For any of those in the Cleveland/Akron, Ohio, USA area the week of 1/22, I’ll be speaking at the University of Akron on the topic of Identity Management in “the cloud” and general career opportunities in the Information Security industry.  More specifically, the title of the presentation is “Identity and Access Management Reference Architecture for Cloud Computing” and I’ve already published the slides on SlideShare here.

I’m looking forward to good interaction with the students and faculty.  If you are in attendance, please stop by and say hello!


As I mentioned in my previous post, I had the opportunity to present at the 9th annual Information Security Summit 2011. The full title of my presentation was “Identity and Access Management Reference Architecture for Cloud Computing” and just about filled the room with attendees. I was impressed with the turnout given I was in the last speaking slot on the first day up against three other speakers with very interesting topics.

For those interested, I’ve placed my slides on SlideShare:

All in all, it was a great conference attracting mostly local security and audit professionals. Given my tenure in the area, I ran into all kinds of familiar faces going back at least 10+ years. It was great to catch-up with all those of which I’ve crossed paths.



Context is increasingly important from GartnerIAM

For the next three days I’ll be attending the Gartner Identity and Access Management Summit.  I’ll post a daily summary of the sessions I’ve attended.  If any of the sessions have something particularly noteworthy, I’ll relay those interesting items via Twitter.

Well, another Gartner Identity and Access Management Summit has come and gone.  It is great to be surrounded by people enthusiastic about identity and security.  The biggest thematic difference between this event and events of a few years ago is the recognition that establishing identity is no longer based primarily on the strength of the authentication factor.  There was almost no talk of X.500 certificates versus one-time password key fobs versus smart cards.  The energy of the discussions was around contextual awareness during the authentication process.

I was only able to make it to one session on this last day due to my travel needs.  I attended @bobbarkley’s Identity Assurance which was an overview on how the government has progressed in establishing agency identity providers and audits of those providers.  Additionally, the government has formed a more structured application risk assignment process.  In the graphic below, an individual application is ranked in each category on the left column.  Whichever row has the risk assignment farthest to the right determines the authentication level needed for access to that application.  Thus, if everything scores a low but the financial impact to the use of the application is moderate, then access to the application requires a credential meeting level 3 requirements.

Requirement levels, or more specifically, LOAs are as follows:

Level 1 = no proof, just a password that may be the same one assigned to multiple people

Level 2 = single factor, such as individually assigned passwords, with some documentation presented (but not verified) of who issued the credential

Level 3 = multi-factor (say, fixed password plus one time password) with documentation presented and verified of who issued the credential

Level 4 = multi-factor with FIPS 140-2 hard token + encryption with government issued or financial services issued documentation presented, in person and a biometric of the individual captured for reference

LOA = Levels of Authentication, got to love government acronyms

Clearly, level 4 requires quite a bit of material to prove the person is indeed who they say that they are.

All in all a great conference and I am hoping to have the opportunity to attend next year to see how the industry advances in 2011.


SAML 2.0 is King of Federation Standards

For the next three days I’ll be attending the Gartner Identity and Access Management Summit.  I’ll post a daily summary of the sessions I’ve attended.  If any of the sessions have something particularly noteworthy, I’ll relay those interesting items via Twitter.

Day 2 was a quest for more customer stories and testimonials.  But the opening session by Chris Hansen, correspondent for the NBC News “Dateline NBC” program, was riveting.  Hands down it was the fastest 45 minutes of the entire conference.  Chris had a way of sharing the behind-the-scenes stories that led up to the final “To Catch a Predator” specials that really had the audience hanging on his every word.  I recall the promotions for the show but I never actually watched the show itself.  The gist is that an NBC investigative reporting team, led by Hansen, poses as a 13 or 14 year old boy or girl online and attracts predators to a house for inappropriate encounters.  The house is wired with microphones and hidden cameras.  The predator arrives and Hansen confronts the individual about their illegal behavior.

One of the most disturbing comments Hansen shared is that he felt if they picked any city in the US, his team could set up their operation and within 24 hours have 50 people lined up wanting to participate in illegal behavior.  He mentioned he had doctors, firemen, clergy, businessmen … non-stereotypical people all looking to take advantage of children online.

Hansen linked his investigative team’s methodology to success in attracting pedophiles, electronics fraud, terrorist cells, you name it.  It was a bit concerning how the strong can take advantage of the weak online and how challenging it is for law enforcement to thwart such attacks.

It sounds like a very negative topic, but Hansen did an excellent job of communicating the seriousness of his experiences along with humor and a pragmatism that left the listeners with a deeper appreciation for the work his journalistic team dedicates to such endeavors.

Back to the quest for more customer stories and testimonials

I didn’t find the remaining morning sessions communicating anything I didn’t already know.  It wasn’t until the post lunch session on “Managing Identity in the Cloud” by Gregg Kreizman that I found something noteworthy.  With all the buzz around cloud computing these days, I figured this would be a popular session and I wasn’t disappointed.  With multiple concurrent sessions, I would venture a guess this one had the bulk of attendees compared to other sessions in the same timeslot.  Without further delay, below are my bulleted notes from this session:

  • Web Access Management and Identity Management are precursors for SaaS/Cloud solutions for your business.
  • Make sure to get Identity and Access Management (IAM) provisions into your contracts and terms and conditions with cloud providers.
  • Federation was slow to start, but it is growing strong at present, kicked into high gear with companies looking to leverage cloud solutions.
  • Cloud vendors are offering federation support, even though this presents an easier path to customer switching (reduced customer “stickiness”), because customers are demanding it.

I was finally hoping to hear some good customer insight at the “Road to Success is Paved in Strategy” session with a senior manager of global security at Mattel.  It was a well-constructed session on IAM strategy, but nothing radically different from the textbook approach to introducing a new technology and/or security discipline in a large organization, namely:

  • Implement IAM as a 3 to 4 year initiative
  • Have a focused PMO around IAM
  • Mattel chose to focus a dedicated PMO resource, a business analyst and a systems analyst to IAM
  • Prioritize applications (don’t boil the ocean)
  • Get senior level champion outside of IT
  • Cast a wide net with stakeholders, application owners
  • Don’t just focus on technology
  • Stay focused on business goals and objectives
  • Focus on quick wins
  • IAM can be painful so don’t expect an easy road, especially if you buy tools first
  • Get some outside industry help

Lastly, it seems “New Directions in Federation” has confirmed what I was sensing since first embarking on federation a handful of years ago: SAML 2.0 is emerging as the clear winner amongst the various competing standards.  Federated authorization is another story.  No clear choice amongst the emerging standards morass.

Thus, let me be the first to pitch “Hillbilly Federated Authorization via SAML 2.0”:

  • In the SAML 2.0 payload on a federated sign-on, in addition to providing the required authentication information, use the <saml:AttributeStatement> element to include the identity provider’s user specific authorizations for the partner’s application.
  • In addition, add “auto-provisioning” where all of the attributes needed for your authenticated user to be set up in the partner application are provided in every SAML assertion.
  • Couple “Hillbilly Federated Authorization” with “Auto-provisioning” and one has a very lightweight and company-controlled extended/federated authentication and authorization model.

Where does this break down? Well, for one, if your federation partner is unwilling to work with you on this hybrid solution.  And second, if you have a significant number of authorizations (fine grained entitlements), then trying to duplicate those in your directory plus add an administrative UI to manage those directory attributes PLUS keep everything in sync with every partner major/minor application upgrade … I think there will be plenty to talk about Federation at #GartnerIAM 2011.
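To make the pitch concrete, here is an added example (mine, not from the post or any vendor product) of the partner-side half: a constructed SAML 2.0 assertion whose AttributeStatement carries both provisioning attributes and application roles, and a small consumer that checks the assertion’s Conditions before reading them. The attribute names, role values and URLs are all assumptions, and XML signature verification, which a real service provider must do first, is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (not from any real IdP). The signature element is
# omitted; a real SP must verify the XML signature before reading anything below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2010-11-16T15:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-11-16T14:55:00Z" NotOnOrAfter="2010-11-16T15:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://partner-app.example.net</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="partnerAppRole">
      <saml:AttributeValue>invoice-viewer</saml:AttributeValue>
      <saml:AttributeValue>invoice-approver</saml:AttributeValue>
      <saml:AttributeValue>retired-role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical partner-side config: attributes that feed auto-provisioning, and roles this app version knows.
PROVISIONING_ATTRS = ("mail", "displayName")
KNOWN_ROLES = {"invoice-viewer", "invoice-approver", "invoice-admin"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, expected_audience, now):
    """Check Conditions, then split the AttributeStatement into profile data and roles."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    profile = {name: attrs[name][0] for name in PROVISIONING_ATTRS if name in attrs}
    # Only roles this application knows are honoured; stale IdP entries are silently dropped.
    roles = set(attrs.get("partnerAppRole", [])) & KNOWN_ROLES
    return root.find("saml:Subject/saml:NameID", NS).text, profile, roles
```

The discarded “retired-role” value is the sync problem from the paragraph above in miniature: when the partner application changes its entitlements, the IdP’s directory attributes and the partner’s KNOWN_ROLES have to move together.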


Context based security is all the rage

For the next three days I’ll be attending the Gartner Identity and Access Management Summit.  I’ll post a daily summary of the sessions I’ve attended.  If any of the sessions have something particularly noteworthy, I’ll relay those interesting items via Twitter.

At the end of day one, the role Identity and Access Management plays in the enterprise is getting even more complex.  If you thought trying to abstract authentication from applications and build an enterprise service to aggregate that access technology was challenging, the new theme of “context” based security really pushes the complexity to a new level.

Although the opening keynote session was a push from Gartner analyst Bill Hostmann to link Business Intelligence (BI) to Identity and Access Management (IAM) data “intelligence”, it just wasn’t compelling to me.  The presenter seemed to be taking a set of industry analyst BI maturity slides and peppering them with loose links to the data collected by IAM infrastructures.  The speaker was very good at presenting his material.  I just wasn’t feeling the level of “transformational” elements of BI + IAM he was pitching.  Although, if you follow my tweets from this session with the #GartnerIAM tag,  there was quite a bit of tweet-worthy buzz phrases in the presentation.

I really enjoyed the next session on Context- and Identity-Aware information security by Neil MacDonald.  Maybe it was the crash course in Internet adaptive authentication I enjoyed at a past financial services firm during the FFIEC online authentication guidance days of 2005-2008, but I enjoyed his extension of the theme that the binary security decision of accept/deny access is fading fast.  The new focus is making the accept/deny decision within the context of the request itself.  Some of the salient points I took down during his session were:

  • Security-wise, “owning it” no longer equals “controlling it”
  • Connecting to “our” network with “our PC” no longer works: clouds, phones, non-PC devices and virtual data centers are all “out of our direct control”
  • Context extends to the device that is making the access request:
    - Is it patched?
    - Has it been here before?
    - Has it been successfully granted access in the past, and if so, when and from where?
  • Past = binary, trust or not trust.  Going forward = patterns/models assist in making trust decisions
  • One company’s model of “accept/deny” may not be the same as another company’s model of “accept/deny”
  • Context is using more information in order to build better models
  • Goal in Info Security now is establishing “trustability” of apps, identity and information
  • Past = signature based determination of pass/fail security decisions, signatures now changing too fast and requires someone to identify and distribute the “bad” signature, but when target is you, no signature exists
  • Present = Build “reputations” by asking “the community” if this pattern has been seen before as positive/negative
  • Identities are adaptive models.  No absolute trust/distrust.  Yes/no needs to be determined based on the context of the identity.

The challenge I find with Gartner and other such conferences is the conference sponsorship dynamic.  Vendors heavily finance the event.  Thus, vendors want to push products beyond just the vendor galleries.  Yet, no one will attend a one hour session that is a full court press by a particular vendor extolling the value of their products.  Thus, vendors tend to pitch their products in the first half of a session and then bring a loyal customer to share success stories in the second half.  At the same time, analysts need to convince potential new customers of their expertise that they indeed possess massive domain expertise without giving away all of their billable knowledge.  Ultimately, the most value I find at such conferences is to hear the stories of real world customers that are solving real world business problems.

The CISO for Triple-A tried to share such a real world experience in a session, but I didn’t learn anything new there.  It took until 3pm to finally hear a presentation that I found interesting.  The IAM architect for ING shared how they used Oracle products to address their IAM challenges.  Below are some of the notes I took, including ING’s problems before embarking on their IAM quest.

ING’s current problems were:

  • Improve security and operational efficiency (14 days to get a new employee access to stuff to do their job)
  • User access driven by IT not business
  • Meaningful and efficient access approval process
  • Multiple and complex access control models in IT systems

ING’s key drivers were:

1. Provide additional security and access controls
2. Reduce provisioning costs
3. Reduce on-board time and streamline process
4. Change business process rather than custom code to achieve results

They, of course, used a suite of Oracle products in their quest.

Additional interesting tidbits I noted related to ING’s pre-IAM problems:

  • 40% of helpdesk calls are “reset my password” calls
  • Users have average 12 different user ids+passwords

ING’s lessons learned:

  • Executive sponsorship is critical, especially to break down existing kingdoms
  • Discovered IAM involves 75% process, 25% technology
  • Business focus and the need for real, identified business drivers
  • Change leadership, obtaining buy-in from organizations
  • Go for quick wins
  • Need for non-production systems to test all rules before implementing in production, same schemas, same data as prod, etc.
  • Need for a standard user id, IAM is the chance to fix this, avoid random mess of multiple IDs per person
  • Use out of the box connectors before building custom, only build custom on high change applications

All in all, the conference is great for IAM professionals of all non-hands-on levels, but I think @bdgreen stated it best: “Just finished up my first day at #GartnerIAM . It all sounds so “pie in the sky” at this point. I need more case studies/substance.”


Identity and Access Management

For the next three days I’ll be attending the Gartner Identity and Access Management Summit.  I’ll post a daily summary of the sessions I’ve attended.  If any of the sessions have something particularly noteworthy, I’ll relay those interesting items via Twitter.

I’m looking forward to hearing the latest advances and trends related to Identity and Access Management technology!
