Authentication Obsession

As always, Bob has an interesting post out there. Taking up the issue of authentication, he issues this challenge:

“I believe that this community should commit itself to achieving the goal, before this decade is out, of providing every computer user with a strong authentication device and the infrastructure required for its universal acceptance.”

The post started my mental wheels turning. I 100% agree with Bob that the current state of affairs for user authentication is unacceptable. He provides some great guiding points on what a better authentication system should look like. He says:

We need to get a strong authentication device into the hands of every man, woman, and child on the planet.
To do that, we’re going to need lots of strong authentication device providers and lots of innovation. The devices are going to need to be cheap, they’re going to need to be trivially easy to use, and they’re going to have to come in all shapes, sizes, and colors to fit with the widest possible variety of lifestyles.

Trivially easy to use. To me, above and beyond the abilities of the authentication system, it has to be easy to use. Why? Consider who has to use it. Your parents. People who are not necessarily technologically savvy. Consider that when identity people get together they talk of metasystems, infrastructure, standards, and a whole slew of topics that only they understand. (I am not laying blame here, but we talk about what we know.) The vast majority of people out there have no idea what strong authentication means. Think how hard it is to train corporate users to use a strong auth system. Now imagine rolling out that system for the entire Internet. Remember you have to train everyone on it… including your parents. Now you begin to see the challenges we face in solving both the technical and social issues around moving beyond passwords and into improved authentication land.

After hearing a few comments from America’s Growth Capital last week, I started thinking that we have an authentication obsession. We have to learn from the network world and not let the application tier develop a perimeter defense mentality: “I have strong auth enabled on this application; we’re safe.” sounds an awful lot like “We’ve got a firewall; we’re safe.” Yes, strengthening authentication and getting away from passwords as soon as possible is extremely important. But let’s face it, the identity house isn’t anywhere close to complete. We are obsessing about the plumbing and there’s no roof or power in place yet. Knowing what happens after authentication is just as important, if not more so, than what happens at authentication.

As I went through Dulles today, I had a chuckle at the most hackable authentication event you will ever see… airport check-in. Bruce has written about this. I am Jim Badguy and want to travel. I am a wanted bad person. I’m not on the TSA No-Fly list because that list is actually generated from a list of people who receive Publisher’s Clearinghouse mailers. I have Bill Goodguy’s credit card info. I buy an e-ticket with Bill’s card info. I save the e-ticket out of my browser. I print a copy out with Bill’s name on it. I manipulate the saved version of the e-ticket, and put my name on it. I head off to the airport with both copies of the ticket in my bag. I get to security and show them my valid driver’s license and my manipulated e-ticket, the one with my name on it. Everything is cool and off I go to the gate. I get to the gate and use the valid ticket, the one with Bill’s name on it, to board the plane. Authentication totally hacked. What I do after the point of (mis)authentication becomes critically important.
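The two checkpoints in that story never compare notes: security checks ID against whatever paper is shown, the gate checks a ticket against the airline record, and nothing links the identity verified at one to the ticket used at the other. The model below is an added example (not from the original post) that reproduces the gap and then closes it by having security hand the gate a signed record of which identity was matched to which ticket; the airline records, ticket copies and shared checkpoint key are all constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed sample data: the airline's record of the e-ticket, the unedited copy Jim
# boards with, and the copy he edited to carry his own name.
AIRLINE_RECORDS = {"TKT-1": "Bill Goodguy"}
REAL_TICKET = {"id": "TKT-1", "name": "Bill Goodguy"}
EDITED_TICKET = {"id": "TKT-1", "name": "Jim Badguy"}
CHECKPOINT_KEY = b"shared-checkpoint-key"  # assumed shared by security and the gate


def security_check(id_name, ticket):
    """Checkpoint 1 as in the post: the photo ID only has to match the paper shown."""
    return id_name == ticket["name"]


def gate_check_legacy(ticket):
    """Checkpoint 2 as in the post: the ticket only has to match the airline record."""
    return AIRLINE_RECORDS.get(ticket["id"]) == ticket["name"]


def issue_pass(id_name, ticket):
    """Hardened checkpoint 1: on success, sign a record of WHICH ticket was matched to
    WHICH verified identity so the gate can carry that result forward."""
    if not security_check(id_name, ticket):
        return None
    body = json.dumps({"ticket": ticket["id"], "verified_name": id_name}, sort_keys=True)
    tag = hmac.new(CHECKPOINT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def gate_check_linked(ticket, signed_pass):
    """Hardened checkpoint 2: the boarded ticket must match the airline record AND the
    identity security verified for that same ticket; a forged or missing pass fails."""
    if signed_pass is None:
        return False
    expected = hmac.new(CHECKPOINT_KEY, signed_pass["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed_pass["tag"]):
        return False
    claim = json.loads(signed_pass["body"])
    return (claim["ticket"] == ticket["id"]
            and AIRLINE_RECORDS.get(ticket["id"]) == ticket["name"]
            and claim["verified_name"] == ticket["name"])


def run_scenario():
    """Jim shows ID plus the edited copy at security, then boards with the real copy."""
    legacy = security_check("Jim Badguy", EDITED_TICKET) and gate_check_legacy(REAL_TICKET)
    linked = gate_check_linked(REAL_TICKET, issue_pass("Jim Badguy", EDITED_TICKET))
    return {"legacy_boards": legacy, "linked_boards": linked}
```

The legacy pair of checks lets the scenario through because each checkpoint is satisfied in isolation; the linked version fails at the gate because the name security verified does not match the ticket actually being boarded.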

Yes, authentication is important, but we cannot lose sight of the fact that authentication is just the beginning. Recognizing an identity is the start. Observing how that identity interacts with other identities fills in more of the picture. Getting the complete picture involves both recognition and observation.

Ian

Thoughts from RSA

Given a little time and some distance from the RSA Conference last week, I feel ready to comment on all the fun.

First, I can’t wait for RSA to be back in San Francisco next year… for a lot of reasons. The “last call at 11:00” on Thursday harkened back to drinking in England. 11? Ask anyone in OASIS or the IETF and they’ll tell you, you can’t collude to make a new standard any time before midnight. Bob has an interesting conspiracy theory on why closing time is 11.

Second, RSA is always great to help put faces with names. I got to sit and chat with a bunch of interesting people. Granted, with all the people running around the convention center, it can get a bit overwhelming.

Third, I got to try out some new ideas on a variety of people from the press to analysts to other vendors in our space. Two things came up in these talks: policy interfaces and the second thing. (The second thing will be a separate post.) Reading Sara’s post on policy was refreshing. The Identity lexicon is a strange one. We use words that have multiple meanings. We use terms to hide the realities of market segments. Policy is definitely high on the list of overused and under-defined terms.

Combining some trends I have seen in the market and reflecting on my post about Yet Another Management, I think it is time to highlight another problem with the P word – the management of policy. Quick, vendors: count how many policy management interfaces you have. I spent last week asking a variety of vendors how many different policy management interfaces they have for their products. I think the average for a decent sized identity management vendor is around 5. (One vendor told me of over 10 different policy management interfaces for their suite of products.)

Customers are being overwhelmed with different policy tools. Multiple policy management interfaces from multiple vendors. This wouldn’t be so bad if:

  1. All of the tools could link back to some overall IT Governance policy management system.
  2. They talked to each other.
  3. They used consistent names for their operations and subjects.

Of course I realize the effort required to address the previous points is huge and would require monumental work among competing vendors. But, playing the long game, we as an industry are going to have no other choice. We have to keep in mind that no one is in business solely to learn how to use a myriad of policy management interfaces; they are in business to fly planes, manage people’s money, provide healthcare, etc. I have started to see the market, especially the mid-market, begin to push back against adding more and more policy tools into their environment. I don’t think the villagers are at the gate with pitchforks and torches yet, but they are starting to grumble in local bars. Around mid-2007 I think the villagers will reach the gates, demanding unified policy tools that use consistent language throughout. We had better start working on this now.


Roles, Courion, a Prediction for 2006, and RSA

Roles, Courion and Trusted Network Technologies
Between Rob and Dave, we’ve started a nice little set of discussions on roles. Since the boss and the CTO have weighed in, I figured it was my turn.

Roles have been a touchy subject. The industry has wandered a bit over the years to get to where we are now. I remember when role based access control (rbac) was losing a bit of steam and being upstaged by rule based access control (rbac). I used to tell customers, “NIST has it easy. They don’t have to sell anything. If you find that the first idea you had isn’t working, replace it with a new one with the exact same abbreviation. That way you can change what you are talking about without having to reprint the marketing material.” Now this was back in the day that Access360 and Waveset were going head to head. (Ah… the good old days.)

The industry has grown a lot since then. We (the industry and customer base) are ready to have more meaningful discussion about role lifecycle management. The US market is starting to come around to roles as new forms of technology can turn role lifecycle management from a painful expensive task into an ongoing dynamic process. We can talk about bottom-up versus top-down. We can look at the way policy and role definition intermingle in various applications. It is a great time to be working in this space.

Dave’s post on roles as the fuel for something more than identity management and security addresses the real end goal of customers: IT governance. How does a company turn business process into IT operations into operational efficiency? I’m with Dave here in saying roles can help. However, if role definition is static and done in isolation then it is a wasted effort.

Enter our announcement with Courion. Between Courion’s abilities to mine their data to build roles and our abilities to observe identity interactions on the network, we can turn role lifecycle management from a painful expensive task to an ongoing dynamic process. If the process is not ongoing, then any IT governance decision based on role decisions will be using stale data. If these decisions are not made on valid data from the identity map of the enterprise, then they are made in isolation and will be suspect. Together Courion and Trusted Network Technologies can do role mining in a timely fashion based on the identity interactions of the enterprise.

A Prediction for 2006
It’s a bit late to be making predictions for the year, but better late than never. The Identity Management market is a broad market. It encompasses everything from two-factor authentication to role lifecycle management to federation and beyond. There are, as you would expect, a lot of vendors in this space, with more coming every day. My gut tells me we are going to see more and more of the smaller vendors in this space teaming to bring better, more meaningful solutions to the market. Instead of having a flurry of market consolidation and large companies acquiring smaller ones, 2006 will be a year of seemingly unrelated companies coming together with products that simply work better together. This space is finding natural resonance with verticals like health care, higher education, and retail banking. Smaller vendors are nimble and can bring joint offerings to these spaces quickly. We’ll see how this prediction pans out as the year progresses.

RSA
Finally, we are headed, along with just about everyone else in the space, to the RSA conference next week. I’ll be hanging around our booth (#1816) along with the rest of our bloggers: Dave, Rob, and Doug. Come on by and say hi. Put a face to the blog entries.
