
Exploring the science and magic of Identity and Access Management
Friday, December 5, 2025

Why Federated Identity is easier said than done

Identity
Author: Mark Dixon
Thursday, March 3, 2011
7:52 pm

Stephen Wilson of The Lockstep Group in Sydney, Australia, is scheduled to present an interesting paper, Why Federated Identity is easier said than done, at the AusCERT2011 conference in May.  Based on the abstract, the complete paper should be really interesting.

Stephen states that despite,

“near universal acceptance of the idea of Federated Identity … higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes.”

He further asserts that lingering resistance to full adoption results from the fact that,

“Federated Identity is in fact a radical and deeply problematic departure from the way we do business.  … Thus the derided identity “silos” are a natural and inevitable consequence of how business rules are matched to particular contexts.”

Stephen’s final comment:

“If we focused on conserving context and replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.”

If Identity Federation really doesn’t match the way we do business, it will be interesting to see how Stephen expands on and clarifies that final statement in the full paper.


Emerging Identity Oracles

Identity
Author: Mark Dixon
Thursday, March 3, 2011
7:20 pm

Oracle: “In Classical Antiquity, an oracle was a person or agency considered to be a source of wise counsel or prophetic opinion, predictions or precognition of the future, inspired by the gods.”

Thanks to Nishant Kaushik for pointing out Anil John’s thought-provoking article, “Identity Oracles and their role in the Identity Eco-System.” In his introductory tweet, Nishant suggested, “Some thing for @trulyverified to think about.”

Since I recently signed up for the Tru.ly service, I thought Nishant’s advice was timely.

It was interesting to review the four characteristics of an Identity Oracle outlined by Bob Blakley, currently the Gartner Research VP for Identity and Privacy:

  • An organization which derives all of its profit from collection & use of your private information…
  • And therefore treats your information as an asset…
  • And therefore protects your information by answering questions (i.e. providing meta-identity information) based on your information without disclosing your information…
  • Thus keeping both the Relying Party and you happy, while making money.

Some emerging companies fit part of this definition.  Certainly Tru.ly relies on information I provide and they verify, as an asset, and have based their business plan on such assets.

However, others come at it from a different direction:  Acxiom and LexisNexis offer Identity Verification and Authentication services based on publicly available information.  Neither company has asked me whether they can use my information, but Acxiom claims, “Acxiom’s identification platform utilizes demographic and geographic data in challenge questions with nearly 900 data elements for more than 300 million individuals.” LexisNexis claims, “Access to vast data resources – more than 20 billion public and proprietary records.”

Acxiom and LexisNexis customers pay for the privilege of tapping into those vast stores of personal information to provide authentication and validation services.

Does this make Acxiom and LexisNexis Identity Oracles?  What about Tru.ly or Trufina, or similar companies? Do the three major credit bureaus qualify?  Perhaps none are complete Identity Oracles in the true sense of Bob Blakley’s definition.  But they are getting close.


I am Tru.ly Verified on Facebook and LinkedIn

Identity
Author: Mark Dixon
Wednesday, March 2, 2011
2:18 pm

Yesterday, my Identity was verified by the Tru.ly identity validation service.  With that in place, if your browser is equipped with a Tru.ly browser extension, you can visit me on Facebook or LinkedIn and see that I am tru.ly verified.

[screenshots of the Tru.ly verified badge on Facebook and LinkedIn]

I think tru.ly faces an uphill battle to build critical mass both of people with tru.ly validated identities and of people who really care.  While that battle progresses, I’ll keep you updated as I learn more.


Tru.ly Identity Verification – Base Hit

Identity, Sports
Author: Mark Dixon
Tuesday, March 1, 2011
3:46 pm

Last Thursday, I tried unsuccessfully to register for the new Identity Validation service provided by Tru.ly.  On Friday, I got a nice email from a Tru.ly representative, responding to my blog and Twitter posts, thanking me for my access attempt and inviting me to try again.

This afternoon, my registration effort was successful.  Tru.ly verified the bits of Identity information I provided, and issued my very own Tru.ly URL – tru.ly/mgd – plus the QR code included in this post and on the blog sidebar.

You can see my verification information by visiting tru.ly/mgd, by clicking on the QR code or by scanning the QR code with your mobile device.  It worked just fine on my iPhone using the QRReader app.

What does a Base Hit have to do with Identity Verification?

Since Spring Training has started in Arizona, baseball analogies came to mind.  I assigned my first failure at Tru.ly registration “Strike 1.”  I’ll call my current success a “base hit.” The registration worked, but I’m not really sure what its real value is yet.  We’ll have to wait awhile to see what brings me across home plate.


Tru.ly Identity Verification – Strike 1

Identity
Author: Mark Dixon
Thursday, February 24, 2011
5:00 pm

Over the past few years, I have been intrigued with the subject of Identity Validation – being able to determine, with a high degree of confidence, that a person is who he says he is, prior to issuing Identity credentials to him.

Today, I became aware of Tru.ly, which promises to “[maximize] personal privacy by providing users with a single, verified identity on the internet.”  A lively Twitter conversation among Identity experts @dak3 @NishantK @paulmadsen and @iglazer convinced me that I should check it out.

But alas, when I tried to join Tru.ly (twice), I got this nasty error message:

[screenshot of the Tru.ly error message]

My only comment is ARRGGGGGH! I guess I’ll try again tomorrow to join the latest service that promises to save the world.


RIP Cardspace: Heaven or Hell?

Humor, Identity
Author: Mark Dixon
Thursday, February 24, 2011
4:33 pm

A lot of water has passed under the proverbial bridge since I first blogged about Cardspace in June 2006.  You’ve gotta love Paul Madsen’s commentary on Cardspace’s current status:

This reminds me of my favorite quote from the novel and movie, The Scarlet Pimpernel:

We seek him here, we seek him there,
Those Frenchies seek him everywhere.
Is he in heaven? — Is he in hell?
That damned, elusive Pimpernel.

Makes you wonder … just how will we remember Cardspace and all that was said about it?


Obama Eyeing Internet ID for Americans

Identity, Privacy
Author: Mark Dixon
Monday, January 10, 2011
6:07 pm

Obama Eyeing Internet ID for Americans – Tech Talk – CBS News.

Do we really want the President – or any federal official – establishing our personal Internet IDs?  Sounds like government overreach to me.


Gartner IAM Summit: Amit Jasuja on “Bridging the IT and Business Divide with Identity Intelligence”

Identity
Author: Mark Dixon
Tuesday, November 16, 2010
6:03 am

As a holder of a lowly exhibit pass at the Gartner IAM Summit, the only conference session where I was officially welcomed was the Oracle vendor session, where Amit Jasuja, Vice President, Oracle Identity Management, addressed the subject, “Bridging the IT and Business Divide with Identity Intelligence.”

Some of the key points Amit stressed include:

  1. A major Identity and Access Management problem is having only a partial view of Identity information that doesn’t give you the complete picture.
  2. Correlating identity data can be difficult, because the data resides in multiple identity data silos.
  3. The solution is to collect, compile and correlate identity into an Identity Warehouse.
  4. Many applications can access and leverage the Identity Warehouse, including role governance, change management, IT Audit Policy Monitoring, risk assessment, configuration analysis and access certification.
  5. A business glossary, which assigns business terms to cryptic technical terms, helps an Identity Warehouse deliver real business value.
  6. The Identity Warehouse and related applications help an organization go beyond compliance and build trust in the organization.
  7. The Identity Warehouse can provide a complete view of your environment today.
  8. Oracle’s solution to tackle these issues is Oracle Identity Analytics.

I like the term “Identity Intelligence.”  Using analytical methods to extract intelligence from massive amounts of identity data is a smart thing to do.

I had a brief discussion last night with a customer who basically said, “We have the data. We just need the ability to manage it and extract the value.” 

Well said.  That’s what Amit’s talk was all about.


The Greek Tragedy: A “Zeus Trojan”

Identity, Information Security
Author: Mark Dixon
Thursday, September 30, 2010
8:49 pm

According to a CNNMoney.com article today,

“An international cybercrime ring was broken up Thursday by federal and state officials who say the alleged hackers used phony e-mails to obtain personal passwords and empty more than $3 million from U.S. bank accounts.

“The U.S. Attorney’s Office charged 37 individuals for allegedly using a malicious computer program called Zeus Trojan to hack into the bank accounts of U.S. businesses and municipal entities.”

Isn’t it interesting that this sophisticated cybercrime tool was named for Zeus, the Greek "Father of Gods and men," and the Trojan Horse, which allowed the Greeks to surreptitiously enter the city of Troy and end the Trojan War?

It is as if God and the Greeks have ganged up on the rest of us!

I’m sure God and the Greeks aren’t really conspiring against us, but the Zeus Trojan case underlines the tragic reality that bad guys are becoming extremely sophisticated in their attacks, and that the cost to us all is rapidly increasing.


Want to Steal $11 million? Use Orphan Accounts.

Identity, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
11:32 am

I first met Alan Norquist back in 2000 while we worked together at Ponte Communications, a dot-com startup that lured me away from my first stint at Oracle.  Ironically, Alan came to Ponte directly from Sun Microsystems; I would later join Sun. At Ponte, we developed and sold technology to provision and configure a wide range of network infrastructure devices.  The company didn’t succeed, but it allowed me to focus for a while on the issues involved in using a centralized application to provision multiple connected devices – a capability that was central to the growth of the Identity Management Provisioning market a few years later.

In the ensuing ten years, Alan has been a successful serial entrepreneur. He is now Founder and CEO at another emerging company, Veriphyr, which uses advanced data analytics to automatically discover user access policy exceptions.

Again, our lives have converged because of common professional focus on Identity Management and Information Security.

In a recent blog post, Alan pointed out a recent Colorado legal case:

“A three person process for approving payments did not stop a lone insider from stealing $11 million by playing puppet master. The thief’s unauthorized access to the unused computer accounts of two other employees allowed her to pull the strings and make it appear financial payments had the necessary three ‘independent approvals.’”

A report from TheDenverChannel.com further elaborated:

Michelle Cawthra, who was a supervisor at the Colorado Department of Revenue, had testified that during the scheme, she deposited unclaimed tax refunds and other money in [her boyfriend’s] bank accounts by forging documents and creating fake businesses.

How did she do it?  Rather than de-provisioning access for a few employees who had reported to her, she allowed the orphan accounts to hang around.  Ms. Cawthra had convinced the departing employees to share their passwords with her, so she had multiple unfettered channels of access to complete her nefarious schemes.

Interestingly enough, preventative Separation of Duties (SOD) controls were in place.  But with appropriate orphan accounts within her grasp, Ms. Cawthra was able to circumvent those controls and complete her work.  In addition to preventative controls, a method to detect illicit use before the case got out of hand was really needed.
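The detective control the case calls for, as an added example that is not from the post or from Veriphyr: written in Python over constructed HR and approval records, it shows that the three-approver rule passes on paper, while approvals entered on accounts whose owners have already left (orphan accounts), or all entered from one workstation, are flagged for review. Account names, workstation ids and dates are all constructed.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed HR feed: account -> termination date (None means still employed).
TERMINATIONS = {
    "supervisor1": None,
    "analyst2": date(2009, 11, 30),
    "analyst3": date(2010, 1, 15),
    "analyst4": None,
    "analyst5": None,
}

# Constructed approval log entries: (payment id, account, workstation, time).
APPROVALS = [
    ("PAY-1001", "supervisor1", "WS-17", datetime(2010, 3, 2, 9, 1)),
    ("PAY-1001", "analyst2",    "WS-17", datetime(2010, 3, 2, 9, 3)),
    ("PAY-1001", "analyst3",    "WS-17", datetime(2010, 3, 2, 9, 4)),
    ("PAY-1002", "supervisor1", "WS-17", datetime(2010, 3, 2, 10, 0)),
    ("PAY-1002", "analyst4",    "WS-22", datetime(2010, 3, 2, 11, 30)),
    ("PAY-1002", "analyst5",    "WS-09", datetime(2010, 3, 3, 8, 15)),
]

def sod_satisfied(entries, required=3):
    """The preventative control: approvals from `required` distinct accounts."""
    return len({account for account, _, _ in entries}) >= required

def is_orphan_use(account, when, terminations):
    """An approval recorded after the account owner's termination date."""
    left = terminations.get(account)
    return left is not None and when.date() > left

def review_payments(approvals, terminations):
    """Detective control: {payment: [findings]} for payments needing review."""
    by_payment = defaultdict(list)
    for payment, account, workstation, when in approvals:
        by_payment[payment].append((account, workstation, when))
    findings = {}
    for payment, entries in by_payment.items():
        notes = []
        if not sod_satisfied(entries):
            notes.append("SoD not met")
        for account, _, when in entries:
            if is_orphan_use(account, when, terminations):
                notes.append(f"orphan account used: {account}")
        if len({ws for _, ws, _ in entries}) == 1:
            notes.append("all approvals from one workstation")
        if notes:
            findings[payment] = notes
    return findings
```

Calling review_payments(APPROVALS, TERMINATIONS) flags only PAY-1001, even though both payments carry three distinct approving accounts.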

So if you want to steal $11 million, perhaps you can leverage orphan accounts.  However, if you are on the right side of the law, I’m sure Alan would be delighted to discuss how Veriphyr can help catch schemes like Ms. Cawthra devised.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.