Security Management : Kantara Initiative

Thank you CNN for some Pre-RSA PR

Merritt Maxim — Thu, 16 Feb 2012 16:11:00 GMT

CNN published an article yesterday, "Will a standardized system for verifying Web identity ever catch on?" I highly recommend this article, if only because it describes the web identity challenge in simple terms without resorting to the usual acronym soup and jargon that often dominates these discussions (present company included).

Articles like this appearing in mainstream sites such as CNN are evidence that the internet identity problem is real and not theoretical. While discussions on internet identity generally focus on the problems it poses for end-users, the identity problem is equally concerning for any web property that provides identity or consumes identities. The internet identity problem can lead to:

Poor user experience (leading to customer defection/attrition)
High management costs (for providers) and
Increased risk.

While there seems to be universal agreement that internet identity is a problem, solutions have been slow to develop. Fortunately, we have seen some progress over the last 18 months with the emergence of trust frameworks. Simply put, trust frameworks are an entire ecosystem for managing identities. A good analogy is the existing credit card processing networks. Yes, these networks are closed, but there are clear definitions of roles and responsibilities among all members and most importantly, of the liability exposure for each involved party. As a result, most consumers do not even think twice when pulling out the plastic to pay for groceries, gas or anything else.

We need the equivalent for the online world. The emergence of trust frameworks such as Kantara, OIX and NSTIC are all very positive steps. While the author of this article correctly points out some of the limitations and issues impeding progress of these initiatives, the existence of these initiatives is proof that there is considerable interest in finding a solution to this problem. Multiple frameworks can and will co-exist as they offer different capabilities. Some initial deployments in the US government have identified considerable cost savings from standardizing identity interactions in a trust framework.

And now for the shameless plug: I will be speaking on this very topic at the RSA Conference in San Francisco on Wednesday February 29, 2012 at 9:30 PST in room 304. If you are attending RSA, I invite you to join and learn more about trust frameworks, the benefits they provide and what individual organizations can do to best take advantage of these frameworks. If you will not be attending RSA, please chime in on the comments section and let's take this discussion online.

Flickr ID image used under Creative Commons License courtesy of LarimdaME.

Catalyst 2010 in Prague

Matthew Gardiner — Wed, 30 Jun 2010 12:42:00 GMT

I recently returned from Burton Catalyst 2010 in Prague where I did what you are supposed to do at such conferences - present, listen, and socialize. As part of the first full day of the conference, where identity was the central theme of one of the three tracks, I sat on a panel on Identity Assurance Frameworks (IAFs) with Bob Blakely of Burton and Tony Nadalin of Microsoft. I was there representing Kantara Initiative's IAF. The takeaway for me is that assurance frameworks are necessary for identity federations to be set up and operated amongst more loosely coupled organizations and inevitable with the rise of cloud computing and its inherently hyper-distributed approach to computing. The next six to nine months will be critical to see if the IAF snowball continues to pick up speed.

I listened to a lot of sessions both within and outside the identity track. I was thoroughly informed and entertained as usual by Kim Cameron of Microsoft and Bob Blakely and Ian Glazer of Burton and somewhat befuddled by content in the SOA track. SOA seems to continue to suffer from too much theory and not enough practice. Hasn't that been part of the problem for the last 10 years? Finally on the socialize front, CA put together a great (I had nothing to do with it) hospitality suite on the theme of Avatar. The décor, food, and ambiance were really well done and the room was packed all night. I plan to be at Catalyst 2010 in San Diego doing another round of presenting, listening, and socializing. Please join me if you can.

Kantara Initiative One Year Later (Almost)

Matthew Gardiner — Tue, 23 Feb 2010 01:45:00 GMT

At this year's RSA 2010 Conference the Kantara Initiative is celebrating its first birthday with a day-long workshop entitled Technology, Policy, and Compliance for Identity Services in 2010 & Beyond. It was just a year ago at the RSA Conference 2009 that a number of organizations publicly announced their intention to found this identity focused industry consortium. Soon after, in June of 2009, the Kantara Initiative was officially born. This prompted my first blog about the organization.

In many ways this workshop shows both the progress of and the need for Kantara. As the identity industry has matured and broadened so must the collaboration around the issues of technology, policy, privacy, and compliance. No longer is identity an exclusively large enterprise issue. Like with other technologies, what is for the consumer and what is for the enterprise are blurring and colliding. Just look at the participating organizations for the workshop, in addition to identity and security vendor mainstays such as CA and Oracle, you have well known organizations that at first blush might not be considered identity-centric organizations, such as PayPal, NTT, Google, NIH and others. This workshop really represents a microcosm of the broader identity marketplace - all in one convenient room at the Moscone Center.

In my session, Identity as Security Glue for the Cloud, I will be presenting with Chris Sharp of MEDecision. Without tipping my hand too much, I plan to review the models of cloud computing (SaaS, PaaS, IaaS) and how categories of identity and access management and related standards play a central role in how security must be managed both for and in the cloud. As a live example, Chris will discuss his healthcare related service and how he is using standards-based identity services to keep operations running smoothly.

If you are coming to the RSA Conference I encourage you to register for this Kantara workshop and take part in the celebration.

Should Cloud Providers Be Security Black Boxes?

Matthew Gardiner — Fri, 22 Jan 2010 22:10:00 GMT

Reading about Microsoft General Counsel Brad Smith's recent speech at the Brookings Institution got me thinking about the issue of security and privacy related transparency at Cloud providers. I fully agree with his statement that "... it should not be enough for service providers simply to say that their services are private and secure....there needs to be some transparency about why this is the case." However, a key word here is "some." There has to be a balance, but it shouldn't be achieved through legislation. That process would be so slow and would only further murk-up the balancing process. Security and privacy professionals don't agree on how much security is enough, so we certainly can't expect legislators to do a good job of it. There are plenty of areas that should keep the law-makers busy, such as modernizing existing laws that never contemplated the Internet and Cloud models, as well as sorting out conflicting international laws (where you must do something in one jurisdiction, but doing so puts you in violation in another jurisdiction).

How do we find the balance? It should stay with the open market and be further matured through industry codes of conduct and certifications. Security and privacy should be a feature of the various Cloud service offerings, and organizations such as the Cloud Security Alliance and the Kantara Initiative are working to help Cloud providers find the balance.

I find it helpful to compare what is going on now - in this context of the Cloud - with what we experienced in past years in traditional enterprise IT. If we look at how enterprises "managed and secured" their sensitive data and applications of the years, I think overall we can say it was very messy with breaches and spills seemingly around every corner. Only over the past few years have we witnessed more effective control. Over-simplified, enterprises did a relatively poor job of IT security because it was allowed (or forced) to operate as a black box, with non-IT management either not understanding or not caring enough to know what was going on with sensitive applications and data. This let the security/privacy investment balance go out of balance for too long.

I would like to say that I see an aggressive and proactive position on security and privacy from the Cloud providers, but I don't. There is this unfortunate tendency toward the security black-box again, which when done to extremes is unhealthy.

Buyers of Cloud services, let your money do the talking. Demand effective security and privacy and be willing to pay for it. And don't accept security and privacy as a pure promise, as Brad Smith points out.

Report from ISSE 2009 & Thoughts on Emerging IT Clouds

Matthew Gardiner — Mon, 26 Oct 2009 19:06:00 GMT

I recently returned from attending and presenting at the ISSE 2009 conference in The Hague, Netherlands. I particularly like this annual security conference in part because it brings together European security professionals from a very broad set of communities, covering governments, academic institutions, and industry – which is very healthy. At this conference you get the European view of things in a few days – and you cover a very comprehensive set of topics, from cryptology to security awareness of children, and everything in between.

I specifically presented on two topics, the Kantara Initiative and its Identity Assurance Framework (IAF) as well as best practices for security for services. For the Kantara Initiative I focused on the purpose of the organization and the IAF in particular to drum up more collaboration between them and relevant people and programs in Europe, such as STORK.

As an attendee of the conference I particularly enjoyed two of its sessions on cloud security. With the cloud in its nuclear, over-hyped, breathless stage it is really nice to hear from two seasoned professionals with a more balanced and reasoned perspective. So kudos from me to Gerry Gebel of the Burton Group and Rick Gordon of the Civitas Group for offering up their balanced thinking on cloud security. Some interesting points I jotted down from their sessions:

· There are clearly some valid economic reasons pushing organizations to start cloud-ifying their IT operations, such as greater specialization, economies of scale, increased flexibility and agility

· But there are also significant security and privacy issues that mitigate these potential advantages, such as greater vulnerability to DNS attacks; lack of transparency of people, process, and technologies; lack of control over data management; and many other issues

· Different layers of the IT stack, from hardware to applications and everything in between, have very different dynamics and thus need to be considered separately.

Gerry’s takeaway was “Enterprises should not use public clouds for sensitive data” and should lean toward building private or internal clouds, which can gain much of the economic benefits of clouds without being impacted as significantly by the tricky security and privacy issues of going public. I agree with this assessment and would add - you can’t outsource something externally until you can abstract (outsource) that IT function internally for your enterprise. So use the step of a private IT cloud get some benefits in the short and intermediate term and prepare your organization to leverage public services when they become available and your organization becomes ready.

After the ISSE 2009 conference I also presented at the Edge User Conference in Amsterdam on Security for Services. My next blog will cover my takeaways from that event.