
Exploring the science and magic of Identity and Access Management

You can chain me, you can torture me, you can even destroy this body, but you will never imprison my mind. — Mahatma Gandhi

Sunday, December 21, 2014

Fraud and Security in the Cloud

Identity, Information Security
Author: Mark Dixon
Wednesday, December 28, 2011
9:52 am


This should be a timely and relevant webcast for those of us involved with information security: “Key Fraud and Security Considerations for Confidence in the Cloud.” It will be held Tuesday, January 17, 2012 at 10 a.m. PST.

This executive panel webcast will explore how leading IT organizations are moving to the cloud with confidence. The following items will be addressed:

  • Maintain control of your data across multiple on-premise and cloud environments
  • Evaluate cloud providers to meet your specific requirements for security and risk management
  • Apply authentication and identity management solutions and expertise from the online banking industry for improved protection and fraud mitigation
You can register for the webcast here.
 

Source Doc: Oracle Reference Architecture – Security

Enterprise Architecture, Identity, Information Security
Author: Mark Dixon
Tuesday, December 20, 2011
10:10 am


The Oracle outward-facing website is a virtual cornucopia of valuable information.  Unfortunately, I often just stumble onto valuable gems of knowledge instead of discovering them in an organized fashion.  Today was such a case.  Quite by accident, I found an excellent overview of Information Security issues in “Information Security, A Conceptual Architectural Approach.”  It provides, in an easy-reading 25 pages, a good overview of information security principles and approaches to addressing them.

This document referenced a larger treatise, the Oracle Reference Architecture – Security, which dives more deeply into information security issues and solutions.  In about 130 pages, this reference architecture document provides an excellent treatment of the basic principles of information security and recommended approaches to mitigate security risk.  The introduction aptly states:

Information is the lifeblood of every organization. If this Information is compromised there can be a wide range of consequences ranging from damage to a company’s reputation through to financial penalties such as regulatory fines and cost of remediation. …

Information Security is a strategic approach that should be based on a solid, holistic framework encompassing all of an organization’s Information Security requirements, not just those of individual projects. …

By taking this approach to Information Security, organizations can ensure that the components of their Information security architecture address all business critical Information and are driven by the requirements of the business.

The document is organized as follows:

  1. Introduction to Information Security
  2. Security Concepts and Capabilities
  3. Common Security Standards
  4. Conceptual Architecture View
  5. Logical View
  6. Product Mapping View
  7. Deployment View
  8. Summary
I hope you will find this to be a useful reference.
 

Fellow Facebook Users: We are the product Zuckerberg sells.

Identity, Privacy
Author: Mark Dixon
Friday, December 2, 2011
5:08 pm


In my recent post, I made this observation:

[Facebook and Google] are essentially advertising channels, whose real customers are not those of us who visit their sites, but the advertisers who pay them money.

That is where Intent comes in.  The most valuable commodity Google and Facebook can sell to their advertising customers is the Intent of the people who visit their sites – the Intent to explore, to examine, and ultimately, to buy. The better either company can be at determining the Intent of their users, the better they are prepared to rake in the bucks from companies who advertise with them.

From that perspective, I have been fascinated by the recent big news that Facebook has settled charges with the FTC over allegations that Facebook deceived users about privacy. As reported by the Daily Beast,

… Facebook promises to stop making “deceptive privacy claims” and get users’ permission before changing the way it shares their information. The social-media company must also submit to privacy audits for 20 years. …

Acknowledging this settlement, Mark Zuckerberg posted a lengthy statement on the Facebook blog:

… I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done. … But we can also always do better. I’m committed to making Facebook the leader in transparency and control around privacy. …

Not all pundits accepted Zuckerberg’s contrite response.  Dan Lyons of the Daily Beast posted a cynical article entitled, “The Truth About Facebook Privacy—if Zuckerberg Got Real.”

The social network just settled privacy charges with the FTC, and its CEO posted a lengthy non-apology on the company blog. But here’s what Mark Zuckerberg might have said if he dared to be brutally honest. …

Let’s skip to the meat of Dan’s article (his view of what a truly candid Zuckerberg would have said):

 … The truth is, we have no interest in protecting your privacy, and if you still believe that we do, then you are stupider than we thought, and believe me, we already thought you were pretty stupid. Think about it. The only way our business works is if we can track what you do and sell that information to advertisers. Did you honestly not realize that?

You are not our customer. You are the product that we sell. For us to say we’re going to protect you is like the poultry industry promising to create more humane living conditions for chickens. Sure, they say that. But you know they don’t mean it.

Same with us. We will never, ever stop trying to pry data out of you. How could we? We’re a business. We’re doing this to make money. And our investors would like it very much if we can make absolutely as much money as possible. It’s simply not in our nature to stop. You know the fable about the scorpion and the frog? Yeah. It’s like that. …

Pretty harsh? Yep! But there are glimmers of truth in there. Just remember the next time you visit Facebook (which I have already done several times today), “You are the product that we sell.”

 

Reputation, Street Cred and Identity Assurance

Identity
Author: Mark Dixon
Friday, December 2, 2011
5:55 am


“Reputation is what men say about you on your tombstone; character is what the angels say about you before the throne of God.” (William Hersey Davis)

I find it almost magical how seemingly unrelated events can trigger a cascade of intellectual epiphanies …

A couple of nights ago, I watched an episode of “Cold Case” where a man confessed to three murders to protect his “Street Cred” as a really bad guy.  He hadn’t really killed the people, but for some reason, protecting his reputation, evil as it was, was more important than the truth.

Yesterday, I exchanged some email messages about the new service connect.me with Bill Nelson, an Identity Management colleague.  He suggested that some of the vouches he had received on connect.me were more “Street Cred” than identity-confirming reputation.

Could it be that the same desire for “Street Cred” that motivated the cold case guy to admit to something he didn’t do, would drive people trying to game the system on “Connect.me”?

Last night, I read an article suggested on Facebook by Jamie Lewis and Dave Kearns, “How to Force a Friendship on Facebook in Three Easy Steps.”  The article described how a person used a fraudulent Facebook account to secure enough un-suspecting “friends” to convince a targeted girl to friend him.  My Facebook comment: “So much for the much-ballyhooed ‘Identity Assurance by Reputation’ concept Facebook has touted.”

This morning, Drummond Reed, founder of connect.me, provided a more reasoned response to the Facebook thread started by Jamie and Dave: “nothing is completely foolproof, but the top trust level in the Respect Trust Framework is human trust anchors, and it’s designed to provide much stronger protection against this kind of attack. Happy to discuss in more detail.”

I must admit that I hadn’t yet studied Drummond’s proposed “Respect Trust Framework,” upon which connect.me is based, so I looked it up.  I recommend that you read Drummond’s recent blog post, “Trust Levels and Trust Anchors” and the referenced paper, “Building Lasting Trust: The Game Dynamics of the Respect Trust Framework.”

I found it particularly interesting to read the five basic principles upon which the trust framework is based.  It is clear that the Cold Case guy, the connect.me gamers and the Facebook charlatan had violated at least four of the basic principles:

  1. Promise (We will respect each other’s digital boundaries). Every Member promises to respect the right of every other Member to control the identity and personal data they share within the network and the communications they receive within the network.
  2. Permission (We will negotiate with each other in good faith). As part of this promise, every Member agrees that all sharing of identity and personal data and sending of communications will be by permission, and to be honest and direct about the purpose(s) for which permission is sought.
  3. Protection (We will protect the identity and data entrusted to us). As part of this promise, every Member agrees to provide reasonable protection for the privacy and security of identity and personal data shared with that Member.
  4. Portability (We will support other Members’ freedom of movement). As part of this promise, every Member agrees to ensure the portability of the identity and personal data shared with that Member.
  5. Proof (We will reasonably cooperate for the good of all Members). As part of this promise, every Member agrees to share the reputation metadata necessary for the health of the network, including feedback about compliance with this trust framework, and to not engage in any practices intended to game or subvert the reputation system.

Respect, Good Faith, Trusted Protection, Freedom and Cooperation.  I agree that these fundamental principles will engender trust among people and allow people to interact in a safe, trusting way.  It reminds me of one of my favorite quotations from one of our Founding Fathers, James Madison:

To suppose that any form of government will secure liberty or happiness without any virtue in the people, is a chimerical idea.

I propose that success of the Trust Framework will be based on essentially the same foundation – the moral virtue of people who participate.

The Trust Anchor concept and Complaint process within the Trust Framework are safeguards against the bad apples who will inevitably try to game the system, just like police officers and the justice system attempt to enforce the rule of law in our society.  However, as there will never be enough police officers, lawyers and judges to enforce the law unless the people of our society are largely trying to act, on their own accord, in civil, moral ways, I suspect that success of the Trust Framework will depend on the vast majority of people voluntarily acting in accordance with the basic principles outlined above.

So, what about Reputation, Street Cred and Identity Assurance?  A few parting thoughts.

  1. I like the idea of connect.me.  It would be nice to have some sort of badge on my blog that shows my connect.me “score” – my living tombstone, as it were – an indicator of my reputation.
  2. I will always try to abide by the foundation principles of the Trust Framework, just like I try to live the underlying moral principles of our civil society. I like to think that someday, angels will declare that Mark Dixon was an upright kind of guy.
  3. I will always be wary of the “Street Cred” or so-called reputation of someone I don’t know, unless I receive a positive assurance from “Trust Anchors” that I personally know and trust.
  4. I will keep my eyes wide open for people who try to game the system.
  5. Will connect.me emerge as a viable solution to the elusive demands of a universal Identity Assurance system?  We’ll wait and see.

My two cents for the day …

 

Your Favorite Error Message?

Identity
Author: Mark Dixon
Thursday, December 1, 2011
7:46 pm


My son-in-law Garry Bartle tweeted a link to a fun article today, “A Gallery of Goofy Error Messages.”

This led me to remember the best error message I ever encountered: “This should never happen – Call Tom Sanders.”

Early in my engineering career, I was debugging some computer hardware and software issues late one night, when that error message came up on the screen. As good fortune would have it, I only had to walk down the hall a few steps to where Tom was also working late. We both had a good laugh, and he fixed the bug. Great memories!

That is my favorite error message.  What is yours?

 

Intent: Critical to the New Identity world

Identity
Author: Mark Dixon
Thursday, December 1, 2011
7:24 am


Intent: “something to be done or brought about”

Back in November, 2005, I began blogging about a concept I referred to as “Core Identity”:

A fundamental premise undergirding the Identity Map is that each person is unique. This unique “Core Identity” can be identified or described by attributes categorized into Names, Characteristics, Relationships, Roles, Location, Experience, Knowledge and Reputation. Each attribute adds to the fundamental uniqueness of each individual.

I still believe that fundamental premise is sound, and that the categories of Identity attributes are still relevant.   However, I believe a ninth category should be added: “Intent.”

This concept began to crystallize in my mind as I was listening to a podcast by Robert Scoble, referenced in his blog post, “The game of all games: content and context (why Mark Zuckerberg, Marc Benioff, and Larry Page are carving up the social world).” Thanks to Johannes Ernst for sharing this link on Facebook.

The basic premise of Robert’s post and podcast is that Google and Facebook are fighting to become the premier Identity providers in the world – but not primarily for authentication and authorization services, as we Identity Management professionals commonly think of Identity – but as a means to addictively capture the hearts and minds of the people in the world in order to sell advertising. After all, both companies are essentially advertising channels, whose real customers are not those of us who visit their sites, but the advertisers who pay them money.

That is where Intent comes in.  The most valuable commodity Google and Facebook can sell to their advertising customers is the Intent of the people who visit their sites – the Intent to explore, to examine, and ultimately, to buy.  The better either company can be at determining the Intent of their users, the better they are prepared to rake in the bucks from companies who advertise with them.

Intent, therefore, is a critical component, perhaps the most important component, of Identity, from the perspective of Google and Facebook.

But Intent is rarely overtly declared by a user.  Intent is predicted, based on a relentless, real time examination of all other aspects of a person’s identity – their Names, Characteristics, Relationships, Roles, Location, Experience, Knowledge and Reputation.  All of these are more historical in nature – attributes that may be accumulated and studied in a more historical context.  But Intent is more real time. Intent is what a person wants to do right now or in the near future.  It is more a prediction of things to come than what happened in the past.

So how do companies like Google and Facebook determine Intent?  More and more, it is by capturing and analyzing how individuals interact with the online world.  The “verbs” of online interaction are particularly telling:  search, post, comment, share, like, tag, read, watch, encircle, listen, play, visit.  If Google or Facebook can capture how you do all those things, they can infer your intent and deliver to you the content and advertising that are most aligned with your current intent.  That will enable their advertising revenue to increase (which is their real motive).  That is why both Google and Facebook are aggressively rolling out new features along the lines of those verbs – the more they know about your online actions (evidenced by how you use those verbs), the better able they are to predict your Intent, and consequently enable advertisers to capture your money.

Predicting the future is never easy. But that is exactly what Google and Facebook are trying to do – by predicting our Intent, based on how we interact with them. Facebook and Google covet your eyeballs, your fingertips and your pocketbooks, and intend (pun intended) to capture all of them.

My advice:  Be aware! Keep your eyes wide open, your fingertips constrained, and your wallet firmly in your pocket.

Copyright © 2005-2013, Mark G. Dixon. All Rights Reserved.