Friday Oct 23, 2009

Identity Trend 6: Identity Federation

This post is the sixth in a series of eleven posts I am writing about important trends in the Identity Management industry.

Identity Federation refers to the “technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration.” (Wikipedia – Federated Identity)

At the present time, Identity Federation technology has been well proven and is in production in many enterprises and government agencies.  As the most broadly deployed standard for enabling cross-domain federation, SAML is well supported by a wide array of software vendors.  Several successful business models have emerged to support federation technology, and implementation of this technology is becoming less complex.  This growth in adoption will most likely continue, both within and beyond enterprise boundaries.

For several vertical markets, such as health care, the need for broad, integrated networks comprised of many interrelated enterprises (e.g. National Health Information Network) is accelerating the demand for federation deployment.

However, business challenges associated with federation are often more difficult to address than technology challenges and continue to be the primary impediment to broader adoption of this technology.  Unless understandable and enforceable trust relationships exist between business entities, the technology to support such trust relationships is meaningless.  Just like technology standards have emerged to enable the technical side of federation, I expect that more standardized legal agreements will be developed to simplify the establishment of legal trust relationships.

As cloud computing gains momentum as an alternative or complementary means to deploy systems and applications, federation can be a key technology to enable integration between various cloud systems or components.  Discussion of how to employ federation in cloud systems has led to interesting statements such as the one proposed by Symplified, Inc., at the recent Digital ID World Conference: “Federation is Dead. Long Live the Federation Fabric.”

The essence of Symplified’s argument is that using Identity Federation for point-to-point system integration is too complex and expensive.  Therefore a web or fabric of federation is needed to simplify and extend current federation models.  I expect that we will see “Federated Service Bus” technology emerge to address this need, much like Enterprise Service Bus technology is currently employed to simplify complex integration challenges within enterprise systems.
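As an added illustration (not code from the original post), here is a simplified model of the cross-domain exchange that federation standardizes: an identity provider signs an assertion about a user, and a relying party in another security domain accepts it only if the issuer is in its trust store, the signature verifies, the audience matches and the validity window holds. The issuer names, the shared key and the assertion format are assumptions for the example; real SAML assertions are XML, signed with XML Signature, and carry far more. The trust-store check is the point made above in code: without an established trust relationship, a perfectly well-formed assertion is worthless to the relying party.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store for one relying party (RP): assertions are accepted
# only from issuers with whom a trust relationship has been established.
# The issuer URL and shared key are assumptions for this example.
TRUSTED_ISSUERS = {
    "https://idp.partner-a.example": b"partner-a-shared-secret",
}


def issue_assertion(issuer, subject, audience, key, lifetime=300, now=None):
    """Identity provider side: build and sign a short-lived assertion.

    The format is a simplified stand-in for a SAML assertion: JSON claims,
    base64-encoded, followed by an HMAC-SHA256 signature over the claims.
    """
    now = time.time() if now is None else now
    claims = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,            # which RP the assertion is meant for
        "not_before": now,
        "not_on_or_after": now + lifetime,
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()


def verify_assertion(token, expected_audience, now=None):
    """Relying party side. Returns (True, subject) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = base64.b64decode(body_b64, validate=True)
        sig = base64.b64decode(sig_b64, validate=True)
        claims = json.loads(body)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return False, "malformed assertion"
    if not isinstance(claims, dict):
        return False, "malformed assertion"
    # 1. Trust relationship: unknown issuers are rejected before any other check.
    key = TRUSTED_ISSUERS.get(claims.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    # 2. Integrity: the signature must verify under that issuer's key.
    expected_sig = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    # 3. Audience: an assertion issued for another RP must not be replayed here.
    if claims.get("audience") != expected_audience:
        return False, "wrong audience"
    # 4. Freshness: enforce the validity window.
    if not (claims.get("not_before", 0) <= now < claims.get("not_on_or_after", 0)):
        return False, "outside validity window"
    return True, claims.get("subject")


if __name__ == "__main__":
    token = issue_assertion("https://idp.partner-a.example", "alice",
                            "https://app.rp.example", b"partner-a-shared-secret")
    print(verify_assertion(token, "https://app.rp.example"))    # (True, 'alice')
    print(verify_assertion(token, "https://other.rp.example"))  # (False, 'wrong audience')
```

The checks run in the order a relying party should apply them: issuer trust first, so that signature verification is never attempted with a key the RP has no business holding, then integrity, audience and freshness.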


To determine how you should address Identity Federation, consider questions such as these:

  • Where have you already employed Federation?
  • Where can federation simplify integration within your enterprise?
  • Where would Federation enable more business value for your customers and your partners?
  • Which of these relationships is highest priority for you?
  • What trust relationships have you already established with other enterprises? 
  • What must you do to establish new trust relationships?

Wednesday Oct 07, 2009

Identity Management Is a Lifestyle

It is always enjoyable to read advice from those in the trenches of Identity management implementation.  As a recent guest blogger on the Identigral blog, Tom Ebner outlined and explained ten best practice rules he learned while living the “Identity Management Lifestyle:”

  • Rule #1. Understand the problem and the opportunity
  • Rule #2. Assess the quality of the identity data
  • Rule #3. Create a strategic technical vision
  • Rule #4. Get (and keep) an executive sponsor
  • Rule #5. Build a great team
  • Rule #6. Add great partners to your team
  • Rule #7. Create a strategic technical architecture
  • Rule #8. Deliver something valuable to the business
  • Rule #9. Manage your risk
  • Rule #10. Understand and communicate “What does success look like?”

Thanks, Tom, for excellent advice.  May your continued work in this lifestyle earn you the yacht and Rolls Royce your colleague talked about!

(You’ll have to read Tom’s article to catch the significance of that last statement.)

Identity Trend 5: Roles and Attributes

This post is the fifth in a series of eleven posts I am writing about trends in the Identity Management industry.

The use of roles for identity provisioning and audit compliance has seen growing acceptance in production systems.  Enterprises are getting more value in both operational efficiency and streamlining compliance efforts by leveraging business roles.  Role management can support compliance efforts even if full automated provisioning is not in place.

Experience has shown that using a fairly modest number of roles relative to the size of the user population is most effective, rather than engineering and trying to maintain a large number of roles to take care of all circumstances.  A blend of role- and rule-based provisioning appears to strike the right balance.

As roles are implemented, good governance methods are essential to oversee the entire role management life cycle, just as governance over the complete Identity management life cycle is needed.  The governance structure over both life cycles should be closely integrated.

Some companies are finding a broader use of roles than realized at first.  Roles may have been first engineered to drive role-based access control and compliance enforcement, but can also be used for such things as evaluating organization and infrastructure effectiveness.

Attribute-based access control (ABAC) is emerging as a possible alternative to role-based access control (RBAC), particularly for large, complex organizations such as government entities.  This has led some people to predict that ABAC will replace RBAC.  However, if we consider that roles are really a form of attributes attached to Identities, we could predict that the two methods will converge – with the best approach being a balance that leverages roles where appropriate, and attribute-driven rules where that approach makes sense.
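Added example, not code from the original post: a blended role- and rule-based provisioning model in which a role is simply one attribute of the identity. A modest role catalog carries the bulk of entitlements, attribute rules cover cases that do not justify a role of their own, and a reconciliation function compares the access a user should hold with the access they actually hold. The held-but-unexplained set is what an access certification review would flag, and a separation-of-duties check shows role data supporting compliance even without automated provisioning. Role names, entitlements, rules and user records are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    uid: str
    attrs: dict                      # roles live here too: a role is just one attribute
    actual_entitlements: set = field(default_factory=set)

    @property
    def roles(self):
        return set(self.attrs.get("roles", ()))


# Constructed role catalog: a deliberately small number of business roles.
ROLE_ENTITLEMENTS = {
    "employee":         {"email", "intranet"},
    "accounts-payable": {"erp:ap-entry"},
    "ap-approver":      {"erp:ap-approve"},
}

# Constructed attribute rules for cases that do not merit a role of their own.
# Each rule is (predicate over attributes, entitlements granted when it holds).
ATTRIBUTE_RULES = [
    (lambda a: a.get("country") == "US", {"us-benefits-portal"}),
    (lambda a: a.get("is_manager") is True, {"hr:team-view"}),
]

# Constructed separation-of-duties constraint: nobody may hold both at once.
TOXIC_COMBINATIONS = [{"erp:ap-entry", "erp:ap-approve"}]


def expected_entitlements(identity):
    """Access the identity should hold according to roles plus attribute rules."""
    expected = set()
    for role in identity.roles:
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    for predicate, grants in ATTRIBUTE_RULES:
        if predicate(identity.attrs):
            expected |= grants
    return expected


def reconcile(identity):
    """Return (to_grant, to_revoke).

    to_grant  : expected but missing (provisioning gap)
    to_revoke : held but explained by neither role nor rule (certification exception)
    """
    expected = expected_entitlements(identity)
    return expected - identity.actual_entitlements, identity.actual_entitlements - expected


def sod_violations(identity):
    """Toxic combinations present in the access actually held."""
    return [combo for combo in TOXIC_COMBINATIONS if combo <= identity.actual_entitlements]


if __name__ == "__main__":
    alice = Identity("alice",
                     {"roles": ["employee", "accounts-payable"], "country": "US"},
                     {"email", "intranet", "erp:ap-entry", "erp:ap-approve"})
    print(reconcile(alice))        # ({'us-benefits-portal'}, {'erp:ap-approve'})
    print(sod_violations(alice))
```

Because roles and other attributes are read from the same attribute bag, shifting an entitlement from the role catalog to an attribute rule (or back) changes nothing in the reconciliation logic, which is the convergence the paragraph above anticipates.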


Consider questions such as the following:

  1. Where can roles be leveraged to improve the effectiveness of your Identity provisioning and compliance system?
  2. What is the right balance for your organization in the number of roles and the rules that complement the roles?
  3. How can you effectively govern both the Identity life cycle and role life cycle in your organization?
  4. Are there ways you can leverage the role infrastructure you have adopted in other ways besides RBAC and compliance?
  5. Can emerging methods such as ABAC bring further efficiencies to your operation?

By the way, the stack of hats shown above served to represent the different roles or personae a person may possess in a tongue-in-cheek blog post I wrote earlier this year: Have a Token: ID Hats and Personae.   I liked Dave Kearns’ perceptive comment on that post: “Good analogy Mark, but I'm afraid that those of us who understand the phrase ‘to wear different hats’ are getting grayer, plumper and more forgetful every day! People just don't wear a good homburg, Stetson or Panama any more....”

Tuesday Oct 06, 2009

Identity Trend 4: Identity Assurance

This post is the fourth in a series of eleven posts I am writing about important trends in the Identity Management industry.

When you present identity credentials to log into an enterprise system or online Internet site, are you really whom you claim to be?  Do your credentials represent the “real you?”

I published one of my favorite blog posts, entitled “OpenID Credibility: Harry and Bess Truman,” back in June, 2007.  A brief excerpt:

I visited and was issued an identifier for Harry Truman: No validation, no verification of Harry's real Identity. I just plugged in President Harry Truman's birthday and home town. I did use my own personal email address, but it wasn't even validated at the time.

Armed with my new bogus identifier, I marched over to and made a couple of claims: The Buck Stops Here and I Love Bess.

Interestingly enough, the links still work!

This little exercise, where I wasn’t really THE Harry Truman, illustrates the need for Identity Assurance to validate whether my identity credentials really represent who I really am. Identity Assurance can be described as “a means to allow Identity Providers (IdPs), Relying Parties (RPs) and subscribers to determine the degree of certainty that the identity of an entity presenting an electronic identity credential is truly represented by the presented credential.”

With the continual expansion of online fraud and other threats to online security and privacy, the need for Identity Assurance methods is rising.  Being able to certify that the correct Identity credentials are issued to the correct user before access is attempted is an increasingly critical issue.

The Liberty Alliance Identity Assurance Framework defines four progressive levels of assurance, depending on confidence in the asserted identity's validity, as shown in the following table from the Liberty Identity Assurance Framework document.


By comparing the assurance level against the potential impact of authentication errors, we get a clear picture of how the wide spectrum of online access transactions require substantially different levels of Identity assurance.


My impersonating the late Harry Truman requires minimal assurance because the potential impact for the transactions I conducted is minor.  However, at the other end of the spectrum, identity credentials used to conduct high value financial transactions protected by civil or criminal statute are probably worthy of far more stringent Identity Assurance screening.

So, who is responsible for issuing high level credentials?  Should it be the government, which is responsible for issuing validated credentials like birth certificates, passports and driver’s licenses?  Should it be private enterprise?   It depends on the two factors illustrated above: Assurance Level and Potential Impact.


Consider these questions for your specific cases:

  1. What level of assurance do you require to match the risk (potential impact) to the cost and complexity of issuing identity credentials?
  2. What different levels may be appropriate for different applications or systems for which you are responsible?
  3. What sources of validation are appropriate to assure that the identity credentials you issue are valid?
  4. What role should government or private enterprise have in Identity assurance?

By the way, I still think Harry and Bess look good together.  What do you think?

Monday Oct 05, 2009

Identity Trend 3: Authorization

This post is the third in a series of eleven posts I am writing about trends in the Identity Management industry.

One might say that simple authorization is like permitting entry through the front gate of an amusement park, while fine grained authorization is like granting access to each individual attraction within the amusement park separately, based on some sort of policy.  Following this analogy, the most common method of Identity Management Authorization is like a full-day pass to Disneyland granting access to the front gate as well as every ride in the park.  Similarly, simple Identity Management authorization allows access to all functions within an application.

However, a trend is growing towards using standards-based, fine grained authorization methods to selectively grant access to individual functions within applications, depending on user roles or responsibilities.  For example, one user could be granted only simple data browsing privileges, while another user could be granted data creation or edit privileges, as determined by a policy stored in XACML format.   The definition and enforcement of this fine-grained authorization would be externalized from the application itself.

At the present time, fine grained authorization is desirable but difficult to implement.  It appears to be easier to define and control policies in an Identity system than to change each application to rely on an external system for authorization policy.

Much is being discussed about policy management standards (e.g. XACML).  Several vendors are effectively demonstrating interoperability based on XACML, but such systems are not yet in broad production.
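To make the externalization concrete, here is an added example (not code from the original post, and plain Python data rather than XACML XML) of the split described above: a policy decision point evaluates policies expressed as data, using XACML-style targets, conditions, Permit/Deny effects and deny-overrides combining, while the application keeps only a thin enforcement point that asks for a decision and fails closed on anything but an explicit Permit. The policies, attribute names and resource shapes are constructed for illustration.

```python
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed policies. The shape mirrors XACML concepts (Policy, Target, Rule,
# Condition, Effect) as plain Python data; a real deployment would load XACML
# documents into a policy decision point (PDP) instead.
POLICIES = [
    {
        "id": "patient-record-read",
        "target": {"resource": "patient-record", "action": "read"},
        "rules": [
            {"effect": PERMIT,
             "condition": lambda s, r: "clinician" in s.get("roles", ())},
            {"effect": PERMIT,        # clerks may browse summaries only
             "condition": lambda s, r: ("clerk" in s.get("roles", ())
                                        and r.get("summary_only") is True)},
        ],
    },
    {
        "id": "patient-record-edit",
        "target": {"resource": "patient-record", "action": "edit"},
        "rules": [
            {"effect": PERMIT,        # clinicians edit records of their own department
             "condition": lambda s, r: ("clinician" in s.get("roles", ())
                                        and s.get("department") == r.get("department"))},
            {"effect": DENY,          # records under legal hold are frozen for everyone
             "condition": lambda s, r: r.get("legal_hold") is True},
        ],
    },
]


def _combine(decisions):
    """Deny-overrides: any Deny wins, then any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def evaluate_policy(policy, subject, resource, action):
    """Apply one policy: check its target, then combine the rules that fire."""
    target = policy["target"]
    if target["resource"] != resource.get("type") or target["action"] != action:
        return NOT_APPLICABLE
    fired = [rule["effect"] for rule in policy["rules"]
             if rule["condition"](subject, resource)]
    return _combine(fired)


def pdp_decide(subject, resource, action):
    """Policy decision point: the only component that knows the policies."""
    return _combine([evaluate_policy(p, subject, resource, action) for p in POLICIES])


def pep_edit_record(subject, record):
    """Policy enforcement point inside the application. Anything other than an
    explicit Permit is treated as a denial, so unexpected decisions fail closed."""
    if pdp_decide(subject, record, "edit") != PERMIT:
        raise PermissionError("edit denied by policy")
    record["last_edited_by"] = subject["id"]
    return record


if __name__ == "__main__":
    dr_lee = {"id": "dr-lee", "roles": ["clinician"], "department": "cardiology"}
    record = {"type": "patient-record", "department": "cardiology",
              "summary_only": False, "legal_hold": False}
    print(pdp_decide(dr_lee, record, "edit"))                       # Permit
    print(pdp_decide(dr_lee, dict(record, legal_hold=True), "edit"))  # Deny
```

Note what changes when a new rule is needed (say, a legal-hold exception for a compliance officer): only the policy data in the PDP, not the application that contains `pep_edit_record`. That is the maintenance argument for externalizing policy, and also why every application still has to be touched once to insert the enforcement point.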


As progress is being made in both management of standards-based policies and the enforcement of such policies within applications, the following questions could be considered:

  1. Which of your applications could benefit most from fine-grained authorization?
  2. How would externalizing policy management and enforcement streamline your applications?
  3. How could standards such as XACML improve the management of security and access control policies in your organization?

Friday Oct 02, 2009

Identity Trend 2: Authentication

This post is the second in a series of eleven articles I am writing about trends in the Identity Management industry. 

After all is said and done, Authentication continues to be right at the heart of Identity Management.  Determining whether the correct set of Identity credentials is presented, so a person or process can be granted access to the correct system, application or data, is critical to the integrity of the online experience.   Authentication is like the gatekeeper or enforcer who determines who gets in the door. 

  1. Demand for strong authentication is accelerating as the sophistication and sheer numbers of people who would defraud or damage online systems continue to grow.  More effort is being focused on just how to economically, but securely, implement strong authentication methods to protect confidential information.
  2. As the need for strong authentication grows, there has been considerable conversation about whether the pervasive use of passwords is headed for extinction.  Is the password really on its deathbed? In a Network World column posted earlier this year, Dave Kearns equated passwords to buggy whips.  In my response entitled Passwords and Buggy Whips, I challenged “Replace username/password with what?"  Until we get wide acceptance of alternate methods, it is unlikely that passwords will join buggy whips in the dustbin of history.
  3. In a subsequent post entitled, Seat Belts and Passwords ... and Buggy Whips, I proposed that “until ease of use makes passwords irrelevant, people will continue to use buggy whips or drive without seat belts.”  The key issue dogging the industry is how to provide identity credentials that are so easy to use that the technically unsavvy majority can easily use them, while providing a level of security commensurate with the rising tide of online threats.


  1. Assess what level of security is needed for different areas of your enterprise.  In some cases, authentication must protect high value information.  In other cases, less strong authentication may be appropriate.
  2. Seek to understand what your users need.  What methods are both secure and easy to use for them?
  3. Is the cost of strong authentication commensurate with the risk of data loss or compromised system access?
  4. What is the best combination of authentication methods to serve my user community and protect my business interests?

Many years ago, while involved in a large physical security project, we joked that you need to invest enough in your security system so it is cheaper to bribe the guard than to breach the electronic system.  The same principle may be true with Identity Authentication.

Thursday Oct 01, 2009

Identity Trend 1: Market Maturity

This post is the first in a series of eleven posts I am writing about trends of key importance to the Identity Management industry.

Just as the following series of photos shows my son Eric progressing from infancy to young adulthood, the Identity Management market has matured, but still has a bright future ahead.


The Identity Management industry has been building for about a decade.  The market is definitely maturing out of adolescence into young adulthood.  Key characteristics of this maturing market include:

  1. Much focus is being given to best practices of how to maximize enterprises’ investment in these systems.  Rather than focusing on green field Identity implementations, enterprises are concentrating on system refinement, expansion or replacement.
  2. While the industry quite universally agrees that “quick wins” are essential first steps to implementing Identity Management systems, significant additional value can accrue as enterprises expand the reach and scope of their Identity infrastructure.
  3. The importance of Identity governance is becoming entrenched in enterprise culture, as holistic initiatives to address the broad areas of governance, risk and compliance recognize the critical importance of Identity Management in these processes.
  4. Experience has shown that Identity Management is a journey, not a destination.  Enterprises are recognizing that they must approach Identity Management as a long-term program, not a single project.
  5. The industry continues to consolidate, as we at Sun are well aware.  While there are still several emerging niche companies, larger vendors offer complete suites of Identity Management products.
  6. The major business drivers for investing in Identity Management systems still continue to be regulatory compliance, operational efficiency/cost and information security.  However, more focus is being placed on Identity as a key enabler of customer satisfaction through context-aware personalization.
  7. Identity Management is also moving down market, particularly as vendors and systems integrators are addressing the issues of rapid deployment and reduced pricing for smaller businesses.


In light of this maturing industry, I recommend that enterprises concentrate primarily on the business value Identity Management can deliver.  Questions such as these are appropriate:

  1. Where am I on the journey to implement Identity Management in my enterprise?
  2. Where has Identity Management already delivered value to my business?
  3. Where else can Identity Management deliver value?
  4. How can Identity Management enable Privacy and Security?
  5. How can Identity Management enable compliance?
  6. How can Identity Management increase efficiency and reduce cost?
  7. How can Identity Management enable a better user experience to my customers?

Monday Sep 28, 2009

Thanks, Dave!

I was honored today to have the wise sage of Identity, Dave Kearns, refer to me as a “fellow grandfather” and borrow content from my DIDW post (with my permission, of course) in his article about Digital ID World.  It’s always great to share thoughts with Dave.

Thursday Sep 24, 2009

Identity Management Trends and Predictions


My Sun Microsystems colleague Dave Edstrom asked me recently to prepare a webinar entitled “Identity Management in 2010: Trends and Predictions” and present it on the weekly “Software Technical Roundtable” he co-hosts for Sun Microsystems employees and partners.  Preparing for this specific event gave me just the right impetus to crystallize my thoughts on this subject, so I thank Dave for giving me the challenge.  I prepared the presentation deck (in OpenOffice, of course) earlier this week and presented the webinar to about 90 people this morning via Webex/teleconference.

I can’t share everything I discussed with our restricted audience this morning, but in this blog post, I’ll briefly describe eleven major trends that I see in the industry.  This is a precursor to more detailed posts I’ll author on each trend over the next several days.

First, a few caveats:

  1. Predictions rarely happen as quickly as we would like.  For example, in 2007 I gave an Identity Trends presentation at the JavaOne conference.  While some of my predictions evolved as expected, several trends have taken longer to develop.  I suppose it will be the same with the trends I describe in this post.
  2. This presentation focuses more on business issues than technology.  I did not attempt to address the trends in specific protocols or products, but chose to focus on the impact of these trends on business.
  3. This list of trends reflects my own opinions, which are not necessarily reflective of Sun Microsystems official positions or product road maps.
  4. This presentation does not represent Oracle in any way.  I have not discussed this list of trends with any Oracle people, nor could I comment on those conversations if I had.

With those caveats, here is my list of the top eleven Identity Management trends for the year ahead.  I really tried to make a nice round list of ten, but I felt it made more sense to separate Authentication and Authorization into separate subjects.

  1. Market Maturity.  The Identity Management market is maturing.  Much focus is being given to best practices of how to maximize enterprises’ investment in these systems.  Rather than focusing on green field Identity implementations,  enterprises are concentrating on system expansion or replacement.  The industry continues to consolidate, as we at Sun are well aware.
  2. Authentication. Demand for strong authentication is growing as enterprises and government agencies seek to deter cybercrime. While some have predicted the “death of the password”, the widespread use of UserID/Password as the predominant method for authentication will most likely not go away until we see wide adoption of alternate authentication methods that are both secure and easy to use.
  3. Authorization.  Fine grained authorization is increasingly desirable but difficult to implement.  Policy management standards (e.g. XACML) are also desirable, but not in broad production.  Complexity in adapting applications to take advantage of standard authorization methods will continue to delay adoption.
  4. Identity Assurance.  Answering the question “are you really whom you claim to be?” prior to the issuance of Identity credentials continues to be a thorny problem, but is increasingly important in the ongoing battle against fraud. The Liberty Alliance Identity Assurance Framework provides a valuable industry model that defines four levels of assurance, based on confidence in the validity of asserted identities and the potential impact of errors.
  5. Roles and Attributes.  There is a growing acceptance of role based access control in production systems.  Governance of the role definition and maintenance process, linked to governance of the Identity Provisioning process, is essential.  Enterprises are discovering that the use of roles is potentially broader than RBAC, including use of data analytics to evaluate the effectiveness of organizations.  The use of attribute-based authentication is being hailed in some markets, particularly the public sector, as an alternative to RBAC.  However, a blended approach may be the best solution.
  6. Identity Federation.  In some ways, Identity Federation is a given.  SAML is broadly used as a standard protocol and successful business models have been implemented.  However, broader adoption is often difficult because business challenges are larger than technology challenges.  Burning questions swirl around the challenges of using federation in cloud computing.
  7. Regulation.  Government regulations (e.g. SOX, HIPAA/HITECH), which primarily address governance, security and privacy issues, will continue to expand, both on national and state/province levels.  For example, the HITECH Act which became law earlier this year expanded HIPAA security and privacy regulations to address business partners, and added security breach notification to the national statute.  At the same time, industry-driven regulations such as PCI DSS also impose stringent requirements on online merchants.  In all these areas, Identity is a critical enabler for compliance.
  8. Personalization and Context.  Personalization can enhance the value of online user experience.  Both identity and context are essential for personalization.  Concepts such as “persona selection” and the “purpose-driven web” focus on enriching user experience by blending identity and context.
  9. Identity Analytics.  Advanced data analytics will bring value to many identity-based activities such as Authentication (historical “fingerprints” based on your patterns of accessing online resources), Context/Purpose (predicting preferences from your historical activity) and Auditing (who really did what when?).
  10. Internet Identity.  Identity systems for the Internet must efficiently accommodate billions of individual Identities.  User-centric or user-managed Identity technologies such as Infocard/Cardspace and OpenID are trying to address the inherent tension between security and ease-of-use requirements.  Commercial Identity providers are emerging, including the likes of Facebook, Google, Yahoo, PayPal, Equifax and others, both in public and private sectors.
  11. Identity in the Cloud.  Identity as a Service (IDaaS) is a critical foundation for Cloud Computing.  A number of IDaaS companies are emerging to address this specific need.  One of the main barriers to effectively implementing Identity in the cloud is the increased complexity of having to establish effective trust relationships between enterprises and service providers, while protecting the security and privacy requirements imposed by customers and regulations.

So, there is my list of eleven major trends.  Your list or focus on specific topics might differ.   Please let me know what you think.  Please also stay tuned to my discussion of these eleven trends in future blog posts.

Thursday Sep 17, 2009

Digital ID World – Final Thoughts

I missed the final sessions of Digital ID World on Wednesday because of commitments in California.  Judging from the Twitter traffic, it sounded like some great stuff was discussed.

As a follow-up to my posts for Day 1 and Day 2, here are my top ten final thoughts about the conference (without the benefit of Day 3):

  1. Most Stimulating Information. Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.
  2. Newest Identity Concept. Phil Windley’s proposal to enable contextualized, purpose-based user experiences using the web browser as a point of integration triggers lots of new thoughts about extracting value from the Internet.
  3. Most Reinforced Notion. The Identity Management market is maturing.  Companies are seeking to learn best practices for getting the most out of their investments.
  4. Biggest Question in my Mind. How much validity should we place in Symplified’s claim that “Federation is Dead.  Long Live the Federation Fabric?”
  5. Most Enjoyable Networking Moments.  Meeting folks in person I have only met virtually beforehand.  In person wins every time.
  6. Most-asked Question.  Nearly everyone whom I spoke with asked me something about the Oracle acquisition of Sun.  That happened to be the easiest question for me to answer: “Until the deal closes, we are independent companies.  We must wait until then for details.”
  7. Best Trade Show Giveaway. An LED flashlight from Novell.  Incandescent bulb flashlights seem to be quickly joining buggy whips in the dustbins of history (except for special cases).
  8. Biggest Pet Peeve.  No power strips or WIFI were provided for attendees.  This severely limited note taking and real-time blogging.
  9. Most Entertaining Event.  No, not the parties.  It was the Chinese guy who drove my taxi to the airport.  He chattered non-stop for the whole trip about technology, Maryland, California, Utah, Idaho, Micron, Sun Microsystems, Oracle, potato chips, microchips, stock trading, traffic and dishonest taxi drivers.  What a hoot!
  10. Biggest Disappointment. The show seems to get smaller each year – both in the number of attendees and participating vendors.  Will it survive?

That’s my list.  What do you think?

Tuesday Sep 15, 2009

Digital ID World - Day 2

Today was really the first “official” day of the Digital ID World conference, but for me – Day 2.  So, here are some short highlights of the sessions I attended.

Cops and Robbers, Las Vegas Style – Jeff Jonas, Chief Scientist, IBM Entity Analytic Solutions

  • Las Vegas is his “laboratory” for identity analytics – resorts typically have 100+ systems and 20,000+ sensors
  • Context engines close the gap between the rapidly increasing amount of digital data and the less rapid growth of “sense-making” algorithms
  • Mobile operators are accumulating 600 billion cellphone transaction records annually and are selling this data to third parties who use advanced analytics to identify space/time/travel characteristics of individual people

Context Automation – Phil Windley, CTO, Kynetx

  • Current web marketing focuses on servers, using the metaphor of “location”
  • Focus on “purpose” from the client’s perspective, using an intelligent, adaptable browser, will bridge between server-based silos to give users a richer, more purposeful experience

The Implications of Privacy on IDM – Larry Ponemon, Founder and Chairman, Ponemon Institute

  • Many cultural differences are evident between nations and areas of the world with regard to privacy, security and identity management expectations.
  • Companies doing business internationally will need to be sensitive to cultural and legal issues in the nations where they do business.
  • People are growing tired of fact-based identity
  • Perceptions of privacy are inextricably linked to identity and authentication

Business Process and Legal Issues in Cross-Org Secure Collaboration – Peter McLaughlin, Foley & Lardner

  • Regulatory language should be treated as a floor, rather than a ceiling
  • Normal industry practices may represent minimum requirements but may not guarantee compliance
  • Make sure your business partners abide by same laws your company is subject to
  • Reputational risk will always stay with your company, but you may seek to share financial risk with partners

Identity Governance Frameworks – Marc Lindsey, Levine, Blaszak, Block & Boothby

  • Legal agreements seek to apportion liability - who is responsible for what?
  • Comprehensive frameworks for governing such agreements are emerging
  • Modern federation agreements need to be better than the old EDI agreements

Dealing with International Privacy Laws – Discussion led by Larry Ponemon, Founder and Chairman, Ponemon Institute

  • Complex international privacy laws affecting data transport hamper organizations' ability to do their legitimate work.
  • Will it be easier or harder to deal with international differences in privacy laws in five years?  (majority of audience said no)

Federation is Dead: Long Live the Federation Fabric – Symplified

  • Federation must move to utility model to overcome issues of costs and complexity associated with one-to-one integration.

Building Good Practices into Your Processes – Edward Higgins, Vice President of Security Services, Digital Discovery Corporation

  • Education of employees on good security practices is a critical part of getting value from your IDM investment


Digital ID World - Day 1

On Monday and Tuesday this week, I attended the Digital ID World (DIDW) conference held at the Rio Hotel in Las Vegas.  It has been enjoyable to take the pulse of the industry from yet another vantage point and connect with fellow Identity Management practitioners from diverse locations.  Of course, the first question nearly everyone asked me had something to do with Oracle, but, of course, I can’t talk about that.  So, here are very brief highlights of each session I attended the first day (Authentication and Virtual Directory “Summit Sessions”):

The State of Authentication and its Impact on IDM – Jim Reno, CTO, Arcot

  • “Risk Based Authentication” is a fourth factor of authentication, augmenting traditional factors (what you have, know, and are)
  • Authentication should consider context when assessing risk

Authentication Case Study – Naomi Shibata, former GM/COO, MLSListings

  • Communication with users is essential prior to authentication system rollout

The Future of Authentication – panel including Jim Reno and Naomi Shibata, moderated by Bill Brenner, Sr. Editor of CSO Magazine

  • Business, legal, regulatory and liability issues are more onerous than technical issues when considering an authentication system
  • Authentication technology advances usually occur in response to advances in threats
  • Enterprises should periodically re-verify appropriateness of installed authentication systems in light of advances in technology and threats
  • Identity assurance is increasing in importance

Identity Service Virtualization and Context Management – Michel Prompt, CEO/Founder, Radiant Logic

  • It is difficult to define Identity without understanding the context in which it is used
  • Understanding relationships between identity objects enables a global model that links identities together to enable contextual views
  • Such Identity linking can occur in a virtualization layer between diverse identity repositories and applications which consume those identities

Case Study: Identity Services and Virtualization – Bill Brenner, CSO Magazine and Mohammad Khattak, Booz Allen Hamilton

  • Dynamic Access Control requires a consolidated identity repository fed by many sources of identity information
  • When aggregating data sources, we need to understand the trust level in each source repository

Impact of Oracle/Sun Acquisition – David Rusting, Unisys and Todd Clayton, CoreBlox

Note: I am restricted from commenting on product roadmaps or anything related to the Oracle acquisition of Sun.  The following comments are views expressed by the panelists.

  • The primary discussion focused on how customers should plan for potential changes in either Sun or Oracle directory roadmaps
  • A virtualization layer between directory and applications may provide a layer of abstraction to shield customers from changes in vendor roadmaps and reduce ties to a single vendor
  • This may be a time to re-evaluate application needs and determine which direction to go with regards to directory technology

Stay tuned for Day 2!

Thursday Sep 10, 2009

"Anonymized" Data Really Isn't

I enjoy watching re-runs of the television drama, NCIS, where a dysfunctional little group of crime-fighting superstars often analyze divergent bits of data to solve seemingly unsolvable mysteries.  Last night, Agent McGee correlated data from phone records, automobile registrations and police station activity records to pinpoint a bad cop in collusion with an international drug lord.  Far fetched?  Perhaps not.

I have been spending much of my time recently preparing a white paper addressing the issues of HIPAA privacy and security compliance, particularly in light of expanded regulations emerging from the “stimulus bill” signed into law earlier this year.  As I have explored privacy issues related to electronic health records, I was particularly intrigued by an article by Nate Anderson entitled “’Anonymized’ Data Really Isn’t and here’s why not”, published in Ars Technica earlier this week.

On the surface, it would seem that removing obvious identifiers such as name, address and Social Security Number from a person’s data record would cause that record to be “anonymous” – not traceable to single individual.  This approach is commonly used by large data repositories and marketing firms to allow mass data analysis or demographic advertising targeting.

However, work by computer scientists over the past fifteen years shows that it is quite straightforward to extract personal information by analyzing seemingly unrelated, “anonymized” data sets. This work has “shown a serious flaw in the basic idea behind ‘personal information’: almost all information can be 'personal' when combined with enough other relevant bits of data.”

For example, researcher Latanya Sweeney showed in 2000 that “87 percent of all Americans could be uniquely identified using only three bits of information: ZIP code, birthdate, and sex."
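The check a privacy engineer would run before releasing such a data set, as an added illustration that is not part of the original post: the records below are constructed, and the k-anonymity measure, generalization and suppression functions are my own simple implementation, not Sweeney's method.

```python
from collections import Counter

# Constructed sample of "de-identified" health records: name, address and SSN are
# already stripped, but the three quasi-identifiers Sweeney named remain.
RECORDS = [
    {"zip": "02138", "dob": "1965-07-22", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1965-07-22", "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1971-01-03", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02141", "dob": "1980-11-30", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02142", "dob": "1965-03-15", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02144", "dob": "1971-09-09", "sex": "M", "diagnosis": "flu"},
]

def quasi_key(rec, zip_digits=5, dob_to_year=False):
    """Quasi-identifier tuple for one record, optionally generalized:
    keep only the first `zip_digits` of the ZIP and/or only the birth year."""
    dob = rec["dob"][:4] if dob_to_year else rec["dob"]
    return (rec["zip"][:zip_digits], dob, rec["sex"])

def k_anonymity(records, **gen):
    """Return (smallest group size k, number of records that are unique)
    over the quasi-identifier combination. k == 1 means at least one record
    is singled out by ZIP + birthdate + sex alone, even with no name present."""
    groups = Counter(quasi_key(r, **gen) for r in records)
    unique = sum(1 for r in records if groups[quasi_key(r, **gen)] == 1)
    return min(groups.values()), unique

def release(records, k_min, **gen):
    """Generalize the quasi-identifiers and suppress every record whose group
    is still smaller than k_min. Returns (released rows, suppressed count)."""
    groups = Counter(quasi_key(r, **gen) for r in records)
    out = []
    for r in records:
        key = quasi_key(r, **gen)
        if groups[key] >= k_min:
            out.append({"zip": key[0], "dob": key[1], "sex": key[2],
                        "diagnosis": r["diagnosis"]})
    return out, len(records) - len(out)

if __name__ == "__main__":
    print("raw:", k_anonymity(RECORDS))  # (1, 4): four of six rows are unique
    print("generalized:", k_anonymity(RECORDS, zip_digits=3, dob_to_year=True))  # (1, 1)
    rows, dropped = release(RECORDS, 2, zip_digits=3, dob_to_year=True)
    print(f"released {len(rows)} rows, suppressed {dropped}")  # released 5, suppressed 1
```

Stripping direct identifiers leaves most rows unique on the three quasi-identifiers; only generalizing them and suppressing the remaining singletons gets the release to k = 2.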

Professor Paul Ohm of the Colorado School of Law, in his lengthy new paper on "the surprising failure of anonymization," wrote:

As increasing amounts of information on all of us are collected and disseminated online, scrubbing data just isn't enough to keep our individual "databases of ruin" out of the hands of the police, political enemies, nosy neighbors, friends, and spies.

If that doesn't sound scary, just think about your own secrets, large and small—those films you watched, those items you searched for, those pills you took, those forum posts you made. The power of re-identification brings them closer to public exposure every day. So, in a world where the PII concept is dying, how should we start thinking about data privacy and security?

Ohm went on to outline a nightmare scenario:

For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical 'database of ruin,' the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Re-identification has formed the database of ruin and given access to it to our worst enemies.

I won’t ask what your “blackmail-able facts” might be, and won’t tell you mine.  But it is sobering to think what abuses might emerge from the continued amassing of online data about all of us.  This certainly casts new light on the importance of privacy and security protections for all of our personal data.

Tuesday Sep 01, 2009

Cloud Computing: Identity and Access Management

While listening this morning to Glenn Brunette’s excellent webinar entitled, “Safety First: Protecting Your Services in the Cloud,” I was introduced to the Cloud Security Alliance, of which Glenn is a founding member.  I was intrigued by the document published by the Alliance in April 2009, entitled, “Security Guidance for Critical Areas of Focus in Cloud Computing.”  This initial report from the Alliance outlines “areas of concern and guidance for organizations adopting cloud computing. The intention is to provide security practitioners with a comprehensive roadmap for being proactive in developing positive and secure relationships with cloud providers.”  The report outlines 15 domains or areas of concerns that should be addressed by stakeholders in cloud computing initiatives.

I focused primarily on the section entitled “Domain 13: Identity and Access Management,” authored by Subra Kumaraswamy, Senior Security Manager, Sun Microsystems and Jim Reavis, Co-founder & Acting Executive Director, Cloud Security Alliance.  The executive summary of the document provided five key recommendations regarding IAM in the cloud:

  • The key critical success factor to managing identities at cloud providers is to have a robust federated identity management architecture and strategy internal to the organization.
  • Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
  • Validate that cloud providers either support strong authentication natively or via delegation and support robust password policies that meet and exceed cloud customer internal policies.
  • Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
  • Consider implementing Single Sign-on (SSO) for internal applications and leveraging this architecture for cloud applications.
  • Using cloud-based “Identity as a Service” providers may be a useful tool for outsourcing some identity management capabilities and facilitating federated identity management with cloud providers. For example, they may be useful for abstracting and managing complexities such as differing versions of SAML, etc. Be aware that they become a critical new cloud provider for your organization and must be vetted with this broad guidance document.

Some of the key points I gleaned from the IAM section include:

Supporting today’s aggressive adoption by the business of an admittedly immature cloud ecosystem requires an honest assessment of an organization’s readiness to conduct cloud-based Identity and Access Management (IAM), as well as understanding the capabilities of that organization’s cloud computing providers. …

Standards support for achieving IdM federation with your cloud providers is crucial. … It appears as though SAML is emerging as the leading standard that enables single sign-on (SSO). …

You should understand the cloud provider's support for user management processes including user provisioning, de-provisioning and overall lifecycle management of users and access in the cloud in an automated way. …

You also need to perform due diligence to assure that the cloud provider's password policies and strong authentication capabilities meet or exceed your own policies and requirements. …

As a long term strategy, customers should be advocating for greater support of XACML-compliant entitlement management on the part of cloud providers, even if XACML has not been implemented internally. …

A good strategy towards the maturation of your own IdM in order to make it “cloud friendly” is to start enabling SSO within your own enterprise applications, for your existing user base of employees, partners and contractors. …

One of the investments you may consider is an Identity as a Service solution to bridge between cloud providers or even outsource some Identity Mgt functions. …

I will join Sun colleagues on a conference call tomorrow to explore the topic: “What is the same and what is different about the task of integrating a new app when it is in the cloud vs. internal?”  I’ll report back on what we learn from each other.

Thursday Aug 27, 2009

Quick Wins in Identity Management - Still Alive and Well

I enjoyed reading Felix Gaehtgens' recent article entitled "Quick Wins in Identity Management."  The essence of his post is summarized in his second paragraph:

With the current squeeze on cost and corporate spending, many IT departments find themselves in a true quagmire. On one hand, the IT industry is focusing on efficiency like never before - elaborating new approaches and processes to increase efficiency and do more with less. Governance and risk management is a big issue whose lack has greatly contributed to the current crisis. IT is under scrutiny to be more of a business enabler and less of a cost center. All of this requires change, new technology, and strategic vision. But as IT spending is reduced or even capped, this creates a Catch 22 situation. Under pressure, some IT departments try for more tactical approaches that can eventually be expanded into a broader strategy. Quick wins are needed to get there.

It is great to know that in prevailing Identity Management thought, the Quick Win concept is still valid.  Back in June, 2005, I authored a post entitled "Quick Wins for Identity Management," highlighting "Sun's Quick Win philosophy."  In that article, I proposed:

The value of a quick win project should not be underestimated. A number of advantages can accrue:

  • Measurable results are quickly demonstrated
  • Project momentum is maintained for future phases
  • The likelihood of continual sponsorship is increased
  • The system architecture is progressively validated
  • Configuration components are more easily reused
  • Impact on the enterprise is more easily understood

It is interesting, and not altogether coincidental, that a post I wrote earlier today featured the AegisUSA announcement of "Identity Appliances" to reduce entry costs and accelerate time to value.  The AegisUSA offering is yet another validation that the Quick Win philosophy really does work.

So, let me leave you with Felix's final words:

As usual, those who take a good long-term view are usually rewarded most in the long run. But when strategic initiatives are out, and the thinking is tactical, the above mentioned areas have shown the potential for quick wins. These quick wins have additional benefits because they can be everybody, but that cannot be an excuse to do nothing – those who are smart and creative will be able to push ahead in front of others. Hopefully these ideas will help you delivering value in these tough times.

... and mine, from the June 2005 article:

We encourage you to make this your philosophy: Segment your Identity Management project into manageable parts. Focus your attention first on the most urgent, most beneficial, most quickly implemented areas of the entire project scope. Drive directly to those areas where you will experience a quick win.

Ladies and Gentlemen, start your engines.



Discovering Identity was founded on in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.

The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.

