
Exploring the science and magic of Identity and Access Management
Tuesday, July 23, 2024

User Attributes – Part of Identity?

Author: Mark Dixon
Saturday, October 8, 2011
7:59 am

I recently participated in an Identity and Access Management architecture session where I was asked a direct question, “Do you consider user attributes not stored in the main directory a part of user Identity?”  When I said yes, a few people seemed somewhat perplexed.  Please let me explain my point of view.

I think there is a propensity to think that “Identity attributes” are strictly limited to those stored in a directory user object. That focus is too narrow. While it may be that the “Identity Management System” only knows about those attributes, the sum total of real Identity information can be much broader. This broader view of Identity is essential if we hope to leverage Identity Management to enable innovative business models.

For example, if I am an online vendor hoping to leverage user Identities to provide a highly personalized user experience for my customers, I must not rely only on the user object in the authentication directory. A richer set of Identity data comprising history, preferences and real-time context must be considered. This information may reside in multiple repositories.
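One way to make the broader view concrete, as an added illustration rather than anything from the post: assemble a single identity from several repositories, but record where each attribute came from. Everything may shape personalization, while only attributes from an authoritative source (here, the authentication directory) may feed an access decision. A user-editable preference store that happens to carry a “groups” claim is the case to watch for. The repositories, user identifiers and attribute values below are all constructed.

```python
"""Added example: assembling one user's identity from several repositories
(authentication directory, purchase history, a user-editable preference store
and real-time session context) while recording where each attribute came from,
so that personalization can use everything but access decisions use only
authoritative data. All stores and attribute values are constructed."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Attr:
    value: Any
    source: str          # repository that supplied the value
    authoritative: bool  # may the value feed an access-control decision?


# Constructed repositories, keyed by a shared user identifier
DIRECTORY = {
    "u42": {"uid": "u42", "email": "j.doe@example.com", "groups": ["customers", "premium"]},
    "u7":  {"uid": "u7",  "email": "s.roe@example.com"},          # no group data here
}
CRM_HISTORY = {
    "u42": {"orders": 17, "last_order": "2011-09-30"},
    "u7":  {"orders": 0},
}
PREFERENCES = {                                   # user-editable, so never trusted for authz
    "u42": {"locale": "fr-CA", "email": "jdoe@personal.example"},
    "u7":  {"locale": "en-US", "groups": ["admins"]},             # self-asserted claim
}

# Precedence order for conflicting values, and whether each source is authoritative
SOURCES = [
    ("directory",   DIRECTORY,   True),
    ("crm",         CRM_HISTORY, False),
    ("preferences", PREFERENCES, False),
]


def assemble(user_id, sources=SOURCES, context=None):
    """Merge attributes from every repository into a single view.
    The first source in precedence order wins a conflicting key; every
    attribute keeps its provenance. Real-time context is merged last and
    is never authoritative."""
    identity = {}
    for name, store, authoritative in sources:
        for key, value in store.get(user_id, {}).items():
            if key not in identity:
                identity[key] = Attr(value, name, authoritative)
    for key, value in (context or {}).items():
        identity.setdefault(key, Attr(value, "context", False))
    return identity


def authz_groups(identity):
    """Group membership that may drive an access decision: authoritative only.
    A self-asserted 'groups' claim from the preference store yields nothing."""
    groups = identity.get("groups")
    return list(groups.value) if groups and groups.authoritative else []


def personalization_view(identity):
    """Everything, authoritative or not, may shape the user experience."""
    return {key: attr.value for key, attr in identity.items()}


if __name__ == "__main__":
    for uid in ("u42", "u7"):
        ident = assemble(uid, context={"device": "mobile", "geo": "CA"})
        print(uid, "authz groups:", authz_groups(ident))
        print(uid, "personalization:", personalization_view(ident))
```

The precedence list does the merging; the `authoritative` flag does the security work. For user u7 the only “groups” value available comes from the preference store, so the personalized view shows it but `authz_groups` returns an empty list, which is the behaviour you want when a customer can edit that store themselves.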

Just my thoughts.  What do you think?




Gartner IAM Summit: Amit Jasuja on “Bridging the IT and Business Divide with Identity Intelligence”

Author: Mark Dixon
Tuesday, November 16, 2010
6:03 am

As a holder of a lowly exhibit pass at the Gartner IAM Summit, the only conference session where I was officially welcomed was the Oracle vendor session, where Amit Jasuja, Vice President, Oracle Identity Management, addressed the subject, “Bridging the IT and Business Divide with Identity Intelligence.”

Some of the key points Amit stressed include:

  1. A major Identity and Access Management problem is having only a partial view of Identity information that doesn’t give you the complete picture.
  2. Correlating identity data can be difficult, because the data resides in multiple identity data silos.
  3. The solution is to collect, compile and correlate identity into an Identity Warehouse.
  4. Many applications can access and leverage the Identity Warehouse, including role governance, change management, IT audit policy monitoring, risk assessment, configuration analysis and access certification.
  5. A business glossary, which assigns business terms to cryptic technical terms, helps an Identity Warehouse deliver real business value.
  6. The Identity Warehouse and related applications help an organization go beyond compliance and build trust in the organization.
  7. The Identity Warehouse can provide a complete view of your environment today.
  8. Oracle’s solution to tackle these issues is Oracle Identity Analytics.

I like the term “Identity Intelligence.”  Using analytical methods to extract intelligence from massive amounts of identity data is a smart thing to do.

I had a brief discussion last night with a customer who basically said, “We have the data. We just need the ability to manage it and extract the value.” 

Well said.  That’s what Amit’s talk was all about.


Identity Management for Zombies?

Humor, Social Media
Author: Mark Dixon
Thursday, August 26, 2010
2:36 pm

Note: This little post chronicles my favorite social media exchange in a long time.  You need to see the embedded images to get the gist of an intriguing conversation.


The intrigue began Wednesday afternoon when I was waiting in the Chicago O’Hare airport for a flight to Central Wisconsin Airport, near Wausau, WI.  I tweeted my intentions:


Within a few minutes, I was being followed on Twitter by Wausau Loner:


I had never heard of the Zombie Apocalypse, so I started poking around the web.  I thought, “Do Zombies need Identity Management?”

I found that my tweet was listed on the Wausau Wisconsin Best Blogs and Tweets …


… along with my new follower, the Zombie Apocalypse expert, Wausau Loner.


This morning (Thursday), I received a nice thank you note from Wausau Loner:


I pinged him back and got this reply:


I posed the big question:  Do zombies have unique Identities?  Do they need Identity Management?

Sadly, the answer was negative:


Well, there are still many unanswered questions. Maybe next time I visit Wausau, I’ll get together with Wausau Loner and get more details! I’ll let you know.


Want to Steal $11 million? Use Orphan Accounts.

Identity, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
11:32 am

I first met Alan Norquist back in 2000 while we worked together at Ponte Communications, a dot-com startup that lured me away from my first stint at Oracle. Ironically, Alan came to Ponte directly from Sun Microsystems; I would later join Sun. At Ponte, we developed and sold technology to provision and configure a wide range of network infrastructure devices. The company didn’t succeed, but it allowed me to focus for a while on the issues involved in using a centralized application to provision multiple connected devices – a capability that was central to the growth of the Identity Management provisioning market a few years later.

In the ensuing ten years, Alan has been a successful serial entrepreneur. He is now Founder and CEO at another emerging company, Veriphyr, which uses advanced data analytics to automatically discover user access policy exceptions.

Again, our lives have converged because of common professional focus on Identity Management and Information Security.

In a recent blog post, Alan pointed out a recent Colorado legal case:

“A three person process for approving payments did not stop a lone insider from stealing $11 million by playing puppet master. The thief’s unauthorized access to the unused computer accounts of two other employees allowed her to pull the strings and make it appear financial payments had the necessary three ‘independent approvals.’”

A report from TheDenverChannel.com further elaborated:

Michelle Cawthra, who was a supervisor at the Colorado Department of Revenue, had testified that during the scheme, she deposited unclaimed tax refunds and other money in [her boyfriend’s] bank accounts by forging documents and creating fake businesses.

How did she do it?  Rather than de-provisioning access for a few employees who had reported to her, she allowed the orphan accounts to hang around.  Ms. Cawthra had convinced the departing employees to share their passwords with her, so she had multiple unfettered channels of access to complete her nefarious schemes.

Interestingly enough, preventive Separation of Duties (SoD) controls were in place. But the control counted three approving accounts, not three approving people: with the orphan accounts within her grasp, Ms. Cawthra could supply every “independent” approval herself and circumvent those controls entirely. In addition to preventive controls, a detective control was needed, one that correlated account ownership with HR status, flagged any account whose owner had left, and caught the illicit use before the case got out of hand.

So if you want to steal $11 million, perhaps you can leverage orphan accounts.  However, if you are on the right side of the law, I’m sure Alan would be delighted to discuss how Veriphyr can help catch schemes like Ms. Cawthra devised.
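The Gartner session above describes collecting identity data from multiple silos into an Identity Warehouse; this post shows what happens when nobody correlates that data. The Python below is an added illustration of both points, not code from either post, from Veriphyr or from Oracle Identity Analytics. The HR feed, the two account silos, the approval events and every identifier are constructed. It correlates accounts to people, lists the orphans, flags any use of an orphan account, and re-checks each payment’s approvals at the person level rather than the account level.

```python
"""Added example: a toy identity warehouse built from HR, directory and
application account feeds, used to find orphan accounts and to check that
payment approvals were really made by three *different people*.
All feeds and identifiers below are constructed for illustration."""
from collections import defaultdict
from datetime import date, datetime

# --- Constructed feeds -------------------------------------------------------
HR = {  # employee_id -> (name, status, termination date or None)
    "E100": ("Alice Ng",  "active",     None),
    "E101": ("Bob Ruiz",  "terminated", date(2010, 3, 31)),
    "E102": ("Chen Wu",   "terminated", date(2010, 5, 15)),
    "E103": ("Dana Kim",  "active",     None),
    "E104": ("Eve Park",  "active",     None),
}
# Directory silo: login -> employee_id attribute (None when the attribute is unset)
DIRECTORY = {"ang": "E100", "bruiz": "E101", "cwu": "E102", "dkim": "E103",
             "epark": "E104", "svc-batch": None}
# Finance application silo: app login -> employee_id on record
FINANCE_APP = {"ang": "E100", "bruiz": "E101", "cwu": "E102", "dkim": "E103",
               "epark": "E104", "tmp-audit": "E999"}

# Approval events: (payment_id, approving login, timestamp, workstation)
APPROVALS = [
    ("P1", "ang",       datetime(2010, 6, 1, 9, 0),   "WS-12"),
    ("P1", "dkim",      datetime(2010, 6, 1, 9, 30),  "WS-07"),
    ("P1", "ang",       datetime(2010, 6, 1, 9, 45),  "WS-12"),  # same person twice
    ("P2", "ang",       datetime(2010, 6, 2, 10, 0),  "WS-12"),
    ("P2", "bruiz",     datetime(2010, 6, 2, 10, 2),  "WS-12"),  # orphan, same workstation
    ("P2", "cwu",       datetime(2010, 6, 2, 10, 4),  "WS-12"),  # orphan, same workstation
    ("P3", "ang",       datetime(2010, 6, 3, 11, 0),  "WS-12"),
    ("P3", "dkim",      datetime(2010, 6, 3, 11, 5),  "WS-07"),
    ("P3", "tmp-audit", datetime(2010, 6, 3, 11, 9),  "WS-30"),  # no owner in HR
    ("P4", "ang",       datetime(2010, 6, 4, 14, 0),  "WS-12"),
    ("P4", "dkim",      datetime(2010, 6, 4, 14, 20), "WS-07"),
    ("P4", "epark",     datetime(2010, 6, 4, 14, 50), "WS-21"),  # clean: three people
]


def build_warehouse(hr, *silos):
    """Correlate every account in every silo to an HR person.
    Returns {login: {"owner": employee_id or None, "orphan": bool, "reason": str}}."""
    wh = {}
    for silo in silos:
        for account, emp in silo.items():
            if account in wh:
                continue                      # same login seen in an earlier silo
            person = hr.get(emp)
            if person is None:
                wh[account] = {"owner": None, "orphan": True,
                               "reason": "no matching HR record"}
            elif person[1] == "terminated":
                wh[account] = {"owner": emp, "orphan": True,
                               "reason": f"owner terminated {person[2].isoformat()}"}
            else:
                wh[account] = {"owner": emp, "orphan": False, "reason": ""}
    return wh


def orphan_accounts(wh):
    """Logins with no living owner: unmatched, or matched to a leaver."""
    return sorted(a for a, rec in wh.items() if rec["orphan"])


def orphan_usage(wh, approvals):
    """Any use of an orphan account is a finding, whatever it approved."""
    return [(p, acct, ts.isoformat()) for p, acct, ts, _ in approvals if wh[acct]["orphan"]]


def sod_violations(wh, approvals, required=3):
    """Person-level separation of duties: a payment needs `required` approvals
    from distinct *people* (not merely distinct logins), none from orphans,
    and not all from one workstation. Returns {payment_id: [reasons]}."""
    by_payment = defaultdict(list)
    for p, acct, _, ws in approvals:
        by_payment[p].append((acct, ws))
    findings = {}
    for p, events in by_payment.items():
        reasons = []
        people = {wh[a]["owner"] for a, _ in events if not wh[a]["orphan"]}
        if any(wh[a]["orphan"] for a, _ in events):
            reasons.append("approval by orphan account")
        if len(people) < required:
            reasons.append(f"only {len(people)} distinct approvers, {required} required")
        if len(events) > 1 and len({ws for _, ws in events}) == 1:
            reasons.append("all approvals from one workstation")
        if reasons:
            findings[p] = reasons
    return findings


if __name__ == "__main__":
    wh = build_warehouse(HR, DIRECTORY, FINANCE_APP)
    print("orphans:", orphan_accounts(wh))
    print("orphan usage:", orphan_usage(wh, APPROVALS))
    for pid, why in sod_violations(wh, APPROVALS).items():
        print(pid, "->", "; ".join(why))
```

The person-level check is the difference from the control that failed in the Cawthra case: three distinct logins are not three distinct approvers unless the warehouse can show they resolve to three distinct, currently employed people. On the constructed data P2 trips all three rules, P1 and P3 trip some, and P4 passes. The unowned service account `svc-batch` also surfaces as an orphan, which is the right outcome; an account nobody owns is exactly the kind that lingers after a reorganization.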


Data Breach Threats Beg For Better Access Control

Identity, Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
9:39 pm

Dave Kearns of Network World posted a thought-provoking article today, “Data breach demonstrates need for access control policies.”

Highlighting a case where a tax collector in British Columbia, Canada, used government computers to look up “private tax files of hundreds of high-income individuals, apparently in the hopes of hitting them up for a business she ran on the side,” Dave observed:

There are so many things wrong here.

  1. Why weren’t controls in place to prevent, or at least raise a flag, when an agent accessed files randomly? Were they at least audited?
  2. Why did it take four years for someone to realize that there were shady dealings going on?
  3. How did CRA determine the "risk of injury"?
  4. Why aren’t the affected parties notified whenever there’s a breach?

In light of increasing government regulations covering data breaches, and hard evidence that the number of data breaches continues to grow, companies would be well advised to

“review your governance, oversight and access control policies now — before your organization features prominently (and ashamedly) in a newspaper headline!”
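Dave’s first two questions are the ones a monitoring team can actually answer with code: was there a record of who opened which file, and did anything look at it? The Python below is an added illustration, not code from Dave’s article or from the CRA; the log format, the caseload assignments, the agent and taxpayer identifiers and the sensitivity tags are all constructed. It parses record-access audit lines, flags every lookup of a file outside the agent’s assigned caseload (escalating sensitive files), and flags agents whose lookup volume is far above their peers.

```python
"""Added example: monitoring record-access logs for lookups that fall outside
an agent's assigned work, and for agents whose lookup volume is far above their
peers. Log format, identifiers and data are constructed for illustration."""
import re
from collections import Counter
from statistics import median

# Constructed caseload: which taxpayer files each agent has a business reason to open
ASSIGNMENTS = {
    "a01": {"T1001", "T1002", "T1003"},
    "a02": {"T2001", "T2002"},
    "a03": {"T3001", "T3002", "T3003"},
}
# Constructed sensitivity tags (e.g. high-income or otherwise protected files)
SENSITIVE = {"T9001", "T9002", "T9003"}

# Constructed audit lines in a syslog-like key=value format
LOG = """\
2010-08-10T09:02:11 agent=a01 action=view taxpayer=T1001 result=ok
2010-08-10T09:05:40 agent=a01 action=view taxpayer=T1002 result=ok
2010-08-10T09:07:02 agent=a02 action=view taxpayer=T2001 result=ok
2010-08-10T09:09:55 agent=a02 action=view taxpayer=T9001 result=ok
2010-08-10T09:10:13 agent=a03 action=view taxpayer=T3001 result=ok
2010-08-10T10:15:00 agent=a02 action=view taxpayer=T9002 result=ok
2010-08-10T10:15:20 agent=a02 action=view taxpayer=T9003 result=ok
2010-08-10T10:16:05 agent=a02 action=view taxpayer=T5500 result=ok
2010-08-10T10:16:40 agent=a02 action=view taxpayer=T5501 result=ok
2010-08-10T10:17:10 agent=a02 action=view taxpayer=T5502 result=ok
2010-08-10T10:17:30 agent=a02 action=view taxpayer=T5503 result=ok
2010-08-10T10:18:00 agent=a02 action=view taxpayer=T5504 result=ok
2010-08-10T11:00:00 agent=a03 action=view taxpayer=T3002 result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) agent=(?P<agent>\S+) action=(?P<action>\S+) "
                     r"taxpayer=(?P<taxpayer>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Turn audit lines into dicts; lines that do not match are skipped here,
    but in production a count of unparseable lines is itself a signal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def out_of_scope(events, assignments, sensitive=SENSITIVE):
    """Need-to-know rule: each lookup of a file not in the agent's caseload is a
    finding (ts, agent, taxpayer, severity); sensitive files escalate to 'high'."""
    findings = []
    for e in events:
        if e["taxpayer"] not in assignments.get(e["agent"], set()):
            severity = "high" if e["taxpayer"] in sensitive else "medium"
            findings.append((e["ts"], e["agent"], e["taxpayer"], severity))
    return findings


def volume_outliers(events, factor=3.0):
    """Volume rule: agents whose lookup count exceeds `factor` times the median
    count across agents in this log window. Returns {agent: count}."""
    counts = Counter(e["agent"] for e in events)
    if len(counts) < 2:
        return {}                      # no peer group to compare against
    med = median(counts.values())
    return {agent: n for agent, n in counts.items() if n > factor * med}


if __name__ == "__main__":
    events = parse(LOG)
    for finding in out_of_scope(events, ASSIGNMENTS):
        print("out of scope:", *finding)
    print("volume outliers:", volume_outliers(events))
```

Both rules depend on two things the post asks about: an audit record per lookup and a statement of what each agent is supposed to be working on. The peer-median threshold is deliberately crude; a real deployment would baseline each agent over time and count distinct files as well as raw lookups, since someone browsing hundreds of unrelated records looks different from someone re-opening one case.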


Source Doc: Open Trust Frameworks for Open Government

Author: Mark Dixon
Tuesday, August 17, 2010
9:51 pm

This document, Open Trust Frameworks for Open Government, is about a year old, but still provides an excellent overview of how OpenID and Information Card technology are being applied to provide citizen access to government websites:

Open government requires a way for citizens to easily and safely engage with government websites. Open identity technologies—specifically OpenID and Information Cards—fit this bill. They make it easier and safer for citizens to register, login, and when necessary share personally identifiable information across different websites and services. To bring open identity technologies and open government together, the OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.



Source Doc: XACML 3.0 Enhancements

Identity, Information Security, Source Doc
Author: Mark Dixon
Saturday, August 14, 2010
7:54 am

Presentation by Gerry Gebel of Axiomatics at Kantara workshop. Includes good overview of XACML and coverage of v3.0 enhancements.



Source Doc: OpenID Security Issues

Information Security, Source Doc
Author: Mark Dixon
Saturday, August 14, 2010
7:16 am

Presentation by Ashish Jain, Andrew Nash and Jeff Hodges of PayPal Information Risk Management at OpenID Summit, 2 November 2009.



National Strategy for Trusted Identities in Cyberspace

Author: Mark Dixon
Thursday, July 15, 2010
8:52 am

On June 25, 2010, the US Federal Government released a draft document entitled, “National Strategy for Trusted Identities in Cyberspace.” This document proposes a strategy that:

… defines and promotes an Identity Ecosystem that supports trusted online environments.  The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities. 

The Identity Ecosystem enables: 

  1. Security, by making it more difficult for adversaries to compromise online transactions;   
  2. Efficiency based on convenience for individuals who may choose to manage fewer passwords or accounts than they do today, and for the private sector, which stands to benefit from a reduction in paper-based and account management processes; 
  3. Ease-of-use by automating identity solutions whenever possible and basing them on technology that is easy to operate with minimal training;
  4. Confidence that digital identities are adequately protected, thereby increasing the use of the Internet for various types of online transactions; 
  5. Increased privacy for individuals, who rely on their data being handled responsibly and who are routinely informed about those who are collecting their data and the purposes for which it is being used;
  6. Greater choice, as identity credentials and devices are offered by providers using interoperable platforms; and
  7. Opportunities for innovation, as service providers develop or expand the services offered online, particularly those services that are inherently higher in risk.

The strategy proposes four primary goals and nine actions to implement and promote the Identity Ecosystem. The goals:

  1. Develop a comprehensive Identity Ecosystem Framework
  2. Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
  3. Enhance confidence and willingness to participate in the Identity Ecosystem
  4. Ensure the long-term success of the Identity Ecosystem

The actions:

  1. Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
  2. Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
  3. Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
  4. Work Among the Public/Private Sectors to Implement Enhanced Privacy
  5. Coordinate the Development and Refinement of Risk Models and Interoperability Standards
  6. Address the Liability Concerns of Service Providers and Individuals
  7. Perform Outreach and Awareness Across all Stakeholders
  8. Continue Collaborating in International Efforts
  9. Identify Other Means to Drive Adoption of the Identity Ecosystem across the

The Strategy Document doesn’t discuss any specific technologies, but rather, addresses the needs and general concepts required for a national Identity Ecosystem.

If you would like to make public comments on the strategy, a good place to visit is this IdeaScale page hosted by the Department of Homeland Security. Reading comments from other parties on that page is quite interesting.

In other areas of Cyberspace, the reactions to this strategy are mixed.  For example, an active proponent is my friend Dazza Greenwood, who encourages everyone to become familiar with the strategy and actively give feedback:

At the other end of the spectrum is a blogger, Arnold Vintner, whom I do not know, who shares a much more pessimistic view. In his post, “Obama Administration Moves to Reduce Online Privacy,” Mr. Vintner opines:

The Obama administration is proposing a new identity management system for the Internet which it calls “Identity Ecosystem.” This new system will replace individually managed usernames and passwords with a taxpayer-funded federally-managed system.

The scheme is outlined in the National Strategy for Trusted Identities in Cyberspace. The planned system will tie together all of your accounts into one national online identity.  This will enable the federal government to easily track all online activity of every American.

The system will start with the federal government requiring the ID’s for use in accessing federal web sites — such as for filing your taxes online.  The federal government will then force businesses to adopt the system, starting with banks and credit card companies and slowly spreading to encompass the entire online environment. Once fully implemented, Internet users will no longer be able to comment anonymously on blogs or web forums, because all online identities will be verified with the U.S. government.

Where do you stand?  I personally like the idea of public dialog on this issue and the call for public and private entities to participate in a solution.  I look forward to giving feedback and tracking progress.


Introducing Oracle Identity Management 11g

Author: Mark Dixon
Tuesday, July 13, 2010
12:58 pm

I am pleased to announce the official public webcast introducing Oracle Identity Management 11g:

Date: Wednesday, July 21, 2010
Time: 10:00 a.m. PT / 1:00 p.m. ET


Amit Jasuja,  Oracle’s Vice President Identity Management and Security Products, will lead the discussion, as he and other Oracle executives:


“… introduce a new and revolutionary approach in application security – Oracle Identity Management 11g.

“Modern enterprise architectures are evolving rapidly, yet many security solutions in use today represent decade old technology. Businesses must adapt swiftly to stay competitive, yet bolted-on security controls impede IT agility. Compliance mandates continue to grow in number, while organizations continue to struggle with their staggering costs and complexity.

“Oracle Identity Management 11g redefines the architectures that secure the modern enterprise, ushering in a new era of agile security, rapid ROI, and sustainable compliance. Join us to learn more about the exciting new developments.”

I’m looking forward to this event.  We hope you can join us, too.

You can register by clicking here.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.