Date of Birth on Facebook

Posted on August 30th, 2008 in Personal, Security, Identity by Paul

It still amazes me that so many of my friends are displaying their date of birth on their public Facebook profile.

Don’t they realise how useful this is to a potential identity thief?

Identity Fraud has finally happened to me

Posted on August 30th, 2008 in Security, Identity by Paul

Well, it’s finally happened to me.

After being very careful with my credit card details over the years, last week I finally fell victim to identity fraud. Yes, whilst checking my credit card transactions online, I noticed an airline ticket that I certainly didn’t buy. A call to my credit card company revealed two further airline transactions that had not yet been posted onto my statement.

Within one day, 3 separate airline tickets had been bought on my card. Fortunately, the bank had noticed something suspicious and put a stop on my card. Of course, I’m fully covered by my credit card company. However, I can’t help thinking now whether my stolen details were a result of something careless I have done or whether it was a problem over which I had no control (i.e. insider fraud). Still, irrespective of which it is, I will be ever more vigilant when my replacement card arrives.

OpenID in the Enterprise

Posted on April 5th, 2008 in Security, Identity by Paul

As always, I am constantly talking to new people about Identity Management in the Enterprise. We always talk about the usual topics: provisioning, authentication, authorisation, audit etc. More and more recently I have been asked by people what my thoughts are on OpenID. Previously, these types of discussions were limited to the hardcore ID people such as the Identity Gang. But now, I seem to be getting asked the question more and more by people within the Enterprise. A number of times it has been people who don’t really understand what OpenID is, other than that it’s one of the ‘new terms’. Others are more informed.

So what do I think of OpenID and its application in the Enterprise……

I think OpenID so far has done a lot for pushing forward Identity 2.0 and has seen a reasonable adoption within the ‘social internet’ (blogs, wikis etc). There is definitely a good use case for its application there. However, organisations have not yet really started to adopt this technology. There have been a couple, including Sun, who announced an internal OpenID server for employees last year. However, in the main its uptake has been extremely limited.

I have no doubt that eventually OpenID will start to find a place within the Enterprise. However, at the moment, I really can’t see its application within that arena. The problem that I see Enterprises facing when looking at OpenID is the lack of trust in the Identity Provider. Anyone can set up an OpenID server (indeed this blog is one) and use it to sign on to OpenID-enabled sites. However, where is the trust that I am indeed Paul Toal when I hit the target site? For enterprise cross-domain single sign-on, federation based on SAML (and the other standards) provides that pre-defined trust agreement. Clearly, what it lacks (and OpenID goes towards addressing) is the user consent.

As long as the trust issue is outstanding I don’t see why Enterprises would adopt OpenID for transactions of any value (financial or otherwise). There is a big difference between posting a comment on a blog that I have signed onto with my OpenID identity and performing a business transaction with an Enterprise partner using my self-asserted OpenID.

The answer to this might be to ensure Enterprises host the OpenID server so that their partners can be assured of trust. However, isn’t that what standard federation today gives us? Do we actually want our employees deciding whether, as an employee, their Identity information can or can’t be shared with other business partners?

Maybe I am missing the point (feel free to correct me), but at the moment, I just don’t see where OpenID fits within the Enterprise.

It’s official (finally)

Posted on September 6th, 2007 in Security, Identity by Paul

Finally, after much speculation and a couple of leaks on the Internet, Oracle has announced that they have bought Bridgestream for their Enterprise Role Management capabilities. Despite Mel’s thoughts that Oracle has paid over the odds for them, I think this is a very good announcement for Oracle.

This acquisition stands to further enhance Oracle’s already comprehensive offering in the Identity and Access Management space and put them in an even stronger position to offer a complete solution.

I am currently in San Francisco (more on that later) finding out more details about both the Bharosa and Bridgestream acquisitions and hopefully will find out the strategy for these two products moving forward.

From a personal point of view, I must say that Oracle is certainly a good place to be working right now around IAM, what with these recent acquisitions and their strategy and vision.

Oracle on the acquisition train still

Posted on July 18th, 2007 in Security, Identity by Paul

I saw in a press release today that Oracle has announced its intention to buy Bharosa. This is a company that specialises in fraud prevention and strong authentication security solutions. This will add the following capabilities to the IAM stack:

  • Proactive real time risk-analysis
  • Strong authentication
  • Fraud prevention

Working within Oracle’s Identity Management team, I see this as a really positive move for Oracle that will provide a real differentiator as well as a strong complement to the existing products within the IAM suite.

I’m looking forward to finding out more about Bharosa’s products in the coming weeks and months.

Federation Observations

Posted on May 26th, 2007 in Security, Identity by Paul

Recently I have been involved, at varying levels, in a number of projects centred around federation and primarily federated authentication. Whilst most of my work in the past has been working with the SAML specification, one of the recent projects focused around Shibboleth.

There are a couple of observations I have made when speaking to people about federation.

1. Usually, during client meetings there are several comments about how the solution has to be “Shibboleth compliant” or “SAML compliant”. However, when you dig down a bit further, you usually find that the person dictating this compliance doesn’t fully understand what they are asking for or what it means. For example, when discussing Shibboleth, the discussion moved round to how it uses SAML as its underlying protocol, and I asked the client what specific functionality of Shibboleth, above and beyond what SAML could give them, they required. The response was very limited. (Note: I’m not particularly picking on Shibboleth here. It just happens to be a recent example.) When people ask for SAML compliance, what exactly do they require? Do they plan on using every piece of the spec in its entirety, e.g. SSO, SLO, IdP Discovery etc? Are they planning on using all the bindings, e.g. Artifact, SOAP, POST, PAOS etc? For many companies, it seems to me that compliance with an open standard is sometimes just a tick in the box of an RFI/RFP rather than fully understanding what they are going to use the spec for and what benefits they will gain from its use. For example, does it matter whether a solution (thinking of no particular vendor here) supports the SAML ECP profile? Is this something the client will use in the specific project you are talking to them about?

I think it is important that people who are looking at using federation technologies understand not only what it can do, but also, what options are available within the standards for achieving the end result (including which standards to use). This also includes having an understanding of what the spec doesn’t give you (e.g. how a user authenticates to retrieve their SAML assertion). Whilst this education is the job of the relevant vendors and consultants within the industry, it is also the responsibility of the client to gain that base knowledge.

2. The second observation I have seen is the limited deployment of federated technologies. As I said above, my most recent projects have both been around federation. The plan for my clients was to minimise local user management and benefit from the SSO that you can gain through federation (fairly standard stuff). However, in both cases, when it came down to detailed discussions about the federated partners, it was surprising how many partners were just not in a position to offer support for federated authentication. One particular client was looking at a system designed for approx 300,000 users. They had a local user store to account for a few ‘exceptional’ users who could not authenticate using federated technology (circa 5000 users). However, during detailed design, the number of local users rose drastically to approx 150,000 since several of the federation partners were not ready. This is not unique.

Whilst more and more people are looking at using federation in their business, I believe we are very much still at a stage of putting the technology in place and having the clients build the frameworks to support federation. That way, clients can start with a fairly central repository of users, but, over time, as business partners become ‘federation enabled’, the users can be migrated over to the external partners. It’s all about flexibility within the framework and within the architecture, and not expecting that all of your Identity Providers and Service Providers will be ready to offer a full federated service from day one.

InfoSec….I’m not alone

Posted on May 4th, 2007 in Security, Identity by Paul

Further to my post last week, it seems I am not the only person who wasn’t impressed by InfoSec Europe 2007. Paul and Mel both seemed disappointed.

InfoSec Europe 2007 - Thoughts

Posted on April 26th, 2007 in Security, Identity by Paul

Yesterday, I went to InfoSec Europe at Olympia in London. I have been to this event for the past few years and as usual, I spent about 5 hours walking round, talking to people and listening to seminars. I only have one word to describe the event overall:

DISAPPOINTING

Here’s a breakdown of my thoughts on the various areas:

Exhibits/Stands
As per usual, there were a lot of the familiar vendors there with their huge stands (Symantec, McAfee, RSA to name but a few). However, across the board there seemed to be a lot of similar themes running through the event. Many stands seemed to be pushing products to deal with threat and vulnerability management (anti-virus, web filtering, email filtering etc). Not that there’s anything wrong with that, but it’s stuff that we see year in and year out. There seemed to be very little real innovation and cutting-edge stuff. For example, RSA were still showing the SecurID tokens on their stand that I have been dealing with for around 5 years. I thought these events were supposed to be the exhibitors’ chance to really show off their new gadgets and gizmos.

Exhibitors
From walking round and looking at badges, I am sure that there was probably an equal number of exhibitors and visitors there. Each stand seemed to bring more and more people, which gave the impression that the event was extremely busy but in reality just meant that you got stopped more frequently. When I go to an exhibition, if I see something that interests me, I will stop at that stand and show an interest in what they have to offer, possibly even asking someone for some information. Being stopped in the middle of the aisle and almost manhandled onto a stand is not an indication that I am interested in their product or that I would like my badge to be scanned so that I can be bombarded with email that doesn’t interest me.

Seminars
Whilst there I took in two presentations.
The first was by Dave O’Brien (VP of Corporate Development for Courion Corp). I felt that this presentation lacked any real content. It was very high-level and a bit too brief. For me, I felt he was just stating the obvious and providing information which should be common sense. For example, one of his main messages was to start with your pain points and not from a fixed perspective when looking at roles. Is this not obvious?
The second was by Colin Robbins (Principal Consultant with Siemens Insight Consulting). He was talking about the National Identity Infrastructure (i.e. ID cards) and how businesses can use these to their competitive advantage and to save costs. The main point of the presentation was that ID cards are going to happen anyway and since someone else will be paying for them (i.e. the taxpayer) why not use them to realise cost savings within your organisation. I felt the talk itself was very biased towards the NII scheme and the underlying message (to me anyway) was that ‘Siemens think it’s a good idea because they are going to make loads of money out of it’. It didn’t cover any of the issues with the NII scheme that I would have liked it to cover (what will be stored in the backend database, how will access be controlled, how will the enrolment process prevent fraud etc etc).

Bruce Schneier
The highlight of the day was listening to Bruce give a presentation on the BT stand. He was talking about the whole Web 2.0 revolution and how we have a generation gap at the moment which will cause businesses to re-think how they handle/embrace the new generation of employee due to the new and different ways in which they interact and live their lives (Facebook, MySpace etc). This is the first time I have heard Bruce speak in person (I have read his blog for some time and have read his books). I found what he had to say a refreshing and an interesting perspective on this security issue. Unfortunately, I didn’t win the bun fight at the end to try and get one of the 100 autographed copies of his book which the other 300-400 people were also fighting for.

Future Thoughts
One of my main observations about the event was the lack of ‘Identity’ related technologies from the main vendors. Sun, Oracle and CA did not have a stand at all. IBM had a stand but were only pushing ISS on it. HP were the only ‘big’ vendor that I saw who were pushing Identity Management on their stand. I didn’t get to the Microsoft stand to see what they were pushing. There were a number of the smaller players there (Courion, ActivIdentity etc) but a distinct lack of support from the big fish. This does lead me to wonder whether there is a bigger question about the usefulness of these events from a lead generation point of view. My previous company have been on a number of different vendors stands over the years and I don’t remember one sale that could be attributed directly to a lead generated from the exhibition. I wonder if the bigger vendors are also thinking the same thing and therefore staying away and thinking of better ways to spend their marketing budget.

To me, it does question the future of these big, generic events and whether the trend will be to have more area focused events such as Digital ID World where you have a better idea of who your audience are and your audience have a better idea of what to expect from the event.

I am finding myself questioning whether I will bother going next year. I suppose it all depends on whether I run out of pens and stress balls before next April. Also, if I win one of the many PS3 or Wii competitions that I entered, then I might be inclined to go back next year. Otherwise, I can think of better ways to spend a day.

One saving grace is that my youngest daughter (3) does love the mini etch-a-sketch that I got from the SurfControl stand :-)

Chocolate for your password

Posted on April 17th, 2007 in Security, Identity by Paul

Eugene Cozonac posted a comment on an article he saw on the FT website.

The post (and the article) talk about how easily people will divulge their passwords when offered an incentive. In this case, people were offered chocolate bars. According to the research, in total approximately 62% of people asked gave up their password.

I have a problem with research of this type. If I was stopped in the street and offered chocolate in exchange for my password, I would happily tell the researcher that my password was H4EDwb!!.

The fact that I have just made that up and don’t (and never will) use it for anything, makes no difference to the researcher. As far as they are concerned, I have just divulged my ’secret’ password and I am another of their statistics.

In the meantime I am quite content with my free chocolate bar. Bonus!!

More on simplicity (or lack of it) in federation

Posted on April 15th, 2007 in Security, Identity by Paul

A few days ago I wrote a post around federation and how I was surprised it wasn’t simpler to configure.

In response to this, “Curious” posted a comment directing me to a post by James Mcgovern where he talks about why federation has been slow to be adopted and how this could be partly the fault of the vendors and the industry analysts. Whilst I agree with the message that James is trying to convey, there is one particular point he writes that I don’t necessarily agree with.

“I wonder if the CTOs of these companies have ever considered that if they expect to sell solutions to federated identity that part of the purchase requirement may be the need to federate with someone else that already has the software?”

Whilst I believe that it is normally a major benefit if your trusted partner(s) already has a federation solution in place, I don’t think it is a necessity. There is no reason why the deployment of a federated solution couldn’t encompass both ends of the partnership at the same time. I do agree, however, that it is simpler and usually quicker from a design and deployment perspective, if indeed, the trusted partner already has the technology in place and is using it already.

However, it can also introduce extra challenges when trying to integrate with existing deployments. Let’s say, for example, that you want to roll out a new federation platform based on SAML 2.0 (see why the Danish public sector chose SAML 2.0 over other standards here). Since SAML isn’t backward compatible between versions, this poses a problem when trying to partner with a service provider who only supports SAML 1.0. Here you have two options:

1) Pick a product that supports both versions of the standard and then configure different protocols for different partnerships.
2) Utilise a further standard outside of SAML to provide the ‘glue’ between the two versions of the protocol and handle the token conversion (e.g. WS-Trust).

Had the partner not had an existing SAML deployment already, it would have potentially been possible to deploy and utilise a single version of SAML (i.e. 2.0) and to help guide the partner to ‘federation enable’ their software. This could be through a full access management type product (e.g. Tivoli, eTrust, Fusion etc) or through a lightweight engine (e.g. PingFederate). Obviously, there are a number of factors that would help make this decision which I won’t go into now. Adopting a single version of the standard may seem less flexible but if there are no reasons for using multiple different protocols or versions, why complicate the architecture.
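Option 1 above (one product, a different protocol version configured per partnership) implies that the receiving side must tell a SAML 1.x assertion from a SAML 2.0 one and check it against what was agreed with that partner. The following is an added Python example, not code from the original post or from any product it mentions; the partner table, issuer URLs and skeleton assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assertion namespaces defined by the OASIS SAML 1.x and 2.0 specifications.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical per-partner table: the SAML version agreed with each
# partner IdP (issuer URLs are constructed for this example).
PARTNER_VERSIONS = {
    "https://idp.partner-a.example/saml": "2.0",
    "https://idp.legacy-partner.example/shibboleth": "1.1",
}

def detect_saml_version(assertion_xml):
    """Return '2.0', '1.0' or '1.1' from the root element of an assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag == f"{{{SAML2_NS}}}Assertion":
        return "2.0"
    if root.tag == f"{{{SAML1_NS}}}Assertion":
        # SAML 1.0 and 1.1 share one namespace; MinorVersion tells them apart.
        return "1." + root.get("MinorVersion", "0")
    raise ValueError(f"not a SAML assertion: {root.tag}")

def issuer_of(assertion_xml, version):
    """SAML 2.0 carries the issuer in a child element, SAML 1.x in an attribute."""
    root = ET.fromstring(assertion_xml)
    if version == "2.0":
        el = root.find(f"{{{SAML2_NS}}}Issuer")
        return el.text.strip() if el is not None and el.text else None
    return root.get("Issuer")

def route_assertion(assertion_xml):
    """Accept only if the issuer is a known partner using its agreed version."""
    version = detect_saml_version(assertion_xml)
    issuer = issuer_of(assertion_xml, version)
    agreed = PARTNER_VERSIONS.get(issuer)
    if agreed is None:
        return ("reject", f"unknown issuer {issuer!r}")
    if agreed != version:
        return ("reject", f"{issuer} agreed SAML {agreed}, received {version}")
    return ("accept", f"dispatch to SAML {version} handler")

# Constructed, signature-less sample assertions (skeletons only).
SAML2_SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_a1" IssueInstant="2007-04-15T10:00:00Z">
  <saml:Issuer>https://idp.partner-a.example/saml</saml:Issuer>
</saml:Assertion>"""

SAML1_SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_b2"
    Issuer="https://idp.legacy-partner.example/shibboleth"
    IssueInstant="2007-04-15T10:00:00Z"/>"""

if __name__ == "__main__":
    for sample in (SAML2_SAMPLE, SAML1_SAMPLE):
        print(route_assertion(sample))
```

The version check only selects the handler; signature validation, audience and validity-period checks still belong to the SAML 1.x or 2.0 handler the assertion is dispatched to.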

Therefore, to summarise, I think there are advantages and disadvantages to integrating with partners who already have federation-enabled infrastructures. In some cases it can be a major bonus and in others it can add additional (but not insurmountable) deployment challenges.
