I make no secret of being an old hippie and a Deadhead. It’s just what I did back then - I like to dance and there was nothing like the dance of the Dead. And I'm proud to be a geek, but I draw the line at being a nerd. So when one of my heroes in security and identity, Gunnar Peterson, talks about the roles of hippies and nerds in building your identity defenses, I’ve just got to give it a read.

  • Software Security - Putting Hippies and Nerds to Work in the Right Places
    “The foundation of the Security Triangle shows the differing mindsets at work. Identity and Access Services are about doing the right things - authenticating and authorizing your employees, customers and partners. Have Hippie programmers build these. Defensive services are about dealing with malice - defensive coding, input validation, output encoding - have Nerd programmers build these.”

There were several other items of interest to the identity community:
(Among them are some remembrances of Bob Morgan, a true Identian, who “went on to the cloud” last week.)


  • A Salute to RL Bob
    “Today we were saddened to learn of the passing of dear RL Bob Morgan who has metaphorically “migrated to the cloud” now. Bob, or “Uncle Bob” as some of us called him, made so many contributions to the Identity community at large. Notably via: Internet2 Middleware, IETF, IIW, ISOC, Kantara, OASIS… too many to list them all. Recently RL Bob was awarded the Internet2 President’s Award for Leadership where many of his colleagues saluted him (in their best Hawaiian shirts).”
    [Jeff Hodges: RLBob migrates to The Cloud]
    [J Trent Adams: Bob's Clothing Paradigm]
  • Nat Sakimura: Analyzing Yahoo! Voices Password Leakage
    “Yahoo! Voice is a relying party to Yahoo! and is federating the authentication. This means that Yahoo! Voice should not have any password to be stolen.  This is a contradiction. So, I went on to researching what Yahoo! Voice really is.”
  • Kim Cameron: Yes to SCIM. Yes to Graph.
    “Today, since the Developer Preview focuses a lot of attention on our Graph API, I thought it would be a good idea to respond first to the discussion that has been taking place on Twitter about the relationship between the Graph API and SCIM (System for Cross Domain Identity Management, formerly Simple Cloud Identity Management).”
  • Dave Kearns: Wednesday afternoon in the mountains
    “If you're going to be attending the Cloud Identity Summit next week I've got a tip for you. But first, if you're NOT going to CIS 2012, why not?? Everyone who's anyone in identity will be there (well, OK, mostly everyone) because while it's called the CLOUD Identity Summit, we all know that the cloud is simply another platform, so almost everything you learn will be applicable to your datacenter as well as to any SaaS you might be using. Plus, it's in Vail - high up in the mountains of Colorado.”
  • Chris Ceppi: 8 Years at Ping Identity - IT Security Crosses the Identity Bridge
    “In the same way presidents travel to get the work of the US done, in 2012, the best companies are making strategic decisions about where to run core business processes. Many have decided that in order to stay competitive and win, core business processes must travel.”
  • Patrick Harding: Comment: Passwords Are the Achilles’ Heel of Cloud Security
    “To address single sign-on (SSO) at cloud scale, Ping Identity’s Patrick Harding says IT administrators, security architects and developers must focus their energy on solving the problem with secure standards such as SAML, rather than implementing Band-Aid solutions like password vaulting”
  • Trends Driving the Adoption of Identity and Access Management Technologies
    “Recently I was asked to outline the trends driving the adoption of Identity and Access Management (IAM) technologies. I decided to break this down into five trends that cover various technologies considered as part of the IAM stack of capabilities. This includes Web Access Management, Federation, Identity Management, Provisioning, Role and Compliance and other IAM technologies.”
  • 5 Business Trends Driving IAM Spending
    “Dark Reading spoke with a range of IAM experts to find out what market forces are causing today's brand of "identity crisis." Here's what they named as the key drivers behind IAM spending today.”
  • Has Nick Denton really reinvented comments?
    “So is this convincing evidence of the reinvention of comments? In some ways, perhaps. It’s certainly a positive step to see writers responding to readers in the comments section of a post (although Denton has apparently outlawed the use of the term “comments”). This is something we try hard to do with every post at GigaOM, because we see those comments as an important way of interacting with — and learning from — our readers, or what journalism professor Jay Rosen likes to call “the people formerly known as the audience.” Some have dismissed comments as cesspools filled with bile and not worth their time, but we disagree, and it’s nice to see that Denton does too.”
  • Mark Dixon: Life Management Platforms: Informed Pull and Controlled Push
    “I have been intrigued by the potential emergence of “Life Management Platforms” as described in the Kuppinger-Cole advisory note, “Life Management Platforms: Control and Privacy for Personal Data.”  The concept that particularly interests me is integration between systems that would allow controlled sharing of information, using principles Martin Kuppinger describes as “informed pull” and “controlled push.””
  • Kantara Initiative: Call for Proposals: organizational reform of Kantara governance, bylaws, operating procedures and structures
    “Kantara Initiative is opening a call for proposals regarding organizational reform of the Kantara governance, bylaws, operating procedures and structures. This call is open to all organizations and individuals who wish to submit a proposal.  Responses received will be published publicly ONLY where the submitter has provided permission to do so.”
  • Kantara Initiative Announces Europoint as the latest Kantara-Accredited Assessor
    “Kantara Initiative is proud to announce that Europoint is now a Kantara-Accredited Assessor with the ability to perform Kantara Service Assessments at Assurance Levels 1, 2, 3 and 4.  Europoint is approved to perform Kantara Assessments in the jurisdictions of Sweden and Europe. With this Accreditation, Kantara and Europoint are well positioned to provide Trust Framework Approval programs to European markets.”
  • CIS Series. George Fletcher: Is federation killing customer service?
    “Fletcher, chief architect for consumer identity services at AOL, wants to know how to convince web site owners, so called relying parties, that identity federation won’t do more harm than good to customers paying for valued services.”



  • Open Social State of the Union 2012
    “I'm excited to announce that this year's "State of the Union" event will be held on Tuesday, July 17, 2012 at the Jive's offices in Portland, Oregon. It lines up with OSCON, the premier conference for open source technologies. We'll have discounted passes for the conference, so be sure to check out the OSCON site for all the detailed information about that event. If you just want to grab some swag, we'll also have "Expo Only" tickets as well.”
  • NSTIC: SECOND DATE ADDED – Identity Ecosystem Steering Group Webinar July 17 at 3PM
    “The NSTIC National Program Office will host an additional Identity Ecosystem Steering Group webinar for any interested stakeholders on July 17 at 3PM EST. The webinar will  provide a general overview of the proposed governance documents that will guide the Steering Group, discuss the initial meeting and answer questions from participants.”
  • inCommon: The Future Of Federated Identity: Or, Whither SAML?
    “IAM Online - Thursday, July 19, 2012
    1 pm ET / Noon CT / 11 am MT / 10 am PT
    Join the next IAM Online (special day and time) for a session with Eve Maler, an expert on emerging identity and security at Forrester Research.”
  • FICAM: Access Control and Attribute Management WG Industry Day Invitation
    “September 5, 2012 in the Washington, DC area.
    The FICAM Access Control & Attribute Management Working Group (ACAGWG) is working to address the needs of the Federal Government for access control, lifecycle management of attributes, and the associated governance processes around entitlements and privileges. If you are interested in engaging with this cross-government (Federal, Defense, IC and more…) working group during our upcoming industry day, please read on...”
  • IDentity.Next'12
    “20-21 November 2012 - The Hague in Holland. Two-day event about Digital Identity”


  • Brian Mulloy: API Design Tour: Digital River – On Designing URIs, Handling Formats, Pagination
    “In the inaugural stop on our API Design Tour, we talked with the Digital River API Team about their approach to API design. The video and slides from our session are here. Below are some more of the design questions we put to the team.”
  • Todd McKinnon: The Right Side of History: Run, Don’t Walk, to Embrace a Mobile Enterprise
    “Think about it: Just 10 years ago, we had fax machines, PBX boxes (remember those?) and those clunky cell phones. Today, buoyed by the cloud, we’re drowning in email, tablets and smartphones at every turn. Change happens fast, and in ten years, the technology we use at work and at home will look very different from how it looks today.”
  • Ronnie Mitra: Are Open APIs Too Open for Big Business?
    “I’ll admit it.. I’m a “big enterprise” guy.  I’ve either worked for or worked with very large enterprise organizations for most of my career and I’ve seen these companies struggle with the challenge of incorporating ideas that are spawned from the collective brain trust of the theorists, coders and entrepreneurs that exist in the chaos outside the enterprise’s doors.”
  • Scott Morrison: Hey Twitter: API Management = Developer Management
    “In the API world, this is an easy point to miss. The server side always wields disproportionate power by virtue of controlling the API to its services and this can easily foster an arrogance about the server’s place in the world. This effect is nicely illustrated by Twitter’s recent missteps around developer management.”
  • Cisco, Intel, Box and Layer 7 Address the Role of Identity in API Security at Cloud Identity Summit 2012
    “Ping Identity, The Cloud Identity Security Leader, today announced Anand Sharma of Cisco, Vikas Jain of Intel, Francois Lascelles of Layer 7, Mark O'Neil of Vodel, and Andy Kiang of Box will address the role of identity in API security and management at this year's 2012 Cloud Identity Summit. Taking place at Vail, Colorado's Cascade Resort, the summit explores the role of identity as the new perimeter and examines ways cloud computing, mobile device access and social networking are transforming business and IT.”

Cloud Computing

  • Things To Do When Your Cloud Provider Goes Down
    “I am critical of the Buzzwords, marketing hype and embellished promises around The Cloud. So I came up with a list of things you can do when your provider goes down.”
    [You’re going to laugh and cry if you read this!]
  • Mike Desai: Cloud Computing Trends: A Look Back and A Look Forward
    “So let us take a brief look at some of the findings released last year, and make some predictions on what the results may find in this year’s installment, which is likely under way as we speak.  Some things that stood out to me from the 2011 report findings:”

Valuable Identity

  • John Fontana: NSTIC’s $2.5 million grant for oversight chief goes to SI
    “NIST names system integrator Trusted Federal Systems to oversee the Steering Group that will build policies and guidelines for the National Strategies for Trusted Identities in Cyberspace initiative”
  • Building Federated Search Capabilities for Homeland Security and Law Enforcement Partners
    “To create this capability among the four SBU/CUI systems – FBI’s Law Enforcement Online (LEO), the National Security Agency’s (NSA) Intelink-U, Department of Homeland Security’s (DHS) Homeland Security Information Network (HSIN), and the Regional Information Sharing Systems’ (RISS) RISSNET  – a common framework, including data models and schemas, must first be developed. The project was initiated on October 1, 2011 and is scheduled to be completed by September, 30, 2012.”
  • Chris Maher: "Identity and Resilience": A Prescient Paper from the Early Days of the New Administration
    “While this paper, "Identity and Resilience" has been somewhat overtaken by events (or is that... *validated* by events?), I remain enchanted by this particular excerpt. It speaks to the pivotal role that government MUST play in advancing a vendor neutral (or as I like to call it, "supra agora") framework. Further, it is equally applicable in the context of "machine identity" and the standards-based hardware root of trust that NIST is now promoting.”
  • Facebook wants to be your online bank
    “The social media giant is quietly supporting new services for banks that want to engage socially with their customers: The decidedly unsocial business of online banking.”
  • LevelUp declares payment war, kills interchange fee for merchants
    “Every month, it seems players in the mobile payment market try to outdo each other, offering merchants a slightly lower transaction fee in a game of one-upmanship. LevelUp, a Boston-based loyalty and payment startup, has played that game to some extent, pushing down its fee to 2 percent. But now, it’s laying down the gauntlet to competitors by doing away with processing fees forever in what it calls a bid to achieve “Interchange Zero.””
  • Chirpify Uses Twitter to Compete in P2P Payments
    “Chirpify's payment service connects to a user's PayPal account and enables a person to send payments to individuals or businesses by tweeting at the recipient's Twitter handle. PayPal is the only supported payment method for now, but Chirpify has much grander plans for the future.”

