Planet Identity

Kevin Marks: Welcome Apple, seriously

2010-09-02T21:32:46Z

Yesterday's update of iTunes added Ping, a music-focused social network. When I tried it out early in the evening, it had Facebook Connect enabled, and both imported friends from Facebook, and notified me when new ones joined. Shortly afterwards, Mark Zuckerberg joined, and shortly after that the Facebook connection was missing.
This morning, neither company is talking on the record, though Kara Swisher reports that Steve Jobs complained about 'onerous terms' from Facebook.

This naturally reminds me of the problems we had with Google Friend Connect, where Facebook's accusation of a ToS violation was never backed up by an explanation of what would not violate the terms, leading to the "Data Roach Motel" accusations at Supernova. The underlying issue is whether you should give another company veto power over your application. Last time I wrote on this, it was Apple's veto I was warning about, though at the same time Apple was trying to avoid giving Adobe veto power over their platform again.

The thing is, we have been round this cycle before, and the answer is known too - the way to interoperate with another company without having to have a business agreement with them is to use open standards, not proprietary APIs.

Apple knows this - they have helped lead development of HTML5 and WebKit, along with many other standards in the past, including podcasting and MPEG4. Facebook knows this too, and they have been strong supporters of OAuth and Activity Streams, and even of Portable Contacts, when it's them doing the importing.

Clearly it good for us as users to be able to delegate our contact lists to an existing source - this weeks launch of conference sharing site Lanyrd shows that. It's also in our interests to be able to propagate the actions of playing, liking and purchasing music, videos and anything else between sites of our choosing, so that we can share with our friends, and so we can get more useful recommendations for the future (at minimum, not suggesting things we already have).

This was the core of the discussion at the VRM Workshop last week in Boston - that we should control over who sees what about us, and I think that with these common standards we can solve both problems - the individuals get to save having to re-enter their information everywhere, and control what flows to where, and the companies get the ability to interoperate without bizdev and single source lock-in. Activity Streams (and the associated standards they build on) are our best hope for this.

Identity 360 - Imprivata: Webcast: Give Clinicians a Jump Start for EMR Adoption

2010-09-02T20:53:38Z

This interactive webcast will explore how healthcare organizations are bridging the gap between clinician productivity and security. A few of the topics include the introduction of one-touch follow-me desktop and securing unattended desktops.

Identity 360 - Imprivata: HealthTechnica - Why You Should Consider a Single Sign On Product in Health Care

2010-09-02T18:12:11Z

http://www.healthtechnica.com/blogsphere/2010/09/01/why-you-should-consider-a-single-sign-on-product-in-health-care/

Phil Windley - Kynetx: Twitter and the OAuthalypse: A RESTful Misfire

2010-09-02T15:57:10Z

Yesterday was the OAuthalypse--the day when Twitter stopped accepting HTTP Basic authorizations on theis API. I had a few apps break--like almost everything I've done with Twitter. To get them back working I'll have to spend some time on each moving them over to OAuth. For some that won't be hard--they're already using a library that supports OAuth. For others it will be more work. All of them are single user apps (like the UtahPolitics retweeter and so will use the OAuth single token pattern.

The reason for moving to OAuth is so that apps won't need to ask users for their Twitter password or store it anymore. Twitter had a bad experience with this and that led to the decision to go nuclear on usernames and passwords on their API. This is a clear win for delegated authorization protocols like OAuth and the more capable ones that are surely to follow. What's more it trains users to use a delegated authorization scheme. I love it.

But what's curious about the move is that in everycase (except the retweeter) my apps are not updating information. These are read-only apps that simply read a friend timeline for a partcular user. I can't figure out why any authorization is needed at all. Since who I follow is public information, it would be simple enough to reconstruct my friend timeline from available information. My theory is that Twitter uses authentication on read-only data as a substitute for a poorly designed API. That is, they use the authentication as a substitute for merely allowing me to specify whose timeline I want to see.

This is classic REST stuff and it seems that Twitter got it wrong. Thousands of apps are failing today because Twitter requires them to authorize when they don't really need to. Am I wrong?

Identity 360 - Imprivata: SC Magazine UK - VMware launches new virtualised technology, as Imprivata and F5 confirm support

2010-09-02T15:49:06Z

http://www.scmagazineuk.com/vmware-launches-new-virtualised-technology-as-imprivata-and-f5-confirm-support/article/178125/

Identity 360 - Imprivata: Medical News Today - Imprivata Delivers Fast And Secure Access To Applications For VMware View 4.5 Users

2010-09-02T15:48:27Z

http://www.medicalnewstoday.com/articles/199516.php

Marc Canter - Broadband Mechanics: the final FYI video

2010-09-02T03:57:02Z

This is what I’m showing tomorrow to Chancellor Fingerhut. This is what I did on my summer vacation.

Mark Wilcox - Oracle: Another helpful hint for installing Oracle Fusion Middleware Components on Oracle Enterprise Linux

2010-09-02T03:44:47Z

I'm helping a colleague get OVD 11g up and running for an upcoming demo. We're running on OEL 5 and I forgot to remind him to make sure to put the Oracle Validated package during install.
If you don't do this - you'll most likely be missing some packages.

An easy way to resolve this is to either run:

up2date oracle-validated (if you are a OEL support subscriber)
Or you have configured OEL to connect to the public YUM server:
yum install oracle-validated

Posted via email from Virtual Identity Dialogue

Paul Madsen: New line of greeting cards

2010-09-01T22:30:26Z

Posted via email from Pre(posterous)

Brad Tumy - Oracle: Identity Mgmt Publication Survey #IDM #Survey

2010-09-01T19:32:50Z

I am trying to gather more information to help provide a better source of information for the IDM community. I have put together a simple survey to give you the opportunity to provide feedback and to help steer the direction of this new publication. We are targeting the first part of November for the initial release and would love to have your feedback to help shape this great resource. The survey should take about 10 minutes of your time and as a thank-you I am giving a way a free year (1 year) subscription to everyone that completes the survey (be sure to include your email address).

Please let me know if you have any questions or comments!

Survey (http://www.tumy-tech.com/idm-publication-survey)

Thanks,

Brad Tumy

Filed under: IdM

Identropy: Identropy Adds New Advisory Offering: the Identropy IAM Primer Series

2010-09-01T17:07:00Z

Identropy adds a new offering as part of its well-known Advisory Services: the Identropy IAM Primer Series. This offering not only provides access to Identropy's IAM best practices library, but also provides direct access to an Identropy IAM professional.

Our seasoned Identity and Access Management (IAM) professionals, each with over 10 years of experience in IAM, have created IAM best practices reference documents that capture practical and empirical knowledge in various aspects of the identity and access management landscape, spanning business processes and technologies. They are intended to educate IAM initiative stakeholders of industry best practices and facilitate their adoption in a cost-effective, self-paced manner, thus helping organizations improve their business processes by making optimal use of IAM.

In addition to the best practice documents, the offering includes five hours of direct access to an Identropy IAM professional. Rather than read a static document, customers can also engage in a live conversation regarding the practical aspects of an IAM initiative. This approach will help organizations get started with a specific IAM topic with the practical hands-on guidance that is often missing in IAM initiatives, thereby leading to a more effective approach to adopting and implementing the solution specific to the customer's environment.For more information on this Identropy's IAM Primer Series, click here: http://www.identropy.com/iam-primer-series/

Identicentric: Tempo Maintenance Tonight, Sept 1st 11PM EDT

2010-09-01T14:00:32Z

For customers of our time-tracking system, Tempo, the web interface will be temporarily unavailable starting at 11PM EDT tonight, Wednesday September 1st.

Just a couple of small fixes, service should only be offline for a few minutes while we make sure nothing’s amiss. Reporting time entries via Twitter and Email will continue to function without interruption.

Mark Diodati - Gartner: VMware’s Purchase of TriCipher

2010-09-01T01:31:45Z

When it rains, it pours. Yesterday, CA Technologies announced its purchase of Arcot Systems. My blog post about the purchase can be found here. Today, VMware announced its purchase of TriCipher. Arcot Systems and TriCipher are eerily similar. Both companies started with innovative technology which protects the user’s private PKI key in software (in TriCipher’s case, the private key is split). Both expanded into the cloud identity management market. Cloud identity management products are SaaS-based. They provide authentication and provisioning services for cloud-based applications. As discussed in my blog post yesterday, these products provide relatively simple solutions for enterprises as they reach out to cloud-based applications. With the Arcot Systems and TriCipher acquisitions, it is safe to say that the emerging market for cloud identity management products has been validated.

VMware (a subsidiary of EMC) has good reasons for the purchase, including building out its cloud portfolio. But I wonder if TriCipher belongs with RSA (another subsidiary of EMC). Its products are security- and identity-based, and are complimentary to RSA’s enterprise authentication, consumer authentication, and web access management offerings. As with CA Technologies’ purchase of Arcot Systems, TriCipher products would extend RSA’s enterprise offerings into the cloud without wholesale development effort. There’s no product conflict between the authentication products of both companies; TriCipher’s authentication technology would be a great compliment to RSA’s SecurID, consumer authentication, and PKI products.

One of RSA’s core marketing messages is that it is “The Security Division of EMC”. Perhaps we’ll learn more about RSA’s role in all of this as the dust settles on the purchase. For more information on TriCipher, please see our published research documents (subscription required). Also, we are close to publishing our “Federation, Directory Services, and Cloud” research document, which focuses squarely on Arcot and TriCipher. Stay tuned.

Burton Group Catalyst 2009: Cloud SSO Interoperability Summary

New Directions in Federation

Market Profile: Identity Management 2010

Ping Talk - Ping Identity: Twitter OAuth: Keep your eye on the API

2010-09-01T01:21:00Z

So Twitter cut over to OAuth today and as far as I can tell the Earth is still spinning on its axis.

But it is a watershed event for the microblogging service, or in plain language; Twitter-based apps won’t store your password anymore.

I've said here before that OAuth's development bears watching as more services cut over to the emerging protocol, which will eventually intersect with current enterprise identity systems – mostly because API access to application components will demand it.

Here is how Twitter explains its OAuth moment to application developers:

“You, as the application developer:

don't have to worry about exposing the credentials for your users whether through a bug or other means (especially considering that a lot of people use the same password for multiple services);
don't have to worry about the user changing their password — a user can change his or her password and the OAuth "connection" to your app will still work;
don't have to worry about other applications masquerading as your application - only you can set the byline with your application name;
will eventually have access to more APIs from Twitter that will only be available to "trusted" OAuth-enabled applications; and
give the @twitterapi team more visibility into the network — you help us plan for capacity, and you help us squash spam and you help us identify bugs."

Twitter is on the right track, but not a pioneer. They are adopting version 1.0 and still working on support of version 2.0, which is a more secure version but won’t be finalized until the end of the year. But others such as Facebook and Gowalla are already using 2.0.

The bottom line here is securing the API. Why? Google and Facebook handle five billion API calls per day. Twitter handles three billion, which is 75% of all its traffic. And more than 50% of SalesForce.com’s traffic is via API.

APIs will help users integrate features or data from their SaaS apps with their on-premise systems.

Ping is working on OAuth support that our end-users are likely to see by the end of the year to help make such possibilities comes true.

In addition, Ping’s principal engineer Brian Campbell is already working through the IETF on a bridge between SAML and OAuth 2.0 that will allow a specifically structured SAML token to be exchanged for OAuth.

From what I am hearing, some of what you should be thinking about in terms of OAuth is how systems manage it.

One expert I know told me that concerns may center on making sure the cryptography, negotiation, management of OAuth peer servers, the establishment/honoring/caching of tokens, etc. can be separated from the applications themselves, so it all can be centrally managed/logged/audited.

Follow John on Twitter and check out our Identity-Conversation Tweet list

Mike Jones - Microsoft: Information Card SAML Token Profile Committee Specifications

2010-09-01T00:29:50Z

As editor of the OASIS IMI TC, I wanted to bring to your attention that the committee specifications for the SAML V1.1 Information Card Token Profile Version 1.0 and the SAML V2.0 Information Card Token Profile Version 1.0 specifications have been posted by OASIS. These specs are standard profiles for SAML 1.1 and SAML 2.0 tokens when used with the Identity Metasystem Interoperability Version 1.0 (IMI 1.0) specification for Information Cards.

Thanks again to Scott Cantor and the OASIS Security Services (SAML) TC for driving the creation of these profiles.

Internet Identity Workshop: Our DC Location

2010-08-31T23:21:49Z

We thought we would share with you some more information about our venue. It is 0verlooking Meridian Hill Park, and is a 18,000 sq ft, 40-room Renaissance-revival style mansion. It has been quite fascinating to find over the course of organizing the event that several people we know have gotten married here.

The Center has undergone a landmark restoration to its former glory of the 1927 Renaissance Revival design, with adaptations to serve a broad range of modern needs and environmental retrofitting. The special event space is where we are hosting the Internet Identity Workshop.

We are making sure there is going to be adequate wifi for the event with Jump Labs sponsoring that aspect of the conference. Just as we do in our regular IIW we will be having a barista for most of the 2 days.

Dinner Thursday evening will be hosted thanks to Booz Allen Hamilton who is sponsoring AND we will be having a bus transport people from the venue to our dinner location that will be even closer to a metro then IIW.

We know it is quite different then our usual home on the west coast at the Computer History Museum however we think it will prove to be a great starting point for future events on the East Coast.

Simon Willison: RasterWeb: Lanyrd

2010-08-31T20:49:35Z

RasterWeb: Lanyrd. Pete Prodoehl calls me out on Lanyrd’s integration with the Twitter auth API at the expense of OpenID. I’ve posted a comment with my justification—essentially, tying to Twitter’s ecosystem means I can actually implement the features I’ve been talking about building on top of OpenID for years, with far less engineering effort.

Pamela Dingle - Ping Identity: This Woman in Tech says: Thank you

2010-08-31T19:53:53Z

I’ve been reading the various recent articles about women in tech bubbling around the interwebs with mixed feelings. I’ve seen a lot of these debates go by, and although I have strong opinions (I know, you’re surprised, right?), I usually choose not to comment here.

There is only one thing that I find myself wanting to say publicly in this week’s resurgence of the debate, and that is: Thank you. I have had the incredible blessing of being surrounded by group after group of intelligent, thoughtful men and women who have not only treated me equally and fairly, but have encouraged my abilities and helped me to reach greater and greater heights. I have nobody to blame, but many to acknowledge – and why should the jerks get all the press time?

I may not be on anyone’s top 30 women in tech, and I may never be the CxO that people seem to so desperately need all women in tech to be, but I have a fulfilling and challenging job and I have achieved my primary goal in my career, which is to work with people who make me smarter every day. By the only standards that count (mine), I have it all.

I believe that a lot of women have fought difficult fights over the years so that I could have this kind of positive experience, and I know that not all women in tech have been so fortunate. To those women who take on the establishment in this area – You have my support, gratitude and thanks. You take the heat today so that the next generation of girls can simply accomplish and wonder what all the fuss is about.

Why am I writing this? I don’t know. I suppose, it seems wrong for the unhappy examples to be the only examples out there. What I do know, is that I am one of the luckiest women in tech; the people who stand out in my life are not the ones who tried to hold me back, but the ones who have helped me fly. Thank you, to some of these exceptional people: Darcy, John, Cliff, Don, Cullen, Alan, Tammy, Tim, Pete, Doug, Brian, Dave, Janelle, Kaliya, Gordon, Derek, Barb, Bob, Kim, Craig, Mike, Vittorio, Ben, Sydney, Dale, Patrick, Julie, Sean, Andrew, Gil, Laura, Andre, and so many more.

Anil Saldhana - Red Hat: PicketBox XACML v2.0.5.final from JBoss released

2010-08-31T19:03:08Z

It took some extra time (other priorities took precedence). In the end, it all worked out fine.

LGPL licensed free open source project, PicketBox has released the XACML component v2.0.5.final. Please download it from PicketBox downloads.

Main Wiki Page

PicketBox XACML Dashboard Wiki Page

Main Features Added (compared to v2.0.4)

JIRA
PicketBox JIRA

JBoss Integration

PicketBox XACML is integrated into JBoss Application Server v5.0 and beyond. Additionally, it is available as part of the JBoss Enterprise Application Platform (EAP) v5.0 and beyond and JBoss SOA Platform v5.0 and beyond.

Release Notes

** Bug

* [SECURITY-452] - Don't use Xalan classes directly. Use Java API instead
* [SECURITY-461] - AttributeFinder:findAttribute method can throw an NPE if any of the attribute finder modules return null
* [SECURITY-462] - JBossRequestContext should throw IllegalArgumentException for null inputstream
* [SECURITY-507] - JBossXACML: anyURI mismatch
* [SECURITY-518] - JBossPDP should be serializable

** Feature Request

* [SECURITY-454] - Database Attribute Locator
* [SECURITY-463] - AttributeValue.getValue abstract method * [SECURITY-455] - LDAP based attribute locator
* [SECURITY-456] - File based Attribute Locator
* [SECURITY-492] - JBossPolicySetLocator should gracefully handle policies
* [SECURITY-516] - Create a LDAP policy provider for JBoss XACML
* [SECURITY-521] - Decision Cache for constant XACML Requests
* [SECURITY-522] - XACML add hashcode and equals to RequestCtx, Attribute
* [SECURITY-525] - XACML Attribute Locator should support comma separated list of attributeSupportedIds

Vittorio Bertocci - Microsoft: WIF & Yours Truly @ the Knowledge Chamber

2010-08-31T16:43:34Z

Last week Robert Hess, host extraordinaire, invited me to his The Knowledge Chamber show. The casus belli was the release of Programming Windows Identity Foundation, but we ended up having a nice chat about all things claims-based identity. I even had the chance of showing a super-quick demo using WIF, ACS, the security token visualizer control and SelfSTS. Check out the video here

The chat was so nice that we ended up going on for almost 40 minutes, which is practically twice the length of the typical Knowledge Chamber episode. Thank you Robert for having me over!

Identity 360 - Imprivata: E-Health Insider - EHI's industry round up 31.08.2010

2010-08-31T14:47:14Z

http://www.e-health-insider.com/news/6198/ehi%27s_industry_round_up_31.08.2010

Identity 360 - Imprivata: Imprivata Delivers Fast and Secure Access to Applications for VMware View 4.5 Users

2010-08-31T13:23:51Z

Integrated Solution Secures Data and Improves Productivity via One-Touch “Follow me” Desktops with Single Sign-on and Extended Strong Authentication

Paul Madsen: New line of greeting cards

2010-08-31T13:00:14Z

Posted via email from Pre(posterous)

Anil Saldhana - Red Hat: XACML Design Considerations and Pointers

2010-08-31T04:14:58Z

One of the challenges with XACML has been the deep knowledge/expertise required in understanding the XACML vocabulary. It can send shivers down anybody's spine when they come across a bunch of XACML policies. While the language is extremely powerful, lack of editors has been the bane.

While it is difficult to design a general purpose xacml editor without requiring the user to have extensive xacml knowledge, it should definitely be possible to create context based editors for XACML rules. Suppose you are creating XACML policies for your web application, then you can have an editor that is specific to the web application domain. This domain based editor approach will avoid the requirement of xacml knowledge. The policies can be designed in the domain semantics.

If you have some free time to kill and want to understand XACML better, I certainly recommend taking a peak at the Fedora XACML document ( I did not write it or was associated with the project).

Design Consideration

One of the favorite topics broached by XACML designers is the concept of date/time as part of the environment attributes.

You should be able to create XACML policies with rules such as:

Deny requests to web applications between 5pm and 8am CDT.

One point you need to note here is that if you are setting up automated tests to validate your policies, then the time at which the PDP is running your tests, can affect the outcome of the test result.

You should embed the current time as part of your XACML request during tests such that they simulate a request occurring at a particular time - rather than when the test is run. :)

You should definitely take a look at the XML Date and Time functions including Timezone configuration as listed here.

Vittorio Bertocci - Microsoft: Just Out: The eBook Version of “Programming Windows Identity Foundation”

2010-08-31T04:10:31Z

[UPDATE: I eventually got it too, see at the end of the post]

Yes, you get to see the eBook version of my book even before I do :-)

O’Reilly just made available today the eBook option for Programming Windows Identity Foundation. Thanks to Mike Erickson’s tweet we also know that the download now works (thanks Mike!).

I admit my general ignorance in terms of {<format,device>} well-formed pairs, but from a quick search I learned that

Mobi is for Kindle
ePub is for Sony Reader, iPad, iPhone, Android, various mobile devices
PDF is, well, PDF. I’m sure you’ll figure it out :-)

It’s true, I haven’t seen the book in a single file just yet. Will I buy this one? Weeell, I am still a big fan of the paper versions. Besides, I already know how this particular book ends… but if digital books are your thing, by all means :-)

[Updated: PS, here it is!]

Ben Laurie - Apache / The Bunker: Cod Chowder

2010-08-31T04:05:11Z

Chowder isn’t exactly rocket science, but this went pretty well, so documenting it here…

I actually made this almost entirely from frozen ingredients and it was just fine. Fresh might be better.

Finely chopped leek
Smoked bacon, sliced (I used some lardons I had in the freezer)
Cubed potatoes
Chicken stock (maybe fish stock would be better, I didn’t have any) or water
Milk (about half as much as stock)
Pepper
Mace
Cod
King prawns
Sweetcorn
Cream

Fry the leeks and bacon in a little butter/olive oil (I used both) until pretty soft – I didn’t crisp the bacon for a change. I think it is better for chowder not to. Add cubed potatoes and fry for a bit longer, then add chicken stock (or water or fish stock) and bring to the boil. Simmer until the potatoes have softened, then zap half the mixture with a blender (I just did this in situ). Season (I didn’t need salt, there was enough in the bacon). Add milk, fish, prawns and bring back up to a simmer, cook for a few minutes, making sure the fish falls apart. Add cooked sweetcorn and bring back up to temperature. Finally, add some cream.

Quantities should be chosen so that the final result is good and thick.

Serve with warm, crusty bread and butter. Works as a whole meal.

Phil Windley - Kynetx: Come to Kynetx Developer Day

2010-08-30T22:30:23Z

In the past Kynetx has held two Kynetx Impact conferences, one last fall and one last spring. Kynetx Impact exceeded my expectations both times with lots of people and energy. But holding a conference of that size is, frankly, a lot of work for a small team. Consequently, we've decided to move to an annual schedule with Kynetx Impact, holding the conference once a year in the spring. At the same time, we didn't want to lose the ability to contact and work with developers, so we've created Kynetx Developer Days. The first Kynetx Developer Day will be held in our Utah office on September 18, 2010. (Register here...it's free!)

At Kynetx Dev Day, you'll find tracks for beginning KRL programmers as well as more advanced topics for experienced KRL developers. The full agenda is available online. We'll be announcing and teaching people how to use some cool new features, including how to use Kynetx with email and telephony services like Twilleo via webhooks. But there's more...

Last Friday we gave a demonstration of the power of Kynetx to orchestrate multiple services (Web, email, telephony, and so on) in pursuit of the end-user's purpose. In this case we showed how an email from a person's radiologist suggesting they need neck surgery based on their MRI results could kick-off a whole series of interactions and tasks. Our demo showed how a dozen individual, small, simple cooperating KRL applications could automate the interactions to significantly reduce the user's cognitive load.

Not only will we be showing the latest version of that demo at the Sept 18th Dev Day, but we'll be teaching about the techniques necessary to build those kind of compelling experiences. You don't want to miss it.

And for those who can't be in Utah on Sept 18th, one of the reasons for moving to the simpler format for our fall event was to be able to spread them around more. We plan on conducting similar Kynetx Dev Days in other locations in the coming months. Stay tuned for more information...

In the meantime, register for the Sept 18th event if you'd like to come. It's free. We'd love to have you.

Identity 360 - Imprivata: Healthcare Info Security - Survey: Spending on Security Up

2010-08-30T19:41:11Z

http://blogs.healthcareinfosecurity.com/posts.php?postID=686

Identity 360 - Imprivata: HealthTechnica - Imprivata Announces Healthcare Advisory Board

2010-08-30T19:40:39Z

http://www.healthtechnica.com/blogsphere/2010/08/27/imprivata-announces-healthcare-advisory-board/

Identity 360 - Imprivata: InternetNews.com - Security, EMRs Top Healthcare IT Priorities

2010-08-30T19:37:57Z

http://www.internetnews.com/security/article.php/3900416/Security+EMRs+Top+Healthcare+IT+Priorities.htm

Phil Windley - Kynetx: Come to Internet Identity Workshop East Next Week

2010-08-30T19:16:16Z

The East Coast edition of the Internet Identity Workshop (IIW) will happen next week on Thursday and Friday (Sept 9-10) at the Josaphine Butler Parks Center in Washington DC. The theme for this edition of IIW is Open Identity for Open Government. You can register online. Late registration fees kick in after Friday, so register now.

Mark Diodati - Gartner: CA Technologies to Purchase Arcot Systems

2010-08-30T17:34:05Z

I’ve been following the evolution of Arcot Systems for twelve years. I became aware of them as a potential competitor (and acquisition target) while working at RSA, and I’ve kept up with them in my role at Burton/Gartner. I’ve seen the evolution of its products beginning with its innovative “Camouflage” technology, which provided enhanced protection of the PKI private key in software.

Arcot has since expanded in three important product classes: consumer authentication (RiskFort and WebFort), the Verified by Visa program, and cloud identity management (A-OK On Demand). A-OK On Demand is SaaS-based. It provides SSO, authentication, and provisioning services to cloud applications. Cloud identity management products provide a relatively simple solution for complex enterprise needs. Along the way, Arcot has also picked up the expertise of hosting large-scale applications, including multi-tenancy. This expertise will come in handy as CA Technologies crafts its go-to-market cloud identity management strategy.

The purchase of Arcot provides good benefits for CA Technologies, without much (if any) downside. Over time, the synergies between Arcot’s cloud identity management offerings and CA Technologies’ enterprise-based identity management products will grow. For this to happen, CA Technologies must integrate its provisioning and web access management products with the Arcot products. If CA Technologies executes correctly, it can provide “desktop to cloud” identity management using existing products, without wholesale development effort. From a roadmap conflict perspective, the only capability overlap is federation.

CA Technologies has worked with Arcot for several years, including integrating its SiteMinder web access management product with Arcot’s consumer authentication solution. CA Technologies’ competition, Oracle, has offered a converged web access management/consumer authentication solution, which began with its acquisitions of Oblix (2005) and Bharosa (2007). The Arcot purchase will position CA Technologies to compete with Oracle, with the additional capability of a SaaS option.

For more information on Arcot and CA Technologies, please see our research documents (subscription required):

Market Profile: Identity Management 2010

Burton Group More, More, More: The Challenge of Extended Enterprise Authentication Mobility

Burton Group Catalyst 2009: Cloud SSO Interoperability Summary

Kim Cameron - Microsoft: Kim Komando on location services

2010-08-30T15:06:42Z

Kim Komando has a great piece at USA Today where she explains geotagging through the experiences of two women who also happened to be using the foursquare location service. This article is one of the first of what I expect will become a torrent as the media learns the implications of geolocation:

Sylvia was dining out with a friend. The restaurant manager interrupted her dinner to tell her she had a phone call. It was from a complete stranger who tracked her online. He had described her to the manager.

Louise was at a bar with colleagues. A stranger began talking to her. He knew a lot about her personal interests. Then, he pulled out his phone and showed her a photo. It was a picture of Louise that he found online.

Both of these stories are true. And they’re very unnerving. There is also a common thread. The women were tracked by something known as “geotagging.”

Geotagging adds GPS coordinates to your online posts or photos. You may be exposing this information without even knowing it. Geotagging is particularly popular with photos; many smartphones automatically geotag photos.

Photos can be plotted on a map for easy organization and viewing. But if you post photos online, and you could reveal your home address or child’s school. You’ve given a criminal a treasure map.

Layers of information

A geotagged photo is the most obvious threat to your privacy and safety. But, in Louise’s and Sylvia’s cases, there was more going on. Both used the location-based social-networking service Foursquare.

Location-based social-networking services are designed to help you meet up with family and friends. When you’re out and about, you check in with the site. At the coffee shop? Check in so friends nearby can find you.

Unless you have a stalker, these services aren’t particularly dangerous on their own. You need to think about the layers of information you leave online. As you use more services, it’s easier for criminals to track you.

Let’s say you post a photo of your new house to a photo site. The photo is geotagged. You’ve linked your photo account to Facebook. And you use Foursquare or Twitter on the go; updates are sent to your Facebook account.

One night you go to the movies. You send a tweet as you wait in line. When you get home, you discover you’ve been robbed. The burglar used your photo to find your address. He learned more about you on Facebook. Your tweet tipped him off to your location.

Thanks to a movie site, he knew exactly how long the movie ran. He scoped out your house and neighborhood on Google Street View. He devised a plan to get in and out fast and undetected.

Protecting yourself

If you use these services, protect yourself. Use a little common sense. First, don’t geotag photos of your house or your children. In fact, it’s best to disable geotagging until you specifically need it.

On the iPhone 4, tap Settings, then General, and then Location Services. You can select which applications can access GPS data. These options aren’t available in older iPhone software, so tap Settings, then General, then Reset. Tap Reset Location Warnings. You’ll be prompted if an application wants to access GPS data. You can then disallow it.

In Android, start the Camera app and open the menu at the left. Go into the settings and turn off geotagging or location storage, depending on which version of Android is on your phone. On a BlackBerry, click the Camera icon. Press the Menu button and select Options. Set the Geotagging option to Disabled. Save your settings.

You can also use an EXIF editor to remove location information from photos. EXIF data is information about a photo embedded in the file. Visit www.komando.com/news for free EXIF editors.

Don’t check in on Foursquare or similar sites from home. And make sure your Twitter program is not including GPS coordinates in your tweets.

For many people, Facebook ties everything together. Reconsider linking other accounts to Facebook. Pay close attention to your privacy settings. Only trusted friends should know when you are or aren’t at home. Finally, if you have contacts you don’t fully trust, it’s time to do a purge.

[Kim Komando hosts the nation's largest talk radio show about computers and the Internet. To get the podcast or find the station nearest you, visit www.komando.com/listen. To subscribe to Kim's free e-mail newsletters, sign up at www.komando.com/listen.. Contact her at C1Tech@gannett.com. ]

It is well worth reading Foursquare’s privacy policy - which is well thought out and makes Foursquare a paragon of virtue when compared to the contract with the devil you sign when you install iTunes, for example. I’ll explore this more going forward.

CA on Security Management: Delivering the Enterprise-Ready Cloud – The Acquisition of Arcot Systems, Inc.

2010-08-30T14:08:00Z

Today CA Technologies announced an agreement to acquire Arcot Systems, Inc. This transaction will result in several immediate and longer term benefits for our customers. Current on-premise IAM customers, particularly customers of CA SiteMinder, will gain immediate benefits by using Arcot's strong authentication and fraud prevention capabilities to complement their well established...

Vittorio Bertocci - Microsoft: Simon Says

2010-08-29T19:48:43Z

[No technical content in this uncharacteristically brief post, be warned]

This morning I was leafing through the September issue of Wired, when I got to an interview with Simon Singh (no links to it, Wired’s Web site does not appear to have the September issue up yet).

Mr. Singh is a great science writer. A decade ago his The Code Book (Codici & Segreti nella versione italiana) was one of the reasons for which I got an interest in security and protocols (one other being Cryptonomicon, of course); more recently, I indirectly referenced his work on Fermat’s Enigma from my Programming Windows Identity Foundation (doesn’t that titillate your curiosity? ;-)).

I won’t get in the details of the article I was reading here, but just highlight a quote from it:

“You have to decide who you trust before you decide what to believe”

Taken alone that may be a tad out of context, however I could not resist putting it out here: because that, folks, is such a beautifully concise enunciation of the very essence of claims-based identity that I may just start putting it everywhere.

Jackson Shaw - Quest: Location services pose huge security risks

2010-08-28T14:46:59Z

Interesting article in USA Today regarding this topic. What interested me about the article was the two real-life stories associated with the story:

Sylvia was dining out with a friend. The restaurant manager interrupted her dinner to tell her she had a phone call. It was from a complete stranger who tracked her online. He had described her to the manager.

Louise was at a bar with colleagues. A stranger began talking to her. He knew a lot about her personal interests. Then, he pulled out his phone and showed her a photo. It was a picture of Louise that he found online.

Both of these stories are true. And they're very unnerving. There is also a common thread. The women were tracked by something known as "geotagging."

Kim Cameron and others have been blogging about the privacy of location information – especially in light of the revelations about the Google street view service. This article brings to Earth exactly what the ramifications of the abuse of this information can lead to.

Technorati Tags: privacy,Kim Cameron

Kuppinger Cole: Not Just Any Port in a Storm

2010-08-28T09:53:54Z

In Tim Cole

As anyone in the identity industry knows, more lies between America and Europe that just an ocean. In fact, when it comes to privacy and data protection, a wide gulf separates the old and new worlds.

Germany in particular is often perceived as hidebound, not to say paranoid, when it comes to companies collecting personal data about their customers. People are signing up by the thousands to have their houses deleted from Google StreetView, with the mass-circulation “Bild Zeitung” running panic-inducing headlines like “StreetView snoops private data” and warning their readers about“Google’s next attack: Now they’re using bikes to film us!” The German minister of consumer affairs, Ilse Aigner, has publicly urged her fellow citizens to follow her example and cancel their Facebook accounts.

Most Americans I know simply shake their heads and grumble about “unhinged eurocrats run amok”. But unfortunately, it isn’t that simple. For better or worse, American companies need to realize that these are genuine concerns by genuine people. And no matter how lackadaisical US consumers may be when it comes to handing out personal information, the reality is that Europeans are not.

“But isn’t that what Safe Harbor is all about?”, one American identity expert (who shall remain nameless) exclaimed recently when I asked him how he thinks the problem should be addressed. True – but apparently, safe harbors in the US are anything but. That at least is what the so-called “Duesseldorf Circle”, a group of data privacy officials from all German states, stated in a report released last April. They accuse US companies of cheating on the agreement which was reached way back in 2000 between the United States and the EU.

This essentially confirms results of a study conducted in 2008 by the Australian consulting firm Galexia, in which they concluded that most companies that purport to be certified members of the Safe Harbour Framework actually aren’t. Their findings are a shock to anyone believing in self-regulation:

Only 348 of 1,597 enterprises and organizations on the official Safe Harbor List, which is jointly kept by the European Commission and the U.S. Department of Commerce, meet even the most basic requirements. Many do not have a privacy policy, and most fail to comply with Principle 7 of the agreement which stipulates that signees must identify an independent dispute resolution process for consumers.
209 organizations selected a dispute resolution provider that was not affordable (including the infamous American Arbitrations Association, AAA, that charged up to $1,200 an hour with a four-hour minimum charge plus a hefty $950 administration fee!).
206 companies claimed on their public websites to be members of the Safe Harbor, but aren’t.73 companies falsely claimed to be members of a Privacy Trustmark Scheme such as eTrust, or the BBB Online Privacy program which ceased to operate in June of 2008.
20 organizations displayed a fictional Department of Commerce Safe Harbor “seal” on their website.
24 claimed to have been certified by the Department of Commerce or the Euroepan Commission, which is obviously impossible: The program is based on self-certification.

In a recent article in “Öko-Test”, a magazine published by the prestigious German foundation “Stiftung Warentest”, the privacy policies of U.S.-based companies such as Google, Facebook, Twitter and YouTube were graded. They all failed.

Facebook, the article states, is in open breach of German law, while Google introduces the concept of “sensitive personal information” (which implies that some personal data are somehow “insensitive” and therefore free to be put to any use Google might think of). Twitter blandly informs visitors to their website that they “collect and use your information to provide our services and improve them over time”, but fail to mention which information they are referring to and what specifically they do with it, blatantly ignoring the four guiding principles of German privacy laws, namely allocation of purpose, necessity, transparency and minimal disclosure.

While Facebook and Google at least pay lip service to the Safe Harbor Agreement, Twitter hasn’t even bothered to sign, Öko-Test maintains. And anyway, why bother: “These contracts aren’t worth the paper they were signed on or the e-mails they were sent with”, the magazine writes.

Rainer Erd, a well-known expert on privacy and data protection with the law firm Schmalz in Frankfurt/Main, recently weighed in with a comment in the “Sueddeutsche Zeitung” in which he accuses U.S. companies such as Google and Facebook of duping European consumers by making them believe that they follow the provisions of the Safe Harbor Agreement, when actually they routinely store personal data on “secret servers” in the United States.

So why should U.S. companies be worried? After all, German policemen won’t be turning up anytime soon in corporate headquarters in Silicon Valley, and writs issued by German courts aren’t likely to be enforced by authorities on the other side of the Atlantic.

The real cause for concern is the growing uneasiness of European consumers with the high-handed manner with which U.S. companies treat their data. If Google seriously thinks it can make StreetView fly in Germany, they will need to launch a whole-hearted goodwill campaign including ironclad guarantees that they will follow not just the letter but the spirit of local privacy laws. As of even date, there is no sign that this has been really understood, either in Mountain View or in the headquarters of other U.S. companies seeking growth in Europe as the domestic U.S. market continues to sag.

Above all, governments and companies on both sides of the Atlantic need to strengthen and enforce the Safe Harbor Agreement so that it does in fact become a secure port for business – and not another murky swamp into which data disappears.

Marc Canter - Broadband Mechanics: End of August 2010 blogging

2010-08-27T22:51:18Z

Getting lots of things done. We have a killer book from our Futuristic Young Ideas STEM student summer internship program. The Civic Commons is rocking - running towards an end of Sept ship date.

There are a lot of really basic person->many communication tools which Facebook doesn’t have - let alone how shitty their messages tool is. Looks like Orkut sees this as a hole - and they’re right. Now all they (Orkut) need are the 500M people.

Now that Orkut is pitching multiple personae, how long until we need Persona Editors?

Hmmmm - I wonder if I could help invalidate these Paul Allen patent claims from Interval research. I knew a lot of people who worked there - and I specifically recall showing similar interfaces to Brenda Laurel when she visited my MediaBar in 1996. Hmmmmm - I’d just LOVE to fuck Paul Allen and ALL those interval people!

SCVNGR rocks - I love this stuff

the Activity Streams standard is growing

Congrats to Rohit Khare and Adam Rifkin!

How gardens stitch together communities

Killer Scott Pilgrim/Matrix mashup

Whiplash fatigue,

Identity 360 - Imprivata: NextGov - Doctors cry, 'Enough!'

2010-08-27T15:06:02Z

http://healthitupdate.nextgov.com/2010/08/password_please.php?oref=latest_posts

Identity 360 - Imprivata: SC Magazine UK - Avoiding the loss that leads to the fine

2010-08-27T15:04:31Z

http://www.scmagazineuk.com/avoiding-the-loss-that-leads-to-the-fine/article/177567/

Kuppinger Cole: New Survey

2010-08-27T11:10:21Z

In Kuppinger Cole

And even in private environments, either on-premise or in dedicated environments of service providers, things are changing. In this survey, we'd like to understand your views and experiences on security in virtualized environments and the developments happening in this space. How do you secure your virtual environments today? And how does your future roadmap look like?

Kuppinger Cole have launched a survey on these questions and based on the results of this survey, a report and analysis will be produced. If you participate in the study, you will receive a complimentary copy of that report and analysis. Of course, you may respond anonymously to the questions within the survey. However, you must provide your e-mail address to receive a copy of the study when it is released. Participating in the survey, you will also have a great chance to win one of 3 tickets for the European Identity Conference (EIC) 2011, or an iPad.

At no time will any individual's name, any company or university name, your participation, or individually identifiable response be released to any third party. The survey and analysis is being conducted by Kuppinger Cole and is sponsored by CA. You will also be invited to a KuppingerCole webinar where results of this survey will be presented and advice for actions will be provided. This survey should take you only around 20 minutes to complete.

Clayton Donley - Oracle: Facebook Lists and the Enterprise

2010-08-27T04:38:44Z

This article on TechCrunch reminds me of how much I dislike enterprise systems that require you to recreate many of the relationships that are inherent in an organization using constructs that are available and remain unused in many popular consumer social sites.

Tonight at a Facebook Developer's Garage meeting at Facebook's headquarters in Palo Alto, Zuckerberg fielded a question about the service's privacy controls. He said that the ideal solution for sharing different things with different people is to make a friend list. "But guess what? Nobody wants to make lists," Zuckerberg admitted.

Yes, nobody wants to make lists.

The TechCrunch proposal is excellent for Internet-facing applications, as differentiation between "friends" and "followers" is usually a good first cutoff in a relationship. Enterprises have these relationship distinctions too...hence why you're likely to see a broadcast from your CEO, but your CEO probably isn't seeing broadcasts from each individual employee.

In the enterprise, your peers, managers, reports, approvers, and so forth are already grouped in meaningful ways as part of business applications. Since these systems need to be accurate for payroll, promotions, mailing lists, and a number of other processes to work, there is significant incentive for the specific relationships to be accurate.

Contrast this with single-purpose lists used by a single platform that need self-management. Such lists are maintained manually, are not going to be corrected by others if incorrect, and are unlikely to stay meaningful.

We've long said in the directory space that the directory is a place for identity information that has utility in the broadest number of places. Similarly, many of these existing relationships are already modeled in the directory. With virtual directories, even those relationships found in external business systems can be brought into the scope of your applications via a single, simple LDAP request.

I'd like to see mor enterprise applications become more social by simply using the "lists" and relationship granularity that is already defined rather than try to mimic Facebook and other Internet sites that require me to maintain these on my own.

Kuppinger Cole: Google authentication support

2010-08-27T02:45:35Z

In European Identity Conference Blog

In addition to Facebook authentication, which we have added last month, you’re now able to log in to our website with your Google account.

Don’t forget to check out your account page after signing up to edit your personal information and subscribe to our newsletters!

Mark Dixon - Sun: Identity Management for Zombies?

2010-08-26T21:36:19Z

Note: This little post chronicles my favorite social media exchange in a long time. You need to see the embedded images to get the gist of an intriguing conversation.

The intrigue began Wednesday afternoon when I was waiting in the Chicago O’Hare airport for a flight to Central Wisconsin Airport, near Wausau, WI. I tweeted my intentions:

Within a few minutes, I was being followed on Twitter by Wausau Loner:

I had never heard of the Zombie Apocalypse, so I started poking around the web. I thought, “Do Zombies need Identity Management?”

I found that my tweet was listed on the Wausau Wisconsin Best Blogs and Tweets …

… along with my new follower, the Zombie Apocalypse expert, Wausau Loner.

This morning (Thursday), I received a nice thank you note from Wausau Loner:

I pinged him back and got this reply:

I posed the big question: Do zombies have unique Identities? Do they need Identity Management?

Sadly, the answer was negative:

Well, there are still many unanswered questions. May be next time I visit Wausau, I’ll get together with Wausau Loner and get more details! I’ll let you know.

Technorati Tags: Wausau,Zombie Apocalypse,Social Media,Twitter,IdentityManagement

Neil Wilson - UnboundID: LDAP Password Changes in Active Directory

2010-08-26T15:10:31Z

I've never really been a big fan of Active Directory. Microsoft tends to treat standards more like suggestions than rules, and Active Directory has some good examples of that. I was recently asked a question about how you can change a password in Active Directory over LDAP. In most directory servers, you would either use the LDAP password modify extended operation (as described in RFC 3062), or you would perform a simple modify operation to replace the userPassword attribute with the clear-text password (and the server would automatically perform any necessary encoding to obscure the value). However, Active Directory has a number of very unusual requirements, so it's probably worth making a note of them. They include:

Active Directory doesn't appear to support the password modify extended operation, so you must change passwords using a normal LDAP modify operation.
Active Directory stores passwords in the unicodePwd attribute, rather than userPassword.
Active Directory will only accept password changes over secure connections. I have only ever used SSL. It may be that you can also use StartTLS, or perhaps SASL with confidentiality, but I'm not sure about that.
The new password must be enclosed in quotation marks, and it must use a UTF-16 little-endian encoding.
Active Directory may impose some strength requirements on the password, although exactly what those requirements are may vary from one instance to another.

Knowing these requirements, you should be able to write code using any LDAP API that will allow you to perform password changes in Active Directory. The following code demonstrates how to do it using the UnboundID LDAP SDK for Java:

import java.io.UnsupportedEncodingException;
import javax.net.ssl.SSLSocketFactory;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.Modification;
import com.unboundid.ldap.sdk.ModificationType;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.util.StaticUtils;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;



/**
 * This class provides a simple utility method that may be used to change the
 * password of a user stored in an Active Directory server instance.
 */
public class ADPasswordChange
{
  /**
   * Perform the complete set of processing required to change a user's
   * password in an Active Directory server.
   *
   * @param  adHost        The address of the Active Directory server.
   * @param  adSSLPort     The SSL-based port of the Active Directory server
   *                       (typically 636).
   * @param  bindDN        The DN to use when binding to the Active Directory
   *                       server instance.  It must have sufficient permission
   *                       to change user passwords.
   * @param  bindPassword  The clear-text password to use when binding to the
   *                       Active Directory server instance.
   * @param  userDN        The DN of the user whose password should be changed.
   * @param  newPassword   The clear-text new password to assign to the user.
   *
   * @throws  LDAPException  If a problem is encountered while performing any
   *                         of the required processing.
   */
  public static void changePasswordInAD(final String adHost,
                                        final int adSSLPort,
                                        final String bindDN,
                                        final String bindPassword,
                                        final String userDN,
                                        final String newPassword)
         throws LDAPException
  {
    // Properly encode the password.  It must be enclosed in quotation marks,
    // and it must use a UTF-16LE encoding.
    System.out.println("Going to encode the password.");
    final byte[] quotedPasswordBytes;
    try
    {
      final String quotedPassword = '"' + newPassword + '"';
      quotedPasswordBytes = quotedPassword.getBytes("UTF-16LE");
    }
    catch (final UnsupportedEncodingException uee)
    {
      throw new LDAPException(ResultCode.LOCAL_ERROR,
           "Unable to encode the quoted password in UTF-16LE:  " +
                StaticUtils.getExceptionMessage(uee),
           uee);
    }


    // Create an SSL socket factory to use during the course of establishing
    // an SSL-based connection to the server.  For simplicity, we'll cheat and
    // use a trust manager that will trust any certificate that the server
    // presents, but in production environments you should validate the
    // certificate more carefully.
    System.out.println("Going to create the SSL socket factory.");
    final SSLSocketFactory socketFactory;
    final SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
    try
    {
      socketFactory = sslUtil.createSSLSocketFactory();
    }
    catch (final Exception e)
    {
      throw new LDAPException(ResultCode.LOCAL_ERROR,
           "Unable to create an SSL socket factory to use for establishing " +
                "a secure connection:  " + StaticUtils.getExceptionMessage(e),
           e);
    }

    // Create a secure connection to the Active Directory server.
    System.out.println("Going to establish the secure connection.");
    final LDAPConnection connection = new LDAPConnection(socketFactory, adHost,
         adSSLPort, bindDN, bindPassword);

    try
    {
      // Attempt to modify the user password.
      System.out.println("Going to replace the user's password.");
      final Modification mod = new Modification(ModificationType.REPLACE,
           "unicodePwd", quotedPasswordBytes);
      connection.modify(userDN, mod);
    }
    finally
    {
      System.out.println("Closing the connection.");
      connection.close();
    }
  }
}

Nick Wooler - Sun: Free Webinar Today: Simplify Access Management with F5 & Oracle

2010-08-26T14:51:15Z

On Thursday, August 26. We are hosting a webcast that will take you through the solution and talk about why we believe this will simplify Access Management. Please join us as F5 and Oracle product experts explain this simple solution.

Title: Live Webcast: Streamline Access Management with F5 & Oracle

When: Thursday, August 26, 2010, 10:00 a.m. PT or 1:00 p.m. ET

Where: Register for this live webcast here: Streamline Access Management with F5 & Oracle

Identity 360 - Imprivata: Imprivata Demonstrates Secure and Convenient Application Access and Roaming Desktops Throughout VMWORLD 2010 Conference

2010-08-26T13:05:14Z

Imprivata Founder and CTO to Join Expert Panel Discussing the Impact of Virtualization on the Delivery of Healthcare IT

Pat Patterson - Huawei: Bookmarks for August 25th 2010

2010-08-26T13:00:00Z

These are my links for August 25th 2010:

500 Internal Server Error – 500 Internal Server Error

Paul Madsen: New line of greeting cards

2010-08-26T11:31:30Z

Posted via email from Pre(posterous)

Kuppinger Cole: Felix Gaehtgens: Security bei der Entwicklung für die Cloud

2010-08-26T09:47:18Z

In Kuppinger Cole

Einer der Gründe (wenn auch nicht der einzige) für das Cloud Computing ist eine hohe Skalierbarkeit, die man durch die Verteilung von Ressourcen in der Cloud erreicht. Das lässt sich beim Programmieren durch ähnliche Ansätze erreichen, etwa bei der Programmierung auf einem Multiprozessor-System und/oder bei der Entwicklung von Multithreaded-Programmen. Es ist wichtig, Prozesse in kleine, modulare Teile zu gliedern – Atomizität, Statuslosigkeit sowie Synchronisierung sind wichtige Konzepte und haben bei der Entwicklung von Cloud-Applikationen ebenfalls ihre Geltung.

Ein guter Vergleich ist der mit der Entwicklung innerhalb einer serviceorientierten Architektur (SOA). Hier spielen die genannten Faktoren eine wichtige Rolle, doch es kommt noch ein zusätzlicher Punkt hinzu: eine Sicherheitskomponente, die Authentisierung und Autorisierung innerhalb einer SOA bereitstellt. Dort finden sich mehrere verbreitete Standards, etwa WS-Security bei SOAs auf Basis von SOAP oder Spring Security.

Beim Cloud Computing kann es jedoch viel komplexer zugehen: Oftmals werden einzelne Module komplett aus der Kontrolle eines Unternehmens ausgegliedert. So fließen Daten zwischen Unternehmen und Applikationsprovidern hin und her. Das ist einerseits vorteilhaft, da sich Firmen mehr auf ihr Kerngeschäft fokussieren und somit Anwendungen und Prozesse auslagern können. Andererseits ist das problematisch, da es wesentlich schwieriger ist, die Kontrolle zu behalten über das, was mit den Daten geschieht und wer Zugriff auf die Prozesse hat.

In der heutigen IT-Landschaft ist es immer noch üblich, auf Benutzer und Rollenkonzepte zu setzen. Daher liegt es auf der Hand, sie auch im Cloud-Umfeld zu verwenden. Das führt jedoch langfristig zu Problemen, gerade wenn die Komplexität der Cloud-Infrastruktur zunimmt, was durchaus bei einer positiven Bilanz einer Cloud-Initiative eines Unternehmens zu erwarten ist. Benutzer-IDs, Passwörter und Rollen sind meist stark an einen Kontext gebunden und haben in einem verteilten Cloud-Konzept keine eindeutige Gültigkeit. Dafür sind Richtlinien notwendig, die den Umgang mit Daten oder Prozessen regeln.

Es gibt dazu mehrere Ansätze, die sich mit dem Thema beschäftigen. Das von Microsoft spezifizierte Identity Metasystem realisiert es beispielsweise, Informationen zu Benutzern in sogenannten "Claims" mitzuliefern und sie im gesamten Prozess mitzutragen. Die Claims können nicht nur Informationen über den Benutzer enthalten, sondern auch weitere Datenfelder, die für den Prozessablauf wichtig sind. Somit lässt sich von der herkömmlichen, aber unsicheren Praxis absehen, Teile von Prozessen als privilegierter Benutzer auszuführen – das war (und ist) leider oft der Fall.

Der XACML-Standard (eXtensible Access Control Markup Language) erfährt zunehmend Beachtung und findet mittlerweile selbst in komplexen Umgebungen Anwendung. Er definiert sowohl eine XML-Sprache zur Zugriffskontrolle als auch eine standardisierte verteilte Architektur. Letztere besteht aus mehreren Teilen:

Policy Enforcemente Point (PEP)
Policy Decision Point (PDP)
Policy Information Point (PIP)
Policy Administration Point (PAP)

Der Policy Enforcemente Point sitzt überall dort, wo ein Zugang überprüft werden muss und sich entweder einteilen oder abweisen lässt. Er führt jedoch keine Entscheidung durch, sondern fragt sie beim Policy Decision Point ab. Der kann wiederum (wenn notwendig) zusätzliche Informationen bei Policy Information Points abfragen. Die lassen sich – wie ihr Name verrät – zum Verwalten der einzelnen Policies verwenden. Die XACML-Sprache lässt sich gut innerhalb der definierten XACML-Architektur einsetzen, sie ist aber unabhängig von der Architektur – demnach eignet sie sich auch gut zum Austausch von Policies.

Interessant ist die Verknüpfung des Identity Metasystem mit XACML. Dadurch dass Ersteres in den Claims beliebige Daten mitliefern kann, ließe sich auch eine XACML-Policy mit übergeben, und diese könnte man dann dazu benutzen, um in feiner Auflösung den Zugang zu kontrollieren. In dem Zusammenhang bedeutet "feine Auflösung", den Zugang bis ins kleinste Detail zu regeln – beispielsweise den Zugriff auf bestimmte Datenfelder. Das steht im Gegensatz zu einer groben Auflösung, die lediglich den Zugang zum kompletten Prozess bewilligt, mit allem, was er enthalten mag.

Es ist jedoch noch einiges zu tun, bevor sich ein solcher Ansatz auch konsequent einsetzen lässt. Zum einen gibt es noch wenig Erfahrung beim Einsatz, zum anderen sind noch einige Fragen offen, insbesondere zur Skalierung: Wie lässt sich etwa ein solches Konzept effizient einsetzen, wenn Transaktionen immer feiner und modularer werden, über traditionelle Unternehmensgrenzen hinaus verteilt sind und drastisch in der Zahl zunehmen?

Letztlich geht es aber besonders um das Vertrauen (Trust). In einer verteilten Umgebung ist es sicherlich von Vorteil, mit einem Datensatz gleich noch eine Policy mitzuliefern, die den Umgang mit den Daten regelt. Man muss sich jedoch darauf verlassen können, dass die Regeln auch eingehalten werden. Das gilt ebenso beim Einsatz von Policy Decision Points, die Anfragen zur Zugriffserteilung von Policy Enforcement Points beantworten. Man muss sich darauf verlassen können, dass die Enforcement Points die Entscheidungen von den Decision Points korrekt umsetzen.

Das verwandte Rights Managements erreicht das durch sogenannte "Trusted Clients": Man verlässt sich auf die Softwareanbieter von Client-Software (wie die DRM-Media-Player), die ihre Software angeblich ordnungsgemäß absichern. Doch für eine verteilte Umgebung, in der viele unterschiedliche Module innerhalb und außerhalb eines Unternehmens verteilt sind, gibt es zwar gute Ansätze, aber noch keine komplette und offene Lösung. Eines ist aber sicher: Daran wird fieberhaft gearbeitet.

Gerry Beuchelt - MITRE: Links for 2010-08-25 [del.icio.us]

2010-08-26T07:00:00Z

Blogs - Technology Blog and Community from IT Experts - ComputerworldUK.com
"Which Open Source Licence" Is The Wrong Question
The debate over the demise of "Open Core" has led to a reprise of "which open source license is best" arguments again. But the real driving force is not the licence; it's the equality of participants.

Gerry Beuchelt - MITRE: Preparing some paper

2010-08-26T03:24:57Z

Here is a couple of questions I'd love to put out - if you have the time, please let me know since I am genuinely curious:

Who has implemented a successfully chained service, with some propagation of identity?
If you have, what architectural approach/technology stack have you used?
How are you propagating identity - "sender vouches", "holder of key", "just trust me"?
How complex is the chain? Single step, multiple steps, complex orchestration?

There are really very few actual success stories I can find on this subject ... I have a sense why this could be, but I'd love to verify my suspicion.

Ping Talk - Ping Identity: Came. Saw. Conquered.

2010-08-25T18:26:00Z

One thing I love about technology is getting to talk to people who get dirty up to their elbows in the stuff. I enjoy writing about end-users because once warmed up they usually have some great stories and unique anecdotes to share.

Internally, we have been juicing our efforts to get more customer stories into the flow. So today’s post is as much highlighting one of those end-users – Australian telecom provider AAPT – as it is a kickoff to some customer case studies you’ll see pass through these virtual pages.

Specifically regarding AAPT, it is shooting for the cloud, literally, and aiming at being strongest out of the gate with a range of business services from authentication, to storage, to reselling Google Apps

The company is cutting its services teeth on internal adoption of Google Apps and Gmail.

Internally, the company spent five days rolling out Google Apps to 1,200 user and is in the process of rolling out 1,700 Google Gmail inboxes. User access to those services is secured with a hosted Single Sign-On service run off Ping Connect, a hosted service from Ping Identity.

Last year, however, AAPT nearly hit a nasty and potentially embarrassing roadblock. As part of a partnership with Google, AAPT was set to record a television commercial detailing how they rolled out Google Apps and secured it via Single Sign-On.

The problem was the IT architects might have been the last to know, according to David Tarrant, AAPT IT architect and a consultant on the company’s cloud build out and Google adoption.Ten days before the commercial, IT was informed of the SSO requirement and had to not only roll out software but pick a product.

Parent company Telecom New Zealand had an identity platform built on Sun Microsystems products, said Tarrant, but the estimated time to federate it with the Google platform was 2-3 months.

“So I found Ping and we had it done in 3-4 days,” he said. “As soon as I found Ping had a hosted service [PingConnect] that is what I wanted.”

But Tarrant acknowledges it was a means to an end. “We didn’t care about SSO, what is important is the same password. You don’t have to learn new passwords. And all of it falls under compliance.” And Tarrant says the Google/Ping strategy saves the IT department $252,000 per year.

Now Tarrant is eyeing the Salesforce.com users within the organization as the next project.

In parallel, the third-largest telecom provider in the country also is actively building out a commercial offering designed to provide virtual private clouds to customers. The company plans to ramp up services like desktops, applications and email. Tarrant says that should be in full swing in the next 18 months to two years.

AAPT owns and operates its own national voice and data network. It provides residential, business, government and wholesale customers with local and long distance voice, mobile, data and internet solutions.

“We don’t want to build our own authentication service we want to use somebody else’s, we don’t want to build our own Google services we want to use somebody else’s, we don’t want to build storage services we want to use somebody else’s,” said Tarrant. “We want to build relationships with cloud providers all over the world.”

And how is the cloud services build-out going?

In May, Paul Broad, CEO of AAPT made a presentation at the company’s investor briefing day and singled out content delivery and cloud computing as areas targeted to grow, highlighted Q3 as the launch of Google Apps for business users, and named Specialty Fashion Group, Rio Tinto, Austar and WPP Holdings as key new customers.

Follow John on Twitter and check out our Identity-Conversation Tweet list

Marc Canter - Broadband Mechanics: FYI book v3

2010-08-25T15:49:38Z

All the chapters have been reordered - it’s much more comprehensible now!

We’re doing a dress rehearsal tonight at the WOW (Wade Oval Weds) at 7:15

FYI by Marc Canter and Christian Nieves | Make Your Own Book

Identity 360 - Imprivata: Imprivata Announces Healthcare Advisory Board

2010-08-25T13:02:58Z

Healthcare Executives, Industry Experts and Thought Leaders Address Healthcare IT Challenges, Trends and Priorities for Improving Clinician Workflow and Securing Patient Data

Vittorio Bertocci - Microsoft: Infographic: IPs, Protocols & Token Flavours in the August Labs release of ACS

2010-08-25T08:10:31Z

The newest lab release of ACS shows some serious protocol muscle, covering (to my knowledge) more ground than anything else to date. ACS also does an excellent job in simplifying many scenarios that would traditionally require much more thinking & effort: as a result, it is very tempting to just think that any scenario falling in the Cartesian product of possible IPs, protocols, token types and application types can be easily tackled. Although that is true in principle, in reality there are uses and scenarios that are more natural and easier to implement. Discussions about this, in a form or another, are blossoming all over the place both internally and externally: as a visual person I think that a visual summary of the current situation can help to scope the problem and use the service more effectively. Here there’s my first attempt (click for bigger version).

I am fairly confident that this should be correct, I discussed it with Hervey, Todd and Erin, but there’s always the possibility that I misunderstood something.
There’s quite a lot of stuff in there, let me walk you through the various parts of the diagram.

The diagram is partitioned in 3 vertical disjointed regions: on the left there are all the identity providers you can use with ACS, on the right the applications that can trust ACS; and between them, there is ACS itself. On the borderline between ACS and your applications there are the three issuing endpoints offered by ACS: the WS-Federation endpoint, the WS-Trust endpoint and the OAuth WRAP one. Here I didn’t draw any of the ACS machinery, from the claim transformation engine to the list of RP endpoints; it’s enough to know that something happens to the claims in their journey from the IP to the ACS issuers.

The diagram is also subdivided in 3 horizontal regions, which represent the kind of apps that are best implemented using a given set of identity providers and/or protocols. The WS-Federation issuer is best suited for applications which are meant to be consumed via web browser; WS-Trust, and the OAuth WRAP profiles that ACS implements, are ideal for server to server communications; finally, WS-Trust is also suitable for cases in which the user is taking advantage of rich clients. This classification is one of the areas of maximum confusion, and likely source of controversy. Of course you can use WS-Federation without a browser (that’s what I do in SelfSTS), of course you can embed WS-Federation in a rich client and use a browser control to obtain tokens; however those require writing custom code, a very good grasp of what you are doing and the will to stretch things beyond intended usage, hence I am not covering those here.

Let’s backtrack through the diagram starting from the ACS issuer endpoints.

The WS-Federation endpoint is probably the one you are most familiar with; it’s the one you take advantage of in order to sign in your application by leveraging multiple identity providers. It’s also the one which allow you a no-code experience for the most common cases, thanks to the WIF SDK’s Add STS Reference wizard.
You can configure that endpoint to issue SAML1.1, SAML2 and SWT tokens. The latter can be useful for protocol transition scenarios, however remember that there’s no OOB support for the format.
The sources here are the ones you can see on the portal, and the ones that the ACS-generated home realm discovery page will offer you (if you opted in). Every IP will use its own protocol for authentication (Google and Yahoo use OpenID, Facebook uses Facebook Connect, ADFS2 uses whatever authentication system is active) but in the end your application will get a WS-Federation wresult with a transformed token. It should be noted that “ADFS2” does not strictly indicates an ADFS2 instance, anything that can do WS-Federation should be able to be used here.

The WS-Trust endpoint will issue tokens when presented with a token from a WS-Trust identity provider, that is to say an ADFS2 instance (or equivalent, per the earlier discussion). It will also issue tokens when invoked with username and password associated to a service identity, static credentials maintained directly in ACS.

The OAuth WRAP endpoint will issue SWT tokens when invoked with a service identity credential; it will also accept SAML assertions from a trusted WS-Trust IP, pretty much the ADFS2 integration scenario from V1. Note that the profiles supported by ACS are server to server: the username & password of a service identity are not user credentials, but the means through which a service authenticates with another (including cases in which the user does not even have a session in place).

That’s it, that should give you a feeling of the scope of what you can do with this release. I’ll probably add to this as things more forward. Have fun!

Kuppinger Cole: Martin Kuppinger: Virtualisierung: Nicht immer nützlich

2010-08-25T07:38:18Z

In Kuppinger Cole

Das Konzept der Server-Virtualisierung hat sich durchgesetzt. Zu Recht, wenn man eine ausreichende Zahl von Servern hat. Denn damit lassen sich die physischen Server besser und flexibler auslasten. Dass sich auch unterschiedliche Betriebssysteme einfacher nebeneinander betreiben lassen und dazu noch die Betriebssysteme von der physischen Hardware entkoppelt werden und damit die Hardware einfacher gewechselt werden kann, ist ebenso ein feiner Nebeneffekt wie die Vorteile für die Verfügbarkeit durch den Wechsel auf andere Hardware.

Storage-, Desktop- und Application-Virtualisierung
Inzwischen gewinnen auch die Storage-, Desktop- und Application-Virtualisierung immer mehr an Bedeutung. Nur: Machen diese Ansätze genauso viel Sinn? Gerade bei der Desktop- und Anwendungsvirtualisierung muss man sich diese Frage stellen, denn hier gibt es berechtigte Zweifel. Die Storage-Virtualisierung – wie beim Server am Backend – ist dagegen im Grundsatz durchaus sinnvoll.

Kein klarer Nutzen bei der Desktop-Virtualisierung
Ganz anders stellt sich die Situation bei der Desktop-Virtualisierung dar. Desktop-Virtualisierung ist zum aktuellen Zeitpunkt vor allem auf die Bereitstellung weniger Varianten von relativ einheitlichen Systemumgebungen ausgerichtet. Das bekommt man aber mit Terminaldiensten und auch mit klassischem Client Lifecycle Management gut in den Griff.

Die Variantenvielfalt bei den Benutzern, die sich nicht in das Standard-Raster pressen lassen, ist aber damit nicht effizient beherrschbar – und für mobile Benutzer steckt die Technologie auch noch in den Kinderschuhen. Desktop-Virtualisierung bringt durchaus einige Vorteile. Aber so klar wie auf der Server-Seite ist der Nutzen nicht. Deshalb sollte man Desktop-Virtualisierung auch eher als eine Deployment-Option für Client-Systeme sehen und nicht als die perfekte Lösung.

Hoher Aufwand für Anwendungsvirtualisierung
Auch bei der Anwendungsvirtualisierung ist eine kritische Distanz sicher kein Fehler. Wenn Unternehmen darüber nachdenken, gerade die Standard-Anwendungen wie Office-Anwendungen zu virtualisieren, stellt sich doch sehr deutlich die Frage nach dem Warum.

Denn diese Anwendungen lassen sich einfach in virtualisierten Desktops oder über die Software-Verteilungsfunktionen auf physische Desktops verteilen. Interessant wird es eigentlich erst mit Anwendungen, die nur Teile der Benutzer benötigen – und das nicht dauernd.

Diese Anwendungen bereitzustellen und auch zu deinstallieren ist die eigentliche Herausforderung. Gerade bei solchen Anwendungen darf man aber auch den Bereitstellungsaufwand bei der Anwendungsvirtualisierung nicht unterschätzen. Und gerade bei spezialisierten Anwendungen kann man auch eher auf Kompatibilitätsprobleme stoßen.

Die Marketing-Versprechen der Hersteller
Letztlich empfiehlt sich gerade am Frontend eine gewisse Skepsis gegenüber den Marketing-Versprechen der Hersteller. Denn nicht alles, was am Backend Sinn macht, stiftet auch beim Client einen vergleichbaren Nutzen. Zudem ist die Variantenvielfalt beim Client auch schwieriger zu beherrschen. Hier geht es eher um ein Sowohl-als-auch als um ein Entweder-oder.

Drummond Reed - Cordance: Finally Taking Off a Hat

2010-08-25T05:27:15Z

When the Information Card Foundation (ICF) and OpenID Foundation (OIDF) launched the Open Identity Exchange (OIX) at RSA on March 2, I temporarily added the hat of OIX Executive Director. ICF agreed to loan me half time to OIX to work through the startup stages of establishing the industry’s first open trust framework platform provider. For its part, OIDF contributed the time of OIDF Executive Director Don Thibeau to serve as OIX President and board chair, and it has been a tremendous pleasure working with Don, OIX counsel Scott David, and Global Inventures program manager John Ehrig to lay the foundation for OIX.

Now, with the announcement at last month’s Burton Catalyst conference that AT&T has joined OIX, that several new OIX Working Groups are starting up, and that OIX and Kantara have begun collaborating on trust framework infrastructure, the startup phase of OIX is over, and I can finally take off the OIX ED hat.

This does not mean I will be any less involved with OIX, however. On the contrary, as I have been blogging throughout this year, the need for a particular trust framework—one governing data exchange with personal data stores (PDX)—is becoming acute. That need also intersects directly with the work I’ve been doing on the XDI data sharing protocol at OASIS since 2004.

So as fast as I’m taking off the OIX ED hat, I’m preparing to take on another one spearheading the development of a PDX trust framework at OIX. This will be one of the key topics both at the VRM+CRM conference in Boston this coming Thursday and Friday, and also at the Internet Identity Workshop East on September 9 and 10 in D.C. following Gov 2.0.

If you are attending either event and want to know more about PDX and the PDX trust framework, please come to the open space sessions we’ll be holding.

Paul Madsen: New line of greeting cards

2010-08-24T22:56:27Z

Posted via email from Pre(posterous)

Ping Talk - Ping Identity: Got trust?

2010-08-24T21:03:00Z

This morning I got a reminder why trust is such an important part of the identity architecture that is being constructed as corporations begin to understand concepts from federation to cloud computing.

In fact, why trust is an indispensable tool for any architecture, organization or society.

Here in Denver, the city’s safety manager Ron Perea resigned last night after being engulfed in a controversy over the discipline he handed police officers involved in abuse cases involving citizens.

Perea told his boss, Mayor John Hickenlooper, that he didn’t think he could rebuild trust with the public after his decision not to fire two police officers caught on video tape beating a young man.

"Once he put it in that context, it was hard to argue with," Hickenlooper told the Denver Post. "It would be very difficult to rebuild after all the events of the last four or five days. It would be very hard to rebuild that trust."

Three months on the job and Perea, the former head of the Los Angeles office of the U.S. Secret Service, knew that a public that distrusted him made impossible his job of ensuring safety.

Without trust, all is lost.

The same is true whether you’re protecting the streets of a city or the virtual pipes of a global distributed network.

PayPal’s Andrew Nash described to me a few months ago how a collection of trust brokers on the Internet were needed to create any sort of relevant connections online. In other words, without trust between parties, between machines, nothing of significance gets done.

A few days ago, a panel of experts on a Webinar on Federal News Radio concluded that trust was indeed the next killer app. They talked about integrity, policies, transparency and just the plain fact that people will need a system that allows them to trust other people.

At Ping’s recent Cloud Identity Summit, Accenture’s Mike Neuenschwander told the audience, "If we are going to have an environment of any-to-any and not repave existing partnerships, the industry has to develop a systematic approach to trust."

Trust frameworks were a foundational element of the Obama administration’s recent National Strategy for Trusted Identities in Cyberspace (NSTIC).

Get yourself plugged into the work of groups like Kantara, InCommon and the Open Identity Exchange (OIX), which was approved by the federal government in early March to certify online identity management providers.

Trust me, watch this space.

Follow John on Twitter and check out our Identity-Conversation Tweet list

Phil Hunt - Oracle: Pulling For Change

2010-08-24T19:46:12Z

This past spring, several organizations began a discussion on the SAML TC about the possibility of adding subject and attribute management functions to SAML. The proposal was the subject of a some debate. Why was this an important requirement? Why not use SPML or other protocols? After considering several possibilities, a new concept emerged called "Change Notify" which suggests converting identity management operations from state-based explicit adds/modifies/deletes to pull based operations that could enable identity changes to be exchanged between partners in federated scenarios.

Before we talk about the new proposal, let's cover some of the discussion about why the state-basedm, push solutions wouldn't work.

Yes, Updates Happen

There was agreement that there are lots of scenarios where updates of some kind are needed. A web retailer, after completing a sales process with a user, might want to have some method to update a shipping address at a customer's IDP after the user indicated the address was out-of-date. An Identity Provider might want to notify relying parties with retained data of important changes. An enterprise might want to notify a cloud service provider that the employee has changed roles or has been retired.

Some of you may be asking, but why is this an issue? Shouldn't applications avoid retaining data from Identity Providers? There is often a need for some data to be retained. Applications may need to retain data because of complexity with other integrated systems. It might be needed for offline processing (where backend calls to the identity provider aren't practical or possible). Consider that business applications often generate application specific data that is tied to individuals (purchase history, reputation, to name a few) and is not associate with data originating at an identity provider. Because of this, even in a so-called "zero data" scenario where applications retain no federated data about users, there is still one key update that cloud applications often need: the de-provisioning update. How does an enterprise, acting as an Identity Provider, notify a web service provider that an employee has retired?

Why Traditional IDM Protocols Won't Work

We realized that traditional "push" approaches of adds/modifies/deletes would probably not function well because traditional enterprise approaches assume an updater has full knowledge of the target identity to be updated. Yet, by design, federated systems work at arms reach. Identity Providers have many relying parties and thus support many federated relationships.

Conversely a service provider can have many organizations, each with their own identity provider as clients. Or, even more complex, individuals may have a relationship with a service provider having nothing to do with their employer. Cell phones come to mind as an industry where there is often both an employee and personal relationship with a telephone company. Because of this, the state of an personal information and relationships in a federated system are not assured, and thus they cannot be assumed to be fact. Traditional "state" based approaches will run into issues such as adds of entries that already exist, or modify operations failing because an entity no longer exists.

Are we saying that state based protocols aren't useful? Quite the contrary. State-based protocols work very well inside the enterprise environments. They can also work in some federated scenarios where there is tight agreement between business partners. But assumptions about "state" begin to break down when you consider that federated business entities are working independently of each other.

Pulling For Change

It was interesting timing that Bob Blakley, Gerry Gebel, and my colleague Nishant Kaushik blogged recently on Pull vs. Push. While our requirements were focused on how to share ongoing updates to federated entities, there seems to be some natural alignment in thinking going on. For it was a "pull" oriented solution proposed to the SAML TC in July just prior to the Catalyst conference. The Change Notify specification allows one party to notify another about a change without actually pushing raw data. Rather then "push" a transaction, the initiating party simply pushes a notification. The receiver can then simply "pull" data using a protocol of its choosing. A few important observations:

There is no rigid assumption of state between parties
The modify operation is converted into a simple "read" by the pulling entity.
The change notification is relatively lightweight and doesn't need to carry data values other then references to the entity being modified.
The technique can be applied to almost any federation protocol.
There is flexibility to switch protocols.

The initial Change Notify proposal can be found here.

Since publication to the SAML TC there has been some broader interest in building a lighter weight profile supporting a simple HTTP binding, REST, or JSON. While SAML adds a lot of messaging security, there is argument to be made that Change Notify can run in lighter weight implementations. These comments seem reasonable. I'm looking for your thoughts on how we can broaden this proposal in a multi-protocol way. Would people like to discuss the proposal at the next west coast IIW? Feel free to comment!

Phil Windley - Kynetx: CTO Breakfast this Thursday: The Once and Future Web

2010-08-24T19:45:25Z

The CTO Breakfast will happen this Thursday at 8am in the cafeteria at Novell's Provo Campus. As usual, we'll talk tech; so bring interesting topics you'd like to discuss.

Anyone interested in how information technology is used to build products or run companies. Despite it's name, you don't have to be a CTO to attend--just interested in technology, where it's headed, and the problems of starting and building a high-tech business in Utah.

There's a calendar of upcoming CTO Breakfast events if you'd like to subscribe.

At this CTO Breakfast, Sam will have a special demo of some cool ideas we've been working on at Kynetx that foreshadows the future Web and the role personal data can play. This will blow your mind.

Ping Talk - Ping Identity: Provisioning searching for door out of no man's land

2010-08-24T18:10:00Z

Standards-based provisioning, which is lining up to be the next major evolution of cloud computing, is facing some significant gyrations in the near future.

Major players staking major bets on the cloud want to see something get done given that SPML 2 has not garnered any takers. Cloud providers need a standard specification that speaks squarely to their particular use cases.

Large enterprises need reliable, standards-based tools for deploying users in mass to cloud applications in order to preserve cost and agility benefits.

Will the solution eventually be an evolution of SPML, the OASIS Provisioning Services Technical Committee is going again after a near death experience, or will something different come to pass?

Those with provisioning on their minds met in July at the Burton Catalyst Conference as part of a special interest group (SIG). Burton analyst Mark Diodati was tasked with writing up a statement for the group, which he published a few days ago on his blog.

The conclusion is that work should revert to the basics, Diodati wrote. “The next iteration of SPML should focus on solving ‘the connector problem’ and provisioning use cases for cloud-based applications.”

Diodati said 11 of the 12 participants, which are listed on his blog, agreed that a standards-based provisioning protocol is needed, and that it is best to evolve the SPML standard rather than introduce a new one.

Prateek Mishra, product manager for Oracle identity management and a major contributor to the SAML specification, said on the OASIS TC mailing list that Oracle is opposed to a new version of SPML. “This is a very large effort and typically takes 3-4 calendar years and dozens of person years to complete.” Oracle would like to evolve SPML and focus on specific use cases that are “important to the community.”

But Diodati noted that one SIG participant, Chuck Mortimore from Salesforce.com, had still not made a decision one way or the other.

Mortimore is not alone. His stance aligns with some of what I heard at Catalyst.

Some of the big cloud vendors are not yet convinced that SPML can meet their requirements. One vendor told me that there is also concern that SPML comes with a lot of baggage.

But there is agreement that provisioning is a sore spot for cloud providers who need an answer to customer questions about on-boarding users in an efficient and relatively painless manner. SPML 2 failed at passing the acid test on those requirements.

Does a provisioning standard need to be hashed out among an independent group of motivated participants who can set a framework and then move it into a more formalized standards body for critique and refinement?

That is how it worked with many of the early SOA standards that Microsoft and IBM developed. Not all survived scrutiny, but many are still around today after going through the wash at standards bodies.

The notion of an independent group framing a provisioning specification is a 180-degree turn from the path SPML has taken. The specification was incubated at OASIS.

In May, Richard Sand, CEO for Skyworth TTG and the co-chair of the revised OASIS Provisioning Services TC, told me his goal for a “SPML 3.0” would be to ignore compatibility with 2.0 and adopt only “building blocks” from the existing work.

He said he would like to simplify some of the use cases and add some higher level ones. In addition, he favors REST over SOAP.

But what he needs is support for a majority of the major cloud vendors – including Microsoft, Google and Amazon. None of those companies were part of the Catalyst meeting nor are they currently part of the OASIS TC.

Consensus and forward progress needs to come quickly, however.

As one vendor told me, “We can’t defer this problem any longer.”

Where do you stand? Should SPML be revived and revised? Or should something new be created that might better align with the rise of cloud computing?

Follow John on Twitter and check out our Identity-Conversation Tweet list

Identity 360 - Imprivata: HIPAA NEWS - Survey Says Preventing HIPAA Data Breaches is the No.1 Concern in Healthcare IT

2010-08-24T18:06:21Z

http://hipaanews.net/archives/2010/08/18/survey-says-preventing-hipaa-data-breaches-is-the-no-1-concern-in-healthcare-it/

Nishant Kaushik - Oracle: Upcoming Webcast on Service-Oriented Security

2010-08-24T17:16:51Z

You’ve seen me blog a whole lot about Service-Oriented Security over the years; now you can also hear me talk about it. I’ll be doing a live webcast on “Service-Oriented Security: Blazing a New Trail of Innovation in Application Security” on Wednesday, August 25th (that’s tomorrow!) at 11:00 a.m. PT/2:00 p.m. ET . In it, I and my colleague Bharath Shashikumar will talk about how SOS offers a revolutionary architectural approach to efficiently develop security as discrete reusable services – resulting in faster development lifecycles, better IT agility and dramatically lower integration costs. You can get more information on the webcast here and register to attend for free here.

And if there are any questions you want to ask me, then ask them during the webcast, or send them my way ahead of time via twitter.

Tags: Application Security, Application-Centric IdM, Service-Oriented Security

Nishant Kaushik - Oracle: Pushing forward on Standards-based Provisioning

2010-08-24T15:57:18Z

Lest all the recent posts about “pull”-based identity make you think that I have completely forgotten about good old “push”-based identity provisioning, here is some news on that. As I have discussed here in the past, SPML has been under a cloud in recent years, with low adoption and a litany of issues being documented. At the same time, the need for a standards-based approach has never been clearer. So something needs to be done.

This was the topic of discussion at a SIG on Standards-based Provisioning organized by Gartner’s Mark Diodati at the recent Catalyst conference. The meeting was attended by some really smart folks in the community, and engendered a lively discussion on the future of SPML and the direction it should take. Mark has published a statement on the Gartner blog network that reflects the outcome of the discussion. Given the recent reboot of the Provisioning Services Technical Committee at OASIS, this is an important document for everyone concerned to read.

One of the most important points raised during the meeting was this:

In trying to address every possible use case, interoperable provisioning services leveraging the SPML v2 standard became impractical. Since the approval, few (if any) conformant implementations exist due to the complexity of the v2 standard.

The path to success in the standards world is based on a focused approach to solving specific use cases. No standard can be all things to all people, and with provisioning in particular, we need to recognize that there are different approaches that solve the challenge in optimal ways for their use cases (my recent assertion regarding IGF as underlying pull-based provisioning is an example). So there need to be an effort to continue refinement of SPML 2.0, making it simpler to implement and based on specific use-cases that are of interest to the community. If you have such use-cases, please consider joining the discussion within the PSTC and submitting them there. There is much that needs to be done.

And a big thank you to Mark for pulling together the SIG. It was an excellent and timely effort, one that I hope proves instrumental in accomplishing it’s goal.

Tags: Burton Catalyst Conference, Cat10, Provisioning, SPML

Kim Cameron - Microsoft: Non-Personal Information - like where you live?

2010-08-24T14:56:08Z

Last week I gave a presentation at PII 2010 in Seattle where I tried to summarize what I had learned from my recent work on WiFi location services and identity. During the question period an audience member asked me to return to the slide where I recounted how I had first encountered Apple’s new location tracking policy:

My questioner was clearly a bit irritated with me, Didn’t I realize that the “unique device identifier” was just a GUID - a purely random number? It wasn’t a MAC address. It was not personally identifying.

The question really perplexed me, since I had just shown a slide demonstrating how if you go to this well-known web site (for example) and enter a location you find out who lives there (I used myself as an example, and by the way, “whitepages” releases this information even though I have had an unlisted number…).

I pointed out the obvious: if Apple releases your location and a GUID to a third party on multiple occasions, one location will soon stand out as being your residence… Then presto, if the third pary looks up the address in a “Reverse Address” search engine, the “random” GUID identifies you personally forever more. The notion that location information tied to random identifiers is not personally identifiable information is total hogwash.

My questioner then asked, “Is your problem that Apple’s privacy policy is so clear? Do you prefer companies who don’t publish a privacy policy at all, but rather just take your information without telling you?” A chorus of groans seemed to answer his question to everyone’s satisfaction. But I personally found the question thought provoking. I assume corporations publish privacy policies - even those as duplicitous as Apple’s - because they have to. I need to learn more about why.

[Meanwhile, if you're wondering how I could possibly post my own residential address on my blog, it turns out I've moved and it is no longer my address. Beyond that, the initial "A" in the listing above has nothing to do with my real name - it's just a mechanism I use to track who has given out my personal information.]

Mark Dixon - Sun: Stuxnet Worm: Hijacking Critical Infrastructure

2010-08-24T03:29:32Z

CNET published a thought-provoking article last week, about Stuxnet, a sophiscated software worm that “targets critical infrastructure companies.” It “doesn’t just steal data, it leaves a back door that could be used to remotely and secretly control plant operations.”

This complex software is targeted not at desktop or laptop PC’s, but at industrial control systems. It has infected systems particularly in Iran and India, but also companies in the US.

The malware, which made headlines in July, is written to steal code and design projects from databases inside systems found to be running Siemens Simatic WinCC software used to control systems such as industrial manufacturing and utilities. The Stuxnet software also has been found to upload its own encrypted code to the Programmable Logic Controllers (PLCs) that control the automation of industrial processes and which are accessed by Windows PCs. …

An attacker could use the back door to remotely do any number of things on the computer, like download files, execute processes, and delete files, but an attacker could also conceivably interfere with critical operations of a plant to do things like close valves and shut off output systems

The eCommerce Times commented:

“The Stuxnet worm, which targets industrial control systems, or "SCADA" systems, is one of the most sophisticated bits of digital malware security researchers have come across in a long time. Now, those researchers want to know where it came from. Was Stuxnet the product of a den of hackers working on their own accord, or did a national government somewhere in the world have a hand in its creation?

"Given the sophistication and organization behind it, we highly suspect it has nation-state involvement rather than being a tool for competitive intelligence," Roel Schouwenberg, a senior antivirus researcher with Kaspersky Lab, told TechNewsWorld.

In a recent post, I quoted a report entitled, “21 Steps to Improve Cyber Security of SCADA Networks,” where the US Department of Energy stressed the importance of security in control systems:

The U.S. energy sector operates the most robust and reliable energy infrastructure in the world. This level of reliability is made possible by the extensive use of Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), and other control systems that enable automated control of energy production and distribution. These systems integrate a variety of distributed electronic devices and networks to help monitor and control energy flows in the electric grid and oil and gas infrastructure.

Automated control has helped to improve the productivity, flexibility, and reliability of energy systems. However, energy control systems communicate with a multitude of physically dispersed devices and various information systems that can expose energy systems to malicious cyber attacks. A successful cyber attack could compromise control systems and disrupt energy networks and the critical sectors that depend on them.

Securing control systems is a key element in protecting the Nation’s energy infrastructure. The National Research Council identified "protecting energy distribution services by improving the security of SCADA systems" as one of the 14 most important technical initiatives for making the nation safer across all critical infrastructures.

By targeting systems that control vital parts of a nation’s critical infrastructure, this worm is an example of how increasingly sophisticated technology can be used as an offensive weapon. Lots of questions still exist about this specific worm, but it really illustrates how we must be concerned about the security of all computer-based systems, not just those in data centers.

Somehow, this causes more concern in my paranoid mind than vulnerabilities in my iPhone.

Technorati Tags: Information Security,SCADA,Worm,Malware,Critical Infrastructure Protection

Vittorio Bertocci - Microsoft: SelfSTS: when you need a SAML token NOW, RIGHT NOW

2010-08-23T23:15:06Z

A little new toy for you claims-based identity aficionados to play with! Available here.

Tokens are the currency on the identity market. Any identity solution you develop will require you to acquire & consume tokens (& associated claims) at some point.
ADFS2 is super-easy to install, but does require Active Directory and as a result it is not always readily available at development time, especially if you are not targeting a departmental application or a classic federation scenario. And even in that case, you don’t always have a test endpoint set up. When you test a payment service you don’t move real money right away, there’s no reason to do the same with identities: do you have a test account for all the role values you want to test?
The standard solution, one that has been used big time also in out training kit and other examples, is creating a custom STS. Almost three years have passed since the very first preview we gave in Barcelona of what became WIF, and I still remember Barry in the first row facepalming at the sight of one STS built in under 10 minutes. Well, with the WIF SDK tooling now that happens in seconds (or less, if your machine has an SSD ;-)) hence it’s incredibly easy to set up a test STS. However, after you’ve done that hundreds of times (and believe me, I did) even that can start to wear you off; writing new fed metadata every time you change something takes time; and above all, creating many custom STSes can litter your IIS and certificates stores if you are not disciplined in keeping things clean (I’m not). Also, if you are packing your solution for others (in my case for making labs and sample code available to you, more commonly you need to do that when something is not working and you want the help of others) you need to include some setup, which has requirements (IIS, certificate stores, etc) and impact on the target machine.

Well, enter SelfSTS.

SelfSTS is a little winform app which will not deny a token to anyone. It’s an EXE which exposes one endpoint for a passive STS, and one endpoint with the corresponding fed metadata document. The claim types and values are taken from a config section, which can be edited directly in the SelfSTS UI. The tokens are signed with simple self-signed certificates from PFX files, the certificates tore remains untouched. You can even create new self-signed certs with a simple UI, instead of risking to conjure mystical beasts by mistake if you write the wrong makecert parameter.

With SelfSTS you can produce test input for your apps very easily: you start it, point the Add STS Wizard to to the metadata endpoint, and hit F5. If you want the token to have a different claim type or value, you just go to the claims editing UI and change things accordingly. If you need more than one STS at once, you just copy the exe, the config and the PFX certificate you want to another folder, you change the port on which the STS is listening and you fire it up; here you go, you can now do all the home realm discovery experiments you want. I already heard people considering to use this for testing SharePoint even in situations in which you don’t have the WIF SDK installed: that’s right, it just requires the WIF runtime! I am sure you’ll come out with your own creative ways to use that. I am even considering using it instead of many of the custom STSes in the next drops of the training kit…

I feel silly even at having to say that, but for due diligence… SelfSTS is obviously ABSOLUTELY INSECURE. It is just a test toy, and as such it should be used. It gives tokens without even checking who the caller is, and it does that on plain HTTP. It signs tokens with self-signed certificates, and it stores the associated passwords in the clean in the web config. It is the very essence of insecurity itself. Do not use it for anything else than testing applications at development time, on non production systems.

Below there’s an online version of the readme we packed in the sample. Have fun!

Overview

Securing web applications with Windows Identity Foundation require the use of an identity provider, which may not always be available at development or test time. The standard solution to the issue is creating a test STS. The WIF SDK templates make it very easy to create a minimal STS; however it requires you to write code for customizing the claims it emits and, if you want to be able to use the WIF tooling to its fullest, customize the metadata generation code. What’s worse, you need to repeat the process for every new application.

SelfSTS is a quick & dirty utility which provides a minimal WS-Federation STS endpoint and its associated federation metadata document. You can use SelfSTS for testing your web applications by simply pointing WIF’s Add STS Wizard to its metadata endpoint.

Figure 1
The main SelfSTS screen

SelfSTS is a simple .EXE file, which does not require IIS and never touches the certificates store. There is no installation required, you just need the .EXE file itself, its configuration file and the PFX file of the certificate you want to use for signing tokens. Its only requirements are .NET 4.0, the WIF runtime and (if you want to generate extra certificates) the Windows SDK.

SelfSTS provides a simple UI for easily editing the types and values of the claims it will emit: the metadata document will be dynamically updated accordingly.

SelfSTS offers a UI for simplified creation of self-signed X.509 certificates, which you can use if you need to use a signing certificate with a specific subject or if for some reason you cannot use the certificate provided out of the box.

WARNING: SelfSTS is not, and is not meant to be, secure by any measure. All traffic takes place in the clear, on HTTP; requests are automatically accepted regardless of who the caller is; certificates are handled from the file system, without specific passwords protections. This is all by design, SelfSTS is just meant to help you to test web applications by providing you with an easy way of obtaining tokens via WS-Federation.

Using SelfSTS

The simplest way of using SelfSTS is launching the .EXE, hitting the start button (marked as (a) in figure 2), using the (e) button for copying to the clipboard the metadata address, and pasting that address in the Add STS Reference wizard in your web application. Just hit F5 and you’ll get your token right away: SelfSTS does not attempt any form of authentication.

Figure 2
The elements of the main SelfSTS UI and their function

The button Hide (f) will minimize SelfSTS to the system tray, but the endpoint will remain active until you don’t hit the button Stop again.

If you want to configure things by hand, you can get the endpoint address in the clipboard via (d). The details of the signing certificate are shown on the UI, but remember that the certificate itself is not present in the store.

Editing Claims

You can easily change the claim types and values issued by SelfSTS.

Figure 3
The Edit Claims Dialog

Clicking on (b) from Figure 2 opens the dialog shown in Figure 3.

You can edit existing claims in place through (a), (b) and (c). (a) is a dropdown populated with all the claim types which come out of the box with WIF; however you can explicitly type in (a) an arbitrary URI if you need to define a custom claim.

If you want to delete a claim entry you can just press on the corresponding X button (d).

You can add a new entry using the button add (e): of course you can have as many instances of the same time as you want (for example, you will often have multiple entries with the Group claim type).

If you hit Save the current configuration will be committed to the config file of SelfSTS. Please consider that SelfSTS does not make a lot of validation checks, hence if you leave things in messed state you may have to go to the config and fix things manually afterwards.

If you hit Cancel you’ll be back to the main UI, and all the changes will be lost.

Generating a New Certificate

SelfSTS comes with its own default certificate file. However there will be times in which you will want to use a different certificate, for example if there is a specific subject you want to assign to the issuer or if you need to simulate multiple issuers.

SelfSTS offers you a wrapper on top of MakeCert and similar utilities, allowing you to easily create a new self-signed certificate.

Figure 4
The New Certificate Generation Dialog

One interesting side effect of generating a PFX is that the underlying utilities will prompt you for the certificate password multiple times, as shown in Figure 5. Make sure you always use the same password!

Figure 5
Creating a new certificate will result in multiple password prompts

Once the certificate generation is done, SelfSTS changes its config accordingly and will use the new certificate for signing form now on. The certificate password is saved in clear in the config.

WARNING: Needless to say, this is all astonishingly insecure. SelfSTS is not meant to provide a token securely, or to have access to certificates actually in use for business functions. NEVER use a certificate that has actual business uses with SelfSTS.

SelfSTS Configuration Section

The SelfSTS UI is largely an editor for the SelfSTS custom config section. There are things you can do only by touching the config directly.

<SelfSTSSettings port="8000"
                 signingcertificate="SelfSTS.pfx"
                 signingcertificatepassword="Passw0rd!"
                 issuername="SelfSTS">
  <claims>
    <clear />
    <add type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"          displayname="Email Address" value="test@company.com" />
    <add type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"          displayname="Given name" value="Joe" />
    <add type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"          displayname="Surname" value="Doe" />
    <add type=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone         displayname="Other Phone" value="555-5555-5555" />
    <add type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"          displayname="Name" value="joe" />
    <add type="http://schemas.xmlsoap.org/claims/Group" 
         displayname="Group" value="Sales" />
  </claims>
</SelfSTSSettings>

The config format is very straightforward.
You might want to edit the config directly if you want more than one instance of SelfSTS to run at the same time (in which case you can just copy the exe and the config in a new folder, and edit the port value to avoid collisions). You might also want to edit the config for pointing to a certificate you already have as opposed to the default or newly generated ones (NEVER use a certificate you are using in production or that has any business value).

Finally, sometimes you may end up in a messed state when using the UI (say if the certificate generation fails at mid-operation) and you may come here to fix the values before being able to restart SelfSTS.

Summary

SelfSTS can help you to test your web application by providing a WS-Federation endpoint readily available and with little/no infrastructure requirements. Please use it only in test and dev environments and exclusively with self-issued certificates.
SelfSTS will help you to experiment with WIF and claims-based identity without worrying about finding a token source to test against. Have fun!

Gerry Beuchelt - MITRE: An annoying Neverending Story: REST vs. SOAP

2010-08-23T21:27:45Z

Who does not know and dread the recurring discussion of a topic long thought dead? The most egregious one lately was a discussion about the applicability of RFC 2119 to a particular standard I was working on (to protect the innocent I will not disclose the name of the SDO) - the last time I had a discussion about the meaning of "SHOULD" was about 11 years ago... sigh!

But this is not the reason for my current urge to vent - a bug long thought dead is reappearing once more: the old discussion about REST vs. SOAP. It is really annoying for two reasons. Firstly, it is settled - both have their place, and pitting them against each other is pointless. But secondly, posing the question of "Is SOAP or REST better?" is - to paraphrase Mona Lisa Vito - a bu****it question.

Representational State Transfer (REST) is an architectural style, i.e. a general approach on how to design distributed computing architecture. While it was initially described by Roy Fielding using HTTP, and also uses constraints familiar from the web, it is not tied to a particular technology.

The Simple Object Access Protocol (SOAP) is - in contrast - a specific technology; more precisely an XML based protocol designed to transport data across a variety of different underlying transports. In real-world deployments it often uses HTTP (actually almost exclusively its POST method) as underlying transport for the SOAP Infoset. The architectural style used by many (if not most) SOAP designs is best captured by describing it as remote procedure call (RPC) oriented [1].

So a correct (in the sense of "apples to apples") comparison would align itself along the lines of comparing HTTP web service using an RESTful architectural style with SOAP web services using an RPC-based architectural style. A simple, incomplete table might look like this:

Architectural Style	RPC	REST
Commonly used protocol	SOAP over HTTP/POST	HTTP
Common payload	XML	Any Internet Media TYpe
Number of methods/verbs	many	four (PUT, GET, POST, DELETE)
Scalability technology	ESB	Load balancer

That's it - rant over.

[1] Note that while SOAP operates typically in two different modes (rpc/encoded and doc/literal), these have nothing to do with the architectural style of the distributed design.

Mark Wilcox - Oracle: What To Do When You Cannot Login to Oracle Directory Server Manager (ODSM)

2010-08-23T21:15:34Z

By default during an ODSM install Weblogic will configure the managed node that is running ODSM so it's only able to accept incoming connections from browsers running on the same machine as Weblogic.

Assuming that's not the behavior you want (usually expressed by "Why can't I get to ODSM from my laptop or desktop") here is how to fix it:

Go to weblogic console( http://emservenamer:7001/console).

Go to wls_ods1 (make sure it's running).

Make sure the field listen address is empty (you'll need to click lock & edit, then edit, then save).

Restart the wls_ods1 if weblogic console doesn't do this for you.

Posted via email from Virtual Identity Dialogue

Radovan Semančík - nLight: Identity Garbage

2010-08-23T21:09:33Z

Recent discussions are about whether push or pull is the right model for future identity management. Unpractical standards are being revived. Everybody discussing the technology, the future, the visions. There is almost no discussion about the most difficult current problem of identity management: data.

There is (at least) one critical problem with implementation of single sign-on, identity federation, provisioning to the cloud and other fancy buzzwords. The problem is user database. It is not that difficult to deliver the information that someone should have access somewhere using whatever push, pull, standard or proprietary method - as long as you have that information. The reality is that enterprises does not have that information in a usable form. It is almost always distributed in several data stores, usually provided in incompatible formats, it is often inconsistent and sometimes even contradictory. And it is far from complete. Many provisioning cases are solved by non-algorithmic methods, e.g. manager or security officer deciding whether the request "looks valid enough" to be approved. The current situation is best described as semi-organized chaos.

How could anyone build an automated, Internet-scale, cloud-enabled and standards-based identity management mechanism on top of that? Hardly. Such project will most likely fail. But it will waste a lot of time and money before it fails.

The first step is to consolidate the data. Build a consistent user database, align policies, design business processes that can support 80% of cases with 20% of effort. It is naïve to expect that everything could be automated, therefore prepare for a reasonable amount of exceptions and human interactions from the very beginning. Single sign-on, identity federation, support for the cloud (whether push or pull) and even the standards will not provide any considerable help in that. It is mostly manual work of security staff, business people and engineers that is needed.

What can help is a well-designed and well-deployed provisioning system. In contrary to the popular beliefs the provisioning system is not really about provisioning. Yes, provisioning is a important part of the system, but other aspects are in fact much more important. Provisioning system can take data from several sources, covert them to a common format and merge them. Therefore it can create a unified database. Provisioning system can compare data among several system, correlating them, therefore detecting the inconsistencies. Provisioning system supports workflow and human interaction to clean up the data and supplement missing information. Both during initial migration and (most importantly) during the day-to-day operation.

Reasonable identity consolidation project including a decent provisioning system is a necessary pre-requisite for any other identity-related activity. It is a shame that engineers forget the Garbage In, Garbage Out phrase that was popular few decades ago. If the data are bad, any system built on top of such data can only be worse.

Mark Wilcox - Oracle: How To Map Port 389 and 636 For Oracle Virtual Directory

2010-08-23T21:06:49Z

OVD is a Java-based app and one of the limitations for Java-based servers is that if you want to run the service on a port under 1024 on Unix - you have to run it as root. The reason is that by default Unix requires anything on those ports to be run as root. In C-based applications - there is a switch-user API call that lets you start as root and then switch to another user.

Java never mapped this call and so there is lots of different schemes for dealing with it. For example in app servers - you might run Apache as a proxy running on 80 to Weblogic running on 7001.

I stumbled on another way to do this - at least on Linux. And that is to use iptables.

Here is how you can map 389 to 6501 (OVD 11g default non-SSL port):
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 389 -j REDIRECT --to-port 6501

Here is how can you map 636 to 7501 (OVD 11g default SSL port):
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-port 7501

Posted via email from Virtual Identity Dialogue

Kevin Kampman - Gartner: Role Management – Demonstrating value, or not

2010-08-23T17:59:37Z

Those of you who attended Catalyst in San Diego in 2009 may remember the lively panel on Role Management’s Evolution. The participants included Edward Coyne of SAIC, representing InterNational Committee for Information Technology Standards (INCITS), David Laurance of JPMC, Alan O’Connor of RTI, Robert Amos of NuStar Energy LP, and Paul Rarey of Safeway. The panel provided a candid perspective on the adoption of role management in organizations; details of the panel discussion were published in the blog “Role” World Challenges.

In the course of the conversation, Alan O’Connor identified that the National Institute of Standards and Technology (NIST), the government sponsor for the role-based access control (RBAC) standard (ANSI INCITS 359-2004), will be soliciting real-world investment information on the implementation and benefits of role management. The purpose of this effort, ultimately, is to justify new government funding for the refinement of the RBAC standard, and also to provide organizations with information that can be used to demonstrate value in their own situations.

The survey was finally launched in August 2010. Sponsored by NIST, this solicitation, entitled “The Economics of Access Control,” covers access control strategies and lifecycles, user provisioning, and compliance activities. The survey is located at http://accesscontrolsurvey.rti.org. The results will be published by the end of 2010 and contributors will receive a copy of the report. This is a perfect opportunity to provide your input and perceptions about RBAC and related activities and to shape the standards activities in the future.

Paul Madsen: Consent can't be 'informed' without 'information'

2010-08-23T16:01:47Z

In its OAuth consent flow, Google refers to the requesting party (Flickr in this instance) as the generic 'third party service'

Posted via email from Pre(posterous)