
Exploring the science and magic of Identity and Access Management

The competitor to be feared is one who never bothers about you at all, but goes on making his own business better all the time. — Henry Ford

Thursday, April 24, 2014

National Strategy For Trusted Identities In Cyberspace – My Take

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 29, 2011
5:54 pm

When I hear a message that begins, “We’re from the government, and we’re here to help,” I am naturally suspicious.  My political philosophy, based on personal freedom, individual responsibility and natural consequences, is all too often infringed upon by over-reaching, even if well-intentioned, government mandates.  So, when I first learned of the “National Strategy For Trusted Identities In Cyberspace,” I quite naturally envisioned the typical government movement towards stronger control, greater regulation and reduced freedom.
 
However, rather than leave interpretation to others, I actually read the 45-page National Strategy For Trusted Identities In Cyberspace document that was officially released on April 15th.  Based on what I read, this initiative seems more like guidance for a national Interstate Highway system than a mandate for socialized health care.
 
On page 29 of the document, speaking of the goals for this initiative, we read:
These goals will require the active collaboration of all levels of government and the private sector. The private sector will be the primary developer, implementer, owner, and operator of the Identity Ecosystem, which will succeed only if it serves as a platform for innovation in the market. The Federal Government will enable the private sector and will lead by example through the early adoption and provision of Identity Ecosystem services. It will partner with the private sector to develop the Identity Ecosystem, and it will ensure that baseline levels of security, privacy, and interoperability are built into the Identity Ecosystem Framework.
If indeed the Federal Government can act as a catalyst, in cooperation with the private sector, to accelerate progress toward a secure, convenient, easy to use, interoperable and innovative framework for trusted identities, without exercising control and exploitation over participants, I can strongly support the initiative.
 
However, it is the nature of most people in areas of concentrated power to abuse the power with which they have been entrusted.  This natural tendency, in both the public and private sector, may lead to unintended bad consequences as a result of this initiative.  As the Trusted Identities initiative moves forward, we must be vigilant to make sure public or private power is not abused.

That said, I include here some key points from the document.  A user-centric “Identity Ecosystem” is proposed – an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices. 

The Identity Ecosystem, as envisioned here, will increase the following:
  • Privacy protections for individuals, who will be able trust that their personal data is handled fairly and transparently;
  • Convenience for individuals, who may choose to manage fewer passwords or accounts than they do today;
  • Efficiency for organizations, which will benefit from a reduction in paper-based and account management processes;
  • Ease-of-use, by automating identity solutions whenever possible and basing them on technology that is simple to operate;
  • Security, by making it more difficult for criminals to compromise online transactions;
  • Confidence that digital identities are adequately protected, thereby promoting the use of online services;
  • Innovation, by lowering the risk associated with sensitive services and by enabling service providers to develop or expand their online presence;
  • Choice, as service providers offer individuals different—yet interoperable—identity credentials and media.
The Trusted Identity Strategy specifies four Guiding Principles to which the Identity Ecosystem must adhere:
  • Identity solutions will be privacy-enhancing and voluntary 
  • Identity solutions will be secure and resilient
  • Identity solutions will be interoperable
  • Identity solutions will be cost-effective and easy to use
The document spends over 40 pages explaining and exploring these goals and guiding principles.  Many more pages in many more documents will be produced before these objectives are achieved.
 
I look forward to following the progress of this initiative.  If this helps focus attention and resources on resolution of some difficult identity issues we face, it will be a good thing. Let’s work together to make that happen.

Where are Abby and Tim when we need them?

Information Security
Author: Mark Dixon
Friday, April 29, 2011
4:02 pm

Where are Abby Sciuto and Timothy McGee when we need their help?  It would seem that their almost supernatural skills in cybersecurity and good-guy hacking are in great demand.  As reported by Josh Smith in NextGov:
Many of the FBI field agents assigned to combat cyber threats say they do not have enough expertise to do it, according to a new report from the Justice Department’s inspector general.
 
Justice Department officials found that more than a third of the 36 FBI agents surveyed said they don’t have the networking or counterintelligence expertise needed to effectively investigate national security breaches. The report also said that field offices lacked the forensic and analytical capabilities to take on national security investigations.
Recent high-profile cases such as the Sony PS3 Network breach have raised the level of national awareness.
Sen. Susan Collins, R-Maine, who has proposed cybersecurity legislation on Capitol Hill, said the need for a capable cybersecurity work force is “more urgent than ever.”
“The threat of cyber attacks continues to grow every day,” said Collins, ranking member on the Homeland Security and Governmental Affairs Committee, in a statement. “That is why it is so troubling that the federal government has not adequately trained its cyber professionals to combat these threats.”
 
A dearth of trained cybersecurity professionals is plaguing government and industry efforts, with some analysts estimating that the U.S. needs 20,000 to 30,000 more people to adequately defend cyberspace.
 
Of course, if Abby and Tim are to help the FBI solve its problems, Jethro and Tobias might need to lighten the NCIS/FBI rivalry up a bit. 

Are We Addicted to Broadband Internet?

Humor, Social Media
Author: Mark Dixon
Friday, April 29, 2011
3:33 pm


Jeremy Duncan seems to be addicted.  Are you?

I think my family would rather have a full-scale electrical blackout than an Internet interruption.


Sony PlayStation Security Breach – High Profile

Information Security
Author: Mark Dixon
Friday, April 29, 2011
3:11 pm

The recent security breach affecting Sony Corp’s PlayStation Network is receiving high profile attention. As reported by Nick Wingfield in today’s Wall Street Journal:
Two U. S. Congress members are asking Sony Corp. to explain its handling of the recently disclosed data breach involving its PlayStation Network, one of the largest data thefts in history.
 
On Friday, Rep. Mary Bono Mack (R., Calif.) and Rep. G.K. Butterfield (D., N.C.), members of a Congressional subcommittee on commerce, manufacturing and trade, asked Kazuo Hirai, the head of Sony’s videogames division, to address their concerns. The letter asked when Sony first learned of the recent breach, why it waited days to notify its customers, and how Sony intends to prevent further breaches in the future.
The scope of the data theft and probable cost of remediation are immense:
Sony has said the breach occurred earlier this month and resulted in the loss of names, addresses and possibly credit card numbers associated with 77 million accounts on its online game network. While Sony and law enforcement officials haven’t addressed whether they have any suspects in the intrusion, one prominent target of a past Sony legal attack over a hacking incident denied any involvement in the data theft.
 
Sony hasn’t said what the financial impact from the data intrusion will be. Larry Ponemon, founder of a firm called the Ponemon Institute that analyzes the costs of data breaches, estimated it could run as much as $1.5 billion, including everything from Sony’s own forensic investigation, to the diversion of Sony personnel from their regular responsibilities to the cost of making amends to customers with free offerings.
Since I don’t use the PlayStation network, I am probably not affected personally by this breach, but I know a lot of folks who are.  The fact that Congress is getting involved shows what a high profile information security is attaining in today’s battles between the good guys and the bad guys.

Gartner names Veriphyr “Cool Vendor in Identity and Access Management”

Identity
Author: Mark Dixon
Friday, April 29, 2011
11:18 am


Congratulations to my good friend Alan Norquist, whose company Veriphyr was named a “Cool Vendor in Identity and Access Management” in a recent Gartner report.  Veriphyr offers an on-demand SaaS service that “analyzes identities, privileges, and user activity to detect violation of access control down to the record level to deter snooping into sensitive data.”

I received Alan’s email informing me of this recognition earlier today – ironically just two days after I posted an article about the business benefits of Identity and Access Intelligence.  Here is Veriphyr’s definition of Identity and Access Intelligence:

Identity and access intelligence (IAI) is a new category of SaaS application that uses advanced data analytics to mine identity, rights, and activity data for intelligence that is useful not only for IT operations, but also for broader business operations. What is new about IAI is its focus on the needs of the business manager, who typically has the best knowledge of what resources their direct reports should or should not be accessing, when they should be accessing it, and how much resource utilization is appropriate. IAI informs the identity and access management process (IAM) in a way that provides rapid value to business managers and generates the buy-in from business stakeholders that is needed for a successful project implementation.

I predict that this segment of the Identity and Access Management market will grow rapidly, as enterprises seek to gain actionable intelligence from their growing mountains of available Identity and Access data.


Business Value from Identity and Access Intelligence

Business, Identity
Author: Mark Dixon
Wednesday, April 27, 2011
4:27 pm


It was almost two months ago when I first mentioned on this blog the term coined by Gartner, “Identity and Access Intelligence.”  I have been thinking much lately about the real business value enterprises can derive from this discipline, and will attempt in this post to enumerate and comment on such benefits.

As good fortune would have it, my Oracle Colleague Nishant Kaushik shared with me a copy of a presentation deck he used recently, entitled, “Identity Intelligence to Drive Business Objectives.”

For the purpose of this discussion, we will use the term “IAM Intelligence” to refer to “Identity and Access Intelligence” or “Identity Intelligence”. Furthermore, we will regard IAM intelligence to include tools for IAM data collection, aggregation, analysis, presentation and automated action, coupled with the human processes for seeking to understand, present and act on that data – the transformation of data into actionable intelligence.

Earl Perkins of Gartner put it this way:

IAM intelligence is more than knowledge for IT users to make IT users’ lives easier. IAM intelligence can be part of the business intelligence realm if properly analyzed and presented to the right audiences.


Primary Business Benefits

The following major business benefits can accrue from IAM intelligence.  These are roughly the same as Nishant used in his presentation, in a slightly different order.

  1. Enable Visibility and Transparency.  If an enterprise is to effectively answer the compelling questions, “Who has access to what?”, “Who granted that access?” and “How were such access rights used?”, a great degree of information visibility and transparency is needed.   The questions are simple; the process of answering them is not.  IAM intelligence seeks to answer these questions quickly and accurately, in a manner that reduces business risk and increases regulatory compliance at a reasonable cost.
  2. Support Business Decisions.  Good business decisions should be based on reliable information, not on supposition.  A client recently remarked, “We need to base our decisions on facts, not just on what we think those facts are or should be.”  IAM intelligence provides the foundation for making good business decisions based on reliable information.
  3. Turn Data into Insight, and Insight into Action.  With the expansion of IAM infrastructure for administering user, role and entitlement life cycles and enforcing access policy, the amount of relevant Identity and Access data is immense.  That raw data does little good unless we can effectively organize and analyze such data so effective business decisions can be made and intelligent action can be taken as a result.  IAM intelligence enables the transformation of raw data into actionable insight.
  4. Strengthen Identity & Access Governance. The structured method for managing IAM systems, or IAM Governance, can be made more effective if accurate, reliable, timely and actionable information is available for IAM stakeholders to make good decisions.
  5. Identify, Measure and Manage Risk.  To effectively manage risk, an enterprise must accurately identify what risks exist, create policies for dealing with such risks, and implement effective controls for enforcing those policies.  Actionable information provided by IAM Intelligence can enable enterprises to correctly identify, understand and control risk.
  6. Contain Costs. Gathering and evaluating data through manual means can be very expensive, including initial data collection, manipulation, analysis and presentation.  Automated Identity Intelligence methods can minimize costs by taking labor out of the process.
  7. Build Trust. In order for any information system to become an effective foundation for business execution, business leaders must implicitly trust the tools and processes that comprise the system.  An effective IAM Intelligence system will provide that trusted foundation that a business leader can use to guide his or her business activities.
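The three questions above (“Who has access to what?”, “Who granted that access?”, “How were such access rights used?”) and the record-level snooping detection described in the Veriphyr post are easiest to see run over actual data. The Python below is an added example, not code from Oracle, Veriphyr, Gartner or the author; the users, resources, record ids and the 25-records-per-day threshold are constructed, with the threshold standing in for the business manager’s judgement of appropriate utilization.

```python
"""Toy IAM-intelligence pass over constructed entitlement and activity data.
Added example for this page; not Veriphyr's, Oracle's or Gartner's code."""
from collections import defaultdict, namedtuple
from datetime import datetime

# Grant: an entitlement on file in the provisioning system (who approved it, when).
# Access: one record-level event from an application audit log.
Grant = namedtuple("Grant", "user resource granted_by granted_on")
Access = namedtuple("Access", "user resource record_id when")

# Constructed sample data (hypothetical users, resources and record ids).
GRANTS = [
    Grant("alice", "patient_records", "mgr_bob", "2011-03-01"),
    Grant("carol", "patient_records", "mgr_bob", "2011-03-05"),
    Grant("dave", "billing", "mgr_erin", "2011-02-10"),
]
ACCESSES = [
    Access("alice", "patient_records", "P1001", "2011-04-20T09:12:00"),
    Access("alice", "patient_records", "P1002", "2011-04-20T09:15:00"),
    Access("dave", "billing", "B777", "2011-04-21T14:02:00"),
    Access("frank", "patient_records", "P1001", "2011-04-22T23:40:00"),  # no grant on file
] + [  # 60 distinct records pulled by one user in one morning: a snooping pattern
    Access("alice", "patient_records", f"P{n}", f"2011-04-23T08:{n % 60:02d}:00")
    for n in range(2000, 2060)
]

def who_has_access(grants):
    """Q1 'Who has access to what?': resource -> sorted list of users."""
    by_resource = defaultdict(set)
    for g in grants:
        by_resource[g.resource].add(g.user)
    return {r: sorted(users) for r, users in by_resource.items()}

def who_granted(grants):
    """Q2 'Who granted that access?': (user, resource) -> approving manager."""
    return {(g.user, g.resource): g.granted_by for g in grants}

def usage_findings(grants, accesses, max_records_per_day):
    """Q3 'How were the rights used?' Returns a list of findings:
    ('unused', user, resource)                 granted but never exercised
    ('ungranted', user, resource)              exercised with no grant on file
    ('excessive', user, resource, day, count)  distinct records above the
                                               business manager's daily threshold
    """
    granted = {(g.user, g.resource) for g in grants}
    used, ungranted = set(), set()
    per_day = defaultdict(set)  # (user, resource, day) -> distinct record ids
    for a in accesses:
        key = (a.user, a.resource)
        used.add(key)
        if key not in granted:
            ungranted.add(key)
        day = datetime.fromisoformat(a.when).date().isoformat()
        per_day[key + (day,)].add(a.record_id)
    findings = [("ungranted",) + k for k in sorted(ungranted)]
    findings += [("unused",) + k for k in sorted(granted - used)]
    for (user, resource, day), records in sorted(per_day.items()):
        limit = max_records_per_day.get(resource)
        if limit is not None and len(records) > limit:
            findings.append(("excessive", user, resource, day, len(records)))
    return findings

if __name__ == "__main__":
    print(who_has_access(GRANTS))
    print(who_granted(GRANTS))
    for f in usage_findings(GRANTS, ACCESSES, {"patient_records": 25}):
        print(f)
```

Run as-is, the pass reports carol's unused entitlement, frank's activity with no grant on file, and alice's 60-record day, which is the kind of record-level finding a manager can act on without reading raw logs.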


Benefits from Automation

Why can’t we just use some smart people armed with spreadsheets to accomplish the same objectives?

  1. Accuracy. Manual methods of data collection and organization inevitably introduce errors, which at best are difficult to find and correct, and at worst, alter business decisions in unfortunate ways.
  2. Timeliness.  Manual methods often take a lot of elapsed time, causing business decisions to be delayed and needed actions to be postponed.
  3. Presentation.  While much can be done with spreadsheet graphics and reports, more powerful reporting, dashboard and presentation facilities may be available with an automated system.
  4. Repeatability.  Manual methods may vary as different people become involved at different parts of the process, causing variability in results from cycle to cycle.
  5. Auditability.  Manual methods are more difficult to audit, because of the variability in the human part of the process.
  6. Cost control.  The costs of manual methods often exceed those of automated processes, because the labor content of the process recurs in every cycle. Automated methods can reduce these costs.


The Bottom Line?

The overall benefit we realize from IAM Intelligence is the ability to take effective business action, based on intelligent business decisions … leading to faster, stronger business success.


World Intellectual Property Day

General
Author: Mark Dixon
Tuesday, April 26, 2011
1:23 pm


My son Ryan is studying Industrial Design at Arizona State University.  He regularly updates us about interesting points related to his chosen profession. Yesterday, he alerted me via Twitter that today, April 26th, would be World Intellectual Property Day:

An event established by the World Intellectual Property Organization (WIPO) in 2000 to “raise awareness of how patents, copyright, trademarks and designs impact on daily life” and “to celebrate creativity, and the contribution made by creators and innovators to the development of societies across the globe”. (Wikipedia)

On the WIPO Website, speaking about the role of design, WIPO Director General Francis Gurry describes design as “the language of communication of objects,” helping to communicate both function and esthetics. (I can’t figure out how to link to or embed the video featuring Mr. Gurry, but you can access it via a link in the second paragraph of this page)

As an active participant in an industry whose value is primarily based on intellectual property, I’m pleased to raise my voice in support of intellectual property and the art and science of design that plays such a crucial role in creating such value.


Computerworld: What happens when your cloud provider evaporates?

Information Security
Author: Mark Dixon
Tuesday, April 26, 2011
12:46 pm


Besides the punny article title, Computerworld’s Lucas Mearian offered a provocative opening line in his article, “What happens to data when your cloud provider evaporates?”:

Over the past year, four cloud storage service providers have said they’re shutting down and Amazon’s cloud services have been problematic since Thursday.

Does that scare you away from Cloud Computing? What does a company do if its cloud storage provider goes out of business?

Currently, there’s no way for a cloud storage service provider to directly migrate customer data to another provider. If a service goes down, the hosting company must return the data to its customer, who then must find another provider or revert back to storing it locally, according to Arun Taneja, principal analyst at The Taneja Group.

Is help on the way?

The Storage Networking Industry Association’s Technical Work Group is developing an API called the Cloud Data Management Interface that would allow providers to migrate customer data from one vendor’s cloud to the next — a move aimed at alleviating vendor lock-in.

That API, if adopted by the industry, will become more important over the next several years as nearly three out of four cloud storage companies that cropped up in recent years wither and die, according to Taneja.

It seems that the Amazon cloud troubles have caused a fair bit of introspection in the cloud services industry. Given the unabashed hysteria about cloud computing in the past several months, I think deep introspection is very healthy.


Computerworld: Security still top concern with cloud

Information Security
Author: Mark Dixon
Tuesday, April 26, 2011
12:27 pm


Today, in a Computerworld article entitled, “Security still top concern with cloud, despite Amazon outage,” Jaikumar Vijayan stated,

Despite the heightened focus on cloud availability and uptime caused by Amazon’s prolonged service outage last week, security will likely remain the bigger long-term concern for enterprises.

Kyle Hilgendorf, a cloud computing analyst at Gartner reminded us that we need to plan for emergencies:

Amazon portrays an aura of invincibility, whether intentional or not, and this outage is going to remind enterprise customers that nobody is perfect and increased due diligence is required.

However, Hilgendorf said that security is really the more pressing concern.

I still consider it to be the bigger, long-term concern. Enterprises I speak to are more concerned about security than they are about availability, reliability or performance.

Jonathan Penn, an analyst at Forrester Research, said that last week’s Amazon outage is sure to stoke enterprise anxiety about cloud performance and uptime, but security is still going to be the bigger worry for most enterprises.

Companies that are looking to move applications to a hosted cloud environment are going to want even more availability assurances from their vendors now.

Ultimately though, enterprises need to realize that there can never be 100% uptime in a cloud environment, just as there can never be continuous availability within an enterprise data center.

Failures of the sort that happened last week will happen again, and it’s up to enterprises to ensure that they have measures in place to mitigate any resulting service disruptions.

Over the longer term, the thornier issue for most companies will continue to be data security. Forrester’s clients have consistently rated security as their top concern with cloud computing, ahead of other issues such as performance and availability.

It looks like we in the information security industry still have our work cut out for us.

Hey Steve! Why are you tracking me?

Information Security, Privacy, Telecom
Author: Mark Dixon
Friday, April 22, 2011
4:05 pm


I first read the news about Apple’s secretive location tracking capability in the Kaspersky Labs Threat Post article, “Secret iPhone Feature Tracks Owners’ Whereabouts”:

Security researchers have discovered a hidden iPhone feature that secretly tracks and saves the meanderings of the phone – and presumably its owner.

The tracking feature was described in a presentation at the Where 2.0 Conference in San Francisco on Wednesday. According to the researchers, Pete Warden, founder of Data Science Toolkit and Alasdair Allan a researcher at Exeter University in the UK, the tracking feature records the phone’s movements, including what cell phone towers and Wifi hotspots it connects to, when and where. While that information isn’t shared with Apple, it is retained even when iPhone users update their hardware, suggesting that Apple had plans to use the data at a later time.

Was I surprised?  No.  Irritated?  Yes.  We have one more piece of evidence, that when power is concentrated in the hands of a few, abuses tend to occur.

After reading the O’Reilly Radar article, “Got an iPhone or 3G iPad? Apple is recording your moves”, I followed a link to an application to see for myself:

How can you look at your own data?

We have built an application that helps you look at your own data. It’s available at petewarden.github.com/iPhoneTracker along with the source code and deeper technical information.

The broad view clearly showed the four states in which I have used my month-old iPad:

But the real interesting view was of my supposed meanderings in Arizona:

I can easily explain three of the four major clumps of usage in the Phoenix metropolitan area – my home, the Phoenix airport, and a client site. But I have never taken my iPad to the fourth area of supposed heavy use.

All the outliers are even more problematic.  I used the iPad once in a mountainous area northeast of Phoenix, but all the other outliers?  My only explanation is that I must have forgotten to place the iPad in “Airplane Mode” on one or more of my flights (heaven forbid!).  The iPad must have connected with dozens of cell towers as we flew over.

My message to Steve Jobs?  Please, just call. I’d gladly invite you over for dinner or take you to my favorite restaurant, where we could discuss the things that are important to me in my life.  But these shenanigans?  Really tawdry for a supposedly high class company.

Copyright © 2005-2013, Mark G. Dixon. All Rights Reserved.