Monday, July 19, 2010

Oracle Community for Security at Security Summit 2010

On June 10th (10 days after I joined Oracle :) I presented at Security Summit Rome 2010, where I delivered a talk on Oracle Identity Management towards Cloud Computing.

Security Summit is organized by CLUSIT (the Italian Information Security Association), which was founded on the experience of other European information security associations such as CLUSIB (B), CLUSIF (F), CLUSIS (CH) and CLUSSIL (L), to be the national reference point for information security.

Oracle participated in the Security Summit (Rome 2010) through the Oracle Community for Security, managed by Alessandro Vallega (Business Development at Oracle), whose goal is to build a partner community around security, to extend competences and share experiences on topics including Identity Management, Data Protection, Compliance, IT Risk Management, Biometrics and Strong Authentication.

My presentation (Slideshare) outlined how to leverage an existing Identity and Access Management infrastructure, and how to extend Service-Oriented Security and standards-based interactions to secure assets in the cloud.

You can find all the conference proceedings here. (Don't forget the photos :)

Wednesday, May 19, 2010

User-Managed Access to Web Resources

As a member of the leadership team of the Kantara UMA WG, I co-authored the paper "User-Managed Access to Web Resources", published by Newcastle University (School of Computer Science), together with Eve Maler, Maciej Machulak and Aad van Moorsel. Publication (PDF) here.

Monday, February 15, 2010

Securing Web Services using a Security Token Service

A web service is an application that exposes some business or infrastructure functionality through a callable interface that is both language-neutral and platform-independent. Security for web services is defined by two major specification families: WS-Security and Liberty ID-WSF Security. The WS-Security specification is developed at OASIS alongside other WS-* specifications such as WS-Trust and WS-Policy. Web Services Trust Language (WS-Trust) uses the secure messaging mechanisms of WS-Security to define additional primitives and extensions for security token exchange, enabling the issuance and dissemination of credentials within and across different trust domains.

WS-Trust defines mechanisms for delegating authentication, authorization and user identity mapping/management to an authority called a Security Token Service (STS): a requestor authenticates to the STS, obtains a security token scoped to the target service (the AppliesTo endpoint), and presents that token to the Web Service, which only needs to trust the STS that issued it rather than every possible requestor.

OpenSSO Enterprise implements security for web services as well as a Security Token Service that issues and validates security tokens for third-party clients.

This presentation gives an overview of Web Service Security and the OpenSSO STS architecture.
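The Issue exchange described above, written out as an added example; this is not code from the original post nor from OpenSSO. It uses the real WS-Trust 1.3, WS-Security, WS-Policy and WS-Addressing namespace URIs, but the requestor, the STS and the relying web service are all constructed in-process, the user store and service endpoint are made up, and the issued token is a simplified stand-in for a signed SAML assertion (base64 JSON claims plus an HMAC over a key the STS shares with that one service). The point it shows is the division of trust: the service never sees the user's password, only a token bound to its own endpoint and validity window.

```python
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

# Real namespace URIs from WS-Trust 1.3, WS-Security 1.0, WS-Policy and WS-Addressing.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
ISSUE = NS["wst"] + "/Issue"  # wst:RequestType for token issuance
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_rst(username, password, applies_to):
    """Requestor -> STS: SOAP envelope with a WS-Security UsernameToken header
    and a wst:RequestSecurityToken (Issue) body naming the target service."""
    env = ET.Element(q("s", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("s", "Header")), q("wsse", "Security"))
    ut = ET.SubElement(sec, q("wsse", "UsernameToken"))
    ET.SubElement(ut, q("wsse", "Username")).text = username
    ET.SubElement(ut, q("wsse", "Password")).text = password
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = applies_to
    return ET.tostring(env, encoding="unicode")


class STS:
    """Hypothetical Security Token Service: authenticates the requestor,
    checks the AppliesTo endpoint is a known relying party, issues a token."""

    def __init__(self, users, relying_parties):
        self.users = users                      # username -> password (constructed store)
        self.relying_parties = relying_parties  # service URL -> key shared with that service

    def issue(self, rst_xml):
        env = ET.fromstring(rst_xml)
        user = env.findtext(".//wsse:Username", namespaces=NS)
        pwd = env.findtext(".//wsse:Password", namespaces=NS) or ""
        if user not in self.users or not hmac.compare_digest(self.users[user].encode(), pwd.encode()):
            raise PermissionError("requestor authentication failed")
        if env.findtext(".//wst:RequestType", namespaces=NS) != ISSUE:
            raise ValueError("unsupported RequestType")
        audience = env.findtext(".//wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS)
        key = self.relying_parties.get(audience)
        if key is None:
            raise PermissionError("unknown AppliesTo endpoint: %r" % audience)
        now = int(time.time())
        # Simplified stand-in for a signed SAML assertion: claims + HMAC-SHA256.
        claims = {"iss": "urn:example:sts", "sub": user, "aud": audience, "nbf": now, "exp": now + 300}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        token = payload + "." + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        # STS -> requestor: RequestSecurityTokenResponseCollection carrying the token.
        resp = ET.Element(q("s", "Envelope"))
        rstrc = ET.SubElement(ET.SubElement(resp, q("s", "Body")), q("wst", "RequestSecurityTokenResponseCollection"))
        rstr = ET.SubElement(rstrc, q("wst", "RequestSecurityTokenResponse"))
        ET.SubElement(rstr, q("wst", "TokenType")).text = "urn:example:hmac-token"
        ET.SubElement(rstr, q("wst", "RequestedSecurityToken")).text = token
        return ET.tostring(resp, encoding="unicode")


def extract_token(rstr_xml):
    """Requestor side: pull the issued token out of the RSTR."""
    return ET.fromstring(rstr_xml).findtext(".//wst:RequestedSecurityToken", namespaces=NS)


def validate_token(token, key, expected_audience, now=None):
    """Relying web service: check signature, audience and validity window.
    Returns the subject on success, None on any failure (no password ever seen here)."""
    try:
        payload, sig = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    if not hmac.compare_digest(sig, hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != expected_audience or not (claims["nbf"] <= now < claims["exp"]):
        return None
    return claims["sub"]


def demo():
    """End-to-end run on constructed data: one user at the STS, one relying service."""
    service = "https://ws.example.com/orders"          # hypothetical endpoint
    shared_key = b"sts-and-orders-service-shared-key"  # constructed key
    sts = STS(users={"alice": "correct horse"}, relying_parties={service: shared_key})
    token = extract_token(sts.issue(build_rst("alice", "correct horse", service)))
    return validate_token(token, shared_key, service)  # -> "alice"


if __name__ == "__main__":
    print(demo())
```

A token issued for one AppliesTo endpoint is rejected by any other service, and a token is rejected outside its nbf/exp window; in a real deployment the HMAC would be replaced by an XML signature over a SAML assertion with the STS's key, so the service validates against the STS certificate rather than a pairwise shared secret.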

Friday, October 16, 2009

The Cube of Identity

Next week the ICT Security Forum will be held in Rome, and I'm preparing a talk for the event titled "Identity in the Cloud: what's the next trust level", where I'll discuss how new paradigms such as Web 2.0, Software as a Service (SaaS) and cloud computing have introduced new needs related to the security and privacy of information, how digital identity is a critical success factor for managing authentication and authorization complexity in a distributed environment, and what level of assurance can be reached.

To give the audience a single, harmonized graphical view of the most important open identity standards, I've created a Cube.

The idea of using a Cube to represent open identity technologies was born when I studied the Venn of Identity with the goal of adding the OAuth protocol to the Venn diagram. Discussing this opportunity with Eve Maler, she suggested the need to separate the front channel from the back channel; she also mentioned that she hadn't found a way to combine OAuth with the original Venn that she was happy with, as you can see in her recently published Venn of Identity in Web Services. I thought: this can be achieved with the front face and back face of a Cube!!

As you can see in the cube picture above, each front face has a corresponding back face (i.e. OpenID -> OAuth, SAML -> ID-WSF, InfoCard -> WS-*), and if you rotate the cube (in your imagination) you get different perspectives (inter-enterprise/SaaS, consumer, etc.). There are also other interesting aspects, such as adjacency, related to building a hybrid system (see "bootstrapping the Identity metasystem"), that is, combining or chaining systems and enabling transactions between them (e.g. SAML -> OpenID, InfoCard -> ID-WSF, SAML -> OAuth). Is this a magic cube of Identity? Comment ;)

These models could open interesting opportunities for the Italian National Centre for IT in Public Administration (CNIPA), which is defining a National Federated Identity Management system based on SAML 2.0, implementing a user-centric mechanism to authorize and control access to application services over SPCoop (Sistema Pubblico di Cooperazione, the public-administration cooperation system).

Sunday, December 7, 2008

The future of Web Access Management: OpenSSO Enterprise 8.0

About a month after the release of its new Web Access Management component, OpenSSO Enterprise 8.0, Sun has changed the game for access control to web services by introducing the first solution based entirely on the open source OpenSSO project: a high-performance product that unifies access management, federation and Web Services Security capabilities to deliver Single Sign-On (SSO).

OpenSSO Enterprise derives from the combination of Sun Access Manager and Federation Manager, with the following interesting new features:

  • Fedlet - a simplified way to create a federation and enable a service provider to federate with an Identity Provider (SAML 2.0).
  • Multi-Protocol Hub - lets organizations that are members of a circle of trust communicate using different federation protocols (SAML, Liberty, WS-Federation).
  • Identity Services - allow AAA services (Authentication, Authorization, Accounting) to be invoked from an IDE or from any programming language (e.g. Java, .NET, Ruby, PHP, etc.).
  • Ease of use - a new user interface for the operations involved in managing federation processes.
  • Centralized management and configuration of agents (Policy Enforcement Points).

Here are the bits:

Thursday, February 7, 2008

Privacy and wiretapping

An article titled "Risking Communications Security: Potential Hazards of the Protect America Act" was recently published by the IEEE Computer Society, authored by Steven M. Bellovin (Columbia University), Whitfield Diffie (Sun Microsystems), Susan Landau (Sun Microsystems), Matt Blaze (University of Pennsylvania), Peter G. Neumann (SRI International) and Jennifer Rexford (Princeton University). The article highlights the privacy risks inherent in the lawful-intercept infrastructure for telecommunications in the USA. Naturally, the article also reports the Telecom Italia case of illegal wiretapping that came to light last year.

Federated Identity Management, Security, Service Oriented Architecture