If you think cloud computing is intrinsically less secure than what you deploy on-premises, read these arguments from Dave Kearns. Remember, if you have a breach on-premises, your only recourse is to fire some people.

  • Dave Kearns: The misunderstood cloud
    "Michael Osterman, of Osterman Research, recently opined about the security of cloud computing - and its misunderstandings. He compared cloud security to on-premise security in four areas (employee theft/incompetence, malware, hackers, and physical security) and showed that in all four areas the cloud should be, and generally is, more secure than on-premise data storage. Yet the myth persists that the cloud is less secure."

There were other items of interest to the identity community. I've added two new sections, Mobile and Social, to help sort them out. So now we have the megatrends: identity, cloud, mobile and social.


  • Canada Post updates digital mailbox
    "Canada Post is releasing a new version of its epost digital mailbox platform to add functionality and start leveraging government and business services. Along with design and navigational enhancements and improved bill management tools, it also features a new authentication process that connects a digital identity with a physical address."
  • Stephen Wilson: The Natural Limits to Federated Identity
    "Federated Identity has proven to be easier said than done. This slide deck summarises my new ecological frame for understanding the problem and clarifying the way forward. Existing real world business ecosystems have shaped the identities we have today, and place natural limits on how they may be artificially federated."
  • Jordan Phillips: Authentication Is Dead - Long Live Authentication!
    "We've recently returned from the Gartner Catalyst Conference in San Diego, which was an incredible opportunity to learn from analysts, do a little salesmanship, and share a drink with new friends. One of the hallmarks of these events is the proclamation that a technology, standard, or practice "is dead." Of course, such proclamations are generally made tongue-in-cheek, and have even spawned the occasional zombie meme and fears of a standards-hungry serial killer."
  • John Fontana: FBI looking at faces and yours might be next
    "The FBI is working on augmenting the modest fingerprint with biometric data to help chase bad guys as part of its $1 billion ID system upgrade, and privacy advocates are concerned if the Feds can get it right."
  • Matt Pollicove: The Stages of Identity
    "Recently I've been thinking about what happens to an identity through its life cycle and how the identity data is treated during this process. I think you will also see that the Enterprise itself has differing methods of dealing with it as well. I am considering this to be the beginning of a framework and nomenclature that one can use for expressing how people relate to their Identity data on a number of different levels. I think we can pretty much consider this to be a "work in progress," and I would greatly appreciate feedback."
  • Gunnar Peterson: What Identity And Access Management Can Learn From 'Car Talk'
    "In the old, pre-Web days, the cool kids who'd later grow up to be computer hackers worked on cars. While listening to the funny and informative radio talk show "Car Talk," I have often thought that hosts Tom and Ray Magliozzi would be computer geeks instead of car guys if born a decade later. Certainly, their rules apply to today."
  • @JohnFontana/IdentityList
    [John Fontana's Twitter list of the who's who in identity. An easy way to follow the identity conversation on Twitter.]


  • Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers
    "Over the past couple of weeks I have come across lots of questions/discussions on how, while OAuth/OpenID is cool as a feature in the ASP.NET templates in Visual Studio 2012, to easily integrate this into my application outside of the templates. More so, how do I extend the Universal Providers to integrate OAuth/OpenID and use other functionality such as roles etc. I am going to cover these two areas in this post using WebForms, but you could integrate the same with MVC applications as well."
  • Google Wallet: Single Sign-On
    "Single Sign-On enables your customers to authenticate to your website using their Google credentials. That means if the user is logged into Google on their browser, they can log into your site with a single click. The information typically required for login can then be accessed via OAuth2 for Login. This drastically simplifies account creation and reduces the passwords a user needs to remember."
  • Salting and hashing ... and why it's just table stakes; Watch the puzzle unfold with the #CryptoCrux video-bytes
    "Hashing, salting and database encryption are ways to protect passwords. But, are they enough? Recent large-scale password breaches have demonstrated that these solutions are susceptible to proven attacks. Maybe something else is needed..."
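As an added illustration of why salting and hashing are only table stakes (this is example code written for this newsletter, not from the #CryptoCrux series), the script below contrasts the two storage schemes the excerpt alludes to. An unsalted fast hash falls to a precomputed lookup table; a per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256 is used here, an assumption, not the article's recommendation) forces the attacker to rehash every guess for every user, yet a weak password still falls to a short wordlist. The wordlist and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample data: a tiny wordlist of the kind an attacker tries first.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]


def unsalted_md5(password: str) -> str:
    """The scheme behind many breached databases: a fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Precompute hash -> password once; every leaked hash then costs one lookup."""
    table = {unsalted_md5(w): w for w in wordlist}
    return table.get(stored_hash)


def hash_password(password: str, iterations: int = 100_000) -> str:
    """Random 16-byte salt per user plus an iterated, tunable KDF.

    Stored as 'algo$iterations$salt_hex$dk_hex' so parameters can be
    raised later without breaking existing records.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """No shared table is possible: each guess is rehashed with this user's salt.

    That is the whole benefit of the salt. It does nothing for a password
    that is in the wordlist, which is why salting is table stakes, not a cure.
    """
    for w in wordlist:
        if verify_password(w, stored):
            return w
    return None


if __name__ == "__main__":
    leaked_md5 = unsalted_md5("hunter2")
    print("unsalted MD5 recovered:", crack_unsalted(leaked_md5, WORDLIST))

    weak = hash_password("hunter2")
    strong = hash_password("correct horse battery staple")
    print("salted weak password recovered:", crack_salted(weak, WORDLIST))
    print("salted strong password recovered:", crack_salted(strong, WORDLIST))
```

Each `crack_salted` call against a 100,000-iteration hash costs the attacker roughly the same work the server spent verifying it, which is the point: the defender picks the iteration count, the attacker pays it per guess per user. Per-user salts also mean two users with the same password get different records, so a single lookup table no longer covers the whole dump.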



  • Layer 7: WebSockets Tech Talk
    "We aim to keep our Tech Talks relevant and interesting for our viewers. We simply want to provide an open forum to discuss and ask questions about key issues around API Management. So, in keeping with that spirit, our next subject for discussion will be WebSockets and the excitement surrounding HTML5's support for the WebSocket protocol. And I'm excited to have Layer 7 API Architect Ronnie Mitra as my guest for this highly-topical Tech Talk."
  • John Fontana: Klout quietly transforming into platform via APIs, OAuth
    "Klout is quietly piloting with developers its new OAuth API and KloutPass authentication verification as first steps in a larger strategy to become a platform and offer its data through other apps."
  • Intuit opens up financial data service APIs to third party developers
    "Intuit is opening up the APIs to its financial data service - which powers Quicken, QuickBooks, Mint and FinanceWorks - to third party developers, inviting them to build their own services."

Cloud Computing

  • Bob Griffin: Keys, Clouds & Conferences
    "As I mentioned in my last blog, one of the sessions I gave recently at RSA Conference China was a discussion of "Keys and Clouds", exploring various models for key management and encryption in the cloud. It's a topic that comes up often in my meetings with customers about private, public and hybrid cloud strategy. It's also something that we've been giving a lot of thought to in the OASIS KMIP (Key Management Interoperability Protocol) standards committee that I co-chair. In fact, we'll be exploring the cloud-related use cases in our KMIP face-to-face next week and also discussing them in the KMIP webinar we'll be giving later in September."

Mobile

  • John Fontana: New House bill targets mobile device tracking software
    "A mobile phone privacy bill that would require vendors to disclose tracking software and get end-user consent before activating that software was introduced Wednesday into the U.S. House of Representatives."
  • PCI has gone mobile -- is your app ready?
    "The folks over at the Payment Card Industry (PCI) security standards council have just published their "PCI Mobile Payment Acceptance Security Guidelines for Developers" document. If you're doing anything in the mobile payment space, this document is a must read, of course. Even if you're not doing mobile payments, though, it's still a pretty worthwhile read overall. But be prepared, some of their security goals are quite high indeed."
  • Facebook's "Biggest Strategic Mistake" Confirms Importance of Mobile APIs
    "A couple of days ago at TechCrunch Disrupt, Mark Zuckerberg admitted that the "biggest strategic mistake was betting on HTML5 too much". Facebook is taking a multi-platform approach to mobile apps, supporting both HTML5 as well as native app platforms (Android, iOS, etc). Why the shift? Native mobile apps are simply more engaging. After releasing their latest iOS app, consumption of stories increased two fold. That's not to say that mobile web is going away any time soon for Facebook - mobile web traffic accounted for more traffic than all their native apps combined."

Social

  • Phil Windley: Living in a Silo Can Be Dangerous
    "When you live in a silo, asphyxiation is a real danger. Twitter had the temerity to actually take advantage of its one-sided terms and conditions and now people are mad. Don't get mad; change the game. Protocol gives us the tools to fight back. The only way to protect yourself is to move to a decentralized architecture."
  • Doc Searls: Project VRM: An olive branch to advertising
    "In my last post I talked about how DNT might be turned into DNT-D, for Do Not Track - Dialog. Then I said a bit more about that in this post at Harvard Business Review. Note that DNT is one among many possible HTTP headers. If DNT bogs down in politics (which it already has to some degree), there is nothing to stop anybody from working on alternatives that create opportunities for agreement and productive handshaking between users and sites."
  • Doc Searls: Free Customers Are More Valuable than Captive Ones
    "'Put down the customer. Step away from the marketplace.' That's what Craig Burton once said to a clueless marketing officer at a meeting we both attended a few years back. It was one of the most right-on things I have ever heard uttered inside a company. It also comes to mind every time I hear unwanted surveillance of customers rationalized for marketing purposes, or how Big Data lets a company know a customer better than she knows herself."

Valuable Identity

  • Anil John: From AAES to BAE - Implementing Collection and Sharing of Identity Data
    "The Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance (PDF) calls out the need to implement the ability to streamline the collection and sharing of digital identity data (Initiative 5). The Authoritative Attribute Exchange Services (AAES) is the architectural construct shown in the Roadmap as the mechanism that can implement this capability. This blog post provides a description of the capabilities needed in an AAES, and outlines a concrete method for implementing it; via deploying a Backend Attribute Exchange (BAE) infrastructure."
  • Meaningful Use Stage 3 may require multifactor authentication
    "The healthcare industry is getting a peek at what Stage 3 of Meaningful Use may look like. The Office of the National Coordinator for Health IT's HIT Policy Committee voted Sept. 6 to accept the Privacy and Security Tiger Team's recommendation to require multifactor authentication in certain cases involving remote access to patient protected health information, Healthcare Info Security reports."
  • Latest in Chip and Pin Exploits
    "We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit. Pre-play attacks may also be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer. We explore the design and implementation mistakes that enabled the flaw to evade detection until now: shortcomings of the EMV specification, of the EMV kernel certification process, of implementation testing, formal analysis, or monitoring customer complaints. Finally we discuss countermeasures."
