Some great investigative work has revealed just how widespread the practice (problem) is. And while everyone has promptly responded to the firestorm by announcing a myriad of fixes, patches and CYA statements, it still feels very reactive. Sure, we’re taking care of location and address book data, but is there a MessageGate, PhotosGate and PlaylistGate on the horizon? Surely we need to look at this holistically, which led me to ask:

Does #AddressBookGate move the onus for ensuring responsible and ethical use of APIs from consumers to providers? /cc @defrag

Ian Glazer’s inital reaction led to a more elaborate response in the form of a blog post titled “Free-ranged Ethically Treating APIs“. His conclusion is that the need for services to innovate and the desire for platforms to become ubiquitious simply cannot be balanced with the need for usability and privacy controls for users. There is too much of a conflict at the intersection of these concerns. That may well be true, but I refuse to believe that as I don’t think we’ve actually tried to address this particular problem. Yes, users can only get so many warnings and alerts from the applications/OS before it becomes meaningless and they start accepting them blindly. But that model originates from the same old construct of thinking about privacy in terms of opt-in and opt-out controls.

Surely some time devoted to creating a usability model for privacy policy enforcement can yield some smarter controls. Is anyone really going to install the Foursquare app without giving access to Location Services? And why would the Pandora app ever need access to the same? The app review process (ostensibly done to ensure security, among other things) should be able to catch this and enforce more than just a ToS or Developer Guidelines. Similarly, allowing users to create Privacy Profiles, much like the Sound Profiles (Silent, Meeting, etc) in the platform could open up some creative ways to address this.

Maybe it is a dream. I acknowledge the distinct possibility that ideas like these have been considered and discarded for good reasons. But one thing is clear – addressing this is going to require work and co-operation on each side of the equation, something that I believe can happen. It’s a copycat industry (as AddressBookGate has amply illustrated), and if a workable solution emerges that gets acclaim, others will be quick to adopt it.

Maybe what we really need to do is add the treatment of user data and APIs to the manifesto for the first ethical iPhone. A topic for Glue Conference, maybe?

[Cross posted to the Identropy Blog]

Tags: AddressBookGate, APIs, Apps, Mobile Security, Privacy

To set the table, we need to make sure we understand adaptive authentication. The concept of being adaptive is at the heart of risk-based security models, which try to align the security protocols and mechanisms being enforced on the user and the organization with the risk inherent in the activity taking place. You can check out a talk I gave last year that expands on this a great deal.

Adaptive authentication relies on being able to measure certain details about the context (is the user inside the firewall or outside, the nature of the device being used, the kind of authentication already done and, obviously, the risk inherent in the transaction) to create a risk score that then determines whether the authentication level (and thereby the level of assurance) of the user needs to be adjusted. Products like Oracle Adaptive Access Manager and (presumably) PingFederate do this by providing ways in which applications can tap into them during transactional flows (in the simplest form, during login).

The title of the article seems to pit this security model against the concept of Identity as a Service (though nowhere in the article itself does this come up). But this is by definition IDaaS, because the application is externalizing the security controls it needs to a service provided by a 3rd party provider. When done the right way, the application doesn’t specify whether it needs the user to authenticate using hardware token based OTP, PhoneFactor or any other model. It simply specifies the risk factors in the transaction and lets the external service use configured policies to determine what is entailed. That way, a change in corporate security policy that switches from one authentication factor to another doesn’t impact the application. On top of that, PingFederate seems to be catering to security models that rely on social (federated) login, which is obviously an IDaaS model.

And even if you presume that Scott meant it as Identity Management as a Service, or more descriptively Identity Management Software as a Service, it still doesn’t hold because given the right integration points, the model shouldn’t impose any restrictions on where the service is run/hosted.

The article also seems to conflate (or confuse) authentication chaining with authentication against multiple identity stores. Authentication Chaining is a way to string together multiple, distinct authentication events (often in sequence) to create a stronger level of assurance about the identity. E.g. this user authenticated correctly using their username-password AND with a One-Time-Password sent via text message to their mobile number of record. Authentication against Multiple Identity Stores is about authenticating the user only once, but by checking it against different identity stores because you’re not sure which one the user is in.

AuthN Chaining vs Split over Distributed Stores (Grossly Simplified for Clarity)

The latter use case is where Virtual Directories are incredibly useful, because they can present a single, unified view to any consuming application, including an authentication application (like an SSO product). Virtual directories are also good at creating a single view of an identity whose attributes are split across multiple repositories (combining LDAP attributes with HR attributes, for instance). But this single view serves many different purposes in the IDaaS realm, especially for consuming applications and services that need that data at different points in time. It isn’t simply about creating a single token during authentication that combines these attributes. That’s why I don’t like the assertion (quoted in the article) that PingFederate’s attribute aggregation feature “makes virtual directory products unnecessary…“. There are many use cases where applications that have externalized identity need access to unified identity data outside of the context of an authentication event. Unless PingFederate actually includes a virtual directory service (which would make the above statement circular), I don’t see how they solve that particular IDaaS architectural need. And if you have multiple identity stores, you are going to have to address that need at some point.

So you see, in the end it is all about Identity as a Service.

[With that, I retreat into my bomb shelter to prepare for the onslaught from Paul, Pam, Patrick and Brian (who really should consider adding a silent P to the front of his name. Just for consistency)]

Tags: Architecture, Authentication Services, IDaaS, Identity Services, Risk Management, Virtual Directory

SPEAKERS

Sally Hudson Research Director, IDC Security Products and Services

Nishant Kaushik Chief Architect, Identropy

Join us for a live webcast with IDC on Tuesday, February 14, 2012 at 2:00 pm EST to detail how Identity Management-as-a-Service can help overcome the challenges of successfully and cost-effectively running an IAM program. During this webinar, guest speaker Sally Hudson, Research Director within IDC’s Security Products and Services group, will discuss why many of these projects fail and what operational areas need to be accounted for to help bridge the divide between project-go-live and long-term success. I will talk about and show our SCUID Operations offering that has helped many customers address their operational concerns and yield long-term and increasing value from their IDM investment. And we’ll take questions too, just not about coach’s decisions in a certain recent football game.

So ask yourself this:

• Would you like to reduce your IDM Operations costs by 50%, while still proving that the IDM program is meeting its goal?
• Is your IT team overburdened with IDM operational support in response to a constant stream of patches and updates that were never budgeted for?
• Do they lack the bandwidth to get to strategic new tasks in an ever-evolving, increasingly important IDM program?
• Do they lack the time or subject matter expertise to enhance your IDM solution in response to changing organizational needs and business objectives?

If so, this webcast is for you. Register now and learn how IDaaS and SCUID Operations can help you take back control of your IAM program.

Tags: Cost Reduction, Cost Savings, IAM Operations Management, IT Security Spending, Live Webcast, Managed Identity Services, SCUID, SCUID Operations

It’s that time of year, when everyone does their best Carnac the Magnificent impression and rolls out their prognostications and top 10 lists. Here at Identropy, we’re not so sure about trying to predict the future, but we do know a thing or two about helping customers succeed in meeting the goals of their IAM programs. So if you’re looking to make a new year resolution, we’re here to remind you of some steps you can take to truly set your IAM program up for success.

First, create an IAM governance body. Without establishing a governance body, your organization is not going to be able to overcome the roadblocks, complexities and sometimes personalities that often derail even the best planned IAM project. Proper governance is also crucial in making sure that the project adjusts properly to the continuously evolving business and policy environment that IAM needs to operate within. Our CTO, Ash Motiwala, recently wrote an article for SC Magazine on how to go about setting up your IAM governance body.

Next, you’ll need an IAM Roadmap (if you don’t have one already – naughty list). If you have more than a few identity related problems that you are trying to solve, an Identity Management Roadmap will be critical to ensure that you tackle it as a program, with various phases that are sequenced in the appropriate priority order and have tangible business benefits and “wins” along each step of the way.  We’ve published a series of blog articles on developing an IAM roadmap that can help you think through how you may want to approach your own situation.

Of course, in order for the governance body to know how the program is progressing and make good decisions, they need good information. To address that, you need to take the final step of using metrics to help measure the effectiveness of your IAM program and identify inefficiencies and issues. Our very own Frank Villavicencio wrote for CSO Online earlier this year about the 10 IAM Metrics that matter. Even if you don’t use a tool like our own SCUID Operations, there are simple reports and analysis you can do on a periodic basis to get some visibility into how your IAM tools and processes are doing against the business objectives laid out by the governance body. It’s a worthwhile investment that can often pay for itself in terms of the improvements it can help identify.

So take some time to figure out how to put in place the support structure your IAM program needs to truly achieve its potential and deliver on the objectives you laid out for it.

And Happy Holidays from the Identropy family to yours!

[Cross posted from the Identropy Blog]

Tags: Best Practices, IAM Metrics, Identity Governance, SCUID, SCUID Operations

Establish Your Fundamental Security Posture

Part of the allure of cloud-based services is the whole access from anywhere aspect of it -  at work, on the road, in a coffee shop, in a public park, in your hotel room. As public, often free, wifi becomes something we (especially road warriors) start to rely on more, make a checklist of things you do in order to secure your interaction with cloud services, which should include (but isn’t restricted to):

1. Make sure you secure your communication with cloud services by using HTTPS instead of HTTP. I highly recommend installing the ‘HTTPS Everywhere’ plugin that the EFF have released
2. Use a Virtual Private Network. It lets you route all your activity through a separate secure, private network, thus giving you the security of a private network even though you’re on a public one. A lot of people can get it through work, but if your job doesn’t come with one then get your own, like CyberGhost VPN or WiTopia (Check out this Lifehacker article)
3. And watch out for shoulder surfers

Don’t Reuse Your Passwords

It’s an all too common phenomenon: when setting up an account with a cloud service, users are forced to come up with yet another password, and they choose a familiar, well used one. Especially when signing up for services for work, people will often use the same password they use to access services internal to the enterprise (like their email system, or their corporate CRM system). Reusing those passwords definitely helps you remember it for next time, but it’s the equivalent of leaving your house keys in the mailbox – someone else will eventually see it and figure out how to use it.

Better Still, Use A Password Manager

As our usage of the cloud increases and we battle password fatigue, that last point becomes increasingly harder for us. But there are tools like LastPass and 1Password that can help us greatly, not only by remembering the passwords for us (in the cloud, of course) and providing simple plugins to autofill those pesky login forms, but by also generating random string passwords that are stronger than your average password. Just remember to follow all their recommendations: create a really strong and unique Master Password, configure the settings to recognize trusted locations (like your home network), make sure to read their ToS and security policies, and use common sense in trusting what is still a cloud service.

Bring Your Own Identity

But those last two points still rely on having multiple passwords, which is recognized widely as an insufficient approach to security. Federation technology has matured to the point where we can now rely on federated login to cloud services. Most enterprise service providers will support federation with your corporate identity, eliminating the need for passwords to log into these services. And on the consumer side it is becomingly increasingly easy to sign into your services like Tripit or Flickr using your Gmail, Facebook or Twitter identity, using mechanisms like OpenID and OAuth that do not share your password with the relying site. The goal is not to go down to one password for one account that is your key to your online life, but rather have a manageable number of identity providers that you then use to access your various services. And use common sense to evaluate the sensitivity of a particular service before setting up a relationship between it and an external site.

Review Those Service-to-Service Relationships

The concept of a periodic review of user access is a cornerstone in enterprise governance programs. Why should our personal life be any different? As you rely increasingly on the federated model, set up time to periodically go into your services and review which Mobile Apps and 3rd Party Services you have granted access to. Did you grant some twitter ranking site access to your twitter account months ago, but have never gone back and used it? Reviewing the access grants will remind you to sever that relationship, removing any possibility of abuse or exploit.

Are there any other steps you take that help keep you safe? Practical suggestions only please, unlike this (hint: see second last bullet).

[Cross-posted from the Identropy blog]

Tags: Cloud Security, Password Management, Passwords Must Die, Personal Identity Management

Maybe I’m being too cynical. Maybe there is reason to be cautiously optimistic about the fact that Google seems to have heard the protestors. But don’t go declaring victory just yet.

Tags: Google Plus, Google+, NymWars, Pseudonymity

Want to get a deep dive on how to achieve success with your identity and access management program? Then join us for a lunch and learn where Quest Software and Identropy will share insight on the key technologies and best practices that can help you improve your security and compliance posture while maximizing your ROI and avoiding common pitfalls that doom these projects. During the Identropy session, we’ll be sharing insights we’ve gathered from well over a 100 implementations. Plus you get to network with your peers and some really cool people from both Quest and Identropy (and me!). Space is limited, so register now (locations, dates and registration links below).

Boston, MA

• Date: Wednesday, September 14, 2011 at 11:45 a.m.
• Location: Davio’s Northern Italian Steakhouse
• Identropy Speaker: Ashraf Motiwala, CTO
• Register Today

Livingston, NJ

• Date: Wednesday, September 21, 2011 at 11:45 a.m.
• Location: Strip House Steakhouse
• Identropy Speaker: Nishant Kaushik, Chief Architect
• Register Today

Tags: Best Practices, Identity Management, Identropy, Lessons Learned, Quest One Identity Solution, Quest Software

In his post, Bob talks of Google trying to do social with an eye on the lucrative targeted advertising dollars that Facebook is currently hogging. This is the motive I alluded to at the end of my post as well. But things (appear to) have become a bit clearer here (albeit still speculation). During an interview with NPRs Andy Carvin, Google CEO Eric Schmidt didn’t throw out the usual pro RealName arguments about maintaining civil discourse online and such, but basically talked about Google’s ambition to be an identity service – a platform on which commerce and government services can run. And for such a platform to be widely adopted and billable, the data needs to have a certain fidelity – no different than the kind of identity stores we build within enterprises today.

Google already has such an identity platform – it’s called Google Profiles. If you’ve ever created a GMail account for any reason – as a GMail user, to enable an Android phone, for using Picasa – you have a Google Profile. The problem is that these service-derived profiles are of low value to the user, created only to get on to the desired service, and so they are never maintained and have low data quality. And like in a lot of enterprises that engage in identity administration and provisioning projects, Google has to deal with multiple identities per person that need to be linked and correlated. If doing that is hard in the enterprise space, imagine how hard that is do in the personal space where users not only have no reason to facilitate this, they actively engage in keeping some of these profiles separate and distinct. Just in writing this post I noticed that mine still reflects my Oracle position – unlike my LinkedIn, Twitter and Facebook profiles. The common thread through those three services that I kept up-to-date? They’re social, an extension of me into the online world.

That’s why Google+ is so important to Google’s aspirations for Google Profiles. Google wants to use social as the honeypot that draws in all those users and keeps them highly engaged and motivated to keep their data up-to-date. They see how well this is working for the Facebook identity platform and want to replicate that success. But here’s the disconnect – Facebook got to this spot organically. While Zuckerberg may be a visionary in many aspects, his first priority when building Facebook was to build a social network where people would hang out. As the social engagement increased the number and fidelity of identities in Facebook’s database grew as well, The team then pounced on the opportunity to build a platform out of this. In true engineering-driven style, Google is reverse engineering this – seeing where they want to get to and trying to replicate the same path, but instituting fixes that short circuit what took Facebook years to do. Except that there are no shortcuts.

The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook is being far more successful in doing so using far more insidious means). Facebook also has a policy of Real Names, but it realizes that to make the social work you have to cater to the psychology of the users. So there are no identity verification processes, no automatic suspension of accounts and schemes that entice us to provide real data instead of telling us to do so. The fidelity of the data is proven by it’s socially verified reputation, not because there is a policy document that can be pointed to (at the end of the day, a much more robust and legitimate mechanism).

Do you know what you get if you feed a tribble too much?

Google may think that social is all cute and cuddly, but they may be about to find out that it’s a completely different beast that could clog up their systems. Meanwhile, the battle for our online self-determination will continue. IIW XIII should be a lot of fun.

Tags: Digital Identity, Facebook, Google Plus, Google Profiles, Google+, Identity Services, IIW, NymWars, Privacy, Pseudonymity, Real Names, RealName

Is This Your Security Solution?

And then there was the notice we got from our building management asking us to tape up our windows. It had very specific instructions on the  pattern in which to lay down the tape. And of course they had tape for sale in case we didn’t have our own. Looking around, we could see a number of other windows where tape had been put up. So, following instructions and the trend, I started the exercise. After one window, I stood back and questioned the wisdom of doing this. It really didn’t seem like this tape was going to do much against any force strong enough to shatter the double-paned glass we had. A quick check on the web turned up enough “myth-shattering” articles (especially from official sources) to make me and my wife realize that the exercise was pointless. It was patently obvious that the tape was not going to prevent the glass from shattering, or keep the shattered pieces from flying around the room.

Yet all around us, people were spending precious time putting up tape. Why? Because they felt like they were doing something – something that would keep them safe, something they could point to and say “well, at least I tried”.

The analogy with how security and risk management goes in IT is laughably obvious. It’s classic security theater – getting a false sense of security for having done something that is of no benefit whatsoever, but which (literally) helps you sleep better at night. The real issue here is not the waste of good tape, but the fact that doing something like this actually increases your risks. Believing you’ve actually reinforced the windows could lead you to make the mistake of actually sleeping close to a window and putting yourself in harms way. And feeling that this option exists keeps you from actually analyzing the situation properly and taking the steps you really should take, like putting up hurricane shutters or installing hurricane proof glass. Keep in mind that you need to assess your risk accurately instead of going overboard, because while installing hurricane shutters may be a tad too much in an area like ours where hurricanes are (gratefully) a rare occurrence, it really should be top of mind if you’re down in Florida.

It’s also important to understand the psychology underlying these wasted efforts. All too often, “tape jobs” are last minute efforts that stem from a lack of planning. If you analyze your threats proactively, you have time to properly measure your windows and install hurricane shutters. But if you push things out and end up reacting to the news that a hurricane is coming – well, then you’ve run out of time to do a good job, the store is probably out of shutters and even plywood, and there’s little you can do at that point except retreat. How many times have we come across organizations that are under the gun to evaluate software, deploy and get a recertification process done in a completely unmanageable timeline because they failed an audit?

So if you’ve been pushing out that risk assessment, get on it now. Or you might just end up standing in a long line at the neighbourhood hardware store buying a roll of tape that will do absolutely nothing for your reality.

[Cross-posted from the Identropy blog]

Tags: Best Practices, Risk Management, Security, Security Theater

This debate is really about the concept of pseudonymity online – an argument that has been going on forever. While pseudonyms and their necessity have long been understood and accepted in the real world, for some reason the same logic is being discredited when the concept is extended to the online world.

As a parent, I know and understand the desire to create a safe haven online for my child. And as someone who does participate in online discussions on blogs and other social media, I am well aware of the problem of spammers and trolls. But these so-called “Real Name” policies have absolutely nothing to do with these issues, which are used as a false crutch to lend legitimacy to the argument. You just have to watch scenes from Capitol Hill, or the British Parliament, or this epic from the South Korean Parliament to see that knowing the commenter does absolutely nothing to tame uncivil discourse (as I hear shouts of “You Lie”!). And since no one is going to pay for any kind of identity proofing to actually validate the identities of these self-asserted “real names”, the promise of protection offered by such a policy is actually a blatant lie.

But what is even worse is that these policies create a discriminatory, exclusionary environment against those that need pseudonymity the most. Kee Hinckley wrote an amazing post that describes why allowing pseudonyms is a crucial part of society’s fabric, especially when brought online. What really gets me is the hypocrisy of social networks touting their role in social and political movements like the Iran and Egypt uprisings or support networks for LGBT youth, and then instituting policies that would remove the very protections that the people involved in those movements relied on. In the case of people organizing and posting during the middle east movements, pseudonymity was a key requirement enabling them to do their work without fear of reprisal on them or their families. And the fact that they were pseudonyms did not detract from us believing (trusting) them, as they built their reputation over time through their actions and voice online.

(source)

The names we choose online are also key to establishing context for what we are doing, and even more important in keeping different contexts that we want to keep separate apart. While the ability to link disparate personae is getting easier every day based on complex data analysis on publicly available data becoming cheaper (I would point you to Bob Blakley‘s excellent “The Death of Authentication” talk if it ever makes it’s way online, but read commentary here), it is still not possible for the casual observer that we care about in a social sense (the one that would care if you are a gay rights activist who also happens to teach in their son’s school). These contexts also allow the building and establishment of reputations that would get diluted by all the extraneous noise that would come from combining them.

It is true that as commercial entities, Google and Facebook are well within their rights establish any sort of policy that they want, and that as consumers we are free to take our business elsewhere. But that argument misses a much larger reality. As much as we may want to deny it, Google and Facebook are an increasingly large part of the very fabric of our online existence, and exert huge sway over how the business of the internet is being shaped. When Randi Zuckerberg throws out ridiculous ideas that “anonymity must be eliminated online” (not just on Facebook, but everywhere on the internet), she’s not viewed as just another marketing executive, and it unfortunately has a great deal of influence. Eliminating pseudonyms on networks where “most of” the people are will exclude from these spaces the very people that need the social benefit of their network effects, as Danah Boyd (or should I say @zephoria) so passionately articulates. Being a social network comes with some social responsibility too, and as Paul Carr recently reminded us it would behoove all of us (in the tech industry) to remember that. Because “Real Names” isn’t about eliminating spam and increasing civility. It’s really about ensuring that the data we have online is as real as possible for the benefit of the advertisers who are paying for accurately profiled targets. And I’d argue that even that is a false premise.

Tags: Digital Identity, Face, Google Plus, Google+, Identity Fallacies, NymWars, Privacy, Pseudonymity, Real Names, RealName