My Catalyst 2009 Tweet Stream
7/27/2009 | |
5:28 PM | @iglazer loved FB privacy mirror. What interested me the most was how much of my friends’ data was shared with apps I installed #catalyst09 |
3:31 AM | Interesting day at Concordia workshop today. It’s (painfully) obvious that THE issue to solve is AuthZ, in all its manifestations #catalyst09 |
7/28/2009 | |
11:26 AM | Sitting in the ‘Cloud Computing Security and Identity Management’ SIG meeting #catalyst09 |
11:35 AM | eBay Chief Security Strategist Liam Lynch speaking about cloud computing (what they call fluid capacity) at eBay #catalyst09 |
11:40 AM | Moving to cloud computing can be an opportunity to fix broken internal processes – Liam Lynch, eBay #catalyst09 |
11:42 AM | Cloud Architecture: Interoperable interfaces to enable mobility and several levels of interfaces (IaaS, PaaS, SaaS) #catalyst09 |
11:44 AM | eBox (eBay in a Box) sounds interesting – software that is IDE integrated, SOA that allows 3rd party devs to create auctions #catalyst09 |
11:45 AM | eBox requires security considerations to be made inherent as eBay cannot rely on the 3rd party devs to not make mistakes #catalyst09 |
11:47 AM | eBay uses behavior and reputation as underpinnings for their identity management strategy #catalyst09 |
11:51 AM | Liam describing a claims based identity model consisting of static, semi-dynamic and dynamic claims. #catalyst09 |
11:53 AM | Reputation and behavior analysis generates (over time) dynamic identity claims that then get used in access control mechanism #catalyst09 |
11:59 AM | Liam describing how Role-based Access Control was insufficient for them (because of scale), and they had to move to claims-based #catalyst09 |
12:09 PM | @paulmadsen That’s what I understood. In some sense, a next generation ACL #catalyst09 |
12:11 PM | Must remember to follow up with Liam regarding the whole RBAC vs CBAC (Claims-based Access Control) thing #catalyst09 |
12:12 PM | Nils Puhlmann, co-founder of the Cloud Security Alliance now speaking to the SIG #catalyst09 |
1:09 PM | Everyone wants to get to the point where there is a checklist that CSPs (Cloud Service Providers) can be evaluated against #catalyst09 |
1:39 PM | @paulmadsen Likely. Nils made point that our industry history points to a long, confusing path. More checklists=more confusion #catalyst09 |
1:41 PM | Nils, CSA – I have not seen one security vendor announce that they will build security tools focused on the cloud #catalyst09 |
1:43 PM | Dan Blum pointing out that Symplified, Novell have shown focus on cloud security. Also pointing to Layer7 #catalyst09 |
1:44 PM | Liam points out that eBay has looked at some vendors, and the issue has always been whether they can scale to eBay’s needs #catalyst09 |
2:06 PM | OK. So got clarification on the RBAC vs CBAC issue from Liam. He explained that it is both a compliance, an admin & a perf issue #catalyst09 |
2:07 PM | On the management side, the claims on the user are generated at run-time based on the organizational dynamics (a rule) #catalyst09 |
2:08 PM | So they replaced reassignment of user from one role to another with reassignment of user from one org to another. #catalyst09 |
2:09 PM | Somehow this is more compliant. Not sure I understand that, unless role reassignment in their environ had no workflow controls #catalyst09 |
2:13 PM | Hmm! @pamelarosiedee pointing out that the CSA guidance doc doesn’t cover user provisioning, and asking why that is #catalyst09 |
2:38 PM | Lot of discussion has focused on the need for CSPs to be much more transparent so consumers can accurately measure risks #catalyst09 |
5:18 PM | People making the point that policy management is a key ingredient in an identity services env that is currently not covered #catalyst09 |
6:31 PM | Group is now working on the AuthZ service. First up: a debate on the meaning of Policy (vs policy) in context of P*P #catalyst09 |
7:49 PM | The AuthZ discussion has been very good. Strong push towards trying to condense the best of what’s out there and prior work #catalyst09 |
1:09 AM | Hanging out with some of the cool cats of identity at Osetra. Come by if in the area #catalyst09 |
3:38 AM | If today has been any indication, this is going to be a good conference and a fun time #catalyst09 |
7/29/2009 | |
11:41 AM | And away we go….sitting in the Identity and Privacy track at #catalyst09 |
12:04 PM | Panel – Layoffs, slew of M&As (more As) and need to improve efficiencies are big reasons why investment in IdM is sustaining #catalyst09 |
12:20 PM | Mark Diodati pointing out main thing I’ve always said holds back SPML – way too flexible => no schema => integration complexity #catalyst09 |
12:31 PM | Lori – Vendors and Analysts have ignored the need for management of entitlements, a pain that customers feel daily #catalyst09 |
12:46 PM | Panel – DLP becoming an increasingly important market that is getting connected to the identity management market #catalyst09 |
12:57 PM | Ian Glazer pointing out that the identity community is uniquely qualified to deal with the emerging privacy issues #catalyst09 |
1:02 PM | Michael Barrett of Paypal about to speak about consumer identity #catalyst09 |
1:24 PM | Not sure I learnt anything from the Paypal presentation. Michael avoiding saying whether Paypal will become an IdP #catalyst09 |
1:34 PM | Michael sort of hinting that consumers will not pay for high assurance identity UNLESS forced to do so by …? #catalyst09 |
1:58 PM | @paulmadsen True. I think high assurance IdPs could charge businesses that don’t want to incur cost of building their own #catalyst09 |
2:03 PM | Hmmm…Bob Blakley – cloud computing value prop is that integration/test/deploy is done on vendor time. Something seems missing #catalyst09 |
2:25 PM | Most interesting point Bob made: Cloud Identity Services will challenge fundamental architectural notions of IdM Infrastructure #catalyst09 |
2:33 PM | Bob says we need to move from identification (via user challenge) to recognition (via Id Svcs) for better user experience #catalyst09 |
2:37 PM | By the way, shout out to @iglazer for mentioning me in the morning panel as bashing him for restarting a terminology war. #catalyst09 |
2:37 PM | Nothing I like better than bashing my analyst friends :) #catalyst09 |
2:40 PM | @paulmadsen What authorization decisions in the “Hooters” context were you hoping to learn about and exploit? :) #catalyst09 |
3:01 PM | RT @mgd: Critical element in implementing entitlement management is adapting applications to fine grained policy infrastructure. #catalyst09 |
3:05 PM | Going to hear about Identity Oracles now, which is a fascinating topic #catalyst09 |
5:14 PM | Kevin Kampman sharing his analysis of the role management scene based on discussions with customers #catalyst09 |
5:19 PM | What’s Broken = Shifting definition of role mgmt and fragmentation of features, lack of common understanding #catalyst09 |
5:25 PM | What’s Real = Tools actually secondary. First and foremost Role Mgmt is about understanding, designing, documenting #catalyst09 |
5:28 PM | @jonathansander Intent matters, as Michael Barrett pointed out. Becoming IdP should be driven by biz value, not tech ability #catalyst09 |
5:29 PM | @jonathansander So if you are an Identity Oracle charged with protecting my identity, you will build those protection features #catalyst09 |
5:42 PM | RT @MatHamlin: In Role Mgmt, you need framework for execution. Includes biz owners/sponsors, technology, goals, and expertise #catalyst09 |
7:17 PM | @paulmadsen I don’t think it was ever just Yes/No answers. It was answering the question without giving away more than it should #catalyst09 |
7:18 PM | Back in the IdPS track after some work calls #catalyst09 |
7:28 PM | The term “Entitlement Mgmt” causes confusion between the process for defining/managing them and the products to enforce them #catalyst09 |
7:30 PM | Interestingly, the term “Claim” has not been used once (to my knowledge) so far today in any session. Wonder why that is #catalyst09 |
7:34 PM | @ggebel @jonathansander Looks like I spoke too soon. Wonder if I can add “foreshadowing” to my list of superpowers :) #catalyst09 |
7:36 PM | @ggebel @jonathansander But after all the talk about claims, esp. in some of the SIG mtgs, I’m surprised at only a fleeting ref #catalyst09 |
7:54 PM | RT @ggebel: asking business to help define roles is a nonstarter. talk to them about their business process – Paul Rarey Safeway #catalyst09 |
8:04 PM | David Laurance just did a rundown of 6 objectives for using roles, and opines that those 6 are unrelated. I don’t think so #catalyst09 |
7/30/2009 | |
12:18 PM | Interesting! Mark Diodati: Companies are using Virtual Dir to expose the same identity data in diff forms for diff use cases #catalyst09 |
12:20 PM | So the theme of today’s IdPS track is “achieving efficiencies”. Might oscillate between this track and the cloud computing track #catalyst09 |
12:44 PM | The questions from the audience for the Allstate presenter are pretty high quality and in-depth #catalyst09 |
12:48 PM | Switched to Cloud Computing track for security discussion #catalyst09 |
12:51 PM | Major risks from moving to cloud computing – (1) multi-tenant, dynamic characteristics puts sensitive, regulated data at risk #catalyst09 |
12:54 PM | (2) Vendor viability risks (3) DoS attacks on SP create risk for customer (4) lack of transparency, accountability lowers trust #catalyst09 |
1:00 PM | Dan Blum pointing out that cloud security gets evaluated unfairly, in that internal IT security isn’t evaluated at same level #catalyst09 |
1:02 PM | Dan: While security considerations for using cloud services are largely same, security processes themselves may need rethinking #catalyst09 |
1:05 PM | Key security enablers for Internal Clouds: Enterprise Key Mgmt, Identity and Policy Svcs, Strong AuthN, Federated Identity #catalyst09 |
1:08 PM | Burton recommendation on Enterprise use of public clouds: Don’t, in general, use public clouds for sensitive applications #catalyst09 |
1:24 PM | @rohanpinto Not exactly, and a question pointed out the issue: How would you classify Salesforce? It’s considered sensitive data #catalyst09 |
2:51 PM | Take away from AD Unix IdM bridge talk: normalize Unix namespace, and clean AD trust relationships. #catalyst09 (via @darrenyamaki) |
3:14 PM | Sony: Virtual Dir deployed on top of geographically local LDAPs allowed us to satisfy data compliance needs #catalyst09 |
5:08 PM | Starting 2nd half of IdPS track which is about Identity transparency and governance #catalyst09 |
5:22 PM | Forces impacting Enterprise IT: Externalization (cloud, outsourcing), Consumerization (devices), Democratization #catalyst09 |
5:25 PM | @iglazer @djrolls I think of it more like the different quadrants of the brain that work together for whole brain thinking #catalyst09 |
5:28 PM | IdM must facilitate both hierarchical orgs that are necessary for enterprise controls and social networks necessary for collab #catalyst09 |
5:54 PM | Dave Griffeth, RBS Citizens Bank providing a nice overview of how Roles-based Entitlement Certification can support compliance #catalyst09 |
6:02 PM | Dave setting out some analogies that could take hold -> “RBAC is like Communism” and the “Model After Virus” #catalyst09 |
6:21 PM | Dave recommends: To ensure visibility & avoid issues, ensure each group in LDAP that controls access is specific to a resource #catalyst09 |
6:22 PM | Not sure about that last recommendation from Dave. Works for sure, but defeats some of the objectives of role management #catalyst09 |
6:25 PM | Interesting that quite a few use case studies this year are talking to 2nd phases or iterations of IAM programs/deployments #catalyst09 |
6:27 PM | Wendy Booker, SunTrust Banks: In role modeling efforts, 20% of the population was 80% of the problem. All because of modeling #catalyst09 |
6:36 PM | SunTrust eliminated model-as problem by letting managers look at access one of their reports has, and select for a new report #catalyst09 |
6:38 PM | @MatHamlin Not at all, because “like” users is never compliant if it can’t be converted to a role (based on your question) #catalyst09 |
6:42 PM | SunTrust: Even if you give user ability to select from application catalog, it usually isn’t good enough because they don’t know #catalyst09 |
6:42 PM | Cognitively, being able to see what someone similar has, and select from that, works better #catalyst09 |
6:45 PM | @MatHamlin Probably a good idea, especially if it is a candidate role that will be reviewed and certified before going live #catalyst09 |
7:24 PM | Burton: Complexity is the enemy of transparency. One vote for an identity services world #catalyst09 |
7:30 PM | Role models should be tied to functional structures, not organizational structures as those are too fluid, resulting in chaos #catalyst09 |
7:34 PM | No love for provisioning systems this year. Burton: Provisioning Systems are ill-suited for all the expectations hoisted on them #catalyst09 |
8:50 PM | Rohit ended by echoing Oracle’s commitment to keeping Sun IdM customers happy/satisfied through any transition #oracle #catalyst09 |
9:00 PM | 2nd day of IdPS track over. Really looking forward to the privacy related sessions tomorrow. #catalyst09 |
9:00 PM | And now, drinks! See you at the Oracle Hospitality Suite #catalyst09 |
7/31/2009 | |
11:34 AM | Kicking off the Privacy track on the last day of Catalyst with Bob Blakley #catalyst09 |
11:35 AM | @paulmadsen Just letting the market decide (even though our booth babe was a guy in a yellow suit escaping from a strait-jacket) #catalyst09 |
11:38 AM | Bob: Privacy is about personal dignity #catalyst09 |
11:43 AM | Principles of privacy: Accountability, Transparency, Meaningful Choice, Minimal Collection & Disclosure, Constrained Use, … #catalyst09 |
11:44 AM | Principles of Privacy (cont’d): Data Quality & Accuracy, Validated Access, Security #catalyst09 |
11:49 AM | David Miller, CSO Covisint talking about privacy in healthcare, which has specific, unique issues #catalyst09 |
11:54 AM | IAM is about privacy, not security. Security=Make it difficult to get something, Privacy=Make it easy to get what you should #catalyst09 |
12:08 PM | The Covisint Healthcare Information Exchange (HIE) allows for exchange of data between the endpoints (hospitals, doctors,…) #catalyst09 |
12:17 PM | Robin Wilton (@futureidentity) speaking on how to have a productive stakeholder discussion on privacy #catalyst09 |
12:19 PM | Robin ran series of global round tables as part of Liberty Alliance Privacy Summit to get contextual understanding of privacy #catalyst09 |
12:27 PM | The Basic Identifier Set viewed as pretty deterministic by most govts, but it can change over time (Name, DOB, Gender, …) #catalyst09 |
12:46 PM | Robin laid out a “Ladder” framework for the multi-stakeholder discussion (Philosophy | Strategy | Implementation | Technology) #catalyst09 |
12:46 PM | Hear hear! RT @mgd: Robin Wilton’s “Onions and Ladders” privacy discussion = most intellectually stimulating presentation at #catalyst09 |
12:47 PM | Now speaking: Bob Mocny, Director US-VISIT – the largest biometric authentication program in the world #catalyst09 |
1:56 PM | OK. Break over. @iglazer now dazzling us with regulations and laws that are going to change everything #catalyst09 |
1:59 PM | Ian: IT Security Audits will not address privacy needs. #catalyst09 |
2:03 PM | The new ecosystem of IT, Business partners is going to fundamentally alter privacy, breach remediation programs #catalyst09 |
2:20 PM | Heidi Wachs, Director of IT Policy and Privacy Officer at Georgetown Univ talking about perspectives on protecting privacy/data #catalyst09 |
2:23 PM | Georgetown has a Data Security Task Force – representatives: CFOs of all campuses, VPs, CIO, Privacy Officers #catalyst09 |
2:25 PM | Different privacy officers in different realms – IT PO under CIO, HIPAA PO under Legal Counsel and FERPA PO #catalyst09 |
2:26 PM | UCLA (part of joint presentation) has a Privacy Board instead of Privacy Officers, w/ representatives from diff constituencies #catalyst09 |
2:31 PM | Interesting! For their data breach investigations, Georgetown was assisted by MPD and Secret Service, while UCLA by FBI #catalyst09 |
2:41 PM | Georgetown created an interim policy on the use, collection and retention of SSNs which laid out how SSNs could NOT be used #catalyst09 |
2:41 PM | When they tried to enforce it, the process was a nightmare. Vendor Certification Process revealed that it was everywhere #catalyst09 |
2:42 PM | Worse, people started hiding stuff so as to avoid getting in trouble. So Georgetown started doing network scans #catalyst09 |
2:43 PM | This was disruptive, ruffled feathers and created issues with partners #catalyst09 |
2:54 PM | Excellent presentation by Heidi, primarily because it was an honest, raw look at how data breaches are handled and implications #catalyst09 |
2:55 PM | Shuman Ghosemajumder, Biz Product Manager for Trust and Safety at Google speaking now #catalyst09 |
2:57 PM | Google’s approach to security is custom, because everything they do has to be custom by the nature of Google #catalyst09 |
3:07 PM | Example of transparency & choice: Blurring of people’s faces, license plate numbers (automatically) in Google Maps Street View #catalyst09 |
3:09 PM | Shuman now talking about privacy implications of Interest-based Advertising (as opposed to contextual page content based ads) #catalyst09 |
3:20 PM | Google anonymizes server logs after 9 months – drops last octet in IP address, removes username(?) #catalyst09 |
6:35 PM | End of another great Catalyst conference. Session content was excellent, had wonderful discussions & made some great connections #catalyst09 |
11:59 PM | Boarded flight back home. Upgraded too. Been a wonderful week here in San Diego at the Catalyst conference. Now back to reality #catalyst09 |