
July 2007 Archives

July 6, 2007

Catalyst Conf. Notes: Wrapping Up

Catalyst 2007 has been a good conference for me simply because of the intangibles: good conversations, stimulating discussions, and loads of fun. Here is a wrap-up of a hodge-podge of thoughts from the conference.

Identity Services, Where Art Thou?
The second half of day 2 was dedicated to the subject of identity services. While Burton has been leading the discussion on the subject, they have encountered the same obstacles as the rest of us in trying to define a vast, amorphous area that is constantly being pulled apart by different parties. Whether it is vendors or customers doing the defining, identity services tend to get defined by what each party needs most or can do best. So arriving at one clear definition is difficult, leaving us with the very abstract, high-level view that we have been stuck with for a while.

One of the interesting things I found out was that Burton has formed an Identity Services Working Group (ISWG) consisting of 9 of their customers. It is much more formal than I was expecting, collaborating via members-only wiki and following the Chatham House Rule. It will be interesting to see what comes out of the effort.

Meanwhile Prateek, Phil and I had some good conversations with colleagues at other vendors on the possibility of collaborating on defining identity services. There is recognition of the fact that a good identity fabric can only be defined through a collaborative effort.

It is also interesting to see that the most recent entry into the IdM space is also the one gaining the most traction as a true identity service: the authorization service (aka entitlement management).

Oracle Had A Busy Catalyst
Catalyst turned out to be a really busy time for Oracle, with the IdM division making some major announcements around a major expansion of the Extended Identity Management Ecosystem. The Ecosystem is a set of ISVs that provide value-added integrations to Oracle's IAM offering, delivering comprehensive identity management solutions to customers. In all, 8 new members were added to the ecosystem, providing new capabilities in the following areas:

  • Strong Authentication: Arcot, Imageware, TriCipher
  • Physical Access Control: Quantum Secure
  • Network Access Control: Juniper Networks, ForeScout
  • Privileged Accounts Management: Cyber-Ark Software
  • Federated Identity: Pay By Touch
You can read the press release here.

The solution that I found interesting was the one offered by Cyber-Ark. I'll follow up on that solution in a future post.

Oracle and Wipro also announced an offering in the area of outsourced identity management services, called Managed Identity Services. It uses the various components in the Oracle IAM suite to deliver a set of managed services in the areas of provisioning, access control, federation, etc. Seems like Identity has arrived in the world of SaaS. You can read that press release here.

And We Had Some Fun Too
What I value most at these conferences is the opportunity to meet face-to-face with the people that shape and influence not just my approach to the space, but the very space itself. And this conference presented a host of such opportunities. Besides having some very interesting conversations with the Burton guys, I had the chance to meet up with a bunch of folks (some for the first time in person) at dinner, courtesy of good ol' Mark MacAuley. The dinner had way too many Marks for one table, but proved to be a fun evening nonetheless, with some good banter. It was interesting to be sitting next to ex-Waveset and ex-Access 360 folks (Mark McClain and Ian Glazer respectively), folks who at one time probably had their faces painted on dart boards in the ex-Thor offices (I kid, I kid). But as Ian points out in his blog post about it, there is a thread that ties us all together, and it is good that we can sit down to laugh over our experiences in this industry.


Photo from Ian Glazer's blog at TuesdayNight
And the hospitality suites at Catalyst also offer a different way to connect with customers. Outside the usual confines of an exhibition hall booth, you get the opportunity to chat with them in an informal, fun atmosphere. And I think the casual atmosphere serves to loosen folks up a bit, because you definitely find yourself having a much more open discussion with folks.

And of course, many of the customers implementing OIM make an appearance at Catalyst as well, giving me a chance to talk with them about much more mundane, yet practical, matters.

And now, back to the drawing board.

July 9, 2007

How Facebook is changing the world of identity

Okay, so the days of questioning the impact of social networking websites on our digital lives are long gone. But the nature of the impact is still being understood, and this is producing some interesting findings. While the world of sociology is trying to make sense of the seeming divide between Facebook and MySpace users (see ), it is the world of identity and privacy that is seeing some interesting side effects. We all know how concerns about child predators on the web are leading to potential litigation on the need for identity vetting by social networking sites. But the recent opening up of Facebook to the public seems to have let loose a barrage of investigative reports. Two recent articles about Facebook caught my eye:

Both illustrate how the world that identity management operates in is changing rapidly, and that IdM needs to keep up.

The first article clearly points to the behavioral patterns that those entrusted with protecting users' identity and privacy should understand. You can't rely on users to protect themselves when they don't know that they are at risk. Teenagers growing up with these technologies will have an inherent trust in these systems, and so the technology must learn to empower the user, not by giving them enough rope with which to hang themselves, but rather by giving them the right controls to determine correctly how they want to handle their information. In other words, adopt a more user-centric model (boy, I can hear the flames coming for that one).

The second article points to a far more subtle but important fact of digital life. The nature of "identity secrets" is changing. Once commonly accepted secrets for verifying a person's identity (like "mother's maiden name", "city you were born in" or "the first car you ever drove") are no longer secret in the age of blogging and tell-all MySpace pages. Bob Blakley put it out there pretty bluntly in a talk he did at Catalyst called The End of Secrecy: "You have no secrets anyway, get over it". While he was talking about the nature of privacy, it also applies in a much more mundane way to the identity systems in play today: reliance on the same old model of individual secrets is not only passé, it is downright dangerous.

The new model being proposed nowadays is commonly encapsulated in the phrase "What I Have, What I Am, What I Know". What I Have usually refers to some kind of strong authentication token (smart card, token, USB key). What I Am is an extension of the previous in the form of some biometric identifier (fingerprint, retinal scan, voice recognition). What I Know is a secret (password, PIN, mother's maiden name). As can be seen, the model still relies on a secret, but that secret has been bolstered by two other factors of authentication. While this is good enough for now, it does seem that new techniques will need to be discovered as increasing computation power and better technology weaken the other two factors over time.

Who knows, maybe the next big thing in identity management will be behavioral pattern analysis ("What I Will Do") as a form of authentication (see the work being done at the University of Ottawa on a technology they call 3D Password).

July 14, 2007

Talk about the need for Complex Passwords

I read this post on the Wired blogs about an ATM heist in which the culprit reprogrammed the ATM to think it was dispensing dollar bills when it was actually dispensing twenties, thereby allowing the guy to clean out the ATM. How did he do the reprogramming? Because he knew the Master Passcode for the machine, which was still set to the factory default of "123456".

About changing the passcode, the owner said "Oh yeah. I've changed it twice since then. I'm paranoid now. I'll probably do it again tonight."

Talk about the need for complex passwords and privileged account management.

July 18, 2007

Oracle moves into Risk-based Access Management by acquiring Bharosa

So the big identity management news coming out of Redwood Shores today (where I happen to be this week) is the acquisition announcement of Bharosa by Oracle. Bharosa is a global provider of proactive, real-time fraud detection and multifactor online authentication security solutions for the enterprise. (Read the press release here).

With the agreement to acquire Bharosa, the access management capabilities in the Oracle IAM suite will now expand to add risk profiling to the mix of criteria for making authentication and authorization decisions. This means that it will be possible to look at the activity being done by a user and assign that activity a risk score, which can then determine the level of authentication needed to continue, or make authorization decisions that take the risk score into account.

Bharosa would also bring real-time fraudulent activity detection and prevention to the suite, and protect against common identity theft techniques like phishing, MITM attacks and keylogging trojans.

July 25, 2007

More on the Bharosa Acquisition

There has been quite a bit of interest in the announcement Oracle made last week regarding the acquisition of Bharosa (some interesting posts can be found here, here and here). Here is an overview of what the acquisition adds to the Access Management capabilities of our IAM suite.

Contextual & Software-based Strong Authentication & Authorization
Oracle Access Manager is the SSO solution already available in the suite to provide username-password (1-factor) authentication capabilities. The Bharosa acquisition bolsters that area of the suite by adding contextual authentication and authorization plus software-based strong authentication (2nd and 3rd factor).

Strong Authentication has traditionally been equated with hardware-based mechanisms like one-time password (OTP) tokens, biometric devices or smart cards. All of these come with significant deployment cost and an impact on application usability by changing end-user behavior. A new generation of solutions (including those by Bharosa) is providing strong authentication using software-based mechanisms that are easier to deploy and manage, and offer minimal end-user impact.

The Bharosa Tracker product does this by relying on real-time risk analysis and rule-based intervention. It sits in the background, monitoring user activity to build up a per-user profile of what is considered normal behavior. This profile consists of user-specific characteristics like device forensics (authorized computers or personal devices), IP geolocation, time of day, normal workflow patterns, etc. It then compares any user activity against this profile to build a risk score for that activity in real time (which is the only way to go, and so cool).

Customers can configure Tracker with a set of rules that define the actions to be taken based on the risk characteristics and on the context of the activity being done. These actions can cover the gamut, prompting the user for re-authentication, requiring stronger authentication, prompting for answers to challenge questions, or even preventing the transaction from proceeding altogether. This is what we call contextual authentication & authorization based on risk characteristics.


Bharosa Tracker Real-Time Interaction

Another aspect I found interesting is that the use of Tracker does not preclude hardware-based strong authentication from playing a role. Tracker can be integrated with other strong authentication mechanisms like OTP tokens to pull them in at key points in the workflow as configured in the rules. In fact, this flexibility is particularly compelling for organizations seeking to deploy a hybrid of different authentication mechanisms that cater to different user/application populations.
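To make the risk-profile-plus-rules model concrete, here is an added example (written for this post, not Bharosa's or Oracle's code) of a small contextual authentication engine. It builds on the three preceding paragraphs: a per-user profile of normal behaviour (known devices, usual countries, active hours, typical transaction size), a score for each activity based on how far it deviates from that profile, a rule table that maps score bands to actions (allow, challenge questions, step-up to an OTP token, block and notify), and an audit trail of every decision. All field names, point values, thresholds and action names are constructed assumptions for the illustration; the sample profile and events are likewise constructed.

```python
"""Added example: a risk-scoring and rule-based step-up engine in the style
of the contextual authentication described in the post. The profile fields,
point values, thresholds and action names are constructed assumptions for
this illustration; they are not Bharosa Tracker's actual scoring or rules."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserProfile:
    """Per-user picture of 'normal' behaviour (constructed fields)."""
    user: str
    known_devices: set          # device fingerprints previously seen for this user
    usual_countries: set        # countries the user normally connects from
    active_hours: range         # local hours during which the user is usually active
    typical_max_amount: float   # largest routine transaction seen so far


@dataclass
class Event:
    """One activity to be scored against the profile."""
    user: str
    device_id: str
    country: str
    when: datetime
    amount: float = 0.0


# Constructed point values: each deviation from the profile adds to the score.
WEIGHTS = {
    "unknown_device": 40,
    "unusual_country": 30,
    "off_hours": 15,
    "large_amount": 25,
}

# Constructed rule table, evaluated highest threshold first.
RULES = [
    (80, "block_and_notify"),     # refuse the transaction and alert administrators
    (60, "step_up_otp"),          # pull a hardware OTP token into the workflow
    (30, "challenge_questions"),  # prompt for pre-registered challenge answers
    (0, "allow"),                 # in-profile activity proceeds on the 1-factor session
]


def score_event(profile, ev):
    """Compare one activity against the profile; return (score, reasons)."""
    reasons = []
    if ev.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if ev.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if ev.when.hour not in profile.active_hours:
        reasons.append("off_hours")
    if ev.amount > profile.typical_max_amount:
        reasons.append("large_amount")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a risk score to the configured action (first matching band wins)."""
    for threshold, action in RULES:
        if score >= threshold:
            return action
    return "allow"


def process(profile, ev, audit):
    """Score the activity, pick the action, and record both in the audit trail."""
    score, reasons = score_event(profile, ev)
    action = decide(score)
    audit.append({
        "user": ev.user, "when": ev.when.isoformat(),
        "score": score, "reasons": reasons, "action": action,
    })
    return action


def make_event(device_id, country, hour, amount=0.0, user="alice"):
    """Convenience constructor for constructed sample events (dated 25 July 2007)."""
    return Event(user, device_id, country, datetime(2007, 7, 25, hour, 0), amount)


# Constructed sample profile: one known laptop, US-based, active 07:00-21:59.
PROFILE = UserProfile("alice", {"laptop-1"}, {"US"}, range(7, 22), 500.0)

if __name__ == "__main__":
    log = []
    for ev in [
        make_event("laptop-1", "US", 10, 120.0),   # fully in profile
        make_event("cafe-pc", "FR", 10, 120.0),    # new device, new country
        make_event("cafe-pc", "FR", 3, 5000.0),    # everything anomalous at once
    ]:
        print(process(PROFILE, ev, log))
    for entry in log:
        print(entry)
```

Note that the score is additive, so a single mild deviation (an off-hours login from the usual laptop) stays in the "allow" band, while the combination of an unknown device and an unusual country is what tips the activity into requiring the OTP token; that is the hybrid behaviour the post describes, with hardware strong authentication pulled in only at the points the rules call for it.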


Activity Monitoring and Fraud Detection
The activity monitoring and analysis capabilities in Bharosa Tracker are also leveraged to do fraud detection. Based on the workflow patterns and rules configured in the system, it can identify user behavior that deviates from the norm. It can then prevent any transactions from proceeding while firing off notifications to administrators when it detects potential fraudulent activity. And of course, it audits all activity, providing forensic analysis capabilities of the audited data.

Identity Theft Prevention
The Bharosa Authenticator product provides some pretty interesting ways to prevent identity theft, some of which you may have already seen in action at a website near you.

It provides a way to do Mutual Authentication between the site and the user. Most authentication schemes allow the site to validate who the user is, but not the other way round. The user cannot necessarily detect whether they are interacting with the actual site, or a fake site put in the middle to pharm PINs and passwords. Mutual authentication introduces a mechanism by which the user can verify that they are interacting with the site that they mean to interact with.

The mechanism that Bharosa Authenticator provides is starting to become fairly commonplace (3 institutions that I have credit cards with use it today). It is called the personalized image authenticator. During a fully validated session between a user and the website, the site asks the user to select an image of their choice from what is usually a large set. From that point on, every time the user wishes to authenticate to the site, they will be displayed the image, to prove that they are indeed interacting with the site they originally set up the image with. It is a simple, cost-effective way of providing mutual authentication.

Authenticator also includes a set of secure Virtual Authentication Devices that protect PIN/password entry from keyloggers, OCR programs and other malicious trojans. These devices provide a number of different ways to enter passwords, the most interesting of which render a completely randomized PIN pad or keyboard on the screen that the user clicks on with their mouse in order to enter their PIN or password. In this way, a keylogger cannot read the password from the keystrokes entered by the user, since it is all mouse clicks. The really neat thing is that because the placement and order of the keys on the screen is randomized each time, there is no way for a trojan to steal and remember the mouse click pattern either, since it is forever changing. It really is kind of cool.

Bharosa Authenticator Virtual Authentication Devices

Voice-based Authentication
Bharosa also has a product called VoicePad that enables out-of-band authentication based on a "Voice Token", which combines phone device recognition with biometric voiceprint recognition of the user pre-registered to the phone. But I know a little less about this product and its usage, so I won't go too much into it.

You can get a lot of information about the acquisition and its value (including FAQs and white papers) here.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle. More...


About July 2007

This page contains all entries posted to Talking Identity in July 2007. They are listed from oldest to newest.
