December 17, 2014

Kuppinger Cole - Secure Mobile Information Sharing: Addressing Enterprise Mobility Challenges in an Open, Connected Business [Technorati links]

December 17, 2014 10:41 AM
In KuppingerCole Podcasts

Fuelled by the exponentially growing number of mobile devices, as well as by increasing adoption of cloud services, demand for various technologies that enable sharing information securely within organizations, as well as across their boundaries, has significantly surged. This demand is no longer driven by IT; on the contrary, organizations are actively looking for solutions for their business needs.



Watch online

Katasoft - Launch a SaaS – and Battle Your Robot – With Stormpath [Technorati links]

December 17, 2014 05:00 AM

Can a fighting robot be an educational tool? Jonathan Wagner thinks so. Wagner is the mastermind behind Gigabots, an educational robotics platform developed in conjunction with Mozilla that makes use of realtime event and data synchronization.

Wagner is Co-Founder and CEO at Big Bang, a company that creates software that makes it easy for people to connect devices in realtime. Big Bang’s platform is a publish-subscribe system – with benefits. It allows software developers to create real-time applications on mobile or desktop devices as well as Internet-of-Things based devices. Like Robots that dance and teach kids about technology.

Gigabot Prime

Mozilla was interested in software and applications that use high-speed connectivity for educational settings. The Gigabots – a partnership with Gigabots and Mozilla – are a connected robotics platform, using Lego Mindstorm EV3 robots, the Gigabots API and the Big Bang cloud service to connect the bots in realtime.

The company has already piloted Gigabots in classrooms and Maker Faires, receiving praise from parents, kids, and educators alike. “The kids absolutely love it, we’ve had such an enormous response from them,” Wagner said. Gigabots are just one of the projects running on the Big Bang cloud service platform, currently in private beta.

Gigabots Dashboard

The Big Bang RealTime Platform

Big Bang is a data synchronization platform that allows devices and applications to send and receive data in realtime to other connected applications. Whether it’s a desktop client, web browser or awesome robot, applications are connected to a common API with streaming events or automatic data synchronization across all the channels. “It gives you the building blocks you need to create really sophisticated real-time applications without having to write all your own software and without having to maintain your own infrastructure and servers.”

BigBang Website

How did Wagner cook up the idea for software that facilitates real-time connectivity? Experience in the video game industry proved to be ample inspiration.

“At my previous company, we created middleware for games: massively multiplayer games, virtual worlds, and simulations. We had customers like Ubisoft, Disney, MTV and Viacom,” Wagner explained.

He often encountered developers who were interested in developing a mobile game, but had no experience doing any of the networking necessary for the application.

Even beyond the gaming world, Wagner noticed an increasing demand for real-time features in traditional applications. While that’s easy for large, experienced companies with impressive resource pools to pull off, it is much more difficult for a novice developer.

“Developers are starting to want those types of features in every application and so the Big Bang platform makes it easy to create those types of applications and those types of experiences for users.”

Wagner decided that the solution was to create technology to make the real-time connectivity process simpler and easier. In doing so, he turned to Stormpath.

User Management for SaaS

Just as developers turn to the Big Bang API for data synchronization, Big Bang came to Stormpath for user management. “It’s one of those basic parts every application needs and that you have to write, but it’s not really the main point of your application,” says Wagner.

Stormpath powers login and registration to the Big Bang service, handling both authentication as well as authorization. For a SaaS, separating users into secure, partitioned directories is key, as is managing the different roles within those partitioned tenants.

“We use Stormpath to manage authentication for our customers. When our customers create applications on our platform, their users are also authenticated with Stormpath.” Big Bang also relies on Stormpath for token authentication and session management.

In the future, Big Bang may need to expand its use of Stormpath into external directories, such as an LDAP or Active Directory server owned and hosted by a customer, or social login like Google Apps. Wagner sees Stormpath as an authentication platform that will scale as his use cases grow and get more defined.

Big Bang is built on a micro-services architecture in Node.js and Java, and has used the Stormpath Node and Java SDKs as their development plan has matured. “It’s made it really easy to iterate, because I haven’t had to worry about migrating data from different environments. I don’t have to worry about replicating data from production to staging to testing and those kinds of things,” he said.

He also benefitted from the feature-richness of the Stormpath API. “I didn’t have to set up all of the little fiddly things like password resets and all that kind of jazz. It’s really important for a product. Everyone expects it from every product, so it doesn’t really distinguish you.”

BigBang Platform Login

Building Blocks

If you want to check out how the Big Bang Platform can connect devices in your app, check out the repo for their JS client and sign up for their open beta.

If you want to spend more time building awesome stuff – like dancing robots or a disruptive SaaS – get started with Stormpath. It’s free for developers to play with. And we love startups.

December 16, 2014

Phil Hunt - Oracle - Standards Corner: IETF SCIM Working Group Reaches Consensus [Technorati links]

December 16, 2014 03:41 PM
On the Oracle Fusion blog, I blog about the recent SCIM working group consensus, SCIM 2's advantages, and its position relative to LDAP.

Katasoft - Making Python Authentication Fast [Technorati links]

December 16, 2014 03:00 PM

Python Logo

You know what’s really lame? Slow websites.

Unfortunately, certain parts of the authentication process are supposed to be slow. This may seem counterintuitive, but slowness in the authentication process is a big part of being secure.

This article talks about how authentication works in Python (not just hashing), and how you can make your site faster for your users without compromising your security.

I’ll walk you through Python pseudocode, and show you exactly what you need to understand to ensure your auth system is as quick as possible.

Password Hashing is Slow

When a user signs up on your website and gives you their password, the best practice is to hash the user’s password before storage. This means you’ll use a hashing algorithm like bcrypt or scrypt which translates a password string into a chunk of gibberish that cannot be reversed.

Once you have a hash, there’s no way to recover the original password.

Here’s the important bit: strong hashing functions like bcrypt and scrypt are meant to be slow!

The more CPU, RAM, and time it takes to compute a hash, the longer an attacker has to spend attempting to brute force a password.

Pretend for a moment, that you’ve hacked a company user database and now have access to all user password hashes.

Let’s also say that these are bcrypt hashes with a work factor of 10.

If you’re trying to figure out what the passwords are, there’s only one thing for you to do: brute force them.

To do this, you might write some code that iterates over every possible password combination (in the example below I’m using the brute library on PyPI):

$ pip install brute

# crack.py
import bcrypt
from brute import brute

HASH_TO_CRACK = b'xxx'   # the stolen bcrypt hash; its salt and cost factor are embedded in it

for pw in brute(length=8):
    # Hashing the guess with the stored hash as the "salt" reuses its salt and
    # cost, so the result equals the stored hash only if the guess is right.
    if bcrypt.hashpw(pw.encode(), HASH_TO_CRACK) == HASH_TO_CRACK:
        print('Password is:', pw)
        break

In the example above, we’ll iterate over every possible password of 8 characters or fewer, attempting to brute force it.

Each time you generate a new possible password, you’d then run it through the bcrypt function, get the resulting hash, and compare it to the hacked password hash you have. If you get a match, it means you’ve successfully brute forced the user’s password!

But here’s the kicker: bcrypt and scrypt take a while to compute, and use a lot of resources.

Since both bcrypt and scrypt are mathematically slow to compute, attackers have a much harder time brute forcing these hashes as it requires a lot of computer resources ($$$).

So, since we now understand how hashing works, and why it is time intensive — let’s talk about authentication.

NOTE: If you’re interested in learning more about password security, you might want to read through an article we wrote a while back on the right way to do password security — it’s a good read. And if you want even more info, check this out.

How Authentication Works

When a user typically registers or signs into a site, you’re going to be hashing their password, and either storing it in a database or comparing it to a value in a database — but what happens after that? You remember the user either with an ID in a session, or via an API key of some sort.

Here’s some pseudocode:

# register.py
user = User('r@rdegges.com', 'hithere!123')
user.save()     # save this user to the database

# Create a new session cookie in the browser, which holds the user ID.
session.create('session', user.id)

The idea is that a user ID will be stored in the user’s browser via cookies — this way, the next time the user requests a page on your site, the user’s browser will send that cookie with the user’s ID along to your server, allowing you to look up this user’s account information, without needing the email address and password again.

Here’s some more pseudocode:

# views.py
user = User.find(id=session)

As you can imagine — finding a user account by ID is very quick (no password hashing is necessary).

So — what this means is that only the initial user creation and login processes are slow — the rest of your site can still be fast!

But let’s not stop just yet.

Optimizing for Speed

Since user data is typically required on every page of a website, this data is accessed very frequently.

If you’re using a database like Postgres or MySQL, this means that if you have a few hundred website users, you might be querying your users table in the database a couple hundred times per second.

That’s quite a few queries!

If your site needs to do other things, you might be unnecessarily slowing down page loads.

So what can you do to speed things up? Cache!

Caching is the solution to most speed and performance problems — and making user data quickly available is one of the most effective ways to speed up your site.

The idea is pretty simple: keep a key / value store in memory that uses the user ID as the key and the user’s account data as the value.

This helps, because the next time a user makes a request for a page on your site, and sends you their session cookie, instead of querying the database to find the account, you can instead query an in-memory cache directly for this information.

This might be the difference between 1ms and 100+ms in every user request: that’s a lot of saved time! While it doesn’t seem like much on its own, when you start adding in latency caused by other parts of your application, you can really speed things up a lot overall.

For caching, you’ll most likely want to store this data in a cache system like memcached or redis, both of which have awesome python libraries.

In pseudocode, you’ll likely do something like this:

if session:
    user = cache.get(session)

    # If no user was found in the cache, query the database directly and
    # store the result so the next request is served from the cache.
    if not user:
        user = User.get(id=session)
        cache.set(session, user)
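The slow login path and the fast cached session lookup described in this post, brought together in one runnable example. This is added here and is not the post’s own code or Stormpath’s library: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt/scrypt, plain dicts stand in for the users table, the session store and memcached/redis, and the cookie is assumed to carry a random session token that maps server-side to the user ID rather than the ID itself. All function and variable names and the sample account are made up. Beyond the pseudocode above it also shows two things a practitioner wants: the cache holds only the fields pages need (never the hash or salt), and account updates evict the cached copy.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-ins for the stores the post talks about: the users table,
# a server-side session store and the in-memory user cache (memcached or redis
# in a real deployment). Plain dicts so the example runs offline.
USERS_DB = {}                      # user_id -> full account record
SESSIONS = {}                      # session token -> user_id
USER_CACHE = {}                    # user_id -> cached public view of the account
DB_QUERIES = {"users_by_id": 0}    # counts the lookups the cache saves

# PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt/scrypt here;
# the iteration count is the work factor that makes the hash deliberately slow.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(email: str, password: str) -> int:
    """Slow path (runs the hash once): store the account, return its id."""
    salt = os.urandom(16)
    user_id = len(USERS_DB) + 1
    USERS_DB[user_id] = {"id": user_id, "email": email, "salt": salt,
                         "pw_hash": hash_password(password, salt)}
    return user_id


def login(email: str, password: str):
    """Slow path (runs the hash once): return a session token, or None."""
    user = next((u for u in USERS_DB.values() if u["email"] == email), None)
    if user is None:
        return None
    candidate = hash_password(password, user["salt"])
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)   # random, unguessable session id
    SESSIONS[token] = user["id"]
    return token


def public_view(user: dict) -> dict:
    """What pages need; the salt and password hash never go into the cache."""
    return {"id": user["id"], "email": user["email"]}


def load_user_from_db(user_id: int):
    DB_QUERIES["users_by_id"] += 1
    return USERS_DB.get(user_id)


def current_user(session_token: str):
    """Fast path for every other request: no hashing, cache-aside lookup by id."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return None
    user = USER_CACHE.get(user_id)
    if user is None:                                # cache miss: hit the database
        record = load_user_from_db(user_id)
        if record is None:
            return None
        user = public_view(record)
        USER_CACHE[user_id] = user                  # populate for the next request
    return user


def update_email(user_id: int, new_email: str) -> None:
    """Any change to account data must evict the cached copy or pages go stale."""
    USERS_DB[user_id]["email"] = new_email
    USER_CACHE.pop(user_id, None)


def logout(session_token: str) -> None:
    SESSIONS.pop(session_token, None)


if __name__ == "__main__":
    uid = register("r@example.com", "hithere!123")          # constructed sample user
    t0 = time.perf_counter()
    token = login("r@example.com", "hithere!123")
    print(f"login (one hash): {time.perf_counter() - t0:.3f}s")
    t0 = time.perf_counter()
    for _ in range(1000):
        current_user(token)
    print(f"1000 cached lookups: {time.perf_counter() - t0:.4f}s, "
          f"database queries: {DB_QUERIES['users_by_id']}")
```

Running the script prints one login that costs a full hash and then a thousand page-style lookups that cost a single database query between them; every later request is served from the dict. The same shape holds when the dicts are replaced by a real database and a memcached or redis client.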

Implementation

If you’re using a web framework like Django, you can really easily do all of the things mentioned in this article by simply using the built-in auth system.

If you’re using another framework / tool, you might want to google around for libraries — there are typically a few good options to help with this stuff regardless of what tooling you’re using.

Lastly, if you’re using Python / Flask / Django, and want to get all the awesomeness of best practices around user storage and security, you might want to check out our developer service: Stormpath.

Our service stores user accounts and user data for you, taking care of password hashing, encryption, data security, best practices, and everything else.

It’s free to use for most applications, and integrates easily into Python, Flask, and Django apps.

The latest release of our Python library includes built-in support for in-memory, memcached, and redis caching to ensure your site is ALWAYS as fast as possible, out of the box.

If you’d like to get started with Stormpath, you can check out our libraries here:

To learn more about what Stormpath is doing for password security, check out our security page.

Julian Bond - Snout. [as Wall] Thus have I, Wall, my part discharged so; And, being done, thus Wall away doth go. [Technorati links]

December 16, 2014 02:12 PM
Snout. [as Wall] Thus have I, Wall, my part discharged so; And, being done, thus Wall away doth go.
A Midsummer Night's Dream: W. Shakespeare.

James Bridle of New Aesthetic and Drone Drawing fame goes on a walk. He follows the edges of the London Congestion Zone, documenting some of the CCTV cameras he sees. The edge of the congestion zone is the 3rd wall around the city, the first being the Roman City Wall and the second the anti-IRA Ring of Steel. It's the first wall that is largely virtual, consisting principally of ANPR cameras.
http://shorttermmemoryloss.com/nor/2014/11/07/all-cameras-are-police-cameras/

In Park Lane, he was accosted by a pair of security guards who performed a citizen's arrest and held him until the Police turned up. "When they arrived, the police officers explained that carrying a camera in the vicinity of Central London was grounds for suspicion."

This reminded me of a London Met and Transport Police campaign. 
http://content.met.police.uk/Campaign/counterterrorism2009

A key part of that was a poster campaign http://voidstar.com/images/cctv.jpg "A bomb won't go off here because weeks before a shopper reported someone studying the CCTV cameras.", "Don't rely on others. If you suspect it, report it". This scary bit of Orwellian doublespeak prompted an Internet meme generator long since gone. The phrase "don't rely on others" prompted me to mash the image up with some Hawkwind lyrics from Sonic Attack. "Think only of yourselves" http://voidstar.com/images/sonic_attack.jpg The message is clear though. Only look at CCTV cameras out of the corner of your eye because if you pay too much attention to them, you'll be suspected of harbouring thoughts of terrorism.

But then there's London Transport's posters. http://www.yourlocalguardian.co.uk/yoursay/schools/10148054.ORWELLIAN_STYLE_TRANSPORT_FOR_LONDON_POSTERS__A_HUMOUROUS_SATIRE_OR_SUBTLE_HINTS_OF_TOTALITARIANISM_/ This all begins to get scarily post-modern. Is this some hipster designer taking the piss out of their brief and sneaking it past some middle management sign-off? Or is it doubleplus-good propaganda that works better at inserting the idea into our brain because we laugh at it?

James Bridle can be found here.
http://new-aesthetic.tumblr.com/
http://booktwo.org/
The Nor » All Cameras Are Police Cameras
This essay is the first of a series of reports from The Nor, an investigation into paranoia, electromagnetism, and infrastructure. On the morning of Thursday, 30th October 2014, I set out to walk the perimeter of the London Congestion Charge Zone, a journey of some twelve miles around ...

[from: Google+ Posts]
December 15, 2014

Katasoft - How to Win at White Elephant [Technorati links]

December 15, 2014 05:35 PM

Friday night marked the Stormpath Annual Holiday Party, and ended two weeks of conspiracy and planning for the White Elephant gift exchange that would be played that night. We are not a rowdy bunch. We actively recruit teammates with low ego, and a bent towards compromise and collaboration over competition and office politics. We don’t have a “brogrammer” culture. But we take games seriously.

Very. Seriously.

Over team lunch at the Baywatch diner on Friday, Brent and I discussed our strategies for the evening’s White Elephant. My planning had begun two weeks in advance. Several coworkers told heart-wrenching stories of White Elephant gift planning gone awry. “Rainzilla nearly destroyed the package!” It was pretty clear that White Elephant is “a thing” – not just a benign game, but in fact a way to earn the respect and admiration of your colleagues. However fleeting. It somehow matters.

Team Stormpath

What Is White Elephant?

To be clear, White Elephant is not a game you can technically win, and there are a lot of ways to play. These are the rules we use:

White Elephant refers to a “dud” gift that might be added to the stock of gifts under the tree. We don’t play that way, because who wants a dud gift? If there is a clear and obvious dud, stealing cascades can go berserk.

How to Win at White Elephant Gift Exchanges

Let’s be clear, winning White Elephant is not about getting the best gift, it’s about giving the best gift. You win by bringing the gift that gets stolen so many times it goes out of play and the final recipient grins gleefully while several people shoot them looks of mock violence.

You can also win by bringing something that is so widely acknowledged as exceptionally cool, that is treated with a reverence that transcends theft.

Team Stormpath 2

How to Win:

1) Serve a Big Market The ringers at the Stormpath White Elephant were a pizza stone, a set of fancy chopsticks and a semi-satirical motivational poster. Why does this work? We have a very high concentration of foodies and cooks. Also of people who used to live in Japan. And we all enjoy the rotating motivational posters, à la “Fuck Mediocrity”, on the wall of our Developer Evangelist’s home office, seen in daily hangouts and occasionally video tutorials. Products that get the most demand are the ones that satisfy the biggest market need. Think about your coworkers as a mini-market. What are their greatest needs?

2) Take Your Office Meme To Etsy Stormpath has a strong office meme around Star Wars. We watch it (Machete Order, thank you very much) as a team for family movie nights. Joe Stormtrooper is our default account on the website. Our entire demo recreates the StarWars universe as a user model. We have a directory for the Sith Empire that includes subgroups for “Imperial Officers” and “Bounty Hunters”. Every office has a meme, and Etsy has an impressively wide array of custom handmade stuff that speaks to that meme. I had a painful moment Friday morning when I discovered Stormtrooper coasters while shopping for my mom.

3) Don’t Forget the Significant Others At Stormpath parties, we include wives, husbands, girlfriends, boyfriends, or even parents. While it’s pretty easy to buy something that will be a hit with half a dozen rabid Star Wars fans, the SOs are often an overlooked target audience. Plus, there is nothing that is going to score you more points with the guy who sits next to you than bringing something his girlfriend or boyfriend thinks is awesome. Look for something trendy and innocuous that someone would never buy for themselves. E.g. 2011 whiskey stones, 2012 corksicle, 2014 pizza stone.

4) Booze While this may not work for every company, it’s entirely possible booze is the trump card White Elephant gift. Brent won big props for bringing a jar of Apple Pie Moonshine. If you have a Costco card, you may be able to get a ridiculously large bottle of… anything. Just the fact that it’s big will make it popular. Also, look around for a pre-Christmas wine deal. Even the snobbiest wino is happy with a good $25 bottle of wine. (I speak from hiccup experience.)

5) Bells and Whistles Sometimes it’s not the gift itself, but a feature of the gift that makes it interesting and desirable. This year, I had a win and a loss. The win was a small box of artisanal champagne-flavored marshmallows… dipped in gold. The loss was three boxes of handmade marshmallows in three different flavors. The “winner gift” was more popular not because anyone thought they would taste better. There were even fewer of them. But they were dipped in gold – the “bells and whistles” feature made it more desirable.

From everyone here at Stormpath, Happy Holidays! May your parties be filled with victory and good noms.

Kuppinger Cole - Cloud Compliance Remains a Challenge [Technorati links]

December 15, 2014 02:40 PM
In Karsten Kinast

The cloud is reality – but still legally controversial in the details. So what do we need to consider for the future with regard to liability, especially as there are few practical alternatives for data management in the cloud and many already see the cloud as unmatched in value from an economic viewpoint?

Over and over again, references are made to the cloud’s problems with multiple national and international data protection laws. With “sensitive data” in particular – for example, health data – internationalization presents huge legal problems for data management in the cloud. The problem, though, is not seen this way by all supervisory authorities responsible for data protection.

Often underestimated, however, is the fundamental legal point of criticism regarding the lack of data sovereignty of the cloud user and the lack of control options for the cloud provider. Questions abound, such as:

This problem field is clear but it appears less helpful if it’s stated as: “classic data protection does not function in the cloud”. You can, however, get closer to the truth if you note that the cloud’s own manner of functioning has not yet been recognised by law as regards the aforementioned control options – at least not in Europe. The legislators now demand, for example, control over the service providers to whom one entrusts his/her own data or that from third parties. This control only functions with the help of transparency in regard to important questions:

As to the question of control options, you should put your cards on the table and demand that the European legislators revise their own regulations for the cloud that acknowledge the missing control possibilities as collateral damage to the cloud. It seems feasible to subject cloud providers, in return, to specific obligations so the basic concepts of data protection pursued by the control rights can be achieved by an alternative route. Should an established legal conception – the necessity of the control principle – be abandoned in order to help a modern type of data management out of the juridical problem area? Or will data protection do its job of protecting the citizen only if complete visibility and control continues to be codified?

Occasionally legislators and bureaucrats represent that one must simply reinterpret the current data protection legislation: a technical interpretation of the data protection law would solve the problem. Analogously, a meaningful technical solution does not have to stand in the way of unfashionable, non-IT-oriented law. That sounds compelling. A revision of the data protection law would thus not be necessary at all. Caution is called for once again: unlike copyright law, data protection law is not commercial law. Data protection is a personal right. Hence, the interests of the citizens in data protection principally rank behind a technical and thus economy-friendly interpretation of the law. As a result, the issue of control and data sovereignty in the cloud remains unresolved to date.

This is the reason why it is occasionally claimed that the cloud is “illegal,” or even “extra-legal”. This is certainly not the case. Yet the obligations with regard to liability law are not to be underestimated with regard to data sovereignty and the cloud customer. As such, you may be liable, under certain circumstances, for possible shortcomings of the cloud provider although you only purchased the cloud service. This always involves the chain: Cloud provider – Cloud customer – Customer of the cloud customer. As a cloud customer, you are in the middle and must ensure a proper level of data protection to your own customers which is simply not offered as depicted, and with regard to control, is also not realisable, because the data in the cloud is ubiquitous and, for example, no specific information can be given as to the whereabouts of the data.

Even if one accepts this problematic liability and takes the risk of data protection non-compliance, further aspects of the cloud are also problematic in terms of data protection legislation. This concerns, for example, data quality, especially as regards the already mentioned sensitive data, which may, if at all, only be brought into the cloud if a detailed examination of the individual case shows this to be admissible. This depends on the technical framework conditions, but also on the Terms and Conditions of the provider.

Further discussions concerning the legality of the cloud could involve:

The following always applies (as already mentioned): If I myself “purchase” the cloud and use it to provide services to third parties, I cannot, generally, disclaim responsibility; I must be liable, if need be, for the above mentioned “purchased” deficiencies to my contractor, my employees etc.

IS4U - FIM 2010: Eliminating equal precedence [Technorati links]

December 15, 2014 01:59 PM

Intro

Precedence can be tricky in certain scenarios. Imagine you want to make FIM master for a given attribute, but you need an initial flow from another data source. A good example is the LDAP distinguished name. If you have a rule that builds the DN automatically based on a base DN and one or more attribute values, the object is provisioned with the correct DN on export. But when you want to visualize this DN in the FIM portal, you need to be able to flow it back. If FIM is master over the distinguished name attribute, this flow will be skipped with the status "Not precedent".

So you have to consider the option of using equal precedence, since manual precedence is not possible in combination with the FIM MA. But equal precedence depends on the synchronization cycle order: "the last one to write the attribute wins". Therefore it is not an option if FIM needs to be the absolute master of the DN attribute and you want to make sure that it always has the value you expect it to have.

Single valued attribute

The solution I came up with to work around this issue involves using two separate metaverse attributes. The flow is illustrated by the following table (arrows show the direction of each attribute flow):

Datasource      Metaverse      FIM Portal
ds_attr    -->  mv_attr1  -->  fim_attr
ds_attr    <--  mv_attr2  <--  fim_attr

By using two metaverse attributes, both requirements are satisfied:

Multi valued attribute

We tried to apply this solution to multi valued attributes as well. A well known attribute that fits this use case is proxyAddresses. Initially, some Exchange attributes are set in AD, such as mailNickName and homeMdb. Exchange then generates some proxyAddresses based on defined rules. These aliases need to be available in FIM if FIM is used to manage this information.

To our surprise, the solution did not work in this case. After some investigation, the explanation was simple. The two metaverse attributes were not equal, which resulted in unexpected values after two or more synchronization cycles.

  1. Delta import delta sync FIM MA: fim_attr flows to mv_attr2
  2. Export AD MA: mv_attr2 flows to ds_attr
  3. Delta import delta sync AD MA: ds_attr flows to mv_attr1

The third step is expected, but does not update the entire value of mv_attr1 (key here is "entire"). The delta import delta sync step checks only changed attributes (and for multi valued attributes only changed entries). The value of ds_attr was just exported, so FIM compares its value with the originating metaverse attribute, which is mv_attr2. Since the values of mv_attr2 and ds_attr match, the export is successfully confirmed. But the value of mv_attr1 remains unchanged and is different from mv_attr2. In the next synchronization cycle, the value of mv_attr1 will be synchronized to the value of fim_attr, which results in an unwanted value.

If full synchronizations are used, everything works as expected because all entries in the multi valued attribute are taken into consideration. On a delta sync, only the changed fields are evaluated. We applied an advanced import flow to allow the flow of addresses generated by Exchange for newly created mailboxes:

if (csentry["ProxyAddresses"].IsPresent 
  && mventry["ProxyAddresses"].Values.Count == 0)
{
  mventry["ProxyAddresses"].Values = 
    csentry["ProxyAddresses"].Values;
}
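A constructed model of the three synchronization steps above, added here as an example; it is not part of the IS4U post and not FIM code. It encodes only the behaviour the post describes for a multi valued attribute: a full sync evaluates every entry, a delta sync evaluates only the changed entries and confirms a just-exported value against its originating attribute mv_attr2 instead of flowing it to mv_attr1, and the advanced import flow seeds mv_attr1 only while it is still empty. With that, the drift of mv_attr1 and fim_attr can be checked for both sync modes. The class, the function names and the proxyAddresses samples are made up.

```python
from dataclasses import dataclass, field


@dataclass
class PrecedenceModel:
    """One object's attribute as seen by the data source, the metaverse and FIM."""
    ds_attr: set                                      # connected data source (AD)
    fim_attr: set                                     # FIM portal value
    mv_attr1: set = field(default_factory=set)        # metaverse copy fed by AD
    mv_attr2: set = field(default_factory=set)        # metaverse copy fed by FIM
    pending_export: set = field(default_factory=set)  # values last exported to AD

    def fim_ma_delta_sync(self):
        """Step 1: fim_attr flows to mv_attr2."""
        self.mv_attr2 = set(self.fim_attr)

    def ad_ma_export(self):
        """Step 2: mv_attr2 flows to ds_attr; the export awaits confirmation."""
        self.pending_export = set(self.mv_attr2)
        self.ds_attr = set(self.mv_attr2)

    def ad_ma_sync(self, full):
        """Step 3: ds_attr flows to mv_attr1 (full or delta import/sync)."""
        if full:
            # Full sync evaluates every entry of the multi valued attribute.
            self.mv_attr1 = set(self.ds_attr)
        elif not self.mv_attr1 and self.ds_attr:
            # The post's advanced import flow: seed mv_attr1 only while it is
            # empty, e.g. addresses Exchange generated for a new mailbox.
            self.mv_attr1 = set(self.ds_attr)
        elif self.ds_attr == self.pending_export:
            # Delta sync looks only at changed entries. They were just exported,
            # so they are confirmed against mv_attr2 and mv_attr1 stays as it is.
            pass
        # Entries changed in AD by something other than this export are not
        # modelled; the export-confirmation case is enough to show the drift.

    def fim_ma_export(self):
        """Next cycle: mv_attr1 flows back to fim_attr."""
        self.fim_attr = set(self.mv_attr1)


def run_cycle(ds, fim, full):
    """Run steps 1-3 and the following FIM export; return (mv_attr1, fim_attr)."""
    m = PrecedenceModel(ds_attr=set(ds), fim_attr=set(fim),
                        mv_attr1=set(ds), mv_attr2=set(fim))
    m.fim_ma_delta_sync()
    m.ad_ma_export()
    m.ad_ma_sync(full=full)
    m.fim_ma_export()
    return m.mv_attr1, m.fim_attr


def seed_new_mailbox(generated_addresses):
    """New mailbox: Exchange wrote proxyAddresses, mv_attr1 is still empty."""
    m = PrecedenceModel(ds_attr=set(generated_addresses), fim_attr=set())
    m.ad_ma_sync(full=False)
    return m.mv_attr1


if __name__ == "__main__":
    # Constructed sample: AD holds one address, an alias was added in the portal.
    existing = {"SMTP:alice@example.com"}
    wanted = {"SMTP:alice@example.com", "smtp:a.smith@example.com"}
    print("delta sync:", run_cycle(existing, wanted, full=False))
    print("full sync: ", run_cycle(existing, wanted, full=True))
    print("new mailbox:", seed_new_mailbox({"SMTP:bob@example.com"}))
```

With the delta cycle the alias added in the portal is exported to AD, confirmed, and then overwritten in the portal by the stale mv_attr1 on the next export, which is the "unwanted value" the post describes; with a full sync both metaverse attributes end up equal and the portal keeps the alias.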

Summary

The proposed configuration allows two-way updates while enforcing precedence for one data source. However, it does not work for multi valued attributes using delta synchronizations.

December 14, 2014

Kaliya Hamlin - Identity Woman - Internet Identity Workshop #20 is in April!! [Technorati links]

December 14, 2014 11:31 PM

IIW is turning 20!

That is kind of amazing. So much has evolved in those 10 years.
So many challenges we started out trying to solve are still not solved.

I actually think it would be interesting as we approach this milestone to talk about what has been accomplished and what we think is yet to be accomplished.

I am working on organizing a crowd funding campaign to support completing an anthology that I have outlined and partially pulled together. I will be asking for your support soon. Here is the post on my blog about it.

In the mean time tickets for IIW are up and for sale! You can also order a special T-shirt we are designing especially for the occasion.

Online Ticketing for Internet Identity Workshop XX #20 – 2015A powered by Eventbrite

Kaliya Hamlin - Identity Woman - ID Anthology – the community “canon” [Technorati links]

December 14, 2014 11:25 PM

A few years ago I pulled together the start of a community anthology.
You could think of it as a canon of key blog posts and papers written in the Identity Gang and circulated around the Internet Identity Workshop and other conferences back in the day, like Digital Identity World.

I think with IIW coming into its 10th year and #20 and #21 happening this year the time is right to make a push to get it cleaned up and actually published.

We need to make available the important intellectual and practical work this community has done in thinking about and outlining digital identity. I have also included works that highlight key issues around user-centrism and identity that originated from outside the community of the identerati.

I am working on organizing a crowd funding campaign to raise a small amount to work with a professional editor and typesetter and get the needed copyright clearances so we can have a “real” book.

In the mean time I have this outline below of articles and pieces that should be included.

I would love to hear your suggestions of other works that might be good to include. It may also be that we have so many that we choose to do more than one volume. For this first one my focus is more on early works that were foundational to a core group early on – essays and works that we all “know” and implicitly reference but that may not be known or accessible (because they are 6-10 years old, which in blogosphere time is eons ago) or may not even be on the web any more.

You could comment on this blog. You could use the hashtag #idanthology on twitter. You could e-mail me Kaliya (at) Identitywoman (dot) net. Subject line should include IDAnthology

The book would be dedicated to the community members that have died in the last few years (I am open to including more but these are the ones that came to my mind).

 

Digital Identity Anthology

Context and History from the User-Centric Identity Perspective

edited by Kaliya “Identity Woman”

Foreword, Preface, Introduction – TBD

Opening Essay – by Kaliya

Contextualizing the Importance of Identity

Protocols are Political – Excerpts from Protocol: How Control Exists after Decentralization

Identity in Social Context

Identity in Digital Systems

The “Words” – taking time to contextualize and discuss the meaning of words with broad meaning often used without anchoring the particular meaning the author is seeking to convey.

Identity
Trust
Reputation
Privacy
Security
Federation

 

Pre-Identity Gang Papers

Building Identity and Trust into the Next Generation Internet (10 page summary)

Accountable Net (summary or key points)

Cluetrain Manifesto by Doc Searls et al. (some key highlights)

The Support Economy (some key excerpt?)

Identity Gang Formation

Andre Durand’s talk at DIDW way back in the day.

Blog post of Kaliya and Doc meeting at SBC (now AT&T) Park in SF -

Dick’s Identity 2.0 talk.

Phil’s Posts

Johannes – early Venn

The Community Lexicon

Laws of Identity + Responses

The Laws of Identity

4 More Laws (by Fen Labalme)

Verifiable, Minimal and Unlinkable (by Ben Laurie)

Axioms of Identity

Key Identity Gang Ideas + Posts

On The Absurdity of “Owning One’s Identity”

Law of Relational Symmetry

The Limited Liability Persona

Identity Oracles (Bob Blakley)

Identity Spectrum, version 1 and version 2 (Kaliya)

Onion Diagram (by Johannes)

Venn of Identity (Eve Maler)

Claims and Attributes

Context and Identity

Signaling Theory

Agency Costs

Social Protocols

What is Trust?

The Trouble with Trust and the Case for Accountability Frameworks

Trust and the Future of the Internet

User-Centric ID and Person-hood.

At Crossroads: Personhood and Digital Identity in the Information Society

The Properties of Identity

 

The Privacy Frame

Ann Cavoukian’s Take

Daniel Solove’s work

Taxonomy of Privacy

Model Regime of Privacy

Understanding Privacy

The Future of Reputation

Nothing to Hide

Identity and Relationships

A Relationship Layer for the Web, Burton Group Paper

 

Privileged and Not: Gender and Other Difference

Genders and Drop-Down Menus

Designing a Better Drop-Down Menu for Gender

Disalienation: Why Gender is a Text Field on Diaspora

“Gender is a Text Field” (Diaspora, backstory, and context)

NymRights

There were many posts that arose out of the NymWars that began with Google+ turning off people’s accounts in July of 2012 – I have to go through and pick a good selection of those from BotGirl, Violet Blue and others.

Personal Data Concepts and Principles

Vendor Relationship Management Community

The Support Economy

Exploring Privacy:

LumaScape of Display Advertising

My Digital Footprint (By Tony Fish)

Personal Data the Emergence of a New Asset Class, WEF Report

Rethinking Personal Data: Strengthening Trust

The Paradox of Choice: Why More is Less

Visions and Principles for the Personal Data Ecosystem (Kaliya)

PDX Principles (Phil Windley)

Control and Protocol

It’s Not So Simple: Governance and Organizational Systems Theory

Accountable Net

Visa the Original “Trust Framework”

Life Organizes Around Identity, from When Change Is Out of Control, and Using Emergence to Take Social Innovation to Scale

Intervening in Systems

Closing Essay

 

Appendix 1: Information Practices: the Evolution of FIPPs

Drawing on this work.

Appendix 2: Bills of Rights

Kaliya Hamlin - Identity Woman: A Preliminary Mapping of the Identity Needs in People’s Life Cycles

December 14, 2014 10:12 PM

This start of a paper, and idea for an interactive exercise to be done at the ID360 Conference, was written by myself and Bill Aal. It was submitted to the 2014 ID360 Conference put on by the Center for Identity at the University of Texas at Austin.

Over people’s life cycles there are many different “identity events” that occur. While considering how people interact with an identity ecosystem, the whole range of lifecycle events must be considered, not just those of mid-life career people. We present a draft Field Guide to the different stages of life, naming different key events and contextualizing what identity needs they might have. We also explore a user-centric view that looks at the digital lifecycle from the perspective of our needs as people in a social context. This may be contrasted with a view of the digital life cycle from governmental, civil society or business perspectives. We end with exploring the implications of going beyond the tension between privacy rights and institutional desires for security and authentication.

This paper builds on some of the key concepts of the paper also submitted to ID360 by Kaliya Hamlin entitled The Field Guide to Identity: Context, Identifiers, Attributes, Names and More.

The first part of the paper draws the key concepts from that paper and goes on to ask critical questions that are particular to the Digital Life Cycle. It is an attempt to lay out a research program for a user-centered view of the digital life cycle.

The second part of the paper charts key life stages and identity events along with the community and institutional interactions that are likely. We would like to work with the organizers of the conference to have an interactive wall-sized paper map available in the conference center as the event is happening, both to consider each phase from the individual’s point of view and the institutions’, and potentially to contextualize the contributions of different papers/presentations on the map.

Key concepts:

Identity is socially constructed and contextual.

More and more, at earlier and earlier ages, we are given identifiers by the state, medical institutions and educational institutions that signify who we are in the social field.
How do our identities evolve through an interaction between our bio/social roots and the institutional identifiers we are assigned?

When are we recognized as a person?

Do we think of ourselves as our driver’s license or library card identifiers? Does our online representation play out in our development as human identities?

Self as a Part of Something Greater

We are defined by who we are connected to, our identities as part of something greater.
Do online identities support that sense of being part of a larger whole?

Context of Observation

The context of observation matters for shaping our identities. It defines the scope of our freedom of expression and our ability to make choices about context. There are three different types of observation that are quite different.

Being Seen – a mutual act. I see you, you see me. We see each other. How do digital social networking identities help us see each other?

Being Watched – This is where one is observed but it is not known by the person who is looked at. There may be interaction between actors, but there is less of an “I-thou” quality. How do we know when we are being watched? In small-society social interactions, we grow up being watched and knowing that we are being cared for.
How do our online identities help us be seen as we mature?

Being Stalked – This is what happens when the watching shifts from an appropriate happenstance window of time and space to watching over time and space – to following and monitoring our behavior without our knowledge. Recent attention to government surveillance and corporate access to our most intimate online interactions gives rise to anxiety over privacy/anonymity.
How do we create principles that allow for control over the stalking?

Self in Mass Society

The self is shaped differently by living in a mass society.
The first systems of mass identity were the paper and bureaucratic record keeping of the state, as a way to give abstract identity to citizens in order to provide them services and to control their movement. It is vital to remember that we are not our government-issued paperwork.

We are people with our own identities, our own relational lives in our communities. We must not mistake how identity in mass society operates for what it is: a system, a set of technologies to manage identity in mass society.
How can we create systems of digital identity that recognize and support our having continuity across governmental, educational and medical systems, and that protect our First Amendment and privacy rights?

Self in Communities

Communities provide the middle ground in between the Small Society and Mass Society modalities of Identity. Communities of interest, communities of practice and geography give us the affordance to move between different contexts and develop different aspects of ourselves. This type of contextual movement and flexibility is part of what it means to live in cities, and particularly large cities, where people in one context would not necessarily share other contexts. We need to work to ensure the freedom to move between communities is not implicitly eroded in the digital realm. One key way to do this is to build digital systems in which people have the capacity to use non-correlatable identifiers (pseudonyms) across different contexts they do not want linked.

Self in relationship to Employers

The power relationship between an employee and an employer is quite clear. This power relationship is NOT the same as an individual citizen’s relative to their government, or the power relationship of a person relative to the communities they participate in. There is a tension between the employer’s rights and responsibilities and the individual employee’s rights and responsibilities.
For example, should an employer have the “right” to access an employee’s private social network activities, or to surveil their life outside the workplace?
What are the digital assets that are uniquely the employer’s or the employee’s?
How can standards apply across the business world?

Other areas we wish to explore:

Power and Context

The Self in a Small Society is embedded in a social mesh one cannot escape. There is no “other place”; one is defined in that society, and because it is so small one cannot leave. The self in a Mass Society is in a power relationship with the state, where one has rights but must also use the identification system the state issues and manages in order to interact and connect with it.

The self in community gets to navigate a myriad of different communities, each with its own social constructions and its own way that power operates and flows within it: (egalitarian, religious, social) communities, workplaces (traditional owner – worker | worker-owners | holacracy). These communities, needs and responsibilities change over a person’s lifetime.
How can consistent, yet user-centered, identity frameworks support this development?

Where to Start

The start of all our conversations about people’s identity comes from being an embodied being in a social context. Online digital identifiers and systems at their best should support the unfolding of our identities, help us access institutional and government services, and help those systems provide better service.

Contexts in which Identity Lifecycle issues arise:

We are at the beginning stages of exploring how, from a person’s perspective, their online identities can evolve. This is in the process of being refined by looking at the identity needs of the individual, the state and businesses, and where those interests might clash. This is a long-term research project that we are initiating. The idea is to go beyond the usual clashes of privacy and personal rights vs. big data, etc.

This is the beginning of a research project that we are just initiating.
We invite the collaboration of the ID360 and other professional and academic communities.

 

Person’s View / Institutional View

Pre-Birth
    Prenatal Screening
Birth
    Naming
    National Identity Number
    Community Acknowledgement
    Enrollment in Mass Society
    Medical Info
    Adoption
Kid
    School
    After-School
    Camp
    Sports
    Arts
    Online social networks
    Gaming
    Medical
    Biometrics
    RFID Tags
Teen
    Self Expression / Identity Exploration Online
    School ID
    Driver’s License
    Banking Info
    Medical
    Sports
    Social Networking
    Work related
Student
    University/Trade School
    Student Loan
    Social Identity
Adult
    Economic Realm
        Consumer
        Worker
        Owner
        Owner of major items such as Car/Home, Social Identity, Computers / Portable Devices
        Financial
    Community Realm
        Political affiliation
        Local, state/provincial and national government, rights and responsibilities (taxation, licensing, relation to court systems, permits etc.)
        Voting eligibility, residential status, citizenship, entitlement programs
        Religious Affiliation
        Interest Groups
        Service Groups
    Special Needs
        Mental Disabilities
        Physical Disabilities
    Relational
        Married
        Partnered
        Parental
        Divorce
        Blended Families
Elder
    Retirement
    Deteriorating Mental / Physical Condition
    Death
    Post Death Digital Life

Anil John: My 10 Most Popular Blog Posts of 2014

December 14, 2014 07:45 PM

First and foremost, Thank You! Thank you for your continued readership. Thank you for the diverse range of opinions and feedback you have provided on the blog, as well as the extremely positive feedback regarding my email-only newsletter.

Your feedback has helped me to shape the content and topics to better address your challenges in delivering secure and trustworthy digital services. I think you will find the content areas such as risk management, authentication, identity proofing and more, that I am building out, useful.

For this blog post, I ran the analytics to discover which posts you found interesting in 2014. Here are the top ten, in the order they were written.

Click here to continue reading. Or, better yet, subscribe via email and get my full posts and other exclusive content delivered to your inbox. It’s fast, free, and more convenient.


The opinions expressed here are my own and do not represent my employer’s view in any way.

December 13, 2014

Nat Sakimura: I Tried Playing The Christmas Song on the Flute

December 13, 2014 03:00 PM

To everyone who helped me this year, in place of a Christmas card…

The Christmas Song was written by Mel Tormé & Robert Wells on a hot summer day in 1944[1], in the hope that thinking about cold weather would make them feel a little cooler. There was no air conditioning yet back then, so they were aiming for mental air conditioning. Written in just 40 minutes, the song became a huge hit sung by Nat “King” Cole and is now one of the most frequently performed Christmas songs.

Beginning with “Chestnuts roasting on an open fire, Jack Frost nipping at your nose,” the song paints scenes like children with shining eyes who cannot sleep while waiting for presents and who plan to secretly catch the reindeer in flight; it is a very heartwarming song.

To kids from one to ninety-two, I offer these simple words.
Words that have been said many times, in many ways: “Merry Christmas to you.”

As always it is a one-take recording[2], so it has various flaws… Please enjoy. Merry Christmas!

[1] Japan at that time was fighting an all-out war under the slogan “kichiku beiei” (“brutish Americans and British”), with no room to spare at all, which makes the difference in composure between the two sides painfully clear.

[2] And not only that: I have never studied jazz in the first place, so people who really play jazz probably find this a strange performance. When I got this sheet music (Mecha-Mote Flute “The Christmas Song”) six days ago, I was at a loss as to how to play it. Jazz and classical differ in idiom and in everything else…

 

December 12, 2014

Kaliya Hamlin - Identity Woman: We must understand the past to not repeat it.

December 12, 2014 07:31 PM

Please see the prior post and the post before about how we got to discussing this.

We cannot forget that the Holocaust was enabled by the IBM corporation and its Hollerith machine. How did this happen? What were these systems? How did they work? And particularly, how did the private sector corporation IBM end up working with a democratically elected government to do very horrible things to vast portions of its citizenry? These are questions we cannot ignore.

In 2006 Stefan Brands gave a talk that made a huge impression on me. He warned us, an audience of very well-meaning technologists, that we had to be very careful because we could incrementally create a system that could lead to enabling a police state. It was shocking at the time, but after a while the point he was making sunk in and stuck with me. He shared this quote (this slide is from a presentation he gave around the same time):

Stefan

It is the linkability that is the challenge.

We have to have the right and freedom NOT to be required to use our “real name” and birthdate for everything.

This is the de facto linkable identifier that the government is trying to push out over everything so they can link everything they do together.

Stefan proposes another Fair Information Principle.

Stefan6

I will share more of Stefan’s slides because I think they are prescient for today.

Stefan’s slides talk about user-centric technology and ideas in digital identity – ideas that have virtually no space or “air time” in the NSTIC discussions, because everything has been broken down (and I believe intentionally so) into “security”, “standards”, “privacy” and “trust frameworks” silos that divide up the topic/subject in ways that inhibit really tackling user-centrism, or how to build a working system that lives up to the IDEALS that were outlined in the NSTIC document.

I have tried and tried and tried again to speak up, in the year and a half before the IDESG and the 2 years since its existence, to make space for considering how we actually live up to the ideals in the document. Instead we are stuck in a looping process of non-consensus process (if we had consensus I wouldn’t be UN-consensusing on the issues I continue to raise). The IDESG is not taking user-centrism seriously; we are not looking at how people are really going to have their rights protected – how people will use and experience these large enterprise federations.

Yes, everyone, that is what we are really talking about… Trust Framework is just a code word for Enterprise Federation.

I went to the TSCP conference, a big defence/aerospace federation (which was given NSTIC grants to work on Trust Framework Development Guidance), where this lovely lady Iana from Deloitte, who worked on the early versions of NSTIC and potential governance outlines for IDESG, said very very clearly “Trust Frameworks ARE Enterprise Federations” and it was like – ahhh, a breath of fresh, clear, honest air – talking about what we are really talking about.

So back to the Stefan Brands refresher slides on user-centric ID so we don’t forget what it is.

 

Stefan5

 

Stefan4

 

Stefan2

Stefan3

Stefan2

Look at these, take them seriously.

 

Ludovic Poitou - ForgeRock: OpenIG 3.1 is now available…

December 12, 2014 07:04 PM

It’s my great pleasure to announce the general availability of OpenIG 3.1, a minor update of the ForgeRock Open Identity Gateway product, following the press release of early December.

The Open Identity Gateway is a simple standards-based solution to secure access to web applications and APIs. It supports SAMLv2, OAuth 2.0 and OpenID Connect, and can capture and replay credentials, enabling SSO and Federation.

With a four-month release cycle since the previous release, OpenIG 3.1 doesn’t contain many major new features, but it does bring several new enhancements to the product, including:

For the complete details of the changes in OpenIG 3.1, please check the release notes.

You can download the ForgeRock product here. It’s been heavily tested by our Quality Assurance team: functional tests on Windows, Mac and Linux, stress tests as a proxy, with OAuth2 and OpenID Connect, non-regression tests… The documentation has been entirely reviewed and all examples tested. The source code is available in our code repository (https://svn.forgerock.org/openig).

We are interested in your feedback, so get it, play with it and give us your comments, either on the mailing list, the wiki, the OpenIG Forum or through blog posts.


Filed under: Identity Gateway Tagged: API, authentication, authorization, ForgeRock, gateway, identity, identity gateway, openig, opensource, release

Julian Bond: Bruce Sterling: Data globalization sure has had a corrosive effect on international law and order. ...

December 12, 2014 06:52 PM
Bruce Sterling: Data globalization sure has had a corrosive effect on international law and order.  Even "democratic rule of law" governments are capable of any aberration nowadays: assassination, torture, sabotage, abduction, invasion, guerrilla war, surveilling whole populations, jailing journalists, chasing dissidents into exile, over-arming the police, you can name it.
http://brucesterling.tumblr.com/post/104828876008
http://www.economist.com/news/international/21635044-malicious-computer-code-making-spooks-job-easier-ever-spy-who-hacked-me
"IT IS 30 years since William Gibson, an American-Canadian author, wrote...

[from: Google+ Posts]

Julian Bond: I can see this coming in handy one day,

December 12, 2014 01:40 PM
I can see this coming in handy one day,

http://driltracts.tumblr.com/post/103464595307/words-by-dril-art-by-jack-chick

via

http://www.electronicbeats.net/en/features/columns/visual-feels/visual-feels-dril-tracts/
dril tracts — words by @dril, art by jack chick

[from: Google+ Posts]

Kuppinger Cole: Understand Your Access Risks - Gain Insight Now

December 12, 2014 09:47 AM
In KuppingerCole Podcasts

Access Intelligence: Enabling insight at any time – not one year after, when recertifying again. Imagine you have less work and better risk mitigation in your Access Governance program. What sounds hard to achieve can become reality by complementing traditional approaches of Access Governance with Access Intelligence: analytics that support identifying the biggest risks, simply, quickly, at any time. Knowing the risks helps in mitigating them, by running ad hoc recertification only for these ...



Watch online

Kaliya Hamlin - Identity Woman: Faith and the IDESG

December 12, 2014 05:46 AM

Since becoming involved in the IDESG, I have become concerned that we do not have people of religious faith – with that as their primary “identity” – within the context of participating in the organization. Let me be clear about what I mean: we have many people of many faiths involved and I am not disrespecting their involvement. We also don’t have people whose day job is working for faith institutions (that they would take time out from to “volunteer” on this effort to explicitly bring in a faith perspective). Someone from, say, the National Council of Churches would not be a bad thing to have, given that one of the groups of people who today consistently sue against “identity systems” are Christians objecting to ID systems put into public schools to track students. With this proactive faith stance involved, the systems we are seeking to innovate would face less risk of rejection via lawsuit. I also think the views of those from Jewish, Muslim, Sikh, Buddhist, Hindu and other faiths should be proactively sought out.

Another Tweet from the Tampa meeting….

Tampa15

Kaliya Hamlin - Identity Woman: Dear IDESG, I’m sorry. I didn’t call you Nazis.

December 12, 2014 05:42 AM

The complaint by Mr. Ian Glazer was that I called my fellow IDESG colleagues Nazis. He was unsatisfied with my original statement about the tweet on our public management council mailing list. Somehow this led to the Ombudsman taking on the issue, and after I spoke with him in Tampa it was followed by a drawn-out 5-week “investigation” by the Ombudsman before he issued a recommendation. During this time I experienced intensive trolling about the matter on Twitter itself.

Here is the tweet that I authored while pondering theories of organizational dynamics in Tampa, without any intent to cause an association in the mind of a reader with IDESG, NSTIC, nor any person or persons in particular. Note that I did not reference anyone with an @____ or add any signifying hashtags, e.g., #idesg or #nstic, in this tweeted comment.

Tampa11

I own that the tweet was provocative, but it was not my intent to cause harm to anybody or to the IDESG organization and the wider identity community.

I in no way intended to imply that any member of the IDESG has any intention remotely similar to those of the NAZI party of Germany.

I in no way intended to imply that the content of the meeting of the IDESG related to the content of the meeting I referenced in the tweet.

I am very sorry if the tweet had an emotionally negative impact on people on the management council, and particularly those with Jewish heritage.

I fully acknowledge that referencing anything relative to the Nazi era is triggering. It touches on our collective shame and surfaces a vulnerability that is very hard to look at.

I also believe that we have to actually be prepared to do so. If we don’t examine the past we can’t be sure we will not repeat it. [Please click to see my next post, where this is further expounded upon]

I’m sorry I didn’t say something along these lines sooner.

One should not feed the internet trolls and I didn’t.

I was in a process where I felt it was inappropriate to speak about this more until the Ombudsman’s process had run its course.

I think that we all need to keep in mind our roles as Directors of the IDESG when we interact with the public and with each other.

The whole process left me and my attorney puzzled. My attorney wrote a letter to the Management Council/Board of Directors with a whole bunch of questions, and now that this is posted we look forward to their answers to those questions.

December 11, 2014

Kaliya Hamlin - Identity Woman: The Field Guide to Identity: Identifiers, Attributes, Names and More. Part 1 Intro + What is Identity

December 11, 2014 09:53 PM

This paper is still being worked on. I submitted it to the 2014 ID360 Conference hosted by the Center for Identity at the University of Texas at Austin and was set to present it there, until I had to back out because I was still sick from attending the NSTIC meeting in San Jose 2 weeks before. Another version will be submitted for final publication – so your comments are welcome.

Introduction

I was attending a day-long think tank called Forces Shaping the Future of Identity, hosted by the Office of the Director of National Intelligence and facilitated by the Institute for the Future. A man in the audience piped up, “Are we going to define what we mean by Identity?” I smiled :). One can’t go very far in a conversation about identity before someone asks “that” question. It is always asked when space is opened up to discuss the topic.
I have been engaged with communities of technology professionals and with forward-looking civil society organizations circling around the question “what is Identity” for over 10 years. The simple one-liner comprehensive definition that I use is: Identity is socially constructed and contextual. However, it’s just one line. This paper is a Field Guide covering core concepts along with a visual language to represent them, so we can talk about it in a meaningful way across the whole lifecycle from cradle to grave, both online and off and in other times. It builds on the model we used for the Field Guide to Trust Models that I co-wrote last year for the ID360 Conference.

Part 2: Names, Part 3: Identifiers, Part 4: Name Space, Attributes and Conclusion.

This is Part 1:

What is Identity?

Identity is socially constructed and contextual.

Our sense of self arises first from our social interactions with our family of origin. Humans are unique animals in that 80% of our brain growth happens outside of the womb, in the first three years of life. Our family of origin is within the context of a community and, in this age, a broader society that ultimately reaches to be global in scope.
The names we have, identifier systems, and attributes that are articulated all depend on our context, and from there on the social constructions that define these.

Sense of Self

We are told who we are by our family – they give us a name and share with us who we are.

When does it begin? When people recognize you?

When are we recognized as a person? Different cultures have different traditions.
I have had a connection with the 3HO Sikh community. When a woman is 120 days pregnant there is a celebration to welcome the spirit of the child into the community. Women who give birth in that tradition stay at home and don’t go out for 40 days after the child is born.

Self as a Part of Something Greater

We are defined by who we are connected to, our identities as part of something greater. Children seek to understand their environment to understand where they fit in. An example from my childhood is one of my first memories. I remember a Canada Day Celebration we attended in Hastings Park. Being Canadian is to be multicultural. The day had different ethnic communities performing different folk dances on a stage while dressed in traditional dress. At some point they handed out Canadian flags on 30 centimeter (12 inch) flag poles, with a stand made out of shiny gold-colored plastic, in a box. It symbolizes this point in time where I understood myself to be part of something bigger, to be part of the nation I was born in, along with understanding some key values.

Projection of Self

We begin to understand who we are by projecting ourselves into the contexts we find ourselves in and learning from the response – shaping ourselves.
There is an African saying/word – Ubuntu – I am because you are. We are the authors of each other.

Context of Observation

The context of observation matters for shaping our identities. It defines the scope of our freedom of expression and our ability to make choices about context.
There are three different types of observation that are quite different.

Being Seen – a mutual act. I see you, you see me. We see each other.

Being Watched – this is where one is observed, but it is not known by the observee. However, it is known to the observee that they might be watched: for example, walking down one’s street, one knows that one could be seen by any of one’s neighbors looking out their window. One also knows that being inside one’s own home prevents one from being watched. When walking into a store one knows that the storekeeper will see us and watch us in the store, and we know that when we leave the store they will not be able to watch us. When we return to the same store they will likely recognize us (because we are returning in the same body) and know something about us based on prior interactions. In time a relationship of knowing might develop.
It should be noted that our bodies in physical space give away attributes about us that we cannot proactively hide. Because we live in a society that is full of implicit bias, the experiences of different types of people in the world are different. Banaji’s work on implicit bias is a starting point. Following the Trayvon Martin verdict the president gave a speech where he said that before he was president he was regularly shadowed while shopping in stores because he was stereotyped. My partner had this happen to him this fall while shopping at Old Navy, and it was not the first time.

Being Stalked – This is what happens when the watching shifts from an appropriate happenstance window of time to watching over time and space – to following and monitoring our behavior without our knowledge.

Self in Small Society

I have often heard it said that, with the advent of what appears to be ubiquitous digital identity and the fact that we can be “seen”, it is just like it was when we lived in small societies.

In small societies it is said that there is no privacy – everyone knows everyone’s business. There is another layer: a relational human connection that weaves the people in this context together.

They know each other; they can understand when they are seen and know they are being watched as they move about town.

In a small society you also know when you are not being watched, when you are in your own home with your blinds drawn.

A mesh-network of relationships forms over life and inter-generationally, informing identity and role in the society.

Self in Mass Society

The self is shaped by living in a mass society.

We developed systems using the technology of paper and the bureaucratic record keeping of the state as a way to give abstract identity to citizens in order to provide them services. This began first with the pensions given to Civil War veterans. In the 1930s a system was developed to support people paying into and receiving Social Security benefits. The advent of cars as machines that people operate gave rise to the licensing of people to drive them. All of these assigned people numbers by the state so that they could present themselves to the state at a future time and be recognized. It is vital to remember that we are not our government-issued paperwork. We are people with our own identities, our own relational lives in our communities. We must not mistake how identity in mass society operates for who we are: it is a system, a set of technologies to manage identity in mass society.

Self in Communities

Communities provide the middle ground between the Small Society and Mass Society modalities of identity. Communities of interest, communities of practice and geography give us the freedom to move between different contexts and develop different aspects of ourselves. This type of contextual movement and flexibility is part of what it means to live in cities, particularly large cities, where people in one context would not necessarily share other contexts. The freedom to move between different contexts also exists in the digital realm. The internet enabled those in more remote locations to participate in communities of interest and practice well beyond what they could access via their local geography. We need to work to ensure that the freedom to move between communities is not implicitly eroded in the digital realm. One key way to do this is to ensure that people have the freedom to use non-correlatable identifiers (pseudonyms) across the different contexts they do not want linked.

Self in relationship to Employers

The power relationship between an employee and an employer is quite clear. The employer vets potential new employees. They are hired and given access to the employer’s systems to do work for it. When the employee is no longer working for the company, for any number of reasons – retirement, resignation, termination – the employer revokes the employee’s ability to access those services. This power relationship is NOT the same as an individual citizen’s relationship to their government, or the power relationship of a person relative to the communities they participate in. In both of those cases the person has an inherent identity that cannot be “revoked”.

Power and Context

The self in a small society is embedded in a social mesh one cannot escape. There is no “other place”; one is defined in that society, and because it is so small one cannot leave.

The self in a mass society is in a power relationship with the state, where one has rights but must also use the identification system the state issues and manages in order to interact and connect with it.

The self in community gets to navigate a myriad of different communities, each with its own social constructions and its own ways in which power operates and flows: egalitarian, religious and social communities; workplaces (traditional owner and worker, worker-owned, holacracy).

Abstraction

The start of all our conversations about people’s identity comes from being embodied beings. The beauty of the digital realm is that we can abstract ourselves from our bodies and via digital identities interact via digital media. This gives us the freedom to connect to communities beyond those we could access in our local geographic location.

Atoms and Bits

Atoms and Bits are different. The difference between them is still not well understood.

  • “Atoms” Physical things can only be in one place at one time.
  • “Bits” Can be replicated and be in two or more places at once.

Physical Body

Atoms – We each have only one physical body. Our physical bodies can only be in one physical place at once. It is recognizable by other humans we meet and interact with. Because it is persistent we can be re-recognized and relationships can grow and evolve based on this. When we move between contexts in physical space – we can be recognized in different ones and connections made across them. We also have social norms, taboos and laws that help us maintain social graces.

Digital Representation

Bits – When we create digital representations of ourselves we get to extend ourselves – our presences to multiple places at the same time. We can use a digital identity that is strongly linked to the identity(ies) and contexts we use/have in the physical world. We also have the freedom to create a digital representation that steps out of the identity we occupy in the physical realm.

We can be an elf or an orc in an online game.
We can cloak our gender or choose to be a different gender.
We can cloak our race or choose to be a different one when we represent ourselves online.
We can interact on a level playing field when in the physical realm we are confined to a wheelchair.

These identities we create and inhabit online are not “fake” or “false” or “not real”. They are representations of the self. The digital realm is an abstraction and gives us the freedom to articulate different aspects of ourselves outside of the physical world.

Digital Dossier

In the digital realm, because everything is encoded, our movements around digital space leave trails: records of the metadata generated when we click, type, post a photo, pay for a song, or do basically anything online. We leave these behind, and the systems that we interact with collect them and reassemble them into a digital dossier of us. If this behavior happened in the world of atoms, in physical space, it would be considered stalking. We have a stalker economy in which our second selves are owned by corporations and used to judge us and target things at us.

Power in Space & Relationships

The freedom of people to transcend aspects of their physical-world identity is disruptive to some of the default power dynamics.

Disrupting Privilege

The push back against Google+’s requirement for the use of “real names” was led by women and others who use the freedom of the digital realm to step out of the bias they experience in the physical world.

The people who were pro-real-name were largely white men from privileged positions in the technology industry and, implicitly, through their support of the policy, wanted the default privileges they enjoyed in the physical realm to continue into the digital.

Shape of Space

In the physical world we understand how different physical spaces work: how big they are, how many people are in them, what the norms and terms and conditions are. Based on these we have a social understanding.

The challenge in the digital world is that the space is shaped by code and defined by the makers of the contexts, who can change them at will, as has happened repeatedly with Facebook’s changing settings for who could see which personal information. This instability creates mistrust in these systems, particularly among vulnerable people.

The commercial consumer web spaces currently have a structure in which they collect enormous amounts of information about us through their practices of stalking us digitally. This gives them enormous power over us.

Kaliya Hamlin - Identity Woman: The Field Guide to Identity: Identifiers, Attributes, Names and More. Part 2: Names [Technorati links]

December 11, 2014 09:52 PM

This paper is still being worked on. I submitted it to the 2014 ID360 Conference hosted by the Center for Identity at the University of Texas at Austin and was sent to present it there until I had to back out because I was still sick from attending the NSTIC meeting in San Jose 2 weeks before. Another version will be submitted for final publication – so your comments are welcome.

Part 1: Intro + What is Identity?   Part 3: Identifiers   Part 4: Name Space, Attributes and Conclusion.

This is Part 2:

Names

Names are what we call ourselves and what others call us. They are a special kind of identifier because they are the link between us and the social world around us. We present ourselves using names so people know how to refer to us when talking to others or call us when they are talking to us. They convey meaning and have power.

Digital devices can also have names, defined by the administrators of those devices. Places have names given to them by people in a given context; these help us refer to a geographic location. It should be noted that the names that First Nations (Indian or Native American) peoples had for places are different from the ones used by the Americans who colonized their land.

Given Names

These are the names our parents give us when we are born. In America we have a naming convention of a first name and a last name. This convention originates from ___, when states were seeking to impose control.

Name structure in various cultures

Different cultures have very different naming conventions. In Hong Kong there is a convention of an English first name written in English and a last name written in Chinese characters. In Myanmar people generally have only a given name, with no family name.

Meaning in Wisdom Traditions

Different wisdom traditions ascribe different ways to interpret and ascribe meaning in names.

NickName

These arise when people start to refer to us by a different name than the one we might give ourselves. We can take these on and they can become our name. They might arise from our families, from school, from sports teams, social clubs or workplaces. In these different contexts, the name we are referred to by may have nothing to do with the name on our birth certificate and the people using the name to refer to us.

Name on Government Issued Paperwork

We have a convention in the liberal West of registering names with the state. This originated in several practices of the last several hundred years. One key aspect of this is both to provide services to citizens and to control them.

Pen Name / Stage Name

A name used by artists for their artistic expression and authorship. It does not match the name on government-issued paperwork and is often used to obscure the link between the authorship and the government-paperwork name, so that the artist is free to express themselves.

Autonym

A name that one uses to refer to oneself. An example: when Jorge Mario Bergoglio became pope he chose to become Pope Francis.

Pseudonym

A name that one uses to interact in various contexts that may be linked to one’s name on one’s government-issued paperwork. Bob is clearly linked to the name Robert, as Barb is to Barbara or Liz to Elizabeth. It is important to note that many non-European languages also have examples of these.

Mononym

This is a name consisting of a single word. Examples include Stilgarian and Sai. Madonna and Cher are examples of pseudonymous mononym stage names.

Handle

A name that one uses to represent one’s digital identity in online contexts. It arose in computer culture when people needed a user name within a computer system. It is closely related to screen names.

Screen Name

The name that one chooses to have displayed on screen. In a system like World of Warcraft the service knows identity information about its clients, who pay monthly to access the service. It chooses to let those players present to the other players on the system and in the forums a “screen name” that reflects their gaming persona or character name.

Name Haystack

Different names have different qualities of hiding in the haystack of similar or identical names. Some people have huge name haystacks, where tens of thousands of people share the same name: Mike Smith, Joe Johnston, Mohamed Husain, Avi Blum, Katherine Jones. Mike Garcia, who works for NIST, said that there were 17 different Mike or Michael Garcias. People use pseudonyms to help manage the fact that name haystacks exist, making them more or less identifiable depending on the size of theirs.

Roles

RBAC – Role Based Access Control manages the rights and privileges in digital systems based on roles. When a person is assigned a role they inherit its privileges; when the role is removed, the privileges go with it.

Community groups also have different roles. A role can also be earned, for example by getting a degree.

Titles, Given and Created

There is a history of titles being passed down.

Eastern wisdom traditions pass them down from guru to student, creating lineages.

I have had conversations with friends about who the next “Identity Woman” might be. This is an identity that I have constructed to hold an aspect of my self – work focused on people’s rights around their digital selves. I could see at some point handing this identity over to someone else who wants to carry the torch on.

Collective Single Identity

These identities are co-created by two or more people. They are managed and maintained jointly, and the people act together to create a persona.

Kaliya Hamlin - Identity Woman: The Field Guide to Identity: Identifiers, Attributes, Names and More. Part 3: Identifiers [Technorati links]

December 11, 2014 09:52 PM

This paper is still being worked on. I submitted it to the 2014 ID360 Conference hosted by the Center for Identity at the University of Texas at Austin and was sent to present it there until I had to back out because I was still sick from attending the NSTIC meeting in San Jose 2 weeks before. Another version will be submitted for final publication – so your comments are welcome.

Part 1: Intro + What is Identity?   Part 2: Names   Part 4: Name Space, Attributes and Conclusion.

This is Part 3:

Identifiers

For people, names are a special class of identifiers. They are both self-asserted by people and used by others to refer to them and acknowledge them in social contexts.

System Identifiers

In systems (bureaucratic, digital and techno-bureaucratic) identifiers are alphanumeric strings that point at people within the system.

This may seem simple, but there are many different types, and a person with a record in a system will likely have more than one type. To illustrate the different types of identifiers I will share different examples.

Persistent Correlateable Identifiers

This type of identifier is re-used over time, within a context and across multiple contexts.

Examples

Student Number - When I enrolled at my university I was assigned an 8 digit student number. This number was persistent over my time as a student at the school. When interacting with school institutions I was asked to share this number so that activity could be linked together across different facets of the institution.

Social Security Number – This number is issued by the federal government to those born in the US as part of the standard process around birth. It was meant to let those who pay into the Social Security system collect benefits from it when they retire.

Phone Number – People today often have a personal number that they use across many different contexts. It is commonplace to ask for a phone number in order to be able to contact a person. What people don’t know is that these numbers are used to look people up in data broker services. The phone number is used to link together activity across contexts.

E-mail Address – Many people have one personal address and use it across different contexts. What people don’t know is that these addresses are used to look people up in data broker services like RapLeaf.

Directed Identifiers

A directed identifier is created to support individuals using different identifiers in different contexts. The purpose of this is to limit the ability to link records across contexts.

Examples

The British Columbia eID System – This system enrolls citizens and issues a card to them. When a citizen uses the card to access different government systems, it does not present one identifier for the citizen. Rather, for each system it uses a different identifier: an identifier directed at that particular system.

Defacto Identifiers

By combining a name with key attributes, systems create a de facto identifier that uniquely identifies a person, often in the context of a whole society. An example is the use of “name”, “birth date” and “birth place”. It seems innocent enough to be asked for one’s name, birth date and place, but this combination becomes a persistent correlatable identifier that can link and track activity across many systems. The creation of de facto identifiers that are persistent and correlatable limits people’s ability to control how they present in different contexts.
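The following is an added example (not code from the original paper or from the BC eID program) that makes the two contrasting designs above concrete: first a join across two unrelated systems on nothing but the de facto identifier (name, birth date, birth place), then the directed-identifier approach of the BC eID section, where an issuer derives a separate identifier per relying party from one opaque card record. The records, the issuer key and the relying-party names are all constructed for the example; the derivation uses HMAC-SHA256 as an assumed design, not the BC program’s actual mechanism.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample records from two unrelated systems (not real people).
# Neither system holds a system identifier from the other.
HEALTH_RECORDS = [
    {"name": "María José Smith", "dob": "1984-03-09", "birthplace": "Vancouver, BC", "chart": "H-2231"},
    {"name": "Mike Garcia", "dob": "1971-11-30", "birthplace": "Austin, TX", "chart": "H-0097"},
]
LIBRARY_RECORDS = [
    {"name": "MARIA JOSE SMITH", "dob": "1984-03-09", "birthplace": "vancouver bc", "card": "L-55"},
    {"name": "Michael Garcia", "dob": "1971-11-30", "birthplace": "Austin, TX", "card": "L-12"},
]


def canon(text):
    """Fold case, strip accents and punctuation and collapse whitespace, so that
    cosmetic differences between two systems' data entry do not defeat the join."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    letters = "".join(c if c.isalnum() else " " for c in ascii_text.lower())
    return " ".join(letters.split())


def defacto_identifier(rec):
    """name + birth date + birth place: the de facto key that lets unrelated
    systems link records about the same person without any shared identifier."""
    return "|".join(canon(rec[k]) for k in ("name", "dob", "birthplace"))


def link_records(a, b):
    """Join two record sets on the de facto identifier alone.
    (Nicknames such as Mike vs Michael still break the naive join.)"""
    index = {defacto_identifier(r): r for r in a}
    return [(index[defacto_identifier(r)], r) for r in b if defacto_identifier(r) in index]


# --- Directed identifiers: what an issuer can do instead ---------------------

# Assumption: a secret held only by the card issuer, never by relying parties.
ISSUER_KEY = b"constructed-issuer-secret-do-not-reuse"


def directed_identifier(card_record_id, relying_party):
    """Derive a per-relying-party identifier from the issuer's opaque card record id.
    The same card gets a stable identifier at one system, while the identifiers
    handed to different systems cannot be correlated without the issuer's key."""
    message = f"{card_record_id}\x00{relying_party}".encode()
    return hmac.new(ISSUER_KEY, message, hashlib.sha256).hexdigest()[:16]


def try_to_link(ids_a, ids_b):
    """What a broker holding both systems' identifier lists can match up."""
    return sorted(set(ids_a) & set(ids_b))


if __name__ == "__main__":
    for health, library in link_records(HEALTH_RECORDS, LIBRARY_RECORDS):
        print("linked by de facto identifier:", health["chart"], "<->", library["card"])
    cards = [1001, 1002, 1003]
    health_ids = [directed_identifier(c, "health.example") for c in cards]
    library_ids = [directed_identifier(c, "library.example") for c in cards]
    print("cross-system matches on directed identifiers:", try_to_link(health_ids, library_ids))
```

Run stand-alone it links the Smith records on the de facto key despite accents, case and punctuation differences, and then shows that the three cards' directed identifiers at the two relying parties share no values at all. Note that directed identifiers only help if the relying parties are not also collecting the de facto identifier alongside them.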

Opaque Identifiers

An opaque identifier is one that does not give away information about the subject it identifies.

Examples of Opaque Identifiers

The BC government eID program has at its core an opaque identifier on each card; it points to the card record. It is just a number with no meaning. If the holder loses the card, a new opaque identifier is issued for the next card.

Examples of Non-Opaque Identifiers

The National Identity Number in South Africa contains a lot of information. It is a 13-digit number containing only numeric characters, with no whitespace, punctuation or alphabetic characters. It is defined as YYMMDDSSSSCAZ:

  • YYMMDD represents the date of birth (DoB);
  • SSSS is a sequence number registered against the same birth date (females are assigned sequential numbers in the range 0000 to 4999 and males from 5000 to 9999);
  • C is the citizenship: 0 if the person is a SA citizen, 1 if the person is a permanent resident;
  • A is 8 or 9. Prior to 1994 this digit was used to indicate the holder’s race;
  • Z is a checksum digit.
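As an added example (not from the original paper), here is a decoder for the layout just described, which makes the point about non-opaque identifiers tangible: anyone holding the number can read off birth date, sex and citizenship without consulting the issuer. The checksum is verified with the Luhn algorithm, which is what the South African number uses for Z. The two sample numbers are constructed to fit the layout and carry valid check digits; they belong to no real person. The two-digit-year pivot (most recent century that keeps the birth date in the past) is an assumption of this example.

```python
import secrets
from datetime import date

# Constructed sample numbers in the YYMMDDSSSSCAZ layout with valid check digits.
SAMPLE_IDS = ["8403090003086", "7111305012195"]


def luhn_valid(digits):
    """Luhn check over a digit string whose last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """The digit Z that makes payload + Z pass the Luhn test."""
    return next(d for d in "0123456789" if luhn_valid(payload + d))


def parse_sa_id(idnum, today=None):
    """Decode a South African ID number into the attributes it discloses.
    Raises ValueError if the number is malformed or the check digit is wrong."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    if len(idnum) != 13 or not idnum.isdigit():
        raise ValueError("expected 13 digits")
    if not luhn_valid(idnum):
        raise ValueError("check digit mismatch")
    yy, mm, dd = int(idnum[0:2]), int(idnum[2:4]), int(idnum[4:6])
    # Assumption: pick the most recent century that keeps the birth date in the past.
    year = 2000 + yy if 2000 + yy <= today.year else 1900 + yy
    dob = date(year, mm, dd)                # ValueError on an impossible date
    if dob > today:
        dob = date(year - 100, mm, dd)
    sequence = int(idnum[6:10])
    citizenship = idnum[10]
    if citizenship not in "01":
        raise ValueError("citizenship digit must be 0 or 1")
    legacy = idnum[11]
    if legacy not in "89":
        raise ValueError("position 12 must be 8 or 9")
    return {
        "date_of_birth": dob,
        "sex": "female" if sequence < 5000 else "male",
        "sequence": sequence,
        "citizen": citizenship == "0",
        "legacy_race_digit": legacy,
    }


def is_well_formed(idnum, today=None):
    """Boolean wrapper around parse_sa_id for callers that only need a verdict."""
    try:
        parse_sa_id(idnum, today)
        return True
    except ValueError:
        return False


def opaque_identifier():
    """Contrast: an opaque identifier (as on the BC card) carries no attributes;
    the only way to learn anything from it is a lookup in the issuer's records."""
    return secrets.token_hex(8)


if __name__ == "__main__":
    for idnum in SAMPLE_IDS:
        print(idnum, "->", parse_sa_id(idnum))
    print("opaque:", opaque_identifier())
```

The decoder is also a reminder that a checksum is an integrity check against typos, not a security control: it is trivially recomputable, so it does nothing to stop someone fabricating a plausible number.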

The US Social Security Number was created via a formula, so the number gives away information about the person it identifies: before the Social Security Administration randomized assignment in 2011, the first three digits indicated the state in which the number was issued.

Phone numbers give away information about the metro region in which the number was originally issued (with number portability the person may long since have moved, but the number still says where it came from).

End-Point

Some identifiers that represent people are also end-points to which messages can be sent.

Physical Address

It is often forgotten in conversations about digital identity that we had a system of end-points for people before networks: the mailing address. The system of mailing addresses was developed and is maintained by the US Postal Service.

Network Address

Phone Number – Now with cellular phones people have their own phone numbers (not just one for a household or a workplace as a whole). This permits voice calls, text messages and MMS multimedia messages. The name space for phone numbers originates with the ITU-T (recommendation E.164). They are globally unique. They are also recyclable.

E-mail Address – These addresses permit people to send messages to the address a person has. They are globally unique: the local part is unique within its domain, and the name space for domain names resides with ICANN. They are also recyclable.

Device Identifier

Many digital devices have unique identifiers. Activity on digital networks can be linked together by tracking the activity originating from a particular device, even if the people using them .

Non-End-Point

These are identifiers that do not resolve in digital or physical networks.

Document Identifiers

Documents like birth certificates have serial numbers that identify the document.

Document Validation Systems

These systems are used to look up which documents are in fact valid. When properly constructed they don’t give away any information about the person. Those using the system type in the serial number of the document and the information it contains, and the system simply returns a Yes/No answer about whether it is valid.
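As an added example of the “properly constructed” validation system described above (this is illustrative code, not any real registry’s implementation), the registry below stores only keyed digests of the serial number plus the fields printed on the document, so the stored table discloses nothing about holders, and the sole query returns a boolean. Because a Yes/No oracle can still be driven to confirm guessed field values one at a time, failed lookups are counted per serial and the serial is locked after a budget is exhausted. The registry key, the lockout budget and the sample birth certificate are assumptions of the example.

```python
import hashlib
import hmac

# Assumptions for the example: a secret held only by the registry, and a
# per-serial budget of failed lookups before the serial is locked.
REGISTRY_KEY = b"constructed-registry-key"
MAX_FAILED_LOOKUPS = 5


class DocumentValidator:
    """Yes/No document validation that stores nothing about the holder.

    The registry keeps only HMAC-SHA256 digests of (serial, printed fields).
    A leaked table or a curious operator learns no names or dates, and the
    only question the system answers is "is this exact document valid?"."""

    def __init__(self, key=REGISTRY_KEY):
        self._key = key
        self._valid = set()      # digests of currently valid documents
        self._failures = {}      # canonical serial -> failed lookup count

    @staticmethod
    def _canon_serial(serial):
        return serial.strip().upper()

    @classmethod
    def _canon(cls, serial, fields):
        """Normalise what the verifier typed so spacing and case do not matter."""
        parts = [cls._canon_serial(serial)]
        parts += [f"{k}={str(fields[k]).strip().lower()}" for k in sorted(fields)]
        return "\x1f".join(parts).encode()

    def _digest(self, serial, fields):
        return hmac.new(self._key, self._canon(serial, fields), hashlib.sha256).digest()

    def register(self, serial, fields):
        self._valid.add(self._digest(serial, fields))

    def revoke(self, serial, fields):
        self._valid.discard(self._digest(serial, fields))

    def is_locked(self, serial):
        return self._failures.get(self._canon_serial(serial), 0) >= MAX_FAILED_LOOKUPS

    def is_valid(self, serial, fields):
        """The single Yes/No answer. A wrong guess at any field counts against
        the serial, so the oracle cannot be used to fill in a holder's details."""
        key = self._canon_serial(serial)
        if self.is_locked(key):
            return False
        ok = self._digest(serial, fields) in self._valid
        if not ok:
            self._failures[key] = self._failures.get(key, 0) + 1
        return ok


if __name__ == "__main__":
    # Constructed sample document; no real person.
    registry = DocumentValidator()
    registry.register("BC-1984-00231", {"name": "Sai Example", "dob": "1984-03-09"})
    print(registry.is_valid("bc-1984-00231 ", {"name": "SAI EXAMPLE", "dob": "1984-03-09"}))  # True
    print(registry.is_valid("BC-1984-00231", {"name": "Sai Example", "dob": "1984-03-10"}))   # False
```

Revocation is just removing the digest, which means a revoked document looks exactly like a forged one to the verifier: the system never explains why the answer was No.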

Beacons

A beacon is a digital device that broadcasts a persistent correlatable identifier to any device that asks for it. It creates a way of tracking people and their devices in the physical world.

Examples

RFID chips, cellular phones, laptop computers

Polymorphic

These systems generate different identifiers depending on context.

Examples

The BC eID system’s way of using one card that then supports the use of different identifiers depending on context.

Time Limited & Revocable

Some identifiers are created to point at a person but are revocable. An example is a phone number, which, after one stops paying one’s phone bill for a month, is re-assigned to another person. An employee at a company may have an employee number that is revoked (no longer valid) once employment is terminated. A passport number is an identifier with a time limit: it is good for 5 or 10 years. A landed immigrant card (green card) in the US is only good for 10 years.

Un-Revocable

These identifiers are persistent and are not revoked. Examples include Social Security Numbers.

Identifier Issues

Identifier Recycling

Some identifiers live in systems where an identifier pointing at one person can be discontinued (they stop paying their phone bill or stop using their e-mail address) and then re-assigned to a different user. Any account that uses such a recycled identifier as its login or as its password-reset channel can then be reached by the identifier’s new holder.

Delegation (Acting on Behalf of Another)

This functionality is critical to a variety of user populations: elders who want to delegate access to their accounts to their children; service professionals who have contractual relationships with clients, such as an accountant managing access to financial and tax records. Most systems are designed on the assumption that people themselves are the only ones accessing their accounts. This creates a problem when people want to delegate access: they have to turn over their own credentials, so the person they are delegating to “pretends” to be the actual user.
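The following added example (illustrative code, not from the original paper) ties together three passages: the role-based access control sketched under Roles in Part 2, the time-limited and revocable identifiers above, and the delegation problem just described. It models a small account service in which a person inherits permissions from assigned roles, can delegate a subset of them to someone else for a limited time, and can revoke the grant; crucially, the audit log records the delegate as the actor, which is exactly what is lost when credentials are shared instead. The roles, permissions, names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: constructed roles and permissions for a small financial-records service.
ROLE_PERMISSIONS = {
    "account_holder": {"view_statements", "pay_bills", "change_address"},
    "support_agent": {"view_statements"},
}

DAY = timedelta(days=1)


def at(year, month, day):
    """Helper for fixed, timezone-aware timestamps in examples and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Grant:
    """A scoped, time-limited delegation from one person to another."""
    grantor: str
    delegate: str
    permissions: frozenset
    expires_at: datetime
    revoked: bool = False


class AccessPolicy:
    def __init__(self):
        self.user_roles = {}      # user -> set of role names
        self.grants = []          # delegation grants, including expired/revoked ones
        self.audit = []           # (actor, subject, action, allowed)

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user):
        """RBAC: a person inherits the permissions of every role assigned to them."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def delegate(self, grantor, to, permissions, ttl, now):
        """Create a grant. Nobody can delegate more than they hold themselves."""
        permissions = frozenset(permissions)
        missing = permissions - self.permissions_of(grantor)
        if missing:
            raise PermissionError(f"{grantor} cannot delegate {sorted(missing)}")
        grant = Grant(grantor, to, permissions, now + ttl)
        self.grants.append(grant)
        return grant

    def revoke_grant(self, grant):
        grant.revoked = True

    def check(self, actor, subject, action, now):
        """Decide whether `actor` may perform `action` on `subject`'s account and
        record who actually acted. With shared credentials the log would instead
        show the subject acting on their own behalf."""
        if actor == subject:
            allowed = action in self.permissions_of(actor)
        else:
            allowed = any(
                g.grantor == subject and g.delegate == actor and not g.revoked
                and now < g.expires_at and action in g.permissions
                for g in self.grants
            )
        self.audit.append((actor, subject, action, allowed))
        return allowed


if __name__ == "__main__":
    now = at(2014, 12, 11)
    policy = AccessPolicy()
    policy.assign_role("alice", "account_holder")
    grant = policy.delegate("alice", "bob", {"view_statements"}, 30 * DAY, now)
    print(policy.check("bob", "alice", "view_statements", now))             # True
    print(policy.check("bob", "alice", "pay_bills", now))                   # False: not delegated
    print(policy.check("bob", "alice", "view_statements", now + 31 * DAY))  # False: expired
    policy.revoke_grant(grant)
    print(policy.check("bob", "alice", "view_statements", now))             # False: revoked
    print(policy.audit)
```

The design choice worth noticing is that `check` takes both an actor and a subject. Systems that only have a notion of "the logged-in user" cannot express delegation at all, which is why their users end up sharing passwords.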

Stewardship (Care-Taking – Oversight)

There is another role, slightly different from delegation, where someone turns over a power-of-attorney-like function for a particular account or set of functions. Stewardship of identity is the type of relationship a parent has to a child’s identity, or the type of care needed to help the mentally disabled with their interactions online.

The Mesh of Pointers

We end up with identifiers working together as a web of pointers towards a particular individual.

Kaliya Hamlin - Identity Woman: The Field Guide to Identity: Identifiers, Attributes, Names and More. Part 4: Name Spaces, Attributes, Conclusion [Technorati links]

December 11, 2014 09:51 PM

This paper is still being worked on. I submitted it to the 2014 ID360 Conference hosted by the Center for Identity at the University of Texas at Austin and was sent to present it there until I had to back out because I was still sick from attending the NSTIC meeting in San Jose 2 weeks before. Another version will be submitted for final publication – so your comments are welcome.

Part 1: Intro + What is Identity?   Part 2: Names   Part 3: Identifiers

This is Part 4:

Name Spaces

Different identifier systems work differently: some originate from physical space and others operate purely in the digital realm.

Local

A great example of a local name space in the physical world is a school classroom. It is not uncommon in American classrooms, when there is a name-space clash (that is, two people have the same name in the same space), for them to take on different names so as to be identifiable within that context. Take for example those with the names “Stowe”, “Fen” and “Chris” – each is one part of the name Christopher: Chris – Stowe – Fer. When they were in grade school each took on a different part of the name and it stuck with them.

Global

In these name spaces identifiers are unique and global: phone numbers, domain names and thus e-mail addresses.

Private

Some private name spaces seem like global name spaces, but they are run by private companies under privately decided terms and conditions. Examples include Skype handles and Twitter handles.

International Registry

These are identifiers in a global space that are registered and managed globally; an example is domain names.

Attributes

Self Asserted

These are attributes that people define for themselves. They include things that are subjective, like “favorite color” or “name”.

Inherent

These arise from the individual and typically do not change (such as birth date); they are not as morphable. Sex and ethnic identity are things that people have and display in the physical world that don’t (typically) change throughout one’s life.

Ascribed

These are attributes that are given to us by others or by systems. This may include names that are imposed on us by social convention and/or power relationships.

Assigned

These are attributes that are given to us by others or by systems.

Examples:

Social Security Numbers are assigned by the Social Security Administration.

Conclusion

Identity is a big topic, and outlining the core concepts needed to understand it was the purpose of this paper. We need to think about how the systems that manage identity are structured. Are they designed to have power over people, to support people having power with one another, or to enable power to be networked between us to create something greater than ourselves? These questions are relevant across the whole life-cycle of identity, from cradle to grave.

Ian Glazer: Showing my work [Technorati links]

December 11, 2014 07:53 PM

A few weeks back I posted my 9 step process for building a presentation. I wanted to share some examples of that process in action. What follows are glimpses of my “No person is an island” talk, which I delivered at Defrag in November.

Step 1 – Finding the Nucleus

I had two quotes that served as the nucleus for this deck.

hierarchies and our love for them is the strange love child of Confucius and the military industry complex

and

treating people like just nodes just rows in a database is, essentially, sociopathic behavior. it ignores the reality that you, your organization, and the other person, group, or organization are connected

Step 2 – Build and outline

I use OmniOutliner for my outlines.  Here’s a PDF of it: no one is an island outline

Step 3 – Write the speech

You can read the final version here, but if you want to see the original with my notation for pictures, check this out.

Steps 4 & 5 – Skeleton Deck to Version 1 Deck

This was a bit of an unusual presentation for me in that I had material from another presentation I wanted to include. That helped get me to a more polished-looking version 1 of the presentation than I usually have. Just a heads up – I usually work in Keynote, but to be fair to my non-Mac friends I have posted the deck as a PDF: No person is an island v1

Steps 6 to 9 – Getting to ship the deck

I ended up doing 5 revisions to this deck. Usually I do about 10. Here’s the final version:

No Person is an Island: How Relationships Make Things Better from iglazer

Courion: Risk-aware IAM: A Hot Topic for a Cold December [Technorati links]

December 11, 2014 07:27 PM

Access Risk Management Blog | Courion

Nick Berents: At last week’s Gartner IAM Summit in Las Vegas, it was fascinating to see how the conference has grown. Over 1,200 attendees made this the largest Gartner IAM event to date, which says there is a huge amount of interest in identity and access management. Many were there to understand the basics, but there was plenty for IAM professionals looking to strategize for the future and seeking to maximize their IAM investment.

The highlights for Courion were two presentations that attracted close to 200 attendees. One was a case study featuring our own Kurt Johnson and Mark Teehan, an IAM Program Manager from Harvard Pilgrim Health Care.

In the presentation Mark described how his organization, a health benefits company that serves more than 1.2 million members, expanded its IAM program to reduce access risk across the organization by constantly monitoring and analyzing data generated by its IAM systems. The company has moved beyond provisioning and certification by implementing tools and processes to proactively identify and remediate the access issues that lead to business risk. For example, the organization has reduced orphaned and abandoned accounts and established a management process for system and non-human accounts, and has reduced accounts with privileged capabilities and those with unnecessary access. The session really resonated with attendees, judging by the number of questions and post-session conversations that occurred.

I held a lunch session that described how to assess risk before an IAM implementation. I reviewed how an Identity and Access Intelligence solution can help diagnose access risk in any organization and how an organization can take the findings from that diagnosis to formulate an actionable remediation plan. I spoke with a number of attendees who are working on the basics of IAM but who can clearly see the value of being more proactive. These attendees confirmed their desire to eventually deploy a continuous monitoring solution to address access risk.

For conference attendees who missed either session, or anyone who is interested in the topic, I highly recommend tuning into our upcoming webinar:

Tim Callahan, CISO of Aflac, and Kurt Johnson, VP of Strategy for Courion will present, Keep a Constant Vigil: Risk-Aware IAM on Monday December 15th at 11:00 a.m. Eastern.

This webinar will help an IAM professional at any level. I hope you can tune in!


blog.courion.com

Katasoft: Stormpath and Django [Technorati links]

December 11, 2014 03:00 PM

Django logo

One of the really nice things about Django is that it ships with a fantastic ORM, user authentication, and admin panel. These three things make building secure Django websites incredibly easy, and generally make Django sites more secure than their counterparts.

This is why I’m super excited to announce that as of very recently, Stormpath officially supports Django >:)

Our new django-stormpath library allows you to keep using all of the normal Django auth system stuff, while completely handling all scaling and security issues.

If you’re not already familiar with Stormpath, what we do is really quite simple: we store user accounts for your application. We do one thing, and we do it well.

Our service will store your users, handle all the password hashing and security, and provide wrappers around common bits of functionality like:

So — with that said, what makes our new Django library awesome is this: if you want a managed service for storing / accessing user data, Stormpath makes things super easy.

Using django-stormpath

The way you use our new django-stormpath library is pretty simple.

Firstly, you need to install the library using pip:

$ pip install django-stormpath

Next, you’ll need to add a few settings in your settings.py file:

import os

INSTALLED_APPS = (
    # ...
    'django_stormpath',
)

# Replace Django's default ModelBackend so password checks go to Stormpath.
AUTHENTICATION_BACKENDS = (
    'django_stormpath.backends.StormpathBackend',
)

AUTH_USER_MODEL = 'django_stormpath.StormpathUser'

# Your Stormpath credentials, these can be retrieved from your dashboard.
# If you don't have an account, go make one!  https://api.stormpath.com/register
# Keep the API key id and secret out of settings.py and out of version control:
# read them from the environment (or a secrets store) at startup instead of
# pasting the literal values here.
STORMPATH_ID = os.environ['STORMPATH_ID']
STORMPATH_SECRET = os.environ['STORMPATH_SECRET']
STORMPATH_APPLICATION = 'https://api.stormpath.com/v1/applications/xxx'

The settings above are all you need to get things working.

Once you add in the settings above, your Django site will start magically working with Stormpath. The way things work is pretty cool:

Not bad, right?

Hosted Login / SSO

In addition to using Stormpath for your Django user storage — you can also use Stormpath’s hosted login pages if you’d like.

The way this works is also pretty cool:

To learn more about this, check out the relevant docs.

I really like the hosted login stuff as it makes building single-sign-on applications super easy.

Feedback?

Since this is a brand new integration for us, we’d love to get your feedback! If you have any thoughts, please send us an email.

-Randall

Kuppinger Cole: Seven Fundamentals for Future Identity and Access Management [Technorati links]

December 11, 2014 01:34 PM
In Martin Kuppinger

Identity and Access Management is changing rapidly. While the traditional focus has been on employees and their access to internal systems, with an emphasis on the HR system as the leading source for identity information, Identity Management has to address a far more complex environment today.

Over the past several years, we have already seen a number of drastic changes triggered by Cloud Computing, Mobile Computing, and Social Computing. Different deployment models and the management of access to Cloud applications, authentication and secure information access of mobile users, and the ever-tighter integration of business partners and customers has, for some time, had a massive impact on the way Identity and Access Management is done.

But these changes are just the tip of the iceberg. Users accessing services through apps, access management for operational IT, and the Internet of Things (or, better, the IoEE as the Internet of Everything and Everyone) with billions of things that all have identities (and belong to someone or something) are three mega-trends that will further change the role of Identity and Access Management.

Traditional concepts for Identity and Access Management that have been focused on the internal IT are no longer sufficient. We still need some of these, but they cover only a fraction of the future scope – and for some organizations already today’s scope – of Identity and Access Management.

Instead of traditional concepts for Identity and Access Management, organizations should define a new view of that topic. The following seven Fundamentals for future Identity and Access Management might help organizations shape their own strategy and roadmap for Identity and Access Management.

Fundamental #1: More than humans – It’s also about Identities of things, devices, services, and apps

Everything has an identity. Whether it is something like a smart meter, one of the various connected elements in connected vehicles, or a device within the realm of wearable computing, everything has an identity. They might require access that has to be managed. They will be accessed from devices through apps, all requiring an identity. Identity and Access Management is no longer about the human accessing a particular system, but about humans, things, devices (which we might consider just being things), services and apps (which again might be considered just a specific type of service) accessing and interfacing with other humans, things, devices, services and apps. That drastically changes the number of identities we have to deal with. It changes authentication. It requires management of relationships between identities. It massively expands the scope of Identity and Access Management.

Fundamental #2: Multiple Identity Providers – We will not manage all identities internally anymore and trust will vary

There is no central directory anymore, neither for humans nor for all the other things and services. We cannot manage millions of customers the same way we manage thousands of employees. Furthermore, many people do not want to re-register again and again with other companies. They want to re-use identities. BYOI (Bring Your Own Identity) is an increasingly established concept. In the future, there will be even more Identity Providers. Trust will vary, and we will need to understand risk and context (see Fundamental #7).

Fundamental #3: Multiple Attribute Providers – There will no longer be a single source of truth and information on identities

There will not only be different Identity Providers, there will also be different Attribute Providers. This is not really new. The HR system never ever was the only source of truth and information about identities. Many attributes never showed up there, and a number of changes always have been triggered by other systems or manually – just think about the process of immediately blocking all access of an employee that has been terminated. This happens first in the Identity and Access Management system, while the lay-off is reflected later in the HR system. But even the “Corporate Directory” that in some organizations is considered as being the single source of truth will not withstand the evolution towards an Identity and Access Management, which not only supports Cloud, Mobile, and Social Computing, but also OT (Operational Technology) security, APIs (Application Programming Interfaces, which apps, services and systems interact with each other through and which need to be protected) and the apps, and the Internet of Things. There will be many sources of trust for various attributes.

Fundamental #4: Multiple Identities – Many users will use different identities (or personas) and flexibly switch between these

There is no 1:1 relationship between persons and their digital identities. A person might have different identities. At a higher abstraction level, a person might be an employee, a freelance contractor, and a customer of the same corporation all at the same time. One person, multiple identities. On a more concrete level, a person might switch from their Facebook account to Google+ to self-registration to a type of account we do not even know yet (trends are changing rapidly on the Internet), but it remains the same customer. Organizations have to understand that it is still the same person – otherwise they will lose the former relationship.

Fundamental #5: Multiple Authenticators – There is no single authenticator that works for all

Simply stated, username and password do not work for wearable computing. More generally, there are so many different types of identities and related elements in future Identity and Access Management, that it becomes just too obvious that there is no common denominator for authentication anymore. Username and password have served (but not well…) for this purpose for decades. Many companies tried to standardize on a specific strong authentication technology to overcome their limits. Now, we have to accept that there is no single approach we can rely on. We will have to support different authentication mechanisms, while understanding the risk and making risk-aware access decisions – see Fundamental #7.

Fundamental #6: Identity Relationships – We must map humans to things, devices, and apps

Things belong to humans or organizations. They might be part of bigger things – just think about the connected vehicle. Humans use devices with apps to access services. The apps act on their behalf. What this means is that there are complex relationships between identities. Future Identity and Access Management must understand and manage these relationships in order to make the right decisions.

Fundamental #7: Context – Identity and Access Risk varies in context

A key concept of Future Identity and Access Management is context. Which device is someone using? Which type of authentication? Where is the device used? There are many elements that make up the context. Depending on that context, risk varies. Identity and Access Management has to become risk-based and, with the ever-changing context, dynamic. While today’s static access controls implicitly reflect a risk understanding in a static context, future access controls and decisions must become dynamic to adapt to the current context.

These Fundamentals help define the scope, strategy, and roadmap for future Identity and Access Management.

Kantara Initiative: Empowering Users in the Data Driven Economy

December 11, 2014 11:49 AM

Imagine a world where public and private services and e-commerce are powered by masses of personal data, and digital experiences are highly customizable and optimized for personal preferences and experience. Each experience is unique and tailored to engage users further and on an on-going basis.

To some, the idea of a hyper-personalized and seamlessly connected experience is quite attractive. To others this vision is frightening, particularly considering that participation in this optimized experience world may become less voluntary and more mandatory to access even the simplest of public or private sector services and benefits.

The Data Driven Economy

These concepts of seamless and personalized experiences make up a portion of the fabric of the data driven economy. Development of the data driven economy presents vast opportunities for connection between users, business, and governments. The data driven economy can bring economic growth through job-generating business and entrepreneurial innovation. Data driven services can help governments to better connect their citizens to public services. This hyper-connected world also introduces amplified risks with regard to user privacy and data security. In light of the exponentially growing set of economic opportunities, the Organisation for Economic Co-operation and Development (OECD) is focusing part of its agenda on the evolution of the data driven economy. Kantara Initiative is present for the discussion through our participation in the OECD through the Internet Technical Advisory Committee (ITAC).

User Value Principles

As many aspects of our digital society speed toward strategies considering a data driven economy, we take a moment to reflect upon core user value principles that will support the realization of data driven economic benefits for society as a whole.  Principles that, when mindfully innovated upon, will engage customers and citizens to drive adoption and sustain positive relationships.

Value Principles for respect of the user in the data driven economy:

User Data Power Plants

With respect to development of data driven economies, there are substantial benefits to broadening focus from collection and management of personal data to working mindfully to build processes and systems that respect and actively engage with users. Participatory users represent “data power plants” that generate the fuel for innovation that powers applications, services and more. Respecting users and helping them to take a more active role in the use and management of their data strengthens user-to-service or user-to-brand relationships.

User Consent is Not Enough

It may be tempting to consider that the solution for respectfully engaging users is as simple as ensuring they have provided consent for data collection and use. However, today many users are still challenged to understand how their data flows through services generating a connected life digital footprint. Furthermore, users are challenged to consider current and future implications of their digital footprint. This lack of understanding makes user consent one of the “biggest lies” in the online experience. The Internet Society, a Member of the Kantara Initiative Board of Trustees, has generated excellent resources to help users to better understand the impact of their personal data digital footprint.

Kantara Initiative Helping to Enable IoT Opportunities

Kantara Initiative Members are working in a number of ways to help empower the user connected life experience.

  1. The Identity Assurance Work Group (IAWG) builds Trust Frameworks to verify specific actors in the trust layer of on-line transactions.
  2. User Managed Access (UMA) provides an open standard approach solution to empower users to control, manage, and interact with their data resources.
  3. Consent and Information Sharing Work Group (CISWG) develops solutions like OpenNotice and the Minimum Viable Consent Receipt.
  4. Identities of Things (IDoT) provides a landscape review of the identity layer of the IoT landscape.

Kantara Members are doing more to empower, respect, and engage the user to help business and governments realize the societal and economic opportunities of IoT!

– Joni
Executive Director, Kantara Initiative


Nat Sakimura: "Do we really need consent at all?" – WirelessWire News

December 11, 2014 03:36 AM

I was featured in WirelessWire News.

"Do we really need consent at all?" – WirelessWire News.

To add a little clarification, what I wanted to say was:

  1. "Explicit consent" is "not needed" because, at the stage where it becomes necessary, it is already something one should not consent to (since it means the service is trying to collect data that is not needed for its direct business purpose). The basis should be "implicit consent".
  2. For people today, who walk around constantly leaking data in a society with cameras everywhere, collection keeps happening in real time regardless of time and place. In other words, compared with the past, the share of "collection by observation" increases. In this case, "consent before collection" breaks down, and there is no choice but to shift to "consent before use".
  3. "Collection by inference (profiling)" includes both things that benefit the individual and things that harm them. If the individual knows that the underlying data is being collected, opting out of the data is easy, and the probability of benefit is far higher than the probability of harm, then couldn't being "treated well" in this way be handled as within the individual's expectations, that is, as within the scope of "implicit consent"? On the other hand, if a disadvantage does arise for that individual, the company must at least notify them and obtain consent for the use.

That's it. I never said that "consent" is unnecessary, lol.


December 10, 2014

Kuppinger Cole: FIDO Alliance announces final FIDO 1.0 specifications

December 10, 2014 10:16 PM
In Alexei Balaganski

Yesterday, culminating over 20 months of hard work, the FIDO Alliance published the final 1.0 drafts of its Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) specifications, apparently setting a world record in the process as the fastest development of a standard in the Identity Management industry.

I wrote a post about the FIDO Alliance in October, when the first public announcement of the specifications was made. Since that time, I've had an opportunity to test several FIDO-compatible solutions myself, including the Security Key and Yubikey Neo-N from Yubico, as well as the FIDO Ready fingerprint sensor in my Galaxy S5 phone, which now lets me access my PayPal account securely. I've studied the documentation and reference code for building U2F support into web applications and cannot wait to try it myself, seeing how easy it looks. Probably the only thing that's stopping me right now is that my favorite browser hasn't implemented U2F yet.

Well, I hope that this will change soon, because that's what publishing finalized specifications is about: starting today, FIDO Alliance members are free to officially market their FIDO Ready strong authentication solutions, and non-members are encouraged to deploy them with peace of mind, knowing that their implementation will interoperate with current and future products based on these standards. Press coverage of the event seems to be quite extensive, with many non-technical publications picking up the news. I believe that to be another indication of the importance of strong and simple authentication for everyone. Even those who do not understand the technical details are surely picking up the general message of "making the world free of passwords and PINs".

Those who are interested in technical details would probably be interested in the changes in the final version since the last published draft. I’m sure these can be found on FIDO Alliance’s website or in one of their webinars. What is more important, however, is that products released earlier remain compatible with the final specification and that we should expect many new product announcements from FIDO members really soon. We should probably expect more companies to join the alliance, now that the initiative is gaining more traction. Mozilla Foundation, that includes you as well!

In the meantime, my congratulations to FIDO Alliance on another important milestone in their journey to the future without passwords.



Kuppinger Cole: Access Governance for Today's Agile, Connected Businesses

December 10, 2014 09:09 AM
In KuppingerCole Podcasts

In today’s fast changing world the digitalization of businesses is essential to keep pace. The new ABC – Agile Businesses Connected – is the new paradigm organizations must follow. They must connect to their customers, partners and associates. They must become agile to respond to the changing needs of the market. They must understand, manage, and mitigate the risks in this connected world. One important aspect of this is the governance of the ever-increasing number of identities – customers, ...



Watch online

Ludovic Poitou (ForgeRock): New features in OpenIG 3.1: Statistics

December 10, 2014 08:28 AM

OpenIG 3.1 is almost out the door… Just a few days of testing and it will be generally available.

The new version introduces a general purpose auditing framework, and some basic monitoring capabilities. Mark wrote a blog post describing the details of the auditing framework and the monitoring endpoint. I’ve started playing with it for demonstration purposes and wanted to get more out of it.

If you want to expose the monitoring endpoint, you need to add the following 00-monitor.json file under .openig/config/routes/ and decorate a few handlers as Mark describes in his post. You might also want to extend this configuration to require authentication and avoid letting anyone have access to it.

The monitoring endpoint allows you to display basic statistics about the different routes: the counts of in-progress requests, completed requests and failures. The output looks like this:

{"Users":{"in progress":0,"completed":6,"internal errors":0},
 "main":{"in progress":1,"completed":1074,"internal errors":0},
 "groups":{"in progress":0,"completed":4,"internal errors":0},
 "Default":{"in progress":0,"completed":16,"internal errors":0},
 "monitor":{"in progress":1,"completed":1048,"internal errors":0}
}

Each key represents a route in OpenIG, including the "monitor" route itself, with "main" representing the sum of all routes.

I was thinking about a better way to visualise the statistics and came up with the idea of a monitoring console. A few lines of Javascript, using JQuery and Bootstrap, an additional configuration file for OpenIG and here’s the result:

[Screenshot: the OpenIG monitoring console]

As you can see, this adds a new endpoint with its own audit: /openig/Console. The endpoint can be protected like any other route using OAuth2.0, OpenID Connect, SAML or basic authentication.

Let’s look at what I’ve done.

I’ve added a new route under ~/.openig/config/routes: 00-console.json with a single StaticResponseHandler. Instead of adding the whole content in the json file, I’ve decided to let the handler load the whole content from a file (named console.html). This allows me to separate the logic from the content.

00-console.json

{
    "handler":{
        "type": "StaticResponseHandler",
        "config" : {
            "status": 200,
            "entity": "${read('/Users/ludo/.openig/config/routes/console.html')}"
        }
    },
    "condition": "${exchange.request.method == 'GET'
        and exchange.request.uri.path == '/openig/Console'}",
    "audit" : "Console"
}

Note that if you are copying the 00-console.json file, you will need to edit the file location to match the absolute path of your console.html file.

Now the console.html file is actually a little bit long to display here. But you can download it here.

But it's a basic HTML page, which loads jQuery and Bootstrap:

<!DOCTYPE html>
<html lang="en">
<head>
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.0/css/bootstrap.min.css">
<!-- Optional theme -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/css/bootstrap-theme.min.css">
<!-- Latest compiled and minified JavaScript -->
<script src="//code.jquery.com/jquery-1.11.1.min.js"></script>
...

And at a regular interval (the default is 3 seconds), it gets the statistics from the monitoring endpoint and displays them as a table:

...
<script>
$(document).ready(function () {
    setInterval(function () {
        $.get("/openig/monitor").success(writeRoutesStats);
    }, 3000);
});
...

The whole Console fits within 60 lines of html and javascript, including some logic to use different colours when internal errors occur on a route.
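As an added illustration of the rendering logic the console performs (this is not Ludovic's console.html, and it leaves out jQuery and Bootstrap so it runs under node), the following turns the monitor endpoint's JSON into table rows, marks routes that report internal errors, and checks that the "main" total really is the sum of the other routes. The sample object is constructed to match the JSON shown above; the Bootstrap class names chosen per state are this example's own.

```javascript
// Added example: pure rendering logic for the OpenIG 3.1 monitor JSON.
// Constructed sample input, matching the endpoint output quoted in the post.
const SAMPLE_STATS = {
  "Users":   {"in progress": 0, "completed": 6,    "internal errors": 0},
  "main":    {"in progress": 1, "completed": 1074, "internal errors": 0},
  "groups":  {"in progress": 0, "completed": 4,    "internal errors": 0},
  "Default": {"in progress": 0, "completed": 16,   "internal errors": 0},
  "monitor": {"in progress": 1, "completed": 1048, "internal errors": 0}
};

// Map one route's counters to a row plus a Bootstrap contextual class:
// "danger" when the route has reported internal errors, "info" while requests
// are still in flight, "success" otherwise (class choice is an assumption).
function routeRow(name, counters) {
  const errors = counters["internal errors"];
  const inProgress = counters["in progress"];
  let cls = "success";
  if (errors > 0) cls = "danger";
  else if (inProgress > 0) cls = "info";
  return { name, inProgress, completed: counters["completed"], errors, cls };
}

// Build rows for all routes, "main" first, the others in sorted order.
function buildRows(stats) {
  const names = Object.keys(stats).filter(n => n !== "main").sort();
  if (stats.main) names.unshift("main");
  return names.map(n => routeRow(n, stats[n]));
}

// Sanity check: "main" is described as the sum of all routes, so its
// "completed" count should equal the sum of the other routes' counts.
function mainIsConsistent(stats) {
  if (!stats.main) return false;
  const others = Object.keys(stats).filter(n => n !== "main");
  const sum = others.reduce((acc, n) => acc + stats[n]["completed"], 0);
  return sum === stats.main["completed"];
}

// Route names come from the gateway configuration, not from the browser,
// but they still go into the DOM, so escape them before rendering.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[c]);
}

// Render the rows as table-body markup (what the console injects into its table).
function renderTbody(rows) {
  return rows.map(r =>
    `<tr class="${r.cls}"><td>${escapeHtml(r.name)}</td><td>${r.inProgress}</td>` +
    `<td>${r.completed}</td><td>${r.errors}</td></tr>`).join("\n");
}

// Stand-alone run: print the rendered table for the sample statistics.
console.log(renderTbody(buildRows(SAMPLE_STATS)));
console.log("main consistent:", mainIsConsistent(SAMPLE_STATS));
```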

Finally, the nice thing about the Console is that, being based on Bootstrap, it also has a responsive design and lets me monitor my OpenIG instance from anywhere, including from my phone:

[Photo: the console displayed on a phone]

If you do install the Console on your instance of OpenIG 3.1 (or one of the latest nightly builds), please send me a screenshot. And if you do customize the javascript for an even nicer look and feel, don’t hesitate to send a pull request.


Filed under: Identity Gateway Tagged: console, dashboard, ForgeRock, identity gateway, monitoring, openig, opensource

Mike Jones (Microsoft): JOSE -38 and JWT -32 drafts addressing the last of the IESG review comments

December 10, 2014 02:44 AM

Slightly updated JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT) drafts have been published that address the last of the IESG review comments, which were follow-up comments by Stephen Farrell and Pete Resnick. All DISCUSS comments had already been addressed by the previous drafts. The one normative change is that implementations must now discard RSA private keys with an "oth" parameter when the implementation does not support private keys with more than two primes. The remaining changes were editorial improvements suggested by Pete.

The specifications are available at:

HTML formatted versions are available at:

December 09, 2014

Julian Bond: At last, a replacement for Audiomap/TuneGlue. EMI killed that probably by accident, about a year ago...

December 09, 2014 05:10 PM
At last, a replacement for Audiomap/TuneGlue. EMI killed that probably by accident, about a year ago. Try this instead as a tool for exploring n-dimensional music-artist space.
http://musicroamer.com/ It's the same kind of idea. Put in one artist, it will build a rubber band spider diagram of related artists. Double click on one to expand it.


Courion: Survey Findings: Access Risk Attitudes

December 09, 2014 04:01 PM


We recently conducted a survey and the findings reveal that while IT security executives understand the risk factors that lead to a data breach, their organizations may not be able to effectively remediate those access risks. Here's an infographic that highlights some of the findings:

[Infographic: Access Risk Survey, December 9, 2014]

Click here to view the complete survey findings.


Kuppinger Cole: Executive View: Courion Access Governance/Risk Products - 71046

December 09, 2014 02:12 PM
In KuppingerCole

The GRC triumvirate (Governance, Risk and Compliance) has long been a mainstay of Identity Management (IdM). In fact, IdM has mutated into Identity and Access Management (IAM) as well as Identity and Access Governance (IAG). Access Governance remains one of the fastest growing market segments in that broader IAM/IAG market. Over the past few years, the field of Access Intelligence, providing advanced analytical capabilities for identifying access risks and analyzing the current status...

December 08, 2014

Kuppinger Cole: Quis custodiet ipsos custodes?

December 08, 2014 08:50 PM
In Alexei Balaganski

Or, if your Latin is a bit rusty, "who is guarding the guards themselves"? This was actually my first thought when I read an article published by Heise Online. Apparently, popular security software from Kaspersky Lab, including at least their Internet Security and Antivirus, is still susceptible to the now-well-known POODLE exploit, which allows attackers to perform a man-in-the-middle attack on an SSL 3.0 connection by downgrading the level of encryption and effectively breaking its cryptographic security.

When this vulnerability was published in September, many security researchers called for the immediate demise of SSL 3.0, which is a very outdated and in many aspects weak protocol; however, quite a lot of older software still doesn't support TLS, its modern replacement. In the end, many web services, as well as all major browser vendors, implemented some sort of protection against the exploit, either by disabling SSL 3.0 completely or by preventing downgrade attacks using TLS_FALLBACK_SCSV. For a couple of months, we felt safe again.

Well, turns out that getting rid of POODLE isn’t as easy as we thought – it’s not enough to harden both ends of the communication channel, you have to think about the legitimate “men-in-the-middle” as well, which can still be unpatched and vulnerable. This is exactly what happened to Kaspersky’s security products: as soon as the option “Scan encrypted connections” is enabled, they will intercept an outgoing secure connection, decrypt and analyze its content, and then reestablish a new secure connection to the appropriate website. Unfortunately, this new connection is still using SSL 3.0, ready to be exploited.

Think of it: even if you have the latest browser that explicitly disables SSL 3.0, your antivirus software would secretly make your security worse without letting you know (your browser will be connecting to the local proxy using the newer TLS protocol, which looks perfectly safe). Just like I wrote regarding the Heartbleed bug in April: "there is a fundamental difference between being hacked because of ignoring security best practices and being hacked because our security tools are flawed". The latter not only adds insult to injury, it can severely undermine users' trust in security software, which in the end is bad for everyone, even the particular vendor's competitors.

The problem seems to have been originally discovered by a user who posted his findings on Kaspersky's support forum. I must admit I find the support engineer's reply very misleading: the SSL vulnerability is by no means irrelevant, and one can imagine multiple scenarios where it could lead to sensitive data leaks.

Well, at least, according to Heise, the company is working on a patch already, which will be released sometime in January. Until then you should think twice before enabling this option: who is going to protect your antivirus after all?
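The failure mode above is that a transparent proxy re-establishes the outbound leg with SSL 3.0 even though the browser's own leg is TLS. One way a defender can verify what actually leaves the host is to capture the proxy's outbound ClientHello and inspect the version it offers and whether it carries TLS_FALLBACK_SCSV (RFC 7507). The parser and assessment below are an added example, not code from Heise or Kaspersky; the sample ClientHellos are constructed by the included builder, and the "high"/"ok" severity labels are this example's own.

```javascript
// Added example: inspect a captured TLS ClientHello (record + handshake header)
// and report what the client is willing to negotiate. Minimal parser: it reads
// client_version and the cipher_suites list and ignores extensions.
const TLS_FALLBACK_SCSV = 0x5600; // RFC 7507 signalling cipher suite value

const VERSION_NAMES = {
  0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"
};

function parseClientHello(bytes) {
  const b = Uint8Array.from(bytes);
  // 5-byte record header + 4-byte handshake header + version(2) + random(32) + sid len(1)
  if (b.length < 44 || b[0] !== 0x16) throw new Error("not a TLS handshake record");
  const recordLen = (b[3] << 8) | b[4];
  if (b.length !== 5 + recordLen) throw new Error("record length mismatch");
  if (b[5] !== 0x01) throw new Error("not a ClientHello");
  const clientVersion = (b[9] << 8) | b[10];   // highest version the client supports
  let off = 11 + 32;                           // skip the 32-byte random
  const sidLen = b[off]; off += 1 + sidLen;    // skip session id
  const suitesLen = (b[off] << 8) | b[off + 1]; off += 2;
  if (suitesLen % 2 !== 0 || off + suitesLen > b.length) throw new Error("bad cipher_suites");
  const suites = [];
  for (let i = 0; i < suitesLen; i += 2) suites.push((b[off + i] << 8) | b[off + i + 1]);
  return { clientVersion, suites, hasFallbackScsv: suites.includes(TLS_FALLBACK_SCSV) };
}

// Severity labels are this example's own. A client_version of 0x0300 means the
// sender will not go higher than SSL 3.0: exactly the proxy behaviour the post
// describes, and the precondition for POODLE if the server accepts it.
function assess(hello) {
  const name = VERSION_NAMES[hello.clientVersion] || "unknown";
  if (hello.clientVersion <= 0x0300) {
    return { level: "high", message: `client offers at most ${name}: SSL 3.0 only, POODLE-exposed` };
  }
  if (hello.hasFallbackScsv) {
    return { level: "ok", message: `${name} offered with TLS_FALLBACK_SCSV (fallback retry, downgrade is detectable by the server)` };
  }
  return { level: "ok", message: `${name} offered` };
}

// Constructed ClientHello builder, used only to make the sample inputs below.
function buildClientHello(version, suites) {
  const body = [version >> 8, version & 0xff];
  for (let i = 0; i < 32; i++) body.push(i);        // fixed "random" for the sample
  body.push(0);                                     // empty session id
  body.push((suites.length * 2) >> 8, (suites.length * 2) & 0xff);
  for (const s of suites) body.push(s >> 8, s & 0xff);
  body.push(1, 0);                                  // compression methods: null only
  const hs = [0x01, (body.length >> 16) & 0xff, (body.length >> 8) & 0xff, body.length & 0xff, ...body];
  return [0x16, version >> 8, version & 0xff, (hs.length >> 8) & 0xff, hs.length & 0xff, ...hs];
}

// Sample 1: what an SSL 3.0-only outbound leg looks like (constructed).
const SSLV3_HELLO = buildClientHello(0x0300, [0x002f, 0x000a]);
// Sample 2: a TLS 1.2 fallback retry carrying the SCSV (constructed).
const TLS12_FALLBACK_HELLO = buildClientHello(0x0303, [0x009c, 0x002f, TLS_FALLBACK_SCSV]);

for (const sample of [SSLV3_HELLO, TLS12_FALLBACK_HELLO]) {
  const result = assess(parseClientHello(sample));
  console.log(`[${result.level}] ${result.message}`);
}
```

On a real host the input would be the first record of the proxy's outbound connection as captured by a packet sniffer, fed in as a byte array.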

Kantara Initiative: Kantara Initiative to Participate at IHE North American Connectathon 2015

December 08, 2014 03:17 PM

Kantara Initiative will join with more than 500 of the industry's top engineers, IT architects, and project managers to take part in five intense days of interoperability testing at the IHE North American (NA) Connectathon 2015. Set to take place at its new location in the Cleveland Convention Center and HIMSS Innovation Center in downtown Cleveland, Ohio, on January 26 – 30, 2015, the IHE Connectathon provides an unparalleled opportunity for interoperability testing and problem resolution.

The IHE Connectathon has been an annual event with continued growth in the level and scope of participation. In 2015, the North American Connectathon looks to be even bigger and better, offering unprecedented testing opportunities in new and emerging technologies. No other testing event allows you to reduce development costs and time to market like the IHE Connectathon. Kantara Initiative is taking an active role in advancing health IT by promoting the use of Trust Frameworks in the Healthcare Industry, and by fostering collaboration with regional, national and international Healthcare IT organizations.

We invite you to learn more about the largest interoperability testing event in North America by visiting the event sponsor's website – IHE USA.

Kuppinger Cole: Read your cloud contract well: Your cloud service might become disruptive to your business

December 08, 2014 09:03 AM
In Martin Kuppinger

There is a lot of talk about disruptive technology and disruptive innovation – not only in the context of fundamental technology changes, but also in the context of innovating your business by being disruptive.

Cloud Computing has a potential for fostering such innovation in business, for various reasons:

While nothing in this leads to disruptive innovation in business, it helps businesses to become more agile and fosters such innovation. The flexibility Cloud Computing promises (and, in many situations, delivers) helps the business to move away from IT as the naysayers and showstoppers.

However, there is another notion of “disruptive” Cloud Computing can bring to business. It might become disruptive to the business itself. If you have ever read a standard contract of a Cloud Service Provider (CSP) thoroughly (and cloud business is about standard contracts), you have probably seen a number of points in there, which might become challenging to your business.

Look at the parts of the contract that cover topics such as end-of-service, changes to the service, or availability. According to their contracts, many CSPs could go out-of-business at virtually any point in time. They can change their services, typically with short prior notification (if they notify at all). And their guarantees regarding availability might not meet your requirements and expectations.

Furthermore, you will rarely (not to say never) find sections that guarantee upwards compatibility of the APIs (Application Programming Interfaces) provided by the cloud service.

Is this all bad? Not necessarily. To some degree, there are good reasons for these contracts (aside from the potential liability issues). A benefit of Cloud Computing is the flexibility of changing the service rapidly for improved capabilities, but also for improved security. Clearly, a common three-month patch window we observe in many organizations (and in others, far longer or fully undefined) is not sufficient anymore in these days of zero-day attacks. In addition, availability of cloud services is commonly far better than of internal IT services, at a fraction of the cost of implementing high availability.

On the other hand, feature changes might become massively disruptive. They might lead to a huge increase in help desk calls, when users are confronted with a new user interface or some features are somewhere else now. These changes might prevent applications from working at all. They might remove features some customers relied on. The CSP might argue that virtually no one used a particular feature. However, if you are among the 1% who did, it doesn’t help you at all knowing that 99% never used that feature.

When APIs are changed, this can affect integration between cloud services or between a cloud service and your existing on-premise applications. It also, as with any change, might affect your customizations. The typical argument is that the advantage of cloud services is that they provide a well thought-out standard set of features in areas where you will most likely not gain a competitive edge by customization. I've heard this argument in various forms several times. Yes, ideally an organization relies on a standard service. However, to pick a common example: in most services, you must customize. Just think about your own sub-sites and libraries in Microsoft SharePoint on Office 365. Moreover, most business applications, such as CRM in the cloud, ERP in the cloud, or service desk in the cloud, do not exist in isolation from the rest of the business. There is a need for integration.

So what can you do?

On one hand, CSPs should understand these issues. At the very least, the APIs must become upwards compatible. That requires more thinking upfront about the APIs that will be exposed. It requires better software design. But it is feasible, perhaps with the occasional issue when a major upgrade is done. The same holds true for customizations. These must continue to work.

On the other hand, if the APIs change or customizations might get lost – or when features are discontinued – there must be a notification way ahead, so that customers can prepare for that change.

For customers, the reality of standard cloud contracts means that they must prepare for such unwanted changes. There must be an exit strategy if a cloud service is discontinued or a CSP goes out of business. Customers must think what to do in case of availability issues. And they must do their customization and integration work while keeping in mind that things might change. They must be aware that relying on a cloud service, particularly SaaS (Software as a Service), might become disruptive to their business.

It is not that relying on the Cloud is bad. If customers do a fair comparison of cloud services to their on-premise services, they will find many areas where cloud services score far better. However, not everything in cloud services – and particularly not everything in the very unilateral (in the sense of “unfair”) standard contracts – is good. If this is well understood, customers can benefit from Cloud Computing without disrupting their business.

December 07, 2014

Julian Bond"The greatest shortcoming of the human race is our inability to understand the exponential function... [Technorati links]

December 07, 2014 10:37 AM
"The greatest shortcoming of the human race is our inability to understand the exponential function." - Albert A. Bartlett[1]. This is especially true of exponential growth with short doubling periods. Particularly troublesome are functions that double in under 5-10 years because they wrong-foot us. We think the near future is going to be like the recent past just a bit more so, when the growth rate means it's actually going to be radically different.

Then there are the revolutions and technologies that ought to be possible and contributing to some exponential growth function but are actually permanently 30 years out. Like nuclear fusion power, AI, Moon bases, batteries that are high capacity, low volume and cheap.

And there are 30-year futures with a date. 2030 still feels like the far future because back in 2000 it was. Except that now we're halfway there and it's only 15 years away. So when politicians talk about targets for 2030 (especially about climate change), you'd better ask what they're going to do right now to get there, because it's not that far away any more. It's not just some far future that can safely be ignored for a few years. Take, for instance, the recent PR about China-USA agreements on reducing CO2 emissions: that date of 2030 is prominent. If China and the USA have any chance at all of hitting even those relatively modest goals, they had better start going after them aggressively today, not in 5 years' time.

So combine short-doubling-period exponential growth with a belief in technical fixes that are actually permanently 30 years away, and with a belief that 2030 is so far in the future as to not be worth bothering about right now. Does that look like sleepwalking over a cliff with your eyes shut?

[1] Here's another good one from the same guy. "We must realize that growth is but an adolescent phase of life which stops when physical maturity is reached. If growth continues in the period of maturity it is called obesity or cancer. Prescribing growth as the cure for the energy crisis has all the logic of prescribing increasing quantities of food as a remedy for obesity." - Albert A. Bartlett
[from: Google+ Posts]
December 06, 2014

GluuOAuth2 evolution not revolution [Technorati links]

December 06, 2014 07:06 PM


Question: “Our federation runs a well established Shibboleth infrastructure, and all changes would cause considerable costs. What are specific advantages of your AM solution that could justify a replacement of Shibboleth?”

There is no reason to rip and replace. In fact, SAML is still ahead of OAuth2 with regard to multi-party federation. For applications that currently use SAML, or where SAML is the most cost-effective solution that meets the requirements, use SAML!

However, SAML was completed in 2006, and its requirements didn’t include mobile or IoT security. Since that time, there has also been a paradigm shift in web services from XML/SOAP to JSON/REST. There are other economic advantages of JSON over XML: fewer complex issues with XML canonicalization, less bandwidth on the network, and less memory and CPU to parse on constrained devices. Combined with strong developer preferences for REST, these advantages have led many application developers to prefer an OAuth2-based authentication API over SAML.

The key to adoption is convincing the web developers to use your APIs. The trust benefits of the federation are not constrained to one protocol. Ultimately, if using profiles of OAuth2 like OpenID Connect and UMA enables members of the federation to access more content, that’s a win. Perhaps the adoption of new standards could even be justified as a way to give end-users more control of their privacy, which is made possible by the advances in usability offered by OAuth2.

While work still needs to be done on OAuth2 multi-party federations, Gluu has already proposed REST APIs and JSON schema for OAuth2 multi-party federation on the OX Wiki Page. Gluu is seeking to move this effort to a standards community, for example the IETF OAuth working group, OASIS, Kantara, or the OpenID Foundation.

Adding new entities to the federation and additional technical taxonomy will require updates to the legal agreements of the federation. Gluu has started to draft sample federation legal documents that could be used to quick start a group of entities that want to form a new access federation:
Sample Federation Public Website
Participation Agreement
Data Protection Code of Conduct
Access Banner
Federation Policies

In addition, the Gluu Server can also include a deployment of the Jagger federation management software. More local federations may be efficient for smaller groups of entities that collaborate. Although this software currently only supports SAML, we have spoken with the authors of this software at EDUGate and they plan to add support for OAuth2 federation protocols. For more info on Jagger, see the Jagger Website.

Finally, the Gluu Server stack includes the Shibboleth IDP. The oxTrust admin web interface renders Shibboleth IDP and SP XML configuration files. Furthermore, the Gluu Distribution of the Shibboleth IDP includes a Shibboleth IDP Login Handler to use oxAuth (OpenID Connect) for authentication. In this way, authentication business logic can be centralized for both SAML and OpenID Connect applications. It’s not uncommon for the Gluu Server to also obtain a CAS ticket, or some other kind of internal authorization token.

Anil JohnProtecting Personal Data with Multi-Factor Authentication and Identity Proofing [Technorati links]

December 06, 2014 06:00 PM

The need for multiple factors of authentication in the current environment is something that many can agree on. But does that impact how we do web site authentication risk assessment? What other aspects of token and credential choice are impacted?

Click here to continue reading. Or, better yet, subscribe via email and get my full posts and other exclusive content delivered to your inbox. It’s fast, free, and more convenient.


The opinions expressed here are my own and do not represent my employer’s view in any way.

December 05, 2014

Kuppinger ColeIdentity & Access Management as the Foundation for Digital Business [Technorati links]

December 05, 2014 09:26 AM
In KuppingerCole Podcasts

The digital age, the merging of the digital world with the “real”, analogue world, is changing our business fundamentally and irreversibly. Adapting existing business models to the new requirements and exploiting new opportunities effectively and efficiently is the great challenge of this transformation and of our time. Suddenly IT is everywhere and part of every level of value creation. All of a company's relationships, but above all those with customers and business pa...



Watch online
December 04, 2014

Matthew Gertner - AllPeersFishing With Limited Supplies [Technorati links]

December 04, 2014 09:24 PM

Can I Fish With Limited Supplies?

Many people remember fishing as part of their childhood; at least, they do if they grew up in a rural area. But that was likely with a lot of gear. Fishing poles, bait, hooks, and a number of other items may have been used if you were fishing with your grandpa or going out on the lake with a group of your friends. In a survival situation, however, you may not have access to all those supplies – or your fishing pole may break, or you may have other issues that come up in the process. Let’s take a look at some of the things you can do to make sure that you and your family can get the fish you need in order to get through a survival situation.

Fishing with Limited Supplies

If you’re bugging out, you want to make sure that you have the lightest supplies possible – which likely means that you are not going to have a fishing pole with you. That being said, there are plenty of different ways that you can fish, even without a fishing pole. You can make sure that you have hooks and fishing line with you, or you can use supplies that you would have for other purposes in order to make the hooks.

Some people will carve hooks out of wood, and they are quite effective. You can also use wire, pins, coconut shells, thorns, and shells off of animals (empty turtle shells, seashells, etc). As long as the material is strong and you can form it or carve it into a hook shape, you will be able to make it into a hook.

That being said, you can also improvise the bait as well. There are lots of things that fish will just eat up without thinking about it, so you can pretty much use anything that you want as bait. Bugs and worms work especially well, because you can find them pretty much anywhere and they will be small enough to put on the hook that you’ve put together.

Alternative Forms of Fishing

Of course, you may be in a situation where you don’t feel like you can stay outside for extended periods of time. That being said, there are a lot of different ways that you can catch fish without having to stay at the pond for hours at a time. You can hook up a stakeout, which is a setup of two reeds with one long line in between the two, and then two shorter lines that have hooks with bait on the end. This sits at the bottom of the lake, and then fish go up to it and eat the bait. Just make sure that the hooks can’t get tangled up, so that you can get multiple fish at a time.

You can also make a net of some sort if you want to try and catch fish that way. You can use parachute suspension line or any other type of elastic to help you go in and catch the fish as you want to catch them. It’s fairly simple, but you may need a little help in making a fishing area – some people will use rocks or other hard objects as a boundary, especially if you are trying to fish on a river or another form of moving fresh water. By making a “pond” to fish out of (with rocks as a border), the fish will get grouped up and end up being a lot easier to catch than they would if they were just going down the river normally.

All that being said, fishing in the wilderness takes some practice and some time, but if you’re willing to put both of those things in, you will find that you can have a pretty good supply of food for you and your family. It’s about being creative with what you have and utilizing items in the world around you to make sure that you can get the big catch of the day at a pretty quick pace. By having some of the basics in your survival kit or hoard, you too can enjoy fresh fish as part of your survival diet.

 

Nat SakimuraFrom Senbonzakura to Sachiko Kobayashi to Wagakki Band to traditional music [Technorati links]

December 04, 2014 05:39 PM

An article that came across my feed today was titled “The path Sachiko Kobayashi showed for ‘blacklisted entertainers’ to survive”. It is about how Sachiko Kobayashi, shut out of the entertainment industry, has been making a comeback by singing Vocaloid songs on Nico Nico Douga; an interesting piece in that it hints, in a sense, at the beginning of the end of the conventional model.

From there I followed the chain “Sachi-sachi ni shite ageru♪” → “Tried singing Kurenai Hitoha full of melancholy” → “Senbonzakura [Countdown LIVE]”.

“Senbonzakura” is a song written, composed and arranged by Kurousa-P in 2011 and released on the internet with the voice synthesis software “Hatsune Miku” on vocals, and is said to be hugely popular at karaoke and elsewhere[1]. (I had never heard it.) The original goes like this.

The polish of the video is astonishing, but while thinking that Sachiko Kobayashi's singing is, as you would expect, better, I looked below and saw something called “Wagakki Band”. That's this. It gives you chills[2].

It starts with Japanese instruments only. And from the vocalist's first phrase it is obvious that she is someone trained in traditional Japanese music. A quick search suggests she was the winner of the 2012 Columbia National Shigin Contest. Western instruments are soon layered in and the low end is filled out, making it easy to listen to as ordinary rock as well; it feels like “with this they could make it overseas, couldn't they?” I would love to see it promoted under Cool Japan[3].

KatasoftBalance Forecasting: Personal Finance Backed By Stormpath [Technorati links]

December 04, 2014 02:07 PM

Developer Robert Chitoiu had long relied on Quicken Online to forecast his bank account balance and make financial decisions. But when Intuit shut down the product, he couldn’t find anything similar that would allow him to create balance projections. The idea for Balance Forecasting was born and he started coding.

Balance Forecasting Forecast View

The Quest For a Better Personal Finance Tool

“I don’t care about the past; I care about what happens in three months,” Chitoiu said. “If I change the bill today, let’s say I want to pay $500 instead of $700 on my credit card this month, what happens in three months? Am I going to go negative? No other personal finance app could answer those questions.”

Balance Forecasting lets you glimpse into your bank account’s future, ensuring users will never get caught off guard with costly overdraft fees. After a user inputs monthly income and expenses, Balance Forecasting will generate a detailed forecast of all incoming and outgoing transactions.

Originally started as an iPhone app, Balance Forecasting is now a webapp with full data visualizations and a mobile-friendly interface.

Balance Forecasting Charts

Unlike feed-driven software like Mint, Balance Forecasting relies on manual reconciliation, which means less security risk, more control for the user and more predictable finances. “You have full control of your account. I like to know exactly what’s going in and out. I don’t like to do the guessing game,” says Chitoiu.

Why Stormpath?

“A big reason why I chose Stormpath is simply because it’s extremely easy to get started and extremely easy to hook up the API and you don’t have to worry about login, which is a huge problem,” Chitoiu explained. “So having that free time allows you to focus on some other features.”

In addition to using Stormpath’s API for login and registration, Chitoiu also utilizes the account validation workflow, which sends users an email prompt allowing them to validate their account. If a user doesn’t activate his or her account, he or she can’t log in. Chitoiu points out that because this is handled directly by Stormpath, it doesn’t generate any additional work for him.

“I just spent a very short amount of time setting everything up and getting the login and registration working. I don’t have to waste my time on designing and reinventing the wheel.”

Balance Forecasting Profile View

The development process for Balance Forecasting actually began in Node. It was only later, after he was about three-fourths of the way through the coding process, that Chitoiu decided to switch to PHP, as it was a better-established framework with the support of a stable LAMP stack. Stormpath’s support for both languages made the switch seamless.

Creating a Secure App: Separation Between Data and User Credentials

When it comes to creating a personal finance app, security is of utmost importance, especially as any kind of hack or security issue could compromise users’ sensitive financial data.

One way to increase the security of user data is to separate information about the user’s account from application-specific data, such as their financial inputs. This model is more complex than most developers want to tackle at the outset of a project. “At the start, I was storing the users in a SQL database. It wasn’t very secure so I decided to redesign the whole thing, throw away the old code and start with a fresh clean slate.”

Stormpath helped Chitoiu separate and secure user credentials independent from his application data, which ensures user privacy and data anonymity. “Right now the way I’ve set it up is everything is completely anonymous. If somebody were to somehow get access to the MySQL database they would not be able to make any connection to whose data it is. They would see a bunch of bills – like a $100 car payment. But there is no way they could connect it to an e-mail address.”

Keep It Simple

Balance Forecasting has a simple user implementation but intuitive financial features – and with the help of Stormpath, Chitoiu has been able to focus more of his development time on users’ financial planning.

If you’d like to get a better read on your financial future, Balance Forecasting offers a free first month and a $19.99 yearly subscription.

If you’re interested in how Stormpath can help you put development cycles back into the features that matter, you can get started here.

Ludovic Poitou - ForgeRockOn track for the release… [Technorati links]

December 04, 2014 11:43 AM

Yesterday we announced new releases of 3 ForgeRock products: OpenAM 12.0, OpenIDM 3.1 and OpenIG 3.1.

There are still a few days before we make OpenIG 3.1 generally available. We are currently stress-testing it and reviewing the documentation. But all indicators are green for now:

Snapshot of OpenIG Issue Tracker


Filed under: Identity Gateway Tagged: ForgeRock, identity, identity gateway, IRM, openig, release

Julian BondIn the next UK election (and/or by-election) will you vote Blue Tory, Red Tory, Yellow Tory, Purple ... [Technorati links]

December 04, 2014 10:24 AM
In the next UK election (and/or by-election) will you vote Blue Tory, Red Tory, Yellow Tory, Purple Tory or Orange Tory[1], run by a white male from a privileged background who is pro-Trident[2] and has a vested interest in business as usual?

Or will you vote for a party led by a woman, trying to make a difference, that is anti-Trident and anti-war, like the Greens[3], SNP or Plaid Cymru?

But then why settle for a party that is only slightly raving when you can vote for a party that is fully two stops past Barking on the district line[4] and vote Raving Loony!

[1] What colour are the Ulster Unionists?
[2] https://www.craigmurray.org.uk/archives/2014/11/the-trident-test/
[3] Petition to get the Greens into the TV party debates.
https://www.change.org/p/bbc-itv-channel-4-sky-include-the-green-party-in-the-tv-leaders-debates-ahead-of-the-2015-general-election
[4] http://en.wikipedia.org/wiki/Becontree_tube_station

[from: Google+ Posts]
December 03, 2014

Mark Dixon - OracleCory Doctorow:Will Technology Set Us Free or Enslave Us? [Technorati links]

December 03, 2014 07:10 PM


I heard my first speech from Cory Doctorow at the Gartner IAM Summit this morning. He gave an interesting overview of the history of digital copyright law and attempts to enforce limited access by schemes such as Digital Rights Management and encrypted data streams. He expanded beyond this basic overview to discuss how current laws make it illegal to reveal hidden flaws in software and devices. Some points I found particularly thought-provoking include:

Interesting ideas worthy of further investigation. The concept of unintended consequences certainly applied here.

Matthew Gertner - AllPeersPrepping and Your Kids [Technorati links]

December 03, 2014 06:52 PM

Prepping 101 for Younger Family Members

Advanced planning and preparation is the key to surviving any disaster. It is important that every member of your family, especially younger children, knows what to do during an emergency. Being organized and prepared will help children feel more confident and less scared during chaotic events.

Things Your Kids Need to Know

Even though they will look to you for guidance during a time of crisis, whether it is a natural disaster or something more ominous, they should have knowledge of some fundamental survival skills. Children can be vulnerable during disasters, especially if they are somehow separated from their parents. Here are some skills you can teach them in the event of an emergency.

Central Meeting Locations

If your family has to evacuate your home, you should have a central meeting place to go to in order to ensure everyone has escaped safely. Find an area that is easy to find and far enough away from your home in case it becomes engulfed in flames or collapses. Teach your children the importance of going to that place and staying there until you find them.

You will want to choose a meeting location that is away from your home in case you and your children are separated during a crisis. Pick out a location that is easy to get to, but that has camouflage that they can hide in until you can go to them. Make trusted friends and other family members aware of this location as well in case they need to go to your children in your absence.

Teach Basic First Aid

During an emergency, it is imperative that everyone in the family knows what to do for bumps, bruises, cuts, and burns. Teach your kids how to treat their injuries in case you are injured or cannot tend to them yourself. Show them what supplies to use on cuts, how to stop a cut from bleeding, what to do if they are burned, and teach them CPR. Make sure your child’s bug-out bag has emergency medical supplies in it.

Create Secret Signals

Smaller children can be very trusting and during a time of chaos, you don’t want them to fall prey to predators. To help prevent them from trusting the wrong people, create hand signals or teach them a phrase to question someone with if they try to pick them up when they are alone.

Teach your children that if the person in question cannot answer the question, or if they don’t see the hand signals, they shouldn’t go with that person, no matter the circumstances. Once you’ve settled on a simple phrase and created hand signals, teach them to everyone in the family and trusted friends, so they know to use them when picking up your kids.

Keep Your Kids Active

It is important that children of all ages stay active so they will be healthier and have some stamina in times of crisis. Get them away from their computers and gaming systems on the weekend to go running and swimming. Even smaller kids should be able to run short distances and swim.

Teach your children how to climb trees to hide from animals and people. Make sure they know some basic hunting and fishing skills so if they are alone and stranded, they can survive until you or someone else they trust can find them. Going camping on a regular basis is a good time to teach them basic outdoor survival skills.

Teach Skills to Avoid Sickness

It is important to teach your kids which foods they should not eat in case they have food allergies or how to make sure water is safe to drink. It could be days before you can get to a doctor, so staying as healthy as possible during a crisis is important. You should also teach your kids to like vegetables because during an emergency being a picky eater could be problematic.

Practice Your Plans

To ensure your children know what to do in an emergency, routinely practice your emergency plan. Teach them how to escape the house, where to meet, where they should go if separated from you away from home, and practice the survival skills you’ve taught them.

Mark Dixon - OracleEarl Perkins: The Identity of Things for the Internet of Things [Technorati links]

December 03, 2014 06:20 PM

Earl Perkins, Gartner

Yesterday, at the Gartner Identity and Access Management Summit, Earl Perkins, Gartner’s Research Vice President in Systems, Security and Risk, gave a thought-provoking talk, proposing that Identity and Access Management as it is today is not going to cut it for the Internet of Things. Some of the highlights include (filtered through the lens of my interpretation):

I really like Earl’s ideas about convergence of “entities” and “relationships” between entities. Please note my blog post Identity Relationship Diagrams, posted in March 2013.

I also favor his view that identity management should not be separate from device management.

It will be interesting to see how architectures are transformed and what “jello sticks to the wall” in the coming years.

Gerry Gebel - AxiomaticsBeyond RBAC and towards ABAC – Tales from Down Under, Part 2 [Technorati links]

December 03, 2014 04:52 PM

Welcome back! Here is Part 2 of the Axiomatics road trip to Australia and New Zealand. As mentioned in Part 1, the trip was loaded with interesting conversations and here are five more topics that warranted some additional commentary:

Business Analysts are the optimal policy authors

“Who writes the policies” is often a question we are asked by customers who are new to the ABAC approach. Every organization is different, but generally the answer is a combination of people who are familiar with the technology or who represent the business/application areas. I believe similar collaborations occur when implementing other IAM technologies, such as user provisioning or user authentication. In ABAC systems, the access rules are typically very specific to the line of business applications that are integrated. Therefore, the person writing the access rules must be very aware of the business, security, risk, legal, or privacy constraints for that particular application or business unit – IT personnel normally don’t fit this archetype. Rather, a business representative provides important input or, ideally, a person with business analyst skills should be able to complete the bulk of the policy authoring task.

Legacy security models for database content

Axiomatics recently introduced a product to filter database content based on centrally defined and managed access policies. In the course of describing this new product, we learned about current practices for protecting database content. It turns out that organizations have a bevy of techniques and workarounds that are somewhat analogous to the RBAC and group models used elsewhere in the organization. These techniques include stored procedures (most prevalent), customized table views, web services that call specific stored procedures, application-specific code that calls specific stored procedures, and others. More recently, we even heard of a customer that has a dedicated group that performs custom data extractions and manually redacts or masks data.

The above techniques suffer from some of the same limitations associated with legacy RBAC approaches. Namely, they are costly to construct and maintain, are user centric rather than resource centric and, more importantly, don’t provide the flexibility or granularity of access required in modern data sharing and collaboration scenarios.

Pre-masking data

It was very interesting to learn of one scenario where an enterprise customer preloaded a customer database with masked data in one column – and the unmasked data in a separate column. Access to the clear-text or masked column was controlled by which stored procedure the application called. By preloading the masked data, system performance was optimized instead of masking data as it is returned to the application.

Bring Your Own Identity (BYOI)

BYOI, or Bring Your Own Identity, is a topic that came up during conversations with one organization that is working to build an identity proofing and credentialing service. The idea is that clients who are issued high-assurance credentials would be able to use the credential at multiple internet properties. Said another way, if a user is proofed and issued an authentication credential by a well-trusted provider, they should be able to “bring” this credential to other sites.

I first wrote about BYOI in a blog post back in September of 2008 – you have to use the wayback machine (screen shot included here for convenience) to find it at this point. It’s great to see this idea catching on and to see constructive discussions about re-using high value credentials. To date, we have seen the most re-use of lower value credentials, such as Facebook.


Privacy requirements: country specific

We’ve seen privacy become a primary authorization requirement in the past year or so and this was strongly reaffirmed during our trip. Banks that operate in multiple jurisdictions are increasingly pressured to uphold country-specific privacy laws and regulations. For example, certain countries require that bank customer files and information can only be accessed by bank employees of the same citizenship or that are domiciled in the same country. These privacy rules are in addition to the business, security, and risk rules and other regulations the financial institution may be implementing.

With an ABAC system, it is much easier to incorporate region- and country-specific access rules. In an ABAC policy, rules can enforce all the security or privacy rules required because of the policy language used under the covers. In essence, you have a programming language at your disposal which is specialized for access control scenarios. Furthermore, policy analysis can be performed to validate that the correct controls are in place.
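The country-specific privacy rule described above, expressed as an attribute-based decision function with a small policy-analysis pass on top. This is an added example written for this page, not Axiomatics product code; the attribute names, the list of strict jurisdictions and the sample employees and files are all constructed.

```powershell
# Added example, not Axiomatics' code. Attribute names, countries and sample data are constructed.

# Jurisdictions whose customer files may only be read by staff of the same citizenship or domicile.
$StrictCountries = @('CH', 'SG')

function Get-CustomerFileDecision {
    param([hashtable]$Subject, [hashtable]$Resource, [string]$Action)
    # Target: this policy only covers read access to customer files; anything else is out of scope.
    if ($Resource.type -ne 'customerFile' -or $Action -ne 'read') {
        return [pscustomobject]@{ Decision = 'NotApplicable'; Rule = $null }
    }
    # Business rule: only relationship managers handle customer files at all.
    if ($Subject.role -ne 'RelationshipManager') {
        return [pscustomobject]@{ Decision = 'Deny'; Rule = 'roleRequired' }
    }
    # Privacy rule, layered on top of the business rule for the strict jurisdictions:
    # the employee must share the customer's citizenship or be domiciled in that country.
    if ($StrictCountries -contains $Resource.customerCountry) {
        $sameCitizenship = $Subject.citizenship -eq $Resource.customerCountry
        $sameDomicile    = $Subject.domicile    -eq $Resource.customerCountry
        if (-not ($sameCitizenship -or $sameDomicile)) {
            return [pscustomobject]@{ Decision = 'Deny'; Rule = 'countryPrivacy' }
        }
    }
    # Deny-unless-permit: only a request that passed every rule above is permitted.
    return [pscustomobject]@{ Decision = 'Permit'; Rule = 'relationshipManagerRead' }
}

# Policy analysis: enumerate every subject/resource pair and list the permits, so a reviewer can
# confirm that nobody outside a strict jurisdiction is able to reach that jurisdiction's files.
function Get-PermitMatrix {
    param([hashtable[]]$Subjects, [hashtable[]]$Resources)
    foreach ($s in $Subjects) {
        foreach ($r in $Resources) {
            $d = Get-CustomerFileDecision -Subject $s -Resource $r -Action 'read'
            if ($d.Decision -eq 'Permit') {
                [pscustomobject]@{ Employee = $s.id; File = $r.id; Country = $r.customerCountry }
            }
        }
    }
}

# Constructed sample attribute sets: two relationship managers and one auditor.
$employees = @(
    @{ id = 'alice'; role = 'RelationshipManager'; citizenship = 'CH'; domicile = 'CH' },
    @{ id = 'bob';   role = 'RelationshipManager'; citizenship = 'DE'; domicile = 'SG' },
    @{ id = 'carol'; role = 'Auditor';             citizenship = 'CH'; domicile = 'CH' }
)
$files = @(
    @{ id = 'cust-1001'; type = 'customerFile'; customerCountry = 'CH' },
    @{ id = 'cust-2002'; type = 'customerFile'; customerCountry = 'SG' },
    @{ id = 'cust-3003'; type = 'customerFile'; customerCountry = 'GB' }
)

# The matrix shows which employee can read which file; strict-country files should only appear
# next to employees whose citizenship or domicile matches that country.
Get-PermitMatrix -Subjects $employees -Resources $files | Format-Table -AutoSize
```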


IS4UFIM on Azure [Technorati links]

December 03, 2014 03:52 PM
While deploying your Forefront Identity Manager labs in your own local virtual environment is convenient, it does consume a lot of your precious disk drive space and there is no questioning the impact of hardware failure. So why not move your virtualization layer to the cloud and let Azure take care of the storage, networking and compute infrastructure for you? This post will go over the steps we took in order to successfully automate the deployment of our FIM lab environments on the Microsoft Azure platform.

Azure infrastructure fundamentals

In order to create domain joined environments in Azure, there are four components we need:

1. An affinity group
Having our resources deployed in the same region (data center) is a fair option, but there is no certainty these resources are also located in the same cluster within that data center. Using affinity groups, we can define a container in which all our virtual machines are physically placed close together. This improves latency, performance and thereby cost.
2. A cloud service
This component is responsible for hosting our virtual machines. It gets assigned a public IP address, making it possible for you to connect to your environment from any location using your own defined endpoints.
3. A virtual network
In a domain-joined setup it is necessary that your machines can talk to each other. Using a VPN, we make sure VMs are deployed in the same IP range. These VMs can be assigned a static internal IP address, which makes it possible to define your domain controller as the DNS server for the virtual network.
4. A storage container
Each deployment gets its own container to host its virtual hard disks (VHDs) under a storage account which is linked to the subscription of the deployment's cloud service.

Setup process

The whole process is executed using the Azure library module for PowerShell. First we authenticate our Azure account and select the current subscription we wish to use for our setup. We then assign a valid storage account to this subscription.

Combining the infrastructure elements, we can set up the Azure environment in which our lab will be deployed. We first check and create a valid cloud service name in an affinity group. Then we retrieve the XML network configuration. In this configuration we insert our new VPN and the DNS server to use. The address space for this virtual network will be 10.0.0.0/16, with a DNS server referencing the IP address of the domain controller. Finally we create a new storage container for this lab. And that's it, our environment is ready for deployment.

Next up we will provision our servers. We have preconfigured each server up to the point of domain joining and captured a generalized VHD of this state. These VHDs are stored as images on our storage account so we can use them over and over again as a base machine for each server. Each machine has its own parameterised configuration consisting of the VM name, size, location of the VHD, image to use and endpoints to assign for both RDP and remote PowerShell. We assign it the correct static IP address and subnet name defined in the VPN configuration. The next step depends on the type of server; there are 2 ways of defining the provisioning configuration.

We start with the AD server, which will not include any domain parameters. We define our provisioning parameters just like we would for a standalone machine. When the machine has booted, we run a remote script through the PowerShell endpoint and promote it to a domain controller. And voilà, we have created a domain within our VPN.

Next up we provision the other type of servers (non-AD) into the domain. Sadly, the Azure API currently does not support sending parallel requests to the same cloud service. Instead, and because the domain provisioning configuration is the same for all the other servers, we create the configuration for each server and send them all together in one bulk creation request. This is as close as it gets to parallel provisioning of multiple servers in the same cloud service.

After the domain provisioning step has been executed, we automate the configuration of each server using PowerShell scripts which run on the PowerShell endpoint defined for that server.
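As an added example (not the authors' own tooling), here is how the steps above map onto the classic Azure Service Management cmdlets of the time; every name, address, image name and the admin source range are placeholders. It goes one step beyond the post by restricting the public RDP endpoints with an endpoint ACL, since the cloud service exposes them on a public IP.

```powershell
# Added example, not the post's own tooling. All names, addresses and image names are placeholders.
Import-Module Azure   # classic (Service Management) module; assumes the VNet/DNS XML config was already set

function New-LabPassword {
    # Random password for the generated lab accounts (assumed helper; the small modulo bias is acceptable here)
    param([int]$Length = 20)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%'
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$sub = 'LAB-SUBSCRIPTION'; $service = 'fimlab01'; $vnet = 'fimlab-vnet'; $subnet = 'LabSubnet'
$domain = 'lab.local'; $image = 'lab-base-generalized'; $adminPw = New-LabPassword
Add-AzureAccount
Select-AzureSubscription -SubscriptionName $sub
Set-AzureSubscription -SubscriptionName $sub -CurrentStorageAccountName 'fimlabstorage'

# Test-AzureName returns $true when the cloud service name is already taken
if (-not (Test-AzureName -Service $service)) { New-AzureService -ServiceName $service -AffinityGroup 'fimlab-ag' }
New-AzureStorageContainer -Name $service -Permission Off   # per-lab VHD container, no public read

# The cloud service has a public IP: limit management endpoints to the admin range (placeholder).
# The WinRM HTTPS endpoint the module adds by default should get the same ACL via Set-AzureEndpoint.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -Action Permit -RemoteSubnet '203.0.113.0/24' -Order 1 -Description 'admins' -ACL $acl

# 1. Domain controller: provisioned like a standalone machine, then promoted over the WinRM endpoint
$dc = New-AzureVMConfig -Name 'FIM-DC' -InstanceSize Small -ImageName $image |
      Add-AzureProvisioningConfig -Windows -AdminUsername 'labadmin' -Password $adminPw -NoRDPEndpoint |
      Set-AzureSubnet -SubnetNames $subnet | Set-AzureStaticVNetIP -IPAddress '10.0.0.4' |
      Add-AzureEndpoint -Name 'RDP' -Protocol tcp -LocalPort 3389 -PublicPort 50001 -ACL $acl
New-AzureVM -ServiceName $service -VNetName $vnet -VMs $dc   # first VM creates the deployment inside the VNet

$cred = New-Object PSCredential('labadmin', (ConvertTo-SecureString $adminPw -AsPlainText -Force))
$safeModePw = $cred.Password
$uri = Get-AzureWinRMUri -ServiceName $service -Name 'FIM-DC'   # HTTPS; the VM's WinRM cert must be trusted locally
Invoke-Command -ConnectionUri $uri -Credential $cred -ScriptBlock {
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    Install-ADDSForest -DomainName $using:domain -SafeModeAdministratorPassword $using:safeModePw -Force
}

# 2. Member servers: identical domain-join configuration, sent as one bulk request
$members = @(@{N='FIM-SQL'; IP='10.0.0.5'; P=50002}, @{N='FIM-SVC'; IP='10.0.0.6'; P=50003}) | ForEach-Object {
    New-AzureVMConfig -Name $_.N -InstanceSize Medium -ImageName $image |
    Add-AzureProvisioningConfig -WindowsDomain -JoinDomain $domain -Domain 'LAB' -DomainUserName 'labadmin' `
        -DomainPassword $adminPw -AdminUsername 'labadmin' -Password $adminPw -NoRDPEndpoint |
    Set-AzureSubnet -SubnetNames $subnet | Set-AzureStaticVNetIP -IPAddress $_.IP |
    Add-AzureEndpoint -Name 'RDP' -Protocol tcp -LocalPort 3389 -PublicPort $_.P -ACL $acl
}
New-AzureVM -ServiceName $service -VMs $members
```

The per-server configuration scripts the post runs afterwards would use the same Get-AzureWinRMUri / Invoke-Command pattern as the domain controller promotion above.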

Faster deployments?

Depending on the chosen server setup, this process can take quite a while to complete (mainly the installation of software during configuration). A basic setup consists of an AD / SQL / FIM server and takes about half an hour to complete in its most basic configuration. Available optional servers include Exchange, BHOLD, and SCSM (both management server and data warehouse), which takes the total server count up to 7 servers. A full setup takes a lot longer, and for this reason we implemented a complementary way of setting up our labs. We started from a fully working lab setup and captured the VMs as specialized images, as opposed to the generalized images in the previous method. This way you can use these images in a new Azure environment with a slightly different provisioning configuration and have your basic deployment set up in less than 6 minutes! The drawback is that the lab is not completely configurable, as it uses a saved state (snapshot) of a previous domain-joined setup.

The lazy way

Having a PowerShell cmdlet library at our disposal is really nice, although running these commands ourselves is not really what we were after. So we made our own WPF application that provides an interface which invokes the underlying PowerShell scripts (both the Azure module locally and the configuration of servers remotely) from C# using the PowerShell class. During setup, passwords for all the (service) accounts are generated and stored in an XML file in a format that KeePass can import. The RDP configuration is automatically generated as an RDG file which can be opened with Remote Desktop Connection Manager (http://www.microsoft.com/en-us/download/details.aspx?id=44989).

Let’s round up with some visual material!

Screenshots:
- Account setup
- Environment setup
- Redeploy a default lab with a limited set of parameters
- Fully customize your deployment parameters for each server
- Start a full installation or manually proceed with each step

ForgeRock: New Products. New Paths to Connected Identity. [Technorati links]

December 03, 2014 03:45 PM

Our development theme this release has been “configuration over customization.” We designed configurable services so features like social sign-on can be added to your application or service in minutes. We recognize that technology is rapidly changing how we deliver products and services to our customers, making it clearer than ever that connected identity is at the center of everything online. That’s why we want to be sure our customers are able to deploy customer-facing identity services quickly and securely. Below is a summary of a few of our recent enhancements:

Enabling social sign-on to your applications and services isn’t anything new, but being able to do it in under a minute is new! It’s common to see applications that allow a new user to log in with their Google or Facebook identity instead of “registering,” which requires the end user to create a new profile, username and password. The added convenience for the end user means higher adoption rates: more people willing to sign up. For the administrator and developer, though, adding social sign-on means more work: custom coding, testing, etc. With OpenAM, it is possible to enable social sign-on in less than one minute using a new wizard-based configuration tool, which also comes pre-configured for Facebook, Google, and Microsoft.

A new UI-based policy editor tool makes it easier and faster to implement fine-grained authorization. As organizations connect with their customers in the digital world, managing the right level of access and setting policies on what customers are able to do once they get access to applications or services has become complex and relationship-based. The new policy editor tool in OpenAM makes it possible to easily define permissions and policies that reflect business dynamics.

Consumers want more control over their online identity experience and expect self-service features. When the end user of identity management was an employee, or even a business partner, it was ok that the organization controlled the identity. With this new release of OpenAM, it’s even easier for administrators to enable the end user to manage their online identity experience, decreasing the demands on the help desk and improving the customer experience. While this has been possible in the past, it often required customization and coding on the part of the developer. With OpenAM, these self-service capabilities are readily configurable and include:

- Self registration
- Forgotten password & password reset
- Profile management
- Account permissions (OAuth 2.0)
- User management of trusted devices
- User management of OAuth 2.0 tokens

New cloud connectors in OpenIDM extend trust between on-premises IAM frameworks and the cloud, supporting commonly used enterprise SaaS-based services like Google, salesforce.com, Office365 and Azure. With the OpenIDM cloud connectors, end users are able to use the same credentials to access applications and services regardless of where they reside, on premises or in the cloud. With the OpenIDM cloud connectors, administrators are able to quickly add new cloud services and leverage their existing identity infrastructure to manage access and permissions, saving them time and ensuring better security with only one identity management system to manage.

Adaptive risk enhancements – the OpenAM contextual scripted authentication service enables the administrator to dynamically call third-party services like LexisNexis and Equifax for identity profiling. With simple scripting and without a complicated integration, the registration process of a new user can include checking a user’s credit score at Equifax, for example. The adaptive risk enhancements also include device authentication, so device details can be used for a more dynamic and intelligent authentication process.

Performance monitoring and auditing with OpenIG. An application and API gateway, OpenIG enables consistent enforcement of enterprise access policies for applications and APIs on premises or in the cloud, whether they’re legacy or modern. This latest release introduces monitoring and auditing capabilities, allowing customers to have a comprehensive view of the activity to their applications and APIs.

For more information:
- OpenAM 12.0: product page, webinar registration, product demo
- OpenIDM 3.1: product page, webinar replay, product demo
- OpenIG 3.1: product page, product demo
