It’s that time of year, when everyone does their best Carnac the Magnificent impression and rolls out their prognostications and top 10 lists. Here at Identropy, we’re not so sure about trying to predict the future, but we do know a thing or two about helping customers succeed in meeting the goals of their IAM programs. So if you’re looking to make a new year resolution, we’re here to remind you of some steps you can take to truly set your IAM program up for success.

First, create an IAM governance body. Without establishing a governance body, your organization is not going to be able to overcome the roadblocks, complexities and sometimes personalities that often derail even the best planned IAM project. Proper governance is also crucial in making sure that the project adjusts properly to the continuously evolving business and policy environment that IAM needs to operate within. Our CTO, Ash Motiwala, recently wrote an article for SC Magazine on how to go about setting up your IAM governance body.

Next, you’ll need an IAM Roadmap (if you don’t have one already – naughty list). If you have more than a few identity related problems that you are trying to solve, an Identity Management Roadmap will be critical to ensure that you tackle it as a program, with various phases that are sequenced in the appropriate priority order and have tangible business benefits and “wins” along each step of the way.  We’ve published a series of blog articles on developing an IAM roadmap that can help you think through how you may want to approach your own situation.

Of course, in order for the governance body to know how the program is progressing and make good decisions, they need good information. To address that, you need to take the final step of using metrics to help measure the effectiveness of your IAM program and identify inefficiencies and issues. Our very own Frank Villavicencio wrote for CSO Online earlier this year about the 10 IAM Metrics that matter. Even if you don’t use a tool like our own SCUID Operations, there are simple reports and analysis you can do on a periodic basis to get some visibility into how your IAM tools and processes are doing against the business objectives laid out by the governance body. It’s a worthwhile investment that can often pay for itself in terms of the improvements it can help identify.

So take some time to figure out how to put in place the support structure your IAM program needs to truly achieve its potential and deliver on the objectives you laid out for it.

And Happy Holidays from the Identropy family to yours!

[Cross posted from the Identropy Blog]

Tags: Best Practices, IAM Metrics, Identity Governance, SCUID, SCUID Operations

Establish Your Fundamental Security Posture

Part of the allure of cloud-based services is the whole access from anywhere aspect of it -  at work, on the road, in a coffee shop, in a public park, in your hotel room. As public, often free, wifi becomes something we (especially road warriors) start to rely on more, make a checklist of things you do in order to secure your interaction with cloud services, which should include (but isn’t restricted to):

1. Make sure you secure your communication with cloud services by using HTTPS instead of HTTP. I highly recommend installing the ‘HTTPS Everywhere’ plugin that the EFF have released
2. Use a Virtual Private Network. It lets you route all your activity through a separate secure, private network, thus giving you the security of a private network even though you’re on a public one. A lot of people can get it through work, but if your job doesn’t come with one then get your own, like CyberGhost VPN or WiTopia (Check out this Lifehacker article)
3. And watch out for shoulder surfers

Don’t Reuse Your Passwords

It’s an all too common phenomenon: when setting up an account with a cloud service, users are forced to come up with yet another password, and they choose a familiar, well used one. Especially when signing up for services for work, people will often use the same password they use to access services internal to the enterprise (like their email system, or their corporate CRM system). Reusing those passwords definitely helps you remember it for next time, but it’s the equivalent of leaving your house keys in the mailbox – someone else will eventually see it and figure out how to use it.

Better Still, Use A Password Manager

As our usage of the cloud increases and we battle password fatigue, that last point becomes increasingly harder for us. But there are tools like LastPass and 1Password that can help us greatly, not only by remembering the passwords for us (in the cloud, of course) and providing simple plugins to autofill those pesky login forms, but by also generating random string passwords that are stronger than your average password. Just remember to follow all their recommendations: create a really strong and unique Master Password, configure the settings to recognize trusted locations (like your home network), make sure to read their ToS and security policies, and use common sense in trusting what is still a cloud service.

Bring Your Own Identity

But those last two points still rely on having multiple passwords, which is recognized widely as an insufficient approach to security. Federation technology has matured to the point where we can now rely on federated login to cloud services. Most enterprise service providers will support federation with your corporate identity, eliminating the need for passwords to log into these services. And on the consumer side it is becomingly increasingly easy to sign into your services like Tripit or Flickr using your Gmail, Facebook or Twitter identity, using mechanisms like OpenID and OAuth that do not share your password with the relying site. The goal is not to go down to one password for one account that is your key to your online life, but rather have a manageable number of identity providers that you then use to access your various services. And use common sense to evaluate the sensitivity of a particular service before setting up a relationship between it and an external site.

Review Those Service-to-Service Relationships

The concept of a periodic review of user access is a cornerstone in enterprise governance programs. Why should our personal life be any different? As you rely increasingly on the federated model, set up time to periodically go into your services and review which Mobile Apps and 3rd Party Services you have granted access to. Did you grant some twitter ranking site access to your twitter account months ago, but have never gone back and used it? Reviewing the access grants will remind you to sever that relationship, removing any possibility of abuse or exploit.

Are there any other steps you take that help keep you safe? Practical suggestions only please, unlike this (hint: see second last bullet).

[Cross-posted from the Identropy blog]

Tags: Cloud Security, Password Management, Passwords Must Die, Personal Identity Management

Maybe I’m being too cynical. Maybe there is reason to be cautiously optimistic about the fact that Google seems to have heard the protestors. But don’t go declaring victory just yet.

Tags: Google Plus, Google+, NymWars, Pseudonymity

Want to get a deep dive on how to achieve success with your identity and access management program? Then join us for a lunch and learn where Quest Software and Identropy will share insight on the key technologies and best practices that can help you improve your security and compliance posture while maximizing your ROI and avoiding common pitfalls that doom these projects. During the Identropy session, we’ll be sharing insights we’ve gathered from well over a 100 implementations. Plus you get to network with your peers and some really cool people from both Quest and Identropy (and me!). Space is limited, so register now (locations, dates and registration links below).

Boston, MA

• Date: Wednesday, September 14, 2011 at 11:45 a.m.
• Location: Davio’s Northern Italian Steakhouse
• Identropy Speaker: Ashraf Motiwala, CTO
• Register Today

Livingston, NJ

• Date: Wednesday, September 21, 2011 at 11:45 a.m.
• Location: Strip House Steakhouse
• Identropy Speaker: Nishant Kaushik, Chief Architect
• Register Today

Tags: Best Practices, Identity Management, Identropy, Lessons Learned, Quest One Identity Solution, Quest Software

In his post, Bob talks of Google trying to do social with an eye on the lucrative targeted advertising dollars that Facebook is currently hogging. This is the motive I alluded to at the end of my post as well. But things (appear to) have become a bit clearer here (albeit still speculation). During an interview with NPRs Andy Carvin, Google CEO Eric Schmidt didn’t throw out the usual pro RealName arguments about maintaining civil discourse online and such, but basically talked about Google’s ambition to be an identity service – a platform on which commerce and government services can run. And for such a platform to be widely adopted and billable, the data needs to have a certain fidelity – no different than the kind of identity stores we build within enterprises today.

Google already has such an identity platform – it’s called Google Profiles. If you’ve ever created a GMail account for any reason – as a GMail user, to enable an Android phone, for using Picasa – you have a Google Profile. The problem is that these service-derived profiles are of low value to the user, created only to get on to the desired service, and so they are never maintained and have low data quality. And like in a lot of enterprises that engage in identity administration and provisioning projects, Google has to deal with multiple identities per person that need to be linked and correlated. If doing that is hard in the enterprise space, imagine how hard that is do in the personal space where users not only have no reason to facilitate this, they actively engage in keeping some of these profiles separate and distinct. Just in writing this post I noticed that mine still reflects my Oracle position – unlike my LinkedIn, Twitter and Facebook profiles. The common thread through those three services that I kept up-to-date? They’re social, an extension of me into the online world.

That’s why Google+ is so important to Google’s aspirations for Google Profiles. Google wants to use social as the honeypot that draws in all those users and keeps them highly engaged and motivated to keep their data up-to-date. They see how well this is working for the Facebook identity platform and want to replicate that success. But here’s the disconnect – Facebook got to this spot organically. While Zuckerberg may be a visionary in many aspects, his first priority when building Facebook was to build a social network where people would hang out. As the social engagement increased the number and fidelity of identities in Facebook’s database grew as well, The team then pounced on the opportunity to build a platform out of this. In true engineering-driven style, Google is reverse engineering this – seeing where they want to get to and trying to replicate the same path, but instituting fixes that short circuit what took Facebook years to do. Except that there are no shortcuts.

The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook is being far more successful in doing so using far more insidious means). Facebook also has a policy of Real Names, but it realizes that to make the social work you have to cater to the psychology of the users. So there are no identity verification processes, no automatic suspension of accounts and schemes that entice us to provide real data instead of telling us to do so. The fidelity of the data is proven by it’s socially verified reputation, not because there is a policy document that can be pointed to (at the end of the day, a much more robust and legitimate mechanism).

Do you know what you get if you feed a tribble too much?

Google may think that social is all cute and cuddly, but they may be about to find out that it’s a completely different beast that could clog up their systems. Meanwhile, the battle for our online self-determination will continue. IIW XIII should be a lot of fun.

Tags: Digital Identity, Facebook, Google Plus, Google Profiles, Google+, Identity Services, IIW, NymWars, Privacy, Pseudonymity, Real Names, RealName

Is This Your Security Solution?

And then there was the notice we got from our building management asking us to tape up our windows. It had very specific instructions on the  pattern in which to lay down the tape. And of course they had tape for sale in case we didn’t have our own. Looking around, we could see a number of other windows where tape had been put up. So, following instructions and the trend, I started the exercise. After one window, I stood back and questioned the wisdom of doing this. It really didn’t seem like this tape was going to do much against any force strong enough to shatter the double-paned glass we had. A quick check on the web turned up enough “myth-shattering” articles (especially from official sources) to make me and my wife realize that the exercise was pointless. It was patently obvious that the tape was not going to prevent the glass from shattering, or keep the shattered pieces from flying around the room.

Yet all around us, people were spending precious time putting up tape. Why? Because they felt like they were doing something – something that would keep them safe, something they could point to and say “well, at least I tried”.

The analogy with how security and risk management goes in IT is laughably obvious. It’s classic security theater – getting a false sense of security for having done something that is of no benefit whatsoever, but which (literally) helps you sleep better at night. The real issue here is not the waste of good tape, but the fact that doing something like this actually increases your risks. Believing you’ve actually reinforced the windows could lead you to make the mistake of actually sleeping close to a window and putting yourself in harms way. And feeling that this option exists keeps you from actually analyzing the situation properly and taking the steps you really should take, like putting up hurricane shutters or installing hurricane proof glass. Keep in mind that you need to assess your risk accurately instead of going overboard, because while installing hurricane shutters may be a tad too much in an area like ours where hurricanes are (gratefully) a rare occurrence, it really should be top of mind if you’re down in Florida.

It’s also important to understand the psychology underlying these wasted efforts. All too often, “tape jobs” are last minute efforts that stem from a lack of planning. If you analyze your threats proactively, you have time to properly measure your windows and install hurricane shutters. But if you push things out and end up reacting to the news that a hurricane is coming – well, then you’ve run out of time to do a good job, the store is probably out of shutters and even plywood, and there’s little you can do at that point except retreat. How many times have we come across organizations that are under the gun to evaluate software, deploy and get a recertification process done in a completely unmanageable timeline because they failed an audit?

So if you’ve been pushing out that risk assessment, get on it now. Or you might just end up standing in a long line at the neighbourhood hardware store buying a roll of tape that will do absolutely nothing for your reality.

[Cross-posted from the Identropy blog]

Tags: Best Practices, Risk Management, Security, Security Theater

This debate is really about the concept of pseudonymity online – an argument that has been going on forever. While pseudonyms and their necessity have long been understood and accepted in the real world, for some reason the same logic is being discredited when the concept is extended to the online world.

As a parent, I know and understand the desire to create a safe haven online for my child. And as someone who does participate in online discussions on blogs and other social media, I am well aware of the problem of spammers and trolls. But these so-called “Real Name” policies have absolutely nothing to do with these issues, which are used as a false crutch to lend legitimacy to the argument. You just have to watch scenes from Capitol Hill, or the British Parliament, or this epic from the South Korean Parliament to see that knowing the commenter does absolutely nothing to tame uncivil discourse (as I hear shouts of “You Lie”!). And since no one is going to pay for any kind of identity proofing to actually validate the identities of these self-asserted “real names”, the promise of protection offered by such a policy is actually a blatant lie.

But what is even worse is that these policies create a discriminatory, exclusionary environment against those that need pseudonymity the most. Kee Hinckley wrote an amazing post that describes why allowing pseudonyms is a crucial part of society’s fabric, especially when brought online. What really gets me is the hypocrisy of social networks touting their role in social and political movements like the Iran and Egypt uprisings or support networks for LGBT youth, and then instituting policies that would remove the very protections that the people involved in those movements relied on. In the case of people organizing and posting during the middle east movements, pseudonymity was a key requirement enabling them to do their work without fear of reprisal on them or their families. And the fact that they were pseudonyms did not detract from us believing (trusting) them, as they built their reputation over time through their actions and voice online.

(source)

The names we choose online are also key to establishing context for what we are doing, and even more important in keeping different contexts that we want to keep separate apart. While the ability to link disparate personae is getting easier every day based on complex data analysis on publicly available data becoming cheaper (I would point you to Bob Blakley‘s excellent “The Death of Authentication” talk if it ever makes it’s way online, but read commentary here), it is still not possible for the casual observer that we care about in a social sense (the one that would care if you are a gay rights activist who also happens to teach in their son’s school). These contexts also allow the building and establishment of reputations that would get diluted by all the extraneous noise that would come from combining them.

It is true that as commercial entities, Google and Facebook are well within their rights establish any sort of policy that they want, and that as consumers we are free to take our business elsewhere. But that argument misses a much larger reality. As much as we may want to deny it, Google and Facebook are an increasingly large part of the very fabric of our online existence, and exert huge sway over how the business of the internet is being shaped. When Randi Zuckerberg throws out ridiculous ideas that “anonymity must be eliminated online” (not just on Facebook, but everywhere on the internet), she’s not viewed as just another marketing executive, and it unfortunately has a great deal of influence. Eliminating pseudonyms on networks where “most of” the people are will exclude from these spaces the very people that need the social benefit of their network effects, as Danah Boyd (or should I say @zephoria) so passionately articulates. Being a social network comes with some social responsibility too, and as Paul Carr recently reminded us it would behoove all of us (in the tech industry) to remember that. Because “Real Names” isn’t about eliminating spam and increasing civility. It’s really about ensuring that the data we have online is as real as possible for the benefit of the advertisers who are paying for accurately profiled targets. And I’d argue that even that is a false premise.

Tags: Digital Identity, Face, Google Plus, Google+, Identity Fallacies, NymWars, Privacy, Pseudonymity, Real Names, RealName

Another Catalyst conference (now Gartner Catalyst) has come to an end with the former Burton Group analysts challenging us once more to do better as an industry. It’s an unfortunate reality that cost overruns, unrealized benefits and missed objectives still plague most customers of identity management solutions. While there are still things we need to do on the technology side of the equation (most notably, moving towards a pull-based identity architecture in our application and platform layers), there is much more we can do in a more immediate fashion on the business and deployment side of identity management. And since any new proposal must be accompanied by an appropriate buzzword, here’s the one I took away from Catalyst – fit-for-purpose (putting $1 in the Bob Blakley piggybank).

For a while now, it’s been fashionable to bash provisioning. But to me, this was always misguided anger. Yes, it’s true that many provisioning projects suffer from missed deadlines and budget woes. But that was never because of the technology, which did exactly what it was supposed to (though there is still much we can do to improve it’s maturity and stability). It was always because of the way it was sold, deployed and mismanaged. How often did we hear massive provisioning projects being drafted to achieve regulatory compliance, only to find out that it wasn’t a sufficient control? How many connector development projects were defined to automate provisioning to many 100s of targets, without any ROI calculations ever being done to determine it’s value to the business (though it’s value to the implementing SI was all too obvious)?

Look Familiar

The angst has gone so far as to create a whole new market – Identity & Access Governance (IAG) – and marketing terms like “next generation provisioning”. But there is nothing revolutionary (or even evolutionary) about the model of automating provisioning to your most sensitive and/or high volume targets, while only setting up approval workflows and manual provisioning for the rest. You could do this with Thor’s Xellerate provisioning product (now Oracle Identity Manager) back in 2003, when we created full fledged functionality for manual provisioning that included email notifications and a provisioning task list (with detailed data and instructions) for your IT admins. Through all the noise and FUD, what is actually coming to the fore is the deeper and more relevant concept of understanding exactly what your use cases are for your IAM deployment, and focusing the features, design and deployment on meeting those use cases.

The most successful IAM projects have always done exactly this, with plans that classified their applications into tiers corresponding to the controls they wanted to put in place, creating role management projects that emphasized defining only the higher value business roles instead of trying to blanket everyone in the enterprise, and finding the right blend of automated controls, manual decision-making and oversight mechanisms. The defining characteristic in these projects was always an attitude of rational, measured response to the risk involved – in other words, an emphasis on making sure that any solution rolled out was fit-for-purpose.

This is the philosophical approach to IAM that attracted me to Identropy, where it exists both in the advisory and implementation aspect of our business, and in our approach to designing SCUID Lifecycle. Lifecycle is not meant to be all things to all people. It’s meant to be exactly what is needed for the majority of customers out there. We’ve used our years (decades?) of expertise in this space to come up with just that measured set of features and use cases, and will continue to refine them in conjunction with our customers. That is the part that excites me most about this new journey I’ve started. And I’m glad that Lori, Bob and the rest of the Catalyst gang validated our core belief for us.

These Guys Are Here To Help

Tags: Access Governance, Best Practices, Identity Governance, Identity Management, Provisioning

The central idea of the presentation was that the cloud has caused the seemingly well-understood, albeit reviled, discipline of user provisioning to splinter (SPLITTER!) into 3 different factions – the Traditionalists, the Progressives and the New Age Thinkers. You’ll have to listen to my talk to understand it in more detail, but the reviews of my talk on Twitter seemed to be “certified fresh“. While Ian Glazer pondered:

This JIT + Pull model that @NishantK proposes in a new age wrapper on a traditional core – externalized authZ fixes some problems #cis2011

I did have Paul Madsen raving:

I declare @nishantk Python theme for #cis2011 prez a success. And am reconciled to seeing it over and over for next 3 years

All in all, I think I accomplished my goal of edutaining the folks at CIS on the continued existence of user provisioning, and its future prospects. Because the account CRUD problem will continue to be a weight around the neck of enterprise cloud adoption unless we put in place the right solutions.

Tags: CIS11, CIS2011, Cloud Computing, Cloud Identity Summit, Federated Provisioning, JIT Provisioning, Just-In-Time Provisioning, Monty Python, Provisioning

I’m not a Lebron James, so I can’t really drag this out for an unnecessary 5 paragraphs (though I do feel like I am joining an All-Star team). So here it is. Starting today, I am going to take my talents (be what they may) to Moonachie NJ and join Identropy.

For a while now I’ve been wanting to get back into startup mode, to really tackle the identity management problem the way I want to. These are interesting times we are living in, as they say, and there is a real opportunity to turn this space on its head. And I’m going to get that chance now, as Chief Architect in a company that has all the necessary elements in place – a crackerjack team, innovative thinking and an unwavering focus on the needs of the customer. They’ve already had one incredible and unique solution – SCUID Operations – come out of that approach, and I’m excited to see what I can bring to the party.

Like I said in my farewell post, the number one thing for me is the team, and Identropy is an incredibly talented and passionate group of individuals working towards one vision. I’ve worked with some of these guys in the past (and didn’t hold it against them when making the decision to join), and have interacted with others over the years in this little community of ours. I’ve always had a deep respect for their expertise and commitment, and love that they’re the kind of people you want to go out and have a beer with at the end of a hard day. The relationships they have built with their customers are enviable by all standards. And they have an open, collaborative culture that should be fun to work in.

I am really looking forward to what we can accomplish together. It should be one hell of a ride. Of course, all my other nonsense – Twitter, this blog, the conference circuit rounds – will continue as before without interruption. I’ve only just scratched the surface of what I’ll be working on, and will definitely be sharing more in the coming weeks. But if you want an in-person take, grab me in Keystone or in San Diego. Be warned though – you may have to be the one buying the round (I am back in startup mode, after all). See you there.

Tags: Cloud Security, Identity Management, Identity Services, Identropy, Identropy Identity Management, Managed Identity Services, Personal, SCUID