Anyone can kill off a protocol a.k.a XACML isn’t dead

There’s a little bit of a kerfuffle going on in XACML-land. A non-Gartner analyst made the claim that XACML is dead. Such a claim doesn’t go unnoticed; so Gerry, Anil, Danny, and Remon have all responded that no, XACML isn’t dead. It is not pining for the fjords. It isn’t even zombified.

Anyone can declare a protocol dead. Last year it was SAML. This year, apparently, it’s XACML. Now as someone who killed off the entire IAM industry, I think I’m in a position to comment about this.

It’s easy to say X is dead. SAML, SPML, DSML – doesn’t matter – you declare it dead, write your blog post, and call it a day. But what’s hard, and what is necessary, is this: if you kill something off, you have to offer an alternative. In the case of IAM, I believe we are seeing the hazy outline of what it will be reborn as start to emerge: something more nimble, more developer-friendly, and more indistinguishable from business services. In the case of XACML, no alternative was provided.

Just a few things to keep in perspective when thinking about XACML. First, separate externalized authorization management (EAM) from XACML. Enterprises have been doing EAM for decades. The pattern of using something like RACF as a decision-as-a-service facility is a well-established practice. Although enterprises may not be using XACML, they are doing EAM, and that will only continue.

Continue reading

Google Glass, Privacy, and a Book Recommendation: It’s all in the post-processing

I saw my first pair of Google Glass at the IAPP’s Privacy Summit a few weeks back. I can’t say for certain but I’ve got a feeling that the wearer was not only loving the utility his pair of Glass provided but also the circumspect looks shot his way by hundreds of privacy professionals. This got me thinking about how societal privacy issues are born – not just with Google Glass but with any technology.

As Glass debuted, people raised multiple privacy concerns, including the concern that Glass could send images of people’s faces back to the Googleplex for post-processing such as facial recognition. This concern is rooted in the asymmetric relationship between the people in the line of sight of the Glass wearer, with whom they may not have a relationship, and Google, which could collect their image and use it for whatever purpose it sees fit. The random stranger might not have a relationship with the Glass wearer, and she most certainly does not have a relationship with Google (or whoever makes the next Glass-like widget) in this context. The concern, I believe, is not just one of asymmetric relationships and power imbalances but also one of post-processing.

Continue reading

How to Provision a Pope in 6 Easy Steps

Having deprovisioned your previous Pope, you thought your work was done. But just as soon as you’ve settled back into your desk chair you see it – white smoke wafting up from the chimney. It’s time to provision a new Pope!

Step 1 – Meet the new Pope

First things first, go meet the new Pope. Invariably new Popes arrive with a panoply of devices that they want connected so they can continue to use them, and this one is no different. You and your CISO take an inventory of all the gadgets the new Pope wants to use: iPhone, Android tablet, Xbox, Chromebook, etc. With list in hand, you’ll have to start working with your security and device management peers on a strategy to quickly get those devices working with your infrastructure. (If the new Pope doesn’t get his time playing WoW: Mists of Pandaria, he gets a bit grumpy.)

Step 2 – Don’t wait for HR

You can’t leave the Pope just to sit on his mitre and wait for access to business systems. The new Pope has got to be productive minute one of his Popehood. But unfortunately, the new Pope won’t be in the HR feed until the next payroll run, which isn’t for another 12 days. Mussolini might have made the trains run on time but not even he could do anything about HR. To be fair, a new Pope isn’t really a new hire but a strange combination of a transfer and a new persona; needless to say, HR is going to need to take their time. This means you cannot wait for the HRMS to signal the user provisioning system to kick into action. Time for the manual bypass! Hand register the new Pope in the user provisioning system, but be ready for some strangeness when the new Pope does finally show up in the HR feed – misspellings, wrong job codes, and missing data will lead to odd provisioning events.

Continue reading

How to Deprovision a Pope in 6 Easy Steps

Recent announcements got me thinking about how to deprovision executives such as a Pope. Never had to deprovision a Pope before? No worries. We’ve come up with a sure-fire 6 step process guaranteed to help you help your Pope incur a separation from payroll.

Step 1 – Listen to HR

In order to kick off the deprovisioning process, ensure that the user provisioning system can, in fact, know that someone has left the organization; the most common way to do that is to “listen” to the HR system. Got that set up? Good. Oh wait, did HR actually submit his status change to ‘Abdicated’? Does the user provisioning system actually know how to process ‘Abdicated’ status codes instead of ‘Terminated’? Say a Hail Mary and proceed to Step 2.

Step 2 – Disassociate said Pope from super-user accounts

Assuming the user provisioning system knows that your Pope is abdicating, the next step is to make sure he doesn’t “own” any god-like, privileged accounts such as root, domain administrator, SYSOPER, etc. You’d hate it if, whilst processing the deprovisioning event, the user provisioning system wiped out a crucial (often really hard to recover) account. Run a report, check to see if your Pope has some privileged accounts, and if he does, reassign ownership to someone else.
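The two steps above as an added, constructed sketch of a leaver workflow (not code from this post or from any provisioning product): an HR status code that the system has not been taught, such as a surprise ‘Abdicated’, halts the run for review instead of being silently ignored, and privileged accounts owned by the leaver are reassigned before anything is disabled. The account names, systems and owners are invented sample data.

```python
from dataclasses import dataclass

# Step 1: the HR status codes this provisioning system knows how to act on.
# 'Abdicated' is listed deliberately; anything not listed is an error, not a no-op.
LEAVER_STATUS_CODES = {"Terminated": "leaver", "Retired": "leaver", "Abdicated": "leaver"}

# Step 2: accounts that must survive the leaver and be re-owned, never disabled.
PRIVILEGED_ACCOUNTS = {"root", "Administrator", "SYSOPER", "SYSDBA"}


@dataclass
class Account:
    name: str
    owner: str      # person accountable for the account (hypothetical inventory field)
    system: str
    disabled: bool = False


def classify_hr_event(status_code: str) -> str:
    """Translate an HR status code into a provisioning action, or refuse."""
    try:
        return LEAVER_STATUS_CODES[status_code]
    except KeyError:
        # Unknown codes go to a human; a silent skip would leave the leaver active.
        raise ValueError(f"unmapped HR status code {status_code!r}: needs manual review")


def deprovision(person: str, status_code: str, accounts: list, new_owner: str) -> dict:
    """Reassign the leaver's privileged accounts, then disable their personal ones."""
    if classify_hr_event(status_code) != "leaver":
        return {"reassigned": [], "disabled": []}
    reassigned, disabled = [], []
    for acct in accounts:
        if acct.owner != person:
            continue
        if acct.name in PRIVILEGED_ACCOUNTS:
            acct.owner = new_owner          # keep the account, change who owns it
            reassigned.append(f"{acct.name}@{acct.system}")
        else:
            acct.disabled = True
            disabled.append(f"{acct.name}@{acct.system}")
    return {"reassigned": reassigned, "disabled": disabled}
```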

Continue reading

The Business of Identity: Thoughts from the NSTIC White House Event

Yesterday’s National Strategy for Trusted Identities in Cyberspace event was a bit of a blur. Really good conversations. Lots of new ideas swimming through my head. Here are some of the highlights:

New faces from outside the echo chamber

First and foremost, there were a lot of new faces and new companies at the NSTIC event. The NSTIC team did an admirable job of getting companies to the table that hadn’t been there before. There were retailers, energy companies, and banks in the room who had never engaged with the identity community before. This is a huge step forward. As I wrote about last week, participation, specifically relying party participation, is critical to the success of NSTIC. As Senator Mikulski said, “The key to a voluntary system is actually having volunteers.” If the event was any indication, there is a new wave of volunteers willing to participate in NSTIC.

Business of Identity

The bulk of our conversations yesterday were regarding the business impact of better identity practices. Companies pointed to existing inefficiencies that they can remove from their business simply by starting to accept federated credentials. These sorts of scenarios weren’t particularly complex, which is why they have a good chance to succeed. They are simple scenarios with real business impact – exactly the kind of thing identity teams need in order to demonstrate value.

What was even better was that these simple scenarios were the stepping-stone to more complex, new business opportunities. Remove inefficiencies, then unlock new business, repeat. We’ll be talking more about these opportunities in future blog posts and in our research.

Continue reading

Beyond Industrial Era Identity Management

(The following is the statement I’ll deliver today at the National Strategy For Trusted Identities in Cyberspace event at the White House.)

Our way of thinking about identity management is outdated. This outdated thinking poorly reflects the way we interact on Main Street, and it doesn’t fit the needs of people and enterprises trying to interact on the Internet.

On the whole, current thinking regarding identity management is that of the Industrial Era. Enterprises are creating “company towns” for identity. In the Industrial Era, companies, such as Pullman, created towns for their workers to live in, and these towns provided all the services that the employees could use. In today’s identity “company towns,” the enterprise has created your identity, owns your identity, and you cannot use your identity anywhere else – it has no value or meaning outside of “the town.”

This model is problematic. First, this is antithetical to our belief in self-determination. Second, this model is costly. Enterprises have to create and support extra services to manage identities. This also increases information security risk because the enterprise possesses potentially sensitive information that it must protect, not to mention the problems and risks related to over-collection of personal information. The last problem with this outdated way of thinking is that it doesn’t reflect how the non-digital world works.

In the “real” world, I can choose how I want to be known and how much I want to share with others. I can pick my nicknames; I can choose not to share my name. I can choose to tell a merchant my phone number or that my first car was made in America.

Businesses have grown to accommodate and augment the way we interact. Companies offer services to help an enterprise strengthen individually asserted claims, such as my name and my address. Credit bureaus and other services help businesses gain higher assurance that the “Ian” in front of them is really me.

We must leave the “company town” model of identity management. We must shift our digital interactions to be more like our day-to-day, face-to-face ones. The evolution toward federated identity would mean that our identities are no longer owned by parties other than ourselves.

Just as in the real world, third parties can be consulted to help an enterprise have greater assurance that the “@iglazer” using its service is me. Such third parties can help the enterprise have greater confidence that “@iglazer” is over-21 and has a verified mailing address here in DC. By the way, the services offered by these third parties are new business opportunities.

With both greater assurance about the individual’s identity and confidence in what they claim about themselves, business can:

  • avoid managing identities and thus not have to deploy extra services such as password reset
  • reduce information risk by collecting less information about individuals
  • deliver higher value services to the individual

In the last year, NSTIC has acted as a catalyst, not only for protocol and specification development, but has also driven policy conversations, and more importantly, business conversations. In a way, NSTIC has given the “all clear” signal for the business to get involved in this evolution of identity management.

I used to take calls from Fortune 500 companies asking, “Should we care about OpenID?” Now I take calls that ask:

  • “What are business models for identity providers?”
  • “What communities of interest are likely relying parties for our identity services?”

Within these questions lie new business opportunities that my customers are looking to capitalize upon.

Now is the time to act. Study your current use of identity – are you the mayor of an identity “company town?” If you truly think you own other people’s identities, take a hard look at whether that ownership brings enough value to offset the expense and risk of maintaining those identities. For most organizations, the risk and expense of owning identities outweighs any tangible benefits. For most organizations, owning identities is a vestige of outdated thinking. As NSTIC gains momentum, now is the time to plan and deploy for our federated future. I am very eager to hear from my fellow panelists and the audience what they are doing and what they have planned.


Put 100 Relying Parties in a Room and What Do You Get?

It’s an open secret among us identity geeks that, despite all of federated identity’s progress, one thing has lagged significantly: relying party participation[1]. Getting relying parties to the table, to talk about challenges they have with identity on the Internet, has always been a hard problem. Although the identity community has grown, the number of relying parties getting involved with things like the Internet Identity Workshop hasn’t kept pace.

Willingly or not, NIST’s National Strategy for Trusted Identities in Cyberspace (NSTIC) has taken up the challenge of increasing relying party participation. Without real-life use cases based on actual business, actual problems, NSTIC is, though aspirational, vague. However, armed with a set of discrete use cases, NSTIC (and more importantly the identity community) can begin to craft solutions, discover unforeseen challenges, strengthen protocols, and tackle policy issues. But getting these needed use cases requires relying parties to be involved.

To that end, NSTIC is hosting an event at the White House on Wednesday, May 23rd. The program office has invited over 100 companies, all of whom are potential relying parties. These companies are household names, spanning multiple industry sectors. In short, they are a cross-section of the economic engines of this country, and by bringing them together in a safe space, the NSTIC program office hopes to pick up the pace of relying party engagement and bolster the ranks of companies who can become more efficient and unlock new value by using federated identity.

But there’s only so much convincing the government can do directly. At the event, I’ll be participating on a panel of companies from different industries discussing the value they can recognize by using the techniques that NSTIC promotes. I am going to try and tweet as much as I can from the event and will follow up with a post on its results. If you want to keep tabs on NSTIC’s relying party party, follow me, and tune in on Wednesday May 23rd at 10am eastern.


[1] I know that getting identity providers to play is an issue too, but that seems to be an easier problem to solve.

spots of thoughts: ian and friends rant, rave, and ruminate