
Identity and Access Management (IAM)

Focusing on our views about deployment challenges, and some of the important trends related to Identity and Access Management
  • Compliance Messages at RSA... some thoughts

    Although it's been a few weeks since the RSA show, I wanted to pass on something that struck me as I walked around the show floor, checking out all the booths. Last year, the hot buzzword of the show seemed to be "compliance". Everyone was jumping on that bandwagon in their marketing, because customers seemed to view their compliance challenges as the biggest problem that they faced. And when large enterprises express a major problem that they face, you can bet that very soon most software companies will begin to use that messaging in their marketing activities. But this year, a strong compliance emphasis was not in evidence at the RSA show. Sure, there were a few pure compliance vendors there, but the amount of general compliance marketing was, in my view, less than in previous years.

    What does this mean? Do customers not care about compliance any more? Have they given up on adopting technology to help them solve this problem? Or have they already solved it?

    The answer, I believe, is "no" to all of these questions. I actually think that the lack of overwhelming compliance messaging is good news. It means that large enterprises have recognized the importance of automating their compliance activities, for example by using identity and access management solutions, and have embarked on that journey already. They have experienced the pain of attempting compliance with each regulation as it comes along, with the high costs and redundant effort that this approach entails. They have seen how onerous compliance audits can be when their security controls are not automated or easily auditable. So they have begun to deploy solutions (particularly IAM) to help them along in this process. They have adopted industry frameworks (such as CobiT) as best practices, and are using these frameworks to help them "rationalize" controls across a range of regulations, thereby minimizing the redundant effort that their compliance "silos" caused them in the past. In summary, they have embarked on the "IAM compliance journey", and therefore are not highly swayed by the purely compliance pitch that was used in the past by almost all types of software security products.

    But they also recognize that their journey is just that: an ongoing process of automating and improving their security controls to further ease their compliance burden. They will likely continue to automate their controls and testing processes, making ongoing audits much less challenging, as well as ensuring that new regulations can be accommodated much more easily than in the past.

    The following graphic illustrates some of the common characteristics of the phases of compliance automation and optimization. As always, your mileage may vary. But a useful exercise is to ask yourself where you are on this continuum of maturity level, and what improvements (in technology, improved processes, etc.) you need in order to be able to move to the next phase. If you're down near the bottom left of the graph, don't despair. I think many companies are trying to get through the "Reduce Costs" phase without too much pain. Very few are actually in the Optimize phase.

  • Security, Privacy, and Trust -- Mission Impossible?

    Scott McNealy famously said "You have zero privacy - get over it". The recent stories regarding the loss of personal data have put a sharp perspective on the question of privacy. Polls show that people say they will only deal with organizations that they can trust to protect their personal data. What can organizations do to achieve this trust?

    Privacy

    What is privacy and why does it matter? In this context the concern is the capability for people to control what information about themselves is made available to other people. There is no universal agreement on what information is private; different cultures hold different views on this.

    Privacy is a balance of the rights of an individual against the good of a group. Sometimes privacy is in the interests of the group as well as the individual; identity theft is one example of this. It is in everyone's interest that information that could be used to impersonate an individual should not be publicly available.

    In Europe privacy of personal information is principally governed by two directives: 94/96/EC on personal data, and 2002/58/EC on privacy of electronic communications. The Organization for Economic Co-operation and Development has also published a set of principles for data privacy. These principles form the basis for privacy of personal information in Europe.

    Trust

    Trust is important since it forms the basis upon which personal and commercial transactions take place. In the context of information privacy, individuals allow their personal and private information to be held by organizations, trusting that it will be stored and processed in accordance with the principles mentioned above. The recent personal data breaches are a breach of trust by the organizations holding the personal information.

    What happens when there is a breach of trust? Traditionally commerce depends upon legal enforcement. However, because of the difficulties of legal enforcement on the internet, new models of trust are emerging. An example of this is the model adopted by eBay, where each buyer and seller has a feedback rating.

    Individuals are increasingly making decisions based on their perception of trust. In September 2007 a study conducted by the independent research consultancy YouGov showed that concern over identity theft is changing online behaviour, and revealed which types of organizations the public trust to protect their personal details. For example, while 60% of respondents answered that they would trust their bank to keep their personal data secure, only 25% would trust the government.

    Security

    Information systems security is what organizations use to ensure privacy of personal information. Models for secure information processing grew out of the need of government and military agencies to use computing systems to handle sensitive data. These were described in the Orange Book, which was replaced by the Common Criteria (ISO/IEC 15048) for computer security. BS7799 provided a more comprehensive set of standards and best practices for information security management. This was later adopted as ISO 17799 and has now been renamed as two standards, ISO 27001/2. Specific industry standards have also emerged, such as the Payment Card Industry Data Security Standard (PCI-DSS). These standards are well known, and yet a survey conducted by CA across 482 organizations in EMEA found that while 62% of these were holding regulated information in their IT systems:

    • Only 33% were able to identify orphan accounts (user accounts which cannot be related to a single person as owner) in their IT systems.
    • Only 41% were able to report on the access rights to information that were possessed by the users of their IT systems.
    • Only 51% were able to monitor access to their IT servers.

    What needs to be done?

    If organizations followed the letter and the spirit of the ISO 27001/2 standards there would be fewer or no data breaches. It is time for compliance with these standards to become mandatory where personal data is being held, and for there to be penalties for non-compliance.

    The card payment industry has taken a significant step towards improving protection of card data through the creation of the PCI-DSS. Any organization involved in credit card transactions needs to become fully compliant with this standard.

    An important advance recommended in the UK House of Lords report on Personal Internet Security would be a data security breach notification law. This should include workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost and criteria for the accessibility of that data. Another recommendation of that report is that major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority.

    There should be training and formal accreditation for people who are responsible for information security systems. In addition, people in organizations who have access to regulated data should have an appropriate level of training on privacy requirements. You cannot drive a car without a driving license - so why should you be able to manage access to the personal data of thousands of people without proper training?

  • Recent news and how IAM could have helped

     

    As information security professionals, we are always interested in finding stories or anecdotes to help make a point or to further educate people on the importance and need for strong information security.  

     

    An item grabbing US headlines recently was the story concerning the inappropriate access to the passport files of the 3 major US presidential candidates, Barack Obama, Hillary Clinton, and John McCain:  http://www.cnn.com/2008/POLITICS/03/21/obama.passport/index.html

     

    At first glance, this story did not seem particularly interesting, especially when I realized that a passport file contains basic statistics such as birth date, height, weight and eye color, information that is already widely available for such public figures as these. Other than the applicant's social security number, there is no really significant private data in these files. Clearly, this was purely a case of random snooping by curious employees, much like the similar incident when people accessed the medical files of actor George Clooney and of Britney Spears: http://abcnews.go.com/US/story?id=4498155&page=1

     

    But, as more details around this story emerged this week, my interest in the story evolved from that of a concerned citizen to that of an information security professional.  According to State Department spokesman Sean McCormack, Senator Obama's files had been viewed three times by contractors working for the agency starting in January.  In Clinton's case, a trainee accessed her files in 2007.  McCormack said two of the contractors in the Obama case were "low-level" personnel and the other was in a mid-level position with no management role.

     

    Now, let's reconsider this situation. These were not full-time employees doing this, but contractors and trainees who do not even work for the State Department. And while there is nothing wrong with hiring contractors (we have since learned that the State Department hires contractors to design, build and maintain their systems), this incident raises questions about how well (or not) the State Department is provisioning access to data, applications and systems. In this situation, it is not just that it was contractors that accessed the files, but that the contractors themselves were 'low-level' personnel. Unfortunately, we do not know the specific IT architectural details of the passport system, but the fact that contractors in non-management roles were able to access any and all data for highly public figures suggests that the passport system suffers from a monolithic "access for all" security model. Unfortunately, this is often the case in legacy systems that were designed and deployed decades ago with no elaborate security access control mechanisms. In the initial years of operation, such systems are only accessed by a small, defined group of individuals. Thus, auditing and controlling access to information is easy.

     

    But, as such systems become more widespread, the number of users requesting access increases rapidly.  And in the case of a high value application like the passport application system, it cannot be taken off-line over an extended period of time so that developers can create a more robust security model for the application.  As a result, this "access for all" model becomes the standard, meaning that everyone ends up with the same level of access, regardless of responsibility, title or function.

     

    Situations like this scream out for identity and role management. These types of systems empower organizations to create security and access models specific to individual roles and functions. In the State Department case, a separate role category of 'contractor' could be created, and within the contractor category, certain roles such as trainee, manager, etc. could be created with the level of security access commensurate with each role. Such systems deliver two levels of benefits. First, they greatly simplify management and administrative operations, because the IT team only needs to manage dozens of roles instead of hundreds of individuals. Second, identity management systems can reduce risk by ensuring that users' access to information is limited to their actual business function. Had such systems been in place at the State Department, it is unlikely that these kinds of breaches would have even happened.
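Role-based access for the scenario above, as an added example (not code from CA or the State Department): access is granted to roles rather than to individual users, a record flagged as high-profile needs an extra permission that the low-level contractor roles do not hold, and every attempt, including denials, is audited so that snooping is both prevented and visible. All role names, permission names and records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Permissions (constructed): what a read of a passport record requires.
READ_BASIC = "read_basic"            # name, date of birth, physical description
READ_SENSITIVE = "read_sensitive"    # identifiers such as the social security number
READ_RESTRICTED = "read_restricted"  # any field of a subject flagged as high-profile

# Role catalogue. Access is granted to roles, never to individual users, so the
# IT team manages a handful of roles rather than hundreds of people, and a new
# contractor receives exactly the access of the role they are placed in.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "contractor/developer": set(),  # builds and maintains the system, sees no data
    "contractor/trainee": {READ_BASIC},
    "contractor/manager": {READ_BASIC, READ_SENSITIVE},
    "employee/adjudicator": {READ_BASIC, READ_SENSITIVE, READ_RESTRICTED},
}

@dataclass(frozen=True)
class PassportRecord:
    subject_id: str
    basic: Dict[str, str]
    sensitive: Dict[str, str]
    restricted: bool = False  # flagged subject: READ_RESTRICTED needed for any read

@dataclass(frozen=True)
class AuditEvent:
    user: str
    role: str
    subject_id: str
    requested: str  # "basic" or "sensitive"
    allowed: bool
    reason: str

class PassportStore:
    """Reference monitor: every read passes through check() and is audited."""
    def __init__(self, records: List[PassportRecord], user_roles: Dict[str, str]):
        self._records = {r.subject_id: r for r in records}
        self._user_roles = user_roles
        self.audit: List[AuditEvent] = []

    def check(self, user: str, subject_id: str, requested: str) -> AuditEvent:
        """Decide whether user may read the requested part of a record; always log."""
        role = self._user_roles.get(user, "<unassigned>")
        granted = ROLE_PERMISSIONS.get(role, set())
        record = self._records.get(subject_id)
        needed = {READ_BASIC if requested == "basic" else READ_SENSITIVE}
        if record is not None and record.restricted:
            needed.add(READ_RESTRICTED)
        if record is None:
            allowed, reason = False, "no such record"
        elif needed <= granted:
            allowed, reason = True, "permitted by role"
        else:
            allowed, reason = False, "role lacks " + ", ".join(sorted(needed - granted))
        event = AuditEvent(user, role, subject_id, requested, allowed, reason)
        self.audit.append(event)  # denials are logged too; that is what makes snooping visible
        return event

    def read(self, user: str, subject_id: str, requested: str = "basic") -> Dict[str, str]:
        """Return the requested fields, or raise PermissionError after logging the denial."""
        event = self.check(user, subject_id, requested)
        if not event.allowed:
            raise PermissionError(f"{user} ({event.role}) denied {requested} on {subject_id}: {event.reason}")
        record = self._records[subject_id]
        return dict(record.basic if requested == "basic" else record.sensitive)

    def denied_by_user(self) -> Dict[str, int]:
        """Count denials per user; repeated denials against flagged files merit a closer look."""
        counts: Dict[str, int] = {}
        for ev in self.audit:
            if not ev.allowed:
                counts[ev.user] = counts.get(ev.user, 0) + 1
        return counts

    def restricted_reads(self) -> List[AuditEvent]:
        """Successful reads of flagged subjects, for periodic review by the data owner."""
        return [ev for ev in self.audit if ev.allowed and self._records[ev.subject_id].restricted]

# Constructed sample data: two ordinary records and one flagged subject.
SAMPLE_RECORDS = [
    PassportRecord("P-1001", {"name": "A. Citizen", "dob": "1970-01-01"}, {"ssn": "000-00-0001"}),
    PassportRecord("P-1002", {"name": "B. Resident", "dob": "1980-02-02"}, {"ssn": "000-00-0002"}),
    PassportRecord("P-9001", {"name": "C. Candidate", "dob": "1961-03-03"}, {"ssn": "000-00-0003"}, True),
]
SAMPLE_USERS = {"t.trainee": "contractor/trainee", "d.dev": "contractor/developer",
                "m.manager": "contractor/manager", "a.adjudicator": "employee/adjudicator"}

def demo() -> PassportStore:
    store = PassportStore(SAMPLE_RECORDS, SAMPLE_USERS)
    store.read("t.trainee", "P-1001")                   # allowed: basic data, ordinary subject
    store.check("t.trainee", "P-1001", "sensitive")     # denied: trainee lacks read_sensitive
    store.check("t.trainee", "P-9001", "basic")         # denied: flagged subject
    store.check("m.manager", "P-9001", "sensitive")     # denied: manager lacks read_restricted
    store.check("d.dev", "P-1002", "basic")             # denied: developer role has no data access
    store.read("a.adjudicator", "P-9001", "sensitive")  # allowed, and recorded for review
    return store
```

Running demo() and printing store.audit shows one allowed trainee read, four denials that would be invisible in an "access for all" system, and one reviewed read of the flagged record by the role entitled to it.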

  • Liberty Alliance Workshop at the RSA Conference Drives Home the Point that Identity Federation is Entering the IT Security Mainstream

     

    I recently returned from a week at the RSA Conference, which is something of an annual pilgrimage for IT security people and takes place in the heart of San Francisco, in the Moscone Center.

     

    http://www.rsaconference.com/2008/US/home.aspx

     

    Even though the Olympic flame relay was also in town on its only stop in North America on its worldwide tour, we RSA Conference attendees stayed focused on IT security.

     

    http://edition.cnn.com/2008/US/04/08/us.olympic.torch/index.html

     

    As I arrived in San Francisco on the Sunday before the start of the conference, one question on my mind was: where are we in the adoption of identity federation? This is a question I get asked a lot, so I am always looking for evidence supporting one view or another. So I wanted to find out how interested the average RSA Conference attendee was in the topic of federation. This would certainly be a valid data point to help answer the larger question.

     

    Fortunately I had a great way to gauge that, because the very next day, on the afternoon of "Workshop Monday" at the start of the RSA Conference, the Liberty Alliance was holding a half-day workshop entitled "Identity Federation & Web Services: Happening Today - Enabling Tomorrow". Certainly one measure of interest and adoption can be taken from the nearly 500 people who registered for and attended this workshop. To see the slides from all of the presentations from this workshop, please go to the Liberty Alliance Web site here:

     

    http://projectliberty.org/liberty/resource_center/presentations_webcasts

     

    One of the key points of this workshop was to show interested RSA Conference attendees how the use of standards-based identity federation technologies can provide immediate business value as well as prepare the organization to thrive in a heavily federated and trust-based world that is rapidly descending on us in the form of SaaS, identity as a service, application outsourcing, user centric identity or whatever terminology or perspective fits your view of the world.

     

    CA was fortunate to have two excellent federation customer case studies presented during the event, the first one from BT's Chief Security Architect, Robert Temple, in which he discussed their success in extending their Web security infrastructure to enable browser-federation with many partners of BT.  The second CA customer case study session was from Chris Sharp of MEDecision in which he discussed the key enabling role of a centralized, policy-based security service for SOA & Web services based applications.

     

    My personal perspective is that federation in its broadest sense is now entering mainstream usage. Will it solve all identity-related problems that came before it? Of course not. But it has proven itself to be a valuable tool when applied by experienced practitioners to the right project. To me that is a sign that mainstream, though not necessarily ubiquitous, usage is currently unfolding.

     

  • Some thoughts on e-ID

    In late February I gave a talk at a conference on e-ID in Belgium organized by L-SEC (http://www.lsec.be). Belgium is one of the first countries in the world where all citizens will have their identity supported by a digital identity card. Unlike Finland, where the e-ID card is optional, in Belgium it is a legal requirement that every resident registers their address. This registration process is performed at the local town hall and delivers an e-ID identity card at a cost of around 10 Euros. To date around 7 million e-ID cards have been distributed; by the end of the year all 8.3 million citizens older than 12 years of age should be in possession of their e-ID. It is no surprise that Belgium is looking for ways to exploit this card.

     

    One example of this is eBay, which recently entered into an agreement to integrate e-ID as one of the verification options for its users in Belgium. This new functionality allows new and existing eBay users to (re)register on the site by having their identity confirmed quickly and safely. On top of that, eBay sellers who use this verification method will get an 'e-ID Verified' label next to their username. Next to the seller's profile and feedback score, this will be an additional indicator that the buyer or seller is trustworthy.

     

    The three basic functionalities of e-ID are data capture, authentication and electronic signature. Around 40 to 50% of all e-ID applications in Belgium relate to data capture and 40 to 45% are for authentication. Together, data capture and authentication cover 90 to 95% of all the current applications. The much smaller number, around 5% to 10%, relate to electronic signature. 'Data capture' is when the card is put into the reader in the library, a hotel or the city hall and the application reads the name and some other data on the e-ID card. 'Authentication' is used in all kinds of web applications (and incidentally CA's SiteMinder is used by the Flemish Government MVG for this). The e-ID card is also well suited as an authentication mechanism for PC banking.

     

    The card carries a visible photograph and a digital one, and also allows the holder to log on to the National Register, the government database. The e-ID card is used to authenticate the citizen for access to public services. The resident can also consult the Register and see what the authorities have stored and who has accessed that information (except for State Security). For example, a user can use the card to borrow books from the library and later check which books he has borrowed and when they are due to be returned. A more mundane side effect of this is that access to municipal garbage dumps is now controlled by your e-ID card. If you try to dump your garbage at a dump that is outside of the commune where your address is registered, you will not be allowed access!

  • User-centric Identity - a joint CA/Microsoft effort

    The Identity Metasystem offers a new way to think about the relationship between parties that are interested in either consuming or producing identity information. Sometimes this is referred to as Identity 2.0, or more correctly as User-Centric Identity. This new paradigm offers many benefits, from increased security and enhanced privacy to the opportunity for new business models. It is sometimes misinterpreted as a technology that nullifies the current identity practices that many enterprises have in place. This is most likely due to the technical nature of most literature available on User-Centric Identity, and to its focus on standards and interoperability. But this could not be farther from the truth.

     

    What is really important about the Identity Metasystem is that it defines an “Identity Dial Tone” that prescribes how identity can flow seamlessly through enterprise websites, web services, and the ever growing social networking and collaboration services, spanning both high and low trust situations. For the potential opportunity of this new ecosystem to thrive, it is important that it is embraced and delivered to enterprise customers in a way that allows them to incorporate the concepts in their existing infrastructures, without the fear that large portions of the solutions will need to be replaced or significantly modified.

     

    CA and Microsoft are committed to the Identity Metasystem and to helping customers realize its benefits while protecting their current investments. To focus the discussion on business objectives, and less on technical practices, CA and Microsoft have jointly developed a white paper, "CA and Microsoft Support for User-Centric Identity and the Identity Metasystem", that describes the Identity Metasystem, InfoCards and how they can be incorporated into existing solutions where CA and Microsoft technologies are being used.


  • A visit to the Vasa Museum -- an IT analogy

     

    During my recent visit to Euro CACS - the Computer Audit and Control Symposium - in Stockholm, the event night was held at the Vasa museum. This museum contains the preserved remains of the Vasa, a 16th century man of war that was recovered from the sea near Stockholm. The story of this ship is one that will have a ring of familiarity to anyone involved in the IT industry.

    The king of Sweden had recently won independence from Denmark and was at war with Denmark and Poland over trade.  He needed an impressive war machine to defeat his enemies and, as a consequence, he commissioned this ship to be built.  Because he needed something that went above and beyond the accepted standards he personally specified that this ship should have an extra gun deck.  At that time the best and most accomplished shipbuilders were from Holland - he therefore commissioned a Dutch shipbuilder to build the ship.

    Building the ship was a long process taking two and a half years.  This was in part because the main source of oak needed to build the ship was mainly available from Denmark who was Sweden's enemy.  During the build the original shipbuilder died and was replaced by another Dutchman.

    When the ship was completed it was named the Vasa in honour of the king whose family name was Vasa.   Because the Vasa was a new design - the admiral insisted on certain tests before he would accept the ship.  Included in these tests was a stability test - which comprised the crew repeatedly running across the deck of the ship from side to side.  This particular test had to be abandoned because the ship came so close to capsizing.  Before the tests were completed the king, who was making war off the coast of Poland, insisted that the craft be made available immediately to help with this effort.  The admiral therefore commanded the ship to be made ready and to sail to the King without further delay.

    The Vasa set out from Stockholm harbour firing all guns in salute to the absent king. There was a strong following wind and the ship made steady progress for 2 km until it passed by a gap between the islands of the Stockholm archipelago. Through this gap came a strong gust of crosswind, which caused the ship to immediately roll to one side. The gun covers, which had been opened for the salute and not closed again, allowed water to pour in, sinking the ship. The stricken craft sank to the bottom with only the masts, still flying the Swedish flag, visible above the sea.

    The enquiry which followed the loss questioned the shipbuilder, the admiral and the captain of the ship.  Everyone agreed that, because of the divine nature of the king, his specification of this new design could not be the cause.  The admiral was questioned about the stability of the ship.  He gave the opinion that all sailing ships were to some degree unstable and it was up to the captain to adjust the ballast appropriately to mitigate this.  The captain testified that he had fully loaded the ballast (a fact that was disproved during the recovery) and that it must be the fault of the shipbuilder.  The shipbuilder said that he was simply following the instructions of the king and the details worked out by his predecessor.  Finally the enquiry decided that it was the fault of the original shipbuilder.

    So - even if your customer is divine, even if he puts the product into use when it has failed his tests, and even if the end user does not use the product correctly - you will be blamed if the product you delivered to his specification does not work.

     

  • CA Receives SAML 2.0 Certification from the GSA’s E-Authentication Solution

    Excuse me while I blow our own horn a bit via the title of this blog. I recognize that excessive horn-blowing is not blogger couth. I do have a more general point to make in this blog – that the technology particulars of federation systems still do matter. But, first the facts. Recently CA and five other IAM vendors received certification from the GSA’s E-Authentication Solution for the GSA’s federation implementation that is based on SAML 2.0. To find out more about the GSA’s E-Authentication initiative please check out their very informative web site here:

    http://cio.gov/eauthentication/

     

    To get a listing of the currently approved vendors go this page:

    http://www.cio.gov/eauthentication/documents/EAopensIOlab.pdf

     

    The E-Authentication Solution (nee Initiative) has been around since 2002 (almost as long as standards-based federation itself) and has been very innovatively applying the concepts and standards around identity federation to particular needs of the US government. However, anyone interested in identity federation, whether inside or outside of government, can benefit from the approach that the E-Authentication Solution has taken. They very nicely have posted the main documents that make up their “circle of trust” or “federation ecosystem agreements”, so maybe you could borrow some ideas from their foundational documents. They are on the above web site for free downloading.

     

    Getting back to the SAML 2.0 certification process just completed...many people with an opinion about federation, myself included, say that accomplishing federated SSO across organizations is now 80% about trust and how to accomplish and enforce it, and only 20% about technology. This certification is certainly all about the 20%. However, these types of interoperability activities still remain critically important to federation overall. Because of the nature of complex standards and specifications, reasonable technical people disagree about implementation details. And, of course, nearly every federation partner ecosystem has some unique implementation details and requirements. So, continuing to be diligent about interoperability and conformance testing remains critically important for federation adoptability.

     

    The Liberty Alliance has also been doing important work in this area. Check www.projectliberty.org for more detail.

     

    Getting some further third-party validation around this certainly puts a little bounce in our collective steps here in the CA IAM group and should give you every indication we will continue to stay on the forefront of the SAML federation technology we helped create.

  • Thoughts From ISSE/Secure 2007 – We Are All In This Together

    I recently returned from a week in Warsaw, Poland, where I presented at and attended the ISSE/Secure 2007 (Information Security Solutions Europe) conference and reconnected with the city and people with whom I lived some 15 years ago. What is the ISSE/Secure 2007 conference? It bills itself as Europe's only independent security conference. A primary organizer of the conference is ENISA, which is an offshoot of the European Commission (EC) and was formed to advise and assist the EC, member states, and the European business community on network and information security issues and related legislative matters.

     

    What struck me about this conference is that just by looking through some of the topics covered, which included Identity Management, IT Security and the Law, Internet Crimes, Awareness Raising, my personal favorite, Web service security (perhaps because I presented in this section), and many more, one quickly gets the sense that this conference really could be anywhere in the world. We are all struggling with the same opportunities and challenges brought on by the Internet. From Polish banking regulators to German computer scientists, American product marketing managers, and many others, we were all there for the single goal of making it possible that the Internet, and more particularly ecommerce over the Internet, continues to develop and flourish with manageable risks and unbounded opportunities.

     

    In many ways it was very apropos and personally poignant to have this conference in Warsaw, Poland, a country that was for nearly 50 years artificially cut off from its rightful place in Europe. Now, with modern communication technology and of course the Internet, it is almost impossible to imagine the concept of building a wall to keep your people in and keep them isolated from the rest of the world. Not only is Poland modernizing very quickly relative to when I lived there some 15 years ago, but its scientists, engineers, and lawyers are right in the middle of making positive contributions to the next phase of the Internet's development through evolved security technologies and legal frameworks.

     

    Closing out this blog, I mentioned that for me personally this was also a poignant trip. It was a lot of fun connecting and reminiscing with the family with whom I lived some 15 years ago. In many ways, their development is a microcosm of the country as a whole. For example, when I first lived with them they had a total of zero telephones; now this family of 5 has a total of 6 telephones. In addition, while I was explaining to them why I was in Poland, the lady of the house asked my opinion of a strange email that she had recently received, apparently from her Polish bank, urging her to log in immediately by clicking the link... So, apparently the phishers are even attacking the Polish banking system and Polish consumers. We certainly are all in this together.

  • Software Quality: The UK Report on Internet Security

    In 2006, the UK House of Lords undertook a far-ranging study of the problem of internet crime and the resultant impact on individuals, businesses, and the economy as a whole. On August 10th 2007, the results of the study were published under the title “The House of Lords Science and Technology Committee. 5th Report of Session 2006–07. Personal Internet Security”. The link to this report is: http://news.bbc.co.uk/1/hi/technology/6938796.stm

    The report recognizes the invidious and criminal nature of modern cyber crime, and its far-reaching impact in terms of economic costs and on the personal lives of the individuals affected. Even if measured solely on these points, the report would score highly for taking such an honest and accurate view of the nature and impact of the problem.

    The report makes a number of recommendations and calls for action from a wide range of bodies, including government; the law enforcement community, including police and the judiciary; ISPs; and hardware and software developers. These recommendations are worthy of consideration and comment.

     

    The report states that “The IT industry has not historically made security a priority.” While noting that “This is gradually changing”, the report also calls for a more urgent and regulated push for change, calling for “software vendors (to) make the development of more secure technologies their top design priority.” While recognizing the positive role of self regulation and codes of best practice, the report also “recommend(s) that the (UK) Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated.”

    While it is admirable that security issues and ID theft are being recognised as serious issues requiring an improvement in the security state of business systems, we do not believe that the proposed measure (to make software vendors liable) would be the best way forward. All software developers clearly need to strive toward improving the ‘secureness’ of the software they author. CA, like many other significant software providers, places considerable effort toward this goal, and we improve our practices as best practices and new findings emerge. After all, as the report correctly acknowledges, security failures do not solely result from inherent software faults, and it is important to take into consideration other areas of concern.

    User error resulting from mistakes, ignorance or being scammed/tricked plays a large role. So too can errors in the architecture, implementation and configuration of the SW affect the security state. Software writers have no, or at best little, control over how their products are implemented and maintained. Even if a flaw is found and a fix issued, the software vendor has no way of forcing a company to implement the fix in a timely manner. Deliberate subversion of the security environment in order to meet business deadlines, cut costs, or provide a higher degree of convenience for the end user can also play a role. In other words, sometimes the best intentioned efforts are subverted not because data theft is the goal, but for other reasons. As a result of the subversion, however, the door is left open to more nefarious attackers whose goal is information theft or other criminal behavior. It must also be recognized that IT is not the sole custodian of information, and the key problem is really information security failure, not IT security failure. Critical information in printed form, or on backup media such as tapes, has been a significant source of inappropriate leaks in past years. None of these factors is addressed by the House of Lords’ call for software companies to bear the financial brunt of the responsibility.

     

    What would make a significant difference is a six-pronged approach:

    1. A focus on improving SW quality. This will require further education for the SW developer community, remembering that SW is developed on a global basis. If the UK government wishes to demonstrate a leadership role in this regard, funding and supporting education for secure SW developers would be a great start. Hand in hand with this should be an effort to make the ‘secureness’ of software and hardware a desirable characteristic for the buyer. Indeed, the report notes that today software and hardware makers do not have sufficient economic incentive to focus on security; this is because buyers often do not rate this characteristic as a differentiator when making buying decisions. This needs to change at many levels.
    2. A push for every company's information governance practices to be accredited to an internationally recognised standard such as ISO27001 (née ISO17799). Businesses must make it a priority to ensure that when implementing technology, project deadlines include adequate time for building security into the systems up-front. “Do it quick” and “Do it cheap” need to be reprioritized after “Do it securely”. To achieve this will actually require changing the expectations of company owners and shareholders too.
    3. Improving end user education, including starting now with the next generation of users, our children. Providers of home computing platforms need to change how they market their products so that the user recognizes the risks associated with the product’s use. A home computer is not a TV set that instantly and forevermore will work “out of the box” without any care and feeding beyond a quick dust and dry-wipe of the keyboard. To purloin a phrase well known to pet owners: “A secure computer is for life, not just for Christmas”.
    4. As the report recognizes, mandatory breach disclosure requirements for companies which have information security breaches continue to be a part of the global solution. Again, it is important to recognise the globally distributed nature of IT systems in the modern world. Breach disclosure must be enforceable regardless of where the information is processed, and regardless of the jurisdiction in which the breach occurred.
    5. Appropriate funding to provide for adequate levels of policing effort. Whilst the efforts of SOCA are admirable, I do not believe that enough trained police resources are available to meet the challenges of the fight against cyber crime, nor that the agencies have enough funding to support their efforts.
    6. A demonstration by the government of best practices in information governance, by ensuring that UK government IT (at all departmental and regional levels) is architected, implemented, and operated at the highest state of excellence. UK government should be a positive example to all businesses and citizens.

     

    We should all welcome and applaud the effort the UK government has demonstrated in taking on this investigation and the resulting issuing of this report. Without a doubt the status quo must be challenged and it is important that all aspects of the problem are addressed in an even and comprehensive manner.

  • The Significance of Identity 2.0

    It’s a little hackneyed to talk about how the Internet is expanding and how the potential to live, work and play on the Internet grows proportionately to this expansion, but it’s still true.  We are almost daily exposed to new, “up-and-coming” services and ways to interact with one another, the most recent of which is the loose grouping of “Web 2.0” connections.  This includes not only the burgeoning of Wikis and blogging, but also social-networking structures like MySpace, Friendster, Facebook and Second Life. The online world is coming to resemble, more and more, the offline world, with new ways of forming associations and new opportunities for self-expression; and it seems that, positive or negative, there is an analog online for everything offline. And so we come to the notion of who we are as a digital persona in this brave new Web.

    The evolution of the Internet has led to an impasse around the management of our identities. As services have rolled out, the hosts for these services have created many disparate user stores. In effect, we have multiple identities among domains on the Web, from eBay or Amazon accounts to IM identities, from corporate identities within our companies’ infrastructures to identities with our banks, all the way up to and including our MySpace accounts and second lives. The most egregious examples exist even within a particular “trust domain”, when you have multiple identities within a single infrastructure, as is often the case when you can’t remember your username and password at a site and have to go through the process of re-registering. The end result is that as you move around on the Web, you are forced to authenticate multiple times in multiple ways, and errors, redundancies and lapses where we can’t remember our identities creep in. Worse, we potentially can suffer identity abuse, if not outright identity theft, since keeping track of and maintaining the information associated with you in each of these Identity Islands is time consuming and can introduce inconsistencies.

     

    Along comes Identity 2.0: the promise of user-centric and user-managed digital identities and identity verification. The case has been made in a few places for an evolution from the identity island “model” above to a model that is more reflective of real-world human societies. The challenge before everyone is to unify and simplify the way in which identities are governed world-wide.  No more the authoritarian, centralized domains with their independent identity stores. Instead, we users of the Internet will carry our credentials with us and will present them at our discretion when we interact with sites and services. The benefits to end users are numerous: a single identity, seamless single sign-on, and a common identity for moving among sites and domains while still being “you” in the eyes of all whom you deal with. Imagine if, as we move through the Internet, our behavior could be used to establish each of us, and our “reputation” and trustworthiness could come with us. If you are a frequent shopper at Acme.com, wouldn’t it be nice to go to Widgets.com and be able to carry the reputation you’ve built with Acme with you?

     

    Companies that interact with user-centric identities will initially face architectural challenges in separating the notion of identities within their domains from the entitlements that users should have. They will also face challenges in implementing authentication correctly, especially when their user populations will gradually adopt (and need to be educated on) the process of getting their unique “Internet Driver’s License.” Embracing Identity 2.0 will, however, have substantial long term benefits in terms of reduced cost of management, increased scalability, improvements in speed, better user satisfaction and richer services and affiliations via partnerships in the “entitlements management” rather than “identity management” game. Imagine if anyone who “walks” through the Web portal can be uniquely and rapidly identified and referred to when dealing with other companies—benefit programs, frequent flyer programs, “premium shopper” clubs will become the focus of Federation rather than the relatively simpler notions of single sign-on.

     

    There are, however, substantial obstacles to the implementation of a ubiquitous, reliable Identity 2.0-enabled infrastructure. First and foremost, the “architecture” of the Internet isn’t sufficiently sophisticated in a centralized, managed form for a user-centric infrastructure to emerge overnight or even in the space of the next year or so. It will have to be a gradual evolution that will have most of us getting our “internet driver’s licenses” while still having to prove ourselves to banks, companies, shopping sites and so on independently, which is why I prefer the term “evolution” to the more radical “revolution” frequently associated with Identity 2.0.  Further, the requirement in some instances for varying levels of authentication strength means that either the bar for Identity 2.0 will be set too low for all to adopt immediately, or there will have to be progressive levels of digital identity as we move forward.

     

    Last but not least, there are issues around what a user-centric model means for security and privacy of the individual.  First and foremost among these are issues around identity theft and “phishing.” If you lose your identity once, it now would potentially affect you on a much wider scale.  In effect, centralization of any form can create a single-point-of-failure. Also, the ability to control privacy and to know how your reputation works among sites is critical—although this last control issue will likely evolve to mirror (if not merge with) more traditional forms of reputation and “offline” identity management such as credit ratings. In the end, we have to make this about the individual Internet user and about empowering people to manage their own identities (I’ve advocated a basic Internet Bill of Rights and an Internet Declaration of Independence, perhaps there should be an Internet Congress* at some point – maybe in Second Life!).

     

    The expansion of the Web that I started this post with continues; and I’ve no doubt that by the time I finish this post, I’ll find there’s a new Web 2.0 advance happening. But as we move ahead with our Brave New Worldwide Web (2.0), Identity 2.0 will happen.  I firmly believe that it’s not a question of “if” but is rather one of “when.” Put another way, it’s a question of “how long will it take to get this right and for companies and users to learn about and embrace the technologies?” It’s compelling, but there’s still a long way to go.

     

    Notes:

    1. Burton Group’s Mike Neuenschwander recently reviewed a book by John Clippinger (June 14) that’s made my “must read” list, and he discusses how the book relates “social theory to digital identity”.  I’ll post more here once I’ve had a solid few evenings to read and digest it.
    2. OpenID is a user-centric digital identity initiative that uses unique, personalized URLs instead of username/password combinations for authentication. Jeff Broberg has a great post on OID2.0.
    3. Microsoft’s CardSpace is at the heart of their “Identity Metasystem,” and there is good information available on Wikipedia.
  • Identity Federation: Transitioning to Mainstream use but not the Solution to all IM Challenges

    Being a contrarian by nature, I view the recent session at Burton Catalyst on Federation by Burton analyst Mike Neuenschwander (Evaluating the Growth of Federation Deployments: Is There a Glass Ceiling?) and a companion research report by Mike (Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity) as actually being more positive than the titles suggest.  In general, new technologies usually start to enter the mainstream only after exiting what another analyst firm calls the “Trough of Disillusionment”. That is, after vendors, customers, journalists and analysts start to realize that the new thing—in this case federation in its traditional form—doesn’t solve all the related problems that came before it, or the total set of problems that people think it might be able to solve.

     

    While I wasn’t in the room during the birth of standards-based federation, the SAML standard (which basically started off as the Netegrity-driven Security Services Markup Language (S2ML)—before it was contributed to OASIS), I arrived on the scene while the baby was still just flapping around post birth. I know one of the fathers of federation quite well and chatted with him after Mike’s Catalyst session.  We agreed that federation at its inception with the SAML standard was really trying to solve a pretty narrow problem—single sign-on between security domains, both inside an enterprise and between enterprises. That pretty much was it. 

     

    Being very deep in the Web access management and SSO security world, we came across many customer requirements of separate but partnering organizations trying to provide more seamless joint application access for their users through SSO. From this, a form of proprietary federation was born which later morphed into SAML, thus giving birth to this whole discussion and continued federation-based creativity and invention—all good from my point of view as long as we keep hold of our historical perspectives.

     

    Are federation trust relationships trivial to set up legally and technically?  Does federation single-handedly solve the credential explosion problem that is endemic on the Internet because of its lack of inherent security? Do federation partnerships occur without meaningful IT collaboration?  Does federation eliminate all remote identity provisioning? Does federation always give users direct control over the use of their identity? No - No - No - Generally No - No. Are organizations using federation today successfully for what it was initially intended, for what it was born to do? Yes—absolutely, by the hundreds—probably even by the thousands of organizations worldwide. While there are certainly more problems to solve, I don’t think we should relegate federation to mediocrity just because in its first form it didn’t win the war.

     

    My personal bottom line is that there is no one-size-fits-all in this world, security management and IAM very much included. Identity federation as currently constituted (think SAML-based SSO for simplicity) is widely available from more than a dozen vendors and elsewhere, and successfully solves real problems, perhaps narrower than some would hope or dream of today, at real organizations. While it is very healthy to kvetch about problems yet unsolved and get on with trying to solve them, I also think that it is important to keep some historical perspective here and recognize that we wouldn’t be complaining about a technology that had no utility. Technologies with no utility are relegated to the dustbin of history and are simply forgotten. Every technologist should have their favorite one of these.  My personal favorite is the CueCat that I got by being a subscriber to Forbes Magazine.

     

    Coming back from my digression—like all things in the IT world, often the hard part is knowing which tool to apply to which problem. And conversely, when not to apply the tool. Federation is just another tool. If you apply it well, you benefit. If you don’t, you don’t. I encourage you to seriously consider Mike’s point of view while keeping my perspective here in mind.

  • Identity Services Panel – SOA glue

    I was on an Identity Services panel at the recent Burton Group’s Catalyst conference in San Francisco. Burton Analyst Mark Diodati summoned architects from several companies (Phil Hunt/Oracle,  Nick Nikols/Novell, Bill Dettlebeck/BEA, Don Bowen/Sun as well as CA) to talk about Identity Services. Topics included: Why are identity services needed? Where is the state of the industry? Why should customers care? Are the standards ready? What standards? Again, why should anyone care?

     

    First of all, fans of Jerry Springer were disappointed: There were no hurled insults or verbal wrestling. Instead, Web techies from five competitive companies were fairly aligned in our views on need and state of the identity standards and the need for identity service infrastructure. 

     

    My viewpoint is simple: ID services are the glue of SOAs—period. Regardless of which SOA metaphor you choose: mesh, grid or bus, it is the common ID services that bind the business services and allows them to interoperate. It’s impossible to have any type of cross-service security without common identity.

     

    In fact, we identity security geeks see WWW not as World Wide Web, but Who, Who, Who, as in: Who are you? Who can and should do what? (and why?) and Who did what? i.e., ID mgmt, ID delivery/session control, access control, compliance and audit.    

     

    The crux of a real-world SOA is slipping these different facets of identity (management and flow) in between existing enterprise systems and the new tools and systems (compliance, cross-tier security audits, entitlement management, etc.). Identity services provide both a convenient abstraction and architectural place to provide this bridge.

     

    So what identity standards will win? The beauty of small(er), composable standards is that the market decides which of the little standards survive. But my bet is that the likely winners are those which other standards use. Example: different parts of the SAML standard are being referenced by other standards. XACML is looking to WS-Policy as a policy container, and Liberty’s IDGov standard is looking to XACML’s privacy profiles. SAML, WS-Policy, XACML—good bets.

     

    So it was a fun panel with good industry colleagues. Maybe next time we can be more entertaining to Springer fans by stomping around and tipping over a few chairs.

  • The IAM Market - Random Thoughts from the Burton Catalyst Conference

    Many CA-folks attended the Burton Group Catalyst conference a couple of weeks ago. Not to be a shill for Burton, but I have always found this conference to be one of the most informative of all the major industry events. The sessions typically have more depth than most conferences, and there are a number of specific customer case studies that help to show how IAM is being successfully deployed in real-life (and complex) environments. End of shameless plug for Catalyst.

    There are multiple “tracks” in the Burton Conference, including ones on threat management, application security, and identity management. There was also a conference welcome session, at which Jamie Lewis (President of Burton Group) summarized some of the key security trends that have been occurring over the past year. As he went through them, it was quite noticeable how central IAM was in virtually all of these trends. One could certainly argue that this is due in some respects to Burton’s emphasis and expertise in this area. Even while acknowledging this fact, it seems clear that many of the recent security trends can be associated with a strong movement towards management of user identities and access across large environments.

    Let me highlight the major ones listed so we can see how these trends are impacted by IAM technologies.

    • De-perimeterization—the boundary between internal and external users continues to blur. As this occurs and larger numbers of users need access to protected IT resources, the relatively static authorization models that have worked in the past may no longer be sufficient. Authorization models need to be able to effectively model the often complex and dynamic attributes that many users have.  In particular, authorization based on a relatively static set of roles or attributes/claims is evolving to a much more flexible model based on a wider set of dynamic attributes. 
    • Data center consolidation—as mergers, acquisitions, and business unit consolidations occur, data centers (across different companies or business units) are often merged, creating unique challenges around different identity mechanisms, directories, and other infrastructure components. This represents both a significant challenge but also an opportunity for increased automation and cost reduction as these different IT processes are centralized and merged into a single, more efficient mechanism.
    • Islands persist, despite evolving standards—this will probably always be true, insofar as the challenges of widespread IAM deployment remain too daunting for some organizations. Still, one would hope that the pain of existing “silos” will tend to reduce the creation of new ones over time.
    • Regulatory compliance and governance—this is very important, but old news.  We’ve all known for a couple of years now that compliance was likely the most important driver of identity management deployments.  In fact, compliance has been a major factor in the maturation of IAM within many organizations.  And, even as some companies view compliance in a wider scope as part of their corporate risk management or governance program, it remains true that IAM can be an important underpinning of these programs.
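    The de-perimeterization point above, worked through as an added example that is not part of the original post: the same access requests are evaluated by a role-only policy and by a policy that also consults dynamic, per-request attributes (network, device state, authentication strength, employment type). All users, roles, resources and attribute values are hypothetical and constructed for illustration.

```python
"""Added example (not from the blog): a static role check versus an
attribute-based check once internal and external users blur together.
All names, roles, resources and attribute values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    resource: str
    # dynamic, per-request attributes that a role-only model never sees
    network: str          # "corp" (inside) or "internet" (outside)
    device_managed: bool  # endpoint enrolled and under management
    auth_strength: int    # 1 = password only, 2 = password + second factor
    employment: str       # "employee" or "contractor"


# --- static model: the role is the only input -------------------------------
ROLE_GRANTS = {
    "finance_read": {"gl_reports"},
    "finance_write": {"gl_reports", "gl_journal"},
}


def rbac_decide(req):
    """Grant if any of the caller's roles carries the resource."""
    allowed = set()
    for role in req.roles:
        allowed |= ROLE_GRANTS.get(role, set())
    return req.resource in allowed


# --- attribute-based model: role plus request context -----------------------
def abac_decide(req):
    """Role still sets the baseline entitlement; context can only narrow it."""
    if not rbac_decide(req):
        return False
    if req.resource == "gl_journal":          # write path: strictest context
        if req.network != "corp" and not req.device_managed:
            return False                       # off-network on an unmanaged device
        if req.auth_strength < 2:
            return False                       # step-up authentication required
        if req.employment == "contractor":
            return False                       # journal writes are employee-only
    elif req.network != "corp" and req.auth_strength < 2:
        return False                           # reads from outside require MFA
    return True


# constructed requests: same role, different context
INSIDE = Request("alice", frozenset({"finance_write"}), "gl_journal",
                 "corp", True, 2, "employee")
COFFEE_SHOP = Request("alice", frozenset({"finance_write"}), "gl_journal",
                      "internet", False, 1, "employee")
CONTRACTOR = Request("bob", frozenset({"finance_write"}), "gl_journal",
                     "corp", True, 2, "contractor")
PARTNER_READ = Request("carol", frozenset({"finance_read"}), "gl_reports",
                       "internet", False, 2, "contractor")


def compare(reqs):
    """Map 'user@network' -> (rbac decision, abac decision) to expose the gap."""
    return {f"{r.user}@{r.network}": (rbac_decide(r), abac_decide(r))
            for r in reqs}


if __name__ == "__main__":
    for key, (rbac, abac) in compare([INSIDE, COFFEE_SHOP, CONTRACTOR,
                                      PARTNER_READ]).items():
        print(f"{key:16s} rbac={rbac!s:5s} abac={abac}")
```

The role-only policy says yes to every request that carries the right role; the attribute-based policy keeps the yes only where the context (inside the network, managed device, second factor, employee) supports it.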

    So, when we look at some of the key security trends over the past year or more, IAM technologies are extremely well-suited to meet the challenges created by these trends. And, conversely, these evolving customer demands have caused changes in the IAM product space also. Simple examples include the rise of GRC solutions and identity auditing as natural outgrowths of the success of the core IAM technologies.

    Another insight from this session was how much change had oc