Thursday Jan 28, 2010

So Long, Farewell, Auf Wiedersehen, Good Night


Well, my friends, it is time for me to say goodbye. It's been a wonderful 5 years at Sun. As many probably suspected, I will not be joining the Oracle Identity team.

These past five years have been the best professional experiences in my life. I had a blast working with the Java Enterprise System team and Sun's systems management team, but nothing beats my experience working with the most talented Identity Management team in the world. Oracle is inheriting THE BEST Identity products available and I wish them luck on their strategy and direction.

Although I'm very happy that this process has finally come to a close, I am sad to see Sun fading away. I believe the environment that Sun fostered was a once in a lifetime opportunity and I appreciate the experience and have tremendous gratitude for all that it offered me.

If you want to continue following my blog, I plan to continue to write on identity at www.smokingmonkey.org. Also, feel free to connect with me on LinkedIn.

Thursday Jan 14, 2010

New Blog at SmokingMonkey.org


Today, I imported all entries from this blog into my new WordPress blog at smokingmonkey.org. I'm using GoDaddy to host and installed my own instance of WordPress. I plan to double-post content to both sites for the foreseeable future. Figured it was time to have my own space to blog so I could be more irreverent than ever!

Visit SmokingMonkey.org!

Tuesday Dec 22, 2009

IDM Buzz Podcast: ROA, OAuth, REST Services and OpenSSO


Last week I had the opportunity to record an IDM Buzz Podcast with Michael Cote of Redmonk and Jamie Nelson, Sun's Director of Engineering for OpenSSO.

In this episode we discuss the latest OpenSSO Express 9 launch and our new Fine-Grained Authorization (FGA) capabilities. We also explain why we chose a Resource Oriented Architecture when designing our FGA solution and did some therapy with Cote to help him deal with his exposure to a shaved, punk rock cat (we're hoping his health care covers the session).

Listen Now

Also, if you missed our webinar last week on the OpenSSO Fine-Grained Authorization capabilities check out the replay here. Enjoy!

Thursday Dec 17, 2009

Watch Webinar: Next Generation Fine Grained Access Control Using Open SSO

For those that missed it, below is the webinar we recorded yesterday on OpenSSO's new Fine-Grained Entitlement Enforcement capabilities. Enjoy! You can also read the press release here.

Wednesday Dec 09, 2009

OpenSSO Integrates with EJBCA, Enterprise Class PKI Certificate Authority


There are a couple of nice technical articles available that demonstrate how to integrate EJBCA and OpenSSO. EJBCA is an enterprise-class PKI Certificate Authority built on J2EE technology. It is a robust, high-performance, platform-independent, flexible, and component-based CA to be used stand-alone or integrated in other J2EE applications. EJBCA provides users with digital certificates for strong authentication and digital signatures. OpenSSO uses these credentials to provide single sign-on and authorization. Check out the articles.

Using OpenSSO To Protect Java EE Applications: Setting Up X.509 Client Authentication

Integrating EJBCA and OpenSSO (pdf)

Tuesday Dec 08, 2009

Next-Generation Fine-Grained Entitlement Enforcement Using OpenSSO


As we near the end of the year, Kuppinger Cole and Sun Microsystems will take an in-depth look at how you can externalize authorization using next-generation technology that scales! Analyst Felix Gaehtgens will review the market and provide insight into what's ahead, and Sun Chief Identity Strategist Daniel Raskin will share exciting news about how customers can use OpenSSO to implement a repeatable, scalable process for externalizing authorization.

Register Now for this free Webinar to learn more about:

  • What's happening in the market regarding externalized authorization
  • Key trends and priorities
  • Actions you should think about for 2010 and beyond
  • Fine-grained entitlement enforcement in OpenSSO Express 9

While other vendors offer fine-grained entitlement enforcement as a standalone solution, Sun's OpenSSO is the only solution to deliver access management, federation, secure Web services and now fine-grained entitlement enforcement — all in a single application.

Date: Wednesday, December 16, 2009
Time: 10:00 am PDT / 1:00 pm EDT / 19.00 CET
Duration: 1 hour
Speaker: Kuppinger Cole Analyst Felix Gaehtgens and Sun Chief Identity Strategist Daniel Raskin

OpenSSO & Layer 7: End-to-End Web Services Security

Last week I recorded a new Identity Buzz Podcast with K. Scott Morrison, Layer 7 CTO & Chief Architect. We discussed the Sun OpenSSO Enterprise / Layer 7 SecureSpan Gateway integration. The combined Sun / Layer 7 solution offers a powerful one-two punch when trying to conquer web services security.

Essentially, the solution allows you to deploy SecureSpan as a policy enforcement point and OpenSSO as a Policy Decision Point when abstracting and centralizing authentication and authorization for your company's web services. The SecureSpan Gateway is a nice complement to OpenSSO because it inserts an abstraction layer between the web service requesters and web service endpoints in order to govern and secure their transactions. Rather than having to deploy a local agent to protect every web service you can implement a gateway that acts as a broker to all your services.

To learn more about this integration listen to our latest Identity Buzz Podcast on the topic.

Listen Now

You can also subscribe to the feed and get episodes automatically. Here’s the iTunes friendly link and the Feedburner feed. There is also a nice article describing the integration on the Sun Developer Network titled "Delegating XML Gateway Runtime Authorization to OpenSSO." Enjoy!

Wednesday Oct 28, 2009

ABAC + RBAC = ARRRRR-BAC

Arrrr, me mateys!

I'm going to stand on my soap box for a few minutes to share my take on the ongoing dialogue around RBAC versus ABAC. The debate over which one is better seems to be as heated as the debate over which side of a black and white cookie tastes better (Seinfeld - Black & White Cookie Episode).

I'm constantly asked by customers about which approach I prefer. Analysts seem to enjoy this conversation as well. In fact, Kuppinger-Cole did a nice Q&A on the debate earlier this week and does a great job outlining the issues.

Critics of the RBAC model argue that RBAC is static and believe that taking an RBAC-only approach will lead to an excessive number of roles. They argue that policy decisions will need to leverage Roles plus attributes embedded within your application infrastructure.

Honestly, I think the debate here is somewhat self-created by framing it in terms of RBAC versus ABAC rather than simply acknowledging that a good policy engine needs to support both roles and dynamic attributes. It is very rare to come across customers that are able to contain all attributes within a role. I have yet to see a real-world organization with a clean RBAC implementation. Arguing for purely RBAC is a nirvana that casts a blind eye to the grey areas of the application infrastructure world.

The issue of RBAC v. ABAC is less a decision about choosing one over the other and more a decision around where one draws the line when defining roles. Today's organizations need to define a clear line between what attributes should be part of a role and what should remain application specific. The balance between how you define roles versus attributes is very use case driven and contextual to each customer's environment. This boundary is often based more on business context, IT budget, perceived value of abstracting identity from apps, and a gazillion other factors that could influence what you should do.

From the perspective of entitlement enforcement, the basic gist is that any system that is going to work for a customer needs to support both ABAC and RBAC. Policy enforcement decisions need to take into consideration role definitions and sometimes they also need to incorporate dynamic attributes from applications.

As we refine entitlement enforcement in OpenSSO (our Beta was made available in September 2009) we are looking at this from both perspectives and expecting real implementations to require a hybrid solution that is dynamic and can take into consideration both roles and attributes. Our solution consumes roles, allows applications to push attributes to OpenSSO for policy evaluation, and allows OpenSSO to pull attributes for policy evaluation. In fact, OpenSSO also supports policy referrals or partial policy referrals to help make an "accept" or "deny" decision.

Thus, my solution is to stop arguing about RBAC versus ABAC and change the name to ARRRRRRRRR-BAC (use the best pirate voice you can muster). Thus, like the black and white cookie, we can all live together again in harmony.
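The hybrid decision argued for in this post can be sketched as follows. This is an added example, not OpenSSO code or its API: the `Policy` class, `decide`, `check`, the `DIRECTORY` attribute source and the expense-report policy are all hypothetical names and constructed data, assuming a role gate followed by an attribute condition fed by pushed and pulled values.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, Iterable, Optional

@dataclass(frozen=True)
class Policy:
    resource: str
    action: str
    roles: FrozenSet[str]                        # RBAC: coarse, stable job function
    needs: FrozenSet[str]                        # ABAC: attributes the condition reads
    condition: Callable[[Dict[str, Any]], bool]  # ABAC: dynamic, per-request check

def decide(policies: Iterable[Policy], subject_roles: FrozenSet[str], resource: str,
           action: str, pushed: Dict[str, Any],
           pull: Callable[[str], Optional[Any]]) -> str:
    """Return "accept" only if a policy matches on role AND attributes; else "deny"."""
    for p in policies:
        if (p.resource, p.action) != (resource, action):
            continue
        if not (p.roles & subject_roles):
            continue                      # role gate failed, never look at attributes
        attrs = {k: pushed[k] for k in p.needs if k in pushed}
        for name in p.needs - set(attrs):
            value = pull(name)            # fetch what the caller did not push
            if value is not None:
                attrs[name] = value
        # A missing attribute is a deny, not a skipped check.
        if set(attrs) == set(p.needs) and p.condition(attrs):
            return "accept"
    return "deny"

# Constructed sample data: one role plus an attribute replaces roles such as
# "manager-5k" and "manager-10k".
DIRECTORY = {"approval_limit": 5000}  # stands in for a pulled attribute source
POLICIES = [Policy("expense-report", "approve", frozenset({"manager"}),
                   frozenset({"amount", "approval_limit"}),
                   lambda a: a["amount"] <= a["approval_limit"])]

def check(roles, amount, directory=DIRECTORY):
    pushed = {} if amount is None else {"amount": amount}
    return decide(POLICIES, frozenset(roles), "expense-report", "approve",
                  pushed, directory.get)

if __name__ == "__main__":
    print(check({"manager"}, 3000))   # role and attributes satisfied
    print(check({"manager"}, 9000))   # role ok, attribute condition fails
    print(check({"employee"}, 3000))  # no qualifying role
```

In this sketch a pushed value takes precedence over a pulled one, so pushed attributes are only as trustworthy as the application that sends them.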

Friday Oct 09, 2009

Bookmarks for October 9th 2009

Links for the day . . .

  • Sun Microsystems Releases New Versions of Role Manager and Directory Server Enterprise Edition -- Sun Microsystems, Inc. (NASDAQ: JAVA) today announced new versions of Sun™ Role Manager software and Sun™ Directory Server Enterprise Edition, offering organizations updated tools to intelligently manage their identity portfolio. Customers will benefit from increased business transparency and compliance, simplified access controls, as well as better performance and scalability.

  • The OpenSSO REST Interfaces in Black / White – DocTeger gives a comprehensive explanation of OpenSSO's REST-like identity services, with the usual cool music video at the end.
Tuesday Sep 29, 2009

Federating to Salesforce CRM in Under 5 Minutes

I just finished editing a video on how to federate to Salesforce CRM using OpenSSO in under 5 minutes. It was a lot of fun to make. Like our Google Apps Starter Kit, we'll be launching a Salesforce Starter Kit shortly that walks you through a step-by-step guide on how to do this as well. Basic gist is this solution allows you to reduce sign-ons for your employees and allows them to access Salesforce services using their enterprise credentials rather than their Salesforce credentials. Enjoy!

Tuesday Sep 22, 2009

Announcing New OpenSSO Community Lead -- Hubert Le Van Gong

I wanted to update you on the news last week about Pat Patterson (aka SuperPat) moving on from Sun and our search for a new community lead.

As you all now know, Pat has moved on from Sun and thus has stepped down as the OpenSSO community lead. I want to wish Pat the best of luck in his future endeavors. He is not only an icon among the OpenSSO world, but he is also a great friend. I jokingly told Pat on his last day that he is "now dead to me," but the truth is I will miss him dearly and look forward to pestering him lots in the future.

That said, I am very happy to announce that our new OpenSSO community lead is Hubert Le Van Gong. Hubert has a long history with OpenSSO. He is an identity architect at Sun with strong expertise in IdM protocols as well as RESTful web services. He started working with OpenSSO in the context of interoperability with the Microsoft-backed web services stack. True to Sun's tradition of eating its own dog food, he then helped deploy OpenSSO and its OpenID extension as an Identity Provider for Sun employees. More recently Hubert has been working on new OpenSSO extensions like OAuth and OpenID 2.0. Check out Hubert's blog to read about OpenSSO community activity and feel free to ping him via IRC. His IRC handle is hubertlvg.

In addition to Hubert, you can always contact me directly at daniel.raskin@sun.com or Jamie Nelson, the Director of OpenSSO Engineering, at jamie.nelson@sun.com. We are also on IRC and our handles are draskin and jamiefnelson, respectively.

Please join me in welcoming Hubert to his new role and start pinging away with questions!

Tuesday Aug 18, 2009

OpenSSO Express for Improved SSO

If you have a spare hour tomorrow (Wednesday August 18th 2009) morning, join me as I will be presenting a webinar titled OpenSSO Express for Improved SSO. The webinar is at 10am PDT/1pm EDT/7pm CET for an update on the very latest features in OpenSSO Express 8 and beyond, such as mobile one-time passwords, the Fedlet for .Net, and SalesForce.com integration. We will also be previewing our OAuth Token Service.

Monday Jul 27, 2009

OpenSSO Express 8 & OpenDS SE 2.0 Arrive!

Theeeeeeeey're heeeeeeeeere . . .

Thursday Jul 16, 2009

Technology Preview: OpenSSO OAuth Token Service

Check out the preview of our new OAuth Token Service. You can now use REST and the OAuth Token Service for securing your apps. It's a nice, light-weight alternative to WS*.

About

Read my extraordinary thoughts about the world of identity and access management. As an identity child prodigy, I have much to say about these subjects.
