A Maturity Model for De-Weaponizing Identity Systems – Part 2

In the first part of this series, I discussed different kinds of attackers and why they attack our identity systems. I also discussed how they can weaponize our identity systems, turning what is meant to deliver services and do good into something that can be used to cause harm. In this part I’ll talk about the goals of the model, the disciplines needed to do this work, and the levels of maturity.

Goals of the Maturity Model

When coming up with this maturity model, I had 4 goals in mind:

  1. Defend against all attackers
  2. Balance protection and productivity
  3. Achieve greater transparency
  4. Promote data provenance

Defend against all attackers

Since all 3 kinds of attackers can weaponize identity systems, we have to defend against every time of attacker: Bulk, Single Data Subject, and Successor. However in order to do this requires that we have specialized defenses against each type. Said differently, a generic defense is in effective. In fact, one can think of this maturity model as a specialization of existing security controls for identity systems, but more on that later. Continue reading “A Maturity Model for De-Weaponizing Identity Systems – Part 2”

A Maturity Model for De-Weaponizing Identity Systems – Part 1

It’s no secret that we, as identity professionals, are the custodians of some of the most crucial information in our enterprises. We hold information about employees and customers in our identity systems in order to deliver them services that range from productivity to entertainment to personal health and wellbeing.

And as professionals, none of us want to build systems that can harm other people. Certainly, none of us want to build systems that can be used to harm ourselves. At the core of our professional code of ethics is the spirit of “do no harm.”

Now it is true that if our identity systems are of value to us and to our employers, then they are of value to attackers.

Who are these attackers?

There are two kinds of attackers: bulk and single data subject attackers; let’s look at both.

Bulk Attackers, as the name implies, want bulk data… they want all the data. Why they want all the data can vary widely. They might be interested in a single vendor’s customers. Or they might be interested in everyone in a region who shares a medical condition or ethnic heritage, or employer. They might be setting up for a later spear phishing attack. They might be putting the pieces together for an ethnic minority oppression campaign or a voter suppression campaign.

On the other hand, Single Data Subject Attackers are only interested in a single data subject. They are focused just one individual. Why? They might want to take control of a celebrity’s mobile phone for the lulz or leak personal photos to the web. They might be interested in dox’ing an adversary. They might want to make an ex-spouse’s life a living hell.

Continue reading “A Maturity Model for De-Weaponizing Identity Systems – Part 1”

Professionalizing Identity: What happens next?

Apologies for not getting this out sooner.

After having a great time at #CISNOLA I recovered a bit. In that time I got a lot of feedback on my micro-keynote on professionalizing the identity management industry. Lots of of very encouraging feedback.

There was a common theme to these conversation – I signed the pledge; so now what happens?

From a long term perspective, I simply don’t know.

On a shorter timeline, here’s what I do know.  Kantara is going to leave the pledge page open for a few more weeks. Around July or August, Kantara will convert the pledge list to a working group.  This discussion group will explore what a professional organization for our industry should look like. I have recommended that that working group spend the rest of the year identifying what the organization ought to look like, what it should do, what it should not do, etc.  My hope is that around the beginning of 2017 the organization gets going in earnest.

Well that seems like a long time to wait you might say. True. But we’ve gone 30 years without a professional organization – 180 more days isn’t going to kill anyone.  Having gone through the creation of one organization already, I am in no rush and I think the Kantara leadership is of a similar mindset.

In the meantime, what can you do? Send your colleagues to the Kantara pledge page. Talk with your peers about what you want to see in a professional organization for our industry. Find similar organizations that are doing interesting things and brings those things to the working group when it starts.

The Moments Ahead for Identity

[My address to the European Identity Conference 2016. Although this starts like my TCP/IP Moment talk it goes in a very different direction. In some regards, I think this might be the most important talk I have ever written and delivered.

Giving credit where credit is due – the ideas in this piece are the distillation of many many conversations over the years. I am deeply indebted to the following peers for their help, encouragement, ideas, and support: Allan Foster, Robin Wilton, Nat Sakimura, Josh Alexander, Chuck Mortimore, Joni Brennan, and Josh Nanberg.]

Remember when we used to pay for a TCP/IP stack? Remember when we paid for network stacks in general? Hell, we had to buy network cards that would work with the right stack.

But think about it… Paying for a network stack. Paying for TCP/IP. Paying for an implementation of a standard.

How quaint that sounds. How delightfully old school.

But that’s what we did!

And now? No one pays for a TCP/IP stack.

When network stacks became free networking jobs didn’t go away. I would posit that we have more networking engineers now than we’ve ever had before. Their jobs morphed with the times and changes in tech.

It’s mid-2016 and I think we need to admit as that the identity industry now looks a lot like the networking industry did at its TCP/IP moment. The standards are mature enough. The support for them is broad enough. And another thing, not taking a standards-based approach is antithetical to the goals of the modern enterprise.

Simply put, identity is having its TCP/IP moment. And this TCP/IP moment will spawn other moments in identity management.

I want to talk about three impactful moments ahead for our industry:

  1.  Standards-based identity
  2. Outcomes-based identity
  3. Professionalized identity

I want to talk about these moments and changes associated with them, but keep in mind that although great change is ahead, we need not be afraid of that change. Continue reading “The Moments Ahead for Identity”