Enterprise Identity - my 2.0 cents

After James McGovern, kicked off the discussions around Identity Federation, Pat's response was quite a detail. Johannes Ernst, Shekar Jha, Tom Gordon, Radovan Semančík & Mark Dixon and a lot more chimed in with their perspectives, and I thought that my 2.0 cents on the subject was worth posting.
Identity Bloggers pretend that notions such as Sarbanes Oxley don't exist (or at least never mention them).
Well, I believe that all bloggers who speak on identity management are very well aware of SOX and it's likes. Why in this day and age do we believe that compliance is not critical. I think that it would be foolish to believe that identity bloggers ignore SOX.
SAML 2.0 is a good move to increase interoperability and should be implemented in all security oriented products. Maybe you can tell us why within the enterprise we should use SAML 2.0 between say Active Directory and RACF vs. sticking with tried and true approaches such as Kerberos?
I'd like to re-iterate Pats' comment once again here : You use the appropriate tool for the job. Where there is a tried and true approach then use it. What more could I add to it ??
Do you think that enterprises are well-served by consolidating identity stores vs keeping them spread all over the place and doing SAML?
There was a time period where the entire industry was thinking in terms of consolidating the disparate authentication systems into one huge repository for authentication data. Well, it was not a easy task. Consolidation has it's own pro's and cons. I guess I'm missing out on something here. Consolidation between user identities that are owned by 2 seperate organizations ?? Aint federation the topic of discussion here ? OR is James referring to a "passport" structure ?
If you want corporations to embrace the notion of federated identity, wouldn't it require more than simple "look at me" interoperability demos and for all the vendors in this space to create some publicly available notion of "reference architecture" above and beyond what exists in Project Liberty?
I believe that there was more than just a "look at me" kind of a demo done by Gartner sometime ago. But hey ! I believe that this would be a great opportunity for me to utilize my resources and contacts to put together a real live network of federated systems that use various dispare systems like sxip, netmesh, shibboleth, Sun Federation Manager and throw a live federated infrastructure out there.
How should we think about SmartCards within our own infrastructure and how it plays with federated identity? I know MS is doing this for their own employees.
I'm surprised that James mentioned MS and forgot all about JavaCards. Mary Has one too ;-)
How come pretty much all of the identity bloggers don't support trackback in their blogs? Is it because they haven't yet figured out how to protect their own identity or that of others?
C'Mon James, You didnt need Pat to tell you about trackback spam. Guess we all have a long way to go. But hey !! here's a thought. While we all think in terms of authenticating user identities, we forget that authenticating devices (device identities) is as critical as user identities. IP address and MAC addresses can be spoofed easily. But by embedding a unique security key in a device (something that cannot be spoofed) we could embark on authenticating and authorizing a device prior to letting the device on any network. I liked it when in the good old days, an IP address was granted to a device AFTER the fact that authN was succesful. In todays world regardless of authentication; a device is granted an IP and is placed onto a network. Well, we've made the life of a unauthorized person a lot more easier by letting him in. If we could authenticate and authorize devices prior to granting IP addresses or placing devices on a trusted subnet by using some form of secure key identifier, we'd be closer to being in a more secure environment. I have done some work on this forefront; but poor me, I'm not a sales guy and am having a hard time selling the thought. maybe someday

Post a Comment:
  • HTML Syntax: NOT allowed

for everything on Identity, JCAPS, SOA, WebServices, Security, Single Signon, Federation, Provisioning, Virtualization, Optimization, Debugging, Workflows, Compliance, MySQL and more... WAY MORE....

[this is a group blog]


« February 2015