Paul Madsen was quite inspired recently, publishing a number of blog entries about the Internet of Things (IoT) and APIs. He is ferreting out the little considerations that will be required for a practical IoT:
Paul Madsen: Identities - Thing & User In home automation, wearable, and healthcare use cases, that thing identity will need to be associated with or bound to a user identity (or multiple user identities). Once this association is made, then any subsequent message from the thing can be understood to be occurring 'on behalf of' that particular user.
You will find more of Paul's thinking in the Mobile section below. I didn't publish last week so there are quite a lot of items. Dig in!
Spotlight on Kantara Member SecureKey In this edition of Spotlight, we are pleased to tell readers more about SecureKey, their unique role in IdM, and why they became members of Kantara Initiative.
Mike Schwartz: DIY 2Factor using OpenID Connect as the authentication API There is no license fee for passwords. It may sound silly, but businesses are simply not used to the idea that they need to pay for authentication. Also, the idea that passwords are "dead" is crazy. Companies already manage passwords for people. However, as everyone knows, passwords alone are a recipe for disaster. So what is a domain to do if they want to add a second factor of authentication, but they don't want to add yet another SaaS fee or annual per user license?
Aaron Berman: SSO: Absolutely necessary, but is it sufficient? Today many organizations are spending lots of money adding multi-factor and/or risk-based authentication to their environments. This is being done to prevent bad people from stealing usernames and passwords as well as to try and detect fraudulent logins. However, little is being done to answer the question "What is my security after I log on to the single sign-on solution?" I view this as placing a lot of locks and security on the front door of a house, which is required, but can provide a false sense of assurance when the back patio door is left open.
Martin Kuppinger: Identity Information Quality: Recertify the Identity One of the challenges many organizations are facing in their IAM infrastructure is "Identity Information Quality." That quality, especially in larger organizations, varies depending on the source it comes from. This challenge is not limited to the enrollment process, but also all subsequent processes. While the creation of new digital identities in IAM systems (at least for employees) is frequently driven primarily through imports from HR systems, changes of attribute values might be triggered from many different sources.
Doc Searls: IIW Challenge #1: Sovereign Identity in the Great Silo Forest If the answers come from you, they speak of your sovereign identity: that which is yours and you control. If the answers come from your employer, your doctor, the Department of Motor Vehicles, Apple, Facebook, Google or Twitter, they speak of your administrative identity: that which is theirs and they control.
Hans Zandbelt: Federation at Scale with a SAML Proxy In presentations on federation at scale that I did (e.g. at the Cloud Identity Summit), I'm arguing that there are basically two different methods of scaling up: using a metadata service or using a proxy. I'll go into more detail on the former in a follow-up post, but right now I'd like to point out where, how and why a proxy can be used to scale up federation.
Mike Schwartz: Higher Education ADFS Wishlist The higher education community is one of the most advanced adopters of SAML. Many universities also use Active Directory... so it is only natural that they have some great feedback about what they'd like to see in ADFS (Active Directory Federation Services).
Binary Blogger: Identity Brokers Clouding Identity Lifecycle Management - They Are Different Over the past year there is a new concept, a brochure buzzword, that has popped up that is beginning to 'cloud' and confuse an already difficult business concept. I am talking about Identity Brokers, Identity Hubs, and other new startup companies that are offering Identity-like capabilities but are not Identity Lifecycle Management solutions. Identity is flashier than authentication when it comes to the marketing I guess.
Anil John: Who are the Natural Source of High Assurance Credentials for Public Sector Services? In an earlier blog post I raised the concern that the expectations of the identity and security community as to how high assurance credentials will be provided to end users is driven from a technology perspective and not a lifestyle perspective. This blog post explores how, or even if, high assurance credentials can be made part of the day-to-day fabric of our online lives, and who are best suited to do so.
Mike Jones: OpenID Connect Specs Nearing Completion Based on feedback from developers, the OpenID Connect working group decided to replace the OpenID Connect Messages and OpenID Connect Standard specifications with a new OpenID Connect Core specification that combines the contents from both of them before finishing OpenID Connect.
Dave Kearns: Apple finally gets something right Apple's new iPhone (the 5S model) is equipped with the Touch ID fingerprint reader. Its release just a couple of weeks ago has generated more discussion (and bloviating) about biometrics, fingerprints in particular, than all other fingerprint systems together. Not only that, but it's forcing me to do something I've rarely - if ever - done before: say something nice about Apple.
Martin Kuppinger: Mobile Security: Virtualization on the smartphone LG recently announced a new platform called GATE that will enable some LG business smartphones to run two mobile operating systems in parallel. LG appears, with this feature, to be reacting to the security concerns many organizations have around BYOD (Bring Your Own Device).
Paul Madsen: Consent anti-patterns for Internet of Things User-control will be key for many (but not all of course) Internet of Things use cases. A key piece of such control will be collecting the user's consent for 1) a given thing to act on their behalf or 2) a given application to access/control the thing.
Paul Madsen: Users, groups & things Below is an attempt to tease out a taxonomy of Internet of Things use cases - differentiating based on 1) on whose behalf the thing acts on (whether a data subject or not) 2) the data subject of the data the thing collects and shares
Paul Madsen: I don't even drink milk! Along with the smart toaster, a fridge that can sense when the household is about to run out of milk and send a compensating order to the local supermarket is presented as home automation's killer app.
Peter Brantley: Re-Engineering Government On October 4, with the federal government in full shutdown mode, a hardy band of open government advocates, public officials and civic hackers gathered in Washington, DC to brainstorm about the future of annotation, law-making, and re-engineering the workings of government.
Dave Birch: Pals in Palo Alto Well we went off to our first ever Bay Area Tomorrow's Transactions Unconference. For those of you not familiar with these, "Tomorrow's Transactions" is Consult Hyperion's brand for our thought leadership activities in digital identity and digital money.
Philippe Benitez: Money2020 bringing together technology and payment leaders for the future Money2020 has been full of interesting insights on new and developing payment technologies. Payment players from across the spectrum have gathered for Money2020 this week in Las Vegas, from start-ups to those who have been in the industry for decades. With so many payment power players under one roof, I wonder how many years of combined expertise is represented by the 4,200 attendees?
Identity Woman: Interesting events in 2013 This is a calendar of events that I know in 2013 (and beyond). I think they're interesting, I'm currently planning on attending all the events in BLACK, I'm helping co-organize all the events with RED headlines. Some events will change from interesting to attending as they approach.
API Strategy & Practice Oct 23-25, Parc 55 Hotel, San Francisco Application Programming Interfaces (APIs) are changing the face of digital business by enabling new business and technical strategies across many industries.
eID & ePass 5th edition National eID & ePassport Conference - the Global Forum on the drivers behind the digitalization of citizen ID documents proudly announce the 5th edition in BERLIN 2013, 28th & 29th of October @Intercontinental Berlin.
Defrag 2013 Nov. 4-6, Broomfield, Colorado Accelerating the 'AHA' Moment
IDM 2013 Conference and Exhibition 6 Nov., Russell/London The IDM 2013 Conference and Exhibition is the UK's largest and premier gathering for IT and Business professionals responsible for IDM Infrastructure and Deployment.
InCommon Advance CAMP: Identity Services Summit Nov. 12-13, 2013 San Jose, CA https://spaces.internet2.edu/display/ACAMP2013/Home Part of the 2013 Identity Week (www.incommon.org/idweek) Join leading identity architects and developers from U.S. research and higher education and international and commercial identerati. Explore the state of the art in identity services and discuss the leading edge work that's taking us there. Join us and get involved!
InCommon: CAMP Cloud: Identity and Access in an Era of Outsourced Services Nov. 14-15, 2013 - San Jose, CA Part of the 2013 Identity Week (www.incommon.org/idweek) Are your campus stakeholders looking at cloud-based solutions? Are you experiencing challenges or do you have concerns with outsourcing email, storage, or other essential services? Are you concerned about the management and maintenance of an accurate, accountable identity inventory?
Gartner Identity & Access Management Summit 18 - 20 Nov. 2013 | Los Angeles, CA Gartner Identity & Access Management Summit 2013 shows you how to develop your IAM strategy while advising on tactical IAM issues, challenges by BYOD or SaaS adoption, integration of social platforms, and more.
KuppingerCole Information Risk & Security Summit 2014 Nov. 27-28, 2013, Frankfurt, Germany The Information Risk & Security Summit at the Frankfurter Innovationszentrum FIZ Conference Lab, offers an unseen combination of thought leadership and interactive session formats, tackling the most demanding questions IT professionals are confronted with: How to support the extended & connected enterprise with brilliant services without taking too many big risks.
Cloud Security Alliance Congress Dec. 4-5, The Rosen Centre Hotel, Orlando, FL The CSA Congress is the industry's premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security.