Exploring the science and magic of Identity and Access Management

Security and Compliance in the Cloud

General
Author: Mark Dixon
Tuesday, September 29, 2009
2:06 pm

This morning, I listened to an excellent webinar entitled “Pinning Down Cloud Computing,” hosted by Yankee Group Research.  Yankee Group Vice President Camille Mender and Senior Analyst Agatha Poon explored the popular topic of cloud computing, focusing much on the business details enterprises must pay attention to if they are to successfully harness the promises of cloud computing – important things like uptime/availability, maintenance, penalties for non-performance,  limitations of liability and privacy / data protection, to name a few.

I liked the following diagram used to discuss the different levels or tiers of a cloud “stack” architecture.  The “Security and Compliance” bar to the left is a good way to illustrate the importance of information security and related compliance activities at each tier of the stack.  Of course, Identity Management is a critical underpinning of that security and compliance functionality.

[Diagram: Yankee Group cloud stack, with a “Security and Compliance” bar spanning all tiers. Diagram Copyright © 2009 Yankee Group Research, Inc. All rights reserved.  Used with permission.]

It was pointed out that the top three barriers to cloud computing uptake are:

  • Security (39%)
  • Reliability (35%)
  • IT governance (33%)

The cloud computing market is still maturing.  So far, only a small percentage of enterprises are shifting a large part of their IT budgets to the cloud.  Recognizing the essential role Identity Management plays in security and governance is critical to accelerating that movement.

Sun Java Communications Suite 7

General
Author: Mark Dixon
Tuesday, September 29, 2009
1:33 pm

Congratulations to the Sun team for today’s release of Sun Java Communications Suite 7.  Did you know that there are over 150 million seats of the Sun Java Communications suite in production?  Telcos and other service providers all over the world use this suite for high scalability and performance in a service provider environment.

I particularly like the “Convergence” web client that provides a state-of-the-art AJAX Web 2.0 client experience for users.  It’s great to see the innovation rising out of this great group of Sun people.

Thanks, Dave!

Identity
Author: Mark Dixon
Monday, September 28, 2009
4:11 pm

I was honored today to have the wise sage of Identity, Dave Kearns, refer to me as a “fellow grandfather” and borrow content from my DIDW post (with my permission, of course) in his article about Digital ID World.  It’s always great to share thoughts with Dave.

Identity Management Trends and Predictions

Identity
Author: Mark Dixon
Thursday, September 24, 2009
5:04 pm

My Sun Microsystems colleague Dave Edstrom asked me recently to prepare a webinar entitled “Identity Management in 2010: Trends and Predictions” and present it on the weekly “Software Technical Roundtable” he co-hosts for Sun Microsystems employees and partners.  Preparing for this specific event gave me just the right impetus to crystallize my thoughts on this subject, so I thank Dave for giving me the challenge.  I prepared the presentation deck (in OpenOffice, of course) earlier this week and presented the webinar to about 90 people this morning via Webex/teleconference.

I can’t share everything I discussed with our restricted audience this morning, but in this blog post, I’ll briefly describe eleven major trends that I see in the industry.  This is a precursor to more detailed posts I’ll author on each trend over the next several days.

First, a few caveats:

  1. Predictions rarely happen as quickly as we would like.  For example, in 2007 I gave an Identity Trends presentation at the JavaOne conference.  While some of my predictions evolved as expected, several trends have taken longer to develop.  I suppose it will be the same with the trends I describe in this post.
  2. This presentation focuses more on business issues than technology.  I did not attempt to address the trends in specific protocols or products, but chose to focus on the impact of these trends on business.
  3. This list of trends reflects my own opinions, which are not necessarily reflective of Sun Microsystems official positions or product road maps.
  4. This presentation does not represent Oracle in any way.  I have not discussed this list of trends with any Oracle people, nor could I comment on those conversations if I had.

With those caveats, here is my list of the top eleven Identity Management trends for the year ahead.  I really tried to make a nice round list of ten, but I felt it made more sense to separate Authentication and Authorization into separate subjects.

  1. Market Maturity.  The Identity Management market is maturing.  Much focus is being given to best practices of how to maximize enterprises’ investment in these systems.  Rather than focusing on green field Identity implementations,  enterprises are concentrating on system expansion or replacement.  The industry continues to consolidate, as we at Sun are well aware.
  2. Authentication. Demand for strong authentication is growing as enterprises and government agencies seek to deter cybercrime. While some have predicted the “death of the password”, the widespread use of UserID/Password as the predominant method of authentication will most likely not go away until we see wide adoption of alternate authentication methods that are both secure and easy to use.
  3. Authorization.  Fine grained authorization is increasingly desirable but difficult to implement.  Policy management standards (e.g. XACML) are also desirable, but not in broad production.  Complexity in adapting applications to take advantage of standard authorization methods will continue to delay adoption.
  4. Identity Assurance.  Answering the question “are you really who you claim to be?” prior to the issuance of Identity credentials continues to be a thorny problem, but is increasingly important in the ongoing battle against fraud. The Liberty Alliance Identity Assurance Framework provides a valuable industry model that defines four levels of assurance, based on confidence in the validity of asserted identities and the potential impact of errors.
  5. Roles and Attributes.  There is a growing acceptance of role based access control in production systems.  Governance of the role definition and maintenance process, linked to governance of the Identity Provisioning process, is essential.  Enterprises are discovering that the use of roles is potentially broader than RBAC, including use of data analytics to evaluate the effectiveness of organizations.  The use of attribute-based authentication is being hailed in some markets, particularly the public sector, as an alternative to RBAC.  However, a blended approach may be the best solution.
  6. Identity Federation.  In some ways, Identity Federation is a given.  SAML is broadly used as a standard protocol and successful business models have been implemented.  However, broader adoption is often difficult because business challenges are larger than technology challenges.  Burning questions swirl around the challenges of using federation in cloud computing.
  7. Regulation.  Government regulations (e.g. SOX, HIPAA/HITECH), which primarily address governance, security and privacy issues, will continue to expand, both on national and state/province levels.  For example, the HITECH Act which became law earlier this year expanded HIPAA security and privacy regulations to address business partners, and added security breach notification to the national statute.  At the same time, industry-driven regulations such as PCI DSS also impose stringent requirements on online merchants.  In all these areas, Identity is a critical enabler for compliance.
  8. Personalization and Context.  Personalization can enhance the value of online user experience.  Both identity and context are essential for personalization.  Concepts such as “persona selection” and the “purpose-driven web” focus on enriching user experience by blending identity and context.
  9. Identity Analytics.  Advanced data analytics will bring value to many identity-based activities such as Authentication (historical “fingerprints” based on your patterns of accessing online resources), Context/Purpose (predicting preferences from your historical activity) and Auditing (who really did what when?).
  10. Internet Identity.  Identity systems for the Internet must efficiently accommodate billions of individual Identities.  User-centric or user-managed Identity technologies such as Infocard/Cardspace and OpenID are trying to address the inherent tension between security and ease-of-use requirements.  Commercial Identity providers are emerging, including the likes of Facebook, Google, Yahoo, PayPal, Equifax and others, both in public and private sectors.
  11. Identity in the Cloud.  Identity as a Service (IDaaS) is a critical foundation for Cloud Computing.  A number of IDaaS companies are emerging to address this specific need.  One of the main barriers to effectively implementing Identity in the cloud is the increased complexity of having to establish effective trust relationships between enterprises and service providers, while protecting the security and privacy requirements imposed by customers and regulations.

So, there is my list of eleven major trends.  Your list or focus on specific topics might differ.  Please let me know what you think.  Please also stay tuned to my discussion of these eleven trends in future blog posts.

Digital ID World – Final Thoughts

Identity
Author: Mark Dixon
Thursday, September 17, 2009
11:14 am

I missed the final sessions of Digital ID World on Wednesday because of commitments in California.  Judging from the Twitter traffic, it sounded like some great stuff was discussed.

As a follow-up to my posts for Day 1 and Day 2, here are my top ten final thoughts about the conference (without the benefit of Day 3):

  1. Most Stimulating Information. Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.
  2. Newest Identity Concept. Phil Windley’s proposal to enable contextualized, purpose-based user experiences using the web browser as a point of integration triggers lots of new thoughts about extracting value from the Internet.
  3. Most Reinforced Notion. The Identity Management market is maturing.  Companies are seeking to learn best practices for getting the most out of their investments.
  4. Biggest Question in my Mind. How much validity should we place in Symplified’s claim that “Federation is Dead.  Long Live the Federation Fabric?”
  5. Most Enjoyable Networking Moments.  Meeting folks in person I have only met virtually beforehand.  In person wins every time.
  6. Most-asked Question.  Nearly everyone whom I spoke with asked me something about the Oracle acquisition of Sun.  That happened to be the easiest question for me to answer: “Until the deal closes, we are independent companies.  We must wait until then for details.”
  7. Best Trade Show Giveaway. An LED flashlight from Novell.  Incandescent bulb flashlights seem to be quickly joining buggy whips in the dustbins of history (except for special cases).
  8. Biggest Pet Peeve.  No power strips or WIFI were provided for attendees.  This severely limited note taking and real-time blogging.
  9. Most Entertaining Event.  No, not the parties.  It was the Chinese guy who drove my taxi to the airport.  He chattered non-stop for the whole trip about technology, Maryland, California, Utah, Idaho, Micron, Sun Microsystems, Oracle, potato chips, microchips, stock trading, traffic and dishonest taxi drivers.  What a hoot!
  10. Biggest Disappointment. The show seems to get smaller each year – both in the number of attendees and participating vendors.  Will it survive?

That’s my list.  What do you think?

Presentations: A Digital Reckoning of My Value

Humor
Author: Mark Dixon
Thursday, September 17, 2009
10:01 am

Admit it. We’ve all been here …

Digital ID World – Day 2

Identity
Author: Mark Dixon
Tuesday, September 15, 2009
9:37 pm

Today was really the first “official” day of the Digital ID World conference, but for me – Day 2.  So, here are some short highlights of the sessions I attended.

Cops and Robbers, Las Vegas Style – Jeff Jonas, Chief Scientist, IBM Entity Analytic Solutions

  • Las Vegas is his “laboratory” for identity analytics – resorts typically have 100+ systems and 20,000+ sensors
  • Context engines close the gap between the rapidly increasing amount of digital data and the less rapid growth of “sense-making” algorithms
  • Mobile operators are accumulating 600 billion cellphone transaction records annually and are selling this data to third parties who use advanced analytics to identify space/time/travel characteristics of individual people

Context Automation – Phil Windley, CTO, Kynetx

  • Web marketing is currently focused on servers, using the metaphor of “location”
  • Focus on “purpose” from the client’s perspective, using an intelligent, adaptable browser, will bridge between server-based silos to give users a richer, more purposeful experience

The Implications of Privacy on IDM – Larry Ponemon, Founder and Chairman, Ponemon Institute

  • Many cultural differences are evident between nations and areas of the world with regard to privacy, security and identity management expectations.
  • Companies doing business internationally will need to be sensitive to cultural and legal issues in the nations where they do business.
  • People are growing tired of fact-based identity
  • Perceptions of privacy are inextricably linked to identity and authentication

Business Process and Legal Issues in Cross-Org Secure Collaboration – Peter McLaughlin, Foley & Lardner

  • Regulatory language should be treated as a floor, rather than a ceiling
  • Normal industry practices may represent minimum requirements but may not guarantee compliance
  • Make sure your business partners abide by same laws your company is subject to
  • Reputational risk will always stay with your company, but you may seek to share financial risk with partners

Identity Governance Frameworks – Marc Lindsey, Levine, Blaszak, Block & Boothby

  • Legal agreements seek to apportion liability – who is responsible for what?
  • Comprehensive frameworks for governing such agreements are emerging
  • Modern federation agreements need to be better than the old EDI agreements

Dealing with International Privacy Laws – Discussion led by Larry Ponemon, Founder and Chairman, Ponemon Institute

  • Complex international privacy laws affecting data transport hamper organizations’ ability to do their legitimate work.
  • Will it be easier or harder to deal with international differences in privacy laws in five years?  (majority of audience said no)

Federation is Dead: Long Live the Federation Fabric – Symplified

  • Federation must move to a utility model to overcome the costs and complexity associated with one-to-one integration.

Building Good Practices into Your Processes – Edward Higgins, Vice President of Security Services, Digital Discovery Corporation

  • Education of employees on good security practices is a critical part of getting value from your IDM investment

Digital ID World – Day 1

Identity
Author: Mark Dixon
Tuesday, September 15, 2009
9:17 pm

On Monday and Tuesday this week, I attended the Digital ID World (DIDW) conference held at the Rio Hotel in Las Vegas.  It has been enjoyable to take the pulse of the industry from yet another vantage point and connect with fellow Identity Management practitioners from diverse locations.  Of course, the first question nearly everyone asked me had something to do with Oracle, but, of course, I can’t talk about that.  So, here are very brief highlights of each session I attended the first day (Authentication and Virtual Directory “Summit Sessions”):

The State of Authentication and its Impact on IDM – Jim Reno, CTO, Arcot

  • “Risk Based Authentication” is a fourth factor of authentication, augmenting traditional factors (what you have, know, and are)
  • Authentication should consider context when assessing risk
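As an illustration of the “fourth factor” described in the two bullets above (and of the historical “fingerprints” mentioned under Identity Analytics in the trends post), here is a context-scoring routine added as an example; it is not code from Arcot or any other vendor discussed at the conference. The profile fields, risk weights, thresholds and the 900 km/h travel limit are all assumptions of the example.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Weights and thresholds are assumptions for this example, not vendor values.
WEIGHTS = {"unknown_device": 30, "unusual_country": 25,
           "unusual_hour": 10, "impossible_travel": 40}
STEP_UP_AT, DENY_AT = 20, 60   # score < 20 allow, < 60 require a second factor, else deny
MAX_PLAUSIBLE_KMH = 900        # faster than this between two logins is "impossible travel"


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    lat: float
    lon: float
    local_hour: int   # 0-23
    ts: float         # epoch seconds


@dataclass
class UserProfile:
    """The historical fingerprint learned from a user's past successful logins."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_ts: Optional[float] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_attempt(profile, attempt):
    """Compare the attempt's context with the profile; returns (score, reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]; reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]; reasons.append("unusual_country")
    if attempt.local_hour not in profile.usual_hours:
        score += WEIGHTS["unusual_hour"]; reasons.append("unusual_hour")
    if profile.last_ts is not None:
        km = haversine_km(profile.last_lat, profile.last_lon, attempt.lat, attempt.lon)
        hours = max((attempt.ts - profile.last_ts) / 3600, 1 / 60)  # floor at one minute
        if km / hours > MAX_PLAUSIBLE_KMH:
            score += WEIGHTS["impossible_travel"]; reasons.append("impossible_travel")
    return score, reasons


def decide(score):
    """Map a risk score to an authentication decision."""
    if score < STEP_UP_AT:
        return "allow"
    if score < DENY_AT:
        return "step_up"
    return "deny"


def record_success(profile, attempt):
    """After a successful (and, if required, stepped-up) login, fold the context
    into the profile so the fingerprint adapts to legitimate change."""
    profile.known_devices.add(attempt.device_id)
    profile.usual_countries.add(attempt.country)
    profile.usual_hours.add(attempt.local_hour)
    profile.last_lat, profile.last_lon, profile.last_ts = attempt.lat, attempt.lon, attempt.ts
    return profile


def sample_profile():
    """Constructed profile: one laptop, always from Las Vegas during working hours."""
    return UserProfile(known_devices={"laptop-01"}, usual_countries={"US"},
                       usual_hours=set(range(7, 20)),
                       last_lat=36.17, last_lon=-115.14, last_ts=1_253_000_000.0)


if __name__ == "__main__":
    p = sample_profile()
    for a in (LoginAttempt("laptop-01", "US", 36.17, -115.14, 9, p.last_ts + 7200),
              LoginAttempt("phone-77", "GB", 51.51, -0.13, 3, p.last_ts + 3600)):
        s, why = score_attempt(p, a)
        print(a.device_id, s, decide(s), why)
```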

Authentication Case Study – Naomi Shibata, former GM/COO, MLSListings

  • Communications with users is essential prior to authentication system rollout

The Future of Authentication – panel including Jim Reno and Naomi Shibata, moderated by Bill Brenner, Sr. Editor of CSO Magazine

  • Business, legal, regulatory and liability issues are more onerous than technical issues when considering an authentication system
  • Authentication technology advances usually occur in response to advances in threats
  • Enterprises should periodically re-verify appropriateness of installed authentication systems in light of advances in technology and threats
  • Identity assurance is increasing in importance

Identity Service Virtualization and Context Management – Michel Prompt, CEO/Founder, Radiant Logic

  • It is difficult to define Identity without understanding the context in which it is used
  • Understanding relationships between identity objects enables a global model that links identities together to enable contextual views
  • Such Identity linking can occur in a virtualization layer between diverse identity repositories and applications which consume those identities

Case Study: Identity Services and Virtualization – Bill Brenner, CSO Magazine and Mohammad Khattak, Booz Allen Hamilton

  • Dynamic Access Control requires a consolidated identity repository fed by many sources of identity information
  • When aggregating data sources, we need to understand the trust level in each source repository

Impact of Oracle/Sun Acquisition – David Rusting, Unisys and Todd Clayton, CoreBlox

Note: I am restricted from commenting on product roadmaps or anything related to the Oracle acquisition of Sun.  The following comments are views expressed by the panelists.

  • The primary discussion focused on how customers should plan for potential changes in either Sun or Oracle directory roadmaps
  • A virtualization layer between directory and applications may provide a layer of abstraction to shield customers from changes in vendor roadmaps and reduce ties to a single vendor
  • This may be a time to re-evaluate application needs and determine which direction to go with regards to directory technology

Stay tuned for Day 2!

Privacy Principles Depend on Context

Identity
Author: Mark Dixon
Friday, September 11, 2009
12:48 pm

It is an interesting exercise to Google the term “Privacy Principles” and review the different definitions of privacy and different lists of fundamental privacy principles established by various enterprises, organizations and government agencies.  While there are threads of commonality throughout these different lists, it is intriguing to see how different perspectives can emphasize different issues.

For example, at the Burton Group Catalyst Conference in July, Bob Blakley proposed the following list of privacy principles (further described in the white paper, “Privacy” by Ian Glazer and Bob Blakley, which is available by subscription):

  1. Accountability
  2. Transparency
  3. Meaningful choice
  4. Minimal collection and disclosure
  5. Constrained use
  6. Data quality and accuracy
  7. Validated access
  8. Security

In December 2008, the U.S. Department of Health and Human Services issued guidance on how to conform to HIPAA privacy and security requirements. This guidance consists of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which also sets forth eight Privacy Principles:

  1. Individual Access. Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.

  2. Correction. Individuals should have a way to timely question the accuracy or integrity of their individually identifiable health information and to have erroneous information corrected or to have a dispute documented if their requests are denied.

  3. Openness and Transparency. There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.

  4. Individual Choice. Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.

  5. Collection, Use, and Disclosure Limitation. Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish specified purposes and never to discriminate inappropriately.

  6. Data Quality and Integrity. Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner.

  7. Safeguards. Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

  8. Accountability. The Principles in the Framework should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.

You can see both similarities and differences in these lists. 

Ian and Bob observed in their report that privacy is highly dependent on the context in which it is applied:

Privacy is, fundamentally, contextual. Any question about privacy must be understood in the context of:

  • The starting assumptions and principles of the parties
  • The relationship between the parties
  • The interaction between the parties among which private information is shared
  • The domain (e.g., sector, nation, etc.) in which the parties are interacting
  • The societal norms to which the parties adhere

Minor variations in any one of these contextual aspects of the situation can lead to major differences in the privacy practices that should be applied.

So, while on the surface one might expect that a standard set of privacy principles would apply in all cases, each enterprise, market or agency must view privacy from their own slightly different perspective, based on the context within which privacy principles are applied.  Normalized lists of privacy principles may provide a valuable foundation, but it is critical for each enterprise or organization seeking to implement an effective privacy program to establish their own list, depending on their context.

“Anonymized” Data Really Isn’t

Identity
Author: Mark Dixon
Thursday, September 10, 2009
5:37 pm

I enjoy watching re-runs of the television drama, NCIS, where a dysfunctional little group of crime-fighting superstars often analyze divergent bits of data to solve seemingly unsolvable mysteries.  Last night, Agent McGee correlated data from phone records, automobile registrations and police station activity records to pinpoint a bad cop in collusion with an international drug lord.  Far fetched?  Perhaps not.

I have been spending much of my time recently preparing a white paper addressing the issues of HIPAA privacy and security compliance, particularly in light of expanded regulations emerging from the “stimulus bill” signed into law earlier this year.  As I have explored privacy issues related to electronic health records, I was particularly intrigued by an article by Nate Anderson entitled “’Anonymized’ Data Really Isn’t and here’s why not”, published in Ars Technica earlier this week.

On the surface, it would seem that removing obvious identifiers such as name, address and Social Security Number from a person’s data record would cause that record to be “anonymous” – not traceable to a single individual.  This approach is commonly used by large data repositories and marketing firms to allow mass data analysis or demographic advertising targeting.

However, work by computer scientists over the past fifteen years shows that it is quite straightforward to extract personal information by analyzing seemingly unrelated, “anonymized” data sets. This work has “shown a serious flaw in the basic idea behind ‘personal information’: almost all information can be ‘personal’ when combined with enough other relevant bits of data.”

For example, researcher Latanya Sweeney showed in 2000 that “87 percent of all Americans could be uniquely identified using only three bits of information: ZIP code, birthdate, and sex.”
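To make the point above concrete, here is a k-anonymity check over a small constructed record set, added as an example and not taken from the post or from Sweeney’s or Ohm’s papers: it counts how many “anonymized” records are still unique on the three quasi-identifiers (ZIP code, birthdate, sex) and then coarsens those fields until every combination covers at least k records. The records, the generalization ladder and the target k are all assumptions of the example.

```python
from collections import Counter

# Constructed sample of "anonymized" health records: name, address and SSN have
# already been stripped, but Sweeney's three quasi-identifiers remain intact.
RECORDS = [
    {"zip": "02138", "dob": "1965-07-02", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1965-07-14", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1971-03-09", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1971-11-23", "sex": "M", "diagnosis": "influenza"},
    {"zip": "02140", "dob": "1982-01-30", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02141", "dob": "1982-05-17", "sex": "F", "diagnosis": "migraine"},
]
QUASI_IDS = ("zip", "dob", "sex")

# Generalization ladder (assumed for this example), from "unchanged" to the
# coarsest form we are willing to release: (leading ZIP digits kept, DOB precision).
LADDER = [(5, "full"), (3, "year"), (3, "decade"), (2, "decade"), (0, "decade")]


def qi_tuple(record, quasi_ids):
    """The quasi-identifier combination an outside dataset could be joined on."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids):
    """Count how many records share each quasi-identifier combination."""
    return Counter(qi_tuple(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """A dataset is k-anonymous for k equal to the size of its smallest class."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi_ids):
    """Records whose combination occurs once (k=1): a single outside source with
    the same three fields is enough to re-identify them."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[qi_tuple(r, quasi_ids)] == 1]


def generalize(record, zip_digits, dob_precision):
    """Copy the record with ZIP truncated to a prefix and DOB coarsened."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    year = int(record["dob"][:4])
    if dob_precision == "year":
        out["dob"] = str(year)
    elif dob_precision == "decade":
        out["dob"] = f"{year // 10 * 10}s"
    return out


def generalize_until_k(records, quasi_ids, k_target):
    """Walk the ladder until the dataset reaches k_target; returns (records, k, step).
    If even the coarsest step falls short, the last step is returned with its k so
    the caller can see the data is not releasable at the requested k."""
    for step in LADDER:
        generalized = [generalize(r, *step) for r in records]
        k = k_anonymity(generalized, quasi_ids)
        if k >= k_target:
            break
    return generalized, k, step


if __name__ == "__main__":
    print("k on raw quasi-identifiers:", k_anonymity(RECORDS, QUASI_IDS))
    print("uniquely identifiable records:", len(unique_records(RECORDS, QUASI_IDS)))
    released, k, step = generalize_until_k(RECORDS, QUASI_IDS, 2)
    print(f"after generalization {step}: k={k}")
    for r in released:
        print(r)
```

On the sample, every raw record is unique (k=1); truncating ZIP to three digits and birthdate to year reaches k=2, while no step on the ladder reaches k=3, which is exactly the trade-off between utility and re-identification risk that the article describes.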

Professor Paul Ohm of the Colorado School of Law, in his lengthy new paper on “the surprising failure of anonymization,” wrote:

As increasing amounts of information on all of us are collected and disseminated online, scrubbing data just isn’t enough to keep our individual "databases of ruin" out of the hands of the police, political enemies, nosy neighbors, friends, and spies.

If that doesn’t sound scary, just think about your own secrets, large and small—those films you watched, those items you searched for, those pills you took, those forum posts you made. The power of re-identification brings them closer to public exposure every day. So, in a world where the PII concept is dying, how should we start thinking about data privacy and security?

Ohm went on to outline a nightmare scenario:

For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical ‘database of ruin,’ the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Re-identification has formed the database of ruin and given access to it to our worst enemies.

I won’t ask what your “blackmail-able facts” might be, and won’t tell you mine.  But it is sobering to think what abuses might emerge from the continued amassing of online data about all of us.  This certainly casts new light on the importance of privacy and security protections for all of our personal data.

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.