Authentication Obsession

As always Bob has an interesting post out there. Taking up the issue of authentication, he issues this challenge:

“I believe that this community should commit itself to achieving the goal, before this decade is out, of providing every computer user with a strong authentication device and the infrastructure required for its universal acceptance.”

The post started my mental wheels turning. I 100% agree with Bob that the current state of affairs for user authentication is unacceptable. He provides some great guiding points on what a better authentication system should look like. He says:

We need to get a strong authentication device into the hands of every man, woman, and child on the planet.
To do that, we’re going to need lots of strong authentication device providers and lots of innovation. The devices are going to need to be cheap, they’re going to need to be trivially easy to use, and they’re going to have to come in all shapes, sizes, and colors to fit with the widest possible variety of lifestyles.

Trivially easy to use. To me, above and beyond the abilities of the authentication system, it has to be easy to use. Why? Consider who has to use it. Your parents. People who are not necessarily technologically savvy. Consider that when identity people get together they talk of metasystems, infrastructure, standards, and a whole slew of topics that only they understand. (I am not laying blame here, but we talk about what we know.) The vast majority of people out there have no idea what strong authentication means. Think how hard it is to train corporate users to use a strong auth system. Now imagine rolling out that system for the entire Internet. Remember you have to train everyone on it… including your parents. Now you begin to see the challenges we face in solving both the technical and social issues around moving beyond passwords and into improved authentication land.

After hearing a few comments from America’s Growth Capital last week, I started thinking that we have an authentication obsession. We have to learn from the network world and not let the application tier develop a perimeter defense mentality: “I have strong auth enabled on this application; we’re safe.” sounds an awful lot like “We’ve got a firewall; we’re safe.” Yes, strengthening authentication and getting away from passwords as soon as possible is extremely important. But let’s face it, the identity house isn’t anywhere close to complete. We are obsessing about the plumbing and there’s no roof or power in place yet. Knowing what happens after authentication is just as important, if not more so, than what happens at authentication.

As I went through Dulles today, I had a chuckle at the most hackable authentication event you will ever see… airport check-in. Bruce has written about this. I am Jim Badguy and want to travel. I am a wanted bad person. I’m not on the TSA No-Fly list because that list is actually generated from a list of people who receive Publisher’s Clearinghouse mailers. I have Bill Goodguy’s credit card info. I buy an e-ticket with Bill’s card info. I save the e-ticket out of my browser. I print a copy out with Bill’s name on it. I manipulate the saved version of the e-ticket and put my name on it. I head off to the airport with both copies of the ticket in my bag. I get to security and show them my valid driver’s license and my manipulated e-ticket, the one with my name on it. Everything is cool and off I go to the gate. I get to the gate and use the valid ticket, the one with Bill’s name on it, to board the plane. Authentication totally hacked. What I do after the point of (mis)authentication becomes critically important.
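The airport walk-through above is a two-checkpoint flow in which the identity check at security is never bound to the artifact actually used at the gate, and the artifact itself carries no integrity protection. The following is an added example, not code from the original post, that models both versions of the flow: the naive one, where security only compares the printed name against the ID and the gate only checks the printed name against the manifest, and a bound one, where the e-ticket carries an HMAC tag and the gate re-checks the ID against the signed name. The airline signing key, the flight number and the passenger names are all assumptions made up for the illustration.

```python
import hashlib
import hmac
import json

# Assumption: an airline-held signing key. In the real flow no such key
# exists, which is exactly why a saved e-ticket can be edited at will.
SIGNING_KEY = b"hypothetical-airline-signing-key"


def issue_ticket(passenger, flight, key=SIGNING_KEY):
    """Issue an e-ticket: a canonical JSON body plus an HMAC-SHA256 tag."""
    body = json.dumps({"passenger": passenger, "flight": flight}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_ticket(ticket, key=SIGNING_KEY):
    """True only if the body has not been altered since issuance."""
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket["tag"])


def passenger_on(ticket):
    return json.loads(ticket["body"])["passenger"]


def tamper(ticket, new_name):
    """What Jim does to the saved copy: edit the name, keep everything else."""
    data = json.loads(ticket["body"])
    data["passenger"] = new_name
    return {"body": json.dumps(data, sort_keys=True), "tag": ticket["tag"]}


# --- the naive flow: each checkpoint trusts the printed name ---------------

def security_naive(ticket, id_name):
    # Only asks: does the name on the paper match the name on the license?
    return passenger_on(ticket) == id_name


def gate_naive(ticket, manifest):
    # Only asks: is the name on the paper on the flight manifest?
    return passenger_on(ticket) in manifest


# --- the bound flow: integrity on the ticket, identity re-checked at gate --

def security_bound(ticket, id_name, key=SIGNING_KEY):
    # A forged body fails the tag check before the name is even compared.
    return verify_ticket(ticket, key) and passenger_on(ticket) == id_name


def gate_bound(ticket, id_name, manifest, key=SIGNING_KEY):
    # The gate repeats the identity check, so the genuine ticket in Bill's
    # name does not board Jim, whose ID says "Jim Badguy".
    return (verify_ticket(ticket, key)
            and passenger_on(ticket) == id_name
            and passenger_on(ticket) in manifest)


def jim_gets_on_the_plane(bound):
    """Run Jim's attack end to end; returns True if he boards."""
    manifest = {"Bill Goodguy"}                       # constructed sample data
    genuine = issue_ticket("Bill Goodguy", "XX123")   # bought with Bill's card
    forged = tamper(genuine, "Jim Badguy")            # saved copy, name edited
    jims_id = "Jim Badguy"                            # his own valid license
    if bound:
        cleared = security_bound(forged, jims_id)
        boarded = gate_bound(genuine, jims_id, manifest)
    else:
        cleared = security_naive(forged, jims_id)
        boarded = gate_naive(genuine, manifest)
    return cleared and boarded


if __name__ == "__main__":
    print("naive flow, Jim boards:", jim_gets_on_the_plane(bound=False))
    print("bound flow, Jim boards:", jim_gets_on_the_plane(bound=True))
```

Two separate fixes are in play, and either one alone closes Jim's particular trick: the tag stops the edited copy at security, and re-checking the ID at the gate stops the genuine copy in Bill's name. The point of the post is the second one: the checkpoint after authentication has to keep using the identity that was authenticated, not a piece of paper that merely names one.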

Yes, authentication is important, but we cannot lose sight of the fact that authentication is just the beginning. Recognizing an identity is the start. Observing how that identity interacts with other identities fills in more of the picture. Getting the complete picture involves both recognition and observation.

Ian

Thoughts from RSA

Given a little time and some distance from the RSA Conference last week, I feel ready to comment on all the fun.

First, I can’t wait for RSA to be back in San Francisco next year… for a lot of reasons. The “last call at 11:00” on Thursday harkened back to drinking in England. 11? Ask anyone in OASIS or the IETF and they’ll tell you, you can’t collude to make a new standard any time before midnight. Bob has an interesting conspiracy theory on why closing time is 11.

Second, RSA is always great to help put faces with names. I got to sit and chat with a bunch of interesting people. Granted, with all the people running around the convention center, it can get a bit overwhelming.

Third, I got to try out some new ideas on a variety of people from the press to analysts to other vendors in our space. Two things came up in these talks: policy interfaces and the second thing. (The second thing will be a separate post.) Reading Sara’s post on policy was refreshing. The Identity lexicon is a strange one. We use words that have multiple meanings. We use terms to hide the realities of market segments. Policy is definitely high on the list of overused and under-defined terms.

Combining some trends I have seen in the market and reflecting on my post about Yet Another Management, I think it is time to highlight another problem with the P word – the management of policy. Quick, vendors: how many policy management interfaces do you have? I spent last week asking a variety of vendors how many different policy management interfaces they have for their products. I think the average for a decent sized identity management vendor is around 5. (One vendor told me of over 10 different policy management interfaces for their suite of products.)

Customers are being overwhelmed with different policy tools. Multiple policy management interfaces from multiple vendors. This wouldn’t be so bad if:

  1. All of the tools could link back to some overall IT Governance policy management system.
  2. They talked to each other.
  3. They used consistent names for their operations and subjects.

Of course I realize the effort required to address the previous points is huge and would require monumental work among competing vendors. But, playing the long game, we as an industry are going to have no other choice. We have to keep in mind that no one is in business solely to learn how to use a myriad of policy management interfaces; they are in business to fly planes, manage people’s money, provide healthcare, etc. I have started to see the market, especially the mid-market, begin to push back against adding more and more policy tools into their environment. I don’t think the villagers are at the gate with pitchforks and torches yet, but they are starting to grumble in local bars. Around mid-2007 I think the villagers will reach the gates, demanding unified policy tools that use consistent language throughout. We had better start working on this now.


What all the Macworld rumor mills missed

Before every major Apple event, a gaggle of rumor mills spin into action. From home media stations, to tablet devices, to spreadsheet applications, to Steve Jobs being declared iMaster of the Universe. Yup, everyone with a crazy idea for an Apple product makes their equally crazy predictions. But, there is definitely one announcement that they did not see coming. Ours.

Today we announced the public availability of our Identity Driver for Mac OS X. Granted, Steve wasn’t on stage talking about it, but we are going to work on that for next year. Okay, okay, so it isn’t an Apple product, but it does run on a Mac.

The rumor mills shouldn’t be ashamed about not anticipating our release. No one expects identity management news out of Macworld. Heck, people don’t expect identity management news about Apple at all. That doesn’t seem right to us. Macs in the enterprise are more and more common. And it’s not just the design staff and the cool people who have them; it’s regular people too.

We have customers with Macs in their enterprise. They wanted to be able to establish pervasive identity in their Mac communities just as they can with their Windows and Linux environments; they required a complete view of their world. Our customers asked and we delivered. And that was that… aside from getting some new Macs in the office and a bit of development work.

With all the regulatory and operational pressures of today’s world, our customers realize that having an incomplete view of the enterprise is unacceptable. A partial audit will only keep your CFO partially out of jail, which gets the CIO partially fired and the CEO partially indicted.

All said and done, I am glad we got Apple to endorse this press release. It demonstrates their commitment to enterprise customers. Identity management in the enterprise cannot have any gaps; no clump of users on some disparate kind of machine can be excluded. We are giving our customers complete vision into their enterprise and this new driver furthers our cause.


Default Security

The creepy thing about this article is not that government websites are using cookies. The creepy part is that most of them claim that they just took the defaults for their web authoring and serving software. We have seen time and time again that simply installing software and letting it run with default settings is nowhere close to a good security practice. With all those Security Configuration Guides out there, you’d figure someone would have read one.
