
Exploring the science and magic of Identity and Access Management
Monday, December 22, 2025

Who Used those Access Rights, How?

Identity, Information Security
Author: Mark Dixon
Friday, March 4, 2011
10:14 am

The natural first question to ask when discussing Identity auditing is,

Who has access to what?

This question is naturally followed by,

Who granted those access rights, when?

More of my customers are asking a third question,

Who used those access rights, how?

The first two questions address the assignment of access rights to individuals; the third question addresses actual use of access rights after assignment.

Oracle has excellent tools to address the first two questions, but we currently lack a good solution for the third.

Why is this third category important?  Some things my customers ask for are:

  1. Which users did not use an access right during the past quarter?  They may not need that right at all.
  2. What patterns of access can we find?  This may help discover roles for provisioning and attestation.
  3. What access attempts are anomalies?  This may help identify and remediate fraudulent use.
  4. Where are potential vulnerabilities in my identity administration and access control methods?
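As an added example (not from the original post, and not code from Oracle, Veriphyr or any product named here), the first three questions reduced to set operations over constructed provisioning records and a constructed usage log; the "quarter" is approximated as a trailing 90-day window, which is an assumption:

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed provisioning records: (user, access right) pairs currently assigned.
ASSIGNED = {
    ("alice", "payroll_app:approve"),
    ("alice", "hr_db:read"),
    ("bob", "hr_db:read"),
    ("bob", "payroll_app:approve"),
    ("carol", "hr_db:read"),
}

# Constructed usage log: (ISO timestamp, user, access right actually exercised).
USAGE_LOG = [
    ("2011-01-10T09:12:00", "alice", "payroll_app:approve"),
    ("2011-02-03T14:40:00", "bob", "hr_db:read"),
    ("2010-11-20T08:00:00", "bob", "payroll_app:approve"),  # before the window
    ("2011-02-28T17:05:00", "dave", "hr_db:read"),          # no matching assignment
]

AS_OF = date(2011, 3, 4)  # review date; the window is the 90 days before it


def used_since(log, start):
    """(user, right) pairs exercised on or after `start`."""
    return {(u, r) for ts, u, r in log if datetime.fromisoformat(ts).date() >= start}


def unused_rights(assigned, log, as_of, days=90):
    """Question 1: rights assigned but never exercised in the trailing window."""
    used = used_since(log, as_of - timedelta(days=days))
    return sorted(assigned - used)


def candidate_roles(pairs):
    """Question 2: users with identical right sets, as candidate roles for
    provisioning and attestation. Works on assigned or on observed pairs."""
    by_user = defaultdict(set)
    for user, right in pairs:
        by_user[user].add(right)
    roles = defaultdict(list)
    for user, rights in by_user.items():
        roles[tuple(sorted(rights))].append(user)
    return {k: sorted(v) for k, v in roles.items()}


def unassigned_use(assigned, log):
    """Question 3: usage with no matching assignment, an anomaly to investigate."""
    return sorted({(u, r) for _, u, r in log if (u, r) not in assigned})
```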

So, where can we find solutions?

I have been impressed with a small startup, Veriphyr, that provides:

“an on-demand, pay-per-use analytics service that discovers user access vulnerabilities and privilege abuse on mainframe, midrange, Linux/Unix, and Windows servers. … Veriphyr analyzes identities, activity, and privileges to expose access weaknesses that enable insiders and intruders to capture, leak, or alter data through breach of systems, applications, databases, and networks.”

There is a broad category of Security Information and Event Management (SIEM) systems that address this area. In the Gartner Magic Quadrant report for SIEM systems that I downloaded from the Q1Labs website, Gartner defines this market segment as:

Security information and event management (SIEM) technology provides two major functions for security events from networks, systems and applications:

  • Security information management (SIM) – log management and compliance reporting
  • Security event management (SEM) – real-time monitoring and incident management

SIEM deployments are often funded to address regulatory compliance reporting requirements, but organizations should also use SIEM technology to improve threat management and incident response capabilities.

Three companies in the leader quadrant of the Gartner report are ArcSight, RSA and Q1Labs, but a total of 20 companies were covered in the report.  I am by no means a SIEM expert.  I have no idea whether Oracle will get in the SIEM game (and I couldn’t tell you if I did know), but I believe this is an important area for our customers.  It will be interesting to see what transpires.


Why Federated Identity is easier said than done

Identity
Author: Mark Dixon
Thursday, March 3, 2011
7:52 pm

Stephen Wilson of The Lockstep Group in Sydney, Australia, is scheduled to present an interesting paper, Why Federated Identity is easier said than done, at the AusCERT2011 conference in May.  Based on the abstract, the complete paper should be really interesting.

Stephen states that despite,

“near universal acceptance of the idea of Federated Identity … higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes.”

He further asserts that lingering resistance to full adoption results from the fact that,

“Federated Identity is in fact a radical and deeply problematic departure from the way we do business.  … Thus the derided identity “silos” are a natural and inevitable consequence of how business rules are matched to particular contexts.”

Stephen’s final comment:

“If we focused on conserving context and replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.”

If Identity Federation really doesn’t match the way we do business, it will be interesting to see how Stephen expands on and clarifies that final statement in the full paper.

 

Emerging Identity Oracles

Identity
Author: Mark Dixon
Thursday, March 3, 2011
7:20 pm

Oracle: “In Classical Antiquity, an oracle was a person or agency considered to be a source of wise counsel or prophetic opinion, predictions or precognition of the future, inspired by the gods.”

Thanks to Nishant Kaushik for pointing out Anil John’s thought-provoking article, “Identity Oracles and their role in the Identity Eco-System.” In his introductory tweet, Nishant suggested, “Some thing for @trulyverified to think about.”

Since I recently signed up for the Tru.ly service, I thought Nishant’s advice was timely.

It was interesting to review the four characteristics of an Identity Oracle outlined by Bob Blakley, currently the Gartner Research VP for Identity and Privacy:

  • An organization which derives all of its profit from collection & use of your private information…
  • And therefore treats your information as an asset…
  • And therefore protects your information by answering questions (i.e. providing meta-identity information) based on your information without disclosing your information…
  • Thus keeping both the Relying Party and you happy, while making money.

Some emerging companies fit part of this definition.  Certainly Tru.ly relies on information I provide and they verify, as an asset, and have based their business plan on such assets.

However, others come at it from a different direction:  Acxiom and LexisNexis offer Identity Verification and Authentication services based on publicly-available information.  Neither company has asked me whether they can use my information, but Acxiom claims, “Acxiom’s identification platform utilizes demographic and geographic data in challenge questions with nearly 900 data elements for more than 300 million individuals.” LexisNexis claims, “Access to vast data resources – more than 20 billion public and proprietary records.”

Acxiom and LexisNexis customers pay for the privilege of tapping into those vast stores of personal information to provide authentication and validation services.

Does this make Acxiom and LexisNexis Identity Oracles?  What about Tru.ly or Trufina, or similar companies? Do the three major credit bureaus qualify?  Perhaps none are complete Identity Oracles in the true sense of Bob Blakley’s definition.  But they are getting close.

 

I am Tru.ly Verified on Facebook and LinkedIn

Identity
Author: Mark Dixon
Wednesday, March 2, 2011
2:18 pm

Yesterday, my Identity was verified by the Tru.ly identity validation service.  With that in place, if your browser is equipped with a Tru.ly browser extension, you can visit me on Facebook or LinkedIn and see that I am tru.ly verified.

I think tru.ly faces an uphill battle to build critical mass both of people with tru.ly validated identities and of people who really care.  While that battle progresses, I’ll keep you updated as I learn more.


High Court Rules Against Corporate Privacy Rights

Privacy
Author: Mark Dixon
Tuesday, March 1, 2011
4:28 pm

The Wall Street Journal reported today:

The Supreme Court ruled unanimously that personal-privacy rights don’t apply to corporations under the Freedom of Information Act.

Tuesday’s ruling was a defeat for AT&T Inc., which was seeking to block the disclosure of emails and other potentially embarrassing documents it provided to the Federal Communications Commission during a 2004 investigation by the agency of whether the telecommunications giant overbilled the New London, Conn., public schools.

I am not a legal scholar by any means, but it seems that the courts often split hairs, sometimes treating corporations as persons and other times as non-persons.  In this case, non-personhood prevailed.

The court, in an opinion written by Chief Justice John Roberts, said corporations don’t get to enjoy certain personal-privacy exemptions included in FOIA, a disclosure law that allows the public to gain access to some documents filed with the government.

"The protection in FOIA against disclosure of law-enforcement information on the ground that it would constitute an unwarranted invasion of personal privacy does not extend to corporations," Chief Justice Roberts wrote. "We trust that AT&T will not take it personally."

That last comment by Chief Justice Roberts is an interesting play on words.  According to his judgment, AT&T couldn’t take it “personally”.  They had to take it “corporately.”

How will it affect us?  Opinions vary:

News-industry groups and open-government advocacy organizations argued that AT&T’s position could place a wide range of records on corporate-behavior off limits to the public.

Several business groups backed AT&T. The U.S. Chamber of Commerce said the threat of public disclosure could have a chilling effect on corporations’ willingness to cooperate with law-enforcement authorities.

It will be interesting to watch where this leads.


Tru.ly Identity Verification – Base Hit

Identity, Sports
Author: Mark Dixon
Tuesday, March 1, 2011
3:46 pm

Last Thursday, I tried unsuccessfully to register for the new Identity Validation service provided by Tru.ly.  On Friday, I got a nice email from a Tru.ly representative, responding to my blog and Twitter posts, thanking me for my access attempt and inviting me to try again.

This afternoon, my registration effort was successful.  Tru.ly verified the bits of Identity information I provided, and issued my very own Tru.ly URL – tru.ly/mgd – plus the QR code included in this post and on the blog sidebar.

You can see my verification information by visiting tru.ly/mgd, by clicking on the QR code or by scanning the QR code with your mobile device.  It worked just fine on my iPhone using the QRReader app.

What does a Base Hit have to do with Identity Verification?

Since Spring Training has started in Arizona, baseball analogies came to mind.  I assigned my first failure at Tru.ly registration “Strike 1.”  I’ll call my current success a “base hit.” The registration worked, but I’m not really sure what its real value is yet.  We’ll have to wait awhile to see what brings me across home plate.

 

Rolls Royce Experimental Electric – What a Gadget!

Technology
Author: Mark Dixon
Tuesday, March 1, 2011
7:45 am

TNW Gadgets reported today that Rolls Royce has launched a one-of-a-kind Rolls Royce 102EX Phantom Experimental Electric:

The car will be used to gauge the opinions and reactions to alternative means of power in Rolls Royce cars, amongst a range of stakeholders including owners, enthusiasts, members of the public and the media.

Phantom EE features an aluminium frame, replacing the 6.75-litre V12 petrol engine and 6-speed gearbox with a Lithium ion battery pack and two electric motors. The motors are connected to a single speed transmission, each kicking out 145kW, giving Phantom EE a maximum power output of 290kW and torque of 800Nm. …

It’s a considerable achievement when you compare this with the 338kW output for standard Phantom with maximum torque of 720Nm. Apparently the Phantom EE has a range of up to 200km and can achieve 0-60mph in under eight seconds with top speed limited to 160kph.

I like the comment about electric luxury from the video: “is it compromise, or is it perfection?”


Grasshopper Group – Inside the Entrepreneur’s Brain

General
Author: Mark Dixon
Friday, February 25, 2011
8:53 pm

I have never been too successful as an entrepreneur.  I guess my brain doesn’t look quite like this delightful rendition from the Grasshopper Group:


Boeing 767: Gimli Glider to Air Force Tanker

General
Author: Mark Dixon
Thursday, February 24, 2011
5:30 pm

Today, the US Air Force awarded a $35 billion contract to build the next generation of air refueling planes to Chicago-based Boeing Company.  The contract calls for producing 179 new tankers based on the 767 aircraft.

I find it ironic that the new Air Force tanker will be based on the same airframe as that of the Gimli Glider, an Air Canada airliner that ran out of fuel over Canada in 1983. 

From Wikipedia:

The Gimli Glider is the nickname of the Air Canada aircraft that was involved in a notable aviation incident. On 23 July 1983, Air Canada Flight 143, a Boeing 767-200 jet, ran out of fuel at 26,000 feet (7,920 m) altitude, about halfway through its flight from Montreal to Edmonton via Ottawa. The crew was able to glide the aircraft safely to an emergency landing at Gimli Industrial Park Airport, a former Canadian Air Force base at Gimli, Manitoba.

I hope the Air Force remembers correctly whether to measure fuel in liters or gallons (which goes to the root cause of the Gimli Glider fiasco).

I guess this all goes to prove that even old things (and people) can arise from the dust and be reborn into something great.


Tru.ly Identity Verification – Strike 1

Identity
Author: Mark Dixon
Thursday, February 24, 2011
5:00 pm

Over the past few years, I have been intrigued with the subject of Identity Validation – being able to determine, with a high degree of confidence, that a person is who he says he is, prior to issuing Identity credentials to him.

Today, I became aware of Tru.ly, which promises to “[maximize] personal privacy by providing users with a single, verified identity on the internet.”  A lively Twitter conversation among Identity experts @dak3 @NishantK @paulmadsen and @iglazer convinced me that I should check it out.

But alas, when I tried to join Tru.ly (twice), I got this nasty error message:

My only comment is ARRGGGGGH! I guess I’ll try again tomorrow to join the latest service that promises to save the world.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.