
Exploring the science and magic of Identity and Access Management
Thursday, February 5, 2026

Dumbest Ideas in Computer Security

Identity
Author: Mark Dixon
Wednesday, September 14, 2005
2:38 am

My good friend Brent Jensen alerted me to a humorous but thought-provoking article by Marcus Ranum entitled "The Six Dumbest Ideas in Computer Security."

Marcus proposes: "These dumb ideas are the fundamental reason(s) why all
that money you spend on information security is going to be wasted, unless you
somehow manage to avoid them."

May I offer a sound bite from each of the Dumb Ideas to entice you to read
the whole article:

1. Default Permit. "Systems based on ‘Default Permit’
are the computer security equivalent of empty calories: tasty, yet fattening."

2. Enumerating Badness. "It’s a dumb idea because sometime
around 1992 the amount of Badness in the Internet began to vastly outweigh the
amount of Goodness."

3. Penetrate and Patch. "The primary dumb idea behind
the current fad (which has been going on for about 10 years) of vulnerability
disclosure and patch updates."

4. Hacking is Cool. "The Internet has given a whole new
form of elbow-room to the badly socialized borderline personality."

5. Educating Users. "The Anna Kournikova worm showed
us that nearly 1/2 of humanity will click on anything purporting to contain
nude pictures of semi-famous females."

6. Action is Better than Inaction. "It really is easier
to not do something dumb than it is to do something smart."

Enjoy!

 

What Price Identity? 49 Bucks.

Identity
Author: Mark Dixon
Tuesday, September 13, 2005
1:12 pm

Phil Windley justified eBay’s purchase of Skype by stating today that "eBay
and Skype were both huge repositories of identity data." I understand that
Skype has 53 million registered users. Based on eBay’s offer of $2.6 billion,
each Skype identity is worth 49 bucks. That’s a lot of free phone calls.

 

Dilbert on Identity

Identity
Author: Mark Dixon
Tuesday, September 13, 2005
11:34 am

Thanks to my colleague Sean O’Neil for spotting this jewel.

 

Intersection of Network Identity and Data

Identity
Author: Mark Dixon
Monday, September 12, 2005
10:00 am

In Sun’s Network Computing event this morning, when the new Galaxy
servers were announced, Jonathan Schwartz defended Sun’s acquisition
of StorageTek as positioning Sun at the "intersection of Network
Identity and Data." He emphasized that management of data is at the
core of every enterprise – core functionality that will not be commoditized
because it represents the very heart of the enterprise. The intersection of
data and identity positions Identity Management as the gateway to the core of
the enterprise.

 

Neogent VIP: Accelerating Identity Management

Identity
Author: Mark Dixon
Thursday, September 8, 2005
9:36 pm

I had an illuminating discussion yesterday with Dan Greff and Jess Moore regarding
Neogent’s Velocity Identity Package (VIP) methodology and technology for accelerating
deployment of Sun’s Identity Manager product. I had seen an earlier presentation and
demonstration of the system, but the vision began to click during our discussion at the
Phoenix Airport Marriott hotel. (By the way, the Cobb salad is excellent.)

We all know that implementing Identity Management systems can be costly and
time consuming. The extreme flexibility of the Sun Identity Manager product
comes with a price – skilled, experienced engineers are required for system
definition, configuration and deployment. That fact begs at least three questions
for customers: How can deployment be simplified? How can known best practices
be re-used? How can a mid-market company reap the rewards of Identity Management
without paying a large-market price?

Neogent was one of Waveset’s
earliest integration partners. With many successful Identity Manager implementations
under their belts, they kept asking themselves a couple of important questions:
How can we leverage our expertise to produce more systems more quickly? How
can we open the mid-market to effective Identity Manager deployments?

The Neogent VIP system blends methodology and technology to bring the Identity
Manager product to mid-market companies by leveraging known best practices discovered
through in-the-trenches experience.

Using the VIP methodology, Neogent consultants lead customers through a modelling
exercise, using a familiar actor and use-case paradigm. Customers select from
a set of standard actors and use-cases and specify appropriate configuration
attributes. Rather than conducting traditional open-ended requirements analyses
that frequently define complex and expensive systems, the VIP approach constrains
the requirements definition to variations of known best practices.

The VIP technology then uses the captured requirements to generate the XML
objects that form the core configuration of the Identity Manager system. This
jump-starts the configuration effort and sharply reduces implementation time.

Using the VIP methodology/technology blend, Neogent can offer full Identity
Manager implementations on a fixed price basis at significantly lower price
points than allowed by traditional methods.

What’s the catch? If your company isn’t willing to bend its business practices
to fit within the standard constraints defined by Neogent, you will still wind
up requiring significant custom configuration work anyway. If you want to take
advantage of the extreme flexibility of the Identity Manager product, you will
need to follow a more traditional approach.

However, if you need rapid deployment with a prescribed set of best practices,
the VIP methodology and technology show interesting promise.

 

Trust: Vulnerability and Commitment

Identity
Author: Mark Dixon
Friday, September 2, 2005
5:25 am

In his blog yesterday, Masood Mortazavi offered new perspectives on Trust.

He highlighted two related thoughts:

  1. Trust is based on two parties making "credible commitments"
    to each other.
  2. Trust is based on two parties mutually "exposing vulnerabilities."

Both viewpoints are valid:

In any trust relationship, each party exposes vulnerabilities in the process
of establishing that relationship. For example, if I share any of my Identity
attributes with you, I am vulnerable because I run the risk of you exploiting
that attribute in some devious manner. You run the same risk if you share any
element of your Identity with me (although I hope you’ll find me trustworthy).

In the world of Digital Identity, as vulnerabilities are mutually exposed,
credible commitments are also exchanged.

As a consumer, I can "credibly commit" to pay $1000 for a television.
That "claim" is subject to verification through my credit card company.
In return, a manufacturer can "credibly commit" that the television
is worth $1000. I may choose to authenticate that "claim" by reading
Consumer Reports or some other reputable information source. Mutual trust arising
from the exchange of credible commitments forms the basis for a transaction.

In establishing a trust relationship with another party over the Internet,
I must "credibly commit" or "claim" that my credentials
are authentic. My claim is subject to verification through a trusted third party.
In return, the party with whom I wish to connect must also present credentials
with validity I accept. This exchange of credible commitments forms a trusted
relationship in cyberspace.

p.s. Through Masood, I was also introduced to the Trust Blog. I was particularly
intrigued by the concept of Asymmetric Trust. Stuff worth reading.

 

Identity and Data Management

Identity
Author: Mark Dixon
Thursday, September 1, 2005
10:23 am

Today is Day One of the combined Sun and StorageTek company.

Sun’s executive leadership stressed again today that the Sun Identity Management
product line will be a key enabler in capturing the potential of the merged
companies. It’s great to be at the forefront of Sun’s strategic direction!

 

Wizard of ID

Identity
Author: Mark Dixon
Wednesday, August 31, 2005
2:26 pm

Perhaps the Wizard of ID should be the official comic strip of Identity Management!


 

Dyslexic Agnostic Insomniac

Identity
Author: Mark Dixon
Friday, August 26, 2005
5:16 am

Wednesday’s Non Sequitur comic reminded me of one of my favorite jokes:

How does a dyslexic, agnostic insomniac spend his time?

He lies awake all night wondering if there is a Dog.

Question: Does God have an Identity?

 

Trust is the Currency of the Participation Age

Identity
Author: Mark Dixon
Wednesday, August 24, 2005
6:05 am


Trust: "assured reliance on the character, ability, strength, or truth of
someone or something."

Currency: "a medium of exchange."

Last Sunday, Sun announced a project called the Open Media Commons
initiative aimed at creating an open-source, royalty-free digital-rights management
standard. I was intrigued that the header to the Open Media Commons web page
featured the words, "Trust is the currency of the participation age."

This coincides with a prevalent theme in current Identity Management thought
that trusted Identity Relationships enable interaction
between subjects represented by Digital Identities. In a recent blog
I proposed, "Identity technologies will transform computing into
the next paradigm, the Participation Age, because trusted Identity Relationships
between all types of online participants will become ubiquitous and highly available."

Considering trust to be currency, or a medium of exchange, captures this concept
nicely. Each day, we use standard currency as a medium of exchange representing
our ability to pay and the government’s ability to stand behind the currency. Such currency is both ubiquitous and highly available.
In each financial transaction, we not only express faith or trust in a dollar bill
or credit card as a representation of wealth, but we place trust in the government
that issued the money or the credit card company that issued that card. This
is a good example of a trusted third party validating or standing behind a transaction.
In the Participation Age, a higher level of online interpersonal interaction
will be enabled by the digital embodiment of such trust.

So, each time you conduct a transaction online, think not only of the money
you spend, but think of the trust that acts as a medium of exchange – Currency
of the Participation Age.

p.s. Isn’t it ironic that the designs for US currency and coin include the
words "In God We Trust?"

 
Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.