It is quite amazing to me how many customers I visit who are really struggling with how to handle mobile devices, data and applications securely. This week, the following cartoon came across my desk. The funny thing to me is that the cartoon was published in 2011. Here it is 2015 and we still struggle!
Martin Kuppinger, founder and Principal Analyst at KuppingerCole recently spoke in his keynote presentation at the European Identity & Cloud Conference about how IT has to transform and how Information Security can become a business enabler for the Digital Transformation of Business.
He presented eight “Fundamentals for Digital Risk Mitigation”:
- Digital Transformation affects every organization
- Digital Transformation is here to stay
- Digital Transformation is more than just Internet of Things (IoT)
- Digital Transformation mandates Organizational Change
- Everything & Everyone becomes connected
- Security and Safety is not a dichotomy
- Security is a risk and an opportunity
- Identity is the glue and access control is what companies need
I particularly like his statements about security being both risk and opportunity and that “Identity is the glue” that holds things together.
Wish I could have been there to hear it in person.
Author: Mark Dixon
Monday, May 4, 2015
Recently I heard an executive who had been newly hired by a company describe their current Identity and Access Management System as an “Opportunity Rich Environment”. Somehow that sounds better than “highly manual, disjointed, insecure and error-prone,” doesn’t it?
I have been using the TSA PreCheck service since soon after its inception in 2011, without paying an enrollment fee, after being invited by US Airways to participate. This has allowed me to use the simpler and faster TSA PreCheck lane at airport security, rather than joining the majority of fliers in regular security lines. However, a couple of weeks ago, I received a notice from American Airlines, which is merging with US Airways, that I now needed to register for a “Known Traveler Number” (KTN) so I can continue to use the PreCheck service. I don’t really know why my gratis status is no longer acceptable, but apparently it is.
So, I filled out a pre-registration form at Universal Enroll last week, booked a screening appointment at a registration center a few miles from my house, and went through the final process today.
Today’s registration process was unexpectedly painless. It took less than 15 minutes, including a short wait in the lobby, fingerprinting, stepping through a series of Identity Proofing steps and paying the $85 fee. Alas, I still don’t have a KTN. That is supposed to be issued in a week or two after some big computer in the sky processes my information. Then, I am supposed to be set up to use the PreCheck lane every time.
The downside? The government has me in yet another identity database. My KTN will be linked to my SSN, as well as to my fingerprints and other personal identification data. Big Brother seems closer than ever before!
Next step after the KTN? I will need to get a new Arizona drivers license that is Real ID compliant before January if I want to continue flying. Yet another Federal tentacle into my life!
Author: Mark Dixon
Wednesday, December 3, 2014
I heard my first speech from Cory Doctorow at the Gartner IAM Summit this morning. He gave an interesting overview of the history of digital copyright law and attempts to enforce limited access by schemes such as Digital Rights Management and encrypted data streams. He expanded beyond this basic overview to discuss how current laws make it illegal to reveal hidden flaws in software and devices. Some points I found particularly thought-provoking include:
- The 1998 Digital Millennium Copyright Act which criminalized breaking Digital Rights Management methods, wasn’t very effective, because people who were willing to break existing laws to steal content didn’t mind breaking another law.
- Current copyright laws designed to make it illegal to know how DRM or encrypted streaming video devices work (e.g. Netflix player devices) also make it illegal to reveal flaws in our computers.
- These laws may stop honest people, but support bad guys’ efforts to discover and weaponize vulnerabilities.
- The NSA and its British equivalent spent billions of dollars per year to find vulnerabilities in devices, but don’t reveal what they have found.
- Back doors to systems (such as government-requested back doors to encryption algorithms) have no allegiance. We must assume that such back doors will be used for evil as well as good purposes.
- Be suspicious of any software you cannot audit or inspect. How else can you know what lurks therein?
- Remember – the capacity for human self-deception is bottomless. Will technology set us free or enslave us?
Interesting ideas worthy of further investigation. The concept of unintended consequences certainly applied here.
Author: Mark Dixon
Wednesday, December 3, 2014
Yesterday, at the Gartner Identity and Access Management Summit, Earl Perkins, Gartner’s Research Vice President in Systems, Security and Risk, gave a thought-provoking talk, proposing that Identity and Access Management as it is today is not going to cut it for the Internet of Things. Some of the highlights include (filtered through the lens of my interpretation):
- IoT can be described as a set of devices that can sense and interact with the world around them. Such devices can sense, analyze, act and communicate.
- Devices, services and applications are creators or consumers of information, and must join humans in having identities.
- Architectural concepts of IAM may still hold, but the scale will be vastly larger and must accommodate more than human identities.
- Perhaps the word “thing” should be replaced by the term “entity”
- Every entity has an identity
- We need a model of entities and relationships between these entities.
- We must address layered hierarchies of identities.
- We should not separate device management and identity management systems.
- Identity Management and Asset Management systems will likely converge.
- Identity and Access Management may become:
- Entity Relationship Management
- Entity Access Management
- We may think of architectures in four levels: things, gateways/controllers, connectivity, applications and analytics.
- Two major camps of consumption: Enterprise (where more money is currently being spent) and Consumer (which is hot and sexy, but not currently making much money).
- Strong year-over-year IoT growth is happening in four industry sectors:
- Automotive – 67% CAGR
- Consumer – 32% CAGR
- Vertical specific – 24% CAGR
- Generic business – 44% CAGR
- Companies are “throwing jello against the wall” to see what sticks.
I really like Earl’s ideas about convergence of “entities” and “relationships” between entities. Please note my blog post Identity Relationship Diagrams posted in March 2013.
I also favor his view that identity management should not be separate from device management.
It will be interesting to see how architectures are transformed and what “jello sticks to the wall” in the coming years.
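To make the “entity relationship” idea above a little more concrete, here is a small added example (my own illustration, not code from Earl Perkins or Gartner). Every participant, whether a person, a service, a gateway or a sensor, is an entity with an identity; an access decision is made by walking the relationships between entities, including the layered “part_of” hierarchy, rather than by consulting a flat user/role table. Entity names, relationship types and the grants below are all made up for illustration.

```python
"""Toy entity/relationship access model.

Added example, not taken from the talk or from Gartner. Entities are plain
strings such as "user:mark" or "sensor:thermo-42" (hypothetical names);
relationships are (subject, relation, object) triples. The same graph holds
the device inventory (part_of) and the access grants, so device management
and identity management are not separate systems here.
"""
from collections import deque


class EntityGraph:
    def __init__(self):
        self.edges = set()  # (subject, relation, object)

    def add(self, subj, rel, obj):
        self.edges.add((subj, rel, obj))

    def remove(self, subj, rel, obj):
        # Revocation is just deleting an edge; every permission that was
        # inherited through that edge disappears with it.
        self.edges.discard((subj, rel, obj))

    def objects(self, subj, rel):
        return {o for s, r, o in self.edges if s == subj and r == rel}

    def ancestors(self, entity):
        """Follow 'part_of' upward: sensor -> gateway -> site (layered hierarchy).
        The seen-set makes this safe even if the inventory data contains a cycle."""
        seen, queue = set(), deque([entity])
        while queue:
            current = queue.popleft()
            for parent in self.objects(current, "part_of"):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        return seen


def can_access(graph, subject, action, resource):
    """Grant if the subject, or a group it is a member of, holds `action` on
    the resource itself or on any entity the resource is part of."""
    principals = {subject} | graph.objects(subject, "member_of")
    targets = {resource} | graph.ancestors(resource)
    return any((p, action, t) in graph.edges for p in principals for t in targets)


def build_demo():
    """Constructed sample data (hypothetical names)."""
    g = EntityGraph()
    # Layered hierarchy of "things"
    g.add("sensor:thermo-42", "part_of", "gateway:bldg7")
    g.add("camera:lobby", "part_of", "gateway:bldg7")
    g.add("gateway:bldg7", "part_of", "site:phoenix")
    # Human and non-human principals alike are entities with identities
    g.add("user:mark", "member_of", "group:facilities")
    g.add("service:analytics", "member_of", "group:telemetry-readers")
    # Grants made at different levels of the hierarchy
    g.add("group:facilities", "read", "site:phoenix")          # inherited by everything at the site
    g.add("group:telemetry-readers", "read", "gateway:bldg7")  # inherited by devices behind the gateway
    g.add("user:mark", "configure", "sensor:thermo-42")        # direct grant on one device
    return g


if __name__ == "__main__":
    g = build_demo()
    print(can_access(g, "user:mark", "read", "sensor:thermo-42"))         # True, via group -> site
    print(can_access(g, "service:analytics", "read", "camera:lobby"))     # True, via group -> gateway
    print(can_access(g, "service:analytics", "configure", "sensor:thermo-42"))  # False
    # Re-home the sensor to another gateway: analytics loses its inherited read
    g.remove("sensor:thermo-42", "part_of", "gateway:bldg7")
    g.add("sensor:thermo-42", "part_of", "gateway:bldg9")
    print(can_access(g, "service:analytics", "read", "sensor:thermo-42"))  # False
```

The last step is the part worth noticing: moving a device in the inventory (changing one “part_of” edge) changes who can read it, with no separate entitlement cleanup. That is what “identity management should not be separate from device management” buys you in practice.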
Last Wednesday, a dreaded First World Fear was realized. During a tight connection between flights at the Dallas – Fort Worth airport, I left my iPad in the seat pocket on my first flight. I didn’t realize what I had done until I reached into my briefcase for it on my next flight. My heart sank. I use the iPad for so many things. To lose it was a huge disruption in my day to day life, not to mention the cost and hassle of replacement.
A call to the DFW lost and found department was not reassuring. I was instructed by the telephone robot to leave a message with contact information and lost item description, and wait. I dutifully complied, but had real doubts about whether I’d ever see my iPad again. A conversation with an American Airlines gate agent gave a little bit of hope. She assured me that every lost item was investigated, and that I should be patient for the process to take its course.
By Monday morning, I had about given up hope. But then – the phone call – my iPad had been found! I had activated the “Find my iPhone” feature, which caused my phone number to be displayed whenever the device was turned on. The lost and found agent called me, verified that the device was indeed mine and arranged for it to be returned to me by Fedex. Then things got interesting …
Soon after I received the happy phone call, I received an email, also informing me that the iPad had been found – another nice feature of Find my iPhone.
Apparently, when a device is in the “lost” mode, it will continue to wake up periodically and attempt to send its location via email. I have received 18 emails to that effect since the iPad was first found yesterday morning, each with a little map pinpointing its current location.
I really enjoyed tracking the iPad’s progress as it found its way back to me via my iPhone’s Find My iPhone app. In the photos below, you can see my iPad’s circuitous journey around DFW yesterday, its flight to the Fedex hub and back to Phoenix overnight, and the fairly direct route to my home by 7:33 this morning!
So, in addition to getting my treasured iPad back, I received an object lesson in the value of mobile location services! We live in wonderful times!
Ready to monitor, track and analyze employee behavior using the latest IoT technology? Just ask Dilbert (aka Employee 3452378).
Author: Mark Dixon
Thursday, December 19, 2013
Kuppinger Cole just released an insightful Advisory Note: “Information Security Predictions and Recommendations 2014.” The introduction stated:
Information Security is in constant flux. With the changing threat landscape, as well as a steady stream of new innovations, demand for Information Security solutions is both growing and re-focusing.
I like both the predictions and recommendations in this report. Here are a few excerpts from my favorite recommendations:
Cloud IAM (Identity and Access Management)
Define an IAM strategy for dealing with all types of users, devices, and deployment models that integrates new Cloud IAM solutions and existing on-premise IAM seamlessly.
Before entering this brave, new world of the API “Economy”, define your security concept first and invest in API Security solutions. Security can’t be an afterthought in this critical area.
IoEE (Internet of Everything and Everyone)
Before starting with IoEE, start with IoEE security. IoEE requires new security concepts, beyond traditional and limited approaches.
Encryption only helps when it is done consistently, without leaving severe gaps.
The whole paper is well worth reading. Hopefully, this post whetted your appetite a little bit.
This evening, I finished reading a fascinating book, “Age of Context: Mobile, Sensors, Data and the Future of Privacy,” by Robert Scoble and Shel Israel.
Scoble and Israel propose that we are in the midst of a perfect storm:
Our perfect storm is composed not of three forces, but five, and they are technological rather than meteorological: mobile devices, social media, big data, sensors and location-based services. … they’re already causing disruption and making waves. As discrete entities, each force is already part of your life. Together, they have created the conditions for an unstoppable perfect storm of epic proportion: the Age of Context.
I have long been fascinated with the concept of context. I first mentioned context as an important factor in Identity Management in July, 2005, as I blogged about the Catalyst Conference. During my years with Sun Microsystems, we often spoke about “context-aware, blended services” being delivered via mobile devices. For example, in September, 2008, one of my blog posts entitled, “Sensor-triggered Personalized Services,” stated, in part:
Project Destination, an initiative I lead for Sun, is all about providing the infrastructure to deliver highly personalized, context-aware, blended services to online users across the “screens of your life.” When you couple sensor technologies with Identity, personalization and service orchestration techniques, you can get some powerful results.
It is great to see the progression and refinement of that concept. I sense we are barely scratching the surface of possibilities in this arena. Lot of fun ahead!