Category Archives: Bandit

Cloud Computing Precipitates Identity-based Security

edge_of_cloudsNot for the first time, I have found a post by Gunnar Peterson to be very useful and insightful. This time, I followed his lead to a post by Chris Hoff.  It’s a piece called “Cloud Providers and Security ‘Edge’ Services – Where’s The Beef?“. I highly recommend the whole of both posts. Mr Hoff’s post is a discussion of what it might mean to integrate security services to the edge of the cloud, and his questioning about what the edge of the cloud could mean. The common answer is that it is securing from services in the cloud to the edge of an enterprise, location, or … something. Something inside a boundary that can be surrounded by some model of security that happens at the network level. Which leads to this statement:

None of the models are especially friendly to integrating network-based controls not otherwise supplied by the provider due to what should be pretty obvious reasons — the network is abstracted.

Chris Hoff, Gunnar and others have been decrying for years that network level security is insufficient. Sometimes the recognition that network level security is insufficient (and often counter productive) has pushed people to make a goal of ‘deperimeterization’, which is a cool word but certainly has not helped move the industry from it’s predilection for network level security. It is much more likely that the term that will finally precipitate a movement from network level security to identity-based security will be “Cloud Computing”.

In Mr Hoff’s post he emphasizes this point:

So here’s the rub, if MSSP’s/ISP’s/ASP’s-cum-Cloud operators want to woo mature enterprise customers to use their services, they are leaving money on the table and not fulfilling customer needs by failing to roll out complimentary security capabilities which lessen the compliance and security burdens of their prospective customers.

Gunnar’s commentary on Mr Hoff’s post makes some equally insightful points:

For access control purposes, security is fairly straightforward, its a game of subjects (like users, user agents, claims, and web services), objects (like resources, URIs, data, and service providers) and what Hoff calls metastructures (like identity and policy). Security is a word that is meaningless by itself, you always have to qualify it: data security, application security, network security and so on. So when people talk about “edge” security, what is it they propose to “secure” an edge device? That’s fine as far as it goes, but its important to note that providing security services to device on the edge doesn’t do much of anything to either side of the edge. Too often people assume that securing the edge means everything “inside” the edge is also “secure” but this is smoke and mirrors for auditors not security for your enterprise assets.

I think of that type of security (with subjects and objects) as identity-based security. An identity is what you apply policy to — it is the subject or object of an access control policy. It’s the base type of the concepts of subjects and objects. The metastractures are processes of authentication and authorization based on those identities. It’s much higher level than SSL and the network layer, but it’s much closer to what’s necessary for business processes and security needs in the cloud.

Gunnar concludes:

Whenever you evaluate security and especially Cloud security, its important to enumerate the subjects, objects and metastructures that you are extending security services to, instead of just describing some security service in the abstract. This problem is a pandemic in information security the whole point of SOAP is that it was a firewall friendly protocol designed to go through the firewall, that was 10 years ago, yet today information security still relies on SSL and network firewalls as primary protection mechanisms (what are they protecting?).

Indeed, what are they protecting? While network level security can enable a secure transmission of data from point A to point B, it does not prevent the vast leakages of passwords and personal information that have become common. Perhaps the growth of Cloud Computing will finally push the industry to systems in which users don’t have passwords, or at least systems which can securely serve their users without receiving their password or storing personal information. If a SaaS application doesn’t have the information, there’s one less place that it needs to be secured. Such identity services have been viable for some time, but have needed a push to get broader adoption. Cloud Computing.

We appear to be on the edge of a nervous breakthrough.

EIC 2009, and a New Focus on Identity in the Cloud

EIC 2009 at NightFrom May 5th to May 8th I attended the 3rd European Identity Conference (EIC). As a testimonial on the front page says, it was “a wonderful and informative event, well run and useful in so many ways.” (If I quote a page quoting me, is that recursion or delegation?)

I attended the first two EICs and, while I greatly enjoyed them, each conference has been better than the last. EIC strikes a good balance between providing a forward looking vision of what identity management technology should provide for business, and what practical solutions are available now.

In previous years I have noticed great contention about what identity system had the best design, had the correct name, was the most open, was favored by which group, etc. I asked other vendors why there seemed to be much less of that contention this year. All of them answered that there is not much to debate; there are valid use cases for the classic federation protocols, as well as OpenID, OAuth, and information cards — and all are open standards. So we’ve all been implementing products that use these protocols. However, as the products are deployed most system designers also recognize that we are far from done. What we have available now in open standards are valid systems that are a leaps forward, but are still not sufficient – there is still more to be done to make the systems more intuitive, more usable, more functional.

I presented my thoughts on these issues in an early OASIS session. The presentation was “Gaps and Overlaps in Identity Management Solutions”. The gist of the talk was that we don’t need to dumb down identity systems for people; we need to provide more intuitive, nuanced and contextual systems so that people can express the richness of relationships online. I illustrated this point with a stereotypical Granny who commonly handles delicate interactions with complex forms of indirect speech as she navigates many kinds of relationships in real life. We have too long focused on trying to make her use a single user name and password, rather than than allowing her to manage relationships. Our users do not need us to dumb down online identity systems – they need us to allow them to intuitively handle the richness of relationships. Online systems need to perform transactions within various contexts, unequal power levels, third party sources, etc. To bring the point home – so to speak – the presentation featured photos of my mom as the stereotypical Granny.

The tireless Felix saw the presentation and posted an interview with me about it.

Over the next few days there were many presentations and lively panel discussions, including the one led by Dave Kearns and discussed in his newsletter. I greatly enjoyed participating in 3 panels and moderated a 4th. One thing I really like that seems to happen frequently at EIC is that the audience participation with a panel can get quite animated and extend into the expo area after the session.

The expo also was expanded this year. What I particularly liked about Novell’s booth was that it highlighted customers and their innovative use of Novell products – it seemed much more interesting and less like a sales pitch. As always, it was good to get to meet my Novell colleagues there: Marina Walser, Ulrike Beringer, Klaus Hild, AleÅ¡ Kučera, et al. Marina gave a great keynote (which was much discussed over the next few days, especially the customer survey results) and also recorded an interview with the ubiquitous Tim Cole.

With Marina and Ulrike, I participated in some press interviews. Being a typical unilingual American, I can’t actually read some of the resulting articles. Nevertheless, they appear to be quite interesting based on the (sometimes humorous) automatic translations.

It was a very busy week. I sometimes could only listen to part of a session before going to another commitment. One of my favorite (unfortunately partial) sessions was “Access Control in the Cloud” by André Koot. Rather than theory of identity systems or analysis of protocol families, André focused on using claims and information cards as a basis for flexible and manageable access control from an enterprise or university to cloud based services.

There were many other great discussions and presentations by visionaries and curmudgeons. Apparently attending a conference in Europe is the only way to see Jackson Shaw these days – well worth the effort.

The final EIC highlight was particularly significant to me because it involved my new area of focus – identity and security services for Cloud Computing. On the last afternoon I led a workshop about Enterprise Identity in the Cloud. It had been a long and intense conference, so we expected light attendance and decided to keep it as just an open discussion. The best part about this was that we had a small, but tightly focused conversation with customers, systems architects, and representatives of a few vendors. It was particularly great to have Martin Kuppinger join us to share his deep insights into cloud computing, and provide some adult supervision.

Overall, I noticed three themes at EIC this year:

  1. Open standards-based multi-domain identity systems are shipping in real products from many vendors, and solving real problems.
  2. There is more to do to make identity systems rich enough for online relationship management.
  3. Cloud computing is an important concept, a valid trend, and it provides strong use cases for multi-domain identity systems.

I am left with one question: did the beer taste so good because I was in Germany, or was it just the beer?

First Identity Selector in a Linux Distribution: DigitalMe in OpenSUSE 11.1

As my last post shows, I’ve been thinking a lot lately about the evolution of identity services over time. I’m currently researching and thinking about how identity services should integrate with the emerging cloud computing paradigm. However, sometimes we get working in the daily grind, the months and years go by, and we can miss significant milestones, like this one:

geekoWhen OpenSUSE 11.1 was released on December 18th 2008, it included the DigitalMe identity selector in the main repository.

I guess it could be said that OpenSUSE 11.0 was the first Linux distribution to support an identity selector, but it wasn’t in the main repository when 11.0 was released, so I’m going with OpenSUSE 11.1.

digitalme logoWhat this means is that users of OpenSUSE 11.1 can install and run DigitalMe as easily as Firefox or Open Office or any other package. Just open up the package manager, search for digitalme and install. There are actually two packages that start with digitalme. One is the identity selector itself and the other is the Firefox addon. If you install the digitalme-firefox package, the selector is installed automatically. And you are automatically notified of updates!

Thanks to Andrew Hodgkinson for making DigitalMe happen, and getting it packaged for OpenSUSE!

(Andy, I think you may be due to update your blog. Your regular rate of one post every 1.5 years appears to have slowed.)

As always, thanks to the Higgins project for hosting most of the source code used to build digitalme, and for their support and collaboration.

Information Card breakthrough with Novell Access Manager 3.1

There have been a number of articles in the press over past few weeks about the release of Novell’s Access Manager 3.1. The articles by John Fontana at NetworkWorld and by Sean Michael Kerner at are well worth reading. Both articles mention new features in the product, it’s interoperability with Microsoft products via open standards, and (my favorite) how code from the Bandit project relates to the product.

Yesterday, Dave Kearns posted his comments about Novell Access Manager 3.1 from his popular newsletter. Some excerpts:

The real breakthrough for me, at least in terms of Microsoft services, was Novell’s inclusion of Windows CardSpace as an authentication type for its multifactor authentication. Novell, through its sponsorship of the Bandit Project, has been in the forefront of information card technology, and this release of Access Manager makes it easy for identity technology managers to add this factor to their risk-based authentication schemes.

This may well be the first CardSpace implementation in a business-focused product by a non-Microsoft vendor. Now that is “ground breaking”.

A solid enterprise product, supported by a leading IAM vendor, and implementing open standards in conjunction with open source implementations — this does seem to me to be another significant step in moving to new-paradigm identity systems.

What are the next steps for 2009?