
October 2008 Archives

October 2, 2008

The fun never stops in Identity World

Boy, it was an exhausting September. There was a lot going on between work, Digital ID World, Oracle OpenWorld and the Burton Identity Services Working Group. Unfortunately, this left me little time to write on this blog. But hopefully all of you were able to follow my real-time thoughts on Twitter. If you are interested, check out my DIDW tweets and my OpenWorld tweets.

It was interesting to see the amount of discussion going on around the topic of Identity Services. At DIDW, there were a number of different sessions that looked at different parts of the Identity Services challenge. Kim Cameron talked about claims-based identity transactions in his keynote. All the different discussions on Liberty's Identity Assurance Framework were trying to deal with improvements needed in the authentication service. Some of the necessary standards discussions came up in the session on "Bootstrapping Identity Protocols". And of course Jamie Lewis talked about it in his keynote.

At OpenWorld I once again took on the task of trying to illuminate the masses on identity services. It isn't a topic that usually gets a lot of interest at OpenWorld, since the attendees are mostly interested in figuring out real-world implementation issues. So the sessions most attended were the ones that looked at best practices and customer case studies. Also, being scheduled for the first session of the day at 9am didn't help drive up my attendance numbers.

But I did get a pretty decent crowd, all things considered, and got some good questions and very good feedback and validation on the content of my presentation. I did try to spice it up by throwing in a bit of humor centered around "The Love Guru" (since identity services is all about achieving identity nirvana); not sure if that helped or hurt. I wanted to post the presentation here for all of you, but OOW presentations are paid content controlled by Oracle, so I can't. But I will be adapting that presentation for some talks I am giving to customers on the topic of Identity Services, and I will post that presentation, along with a discussion of how my architecture has evolved, in an upcoming blog post.

October is looking to be just as busy. Of course there is all the usual stuff going on at Oracle. Tomorrow I'll be doing a quick dash across the border and back for the second all-day workshop of the ISWG. Then later this month I will be heading to Europe, where I will be meeting with some customers and attending Burton's European edition of the Catalyst Conference. I will be part of a panel that includes other ISWG members from TD Bank, BT, Credit Suisse, IBM, Sun, Novell and, of course, Burton that will be talking about Identity Services and presenting some of the work we have done in the working group. Catalyst Europe is in Prague, which is a city I absolutely love, so I am pretty excited about that too. Should be a fun month.

October 7, 2008

Dissecting all the buzz about Identity Assurance

One of the big buzzwords this past month or so has been "Identity Assurance". Liberty Alliance made a big push for the Identity Assurance Framework (IAF) at DIDW last month, conducting a number of sessions/workshops introducing it to the masses. Our old friend Frank Villavicencio, who is a co-chair of the IAEG, was a star at the show, even collecting a Liberty Alliance IDDY award. At OpenWorld, Oracle announced the formation of the Oracle Identity Assurance Partner Alliance, an initiative focused on extending our identity and access management offerings with comprehensive and proactive identity fraud prevention solutions from strategic partners (you can read the press release for details).

So what exactly is Identity Assurance? Simplistically, Identity Assurance is the ability to determine, with some level of certainty, that the person (identity) presenting themselves in an identity transaction is who they are claiming to be. The level of certainty one can have about the presented identity is what is referred to as the "Assurance Level". Identity Proofing is another term that is used in this context (and that I have used in the past), though it is more commonly associated with the verification of one's real-world identity during the registration process.

So what are these two initiatives, and how are they related?

Identity Assurance Framework - Think TRUSTe for IdPs

The IAF is coming at the Identity Assurance discussion purely from the authentication angle, especially within federation contexts. It is based, in part, on the Electronic Authentication Partnership Trust Framework and the US E-Authentication Federation Credential Assessment Framework, initiatives designed for the sole purpose of enabling interoperability among electronic authentication systems. As such, it attempts to define a trust framework around the quality of claims issued by an IdP based on language, business rules, assessment criteria and certifications. 

The IAF has published a standard set of assurance levels for the authentication of the user: Level 1 means low assurance, Level 2 means medium assurance, and so on up to Level 4, the highest (as of today there are only four levels). When a digital token is issued, it states the level of assurance at which the user was authenticated, Level 1 through Level 4.

The IAF defines a certification process through which an independent auditor assesses whether the issuer's interpretation of Levels 1-4 meets the standard assessment criteria established by the IAF. So one issuer may have used an RSA SecurID token in combination with username-password to issue a Level 2 token, while a second issuer may have used a biometric challenge in addition to a UserID-PIN to issue a Level 2 token. The RP receiving the tokens from both issuers simply knows that both tokens are Level 2, and doesn't know (or need to know) what the actual mechanics were, only that an audit process certified that the mechanism for generating the token meets the criteria laid out by the Liberty IAF.

The IAF is NOT defining any technology or standard protocols. In this sense, the IAF is trying to set up something analogous to the way TRUSTe verifies and asserts through their web seal that an eCommerce site is trustworthy.
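To make the relying-party side of this concrete, here is an added example (mine, not from the IAF or any Oracle product) of the checks an RP would want before honoring an assurance level carried in a token. It assumes a hypothetical token shape, hypothetical issuer URLs, a constructed registry recording the highest level each issuer was audited for, and a hypothetical per-resource policy. The point it adds to the text above: the RP should trust a claimed level only up to what the audit certified the issuer for, and should still check freshness, so an issuer certified at Level 1 cannot simply assert Level 3.

```python
"""Relying-party side check of an IAF-style assurance level on an incoming token.

Added example; the issuer URLs, the resource table and the token shape are
hypothetical, not something the IAF or any product defines.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# What the independent audit certified each issuer for: the highest level it may
# assert. Constructed sample registry with hypothetical issuer names.
CERTIFIED_ISSUERS = {
    "https://idp.bank.example": 3,
    "https://idp.webmail.example": 1,
}

# Minimum assurance level the RP demands per resource (hypothetical policy).
RESOURCE_POLICY = {
    "/account/balance": 2,
    "/account/wire-transfer": 3,
    "/newsletter": 1,
}

# Fixed clock so the sample runs deterministically.
NOW = datetime(2008, 10, 7, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AssuranceToken:
    issuer: str
    subject: str
    assurance_level: int   # the level the issuer claims, 1..4
    issued_at: datetime
    lifetime: timedelta = timedelta(minutes=10)

    def is_fresh(self, now):
        return self.issued_at <= now < self.issued_at + self.lifetime


def evaluate(token, resource, now, registry=CERTIFIED_ISSUERS, policy=RESOURCE_POLICY):
    """Return (allowed, reason) for presenting `token` at `resource`."""
    if resource not in policy:
        return False, "no policy for resource"
    required = policy[resource]
    if token.issuer not in registry:
        return False, "issuer not certified"
    if not 1 <= token.assurance_level <= 4:
        return False, "assurance level out of range"
    # Never trust a claimed level above what the audit certified the issuer for.
    certified_max = registry[token.issuer]
    if token.assurance_level > certified_max:
        return False, f"issuer certified only to level {certified_max}"
    if not token.is_fresh(now):
        return False, "token expired"
    if token.assurance_level < required:
        return False, f"level {token.assurance_level} below required {required}"
    return True, "ok"


# Constructed sample tokens.
SAMPLE_TOKENS = {
    "bank_l3": AssuranceToken("https://idp.bank.example", "alice", 3, NOW),
    "bank_l2": AssuranceToken("https://idp.bank.example", "alice", 2, NOW),
    "webmail_claims_l3": AssuranceToken("https://idp.webmail.example", "alice", 3, NOW),
    "unknown_idp": AssuranceToken("https://idp.nowhere.example", "alice", 4, NOW),
    "stale": AssuranceToken("https://idp.bank.example", "alice", 3, NOW - timedelta(hours=1)),
}


def demo():
    """Run the sample tokens against the policy; returns {name: (allowed, reason)}."""
    cases = {
        "bank_l3_wire": (SAMPLE_TOKENS["bank_l3"], "/account/wire-transfer"),
        "bank_l2_wire": (SAMPLE_TOKENS["bank_l2"], "/account/wire-transfer"),
        "bank_l2_balance": (SAMPLE_TOKENS["bank_l2"], "/account/balance"),
        "webmail_overclaim": (SAMPLE_TOKENS["webmail_claims_l3"], "/account/balance"),
        "unknown_idp": (SAMPLE_TOKENS["unknown_idp"], "/newsletter"),
        "stale": (SAMPLE_TOKENS["stale"], "/newsletter"),
    }
    return {name: evaluate(tok, res, NOW) for name, (tok, res) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The "webmail_overclaim" case is the one that matters for the IAF model: the token says Level 3, but the registry (the output of the audit) only backs that issuer to Level 1, so the RP refuses rather than taking the number in the token at face value.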

Oracle Identity Assurance Partner Alliance - Tools of the Assurance Trade

Oracle IAPA aims at extending Oracle’s Identity Management Suite with partner technologies that offer capabilities such as identity proofing, internet geolocation, multi-factor authentication, out-of-band authentication, endpoint security and secure remote access. As such, its charter is pretty broad in combating identity fraud and providing context-aware security, and this encompasses identity assurance.

The solutions in the IAPA can provide the underlying mechanism by which an IdP can support the main tenet of the IAF, wherein an assertion can be trusted (at varying levels of assurance) to really belong to the entity represented. The IAPA steps in as a way for Oracle IAM to leverage technologies that enhance an authentication process with additional "challenges" that raise the authentication assurance to the appropriate level, whether by using a biometric challenge, a voice challenge, a knowledge challenge based on external data aggregators, etc. So Oracle IAM + IAPA is positioned nicely to be the execution/implementation arm of an IdP's IAF compliance efforts.

Looking To Tie Them Together

One thing I will be exploring is the possibility of having the IAPA stack go through the Liberty IAF audit process. Then any customer deploying Oracle Access Management in conjunction with one of our partners would immediately know the IAF assurance levels of the authentication tokens being issued. Conversely, a customer that is targeting being able to issue credentials of certain assurance levels will be able to identify the solutions that will meet their need.

October 9, 2008

The changing face of Password Management

A college student was arraigned on Wednesday for allegedly breaking into Gov. Sarah Palin's private e-mail account last month. Political leanings aside, I read the news article with great interest for the inherent security implications. Reading it, this line jumped out at me:

The F.B.I. said that the younger Mr. Kernell allegedly hacked into the account in mid-September by resetting Gov. Palin’s password.

I obviously don't know the specifics of how the F.B.I. says the password was reset. But for the sake of our discussion, let's assume that the email system relied on a typical challenge-response mechanism (currently the norm in most free email systems). The hacker obviously didn't know the password, but was able to reset the password to something of his/her choosing by successfully answering the challenge questions. In the age of Google, how hard is it to find out the first school, the first car, the mother's maiden name or the pet's name of a famous public personality like Sarah Palin?

As Bob Blakely likes to point out, there are no secrets any more; therefore any system that relies on secrets is inherently flawed.
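The two reset designs side by side, as an added example of my own rather than anything from the news story or from any email provider. The account, the challenge answers and the recovery phone number are constructed; the flows are generic. The knowledge-based reset falls to anyone who can look the answers up, while the out-of-band reset hinges on possession of a channel registered ahead of time and a random, single-use, expiring token, so public facts about the victim buy the attacker nothing.

```python
"""Password reset: a knowledge-based challenge beside an out-of-band, single-use token.

Added example. The account, the challenge answers and the recovery channel are
constructed; the reset flows are generic illustrations, not any real provider's.
"""
import hashlib
import hmac
import secrets
import time
from copy import deepcopy

# Constructed account. The challenge answers are exactly the kind of facts that
# are public for a well-known person.
ACCOUNT = {
    "user": "governor",
    "password": "original-password",
    "challenges": {"first school": "elmwood", "pet name": "rex"},
    "recovery_channel": "+1-555-0100",  # hypothetical registered phone number
}


def _norm(s):
    return s.strip().lower()


def kba_reset(account, answers, new_password):
    """The flawed design: whoever can look up the answers can reset the password."""
    for question, expected in account["challenges"].items():
        if _norm(answers.get(question, "")) != expected:
            return False
    account["password"] = new_password
    return True


class OutOfBandReset:
    """Reset requires possession of a channel registered in advance, not knowledge."""
    TOKEN_TTL = 600       # seconds a reset token stays valid
    MAX_ATTEMPTS = 5      # guesses allowed per pending reset

    def __init__(self, send, clock=time.time):
        self._send = send                    # delivers the token to the channel
        self._clock = clock
        self._pending = {}                   # user -> [token_hmac, expiry, attempts]
        self._key = secrets.token_bytes(32)  # server-side key; tokens are not stored in clear

    def _mac(self, token):
        return hmac.new(self._key, token.encode(), hashlib.sha256).digest()

    def start(self, account):
        token = secrets.token_urlsafe(24)  # 192 bits of randomness, not guessable
        self._pending[account["user"]] = [self._mac(token), self._clock() + self.TOKEN_TTL, 0]
        self._send(account["recovery_channel"], token)

    def finish(self, account, token, new_password):
        entry = self._pending.get(account["user"])
        if entry is None:
            return False
        if self._clock() > entry[1] or entry[2] >= self.MAX_ATTEMPTS:
            del self._pending[account["user"]]
            return False
        entry[2] += 1
        if not hmac.compare_digest(entry[0], self._mac(token)):
            return False
        del self._pending[account["user"]]  # single use: a replay fails
        account["password"] = new_password
        return True


def demo():
    """Attacker with looked-up facts vs. owner with the channel. Returns outcomes."""
    results = {}

    acct = deepcopy(ACCOUNT)
    results["kba_attacker"] = kba_reset(acct, {"first school": "Elmwood", "pet name": "Rex"}, "owned")

    acct = deepcopy(ACCOUNT)
    channel = []                      # stands in for the owner's phone
    now = [1_000_000.0]               # controllable clock
    svc = OutOfBandReset(send=lambda dest, tok: channel.append(tok), clock=lambda: now[0])
    svc.start(acct)
    results["oob_attacker_guess"] = svc.finish(acct, "Rex", "owned")
    results["oob_owner"] = svc.finish(acct, channel[-1], "new-password")
    results["oob_replay"] = svc.finish(acct, channel[-1], "owned-again")
    svc.start(acct)
    now[0] += OutOfBandReset.TOKEN_TTL + 1
    results["oob_expired"] = svc.finish(acct, channel[-1], "late")
    results["final_password"] = acct["password"]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

The out-of-band flow is only as strong as the registration of the channel, which is why it belongs with the identity-proofing step rather than being bolted on later; a channel an attacker can re-register through the same weak challenge questions would undo the whole thing.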

In a completely separate conversation, a colleague of mine sent me the following thought:

All the banks and merchants I do business with online have been increasing their level of security, especially with password complexity requirements.  Historically I have limited all my passwords down to 3 based on the type of site so I had no need to write them down.  Now because of all the different password complexity requirements, especially the password history requirement, I can no longer do that.... so I'm now forced to write them down :( 

In some sick way, more security by merchants is now leading to worse security for me, the user.  I'm forced back to the sticky note.

From the Good News/Bad News Department

The bad news in all this is that we seem to be going through a phase where additional mechanisms introduced to secure systems in a user-friendly manner have actually exacerbated the problem, because they rely on flawed assumptions. The above issues are clear illustrations of this. The mechanisms deployed (challenge-response, password complexity requirements) would have been fine on their own for the system they are meant to protect. But these solutions did not anticipate how they would be affected by the reality of their users' online environment. The aggregation of multiple such systems for a single user ends up degrading the effectiveness of these solutions, to the point where they become liabilities instead.

The good news is that new technologies and solutions are emerging that (hopefully) will address these problems. OpenID and Information Cards aim to rid us of the multiple-password problem by promising a world of reduced sign-on built on trust. Identity assurance technologies (like the ones in Oracle's Identity Assurance Partner Alliance) provide safer, more reliable means to verify the interacting parties' identities than traditional challenge-response mechanisms, thus preventing the kind of attack described above.

So better days are coming. The real challenge ahead of us is getting all involved parties (consumers, online enterprises, vendors) educated on how these solutions can be used to make our online lives more secure.

October 17, 2008

Evolving the Identity Services architecture

The last 3 months or so have been really good to my work defining our vision for Identity Services. I've gotten valuable input from my colleagues in the IdM business, and my participation in Project Fusion and Burton's Identity Services Working Group has helped crystallize some key aspects of the architecture. Below is the latest architecture diagram for the Identity Services Platform.

(Diagram: Identity Services Platform architecture)

It doesn't look remarkably different from what I have presented previously on this blog, but I do want to point out some of the evolving ideas captured in the diagram above:

  • Some of the ongoing discussions that I have blogged about previously have led to a clearer definition of the service called the Identity Hub. In fact, we just put out an Oracle whitepaper talking about the Identity Hub in detail.
  • It has become clear that the API Interfaces that the applications rely on to consume these services should be coming from the container that the applications are built on.
  • The provider model by which various IdM products plug into the architecture as Service Providers (within the container) is starting to take shape, thanks to good discussion happening in the standards and vendor communities. Consuming applications will not know or care about the specifics of the deployment. This also provides a way for the existing IdM investments to be leveraged (provided we can get all IdM vendors to agree to the requirements of being an Identity Service Provider).
  • Authentication and Authorization are both going to have to support contextual and risk-based decisions. This will require greater communication from the applications into the services, and vice-versa.
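A sketch of the last three points in working code, added here as my own illustration and not Oracle's API or anything the ISWG has defined. The provider interfaces, the policy table and the risk heuristics are hypothetical. The application talks only to a facade supplied by the container (`IdentityServices`), providers plug in behind it, and the application hands context in (device, location, the assurance level its session was established at) and gets a decision back that may ask it to step the user up before retrying.

```python
"""Identity services consumed through the container, with pluggable providers
and a context-aware authorization decision.

Added example sketching the architecture described above; the provider
interfaces, policy table and risk heuristics are hypothetical, not Oracle's API
or the ISWG's definitions.
"""
from dataclasses import dataclass


@dataclass
class Context:
    """What the application passes into the service: who, from where, how authenticated."""
    subject: str
    device_known: bool
    country: str
    home_country: str
    session_auth_level: int  # assurance level the session was established at (1..4)


@dataclass
class Decision:
    effect: str              # "permit", "deny" or "step_up"
    reason: str
    required_level: int = 0  # level the application must re-authenticate to on step_up


class SimpleRiskProvider:
    """One pluggable risk engine; a partner product could be registered in its place."""
    def score(self, ctx):
        score = 0
        if not ctx.device_known:
            score += 1
        if ctx.country != ctx.home_country:
            score += 1
        return score  # 0..2, bumps the required assurance level


class StaticPolicyProvider:
    """One pluggable policy store: (action, resource) -> (entitled subjects, base level)."""
    def __init__(self, table):
        self._table = table

    def lookup(self, action, resource):
        return self._table.get((action, resource))


class IdentityServices:
    """The container's facade. Applications see only authorize(); they never
    learn which provider products sit behind it."""
    def __init__(self, risk_provider, policy_provider):
        self._risk = risk_provider
        self._policy = policy_provider

    def authorize(self, action, resource, ctx):
        entry = self._policy.lookup(action, resource)
        if entry is None:
            return Decision("deny", "no policy for action/resource")
        entitled, base_level = entry
        if ctx.subject not in entitled:
            return Decision("deny", "subject not entitled")
        required = min(4, base_level + self._risk.score(ctx))
        if ctx.session_auth_level >= required:
            return Decision("permit", "session assurance meets policy", required)
        # Communication back to the application: it must step the user up, then retry.
        return Decision("step_up", f"need level {required}, session is at {ctx.session_auth_level}", required)


# Constructed policy table (hypothetical).
POLICY = {
    ("transfer", "account:alice"): ({"alice"}, 2),
    ("read", "account:alice"): ({"alice", "auditor"}, 1),
}


def demo():
    services = IdentityServices(SimpleRiskProvider(), StaticPolicyProvider(POLICY))
    home = Context("alice", device_known=True, country="US", home_country="US", session_auth_level=2)
    roaming = Context("alice", device_known=False, country="CZ", home_country="US", session_auth_level=2)
    mallory = Context("mallory", device_known=True, country="US", home_country="US", session_auth_level=4)
    return {
        "home_transfer": services.authorize("transfer", "account:alice", home),
        "roaming_transfer": services.authorize("transfer", "account:alice", roaming),
        "roaming_read": services.authorize("read", "account:alice", roaming),
        "mallory_transfer": services.authorize("transfer", "account:alice", mallory),
        "no_policy": services.authorize("delete", "account:alice", home),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18s} {d.effect:8s} {d.reason}")
```

Swapping `SimpleRiskProvider` for a vendor's risk engine, or `StaticPolicyProvider` for an entitlements product, changes nothing in the application, which is the property the provider model is after; and the `step_up` effect is the "communication back to the application" the last bullet calls for.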

You can check out a presentation I have put together on how the various IdM products in Oracle Identity Management can be used to create an initial version of this Identity Services Platform. This is an adaptation of my OpenWorld presentation that I will be using in discussions with some customers that are interested in working with us to define their identity services strategy. As always, input and feedback is welcome. And feel free to tell me specific portions that I should talk about in detail in this blog.

Remember, you can find all my published materials (the presentation referenced above, all the Oracle whitepapers on Identity Services, and more) on the downloads page of my blog.

Spreading the Word on Identity Services at Catalyst Europe

My exciting fall season continues as I head to Europe next week. My trip starts with a brief stopover in London for some meetings, after which I head to Prague for the Europe edition of Burton Group's Catalyst Conference. I've been to Prague before (for pleasure, not business), and I absolutely love that city. So that is as good a reason to go as any.

My participation in Catalyst Europe is to continue to spread the gospel of Identity Services. On Thursday, Kevin Kampman will be presenting the results of the work that has been done so far in the ISWG. Following that, I will be on stage as part of a panel discussion involving both customers (TD Bank, BT, Credit Suisse) and vendors (IBM, Novell, Sun and of course Oracle) that are part of the ISWG.

Title: Identity Services Roundtable: Aligning Vendor Strategies with Customer Needs
Date: Thursday, 23 October 2008
Start time: 11:55 am
End time: 12:45 pm
Room: Congress Hall 2

Should be an interesting discussion. We've had some very good workshops in the working group, and we are anxious to put the results out there for people to see and comment on. It is very much a work-in-progress, so lots of feedback is expected. If you are going to be at Catalyst Europe, then please stick around for this roundtable (unfortunately, it is scheduled as the last session in the conference) and participate. And remember to follow me on Twitter for real-time updates on my Europe trip and the proceedings at Catalyst Europe.

About

Nishant Kaushik

An exploration of the world of Identity Management with me, Nishant Kaushik, architect for IdM products at Oracle. More...


About October 2008

This page contains all entries posted to Talking Identity in October 2008. They are listed from oldest to newest.
