At next week’s Cloud Identity Summit, Brad Hill will play the role of the man behind the curtain. But this time, that man wants you to be paying attention.
Hill, principal consultant at iSEC Partners, refers to his conference role as the “designated pessimist.” His session is entitled: "Are we doing better than passwords yet?"
Hill believes cloud identity and its predicted benefits have a great chance of hitting the target, but he also knows there are still questions along the flight path. Hopefully, knowledge of the past brings power to build a successful future.
“My question is are we really doing better than passwords,” he said. “The industry is investing all this money, we are spending all this time and effort in response to a pretty substantial criminal enterprise that has been built up around the weaknesses of passwords, credit card numbers, and authentication tokens.”
Hill says the industry needs to take a hard look at what it is building.
“Are we using the magic word ‘token’ to make it sound a lot better than it really is?” he asks.
Hill plans to explore how people are using access control systems, the way they are configured and the newer protocols that rely on tokens and the passing of data, especially at speeds that are interesting to business on the Internet.
Here’s his litmus test: “When the hacking community figures out these systems will the systems be as vulnerable to attack as traditional password and credit card systems are now?”
What is needed, he says, is a hard look at the properties of the systems to ensure security and assurance are improved along with the user experience and the velocity of data exchange.
“There is not a fundamental reason this can’t happen today,” he says. “One issue is how do you build incentives into a system where you have one version of the protocol to bring people on easily and have another version that is more secure with a higher assurance and a different pricing structure. The system is designed so it pushes people naturally to higher assurance levels.”
The expectation is that the future had better trump the past.
“It’s not that hard, but we need to step up and own the responsibility,” Hill says.
Josh Alexander: Large organizations. The essential building blocks of a successful authentication infrastructure
Even before we get to the building blocks of authentication, we should outline why authentication plays such an important role within a large organization. If we harken back to the fraud triangle, we remember that the three primary elements necessary for fraud are incentive, rationalization, and opportunity. Large organizations have been - and will continue to be - susceptible to the cornerstones of fraud as these organizations present both large incentives and simple rationalizations for perpetrating these transgressions. Limiting risk/access for these actions to occur creates a clear and present need for sound authentication infrastructure within a large organization. Thus, the essential building blocks of the authentication infrastructure for a large organization are the USES (Usability, Security, Economics, and Scalability).
Andre Durand: How the Connected Enterprise Will Create a $47B Identity Security Market: An Infographic
The traditional security model assumes that putting your company's important assets inside the firewall is enough to shield them from outside threats. However, because cloud and mobile are now ubiquitous in today's enterprises, the concept of inside and outside has become considerably blurred. With employees accessing sensitive data from insecure networks and mobile devices, the new security paradigm must protect users and data regardless of their location or device. This infographic shows how this climate of sophisticated threats and outdated security models will turn a $6 billion identity management industry into a $47B market opportunity and why Next Gen Identity is the centerpiece of security for a connected enterprise.
Ian Glazer: The laws of relationships (a work in progress)
A few weeks back I had the pleasure of delivering my ideas for the Laws of Relationships. The Laws are meant to be design considerations for everyone building, deploying, or consuming identity relationship management services. The team at ForgeRock, our hosts at the IRM Summit, were kind enough to video the talks. What follows is both a video of my delivery as well as the slides themselves. I am very much interested in getting feedback on this. I want to channel the response into the Kantara Initiative Working Group that is forming around IRM.
Patrick Harding: Identity Answering Security Questions for Enterprise Cloud Adopters
I joined a panel discussion titled "Solving the Real-World Challenges of the Cloud-Enabled Enterprise" at the Cloud Connect Summit during Interop in Las Vegas. The panel was unanimous in 'why' enterprises are adopting the Cloud (i.e. cost, scale, etc.) so the discussion focused on the 'how.' Predictably, the 'how' started with identifying the best platform to support workloads being moved from the datacenter to the Cloud, whether private, public or both. And there is a trio of platforms to contemplate - SaaS infrastructure, PaaS and IaaS. A common question is 'what's identity got to do with the cloud platform?' In one word: plenty!
Sachin Agarwal: Should Enterprises Keep Their External APIs Public or Restricted?
Netflix, the poster child for public APIs, recently retired its public API in favor of restricting access to a limited set of partners. More about Netflix's decision to retire their public API can be found in Daniel Jacobson's blog. This was perhaps the right decision for Netflix based on their business model and the type of API adoption they experienced. However, this decision should open up the debate about enterprises taking a second look at their API initiatives and determining the nature of their APIs, i.e. whether to make them public or keep them restricted.
Pam Dingle: Now, OpenID Connect is Real (and ratified)
We at Ping have participated in the standards process to make OpenID Connect happen, working with some crazy smart contributors. We cast our vote last week within the OpenID Foundation in support of the standard. And now that Connect is ratified, we can't wait to get out there and contribute to a very quickly growing ecosystem. In my opinion OpenID Connect has the potential to address some of the most critical barriers to growth and success in this industry.
Jim Scharf: Want help with securing your AWS account? Here are some resources
Some customers have asked how they should be using AWS Identity and Access Management (IAM) to help limit their exposure to problems like those that have recently been in the news. In general, AWS recommends that you enable multi-factor authentication (MFA) for your AWS account and for IAM users who are allowed to perform sensitive operations in your account. We also recommend that you use constrained, role-based access whenever practical, and that you do not use root credentials for everyday access to your account.
Hans Zandbelt: How We Get to Federation at Scale
The exponential increase of Cloud/SaaS adoption and the deployment of standards-based federated SSO in that environment is awesome but it brings along new challenges. The most important one is managing large numbers of federated SSO connections. A few years from now, organizations (Identity Providers) will have to deal with hundreds of connections, and SaaS providers (Service Providers) will push that to thousands of connections. This is no longer a task that can rely on manual configuration, which is too time-consuming, cumbersome, error-prone, and results in broken SSO connections.
Jeremy Grant: Progress on identity management: highlighting government and industry pilot projects
Last month, we learned that two million Facebook, Gmail, and Twitter passwords were stolen. If you follow cybersecurity news, you have probably seen this story before; in fact, it seems like we are reading about password-focused breaches most every month now. Well, what if we didn't have passwords anymore? What if we had something better, something that offered more security and privacy, and was easier to use? That's exactly the challenge the National Strategy for Trusted Identities in Cyberspace (NSTIC) is trying to address.
David Brossard: Using ALFA Eclipse plugin to author XACML policies - Part 1
Attribute-based access control (ABAC) defines a new access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, etc.), which can be compared to static values or to one another, thus enabling relation-based access control. The standard that implements attribute-based and policy-based access control is XACML, the eXtensible Access Control Markup Language. In this tutorial....
Stephen Wilson: Facebook's lab rats
It's long been said that if you're getting something for free online, then you're not the customer, you're the product. It's a reference to the one-sided bargain for personal information that powers so many social businesses - the way that "infomopolies" as I call them exploit the knowledge they accumulate about us. Now it's been revealed that we're even lower than product: we're lab rats. Facebook data scientist Adam Kramer, with collaborators from UCSF and Cornell, this week reported on a study in which they tested how Facebook users respond psychologically to alternatively positive and negative posts.
Niall Murphy: With Big Data, Big Responsibility
The connectivity and connectability of physical objects is exploding the number of digital interfaces people are interacting through. The next 5 to 10 years will see a tremendous transformation as almost every physical object we use in our everyday lives becomes internet enabled in one form or another - everything we touch applying real-time information to adapt, optimise and enhance its utility.
Brian Milas: Hackers, Malware and . . . Analytics?
What comes to mind when you hear the phrase, ". . . business intelligence reporting dashboards . . ."? You expect this from commercial enterprise and cloud applications . . . but here's more from the presenter, ". . . crime packs with business intelligence reporting dashboards to manage the distribution of their malicious code . . ." This month James Lyne of Sophos presented a TED Talk titled "Everyday Cybercrime -- and What You Can Do About It". In it, he shared some interesting information that illustrates how tools like analytics and intelligence can be used for good . . . or evil.
Adam Dawes: Welcome OpenID Connect
Improving security while making it easier for users to sign in is the perennial challenge we face in the authentication trade. Federated sign-in has long held this promise but to be successful, it needs to be simple for users to understand and easy for developers to deploy. Today, the OpenID Foundation announced that the OpenID Connect specification has been ratified and is now available as an open standard for the world. We think it is going to make a big difference in improving people's login experience all over the Internet.
Tim Kellogg: MQTT in a Nutshell
At 2lemetry we talk a lot about how easy it is to connect devices to laptops and cellphones. We host Message Queue Telemetry Transport (MQTT) as a service, which you can use to connect devices to web apps. In general, devices can be anything that record conditions such as temperature, pressure, GPS location, usage, and many other metrics. Here's a quick primer to understand the basics and get started. MQTT is just a pub/sub protocol. Pub/Sub is simple - when someone publishes a message it gets broadcast to everyone that is subscribed to the topic. It's a lot like a chat room with all robots (i.e. devices) and no humans.
Cloud Identity Summit 2014 (July 19-22; Monterey, Calif.)
The modern identity revolution is upon us. CIS converges the brightest minds across the identity and security industry on redefining identity management in an era of cloud, virtualization and mobile devices.
Gartner Catalyst - USA (Aug. 11-14; San Diego, CA)
A focus on mobile, cloud, and big data with separate tracks on identity-specific IT content as it relates to the three core conference themes.
Application Security Forum (Nov. 4-6; Yverdon-les-Bains, Switzerland)
The conference is a well-established annual event dedicated to information, application and software security that features a full day of training sessions and two days of conference sessions.