<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Blue Ocean</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/" />
    <link rel="self" type="application/atom+xml" href="http://blogs.verisign.com/innovation/atom.xml" />
   <id>tag:blogs.verisign.com,2012:/innovation/12</id>
    <link rel="service.post" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12" title="Blue Ocean" />
    <updated>2012-02-06T00:29:52Z</updated>
    <subtitle>Innovation, Research and Development at VeriSign by Nico Popp</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.21-en</generator>
 

<entry>
    <title>The Virtualization of Security and the Rise of Security as a Service</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2012/02/the_virtualization_of_security.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=2233" title="The Virtualization of Security and the Rise of Security as a Service" />
    <id>tag:blogs.verisign.com,2012:/innovation//12.2233</id>
    
    <published>2012-02-06T00:27:37Z</published>
    <updated>2012-02-06T00:29:52Z</updated>
    
    <summary> In the same way that the cloud emerged from software virtualization, cloud security can only emerge from the process of virtualizing security itself. As virtualization separated software from hardware, allowing enterprise software to freely move first across servers and eventually...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud computing" />
    
        <category term="Cloud security" />
    
        <category term="Cloud Trust" />
    
        <category term="Security" />
    
        <category term="Trust" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p><br />
 In the same way that the cloud emerged from software virtualization, cloud security can only emerge from the process of virtualizing security itself. As virtualization separated software from hardware, allowing enterprise software to freely move first across servers and eventually to external cloud infrastructures, security must now be separated from enterprise applications so that the applications themselves can be replaced with new cloud applications and eventually move to specialized clouds. Enterprises worldwide are already embracing the cloud for email, CRM, file sharing, collaboration, HR and other functional business applications. To properly manage cloud risk and compliance, IT needs a consistent way to inject its own security policy across cloud applications. Since these applications are operated by different cloud providers with different security capabilities, distinct security frameworks and diverse APIs, the security needs to be implemented outside these cloud applications. <br />
 <br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Blog1.png" src="http://blogs.verisign.com/infrablog/Blog1.png" width="100%" height="100%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p>That separation or virtualization of application security is the raison d'être of <a href="http://www.symantec.com/theme.jsp?themeid=O3">Symantec O3</a>: the creation of a security control point outside the application and under the governance of IT.  The cloud security gateway integrates with the legacy security infrastructure, which it fully leverages to externalize application security. In doing so, the cloud security gateway separates the security infrastructure from the application infrastructure. The application software is then free to move to the cloud. The complex security infrastructure does not need to follow it. All IT security controls remain in place. This approach of security virtualization can be applied to any type of application, internal or external, whether it is running on a private or a public infrastructure. This allows CIOs to morph their cloud strategy over time.  An enterprise can start with SaaS and virtualized applications running on a private corporate cloud. These private clouds can then transform into semi-private clouds (virtual private clouds or hybrid clouds). Eventually the whole IT infrastructure for applications can be replaced with public clouds such as IaaS or PaaS. The security infrastructure, on the other hand, can persist. The same security policies can be enforced. There lies the true benefit of cloud security virtualization: a single security infrastructure independent of the cloud providers. <br />
 <br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Blog2.png" src="http://blogs.verisign.com/infrablog/Blog2.png" width="100%" height="100%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p>What happens next? As CIOs become increasingly comfortable with not running the infrastructure, the complex security infrastructure must also go to the cloud. Security becomes its own cloud. The cloud transformation is complete. First the cloud security gateway, then security infrastructure as a service. Just as virtualization was the catalyst for infrastructure as a service, the application security gateway becomes the catalyst for security as a service. </p>

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Blog3.png" src="http://blogs.verisign.com/infrablog/Blog3.png" width="100%" height="100%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p>Can it mean that security companies must become specialized security infrastructure providers? Is their fate to become exclusive arms dealers to enterprise cloud builders, instead?  Interestingly, security may well be the only viable answer to the infrastructure commoditization strategy embraced by the likes of Amazon and Google. This fact alone will make it worth watching the enterprise security and infrastructure markets. So let us stay tuned. The security revolution is being televised. In fact, it appears that it will be streamed straight from the cloud.<br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>The Four Horsemen of Cloud Brokering</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2012/01/the_four_horsemen_of_cloud_bro.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=2230" title="The Four Horsemen of Cloud Brokering" />
    <id>tag:blogs.verisign.com,2012:/innovation//12.2230</id>
    
    <published>2012-01-02T04:43:36Z</published>
    <updated>2012-01-02T04:48:25Z</updated>
    
    <summary> The concept of cloud brokering has been drawing more attention lately. In particular, Gartner has developed quite a bit of market analysis on the topic. Most of these analyses tend to focus on the business of cloud brokering. However,...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud Trust" />
    
        <category term="Cloud computing" />
    
        <category term="Cloud security" />
    
        <category term="Identity" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p><br />
The concept of cloud brokering has been drawing more attention lately. In particular, Gartner has developed quite a bit of <a href="http://www.gartner.com/it/page.jsp?id=1064712">market analysis </a>on the topic. Most of these analyses tend to focus on the business of cloud brokering. However, I find it insightful to consider the potential technology platforms associated with cloud brokering. Very often, the largest and most durable technology businesses are strongly intertwined with differentiated, scalable, hard to replicate technology platforms (i.e. databases, operating systems, search engines). By nature, these platforms provide a long-term sustaining competitive advantage. Furthermore, when it comes to corporate strategic investment or VC funding, the ability to articulate breakout platform opportunities can prove invaluable. Platform envy can significantly increase investors' belief in a new and unproven business model such as the one we will be discussing here.<br />
 <br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="450px-Apocalypse_vasnetsov.jpg" src="http://blogs.verisign.com/infrablog/450px-Apocalypse_vasnetsov.jpg" width="450" height="236" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p>So, let us try to identify the four most compelling cloud brokering platforms, capable of fueling and sustaining large revenues within the emerging market of enterprise cloud services. </p>

<p><br />
<strong>Security Brokers - The Cloud Firewall</strong></p>

<p>The first platform candidate is the security broker. Security is certainly a key concern of enterprises contemplating the adoption of cloud services and infrastructures. CIOs and CSOs need a coherent security strategy to manage risk and compliance across cloud providers and architectures (private, public, semi-private clouds). Because of the heterogeneous nature of clouds, the proposed solution is to unify external security under a single security control point, the cloud security broker. Security cloud brokers become security hubs across multiple enterprises (tenants) and cloud services, allowing enterprises to harmonize security despite differences in cloud providers' security frameworks, capabilities and APIs. The strategic technology platform underpinning them is the cloud security gateway [link to previous blog]. This cloud firewall becomes the security control point for the cloud. Security brokers operate or manage them. Initially, security brokers may get pinned down as identity and access brokers, but as SSO and access management quickly commoditize, information security and information management become the predominant value of cloud security brokering (e.g. encryption, data loss protection, rights management, backup, archiving, eDiscovery).  For cloud security brokering, large security companies such as Symantec [Link to O3] should play an important role since the platform becomes an essential delivery mechanism for security across mobile devices and cloud services. In addition to the emergence of cloud security brokers implemented as web security gateways, one should anticipate security to be increasingly delivered at the edge of the network by specialized cloud providers, a little bit like content is increasingly delivered through CDNs. 
This means that large network infrastructure providers such as Telcos and Internet infrastructure companies such as Akamai should also play an important role, especially in the SMB segment, which already prefers a "no software" delivery model.</p>

<p><br />
<strong>User Management Brokers - The Cloud Identity Hub</strong></p>

<p>The second large cloud brokering opportunity is the "identity hub". The identity hub is identity management as a service. In the long run, the identity broker replaces traditional enterprise IDM. In the short run, the cloud identity broker supplements existing IDM systems by enabling the provisioning and life-cycle management (profile mgmt, credential reset, etc.) of users across external cloud services. In that sense, the identity hub is a virtual directory in the cloud. It brokers identity from the enterprise to external cloud providers. In today's early days of cloud, legacy user repositories such as Active Directory or LDAP stores remain the enterprise authoritative identity stores. Over time, as the center of gravity of IT shifts from on-premises to cloud, the identity hub becomes authoritative and starts governing identities across both internal and external applications. On top of these multi-tenant cloud directories, user management self-services, workflow and governance services emerge, making the cloud identity broker the natural heir of today's identity management platforms. One should expect IDM companies to eventually dominate the space. However, many of these companies will be slow to embrace the cloud due to lack of cloud DNA or fear of cannibalizing their legacy business.  Hesitations may leave the barn door wide open for large SaaS vendors that already think of themselves as platforms and already host important elements of enterprise identities. CRM, collaboration services, HR SaaS such as Salesforce, Google, Box.net, Workday or SuccessFactors (now SAP) come to mind as legitimate candidates to occupy the enviable position of identity broker within the cloud ecosystem.</p>

<p><br />
<strong>Service Management Brokers - The Cloud & SaaS Marketplace</strong></p>

<p>The third obvious cloud brokering platform opportunity is the cloud and SaaS marketplace. This cloud exchange is to the enterprise and cloud services what the Apple store is to consumers and their beloved device: the mission-critical broker service that integrates, manages, fulfills and bills cloud services. This cloud broker is essential to the transformation of IT into a business enablement function (i.e. IT as a Service). As IT transforms into a service organization focused on agile business enablement, some primitive capabilities become foundational:  automated procurement of cloud services, on-demand provisioning of users and elastic deployment of applications. The enterprise SaaS marketplaces become the metaphor for business functions and employees to access the new IT capabilities in self-service. IT itself becomes the ultimate broker, but it needs a specialized technology platform. The broker makes IT truly capable of enabling heterogeneous services while ensuring capacity, monitoring SLAs, and usage-based billing across the different groups and functions that comprise a large enterprise. Integration is another critical value-add of the SaaS service broker. SaaS marketplaces therefore must be more than simple SaaS stores; they must be thought of as end-to-end platforms that can support the dynamic meshing and flexible workflow composition of external cloud services across multiple providers. They need to be tightly integrated with corporate identities and corporate information as well. These are the characteristics of a true cloud platform and a potentially very large enterprise business. Cloud and SaaS marketplaces should be the promised land of the traditional middleware and system integrators such as Oracle, HP, IBM, Microsoft or Dell; unless the dominant SaaS platforms manage to "force" their way into the new market to beat the incumbents.</p>

<p><br />
<strong>Data Integration and Intelligence - The Cloud Datamart</strong></p>

<p>The last and maybe the largest cloud brokering platform may turn out to be the cloud data mart. Son of Hadoop and Cassandra, this cloud broker rules the cloud data integration and intelligence markets. The business problem it will solve is the age-old IT challenge of business data integration and business intelligence. When corporate data actually resides across distributed cloud services and databases (HR, CRM, finance...) this old problem becomes a whole new ball game. The technology cornerstone is a cloud database, multitenant, distributed yet capable of integrity. Think of it as an intelligent data warehouse infrastructure at the edge of the network, capable of logging, aggregating, and intelligently analyzing corporate information stored across multiple enterprise SaaS services. It is both a big data challenge and a cloud integration challenge. The cloud data mart needs to integrate with the CRM, HR and ERP systems of tomorrow. We already know that these systems and their data stores will no longer stand on-premises. A cloud database is a fairly thorny technical problem in itself. Cloud data integration is its business killer app. The technical and business requirements are extremely ambitious but rewarding.  Can you imagine the next generation Oracle, Splunk and Business Objects as a single cloud offering?!</p>

<p><br />
Business and technology predictions are good form at the beginning of a new year. Of course, these predictions will often be defeated by the devils of execution. Most are soon forgotten. Yet, there should be little doubt that the heterogeneous and distributed nature of the cloud creates large business opportunities for cloud brokers. The shift to the cloud screams for changes in technology platforms. With changes come land grab opportunities.  As product people and architects, it is thought-provoking to imagine the lands we should lay course to, in order to find the new gold.  El Dorado or fool's gold, that is the only question. <br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>The Perimeter is Dead, Long Live the Cloud Firewall.</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2011/10/the_perimeter_is_dead_long_liv.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=2224" title="The Perimeter is Dead, Long Live the Cloud Firewall." />
    <id>tag:blogs.verisign.com,2011:/innovation//12.2224</id>
    
    <published>2011-10-04T21:41:27Z</published>
    <updated>2011-10-04T21:42:52Z</updated>
    
    <summary> Today, we are announcing the Symantec O3 early access program, a new approach to securing enterprise clouds. But what is Symantec O3 really about? No doubt, cloud is an inexorable IT trend. However, CIOs and CISOs often cite security as a...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud Trust" />
    
        <category term="Cloud computing" />
    
        <category term="Cloud security" />
    
        <category term="Identity" />
    
        <category term="Security" />
    
        <category term="Trust" />
    
        <category term="authentication" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p></p>

<p>Today, we are <a href="http://finance.yahoo.com/news/Symantec-Unveils-New-Platform-iw-3958246355.html?x=0">announcing the Symantec O3</a> early access program, a new approach to securing enterprise clouds. But what is Symantec O3 really about? No doubt, cloud is an inexorable IT trend. However, CIOs and CISOs often cite security as a major concern. That is not to say that the new cloud platforms are fundamentally more insecure than the computing platforms that preceded them. Quite the opposite: cloud-oriented architectures have the potential to provide stronger security than most IT organizations can achieve today.</p>

<p><br />
Nevertheless, SaaS applications and cloud infrastructures challenge, each in their own way, IT's fundamental function of defining and enforcing consistent security policies across devices, users, and information. The new cloud platforms directly conflict with the need for enterprises to establish consistent risk profiles and compliance postures. The shift to the cloud is eroding our traditional controls. Network-based security is no longer as effective since the network is no longer ours. The network and its controls now belong to Salesforce, Amazon or Google. </p>

<p><br />
The shift to the cloud raises a fundamental question regarding the role of tomorrow's IT. If IT can outsource desktops, applications and infrastructure operations, can IT also outsource the governance of corporate digital policies? The answer is simple. IT should not have to embrace the cloud at the cost of renouncing its "raison d'être"!  We ought to be able to embrace the clouds without relinquishing the control of our own security policies.</p>

<p><br />
This need to layer IT-driven security independently of cloud providers drives the emergence of a new security control point. The new control point must act as a "cloud firewall." Unlike its sibling, the cloud firewall inspects outbound traffic. It is not network-centric but web-centric, since Web protocols are the cloud's lingua franca. The security gateway leverages identity and access control to insert itself between all user devices (fixed or mobile) and cloud infrastructures (private or public). It creates a new layer of IT security and governance. By virtue of being inline with cloud traffic, the cloud firewall is context-aware (identity, device type, location, time, etc.). It is also content-aware, providing information security through the deep inspection of HTTP streams and the application of DLP, encryption and tokenization technologies. Indeed, the cloud firewall has complete visibility. It feeds cloud access and information events into log management systems that can now correlate security information across internal and external systems, across managed and unmanaged devices.</p>

<p><br />
At a time when pundits are proclaiming the deperimeterization of the network, it is time to reinvent a new form of perimeter for the cloud. Delivering on such a vision will take no less than the leading security company. The cloud firewall is the cornerstone of tomorrow's IT security. So, long live Symantec O3, the catalyst for a new form of perimeter security, a perimeter for the cloud.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Why mobile and cloud security eventually converge</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2011/07/post_12.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=2216" title="Why mobile and cloud security eventually converge" />
    <id>tag:blogs.verisign.com,2011:/innovation//12.2216</id>
    
    <published>2011-07-28T23:04:54Z</published>
    <updated>2011-07-28T23:10:57Z</updated>
    
    <summary>The two hottest areas in enterprise security are undeniably mobile and cloud. As small and large security companies go after the fast growing markets, few seem to understand that both markets will rapidly converge to be serviced through a single...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud Trust" />
    
        <category term="Cloud computing" />
    
        <category term="Cloud security" />
    
        <category term="Mobile" />
    
        <category term="Security" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p>The two hottest areas in enterprise security are undeniably mobile and cloud. As small and large security companies go after the fast growing markets, few seem to understand that both markets will rapidly converge to be serviced through a single solution. Yet, it should not come as a surprise, since both enterprise cloud and mobility are about enabling employees to access corporate resources and information from anywhere, any time.</p>

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Mega-Pains.JPG" src="http://blogs.verisign.com/innovation/Mega-Pains.JPG" width="500" height="400" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>Beyond the simple fact that mobile is about the cloud and the cloud needs to be mobile, there are profound technology-driven reasons for mobile and cloud security solutions to become one. Unlike the PC platform that preceded them, iOS and Android heavily sandbox applications and data, making them very poor platforms for security software developers to replicate yesterday's agent-based security approach. Turn yourself now to the cloud and it is the same dilemma. Since an enterprise no longer runs the applications and infrastructures that host corporate data and services, it is no longer possible for security vendors to leverage traditional infrastructure hooks to provide consistent security. In particular, the network-based security controls are out of reach since cloud vendors will not expose them.</p>

<p><br />
Where does it leave us? The answer is as simple as it is obvious. Both mobile and cloud require the emergence of a new security control point that stands below mobile devices and above cloud providers.  Think of it as a new layer of security. That layer of security will control and police service and data access across mobile devices, cloud data and services. It is an identity security service. It will have to control and protect the flow of information between mobile devices and cloud storage. It is an information security service. It needs to enable audits of events across mobile and cloud access. It is a log and event management solution.</p>

<p><br />
Indeed, mobile and cloud security are the two faces of one and the same security and compliance solution. The perimeter is dead, but the age of "security in the middle" is only beginning.</p>

<p><br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>From Windows to the Cloud: &quot;Nothing is created, nothing is destroyed, everything transforms.&quot;</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2011/07/from_windows_to_the_cloud_noth.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=2214" title="From Windows to the Cloud: &quot;Nothing is created, nothing is destroyed, everything transforms.&quot;" />
    <id>tag:blogs.verisign.com,2011:/innovation//12.2214</id>
    
    <published>2011-07-11T20:50:09Z</published>
    <updated>2011-07-11T21:58:05Z</updated>
    
    <summary> Every so often in technology, new trends emerge to drive large changes to society by transforming our established computing paradigms. Cloud as a computing pattern is certainly not dissimilar. The cloud carries in itself all the genes of disruption...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud Trust" />
    
        <category term="Cloud computing" />
    
        <category term="Cloud security" />
    
        <category term="Security" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p><br />
 Every so often in technology, new trends emerge to drive large changes to society by transforming our established computing paradigms. Cloud as a computing pattern is certainly not dissimilar. The cloud carries in itself all the genes of disruption that the PC, client-server and Web revolutions embodied before it. For many, cloud computing is <a href="http://www.nicholasgcarr.com/bigswitch/">the logical evolution of information technology</a> towards the utility model. From an economic standpoint, it signals the great commoditization of IT.</p>

<p><br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="old.JPG" src="http://blogs.verisign.com/innovation/old.JPG" width="33%" height="33%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p> When large technology shifts occur, opportunities arise for new and innovative companies to displace the large and sleepy incumbents within their core markets. To understand the cloud tectonic shift, and the potential losers and winners, I devised a simple visual representation that captures the competitive landscape of cloud computing. If one thinks of the traditional computing world as the "primordial Pangea", the old world appears as a highly coupled stack with devices on top, infrastructure at the bottom and applications and development platforms snug in between the two dominant businesses. Although simplistic, this representation has the merit of capturing the market significance of companies such as Microsoft/Intel, Oracle, SAP, HP, IBM, Cisco and EMC (the device and infrastructure incumbents).<br />
 </p>

<p><br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Cloudscape.jpg" src="http://blogs.verisign.com/innovation/Cloudscape.jpg" width="100%" height="100%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p>When the shift to the cloud happens, the old continents spread apart, and the original Pangea morphs into a "cloudscape".  New major classes of device platforms appear (mobile platforms in particular). The old core platforms have transformed and taken new names (SAAS, PAAS and IAAS). The four strongholds drift apart, creating "seas" of opportunities for new intermediaries (the cloud brokers) who can integrate, secure and harmonize these new heterogeneous environments. Many of these new markets are still up for grabs, but a few enlightened companies have already moved in an attempt to capitalize on explosive growth as old budget money shifts towards the new models.</p>

<p> <br />
<strong>The four strongholds</strong></p>

<p>The cloudscape shows the four old strongholds as four new distinct and decoupled markets. Furthermore, a new generation of cloud-enabled device platforms has emerged (IOS, Android...). SAAS are rapidly replacing traditional applications in the eyes of corporate users and consumers. For developers, PAAS are becoming the environment of choice for custom web service development and deployment. At the bottom, infrastructure is becoming a commoditized utility service. The four strongholds are still differentiated markets. No real consolidation has occurred yet, as the new players are too busy battling for supremacy within their own market. Each of the four platforms appears to present a significant business model, with large ecosystems acting as <a href="http://37signals.com/svn/posts/333-warren-buffett-on-castles-and-moats">powerful "moats"</a> or barriers to entry. </p>

<p><br />
<strong>IAAS and the commoditization of I.T. infrastructures</strong></p>

<p>The most powerful stronghold may prove to be IAAS, since the business model is based on very large economies of scale with razor thin margins and high volumes that cannot be realized by new entrants who may lack the CAPEX muscle or the home-grown commodity technology to enter. The IAAS vendors are rapidly commoditizing the compute and storage stack. They are now walking up the stack to subsume middleware such as RDBMS (database.com, BigTable and the NoSQL movement). The next target is the network infrastructure. Large virtual private clouds will soon emerge that allow enterprises to create complex segmented networks without having to buy expensive networking gear. Corporate networks are built using virtual switches. They are secured by commoditized software appliances (virtual firewall, virtual IDS and virtual IPS) sold on a usage basis. As the IAAS market consolidates around Amazon, Google and a few large global Telcos, the old IT power houses (Cisco, HP, IBM) may still be able to carve out some land for themselves. Unfortunately, some of them have lost their strategic compass, lured by the temporary gold rush of the so-called private cloud market, a desperate attempt to re-invent yesterday's "build-it-yourself" model of information technology.</p>

<p><br />
<strong>The battle for Development as a Service (DAAS)</strong></p>

<p>The cloudscape identifies and positions the main platform tenants and their strongholds. For example, Amazon has a strong position in infrastructure as a service (IAAS), while Salesforce is a dominant SAAS vendor. Like <a href="http://www.youtube.com/watch?v=8To-6VIJZRE">OS vendors before them</a>, both are vying to leverage their strong position to become the application development platform of choice. Amazon is betting on infrastructure for their unfair advantage. Salesforce is betting on corporate business data such as customer info and collaboration artifacts. Google's bet is on becoming "Office" for the cloud, thus owning corporate unstructured data. For new businesses like Zynga, infrastructure is king. For enterprises who need to build mission-critical business applications, data is queen. Google+ is more innovative than Chatter, but Google needs to become enterprise-friendly (new DNA and a large M&A likely required). </p>

<p><br />
<strong>The cloud brokers and the rise of the middle-man</strong></p>

<p>Nevertheless, in between these giants, there is still ample room for trusted cloud brokers who can integrate business data across multiple cloud sources and provide business intelligence across all SAAS services. In fact, the map identifies very large intermediary opportunities. Cloud brokers can become significant disintermediation businesses. The distant and heterogeneous nature of the four large cloud markets creates a real opportunity for cloud middle-men to reduce the complexity of integrating, securing and brokering the capabilities of the new cloud platforms through a unified management interface.  The "device management as a service" layer (e.g. VDI in the cloud) or user and SAAS management (e.g. SAAS marketplaces and SAAS data integration as a service) are examples of these new intermediaries seeking to capitalize on the plurality of devices and SAAS platforms.  </p>

<p><br />
<strong>Security as a fundamental ingredient (says the wishfully-thinking security guy)</strong></p>

<p>Interestingly, security emerges as a fundamental enabler. If one considers availability as a form of security, security is actually relevant to all forms of cloud brokering. This leads us to believe that security companies could benefit from the new world balance if they can establish partnerships with the strongholds that are about to significantly impact the distribution of security services. Moreover, security assets provide a natural beachhead for security companies to extend into cloud brokering opportunities. Conversely, security M&As could become increasingly important to cloud platform vendors or cloud platform wannabes in search of differentiation and higher margins.</p>

<p><br />
Eventually, what the cloudscape demonstrates is that in the long run, information technology is not immune to the fundamental laws of physics. Cloud computing is undeniably a disruptive technology. But, in the end, the four core business strongholds still exist, granted, under new names, forms and shapes. Under the tectonic shift of cloud computing, the whole industry landscape of information technology is about to radically transform before our eyes, reminding us once again of what an old French chemist taught us a few centuries ago: "Nothing is created, nothing is destroyed, everything transforms." -Lavoisier</p>]]>
        
    </content>
</entry>

<entry>
    <title>Trusted Identities in Cyberspace</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2011/04/trusted_identities_in_cyberspa.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=2200" title="Trusted Identities in Cyberspace" />
    <id>tag:blogs.verisign.com,2011:/innovation//12.2200</id>
    
    <published>2011-04-20T22:52:30Z</published>
    <updated>2011-04-20T22:53:03Z</updated>
    
    <summary>Last week, the White House announced its official National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC is the largest-ever effort by the federal government and private sector partners (including Symantec) to develop a secure, standards-based and interoperable online identity...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud Trust" />
    
        <category term="Cloud security" />
    
        <category term="Identity" />
    
        <category term="OpenID" />
    
        <category term="Security" />
    
        <category term="authentication" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p>Last week, the White House announced its official <a href="http://www.nist.gov/nstic/">National Strategy for Trusted Identities in Cyberspace</a> (NSTIC). NSTIC is the largest-ever effort by the federal government and private sector partners (including Symantec) to develop a secure, standards-based and interoperable online identity system. The goal: Improve the security and privacy of online interactions and more effectively fight cybercrime. Today's announcement marks the culmination of <a href="http://www.marketwire.com/press-release/VeriSign-Support-US-Government-Open-Identity-Initiative-as-Trusted-Authentication-Service-NASDAQ-VRSN-1206718.htm">two years of effort by VeriSign</a> (first as an independent company and later as part of Symantec) to help bring this important initiative to life. </p>

<p><br />
At the heart of NSTIC is the concept of an Identity Ecosystem based on trusted identity frameworks. Trusted identity frameworks are the lynchpin to trusted interactions online, for everything from e-commerce to electronic health records to online voting.  These frameworks will require all participating service providers to ensure the credentials they offer adhere to the same standards for identification, authentication, security and privacy. This wouldn't be a "national online identity" setup, but rather interoperability among many market offerings.</p>

<p><br />
The initiative recognizes that public-private partnerships are essential for success. Symantec and other private sector companies have already created the technology for strengthening and sharing high assurance identities. Government leadership will promote, facilitate and coordinate industry to further NSTIC goals. <br />
The government can also help overcome the three big impediments this kind of initiative faces:  </p>

<p><br />
1. Privacy concerns: The government can define and deploy standardized trust frameworks that help ensure citizens' privacy (e.g. by working through the private sector, leveraging organizations such as the Online Identity Exchange).</p>

<p>2.	Liability concerns: Data breaches involving personally identifiable information (PII) can easily run into the tens or hundreds of millions of dollars, depending on the number and kind of records affected. Once trust frameworks are in place, Congress can pass legislation to cap liability for organizations certified under those frameworks. </p>

<p>3. Business concerns: The federal government can create business incentives for trusted identity providers to join the ecosystem by becoming the initial customer. That would basically prime the pump for a trusted identity service business model.</p>

<p><br />
NSTIC's goals for FY11 include:</p>

<p><br />
•	Convene the private sector by hosting workshops on governance, privacy and technology<br />
•	Establish a governance model, standards and models for addressing liability<br />
•	Develop criteria, assess potential programs and prepare for formal funded pilot launches in FY12</p>

<p><br />
These plans are ambitious, certainly, but are necessary given the escalating data breach and cybercrime threats people face every day. NSTIC will provide the means to dramatically improve online authentication and the security, privacy and business benefits it provides. </p>]]>
        
    </content>
</entry>

<entry>
    <title>Identity Proofing - the Next Mobile Business Opportunity?</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2010/09/just-in_time_identity_proofing.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=1988" title="Identity Proofing - the Next Mobile Business Opportunity?" />
    <id>tag:blogs.verisign.com,2010:/innovation//12.1988</id>
    
    <published>2010-09-06T20:25:07Z</published>
    <updated>2010-09-06T21:18:13Z</updated>
    
    <summary> It is clear that high assurance identity on the internet is going to require identity proofing. With more than 1 Billion Web users, and 3 Billion mobile users increasingly connected to the Internet, scalability is going to be essential....</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Identity" />
    
        <category term="Mobile" />
    
        <category term="Security" />
    
        <category term="Trust" />
    
        <category term="authentication" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p><br />
It is clear that high assurance identity on the internet is going to require identity proofing. With more than 1 billion Web users, and 3 billion mobile users increasingly connected to the Internet, scalability is going to be essential. If high assurance identities become the norm, digital identity verification services that do not require in-person proofing could therefore turn into a significant market opportunity.</p>

<p><br />
Most folks in the industry would tell you that credit bureaux and financial institutions ought to be the primary beneficiaries as the new business emerges. However, the convergence of Internet, mobile and telecommunication driven by iPhone and Android could attract new market players. Mobile network operators (MNOs) have a wealth of identifiable data about us. They are also uniquely positioned to bring multi-channel solutions to market. In fact, an MNO-operated ID proofing service could easily support voice and web, for brick and mortar as well as online service providers.</p>

<p><br />
Then comes the unfair advantage: the mobile handset. Obviously, the biggest challenge of "person not present" identity proofing lies in the processor's ability to match the person on the other side of the communication channel to the identity data. A personal mobile device provides a unique link between my digital and physical me (there is a long history that links my mobile device to my identity). For the web, it supports an out-of-band channel that considerably adds to the security of the verification process. From a privacy and control standpoint, the mobile phone enables a user-centric approach where the user can approve the transfer of her personal information (a sort of out-of-band OAUTH dance). Last but not least, location (somewhere I am) may prove of strategic importance, since an embedded GPS can correlate the proofing event to a verifiable personal location (e.g. my home). Location verification for proofing could happen "just in time" or as a post-process step. In any case, it would greatly strengthen the overall process.</p>

<p><br />
There is little doubt that the combination of wireless data and handset constitutes a unique recipe for enabling high-assurance identity proofing systems. The OIX will soon get to the bottom of this theory since it has recently announced <a href="http://openidentityexchange.org/">the formation of a working group for telecom data.</a> Early next month, OIX members will explore the development of a trust framework that would support the secure exchange of identity data between MNOs and relying parties while ensuring the privacy and trust of consumers. This could well be a significant step towards high-scale, high-assurance identity systems. So, good luck to the new working group; we will be watching closely.<br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>Cloud Identity, Trust and the Liability Elephant.</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2010/06/cloud_identity_trust_and_the_l.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=1941" title="Cloud Identity, Trust and the Liability Elephant." />
    <id>tag:blogs.verisign.com,2010:/innovation//12.1941</id>
    
    <published>2010-06-02T21:45:23Z</published>
    <updated>2010-06-02T21:57:04Z</updated>
    
    <summary>I have been involved with a couple similar initiatives around certification for identity and thought it would be interesting to explain the logic behind these efforts. The first initiative is led by the Open Identity Exchange and is based on...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud Trust" />
    
        <category term="Cloud computing" />
    
        <category term="Cloud security" />
    
        <category term="Identity" />
    
        <category term="OpenID" />
    
        <category term="Security" />
    
        <category term="Trust" />
    
        <category term="authentication" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
<![CDATA[<p>I have been involved with a couple of similar initiatives around certification for identity and thought it would be interesting to explain the logic behind these efforts. The first initiative is led by the <a href="http://openidentityexchange.org/">Open Identity Exchange</a> and is based on the Open Identity stack. The second is more enterprise cloud focused; it is driven by the Cloud Security Alliance (CSA). The CSA is <a href="http://www.marketwatch.com/story/oasis-members-form-committee-to-advance-identity-standards-for-cloud-computing-2010-05-19?reflink=MW_news_stmp">developing </a>a more SAML-oriented technology blueprint within OASIS. The technology protocols are different but the risk controls are similar. Therefore, I am hopeful that both trust frameworks will converge (I will certainly try to help them converge).</p>

<p><br />
But let us re-hash the motivation of the industry that sponsors these efforts. A trust framework is necessary to enable policy makers across vertical markets (healthcare, enterprise SAAS, mobile payment, digital content) to set the security and privacy bar for identity providers, identity brokers and relying parties. For sure, across all vertical markets, the sharing of identity requires a baseline of best practices for security and privacy, as it facilitates customer adoption of cloud identity services by providing a foundation for trust.</p>

<p><br />
However, there is another motivation to develop certification programs for identity services. The true 'raison d'être' for identity trust certification is that it will allow private consortia or legislators to govern liability in a multi-party transaction. In particular, one can shift the liability away from accredited identity providers on the basis that they have demonstrated the proper privacy and security controls through certification. In other words, trust certification can be used to kill the liability elephant that has been haunting the federated identity rooms for so many years. </p>

<p><br />
By capping liability risk through certification, an identity trust framework would make it commercially easier for large consumer Internet companies, commercial banks and online payment systems to participate as identity providers in high assurance transactions such as health care, eGov services and all new breeds of cloud services. In essence, this is not too different from the VISA model, where a consortium of financial institutions establishes the network blueprint for online payment, defines the necessary security controls and is then able to shift the liability (in this case, away from the card issuing banks (IDPs) to the merchants (RPs), who are generally responsible for charge back expenses).</p>

<p><br />
Of course, certification does not happen in a vacuum. Certification is about risk management. It needs to define privacy and security controls appropriate to the transaction and information risk levels. This means that identity certification will have to discriminate among different levels of assurance (most likely, the four NIST levels of authentication) in order to adapt across multiple verticals. <a href="http://en.wikipedia.org/wiki/Howard_Schmidt">Howard Schmidt</a> seems to agree with the need for identity trust frameworks and even points to a concrete market: "The president is 'concerned and very committed' to making sure that as healthcare goes electronic that 'we also have the right controls for security and privacy,' Schmidt said at a May 11 conference on privacy and security sponsored by the Health and Human Service Department.  "The plan to develop a strategy will focus on ways to improve identity management. As part of that effort, the administration will roll out a 'trust framework' incorporating authentication technologies, standards, services and policies that government, industry and consumers could adopt. The key issue is that we have to instill trust in the system. If we don't trust the system, we won't use it and if we don't use it, we lose its [potential] benefits".</p>

<p><br />
For all of us in the digital identity world, it is certainly encouraging to see that the federal administration is recognizing the importance of identity management and its acute need for trust policy.  It is certainly not an easy issue, but it is now getting the visibility that it deserves. There is also plenty of good will in the industry to collaborate and make a trust framework for eHealth a reality. The elephant may not have quite left the building, but at least we can now all see it, and it is a good thing.<br />
 <br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>Greek Heroes, Facebook and Trust</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2010/05/greek_heroes_facebook_and_trus.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=1927" title="Greek Heroes, Facebook and Trust" />
    <id>tag:blogs.verisign.com,2010:/innovation//12.1927</id>
    
    <published>2010-05-10T14:40:25Z</published>
    <updated>2010-05-10T15:00:39Z</updated>
    
    <summary>When Achilles was a baby, the oracle predicted that he would die in battle from an arrow. Thetis, Achilles&apos; mother who did not want her son to die decided to dip Achilles&apos; body into the water of a river that...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud Trust" />
    
        <category term="Identity" />
    
        <category term="Media &amp; Advertising" />
    
        <category term="OpenID" />
    
        <category term="Security" />
    
        <category term="Social networks" />
    
        <category term="Trust" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
<![CDATA[<p>When Achilles was a baby, the oracle predicted that he would die in battle from an arrow. Thetis, Achilles' mother, who did not want her son to die, decided to dip Achilles' body into the water of a river that would make him immortal. Unfortunately, Thetis had held Achilles by the heel, which was not washed over by the magic water. Achilles grew up to be a great war hero, whose apparent invincibility had turned him into a legend. But one day, an arrow shot at him was lodged in his heel, killing him instantly.</p>

<p><br />
When it comes to consumer identity, Facebook looks more and more like the Achilles of identity. Every day, it is growing more powerful and invincible. Yet, <a href="http://www.pcworld.com/article/195903/facebooks_international_users_share_privacy_concerns.html">a growing stream of concerns </a>is gradually exposing the social warrior's vulnerability to security and privacy. Nevertheless, as a website, Facebook's <a href="http://www.facebook.com/press/info.php?statistics">core usage metrics</a> are mind-boggling: </p>

<p><br />
•	More than 400 million active users<br />
•	50% of our active users log on to Facebook in any given day<br />
•	Average user has 130 friends<br />
•	People spend over 500 billion minutes per month on Facebook</p>

<p><br />
However, Facebook's true ambitions may well reside beyond the confines of its own Web site. If one combines Facebook Connect (authentication++), OAuth (authorization) and the <a href="http://developers.facebook.com/docs/api">Social Graph API</a>, it is crystal clear that Facebook's strategy is to become the identity fabric for the Internet. By turning the social network into an identity infrastructure, the Facebook APIs could enable an even larger business opportunity. By extending the Facebook business over external websites, the Social Graph APIs open the door to transactional business models such as cost per action advertising, eCommerce and payment. There again, when it comes to numbers, the social network hero is showing Homeric promise:</p>

<p><br />
•	More than 80,000 websites and devices (including iPhone and Xbox) have implemented Facebook Connect since it launched in December 2008<br />
•	More than 60 million Facebook users use Facebook Connect each month. <br />
•	Two-thirds of ComScore's US Top 100 websites and half of ComScore's Global Top 100 websites have implemented Facebook Connect. <br />
•	Sites like the Huffington Post have seen a 500% increase in Facebook referrals after implementing Facebook Connect.<br />
•	500,000 applications have been built on Facebook and the growth of social gaming (playdom, Zynga, Playfish, etc) is still in its infancy.</p>

<p><br />
So, what could go wrong? Where could the enemy arrow strike its fatal blow to our hero? Could it be over this <a href="http://www.nytimes.com/2010/05/06/technology/internet/06facebook.html?src=busln">security glitch</a> that exposes our chat messages to friends? Perhaps these <a href="http://valleywag.gawker.com/5417145/facebooks-new-privacy-scheme-smells-like-an-anti+privacy-plot">controversial default privacy settings</a> that leave our identity increasingly public? Will the threat arise from a growing reputation as a corporation trying to take advantage of our personal data to '<a href="http://www.eff.org/deeplinks/2010/04/facebook-timeline">help itself -- and its advertising and business partners</a>'? If there is something that could stand in the way of Facebook, it is probably Facebook itself. Indeed, the growing controversy and erosion of consumer trust surrounding Facebook's privacy and security nonchalance may eventually become the Achilles' heel of the young identity giant.</p>

<p><br />
Facebook is clearly an extremely innovative company and a successful platform. Of course, it must keep on running fast against the agile Twitters and the powerful Googles of the world, who are certainly eyeing with envy its privileged position as the leading Internet social platform. No doubt the investors are placing tremendous pressure on management to drive revenue growth. Nevertheless, Facebook needs to slow down and consider the long-term implications of being the de-facto custodian of our digital lives. It must start fulfilling the responsibility that comes with millions of digital identities under management. If it is true that today's Internet generation may have fewer privacy concerns than their elders, in the long run, consumers will not allow Facebook to manage and control their identities unless they can trust the platform.</p>

<p><br />
Eventually, Facebook will have to "do the right thing" for the consumers, sometimes in spite of their ignorance of digital risks, and surely despite a business model that encourages Facebook to look the other way when it comes to privacy and security. Yes, the Achilles' heel is very real, it is being exposed every week in the press, and the temptation is growing for privacy zealots and regulators who are assiduously watching the missteps. Good common business sense aside, it is time for Facebook to take responsibility and leadership for the immense security, privacy and trust challenges that our digital identities require. Maybe it is even time for the social network to start promoting elements of security, privacy and trust within its core platform.<br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>PCI for the Cloud</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2010/04/pci_for_the_ckoud.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=1912" title="PCI for the Cloud" />
    <id>tag:blogs.verisign.com,2010:/innovation//12.1912</id>
    
    <published>2010-04-21T02:41:25Z</published>
    <updated>2010-04-21T02:42:07Z</updated>
    
    <summary>For most enterprise and security vendors, the cloud is fascinating both as a technology and a business disruptor. In fact, SAAS CEOs such as Successfactor, SalesForce and NetSuite are hot shots in Silicon Valley these days. Yet, most of us...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud Trust" />
    
        <category term="Cloud computing" />
    
        <category term="Cloud security" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p>For most enterprise and security vendors, the cloud is fascinating both as a technology and a business disruptor. In fact, SAAS CEOs such as Successfactor, SalesForce and NetSuite are hot shots in Silicon Valley these days. Yet, most of us are still wondering how much IT budget is actually going to be thrown at the so-called private, hybrid and public clouds in 2010. So what is in the way of the big shift? </p>

<p><br />
We had a good discussion on this topic <a href="http://alwayson.goingon.com/ecom/productview/34336.">at AlwaysOn today</a>. At least, it seems that everyone agrees on the main challenges: integration is harsh, security is dicey and compliance seems out of reach. So, where do we start? I am starting to believe that there too, we need to provide a baseline for cloud security and trust. Like PCI for e-commerce, a certification for the cloud will not make the cloud completely secure, but it will at least provide a set of common definitions and best-practices for cloud security and trust. It will also make it much easier for enterprise customers to evaluate and rationalize the security of any cloud vendor. In fact, prospective cloud customers will be able to contractually commit cloud vendors to well documented certification levels and build additional SLA and security contractual requirements on top. </p>

<p><br />
So whether you are a security vendor, a cloud provider or an enterprise, there is one more thing that we may be able to agree on: trust certification could drive cloud adoption by simplifying the definition, evaluation and contracts for cloud security, compliance and trust. Of course, it starts with identity, so <a href="http://www.trusted-cloud.com/pages/moreinfo/">time to get to work</a>.<br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>Open Identity: the end of childhood, the age of assurance</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2010/04/open_identity_the_end_of_child.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=1900" title="Open Identity: the end of childhood, the age of assurance" />
    <id>tag:blogs.verisign.com,2010:/innovation//12.1900</id>
    
    <published>2010-04-06T02:39:21Z</published>
    <updated>2010-04-06T02:51:57Z</updated>
    
    <summary>This week is the week of the OpenID summit in Mountain View, California. We are all hoping that 2010 will be another pivotal year for open identity. There seems to be a combination of market forces that are making federated...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Digital Rights Management" />
    
        <category term="OpenID" />
    
        <category term="Security" />
    
        <category term="Trust" />
    
        <category term="authentication" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
<![CDATA[<p>This week is the week of the OpenID summit in Mountain View, California. We are all hoping that 2010 will be another pivotal year for open identity. There seems to be a combination of market forces that are making federated identity more attractive. In fact, we are hearing new compelling use cases for federation. A first example is cloud access and identity management. As enterprises shift their IT infrastructure and information to the cloud (as in IAAS, PAAS and SAAS applications), CIOs need to federate corporate identities with cloud service providers. For cloud resources, the corporate directory becomes the identity provider and the cloud services are the relying parties (and if you don't have a directory or don't want to use it for federation, Google is in the pole position to be your OP). Another interesting vertical ripe for federation is healthcare. Now that the Obama bill for healthcare has passed, one should expect a revival of health information networks (remember the <a href="http://en.wikipedia.org/wiki/Regional_Health_Information_Organization">RHIOs</a>). Finally, online payment, the mother of all federation, is seeing a lot of innovation too. From mobile to social games, high assurance open identity networks led by modern payment systems such as PayPal, Amazon or Facebook could sway consumers, curb fraud and shift merchant liability where Verified by Visa has fumbled to date.</p>

<p><br />
So, what do the trusted cloud initiative, Obama's new health care bill, and next generation online payment have in common? They all require federation and stronger forms of authentication to enable trust and protect against fraud. These transactions are complex and risky. They are complex because they involve multiple independent, sometimes competing organizations. Federation is needed. These transactions are also too risky because the current Internet authentication system based on name and password is too weak. High assurance identity is needed. As government and vertical industries worldwide come to the realization that their cyber security and business agenda require them to enable high assurance online transactions, federation and strong authentication will converge into new compelling trust infrastructures deployed across vertical markets.</p>

<p><br />
The need for high assurance federation may provide a much needed boon for open identity technologies such as OpenID and OAuth. The point is that the adoption of a new identity management model on the Internet by consumers may require much more than single sign-on, attribute exchange and authorization. As <a href="http://identity20.com/media/OSCON2005/">Dick Hardt</a> put it many times, these traditional identity features are only vitamins. Most people won't go for vitamins alone. Consumers want enablement. Facebook figured that one out a long time ago by tying friends discovery and activity streams to Facebook Connect. So, what is Open Identity's mojo then? I dare to suggest that the opportunity for open identity is new transaction enablement. If open identity networks can enable complex and risky transactions that are not possible online today, massive adoption will follow and altering the digital identity experience becomes palatable.</p>

<p><br />
Of course, it is a security guy talking, but let us consider the business model too. The business of security and trust is well understood. Credit bureaus, security companies and VISA/Mastercard have clear and compelling transactional business models. Transactional revenue models are also more compelling than advertising. The profit margins for standing in the middle of transactions as a neutral third party and enabling high assurance are fairly high. Compare the addressable market to the currently minuscule market size of open identity as it stands today. Whether you look at it from a product, deployment or economic standpoint, I continue to believe that the future of open identity on the Internet is intimately linked to high assurance identity.</p>

<p><br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>And the Oscar goes to</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2010/03/and_the_oscar_goes_to.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=1888" title="And the Oscar goes to" />
    <id>tag:blogs.verisign.com,2010:/innovation//12.1888</id>
    
    <published>2010-03-16T16:01:23Z</published>
    <updated>2010-03-16T18:11:50Z</updated>
    
    <summary>I could not resist the temptation. Trust Seal, the Trilogy is now on Youtube. The first act is strictly business, but you may not want to miss act II and act III with Snikko the hacker. Rest assured. I have...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Cloud computing" />
    
        <category term="Security" />
    
        <category term="Trust" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p>I could not resist the temptation. Trust Seal, the Trilogy is now on Youtube.</p>

<p><br />
<center><br />
<object width="80%" height="300"><param name="movie" value="http://www.youtube.com/v/E1R6DfAPXzo&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/E1R6DfAPXzo&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="80%" height="300"></embed></object><br />
</center></p>

<p><br />
The first act is strictly business, but you may not want to miss act II and act III with Snikko the hacker. Rest assured. I have already promised the marketing team that there would not be a sequel.</p>

<p><br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>Open Identity Exchange: enabling all the VISAs of identity</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2010/03/enabling_all_the_visas_of_iden_1.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=1881" title="Open Identity Exchange: enabling all the VISAs of identity" />
    <id>tag:blogs.verisign.com,2010:/innovation//12.1881</id>
    
    <published>2010-03-03T17:18:33Z</published>
    <updated>2010-03-03T20:02:58Z</updated>
    
    <summary>The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Identity" />
    
        <category term="OpenID" />
    
        <category term="Security" />
    
        <category term="Trust" />
    
        <category term="authentication" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p>The <a href="http://openidentityexchange.org/">Open Identity Exchange</a> was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards and roll out open identity services to US citizens. For example, the <a href="http://www.nih.gov/">National Institutes of Health</a> can now move out of the pilot phase and support accredited OpenID providers. </p>

<p><br />
So, what is the Open Identity Exchange (OIX)? The OIX aims to enable specialized trust frameworks or certification programs within a vertical community (e.g. US government, health care, financial services). Certification requirements for shared identity can be diverse and complex depending on the level of assurance required. Simply said, when it comes to trust, one size does not fit all. </p>

<p><br />
You can think of a trust framework as the policy sibling of technical standards for identity. Identity policies must be set to deal with privacy, security, and liability. Once policies have been defined, certification can emerge as the foundation for trust between all parties exchanging information. However, the type of policy needed greatly depends on the sensitivity of this information, the security risks, and many other factors, including geopolitical sensitivities. Indeed, the level of trust assurance required to protect access to the energy grid, electronic health care records or social web pages is clearly not the same.</p>

<p><br />
The open approach that the OIX takes is attractive. The OIX does not try to set the policy rules. Instead, it creates a common framework, a shared approach that will enable different communities to create their own certification rules. It is not an easy problem. But because cyber security and key governmental initiatives depend on high assurance identity management, OIX is an important first step toward getting there.<br />
</p>]]>
        
    </content>
</entry>

<entry>
    <title>Rethinking Internet Trust and Reputation</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2010/02/rethinking_trust_and_reputatio.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=1867" title="Rethinking Internet Trust and Reputation" />
    <id>tag:blogs.verisign.com,2010:/innovation//12.1867</id>
    
    <published>2010-02-23T19:57:52Z</published>
    <updated>2010-02-24T03:34:34Z</updated>
    
    <summary>Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service the...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Media &amp; Advertising" />
    
        <category term="Security" />
    
        <category term="Trust" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p>Today, we are launching the <a href="http://www.verisign.com/trust-seal/index.html">VeriSign Trust Seal</a>, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service over the last 15 months. It is always a thrill to release a new product. It is even more exciting when there is a compelling and long-term vision behind the initial release of a new Internet service.</p>

<p><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="SEAL.JPG" src="http://blogs.verisign.com/innovation/SEAL.JPG" width="137" height="89" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span><strong>Setting the standard for website trust</strong><br />
The goal behind this new trust service is as simple as it is lofty. Is it possible to create a blueprint for trust on the Internet? Can we increase safety and trust on the web by raising the bar of security best practices? Can we communicate trust in such a simple visual way that any consumer would understand? Can we promote trust between consumers and websites as an engine for economic growth?<br />
 </p>

<p><br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="trust_blog_banner_1.JPG" src="http://blogs.verisign.com/innovation/trust_blog_banner_1.JPG" width="75%" height="60%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span><strong>Trust brokering as a network service</strong></p>

<p>From the late 13th century Italian Renaissance to the early 21st century global economy, trust has always been a fundamental tenet in the development of commerce and trade. In a world that is increasingly leveraging the web as a channel for customer acquisition, transaction and fulfillment, trust brokering is a critical yet missing network primitive. For enterprises to embrace SaaS applications, suppliers to join Internet marketplaces or consumers to select businesses on the web, the network needs trust brokering services that can certify and assert trust among parties with little prior knowledge of each other. </p>

<p><br />
<strong>A pragmatic starting point for website trust</strong><br />
Web site trust is a multi-faceted problem. Authenticity, security, reliability, assurance, privacy and reputation are all important dimensions to ensuring trust. Therefore, setting the initial bar for Web trust is a significant challenge. Set the bar too low and the lack of substance in the attestation of trust makes it irrelevant to consumers. Set the bar too high and the economic barrier to entry makes the standard irrelevant for websites. Unless a pragmatic balance is achieved, the end goal of a complete standard for trust can never be reached. Trust Seal is VeriSign's initial step toward providing an end to end solution to this challenge. We hope to have achieved such an initial balance of pragmatic relevance, so that we can continuously raise the bar for trust on the Web in the years to come. So, on February 24th 2010, what does it mean for a website to be VeriSign trusted?</p>

<p><br />
 <span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Splash.JPG" src="http://blogs.verisign.com/innovation/Splash.JPG" width="75%" height="60%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span><strong>Authenticity with business authentication</strong><br />
First, it means that we have verified that the web site is authentic. Basically, we verify that the website really is who it says it is. We call this process business authentication. We make sure that the business owner owns the domain name and that the business is a legitimate business. Because bad guys can easily hide behind the façade of a professional web site, this is a very important step toward establishing Web trust. By verifying the true identity of the website and the business behind it, accountability can be achieved. This is similar to what certificate authorities (the good ones) do when they validate an organization before issuing an SSL certificate for e-commerce. What we have done is extend a fundamental principle for trust in ecommerce to any Web domain, to any web site on the World Wide Web. </p>

<p><br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Malware.JPG" src="http://blogs.verisign.com/innovation/Malware.JPG" width="75%" height="60%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span><strong>Safety with malware detection in the cloud </strong><br />
The second check is to evaluate how safe it is for a consumer to visit the website. We contemplated many different approaches. However, the last two years have taught us that the most dangerous thing that can happen to consumers on the Web is to be infected with malware. For that reason, we decided to tackle this significant safety issue of web malware first. The new VeriSign trust seal depends on a successful drive-by-download malware scan. Each website is scanned daily. The seal display is automatically turned off when malware is detected. Remediation instructions are provided to the website to remove the identified exploits.</p>

<p><br />
<strong>Trust Signaling for the Web</strong><br />
For consumers, we are reducing the trust signal to its simplest expression. The seal displayed on the site's web pages attests that the site is authentic and safe. This is where the VeriSign heritage comes into play. Millions of consumers are already familiar with the VeriSign Secured seal for SSL. We are maintaining the brand, but extending the scope and meaning of our trust mark. The VeriSign seal becomes a simple yet powerful visual cue for consumers to assess whether a website meets transparent criteria for authenticity and safety. Trust marks for ecommerce web sites are not new. However, we believe that any commercial website, whether a transactional, non-transactional or social Web outlet of a small or medium business, could greatly benefit from trust marks moving forward.</p>

<p><br />
 <span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="Villa.JPG" src="http://blogs.verisign.com/innovation/Villa.JPG" width="75%" height="60%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span><strong>Beyond the web site: trust signaling in search and directories</strong><br />
In the long run, trust and reputation assessment should become part of the discovery process for online businesses. Popularity and page ranks are one dimension of search. How much a site can be trusted ("trust rank") is an important measure as well. In fact, in recent years, safe search has emerged as an important feature for search engines and end-point security clients. Both have already integrated features to detect, signal and block drive-by malware infected websites. "White lists" of trusted sites should prove an important complement to black lists for search and navigation. Therefore, we have been working to integrate the new seal as a trust indicator in search and directory services (more on that in a future post).</p>

<p><br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="SIS.JPG" src="http://blogs.verisign.com/innovation/SIS.JPG" width="75%" height="60%" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span></p>

<p>As you can see, the VeriSign Trust Seal encompasses many new features and the roadmap should keep the product and development teams busy for a while. We are thrilled to tackle one of the most critical and challenging Internet issues. So, give the new service a test run and let us know what you think.</p>]]>
        
    </content>
</entry>

<entry>
    <title>Google Hacked or Why the Cyber World Could Get M.A.D**</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/innovation/2010/02/google_hacked_or_why_the_cyber.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=12/entry_id=1865" title="Google Hacked or Why the Cyber World Could Get M.A.D**" />
    <id>tag:blogs.verisign.com,2010:/innovation//12.1865</id>
    
    <published>2010-02-16T16:29:24Z</published>
    <updated>2010-02-16T16:30:38Z</updated>
    
    <summary> As the world already knows, Google and a few other prominent US companies got severely hacked around Christmas time last year. Sophos has an interesting analysis of the exploit. Web malware and a zero day vulnerability in IE6 were...</summary>
    <author>
        <name>Nico Popp</name>
        <uri>http://nico.pip.verisignlabs.com</uri>
    </author>
    
        <category term="Security" />
    
        <category term="Trust" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/innovation/">
        <![CDATA[<p><br />
As the world already knows, Google and a few other prominent US companies got <a href="http://www.pcworld.com/article/186783/google_hack_raises_serious_concerns_us_says.html">severely hacked </a>around Christmas time last year. Sophos has an <a href="http://www.sophos.com/blogs/duck/g/2010/01/20/aurora-exploit-live/">interesting analysis</a> of the exploit. Web malware and a zero day vulnerability in IE6 were essential to the exploit. </p>

<p><br />
For security folks, this was a meaningful event. The level of sophistication of the attacker was unprecedented. The attack was carefully crafted. The breach was severe. For tomorrow's cyber historians, however, the breach may prove to be a tipping point. In fact, it may even change the way the world approaches cyber security and cyber warfare. So, what makes the Google hack such a game-changer? Could it be the magnitude of the attack, the significance of the targets or even the <a href="http://www.businessinsider.com/did-the-chinese-government-hack-google-2010-1">rumored origins </a>of the perpetrators? No, we must look somewhere else.</p>

<p><br />
Start with Google. I have personally met members of the Google security team. There is no doubt that Google has a world class security team. So, if it happened to Google, it could have happened to any organization, be it private, governmental or foreign. This exposes a fundamental truth of cyber security: attackers always have the advantage. Indeed, there will always be the next zero-day vulnerability, the weak social engineering link or the unsuspected insider loophole. The Google hack simply makes the reality of cyber security more blatantly obvious and more public than any other attack before. In the cyber world, the old adage still prevails: "si vis pacem, para bellum". </p>

<p><br />
This may leave governments and intelligence agencies worldwide with a difficult consideration. If the advantage lies on the attacker's side, the only pragmatic cyber defense may well be cyber offense. Under this scenario, the most solid hope for protection becomes fear of retaliation. This is the old <a href="http://en.wikipedia.org/wiki/Mutual_assured_destruction">Mutually Assured Destruction (M.A.D) principle</a> of the cold war. In tomorrow's world, the nuclear truth of yesterday takes on a new meaning: do not take my smart power grid down, as I will shut down yours within seconds. Do not collapse the transactional backbone of my financial institution, or yours will instantly follow the same fate. Yes, if the Google hack teaches us something, it is that cyber security agencies around the globe may soon have to consider M.A.D strategies.</p>

<p><br />
Disturbing thought, flawed interpretation, or irrational conclusion? I certainly hope so, since the comparison with nuclear warfare does not bode well for the good cyber security guys. With nuclear threats, at least, public opinion could find some illusion of comfort. The complexity of assembling nuclear weapons of mass destruction meant that only a handful of belligerent nations would be regarded as real threats. But here lies the second inconvenient truth of cyber warfare. When it comes to cyber terrorism, the barrier to entry is extremely low. In fact, it does not take much to build an effective cyber SWAT team. Training is cheap, fast and effective. Some say that it is already being done <a href="http://www.wired.com/dangerroom/2008/04/second-life/">on the Internet</a>. For sure, training material is available for free on the Web. The ultimate irony is that you can probably Google it.<br />
 </p>

<p><br />
**M.A.D: Mutually Assured Destruction</p>]]>
        
    </content>
</entry>

</feed> 

