Dave Miller is the CSO for Covisint. Among other endeavors, Covisint runs the OnStar network, the in-car telematics connection offered on cars from General Motors. OnStar offers car owners many services, including remote unlocking, crash detection, and remote diagnostics. Dave has spoken in the past about the various identities required for the operation of OnStar: the car, the owner, and the driver. Because OnStar is a “man-rated” system, the effectiveness of authentication is paramount, but, as always, convenience is also a factor. In this interview with CSO magazine, Dave relates the real-world challenges he has encountered in designing the security of OnStar, including deprovisioning: when a car changes hands, the previous owner's identity has to lose control of the car, not just the new owner's identity gain it.

  • Dave Miller: Will your next car steal itself?
    “The second issue is deprovisioning. This involves managing the process when an owner sells a car, and making sure that the previous owner can't still remotely start the car. "If the user [identity] isn't automatically deprovisioned from the old owner to the new owner, the old owner can still control the car's operation," Miller says.”

There were several other items of interest to the identity community:


  • Phil Windley: Unlocking Data Exchange: The Long Tail of Data
    “But data is often onerous to obtain, difficult to trust, and hard to understand. Fixing these problems—making trustworthy, understandable data flow more freely, consistently, and reliably—will provide a wellspring of new ideas and companies to prosecute them.”
  • Matt Flynn: Access Governance on Unstructured Data
    “Gartner research VP Earl Perkins posted a few days ago on the intersection of data and applications within IAG (Identity and Access Governance). I've certainly seen the same issues and we've been working with customers on these challenges quite a bit over the past six months. In fact, I authored a paper on the topic in April which is available in the STEALTHbits resource library titled Access Governance on Unstructured Data.”
  • LexisNexis adds interactive voice technology for identity proofing
    “IVR on Demand enables LexisNexis customers who need identity proofing and multi-factor authentication services for access to high-risk or high-value information to create and deploy identity proofing and voice biometrics via the cloud for user verification and authentication.”
  • Craig Burton: The Internet of Things Gets Huge Boost
    “Scott Lemon and his new startup Wovyn is showing visionary thinking that will lead to what KuppingerCole calls The Life Management Platform (You can download the report for free). Watch the video, note how they are supporting open protocols and open APIs.”
  • John Fontana: Phishers hooking Facebook, Twitter, Google, Yahoo passwords
    “Barracuda security researchers Dave Michmerhuizen and Luis Chapetti say they are seeing specially built log-in pages that appear similar to pages used as part of the OpenID authentication process. When users type in their credentials, the data is collected by a rogue website, which sends back a message that the credentials have been validated.”
  • Meet Silk, the Semantic Web for the rest of us
    “It works like this: you build a series of pages inside Silk and link them together with tags. The pages can be anything you like: text files, pages from your website, company documents, your schedule. And the tags, too, can cover anything you like: any genre of data you can imagine. You then use the simple editor to add tags to your documents (telling it, for example, that the “United States” in your file refers to a country) and it connects the dots for you.”
  • Doc Searls: VRM at IIW
    “VRM was a hot topic at IIW last week, with at least one VRM or VRM-related breakout per session — and that was on top of the VRM workshop held at Ericsson on Monday, April 30, the day before IIW started. (Thanks to Nitin Shah and the Ericsson folks for making the time and space available in a great facility.) Here’s a quick rundown from the #IIW14 wiki:”
  • Ian Glazer: Coexistence: Thoughts from IIW14
    “Last week was the Internet Identity Workshop. It is hard to believe it is the 14th IIW; it has definitely come a long way in both attendance and content. I think the biggest takeaway from IIW for an enterprise IAM professional is – be ready to coexist.”
  • Jesse Bentz, Janrain: IIW14 Wrap up
    “Several of us at Janrain recently participated in the 14th annual Internet Identity Workshop (IIW) in Mountain View, CA. In addition to some of the bigger corporations like Google, Microsoft and Sony, participants included representatives from government, universities, and a strong international presence.”
  • Peter Alterman: Why LOA for Attributes Don’t Really Exist
    “As I have argued in public and private, I continue to believe that the concept of assigning a Level of Assurance to an attribute is bizarre, making real-time authorization decisions even more massively burdensome than they can be, and does nothing but confuse both Users and Relying Parties.”
  • John Fontana: Google, Facebook, MySpace; privacy rule breakers or trend makers?
    “The major social networking sites have all been fined for improper use of private data; is that a trend that should be ringing alarm bells or a sideshow for the paranoid and uninitiated?”
  • Martin Kuppinger: Dynamic Authorization Management Best Practices
    “Dynamic Authorization Management is about dynamically deciding to approve or not authorization requests provided by services (like applications) based on policies and attributes (roles, application used, context, whatever,…). It includes policy definition and management, the access to sources for these attributes like directory servers, databases, ERP systems, and systems for context- and risk-based authentication and authorization. A key standard is XACML. The role of Dynamic Authorization Management within overall IAM (Identity and Access Management) is defined in the KuppingerCole Scenario Understanding Identity and Access Management.”
  • Enterprise Facebook Use Wanes, At Least According to Zscaler
    “Zscaler saw Facebook traffic drop from more than 50% in Q1 to 43% by Q4 last year. The authors posit that a drop in time spent on Facebook's site as seen by Alexa may be one of the contributing factors. Or it could just be that corporate folks are frustrated in trying to find their posts thanks to the new timeline feature.”
  • Facebook and Google dominate 76% of social logins, according to Janrain study
    “Following this trend, Janrain has released a study powered by its Engage tool, which analyzed some 365,000 sites. Overall, Janrain found that Facebook accounted for 45% of social logins, while Google came in at 31%. Yahoo and Twitter collectively hold an 18% share of social logins, while LinkedIn, MySpace and a number of other sites account for the remaining 3%.”
  • Martin Kuppinger: Bring Your Own Identity? Yes. And No.
    “Recently I read a blog post by Nick Crown, Director of Product Marketing at UnboundID. He talked about “Bring Your Own Identity” which he thinks is more groundbreaking and disruptive than BYOD (Bring Your Own Device). I would say yes, there is a value in BYOI, but:”
  • The digital divide in Identity Management
    “The paper – I recommend you all read – does not care about these problems which seem SO huge to us, but merely touch a small fraction of all mankind (which is, by the way, true to about 99% of the problems I solve during my work…). It cares about the problems of billions of people not even HAVING an identity, because they did not get registered by their mother upon birth and thus do not have a valid birth certificate.”


  • RSA: Citadel Trojan Outgrowing Its Zeus Origins
    “It is already very clear that Citadel is the new Zeus in more ways than one: it was based on the Zeus code and it has all the functions going way beyond any crimeware kit to date. More importantly, it is the only commercial malware in the cybercrime arena being aggressively marketed to criminals at this time, and quite logically, Citadel is slowly but surely converting Zeus operators and bringing them to its ranks, taking over Zeus’ market-share.”
  • Paul Madsen: Over simplified graphical representation of OpenID Connect
    “OpenID Connect layers new pieces on top - the new ID_token and the UserInfo endpoint (both in orange). As before, the client (normally) leverages the browser as the means to obtain tokens.”
  • How to enforce password complexity on Linux
    “By default, passwords must have at least six characters (see /etc/login.defs for possible changes). This is hardly long enough by current standards to consider passwords to be secure. You will have a much stronger password complexity policy if you change the first line to something requiring longer passwords and ensuring a degree of complexity as well.”


Cloud Computing

Valuable Identity

  • Live Blogging Finovate Spring 2012 San Francisco
    “Good morning! Gearing up for the two-day typing marathon that is Finovate. We’re at a huge venue this year (same as last year, apparently – someone else from Glenbrook was here then), a cavernous exhibition hall that has plenty of room for the 1200+ attendees; I can remember when there were 250 attendees. Congrats to Jim & Eric!”
  • Who We’re Watching in Payments 2012
    “What do eBay, Google, and Facebook all have in common? Sure, they all dominate their respective categories. And, yes, they all are hugely ambitious. Plus they all have demonstrated the ability to invent new markets. The other shared trait, in case you hadn’t noticed, is they are all in the payments business.”
  • HSBC moves to contactless as standard on all UK-issued debit cards
    “Visa is forecasting the number of contactless cards in circulation in the UK to reach 30 million by the end of the year, boosted by the roll-out of tap-and-go terminals at big ticket retailers and set-piece showcases such as the Olympics.”
  • VeriFone Unfurls the SAIL
    “Point-of-sale device maker and payments technology vendor VeriFone today announced the availability of its latest iteration in mobile payment acceptance solutions, SAIL. The announcement also states that the service includes a free app and data-encrypting card reader, as well as a software development kit (SDK). For merchants with fixed-location points of sale, VeriFone says, SAIL is easily integrated with the company's other devices, and that the platform is magstripe, contactless, barcode, and EMV-capable, using VeriFone's PAYware Connect gateway. The company seems to be positioning SAIL as a more robust mobile option for its channel partners who already have white-labeled or in-house mobile acceptance solutions.”
  • MasterCard Releases Its Wallet Service
    “Matching Visa's V.me wallet service, MasterCard has taken a major step forward in its digital wallet plans with the release of its own approach, one that includes access to PayPass facilities for contactless payments, a digital wallet in the cloud, and application programmer interfaces to encourage use of the MasterCard platform within merchant and financial institution applications.”
