<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:planet="http://planet.intertwingly.net/" xmlns:indexing="urn:atom-extension:indexing" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" indexing:index="no"><access:restriction xmlns:access="http://www.bloglines.com/about/specs/fac-1.0" relationship="deny" />
  <title>Planet Identity</title>
  <updated>2009-11-10T11:34:46Z</updated>
  <generator uri="http://intertwingly.net/code/venus/">Venus</generator>
  <author>
    <name>Pat Patterson</name>
    <email>pat@superpat.com</email>
  </author>
  <id>http://planetidentity.org/atom.xml</id>
  
  <link href="http://planetidentity.org" rel="alternate" />

  <link rel="self" href="http://feeds.feedburner.com/PlanetIdentity" type="application/atom+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry>
    <id>http://blogs.sun.com/identity/entry/best_practices_for_the_iam</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/z0TIPRWel6E/best_practices_for_the_iam" rel="alternate" type="text/html" />
    <title>Mark Dixon - Sun: Best Practices for the IAM/Compliance Journey</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;a href="http://www.calphys.org/html/bb353.asp"&gt;&lt;img align="right" src="http://www.calphys.org/assets/images/physician_funnies_821.jpg" style="margin: 5px 0px 5px 10px; border: 1px solid; display: inline;"&gt;&lt;/img&gt;&lt;/a&gt; As explained in my &lt;a href="http://blogs.sun.com/identity/entry/the_role_of_iam_in"&gt;recent post&lt;/a&gt;, I am awaiting final publication of a white paper I recently authored, entitled, “&lt;em&gt;&lt;strong&gt;Identity and Access Management – Enabling HIPAA/HITECH Compliance&lt;/strong&gt;&lt;/em&gt;.”  This post is a excerpt from that paper.&lt;/p&gt; &#xD;
  &lt;p&gt;In the thirteen years since the initial passage of the HIPAA act, practical experience in the field has yielded several recommended best practices for implementing IAM systems to enable HIPAA/HITECH compliance. We recommend the following:&lt;/p&gt; &#xD;
  &lt;ol&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Understand requirements&lt;/strong&gt;&lt;/em&gt;. By developing a better understanding of compliance requirements, how compliance affects information technology (IT), and how IT in general and IAM specifically can help support the privacy, security and notification requirements of HIPAA/HITECH, companies can establish efficient, cost-effective, and sustainable programs that address all of these complex requirements within a holistic compliance framework.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Recognize IT's critical role.&lt;/strong&gt;&lt;/em&gt; In many companies, IT has evolved to become the critical backbone behind almost every operation, but many people still view technology as a cost rather than an investment or asset. By understanding the key roles that IT plays in support of HIPAA/HITECH compliance, enterprises can maximize the value of their technology investment.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Understand the role of IAM.&lt;/strong&gt;&lt;/em&gt; IAM plays a critical role in compliance with HIPAA/HITECH privacy, security and notification requirements. However, it does not automatically satisfy all HIPAA/HITECH requirements. Recognizing the value and the limitations of IAM in the entire spectrum of HIPAA/HITECH compliance is essential.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Think program, not project.&lt;/strong&gt;&lt;/em&gt; HIPAA/HITECH compliance is a journey, not a short term event. Enterprises must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Boards of directors and executives are frequently being held to higher standards than ever before as they are expected to be knowledgeable about, and held liable for, everything going on within the enterprise. &lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Establish privacy and security policy.&lt;/strong&gt;&lt;/em&gt; A successful privacy and security program requires a documented set of principles, policies, and practices. Using the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information as a guide, the enterprise's privacy and security principles should be documented as a foundation upon which to build policies, practices and strategies.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Develop a strategy.&lt;/strong&gt;&lt;/em&gt; The only way to effectively address the wide spectrum of compliance requirements is to integrate them into a common compliance strategy that is intertwined with the business itself. A business-driven, risk-based, and technology-enabled compliance strategy can help create enterprise value by rationalizing unnecessary complexities, driving consistency and accountability across the enterprise, and identifying opportunities for a possible enhancement of operational performance and information quality. &lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Collaborate.&lt;/strong&gt;&lt;/em&gt; HITECH extends compliance responsibility and penalties to all business associates. Work closely with your vendors and business partners to form an overall security and privacy framework, including updating legal relationship documents as necessary.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Establish a governance process&lt;/strong&gt;&lt;/em&gt;&lt;em&gt;.&lt;/em&gt; Compliance efforts affect a broad spectrum of an enterprise. Stakeholders from many organizations, often with conflicting priorities, have vested interests in the outcomes of a compliance strategy. The governance process must provide representation from the impacted functional areas of the organization. A governance board should have appropriate representation from IT, security, audit, application owners, human resources, business process owners and applicable business associates. The board should be accountable for the project objectives and be vested with authority to make program decisions. The board should be empowered to 1) establish a statement of purpose for the program, 2) promote and give visibility to the program throughout the larger organization, 3) act as a mechanism for quickly making decisions regarding program scope, issues, and risks, and 4) monitor the program health on an ongoing basis.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Implement your strategy in phases.&lt;/strong&gt;&lt;/em&gt; By segmenting the overall solution into manageable parts, an organization can realize quick, visible business benefits and progressively realize overall program objectives in an orderly, measurable way. Implementing in manageable phases also makes it easier to battle issues such as scope creep or requirements drift.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Standards.&lt;/strong&gt;&lt;/em&gt; Follow the NIST and other applicable standards for electronic healthcare records. Adjust to form a compliance model with this emerging standard. Focus on open standards and vendors that are open standards compliant to ensure long-term flexibility of computing platforms and security frameworks.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Give real-time visibility.&lt;/strong&gt;&lt;/em&gt; Real-time views into the functioning of controls across these systems and across the enterprise, through job-specific dashboards or portal views, can provide insight into compliance status, progress, and risks. Effective communication with all stakeholders is essential.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Unify disparate compliance efforts. &lt;/strong&gt;&lt;/em&gt;Many companies are beginning to realize the potential of technology to support sustained compliance and are actively looking to combine existing fragmented, reactive, and inefficient governance and compliance efforts into a single sustainable compliance program. Bringing together compliance, governance, and risk management under a holistic framework, can result in a centralized compliance organization with the understanding, structure, and ability to help optimize the company’s compliance efforts in a sustainable, strategic, and cost effective manner. &lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Assess progress and adjust as necessary.&lt;/strong&gt;&lt;/em&gt; Each phase of the progressive implementation of the compliance strategy will yield more in-depth understanding about the compliance process as it pertains to the specific enterprise. Implementing methods of continual process improvement will yield progressively refined results. &lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
  &lt;/ol&gt; &#xD;
  &lt;p&gt;Please let me know what you think.  What have you found that really works in this IAM/Compliance Journey?&lt;/p&gt; &#xD;
  &lt;/div&gt;</content>
    <updated>2009-11-10T11:09:28Z</updated>
    <published>2009-11-10T11:05:00Z</published>
    <category label="Identity" term="/Identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="compliance" />
    <category scheme="http://roller.apache.org/ns/tags/" term="digitalidentity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="hipaa" />
    <category scheme="http://roller.apache.org/ns/tags/" term="hitech" />
    <category scheme="http://roller.apache.org/ns/tags/" term="iam" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identitymanagement" />
    <category scheme="http://roller.apache.org/ns/tags/" term="privacy" />
    <category scheme="http://roller.apache.org/ns/tags/" term="security" />
    <author>
      <name>identity</name>
    </author>
    <source>
      <id>http://blogs.sun.com/identity/feed/entries/atom</id>
      <link href="http://blogs.sun.com/identity/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/identity/" rel="alternate" type="text/html" />
      <subtitle>Mark Dixon's quest to explore the world of  Identity Management</subtitle>
      <title>Discovering Identity</title>
      <updated>2009-11-10T11:09:28Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/identity/entry/best_practices_for_the_iam</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/Ludo/entry/opends_silent_install</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/BMi-MarKGOo/opends_silent_install" rel="alternate" type="text/html" />
    <title>Ludovic Poitou - Sun: OpenDS Silent install</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt; &lt;img align="left" alt="Opends Logo Tag" border="0" height="40" hspace="10" src="http://blogs.sun.com/Ludo/resource/opends_logo_tag.jpg" vspace="10" width="255"&gt;&lt;/img&gt;One of the things we're the most proud of in the &lt;a href="http://www.opends.org/" title="OpenDS, the open source LDAP Directory Service in Java"&gt;OpenDS project&lt;/a&gt; is the simplicity of installation and initial configuration, thanks to the Java Web Start &lt;a href="http://www.opends.org/promoted-builds/latest/install/QuickSetup.jnlp" title="Install OpenDS, the open source LDAP Directory Service in Java, now !"&gt;QuickSetup installer&lt;/a&gt;. We say that you can download, install and configure OpenDS to run on your machine &lt;a href="http://blogs.sun.com/Ludo/entry/it_takes_longer_to_boil" title="Video : Install OpenDS takes longer than to boil an egg."&gt;in less than 3 minutes and 6 clicks&lt;/a&gt;.&#xD;
&lt;br&gt;But OpenDS can also be &lt;a href="http://www.opends.org/promoted-builds/latest/OpenDS-2.2.0-RC2.zip" title="Download OpenDS 2.2.0 RC 2 Zip file"&gt;downloaded as a Zip&lt;/a&gt; and installed with the setup program, which can be either graphical or in command line and even used in silent mode.&#xD;
&lt;br&gt;The OpenDS community is often full of resources and &lt;a href="http://lucasrockwell.com/other/opendsinstall.txt" title="Lucas Rockwell script for installing OpenDS"&gt;Lucas Rockwell pointed to his script&lt;/a&gt; for downloading and installing OpenDS automatically. I've taken the liberty of improving on his idea and show it here:&#xD;
&lt;/p&gt; &#xD;
  &lt;blockquote style="font-family: monospace; font-size: small;"&gt;#!/bin/sh&#xD;
&lt;br&gt;&lt;br&gt;# This is the OpenDS version number to install&#xD;
&lt;br&gt;VER=2.2.0-RC2&#xD;
&lt;br&gt;&lt;br&gt;# Download with curl or wget, uncomment the preferred download method&#xD;
&lt;br&gt;curl -O http://www.opends.org/promoted-builds/${VER}/OpenDS-${VER}.zip&#xD;
&lt;br&gt;# wget -nd http://www.opends.org/promoted-builds/${VER}/OpenDS-${VER}.zip&#xD;
&lt;br&gt;&lt;br&gt;unzip OpenDS-${VER}.zip&#xD;
&lt;br&gt;&lt;br&gt;cd OpenDS-${VER}/&#xD;
&lt;br&gt;&lt;br&gt;# Possible option changes:&#xD;
&lt;br&gt;# Replace -d 20 (generate sample data with 20 entries) with -a (create&#xD;
&lt;br&gt;#   top entry) or -l &amp;lt;ldifFile&amp;gt; (load data from the LDIF file)&#xD;
&lt;br&gt;# Replace -w "secret12" with -j /tmp/me/passwordfile to avoid a hardcoded&#xD;
&lt;br&gt;#   cleartext password&#xD;
&lt;br&gt;# Add -O to avoid starting the server after install&#xD;
&lt;br&gt;# Add -Q for a quiet install&#xD;
&lt;br&gt;# ./setup --help for more information on options&#xD;
&lt;br&gt;./setup --cli -n -b "dc=example,dc=com" -d 20 -p 1389 \&#xD;
&lt;br&gt;--adminConnectorPort 4444 -D "cn=Directory Manager" \&#xD;
&lt;br&gt;-w "secret12" -q -Z 1636 --generateSelfSignedCertificate&#xD;
&lt;/blockquote&gt; &#xD;
  &lt;p&gt;&#xD;
As you can see, it's really trivial and it does the work in a few seconds to a few minutes, depending on the speed of your internet connection.&#xD;
&lt;br&gt;The script can be downloaded &lt;a href="http://blogs.sun.com/Ludo/resource/opendsinstall.sh" title="opendsinstall.sh Script"&gt;here&lt;/a&gt;.&#xD;
&lt;br&gt;Have fun !&#xD;
&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-10T09:09:58Z</updated>
    <published>2009-11-10T08:01:16Z</published>
    <category label="Directory Services" term="/Directory Services" />
    <category scheme="http://roller.apache.org/ns/tags/" term="directory-server" />
    <category scheme="http://roller.apache.org/ns/tags/" term="java" />
    <category scheme="http://roller.apache.org/ns/tags/" term="ldap" />
    <category scheme="http://roller.apache.org/ns/tags/" term="opends" />
    <category scheme="http://roller.apache.org/ns/tags/" term="opensource" />
    <author>
      <name>Ludo</name>
    </author>
    <source>
      <id>http://blogs.sun.com/Ludo/feed/entries/atom</id>
      <link href="http://blogs.sun.com/Ludo/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/Ludo/" rel="alternate" type="text/html" />
      <subtitle>Ludovic Poitou's blog</subtitle>
      <title>Ludo's sketches</title>
      <updated>2009-11-10T09:09:58Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/Ludo/entry/opends_silent_install</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/bblfish/entry/7_days_in_sf_jail</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/bt0SIwIbqyY/7_days_in_sf_jail" rel="alternate" type="text/html" />
    <title>Henry Story - Sun: 7 days in SF Jail - arrival</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;On October 29 I left London for what was to be a month tour of California. On all previous trips I prepared very little. This time though I spent two weeks organizing a &lt;a href="http://blogs.sun.com/bblfish/entry/november_2nd_join_the_social"&gt;Social Web Camp&lt;/a&gt; in order to build up contacts in the Bay. But things took a very different turn.&lt;/p&gt;&#xD;
&lt;p&gt;It says in &lt;a href="http://www.afpc.asso.fr/wengu/wg/wengu.php?l=Yijing&amp;amp;no=64"&gt;Hexagram 64 of the Yi Ching&lt;/a&gt;, the oldest book in China, in the section "Before Completion":&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
&lt;/p&gt;&lt;blockquote&gt;&#xD;
The caution of a fox walking over ice is proverbial in China. His ears are constantly alert to the cracking of the ice, as he carefully and circumspectly searches out the safest spots. A young fox who as yet has not acquired this caution goes ahead boldly, and it may happen that he falls in and gets his tail wet when he is almost across the water. Then of course his effort has been all in vain. Accordingly, in times "before completion," deliberation and caution are the prerequisites of success. &#xD;
&lt;/blockquote&gt;&#xD;
&lt;p&gt;&lt;/p&gt;&#xD;
&lt;h4&gt;Flight to San Francisco&lt;/h4&gt;&#xD;
&lt;p&gt;The British Airways flight left in the late morning from London Heathrow. To keep me busy for the 10 hours trip I had bought the UK and US editions of Wired Magazine at the airport to complement the 1300 pages long collections of essays by &lt;a href="http://fr.wikipedia.org/wiki/Fran%C3%A7ois_Jullien"&gt;Francois Jullien&lt;/a&gt;  comparing European and Chinese approaches to wisdom which I had bought in Paris a few weeks earlier.  ( &lt;a href="http://books.google.co.uk/books?hl=en&amp;amp;q=Fran%C3%A7ois%20Jullien%20&amp;amp;um=1&amp;amp;ie=UTF-8&amp;amp;sa=N&amp;amp;tab=wp"&gt;some of these are available on Google Books in English&lt;/a&gt; ).&lt;/p&gt;&#xD;
&lt;p&gt;The plane took off and we were served a very good and healthy lunch - I was pleasantly surprised. The shades were then pulled down to allow people to sleep or watch films. Even though I woke up at 5am that morning, I was too excited to sleep. So I read the easier Wired magazines from beginning to end to help me get back into the Silicon Valley spirit. One article that caught my attention and that was reprinted in both editions was Neil Christy's "&lt;a href="http://www.wired.com/techbiz/people/magazine/17-10/ff_smartlist_christie"&gt;Empty the Prisons&lt;/a&gt;" in the "12 Shocking Ideas that Could Change the World" Section. The following diagram makes the point very simply:&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
&lt;a href="http://www.wired.com/techbiz/people/magazine/17-10/ff_smartlist_christie"&gt;&lt;img alt="prison population comparison across countries" src="http://www.wired.com/images/article/magazine/1710/ff_smartlist_christie_f.jpg"&gt;&lt;/img&gt;&lt;/a&gt;&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;The cost of putting people in prisons is very high. Not just the monetary cost, but also the cost to Liberty. The easier it is for the state to put people in prison, the easier it is for this to be abused by underground operatives to put pressure on people to do things they would not have done otherwise.  Perhaps there are crimes that should not be crimes. Not impossible: Alcohol was illegal in the 30ies in the US before being legalised after the complete failure of the program.&lt;/p&gt;&#xD;
&#xD;
&lt;a href="http://en.wikipedia.org/wiki/Yin_and_yang#Taijitu"&gt;&lt;img align="right" alt="Yin and Yang symbol" src="http://ltsaloon.org/wp-content/uploads/yin-yang.jpg"&gt;&lt;/img&gt;&lt;/a&gt;&#xD;
&lt;p&gt;Having finished those mags I started reading a longer article by Francois Jullien on the different conceptions of Evil and negativity in the East and the West. It is an interesting story that goes all the way back to the earliest conceptions of religion. If God is pure good, how does evil enter the world? Is evil just the lack of Good, as Socrates would have had it? Or is the universe a battle between two equal forces, Good and Evil, as &lt;a href="http://en.wikipedia.org/wiki/Saint_Augustin"&gt;Saint Augustin&lt;/a&gt; had been tempted to think in his earlier days as a proponent of the &lt;a href="http://en.wikipedia.org/wiki/Manichean"&gt;Manichean religion&lt;/a&gt;. Or as the Taoists would have it, and as is symbolized so well in the Taoist Taijitu symbol, are these concepts such that they cannot exist without one another? Just as light cannot exist without dark, or high without low, perhaps good cannot exist without bad. And perhaps there is bad in the good and good in the bad? Certainly the Good of One can be the Bad of the other, as this poem - which is part of John Cage's &lt;a href="http://www.lcdf.org/indeterminacy/first.html"&gt;Indeterminacy series&lt;/a&gt; - &#xD;
 so nicely illustrates:&#xD;
&lt;/p&gt;&lt;blockquote&gt;&#xD;
Kwang-tse&lt;br&gt;&#xD;
   points         out&lt;br&gt;&#xD;
               that         a         beautiful&lt;br&gt;&#xD;
&#xD;
                                                woman&lt;br&gt;&#xD;
&#xD;
&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
                 who         gives&lt;br&gt;&#xD;
&#xD;
                           pleasure&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
                                                 to         men&lt;br&gt;&#xD;
&#xD;
&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
    serves&lt;br&gt;&#xD;
 only                                                                                             to&lt;br&gt;&#xD;
&#xD;
      frighten&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
                             the         fish&lt;br&gt;&#xD;
&#xD;
&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
                                                                                when         she&lt;br&gt;&#xD;
&#xD;
   jumps&lt;br&gt;&#xD;
                                                                 in         the          water.&#xD;
&lt;/blockquote&gt;&#xD;
&lt;p&gt;&#xD;
Moving away from the desire for purity, may be a very healthy thing to do.&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
I was tired and would not have had time to finish the 200 page article. Dinner was served. It was then just a short wait till we arrived. The  plane dipped. I yawned to relieve the pressure on my ears, and looked out of the window, to what was the only view of the Bay I was going to be allowed to have. The plane landed around 3pm California time, which would have been 11pm London time.&#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;h3&gt;Arrest&lt;/h3&gt;&#xD;
&lt;a href="http://www.afpc.asso.fr/wengu/wg/wengu.php?l=Yijing&amp;amp;no=64"&gt;&lt;img align="right" src="http://www.psychic-revelation.com/images/i_ching_64_wei_chi.jpg" title="Yi Ching ideogram 64: before completion"&gt;&lt;/img&gt;&lt;/a&gt;&#xD;
&lt;p&gt;I had not filled in the forms for immigration, so I decided to do that comfortably in the plane. Those are the sheets where you are asked questions such as "Have you ever been or are you now involved in espionage or sabotage; or in terrorist activities; or genocide; or between 1933 and 1945 were you involved, in any way, in persecutions associated with Nazi Germany or its allies?" One has to enter 3 or four times the same information. I had to look up the address and phone number of my contacts in the Bay Area. As a result I was the last person to get out of the plane. A huge line awaited me at the passport control check point, and I was upset with myself for not getting out faster. I still wanted to get my bicycle out of the box, and go to Menlo Park to get a few &lt;a href="http://www.bblfish.net/tmp/2009/11/SWC_SUN_A2.pdf"&gt;posters for the Social Web Camp&lt;/a&gt; and place them around the Bay Area.&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
I arrived at the control point, gave the officer my passport and cards. But I had forgotten to enter my birth date on the back of one form, so he ordered me to the side to do that, while he dealt with another traveler. I came up, he processed the forms, asked me to put my hand on a fingerprint machine. Something beeped. He did not seem too happy, and told me to go down to the corner of the huge room, to the door I could see in the distance. "Straight down there", he said. I wondered what that was about.&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
As I entered the room I first saw a row of benches with a little under 10 people sitting there waiting to be processed. I was told to put my passport in a slot and sit down. I thought I could perhaps phone someone, but one was not allowed to make calls there for some reason. I did not want to bother anyone before I knew what the problem was anyway, so I just waited. Slowly people were processed. Some came out of interview rooms. A woman was asked if she knew someone in the Bay Area. She seemed not to understand. An interpreter came around. Her son was called... &lt;/p&gt;&#xD;
&lt;p&gt;I was asked to step to the back office, where they passed my hand through a  machine which took the prints of my whole hand and of the side of my hand. They took a few photos. Then they asked me if I knew why I was arrested. No I did not. I thought perhaps I had failed to pay a parking ticket, but I could not imagine that that would warrant my being stopped at the border. So no, I did not understand.&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;It turns out that a case from 2001, which I was certain had been  closed had popped up in their systems. This was from my last year working in the Bay Area, when I had moved to San Francisco to work for E-Translate, at the end of the dot.com boom. So quite some time ago.  I had come to the Bay Area three or four times since then, which seemed to shock them, as much as their bringing this issue up shocked me. I told them this was certainly a mistake. Everything had been taken care of. I would be certainly very happy to get this problem cleared up at the courts, and I told them it would very certainly not take much time - Indeed when 6 days later I saw the judge it took him 30 seconds to clear the case. But the officer in front of me did not know that. The information against me on the computer looked bad enough for him, and that was it.&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
 By this time they had taken my telephone, passport and other material, and I was no longer in a position to get advice. I certainly had never been  read any rights, and I could not ask anyone for help - I suppose that is just for US citizens. In fact by signing the entry papers I had waived my rights to an immigration court hearing I was told. The interrogating officer, very slowly typed up a report. The first question on the report was: "How are you feeling?" My answer: very tired. It was probably 3am in the morning UK time.&lt;/p&gt;&#xD;
&lt;p&gt;I had pleaded with the officer that I had come just to talk at a conference which I had organized, and to then present talks in different venues. My interest was to have a clear record, and so I would certainly show up in court. Somehow he made me think that I could get bail, and that from there on I could organize the hearings. That seemed like a good enough solution. I felt relieved. Shit happens. At least I'd get a free ride in a cop car.&#xD;
&lt;/p&gt;&#xD;
&lt;h3&gt;Ride in a police car&lt;/h3&gt;&#xD;
&lt;p&gt;After another long wait, I was asked to remove my shoe laces, empty all my pockets, was handcuffed and walked out to the front of the San Francisco airport. There a couple of policemen were waiting for me. I squeezed into the back seat on the very narrow bench separated by glass and metal from them. They closed the door and drove off, the bag with my cell phone, passport and other bits and bobs with them in the front seat.&lt;/p&gt;&#xD;
&lt;p&gt;They were quite entertaining. One of the officers asked the other if he wanted to go for a pizza, to which the first officer replied that he could no longer eat greasy foods since his &lt;a href="http://www.associatedcontent.com/article/386706/how_appendix_stones_cause_appendicitis.html"&gt;appendicitis operation&lt;/a&gt;. He went into detail to describe both the cause of appendicitis, the operation, the stones they found in the appendix and the whole trouble that this caused. His colleague did not abandon the pizza idea, and described in detail a famous low cost pizza place where there were only 4 types of pizza available, and where you had better be careful not to ask for anything else. I suggested that I would not be against going for a pizza, to which the pizza loving officer responded jokingly that that clearly showed that I was evil: trying to kill his appendix missing colleague with fatty foods!&lt;/p&gt;&#xD;
&lt;p&gt;We arrived at the San Mateo police station. I had been taken to this station I was told because the San Francisco airport is in fact located in the San Mateo district. They would have to send me over to San Francisco within 5 days. How long that would take would depend on the space available there. I was hoping I could bail out beforehand I told them, to which they replied that I would have to talk to the officers in the San Mateo station, they would help me work that out.&lt;/p&gt;&#xD;
&lt;h3&gt;San Mateo police station&lt;/h3&gt;&#xD;
&lt;p&gt;In San Mateo I was then asked a lot of details all over again. Contact details for people in the Bay, what I was doing here, if I was suicidal, and so on. If you think that the checks at the airport are intrusive - when they ask you to clear everything out of your luggage, and remove your shoes - then you may not want to read the next paragraph.&lt;/p&gt;&#xD;
&lt;p&gt;I was placed into a room and told to strip naked. The officer then frisked my body, then my balls, then asked me to turn against the wall, lean over, spread my cheeks and say "ahh". Not sure what the "Ahh" was for. It did not seem like a good idea not to obey. "Nothing is hidden" as Wittgenstein so well writes in the Philosophical Investigations. I was just happy that the officer did not have to make his blue plastic gloves dirty. As &lt;a href="http://www.wired.com/politics/law/news/1999/01/17538"&gt;Scott McNealy once quipped&lt;/a&gt;: "You have zero privacy anyway. Get over it". So I did.&lt;/p&gt;&#xD;
&lt;p&gt;I could then put my shoes and clothes back on. I was sent to a window where a nurse asked me to fill out a form for diseases I could have, if I practiced safe sex, if I was gay or straight, if I was suicidal, and so on... I then had to go through a  hand scan and fingerprint scan once more.  Then I was sent to a glass protected cell facing the police office, with a small hard bench and behind a low wall, a metal toilet. &lt;/p&gt;&#xD;
&lt;p&gt;In the room was a telephone attached to the wall for collect calls only, and plastered against the wall was a list of bail agents and their telephone numbers.  These could be called to borrow money for bail. They take 10% of the money lent. I called one of them to see if and how they would be able to help. Nope he said. We don't help foreigners. Mhh. Well I could  pay for bail myself if I had to.&lt;/p&gt;&#xD;
&lt;h3&gt;The Drunk Depressive&lt;/h3&gt;&#xD;
&lt;p&gt;As I was doing this, the door opened, and I was joined by a strong, slightly overweight and effeminate man, with a bit of a South American look to him, but unusually well dressed. Not very well dressed, I should add. Just that he had a striped office shirt, and clearly paid attention to his looks.&lt;/p&gt;&#xD;
&lt;p&gt;"Burn, burn. They should all burn in hell", he said, which made me just a little uncomfortable.&lt;/p&gt;&#xD;
&lt;p&gt;"People are bad. They deserve to die.", he continued. "They all deserve to die, each one of them.", and after a pause. "We will all die". This he repeated quite a lot.&lt;/p&gt;&#xD;
&lt;p&gt;I let him go on like this, looking through the window. I wanted to find out how I could get bail, as I was quite keen to leave this place. If I could get out of here then I could find a hotel close by, and prepare for my talk on Monday. There was still time. &lt;/p&gt;&#xD;
&lt;p&gt;I knocked on the window, as an officer passed and asked how I could find out about bail. They told me to wait for the O.R. people, and pointed to two women working diagonally across the room. I tried waving to them. Time passed.&lt;/p&gt;&#xD;
&lt;p&gt;I found out that the guy in my cell had been arrested for &lt;a href="http://en.wikipedia.org/wiki/Jay_walking"&gt;jaywalking&lt;/a&gt; and being somewhat drunk. Though to me he seemed more depressed than drunk. He certainly did not smell heavily of alcohol. I did not know jaywalking could land you in jail. I never heard of anyone in France being booked for that. It is also I think quite rare for people to be sent away for being tipsy, unless they make a lot of noise, in which case they would be sent out for being a public nuisance I suppose. He wanted to go home, because he had to work at 5 or 6 in the morning at what I understood to be something like a cafe. He had been unemployed for a while, and this was his first job a lady had helped him get. So he had just been celebrating his new job that evening, and things had turned bad.&lt;/p&gt;&#xD;
&lt;h3&gt;No exit&lt;/h3&gt;&#xD;
&lt;p&gt;"Look at them, they are like children", he said pointing at the officers. "Playing their little games, so sure of themselves. They don't care. They don't care at all. Playing sheriff. Look at that one..."&lt;/p&gt;&#xD;
&lt;p&gt;And it is true they did not seem to care. It must have been 11pm now, and I had been up for over 26 hours without sleep. I was wondering when I could get bail! I might as well sleep here I thought, that would save me a night at the hotel. I started to get worried, so I called the friends in California, whose number I had written down on a scrap of paper they had left me - I thought someone at least ought to know where I am.&lt;/p&gt;&#xD;
&lt;p&gt;At some point, one of the women came up to the door, and told me I could not get bail. The immigration officers had put an ICE hold on me, disallowing that. I broke up in tears, as I felt the doors close one by one on me.&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-10T06:20:05Z</updated>
    <published>2009-11-10T00:34:40Z</published>
    <category label="travel" term="/travel" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="philosophy" />
    <category scheme="http://roller.apache.org/ns/tags/" term="security" />
    <category scheme="http://roller.apache.org/ns/tags/" term="semweb" />
    <category scheme="http://roller.apache.org/ns/tags/" term="travel" />
    <author>
      <name>bblfish</name>
    </author>
    <source>
      <id>http://blogs.sun.com/bblfish/feed/entries/atom</id>
      <link href="http://blogs.sun.com/bblfish/feed/entries/atom?tags=identity" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/bblfish/" rel="alternate" type="text/html" />
      <subtitle>Don't panic !</subtitle>
      <title>The Sun BabelFish Blog</title>
      <updated>2009-11-10T10:09:22Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/bblfish/entry/7_days_in_sf_jail</feedburner:origLink></entry>

  <entry>
    <id>http://www.sbwire.com/news/view/33796</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/26gxdk_YFJ0/33796" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Centrify Delivers First Identity and Access Management Solution Certified for Windows Server 2008 R2</title>
    
    <updated>2009-11-10T06:01:01Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">The Centrify Suite is an integrated family of Active Directory-based auditing, access control and identity management solutions that secure cross-platform environments and strengthen regulatory compliance.</content><feedburner:origLink>http://www.sbwire.com/news/view/33796</feedburner:origLink></entry>

  <entry>
    <id>http://www.your-story.org/radiant-logic-delivers-a-global-view-of-identity-with-the-release-of-radiantone-vds-context-edition-5-2-47946/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/P0LPylyMQRk/" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Radiant Logic Delivers a Global View of Identity</title>
    
    <updated>2009-11-10T05:43:42Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">Identity and context virtualization allows enterprises with highly distributed, heterogeneous sources of identity to “manage globally and act locally,” by delivering a complete view of identity while enforcing security at the data source level.</content><feedburner:origLink>http://www.your-story.org/radiant-logic-delivers-a-global-view-of-identity-with-the-release-of-radiantone-vds-context-edition-5-2-47946/</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/identity/entry/cio_roundtables_identity_management_ndash</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/t5iljX680Fs/cio_roundtables_identity_management_ndash" rel="alternate" type="text/html" />
    <title>Mark Dixon - Sun: CIO Roundtables: Identity Management – Starts Tomorrow!</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;a href="http://blogs.sun.com/identity/entry/cio_roundtables_identity_management_pathway"&gt;&lt;img align="right" src="http://blogs.sun.com/identity/resource/WindowsLiveWriter_CIORoundtablesIdentityManagementPathwayT_C700_CIO_thumb.jpg" style="margin: 5px 0px 5px 10px; display: inline;"&gt;&lt;/img&gt;&lt;/a&gt; Tomorrow is the first of five “&lt;a href="http://blogs.sun.com/identity/entry/cio_roundtables_identity_management_pathway"&gt;CIO  Roundtables&lt;/a&gt;” sponsored by CIO Magazine and Sun Microsystems to be held in Washington DC, New York, San Francisco, Vancouver and Toronto.  It will be a good experience to participate in each event with Michelle Dennedy, Chief Governance Officer of Cloud Computing for Sun Microsystems, and dozens of CIOs and IT management folks in what promises to be a lively and invigorating discussion of Identity Management issues facing modern enterprises and government institutions.  We will address the subject, “&lt;i&gt;Identity Management - Pathway To Enterprise Agility.&lt;/i&gt;”&lt;/p&gt; &#xD;
  &lt;p&gt;A list of locations and further information are included in a &lt;a href="http://blogs.sun.com/identity/entry/cio_roundtables_identity_management_pathway"&gt;previous post&lt;/a&gt;.&lt;/p&gt; &#xD;
  &lt;/div&gt;</content>
    <updated>2009-11-10T02:28:53Z</updated>
    <published>2009-11-10T02:12:39Z</published>
    <category label="Identity" term="/Identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="ciomagazine" />
    <category scheme="http://roller.apache.org/ns/tags/" term="cloudcomputing" />
    <category scheme="http://roller.apache.org/ns/tags/" term="digitalidentity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="governance" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identitymanagement" />
    <author>
      <name>identity</name>
    </author>
    <source>
      <id>http://blogs.sun.com/identity/feed/entries/atom</id>
      <link href="http://blogs.sun.com/identity/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/identity/" rel="alternate" type="text/html" />
      <subtitle>Mark Dixon's quest to explore the world of  Identity Management</subtitle>
      <title>Discovering Identity</title>
      <updated>2009-11-10T11:09:28Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/identity/entry/cio_roundtables_identity_management_ndash</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/identity/entry/the_role_of_iam_in</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/iqqejMF_PAg/the_role_of_iam_in" rel="alternate" type="text/html" />
    <title>Mark Dixon - Sun: The Role of IAM in HIPAA/HITECH Compliance</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;a href="http://www.hhs.gov/ocr/privacy/psa/understanding/index.html"&gt;&lt;img align="right" src="http://www.hhs.gov/ocr/images/sm_twosurgeons.jpg" style="margin: 5px 0px 5px 10px; display: inline;"&gt;&lt;/img&gt;&lt;/a&gt; I recently authored a white paper entitled, “&lt;i&gt;&lt;b&gt;Identity and Access Management – Enabling HIPAA/HITECH Compliance&lt;/b&gt;&lt;/i&gt;.”  The paper is now in the final editing and formatting process.  As we await the final publishing date, let me share an excerpt from the paper, focused on the key ways IAM enables HIPAA/HITECH compliance.&lt;/p&gt; &#xD;
  &lt;p&gt;HIPAA/HITECH requirements for privacy, security, auditing and notification are supported directly by IAM. By streamlining the management of user identities and access rights and automating time-consuming audits and reports, IAM solutions can help support strong privacy and security policies across the enterprise and throughout Health Information Networks while reducing the overall cost of compliance.&lt;/p&gt; &#xD;
  &lt;p&gt;IAM provides the following key enablers for HIPAA/HITECH compliance:&lt;/p&gt; &#xD;
  &lt;ol&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Assign and control user access rights.&lt;/b&gt; Securely managing the assignment of user access rights is critical to HIPAA/HITECH compliance, particularly in distributed and networked environments typical of modern healthcare business. Decentralized provisioning is not only inefficient and costly, it also increases the risk of security and privacy violations. Automated provisioning allows centralized control of resources and applications that have historically existed in silos. This provides a much greater level of control over access to those resources. Checking audit policy at the time of provisioning ensures regulatory compliance, thus preventing audit policy violations. &lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Adjust user access rights when responsibilities change.&lt;/b&gt; Business risk is introduced when employees change jobs and access isn’t appropriately adjusted or removed. Failing to appropriately adjust or remove users’ access when job changes occur can result in superuser-access and SOD violations. Automated provisioning effectively eliminates many of these risks, especially when combined with auditing and role management capabilities.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Revoke user access upon termination.&lt;/b&gt; IAM systems can automate the process of immediately revoking user access rights upon termination or suspension. This eliminates a commonly-exploited security gap and opportunity for policy violation that may occur after an employee or contractor has been dismissed.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Manage allocation of user credentials.&lt;/b&gt; Managing user names, passwords and other user access credentials is essential to assuring that only authorized users are granted access to information systems. IAM technology can provide enterprise-wide control of user credentials, including the enforcement of uniform password policies (e.g. password strength, periodic change).&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Enforce segregation of duties (SOD) policies.&lt;/b&gt; Segregation of duties (also known as separation of duties) has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. IAM methods can prevent, detect, and resolve access rights conflicts to reduce the likelihood that individuals can act in a fraudulent or negligent manner. Once violations are identified, notification and remediation steps are automatically initiated based on corporate policies.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Provide uniform access policy. &lt;/b&gt;IAM can provide administration and enforcement of common user access policies across a wide span of diverse systems, improving executive confidence in how the enterprise complies with HIPAA/HITECH requirements.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Manage access based on business roles.&lt;/b&gt; Provisioning and auditing at the business role level, rather than just at the IT access control level, ties user access rights more closely to business processes. With a role management solution, managers can approve access rights that have a meaningful business context, thus reducing the risk of managers inadvertently creating SOD violations by granting carte blanche access to their direct reports. &lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Enforce secure access policies.&lt;/b&gt; While automated identity administration, provisioning and auditing are essential to HIPAA/HITECH compliance, these methods don't actually enforce the use of security policies when a user accesses the controlled systems. IAM Access Management technology can enforce user access policy at the point of entry to an application or other system, in harmony with established policy. Examples of such enforcement include Web access management (including single sign-on or SSO), enterprise single sign-on (ESSO), and Web service security.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Enforce informed consent principles.&lt;/b&gt; Informed consent principles (e.g. opt-in, opt-out, notice) can be enforced, based on identities of individual patients and potential users of personal information associated with such data.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Extend access control to business associates&lt;/b&gt;. Identity Federation can extend access control beyond enterprise boundaries to enable secure access to electronic records while safeguarding the privacy of sensitive information. This is essential to comply with the extended requirements of HITECH.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Verify access rights. &lt;/b&gt;While automated user access provisioning is designed to accurately assign access rights, such access rights should be confirmed by audit. IAM can provide the ability to both assign access rights according to established policies and then periodically verify that access rights are still compliant with those same policies.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Conduct periodic compliance assessments. &lt;/b&gt;Periodic audits of access rights and privileges can assure that security and privacy policies are consistently enforced. Re-certification is a process where managers approve direct reports’ access to enterprise resources and applications. IAM can provide the ability to automatically present managers with the correct information to attest to each employee's access rights needs. By applying role management principles, this re-certification process can enable the approving manager to work at the business-role level, attesting to those entitlements quickly and accurately because they are given in a meaningful business context.&lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
    &lt;li&gt; &#xD;
      &lt;p&gt;&lt;b&gt;Provide automated reports.&lt;/b&gt; The delivery of accurate, timely and complete reports can assess compliance with established requirements. IAM can provide scheduled and ad-hoc compliance reports, including automated violation notifications, comprehensive work flow processes, and audit assessment reports. Such reports can be generated across multiple systems and enterprise applications and be submitted to appropriate people within the enterprise, to business associates and to appropriate regulatory agencies. &lt;/p&gt; &#xD;
    &lt;/li&gt; &#xD;
  &lt;/ol&gt; &#xD;
  &lt;p&gt;I’ll share more excerpts soon and let you know when the full paper is ready for download.  Please stay tuned.&lt;/p&gt; &#xD;
  &lt;/div&gt;</content>
    <updated>2009-11-10T02:28:21Z</updated>
    <published>2009-11-10T01:48:07Z</published>
    <category label="Identity" term="/Identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="digitalidentity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="hipaa" />
    <category scheme="http://roller.apache.org/ns/tags/" term="hitech" />
    <category scheme="http://roller.apache.org/ns/tags/" term="iam" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identitymanagement" />
    <category scheme="http://roller.apache.org/ns/tags/" term="privacy" />
    <category scheme="http://roller.apache.org/ns/tags/" term="security" />
    <author>
      <name>identity</name>
    </author>
    <source>
      <id>http://blogs.sun.com/identity/feed/entries/atom</id>
      <link href="http://blogs.sun.com/identity/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/identity/" rel="alternate" type="text/html" />
      <subtitle>Mark Dixon's quest to explore the world of  Identity Management</subtitle>
      <title>Discovering Identity</title>
      <updated>2009-11-10T11:09:28Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/identity/entry/the_role_of_iam_in</feedburner:origLink></entry>

  <entry>
    <id>tag:blogger.com,1999:blog-11222552.post-563402072638583782</id>
    <link href="http://jacksonshaw.blogspot.com/feeds/563402072638583782/comments/default" rel="replies" type="application/atom+xml" />
    <link href="https://www.blogger.com/comment.g?blogID=11222552&amp;postID=563402072638583782&amp;isPopup=true" rel="replies" type="text/html" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/563402072638583782" rel="edit" type="application/atom+xml" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/563402072638583782" rel="self" type="application/atom+xml" />
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/kR7Puazt3Vc/gartner-directories-and-virtual.html" rel="alternate" type="text/html" />
    <title>Jackson Shaw - Quest: Gartner: Directories and Virtual Directories: Foundations of Your IAM Infrastructure</title>
    <content type="html">&lt;p&gt;Andrew Walls’ definition of today’s directory proliferation problem is quite appropriate: “I am Legion and we are many!”&lt;/p&gt;  &lt;p&gt;Andrew talked about how virtual directories are “in fashion” these days. Interesting that when Andrew presented which vendors have a virtual directory that he put up Microsoft and IBM with question marks after them. His caution: Don’t assume that either of these vendors have these capabilities despite having info on their web site that they do. Andrew’s belief is that IBM and Microsoft don’t want their customers to look to another vendor to solve the virtual directory problem. I’m not sure about anyone else but I never believed either of these vendors had a virtual directory.&lt;/p&gt;  &lt;p&gt;Andrew characterized meta-directory as storing data rather than fetching data like a virtual directory – and called them fundamentally the same. I disagree with this simple of a characterization but I certainly agree with Andrew’s statement that rapid deployment of a virtual directory is possible whereas in most cases you are not going to rapidly deploy a meta-directory.&lt;/p&gt;  &lt;p&gt;Are meta-directory and virtual directory products melding – blurring the lines between themselves? Yes, and it’s high time that they did. Generally speaking, I think a customer can benefit from both of these technologies so why not use one product for that? Simple is always better. A virtual directory is the perfect veneer to stick on top of your directory infrastructure(s) because it allows you to swap underlying directory pieces in and out as your business changes.&lt;/p&gt;  &lt;p&gt;And, I agree with Andrew’s comment that adding a virtual or meta-directory can hide the complexity of your infrastructure – it doesn’t fix it. 
&lt;/p&gt;</content>
    <updated>2009-11-09T23:33:04Z</updated>
    <published>2009-11-09T23:31:00Z</published>
    <category scheme="http://www.blogger.com/atom/ns#" term="Gartner" />
    <category scheme="http://www.blogger.com/atom/ns#" term="identity management" />
    <category scheme="http://www.blogger.com/atom/ns#" term="Active Directory" />
    <author>
      <name>Jackson Shaw</name>
      <email>jackson.shaw@gmail.com</email>
      <uri>http://www.blogger.com/profile/00014140177974348471</uri>
    </author>
    <source>
      <id>tag:blogger.com,1999:blog-11222552</id>
      <author>
        <name>Jackson Shaw</name>
        <email>jackson.shaw@gmail.com</email>
        <uri>http://www.blogger.com/profile/00014140177974348471</uri>
      </author>
      <link href="http://jacksonshaw.blogspot.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default" rel="self" type="application/atom+xml" />
      <link href="http://jacksonshaw.blogspot.com/" rel="alternate" type="text/html" />
      <link href="http://pubsubhubbub.appspot.com/" rel="hub" type="text/html" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default?start-index=26&amp;max-results=25" rel="next" type="application/atom+xml" />
      <subtitle type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><em>Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.</em></div>
      </subtitle>
      <title>Jackson's Identity Management &amp; Active Directory Reality Tour Travelblog</title>
      <updated>2009-11-10T04:46:14Z</updated>
    </source>
  <feedburner:origLink>http://jacksonshaw.blogspot.com/2009/11/gartner-directories-and-virtual.html</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://www.incontextblog.com/?p=463</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/tG16ZVwkUX8/" rel="alternate" type="text/html" />
    <title>Paul Trevithick: Schema Mapping Session at IIW</title>
    <summary type="html">I led a session about schema mapping at IIW last week. The basic idea is this. Rather than trying to get the world to agree to a single schema for attributes (e.g. OpenID AX, ICF Schema Catalog, Plaxo Portable Contacts, etc., etc., …you know the old saw that the great thing about standard is that [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;I led a session about schema mapping at IIW last week. The basic idea is this. Rather than trying to get the world to agree to a single schema for attributes (e.g. OpenID AX, ICF Schema Catalog, Plaxo Portable Contacts, etc., etc., …you know the old saw that the great thing about standards is that there are so many of them (like 75!)) we just let the natural authorities for attributes mint their own URIs.&lt;/p&gt;&#xD;
&lt;p&gt;And while we’re being lazy, we just sit back and watch as these schema-creators evangelize their particular schema as far and as wide as they wish to. Today the only way an IdP can talk to an RP is if both know how to speak a common schema. This is true regardless of protocol or transport. It is as true of SAML tokens as OpenID attributes.&lt;/p&gt;&#xD;
&lt;p&gt;It’s all a form of tight coupling. And tight coupling requires a lot of effort. You know what they say: “consensus is harder than code.” Experience shows that the richer the schema the higher the costs to get everyone on board, the longer the process takes, and the narrower the diffusion/adoption. These economic realities drive the creation of more and newer schemas in each sub-ecosystem, even when common schemas could theoretically be agreed to.&lt;/p&gt;&#xD;
&lt;p&gt;But if we can’t all agree to the “one schema to rule them all” aren’t we doomed to a Tower of Babel?&lt;/p&gt;&#xD;
&lt;p&gt;&lt;img align="left" alt="" hspace="10" src="http://www.incontextblog.com/wp-content/uploads/2009/11/babel1.png" vspace="10"&gt;&lt;/img&gt;&lt;/p&gt;&#xD;
&lt;p&gt;Not entirely. There is another possible route to interoperability. Mapping. Instead of creating N*N mappings between each schema we create 2N mappings into and out from a common, rich, granular, and horribly complicated schema (that nobody would use &lt;em&gt;directly&lt;/em&gt;).&lt;/p&gt;&#xD;
&lt;p&gt;We use a mechanical process (think web service, library, etc.) that maps an &lt;em&gt;input&lt;/em&gt; schema into a rich, intermediate schema, and from there to an &lt;em&gt;output&lt;/em&gt; schema. This schema mapping process, being both algorithmic and data driven, can live at the RP, in the cloud, or at the IdP, depending on the need.&lt;/p&gt;&#xD;
&lt;p&gt;I will now describe one way to do this schema mapping. I have a personal bias towards declarative approaches that involve rich data and simple algorithms. The mapping rules that I’m about to describe can themselves be described as data with embedded names of a few simple functions. So that’s the design approach. Here are the details.&lt;/p&gt;&#xD;
&lt;p&gt;Every input attribute must come from some known namespace (schema name). A set of mapping rules must have already been created; one for each attribute in the input schema. The rule for the specific input attribute is then looked up and applied to transform this input attribute into its equivalent attribute(s) in the internal, intermediate data model (schema). To create the output attribute(s) the process is reversed. The target namespace (schema name) must be known, and a set of mapping rules must have been created for it. The output process takes the attribute in the internal data model, looks up the mapping rule for it and uses this rule to generate the output attribute.&lt;/p&gt;&#xD;
&lt;p&gt;This approach was discussed a lot on the second day of the recent &lt;a href="http://middleware.internet2.edu/tao-of-attributes/"&gt;Tao of Attributes workshop&lt;/a&gt;, and some similar thinking was discussed a couple years ago regarding a Common Dictionary Service (CDS) on the &lt;a href="http://identityschemas.org"&gt;IdentitySchemas.org&lt;/a&gt; list at Identity Commons.&lt;/p&gt;&#xD;
&lt;p&gt;The Higgins project is starting work on an open source &lt;a href="http://wiki.eclipse.org/Persona_Data_Model_1.1#UML_Class_Diagram"&gt;Persona Data Model&lt;/a&gt; that could serve as a common internal schema. A schema that nobody would actually use per se, but useful to map into and out from. We’re also experimenting with declarative mapping rules.&lt;/p&gt;&#xD;
&lt;p&gt;A quick aside:&lt;/p&gt;&#xD;
&lt;blockquote&gt;&lt;p&gt;The straw that broke the camel’s back for me happened recently. In the ICF’s Schema Working Group, we created a super-lightweight, email-based process to simply list whatever attribute/claim URIs that any party reasonably suggested they wanted. &lt;a href="http://wiki.informationcard.net/index.php/Claim_Catalog"&gt;Here’s the catalog&lt;/a&gt; we created. When Equifax wanted an “I’m over 18″ URI we swung into action and minted http://schemas.informationcard.net/@ics/age-18-or-over/2008-11. Cool.&lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;blockquote&gt;&lt;p&gt;Then the ICF and OpenID foundations start working together with the GSA and other parts of the Federal government. There’s a need for a “Level of Assurance” 1 claim. No problem. We created http://schemas.informationcard.net/@ics/icam-assurance-level-1/2009-06. Trouble is, when the GSA’s profile for IMI Infocards was published the URI started with http://idmanagement.gov.&lt;/p&gt;&#xD;
&lt;p&gt;Why? Who knows. That’s what they wanted. And since (sadly) in SAML there are no sub-namespaces allowed with the URI namespace, one URI is as good as another since all must be treated as an opaque string. So it’s hard to push back on the “customer” and tell them that the attribute should really start off http://schemas.informationcard.net…  They think that the LOA 1 URI is theirs. To make a separate URI and thus define another schema over such a trifling matter, was all the convincing that I needed to rethink things.&lt;/p&gt;&lt;/blockquote&gt;&lt;/div&gt;</content>
    <updated>2009-11-09T21:48:01Z</updated>
    <category term="Data Portability" />
    <category term="Higgins" />
    <category term="Ontologies" />
    <category term="Semantic Web" />
    <author>
      <name>paul</name>
    </author>
    <source>
      <id>http://www.incontextblog.com</id>
      <link href="http://www.incontextblog.com/?feed=rss2" rel="self" type="application/atom+xml" />
      <link href="http://www.incontextblog.com" rel="alternate" type="text/html" />
      <title>In Context</title>
      <updated>2009-11-09T23:02:54Z</updated>
    </source>
  <feedburner:origLink>http://www.incontextblog.com/?p=463</feedburner:origLink></entry>

  <entry>
    <id>tag:blogger.com,1999:blog-21995415.post-8340612359736325671</id>
    <link href="http://360tek.blogspot.com/feeds/8340612359736325671/comments/default" rel="replies" type="application/atom+xml" />
    <link href="https://www.blogger.com/comment.g?blogID=21995415&amp;postID=8340612359736325671" rel="replies" type="text/html" />
    <link href="http://www.blogger.com/feeds/21995415/posts/default/8340612359736325671?v=2" rel="edit" type="application/atom+xml" />
    <link href="http://www.blogger.com/feeds/21995415/posts/default/8340612359736325671?v=2" rel="self" type="application/atom+xml" />
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/zH7FZ1oa2Cc/implication-of-cisco-mars-decision-on.html" rel="alternate" type="text/html" />
    <title>Matt Flynn - NetVision: Implication of Cisco MARS decision on SIEMs?</title>
    <content type="html">Notice the question mark first.  I'm interested in what &lt;em&gt;you&lt;/em&gt; think this means.  This isn't me trying to make any great claims.&lt;br&gt;&lt;br&gt;&lt;a href="http://www.networkworld.com/news/2009/110609-cisco-mars.html"&gt;Cisco has acknowledged&lt;/a&gt; that it will stop adding support for additional devices on its MARS SIEM platform.  While the plan is to continue providing updates for already-supported devices, it's difficult to argue that this isn't a strategic move toward completely dropping support for the product (in its current form).&lt;br&gt;&lt;br&gt;I, of course, wanted to use a title like "The END of SIEM", but it's hard to make that leap given that &lt;a href="http://www.arcsight.com/press/release/arcsight-ranked-number-236-fastest-growing/"&gt;one of the biggest SIEM players&lt;/a&gt; was ranked among Deloitte's &lt;em&gt;2009 Technology Fast 500&lt;/em&gt; with over $100 Million in revenue for 2008.  And ArcSight has shown 32%, 34%, and 25% year over year growth in its last three quarters respectively.&lt;br&gt;&lt;br&gt;Still, Cisco is thought to be the most widely deployed SIEM with over 4000 installations.  For them to make a strategic move to discontinue addition of future platforms means (and read this with your favorite accent) &lt;em&gt;something doesn't smell right in Denmark&lt;/em&gt;.&lt;br&gt;&lt;br&gt;As I speak to organizations about &lt;a href="http://www.netvision.com/"&gt;NetVision&lt;/a&gt; (and we are clearly NOT a SIEM player), I hear concerns about SIEM tools and log management applications that are big, complex, difficult to implement, expensive, and not user-friendly.  I have nothing against SIEM tools or the role they play.  In fact, many of our customers integrate our product with SIEMs.  ...which is why the topic comes up.  But, I've been wondering if the fire-hose approach to data collection is proving to be too much.  i.e.) 
too much data and too much complexity given the problem at hand.&lt;br&gt;&lt;br&gt;I sense that the SIEM approach is troublesome and that SIEM vendors who can't adapt to changing market expectations for more readily available answers will start making announcements like Cisco's indicating that they won't be around forever continuing to support an ever-growing number of devices.  There will likely continue to be a market for large scale event data collection into the foreseeable future.  I'm not arguing against that.  But a segment of the market seems to be defining itself as a group that wants easy answers in lieu of a data flood.&lt;br&gt;&lt;br&gt;Am I reading too much into it?  What do you think?</content>
    <updated>2009-11-09T21:30:09Z</updated>
    <published>2009-11-09T20:23:00Z</published>
    <category scheme="http://www.blogger.com/atom/ns#" term="SIEM" />
    <category scheme="http://www.blogger.com/atom/ns#" term="Log Management" />
    <category scheme="http://www.blogger.com/atom/ns#" term="information security" />
    <category scheme="http://www.blogger.com/atom/ns#" term="IT security" /><feedburner:origlink>http://360tek.blogspot.com/2009/11/implication-of-cisco-mars-decision-on.html</feedburner:origlink>
    <author>
      <name>Matt Flynn</name>
      <email>noreply@blogger.com</email>
      <uri>http://www.blogger.com/profile/09902381553517250020</uri>
    </author>
    <source>
      <id>tag:blogger.com,1999:blog-21995415</id>
      <author>
        <name>Matt Flynn</name>
        <email>noreply@blogger.com</email>
        <uri>http://www.blogger.com/profile/09902381553517250020</uri>
      </author>
      <link href="http://360tek.blogspot.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" />
      <link href="http://360tek.blogspot.com/" rel="alternate" type="text/html" />
      <link href="http://pubsubhubbub.appspot.com/" rel="hub" type="text/html" />
      <link href="http://www.blogger.com/feeds/21995415/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" rel="next" type="application/atom+xml" />
      <link href="http://feeds.feedburner.com/MattFlynnsIdentityManagementBlog" rel="self" type="application/atom+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <subtitle>Identity Management and Security... software, services, process and analysis.</subtitle>
      <title>Matt Flynn's Identity Management Blog</title>
      <updated>2009-11-09T21:30:09Z</updated>
    </source>
  <feedburner:origLink>http://feedproxy.google.com/~r/MattFlynnsIdentityManagementBlog/~3/qa9F1qRX_Ck/implication-of-cisco-mars-decision-on.html</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://www.windley.com/archives/2009/11/kns_build_351_flwr_comes_to_krl.shtml</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/wTbE5_bv_qM/kns_build_351_flwr_comes_to_krl.shtml" rel="alternate" type="application/xhtml+xml" />
    <title xml:lang="en">Phil Windley - BYU: KNS Build 351: FLWR Comes to KRL</title>
    <summary xml:lang="en" type="html">One of the big features missing from KRL as a rule language is a foreach statement that allows looping. Build 351 of KNS (released today) fixes that problem. The thing that kept holding me back was confusion on my...</summary>
    <content type="html" xml:lang="en">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&#xD;
&lt;a href="http://www.kynetx.com"&gt;&lt;img align="right" alt="Kynetx Logo" border="0" hspace="3" src="http://www.windley.com/images/kynetx_logo_small.png" style="margin-top: 10px;" title="Kynetx Logo" vspace="3" width="125px"&gt;&lt;/img&gt;&lt;/a&gt; &#xD;
&lt;p&gt;&#xD;
One of the big features missing from KRL as a rule language is a &lt;code&gt;foreach&lt;/code&gt; statement that allows looping.  Build 351 of KNS (released today) fixes that problem.  The thing that kept holding me back was confusion on my part about the best way to add it and how it should work.  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
The problem was that I wanted, thought KRL needed, more than just looping.  I wanted full-blown &lt;a class="zem_slink" href="http://en.wikipedia.org/wiki/FLWOR" rel="wikipedia" title="FLWOR"&gt;FLWOR&lt;/a&gt; statements (foreach, let, where, order by, result).  I realized one day on a bike ride that the entire rule ought to be a FLWOR statement and that meant that the &lt;code&gt;foreach&lt;/code&gt; needed to happen before the rule body executed.  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
The rule prelude already functions in the capacity of a "let," the rule premise (condition on the action) already functions in the capacity of a "where," and the rule action itself is the "result."  Yeah, I left out "order."  More on that later.  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
KRL now allows one or more &lt;code&gt;foreach&lt;/code&gt; clauses to be added to the &lt;code&gt;select&lt;/code&gt; statement like so:&#xD;
&lt;/p&gt;&#xD;
&lt;pre class="code"&gt;select using "/archives/" setting ()&#xD;
  foreach [1, 2, 3] setting (x)&#xD;
&lt;/pre&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
The value of &lt;code&gt;x&lt;/code&gt; will be bound to the values 1, 2, and 3 on successive executions of the rule body.  KNS optimizes the rule so that declarations in the prelude aren't executed inside the loop unless they depend on the value of the variable (directly or indirectly).  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
Of course, the array is an expression, so it doesn't have to be an array literal.  You could do this:&#xD;
&lt;/p&gt;&#xD;
&lt;pre class="code"&gt;select using "/archives/" setting ()&#xD;
  foreach f.pick("$..store") setting (x)&#xD;
&lt;/pre&gt;&#xD;
&lt;p&gt;&#xD;
This works fine as long as &lt;code&gt;f&lt;/code&gt; has been declared outside the rule in the &lt;code&gt;global&lt;/code&gt; and the &lt;code&gt;pick&lt;/code&gt; returns an array.  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
The entire rule body--everything after the &lt;code&gt;select&lt;/code&gt;--is executed once for every loop.  If the premise is true, an action is produced, so a rule with a &lt;code&gt;foreach&lt;/code&gt; over a three element array would produce three actions if the premise were true each time.  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
We can't order the array yet.  Adding a &lt;code&gt;sort&lt;/code&gt; operator on arrays would do the trick but to do that I need some way to specify the comparison function and KRL doesn't have functions or closures...yet.  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
Looping has been a long time coming, but I'm excited to see what people do with it.  Surprise me!  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&#xD;
&#xD;
&lt;/div&gt;</content>
    <updated>2009-11-09T19:43:57Z</updated>
    <published>2009-11-09T19:36:33Z</published>
    <category term="kynetx, krl, programming+languages," />
    <source>
      <id>http://www.windley.com/</id>
      <icon>http://www.windley.com/favicon.ico</icon>
      <logo>http://www.niallkennedy.com/alive.gif</logo>
      <author>
        <name>windley</name>
        <email>phil@windley.org</email>
        <uri>http://www.windley.com</uri>
      </author>
      <link href="http://www.windley.com/" rel="alternate" type="application/xhtml+xml" />
      <link href="http://www.windley.com/atom.xml" rel="self" type="application/atom+xml" />
      <rights xml:lang="en">Creative Commons Attribution 2.5</rights>
      <subtitle xml:lang="en">Organizations Get the IT They Deserve</subtitle>
      <title xml:lang="en">Phil Windley's Technometria</title>
      <updated>2009-11-09T19:43:57Z</updated>
    </source>
  <feedburner:origLink>http://www.windley.com/archives/2009/11/kns_build_351_flwr_comes_to_krl.shtml</feedburner:origLink></entry>

  <entry>
    <id>tag:blogger.com,1999:blog-11222552.post-4932766927551796002</id>
    <link href="http://jacksonshaw.blogspot.com/feeds/4932766927551796002/comments/default" rel="replies" type="application/atom+xml" />
    <link href="https://www.blogger.com/comment.g?blogID=11222552&amp;postID=4932766927551796002&amp;isPopup=true" rel="replies" type="text/html" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/4932766927551796002" rel="edit" type="application/atom+xml" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/4932766927551796002" rel="self" type="application/atom+xml" />
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/GVQY-Evns80/gartner-and-death-of-iam.html" rel="alternate" type="text/html" />
    <title>Jackson Shaw - Quest: Gartner and The Death of IAM</title>
    <content type="html">&lt;p&gt;&lt;a href="http://lh4.ggpht.com/_jpua419xcIc/SvhcOmytB3I/AAAAAAAAtB8/iaprO17XDlI/s1600-h/San%20Diego%20013%5B2%5D.jpg"&gt;&lt;img alt="Gartner IAM Conference" border="0" height="164" src="http://lh6.ggpht.com/_jpua419xcIc/SvhcU62mNQI/AAAAAAAAtCE/pHVnMQMN3y8/San%20Diego%20013_thumb.jpg?imgmax=800" style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px;" title="Gartner IAM Conference" width="244"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Earl Perkins kicked off the Gartner IAM summit with this talk: The Death of IAM and the Loss of Identity Innocence – A Review of Program Maturity, Service-Driven Change and New-Era Threats. Catchy title, eh?! It was certainly penned this way to draw attention to what Earl called an “inflection point” that is now happening in the IAM market.&lt;/p&gt;  &lt;p&gt;Earl’s commentary centered around IAM – especially the “A” access part – accountability as the new phase of IAM. Gartner has clients who approach them daily who are now talking about replacing their first generation IAM systems – as Earl calls it, a “disaster summit” or a “do-over” conversation. In the area of governance (GRC) we are in the same place where we were with provisioning 5 years ago which means we are early and still have a long way to go in this area.&lt;/p&gt;  &lt;p&gt;Earl sees these trends in the “IAM Age of Accountability”:&lt;/p&gt;  &lt;p&gt;- Externalization + decentralization = “The out is now in”&lt;/p&gt;  &lt;p&gt;- Finding or identifying who is in charge&lt;/p&gt;  &lt;p&gt;- “Scale” is becoming off the scale&lt;/p&gt;  &lt;p&gt;- Delivery methods increase&lt;/p&gt;  &lt;p&gt;- Expanding business process management&lt;/p&gt;  &lt;p&gt;I think we have all seen much of the above. Much of this is being driven by the effects of compliance pressures on companies along with the drive to save money through the use of the “cloud”. 
It’s only going to get worse as federation begins to take off.&lt;/p&gt;  &lt;p&gt;Earl also talked about the death of the IAM suite and birth of the IAM partnership. Not the actual, real death of the IAM suite but the importance of partnering with your IAM vendor and picking the right vendor that you can work with over time. While Earl didn’t say this nor do I think he meant that the magic quadrant is “dead” but I do wonder about customers who make IAM choices simply by looking at the MQ. Partnership cannot be measured by the Gartner MQ in my opinion.&lt;/p&gt;  &lt;p&gt;Earl concluded by discussing how you map an IAM program into an information security program – taking you to serious business enablement, security effectiveness and security efficiency – where I expect we all want to end up.&lt;/p&gt;  &lt;p&gt;I like how Earl characterized this as an “inflection point”. It’s a better term than saying IAM 2.0 or “next generation”. The fact of the matter is that market pressures (“requirements”) are causing the slope to change of companies’ needs in this area and by definition that is an inflection point. I do think that many of the early IAM products and suites are struggling with this inflection point whereas some of the newer vendors in these areas are able to cope with or build directly to this inflection point.&lt;/p&gt;  &lt;p&gt;Interesting times for sure. 
For all of us – vendors and users.&lt;/p&gt;</content>
    <updated>2009-11-09T18:15:48Z</updated>
    <published>2009-11-09T18:15:00Z</published>
    <category scheme="http://www.blogger.com/atom/ns#" term="Gartner" />
    <category scheme="http://www.blogger.com/atom/ns#" term="identity management" />
    <author>
      <name>Jackson Shaw</name>
      <email>jackson.shaw@gmail.com</email>
      <uri>http://www.blogger.com/profile/00014140177974348471</uri>
    </author>
    <source>
      <id>tag:blogger.com,1999:blog-11222552</id>
      <author>
        <name>Jackson Shaw</name>
        <email>jackson.shaw@gmail.com</email>
        <uri>http://www.blogger.com/profile/00014140177974348471</uri>
      </author>
      <link href="http://jacksonshaw.blogspot.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default" rel="self" type="application/atom+xml" />
      <link href="http://jacksonshaw.blogspot.com/" rel="alternate" type="text/html" />
      <link href="http://pubsubhubbub.appspot.com/" rel="hub" type="text/html" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default?start-index=26&amp;max-results=25" rel="next" type="application/atom+xml" />
      <subtitle type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><em>Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.</em></div>
      </subtitle>
      <title>Jackson's Identity Management &amp; Active Directory Reality Tour Travelblog</title>
      <updated>2009-11-10T04:46:14Z</updated>
    </source>
  <feedburner:origLink>http://jacksonshaw.blogspot.com/2009/11/gartner-and-death-of-iam.html</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://blog.broadbandmechanics.com/?p=6191</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/eLWFoU5uCf4/" rel="alternate" type="text/html" />
    <title>Marc Canter - Broadband Mechanics: “How to build a Digital City” keynote - Aarhus ‘09</title>
    <summary type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;The video is choppy, but the content is real.  I even sing a little ‘Recitative’ to begin.&#xD;
&lt;/p&gt;&lt;p&gt;&#xD;
&lt;/p&gt;&lt;/div&gt;</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;The video is choppy, but the content is real.  I even sing a little ‘Recitative’ to begin.&#xD;
&lt;/p&gt;&lt;p&gt;&#xD;
&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-09T14:08:48Z</updated>
    <category term="Blog" />
    <author>
      <name>marc</name>
    </author>
    <source>
      <id>http://blog.broadbandmechanics.com</id>
      <link href="http://blog.broadbandmechanics.com/feed/" rel="self" type="application/atom+xml" />
      <link href="http://blog.broadbandmechanics.com" rel="alternate" type="text/html" />
      <subtitle>building the open web one bit at a time</subtitle>
      <title>Marc's Voice</title>
      <updated>2009-11-09T14:08:48Z</updated>
    </source>
  <feedburner:origLink>http://blog.broadbandmechanics.com/2009/11/09/how-to-build-a-digital-city-keynote-aarhus-09/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://bug4free.wordpress.com/?p=406</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/aRZbzpY_UuY/" rel="alternate" type="text/html" />
    <title>Hubert Le Van Gong - Sun: Why Should We Be Consistent?</title>
    <summary type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;A little tip: deploying a war file on different containers / application servers can lead to different results. Although their scope widely differs, Sun has 2 offerings when it comes to deploying a war file: Sun Java System Web Server (SJWS) and Glassfish.&#xD;
Well, it turns out that Glassfish replaces the entire content of the directory [...]&lt;/div&gt;</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;div class="snap_preview"&gt;&lt;br&gt;&lt;p&gt;A little tip: deploying a war file on different containers / application servers &lt;strong&gt;can&lt;/strong&gt; lead to different results. Although their scope widely differs, Sun has 2 offerings when it comes to deploying a war file: &lt;a href="http://www.sun.com/software/products/web_srvr/index.xml" target="_blank" title="Sun JSWS"&gt;Sun Java System Web Server&lt;/a&gt; (SJWS) and &lt;a href="https://glassfish.dev.java.net" target="_blank" title="Glassfish"&gt;Glassfish&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;p&gt;Well, it turns out that Glassfish replaces the entire content of the directory where the application is deployed while SJWS will simply overwrite the existing files, thus leaving all other files in place. In a recent case, I had copied some properties files in that directory (after a first deployment) and was surprised to find them there after a re-deploy.&lt;/p&gt;&#xD;
&lt;p&gt;Now, I know that I’m not really supposed to mess around with files of a deployed war but I find it to be a good reminder of the sometimes not so subtle differences between containers.&lt;/p&gt;&#xD;
&lt;/div&gt;&lt;/div&gt;</content>
    <updated>2009-11-09T13:32:26Z</updated>
    <category term="Computer science" />
    <category term="Glassfish" />
    <category term="Java" />
    <category term="SJWS" />
    <category term="Sun" />
    <category term="Web Server" />
    <author>
      <name>Hubert</name>
    </author>
    <source>
      <id>http://bug4free.wordpress.com</id>
      <logo>http://www.gravatar.com/blavatar/b2d7532138bd48f15b51b4690207db28?s=96&amp;d=http://s.wordpress.com/i/buttonw-com.png</logo>
      <link href="http://bug4free.wordpress.com/feed/" rel="self" type="application/atom+xml" />
      <link href="http://bug4free.wordpress.com" rel="alternate" type="text/html" />
      <title>C'est la Vie...</title>
      <updated>2009-11-10T09:02:34Z</updated>
    </source>
  <feedburner:origLink>http://bug4free.wordpress.com/2009/11/09/consistency/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://blog.broadbandmechanics.com/?p=6189</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/ygPauGNWkXk/" rel="alternate" type="text/html" />
    <title>Marc Canter - Broadband Mechanics: Kanye West is not here, but security is….</title>
    <summary type="html">&lt;p&gt;&lt;/p&gt;</summary>
    <content type="html">&lt;p&gt;&lt;/p&gt;</content>
    <updated>2009-11-08T20:06:20Z</updated>
    <category term="Blog" />
    <category term="kanye west" />
    <category term="SNL" />
    <category term="taylor swift" />
    <author>
      <name>marc</name>
    </author>
    <source>
      <id>http://blog.broadbandmechanics.com</id>
      <link href="http://blog.broadbandmechanics.com/feed/" rel="self" type="application/atom+xml" />
      <link href="http://blog.broadbandmechanics.com" rel="alternate" type="text/html" />
      <subtitle>building the open web one bit at a time</subtitle>
      <title>Marc's Voice</title>
      <updated>2009-11-09T14:08:48Z</updated>
    </source>
  <feedburner:origLink>http://blog.broadbandmechanics.com/2009/11/08/kanye-west-is-not-here-but-security-is/</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.kuppingercole.com/rohr/2009/11/08/sony-vaio-vgn-z-series-finally-with-vt-support/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/fJG34lhagVI/" rel="alternate" type="text/html" />
    <title>Kuppinger Cole: Sony VAIO VGN-Z series – finally with VT-support</title>
    
    <updated>2009-11-08T18:02:07Z</updated>
    <source>
      <id>http://blogs.kuppingercole.com</id>
      <author>
        <name>Kuppinger Cole</name>
      </author>
      <link href="http://blogs.kuppingercole.com" rel="alternate" type="text/html" />
      <link href="http://feeds.feedburner.com/kuppingercole-blogs" rel="self" type="application/rss+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <subtitle>Blogs - Kuppinger Cole + Partner</subtitle>
      <title>Kuppinger Cole Blogs</title>
      <updated>2009-11-08T18:02:51Z</updated>
    </source>
  <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;In &lt;a href="http://blogs.kuppingercole.com/rohr"&gt;Sebastian Rohr&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;p&gt;I recently bought a very expensive high-end Sony VAIO VGN-z31 and was more than surprised and downright angry when I found out they had disabled the “VT” support of the Intel CPU, making it almost useless when it comes to virtualization with Virtual PC, VMware Workstation, Xen or whatever your favourite hypervisor is.&lt;/p&gt;&#xD;
&lt;p&gt;With their latest set of updates for their EFI (the new BIOS technology), they have now finally given in to the numerous customer complaints, all coming from power users and professionals who were upset to have just spent 2.000-3.000 €/$ on a machine that basically left them without support for virtualization.&lt;/p&gt;&#xD;
&lt;p&gt;Vaio customers, rejoice! Check the update sources for your machine, and hopefully you will find a matching update. For all others: check out the “reverse engineered” hacks for activating VT…&lt;br&gt;&#xD;
Happy VMwaring&lt;/p&gt;&#xD;
&lt;p&gt;Sebastian&lt;br&gt;&#xD;
PS: off to get that SQL Server running…&lt;/p&gt;&lt;/div&gt;</content><feedburner:origLink>http://blogs.kuppingercole.com/rohr/2009/11/08/sony-vaio-vgn-z-series-finally-with-vt-support/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://www.links.org/?p=789</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/YsIzIVIE9xk/" rel="alternate" type="text/html" />
    <title>Ben Laurie - Apache / The Bunker: SSL MitM, Day 4</title>
    <summary type="html">Are we having fun yet? First, thanks to Benson, the only person so far to have expressed any kind of appreciation for the work we volunteers do.
Now to Q&amp;A.

Several people have pointed out that Adam Langley is unhappy that I (and others) have maligned TLS. Apparently
…it’s not a flaw in TLS. The TLS security properties [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Are we having fun yet? First, thanks to Benson, the only person so far to have expressed any kind of appreciation for the work we volunteers do.&lt;/p&gt;&#xD;
&lt;p&gt;Now to Q&amp;amp;A.&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;Several people have pointed out that &lt;a href="http://www.imperialviolet.org/2009/11/05/tls-reneg.html"&gt;Adam Langley is unhappy that I (and others) have maligned TLS&lt;/a&gt;. Apparently&lt;br&gt;&#xD;
&lt;blockquote&gt;&lt;p&gt;…it’s not a flaw in TLS. The TLS security properties are exactly what was intended.&lt;/p&gt;&lt;/blockquote&gt;&#xD;
&lt;p&gt;Isn’t that wonderful? Notice how much more secure the world became now we’ve got that cleared up.&lt;/p&gt;&#xD;
&lt;p&gt;Also notice how this “intended” property was so carefully explained, and how everyone involved immediately noticed that &lt;strong&gt;every single protocol that is layered on top of TLS got this wrong&lt;/strong&gt; and had them fix it. Not.&lt;/p&gt;&#xD;
&lt;p&gt;I’m not particularly interested in the blame game. I don’t really care who’s at fault here. What I care about is fixing the problems we have. TLS is broken. TLS is not broken. Whatever. I still seem to be patching code, either way.&lt;/p&gt;&#xD;
&lt;p&gt;By the way, Adam is incorrect in supposing this is tied to client certificates – this seems to be a common confusion. Any TLS session can be hijacked, so long as the server allows renegotiation. Which pretty much anything based on OpenSSL does.&lt;/p&gt;&lt;/li&gt;&#xD;
&lt;li&gt;Many people seem to think that fixing this (or working around it, as in OpenSSL 0.9.8l) will break session resumption. I’m not sure where this comes from, but it won’t.&lt;/li&gt;&#xD;
&lt;p&gt;&lt;/p&gt;&#xD;
&lt;li&gt;On a related note: can a resumed session be attacked? I don’t quite have the energy to test this, but I assume it can – although it would be a weird thing to do, I believe a client is allowed to resume a session during a renegotiation. So, to the server, this would look like the client connected, negotiated a new session, said some stuff, then renegotiated an old session and continued.&lt;/li&gt;&#xD;
&lt;p&gt;&lt;/p&gt;&#xD;
&lt;li&gt;On why this isn’t the same as XSRF, when considering HTTPS – I forgot to mention that the attacker can use methods other than GET or POST, which is all you can do with XSRF.&lt;/li&gt;&#xD;
&lt;p&gt;&lt;/p&gt;&#xD;
&lt;li&gt;Again on XSRF: those who think no clicks are necessary for XSRF are wrong – the victim must first follow a link to your evil page.&lt;/li&gt;&#xD;
&lt;p&gt;&lt;/p&gt;&#xD;
&lt;li&gt;Is this really a MitM attack? &lt;a href="http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html"&gt;Eric Rescorla correctly points out it is rather more limited than a classic MitM attack&lt;/a&gt;, but I don’t like his term either. When I first heard of it I called it a blind prefix injection attack. Which is still my preferred term.&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;So, what next? &lt;a href="https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt"&gt;Eric Rescorla et al have proposed a TLS extension&lt;/a&gt; which, when implemented by both clients and servers, fixes this problem by cryptographically binding the two sessions (before and after renegotiation) together.&lt;/p&gt;&#xD;
&lt;p&gt;I have today committed code (mostly written by Eric Rescorla) implementing this extension to the OpenSSL tree, in the &lt;code&gt;OpenSSL_0_9_8-stable&lt;/code&gt; branch. This is to allow review, of course, but also interop testing. An earlier version of this, which was based on 0.9.8l, was tested against a completely independent implementation by Nasko Oskov. Unfortunately we (the OpenSSL team) later decided that 0.9.8m should be based on the head of the 0.9.8 branch so that it would include various other bug and security fixes, so this version is not exactly the same as the one I tested with Nasko. I will be re-testing at the earliest opportunity.&lt;/p&gt;&#xD;
&lt;p&gt;Implementing and testing this fix has raised a problem, though. One of the nice features of the extension is that it is back compatible with old clients, so long as they don’t try to renegotiate. However, there is no corresponding mechanism for back compatibility with old servers. A client connecting to an old server has no way to know whether an attack occurred or not – only the server can detect that (it sees a renegotiation) – but since the server is old, it won’t know this is bad. I don’t have a solution to this problem at this time. Perhaps we shouldn’t try to solve it, and just require servers to upgrade.&lt;/p&gt;&#xD;
&lt;/div&gt;</content>
    <updated>2009-11-08T17:12:46Z</updated>
    <category term="Crypto" />
    <category term="Security" /><feedburner:origlink>http://www.links.org/?p=789</feedburner:origlink>
    <author>
      <name>Ben</name>
    </author>
    <source>
      <id>http://www.links.org</id>
      <link href="http://www.links.org" rel="alternate" type="text/html" />
      <link href="http://feeds.feedburner.com/links/ZvUZ" rel="self" type="application/atom+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <subtitle>Ben Laurie blathering</subtitle>
      <title>Links</title>
      <updated>2009-11-10T11:32:28Z</updated>
    </source>
  <feedburner:origLink>http://feedproxy.google.com/~r/links/ZvUZ/~3/Ln6Tn9Mb7e8/</feedburner:origLink></entry>

  <entry>
    <id>tag:blogger.com,1999:blog-11222552.post-1579678739092791288</id>
    <link href="http://jacksonshaw.blogspot.com/feeds/1579678739092791288/comments/default" rel="replies" type="application/atom+xml" />
    <link href="https://www.blogger.com/comment.g?blogID=11222552&amp;postID=1579678739092791288&amp;isPopup=true" rel="replies" type="text/html" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/1579678739092791288" rel="edit" type="application/atom+xml" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/1579678739092791288" rel="self" type="application/atom+xml" />
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/yLwoWl-RK2M/windows-identity-foundation-release.html" rel="alternate" type="text/html" />
    <title>Jackson Shaw - Quest: Windows Identity Foundation release candidate now available</title>
    <content type="html">The Windows Identity Foundation (WIF) is now available as a release candidate per the Forefront Team Blog posting &lt;a href="http://blogs.technet.com/forefront/archive/2009/11/06/developers-try-out-the-windows-identity-foundation-release-candidate.aspx"&gt;here&lt;/a&gt;.&lt;br&gt;&lt;blockquote style="font-style: italic;"&gt;Look for more information about "WIF" coming out of &lt;a href="http://microsoftpdc.com/"&gt;Microsoft's Professional Developer Conference&lt;/a&gt;, the week of Nov 16. &lt;/blockquote&gt;We are sending a number of our smart people to the PDC to check out WIF. This release will definitely mark the beginning of true market adoption of web-services based identity. (What we have seen so far has mostly been science experiments and very specific industry segment adoption)</content>
    <updated>2009-11-08T16:10:43Z</updated>
    <published>2009-11-08T16:01:00Z</published>
    <category scheme="http://www.blogger.com/atom/ns#" term="WIF" />
    <category scheme="http://www.blogger.com/atom/ns#" term="Windows Identity Foundation" />
    <category scheme="http://www.blogger.com/atom/ns#" term="identity management" />
    <author>
      <name>Jackson Shaw</name>
      <email>jackson.shaw@gmail.com</email>
      <uri>http://www.blogger.com/profile/00014140177974348471</uri>
    </author>
    <source>
      <id>tag:blogger.com,1999:blog-11222552</id>
      <author>
        <name>Jackson Shaw</name>
        <email>jackson.shaw@gmail.com</email>
        <uri>http://www.blogger.com/profile/00014140177974348471</uri>
      </author>
      <link href="http://jacksonshaw.blogspot.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default" rel="self" type="application/atom+xml" />
      <link href="http://jacksonshaw.blogspot.com/" rel="alternate" type="text/html" />
      <link href="http://pubsubhubbub.appspot.com/" rel="hub" type="text/html" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default?start-index=26&amp;max-results=25" rel="next" type="application/atom+xml" />
      <subtitle type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><em>Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.</em></div>
      </subtitle>
      <title>Jackson's Identity Management &amp; Active Directory Reality Tour Travelblog</title>
      <updated>2009-11-10T04:46:14Z</updated>
    </source>
  <feedburner:origLink>http://jacksonshaw.blogspot.com/2009/11/windows-identity-foundation-release.html</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://blog.superpat.com/2009/11/07/bookmarks-for-november-6th-2009/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/DGpKdLvlnyc/" rel="alternate" type="text/html" />
    <title>Pat Patterson - Huawei: Bookmarks for November 6th 2009</title>
    <summary type="html">These are my links for November 6th 2009:

Remus – Transparent High Availability for Xen – Remus provides transparent, comprehensive high availability to ordinary virtual machines running on the Xen virtual machine monitor. It does this by maintaining a completely up-to-date copy of a running VM on a backup server, which automatically activates if the primary [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;These are my links for November 6th 2009:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;&lt;a href="http://nss.cs.ubc.ca/remus/"&gt;Remus – Transparent High Availability for Xen&lt;/a&gt; – Remus provides transparent, comprehensive high availability to ordinary virtual machines running on the Xen virtual machine monitor. It does this by maintaining a completely up-to-date copy of a running VM on a backup server, which automatically activates if the primary server fails&lt;/li&gt;&#xD;
&lt;li&gt;&lt;a href="http://www.peereboom.us/assl/html/openssl.html"&gt;OpenSSL is written by monkeys&lt;/a&gt; – Marco Peereboom's rant on OpenSSL. To be honest, looking at the examples of OpenSSL code, it's difficult to disagree – sorry, Ben!&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&#xD;
&lt;/div&gt;</content>
    <updated>2009-11-07T13:00:00Z</updated>
    <category term="Links" />
    <category term="Uncategorized" />
    <category term="highavailability" />
    <category term="openssl" />
    <category term="rant" />
    <category term="remus" />
    <category term="xen" /><feedburner:origlink>http://blog.superpat.com/2009/11/07/bookmarks-for-november-6th-2009/</feedburner:origlink>
    <author>
      <name>admin</name>
    </author>
    <source>
      <id>http://blog.superpat.com</id>
      <link href="http://blog.superpat.com" rel="alternate" type="text/html" />
      <link href="http://feeds.feedburner.com/superpat" rel="self" type="application/atom+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <subtitle>Pat Patterson on Identity Management, Federation and Single Malt Scotch</subtitle>
      <title>Superpatterns</title>
      <updated>2009-11-07T13:32:54Z</updated>
    </source>
  <feedburner:origLink>http://feedproxy.google.com/~r/superpat/~3/JuAxeCQrGjQ/</feedburner:origLink></entry>

  <entry xml:lang="en-US">
    <id>http://blogs.msdn.com/vbertocci/archive/2009/11/06/download-the-november-2009-release-of-the-identity-developer-training-kit.aspx</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/GV-h_727o-c/download-the-november-2009-release-of-the-identity-developer-training-kit.aspx" rel="alternate" type="text/html" />
    <title xml:lang="en-US">Vittorio Bertocci - Microsoft: Download the November 2009 release of the Identity Developer Training Kit</title>
    <content type="html" xml:lang="en-US">&lt;div class="wlWriterHeaderFooter" style="float: right; margin: 0px; padding: 0px 0px 4px 8px;"&gt;&lt;/div&gt;&lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/DownloadtheNovember2009releaseoftheIdent_E129/trainingkit_2.png"&gt;&lt;img alt="trainingkit" border="0" height="341" src="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/DownloadtheNovember2009releaseoftheIdent_E129/trainingkit_thumb.png" style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px;" title="trainingkit" width="500"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Let’s close the WIF RC day with the &lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0"&gt;November refresh of our Identity Developer Training Kit&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;The new version of the &lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0"&gt;Identity Developer Training Kit&lt;/a&gt; ported forward the three WIF labs (web site, web services, ASP.NET Membership provider) to the RC, and improved support for Windows 7 and Windows Server 2008 R2.&lt;/p&gt;  &lt;p&gt;The ACS labs have been temporarily removed, to give us the time to accommodate &lt;a href="http://blogs.msdn.com/vbertocci/archive/2009/11/05/the-new-acs-is-live-if-you-do-http-you-can-play-the-game.aspx"&gt;the new REST scenarios it now supports&lt;/a&gt;, but they will be back in no time.&lt;/p&gt;  &lt;p&gt;In addition to that, we’ll also be adding some new interesting content very soon… but I won’t spoil the surprise ;-)&lt;/p&gt;  &lt;p&gt;Happy coding!&lt;/p&gt;</content>
    <updated>2009-11-07T00:00:45Z</updated>
    <published>2009-11-07T00:00:45Z</published>
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Identity/default.aspx" term="Identity" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/.NET+Access+Control/default.aspx" term=".NET Access Control" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Windows+Identity+Foundation/default.aspx" term="Windows Identity Foundation" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/WIF/default.aspx" term="WIF" />
    <author>
      <name>vibro</name>
      <uri>http://blogs.msdn.com/members/vibro.aspx</uri>
    </author>
    <source>
      <id>http://blogs.msdn.com/vbertocci/atom.xml</id>
      <link href="http://blogs.msdn.com/vbertocci/default.aspx" rel="alternate" type="text/html" />
      <link href="http://blogs.msdn.com/vbertocci/atom.xml" rel="self" type="application/atom+xml" />
      <subtitle xml:lang="en-US">Scatter thoughts</subtitle>
      <title xml:lang="en-US">Vibro.NET</title>
      <updated>2009-08-04T16:51:05Z</updated>
    </source>
  <feedburner:origLink>http://blogs.msdn.com/vbertocci/archive/2009/11/06/download-the-november-2009-release-of-the-identity-developer-training-kit.aspx</feedburner:origLink></entry>

  <entry xml:lang="en-US">
    <id>http://blogs.msdn.com/vbertocci/archive/2009/11/06/claimsdrivenmodifiercontrol-has-been-updated-to-wif-rc.aspx</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/Paan0ITv4OU/claimsdrivenmodifiercontrol-has-been-updated-to-wif-rc.aspx" rel="alternate" type="text/html" />
    <title xml:lang="en-US">Vittorio Bertocci - Microsoft: ClaimsDrivenModifierControl has been updated to WIF RC</title>
    <content type="html" xml:lang="en-US">&lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/ClaimsDrivenModifierControlhasbeenupdate_A262/claimsbasecontrs_2.png"&gt;&lt;img alt="claimsbasecontrs" border="0" height="240" src="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/ClaimsDrivenModifierControlhasbeenupdate_A262/claimsbasecontrs_thumb.png" style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px;" title="claimsbasecontrs" width="239"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Following the route of &lt;a href="http://blogs.msdn.com/vbertocci/archive/2009/11/06/fabrikamshipping-has-been-updated-to-wif-rc.aspx"&gt;FabrikamShipping&lt;/a&gt;, the &lt;a href="http://code.msdn.microsoft.com/ClaimsDrivenControl"&gt;Claims-Driven Modifier Control&lt;/a&gt; is now ready to influence the behavior of your federated sample websites… using &lt;a href="http://blogs.msdn.com/vbertocci/archive/2009/11/06/the-rc-of-windows-identity-foundation-is-here.aspx"&gt;WIF RC&lt;/a&gt; :-)&lt;/p&gt;  &lt;p&gt;enjoy!&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>
    <updated>2009-11-06T19:32:51Z</updated>
    <published>2009-11-06T19:32:51Z</published>
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Identity/default.aspx" term="Identity" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Windows+Identity+Foundation/default.aspx" term="Windows Identity Foundation" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/WIF/default.aspx" term="WIF" />
    <author>
      <name>vibro</name>
      <uri>http://blogs.msdn.com/members/vibro.aspx</uri>
    </author>
    <source>
      <id>http://blogs.msdn.com/vbertocci/atom.xml</id>
      <link href="http://blogs.msdn.com/vbertocci/default.aspx" rel="alternate" type="text/html" />
      <link href="http://blogs.msdn.com/vbertocci/atom.xml" rel="self" type="application/atom+xml" />
      <subtitle xml:lang="en-US">Scatter thoughts</subtitle>
      <title xml:lang="en-US">Vibro.NET</title>
      <updated>2009-08-04T16:51:05Z</updated>
    </source>
  <feedburner:origLink>http://blogs.msdn.com/vbertocci/archive/2009/11/06/claimsdrivenmodifiercontrol-has-been-updated-to-wif-rc.aspx</feedburner:origLink></entry>

  <entry xml:lang="en-US">
    <id>http://blogs.msdn.com/vbertocci/archive/2009/11/06/fabrikamshipping-has-been-updated-to-wif-rc.aspx</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/bG00eZU2J-Y/fabrikamshipping-has-been-updated-to-wif-rc.aspx" rel="alternate" type="text/html" />
    <title xml:lang="en-US">Vittorio Bertocci - Microsoft: FabrikamShipping has been updated to WIF RC</title>
    <content type="html" xml:lang="en-US">&lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/FabrikamShippinghasbeenupdatedtoWIFRC_9CA6/fshippingperspectiver_2.png"&gt;&lt;img alt="fshippingperspectiver" border="0" height="223" src="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/FabrikamShippinghasbeenupdatedtoWIFRC_9CA6/fshippingperspectiver_thumb.png" style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px;" title="fshippingperspectiver" width="200"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;That’s right, the big sample you know and (hopefully?;-)) love has been updated for taking advantage of WIF RC.&lt;/p&gt;  &lt;p&gt;Get it while it’s hot at &lt;a href="http://code.msdn.microsoft.com/FabrikamShipping" title="http://code.msdn.microsoft.com/FabrikamShipping"&gt;http://code.msdn.microsoft.com/FabrikamShipping&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>
    <updated>2009-11-06T19:08:23Z</updated>
    <published>2009-11-06T19:08:23Z</published>
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Identity/default.aspx" term="Identity" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/FabrikamShipping/default.aspx" term="FabrikamShipping" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Windows+Identity+Foundation/default.aspx" term="Windows Identity Foundation" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/WIF/default.aspx" term="WIF" />
    <author>
      <name>vibro</name>
      <uri>http://blogs.msdn.com/members/vibro.aspx</uri>
    </author>
    <source>
      <id>http://blogs.msdn.com/vbertocci/atom.xml</id>
      <link href="http://blogs.msdn.com/vbertocci/default.aspx" rel="alternate" type="text/html" />
      <link href="http://blogs.msdn.com/vbertocci/atom.xml" rel="self" type="application/atom+xml" />
      <subtitle xml:lang="en-US">Scatter thoughts</subtitle>
      <title xml:lang="en-US">Vibro.NET</title>
      <updated>2009-08-04T16:51:05Z</updated>
    </source>
  <feedburner:origLink>http://blogs.msdn.com/vbertocci/archive/2009/11/06/fabrikamshipping-has-been-updated-to-wif-rc.aspx</feedburner:origLink></entry>

  <entry>
    <id>tag:blogger.com,1999:blog-11222552.post-3891024060306707520</id>
    <link href="http://jacksonshaw.blogspot.com/feeds/3891024060306707520/comments/default" rel="replies" type="application/atom+xml" />
    <link href="https://www.blogger.com/comment.g?blogID=11222552&amp;postID=3891024060306707520&amp;isPopup=true" rel="replies" type="text/html" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/3891024060306707520" rel="edit" type="application/atom+xml" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/3891024060306707520" rel="self" type="application/atom+xml" />
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/0zZdueSt8BQ/see-you-at-gartners-identity-conference.html" rel="alternate" type="text/html" />
    <title>Jackson Shaw - Quest: See you at Gartner's Identity Conference?</title>
    <content type="html">&lt;a href="http://www.gartner.com/it/page.jsp?id=838920"&gt;Gartner's Identity and Access Management conference&lt;/a&gt; starts this coming Monday in San Diego. Will you be there? I'll be there and Quest Software will also have a number of our IAM experts present along with a booth in the exposition area.&lt;br&gt;&lt;br&gt;We'd love to see you so please drop by our speaking slots or come by our booth. I fully expect this to be an eventful conference - as usual!&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>
    <updated>2009-11-06T18:52:21Z</updated>
    <published>2009-11-06T18:47:00Z</published>
    <category scheme="http://www.blogger.com/atom/ns#" term="Quest Software" />
    <category scheme="http://www.blogger.com/atom/ns#" term="Gartner" />
    <category scheme="http://www.blogger.com/atom/ns#" term="QSFT" />
    <category scheme="http://www.blogger.com/atom/ns#" term="identity managment" />
    <author>
      <name>Jackson Shaw</name>
      <email>jackson.shaw@gmail.com</email>
      <uri>http://www.blogger.com/profile/00014140177974348471</uri>
    </author>
    <source>
      <id>tag:blogger.com,1999:blog-11222552</id>
      <author>
        <name>Jackson Shaw</name>
        <email>jackson.shaw@gmail.com</email>
        <uri>http://www.blogger.com/profile/00014140177974348471</uri>
      </author>
      <link href="http://jacksonshaw.blogspot.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default" rel="self" type="application/atom+xml" />
      <link href="http://jacksonshaw.blogspot.com/" rel="alternate" type="text/html" />
      <link href="http://pubsubhubbub.appspot.com/" rel="hub" type="text/html" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default?start-index=26&amp;max-results=25" rel="next" type="application/atom+xml" />
      <subtitle type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><em>Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.</em></div>
      </subtitle>
      <title>Jackson's Identity Management &amp; Active Directory Reality Tour Travelblog</title>
      <updated>2009-11-10T04:46:14Z</updated>
    </source>
  <feedburner:origLink>http://jacksonshaw.blogspot.com/2009/11/see-you-at-gartners-identity-conference.html</feedburner:origLink></entry>

  <entry xml:lang="en-US">
    <id>http://blogs.msdn.com/vbertocci/archive/2009/11/06/the-id-element-special-up-close-personal-with-wif-rc.aspx</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/5Xo60iUd5ck/the-id-element-special-up-close-personal-with-wif-rc.aspx" rel="alternate" type="text/html" />
    <title xml:lang="en-US">Vittorio Bertocci - Microsoft: The Id Element Special: up close &amp; personal with WIF RC</title>
    <content type="html" xml:lang="en-US">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&#xD;
&lt;p&gt;&lt;a href="http://channel9.msdn.com/identity"&gt;&lt;img border="0" src="http://www.maseghepensu.it/IdElementbanner.png"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/TheIdElementSpecialupclosepersonalwithWI_916C/image_2.png"&gt;&lt;img align="left" alt="image" border="0" height="270" src="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/TheIdElementSpecialupclosepersonalwithWI_916C/image_thumb.png" style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; DISPLAY: inline; MARGIN-LEFT: 0px; BORDER-TOP: 0px; MARGIN-RIGHT: 0px; BORDER-RIGHT: 0px;" title="image" width="404"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;&#xD;
&lt;p&gt;The Federated Identity team finally unwrapped the RC version of Windows Identity Foundation: as you have come to expect, &lt;a href="http://channel9.msdn.com/shows/Identity/Windows-Identity-Foundation-RC-is-here/"&gt;the Id Element did some fact gathering for you&lt;/a&gt;. Enjoy!&lt;/p&gt;&#xD;
&lt;blockquote&gt;&#xD;
&lt;p&gt;&lt;em&gt;The release candidate of Windows Identity Foundation is here! Chock-full of improvements driven by YOUR feedback, WIF RC gives a very good idea of what the final release will look like. &lt;br&gt;Vittorio went to visit &lt;strong&gt;Sidd&lt;/strong&gt;, &lt;strong&gt;Govind&lt;/strong&gt; and &lt;strong&gt;Sesha&lt;/strong&gt; to learn about the new features and explore the rationale behind some of them. From a comprehensive list of new features to deep dives in their favourite scenarios, the guys tell it all. Tune in! &lt;/em&gt;&lt;/p&gt;&#xD;
&lt;/blockquote&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>
    <updated>2009-11-06T18:21:00Z</updated>
    <published>2009-11-06T18:21:00Z</published>
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Identity/default.aspx" term="Identity" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Geneva+Framework/default.aspx" term="Geneva Framework" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Geneva/default.aspx" term="Geneva" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/IdElement/default.aspx" term="IdElement" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Windows+Identity+Foundation/default.aspx" term="Windows Identity Foundation" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/WIF/default.aspx" term="WIF" />
    <author>
      <name>vibro</name>
      <uri>http://blogs.msdn.com/members/vibro.aspx</uri>
    </author>
    <source>
      <id>http://blogs.msdn.com/vbertocci/atom.xml</id>
      <link href="http://blogs.msdn.com/vbertocci/default.aspx" rel="alternate" type="text/html" />
      <link href="http://blogs.msdn.com/vbertocci/atom.xml" rel="self" type="application/atom+xml" />
      <subtitle xml:lang="en-US">Scatter thoughts</subtitle>
      <title xml:lang="en-US">Vibro.NET</title>
      <updated>2009-08-04T16:51:05Z</updated>
    </source>
  <feedburner:origLink>http://blogs.msdn.com/vbertocci/archive/2009/11/06/the-id-element-special-up-close-personal-with-wif-rc.aspx</feedburner:origLink></entry>

  <entry xml:lang="en-US">
    <id>http://blogs.msdn.com/vbertocci/archive/2009/11/06/the-rc-of-windows-identity-foundation-is-here.aspx</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/_O7erwTSt4w/the-rc-of-windows-identity-foundation-is-here.aspx" rel="alternate" type="text/html" />
    <title xml:lang="en-US">Vittorio Bertocci - Microsoft: The RC of Windows Identity Foundation is here!</title>
    <content type="html" xml:lang="en-US">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&#xD;
&lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/TheRCofWindowsIdentityFoundationishere_538/NET-WIF_h_rgb%5B2%5D_2.jpg"&gt;&lt;img alt="NET-WIF_h_rgb[2]" border="0" height="97" src="http://blogs.msdn.com/blogfiles/vbertocci/WindowsLiveWriter/TheRCofWindowsIdentityFoundationishere_538/NET-WIF_h_rgb%5B2%5D_thumb.jpg" style="BORDER-RIGHT-WIDTH: 0px; DISPLAY: inline; BORDER-TOP-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BORDER-LEFT-WIDTH: 0px;" title="NET-WIF_h_rgb[2]" width="516"&gt;&lt;/img&gt;&lt;/a&gt; &lt;/p&gt;&#xD;
&lt;p&gt;You have been waiting for it: &lt;a href="http://blogs.technet.com/forefront/archive/2009/11/06/developers-try-out-the-windows-identity-foundation-release-candidate.aspx"&gt;it is finally here&lt;/a&gt;. We have just released WIF RC; you can download it &lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=defd2019-a61f-4327-9332-6a4b6103527a"&gt;here&lt;/a&gt;. Note how nicely the logo reflects WIF’s status of member of the .NET family… I &lt;em&gt;love&lt;/em&gt; it!&lt;/p&gt;&#xD;
&lt;p&gt;This release has very few breaking changes, but it is full of small &amp;amp; big improvements. You can learn all about it in &lt;a href="http://blogs.msdn.com/vbertocci/archive/2009/11/06/the-id-element-special-up-close-personal-with-wif-rc.aspx"&gt;our RC special of the Id Element&lt;/a&gt;!&lt;/p&gt;&#xD;
&lt;p&gt;Also, we updated to the RC the Identity Training Kit, FabrikamShipping and the ClaimsDrivenModifierControl; as the new versions come online I will post accordingly (and change the text into links).&lt;/p&gt;&#xD;
&lt;p&gt;And now… heads down for the Big R! &lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>
    <updated>2009-11-06T18:06:00Z</updated>
    <published>2009-11-06T18:06:00Z</published>
    <author>
      <name>vibro</name>
      <uri>http://blogs.msdn.com/members/vibro.aspx</uri>
    </author>
    <source>
      <id>http://blogs.msdn.com/vbertocci/atom.xml</id>
      <link href="http://blogs.msdn.com/vbertocci/default.aspx" rel="alternate" type="text/html" />
      <link href="http://blogs.msdn.com/vbertocci/atom.xml" rel="self" type="application/atom+xml" />
      <subtitle xml:lang="en-US">Scatter thoughts</subtitle>
      <title xml:lang="en-US">Vibro.NET</title>
      <updated>2009-08-04T16:51:05Z</updated>
    </source>
  <feedburner:origLink>http://blogs.msdn.com/vbertocci/archive/2009/11/06/the-rc-of-windows-identity-foundation-is-here.aspx</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://netmesh.info/jernst/?p=324</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/oqmqoelXZvw/why-we-really-dont-need-an-identity-selector" rel="alternate" type="text/html" />
    <title>Johannes Ernst - NetMesh: Why We Really Don’t Need an “Identity Selector”</title>
    <summary type="html">As of this week’s Internet Identity Workshop, I’m now rather convinced that an “identity selector” is the wrong product and the wrong feature set, regardless of the exact details of a particular vendor’s implementation. Several discussions in several contexts, including how to best make a browser identity-aware, all point to the same conclusion, regardless if [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;As of this week’s &lt;a href="http://iiw.idcommons.net/Iiw9"&gt;Internet Identity Workshop&lt;/a&gt;, I’m now rather convinced that an “&lt;a href="http://en.wikipedia.org/wiki/Identity_Selector"&gt;identity selector&lt;/a&gt;” is the wrong product and the wrong feature set, regardless of the exact details of a particular vendor’s implementation. Several discussions in several contexts, including how to best make a browser identity-aware, all point to the same conclusion, regardless if the context is a card context or an identifier / OpenID context. Something had always been bothering me about the identity selector concept over all these years since I saw the first &lt;a href="http://en.wikipedia.org/wiki/Windows_CardSpace"&gt;CardSpace&lt;/a&gt; demo, and now I know what it is.&lt;/p&gt;&#xD;
&lt;p&gt;To make my point, consider the interaction of a user with a site over some period of time:&lt;/p&gt;&#xD;
&lt;div class="picture"&gt;&lt;img alt="" src="http://netmesh.info/jernst-files/identity-site-lifecycle.png"&gt;&lt;/img&gt;&lt;/div&gt;&#xD;
&lt;p&gt;Here, the user (necessarily) is anonymous at the site when visiting for the first time. As time progresses, the user may choose to register at the site (and log in at the same time), and then continue to have an active session for some time. This session later times out and the user returns to the site after the timeout. The user authenticates again, and later logs off intentionally, after which (one hopes) the user is anonymous again for the site.&lt;/p&gt;&#xD;
&lt;p&gt;The blue sections in the diagram show the times at which an “identity selector” is useful: upon initial registration, and then again upon re-authentication. However, compare these minuscule amounts of time with the time that the user and the site have a relationship with each other centered around the user’s identity. If it takes me 20 seconds to log in, for example, but I stay at the site for an hour with the authenticated session, the “identity selector” helps me with my identity at that site only for 0.5% of the time.&lt;/p&gt;&#xD;
&lt;p&gt;What about the other 99.5%?&lt;/p&gt;&#xD;
&lt;p&gt;We need functionality in the browser, or at least somewhere close to the user when using a web browser, that assists the user 100% of the time their digital identity is in the picture, not 0.5% of the time. By thinking of that product as an “identity selector”, we are excluding the other 99.5% and thus are getting the product exactly wrong.&lt;/p&gt;&#xD;
&lt;p&gt;The correct product is not a “selector”. It also must be:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;An identity “de-selector”, with which the user can become anonymous again (or perhaps even remove all the information from the site which was conveyed during the “identity selection” phase). The much-desired “single sign out of the web” button should logically reside there.&lt;/li&gt;&#xD;
&lt;li&gt;An identity-aware session “visualizer”, which conveys to the user which sites they have open sessions with, which of the user’s identities are currently used with which site, which others they have used with which site in the past, whether the session is valid (as opposed to expired), what information about them they have shared with the site and perhaps how to log out.&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;This is particularly important if the user has multiple active sessions, perhaps with multiple identities, occurring in parallel, such as in multiple browser tabs — increasingly a fact of life for many internet users. Keeping track of which sessions are still open, and which can be easily reactivated (e.g. by an OpenID checkid_immediate check), is cognitively impossible for many people (myself included) and computer support in the browser (not on the browser page) would be really useful. Throw in the use case of somebody briefly borrowing the computer to check their e-mail or Facebook account, while the primary user still has all their windows and sessions open, and perfect confusion ensues with a range of scary security and privacy issues around them.&lt;/p&gt;&#xD;
&lt;p&gt;So, what we need is not an “identity selector” for 0.5% of the time we use identity in the browser. What we need is a continually active, perhaps proactive assistant that helps us create and tear down sessions, watches our sessions, keeps track of the information that flows back and forth and helps us when we need it, 100% of the time.&lt;/p&gt;&#xD;
&lt;p&gt;Now I’m not a usability guy by any stretch of the imagination, but the following strawman picture popped into my head earlier today. It could live somewhere in the sidebar:&lt;/p&gt;&#xD;
&lt;div class="picture"&gt;&lt;img alt="" src="http://netmesh.info/jernst-files/identity-chamberlain.png"&gt;&lt;/img&gt;&lt;/div&gt;&#xD;
&lt;p&gt;Each active session could have a separate section (rather like the Windows task bar). It would show the name of the site, whether or not the user was currently identified there, and the user’s current identifier (or card) there.&lt;/p&gt;&#xD;
&lt;p&gt;To log out, click the “x”. To log out everywhere, click the big button. To reactivate an expired session, click on the red light and it will turn green if re-authentication was successful. Clicking on the section could bring the tab / window to the front that belongs to the site, like in Windows or OSX. Right-click would show the information that has flown between user and site so far, perhaps with a time-based log. And so forth.&lt;/p&gt;&#xD;
&lt;p&gt;An alternate version could sort by identity first and then by site (as opposed to this figure, which is sorted by site and then by identifier). That might be useful, too.&lt;/p&gt;&#xD;
&lt;p&gt;But regardless of the details of this strawman screen shot, which you may or may not like, I think the idea of covering the entire lifecycle of the user’s identity-based relationship with a site would lead to a much more useful product than a mere “selector”. Many others at IIW seemed to think so, too, but I’ll let them speak for themselves if they feel inclined to.&lt;/p&gt;&#xD;
&lt;p&gt;Yes, we don’t have the protocols and conventions for all of this. But I don’t think they are hard either, so that should not be an excuse.&lt;/p&gt;&#xD;
&lt;p&gt;Let’s mull this a bit … at least one major browser manufacturer does not seem to be too disinclined to go in this direction… with a bit of squinting, today’s identity selectors could even be re-interpreted as version 1 of the more inclusive approach…&lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</content>
    <updated>2009-11-06T16:58:26Z</updated>
    <category term="Digital_Identity" />
    <category term="cardspace" />
    <category term="identity selector" />
    <category term="information card" />
    <category term="openid" />
    <author>
      <name>Johannes Ernst</name>
    </author>
    <source>
      <id>http://netmesh.info/jernst</id>
      <link href="http://netmesh.info/jernst/feed" rel="self" type="application/atom+xml" />
      <link href="http://netmesh.info/jernst" rel="alternate" type="text/html" />
      <subtitle>Digital Identity, OpenID, LID, InfoGrid, NetMesh, NoSQL</subtitle>
      <title>Johannes Ernst's Blog</title>
      <updated>2009-11-06T17:00:29Z</updated>
    </source>
  <feedburner:origLink>http://netmesh.info/jernst/digital_identity/why-we-really-dont-need-an-identity-selector</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/nickwooler/entry/google_dashboard_and_identity</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/QtS7Eux2yS8/google_dashboard_and_identity" rel="alternate" type="text/html" />
    <title>Nick Wooler - Sun: Google Dashboard and Identity Security</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;img align="right" src="http://www.google.com/logos/bert_ernie-hp.gif"&gt;&lt;/img&gt;This week Google launched a new service called &lt;a href="https://www.google.com/dashboard/"&gt;Google Dashboard&lt;/a&gt;, which can be found in the account settings in the top right-hand corner under "personal settings".  The service is a great idea for a couple of reasons.  One, it served as a reminder (at least to this user) of all the services that I had actually signed up for from Google over the years, which, given the pace of their innovation and continuous beta approach and my propensity to try new things in the technology space, was quite a few.  The second reason, and arguably the most important, was that it offered you the link to go and manage your privacy settings from the dashboard to the services you have subscribed to.  This is critical and important for those customers and users that are interested in actively managing their identity at Google. Here are the reasons why!&lt;/p&gt; &#xD;
  &lt;p&gt;&lt;img align="texttop" src="http://blogs.sun.com/nickwooler/resource/Google_Dashboard_2.jpg"&gt;&lt;/img&gt; &lt;/p&gt; &#xD;
  &lt;p&gt;In the world of Web 2.0, Mashups and Federation, businesses are constantly stitching together different applications to provide value to customers and consumers. Organizations need to give users control of their privacy settings to allow them to control what information they share, when and where, on the internet.  Most users don't mind providing the information or, more likely, are unaware of what they are sharing. This is why the Google Dashboard feature is a powerful tool for users to improve their security. The ability to access these privacy settings existed in each of the services that Google offered. However, as I mentioned above, I had forgotten about all the different services I had signed up for within Google Land. This consolidation in one spot gave me information, power and, most importantly, choice, improving my ability to make better decisions about how my identity is managed on the internet. &lt;/p&gt; &#xD;
  &lt;p&gt;&lt;img align="texttop" src="http://blogs.sun.com/nickwooler/resource/Google_Dashboard_3.jpg"&gt;&lt;/img&gt; &lt;/p&gt; &#xD;
  &lt;p&gt;&lt;a href="http://www.facebook.com"&gt;Faceboo&lt;/a&gt;k has learned this lesson and has done a lot to put the power in user's hands of controlling how applications user their &lt;img align="left" src="http://profile.ak.fbcdn.net/object3/459/16/q31987371885_1932.jpg"&gt;&lt;/img&gt;information.  I applaud what they have done to provide not only the tools but the education to users about what that privacy information actually means.  You can join the &lt;a href="http://www.facebook.com/security?v=app_7146470109"&gt;Facebook Security Fan Page&lt;/a&gt; to get updates on different steps they are taking to improve the choices users have to manage their identity data.  Another great step they have taken is also in the user experience they provide users in the pages that manage services and privacy by providing contextual help for users.  Big improvements that contribute to better user decision making.   &lt;/p&gt; &#xD;
  &lt;p&gt;Click &lt;a href="http://www.google.com/dashboard"&gt;here&lt;/a&gt; and go check out your dashboard.  &lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=QtS7Eux2yS8:ZUlnkXeHqAY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=QtS7Eux2yS8:ZUlnkXeHqAY:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=QtS7Eux2yS8:ZUlnkXeHqAY:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=QtS7Eux2yS8:ZUlnkXeHqAY:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/QtS7Eux2yS8" height="1" width="1"/&gt;</content>
    <updated>2009-11-06T16:46:17Z</updated>
    <published>2009-11-06T16:46:17Z</published>
    <category label="Personal" term="/Personal" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="security" />
    <author>
      <name>nwooler</name>
    </author>
    <source>
      <id>http://blogs.sun.com/nickwooler/feed/entries/atom</id>
      <link href="http://blogs.sun.com/nickwooler/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/nickwooler/" rel="alternate" type="text/html" />
      <subtitle>Virtual Nick Wooler</subtitle>
      <title>Virtual Nick Wooler</title>
      <updated>2009-11-06T18:20:13Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/nickwooler/entry/google_dashboard_and_identity</feedburner:origLink></entry>

  <entry>
    <id>tag:blogs.oracle.com,2009:/mwilcox//68.15426</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/SmLBNUt6sKc/upcoming_webcast_4_ways_to_opt.html" rel="alternate" type="text/html" />
    <title>Mark Wilcox - Oracle: Upcoming Webcast: 4 Ways to Optimize Your Identity Management with Virtual Directories</title>
    <summary type="html">I'll be joined by Alex Petrushko from our partner Identigral to talk about how Oracle Virtual Directory can improve your identity management implementation. Alex will be speaking about how a large telco provider used OVD to reduce time it takes...</summary>
    <content type="html" xml:lang="en">&lt;p&gt;I'll be joined by Alex Petrushko from our partner Identigral to talk about how Oracle Virtual Directory can improve your identity management implementation. Alex will be speaking about how a large telco provider used OVD to reduce time it takes to deploy new applications. &lt;/p&gt;&lt;p&gt;&lt;/p&gt; The webcast will be live at: &lt;br&gt;Nov 19, 2009 &lt;br&gt;12:00 p.m. Eastern/ 9:00 a.m. Pacific (60 minutes) &lt;p&gt;&lt;/p&gt; I believe it will also be available for replay as well. &lt;br&gt;&lt;a href="http://www.eseminarslive.com/c/a/Virtualization/Oracle111909/?partnerref=CL111909Oracle3"&gt;Register for the Webcast&lt;/a&gt;      &lt;p style="font-size: 10px;"&gt;  &lt;a href="http://posterous.com"&gt;Posted via email&lt;/a&gt;   from &lt;a href="http://mewldap.posterous.com/upcoming-webcast-4-ways-to-optimize-your-iden"&gt;Virtual Identity Dialogue&lt;/a&gt;  &lt;/p&gt;  &lt;p&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=SmLBNUt6sKc:lawA6dKg_TU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=SmLBNUt6sKc:lawA6dKg_TU:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=SmLBNUt6sKc:lawA6dKg_TU:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=SmLBNUt6sKc:lawA6dKg_TU:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/SmLBNUt6sKc" height="1" width="1"/&gt;</content>
    <updated>2009-11-06T15:35:31Z</updated>
    <published>2009-11-06T15:35:31Z</published>
    <author>
      <name>mark.wilcox</name>
    </author>
    <source>
      <id>tag:blogs.oracle.com,2009:/mwilcox//68</id>
      <link href="http://blogs.oracle.com/mwilcox/" rel="alternate" type="text/html" />
      <link href="http://blogs.oracle.com/mwilcox/xml/rss.xml" rel="self" type="application/atom+xml" />
      <title>Virtual Identity Dialogue</title>
      <updated>2009-11-06T15:35:31Z</updated>
    </source>
  <feedburner:origLink>http://blogs.oracle.com/mwilcox/2009/11/upcoming_webcast_4_ways_to_opt.html</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://bug4free.wordpress.com/?p=397</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/kfwZJP2_5Vw/" rel="alternate" type="text/html" />
    <title>Hubert Le Van Gong - Sun: Don’t Try This At Home</title>
    <summary type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;When it comes to software, I like to try all available features (even the most obscure ones) and sometimes I end up in a situation where my chances of recovery seem pretty slim. I recently managed just that by setting my OpenSSO top realm (/) to inactive…&#xD;
Why would I do such a thing, I hear you [...]&lt;/div&gt;</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;div class="snap_preview"&gt;&lt;br&gt;&lt;p&gt;When it comes to software, I like to try all available features (even the most obscure ones) and sometimes I end up in a situation where my chances of recovery seem pretty slim. I recently managed just that by setting my &lt;a href="https://opensso.dev.java.net" target="_blank" title="OpenSSO"&gt;OpenSSO&lt;/a&gt; top realm (/) to &lt;em&gt;inactive&lt;/em&gt;…&lt;br&gt;&#xD;
Why would I do such a thing, I hear you say? Well, I was trying to solve some issues related to our OpenID 2.0 extension and was experimenting with various realms, so there you have it…&lt;/p&gt;&#xD;
&lt;p&gt;The result of this great inspiration of mine is that I could no longer log in to the admin console; a tad annoying…&lt;br&gt;&#xD;
The solution (thanks to Shivaram!) is to edit the LDAP configuration tree and change the value of &lt;em&gt;ou=services,dc=opensso,dc=java,dc=net&lt;/em&gt; and set it back to active. That’s it, you’re in!&lt;/p&gt;&#xD;
&lt;p&gt;Now methinks we should change the console so as to prevent this from being possible…&lt;/p&gt;&#xD;
  &lt;a href="http://feeds.wordpress.com/1.0/gocomments/bug4free.wordpress.com/397/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/bug4free.wordpress.com/397/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.wordpress.com/1.0/godelicious/bug4free.wordpress.com/397/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/bug4free.wordpress.com/397/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.wordpress.com/1.0/gostumble/bug4free.wordpress.com/397/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/bug4free.wordpress.com/397/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.wordpress.com/1.0/godigg/bug4free.wordpress.com/397/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/bug4free.wordpress.com/397/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.wordpress.com/1.0/goreddit/bug4free.wordpress.com/397/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/bug4free.wordpress.com/397/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=bug4free.wordpress.com&amp;amp;blog=5498788&amp;amp;post=397&amp;amp;subd=bug4free&amp;amp;ref=&amp;amp;feed=1"&gt;&lt;/img&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=kfwZJP2_5Vw:remllag2Mi8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=kfwZJP2_5Vw:remllag2Mi8:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=kfwZJP2_5Vw:remllag2Mi8:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=kfwZJP2_5Vw:remllag2Mi8:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/kfwZJP2_5Vw" height="1" width="1"/&gt;</content>
    <updated>2009-11-06T14:25:33Z</updated>
    <category term="Computer science" />
    <category term="LDAP" />
    <category term="OpenSSO" />
    <category term="realm" />
    <author>
      <name>Hubert</name>
    </author>
    <source>
      <id>http://bug4free.wordpress.com</id>
      <logo>http://www.gravatar.com/blavatar/b2d7532138bd48f15b51b4690207db28?s=96&amp;d=http://s.wordpress.com/i/buttonw-com.png</logo>
      <link href="http://bug4free.wordpress.com/feed/" rel="self" type="application/atom+xml" />
      <link href="http://bug4free.wordpress.com" rel="alternate" type="text/html" />
      <title>C'est la Vie...</title>
      <updated>2009-11-10T09:02:34Z</updated>
    </source>
  <feedburner:origLink>http://bug4free.wordpress.com/2009/11/06/dont-try-this-at-home/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://bug4free.wordpress.com/?p=392</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/a0-kJkyfLEc/" rel="alternate" type="text/html" />
    <title>Hubert Le Van Gong - Sun: A Lightweight Approach</title>
    <summary type="html">The great thing about being involved in a community like OpenSSO is that you get to meet people (virtually at least) with all kinds of background and knowledge. In my last blog entry I described the standard way of deploying DSEE on Solaris (using DSCC and Java Web Console). While discussing just that on the [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;div class="snap_preview"&gt;&lt;br&gt;&lt;p&gt;The great thing about being involved in a community like &lt;a href="https://opensso.dev.java.net/" target="_blank" title="OpenSSO"&gt;OpenSSO&lt;/a&gt; is that you get to meet people (virtually at least) with all kinds of background and knowledge. In my &lt;a href="http://bug4free.wordpress.com/2009/10/23/dsee_install/" target="_blank" title="DSEE install"&gt;last blog entry&lt;/a&gt; I described the &lt;em&gt;standard&lt;/em&gt; way of deploying DSEE on Solaris (using DSCC and Java Web Console). While discussing just that on the &lt;a href="http://wikis.sun.com/display/OpenSSO/OpenSSO+IRC+Channel" target="_blank" title="OpenSSO IRC"&gt;OpenSSO IRC channel&lt;/a&gt;, &lt;em&gt;nettezzaumana&lt;/em&gt; described a DSCC-free process to install DSEE. He’s posted it as a comment to my previous entry, check it out!&lt;/p&gt;&#xD;
  &lt;a href="http://feeds.wordpress.com/1.0/gocomments/bug4free.wordpress.com/392/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/bug4free.wordpress.com/392/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.wordpress.com/1.0/godelicious/bug4free.wordpress.com/392/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/bug4free.wordpress.com/392/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.wordpress.com/1.0/gostumble/bug4free.wordpress.com/392/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/bug4free.wordpress.com/392/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.wordpress.com/1.0/godigg/bug4free.wordpress.com/392/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/bug4free.wordpress.com/392/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.wordpress.com/1.0/goreddit/bug4free.wordpress.com/392/" rel="nofollow"&gt;&lt;img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/bug4free.wordpress.com/392/"&gt;&lt;/img&gt;&lt;/a&gt; &lt;img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=bug4free.wordpress.com&amp;amp;blog=5498788&amp;amp;post=392&amp;amp;subd=bug4free&amp;amp;ref=&amp;amp;feed=1"&gt;&lt;/img&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=a0-kJkyfLEc:nsKQDOEgMws:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=a0-kJkyfLEc:nsKQDOEgMws:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=a0-kJkyfLEc:nsKQDOEgMws:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=a0-kJkyfLEc:nsKQDOEgMws:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/a0-kJkyfLEc" height="1" width="1"/&gt;</content>
    <updated>2009-11-06T14:01:15Z</updated>
    <category term="Computer science" />
    <category term="DSEE" />
    <category term="IRC" />
    <category term="OpenSSO" />
    <category term="Solaris" />
    <author>
      <name>Hubert</name>
    </author>
    <source>
      <id>http://bug4free.wordpress.com</id>
      <logo>http://www.gravatar.com/blavatar/b2d7532138bd48f15b51b4690207db28?s=96&amp;d=http://s.wordpress.com/i/buttonw-com.png</logo>
      <link href="http://bug4free.wordpress.com/feed/" rel="self" type="application/atom+xml" />
      <link href="http://bug4free.wordpress.com" rel="alternate" type="text/html" />
      <title>C'est la Vie...</title>
      <updated>2009-11-10T09:02:35Z</updated>
    </source>
  <feedburner:origLink>http://bug4free.wordpress.com/2009/11/06/dsee-lightweight-approach/</feedburner:origLink></entry>

  <entry>
    <id>tag:blogger.com,1999:blog-36930068.post-7025447593957958796</id>
    <link href="http://blog.ianyip.com/feeds/7025447593957958796/comments/default" rel="replies" type="application/atom+xml" />
    <link href="https://www.blogger.com/comment.g?blogID=36930068&amp;postID=7025447593957958796" rel="replies" type="text/html" />
    <link href="http://www.blogger.com/feeds/36930068/posts/default/7025447593957958796?v=2" rel="edit" type="application/atom+xml" />
    <link href="http://www.blogger.com/feeds/36930068/posts/default/7025447593957958796?v=2" rel="self" type="application/atom+xml" />
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/iTuzOEkvNCU/ca-dlp-headed-in-right-direction.html" rel="alternate" type="text/html" />
    <title>Ian Yip: CA DLP headed in the right direction</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;When &lt;a href="http://www.ca.com/"&gt;CA&lt;/a&gt; acquired &lt;a href="http://orchestria.com/"&gt;Orchestria&lt;/a&gt;, I &lt;a href="http://blog.ianyip.com/2009/01/ca-acquires-orchestria.html"&gt;said&lt;/a&gt; it was a good move. I even &lt;a href="http://blog.ianyip.com/2009/01/identity-and-data-security-go-hand-in.html"&gt;wrote a follow-up post&lt;/a&gt; about why Identity &amp;amp; Access Management (IAM) and Data Security/Data Leakage Prevention (DLP) fit so well together. 2 weeks ago, &lt;a href="http://www.ca.com/"&gt;CA&lt;/a&gt; sent out a &lt;a href="http://www.ca.com/us/press/release.aspx?cid=217987"&gt;fairly lengthy press release&lt;/a&gt; with a list of products they've updated. The 2 products that caught my eye were &lt;a href="http://www.ca.com/us/products/product.aspx?id=7799"&gt;GRC Manager&lt;/a&gt; 2.5 and &lt;a href="http://www.ca.com/us/data-loss-prevention.aspx"&gt;DLP&lt;/a&gt; 12.0. This post covers the DLP product.&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
I spoke with &lt;a href="http://community.ca.com/members/Gijo-Mathew.aspx"&gt;Gijo Mathew&lt;/a&gt;, Vice President of Security Management at CA about the DLP announcement to get a better understanding of CA's strategy in the longer term and clear up a few things which confused me with their press release. Here are the "new features" for DLP 12.0 which I've lifted from the release:&lt;br&gt;&#xD;
&lt;blockquote&gt;&lt;ul&gt;&lt;li&gt;Enhanced Discovery – Provides the ability to scan data locally on endpoints and to scan directly into structured ODBC databases to identify sensitive data.&lt;/li&gt;&#xD;
&lt;li&gt;Extended Endpoint Control – Leverages existing data protection policies to control of end-user activity such as moving data to writable CDs or DVDs, and taking a screen print of sensitive content.&lt;/li&gt;&#xD;
&lt;li&gt;Seamless Archive Integration – Integrates with CA Message Manager, a product in CA’s Information Governance Suite, to help deliver end-to-end message surveillance, reporting, and archiving.&lt;/li&gt;&#xD;
&lt;/ul&gt;&lt;/blockquote&gt;The first thing I should point out is that the ability to scan structured databases is a BIG plus. Many DLP vendors out there do quite a lot with either unstructured data (e.g. files on disk, data in memory) or structured data (e.g. databases), but they don't usually handle both. Orchestria fell into the "unstructured data" bucket. Now under the CA banner, they can finally support the ability to scan and classify data sitting in databases. Note however, that the ability to scan/identify/classify data and the ability to enforce controls over access to this data are completely separate things. To be able to properly enforce controls over structured data, a product would need to hook into the low level database security mechanisms. As a result, the enforcement of access controls into databases based on the content being accessed is difficult and very few vendors can actually do this at the moment (CA included).&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
While we're talking about scanning, CA also improved the way they scan for unstructured data. In previous versions, the scanning had to be performed from a central server. This is not ideal in many cases thanks to all the things that get in the way like firewall rules, security restrictions on machines, desktops not necessarily being available when required for scanning (either by being off the network or turned off) and so on. A more robust scanning strategy should support the ability to have the endpoints scan local data when required. It takes the load off the central server and allows for a more complete view of the environment from a data management standpoint. The new version of CA DLP added this capability. The negative however, is the performance hit taken by the endpoint while the scanning is being done (this is not a CA specific drawback - any endpoint scanner is going to impact performance).&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
The second point about the additional features around endpoint control (specifically regarding the mention of moving data to CDs, DVDs and controlling screen print events) really confused me. The examples given are supported by just about every single endpoint DLP vendor out there. I was shocked that Orchestria didn't have these capabilities. Alas, this was not the case. Gijo mentioned that they merely enhanced the capabilities around the CA DLP endpoint component and that these were some examples they picked out. The point CA were trying to make was around the fact that they still do the core DLP things expected of any DLP product worth implementing. Apparently after the previous release of DLP, many assumed they were no longer focusing on the core DLP capabilities and going down the "identity aware DLP" road. This is definitely not the case according to Gijo.&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
While the points mentioned in the press release are interesting in that they show CA are serious about core DLP capabilities, what impressed me most was the longer term vision CA has for the product. In fact, it is this longer term vision that had some accusing CA of neglecting their core DLP capabilities in the previous release.&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
CA are fortunate in that the natural evolution of products in the DLP space fits nicely with their need to work at integrating DLP with their portfolio of products. It makes product management decisions slightly easier for them instead of having to spend a lot of time trying to balance the need for additional features with being able to sell a cohesive suite of solutions (which is commonly the problem with acquisitions). In other words, adding integration points provides CA DLP with additional capabilities that make sense for most of the other products involved as well. For example:&lt;br&gt;&#xD;
&lt;ul&gt;&lt;li&gt;The ability to add context to access control is a very powerful thing. Context is very much about information, with data at its core (although it's not everything, because data alone does not tell us what a user is actually doing). What I'm referring to is commonly labelled as content aware access management. A common use case here typically involves integration of access control decisions by a web access management component (&lt;a href="http://www.ca.com/us/internet-access-control.aspx"&gt;Siteminder&lt;/a&gt; in CA's case) with data aware mechanisms provided by a data security solution (CA DLP in CA's case). The web access management product can either make decisions based on static tags on the information/resource being accessed or dynamic analysis made in real time by the data aware component (e.g. this data looks like a bunch of credit card numbers so we should not be giving the user access).&lt;br&gt;&#xD;
&lt;/li&gt;&#xD;
&lt;li&gt;The analysis of data usage patterns across different environments allows for additional smarts when trying to manage risk, especially in cases where patterns are outside the norm of a user's peers. The trick here is being able to turn the data gathered into information to feed back to a GRC (Governance, Risk &amp;amp; Compliance) solution or SIEM (Security Information and Event Management) dashboard. Otherwise, you could just point any old reporting engine at the data and achieve the same result (which is far from what one would call proper integration).&lt;br&gt;&#xD;
&lt;/li&gt;&#xD;
&lt;li&gt;Access and data governance are typically silos in organisations today. If you're able to tie the two together, the management overhead is reduced significantly. That's why it's a big deal if an organisation is able to get a single view of both from a management standpoint. This is not to say it cannot be done today. The key point I'm making here is that it's just really hard to do. If a vendor makes it that much easier to achieve, it saves time and money.  &lt;/li&gt;&#xD;
&lt;li&gt;Improving the lifecycle activities around enterprise information and content management by using the data discovery and classification capabilities to provide additional context to the relevant processes.&lt;br&gt;&#xD;
&lt;/li&gt;&#xD;
&lt;/ul&gt;I'll leave it as an exercise for the reader to figure out which CA product/s to slot into each example. The point is, they have something in their product stack to integrate with DLP in each example. What these illustrate however, is the direction CA are headed in with regards to the DLP strategy (even though some of it is a little high level).&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
Gijo was honest in acknowledging they don't have a lot of the things they want out of the box just yet. At this stage, many of the things I've mentioned (in terms of product strategy) will require a good amount of services work. I'm not going to criticise them for this as they only acquired Orchestria earlier this year and it's unrealistic to expect all the required integration to be built out so quickly, especially with a whole suite of products like CA's. What I do like a lot, is where they're going.&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
CA's strategy is good. They're on a journey and their DLP product is the jewel in their security suite from a competitive standpoint (against the other big IAM vendors). They also stack up well against their competitors in the data security space; in this case the advantage comes in the form of their IAM suite (and to a certain extent, their ever improving GRC prowess), which other data security vendors do not have. Those familiar with the security space might notice I haven't made any mention of the fact that &lt;a href="http://www.rsa.com/"&gt;RSA&lt;/a&gt; also have both IAM and DLP capabilities. Don't forget however, that it's a bit of a stretch to call RSA's IAM capabilities a suite (e.g. they don't do provisioning). They also have no real GRC capabilities to speak of (their &lt;a href="http://www.rsa.com/node.aspx?id=2428"&gt;GRC page&lt;/a&gt; is a bit of a joke).&lt;br&gt;&#xD;
&lt;br&gt;&#xD;
As long as CA don't neglect the core data security capabilities in DLP along the way, they're going to do just fine.&lt;/div&gt;</content>
    <updated>2009-11-06T13:34:08Z</updated>
    <published>2009-11-06T13:33:00Z</published>
    <category scheme="http://www.blogger.com/atom/ns#" term="CA" />
    <category scheme="http://www.blogger.com/atom/ns#" term="data leakage" />
    <category scheme="http://www.blogger.com/atom/ns#" term="data security" />
    <category scheme="http://www.blogger.com/atom/ns#" term="gijo mathew" /><feedburner:origlink>http://blog.ianyip.com/2009/11/ca-dlp-headed-in-right-direction.html</feedburner:origlink>
    <author>
      <name>Ian Yip</name>
      <email>noreply@blogger.com</email>
      <uri>http://www.blogger.com/profile/07620054411151781462</uri>
    </author>
    <source>
      <id>tag:blogger.com,1999:blog-36930068</id>
      <author>
        <name>Ian Yip</name>
        <email>noreply@blogger.com</email>
        <uri>http://www.blogger.com/profile/07620054411151781462</uri>
      </author>
      <link href="http://blog.ianyip.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" />
      <link href="http://blog.ianyip.com/" rel="alternate" type="text/html" />
      <link href="http://pubsubhubbub.appspot.com/" rel="hub" type="text/html" />
      <link href="http://www.blogger.com/feeds/36930068/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" rel="next" type="application/atom+xml" />
      <link href="http://feeds.feedburner.com/ianyipblog" rel="self" type="application/atom+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <title>Ian Yip's Security and Identity Thought Stream</title>
      <updated>2009-11-06T13:34:08Z</updated>
    </source>
  <feedburner:origLink>http://feedproxy.google.com/~r/ianyipblog/~3/P5BiNTL4ycQ/ca-dlp-headed-in-right-direction.html</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://www.links.org/?p=786</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/192FfHEw_tc/" rel="alternate" type="text/html" />
    <title>Ben Laurie - Apache / The Bunker: SSL MitM Attack, Part 2</title>
    <summary type="html">A lot can happen in a day. Yesterday the news broke that SSL was compromised. We immediately (OK, it took about 10 hours) released a new version of OpenSSL, 0.9.8l, which mitigates the problem by completely disabling renegotiation. Obviously this will break some sites, and so is not a full fix, so the next step [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;A lot can happen in a day. Yesterday &lt;a href="http://www.links.org/?p=780"&gt;the news broke that SSL was compromised&lt;/a&gt;. We immediately (OK, it took about 10 hours) released a new version of OpenSSL, &lt;a href="http://openssl.org/source/openssl-0.9.8l.tar.gz"&gt;0.9.8l&lt;/a&gt;, which mitigates the problem by completely disabling renegotiation. Obviously this will break some sites, and so is not a full fix, so the next step is to implement &lt;a href="https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt"&gt;Eric Rescorla’s TLS extension&lt;/a&gt;. However, before I get on with that, it seems I have a few questions to answer.&lt;/p&gt;&#xD;
&lt;p&gt;Firstly, I must thank the anonymous poster who said “OpenSSL is written by monkeys”. But dude, you should’ve included &lt;a href="http://www.peereboom.us/assl/html/openssl.html"&gt;the link&lt;/a&gt;. I’ve been meaning to link to that for ages. Well, days.&lt;/p&gt;&#xD;
&lt;p&gt;Secondly, as &lt;a href="http://www.links.org/?p=780#comment-336604"&gt;Marsh said&lt;/a&gt;, there is a better answer for people who need renegotiation. This is the extension mentioned above. It won’t work unless clients also implement that, but we are working on that, too (and clearly any client that uses OpenSSL will get it for free as soon as I get the next version out).&lt;/p&gt;&#xD;
&lt;p&gt;To the bloke who asked about ISA and OWA: I have no idea what either of those are.&lt;/p&gt;&#xD;
&lt;p&gt;Does this affect SGC (Server-Gated Cryptography)? I don’t actually know. I think it does, because I think SGC uses renegotiation, but I am not sure. If anyone knows, comment!&lt;/p&gt;&#xD;
&lt;p&gt;To the “but this is just XSRF” (Cross-site request forgery) guy:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;XSRF does not give the attacker control over headers.&lt;/li&gt;&#xD;
&lt;li&gt;Your attack didn’t work on me: I didn’t click the link.&lt;/li&gt;&#xD;
&lt;li&gt;HTTP is not the only protocol that uses SSL.&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;Though the fact that this attack doesn’t actually make HTTP much worse is a pretty damning indictment of HTTP (and HTML)!&lt;/p&gt;&#xD;
&lt;p&gt;Will this patch break session resumption? No – and nor will the 0.9.8l release, which does the same thing more elaborately and correctly.&lt;/p&gt;&#xD;
&lt;p&gt;Finally, even once we’ve implemented the extension it seems to me this is not really the true fix – really applications should be aware of renegotiations and not carry trust across their boundaries. But more on that later, I’ve got code to write.&lt;/p&gt;&#xD;
&lt;p class="akst_link"&gt;&lt;a class="akst_share_link" href="http://www.links.org/?p=786&amp;amp;akst_action=share-this" id="akst_link_786" rel="nofollow" title="E-mail this, post to del.icio.us, etc."&gt;Share This&lt;/a&gt;&#xD;
&lt;/p&gt;&lt;img height="1" src="http://feeds.feedburner.com/~r/links/ZvUZ/~4/02kIIhnFaCA" width="1"&gt;&lt;/img&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=192FfHEw_tc:02kIIhnFaCA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=192FfHEw_tc:02kIIhnFaCA:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=192FfHEw_tc:02kIIhnFaCA:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=192FfHEw_tc:02kIIhnFaCA:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/192FfHEw_tc" height="1" width="1"/&gt;</content>
    <updated>2009-11-06T11:46:18Z</updated>
    <category term="Crypto" />
    <category term="Security" /><feedburner:origlink>http://www.links.org/?p=786</feedburner:origlink>
    <author>
      <name>Ben</name>
    </author>
    <source>
      <id>http://www.links.org</id>
      <link href="http://www.links.org" rel="alternate" type="text/html" />
      <link href="http://feeds.feedburner.com/links/ZvUZ" rel="self" type="application/atom+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <subtitle>Ben Laurie blathering</subtitle>
      <title>Links</title>
      <updated>2009-11-10T11:32:28Z</updated>
    </source>
  <feedburner:origLink>http://feedproxy.google.com/~r/links/ZvUZ/~3/02kIIhnFaCA/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://identitynetworks.wordpress.com/?p=230</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/zwvw2xZc1p0/" rel="alternate" type="text/html" />
    <title>Ingrid Melve - Feide/UNINETT: House RFID tag privacy?</title>
    <summary type="html">My house was tagged with a little RFID tag yesterday.  It sits quietly inside the door jamb, under a sticker with the logo of the cleaning company.   When I got the CTO job, a condition from the family was to get cleaning help, and we got a company to come and clean the house.  They [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;div class="snap_preview"&gt;&lt;br&gt;&lt;p&gt;My house was tagged with a little RFID tag yesterday.  It sits quietly inside the door jamb, under a sticker with the logo of the cleaning company.   When I got the CTO job, a condition from the family was to get cleaning help, and we got a company to come and clean the house.  They do a good job, and they work hard.&lt;/p&gt;&#xD;
&lt;p&gt;I suspect that the reason for the tag is to be able to change our bill if the cleaning of our house consistently runs over time, and to keep track of employees who slack off compared to others.  The latter is related to privacy, the first is economics.&lt;/p&gt;&#xD;
&lt;p&gt;The company sent us a letter two weeks before the sticker was applied.  The main topic of the letter was informing us about the sticker, since it sticks to stuff in our house and they would like us not to remove it by accident.  The main text was about how this RFID was not in any way an invasion of our privacy, and that it had been cleared with the Data Inspectorate.&lt;/p&gt;&#xD;
&lt;p&gt;On one hand, this was encouraging, since privacy obviously was a major topic that needed more text than the simple fact of redecorating our entrance hall.  On the other hand this was discouraging as the privacy invasion is on the part of the company employees who will now be monitored on how much time they use in each house, and this was not the focus.&lt;/p&gt;&#xD;
&lt;/div&gt;&lt;/div&gt;</content>
    <updated>2009-11-06T10:54:50Z</updated>
    <category term="Curiosa" />
    <category term="privacy" />
    <author>
      <name>identitynetworks</name>
    </author>
    <source>
      <id>http://identitynetworks.wordpress.com</id>
      <logo>http://www.gravatar.com/blavatar/35b78bf6130e39c69de7192941eb86c5?s=96&amp;d=http://s.wordpress.com/i/buttonw-com.png</logo>
      <link href="http://identitynetworks.wordpress.com/feed/" rel="self" type="application/atom+xml" />
      <link href="http://identitynetworks.wordpress.com" rel="alternate" type="text/html" />
      <subtitle>Identity networks and federations, authentication and security in a changing world</subtitle>
      <title>Identity Networks</title>
      <updated>2009-11-10T11:32:04Z</updated>
    </source>
  <feedburner:origLink>http://identitynetworks.wordpress.com/2009/11/06/house-rfid-tag-privacy/</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/rocknrole/entry/idm09_conference_london</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/nQ1Eg_099MA/idm09_conference_london" rel="alternate" type="text/html" />
    <title>Simon Moffatt - Sun: IDM09 Conference London</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;At the start of the week I attended the &lt;a href="http://www.idm2009.co.uk/index.html"&gt;IDM09 Conference&lt;/a&gt; in the Docklands in London.  This relatively new one day event was host to several key security, identity and access control vendors and partners as well as delegates from the private and public sector.  Most delegates held positions in leadership, architecture or implementation positions related to security or audit.&lt;/p&gt; &#xD;
  &lt;p&gt;The attendance was fair considering the time of year and the ongoing economic uncertainty and credit issues facing many finance related organisations - the very companies that most security solutions are aimed at.  The vendor sponsorship list contained the standard big name players including Sun and Oracle as well as developing vendors such as Aveksa, Courion and the Benelux based Bhold.  The consultancy partner and SI space was also well attended with the likes of DNS, Infinitum and Oxford Computer Group sponsoring and presenting.&lt;/p&gt; &#xD;
  &lt;p&gt;&lt;img src="http://blogs.sun.com/rocknrole/resource/idm2009_header.jpg"&gt;&lt;/img&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;Due to the event being only the single day the agenda was quite compact with the idea of 15 minute bullet style presentations, case studies and vendor pitches spread throughout the day.  The case studies were mainly SSO based with some touching on the provisioning arena, covering the implementation and project deliverable cycle.  An increasing focus was on the governance and compliance aspect of access control, be it from a provisioning perspective or from an audit and reporting perspective.  Sun's SRM tool is one of the industry's leading compliance, certification and identity cleanup tools and many of the techniques and methodologies used by Sun are now being adopted by the industry and other vendors as a means to clean up identity data either before or during a provisioning project.&lt;br&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;Conversations were again placed on Microsoft and their small scale attempts to enter the full identity lifecycle and provisioning landscape with their ILM tooling.  Many of the features discussed - like a UI for management or workflow design - were new to Microsoft and again tend to focus on non-heterogeneous landscapes.  Many were discussing the use of AD as a central repository for authN across legacy and *nix based applications.  Whilst this is a great idea in principle - reduction of silo'd LDAP repo's, easier provisioning/deprovisioning, centralised identity information and so on - the main question was still around authZ.  Unless an application is being designed from scratch, existing deployments will need to have considerable remodelling with regards to internal access control in order to use AD as an authZ store.  The discussions will continue no doubt due to the omnipresent nature of Microsoft in the desktop and directory landscape.&lt;/p&gt;   &#xD;
  &lt;p&gt;One of the other areas I took note of, was the discussions surrounding the &lt;a href="http://kantarainitiative.org/"&gt;Kantara Initiative&lt;/a&gt;.  The relatively new organization is to focus on "Bridging and harmonizing the identity community with actions that will help ensure secure, identity-based, online interactions while preventing misuse of personal information so that networks will become privacy protecting and more natively trustworthy environments".&lt;br&gt;&lt;/p&gt;  &#xD;
  &lt;p&gt;&lt;span class="body"&gt;&lt;span style="line-height: 13px;"&gt;An interesting presentation by ex-Sun employee Robin Wilton on the focus and benefits of the initiative gives food for thought.  Like most cross vendor forums however, the most notable vendors tend to be the ones not involved.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;Overall the event was a worthwhile addition to the identity calendar.&lt;br&gt;&lt;/p&gt; &#xD;
  &lt;/div&gt;</content>
    <updated>2009-11-06T10:29:18Z</updated>
    <published>2009-11-06T10:23:57Z</published>
    <category label="Identity Compliance" term="/Identity Compliance" />
    <category scheme="http://roller.apache.org/ns/tags/" term="conference" />
    <category scheme="http://roller.apache.org/ns/tags/" term="idm09" />
    <category scheme="http://roller.apache.org/ns/tags/" term="kantara" />
    <category scheme="http://roller.apache.org/ns/tags/" term="microsoft" />
    <category scheme="http://roller.apache.org/ns/tags/" term="security" />
    <category scheme="http://roller.apache.org/ns/tags/" term="sso" />
    <author>
      <name>Simon Moffatt</name>
    </author>
    <source>
      <id>http://blogs.sun.com/rocknrole/feed/entries/atom</id>
      <link href="http://blogs.sun.com/rocknrole/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/rocknrole/" rel="alternate" type="text/html" />
      <subtitle>RBAC musings...</subtitle>
      <title>RocknRole</title>
      <updated>2009-11-06T10:29:18Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/rocknrole/entry/idm09_conference_london</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://access.jiscinvolve.org/and-the-catalyst-award-for/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/D7iYJ6WyQqo/" rel="alternate" type="text/html" />
    <title>JISC Access Management Team: and the Catalyst Award for</title>
    <summary type="html">being a Federation catalyst goes to Nicole Harris (and I2 and SWITCH).
The award really shows how far access management has come, with parts of the UK experience considered so embedded that they have become informative history as Norman Wiseman's excellent presentation at Educause demonstrates.</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;em&gt;being a &lt;a href="http://tinyurl.com/y93wg9e"&gt;Federation catalyst&lt;/a&gt;&lt;/em&gt; goes to Nicole Harris (and I2 and SWITCH).&lt;/p&gt;&#xD;
&lt;p&gt;The award really shows how far access management has come, with parts of the UK experience considered so embedded that they have become informative history as Norman Wiseman's excellent &lt;a href="http://www.educause.edu/E09+Hybrid/EDUCAUSE2009FacetoFaceConferen/LessonsfromtheUnitedKingdomsEx/175760"&gt;presentation&lt;/a&gt; at Educause demonstrates.&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-06T09:53:24Z</updated>
    <category term="Authentication" />
    <author>
      <name>markwilliams</name>
    </author>
    <source>
      <id>http://access.jiscinvolve.org</id>
      <link href="http://access.jiscinvolve.org" rel="alternate" type="text/html" />
      <link href="http://access.jiscinvolve.org/feed/" rel="self" type="application/rss+xml" />
      <subtitle>moving towards federated access management</subtitle>
      <title>JISC Access Management Team</title>
      <updated>2009-11-06T09:53:24Z</updated>
    </source>
  <feedburner:origLink>http://access.jiscinvolve.org/and-the-catalyst-award-for/</feedburner:origLink></entry>

  <entry xml:lang="en-US">
    <id>http://blogs.msdn.com/vbertocci/archive/2009/11/05/the-new-acs-is-live-if-you-do-http-you-can-play-the-game.aspx</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/ZUjz8dyD1Ow/the-new-acs-is-live-if-you-do-http-you-can-play-the-game.aspx" rel="alternate" type="text/html" />
    <title xml:lang="en-US">Vittorio Bertocci - Microsoft: The New ACS is Live: if you do HTTP, you can play the Game</title>
    <content type="html" xml:lang="en-US">&lt;p&gt;Today the &lt;a href="http://blogs.msdn.com/netservices/"&gt;.NET Services team&lt;/a&gt; released the first &lt;a href="https://netservices.azure.com/"&gt;CTP&lt;/a&gt; that reflects the &lt;a href="http://blogs.msdn.com/netservices/archive/2009/09/18/update-on-the-next-microsoft-net-services-ctp.aspx"&gt;changes announced back in September&lt;/a&gt;: you can read about it in their &lt;a href="http://blogs.msdn.com/netservices/archive/2009/11/05/microsoft-net-services-november-ctp-release.aspx"&gt;team blog&lt;/a&gt; and in &lt;a href="http://blogs.msdn.com/justinjsmith/archive/2009/11/05/access-control-service-m7-released-today.aspx"&gt;Justin’s blog&lt;/a&gt; and experiment with the service &lt;a href="https://netservices.azure.com/"&gt;here&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;You know, it’s kind of a big deal! The power of the claims-based approach is now within reach for REST developers and a surprisingly wide array of platforms and devices: all it takes for taking advantage of the service is being able to use http and perform super-simple crypto (did I just say an oxymoron or what? Come on, you know what I mean :-)). 
Substantially, many of the diagrams you have seen me drawing in the last 4 years remain pretty much unchanged: the difference is mainly in the kind of tokens exchanged (a minimalist bearer that plays fair with the space limitations in HTTPland) and in the protocol used.&lt;/p&gt;  &lt;p&gt;The protocol ACS uses is WRAP, or Web Resource Authorization Protocol; in fact I should probably call it OAUTH WRAP, given what is mentioned on the &lt;a href="http://groups.google.com/group/WRAP-WG"&gt;WRAP discussion group home page&lt;/a&gt;… which is now moved to &lt;a href="http://groups.google.com/group/oauth-wrap-wg" title="http://groups.google.com/group/oauth-wrap-wg"&gt;http://groups.google.com/group/oauth-wrap-wg&lt;/a&gt;. OAUTH WRAP has a companion token, the Simple Web Token or SWT, whose spec can be found &lt;a href="http://oauth-wrap-wg.googlegroups.com/web/SWT-v0.9.5.1.pdf?gda=GWA24kMAAABFB7PFAFiVedPtjcqT8uuISHXb61-IecwhRFY0f1mRb9F2tzlQ33RhT1wW8BFYO1QytiJ-HdGYYcPi_09pl8N7FWLveOaWjzbYnpnkpmxcWg"&gt;here&lt;/a&gt;. Take the time to leaf through them: you’ll be surprised by how simple &amp;amp; straightforward they are.&lt;/p&gt;  &lt;p&gt;I am itching to pick the pen and start scribbling on my tablet some schema for you, but I’ll resist the temptation: we are working on some content for helping you to explore the new possibilities that the service offers, and it will be available to you very soon. In the meanwhile, you can play with the samples in the &lt;a href="https://netservices.azure.com/"&gt;SDK&lt;/a&gt;: and of course, don’t forget to add &lt;a href="http://microsoftpdc.com/Sessions/SVC19"&gt;Justin’s session&lt;/a&gt; in your &lt;a href="http://microsoftpdc.com"&gt;PDC09 agenda&lt;/a&gt;!&lt;/p&gt;</content>
    <updated>2009-11-06T07:56:32Z</updated>
    <published>2009-11-06T07:56:32Z</published>
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Identity/default.aspx" term="Identity" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/PDC/default.aspx" term="PDC" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/.NET+Services/default.aspx" term=".NET Services" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/.NET+Access+Control/default.aspx" term=".NET Access Control" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/Azure+Services/default.aspx" term="Azure Services" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/PDC09/default.aspx" term="PDC09" />
    <category scheme="http://blogs.msdn.com/vbertocci/archive/tags/PDC2009/default.aspx" term="PDC2009" />
    <author>
      <name>vibro</name>
      <uri>http://blogs.msdn.com/members/vibro.aspx</uri>
    </author>
    <source>
      <id>http://blogs.msdn.com/vbertocci/atom.xml</id>
      <link href="http://blogs.msdn.com/vbertocci/default.aspx" rel="alternate" type="text/html" />
      <link href="http://blogs.msdn.com/vbertocci/atom.xml" rel="self" type="application/atom+xml" />
      <subtitle xml:lang="en-US">Scatter thoughts</subtitle>
      <title xml:lang="en-US">Vibro.NET</title>
      <updated>2009-08-04T16:51:05Z</updated>
    </source>
  <feedburner:origLink>http://blogs.msdn.com/vbertocci/archive/2009/11/05/the-new-acs-is-live-if-you-do-http-you-can-play-the-game.aspx</feedburner:origLink></entry>

  <entry>
    <id>tag:blogs.oracle.com,2009:/mwilcox//68.15411</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/1WsCxSf36M0/has_facebook_connect_trumped_t.html" rel="alternate" type="text/html" />
    <title>Mark Wilcox - Oracle: Has Facebook Connect Trumped Them All?</title>
    <summary type="html">I wasn't able to make it to Internet Identity Workshop this week because I would like to know the thoughts on Facebook Connect. It appears that more and more sites are now allowing you to use your Facebook account to...</summary>
    <content type="html" xml:lang="en">&lt;p&gt;I wasn't able to make it to Internet Identity Workshop this week because I would like to know the thoughts on Facebook Connect. It appears that more and more sites are now allowing you to use your Facebook account to authenticate you. &lt;/p&gt;&lt;p&gt;&lt;/p&gt; The experience in my opinion may make this Facebook's killer app (though my wife's obsession with Cafe World, makes me wish I had paid more attention to Flash development back when it first emerged). &lt;p&gt;&lt;/p&gt; The reason is that - I simply clicked on the Facebook icon on the site I was accessing. And because I happened to be logged into Facebook at the time - I I was granted access. If you are not logged in, you are presented with the familiar Facebook login in a screen. And it then connects you - NO REDIRECTS. &lt;p&gt;&lt;/p&gt; I fell out of my chair. I didn't think that would be possible. But yet, there it was. &lt;p&gt;&lt;/p&gt; And of course the Connect process is potentially prone to phishing attacks but we've been dealing with those for a long time now. So even if you were a bank and wanted to use Facebook Connect -if you combined it with an anti-fraud solution like Oracle Adaptive Access Manager including potential secondary pin (so you would have 2-factor authentication without needing to manage millions of additional passwords) - it's not any less secure than current systems. &lt;p&gt;&lt;/p&gt; I'm not sure of the technology behind it. And I know that the bulk of my friends on Facebook - wouldn't care. And if I was running a consumer-facing business that needed authentication for whatever reason - I would strongly consider rolling the dice on just supporting Facebook Connect backed up with traditional local accounts. And tell the other big-guns out there - if you want to play in my space - you have to give me an experience like Facebook Connect.      
&lt;p style="font-size: 10px;"&gt;  &lt;a href="http://posterous.com"&gt;Posted via email&lt;/a&gt;   from &lt;a href="http://mewldap.posterous.com/has-facebook-connect-trumped-them-all"&gt;Virtual Identity Dialogue&lt;/a&gt;  &lt;/p&gt;  &lt;p&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=1WsCxSf36M0:H4oZ3bB_Khs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=1WsCxSf36M0:H4oZ3bB_Khs:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=1WsCxSf36M0:H4oZ3bB_Khs:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=1WsCxSf36M0:H4oZ3bB_Khs:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/1WsCxSf36M0" height="1" width="1"/&gt;</content>
    <updated>2009-11-06T04:04:00Z</updated>
    <published>2009-11-06T04:04:00Z</published>
    <author>
      <name>mark.wilcox</name>
    </author>
    <source>
      <id>tag:blogs.oracle.com,2009:/mwilcox//68</id>
      <link href="http://blogs.oracle.com/mwilcox/" rel="alternate" type="text/html" />
      <link href="http://blogs.oracle.com/mwilcox/xml/rss.xml" rel="self" type="application/atom+xml" />
      <title>Virtual Identity Dialogue</title>
      <updated>2009-11-06T15:35:31Z</updated>
    </source>
  <feedburner:origLink>http://blogs.oracle.com/mwilcox/2009/11/has_facebook_connect_trumped_t.html</feedburner:origLink></entry>

  <entry>
    <id>tag:blogs.oracle.com,2009:/mwilcox//68.15404</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/zIowfN48Jrw/one_more_autopost_test.html" rel="alternate" type="text/html" />
    <title>Mark Wilcox - Oracle: One more autopost test</title>
    <summary type="html">I'm trying out http://www.posterous.com which is a nifty new service I found out about via This Week In Startups. Basically it radically simplifies blogging. You send an email to post@posterous.com and bingo you have a blog. No preregistration is necessary. In...</summary>
    <content type="html" xml:lang="en">&lt;p&gt;I'm trying out &lt;a href="http://www.posterous.com"&gt;http://www.posterous.com&lt;/a&gt; which is a nifty new service I found about via This Week In Startups. Basically it radically simplifies blogging. You send an email to &lt;a href="mailto:post@posterous.com"&gt;post@posterous.com&lt;/a&gt; and bingo you have a blog. No preregistration is necessary. In fact if you don't need to edit your blog - you never ever log into anything. &lt;/p&gt;&lt;p&gt;&lt;/p&gt; Plus it will post anything - blogs, photos, video, audio (the latter as attachments). And it supports autoposting which hopefully will make it easier for me to post more frequently. It also means duplicate blogging but that's ok - because it means I can have an IDM blog that is hosted on Oracle and one that is not in case I need the latter in the future. &lt;p&gt;&lt;/p&gt; ((tag: marktest))      &lt;p style="font-size: 10px;"&gt;  &lt;a href="http://posterous.com"&gt;Posted via email&lt;/a&gt;   from &lt;a href="http://mewldap.posterous.com/one-more-autopost-test"&gt;Virtual Identity Dialogue&lt;/a&gt;  &lt;/p&gt;  &lt;p&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=zIowfN48Jrw:XmXpi16Tq20:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=zIowfN48Jrw:XmXpi16Tq20:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=zIowfN48Jrw:XmXpi16Tq20:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=zIowfN48Jrw:XmXpi16Tq20:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/zIowfN48Jrw" height="1" width="1"/&gt;</content>
    <updated>2009-11-06T00:34:10Z</updated>
    <published>2009-11-06T00:34:10Z</published>
    <author>
      <name>mark.wilcox</name>
    </author>
    <source>
      <id>tag:blogs.oracle.com,2009:/mwilcox//68</id>
      <link href="http://blogs.oracle.com/mwilcox/" rel="alternate" type="text/html" />
      <link href="http://blogs.oracle.com/mwilcox/xml/rss.xml" rel="self" type="application/atom+xml" />
      <title>Virtual Identity Dialogue</title>
      <updated>2009-11-06T15:35:31Z</updated>
    </source>
  <feedburner:origLink>http://blogs.oracle.com/mwilcox/2009/11/one_more_autopost_test.html</feedburner:origLink></entry>

  <entry>
    <id>tag:blogs.oracle.com,2009:/mwilcox//68.15402</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/CCNPCHRuOps/test_autopost.html" rel="alternate" type="text/html" />
    <title>Mark Wilcox - Oracle: Test autopost</title>
    <summary type="html">I'm testing new blog update software. Sent from my iPhone Posted via email from Virtual Identity Dialogue...</summary>
    <content type="html" xml:lang="en">&lt;p&gt;I'm testing new blog update software. &lt;/p&gt;&lt;p&gt;&lt;/p&gt; Sent from my iPhone      &lt;p style="font-size: 10px;"&gt;  &lt;a href="http://posterous.com"&gt;Posted via email&lt;/a&gt;   from &lt;a href="http://mewldap.posterous.com/test-autopost-24"&gt;Virtual Identity Dialogue&lt;/a&gt;  &lt;/p&gt;  &lt;p&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=CCNPCHRuOps:yFnIJ4bcrno:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=CCNPCHRuOps:yFnIJ4bcrno:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=CCNPCHRuOps:yFnIJ4bcrno:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=CCNPCHRuOps:yFnIJ4bcrno:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/CCNPCHRuOps" height="1" width="1"/&gt;</content>
    <updated>2009-11-06T00:22:47Z</updated>
    <published>2009-11-06T00:22:47Z</published>
    <author>
      <name>mark.wilcox</name>
    </author>
    <source>
      <id>tag:blogs.oracle.com,2009:/mwilcox//68</id>
      <link href="http://blogs.oracle.com/mwilcox/" rel="alternate" type="text/html" />
      <link href="http://blogs.oracle.com/mwilcox/xml/rss.xml" rel="self" type="application/atom+xml" />
      <title>Virtual Identity Dialogue</title>
      <updated>2009-11-06T15:35:31Z</updated>
    </source>
  <feedburner:origLink>http://blogs.oracle.com/mwilcox/2009/11/test_autopost.html</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/identity/entry/identity_management_trends_and_predictions1</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/FsBoiLFAaaI/identity_management_trends_and_predictions1" rel="alternate" type="text/html" />
    <title>Mark Dixon - Sun: Identity Management Trends and Predictions: Index</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_management_trends_and_predictions"&gt;&lt;img align="right" src="http://blogs.sun.com/identity/resource/WindowsLiveWriter_IdentityManagementTrendsandPredictions_DFDA_crystalball_3.jpg" style="margin: 5px 0px 5px 10px; display: inline;"&gt;&lt;/img&gt;&lt;/a&gt; Over the past several weeks, I have posted a series of articles about Identity Management Trends and predictions.  This brief post provides an index to that series of posts.&lt;/p&gt; &#xD;
  &lt;p&gt;Overview article: &lt;a href="http://blogs.sun.com/identity/entry/identity_management_trends_and_predictions" target="_blank"&gt;Identity Management Trends and Predictions&lt;/a&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;Individual articles:&lt;/p&gt; &#xD;
  &lt;ol&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_1_market_maturity"&gt;Market Maturity&lt;/a&gt;&lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_2_authentication"&gt;Authentication&lt;/a&gt;&lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_3_authorization"&gt;Authorization&lt;/a&gt; &lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_4_identity_assurance"&gt;Identity Assurance&lt;/a&gt;&lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_5_roles_and"&gt;Roles and Attributes&lt;/a&gt;&lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_6_identity_federation"&gt;Identity Federation&lt;/a&gt; &lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_7_regulation_and"&gt;Regulation and Compliance&lt;/a&gt;&lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_8_personalization_and"&gt;Personalization and Context&lt;/a&gt;&lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_9_identity_analytics"&gt;Identity Analytics&lt;/a&gt;&lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_10_internet_identity"&gt;Internet Identity&lt;/a&gt; &lt;/li&gt; &#xD;
    &lt;li&gt;&lt;a href="http://blogs.sun.com/identity/entry/identity_trend_11_identity_in"&gt;Identity in the Cloud&lt;/a&gt;&lt;/li&gt; &#xD;
  &lt;/ol&gt; &#xD;
  &lt;p&gt;Thanks for joining me in this little exploration.  Any feedback you might have would be most welcome.&lt;/p&gt; &#xD;
  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:efe8ec16-f377-4d39-b75c-1c40bb6faead" style="margin: 0px; padding: 0px; display: inline; float: none;"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Identity" rel="tag"&gt;Identity&lt;/a&gt;, &lt;a href="http://technorati.com/tags/IdentityManagement" rel="tag"&gt;IdentityManagement&lt;/a&gt;, &lt;a href="http://technorati.com/tags/DigitalIdentity" rel="tag"&gt;DigitalIdentity&lt;/a&gt;, &lt;a href="http://technorati.com/tags/IdentityTrends" rel="tag"&gt;IdentityTrends&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=FsBoiLFAaaI:scHVP63sSqs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=FsBoiLFAaaI:scHVP63sSqs:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=FsBoiLFAaaI:scHVP63sSqs:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=FsBoiLFAaaI:scHVP63sSqs:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/FsBoiLFAaaI" height="1" width="1"/&gt;</content>
    <updated>2009-11-05T22:16:06Z</updated>
    <published>2009-11-05T22:13:59Z</published>
    <category label="Identity" term="/Identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="digitalidentity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identitymanagement" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identitytrends" />
    <author>
      <name>identity</name>
    </author>
    <source>
      <id>http://blogs.sun.com/identity/feed/entries/atom</id>
      <link href="http://blogs.sun.com/identity/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/identity/" rel="alternate" type="text/html" />
      <subtitle>Mark Dixon's quest to explore the world of  Identity Management</subtitle>
      <title>Discovering Identity</title>
      <updated>2009-11-10T11:09:28Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/identity/entry/identity_management_trends_and_predictions1</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/identity/entry/identity_trend_11_identity_in</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/7HKFpKsb4Oc/identity_trend_11_identity_in" rel="alternate" type="text/html" />
    <title>Mark Dixon - Sun: Identity Trend 11: Identity in the Cloud</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;This post is the last in a series of eleven posts I have written about &lt;a href="http://blogs.sun.com/identity/entry/identity_management_trends_and_predictions" target="_blank"&gt;trends&lt;/a&gt; in the Identity Management industry.  &lt;/p&gt; &#xD;
  &lt;p&gt;&lt;a href="http://blogs.sun.com/identity/resource/WindowsLiveWriter_IdentityTrend11IdentityintheCloud_A546_image_2.png"&gt;&lt;img align="right" alt="image" border="0" height="186" src="http://blogs.sun.com/identity/resource/WindowsLiveWriter_IdentityTrend11IdentityintheCloud_A546_image_thumb.png" style="border-width: 0px; margin: 5px 0px 5px 10px; display: inline;" title="image" width="244"&gt;&lt;/img&gt;&lt;/a&gt;I am certainly not an expert in the entire field of cloud computing, but find it fascinating to learn about this significant trend in computing technology. I recently read a book entitled, “&lt;a href="http://www.amazon.com/Big-Switch-Rewiring-Edison-Google/dp/0393062287" target="_blank"&gt;The Big Switch:  Re-wiring the World, from Edison to Google&lt;/a&gt;,” by Nicholas Carr, which proposed that the shift from traditional data center computing to a utility-based computing model will follow the same general trend that electricity generation followed – from a model of each individual factory maintaining its own electricity generation capability to our current utility-based electricity generation and grid delivery model.  While I agree that the general direction is correct, there are several factors which make a move to utility computing much more difficult than a move to utility electricity generation.  I’ll address some of my thoughts about those differences in a future blog post.&lt;/p&gt; &#xD;
  &lt;p&gt;Nevertheless, we can see that just like Identity is a core platform technology for computing in traditional enterprise IT environments, Identity is a critical foundation for cloud computing or utility computing.  Identity may be a component of cloud computing infrastructure, or exposed as a separate set of services in the form of Identity as a Service (IDaaS).&lt;/p&gt; &#xD;
  &lt;p&gt;In some ways, the challenges and solutions for Identity in the Cloud are similar to those for Identity in the traditional data center.  However, there is increased technical and administrative/legal complexity because of the locations and increased number of physical and virtual components involved.  &lt;/p&gt; &#xD;
  &lt;p&gt;A few of the areas of increased complexity include:&lt;/p&gt; &#xD;
  &lt;ul&gt; &#xD;
    &lt;li&gt;&lt;b&gt;&lt;i&gt;Scale and distribution:&lt;/i&gt;&lt;/b&gt; Large numbers of accounts on large numbers of servers distributed globally. &lt;/li&gt; &#xD;
    &lt;li&gt;&lt;b&gt;&lt;i&gt;Division of responsibility:&lt;/i&gt;&lt;/b&gt; The different levels of cloud computing – Infrastructure as a Service, Platform as a Service and Software as a Service  - may be split between different service providers. &lt;/li&gt; &#xD;
    &lt;li&gt;&lt;b&gt;&lt;i&gt;Security Policy:&lt;/i&gt;&lt;/b&gt; Logging and auditing are essential to assure that cloud providers are not circumventing or compromising security policy. &lt;/li&gt; &#xD;
    &lt;li&gt;&lt;b&gt;&lt;i&gt;Risk Management:&lt;/i&gt;&lt;/b&gt; Risk profiles are different for cloud users, depending on type of company (e.g. difference between SMB and high profile public company). &lt;/li&gt; &#xD;
    &lt;li&gt;&lt;b&gt;&lt;i&gt;Legal and administrative:&lt;/i&gt;&lt;/b&gt; Control of Identity is often delegated to external parties, so more complex trust relationships must be put in place. &lt;/li&gt; &#xD;
    &lt;li&gt;&lt;b&gt;&lt;i&gt;Pricing.&lt;/i&gt;&lt;/b&gt;  How will Identity Services in the cloud be priced? How can the business value of Identity Services be quantified? &lt;/li&gt; &#xD;
    &lt;li&gt;&lt;b&gt;&lt;i&gt;Governance.&lt;/i&gt;&lt;/b&gt;  How will Identity governance procedures become more complex as the number of stakeholders and individual companies increases? &lt;/li&gt; &#xD;
  &lt;/ul&gt; &#xD;
  &lt;p&gt;One example of this increased complexity was highlighted in a &lt;a href="http://blog.internetcases.com/2009/10/26/court-upholds-ebay-forum-selection-clause/" target="_blank"&gt;recent legal case&lt;/a&gt;, where a lawsuit filed against eBay in Pennsylvania was transferred to Santa Clara, California because of a clause in eBay’s user agreement.  As with many areas of technology advancement, I expect that legal and procedural issues associated with cloud computing will be as challenging as the technologies involved.&lt;/p&gt; &#xD;
  &lt;p&gt;A number of companies are emerging with the express emphasis of Identity Management in Cloud computing.  A couple of such companies I have recently connected with are &lt;a href="http://symplified.com/" target="_blank"&gt;Symplified&lt;/a&gt; and Conformity.  I expect many more will emerge and that existing vendors of Identity Management software will release software versions specifically tailored for cloud computing.&lt;/p&gt; &#xD;
  &lt;p&gt;For example, some interesting discussions about cloud computing have been held with Oracle recently.  When asked about cloud computing by Ed Zander at the &lt;a href="http://www.youtube.com/watch?v=rmrxN3GWHpM" target="_blank"&gt;Churchill Club&lt;/a&gt; on September 21, 2009, Larry Ellison remarked, “just a lot of water vapor – nothing new!”&lt;/p&gt; &#xD;
  &lt;div class="wlWriterEditableSmartContent" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:c2e46d62-fb4d-4e44-b3c8-0f7404d8be30" style="padding: 0px; width: 425px; display: block; float: none; margin-left: auto; margin-right: auto;"&gt; &#xD;
    &lt;div id="e48bb1c5-f493-4de5-85ff-d49d29c7db08" style="margin: 0px; padding: 0px; display: inline;"&gt; &#xD;
      &lt;div&gt;&lt;/div&gt; &#xD;
    &lt;/div&gt; &#xD;
  &lt;/div&gt; &#xD;
  &lt;p&gt;On the surface, it would seem that Larry was denigrating the whole idea of cloud computing.  However, further discussions revealed that Larry thinks that cloud computing is just another label for technology that has been around for a while.  Oracle has been offering their ERP applications in a hosted, pay-as-you-go model for a decade.  I actually worked on that initiative while employed by Oracle nearly ten years ago.&lt;/p&gt; &#xD;
  &lt;p&gt;Coincidentally, the day I heard about Larry Ellison’s comments at the Churchill Club, I learned that &lt;a href="http://blog.talkingidentity.com/" target="_blank"&gt;Nishant Kaushik&lt;/a&gt; of Oracle had recently given an interesting presentation entitled “&lt;a href="http://www.slideshare.net/NishantKaushik/identity-services-and-the-cloud" target="_blank"&gt;Identity Services And The Cloud&lt;/a&gt;.”  He also gave a follow-on presentation at Oracle Open World, entitled, “&lt;a href="http://blog.talkingidentity.com/2009/10/ill-be-talking-at-openworld-on-idm-and-the-cloud.html" target="_blank"&gt;Identity Management in the Cloud: Stormy Days Ahead?&lt;/a&gt;”  Clearly, Oracle is right in the middle of addressing the issues surrounding Identity in the Cloud.&lt;/p&gt; &#xD;
  &lt;p&gt;&lt;b&gt;Questions to consider:&lt;/b&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;As you consider the implications of Identity Management as it applies to cloud computing, perhaps these questions will help:&lt;/p&gt; &#xD;
  &lt;ol&gt; &#xD;
    &lt;li&gt;How does your enterprise use cloud-based computing now?&lt;/li&gt; &#xD;
    &lt;li&gt;What are your plans for the future?&lt;/li&gt; &#xD;
    &lt;li&gt;How do you plan to leverage your existing Identity infrastructure as you adopt more cloud-based computing models?&lt;/li&gt; &#xD;
    &lt;li&gt;What information security challenges do you see in extending Identity and Access Management into the cloud?&lt;/li&gt; &#xD;
    &lt;li&gt;How will inclusion of multiple cloud computing vendors affect your privacy protection methods?&lt;/li&gt; &#xD;
    &lt;li&gt;How will you comply with internal and external audit requirements as you adopt cloud computing principles?&lt;/li&gt; &#xD;
  &lt;/ol&gt; &#xD;
  &lt;div class="wlWriterEditableSmartContent" id="scid:0767317B-992E-4b12-91E0-4F059A8CECA8:5c427bad-50a0-492b-b519-8b3c97c158ba" style="margin: 0px; padding: 0px; display: inline; float: none;"&gt;Technorati Tags: &lt;a href="http://technorati.com/tags/Identity" rel="tag"&gt;Identity&lt;/a&gt;, &lt;a href="http://technorati.com/tags/IdentityManagement" rel="tag"&gt;IdentityManagement&lt;/a&gt;, &lt;a href="http://technorati.com/tags/DigitalIdentity" rel="tag"&gt;DigitalIdentity&lt;/a&gt;, &lt;a href="http://technorati.com/tags/CloudComputing" rel="tag"&gt;CloudComputing&lt;/a&gt;, &lt;a href="http://technorati.com/tags/Oracle" rel="tag"&gt;Oracle&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=7HKFpKsb4Oc:G6WcgFqKoho:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=7HKFpKsb4Oc:G6WcgFqKoho:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=7HKFpKsb4Oc:G6WcgFqKoho:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=7HKFpKsb4Oc:G6WcgFqKoho:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/7HKFpKsb4Oc" height="1" width="1"/&gt;</content>
    <updated>2009-11-05T21:56:04Z</updated>
    <published>2009-11-05T21:52:52Z</published>
    <category label="Identity" term="/Identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="cloudcomputing" />
    <category scheme="http://roller.apache.org/ns/tags/" term="digitalidentity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identitymanagement" />
    <category scheme="http://roller.apache.org/ns/tags/" term="oracle" />
    <author>
      <name>identity</name>
    </author>
    <source>
      <id>http://blogs.sun.com/identity/feed/entries/atom</id>
      <link href="http://blogs.sun.com/identity/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/identity/" rel="alternate" type="text/html" />
      <subtitle>Mark Dixon's quest to explore the world of  Identity Management</subtitle>
      <title>Discovering Identity</title>
      <updated>2009-11-10T11:09:28Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/identity/entry/identity_trend_11_identity_in</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://blog.broadbandmechanics.com/?p=6184</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/fKxpLc8v6mE/" rel="alternate" type="text/html" />
    <title>Marc Canter - Broadband Mechanics: Aarhus blogging - ‘09</title>
    <summary type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Its snowing here in Denmark, meanwhile…..&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://blogs.law.harvard.edu/doc/2009/10/28/cluetrainings-3/"&gt;We are not clicks or eyeballs, we are people ….deal with it&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.zylstra.org/blog/archives/2009/10/open_data_netwo.html"&gt;Open Data Network in Germany - OurData.eu&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.readwriteweb.com/archives/google_wave_federation_why_it_matters.php"&gt;Google Wave Federation&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://joi.ito.com/weblog/2009/10/30/innovation-in-o.html"&gt;Innovation in Open Networks&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.scripting.com/stories/2009/10/21/bruceSterlingAtReboot.html"&gt;Speaking of Copenhagen, Bruse Sterling at Reboot&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.building43.com/videos/2009/11/05/google-html5-canvas-element-in-action/"&gt;HTML5 is getting out there&lt;/a&gt; - especially the canvas feature&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://ccmixter.org/thread/2059"&gt;ccMixter transitions from the Creative Commons to ArtisTech Media&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.theregister.co.uk/2009/11/03/yahoo_open_sources_application_server/"&gt;Traffic Server&lt;/a&gt;, &lt;a href="http://www.25hoursaday.com/weblog/2009/11/02/RealtimeDistributedConversationsSomeThoughtsOnTheSalmonProtocol.aspx"&gt;Salmon Protocol&lt;/a&gt;,&lt;a href="http://www.techcrunch.com/2009/10/27/statusnet-of-identi-ca-fame-raises-875000-to-become-the-wordpress-of-microblogging/"&gt;StatusNet&lt;/a&gt;, &lt;a href="http://feedproxy.google.com/~r/Techcrunch/~3/39LPwlA7Xj0/"&gt;QuickMix&lt;/a&gt;, &lt;a href="http://www.crunchgear.com/2009/11/02/sorensons-squeeze-6-a-connected-media-encoding-and-distribution-platform/"&gt;Squeeze 6&lt;/a&gt;, &lt;a href="http://greenenergytv.com/"&gt;GreenEnergyTV&lt;/a&gt;, &lt;a href="http://googlesystem.blogspot.com/2009/11/google-dashboard.html"&gt;Google Dashboard&lt;/a&gt;, &lt;a href="http://www.techcrunch.com/2009/11/04/bodega-a-cross-platform-marketplace-that-lets-gamers-swap-virtual-currencies-for-cash/"&gt;Bodega&lt;/a&gt;,&lt;/p&gt;&lt;/div&gt;</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Its snowing here in Denmark, meanwhile…..&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://blogs.law.harvard.edu/doc/2009/10/28/cluetrainings-3/"&gt;We are not clicks or eyeballs, we are people ….deal with it&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.zylstra.org/blog/archives/2009/10/open_data_netwo.html"&gt;Open Data Network in Germany - OurData.eu&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.readwriteweb.com/archives/google_wave_federation_why_it_matters.php"&gt;Google Wave Federation&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://joi.ito.com/weblog/2009/10/30/innovation-in-o.html"&gt;Innovation in Open Networks&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.scripting.com/stories/2009/10/21/bruceSterlingAtReboot.html"&gt;Speaking of Copenhagen, Bruse Sterling at Reboot&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.building43.com/videos/2009/11/05/google-html5-canvas-element-in-action/"&gt;HTML5 is getting out there&lt;/a&gt; - especially the canvas feature&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://ccmixter.org/thread/2059"&gt;ccMixter transitions from the Creative Commons to ArtisTech Media&lt;/a&gt;&lt;/p&gt;&#xD;
&lt;p&gt;&lt;a href="http://www.theregister.co.uk/2009/11/03/yahoo_open_sources_application_server/"&gt;Traffic Server&lt;/a&gt;, &lt;a href="http://www.25hoursaday.com/weblog/2009/11/02/RealtimeDistributedConversationsSomeThoughtsOnTheSalmonProtocol.aspx"&gt;Salmon Protocol&lt;/a&gt;,&lt;a href="http://www.techcrunch.com/2009/10/27/statusnet-of-identi-ca-fame-raises-875000-to-become-the-wordpress-of-microblogging/"&gt;StatusNet&lt;/a&gt;, &lt;a href="http://feedproxy.google.com/~r/Techcrunch/~3/39LPwlA7Xj0/"&gt;QuickMix&lt;/a&gt;, &lt;a href="http://www.crunchgear.com/2009/11/02/sorensons-squeeze-6-a-connected-media-encoding-and-distribution-platform/"&gt;Squeeze 6&lt;/a&gt;, &lt;a href="http://greenenergytv.com/"&gt;GreenEnergyTV&lt;/a&gt;, &lt;a href="http://googlesystem.blogspot.com/2009/11/google-dashboard.html"&gt;Google Dashboard&lt;/a&gt;, &lt;a href="http://www.techcrunch.com/2009/11/04/bodega-a-cross-platform-marketplace-that-lets-gamers-swap-virtual-currencies-for-cash/"&gt;Bodega&lt;/a&gt;,&lt;/p&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=fKxpLc8v6mE:VB3phfUaxxA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=fKxpLc8v6mE:VB3phfUaxxA:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=fKxpLc8v6mE:VB3phfUaxxA:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=fKxpLc8v6mE:VB3phfUaxxA:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/fKxpLc8v6mE" height="1" width="1"/&gt;</content>
    <updated>2009-11-05T21:06:14Z</updated>
    <category term="Blog" />
    <author>
      <name>marc</name>
    </author>
    <source>
      <id>http://blog.broadbandmechanics.com</id>
      <link href="http://blog.broadbandmechanics.com/feed/" rel="self" type="application/atom+xml" />
      <link href="http://blog.broadbandmechanics.com" rel="alternate" type="text/html" />
      <subtitle>building the open web one bit at a time</subtitle>
      <title>Marc's Voice</title>
      <updated>2009-11-09T14:08:48Z</updated>
    </source>
  <feedburner:origLink>http://blog.broadbandmechanics.com/2009/11/05/aarhus-blogging-09/</feedburner:origLink></entry>

  <entry>
    <id>tag:blogs.verisign.com,2009:/infrablog//2.1798</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/_sge-XuhBz4/trust_assurance_in_open_identi.php" rel="alternate" type="text/html" />
    <title>VeriSign Infrablog: Trust assurance in open identity networks</title>
    <summary type="html">One of the key challenges in a federated authentication network is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind...</summary>
    <content type="html" xml:lang="en">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&lt;br&gt;&#xD;
One of the key challenges in a federated authentication network is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind two parties into a trust relationship. When it comes to federated identity networks, peer-to-peer contracts between many identity providers and a myriad of relying party websites do not provide for a scalable process. Therefore, open federated networks need a trust assurance framework to bootstrap trust between the three parties (the user, the OP and the RP). &lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&lt;br&gt;&#xD;
The &lt;a href="http://informationcard.net/white-papers/open-trust-frameworks"&gt;basic idea&lt;/a&gt; is that if an OP can be certified to comply with a set of industry best practices, the RP should be able to enter into open identity exchange where both the websites and the consumers are reasonably protected. Of course, a pragmatic trust assurance framework should be flexible enough to support different levels of assurance based on the transaction risk and value. For low assurance Web federation where large brands such as email providers and major social networks dominate as OPs, certification may seem overkill, unless of course, the federation is built on open principles stating that any OP meeting the standard should be able to participate. For high assurance identity, such as payment networks, financial networks or eHealth record exchanges, certification is primordial. In fact, in such environments, both the OP(s) and the RPs need to be certified.&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&lt;br&gt;&#xD;
The&lt;a href="http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm"&gt; NIST guideline&lt;/a&gt; for electronic authentication is often referenced in the community as a good model for any identity trust framework. The NIST guideline defines four levels of insurance for e-authentication.  Each level is deemed appropriate &lt;br&gt;&#xD;
Depending on transactional risks. Tiered levels of identity assurance are essential to any pragmatic trust framework. Set the bar too high and deployment becomes impractical. Set the bar too low, and the bad guys will have a ball. Justifiably, the NIST guideline provides a solid starting point. Nevertheless, one needs to observe that the framework may be too narrowly focused on user credentialing and credentials strength to provide a complete answer. Open Identity systems cannot ignore the reality of today's Web vulnerabilities, threats and exploits that feed identity theft around the globes such as man in the browser exploits, session hijacking or Web vulnerability driven exploits like mass SQL injections. A trust standard also needs to go beyond security and address the major consumer concerns and political challenges of privacy. When it comes to trusting identities, security, privacy and anonymity are intricately intertwined. Trust in a federated identity Web mandates a holistic approach that looks not only at user authentication but also takes into account the current state of desktop exploits, Web site compromises and most importantly establishes clear and enforceable privacy protection guidelines. &lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&lt;strong&gt;&lt;br&gt;&#xD;
Trusting the OP/RP Websites: web security &amp;amp; business authentication&lt;/strong&gt;&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&lt;br&gt;&#xD;
For low and medium assurance identity transactions, it seems that both the OP and RP website security would need to be asserted. There, I think, one can learn from Internet security standards such as PCI. Even though the standard is far from being perfect (a euphemism, perhaps), it provides a shared base of security requirements for all websites to engage in ecommerce and securely handle credit card information. If one believes that consumers will require for their personal identity the same level of security as for their credit card, the parallel can be useful. The OP website should then be scanned for network security vulnerabilities; ports should be closed. Network services should not run outdated or un-patched software; the OP should not be vulnerable to common Web exploits such as SQL injection, cross-site scripting (XSS), or cross-site request forgery (CSRF). For web application vulnerabilities, the OWASP standard that identifies the top 10 Web vulnerabilities provides a useful reference. In addition to security assessment, a set of security best practices should be required. For example, the OpenID profile retained by the federal pilot already specifies that SSL should be part of the deployment profile. Verifying the authenticity and legitimacy of the organization behind the OP is as important as verifying the security of its website. There, a proven model that the industry could re-use is the EV business authentication standard. &lt;a href="http://en.wikipedia.org/wiki/Extended_Validation_Certificate"&gt;EV certification&lt;/a&gt; already defines a strong process for vetting organizations and it is already widely used across the industry.&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&lt;strong&gt;&lt;br&gt;&#xD;
Trusting the user: beyond identity verification and credentials&lt;/strong&gt;&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&lt;br&gt;&#xD;
As mentioned, NIST will provide the foundation for user trust assurance (both for runtime and initial authentication of end users). Equally important, however, is to consider that Internet threats have significantly evolved since the NIST framework was initially published. In particular, we need to recognize that one of the main threat vectors for identity theft is now malware. An identity trust framework can no longer ignore the potential of man-in-the-browser attacks (Trojans, key-loggers, worms, etc). Knowing whether the end user has any end-point protection (and maybe encouraging websites to introduce out-of-band messages into high assurance identity transactions when such protection is lacking) could be of consideration. &lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&lt;br&gt;&#xD;
&lt;strong&gt;Trusting the transaction: from activity to security streams&lt;/strong&gt;&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&lt;br&gt;&#xD;
Believing that the OP can provide strong identity assurance by simply checking credentials and abandoning the user at the RP front door is a dangerous over-simplification. Because modern exploits often let the user authenticate to commit fraud further down the session, it is important to enable OPs to leverage the knowledge of the end-user and her transaction patterns to identify high-risk conditions. Since we cannot assume the existence of adequate desktop protection (Internet security that exclusively relies on the presence of a client on the user desktop is no more than an academic exercise), high assurance federation models need to enable the use of fraud-engine techniques across RPs (most logically, run at the OP, although it could be separate). The ability to create an effective user risk profile across transactions is what has made the credit card networks work. High assurance identity networks are going to need an equivalent (think VISA of identity). An interesting idea could be to leverage the concept of the activity stream as a real-time fraud detection primitive. A security stream back to the OP (under complete user consent and strict privacy protection) would allow RPs to feed transactional information back to the OP, allowing it to build a complete risk profile of the user across her Internet activities (fraud detection is often based on clustering techniques that measure abnormal deviation from normal behavior). Even without a risk engine running at the OP, a security activity stream could have tremendous security value if used as a simple identity alert system to notify the user of all ongoing transactions. 
In high-risk cases, the activity stream could trigger an out-of-band consent for the transaction (think of Visa calling you to confirm and authorize a suspicious transaction); it is interesting to think that the social concept of the activity stream that is today missing from OpenID (not from Facebook Connect) could actually be used to drive better identity theft protection. With such a transactional feedback loop, a security-minded OP would be able to return a transaction score and possibly a liability guarantee based on the user risk and behavioral profile built over time. Incidentally, interesting new OP business models could emerge (VISA-like: "I will take a cut of the transaction", Credit-Bureau-like: "I will charge you for the score", Insurance-like: "I will take the liability risk").&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&lt;br&gt;&#xD;
Ensuring trust across these three dimensions (the organization, the website and the user) is non-trivial. Yet, it is critical to enable consumers worldwide to engage in shared identity interactions with peace of mind across the Internet. Very much like PCI vendors emerged from the existence of a commercial PCI standard, one would hope that identity trust assurance services could emerge as well, since security companies need economic drivers to build great services. One of the key challenges of the standard will be to strike a balance in where to set the security bar to permit a high level of automation for accreditation. Such a balance is always hard to strike, but it is also what makes the challenge worthwhile. &lt;br&gt;&#xD;
&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-05T19:14:06Z</updated>
    <published>2009-11-05T19:13:15Z</published>
    <category term="Identity" />
    <category term="security &amp; trust" />
    <author>
      <name>Nico Popp</name>
      <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    <source>
      <id>tag:blogs.verisign.com,2009:/infrablog/2</id>
      <link href="http://blogs.verisign.com/infrablog/" rel="alternate" type="text/html" />
      <link href="http://blogs.verisign.com/infrablog/atom.xml" rel="self" type="application/atom+xml" />
      <subtitle>Cool stuff from VeriSign's Advanced Products &amp; Research team.</subtitle>
      <title>Infrablog</title>
      <updated>2009-11-05T19:14:06Z</updated>
    </source>
  <feedburner:origLink>http://blogs.verisign.com/infrablog/2009/11/trust_assurance_in_open_identi.php</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://www.internetidentityworkshop.com/?p=223</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/2bMe2qS9QcM/" rel="alternate" type="text/html" />
    <title>Internet Identity Workshop: Workshop Day 3 in full swing</title>
    <summary type="html">This 9th Internet Identity Workshop is in full swing here on Day Three.
You can see the plethora of tweets happening via twitter search – Twitter Search.
We have also created a “Twitter list” of all attendees.
We just created a Slideshare account for IIW!
Paul Trevithick sent us his slides from the opening day. We are happy to [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;This 9th Internet Identity Workshop is in full swing here on Day Three.&lt;br&gt;&#xD;
You can see the plethora of tweets happening via twitter search – &lt;a href="http://search.twitter.com/search?q=%23iiw+OR+%23iiw9"&gt;Twitter Search&lt;/a&gt;.&lt;br&gt;&#xD;
We have also created a &lt;a href="http://www.twitter.com/idworkshop/iiw9"&gt;“Twitter list” of all attendees&lt;/a&gt;.&lt;/p&gt;&#xD;
&lt;p&gt;We just created a &lt;a href="http://www.slideshare.net/idworkshop"&gt;Slideshare account for IIW&lt;/a&gt;!&lt;br&gt;&#xD;
Paul Trevithick sent us his slides from the opening day. We are happy to post any other slide shows from IIW too.&lt;/p&gt;&#xD;
&lt;div id="__ss_2431811" style="width: 425px; text-align: left;"&gt;&lt;a href="http://www.slideshare.net/idworkshop/relationship-cards-iiw-nov-3-2009" style="font: 14px Helvetica,Arial,Sans-serif; display: block; margin: 12px 0 3px 0; text-decoration: underline;" title="Relationship Cards Iiw Nov 3 2009"&gt;Relationship Cards Iiw Nov 3 2009&lt;/a&gt;&lt;p&gt;&lt;/p&gt;&#xD;
&lt;div style="font-size: 11px; font-family: tahoma,arial; height: 26px; padding-top: 2px;"&gt;View more &lt;a href="http://www.slideshare.net/" style="text-decoration: underline;"&gt;presentations&lt;/a&gt; from &lt;a href="http://www.slideshare.net/idworkshop" style="text-decoration: underline;"&gt;Internet Identity Workshop&lt;/a&gt;.&lt;/div&gt;&#xD;
&lt;div style="font-size: 11px; font-family: tahoma,arial; height: 26px; padding-top: 2px;"&gt;&lt;/div&gt;&#xD;
&lt;/div&gt;&lt;/div&gt;</content>
    <updated>2009-11-05T19:02:06Z</updated>
    <category term="Uncategorized" />
    <author>
      <name>Kaliya</name>
    </author>
    <source>
      <id>http://www.internetidentityworkshop.com</id>
      <link href="http://www.internetidentityworkshop.com/feed/" rel="self" type="application/atom+xml" />
      <link href="http://www.internetidentityworkshop.com" rel="alternate" type="text/html" />
      <subtitle>Just another WordPress weblog</subtitle>
      <title>Internet Identity Workshop</title>
      <updated>2009-11-05T19:03:18Z</updated>
    </source>
  <feedburner:origLink>http://www.internetidentityworkshop.com/workshop-day-3-in-full-swing/</feedburner:origLink></entry>

  <entry>
    <id>http://www.itbusinessedge.com/cm/community/features/guestopinions/blog/the-expanding-footprint-of-the-privileged-identity-management-challenge/?cs=37271</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/zc5OX5ULDOY/" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: The Expanding Footprint of the Privileged Identity Management Challenge</title>
    
    <updated>2009-11-05T17:45:18Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">Today, organizations spend a lot of resources building an infrastructure for securing the enterprise and assuring their business continuity and compliance. Every typical IT environment comprises hundreds or thousands of servers, databases, network devices and more, all controlled and managed by a variety of privileged and shared identities – also known as break-glass, emergency or fire IDs – which are the most powerful in any organization. This includes the Root account on UNIX/Linux, Administrator in Windows, Cisco Enable, Oracle system/sys, MSSQL SA and many more.</content><feedburner:origLink>http://www.itbusinessedge.com/cm/community/features/guestopinions/blog/the-expanding-footprint-of-the-privileged-identity-management-challenge/?cs=37271</feedburner:origLink></entry>

  <entry>
    <id>http://www.pcworld.com/businesscenter/article/181498/vasco_uses_iphone_ipod_touch_for_authenticating_users.html</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/WEl3Q50Cbm8/vasco_uses_iphone_ipod_touch_for_authenticating_users.html" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Vasco Uses IPhone, IPod Touch for Authenticating Users</title>
    
    <updated>2009-11-05T16:32:36Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">The company has developed a version of the application for the Apple devices that can be downloaded for free from the App Store. Vasco's server products are also needed for the system to work.</content><feedburner:origLink>http://www.pcworld.com/businesscenter/article/181498/vasco_uses_iphone_ipod_touch_for_authenticating_users.html</feedburner:origLink></entry>

  <entry>
    <id>http://www.reuters.com/article/pressRelease/idUS156212+05-Nov-2009+PRN20091105</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/wSyWOLpOdbQ/idUS156212+05-Nov-2009+PRN20091105" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Likewise Simplifies Upgrade Path for Open Source Authentication</title>
    
    <updated>2009-11-05T16:31:32Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">Likewise Enterprise makes it easy for IT managers to authenticate users,
control access to applications and data, centrally manage settings with group
policies and create reports for regulatory audits. Likewise Enterprise is also
the only solution to provide 100 percent native support for Apple's Workgroup
Manager application.</content><feedburner:origLink>http://www.reuters.com/article/pressRelease/idUS156212+05-Nov-2009+PRN20091105</feedburner:origLink></entry>

  <entry>
    <id>http://www.cio.co.uk/opinion/veitch/2009/11/05/identity-management-still-seeking-a-sense-of-identity/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/I1Y3Zeblb5I/" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Identity management: still seeking a sense of identity?</title>
    
    <updated>2009-11-05T16:30:40Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">As Simon Veale of Oxford Computer Group suggested, it might be best to think of identity and management projects as a string of people-and-process change management challenges with some technology to come at the end.</content><feedburner:origLink>http://www.cio.co.uk/opinion/veitch/2009/11/05/identity-management-still-seeking-a-sense-of-identity/</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.kuppingercole.com/kuppinger/2009/11/05/why-cloud-services-will-sell-despite-slowdowns-in-outsourcing-and-mss-growth/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/jPyBKhZ2eas/" rel="alternate" type="text/html" />
    <title>Kuppinger Cole: Why cloud services will sell despite slowdowns in outsourcing and MSS growth</title>
    
    <updated>2009-11-05T10:56:30Z</updated>
    <source>
      <id>http://blogs.kuppingercole.com</id>
      <author>
        <name>Kuppinger Cole</name>
      </author>
      <link href="http://blogs.kuppingercole.com" rel="alternate" type="text/html" />
      <link href="http://feeds.feedburner.com/kuppingercole-blogs" rel="self" type="application/rss+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <subtitle>Blogs - Kuppinger Cole + Partner</subtitle>
      <title>Kuppinger Cole Blogs</title>
      <updated>2009-11-08T18:02:50Z</updated>
    </source>
  <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;p&gt;Within the last few months, I’ve read several news items about slowdowns in the growth of the outsourcing business and particularly the MSS (Managed Security Services) business, at least compared to the high expectations raised in the years before. Does that mean that the cloud is dead before it really starts? I don’t believe so, for several reasons:&lt;/p&gt;&#xD;
&lt;ol&gt;&#xD;
&lt;li&gt;There are different numbers regarding the status and growth of the MSS and outsourcing market. Some are much more positive than others – and it is no surprise that the negative ones are cited most (even the IT press more and more acts in the yellow press way…).&lt;/li&gt;&#xD;
&lt;li&gt;In days of economic turmoil (and we are still in these days, despite the quick recovery of the bonus mentality in financial institutions), customers tend to first drop external services before they fire employees – that affects MSS.&lt;/li&gt;&#xD;
&lt;li&gt;Outsourcing is sort of a “big beast” which is difficult to tame. It takes a long preparation, it is inflexible. Overall, it needs to adapt to become more flexible and easier to use. Cloud Computing with its granularity of services is an approach to address the shortcomings of outsourcing.&lt;/li&gt;&#xD;
&lt;li&gt;A feedback I had from multiple CISOs regarding MSS is that the quality of service and the level of control frequently is insufficient – thus it is about implementation and delivery of MSS, not the overall concept.&lt;/li&gt;&#xD;
&lt;/ol&gt;&#xD;
&lt;p&gt;Two reasons why the Cloud (in my understanding of an approach for a flexible use of IT services with the ability to switch between and choose the best provider, internal or external – e.g. much more about service than about external things from the Internet) will be successful, briefly explained:&lt;/p&gt;&#xD;
&lt;ol&gt;&#xD;
&lt;li&gt;If you think about a matrix like the one shown below, with two axes, Outsourcing is just sort of the specialized approach to the cloud. And from our expectations, the sweet spot for most providers will be around “community clouds”, in the centre of this. That potential for industry clouds, community clouds, and point solutions isn’t unveiled yet. Thus, there is much more in the cloud than is discussed today.&lt;/li&gt;&#xD;
&lt;li&gt;The cloud is not new. It didn’t just appear in the sky but grew over years. SaaS has been out there for a while, service management as well. Not even to talk about outsourcing. The cloud is, from my perspective, just the result of an evolution from a tactical, opportunistic use of external services towards a strategic approach on how to best provide IT services (external vs. internal). We’re at sort of the “break-even”, to use an analogy.&lt;/li&gt;&#xD;
&lt;/ol&gt;&#xD;
&lt;div class="wp-caption aligncenter" id="attachment_228" style="width: 1034px;"&gt;&lt;a href="http://blogs.kuppingercole.com/kuppinger/2009/11/05/why-cloud-services-will-sell-despite-slowdowns-in-outsourcing-and-mss-growth/blog-2009-11-05/" rel="attachment wp-att-228"&gt;&lt;img alt="Cloud Matrix" class="size-large wp-image-228" height="734" src="http://blogs.kuppingercole.com/kuppinger/wp-content/uploads/Blog-2009-11-05-1024x734.png" title="Kuppinger Cole View of Cloud Segments" width="1024"&gt;&lt;/img&gt;&lt;/a&gt;&lt;p class="wp-caption-text"&gt;Cloud Matrix&lt;/p&gt;&lt;/div&gt;&#xD;
&lt;p&gt;By the way: The biggest risk for the cloud is too much marketing. But that was the same with Client Server, the Internet, and many other things. None of them disappeared, but all big changes took years to become reality. The same is true for the cloud.&lt;/p&gt;&#xD;
&lt;p&gt;I appreciate your feedback on that! And see you at&lt;a href="http://www.id-conf.com" target="_blank" title="Kuppinger Cole Events"&gt; EIC 2010 and Cloud 10&lt;/a&gt;, both to be held in Munich, May 4th to 7th, 2010.&lt;/p&gt;&lt;/div&gt;</content><feedburner:origLink>http://blogs.kuppingercole.com/kuppinger/2009/11/05/why-cloud-services-will-sell-despite-slowdowns-in-outsourcing-and-mss-growth/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://www.links.org/?p=780</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/dqiNrtadCFQ/" rel="alternate" type="text/html" />
    <title>Ben Laurie - Apache / The Bunker: Another Protocol Bites The Dust</title>
    <summary type="html">For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.
To make matters even worse, through a piece of (in retrospect) incredibly bad design, [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;For the last 6 weeks or so, a bunch of us have been working on a &lt;a href="http://extendedsubset.com/?p=8"&gt;really serious issue in SSL&lt;/a&gt;. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.&lt;/p&gt;&#xD;
&lt;p&gt;To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed &lt;em&gt;as if it had been authenticated by the client certificate&lt;/em&gt;. But it hasn’t.&lt;/p&gt;&#xD;
&lt;p&gt;Not that the picture is all rosy even when client certificates are not involved. Consider the attacker sending an HTTP request of his choosing, ending with the unterminated line “X-Swallow-This: “. That header will then swallow the real request sent by the real user, and will cause any headers from the real user (including, say, authentication cookies) to be appended to the evil request.&lt;/p&gt;&#xD;
&lt;p&gt;It’s obviously going to take a little while for the world to patch this – and since the news is spreading like wildfire I’ve put up &lt;a href="http://feeds.feedburner.com/files/no-renegotiation-2.patch"&gt;a patch to OpenSSL that bans all renegotiation&lt;/a&gt;. I’m sure an official release will follow very shortly.&lt;/p&gt;&#xD;
&lt;p&gt;Note that the patch is against the head of the OpenSSL 0.9.8 development tree (that is, it is against 0.9.8l-dev). You may have to do a little work to patch against other versions. And if you intend to deploy this patch permanently, &lt;strong&gt;please&lt;/strong&gt; change at least the textual version of the version number, which you can find in &lt;code&gt;crypto/opensslv.h&lt;/code&gt;. Also note that if you need renegotiation for your site to work, I have no solution for you, other than you redesign your site. Sorry.&lt;/p&gt;&#xD;
&lt;/div&gt;</content>
    <updated>2009-11-05T07:03:37Z</updated>
    <category term="Crypto" />
    <category term="Open Source" />
    <category term="Security" /><feedburner:origlink>http://www.links.org/?p=780</feedburner:origlink>
    <author>
      <name>Ben</name>
    </author>
    <source>
      <id>http://www.links.org</id>
      <link href="http://www.links.org" rel="alternate" type="text/html" />
      <link href="http://feeds.feedburner.com/links/ZvUZ" rel="self" type="application/atom+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <subtitle>Ben Laurie blathering</subtitle>
      <title>Links</title>
      <updated>2009-11-10T11:32:28Z</updated>
    </source>
  <feedburner:origLink>http://feedproxy.google.com/~r/links/ZvUZ/~3/LsGphhm65qc/</feedburner:origLink></entry>

  <entry>
    <id>http://blog.sailpoint.com/2009/11/identity-governance-market/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/WMAo7wTkdPk/" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: The State of the Identity Governance Market</title>
    
    <updated>2009-11-05T05:32:39Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">The tough economy has made buyers more selective about how they invest in IdM solutions. Budget constraints have ensured that companies are laser-focused on solutions that provide immediate, measurable results.</content><feedburner:origLink>http://blog.sailpoint.com/2009/11/identity-governance-market/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://www.windley.com/archives/2009/11/spamming_like_a_pro_the_value_of_social_data.shtml</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/RL3CKQu0fRU/spamming_like_a_pro_the_value_of_social_data.shtml" rel="alternate" type="application/xhtml+xml" />
    <title xml:lang="en">Phil Windley - BYU: Spamming Like a Pro: The Value of Social Data</title>
    <summary xml:lang="en" type="html">Image via Wikipedia This article at TechCrunch: How To Spam Facebook Like A Pro: An Insider's Confession is written by Dennis Yu, a reformed ad spammer on Facebook. In it, he says: When the Facebook platform first launched, developers...</summary>
    <content type="html" xml:lang="en">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&#xD;
&lt;p&gt;&#xD;
This article at TechCrunch: &lt;a href="http://www.techcrunch.com/2009/11/01/how-to-spam-facebook-like-a-pro-an-insiders-confession/%27"&gt;How To Spam Facebook Like A Pro: An Insider's Confession&lt;/a&gt; is written by Dennis Yu, a reformed ad spammer on Facebook.  In it, he says:&#xD;
&lt;/p&gt;&#xD;
&lt;blockquote class="webquote"&gt;&#xD;
When the Facebook platform first launched, developers used Google AdSense, which was paying 10-15 cent eCPMs, meaning that developers were earning 10 to 15 cents for every 1,000 ads they showed. But soon, ad networks, such as the one I operated, stepped in to show that by using social data and some clever ad copy, we could raise this to well over $6--that's 60 times better than AdSense. AdSense was getting a 0.1% CTR and earning 15 cents a click. Our ads were getting up to a 4% CTR and also earning 15 cents a click. You do the math.&#xD;
&lt;div class="quoteref"&gt;From &lt;a href="http://www.techcrunch.com/2009/11/01/how-to-spam-facebook-like-a-pro-an-insiders-confession/"&gt;How To Spam Facebook Like A Pro: An Insider's Confession&lt;/a&gt;&lt;br&gt;Referenced Wed Nov 04 2009 14:19:41 GMT-0800 (PST)&lt;/div&gt;&lt;/blockquote&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
That number--60x--jumps out of that statement.  There's tremendous pressure, as this article points out, to sell out users.  That's a good reason to find technologies that let users manage their data.  With the right model, users could share in that revenue and make this kind of sale more above board than what's happening right now.  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&#xD;
&lt;div class="zemanta-pixie"&gt;&lt;img alt="" class="zemanta-pixie-img" src="http://img.zemanta.com/pixy.gif?x-id=7aca323b-c016-4601-8a28-83f0d3da3e50"&gt;&lt;/img&gt;&lt;span class="zem-script more-related pretty-attribution"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=RL3CKQu0fRU:StIeCLp0A_s:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=RL3CKQu0fRU:StIeCLp0A_s:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=RL3CKQu0fRU:StIeCLp0A_s:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=RL3CKQu0fRU:StIeCLp0A_s:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/RL3CKQu0fRU" height="1" width="1"/&gt;</content>
    <updated>2009-11-04T22:28:40Z</updated>
    <published>2009-11-04T22:27:08Z</published>
    <category term="facebook, advertising, vrm," />
    <source>
      <id>http://www.windley.com/</id>
      <icon>http://www.windley.com/favicon.ico</icon>
      <logo>http://www.niallkennedy.com/alive.gif</logo>
      <author>
        <name>windley</name>
        <email>phil@windley.org</email>
        <uri>http://www.windley.com</uri>
      </author>
      <link href="http://www.windley.com/" rel="alternate" type="application/xhtml+xml" />
      <link href="http://www.windley.com/atom.xml" rel="self" type="application/atom+xml" />
      <rights xml:lang="en">Creative Commons Attribution 2.5</rights>
      <subtitle xml:lang="en">Organizations Get the IT They Deserve</subtitle>
      <title xml:lang="en">Phil Windley's Technometria</title>
      <updated>2009-11-09T19:43:57Z</updated>
    </source>
  <feedburner:origLink>http://www.windley.com/archives/2009/11/spamming_like_a_pro_the_value_of_social_data.shtml</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://access.jiscinvolve.org/the-greatness-in-you/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/rpB_q-F0AwU/" rel="alternate" type="text/html" />
    <title>JISC Access Management Team: The Greatness in You</title>
    <summary type="html">Jim Collins wants us all to be great. He wants everything we do to be great for everyone. Good is the enemy of great.  That’s quite an interesting challenge for the opening session of Educause 2009. Collins believes that greatness is not a function of circumstance but of choice, and he believes that Universities [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Jim Collins wants us all to be great. He wants everything we do to be great for everyone. Good is the enemy of great.  That’s quite an interesting challenge for the opening session of Educause 2009. Collins believes that greatness is not a function of circumstance but of choice, and he believes that Universities can and should be great.  Apparently this can all be achieved by a culture of discipline, and not by trying to turn institutions in to businesses.  &lt;/p&gt;&#xD;
&lt;p&gt;I was immediately struck by how this approach to thinking about improving educational institutions could be compared with Mandelson’s speech and the recent launch of the &lt;a href="http://www.bis.gov.uk/policies/higher-ambitions"&gt;Higher Ambitions&lt;/a&gt; report.&lt;/p&gt;&#xD;
&lt;p&gt;To be truthful, the presentation was all a bit self-helpy for me, but I think that Collins identified some important points.  He highlighted the fact that the power base within educational institutions is incredibly diffuse, particularly within higher education.  This makes the pattern of leadership very different from that found in business environments.  People who come into this environment and try to act as if they have concentrated power inevitably fail in the face of tenured professors!  Conversation, debate and involvement of staff in decision making is far more important within education than dictation.&lt;/p&gt;&#xD;
&lt;p&gt;There are lots of nice shots from Collins’ presentation on twitter including this which shows his &lt;a href="http://twitpic.com/o8wpq"&gt;five stages of decline&lt;/a&gt;, which I found amusing.&lt;/p&gt;&#xD;
&lt;p&gt;The message that Collins had for education was don’t over-reach, serve your core first and foremost and most importantly have the right people in the right seats.  This focus on the best staff does seem somewhat at odds with the Higher Ambitions approach and the discussions around students as “customers”.&lt;/p&gt;&#xD;
&lt;p&gt;I’ll finish with what Collins defines as the “right people”.  I thought it was a really interesting list:&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
&lt;li&gt;The right people share your values.  Values cannot be taught.&lt;/li&gt;&#xD;
&lt;li&gt;The right people don’t need to be managed - guided, directed but not managed.&lt;/li&gt;&#xD;
&lt;li&gt;The right people don’t talk about their job, they talk about their responsibilities.&lt;/li&gt;&#xD;
&lt;li&gt;The right people always do what they say they will do, so are careful about what they commit to.&lt;/li&gt;&#xD;
&lt;li&gt;The right people take responsibility.&lt;/li&gt;&#xD;
&lt;li&gt;The right people come to work with enthusiasm.&lt;/li&gt;&#xD;
&lt;/ul&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=rpB_q-F0AwU:UcZDzaUfbnk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=rpB_q-F0AwU:UcZDzaUfbnk:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=rpB_q-F0AwU:UcZDzaUfbnk:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=rpB_q-F0AwU:UcZDzaUfbnk:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/rpB_q-F0AwU" height="1" width="1"/&gt;</content>
    <updated>2009-11-04T21:39:40Z</updated>
    <category term="Authentication" />
    <author>
      <name>nicole</name>
    </author>
    <source>
      <id>http://access.jiscinvolve.org</id>
      <link href="http://access.jiscinvolve.org" rel="alternate" type="text/html" />
      <link href="http://access.jiscinvolve.org/feed/" rel="self" type="application/rss+xml" />
      <subtitle>moving towards federated access management</subtitle>
      <title>JISC Access Management Team</title>
      <updated>2009-11-06T09:53:24Z</updated>
    </source>
  <feedburner:origLink>http://access.jiscinvolve.org/the-greatness-in-you/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://access.jiscinvolve.org/the-last-man-on-earth-sat-alone-in-a-room/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/GNHVW-hvLEU/" rel="alternate" type="text/html" />
    <title>JISC Access Management Team: The Last Man on Earth Sat Alone in a Room</title>
    <summary type="html">The best storytelling starts with a sense of mystery to pull you in, but what is NOT a story? This is the opening to the “teaching and storytelling using Web 2.0” session at Educause.  An exercise in the room included comments around something that is not heard, something that lacks personal engagement, something that [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;The best storytelling starts with a sense of mystery to pull you in, but what is NOT a story? This is the opening to the “teaching and storytelling using Web 2.0” session at Educause.  An exercise in the room included comments around something that is not heard, something that lacks personal engagement, something that does not have narrative.  This describes a lot of the way we present information.  &lt;/p&gt;&#xD;
&lt;p&gt;Of course the web was used for storytelling before web 2.0: &lt;a href="http://www.dreamingmethods.com/"&gt;Dreaming Methods&lt;/a&gt; is a good example of this.  So what is the difference now?  I think the real difference is a) the ease with which everyone can now communicate online without needing to understand html and b) the ability to respond to stories, which is closer to the older concept of storytelling as a community exercise.  &lt;/p&gt;&#xD;
&lt;p&gt;Bringing this back to make it a bit more relevant to this blog, I’m interested in the difference between fictional storytelling and personal storytelling.  As we all use web 2.0 tools, how do we build and manage our own storytelling?  This is described as character 101 in this session.  We have the ability to create characters online using persona, and to also use our personas to tell non-fictional stories without necessarily revealing our identity.  This creates interesting nuances, with people following and befriending fictional characters (such as meerkats from adverts) and personas of real people that are entirely disconnected from the real person behind them.&lt;/p&gt;&#xD;
&lt;p&gt;Important takeaway from this session for me? What we do in Web 2.0 is no different from what we have always done. We Chat. We Gossip. We Relate. We Discuss. We sometimes Work. Is Web 2.0 really all that different from attending a &lt;a href="http://www.much-ado.net/austenbook/"&gt;ball at Netherfield&lt;/a&gt;?&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-04T21:14:15Z</updated>
    <category term="Identity Management" />
    <author>
      <name>nicole</name>
    </author>
    <source>
      <id>http://access.jiscinvolve.org</id>
      <link href="http://access.jiscinvolve.org" rel="alternate" type="text/html" />
      <link href="http://access.jiscinvolve.org/feed/" rel="self" type="application/rss+xml" />
      <subtitle>moving towards federated access management</subtitle>
      <title>JISC Access Management Team</title>
      <updated>2009-11-06T09:53:24Z</updated>
    </source>
  <feedburner:origLink>http://access.jiscinvolve.org/the-last-man-on-earth-sat-alone-in-a-room/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://www.windley.com/archives/2009/11/iiw_trending_topics_openid_and_ic_cooperation_and_activity_streams.shtml</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/xOWRjO7to-A/iiw_trending_topics_openid_and_ic_cooperation_and_activity_streams.shtml" rel="alternate" type="application/xhtml+xml" />
    <title xml:lang="en">Phil Windley - BYU: IIW Trending Topics: OpenID and IC Cooperation and Activity Streams</title>
    <summary xml:lang="en" type="html">IIW IX, the 9th Semiannual Internet Identity Workshop is underway at the Computer History Museum in Mountain View. At each meeting, I'm usually surprised by the emergence of one or two topics and pleased to see continued moves toward...</summary>
    <content type="html" xml:lang="en">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;!-- title: 
IIW Trending Topics: Consolidation, Cooperation, and Activity Streams
--&gt;&#xD;
&lt;!-- category: newsletter --&gt;&#xD;
&lt;!-- keywords: 
activity+streams, iiw, iiw9, openid, information+cards
--&gt;&#xD;
&lt;a href="http://www.internetidentityworkshop.com/"&gt;&lt;img align="right" alt="IIW Logo" border="0" hspace="3" src="http://www.windley.com/events/iiw9/images/iiw_2009b_150.png" title="IIW Logo" vspace="3"&gt;&lt;/img&gt;&lt;/a&gt; &#xD;
&lt;p&gt;&#xD;
IIW IX, the 9th Semiannual &lt;a href="http://www.internetidentityworkshop.com/"&gt;Internet Identity Workshop&lt;/a&gt; is underway at the &lt;a class="zem_slink" href="http://maps.google.com/maps?ll=37.414371,-122.076817&amp;amp;spn=1.0,1.0&amp;amp;q=37.414371,-122.076817%20%28Computer%20History%20Museum%29&amp;amp;t=h" rel="geolocation" title="Computer History Museum"&gt;Computer History Museum&lt;/a&gt; in Mountain View.  At each meeting, I'm usually surprised by the emergence of one or two topics and pleased to see continued moves toward even further consolidation and cooperation between mature identity protocols.  &#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
There continues to be increased cooperation between OpenID and Information Cards.  I've seen demos of using Information Cards to store and apply OpenID from Microsoft and heard discussion around OpenID selectors and trust frameworks.  I quipped that OpenID keeps adding features incrementally in a way that asymptotically approaches the design of Information Cards. Information Cards, on the other hand, search for a way to ride the popularity of OpenID to relying party acceptance.  For both, getting relying parties to accept them for authentication remains the holy grail. &#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;p&gt;&#xD;
One topic that is trending up at IIW is activity streams.  &#xD;
&lt;a href="http://activitystrea.ms/"&gt;Activity Streams&lt;/a&gt; is an extension to the Atom feed format for sharing user activities among various systems.  The Activity Streams format has already been adopted by Facebook, MySpace, Windows Live, and Opera.  &lt;a href="http://twitter.com/ciberch/"&gt;Monica Keller&lt;/a&gt; created a Prezi on the &lt;a href="http://prezi.com/yxvtypx-aani/"&gt;anotomy of an activity stream&lt;/a&gt;: who did what, where, when, and under what circumstances.  What did they say about it?  Who else was there? &#xD;
&lt;/p&gt;&#xD;
             &#xD;
&#xD;
&#xD;
&lt;p&gt;&#xD;
As I learned about activity streams I couldn't help thinking how neat it would be to build them into KRL so that you could write rules around activities. &#xD;
&lt;/p&gt;&#xD;
&#xD;
&#xD;
&#xD;
&#xD;
&lt;div class="zemanta-pixie"&gt;&lt;img alt="" class="zemanta-pixie-img" src="http://img.zemanta.com/pixy.gif?x-id=af87355c-3974-4929-9b7a-47621036c4a0"&gt;&lt;/img&gt;&lt;span class="zem-script more-related pretty-attribution"&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=xOWRjO7to-A:3sGvQjnZh4U:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=xOWRjO7to-A:3sGvQjnZh4U:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=xOWRjO7to-A:3sGvQjnZh4U:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=xOWRjO7to-A:3sGvQjnZh4U:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/xOWRjO7to-A" height="1" width="1"/&gt;</content>
    <updated>2009-11-04T19:02:43Z</updated>
    <published>2009-11-04T18:52:48Z</published>
    <category term="activity+streams, iiw, iiw9, openid, information+cards," />
    <source>
      <id>http://www.windley.com/</id>
      <icon>http://www.windley.com/favicon.ico</icon>
      <logo>http://www.niallkennedy.com/alive.gif</logo>
      <author>
        <name>windley</name>
        <email>phil@windley.org</email>
        <uri>http://www.windley.com</uri>
      </author>
      <link href="http://www.windley.com/" rel="alternate" type="application/xhtml+xml" />
      <link href="http://www.windley.com/atom.xml" rel="self" type="application/atom+xml" />
      <rights xml:lang="en">Creative Commons Attribution 2.5</rights>
      <subtitle xml:lang="en">Organizations Get the IT They Deserve</subtitle>
      <title xml:lang="en">Phil Windley's Technometria</title>
      <updated>2009-11-09T19:43:57Z</updated>
    </source>
  <feedburner:origLink>http://www.windley.com/archives/2009/11/iiw_trending_topics_openid_and_ic_cooperation_and_activity_streams.shtml</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/nickwooler/entry/dsee_and_idm_team_at</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/FKh9EiM9o0M/dsee_and_idm_team_at" rel="alternate" type="text/html" />
    <title>Nick Wooler - Sun: Gartner IAM, Nov. 9-11:  Identity Management Isn't Hard</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;Next week, Nov. 9-11, the Identity Management Team travels down to &lt;a href="http://www.gartner.com/it/page.jsp?id=838920"&gt;Gartner Identity Access Management&lt;/a&gt; conference to showcase two of our latest releases DSEE 7 and Role Manager 5.  &lt;a href="http://www.gartner.com/it/page.jsp?id=838920"&gt;Gartner IAM&lt;/a&gt; is a great event because it not only gather's together experienced practitioners in the identity management space but has a number of events that are small enough that you can have quality conversations about real problems.  Last year, Verizon presented at this conference on the Directory and OpenSSO implementation that serves 50M users.  The presentation is a great example of the proven expertise that Sun brings to Identity Management and the proven extranet scale our products can support---not a marketing benchmark.&lt;/p&gt; &#xD;
  &lt;p&gt;publisherID=1460825906"&amp;gt; &lt;/p&gt; &#xD;
  &lt;p&gt;Our team has taken a different approach to this even this year and we are participating in Gartner's Learning Lab's.  Vendors, customer's and identity specialists are encouraged to come-by in a classroom style and learn about specific problem's Sun's product, partner's and customer's are using to solve their identity business problems.  This is crucial today as the cost of failure or doing nothing rises exponentially.  The best way to ensure success is to learn from real-world implementations not marketing based slideware presentations.  This is why we have assembled not just the product teams but partners and real customer's to share their experience in these "learning labs".&lt;/p&gt; &#xD;
  &lt;p&gt;&lt;img align="left" src="http://www.hardrock.com/corporate/logos/Compressed/WebQuality/HardRockCafe/HRC_B_small.gif"&gt;&lt;/img&gt;The other great thing about Gartner IAM is that there are usually a few different ways to combine great industry expertise and a little fun.  On Tuesday, Nov. 10 at 9:00pm you can meet the Sun Identity team at the &lt;a href="http://www.hardrock.com/locations/cafes3/tour.aspx?LocationID=47&amp;amp;MIBenumID=3"&gt;Hard Rock&lt;/a&gt; Rooftop bar for drinks and conversation.  The first 50 people get a wristband for free drinks.  Identity management isn't hard so come to the &lt;a href="http://www.hardrock.com/locations/cafes3/cafe.aspx?LocationID=47&amp;amp;MIBEnumID=3&amp;amp;src=homepage_locationdropdown"&gt;Hard Rock&lt;/a&gt; to find out how to make it easy! &lt;/p&gt; &#xD;
  &lt;p&gt; &lt;/p&gt; &#xD;
  &lt;p&gt;&lt;font size="4"&gt;&lt;strong&gt;Gartner IAM Sun Schedule&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;&lt;font size="4"&gt;&lt;strong&gt;Monday, Nov 9th&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;&lt;u&gt;&lt;strong&gt;Learning Lab:&lt;/strong&gt;&lt;/u&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;12:40 - 1:05pm  “Increase Speed &amp;amp;&#xD;
Performance while reducing TCO with Sun Directory Server Enterprise&#xD;
Edition” Speaker: Nick Wooler, Sr Product&#xD;
Manager – Sun Microsystems&lt;/p&gt; &#xD;
  &lt;p&gt;1:05 - 1:30pm  “Changing the Rules of&#xD;
the game; Raising the bar with Rule Life-cycle Management and&#xD;
closed-loop remediation” Speaker: Neil Gandhi, Sr Product&#xD;
Manager – Sun Microsystems&lt;/p&gt; &#xD;
  &lt;p&gt; &lt;/p&gt; &#xD;
  &lt;p&gt;1:35 - 2:00pm  "IAM Governance,&#xD;
Risk and Compliance -- the future of IAM", Speaker: Sachin Nayyar, President -&#xD;
BrinQa&lt;/p&gt; &#xD;
  &lt;p&gt;2:05 - 2:30pm  "Enterprise Single&#xD;
Sign On for Sun Identity Management", Speaker: Stephane Fymat, VP of Strategy&#xD;
and Product Management - Passlogix&lt;/p&gt; &#xD;
  &lt;p&gt;&lt;u&gt;&lt;strong&gt;Sun Booth:&lt;/strong&gt;&lt;/u&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;12:30 - 2:30pm  &lt;a href="http://blogs.sun.com/raskin/"&gt;Daniel Raskin&lt;/a&gt; showcasing&#xD;
OpenSSO&lt;/p&gt; &#xD;
  &lt;p&gt;12:30 - 2:30pm  &lt;a href="http://blogs.sun.com/elemental/entry/sun_identity_compliance_manager_released"&gt;Mat Hamlin&lt;/a&gt; showcasing Identity&#xD;
Manager&lt;/p&gt; &#xD;
  &lt;p&gt;&lt;font size="4"&gt;&lt;strong&gt;Tuesday, Nov 10&lt;/strong&gt;&lt;sup&gt;&lt;strong&gt;th&lt;/strong&gt;&lt;/sup&gt;&lt;/font&gt;&lt;/p&gt; &#xD;
  &lt;p&gt; &lt;/p&gt; &#xD;
  &lt;p&gt;&lt;u&gt;&lt;strong&gt;Learning Lab:&lt;/strong&gt;&lt;/u&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;12:10 - 12:35pm  “Role based user&#xD;
provisioning; using business roles for identity life-cycle management&#xD;
and identity auditing”, Speaker:  Mat Hamlin, Sr Product&#xD;
Manager, Sun Microsystems&lt;/p&gt; &#xD;
  &lt;p&gt;12:35 - 1:00pm  “Three tough&#xD;
challenges, one powerful solution: OpenSSO for web access management,&#xD;
federation and Web services security”, Speaker: Daniel Raskin, Chief Identity&#xD;
Strategist – Sun Microsystems&lt;/p&gt; &#xD;
  &lt;p&gt;1:05 - 1:30pm  "Privileged&#xD;
Identity Risk Management: Mitigating the Insider Threat", Speaker: Richard Weeks, VP of Channels&#xD;
and Business Development, Cyber-Ark&lt;/p&gt; &#xD;
  &lt;p&gt;1:35 - 2:00pm  "The WHO behind the&#xD;
WHAT: Arcot Authentication and Sun OpenSSO Enterprise "  Speaker: R 'Doc' Vaidhyanathan, Chief&#xD;
Product Officer  - Arcot&lt;/p&gt; &#xD;
  &lt;p&gt;&lt;u&gt;&lt;strong&gt;Sun Booth:&lt;/strong&gt;&lt;/u&gt;&lt;/p&gt; &#xD;
  &lt;p&gt;12:00 - 2:00pm  Nick Wooler, showcasing DSEE&lt;/p&gt; &#xD;
  &lt;p&gt;12:00 - 2:00pm  &lt;a href="http://www.neilgandhi.net/gotroles/2009/07/identity-management-for-government-webinar-sun-microsystems.html"&gt;Neil Gandhi&lt;/a&gt;, showcasing Role&#xD;
Manager&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-04T17:23:31Z</updated>
    <published>2009-11-04T17:19:14Z</published>
    <category label="Sun" term="/Sun" />
    <category scheme="http://roller.apache.org/ns/tags/" term="directoryservices" />
    <category scheme="http://roller.apache.org/ns/tags/" term="dsee" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identitymanager" />
    <category scheme="http://roller.apache.org/ns/tags/" term="security" />
    <author>
      <name>nwooler</name>
    </author>
    <source>
      <id>http://blogs.sun.com/nickwooler/feed/entries/atom</id>
      <link href="http://blogs.sun.com/nickwooler/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/nickwooler/" rel="alternate" type="text/html" />
      <subtitle>Virtual Nick Wooler</subtitle>
      <title>Virtual Nick Wooler</title>
      <updated>2009-11-06T18:20:13Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/nickwooler/entry/dsee_and_idm_team_at</feedburner:origLink></entry>

  <entry>
    <id>http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1373531,00.html</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/B2tt9da_jGI/0,294698,sid14_gci1373531,00.html" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Two-factor authentication, constant vigilance foils password theft</title>
    
    <updated>2009-11-04T17:21:11Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">It's going to take new measures -- a mixture of technology and policy -- to hold users more accountable while addressing new attack methods and the automated connectivity of Web 2.0 behavior.</content><feedburner:origLink>http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1373531,00.html</feedburner:origLink></entry>

  <entry>
    <id>http://ihack.us/2009/11/02/chamberlain-a-user-serving-model-for-identity-management/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/KmGv2quCTU8/" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Chamberlain: A User-Serving Model for Identity Management</title>
    
    <updated>2009-11-04T17:14:46Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">I believe that the best way to solve these problems is to move to an entirely different metaphor. Rather than thinking of identity as something manually managed by the user (like cards in a wallet), I believe the vast majority of users want identity to be something that is managed *for* them — the way a chamberlain in a palace might keep keys to all the rooms, and control who was allowed to go where in accordance with royal policy.</content><feedburner:origLink>http://ihack.us/2009/11/02/chamberlain-a-user-serving-model-for-identity-management/</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>8d07cc69-a460-48f1-844d-25b05ba87317:3682</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/X0CpRkYID7Y/sharepoint-174-conference-2009-growth-drives-demand-for-management-and-security.aspx" rel="alternate" type="text/html" />
    <title>CA on Security Management: SharePoint® Conference 2009: Growth Drives Demand for Management and Security</title>
    
    <updated>2009-11-04T17:06:00Z</updated>
    <category scheme="http://community.ca.com/blogs/iam/archive/tags/Security/default.aspx" term="Security" />
    <category scheme="http://community.ca.com/blogs/iam/archive/tags/Federation/default.aspx" term="Federation" />
    <category scheme="http://community.ca.com/blogs/iam/archive/tags/Secure+Web+Business/default.aspx" term="Secure Web Business" />
    <category scheme="http://community.ca.com/blogs/iam/archive/tags/Web+Access+Management/default.aspx" term="Web Access Management" />
    <category scheme="http://community.ca.com/blogs/iam/archive/tags/Access+Control/default.aspx" term="Access Control" />
    <category scheme="http://community.ca.com/blogs/iam/archive/tags/SharePoint/default.aspx" term="SharePoint" /><feedburner:origlink>http://community.ca.com/blogs/iam/archive/2009/11/04/sharepoint-174-conference-2009-growth-drives-demand-for-management-and-security.aspx</feedburner:origlink>
    <author>
      <name>David Gormley</name>
    </author>
    <source>
      <id>http://community.ca.com/blogs/iam/default.aspx</id>
      <logo>http://www.ca.com/images/icons/logo.gif</logo>
      <link href="http://community.ca.com/blogs/iam/default.aspx" rel="alternate" type="text/html" />
      <link href="http://feeds.ca.com/CS_CAIAMBlog" rel="self" type="application/rss+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <subtitle>Insight and opinion on the world of security management. This is the place for commentary on industry issues, articles and reports on topics such as managing identities and their lifecycles; securing access to data and resources; securing Web business applications and services; and managing security logs and information.</subtitle>
      <title>CA on Security Management</title>
      <updated>2009-11-10T01:02:21Z</updated>
    </source>
  <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;The Microsoft® SharePoint 2009 Conference took place recently at the Mandalay Bay in Las Vegas and it was sold out, with over 6,000 attendees.  It seems like many are surprised at how quickly SharePoint use has grown over the past couple of years. This rapid growth has created a situation where many enterprise IT groups are now scrambling to improve the management and security of their...&lt;/div&gt;</content><feedburner:origLink>http://feeds.ca.com/~r/CS_CAIAMBlog/~3/f9er4TBbWFc/sharepoint-174-conference-2009-growth-drives-demand-for-management-and-security.aspx</feedburner:origLink></entry>

  <entry>
    <id>http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&amp;newsId;=20091104005906&amp;newsLang;=en</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/24arBpjrmUQ/" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Aveksa to Showcase Access Governance Solutions at Gartner</title>
    
    <updated>2009-11-04T16:24:54Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">Today’s identity and access management is not just essential to workplace efficiency - it’s also key to cutting IT enterprise costs and delivering value beyond security and compliance services. This year’s Gartner Identity &amp; Access Management Summit will show organizations how to: quantify the IAM contribution, leverage existing resources for new benefits, optimize costs, contribute more to the organization overall and establish the right priorities and next steps.</content><feedburner:origLink>http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&amp;newsId;=20091104005906&amp;newsLang;=en</feedburner:origLink></entry>

  <entry>
    <id>http://www.eurekalert.org/pub_releases/2009-11/nios-ntp110309.php</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/Kve6A2BNRB0/nios-ntp110309.php" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: NIST test proves 'the eyes have it' for ID verification</title>
    
    <updated>2009-11-04T16:23:03Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">After fingerprints, iris recognition has emerged in recent years as the second most widely supported biometric characteristic. This marketplace rests, in large part, on the ability of recognition algorithms to process standard images from the many cameras now available. This requires images to be captured in a standard format and prepared so that they are compact enough for a smart card and for transmission across global networks. The images also have to be identifiable by computer algorithms and interoperable with any iris-matcher product regardless of the manufacturer.</content><feedburner:origLink>http://www.eurekalert.org/pub_releases/2009-11/nios-ntp110309.php</feedburner:origLink></entry>

  <entry>
    <id>http://www.reuters.com/article/pressRelease/idUS147175+04-Nov-2009+PRN20091104</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/SS61ETc7RBE/idUS147175+04-Nov-2009+PRN20091104" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: New RSA(R) Security Brief Outlines Best Practices for Protecting Enterprise Data and User Identities in the Cloud</title>
    
    <updated>2009-11-04T16:20:30Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">In the new Brief, the authors
collectively contend that cloud security has vast potential to surpass the
levels of information security that are possible today.  In the cloud,
security protocols can be built into the virtualization layer, not just
imposed at the application level where they are typically enforced.</content><feedburner:origLink>http://www.reuters.com/article/pressRelease/idUS147175+04-Nov-2009+PRN20091104</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.kuppingercole.com/rohr/2009/11/04/commenting-print-welt-kompakt-4-11-2009/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/2rG1ypNnElM/" rel="alternate" type="text/html" />
    <title>Kuppinger Cole: Commenting Print: Welt Kompakt 4.11.2009</title>
    
    <updated>2009-11-04T14:50:17Z</updated>
    <source>
      <id>http://blogs.kuppingercole.com</id>
      <author>
        <name>Kuppinger Cole</name>
      </author>
      <link href="http://blogs.kuppingercole.com" rel="alternate" type="text/html" />
      <link href="http://feeds.feedburner.com/kuppingercole-blogs" rel="self" type="application/rss+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <subtitle>Blogs - Kuppinger Cole + Partner</subtitle>
      <title>Kuppinger Cole Blogs</title>
      <updated>2009-11-08T18:02:50Z</updated>
    </source>
  <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;In &lt;a href="http://blogs.kuppingercole.com/rohr"&gt;Sebastian Rohr&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;p&gt;I guess it became unpopular to read printed news in some societies but I really enjoy reading WELT KOMPAKT, a smaller printed form factor of the well-known daily WELT. Today, the more or less entertaining “Internet” section had a lead article called “Safe in the Web 2.0” or “Sicher im Web 2.0” by author Peter Zschunke. Eager to learn more about how “the general public” is informed about the dangers that lurk in the web, I read the mid-size article, featuring a James Bond-like shot of what seems to be a Security Ops Center. My interest turned into surprise, ending in a sort of rage when I finished the article.&lt;br&gt;&#xD;
It takes quite some time and effort to make me angry, but I instantly – for the first time in my life – wrote a letter to the author and the editors, and it went like this:&lt;br&gt;&#xD;
Dear Sir or Madam, dear Mr. Zschunke!&lt;/p&gt;&#xD;
&lt;p&gt;I read what Welt Kompakt printed as an editorial piece in its Internet section at first with interest, and later with growing astonishment. To me, this very one-sided reporting, which unfortunately shows little journalistic quality, sounds more like an advertorial than like good research and comprehensive information. Granted, the format and length mean that only a fraction of the issues around data security and data protection in Web 2.0 can be covered here – but then to seriously tell the reader that the company RSA has “the solution in the cupboard” and could more or less “magic away” these problems if only the social networkers would finally get out of their armchairs? I consider that not only incorrect, I consider it dangerous! All the more so since “RSA” really is not the product but the company name, and you are, I assume, actually talking about a combination of the enVision product line with other tools. At the very least, mentioning a few comparable technologies or vendors such as Novell, ArcSight, CA etc. would have served neutrality well…  RSA's products and solutions are certainly well regarded and effective – in the analysis of (mis)behaviour as well as in access protection and encryption. But, to paraphrase Bruce Schneier:&lt;br&gt;&#xD;
“Anyone who thinks that technology can solve their problems has understood neither the technology nor the problems.”&lt;/p&gt;&#xD;
&lt;p&gt;The problem with the very one-sided reporting remains – what is needed is rather to work on the concept of social networks, their data collection and data management, and to educate users better. In my opinion, your article tends to stand in the way of educating users, because it calls for technology for no good reason, although one's own common sense would be a much better means of protection against abuse. This article leaves me with a very stale aftertaste.&lt;/p&gt;&#xD;
&lt;p&gt;There is nothing wrong with a good advertorial or product related story, but this was so blatantly single-sided, I just could not resist! I would love to discuss this with all of you – feel free to comment, mail or call me!&lt;/p&gt;&lt;/div&gt;</content><feedburner:origLink>http://blogs.kuppingercole.com/rohr/2009/11/04/commenting-print-welt-kompakt-4-11-2009/</feedburner:origLink></entry>

  <entry>
    <id>tag:blogger.com,1999:blog-4450154254120336229.post-3386337697676182041</id>
    <link href="http://futureidentity.blogspot.com/feeds/3386337697676182041/comments/default" rel="replies" type="application/atom+xml" />
    <link href="http://futureidentity.blogspot.com/2009/11/what-home-secretary-didnt-say.html#comment-form" rel="replies" type="text/html" />
    <link href="http://www.blogger.com/feeds/4450154254120336229/posts/default/3386337697676182041" rel="edit" type="application/atom+xml" />
    <link href="http://www.blogger.com/feeds/4450154254120336229/posts/default/3386337697676182041" rel="self" type="application/atom+xml" />
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/NdzTYHYBYig/what-home-secretary-didnt-say.html" rel="alternate" type="text/html" />
    <title>Robin Wilton - Future Identity: What the Home Secretary didn't say</title>
    <content type="html">All of us, from time to time, have something which we want to avoid saying: "I'm sorry", "I was wrong", "Let's do it your way..." and so on.&lt;br&gt;&lt;br&gt;There are some tried and tested tactics for these situations. For instance:&lt;br&gt;&lt;br&gt;1 - Change the subject - "Oh look, there's a gecko in my cereal!";&lt;br&gt;&lt;br&gt;2 - Completely ignore the subject:&lt;br&gt;&lt;br&gt;Bored offspring: "Mum... mum... I need £10, Michael and I are going to the park to drink cider"&lt;br&gt;Parent (from behind newspaper): "Mmm? That's nice, dear"... (no tenner is forthcoming, naturally).&lt;br&gt;&lt;br&gt;3 - Boldly assert exactly the opposite of what we don't want to say: "That new tie of yours is superbly tasteful".&lt;br&gt;&lt;br&gt;Politicians, of course, are no different. If anything, they have to be all the more careful about what they do say, because of the enormous scrutiny applied to their every utterance. They have the same techniques at their disposal, and I have the impression of having been given an object lesson in their use by Alan Johnson, the current Home Secretary, at &lt;a href="http://www.thersa.org/events/audio-and-past-events/2009/security-in-the-21st-century-global,-national,-local."&gt;Monday's RSA event&lt;/a&gt;.&lt;br&gt;&lt;br&gt;He was speaking on the topic of "Security in the 21st Century - Global, National, Local" (which, now that I type it, I realise looks a lot like the marketing strapline for a recovering bank...).&lt;br&gt;&lt;br&gt;Over the course of about 20 minutes, Mr Johnson discoursed - fluently, it has to be said - on immigration policy (about 10 minutes), and then about 2 minutes each on counter-terrorism, how rubbish Tory policy is (tactic No.1, while we're here), RIPA and proportionality, Control Orders and proportionality, and the Human Rights Act.&lt;br&gt;&lt;br&gt;You may have seen my brief reactions/quotations on &lt;a href="http://twitter.com/futureidentity"&gt;Twitter&lt;/a&gt; - but 
the 140-character format doesn't really lend itself to a more reasoned critique.&lt;br&gt;&lt;br&gt;So here's the big problem I had with the Home Secretary's performance yesterday, competent exercise though it was: in essence, much of his argument was that, although the privacy rights of the individual need to be balanced against the powers of the State, there is, as he put it "no grand contest" between the two. His argument was that provisions such as the Human Rights Act do a good job of that. He also cited RIPA (the Regulation of Investigatory Powers Act) as a positive step - casting it as an Act which curbs the authorities' ability to abuse existing powers of interception. A creative interpretation, and not one I have heard before - even from the law enforcement representatives I heard arguing for the new IMP (Intercept Management Programme) at the &lt;a href="http://privacyappg.org.uk/Meetings.html"&gt;All-Party Parliamentary Group on Privacy&lt;/a&gt; back in July (Tactic No.3 in operation, one suspects).&lt;br&gt;&lt;br&gt;In glossing over the government's policies on biometrics and ID Cards (he mentioned them only by reference to foreign nationals, not UK citizens), and in avoiding any mention of the National Identity Register, the National DNA Database, ContactPoint or any of the other aggregations of personal data this government has established, the Home Secretary simply avoided any possible discussion of the real practical issue underlying his claims of balance and proportionality (A positively textbook deployment of Tactic No.2).&lt;br&gt;&lt;br&gt;All the policy objectives he mentioned - better management of migration and immigration; counter-terrorism; 'protection of our way of life' against local, national and global threats - all these are predicated, more or less explicitly, on the aggregation, connection and sharing of data about individuals and citizens. 
For Mr Johnson, the counter-balance to that is the idea that 'our way of life' might be founded on principles of respect for the individual and the individual's rights to privacy, self-determination and so on, as set out in the Human Rights Act. All well and good - but in the digitally-mediated world which Mr Johnson depicted, those rights depend precisely on the opposite of what he's using to achieve his first set of objectives.&lt;br&gt;&lt;br&gt;In the digitally-mediated world, privacy and self-determination depend on the individual's ability to exercise consent and control over the disclosure, aggregation and sharing of their personal data. Most online services, as they currently stand, do a pretty poor job of that, even in the limited use-case of delivering whatever service it is they provide. For example, as someone shrewdly pointed out recently, most so-called "Privacy Policy Statements" are actually nothing of the sort: they are in fact invitations for the consumer to waive their privacy rights.&lt;br&gt;&lt;br&gt;When you then try to combine the goals of privacy-respecting service provision (control, consent) with parallel goals of law enforcement, the two sets of objectives clash directly. One requires you to segregate and compartmentalise data, granting access only as specified by the data subject; the other requires you to aggregate and share data, whether or not the data subject knows or consents.&lt;br&gt;&lt;br&gt;Simultaneously meeting those conflicting objectives requires information management disciplines for which UK public sector organisations are, regrettably, anything but a showcase. I don't mean that as a criticism of them, by the way: those information management disciplines are rare indeed, and no organisation I can think of has mastered them all. 
In many cases, the technology to underpin them just isn't in the market.&lt;br&gt;&lt;br&gt;The Home Secretary does no-one a service by either behaving as if that problem doesn't exist, or - possibly worse - ploughing ahead in the delusion that our public sector bodies have already cracked it.</content>
    <updated>2009-11-04T11:47:35Z</updated>
    <published>2009-11-04T11:35:00Z</published>
    <author>
      <name>Robin Wilton</name>
      <email>noreply@blogger.com</email>
      <uri>http://www.blogger.com/profile/04346208043850215328</uri>
    </author>
    <source>
      <id>tag:blogger.com,1999:blog-4450154254120336229</id>
      <author>
        <name>Robin Wilton</name>
        <email>noreply@blogger.com</email>
        <uri>http://www.blogger.com/profile/04346208043850215328</uri>
      </author>
      <link href="http://futureidentity.blogspot.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" />
      <link href="http://www.blogger.com/feeds/4450154254120336229/posts/default" rel="self" type="application/atom+xml" />
      <link href="http://futureidentity.blogspot.com/" rel="alternate" type="text/html" />
      <link href="http://pubsubhubbub.appspot.com/" rel="hub" type="text/html" />
      <link href="http://www.blogger.com/feeds/4450154254120336229/posts/default?start-index=26&amp;max-results=25" rel="next" type="application/atom+xml" />
      <subtitle>Thoughts on digital identity, privacy, public policy and their influence on our daily lives.</subtitle>
      <title>Racingsnake - the blog of Future Identity</title>
      <updated>2009-11-04T19:04:04Z</updated>
    </source>
  <feedburner:origLink>http://futureidentity.blogspot.com/2009/11/what-home-secretary-didnt-say.html</feedburner:origLink></entry>

  <entry>
    <id>tag:blogger.com,1999:blog-4450154254120336229.post-761227242777962464</id>
    <link href="http://futureidentity.blogspot.com/feeds/761227242777962464/comments/default" rel="replies" type="application/atom+xml" />
    <link href="http://futureidentity.blogspot.com/2009/11/shameless-vote-mongering-moi.html#comment-form" rel="replies" type="text/html" />
    <link href="http://www.blogger.com/feeds/4450154254120336229/posts/default/761227242777962464" rel="edit" type="application/atom+xml" />
    <link href="http://www.blogger.com/feeds/4450154254120336229/posts/default/761227242777962464" rel="self" type="application/atom+xml" />
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/A6kz1IQcG84/shameless-vote-mongering-moi.html" rel="alternate" type="text/html" />
    <title>Robin Wilton - Future Identity: Shameless vote-mongering... moi?</title>
    <content type="html">Woo hoo! Have made it onto the shortlists for the Computer Weekly blogging awards again this year - presumably karmic compensation for going to the dentist this morning :^#&lt;br&gt;&lt;br&gt;Putting me up against the likes of Redmonk (James Governor) is probably a bit like shoving Nick Griffin into the ring with Mike Tyson: entertaining, sure; desirable, quite possibly - but only ever going to end one way. That said, honour is honour... so I have no hesitation whatsoever in grovelling and pleading for your vote. Here's the &lt;a href="http://www.computerweekly.com/Articles/2009/11/03/238190/vote-in-the-computer-weekly-it-blog-awards-2009.htm"&gt;page in question&lt;/a&gt;.&lt;br&gt;&lt;br&gt;Thank you - and may the winner pay for the loser's orthodontic work.</content>
    <updated>2009-11-04T11:33:33Z</updated>
    <published>2009-11-04T11:26:00Z</published>
    <author>
      <name>Robin Wilton</name>
      <email>noreply@blogger.com</email>
      <uri>http://www.blogger.com/profile/04346208043850215328</uri>
    </author>
    <source>
      <id>tag:blogger.com,1999:blog-4450154254120336229</id>
      <author>
        <name>Robin Wilton</name>
        <email>noreply@blogger.com</email>
        <uri>http://www.blogger.com/profile/04346208043850215328</uri>
      </author>
      <link href="http://futureidentity.blogspot.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" />
      <link href="http://www.blogger.com/feeds/4450154254120336229/posts/default" rel="self" type="application/atom+xml" />
      <link href="http://futureidentity.blogspot.com/" rel="alternate" type="text/html" />
      <link href="http://pubsubhubbub.appspot.com/" rel="hub" type="text/html" />
      <link href="http://www.blogger.com/feeds/4450154254120336229/posts/default?start-index=26&amp;max-results=25" rel="next" type="application/atom+xml" />
      <subtitle>Thoughts on digital identity, privacy, public policy and their influence on our daily lives.</subtitle>
      <title>Racingsnake - the blog of Future Identity</title>
      <updated>2009-11-04T19:04:04Z</updated>
    </source>
  <feedburner:origLink>http://futureidentity.blogspot.com/2009/11/shameless-vote-mongering-moi.html</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://www.incontextblog.com/?p=456</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/Jp32MNBpQ0E/" rel="alternate" type="text/html" />
    <title>Paul Trevithick: OpenID Summit &amp; IIW IX Presentations</title>
    <summary type="html">Kantara ULX WG – a quick intro to what we’re trying to do
Relationship cards – newbie intro</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;ul&gt;&#xD;
&lt;li&gt;&lt;a href="http://www.incontextblog.com/wp-content/uploads/2009/11/ULX-at-OpenID-Summit-Nov-2-2009.pdf"&gt;Kantara ULX WG&lt;/a&gt; – a quick intro to what we’re trying to do&lt;/li&gt;&#xD;
&lt;li&gt;&lt;a href="http://www.incontextblog.com/wp-content/uploads/2009/11/Relationship-Cards-IIW-Nov-3-2009.pdf"&gt;Relationship cards&lt;/a&gt; – newbie intro&lt;/li&gt;&#xD;
&lt;/ul&gt;&lt;/div&gt;</content>
    <updated>2009-11-04T07:19:45Z</updated>
    <category term="Digital Identity" />
    <category term="Higgins" />
    <category term="Information Cards" />
    <category term="Selectors" />
    <category term="User Experience" />
    <author>
      <name>paul</name>
    </author>
    <source>
      <id>http://www.incontextblog.com</id>
      <link href="http://www.incontextblog.com/?feed=rss2" rel="self" type="application/atom+xml" />
      <link href="http://www.incontextblog.com" rel="alternate" type="text/html" />
      <title>In Context</title>
      <updated>2009-11-09T23:02:54Z</updated>
    </source>
  <feedburner:origLink>http://www.incontextblog.com/?p=456</feedburner:origLink></entry>

  <entry>
    <id>http://www.dirmgr.com/blog/2009/11/3/austin-film-festival-2009-part-2.html</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/vINdg_3tzKY/austin-film-festival-2009-part-2.html" rel="alternate" type="text/html" />
    <title>Neil Wilson - UnboundID: Austin Film Festival 2009 part 2</title>
    <content type="html" xml:lang="en-US">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;h3&gt;Day 4 -- Sunday, October 25&lt;/h3&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;Strigoi&lt;/b&gt; -- This is a very authentic Romanian vampire movie, by which I mean it is true to the Romanian vampire legends and not the more popular version that we typically see portrayed in movies.  The Romanian vampires don't vaporize in the sunlight, and although they may not like eating garlic or going into churches, doing so won't do any significant damage.  The writer/director has spent a lot of time in Romania, and her husband (who I think was a producer) is Romanian.  The movie is in English rather than Romanian with English subtitles or dubbing.&#xD;
&lt;br&gt;&#xD;
     &#xD;
Overall, I liked the movie.  It did feel a bit slow at times, but it was interesting to see how vampires are portrayed in their original culture.  7/10.&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;Shorts&lt;/b&gt; -- This is a series of short films (10-20 minutes each) shown back-to-back.  They were:&#xD;
&lt;/p&gt;&#xD;
&lt;ul&gt;&#xD;
  &lt;li&gt;Sugar Rush -- A Gremlins-type tale about a little girl who turns into an absolute monster when she is given sugar, and a babysitter and her boyfriend who ignore the advice of her parents.  It was pretty fun, if not a bit cliche.  6/10.&lt;/li&gt;&#xD;
  &lt;li&gt;A Little Mouth to Feed -- A religious woman who has repeatedly failed to have a baby prays to the devil instead and gets a demon child.  6/10.&lt;/li&gt;&#xD;
  &lt;li&gt;Unawakening -- A story about a man who has a recurring nightmare of killing someone and burying the body, triggered by a past event that he has repressed.  6/10&lt;/li&gt;&#xD;
  &lt;li&gt;Lambs -- A couple of guys stage a broken-down car so they can rob whoever comes to their aid, only to find the tables turned when a 50's style Ward Cleaver type turns hardcore.  8/10.&lt;/li&gt;&#xD;
  &lt;li&gt;Survivors -- A man and woman hole up in a bar to try to stave off a zombie attack.  7/10.&lt;/li&gt;&#xD;
  &lt;li&gt;Slasher -- A story about a rather outcast kid who stabs a fellow classmate in an altercation at a party.  No obvious point, and very boring.  2/10.&lt;/li&gt;&#xD;
&lt;/ul&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;Hunger&lt;/b&gt; -- Five loners with varied pasts find themselves abducted and held hostage together in an underground bunker.  They are given plenty of water, a crude toilet, a knife, and a clock to tick off the number of days they've been held.  They aren't given any food, but it becomes clear that their captor expects them to eventually turn against each other.&#xD;
&lt;br&gt;&#xD;
     &#xD;
This was an excellent psychological thriller that wasn't really scary or particularly intense but was a well-told story and well-acted movie.  My only real complaint is that the characters' appearances didn't seem to reflect the duration accurately (e.g., guys weren't really amassing a lot of facial hair, and a girl's white shirt was still a pretty brilliant white after a couple of weeks).  The director did mention that they had someone looking at continuity, and scenes were shot in sequential order and within a time frame that was about the same as that portrayed in the movie, so it's something that probably should have been handled a little better.  Nevertheless, it was still a great movie so I'm willing to overlook the continuity.  8/10.&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;ZMD:  Zombies of Mass Destruction&lt;/b&gt; -- A small island town off the coast of Washington finds itself in the midst of a zombie infestation.  Like every other zombie comedy, a small group of people try to survive, while family, friends, and neighbors are overcome.&#xD;
&lt;br&gt;&#xD;
     &#xD;
There have been a lot of zomcom movies in the last few years, and this one isn't a serious contender against the top tier movies like Shaun of the Dead or Zombieland, but it can hold its own against most others.  It was quite funny and had plenty of gore, so it was never slow or boring.  The director said that they had recently gotten a distribution deal, so it may be making it to theaters early next year, and I think that it's worth seeing if you like this type of film.  7/10.&#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;h3&gt;Day 5 -- Monday, October 26&lt;/h3&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;Little Fish, Strange Pond&lt;/b&gt; -- Callum Blue plays a murderer named Sweet Stephen who's a bit off his rocker.  He's accompanied by a man known only as "Mr. Jack" (Matthew Modine), who is kind of like a human embodiment of the voice in Stephen's head encouraging him and antagonizing others (more like Tim Roth/Amanda Plummer in Pulp Fiction than Edward Norton/Brad Pitt in Fight Club).  It's a very fun dark comedy that also features Zach Galifianakis, Adam Baldwin, and Don McManus.  I give it an 8/10.&#xD;
&lt;br&gt;&#xD;
     &#xD;
I really loved Callum Blue's performance in this, and it evoked a lot of fond memories of his role in Dead Like Me.  A small grim reaper doll was prominently featured in one scene, and you could consider him playing a kind of reaper role to Matthew Modine's graveling.  He also had a great "don't talk during the movie" scene that would be perfect for the Alamo Drafthouse to run before the trailers.&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;Happy Ending&lt;/b&gt; -- This is a Japanese movie (with Engrish subtitles) about a not-very-girly lead character who is very into movies and is beginning to see her life as a movie, much like Jamie Kennedy's character in Scream.  She's generally more into horror movies than romantic comedies, but that starts to change when she happens across a guy who she wants to notice her.  She enlists the help of her friends (including one who secretly likes her, a la Duckie in Pretty in Pink).&#xD;
&lt;br&gt;&#xD;
     &#xD;
I generally liked this movie, although it wasn't very original.  It also seemed to develop a bit slowly toward the end.  Nevertheless, I liked the humor and the self-referential nature.  7/10.&#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;h3&gt;Day 6 -- Tuesday, October 27&lt;/h3&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;Myna Se Va&lt;/b&gt; -- This is a movie about a woman living as an illegal alien in Spain, where she was a nanny for a young boy.  His parents went out of town on a ski trip, and she was left to care for him.  When he got injured, she had to find help for him while avoiding being found out and deported.&#xD;
&lt;br&gt;&#xD;
     &#xD;
The premise for this movie sounded interesting, but its execution fell flat.  This was without question the worst movie I have ever seen.  The subtitle translation was horrible.  The camerawork was horrible, and there were minutes at a time with absolutely nothing happening on the screen (no people or objects of interest visible, and not particularly focused on anything, with only occasional sounds).  The pacing was unbearably slow.  It had more false endings than Return of the King.  It had completely unnecessary flashbacks that didn't provide any useful information.  And there was a 30-minute sequence in the middle of the movie that was so painful to watch that I can't even bring myself to describe it.  I would say that at least half the audience walked out, and I would have if there hadn't been two other movies following it in the same theater that I wanted to see.  I can't see any value whatsoever in this movie, and I give it a rating of zero out of ten.&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;Earthwork&lt;/b&gt; -- This is a documentary that tells the true story of a man who creates incredible artwork through landscaping.  From the ground, they don't look like much, but from the air they turn into very intricate scenes depicting all kinds of things, like people and nature.  He had been doing this all his life and had become a bit of a minor celebrity in his hometown of Lawrence, Kansas but he wanted a bigger audience, and jumped when he heard about an opportunity to create his artwork on land owned by Donald Trump shortly before it was to be used to erect skyscrapers.  He undercut all of the other competitors by basically offering to do the work for free, and paying all of the expenses himself (effectively putting himself deep into debt by taking out a loan to cover the costs), and he enlisted several homeless men to help him out.  He of course encountered a number of difficulties in the process, and it doesn't necessarily turn out as you might expect, but it's definitely worth a watch.  9/10.&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;The Vicious Kind&lt;/b&gt; -- Alex Frost plays a college student who brings his girlfriend (Brittany Snow) home for Thanksgiving.  His father (J. K. Simmons) and brother (Adam Scott) aren't on speaking terms, nor can they even stand to be in the same place at the same time.  They haven't spoken in several years, since the mother's death.  Things got even more tense when the brother's treatment of the girlfriend alternated between hostile and obsessive.&#xD;
&lt;br&gt;&#xD;
     &#xD;
This was a very good movie, although at just over 90 minutes I felt that it could have been longer and a couple of story lines weren't pursued as well as they could have been.  The line producer (who was in attendance) mentioned that a lot had been cut out in editing to prevent it from dragging on too much, but I think that perhaps too much had been cut.  8/10.&#xD;
&lt;/p&gt;&#xD;
&#xD;
&lt;h3&gt;Day 7 -- Wednesday, October 28&lt;/h3&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;Tenure&lt;/b&gt; -- Luke Wilson plays a literature professor named Charlie who is up for tenure at a small college, after two previous unsuccessful attempts at other schools.  He loves teaching, and the students love him, but he's under pressure to focus more on other academic pursuits like getting published.  Things get a little more anxious when another professor (played by Gretchen Mol) enters the picture and joins the tenure race.  Even though she gets off to a rocky start as a teacher, she has more impressive credentials and has been published in a prestigious journal.&#xD;
&lt;br&gt;&#xD;
     &#xD;
This movie had two different personalities.  I think that the primary story was well executed and generally enjoyable.  However, it was awkwardly intertwined with some attempts at comedy which fell a bit short.  The quest by a fellow professor (David Koechner) to find Bigfoot, a student's attempts at erotic comedy, and a fake double date (with Rosemarie DeWitt) felt out of place and in some cases were almost painful to watch.  6/10.&#xD;
&lt;/p&gt;&#xD;
&lt;p&gt;&#xD;
&lt;b&gt;American Cowslip&lt;/b&gt; -- This is a very odd movie about a heroin addict named Ethan Inglebrink (played by Ronnie Gene Blevins) who hasn't left his house in years but is being evicted by his landlord/next-door neighbor (Rip Torn) because he's unable to pay the rent.  About the only thing that he does well is tend to his garden, and he is the primary obstacle in the way of his landlord's victory in a home landscaping competition.&#xD;
&lt;br&gt;&#xD;
     &#xD;
Despite his addiction and agoraphobia, and in spite of his constant neediness and lack of personal responsibility, Ethan is very well-liked by most of his neighbors (a pretty noteworthy cast, including Diane Ladd, Cloris Leachman, Priscilla Barnes, and Hanna Hall), although his well-meaning but somewhat misguided brother (Val Kilmer) appears to be the only one trying to get him to really improve himself.  The film has a pretty crazy climax, but I think that it took too long to get there and I just couldn't connect with the characters and get into the movie like I wanted to.  5/10.&#xD;
&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-04T04:32:18Z</updated>
    <published>2009-11-04T04:32:18Z</published>
    <category term="Movies/TV" />
    <author>
      <name>Neil A. Wilson (dirmgr)</name>
    </author>
    <source>
      <id>http://www.dirmgr.com/blog/</id>
      <link href="http://www.dirmgr.com/blog/" rel="alternate" type="application/xhtml+xml" />
      <link href="http://www.dirmgr.com/blog/atom.xml" rel="self" type="application/atom+xml" />
      <subtitle>Blog</subtitle>
      <title>cn=Directory Manager Blog</title>
      <updated>2009-11-04T04:32:45Z</updated>
    </source>
  <feedburner:origLink>http://www.dirmgr.com/blog/2009/11/3/austin-film-festival-2009-part-2.html</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.gartner.com/earl-perkins/2009/11/03/oracles-acquisition-of-sun-and-the-impact-on-identity-management/</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/WXpx3dR9z_Y/" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Oracle’s Acquisition of Sun and the Impact on Identity Management</title>
    
    <updated>2009-11-04T02:00:21Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">First, it’s important to put the IAM part of the discussion in context with the major decision Oracle made to acquire Sun. In the great tradition of my favorite philosopher Dirty Harry, “a man’s got to know his limitations”. In this context, it means that the role of IAM in the Oracle decision to buy Sun was practically non-existent.</content><feedburner:origLink>http://blogs.gartner.com/earl-perkins/2009/11/03/oracles-acquisition-of-sun-and-the-impact-on-identity-management/</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/suncpo/entry/rest_in_peace_don_bowen</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/_UvzEE4dVJE/rest_in_peace_don_bowen" rel="alternate" type="text/html" />
    <title>Michelle Dennedy - Sun: Rest in Peace Don Bowen</title>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;My friend Don Bowen, great champion of ID management and all around creative innovator, has seen his battle with cancer come to a close.  He died on Halloween.  I can't say that he 'lost' his battle because he was strong, faithful and funny down to the last &amp;amp;, since we all have to go at some point, I'll call his a victory.  I wish we could keep him here with us for many more decades.&lt;/p&gt;&#xD;
&#xD;
&#xD;
&lt;p&gt;Here is a link to our podcast, Pimp My Privacy:  http://wcdata.sun.com/webcast/download/podcast/IDM/pod10.mp3 from back in 2007.&lt;/p&gt;&#xD;
&#xD;
&#xD;
&lt;p&gt;Wherever you are Don, I am a faithful fan.  Rest in peace my friend.&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-04T01:00:47Z</updated>
    <published>2009-11-04T01:00:47Z</published>
    <category label="General" term="/General" />
    <author>
      <name>suncpo</name>
    </author>
    <source>
      <id>http://blogs.sun.com/suncpo/feed/entries/atom</id>
      <link href="http://blogs.sun.com/suncpo/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/suncpo/" rel="alternate" type="text/html" />
      <subtitle>Michelle Dennedy's Weblog</subtitle>
      <title>Michelle Dennedy's Weblog</title>
      <updated>2009-11-04T01:00:47Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/suncpo/entry/rest_in_peace_don_bowen</feedburner:origLink></entry>

  <entry>
    <id>http://blogs.sun.com/raskin/entry/gartner_iam_sun_s_tuesday</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/RFfpo0qBVaA/gartner_iam_sun_s_tuesday" rel="alternate" type="text/html" />
    <title>Daniel Raskin - Sun: Gartner IAM: Sun's Tuesday Night Extravaganza</title>
    <content type="html">&lt;p&gt;&lt;img src="http://blogs.sun.com/raskin/resource/IAM_Party_SD1.png" width="600"&gt;&lt;/img&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=RFfpo0qBVaA:Qvi4Y1W564c:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=RFfpo0qBVaA:Qvi4Y1W564c:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PlanetIdentity?a=RFfpo0qBVaA:Qvi4Y1W564c:I2FUP0JpNAM"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PlanetIdentity?i=RFfpo0qBVaA:Qvi4Y1W564c:I2FUP0JpNAM" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PlanetIdentity/~4/RFfpo0qBVaA" height="1" width="1"/&gt;</content>
    <updated>2009-11-03T22:30:16Z</updated>
    <published>2009-11-03T22:30:16Z</published>
    <category label="Sun" term="/Sun" />
    <category scheme="http://roller.apache.org/ns/tags/" term="access" />
    <category scheme="http://roller.apache.org/ns/tags/" term="directory" />
    <category scheme="http://roller.apache.org/ns/tags/" term="gartner" />
    <category scheme="http://roller.apache.org/ns/tags/" term="identity" />
    <category scheme="http://roller.apache.org/ns/tags/" term="management" />
    <category scheme="http://roller.apache.org/ns/tags/" term="oracle" />
    <category scheme="http://roller.apache.org/ns/tags/" term="role" />
    <category scheme="http://roller.apache.org/ns/tags/" term="sun" />
    <author>
      <name>dr156914</name>
    </author>
    <source>
      <id>http://blogs.sun.com/raskin/feed/entries/atom</id>
      <link href="http://blogs.sun.com/raskin/feed/entries/atom" rel="self" type="application/atom+xml" />
      <link href="http://blogs.sun.com/raskin/" rel="alternate" type="text/html" />
      <subtitle>The Trials and Tribulations of Daniel P. Raskin, Sun Identity Marketing Extraordinaire</subtitle>
      <title>The Smoking Monkey</title>
      <updated>2009-11-07T02:42:36Z</updated>
    </source>
  <feedburner:origLink>http://blogs.sun.com/raskin/entry/gartner_iam_sun_s_tuesday</feedburner:origLink></entry>

  <entry>
    <id>tag:blogger.com,1999:blog-11222552.post-7798642504528614059</id>
    <link href="http://jacksonshaw.blogspot.com/feeds/7798642504528614059/comments/default" rel="replies" type="application/atom+xml" />
    <link href="https://www.blogger.com/comment.g?blogID=11222552&amp;postID=7798642504528614059&amp;isPopup=true" rel="replies" type="text/html" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/7798642504528614059" rel="edit" type="application/atom+xml" />
    <link href="http://www.blogger.com/feeds/11222552/posts/default/7798642504528614059" rel="self" type="application/atom+xml" />
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/GrkM6H_rDAE/security-smoke-detectors.html" rel="alternate" type="text/html" />
    <title>Jackson Shaw - Quest: Security = smoke detectors?</title>
    <content type="html">We're always reading about fires and deaths that could have been prevented by smoke detectors. We are also always reading about security breaches that could have been prevented by having the proper software or policies in place.&lt;br&gt;&lt;br&gt;I was reminded about this in "&lt;a href="http://www.computerworld.com/s/article/344773/Better_Security_for_Not_Quite_All?intsrc=print_latest"&gt;Better Security For Not Quite All&lt;/a&gt;" which appeared in ComputerWorld on November 2, 2009. The article isn't about a huge security breach but does discuss the difficulties and findings of just trying to enforce "screen locking" at the company in question:&lt;br&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;We found that more than 70% of our approximately 6,000 users had disabled both the password requirement and the screen saver. &lt;/span&gt;&lt;br&gt;&lt;/blockquote&gt;Clearly, these 6,000 users feel that their own convenience is more important than the company's security posture.  This is, however, not too surprising, is it? What was a bit more interesting were the results of the author's survey related to what other companies were doing:&lt;br&gt;&lt;blockquote&gt;&lt;span style="font-style: italic;"&gt;When I proposed the change in our lockout policy to the CIO, he asked me to determine what other companies in our industry are doing. I have a pretty decent network of peers in this industry, so I asked them whether they enforce a screen lock -- and if so, what the timeout value is, and if not, what their policy regarding screen locks is. I was surprised by the results: Only one of the 20 companies in my survey enforces the screen lock. That wasn't the response I had anticipated, and it certainly wasn't what I wanted to report to the CIO. In the end, though, he agreed with me that this is one area where it's worth bucking the industry norm.&lt;/span&gt;&lt;/blockquote&gt;One in twenty? That's only 5%! 
I congratulate the author and his company for their choice to turn on the screen lock. I can only imagine that so many other firms haven't bothered to turn on such a basic security feature. It's cheaper than a smoke detector: If you're running Active Directory all you have to do is use Group Policy to turn this capability on.&lt;br&gt;&lt;br&gt;Do you have a smoke detector installed? Is the battery still good? Have you tested it recently?</content>
    <updated>2009-11-03T22:14:50Z</updated>
    <published>2009-11-03T17:06:00Z</published>
    <category scheme="http://www.blogger.com/atom/ns#" term="Quest Software" />
    <category scheme="http://www.blogger.com/atom/ns#" term="QSFT" />
    <category scheme="http://www.blogger.com/atom/ns#" term="security" />
    <category scheme="http://www.blogger.com/atom/ns#" term="identity management" />
    <author>
      <name>Jackson Shaw</name>
      <email>jackson.shaw@gmail.com</email>
      <uri>http://www.blogger.com/profile/00014140177974348471</uri>
    </author>
    <source>
      <id>tag:blogger.com,1999:blog-11222552</id>
      <author>
        <name>Jackson Shaw</name>
        <email>jackson.shaw@gmail.com</email>
        <uri>http://www.blogger.com/profile/00014140177974348471</uri>
      </author>
      <link href="http://jacksonshaw.blogspot.com/feeds/posts/default" rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default" rel="self" type="application/atom+xml" />
      <link href="http://jacksonshaw.blogspot.com/" rel="alternate" type="text/html" />
      <link href="http://pubsubhubbub.appspot.com/" rel="hub" type="text/html" />
      <link href="http://www.blogger.com/feeds/11222552/posts/default?start-index=26&amp;max-results=25" rel="next" type="application/atom+xml" />
      <subtitle type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><em>Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.</em></div>
      </subtitle>
      <title>Jackson's Identity Management &amp; Active Directory Reality Tour Travelblog</title>
      <updated>2009-11-10T04:46:14Z</updated>
    </source>
  <feedburner:origLink>http://jacksonshaw.blogspot.com/2009/11/security-smoke-detectors.html</feedburner:origLink></entry>

  <entry xml:lang="en">
    <id>http://netmesh.info/jernst/?p=323</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/njScyH2LMjM/kim-cameron-openid-is-the-most-widely-adopted-system-for-reusable-internet-identity" rel="alternate" type="text/html" />
    <title>Johannes Ernst - NetMesh: Kim Cameron: OpenID is the Most Widely Adopted System for Reusable Internet Identity</title>
    <summary type="html">The list of brand-name OpenID adopters speaks for itself, with — by some counts — now more than 1 billion functional OpenIDs on the open internet, but for the internet identity movement this quote from Kim Cameron, Microsoft’s Chief Identity Architect, is rather significant:
In the last year, OpenID has without doubt become the most widely adopted [...]</summary>
    <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;The list of brand-name OpenID adopters speaks for itself, with — by some counts — now more than 1 billion functional OpenIDs on the open internet, but for the internet identity movement this &lt;a href="http://www.identityblog.com/?p=1070"&gt;quote&lt;/a&gt; from Kim Cameron, Microsoft’s Chief Identity Architect, is rather significant:&lt;/p&gt;&#xD;
&lt;blockquote&gt;&lt;p&gt;In the last year, OpenID has without doubt become the most widely adopted system for reusable internet identity.  Adoption by destination sites continues to grow dramatically: approximately 50,000 sites as of July 1, 2009.  The big Internet properties like Google, Yahoo, AOL, MySpace, and Windows Live have become (or are becoming) OpenID Providers.   As a result, the vast majority of the online US population has an account that can be used to log in at the growing number of destination sites.&lt;/p&gt;&#xD;
&lt;/blockquote&gt;&#xD;
&lt;p&gt;What a little URL could do …&lt;/p&gt;&lt;/div&gt;</content>
    <updated>2009-11-03T22:13:20Z</updated>
    <category term="Big_Picture" />
    <category term="Comments" />
    <category term="Digital_Identity" />
    <category term="openid" />
    <author>
      <name>Johannes Ernst</name>
    </author>
    <source>
      <id>http://netmesh.info/jernst</id>
      <link href="http://netmesh.info/jernst/feed" rel="self" type="application/atom+xml" />
      <link href="http://netmesh.info/jernst" rel="alternate" type="text/html" />
      <subtitle>Digital Identity, OpenID, LID, InfoGrid, NetMesh, NoSQL</subtitle>
      <title>Johannes Ernst's Blog</title>
      <updated>2009-11-06T17:00:29Z</updated>
    </source>
  <feedburner:origLink>http://netmesh.info/jernst/big_picture/kim-cameron-openid-is-the-most-widely-adopted-system-for-reusable-internet-identity</feedburner:origLink></entry>

  <entry>
    <id>http://www.appscout.com/2009/11/googles_hybrid_onboarding_aims.php</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/PdjjnSRjfLg/googles_hybrid_onboarding_aims.php" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Google's 'Hybrid Onboarding' Aims to Cut Down on Passwords</title>
    
    <updated>2009-11-03T21:34:16Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">At this point, if you get a Gmail message inviting you to Facebook, that link will take you to the social networking site and require you to set up an account. Google, however, has developed a process by which users who click on that link will be given the option to set up a Facebook account using their Google account information in two steps.</content><feedburner:origLink>http://www.appscout.com/2009/11/googles_hybrid_onboarding_aims.php</feedburner:origLink></entry>

  <entry xml:lang="en-us">
    <id>http://blog.beuchelt.org/PermaLink,guid,f24544e8-ac4f-4287-b7e9-301c83248198.aspx</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/OlWkLaiDfe8/hData+Specifications+And+A+First+Glimpse+At+The+Security+Architecture.aspx" rel="alternate" type="text/html" />
    <link href="http://creativecommons.org/licenses/by/2.5/" rel="license" />
    <title>Gerry Beuchelt - MITRE: hData specifications and a first glimpse at the security architecture</title>
    
    <updated>2009-11-03T20:03:39Z</updated>
    <category term="General" />
    <category term="Security" />
    <category term="Web Services" /><feedburner:origlink>http://blog.beuchelt.org/2009/11/03/hData+Specifications+And+A+First+Glimpse+At+The+Security+Architecture.aspx</feedburner:origlink>
    <author>
      <name>Gerald Beuchelt</name>
    </author>
    <source>
      <id>http://blog.beuchelt.org/</id>
      <logo>http://clustrmaps.com/counter/index2.php?url=http://blog.beuchelt.com</logo>
      <author>
        <name>Gerry Beuchelt - MITRE</name>
        <email>work@beuchelt.com</email>
      </author>
      <link href="http://blog.beuchelt.org/" rel="alternate" type="text/html" />
      <link href="http://feeds.feedburner.com/WebServicesContraptions" rel="self" type="application/rss+xml" />
      <link href="http://pubsubhubbub.appspot.com" rel="hub" type="text/html" />
      <rights>Gerald Beuchelt</rights>
      <title>Web Services Contraptions</title>
      <updated>2009-11-04T00:02:31Z</updated>
    </source>
  <content type="html">&lt;div xmlns="http://www.w3.org/1999/xhtml"&gt;&lt;p&gt;&#xD;
Today, we released the hData technical specifications: &lt;a href="http://www.projecthdata.org/documents/pubs/hData%20Record%20Format-v7.pdf"&gt;hData&#xD;
Record Format&lt;/a&gt; and &lt;a href="http://www.projecthdata.org/documents/pubs/hData%20Packaging%20and%20Network%20Transport%20Specification-v3.pdf"&gt;hData&#xD;
Packaging and Network Transport&lt;/a&gt;. This is the mail that went out to the mailing&#xD;
lists: &#xD;
&lt;/p&gt;&#xD;
        &lt;blockquote&gt;&#xD;
          &lt;p class="MsoNormal"&gt;&#xD;
            &lt;i&gt;Today we are releasing the first public version of the hData specification for&#xD;
the record format and the packaging and network transport (REST API). They are available&#xD;
here: &lt;/i&gt;&#xD;
          &lt;/p&gt;&#xD;
          &lt;p class="MsoNormal"&gt;&#xD;
            &lt;i&gt;&#xD;
              &lt;a href="http://www.projecthdata.org/documents.html"&gt;http://www.projecthdata.org/documents.html&lt;/a&gt;&#xD;
            &lt;/i&gt;&#xD;
          &lt;/p&gt;&#xD;
          &lt;p class="MsoNormal"&gt;&#xD;
            &lt;i&gt;We will be making some changes to the documents in the next few days to add a simple&#xD;
meta data model and streamline certain elements. Once this is complete, we are planning&#xD;
on moving the specification to a wiki and opening up the process of editing. Until this&#xD;
is done, we would like to ask you to send your comments to &lt;a href="mailto:hdata-general@googlegroups.com"&gt;hdata-general@googlegroups.com&lt;/a&gt;&lt;/i&gt;&#xD;
          &lt;/p&gt;&#xD;
          &lt;p class="MsoNormal"&gt;&#xD;
            &lt;i&gt;At this time we are also exploring how the hData specifications can be licensed&#xD;
in an open source friendly way. Possible options include an OASIS style non-assertion&#xD;
covenant – please contact us if you have suggestions. &lt;/i&gt;&#xD;
          &lt;/p&gt;&#xD;
        &lt;/blockquote&gt;&#xD;
        &lt;p&gt;&#xD;
So far, this covers the core data and exchange architecture, but we have started to&#xD;
work on a RESTful security architecture, as well. The scenario we are trying to solve&#xD;
is outlined in a &lt;a href="http://scap.nist.gov/events/2009/itsac/presentations/day2/Day2_HealthIT_Beuchelt.pdf"&gt;recent&#xD;
presentation&lt;/a&gt; at &lt;a href="http://scap.nist.gov/events/2009/itsac/presentations/index.html"&gt;NIST's&#xD;
IT Security Automation Conference&lt;/a&gt;. In support of this I have come up with a meta&#xD;
data schema, which I will put into the v0.8 version of the hData Record Format specification.&#xD;
Hopefully, I can upload that new version some time next week. &#xD;
&lt;br&gt;&lt;/p&gt;&#xD;
        &lt;p&gt;&#xD;
We are very much looking for comments and suggestions. &#xD;
&lt;/p&gt;&#xD;
        &lt;p&gt;&#xD;
tags: &lt;span id="ctl00_ContentPlaceHolder1_lblResults"&gt;&lt;a href="http://technorati.com/tag/hData" rel="tag"&gt;hData&lt;/a&gt;, &lt;a href="http://technorati.com/tag/ehr" rel="tag"&gt;ehr&lt;/a&gt;, &lt;a href="http://technorati.com/tag/health+care" rel="tag"&gt;health care&lt;/a&gt;, &lt;a href="http://technorati.com/tag/hl7" rel="tag"&gt;hl7&lt;/a&gt;, &lt;a href="http://technorati.com/tag/hitsp" rel="tag"&gt;hitsp&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&#xD;
&lt;/div&gt;</content><feedburner:origLink>http://feedproxy.google.com/~r/WebServicesContraptions/~3/kP2pnduaz9s/hData+Specifications+And+A+First+Glimpse+At+The+Security+Architecture.aspx</feedburner:origLink></entry>

  <entry>
    <id>http://www.federalnewsradio.com/index.php?nid=19&amp;sid;=1802264</id>
    <link href="http://feedproxy.google.com/~r/PlanetIdentity/~3/OjSy0UfnvTo/index.php" rel="alternate" type="text/html" />
    <title>Dave Kearns' IdM Newsletter: Whitepaper outlines identity issues for federal website users</title>
    
    <updated>2009-11-03T18:28:26Z</updated>
    <source>
      <id>http://idmjournal.com/</id>
      <author>
        <name>Dave Kearns' IdM Newsletter</name>
      </author>
      <link href="http://idmjournal.com/" rel="alternate" type="text/html" />
      <link href="http://idmjournal.com/rssfeed.php" rel="self" type="application/rss+xml" />
      <rights>Copyright 2007, the Virtual Quill</rights>
      <subtitle>A Journal of Identity Management</subtitle>
      <title>IdM</title>
      <updated>2009-11-10T11:34:18Z</updated>
    </source>
  <content type="html">The federal government is in the process of launching a series of pilot programs that will use a third party to store and authenticate the data of federal Web site users.

The Center for Democracy and Technology recently released a whitepaper outlining some possible issues -- and best practices -- for the federal government.</content><feedburner:origLink>http://www.federalnewsradio.com/index.php?nid=19&amp;sid;=1802264</feedburner:origLink></entry>
</feed>
