
Exploring the science and magic of Identity and Access Management
Friday, April 19, 2024

Learn your Password … or Else!

Identity
Author: Mark Dixon
Tuesday, August 23, 2011
9:51 pm

A friend from an Oracle system integrator partner shared this video with me today – a bit of humorous, unabashed promotion for the Oracle Enterprise Single Sign-On product.

So, please learn your password … or try out Oracle ESSO!


Innovation at Amazon Web Services

Cloud Computing, Identity
Author: Mark Dixon
Tuesday, August 23, 2011
5:34 pm

In the past few days, I became aware of innovations at Amazon Web Services that show how AWS continues to lead the industry in cloud computing.

The first product offering is the addition of Identity Federation to AWS Identity and Access Management Services, which gives customers:

the ability for you to use your existing corporate identities to grant secure and direct access to AWS resources without creating a new AWS identity for those users. This capability enables you to programmatically request security credentials, with configurable expiration and permissions, that grant your corporate identities access to AWS APIs and resources controlled by your business.

The second offering, “AWS GovCloud,” offers:

a new AWS Region designed to allow U.S. government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements.

I find it intriguing that the same company that pioneered the industries of online book retailing and ebooks is so innovative in cloud services and Identity Management.  Plus, I was able to order a new cordless drill from the comfort of my hotel room in San Mateo last night!  Thanks to Amazon and UPS, I think the drill will arrive in Arizona before I do this week.


Chad Russell – Welcome to the Blogosphere!

Identity
Author: Mark Dixon
Thursday, August 18, 2011
8:12 am

I always enjoy learning about a new Identity Management blog. Today, please join me in welcoming Chad Russell, an Oracle colleague and good friend who hails from the great state of Arkansas, into the blogosphere.  He recently launched a new Identity Management blog, “Brave New Identity – Identity Happenings from the Field.”  His last four posts are both relevant and interesting:

  • 3 Hot Trends in IDM (Part 1 of 3)
  • Why Provisioning Is Really An Authorization Problem
  • Auditing the Cloud
  • Amazon boosts IdM offering for cloud

I’m particularly looking forward to learning what Hot Trends 2 and 3 are.

You can also follow Chad on Twitter at @chadrussell_idm.

By the way, the young man up in the corner is Chad’s son, proclaiming, “Love the site, Pops!”


Aberdeen Research Brief: Identity and Access Management – Platform vs. Point Solution

Identity
Author: Mark Dixon
Wednesday, August 17, 2011
9:22 pm

One of the big questions in modern Identity and Access Management continues to be: “Is it better to choose individual point solutions and integrate them in my enterprise, or should I choose a complete IAM platform?”

I recently learned of an intriguing Research Brief published by the Aberdeen Group, entitled, “IAM Integrated: Analyzing the ‘Platform’ versus ‘Point Solution’ Approach.” Aberdeen’s conclusion:

Based on more than 160 respondents from its Managing Identities and Access study (February 2011), Aberdeen’s analysis of 32 enterprises which have adopted the vendor-integrated (Platform) approach to identity and access management, and 39 organizations which have adopted the enterprise-integrated (Point Solution) approach, showed that the vendor-integrated approach correlates with the realization of significant advantages.

 

The most significant advantages realized by organizations adopting the Platform approach to Identity and Access Management, as compared to those adopting the Point Solution approach, include:

  • Increased end-user productivity
  • Reduced risk
  • Increased agility
  • Enhanced security and compliance
  • Reduced total cost

Aberdeen’s research also confirmed the merits of a pragmatic “Crawl, Walk, Run” approach as the basic template for successful enterprise-wide initiatives involving Identity and Access Management, similar to what I have been recommending for years.

  • Adopt a primary strategic focus.
  • Put someone in charge.
  • Prioritize security control objectives as a function of requirements for risk, audit and compliance.
  • Establish consistent policies for end-user identities and end-user access to enterprise resources.
  • Standardize the workflow for the IAM lifecycle, including workflow-based approval for exceptions.
  • Standardize audit, analysis and reporting for IAM projects.
  • Evaluate and select IAM solutions.

Each element of this recommended approach is described more fully in the report.

I highly recommend that you download a copy of the report and review both the further detail and the methods Aberdeen used to arrive at its conclusion.


What is Your Secret Identity?

Humor, Identity
Author: Mark Dixon
Thursday, August 4, 2011
6:44 am

Do you have a secret Identity, an alter-ego, a second (or third) personality manifesting itself secretively in cyberspace?  If so, you must be a superhero, according to Ziggy (aka Zigmeister), our ever-erudite philosopher.


Scarce Interest in Verifying my Identity

Identity
Author: Mark Dixon
Friday, July 29, 2011
6:09 am

On December 10, 2009, I posted a short piece on this blog about Trufina, a company providing online identity verification services.  For a long time, I had a visible Trufina badge on the blog, so someone could click on it to verify that I was, indeed, the very Mark Dixon I claimed to be.  Since no one expressed interest, I took the badge off my main page.

Just this week, over 18 months later, one person actually clicked on the link in my December 2009 post and requested verification of my identity – not so much that he was interested in my identity as he was in the process of validating online identities.

I have concluded that this dearth of activity must have something to do with the following:

  1. My blog is rarely read.
  2. People aren’t interested in Trufina.
  3. People just don’t care about validation of online identities.
  4. A combination of the above.

By the way, I have never received a single request from someone via Tru.ly, the similar service whose badge I now display on the rightmost column of this blog. But I must be patient.  I just signed up for Tru.ly in March, 2011.  I have 14 more months before I can really compare the popularity of Tru.ly and Trufina.

 

 

Oracle Webcast: Introducing Oracle Unified Directory 11g

Identity
Author: Mark Dixon
Tuesday, July 19, 2011
8:45 am

Last week, I attended a week-long training session focused on Oracle’s new directory services product, Oracle Unified Directory.  A direct descendant of the Sun Microsystems OpenDS project, OUD is the next-generation Java-based directory product we have been anxiously anticipating for a long time.  This webinar is the first public unveiling of this exciting new product.


Identity Hardness – Do You Need Talc or Diamonds?

Identity
Author: Mark Dixon
Wednesday, June 15, 2011
4:56 pm

I had an interesting Twitter conversation recently with @steve_lockstep and @NishantK about Identity Assurance.  It began with Steve’s comment about how Facebook identities were of little worth, unfit to use with valuable transactions.  Nishant suggested that most Relying Parties (RPs) are content with “soft” identities that have to do with personal likes and interests, while significantly fewer RPs rely on “hard” identities.

Nishant’s observation about “hard” and “soft” identities made me think of the Mohs Mineral Hardness Scale, which assigns an “absolute” hardness value to different minerals.  Wikipedia’s article uses the following table to illustrate this concept:

Mohs Hardness Scale

Perhaps we could suggest a corresponding mineral and hardness value to each of NIST’s standard four Levels of Assurance (LOA) shown in the following table.

Levels of Assurance

Steve stated on Twitter that “I’m preoccupied with hard identity: doctors, lawyers, bank accts, patients”: scenarios where Facebook just doesn’t work. We could say that Steve is dealing in diamonds (level 4), but Facebook only offers talc (level 1).  Having a tangible example helps illustrate the somewhat ethereal LOA concept.  And over time, perhaps we can come up with a more definitive way to measure just how hard a particular Identity Assurance process really is.

As a parting thought: I have suggested minerals to match NIST Assurance Levels 1 and 4.  What would you suggest for the other two?

 

Source Doc: PCI DSS Virtualization Guidelines

Identity, Information Security, Source Doc
Author: Mark Dixon
Wednesday, June 15, 2011
1:41 pm

On June 14th, the PCI Security Standards Council announced publication of the PCI DSS Virtualization Guidelines Information Supplement, which “provides guidance to those in the payment chain on the use of virtualization technology in cardholder data environments in accordance with PCI DSS.”

The introductory section in this document outlines four principles associated with the use of virtualization in cardholder data environments:

  1. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
  2. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
  3. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
  4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

After giving an overview of virtualization, the report sets forth a detailed review of risks inherent in a virtualized environment and specific recommendations about how to deal with those risks.

The document’s appendix describes in detail how each of the 12 broad PCI security controls that are mandated for logical environments need to be applied in a virtual setting.

I have long thought the PCI DSS specification to be a good example of how an industry regulates itself.  The Virtualization Guidelines document shows once again how the payments industry is in step with recent trends in Information Technology.


How Much of Your Profile Data Can Your Social Network Share?

Identity
Author: Mark Dixon
Monday, June 13, 2011
4:21 pm

An interactive “Provider Guide” provided by JanRain shows what personal profile data maintained by popular social networks is available to applications that connect to these networks.  It is not surprising that Facebook offers the most information; LinkedIn is second in terms of available profile attributes.

With these many attributes about subscriber identities available through published APIs, it isn’t surprising how the stock market placed a huge premium on LinkedIn, and will presumably do the same with Facebook.  Perhaps the most valuable attributes are the connections to other people – friends on Facebook, contacts on LinkedIn.  The Network Effect arising from the interconnectivity of all those online members triggers extreme value momentum, particularly when all those relationships can be exposed to third parties.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.