives our customers stronger security and higher availability. Tied with the new authentication rules, you can now address a variety of security policies based on the applications and services you need to protect.

Identity Attribute Aggregation doesn’t seem as sexy as the other features, but the few customers we have shown this feature to tell us how much money and time it saves them. This feature allows quick and easy onboarding of new SaaS applications that requires additional user information. Customers have the ability to interact with multiple sources for gathering user profile data (attributes) needed to interact with identity and service providers.

As the 6.6 version of PingFederate is rolled out, I’m looking forward to hearing about more unique use cases customers are able to address with these new features. I’m sure I’ll continue to be amazed at the creativity and ingenuity of the Ping community.

Encryption: You gotta have heart

Tue, 14 Feb 2012 13:36:00 -0700

Who knew as humans we’ve always been carrying a unique embedded encryption key.

It’s not in your pocket, it’s buried in your chest.

Your heart can be doing more than keeping you alive. Taiwanese researchers think the heart’s beats can be a key cog in helping users encrypt data and communications.

Four researchers in the Department of Electrical Engineering at Taiwan’s National Chung Hsing University – Ching-Kun Chen, Chun-Liang Lin (pictured, right), Cheng-Tang Chiang, and Shyan-Lung Lin – have used electrocardiogram

(ECG) signals and mathematical concepts such as chaotic Henon and Logistic maps to create personalized cryptography.

The researchers developed an encryption algorithm based on the of chaos theory, which examines small changes in results that can make long-term predictions impossible.

[More]

This Week in Identity - Don’t you know who I am?

Mon, 13 Feb 2012 17:56:00 -0700

Surrounded by identerati, I always find it refreshing to be reminded that everybody gets the concepts of identity at a gut level. Elizabeth Lumley is a professional journalist. She writes about her experience trying to establish bank accounts when she first moved to England. Her struggle is humorous, yet thought-provoking. Know-your-customer (KYC) policies need to evolve to encompass all the reputation information now available via the Internet.

Don't you know who I am?!
“But I was intrigued by the bank-side folks getting so worked up about 'hard identification' and dismissing 'soft and fluffy' identification coming in from the likes of Amazon and Facebook. I'll tell you why. “

There were several other items of interest to the identity community (click more for the list and links):

[More]

RSA Ping Party 2012

Tue, 07 Feb 2012 08:59:00 -0700

Friends of Ping,

If you're going to the RSA Conference, please allow us to thank you for your support throughout the years. The party begins at the ROE nightclub Monday evening at 9:01pm. Additionally, if you're a customer, please feel free to show up between 8:30pm and 9pm and allow me to thank you personally for your business

- Andre Durand, CEO

This Week in Identity - Rev. Bradley and the gospel of OpenID Connect

Tue, 07 Feb 2012 08:58:00 -0700

John Bradley, @ve7jtb,a long-time identian, brings a passion of near missionary zeal to his work. As a contributor to the work of OpenID, OAuth, and now OpenID Connect, John is a keen thinker who worries about the details. Last week he put out four widely read posts on his blog, ThreadSafe:

There were several other items of interest to the identity community (click more for the list and links): [More]

UMA goes to the (blue) birds

Mon, 06 Feb 2012 20:02:00 -0700

The User Managed Access (UMA) Working Group is taking to the Twitterverse.

The group, operated out of the Kantara Initiative, will hold its first-ever chat on Twitter this Wednesday.

UMA founder and group chair Eve Maler (@xmlgrrl) and Maciej Machulak, UMA group vice-chair (@mmachulak) will host the hour long event from 9-10am Pacific time. The UMA pair plan to focus on the specification and on UMA implementations, interoperability testing, best practices and development advice.

Those interested in the protocol only need a Twitter account to participate. Those who don't want to sign up for Twitter can read the chat transcript but can't post questions or contribute to the discussion. The Twitter hashtag to contribute and follow the discussion is #umachat.

UMA promises to give users and corporate policy makers tight access controls over their personal or sensitive data housed in online social, sharing and business sites. User-managed data access controls such as UMA potentially could put a dagger in the privacy and usage debates burning around social networking sites such as Facebook and Google, and solve questions about control over more sensitive data stores such as health-care records and government databases.

[More]

This Week in Identity - Take 2 at G+ for names and nyms

Wed, 01 Feb 2012 15:04:00 -0700

As Google+ continues to grow, reason prevailed over insanity: they relented on their silly pseudonym policy. Sort of. Read the official announcement and rationale from Google’s Bradley Horowitz, then read Identity Woman’s reaction:

Toward a more inclusive naming policy for Google+
“Today we’re pleased to be launching features that will address and remedy the majority of these issues. To be clear - our work here isn’t done, but I’m really pleased to be shipping a milestone on our journey.”
Identity Woman: The new Google+ Names process

There were several other items of interest to the identity community (click more for the list and links):
[More]

This Week in Identity - Another group of purpose maximizers

Wed, 25 Jan 2012 18:39:24 -0700

At Ping Identity, our culture and values are everything. Our good friend, Nishant Kaushik, relates that the same is true at Identropy. He explains their drive to maximize purpose. Also, check out the great video about one of his favorite books, Drive, by Daniel Pink.

Nishant Kaushik: We Are Purpose Maximizers!

There were several other items of interest to the identity community (click more for the list and links): [More]

Ping 2011: One for the history books

Thu, 19 Jan 2012 13:23:00 -0700

Last week, we flew everyone in Ping to Denver from around the globe to celebrate 2011 and kickoff 2012. We only do it when we hit our stretch goals, so we celebrate as if it were our last time all being together physically as a company. Certainly as we've grown, the logistics have become more significant, but what a week it was. One for the history books here at Ping for sure.

Here are a few highlights of 2011 and then some pics from the week.

Surpassed $100 million in lifetime sales
200 New Enterprise Customers
- 2 of the 3 largest U.S. hospital conglomerates
- 3 of the 5 largest U.S. health plans
- 4 of the 6 largest U.S. banks are now customers of Ping Identity
- 42 of the Fortune 100

61 new SaaS companies leveraged Ping for cloud identity integration
200% growth in EMEA and new Asia Pacific and Japan sales offices
Named a most exciting vendor by 451 Group: TheInfoPro “Security 14 -- Information Security Study 2H 2011”
Hosted 5 different Cloud Identity Summit events with over 500 industry leaders
Secured $21 million financing
Introduced 1st commercial support for OAuth -- secure native mobile application access and API security
Introduced new Cloud Identity Connectors for LinkedIn, Facebook, Twitter, Microsoft Live, Salesforce.com and Google
Introduced CloudDesktop -- giving companies a single point of access for all of their SaaS and Cloud-based apps
Introduced PingFederate on Amazon EC2 -- an easy public cloud deployment alternative
Helped create Simple Cloud Identity Management (SCIM) provisioning standard
Introduced our new certified partner training program
Expanded our 3 offices to accommodate growth (Denver, Boston, Vancouver)
Won the Denver Grow Healthy Employer Award
Improved our customer satisfaction to 99% (as reported by an independent survey)

[More]

Will it be love that finally kills the password?

Wed, 18 Jan 2012 14:10:00 -0700

Love is officially “stupid,” finally edging out “blind” on the strength of password sharing among lovelorn teens.

This from the New York Times today, a story that teen couples are showing their love for one another by sharing their passwords. And not just for one application, but wherever their digital lives take them: e-mail, Facebook, Twitter.

You laugh at their naïveté, but remember some of these teens will be your employees in four years – maybe less. Perhaps your junior executives within the next six years.

Old habits die hard, especially when socialized at such a young age. And they look like a giant liability when they find their way onto your network. It's not just sharing passwords, but the nonchalance towards snooping through another person's account - "authorized" or not. A lover's today, a friend's tomorrow, the boss's after hours.

[More]